RG-S2900G-E Series Switch
RGOS Configuration Guide, Release 10.4(2b12)p1

Summary of Contents for Ruijie RG-S2900G-E Series

  • Page 1 RG-S2900G-E Series Switch RGOS Configuration Guide, Release 10.4(2b12)p1...
  • Page 2 This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
  • Page 3 This manual is intended for:  Network engineers  Technical support and servicing engineers  Network administrators Obtaining Technical Assistance  Ruijie Networks Website: http://www.ruijienetworks.com/  Service Email: service_rj@ruijienetworks.com  http://www.ruijienetworks.com/service.aspx Technical Support:  Technical Support Hotline: +86-4008-111-000 Related Documents...
  • Page 4 · Symbols Means reader take note. Notes contain helpful suggestions or references. Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
  • Page 5 System Configuration 1. Command Line Interface Configuration 2. Basic Switch Management Configuration 3. Configuring HTTP Service 4. LINE Mode Configuration 5. System Upgrade Configuration 6. File System Configuration 7. System Management Configuration 8. System Memory Display Configuration 9. Syslog Configuration 10.
  • Page 6: Command Mode

    Accessing CLI Command Mode The management interface of Ruijie network devices falls into multiple modes. The command mode you are working with determines the commands you can use. To list the usable commands in each mode, enter a question mark (?) at the command prompt.
  • Page 7 Remark mode method Used Enter command exit to quit basic test this mode. User EXEC Log in. Ruijie> showing Enter command enable to system enter the privileged EXEC informatio mode. To return to the user EXEC Verify In the user...
  • Page 8: Getting Help

    For example: Ruijie# di? dir disable Complete a partial command name. abbreviated-command-entry For example: <Tab> Ruijie# show conf<Tab> Ruijie# show configuration List a command's associated keywords.(Leave a space between the keyword and question mark.) Command ? For example: Ruijie# show ? List a command's associated arguments.(Leave...
  • Page 9: Understanding CLI Error Messages

    Command Line Interface Configuration For example, when you want to view the information about access lists, the following command is not complete. Ruijie# show access % Ambiguous command: "show access" Using no and default Options Almost all commands have the no option generally used to disable a feature or function or perform a reversed action of the command.
  • Page 10: Using Editing Features

    Configuration Guide Command Line Interface Configuration Using Historical Commands The system records the commands you have input recently, which is very useful when you input a long and complex command again. To re-execute the commands you have input from the historical records, perform the following operations.
  • Page 11 Configuration Guide Command Line Interface Configuration Function Shortcut Key Description Scroll up the displayed contents by one line and make the next line Return appear. This is used only before the end of the output. Scroll up by one line or one page Scroll up the displayed contents by one page and make the next page Space...
  • Page 12: Using Command Alias

    To look up the specified message in the information outputted by the show command, execute the following command: Command Description Look up the specified content from the information Ruijie# show any-command | outputted by the show command and output all begin regular-expression information of the first line that contains this content and subsequent lines.
  • Page 13 The command that an alias represents must run under the mode you have defined in the current system. In the global configuration mode, you can enter alias? to list all command modes that can configure alias. Ruijie(config)#alias ? aaa-gs AAA server group mode...
  • Page 14: Accessing CLI

    Command Line Interface Configuration dhcp IP Address via DHCP Ruijie(config-if)#ip address Here lists the parameter information after the command “ip address”, and replaces the alias with the actual command. An alias must be inputted fully for use. Otherwise, it cannot be identified.
  • Page 15 Configuration Guide Basic Switch Management Configuration Basic Switch Management Configuration Overview This chapter describes how to manage our switches:  Command Authorization-based Access Control  Logon Authentication Control  System Time Configuration  Scheduled Restart  System Name and Command Prompt Configuration ...
  • Page 16: Privileged Level

    15 security password, the system will show a warning message. Set the security password, which has the same function but better password Ruijie(config)# enable secret [level encryption algorithm than the static level] {encryption-type password. For the purpose of security, it...
  • Page 17 – Change the privileges of all the Ruijie(config)# privilege mode [all] {level sub-commands specified level | reset} command-string commands into the same level.
  • Page 18: Configuring Line Password Protection

    Configuring the Password Security Policy Ruijie's products support the configuration of password security policies for local passwords of a device. A password security policy covers password length check, strong password check, duplicate password check and password lifecycle setting. The configuration of password security only takes effect on...
  • Page 19 The password length check limits the minimum length of the local password, so passwords shorter than the minimum length are not permitted. Command Purpose Ruijie(config)# password policy min-size Set the minimum length of the password length length : the minimum length of the...
  • Page 20 Remove the password lifecycle Ruijie(config)# no password policy life-cycle The device checks whether the password used by the user has expired when he/she uses the password to log in. If a password expires after its user has logged in, the user will be prompted to change the password when logging in with that password later. If the user makes no change, the current command...
  • Page 21: Logon Authentication Control

    EXEC mode of the terminal: Command Purpose Enable the function of locking the line Ruijie(config-line)# lockable terminal Ruijie# lock Lock the current line terminal Logon Authentication Control...
  • Page 22: Configuring Local Users

    AAA mode and local authentication of line login management in non-AAA mode. To enable the username identity authentication, run the following specific commands in the global configuration mode: Command Function Ruijie(config)# username name Enable username identity [password password | password authentication with encrypted password.
  • Page 23 Restrict the local user from remote login. rlogin Delete restrictions on the local user from Ruijie(config)#no username name reject remote login. rlogin When this command is configured, you cannot use the local user account to log in to the device.
  • Page 24: System Time Configuration

    Function Ruijie# clock set hh:mm:ss month Set system date and time. date day year For example, change the system time to 10:10:12, 2003-6-20: Ruijie# clock set 10:10:12 6 20 2003 //Set system time and date. Ruijie# show clock //Confirm the modification takes effect.
  • Page 25 In the privileged mode, execute clock update-calendar command to make software clock overwrite the value of hardware clock. Command Function Update hardware clock via software Ruijie# clock update-calendar clock. Execute the command below to copy current date and time of software clock to hardware clock. Ruijie# clock update-calendar...
  • Page 26 The following is an example specifying the system reload at 12:00 a.m. January 11, 2005 (suppose the current system clock is 8:30 a.m. January 11, 2005): Ruijie# reload at 12:00 1 11 2005 midday //Set the reload time and date. Ruijie# show reload //Confirm the modification takes effect.
  • Page 27: Configuring A System Name And Prompt

    If you configure a system name of more than 32 characters, the first 32 characters are used as the system prompt. The prompt varies with the system name. By default, the system name and command prompt are “Ruijie”.
  • Page 28: Configuring A System Name

    Command Function Configure a system name with printable Ruijie(Config)# hostname name characters less than 255 bytes. To restore the name to the default value, use the no hostname command in the global configuration mode. The following example changes the equipment...
  • Page 29: Configuring A Login Banner

    (&). After inputting the delimiter, press the Enter key. Now, you can start to type text. You need to input the delimiter and Ruijie(Config)# banner motd c then press Enter to complete the type. Note that if you type additional characters after...
  • Page 30: Viewing System Information

    (&). After inputting the delimiter, press the Enter key. Now, you can start to type text. You need to input the delimiter and Ruijie(Config)# banner login c then press Enter to complete the type. Note that if you type additional characters after...
  • Page 31 (number of ports of the module plugged). You may use the following commands to show the information of the device and slots in the privileged mode: Command Function Ruijie# show version devices Show device information. Show the information about slots and Ruijie# show version slots modules.
  • Page 32: Configuring Telnet

    //Enter the console line configuration mode Ruijie(config-line)# speed 57600 //Set the console rate to 57600bps Ruijie(config-line)# end //Return to the privileged mode Ruijie# show line console 0 //View the console configuration Type speed Overruns 57600 Line 0, Location: "", Type: "vt100"...
  • Page 33: Using Telnet Client

    IP address. The following example shows how to establish a Telnet session and manage the remote device with the IP address 192.168.65.119: Ruijie# telnet 192.168.65.119 //Establish the telnet session to the remote device Trying 192.168.65.119 ... Open User Access Verification...
  • Page 34 The connection timeout setting can be removed by using the no exec-timeout command in the line configuration mode. Ruijie# configure terminal //Enter the global configuration mode. Ruijie# line vty 0 //Enter the line configuration mode Ruijie(config-line)#exec-timeout 20 //Set the timeout to 20min Session Timeout...
  • Page 35 ..executing done Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# line vty 1 16 Ruijie(config-line)# transport input all Ruijie(config-line)# no exec Ruijie(config-line)# end The file name and contents of a batch file can be specified.
  • Page 36 //Enter the global configuration mode. Ruijie(config)# enable service web-server //Enable Web Server Ruijie(config)# username name password pass //Set local user Ruijie(config)# username name privilege 15 //Bind user right Ruijie(config)# ip http port 8080 //Set service port Ruijie(config)# ip http authentication loca //Set authentication method...
  • Page 37 Configuration Guide Configuring HTTP Service Configuring HTTP Service Overview Understanding HTTP The Hypertext Transfer Protocol (HTTP) is used to deliver Web page information over the Internet. HTTP is located at the application layer of the TCP/IP protocol stack and uses connection-oriented TCP as the transport protocol. The Hypertext Transfer Protocol Secure (HTTPS) is an HTTP protocol that supports the Secure Sockets Layer (SSL) protocol.
  • Page 38 Therefore, network delay is reduced and performance is improved. See Figure 1-2. Figure 1-2 HTTP/1.1 protocol packet interaction Currently, Ruijie switches support HTTP/1.0 and HTTP/1.1.  Which protocol version is used by the switch is determined by the Web browser.
  • Page 39 Configuration Guide Configuring HTTP Service  During local upgrade, the device serves as the HTTP server and users log in to the device through a Web browser and upload the files to be upgraded to the device and realize the upgrade. ...
  • Page 40: Typical Application

    During the remote upgrade, the device serves as the client, connects to the remote HTTP server and acquires the files on the server to upgrade the local files. The default domain name of the Web server provided by Ruijie is rgos.ruijie.com.cn.
  • Page 41 Configuration Guide Configuring HTTP Service Configuring HTTP Default Configuration Feature Default setting Enabling HTTP service It is disabled by default. HTTP Verification mode By default, the authentication mode of ordinary HTTP service is enable. The default port number of the ordinary HTTP service and HTTPS service is HTTP service port 80 and 443 respectively.
  • Page 42 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# enable service web-server Configuring HTTP Authentication Information To use the HTTP service, users need to pass the login authentication to enter the Web page. Ruijie provides two authentication setting methods. ...
  • Page 43 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# webmaster level 1 username admin password ruijie Configuring HTTP Service Port Configuring the port number can reduce illegal users' attack on the HTTP service. Ruijie's devices support HTTP and HTTPS services. ...
  • Page 44 Shows the Web service configuration information and status. Configuration examples: The following example shows the HTTP configuration information of a Ruijie device. Ruijie# show web-server status http server status : enabled http server port : 80 https server status: enabled...
  • Page 45 Configure the HTTP service port number as 8080; and the HTTPS service port number as 4430. Configuration Steps Configure the local database's identity information. The username is admin and the plaintext password is ruijie with an authority level of 15.
  • Page 46 Networking Requirements A company purchases a Ruijie product and intends to use the HTTP upgrade function to upgrade files.  The device can acquire information about files that can be upgraded remotely from Ruijie's server at a fixed time every day. ...
  • Page 47 Configure the upgrade server address. Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http update server rgos.ruijie.com.cn Enable auto detect mode and configure the remote monitoring time at 2:00 AM every day. Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 48 The server version information is shown on the Web online upgrade interface. Local HTTP Upgrade Configuration Example Networking Requirements  Users can acquire the latest Web package from Ruijie's website and the device can run the latest Web package. Networking Topology Figure 1-8 Local HTTP upgrade service topology Configuration Tips The following tips are provided to meet the above-mentioned requirements: ...
  • Page 49 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#vlan 1 Ruijie(config-vlan)#exit Ruijie(config)#interface vlan 1 Ruijie(config-VLAN 1)#ip address 10.10.10.131 255.255.255.0 Enable the tftp server on PC and use copy tftp command on the device to download the Web package. Ruijie#copy tftp://10.10.10.13/web_management_pack.upd flash:web_management_pack.upd Update the Web package.
  • Page 50: Line Mode Configuration

    After entering the specific LINE mode, you can configure the specified line. Execute the following commands to enter the specified LINE mode: Command Function Ruijie(config)# line [console | vty ] first-line Enter the specified LINE mode. [last-line] Increasing/Decreasing LINE VTY By default, the number of line vty is 5.
  • Page 51 Configuration Guide LINE Mode Configuration Command Description Enter line configuration line vty line number mode. Configure protocol transport input {all | ssh | telnet | none} communicate on the line. Disable the communication of no transport input any protocol on the line. Restore the setting to the default default transport input value.
  • Page 52 System Upgrade Configuration Understanding Program Image in the System The system image contains RGOS software. All Ruijie network devices are embedded with specific version of images before distribution. The user may upgrade such images to upgrade the device to the latest version. Use "show version"...
  • Page 53 Operating Principle The RGOS program image release for Ruijie devices is a self-extracting executable program. The RGOS program image carries the main program image for the device. For box devices, the RGOS program image contains main program and boot program;...
  • Page 54 Configuration Guide System Upgrade Configuration During system upgrade, the user may choose two different means: automatic installation and manual installation. The corresponding processes are shown below:  Automatic installation: The new-version file is copied to the device -> reset device -> wait until device installation is completed ...
  • Page 55 Configuration Guide System Upgrade Configuration Do not carry out upgrade or hot-plug/reset the line card when the device is extremely busy (with CPU utilization rate > 70%). This may lead to unsuccessful upgrade or boot failure of line card, including: 1.
  • Page 56 Configuration Guide System Upgrade Configuration When the user uses the "copy tftp" command to download an upgrade file from the tftp server to the device (master management board) and at the same time overwrites the boot/main program, the system will check the validity of the downloaded upgrade file (i.e., whether an inappropriate upgrade file is downloaded, or whether the upgrade file is corrupted).
  • Page 57 Configuration Guide System Upgrade Configuration Using this method to copy upgrade file will not lead to validity check. In addition, this method cannot be used when there are two management boards. Caution  Download via FTP Set the device as FTP server, and use FTP client to download upgrade file. Using this method to copy upgrade file will not lead to validity check.
  • Page 58 Copy the new-version software to the device  Reset the device  Wait for device installation Upgrade to 10.4(2) or higher version Copy the new-version software to the device: Ruijie#copy tftp://192.168.201.98/S8600_V10.4(2)_R64047.bin flash:rgos.bin Accessing tftp://192.168.201.98/ S8600_V10.4(2)_R64047.bin... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • Page 59 THE PROGRAM VERSION: RGOS 10.4.*, Release(64047) Upgrade Master CM main program OK. CURRENT PRODUCT INFORMATION : PRODUCT ID: 0x20110010 PRODUCT DESCRIPTION: Ruijie Gigabit Security & Intelligence Access Switch (S2628G) By Ruijie Network SUCCESS: UPGRADING OK. Reset the device: Ruijie# reload Wait for device installation after device reboot: In most cases, when upgrading older version to 10.4(2) or higher version, the device...
  • Page 60 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Transmission finished, file length 6128032 bytes. Verify the system boot image .[ok] CURRENT PRODUCT INFORMATION : PRODUCT ID: 0x20110010 PRODUCT DESCRIPTION: Ruijie Gigabit Security & Intelligence Access Switch (S2628G) By Ruijie Networks SUCCESS: UPGRADING OK. Reset the device: Ruijie#reload Wait for device installation after device reboot: After reboot, the device will automatically commence local image installation.
  • Page 61 Upgrade file to Module(s) in slot: [M2] Please wait..Upgrade file to Module in slot [M2] OK! Upgrade Master CM main program OK. CURRENT PRODUCT INFORMATION : PRODUCT ID: 0x20060062 PRODUCT DESCRIPTION: Ruijie High-density IPv6 10G Core Routing Switch(S8610) By Ruijie Network...
  • Page 62 Configuration Guide System Upgrade Configuration SUCCESS: UPGRADING OK. Reset the device: Ruijie#reload Wait for automatic installation of device: After entering the main program, the main management board will implement local installation first: *Apr 1 07:32:17: %UPGRADE-5-LOCAL_BEG: Installing: 'flash: CTRL'. *Apr 1 07:32:17: %UPGRADE-5-LOCAL: Upgrading CTRL.
  • Page 63 Degrade to 10.4(1) or older version Copy the new-version software to the device: Use "copy" command to copy the old edition software of 10.4(1) to the device. Ruijie#copy tftp://192.168.201.97/rgos.bin flash:rgos.bin Accessing tftp://192.168.201.97/ rgos.bin ... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  • Page 64 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!![OK 22,815,872 bytes] Waiting for image installed..Complete CURRENT PRODUCT INFORMATION : PRODUCT ID: 0x20060062 PRODUCT DESCRIPTION: Ruijie High-density IPv6 10G Core Routing Switch(S8610) By Ruijie Networks SUCCESS: UPGRADING OK. Reset the device: Ruijie#reload Wait for automatic installation of device: The following installation information will prompt after device reboot: Prepare installation data ...
  • Page 65 Configuration Guide System Upgrade Configuration Write executable file install_lc_200e0020.bin to file system. Checking file, please wait for a few minutes ..Check file success. Upgrade file install_lc_200e0030.bin succeed. Upgrading file install_lc_20070010.bin ... Write executable file install_lc_20070010.bin to file system. Checking file, please wait for a few minutes ..Check file success.
  • Page 66 Configuration Guide System Upgrade Configuration *Apr 1 06:12:13: %7: Installing, wait please ! *Apr 1 06:14:03: %7: Installing, wait please ! *Apr 1 06:14:13: %7: Installing, wait please ! *Apr 1 06:14:18: %OIR-6-INSCARD: Card inserted in slot 1, interfaces are now online.
  • Page 67 Configuration Guide System Upgrade Configuration The displayed main program version indicates the version number of main program being run in the system. Therefore, in the case of manual installation, the displayed version number of main program is not the version number of software newly installed, but the version number of software run currently.
  • Page 68 Configuration Guide System Upgrade Configuration The potential problem of degrading is: line card supported by higher version software may not be supported by the degraded software version. In such a case, when using "copy tftp" command to copy lower version software to the device, the system will give the Caution following warning: Warning:M8600-24GT/12SFP in slot 1 is not support by rgos.bin...
  • Page 69 Configuration Guide System Upgrade Configuration *Feb 10 15:47:12: %UPGRADE-4-PROTO_TIMEOUT: Server is busy and ack timeo By this time, the following solutions can be used: Ensure whether the boardcards to be upgraded are plugged or reset. Ensure whether the boardcards to be upgraded are busy (with high CPU utilization rate) Ensure whether the boardcards to be upgraded are using large file system space, if so, remove some useless files, and retry the upgrade after freeing the...
  • Page 70: File System Configuration

    Configuration Guide File System Configuration File System Configuration Overview The file system is an organization for storing and managing the files on the auxiliary storage devices. The switch provides the serial Flash as the auxiliary storage device to store and manage the NM operating system files and configuration files of the switch.
  • Page 71 Changing Directories This shifts from the current directory to the specified directory. In the privileged mode, use this command by performing the following steps: Command Function Ruijie# cd directory Enter the specified directory. Enter the higher-level directory Ruijie# cd ../...
  • Page 72: Copying Files

    Copy the file to the specified file directoryname The following example shows how to copy a file to a directory and another file: Ruijie# cp dest ../bak sour config.text Ruijie# cp dest con_bak.txt sour config.text Showing Directories This shows the contents of the current working directory or specified directory:...
  • Page 73: Moving Files

    The following example formats the first MTD device in the dev directory for use by the jffs2 file system: Ruijie# makefs dev /dev/mtd/mtdblock/1 fs jffs2 The above example formats a device in the mtdblock directory for the jffs2 file system, clearing the data on the device for use by the file system.
  • Page 74 File System Configuration Deleting Empty Directories In the privileged mode, delete an empty directory permanently by performing the following step: Command Function Ruijie# rmdir directoryname Delete an empty directory The above example deletes an empty directory named MNT. Ruijie# rmdir mnt...
  • Page 75: System Management Configuration

    Use the show cpu command to show the total CPU utilization and the CPU utilization per process: Command Function Ruijie# show cpu Show CPU utilization. By default, the switch name is Ruijie. Below is the result of executing this command: Ruijie#show cpu ======================================= CPU Using Rate Information CPU utilization in five seconds: 25%...
  • Page 76 Configuration Guide System Management Display Configuration ll_mt ll main process bridge_relay d1x_task secu_policy_task dhcpa_task dhcpsnp_task igmp_snp mstp_event GVRP_EVENT rldp_task rerp_task reup_event_handler tpp_task ip6timer rtadvd tnet6 tnet Tarptime gra_arp Ttcptimer ef_res ef_rcv_msg ef_inconsistent_daemon ip6_tunnel_rcv_pkt res6t tunrt6 ef6_rcv_msg ef6_inconsistent_daemon imid nsmd ripd ripngd ospfd ospf6d...
  • Page 77 Configuration Guide System Management Display Configuration sntp_recv_task ntp_task sla_deamon track_daemon pbr_guard vrrpd psnpd igsnpd coa_recv co_oper co_mac radius_task tac+_acct_task tac+_task dhcpd_task dhcps_task dhcpping_task dhcpc_task uart_debug_file_task ssp_init_task rl_listen ikl_msg_operate_thread bcmDPC bcmL2X.0 bcmL2X.0 bcmCNTR.0 bcmTX bcmXGS3AsyncTX bcmLINK.0 bcmRX mngpkt_rcv_thread mngpkt_recycle_thread stack_task stack_disc_task redun_sync_task conf_dispatch_task devprob_task...
  • Page 78 The following example sets the lower threshold to 70% and the higher threshold to 80%: Ruijie# configure terminal // Enter the global configuration mode Ruijie(config)# cpu-log log-limit 70 80 // Configure the CPU logging trigger threshold If the CPU utilization is higher than 80%, the system prompts:...
  • Page 79: Configuration Task List

    Use the show memory command to show the usage and status of system memory: Command Function Ruijie# show memory Show the usage of system memory. By default, the switch name is Ruijie. Below is the result of executing this command: Ruijie#show memory System Memory Statistic: Free pages: 13031...
  • Page 80 Configuration Guide System Management Display Configuration Parameter Description The memory resources are severely insufficient. One route protocol will auto-exit and release the memory if the lower watermark has been reached. For the details, see the memory-lack exit-policy command. The memory resources are insufficient. The route protocol will be in OVERFLOW state if the low watermark has been reached.
  • Page 81 Use the show memory command to show the usage and status of system memory: Command Function Ruijie# show memory Show the usage of system memory. By default, the switch name is Ruijie. Below is the result of executing this command: Ruijie#show memory Ruijie#show memory System Memory Statistic:...
  • Page 82 Configuration Guide System Memory Display Configuration Parameter Description Plenty of memory resources. Each route protocol attempts high to restore the state from OVERFLOW to normal. System Total Memory Total memory of the system. System Free Memory Total free memory, including the space of free pages and buffer pool.
  • Page 83: Syslog Configuration

    – information type: abbre: information contents Priority value = Device value *8 + Severity For example: <189> 226:Mar 5 02:09:10 Ruijie %SYS-5-CONFIG_I: Configured from console by console The priority field is not attached to the log messages that are printed in the user window.
  • Page 84 To configure different displaying devices for receiving logs, run the following commands in the global configuration mode or privileged level: Command Function Ruijie(config)# logging buffered [buffer-size | Record log in memory buffer level] Ruijie# terminal monitor Allow log to be displayed on VTY window...
  • Page 85: Enabling The Log Timestamp Switch Of Log Information

    Function Ruijie(config)# service timestamps Enable the timestamp in the log information message-type [uptime | datetime] Ruijie(config)# no service timestamps Disable the timestamp in the log information message-type Timestamps are available in two formats: device uptime and device datetime. Select the type of timestamp appropriately.
  • Page 86 By default, log rate is not limited. Use this command to configure log rate limit in the global configuration mode: Command Function Ruijie(config)# logging rate-limit number Set log rate limit. Ruijie(config)# no logging rate-limit Delete the setting of log rate limit.
  • Page 87 Set the level of log information that is allowed to be displayed on the VTY window (such as telnet Ruijie(config)# logging monitor level window) Ruijie(config)# logging buffered [buffer-size | Set the level of log information that is allowed to level] be recorded in memory buffer...
  • Page 88: Configuring The Log Information Device Value

    Command Function Ruijie(config)# logging facility facility-type Configure the log information device value Restore the default of the log information device Ruijie(config)# no logging facility facility-type value The meanings of various device values are described as below: Numerical Code Facility kernel messages...
  • Page 89: Log Monitoring

    Ruijie(config)# logging source interface Configure the source port of log information interface-type interface-number Ruijie(config)# logging source ip A.B.C.D Configure the source IP address of log messages Setting and Sending User Log By default, no log is output when a user logs in or out and executes configuration commands.
  • Page 90 Configuration Guide Syslog Configuration Examples of Log Configurations Here is a typical example to enable the logging function: Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# ip address 192.168.200.42 255.255.255.0 Ruijie(config-if)# exit Ruijie(config)# service sequence-numbers //Enable sequence number Ruijie(config)# service timestamps debug datetime...
  • Page 91 Configuration Guide Configuring PoE Configuration...
  • Page 92: PoE Configuration

    The PoE power supply will supply power to the entire PoE system. It is classified into external power supply and internal power supply. Of Ruijie products, box-type PoE switches generally contain internal power modules and some may also support external power supply. The external power supply is called Remote Power Supply (RPS).
  • Page 93: Configuring PoE

    According to IEEE 802.3af, a PoE switch can supply power over the idle line or signal line of a twisted pair whereas a PD must simultaneously support power supply over the idle line and power supply over the signal line. Some Ruijie PoE switches supply power over the idle line and the others supply power over the signal line.
  • Page 94 Ruijie(config-if)# no poe enable Ruijie(config-if)# end  By default, the PoE function is enabled on Ruijie access and convergence switches. On the PoE line cards of Ruijie core switches, however, the PoE function is disabled.  If you run the interface range command to set the PoE function on a batch of ports at one time, enabling or disabling the PoE function on one port will affect the power management of the entire switch, because the interface range command sets ports one by one.
  • Page 95 Enters the global configuration mode Ruijie(config)# poe mode { auto | energy-saving | static } Sets the power management mode of the PoE system to auto, energy-saving, or static mode By default, the auto mode is applied for power management on a switch.
  • Page 96 For example, you can run the following commands in turn to enable the PoE function on port 1 of line card 1: Ruijie# configure Ruijie(config)# time-range poe-time Ruijie(config-time-range)# periodic weekdays 8:30 to 17:30 Ruijie(config-time-range)# exit Ruijie(config)# interface gigabitEthernet 1/1 Ruijie(config-if)# poe power-off time-range poe-time...
  • Page 97 Currently, IEEE 802.3af and 802.3at are applied as PoE standards in the industry. In practical applications, however, PDs are diversified and may not necessarily conform to the two standards. The following commands are available on Ruijie switches to provide compatibility with some non-standard PoE devices.
  • Page 98 Function Ruijie# configure Enters the global configuration mode Ruijie(config)# interface fastEthernet interface-id Enters the interface configuration mode and specifies the physical port to be configured Ruijie(config-if)# poe max-power int Sets the maximum power of the port, which ranges from 0 to 30 in watts with a precision of one decimal point...
  • Page 99 PoE devices. The following commands are available on each Ruijie PoE switch to set the reserved power of the system to ensure that the PoE switch provides redundant power and the current power consumption of the PoE switch does not go beyond the power capacity of the PoE switch itself.
  • Page 100 A Command Line Interface (CLI) is also available on Ruijie switches to set the power alarm threshold of the system. This CLI provides the same function and configuration as pethMainPseUsageThreshold for setting the power alarm threshold of the system in the MIB.
  • Page 101 RFC 3621, which is the standard Management Information Base (MIB) for PoE, defines a configuration item named pethNotificationControlEnable to control the sending of such trap notifications. CLI commands are also available on Ruijie switches to set the trap sending function of the system. Command...
  • Page 102 In practical applications, you may often need to record the name of a PD connected to a certain PoE port. RFC 3621 defines a configuration item named pethPsePortType to set the descriptor of the PD on a port. CLI commands are also available on Ruijie switches to set the descriptor of the PD on a port. Command...
  • Page 103 For example, you can run the following commands in turn to enable and then disable LLDP classification: Ruijie# configure Ruijie(config)# poe class-lldp enable Ruijie(config)# no poe class-lldp enable Ruijie(config)# end After LLDP classification is enabled, the PD on a port is of Type 1 by default.
  • Page 104 4(Type1) 53.5V Fa0/6 enable on 14.9W 7.8W 14.9W 279mA 4(Type1) 53.5V The following information is displayed if LLDP classification is enabled and the PD is Type 2: Ruijie(config)#show poe interface fastEthernet 0/2 Interface : Fa0/2 Power enabled : enable Power status...
  • Page 105 Configuration Guide Configuring PoE Configuration Ruijie# show poe interface fastEthernet [interface-id] Shows the power supply status of a specific port Ruijie# show poe interfaces status Shows the power supply status of all PoE ports (24 electrical ports to which power can be supplied)
  • Page 106 There are PoE LED switching buttons on the panel of a Ruijie PoE switch. If you press such a button once, the LED of the respective port will change to the LED mode. If you press the button again, the LED will change to the default port LED status.
  • Page 107 0.0W 0.0W 0.0W 0mA 0.0V Fa0/24 enable off 0.0W 0.0W 0.0W 0mA 0.0V Run the following command to show configuration information about all PoE ports: Ruijie#show poe interfaces configuration Interface Power Power Alloc Port Port Power-off Control Status Power Power Priority Legacy Time-range...
  • Page 108 To show the PoE status of the system, run the following show command in the privileged mode: Command Function Ruijie# show poe powersupply Shows the PoE status of the entire PoE system For example, you can run the following command to show the PoE status of the entire PoE system:...
  • Page 109 Configuration Guide Configuring PoE Configuration Device member Indicates the device ID, which identifies the sequence number of the system among a stacked or VSU system. Power management Indicates the power management mode: auto: auto mode energy-saving: energy-saving mode static: static mode PSE total power Indicates the maximum power that the system supports.
  • Page 110 After a U disk card is loaded into the system, directly run file system commands (dir, copy, del, and others) to operate on the U disk card. The operations below show how to copy a file from the U disk card to flash. Enter the U disk partition. Ruijie# cd usb0:/ Enter the SD card partition.
  • Page 111 Configuring PoE Ruijie# cd sd0:/ Copy the a.txt file in the U disk to the device's root directory. Ruijie# copy a.txt usb0:/b.txt Copy the a.txt file in the SD card to the device's root directory. Ruijie# copy a.txt sd0:/b.txt Run the dir command. The result shows that the b.txt file has been added to the USB card.
  • Page 112 Function Step 1 Ruijie# usb remove Device_ID Uninstalls the USB device card with the specified Device_ID. As shown above, ID0 indicates a USB device, and ID1 indicates the SD card. The commands below uninstall the corresponding USB device and SD card.
  • Page 113 Configuration Guide Configuring PoE After the uninstall command is used, the system will print: OK, now you can pull out the device 1 Now, users can pull out the USB device card. Sometimes the uninstall fails because the device is in use. Wait a while, and then run the uninstall command again before pulling out the device.
  • Page 114 If no location is specified, you need to separately input the IP address of the TFTP server. Command Function Ruijie# copy tftp://location/filename flash: Download the specified file from the URL on the host to the equipment.
  • Page 115 Before download, first run the TFTP server software on the local host. Finally, log in to the equipment. In the privileged EXEC mode, download the files by using the following commands. Command Function Ruijie# copy tftp://location/filename flash: Download the file specified by the URL on the host to the equipment.
  • Page 116 Command Function Download the file from the host to the Ruijie# copy xmodem flash:filename equipment and name it filename. In the CLI command mode, upload the files by performing the following steps: Prior to upload, first log in to the out-band management interface of the switch by using the Windows HyperTerminal.
  • Page 117 System Upgrade and Maintenance Command Function Ruijie# copy flash:filename xmodem Upload the file from the equipment to the host. It is necessary to put a filename containing spaces in quotes. For example: copy xmodem flash:"filename" OR copy flash:"filename" xmodem Caution...
  • Page 118 Configuration Guide System Upgrade and Maintenance Whenever you upgrade the master supervisor engine, the slave one (if any) is upgraded at the same time to keep the versions consistent. The upgrade of a line card will upgrade all the line cards inserted into the device. Do not power off the device before the upgrade is complete.
  • Page 119 Configuration Guide System Upgrade and Maintenance Keep power on, don't draw out the card and don't restart your machine before finished !!!!!! Other Printing Information Transmission is OK, now, card in slot [3] need restart ... Software installation of card in slot [3] is in process ..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Software installation of card in slot [3] has finished successfully ..
  • Page 120: Stack Management

    IP address to reduce the occupation of IP addresses and facilitate network management. Hardware Structure Special stack ports and cables are usually needed to form a stack system. Ruijie switches provide multiple hardware solutions available for users: ...
  • Page 121: Configuring A Stack

    Configuration Guide Stack Management In the stack environment, if link loss of the stack cable is detected, the management of the stack will fail, and the system will send a log to the user: STACKMODULE-LINKSTATUS-CHANGED: Link loss is detected in the stack loop. Device [2] loss has been detected, system will reset.
  • Page 122 [member member] description The string is up to 31 characters long and indicates the alias of the device. By default, the member device configured is 1. For example: Specify the alias of member device 2 as red-giant: Ruijie(config)# device-description member 2 red-giant...
  • Page 123: Saving Parameters

    Ruijie(config-if)# stack on this command to disable the stack port. For example: Enable the stack for GigabitEthernet 0/28: Ruijie(config)# interface GigabitEthernet 0/28 Ruijie(config-if)# stack on For the S2900E series switch, you need to configure the specified port as the stack port in order to stack the specified modules through that stack port.
  • Page 124 Showing Stack Information In the privileged mode, you can view the stack information by using the following commands. Command Description Ruijie# show version devices Show the system device information. Ruijie# show version slots Show the slot information. Ruijie# show version Show the version of the stack system.
  • Page 125 M5700_STACK_IB4X M5750-48GT/4SFP_Static_Module M5700_STACK_IB4X M5700_STACK_IB4X Ruijie#show version System description : Red-Giant 10G Routing Switch(RG-S5750-24GT/12SFP) By Ruijie Network System start time : 2007-4-23 17:39:11 System hardware version : 1.0 System software version : RGOS 10.1.00(2), Release(12889) System BOOT version : 10.1.11330 System CTRL version : 10.1.11330...
  • Page 126 Hardware version : 1.0 Software version : RGOS 10.1.00(2), Release(12889) BOOT version : 10.1.11330 CTRL version : 10.1.11330 Serial Number : 1234942570008 Ruijie#show member Member Mac Address Priority Software Version Hardware Version Description ------ -------------- -------- ---------------- ------------- -------- ------------ 00d0.f810.3323 1...
  • Page 127: Threshold Configuration

    Configuration Guide Threshold Configuration Threshold Configuration Understanding the Threshold Threshold Overview The threshold value is specifically used to check the system state. The threshold is divided into 3 categories: CPU utilization threshold, memory utilization threshold and the temperature threshold. Each category has the threshold of 2 levels: the first level is warning threshold, and the second level is the critical threshold.
  • Page 128 View the configuration Configuring the CPU Utilization Threshold Command Purpose Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# threshold set cpu [M1 slot member] warning_value critical_value Specify the warning threshold and critical threshold of the CPU utilization for the specific device, in the range of 1-100.
  • Page 129 80 and 90, 50 and 80 respectively: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#threshold set cpu member 1 80 90 Ruijie(config)#threshold set temperature member 1 60 80 Configuration Verification Use the show threshold command to view the threshold of each category:...
  • Page 130: Eee Configuration

    The following table describes the default configuration of EEE. Feature Default setting EEE is disabled on ports by default. Configuring EEE Use the following commands to configure EEE on a port. Command Function Step 1 Ruijie# configure Enters global configuration mode.
  • Page 131 Step 2 interface-id interface on which EEE is configured. Step 3 Ruijie(config-if)# eee enable | no eee enable Enables or disables EEE on the specific port. The following example enables or disables EEE on GigabitEthernet 0/1. Ruijie# configure Ruijie(config)# interface gigabitEthernet 0/1...
  • Page 132 EEE is disabled on the peer port, or the peer port does not support EEE. To display the EEE statuses of all ports, run the show eee interfaces status command without specifying a port ID. The following example displays the EEE statuses of all ports. ruijie#show eee int st Interface EEE Admin...
  • Page 133 Configuration Guide EEE Configuration...
  • Page 134: Device Management Configuration

    Configuration Guide Device Management Configuration Device Management Configuration Introduction Device management includes intelligent temperature control and asset management. Intelligent temperature control provides a temperature control mechanism and an over-temperature protection function for the system. Generally, the intelligent controller not only controls the rotation speed of fans to keep the system from over-heating, but also reduces noise, saves energy, and prolongs the lifetime of fans.
  • Page 135 Function Ruijie# configure Enters global configuration mode. Ruijie(config)# fan force enable | disable | auto | no fan force enable | disable | auto Sets the working mode of a fan to force enable or force disable, or restores the default auto mode.
  • Page 136 Ruijie# configure Enters global configuration mode. Ruijie(config)# fan force enable | disable | auto device Sets the working mode of the specified fan to force enable or force disable, or restores the default auto mode. Example: Set the working mode of a fan on Device 1 to the force enable mode.
  • Page 137 Configuration Guide Device Management Configuration Displaying Device Temperature Status and Value Command Function Ruijie# show temperature Displays the temperature status and value of the current device. Example: Display the temperature status and value of the current device. Ruijie#show temperature Device...
  • Page 138 Ethernet Switching Configuration 1. Interface Configuration 2. MAC Address Configuration 3. Aggregate Port Configuration 4. VLAN Configuration 5. Protocol VLAN Configuration 6. Private VLAN Configuration 7. Share VLAN Configuration 8. Voice VLAN Configuration 9. MSTP Configuration 10. Configuring Transparent Transmission of Protocol Frames 11.
  • Page 139: Interface Configuration

    Configuration Guide Interface Configuration Interface Configuration Overview of Interface Types This chapter classifies the interfaces used on Ruijie devices and defines interface types. Interfaces on Ruijie devices are divided into two types:  L2 Interfaces  L3 Interfaces (supported on layer 3 devices) L2 Interfaces This section presents the types of L2 interfaces and their definitions.
  • Page 140 Configuration Guide Interface Configuration An access port handles tagged frames in the following ways:  When the VID (VLAN ID) of the tag is the same as the default VLAN ID, the access port receives the frame and removes the tag before sending it out. ...
  • Page 141 Configuration Guide Interface Configuration Untagged packets are ordinary Ethernet packets that can be recognized by the network cards in PCs for communication. Tagging refers to appending four bytes of VLAN information, namely the VLAN tag header, after the destination MAC address and the source MAC address. Note
  • Page 142 Configuration Guide Interface Configuration As the following figure depicts, the hosts of VLAN20 can communicate to each other directly without routing through an L3 device. If host A in VLAN20 wants to communicate with host B in VLAN30, it must route through SVI1 corresponding to VLAN20 and SVI2 corresponding to VLAN30.
  • Page 143: Configuring Interfaces

    Ruijie(config)# interface interface-ID You can also configure an interface range by using the interface range or interface range macro command. However, the interfaces in the same range must be of the same type and features.
  • Page 144 This example shows how to use the interface range command in the global configuration mode: Ruijie# configure terminal Ruijie(config)# interface range fastethernet 1/1 - 10 Ruijie(config-if-range)# no shutdown Ruijie(config-if-range)# This example shows how to separate multiple ranges by a comma (,):...
  • Page 145 SVIs. This example defines a macro for fastethernet1/1-4 by using the define interface-range command: Ruijie# configure terminal Ruijie(config)# define interface-range resource fastethernet 1/1-4 Ruijie(config)# end This example defines a macro for multiple ranges: Ruijie# configure terminal...
  • Page 146 Otherwise, they cannot be added to the AP. The port type of the members of the aggregate port cannot be changed. Command Function Ruijie(config-if)# medium-type { fiber | copper } Set the media type of a port. This example sets the media type of gigabitethernet 1/1: Ruijie# config terminal Enter configuration commands, one per line.
  • Page 147 The following command takes effect only for switch port and routed port. Command Function Ruijie(config-if)# speed {10 | 100 | 1000 | auto } Select a speed or set it to auto. Set duplex mode. Ruijie(config-if)# duplex {auto | full | half } Set flow control mode.
  • Page 148 Command Function Ruijie(config-if)# negotiation mode { on | off } Enable or disable auto-negotiation mode on the interface. In the interface configuration mode, you can restore the settings of speed, duplexing, flow control and auto-negotiation mode to the default values (auto-negotiation) by using the no speed, no duplex, no flowcontrol and no negotiation mode commands.
  • Page 149: Configuring L2 Interfaces

    Num: <64 to 9216> This example shows how to set the MTU for Gigabitethernet 1/1: Ruijie# config terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface gigabitethernet 1/1 Ruijie(config-if)# mtu 64 Ruijie(config-if)# end Configuring L2 Interfaces The following table shows the default settings of L2 interfaces. For the configurations of VLAN and ports, please refer to Configuring VLAN and Configuring Port-based Flow Control.
  • Page 150 10. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface gigabitethernet 2/1 Ruijie(config-if)# switchport trunk native vlan 10 Ruijie(config-if)# end Set port security. For more information about port security, refer to Port-based Flow Control:...
  • Page 151 Set the output rule for the port. [[add] [tagged | untagged]] | remove ] vlist Ruijie# configure terminal Ruijie(config)# interface g 0/1 Ruijie(config-if)# switchport mode hybrid Ruijie(config-if)# switchport hybrid native vlan 3 Ruijie(config-if)# switchport hybrid allowed vlan untagged 20-30 Ruijie(config-if)# end Ruijie# show running interface g 0/1...
  • Page 152: Configuring L3 Interfaces

    If no interface is specified, the counters of all layer 2 interfaces will be cleared. The following example shows how to clear the counter of gigabitethernet 1/1. Ruijie# clear counters gigabitethernet 1/1 Configuring L3 Interfaces To configure a layer 3 interface, execute the following steps:...
  • Page 153 Configuration Guide Interface Configuration Ruijie(config)# interface gigabitethernet 2/1 Ruijie(config-if)# no switchport Ruijie(config-if)# ip address 192.20.135.21 255.255.255.0 Ruijie(config-if)# no shutdown Ruijie(config-if)# end Configuring SVI This section describes how to create a SVI and some related configuration. You may create a SVI or modify an existing one by using the interface vlan vlan-id command.
  • Page 154: Showing Interface Configuration And Status

    Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface aggregateport 2 Ruijie(config-if)# no switchport Ruijie(config-if)# ip address 192.168.1.1 255.255.255.0 Ruijie(config-if)# no shutdown Ruijie(config-if)# end Showing Interface Configuration and Status This section covers interface status display and gives examples. You may view interface status by using the show command in the privileged EXEC mode.
  • Page 155 : Unknown FlowControlAdminStatus : Autonego FlowControlOperStatus : Disabled Priority This example shows the configuration of GigabitEthernet 1/1: Ruijie# show interfaces gigabitEthernet 1/1 switchport Interface Switchport Mode Access Native Protected VLAN lists ---------- ---------- --------- --------- --------- --------- ------------ gigabitethernet 1/1...
  • Page 156 Configuration Guide Interface Configuration Ruijie# show interfaces gigabitethernet 1/2 description Interface Status Administrative Description -------------------- --------- --------------- ---------------- gigabitethernet 2/1 down down Gi 2/1 This example shows statistics of the interfaces. Ruijie# show interfaces gigabitethernet 1/2 counters Interface : gigabitethernet 1/2...
  • Page 157 Digital Diagnostic Monitoring : YES The following example shows the alarm information for the optical module on the interface GigabitEthernet 5/4: Ruijie#show interfaces gigabitEthernet 5/4 transceiver alarm gigabitEthernet 5/4 transceiver current alarm information: RX loss of signal The following table shows the alarm information for the SFP optical modules:...
  • Page 158 Configuration Guide Interface Configuration Field Description Voltage high Alarm of the high voltage. Voltage low Alarm of the low voltage. Transceiver info checksum error Transceiver information checksum error. Transceiver info I/O error Transceiver information read/write error. RX loss of signal Loss of the receiving signal.
  • Page 159 Transceiver info I/O error Transceiver information read/write error. The following example shows the optical module transceiver diagnosis parameters on the interface GigabitEthernet 5/4: Ruijie#show interfaces gigabitEthernet 5/4 transceiver diagnosis Current diagnostic parameters: Temp(°C) Voltage(V) Bias(mA) RX power(dBM) TX power(dBM) 36(OK) 3.31(OK)
  • Page 160: Line Detection

    Interface Configuration The functions of information display, alarm and diagnostic parameter detection of the optical module require the support of the optical modules of Ruijie Networks. Caution: The fault alarm and diagnostic parameters of the optical module cannot be displayed if the optical module does not support the Digital Diagnostic Monitoring function.
  • Page 161 Configuration Command Command Function Ruijie(config-if)# [no] snmp trap link-status Enable or disable the sending of LinkTrap for this interface. Configuration Example The following configuration shows how to configure the interface not to send LinkTrap: Ruijie(config)# interface gigabitEthernet 1/1...
  • Page 162: Mac Address Configuration

    Configuration Guide MAC Address Configuration MAC Address Configuration Using the information in the MAC address table, the Ethernet switch rapidly searches for the address to which the messages in the data link layer are forwarded. This chapter describes the MAC address configuration, including the following sections: ...
  • Page 163 Configuration Guide MAC Address Configuration State VLAN MAC address Interface Figure-1 MAC Address Entry  State: Dynamic,static or filtering address.  VLAN: VLAN to which the MAC address belongs;  MAC address: the MAC address information in the entry;  Interface: the information of the interface with which the MAC address is correspondent.
  • Page 164 Configuration Guide MAC Address Configuration Learning the Dynamic Address Dynamic Address A dynamic address is a MAC address learnt automatically from the packets received by the switch. Only a dynamic address can be removed by the aging mechanism of the address table. Address Learning Process In general, the switch maintains the MAC address table by learning dynamic addresses.
  • Page 165 MAC address for a long time (depending on the aging time), the address will be aged out and removed from the MAC address table. Management Learning mode of the Dynamic Address  Ruijie high-density modular Ethernet switches support the management learning mode of the dynamic address.
  • Page 166 Configuration Guide MAC Address Configuration Uniform MAC address learning mode A. Operation Mechanism In this mode, multiple line cards in the switch learn the MAC addresses, with each line card learning the MAC address independently. The MAC address learning process is described as follows: UserA under Line Card1 sends packets to UserB.
  • Page 167 Configuration Guide MAC Address Configuration After receiving the packets from the UserA, the UserB sends the reply packets to the Line Card1. Since the Line Card 1 has learned the MAC address for the UserA, the packets will be sent to the port of UserA in the unicast form and will not be sent to the Line Card 2.
  • Page 168 Configuration Guide MAC Address Configuration The capacity of the address table for all linecards in the switch is allocated on demand: If two users exchange the packets on the same line card, only the MAC address space of the line card 1 is occupied. High System Performance: Small system expenditure since the internal system adopts the dispersive MAC address learning mode.
  • Page 169 Configuration Guide MAC Address Configuration The disadvantages of the MAC address synchronization:  Occupy the large space of the MAC address table: Even though two users exchange the packets on the same line card, the MAC address space of other line cards will also be occupied. ...
  • Page 170 Configuration Guide MAC Address Configuration By configuring the static address manually, you can bind the MAC address of the network device with the interface in the MAC address table. Filtering Address A filtering address is a manually configured MAC address. When the device receives packets from a filtering address, it directly discards them.
  • Page 171 Configuration Guide MAC Address Configuration the device within the aging time) lets you know that a user does not use the device any more. When many users use the device, lots of MAC address changes may occur in a short period of time (for example, when the device is powered on), incurring additional network traffic.
  • Page 172 Protocol Description Address BPDU Spanning Tree Protocol 01-80-C2-00-00-00 802.1x IEEE Std 802.1X PAE Protocol 01-80-C2-00-00-03 Ruijie Private 802.1X 01-D0-F8-00-00-03 Protocol Related Protocols 《IEEE Std 802.3 Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications》 《IEEE Std 802.1Q Virtual Bridged Local Area Networks》...
  • Page 173 VLAN. vlan-id:the specified VLAN to which the dynamic address to be cleared belongs. The following example shows how to clear all dynamic addresses in VLAN 1 on interface GigabitEthernet 0/1: Ruijie#clear mac-address-table dynamic interface GigabitEthernet 0/1 vlan 1...
  • Page 174 MAC address table in the specified VLAN. The following example shows all dynamic MAC addresses in VLAN 1 on interface GigabitEthernet 0/1: Ruijie#show mac-address-table dynamic interface gigabitEthernet 0/1 vlan 1 Vlan MAC Address Type...
  • Page 175: Setting The Aging Time

    Total Mac Addresses : 30 Total Mac Address Space Available: 8159 Example 2: show the number of MAC addresses in VLAN1. Ruijie# show mac-address-table count vlan 1 Dynamic Address Count : 7 Static Address Count : 0 Filter Address Count : 0 Total Mac Addresses Example 3: show the number of MAC addresses on the interface g0/1.
  • Page 176 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#vlan 1 Ruijie(config-vlan)#max-dynamic-mac-count 160 Viewing Configurations Show the maximum number of dynamic addresses for a specified VLAN: Ruijie#show mac-address-table max-dynamic-mac-count vlan 1 vlan limit mac count learning ---- ------- --------- --------...
  • Page 177 00d0.f800.073c. When a packet to this address is received in VLAN 4, it is forwarded to Gigabitethernet 0/3. Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# mac-address-table static 00d0.f800.073c vlan 4 interface gigabitethernet 0/3 The following example shows how to remove the static address 00d0.f800.073c.
  • Page 178 Configuration Guide MAC Address Configuration Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#no mac-address-table static 00d0.f800.073c vlan 4 interface gigabitethernet 0/3 Viewing Configurations Command Function Show the information of all the static Ruijie# show mac-address-table static MAC addresses.
  • Page 179 Configuration Guide MAC Address Configuration Ruijie(config)#no mac-address-table filtering 00d0.f800.073c vlan 4 Viewing Configurations Command Function Show the information of all the Ruijie# show mac-address-table filtering filtering MAC addresses. The following example shows how to view the information of all the filtering...
  • Page 180 MAC address change history list to 100, and enable the MAC address change notification function on gigabitethernet 0/1 when a MAC address is added or removed. Ruijie(config)# snmp-server host 192.168.12.54 traps public Ruijie(config)# snmp-server enable traps Ruijie(config)# mac-address-table notification...
  • Page 181 View the global configuration of the MAC address change notification: Ruijie# show mac-address-table notification MAC Notification Feature : Enabled Interval(Sec): 2 Maximum History Size : 154 Current History Size : 2 Ruijie# show mac-address-table notification interface Interface MAC Added Trap MAC Removed Trap ---------------- -------------- ---------------- Gi0/1 Disabled...
  • Page 182: Address Binding

    In the global mode, to configure IP address and MAC address binding, execute the following commands. Command Function Ruijie(config)# address-bind ip-address mac-address Configure IP address and MAC address binding. Ruijie(config)# address-bind install Enable the address binding function. To cancel the IP address and MAC address binding, use the no address-bind ip-address mac-address command in the global configuration mode.
  • Page 183 Use the no address-bind uplink interface-id command to cancel the configuration of the specified exceptional port. The following example shows how to set the interface GigabitEthernet 0/1 as the exceptional port: Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# address-bind uplink GigabitEthernet 0/1...
  • Page 184 To show the IP address and MAC address binding table, use the show address-bind command in the privileged mode: Command Function Ruijie(config)#show address-bind View the IP address and MAC address binding table. The following example shows how to view the IP address and MAC address binding table:...
  • Page 185 Configurations The following example shows how to configure the switch: Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#mac-address-table static 00d0.f800.0001 vlan 1 interface GigabitEthernet 0/1 Ruijie(config)#mac-address-table static 00d0.f800.0002 vlan 1 interface GigabitEthernet 0/2 Ruijie(config)#mac-address-table static 00d0.f800.0003 vlan 1 interface...
  • Page 186: Aggregate Port Configuration

    Multiple physical links can be bound into a logical link, called an aggregate port (hereinafter referred to as AP). Ruijie devices provide the AP function that complies with the IEEE802.3ad standard. This function can be used to expand link bandwidth and improve reliability.
  • Page 187 Configuration Guide Aggregate Port Configuration Source MAC address-based traffic balancing distributes the traffic on the member links of an AP according to the source MAC addresses of packets. Packets with different source MAC addresses are evenly distributed across the member links of an AP.
  • Page 188: Configuring Aggregate Port

    In the following diagram, a switch communicates with a router through an AP, and the router serves as the gateway for all the devices inside the network (such as the 4 PCs at the top of the diagram).
  • Page 189 The example below shows how to configure the layer2 Ethernet interface 1/0 as a member of layer2 AP 5. Ruijie# configure terminal Ruijie(config)# interface range gigabitEthernet 0/1 Ruijie(config-if-range)# port-group 5 Ruijie(config-if-range)# end The command interface aggregateport n (n is the AP number) in the global configuration mode can be used to directly create an AP (if AP n does not exist).
  • Page 190 IP address (192.168.1.1): Ruijie# configure terminal Ruijie(config)# interface aggregateport 3 Ruijie(config-if)# no switchport Ruijie(config-if)# ip address 192.168.1.1 255.255.255.0 Ruijie(config-if)# end Caution: Only L3 switches support L3 APs. You must create an L3 AP before adding an interface to it by executing the port-group command.
  • Page 191 In the privileged mode, show the AP configuration by performing the following steps. Command Function: Ruijie# show aggregateport [port-number] {load-balance | summary}: Show the AP settings. Ruijie# show aggregateport load-balance Load-balance : Source MAC address Ruijie# show aggregateport 1 summary AggregatePort MaxPorts SwitchPort Mode Ports ------------- -------- ---------- ------ Enabled ACCESS...
  • Page 192: Vlan Configuration

    IP subnet belong to the same VLAN. A layer 3 device must be used for communication between VLANs. Ruijie L3 devices can perform IP routing between VLANs through SVI (Switch Virtual Interfaces).
  • Page 193: Configuring A Vlan

    Configuration Guide VLAN Configuration Supported VLAN Complying with the IEEE802.1Q standard, our products support up to 4094 VLANs (VLAN ID 1-4094), in which VLAN 1 is the default VLAN that cannot be deleted. VLAN Member Type You can determine the frames that can pass a port and the number of VLANs that the port can belong to by configuring the VLAN member type of the port.
  • Page 194: Deleting A Vlan

    In the privileged mode, you can delete a VLAN by executing the following command. Command Function: Ruijie(config)# no vlan vlan-id: Enter the VLAN ID that you want to delete. Assigning Access Ports to a VLAN If you assign a port to a nonexistent VLAN, the switch will automatically create that VLAN.
  • Page 195 The following example adds Ethernet 1/10 to VLAN20 as an access port: Ruijie# configure terminal Ruijie(config)# interface fastethernet 1/10 Ruijie(config-if)# switchport mode access Ruijie(config-if)# switchport access vlan 20 Ruijie(config-if)# end The following example shows how to verify the configuration: Ruijie(config)#show interfaces gigabitEthernet 3/1...
  • Page 196: Configuring Vlan Trunks

    (for instance, a router or switch). A trunk can transmit the traffic of multiple VLANs. The trunk encapsulation of Ruijie devices is 802.1Q-compliant. The following diagram shows a network connected with trunks. You can set a common Ethernet port or aggregate port to be a trunk port. For the details of aggregate ports, refer to Configuring Aggregate Port.
  • Page 197: Configuring A Trunk Port

    Basic Trunk Port Configuration In the privileged mode, you can configure a trunk port by executing the following command. Command Function: Ruijie(config-if)# switchport mode trunk: Configure the port as an L2 trunk port. Ruijie(config-if)# switchport: Specify a native VLAN for the port.
  • Page 198 The following example removes VLAN 2 from the allowed VLAN list of port 1/15: Ruijie(config)# interface fastethernet 1/15 Ruijie(config-if)# switchport trunk allowed vlan remove 2 Ruijie(config-if)# end Ruijie# show interfaces fastethernet 1/15 switchport Interface Switchport Mode Access Native Protected VLAN lists...
  • Page 199 Gi0/16, Gi0/17, Gi0/18, Gi0/19 Gi0/20, Gi0/21, Gi0/22, Gi0/23 Gi0/24 10 VLAN0010 STATIC Gi0/2, Gi0/3 20 VLAN0020 STATIC Gi0/2, Gi0/3, Gi0/4 30 VLAN0030 STATIC Gi0/3, Gi0/4 Ruijie#show vlan id 20 VLAN Name Status Ports ---- -------- ------ ----------------------- 20 VLAN0020 STATIC...
  • Page 200: Protocol Vlan Configuration

    The protocol VLAN configuration takes effect for Trunk port and Hybrid port, not for the Access port. Ruijie products support both global IP address-based VLAN classification, and packet type and Ethernet type-based VLAN classification on a port. Because IP address-based VLAN classification is a global configuration, once configured, it will apply to all trunk ports and Hybrid ports.
  • Page 201: Configuring A Protocol Vlan

    Specify the IP address and subnet mask in the x.x.x.x format. Note: The following command configures the IP address 192.168.100.3 with the mask 255.255.255.0 for VLAN 100. Ruijie# configure terminal Ruijie(config)# protocol-vlan ipv4 192.168.100.3 mask 255.255.255.0 vlan 100 Ruijie(config-vlan)# end Ruijie# show protocol-vlan ipv4 mask vlan...
  • Page 202 Show all profiles. show protocol-vlan profile id: Show a profile. For example: Ruijie# configure terminal Ruijie(config)# protocol-vlan profile 1 frame-type ETHERII ether-type EHTER_AARP Ruijie(config)# protocol-vlan profile 2 frame-type SNAP ether-type 0x809b Ruijie(config-vlan)# end Ruijie# show protocol-vlan profile profile frame-type ether-type Interfaces|vid...
  • Page 203 The following example applies profile 1 and profile 2 to the GE interface 1 of Slot 3. The VLAN categories are VLAN 101 and 102: Ruijie# configure terminal Ruijie(config)# interface gi 3/1 Ruijie(config-if)# protocol-vlan profile 1 vlan 101 Ruijie(config-if)# protocol-vlan profile 2 vlan 102 Ruijie(config-if)# end Ruijie# show protocol-vlan profile...
  • Page 204: Private Vlan Configuration

    Configuration Guide Private VLAN Configuration Private VLAN Configuration Private VLAN Technology If the service provider offers a VLAN to each subscriber, the service provider supports a limited number of subscribers because one device supports 4096 VLANs at most. On the layer 3 device, each VLAN is assigned with a subnet address or a series of addresses, which results in a waste of IP addresses.
  • Page 205 but the packets in the isolated VLAN received on the trunk port cannot be forwarded to the isolated port. The VID of a tagged packet forwarded from the promiscuous port to the isolated trunk port is the VID of the secondary VLAN. A community port, a port in the community VLAN, can communicate with other community ports in the same community VLAN as well as the promiscuous port in the primary VLAN.
  • Page 206: Configuring A Vlan As A Private Vlan

    3. The secondary VLANs are associated with the primary VLAN. The following example configures 802.1Q VLAN as a private VLAN: Ruijie# configure terminal Ruijie(config)# vlan 303 Ruijie(config-vlan)# private-vlan community Ruijie(config-vlan)# end Ruijie# show vlan private-vlan community VLAN Type Status Routed Interface Associated VLANs --- ----...
  • Page 207 VLANs. Exit the VLAN mode. show vlan private-vlan [type]: Show the private VLAN. For example: Ruijie# configure terminal Ruijie(config)# vlan 202 Ruijie(config-vlan)# private-vlan association 303-307,309,440 Ruijie(config-vlan)# end Ruijie# show vlan private-vlan VLAN Type Status Routed Interface Associated VLANs --- ----...
  • Page 208 The following example configures secondary VLAN routing: Ruijie# configure terminal Ruijie(config)# interface vlan 202 Ruijie(config-if)# private-vlan mapping add 303-307,309,440 Ruijie(config-if)# end Ruijie# Note: The primary VLAN and the secondary VLANs in this process are associated...
  • Page 209 Trunk Native VLAN list to the default VLAN1. For example: Ruijie# configure terminal Ruijie(config)# interface gigabitEthernet 0/2 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# switchport private-vlan association trunk 202 203 Ruijie(config-if)# switchport trunk allowed vlan 100 Ruijie(config-if)# switchport trunk native vlan 100...
  • Page 210 For example: Ruijie# configure terminal Ruijie(config)# interface gigabitEthernet 0/2 Ruijie(config-if)# switchport mode private-vlan promiscuous Ruijie(config-if)# switchport private-vlan mapping 202 add 203 Ruijie(config-if)# end Note: The primary VLAN and the secondary VLANs in this process are associated. Showing a Private VLAN...
  • Page 211 Ruijie# show vlan private-vlan VLAN Type Status Routed Interface Associated VLANs --- ---- -------- ------ --------- ------------------ 202 prim active Enabled Gi0/1 303-307,309,440 303 comm active Disabled Gi0/2 304 comm active Disabled Gi0/3 305 comm...
  • Page 212 #Set interface gigabitEthernet 0/1, 0/2 in Community VLAN 100, interface gigabitEthernet 0/3 in Isolated VLAN 101, interface gigabitEthernet 0/4 as Promiscuous Port. Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if)#switchport mode private-vlan host Ruijie(config-if)#switchport private-vlan host-association 99 100 Ruijie(config-if)#exit Ruijie(config)#interface gigabitEthernet 0/2 Ruijie(config-if)#switchport mode private-vlan host Ruijie(config-if)#switchport private-vlan host-association 99 100...
  • Page 213 Ruijie(config)#interface gigabitEthernet 0/5 Ruijie(config-if)#switchport mode private-vlan promiscuous Ruijie(config-if)#switchport private-vlan mapping 99 add 100-101 Ruijie(config-if)#show vlan private-vlan VLAN Type Status Routed Ports Associated VLANs ----- ---------- -------- -------- -------------------------- primary active Disabled Gi0/4, Gi0/5 100-101 community active...
  • Page 214 # Set interface gigabitEthernet 0/1, 0/2 in Community VLAN 100, interface gigabitEthernet 0/3 in Isolated VLAN 101, interface gigabitEthernet 0/4 as Promiscuous Port. Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if)#switchport mode private-vlan host Ruijie(config-if)#switchport private-vlan host-association 99 100 Ruijie(config-if)#exit Ruijie(config)#interface gigabitEthernet 0/2 Ruijie(config-if)#switchport mode private-vlan host Ruijie(config-if)#switchport private-vlan host-association 99 100...
  • Page 215 Ruijie(config-if)#switchport mode private-vlan promiscuous Ruijie(config-if)#switchport private-vlan mapping 99 add 100-101 Ruijie(config-if)#exit # Set an SVI (192.168.1.1) for the Primary VLAN and map the Secondary VLANs to the L3 interface of the Primary VLAN. Ruijie(config)#interface vlan 99 Ruijie(config-if)#ip address 192.168.1.1 255.255.255.0...
  • Page 216 Ruijie(config-vlan)#private-vlan isolated Ruijie(config-vlan)#exit Ruijie(config)#vlan 99 Ruijie(config-vlan)#private-vlan primary Ruijie(config-vlan)#private-vlan association 101 Ruijie(config-vlan)#exit #On the SwitchA and SwitchB, set interface gigabitEthernet 0/1 as the Trunk Port, interface gigabitEthernet 0/2, 0/3 as the Isolated Trunk Port, interface gigabitEthernet 0/4 in the Isolated VLAN101.
  • Page 217 Ruijie(config-if)#switchport mode trunk Ruijie(config-if)#exit Ruijie(config)#interface gigabitEthernet 0/2 Ruijie(config-if)#switchport mode trunk Ruijie(config-if)#switchport private-vlan association trunk 99 101 Ruijie(config-if)#exit Ruijie(config)#interface gigabitEthernet 0/3 Ruijie(config-if)#switchport mode trunk Ruijie(config-if)#switchport private-vlan association trunk 99 101 Ruijie(config-if)#exit Ruijie(config)#interface gigabitEthernet 0/4 Ruijie(config-if)#switchport mode private-vlan host...
  • Page 218 Configuration Guide Share VLAN Configuration Share VLAN Configuration Overview A Share VLAN is a VLAN that shares its addresses; it solves the problem that, after the switch has learned a MAC address in one VLAN, packets destined to that MAC address are broadcast in another VLAN. When a VLAN is set to be the Share VLAN, it replicates its learned dynamic and static MAC addresses to other VLANs, and the other VLANs also replicate their learned dynamic and static MAC addresses to the Share VLAN.
  • Page 219 Configure Share VLAN Do the following steps to configure the Share VLAN: Command Function: Ruijie(config-vlan)# Share: Enable the Share VLAN.
  • Page 220 VLAN0002 STATIC Gi0/1 VLAN0004 STATIC Gi0/2 VLAN0010 Share Gi0/1 Show the status of the MAC address: Ruijie# show mac-address-table Share Vlan MAC Address Type Interface Status ---- -------------- ------- ------------------- ---------- 0040.4650.1e1e DYNAMIC GigabitEthernet 0/1 original 0040.4650.1e1e DYNAMIC GigabitEthernet 0/1 duplicated...
  • Page 221 Configuration Example Switch configuration: Core switch Port 1 is a hybrid port; PVID is VLAN 10; all VLANs are untagged; port 3 and port 4 are trunk ports; all VLANs are allowed VLANs; the native VLAN is VLAN Aggregate switch 1 Port 2 and port 3 are trunk ports;...
  • Page 222 Port 1 is a hybrid port; PVID is VLAN 2; VLAN 2 and VLAN 10 are untagged; port 2 is a trunk port; all VLANs are allowed VLANs; the native VLAN is VLAN 1. Access switch 2 Port 1 is a hybrid port;...
  • Page 223 Gi0/1, Gi0/3, Gi0/4 VLAN0004 STATIC Gi0/1, Gi0/3, Gi0/4 VLAN0010 Share Gi0/1, Gi0/3, Gi0/4 Show the status of the MAC address: Ruijie(config)# show mac-address-table Share Vlan MAC Address Type Interface Status ---- -------------- ------- ------------------- ---------- 0040.4650.1e1e DYNAMIC GigabitEthernet 0/3 original...
  • Page 224: Voice Vlan Configuration

    Configuration Guide Voice VLAN Configuration Voice VLAN Configuration Introduction to Voice VLAN Overview With the continual development of technology, IP phone is being used more and more widely. It converts analog signals into digital signals which are transmitted over the IP network to the receiver. Then, upon the receipt of data packets, the receiver converts digital signals back to the analog signals.
  • Page 225 2. A PC and an IP phone form a daisy chain to access the network, with both voice and data streams transmitted. In this case, voice streams and data streams are transmitted in the voice VLAN and the data VLAN respectively. Generally, this type of connection is used when office staff need both data communication with the PC and voice communication with the IP phone.
  • Page 226 message as the one of voice stream of voice VLAN configured on the equipment. Meanwhile, the subscriber may set the Voice VLAN aging time on the equipment. When no voice message is received from the input port within the aging time, the system will delete the port from the Voice VLAN.
  • Page 227 Trunk Port Yes; the native VLAN of the access port must exist and must not be the Voice VLAN. Meanwhile, the port allows the native VLAN to pass. Hybrid Port Yes; the native VLAN of the access port must exist and must not be the Voice VLAN.
  • Page 228 Trunk Port Yes; the native VLAN of the access port must exist and must not be the Voice VLAN. Meanwhile, the access port allows native VLAN Voice VLAN messages to pass. Hybrid Port Yes; the native VLAN of the access port must exist and must not be the Voice VLAN.
  • Page 229 Private VLAN Yes; the Voice VLAN hybrid-port interface must be configured as the Primary VLAN. Trunk Port Yes; the native VLAN of the access port must be the Voice VLAN and the access port allows the VLAN to pass. Hybrid Port Yes;...
  • Page 230 dropped. When safe mode is disabled, the source MAC address of streams is not checked, and all streams are permitted to transmit within the Voice VLAN. In safe mode, only the source MAC address of untagged packets and of packets carrying the voice VLAN tag is checked.
  • Page 231 Enabling Voice VLAN Voice VLAN is disabled by default. To enable voice VLAN, run the following commands. Command Function Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# vlan vlan-id Create a Voice VLAN. Ruijie(config-vlan)# exit Exit VLAN configuration mode.
  • Page 232 Ruijie(config)# voice vlan vlan-id: Enable Voice VLAN and set one VLAN as the Voice VLAN. To disable voice VLAN, run the no form of this command. For example: # Enable Voice VLAN globally and set VLAN 2 as the Voice VLAN.
  • Page 233 By default, voice VLAN works in auto mode on a port. To set the working mode, run the following commands. Command Function: Ruijie# configure terminal: Enter global configuration mode. Ruijie(config)# interface interface-name: Enter the interface configuration mode. Ruijie(config-if)# voice vlan mode auto: Enable auto mode. The working mode of voice VLAN is set independently on each interface.
  • Page 234 2) In auto mode, do not set the native VLAN of a port as the Voice VLAN for normal operation. 3) Caution: For Ruijie products, all VLAN packets can be transmitted on a Trunk Port / Hybrid Port by default. Remove the voice VLAN from the allowable VLAN list...
  • Page 235 # Set 0012.3400.0000 as the legal OUI address of voice VLAN. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# voice vlan mac-address 0012.3400.0000 mask ffff.ff00.0000 description Company A Ruijie(config)# show voice vlan oui Oui Address...
  • Page 236 Command Function Ruijie# configure terminal Enter global configuration mode. Enable safe mode. Ruijie(config)# voice vlan security enable By default, Voice VLAN safe mode is enabled. To disable safe mode, run the no form of this command. For example: # Enable safe mode.
  • Page 237 Showing Voice VLAN Configuration and Status Voice VLAN provides the following display commands for showing various configuration and operation information. The function of each command is explained as follows: Command Function: show voice vlan: Display Voice VLAN configuration information and current status, including the working modes of ports with the Voice VLAN function enabled.
  • Page 238 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# vlan 2 Ruijie(config-vlan)# exit Ruijie(config)# voice vlan 2 2) Voice VLAN Aging time is 1,000 minutes. # Set Voice VLAN aging time. Ruijie(config)# voice vlan aging 1000...
  • Page 239 5) Enable the 802.1x function on the port simultaneously. # Configure an expert ACL and permit the streams matching the OUI address. Ruijie(config)# expert access-list extended safe_channel Ruijie(config-exp-nacl)# permit ip any 0012.3400.0000 ffff.ff00.0000 any any # Configure the security tunnel. Ruijie(config)# security global access-group safe_channel # Set Fa0/1 with 802.1x enabled as the controlled port.
  • Page 240 MODE -------------------- ---------- Fa0/1 AUTO // Fa 0/1 enables Voice VLAN as auto mode # Viewing Voice VLAN OUI address of the equipment Ruijie(config)# show voice vlan oui Oui Address Mask Description 0012.3400.0000 ffff.ff00.0000 Voice VLAN Manual Mode Networking requirements 1) Create VLAN 2 as Voice VLAN.
  • Page 241 Ruijie(config-if)# switchport hybrid native vlan 2 # Join Voice VLAN (i.e., VLAN 2) in the list of untagged VLANs that join Fa 0/1 Ruijie(config-if)# switchport hybrid allowed vlan add untagged 2 # Enable Voice VLAN function of Fa 0/1 Ruijie(config)# interface fastEthernet 0/1...
  • Page 242 Current voice vlan enabled port mode: PORT MODE -------------------- ---------- Fa0/1 MANUAL // Fa 0/1 enables Voice VLAN as manual mode # Viewing Voice VLAN OUI address of the equipment Ruijie(config)# show voice vlan oui Oui Address Mask Description 0012.3400.0000 ffff.ff00.0000 Company A...
  • Page 243: Mstp Configuration

    STP and RSTP STP and RSTP Overview The Ruijie series supports both the STP protocol and the RSTP protocol and complies with the IEEE 802.1D and IEEE 802.1w standards. The STP protocol can prevent broadcast storms caused by link loops and provide link redundancy and backup.
  • Page 244 Configuration Guide MSTP Configuration By exchanging Bridge Protocol Data Unit (BPDU) frames destined to the multicast address 01-80-C2-00-00-00 (in hex), bridges get the information necessary for building the optimal tree-type topology. A BPDU is comprised of the following elements: ...
  • Page 245 Spanning-Tree Timers The following describes three timers affecting the performance of spanning tree.  Hello timer: interval to send the BPDU message.  Forward-Delay timer: interval to change the port status, that is, the time interval at which the port switches from the listening status to the learning status and vice versa when the RSTP protocol runs in the compatible STP protocol mode.
  • Page 246 Figure-3 There are three port states for every port, indicating whether data packets are forwarded and controlling the topology of the whole spanning tree.  Discarding: neither forwards received frames nor learns the source MAC address.
  • Page 247 Figure-4 If all three switches enable the Spanning Tree protocol, they will select switch A as the root bridge by exchanging BPDU messages. Once Switch B detects that two ports are connected to Switch A, it will select the port with the highest priority as the root port, while the other one is selected as the alternate port.
  • Page 248 Figure-6 If the path between Switch B and Switch C fails, Switch C will automatically switch the alternate port to the root port. Consequently, the network topology is generated as shown in Figure 7. Figure-7 Rapid Convergence of RSTP The following introduces the special function of RSTP: enabling rapid forwarding on a port.
  • Page 249 than itself, takes Switch A as the root bridge and the port that receives the message as the root port, and forwards the proposal message. Then it sends the Agree message to Switch A through the root port. Upon receipt of the proposal message, Switch A will forward the message through its designated port.
  • Page 250 Figure-9 Figure-10 In addition, the following figure shows a point-to-point connection, which users should distinguish carefully. Figure-11...
  • Page 251 Figure-12 Protocol Migration Figure-13 MSTP Overview Ruijie series supports the MSTP protocol, a new spanning-tree protocol derived from the traditional STP and RSTP protocols that includes the rapid forwarding mechanism of the RSTP protocol itself. Since traditional spanning tree protocols are not related to a VLAN, the...
  • Page 252 As shown in Figure 14, Switches A and B are located in Vlan1, and switches C and D in Vlan2. They form a loop. Figure-14 If the cost of the path from Switch A through Switch C and Switch D to Switch B is smaller than that of the direct path from Switch A to Switch B, the latter path will be torn down, as shown in Figure 15.
  • Page 253 Figure-16 In this way, no loop occurs and the communication between the devices in a VLAN works as well. How to Partition MSTP regions According to the above description, MSTP regions should be partitioned rationally and the switches in an MSTP region should be configured similarly for the MSTP protocol to work properly.
  • Page 254 The MSTP BPDU carries the above information. If a device receives a BPDU whose MST configuration information is the same as its own, it considers that the device connected to this port belongs to the same MST region as itself. It is recommended to configure the instance-VLAN table while the STP protocol is disabled, and then enable the MSTP protocol, to ensure the stability and convergence of the network topology.
  • Page 255 instance 1, only the paths from switch A to switch B and from switch A to switch C are available, which breaks the loop of the VLAN group. Figure-18 As shown in Figure 19, switch B with the highest priority is selected as the region root in MSTI 2 (instance 2).
  • Page 256 Spanning Tree between MSTP regions (CST) For the CST, each MSTP region is equivalent to a large-sized device, and the different MSTP regions also form a large-sized network topology tree, referred to as the CST (common spanning tree). As shown in Figure 20, for the CST, switch A with the smallest bridge ID is selected as the root of the entire CST (CST Root) and the CIST Regional Root in this region.
  • Page 257 0, which means the BPDU message has timed out. A device will discard a BPDU message whose hop count is 0. In order to be compatible with the STP protocol and the RSTP protocol outside a region, the MSTP protocol still retains the Message age and Max age mechanisms.
  • Page 258 If a BPDU message is received on a Port Fast enabled port, its Port Fast operational state is disabled. At this time, the port performs forwarding by the normal STP algorithm. Understanding AutoEdge If the specified port doesn't receive a BPDU message sent by the downstream port within a certain period of time (3 seconds), the port is considered to be connected to a network device and is set as an edge port, entering the Forwarding status directly.
  • Page 259 port, this port will enter the error-disabled status, indicating a configuration error. At the same time, the port will be closed to show that some illegal user may have added a network device to the network, which changes the network topology. You can also use the spanning-tree bpduguard enable command to enable BPDU guard on an individual interface in the interface configuration mode (regardless of whether it is an AutoEdge port or not).
  • Page 260 Understanding TC Guard The TC-Protection function can reduce the removal of MAC address entries and ARP entries when a large number of TC messages are generated in a network. However, you need to perform more delete operations in case of a TC message attack. Furthermore, the TC message is propagated and will have an effect on the whole network.
  • Page 261 Therefore, the concept of TC filter is introduced. TC filter enables the port to filter the messages it receives when the topology changes. TC filter is disabled by default. This function resolves the problems of clearing addresses and interrupting core routing when a...
  • Page 262 Understanding BPDU Source MAC Check The goal of the BPDU source MAC check function is to prevent a malicious attack on the switch by manually sending BPDU messages and thus causing the MSTP protocol to work abnormally. When the peer switch connected to a port in point-to-point mode is determined, enabling the BPDU source MAC check function allows the port to receive only BPDU messages from the remote switch and discard all other BPDU messages, protecting against malicious attacks.
  • Page 263 Caution: 1. Incorrectly using ROOT Guard leads to network link breakdown. 2. If you enable ROOT Guard on a non-designated port, the non-designated port will be enforced as a designated port and show the BKN status (blocking status). 3. If MST0 enters the BKN status because it receives a configuration message of higher priority on a port, ROOT Guard will enforce the port in all the other instances to enter the BKN status.
  • Page 264 The spanning tree protocol is disabled on the device by default. To enable the spanning tree protocol, execute the following command in the privileged mode: Command Function: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree: Enable the spanning tree protocol. Ruijie(config)# end: Return to the privileged EXEC mode.
  • Page 265: Configuring Switch Priority

    The default mode of the device is MSTP. To enable the spanning tree protocol, execute the following command in the privileged mode: Command Function: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree mode mstp/rstp/stp: Switch the spanning tree version. Ruijie(config)# end: Return to the privileged EXEC mode.
  • Page 266: Configuring Port Priority

    To configure switch priority, execute the following command in the global configuration mode: Command Function: Ruijie# configure terminal: Enter the global configuration mode. Configure different switch priorities for different instances. This command configures the switch priority for instance 0 without the instance-id parameter.
  • Page 267 0 to 240, in integral multiples of 16; 128 by default. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show spanning-tree [mst instance-id] interface interface-id: Verify the configuration. Ruijie# copy running-config: Save the configuration.
  • Page 268 200,000,000. The default value is calculated automatically from the media rate of the port. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show spanning-tree [mst instance-id] interface interface-id: Verify the configuration. Ruijie# copy running-config startup-config: Save the configuration. To restore the path cost of a port to the default value, execute the no spanning-tree mst cost command in the interface configuration mode.
  • Page 269: Configuring Hello Time

    Command Function: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree pathcost method long/short: Configure the default calculation method of the port path cost as long or short, long by default. Ruijie(config)# end: Return to the privileged EXEC mode.
  • Page 270 Command Function: Ruijie(config)# end: Return to the privileged EXEC mode. Ruijie# show running-config: Verify the configuration. Ruijie# copy running-config startup-config: Save the configuration. To restore the forward-delay time to the default value, execute the no spanning-tree forward-time command in the global configuration mode.
  • Page 271: Configuring Protocol Migration Processing

    Command Function: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree tx-hold-count numbers: Configure the maximum number of BPDU messages sent per second, in the range of 1 to 10, 3 by default. Ruijie(config)# end: Return to the privileged EXEC mode.
  • Page 272 Command Function: Ruijie# clear spanning-tree detected-protocols: Forcibly check the version on all ports. Ruijie# clear spanning-tree detected-protocols interface interface-id: Forcibly check the version on the port. Configuring an MSTP Region To deploy several devices in the same MSTP Region, you have to configure these devices with the same name, the same revision number, and the same Instance-VLAN table.
  • Page 273 Similarly, the no name and no revision commands can be used to restore the MST name and MST revision number settings to the default value, respectively. The following is the example of configuration: Ruijie(config)# spanning-tree mst configuration Ruijie(config-mst)# instance 1 vlan 10-20 Ruijie(config-mst)# name region1 Ruijie(config-mst)# revision 1 Ruijie(config-mst)# show...
  • Page 274 Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree max-hops hop-count: Configure the Maximum-Hop Count, ranging from 1 to 40, 20 by default. Ruijie(config)# end: Return to the privileged EXEC mode. Ruijie# show running-config: Verify the configuration.
  • Page 275: Enabling Port Fast

    The configuration clears the STP receive/transmit packet statistics. Use the show spanning-tree counters command to see the statistics. Ruijie# clear spanning-tree counters: Clear the statistics of the receive/transmit packets on all ports. Ruijie# clear spanning-tree counters interface interface-id: Clear the statistics of the receive/transmit packets on the designated ports.
  • Page 276: Enabling Bpdu Guard

    To disable AutoEdge, execute the following commands in the global configuration mode: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# interface interface-id: Enter the interface configuration mode. A legal interface contains a physical port and an Aggregate Link.
  • Page 277 Ruijie(config)# interface interface-id: Enter the interface configuration mode. A legal interface contains a physical port and an aggregate link. Ruijie(config-if)# spanning-tree portfast: Enable Port Fast on the interface before the bpduguard configuration takes effect globally.
  • Page 278 Enabling Tc_Protection. To configure Tc_Protection, execute the following commands in the global configuration mode: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree tc-protection: Enable Tc-Protection. Ruijie(config)# end: Return to the privileged EXEC mode.
  • Page 279 Ruijie(config)# interface interface-id: Enter the configuration mode of the specified interface. Legal interfaces include physical ports and Aggregate Links. Ruijie(config-if)# spanning-tree ignore tc: Enable the TC filter on the interface. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show running-config: Verify the configuration.
  • Page 280 Ruijie(config-if)# bpdu src-mac-check H.H.H: Enable BPDU source MAC check. Ruijie(config-if)# end: Return to the privileged mode. Ruijie# show running-config: Verify the configuration. Ruijie# copy running-config startup-config: Save the configuration. To disable BPDU source MAC check, execute the no bpdu src-mac-check command in the interface mode.
  • Page 281: Enabling Loop Guard

    Enabling Loop Guard. To configure global LOOP Guard, execute the following commands in the privileged mode: Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# spanning-tree loopguard default: Enable global LOOP Guard. Return to the privileged mode.
  • Page 282: Showing Mstp Configuration And Status

    Ruijie# show spanning-tree: Show the information on the parameters and topology of MSTP. Ruijie# show spanning-tree summary: Show the information on the various instances and port forwarding status of MSTP. Ruijie# show spanning-tree inconsistentports: Show the ports blocked due to root guard or loop guard.
  • Page 283: Mstp Configuration Example

    Ruijie# show spanning-tree interface interface-id: Show the MSTP information of all the instances of the interface. Ruijie# show spanning-tree forward-time: Show the forward-time. Ruijie# show spanning-tree Hello Time: Show the Hello time. Ruijie# show spanning-tree: Show max-hops.
  • Page 284 Ruijie(config-vlan)# exit # Set the spanning tree to MSTP mode, VLAN 2-Instance 1 and VLAN 3-Instance 2 mapping, and set the MST configuration name to Ruijie, MST Revision Number to 1. View the MST configurations and enable the spanning tree protocol.
  • Page 285 Ruijie(config)# spanning-tree Enable spanning-tree. # Set the priority for Instance 0 to 4096 Ruijie(config)# spanning-tree mst 0 priority 4096 Configuring Switch B # Set interface Gi0/1 and Gi 0/2 as Trunk port and create VLAN 2 and VLAN 3 Ruijie(config)# interface gigabitEthernet 0/1...
  • Page 286 Ruijie(config-vlan)# exit # Set the spanning tree to MSTP mode, VLAN 2-Instance 1 and VLAN 3-Instance 2 mapping, and set the MST configuration name to Ruijie, MST Revision Number to 1. View the MST configurations and enable the spanning tree protocol.
  • Page 287 Ruijie(config-vlan)# exit # Set the spanning tree to MSTP mode, VLAN 2-Instance 1 and VLAN 3-Instance 2 mapping, and set the MST configuration name to Ruijie, MST Revision Number to 1. View the MST configurations and enable the spanning tree protocol.
  • Page 288 HelloTime : 2 ForwardDelay : 15 BridgeMaxAge : 20 BridgeHelloTime : 2 BridgeForwardDelay : 15 MaxHops: 20 TxHoldCount : 3 PathCostMethod : Long BPDUGuard : enabled BPDUFilter : Disabled LoopGuardDef : Disabled ###### mst 0 vlans map : 1, 4-4094 BridgeAddr : 00d0.f82a.aa8e Priority: 32768 TimeSinceTopologyChange : 0d:0h:19m:44s...
  • Page 289 TopologyChanges : 5 DesignatedRoot : 1002.00d0.f82a.aa8e RootCost : 0 RootPort : 0 # View the spanning tree configurations on the interface Fa 0/1 Ruijie# show spanning-tree interface fastEthernet 0/1 PortAdminPortFast : Disabled PortOperPortFast : Disabled PortAdminAutoEdge : Enabled PortOperAutoEdge : Disabled...
  • Page 290 ###### MST 1 vlans mapped :2 PortState : discarding PortPriority : 128 PortDesignatedRoot : 1001.00d0.f834.56f0 PortDesignatedCost : 0 PortDesignatedBridge :8001.00d0.f822.33aa PortDesignatedPort : 8002 PortForwardTransitions : 5 PortAdminPathCost : 200000 PortOperPathCost : 200000 Inconsistent states : normal PortRole : alternatePort ###### MST 2 vlans mapped :3 PortState : forwarding...
  • Page 291 802.1X frames: Standard frames developed by the IEEE for authentication of users accessing the network, including frames stipulated by the IEEE standards and private protocol frames of Ruijie. The frames are identified by the Layer 2 destination MAC address, which is 0180:C200:0003 for standard protocol frames and 01D0:F800:0003 for Ruijie 802.1X frames.
  • Page 292 Execute the following commands globally to enable transparent transmission of BPDU frames: Ruijie# configure terminal: Enters the global configuration mode. Ruijie(config)# bridge-frame forwarding protocol bpdu: Enables transparent transmission of BPDU frames. Ruijie(config)# end: Returns to the privileged mode. Configuring Transparent Transmission of GVRP Frames...
  • Page 293 Simple configuration of transparent transmission of PVST frames. Configuration requirements: In this network topology, the Ruijie switch works together with Cisco devices. Enable Cisco PVST on the Cisco switches and the multicast function on the Ruijie switch. Make sure that Cisco PVST works properly.
  • Page 294: Gvrp Configuration

    Configuration Guide GVRP Configuration GVRP Configuration Overview GVRP (GARP VLAN Registration Protocol) is a GARP (Generic Attribute Registration Protocol) application that dynamically configures and propagates VLAN membership. Through GVRP protocol, the device can:  Listen to GVRP PDUs on each port, learn the VLAN information registered on GVRP-aware devices connected according to such GVRP PDUs, and then configure VLAN members on the port receiving GVRP PDUs.
  • Page 295 When GVRP is not enabled globally, you can configure other GVRP parameters, but these GVRP configurations will only take effect after GVRP is running. Enable GVRP globally: Ruijie(config)# [no] gvrp enable: Enable GVRP (if it is disabled). Configuration example: Ruijie# configure Enter configuration commands, one per line. End with CNTL/Z.
  • Page 296 The user cannot change the parameters of dynamic VLANs created by GVRP. Configuration example: Ruijie# configure Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# gvrp dynamic-vlan-creation enable Ruijie(config)# end Configure the GVRP VLAN In the context without STP (Spanning-tree protocol), all available ports can be GVRP participants.
  • Page 297 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface gigabitethernet 1/1 Ruijie(config-if)# gvrp registration mode enable normal Ruijie(config-if)# end Configure Port Declaration Mode There are two declaration modes to control whether the port will send GVRP declarations.
  • Page 298 Make sure all interconnected GVRP devices use the same GVRP Timer configurations, or else GVRP may not function well. Adjust the value of the GVRP Timer: Ruijie(config)# [no] gvrp timer {join | leave | leaveall} timer-value: Set the timer value of the port. Example of setting the GVRP Join Timer: Ruijie# configure Enter configuration commands, one per line.
  • Page 299: Display Gvrp Status

    To clear all GVRP statistics so that counting restarts: Ruijie# clear gvrp statistics {interface-id | all}: Clear all statistics for the port. Example of clearing GVRP statistics for port 1: Ruijie# clear gvrp statistics gigabitethernet 1/1 Display GVRP status Execute "show gvrp status"...
  • Page 300 Execute "show gvrp configuration" command to display the current GVRP status. This command can be used to display the dynamic ports of dynamically created VLANs and static VLANs. Command Function Ruijie# show gvrp configuration Display current GVRP configurations Configuration example: Ruijie# show gvrp configuration Global GVRP Configuration:...
  • Page 301: Qinq Configuration

    Configuration Guide QinQ Configuration. Introduction to QinQ: QinQ, as specified in IEEE 802.1ad, goes by many names in the industry, for instance dot1q-tunneling, Tag in Tag, VLAN VPN and Stack VLAN. Since the VLAN Tag field defined in IEEE 802.1Q has only 12 bits for the VLAN ID, the device supports up to 4094 VLANs.
  • Page 302 really untagged or tagged with an 802.1Q tag, and then are encapsulated with the tag of the ISP. The VLAN ID is the default VLAN of the tunnel port. Figure 2 Packet structure with two tags. Basic QinQ: Basic QinQ is enabled per port. When a tunnel port is configured, the device adds the VLAN tag of the default VLAN of the tunnel port to the packets arriving at the tunnel port.
  • Page 303 Other functions:  TPID setting and priority duplication and mapping  MAC address duplication  Layer 2 protocol transparent transmission  Uplink port. TPID setting and priority duplication and mapping: The Ethernet frame tag includes four fields: TPID (Tag Protocol Identifier), User Priority, CFI and VLAN ID.
  • Page 304 Figure 3 Learn MAC address of flexible QinQ packet. As shown in the above figure, the switch connects to the user network through a dot1q-tunnel port, on which VLAN 4 is set as the native VLAN. The packets of VLAN 3 are encapsulated with a VLAN 5 tag as the outer tag.
  • Page 305: Configuring Qinq

    When the packets arrive at the edge device on the other side, the destination MAC address is changed back to the public address. This ensures transparent transmission of Layer 2 protocol packets in ISP networks. Uplink port: An uplink port is essentially a special trunk port. The difference is that the packets output from the uplink port are tagged, but the packets output from a trunk port (when they are forwarded from the native VLAN) are untagged.
  • Page 306: Configuring Basic Qinq

    The following example demonstrates how to configure a QinQ port: Ruijie(config)# interface fastEthernet 0/1 Ruijie(config-if)# switchport mode dot1q-tunnel Ruijie(config-if)# switchport dot1q-tunnel native vlan 20 Ruijie(config-if)# switchport dot1q-tunnel allowed vlan tagged 100-200 Ruijie(config-if)# end Configuring Flexible QinQ The section includes: ...
  • Page 307 4-22: Ruijie# configure Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode dot1q-tunnel Ruijie(config-if)# switchport dot1q-tunnel allowed vlan add tagged 3 Ruijie(config-if)# dot1q outer-vid 3 register inner-vid 4-22 Ruijie(config-if)# end Configure outer tag-based VID change policy table For the packets incoming from Access port, Trunk port, Hybrid port and Uplink port, sometimes you need to change the VIDs of outer tags according to the VIDs of outer tags of incoming packets.
  • Page 308 The following example changes the VID of the outer tag to 100 when the VID of the outer tag of incoming packets is 10-20. Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# dot1q relay-vid 100 translate local-vid 10-20 Ruijie(config-if)# end Configuring flow-based VID change policy table ...
  • Page 309 The following example adds the VID 9 to the packets from 1.1.1.3: Ruijie# configure Ruijie(config)# ip access-list standard 20 Ruijie(config-acl-std)# permit host 1.1.1.3 Ruijie(config-acl-std)# exit Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode dot1q-tunnel...
  • Page 310 The following example changes the VID of the outer tag to 3 for the packets from 1.1.1.1: Ruijie# configure Ruijie(config)# ip access-list standard 2 Ruijie(config-acl-std)# permit host 1.1.1.1 Ruijie(config-acl-std)# exit Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode trunk...
  • Page 311: Configuring Vlan Mapping

    The following example demonstrates how to change the VID in the tag of the ingress packet back to 4 before forwarding it. Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# vlan-mapping-in vlan 3 remark 4 Ruijie(config-if)# vlan-mapping-out vlan 4 remark 3 Ruijie(config-if)# end Configuring Many-to-one VLAN Mapping On Access, Trunk, Hybrid or Uplink ports, execute the following commands to configure many-to-one VLAN mapping.
  • Page 312 8 before forwarding it. Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# vlan-mapping-in vlan 3-7 remark 8 Ruijie(config-if)# end After VLAN mapping is configured, the VLAN ID of the packet delivered to CPU is the changed VLAN ID.
  • Page 313 View the TPID value list on the port. The following example demonstrates how to configure the TPID: Ruijie(config)# interface gigabitethernet 0/1 Ruijie(config-if)# frame-tag tpid 9100 Ruijie(config-if)# end Ruijie# show frame-tag tpid interface gigabitethernet 0/1 Port tpid ------- ------------- Gi0/1 0x9100...
  • Page 314 The following example shows how to configure the priority duplication of the user tag: Ruijie(config)# interface gigabitethernet 0/1 Ruijie(config-if)# mls qos trust cos Ruijie(config-if)# inner-priority-trust enable Ruijie(config-if)# end Ruijie# show inner-priority-trust interface gigabitethernet 0/1 Port inner-priority-trust ------ ------------------- Gi0/1 enable...
  • Page 315 The following example shows how to configure the priority mapping of the user tag: Ruijie(config)# interface gigabitethernet 0/1 Ruijie(config-if)# dot1q-Tunnel cos 3 remark-cos 5 Ruijie(config-if)# end Ruijie# show interface gigabitethernet 0/1 remark Ports Type From value To value ------------ ----------- ----------- --------...
  • Page 316 To delete these entries, disable inter-VLAN MAC address duplication. The following example shows how to configure address duplication of the user tag: Ruijie(config)# interface gigabitethernet 0/1 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# mac-address-mapping destination-vlan 5 source-vlan 1-3...
  • Page 317 Enter the global configuration mode. l2protocol-tunnel stp tunnel-dmac mac-address: Configure the transparent transmission address of the corresponding protocol. show l2protocol-tunnel stp: View the configuration. The example below shows how to configure the transparent transmission address of the STP protocol: Ruijie# configure Ruijie(config)# l2protocol-tunnel stp tunnel-dmac 011AA9 000005...
  • Page 318 interface [ intf-id ]: Show the TPID value on the interface. Ruijie# show inner-priority-trust: Show the priority duplication configuration. Ruijie# show interface intf-name remark: Show the priority mapping configuration. Ruijie# show mac-address-mapping: Show the address duplication configuration...
  • Page 320 IP Address and Application Configuration 1. IP Address and Service Configuration 2. IPv6 Configuration 3. DHCP Configuration 4. DHCP Relay Configuration 5. DHCPv6 Configuration 6. DHCPv6 Relay Agent Configuration 7. DNS Configuration 8. FTP Server Configuration 9. FTP Client Configuration 10.
  • Page 321: Ip Address Configuration

    Configuration Guide IP Address and Service Configuration. IP Address Configuration. IP Address Overview: An IP address is made up of 32 binary bits and is expressed in dotted decimal format for the convenience of writing and description. In dotted decimal format, the 32 binary bits are broken into four octets (1 octet equals 8 bits).
  • Page 322 Class D: multicast address. An IP address whose highest four bits are 1111 is prohibited. This type of IP address, also called a Class E IP address, is reserved. Note: When you build a network, you should plan IP addressing according to the real network environment.
  • Page 323: Ip Address Configuration Task List

    At this point, the mask is called a subnet mask. Theoretically, any bit of the host address of an IP address can be used as the subnet mask. Note: Ruijie products only support contiguous subnet masks, from left to right, starting from the network ID.
  • Page 324  Assigning multiple IP addresses to an interface: Ruijie products support assigning multiple IP addresses to an interface, with one being the primary IP address and the others being secondary addresses. Theoretically, you can configure as many secondary addresses as you wish. A secondary IP address can reside in the same network as the primary IP address or in a different one.
  • Page 325 The principle of RARP is similar to ARP. RARP resolves an IP address from a MAC address. RARP is generally configured on diskless workstations. Normally, a device can work without any special address resolution configuration. Ruijie products manage address resolution by:  Configuring ARP Statically...
  • Page 326 ARP offers dynamic IP-address-to-MAC-address mapping. It is not necessary to configure ARP statically in most cases. By configuring ARP statically, Ruijie products can respond to the ARP requests for other IP addresses. To configure static ARP, execute the following command in the global...
  • Page 327 Layer 2. Handling Broadcast Packets: A broadcast packet is destined for all hosts in a physical network. Ruijie products support two kinds of broadcast packets: directed broadcast and flooding. A directed broadcast packet is sent to all the hosts in a specific network; the host ID bits of its destination IP address are all set to 1.
  • Page 328: Monitoring And Maintaining Ip Address

    Establishing an IP Broadcast Address: Currently, the most popular form is a destination address consisting of all 1s (255.255.255.255). Ruijie products can be configured to generate any form of IP broadcast address and to receive any form of IP broadcast packet.
  • Page 329: Ip Address Configuration Examples

    Command Function Ruijie# clear arp-cache Clear the ARP cache. Ruijie# clear ip route {network [mask] | *} Clear the routing table. Displaying System and Network Status You can show the contents of the IP routing table, cache, and database. Such information is very helpful in troubleshooting the network.
  • Page 330 Secondary IP address configuration example: Configure RIPv1. You can see the routes of 172.16.2.0/24 on router C and the routes of 172.16.1.0/24 on router D. Configuration of the Routers: RIPv1 does not support classless-based routes. This means masks are not carried with routing advertisement.
  • Page 331: Ip Service Configuration

    To enable this service, execute the following command in the interface configuration mode: Ruijie(config-if)# ip unreachables: Enable the ICMP protocol unreachable and host unreachable messages. Ruijie(config-if)# no ip unreachables: Disable the ICMP protocol unreachable and host unreachable messages.
  • Page 332 MTU have to be fragmented before sending. Otherwise they cannot be forwarded on the interface. Ruijie products allow you to adjust the MTU on an interface. Changing the MTU value can affect the IP MTU value: the IP MTU value is modified automatically to match the new MTU.
  • Page 333 Ruijie(config-if)# no ip mtu Configuring IP Source Routing: Ruijie products support IP source routing. Upon receiving an IP packet, the device checks its IP header for options such as strict source route, loose source route and record route, which are defined in RFC 791. If one of these options is enabled, the device performs the appropriate action.
  • Page 334 Configuration Guide IPv6 Configuration. IPv6 Overview: As the Internet grows rapidly and the IPv4 address space is being exhausted, the limitations of IPv4 become more obvious. Research and practice of the next generation of the Internet Protocol have become popular. The IPng working group of the IETF defined the protocol specification of IPng, referred to as IPv6.
  • Page 335 service of the IPv4 and refers to it as the Stateful Auto-configuration. Furthermore, the IPv6 also adopts an auto-configuration service, referred to as the Stateless Auto-configuration. During the stateless auto-configuration, the host obtains the local address of the link, the address prefix of local device and some other related configuration information automatically.
  • Page 336: Ipv6 Address Format

     IPv6 Stateless Auto-configuration  IPv6 Address Configuration  IPv6 Route Forwarding (supporting static route configuration)  Configuration of various IPv6 parameters  Diagnosis Tool Ping IPv6. IPv6 Address Format: The basic format of an IPv6 address is X : X : X : X : X : X : X : X, where each X is a 4-digit hexadecimal integer (16 bits).
  • Page 337  Unicast: Identifier of a single interface. The packet to be sent to a unicast address will be transmitted to the interface identified by this address.  Anycast: Identifiers of a set of interfaces. The packet to be sent to an anycast address will be transmitted to one of the interfaces identified by this address (select the nearest one according to the routing protocol).
  • Page 338  RES field (Reserved for future use): Reservation field, 8 bits. It may be used to expand the top-level or the next-level aggregation identifier field.  NLA ID field (Next-Level Aggregation Identifier): Next-Level Aggregation Identifier, 24 bits. This identifier is used by the institutions controlling the top-level aggregation to arrange the address space.
  • Page 339 3. Site-level Local Addresses. The format of the site-level local addresses is shown as follows: | 1111111011 (10 bits) | (38 bits) | subnet ID (16 bits) | interface ID (64 bits) |. The site-level local address can be used to transmit data within the site, and a router will not forward to the Internet a packet whose source address or destination address is a site-level local address.
  • Page 340 IPv6 addresses of the IPv4 mapping dynamically and return them to the IPv6 application. Multicast Addresses: The format of the IPv6 multicast address is shown as follows: | 11111111 (8 bits) | flgs (4 bits) | scop (4 bits) | group ID (112 bits) |. The first byte of the address is all 1s, which denotes a multicast address.
  • Page 341 address of the solicited node for each configured unicast address and anycast address. The prefix of the solicited-node multicast address is FF02:0:0:0:0:1:FF00:0000/104; the remaining 24 bits are the lower 24 bits of the unicast address or anycast address. For instance, the solicited-node multicast address corresponding to FE80::2AA:FF:FE21:1234 is FF02::1:FF21:1234. The solicited-node multicast address is usually used for the neighbor solicitation (NS) message.
  • Page 342 IPv6 Packet Header Structure: The format of the IPv6 packet header is shown as the figure below: The IPv4 packet header takes 4 bytes as the unit; the IPv6 packet header takes 8 bytes as the unit and the total length of the packet header is 40 bytes. In the IPv6 packet header, the following fields are defined: ...
  • Page 343 The length is 16 bits, including the byte length of payload and the length of various IPv6 extension options (if any). In other words, it includes the length of an IPv6 packet except for the IPv6 header itself. ...
  • Page 344 necessary. This extension header can be used to carry the information checked by the destination node.  Upper-layer Extended Header (Upper-layer header): It indicates the upper-layer transmission protocol, such as TCP (6) and UDP (17). Furthermore, the Authentication and Encapsulating Security Payload extension headers are described in the IPSec section.
  • Page 345 The following is the neighbor solicitation procedure: Neighbor Unreachability Detection: The Neighbor Unreachability Detection function is performed when sending an IPv6 unicast packet to a neighbor whose reachable time has expired. Neighbor Unreachability Detection and sending the IPv6 packet to the neighbor can be processed together.
  • Page 346 In general, the Router Advertisement (RA) contains the contents below:  One or more IPv6 address prefixes used for the on-link confirmation or the stateless address auto-configuration.  Effective period of the IPv6 address prefix.  Usage of the host auto-configuration (Stateful or stateless).
  • Page 347: Configuring Ipv6 Address

    Rs-interval: Interval of sending the neighbor solicitation message. Reachabletime: Time maintained after considering the neighbor reachable. We configure the above parameters in the IPv6 interface properties. By default, no Router Advertisement (RA) message is sent actively on the interface. To enable it, use the command no ipv6 nd suppress-ra in the interface configuration mode.
  • Page 348 The following is an example of the configuration of the IPv6 address: Ruijie(config)# interface vlan 1 Ruijie(config-if)# ipv6 enable Ruijie(config-if)# ipv6 address fec0:0:0:1::1/64 Ruijie(config-if)# end Ruijie# show ipv6 interface vlan 1 Interface vlan 1 is Up, ifindex: 2001 address(es): Mac Address: 00:00:00:00:00:01 INET6: fe80::200:ff:fe00:1 , subnet is fe80::/64...
  • Page 349 Use the no ipv6 redirects command to disable the redirection function. The following is an example of configuring the redirection function: Ruijie(config)# interface vlan 1 Ruijie(config-if)# ipv6 redirects Ruijie(config-if)# end Ruijie# show ipv6 interface vlan 1 Interface vlan 1 is Up, ifindex: 2001 address(es):...
  • Page 350: Configuring Static Neighbor

    Use the no ipv6 neighbor command to delete the specified neighbor. The following is an example of configuring a static neighbor on SVI 1: Ruijie(config)# ipv6 neighbor fec0:0:0:1::100 vlan 1 00d0.f811.1234 Ruijie(config)# end Ruijie# show ipv6 neighbors verbose fec0:0:0:1::100...
  • Page 351: Configuring Address Conflict Detection

    Use the no ipv6 nd dad attempts command to restore the default value. The following is an example of configuring the number of neighbor solicitation (NS) messages sent for address conflict detection on SVI 1: Ruijie(config)# interface vlan 1 Ruijie(config-if)# ipv6 nd dad attempts 3 Ruijie(config-if)# end...
  • Page 352 Ruijie# show ipv6 interface vlan 1 Ruijie(config)# interface vlan 1 Ruijie(config-if)# ipv6 nd dad attempts 3 Ruijie(config-if)# end Ruijie# show ipv6 interface vlan 1 Interface vlan 1 is Up, ifindex: 2001 address(es): Mac Address: 00:d0:f8:00:00:01 INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64...
  • Page 353 ipv6 nd reachable-time milliseconds: (Optional) Define the time after which a neighbor is considered reachable. Note: as specified in RFC 4861, the reachable time of a neighbor is increased or decreased at random, in the range of 0.5 to 1.5 times the configured time.
  • Page 354: Ipv6 Monitoring And Maintenance

    [static] [local] [connected]: Show the information of the IPv6 routing table. 1. View the IPv6 information of an interface. Ruijie# show ipv6 interface interface vlan 1 is Down, ifindex: 2001 address(es): Mac Address: 00:d0:f8:00:00:01 INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64...
  • Page 355 2. View the information of the router advertisement (RA) message to be sent on an interface. Ruijie# show ipv6 interface ra-info vlan 1: DOWN RA timer is stopped waits: 0, initcount: 3 statistics: RA(out/in/inconsistent): 4/0/0, RS(input): 0...
  • Page 356: Dhcp Configuration

    The DHCP is detailed in RFC 951 and RFC 1542. Introduction to the DHCP Server As specified in RFC2131, the DHCP server of Ruijie is implemented to assign and manage IP addresses for the DHCP clients. The DHCP operation process...
  • Page 357 During negotiation, if the DHCP client does not respond to the DHCPOFFER packet in time, the DHCP server will send the DHCPNAK packet to the DHCP client, initiating the address request process again. The advantages of using the DHCP server of Ruijie for network construction are:...
  • Page 358  Decrease network access cost. Generally, dynamic address assignment costs less than static address assignment.  Simplify configuration tasks and reduce network construction cost. Dynamic address assignment significantly simplifies equipment configuration, and even reduces deployment cost if devices are deployed in the places where there are no professionals.
  • Page 359 500ms. Configuring the DHCP Client on the Ethernet Interface: Ruijie products support obtaining an IP address dynamically assigned by the DHCP server on an Ethernet interface. To configure the DHCP client on the Ethernet port, execute the following...
  • Page 360 Configuring the DHCP Client in the PPP Encapsulation Link: Ruijie products support obtaining an IP address dynamically assigned by the DHCP server on a PPP encapsulation interface. To configure the DHCP client, execute the following command in the interface...
  • Page 361 Ruijie# clear ip dhcp conflict { address | *}: Clear the DHCP address conflict information. Ruijie# clear ip dhcp server statistics: Clear the DHCP server statistics. To debug the DHCP server, execute the following command in the command...
  • Page 362: Dhcp Relay Configuration

    Configuration Guide DHCP Relay Configuration DHCP Relay Configuration Overview Understanding DHCP The DHCP protocol is widely used to dynamically allocate the reusable network resources, for example, IP address. The DHCP Client sends the DHCP DISCOVER packet in broadcast form to the DHCP Server.
  • Page 363 RFC3046 specifies that the option is numbered 82, so it is also called option82. This option can be divided into several sub-options. Currently, the sub-options in frequent use are Circuit ID and Remote ID. Ruijie provides two types of relay agent information. One is the relay agent information option dot1x that is combined with the 802.1x/SAM application scheme, the other is relay...
  • Page 364 Configuration Guide DHCP Relay Configuration different privileges. The Circuit ID is in the following format, where the privilege and vid fields respectively have two bytes: 2. relay agent information option82: This option can be used without running other protocol modules. During DHCP relay, the device forms option82 information according to the port that receives the DHCP request message and the physical IP address of the device itself, and uploads the option82 information to the DHCP server.
  • Page 365: Configuring The Dhcp Relay Agent

    To configure the DHCP relay agent, execute the following commands in the global configuration mode: Command Function Ruijie(config)# service dhcp Enable the DHCP agent. Ruijie(config)# no service dhcp Disable the DHCP agent. Configuring the IP Address of the DHCP Server After you have configured the IP address of the DHCP Server, the DHCP request message received by the device will be forwarded to it.
  • Page 366 In global configuration mode, follow the steps to configure the DHCP manage-vlan. Command Function Ruijie(config)# ip dhcp relay information manage-vlan vlanid Enable the DHCP manage-vlan function and designate the source interface as vlan vlanid. Ruijie(config)# no ip dhcp relay information manage-vlan Disable the DHCP manage-vlan function.
  • Page 367 Configuration Guide DHCP Relay Configuration Command Function Ruijie(config)# default ip dhcp relay information manage-vlan Designate the source interface as default vlan 1. Configuring DHCP option dot1x Description in Understanding the DHCP Relay Agent Information shows that we can configure ip dhcp relay information option dot1x to enable the option dot1x function of the DHCP relay when you need to assign the IP addresses with different privileges to the users of different privileges.
  • Page 368: Configuring Dhcp Option 82

    //Permit the packets whose source IP address is the gateway. Ruijie(config-ext-nacl)# permit ip host 192.168.4.1 any Ruijie(config-ext-nacl)# permit ip host 192.168.5.1 any Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255 //Prohibit unauthorized users from accessing each other Ruijie(config-ext-nacl)# deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255...
  • Page 369: Configuring Dhcp Relay Suppression

    Function Ruijie(config)# ip dhcp relay information option82 Enable the DHCP option82 function. Ruijie(config)# no ip dhcp relay information option82 Disable the DHCP option82 function. Configuring DHCP relay check server-id After the ip dhcp relay check server-id command is configured, the device resolves DHCP SERVER-ID option upon receiving DHCP relay.
  • Page 370 Configuration Guide DHCP Relay Configuration Ruijie# configure terminal Ruijie(config)# service dhcp //Enable the dhcp relay function Ruijie(config)# ip helper-address 192.18.100.1 //Add an IP address globally Ruijie(config)# ip helper-address 192.18.100.2 //Add an IP address globally Ruijie(config)# interface GigabitEthernet 0/3 Ruijie(config-if)# ip helper-address 192.18.200.1...
  • Page 371 Configuration Guide DHCP Relay Configuration hostname Ruijie vlan 1 ip helper-address 192.18.100.1 ip helper-address 192.18.100.2 ip dhcp relay information option dot1x interface GigabitEthernet 0/1 interface GigabitEthernet 0/2 interface GigabitEthernet 0/3 no switchport ip helper-address 192.168.200.1 ip helper-address 192.168.200.2 interface VLAN 1 ip address 192.168.193.91 255.255.255.0...
  • Page 372 # Set Gi0/2 as the Trust Port of ARP detection Ruijie(config-if)# ip arp inspection trust Ruijie(config-if)# exit # Enable the DAI function in the specified VLAN Ruijie(config)# ip arp inspection vlan 1 # Set the IP address(SVI1) for the device Ruijie(config)# interface vlan 1 Ruijie(config-if)# ip address 10.2.0.1 255.255.0.0 # Set the static route to another network segment(10.1.0.0/16)
  • Page 373 # Configure the default gateway for the DHCP Client Ruijie(dhcp-config)# default-router 10.2.1.1 # Configure the network number and mask for the DHCP address pool Ruijie(dhcp-config)# network 10.2.0.0 255.255.0.0 # Configure the static route to another network segment (10.2.0.0/16) Ruijie(config)# ip route 10.2.0.0 255.255.0.0 10.1.0.1...
  • Page 374: Dhcpv6 Configuration

    Configuration Guide DHCPv6 Configuration DHCPv6 Configuration DHCPv6 Overview Along with the development of IPv6 network, IPv6-based network is being applied more and more widely. As the framework proposed at the beginning of IPv6 design, the automatic configuration of network nodes has become a key feature of IPv6 network. In the new network framework, the concepts of stateless configuration and stateful configuration were brought forward.
  • Page 375 Configuration Guide DHCPv6 Configuration Request message to solicit for configuration information, and the DHCP server will send Reply message after completing the allocation of parameters. As mentioned above, such a 4-message interaction is very similar to the 4-message interaction in DHCPv4 (Discover - Offer - Request - Reply). Certainly, DHCPv6 has made further modifications and expansions.
  • Page 376 Configuration Guide DHCPv6 Configuration sites. Terminal devices (such as PC) can realize auto-configuration of address via stateless auto-configuration or stateful auto-configuration. Fig 2 Prefix-based DHCPv6 application The above figure illustrates the application of prefix-based DHCPv6 in IPv6 network.  Core router runs prefix delegation (PD) based DHCPv6 server. ...
  • Page 377 Ruijie (config)# interface type number Enter interface configuration mode. Ruijie (config-if)#ipv6 dhcp client pd prefix-name [rapid-commit] Enable the DHCPv6 client and prefix solicitation on the interface. For example: Ruijie# configure terminal Ruijie(config)# interface fastethernet 0/1 Ruijie(config-if)# ipv6 dhcp client pd pd_name...
  • Page 378 Restart the DHCPv6 Client on the Interface To restart DHCPv6 Client on the interface, run the following commands: Command Function Ruijie#clear ipv6 dhcp client interface-type interface-number Restart the DHCPv6 client on this interface. For example: Ruijie# clear ipv6 dhcp client fastethernet 0/1...
  • Page 379: Dhcpv6 Relay Agent Configuration

    Configuration Guide DHCPv6 Relay Agent Configuration DHCPv6 Relay Agent Configuration Understanding DHCPv6 Relay Agent DHCPv6 Overview In the IPv6 network, DHCPv6 enables users to automatically obtain the IPv6 address and related parameters. Without the help of the DHCPv6 Relay Agent, the DHCPv6 server can only provide service for the DHCPv6 clients belonging to the same network segment.
  • Page 380 Default value DHCPv6 Relay Agent Disabled DHCPv6 Relay Agent Server Address Not specified. Configuring DHCPv6 Relay Agent Command Function Ruijie# configure terminal Enter global configuration mode. Ruijie(config)# interface interface-type interface-name Enter interface configuration mode (the gateway of the DHCPv6 client network segment).
  • Page 381 VLAN 1, with the destination address of 3001::2: Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#interface vlan 1 Ruijie(config-if)#ipv6 dhcp relay destination 3001::2 Ruijie(config-if)#end 1. The IPv6 DHCP Relay Destination command can only be used on the layer-3 interface.
  • Page 382: Network Requirements

    Configuration Guide DHCPv6 Relay Agent Configuration The following example shows the DHCPv6 Relay destination address: Ruijie# show ipv6 dhcp relay destination all Interface: Vlan1 Destination address(es) Output Interface 3001::2 FF02::1:2 Vlan2 The following example shows the DHCPv6 Relay Agent statistical information:...
  • Page 383 Ruijie#config Enter configuration commands, one per line. End with CNTL/Z Ruijie(config)#interface vlan 1 Ruijie(config-if)#ipv6 dhcp relay destination FF02::1:2 interface gi 0/1 Showing Verification ) Show the DHCPv6 Relay Agent configurations on the Device1: Ruijie# show ipv6 dhcp relay destination all...
  • Page 384 Configuration Guide DHCPv6 Relay Agent Configuration Server address(es) Output Interface 3001::2 2) Show the DHCPv6 Relay Agent configurations on the Device2: Ruijie# show ipv6 dhcp relay destination all Interface: Interface vlan 1 Server address(es) Output Interface FF02::1:2 gi0/...
  • Page 385: Dns Configuration

    The domain name resolution (or host name resolution) is the process that the device obtains IP address which corresponds to the host name by the host name. The Ruijie switches support the host name resolution locally or by the DNS. During the resolution of domain name, you can firstly adopt the static method.
  • Page 386 * is entered, the dynamic buffer table will be cleared. Otherwise, only the entries of specified domain names will be cleared. Command Function Clear the dynamic buffer table of host names. Ruijie# clear host [word] The host names configured statically will not be removed.
  • Page 387: Application Examples

    Configuration Guide DNS Configuration Showing Domain Name Resolution Information This section describes how to display the DNS configuration. Command Function Ruijie# show hosts Show the DNS configuration. Ruijie# show hosts DNS name server 192.168.5.134 static host type address www.163.com static 192.168.5.243...
  • Page 388: Ftp Server Configuration

    Configuration Guide FTP Server Configuration FTP Server Configuration Overview You can set a device as the FTP server. Then you can connect to the FTP server through a FTP client and upload or download documents through the FTP protocol. FTP server enables you to get documents from devices like Syslog file. You can also copy documents to the file system of devices directly.
  • Page 389 Function Ruijie(config)# ftp-server enable Enable the FTP Server. Ruijie(config)# no ftp-server enable Disable the FTP Server. In a real network, only one client is allowed to access the FTP server at a time. Caution Configure the Top Directory The function limits the range that the FTP client can access. (For the details on how to view and manage the directories on the device, refer to File System Configuration Guide.) For...
  • Page 390 To configure session idle timeout, run the ftp-server timeout command in the global configuration mode. Command Function Sets the session idle timeout. Ruijie(config)# ftp-server timeout time time: idle timeout in the range of 1-3600 minutes Restores the idle timeout to the default value Ruijie(config)# no ftp-server timeout...
  • Page 391 Command Function Ruijie(config)# ftp-server username username Sets user name. Ruijie(config)# no ftp-server username Removes the user name configuration. Ruijie(config)# ftp-server password [type] password Sets a password. Ruijie(config)# no ftp-server password Removes the password configuration. A user name consists of up to 64 characters, including English letter, half-width numeral and half-width symbol, not blank space.
  • Page 392 PORT 192,167,201,82,7,120 FTPSRV_DEBUG:(REPLY) 200 PORT Command okay. The following example turns off the debugging of the FTP Server: Ruijie# no debug ftpserver Configuration Example Below shows how to configure the FTP Server: Step 1: Set the user name to “admin” and the password to “letmein”.
  • Page 393: Ftp Client Configuration

    Configuration Guide FTP Client Configuration FTP Client Configuration FTP Client provides users with the feature of file transfer with remote FTP server through FTP protocol. FTP Overview FTP (File Transfer Protocol) is a concrete application of TCP/IP for establishing connection-oriented and reliable TCP session between FTP client and server.
  • Page 394 Configuration Guide FTP Client Configuration Active Mode Figure 2 Port (active) Mode In this mode, FTP server actively establishes data connection with FTP client through the following four steps:  The client uses the source port 5150 to communicate with the port 21 of server. The client requests to establish connection and notify the server that it is using the port 5151.
  • Page 395 The control connection for transferring commands and replies exists all along, and the data connection is only established when needed. The application of PASV mode or PORT mode is determined only by FTP client, which will send relevant commands to use different modes of data connection. By default, Ruijie FTP client uses passive mode.
  • Page 396: Introduction To Ftp Client

    Introduction to FTP Client Instead of any standard FTP client using interactive commands, Ruijie FTP Client uses the copy command to complete the steps of open, user and pass. After control connection is established, it will enter file transfer process and establish data connection, allowing file upload or download.
  • Page 397: Restoring Default Settings

    Before downloading, launch FTP Server program on the host and then log into the device. In privileged EXEC mode, execute the following command to download file. Command Function Ruijie# copy ftp://username:password@dest-address[/remote-directory ]/remote-file Download the file specified in URL to the device. The filename can be reset.
  • Page 398: Uploading File

    Using username of "user" and password of "pass" to download a file named "remote-file" from the directory "root" on FTP Server with IP address being 192.168.23.69 to directory "home" on the local device, and change the name to "local-file". Ruijie# copy ftp://user:pass@192.168.23.69/root/remote-file flash: home/local-file Uploading File In CLI command mode, execute the following steps to complete file upload: Before uploading, launch FTP Server program on the host and then log into the device.
  • Page 399: Network Communication Detection Tools

    As with the basic ping function, the extended ping also shows statistics. The following is an example of the extended ping: Ruijie# ping 192.168.5.197 length 1500 ntimes 100 data ffff source 192.168.4.190 timeout 3 Sending 100, 1000-byte ICMP Echoes to 192.168.5.197, timeout is 3 seconds: <...
  • Page 400: Traceroute Connectivity Test

    As with the basic ping function, the extended ping also shows statistics. The following is an example of the extended ping: Ruijie# ping ipv6 2000::1 length 1500 ntimes 100 data ffff source 2000::2 timeout 3 Sending 100, 1000-byte ICMP Echoes to 2000::1, timeout is 3 seconds: <...
  • Page 401 The traceroute command can run in the user EXEC mode and the privileged EXEC mode. The command format is as follows: Command Function Ruijie# traceroute [protocol] [address] [probe probe] [ttl minimum maximum] Trace the path that a packet passes through.
  • Page 402 The traceroute ipv6 command can run in the user EXEC mode and the privileged EXEC mode. The command format is as follows: Command Function Ruijie# traceroute ipv6 [address [probe probe] [ttl minimum maximum] [timeout Trace the path that a packet passes through.
  • Page 403 This is very useful for network analysis. 2. traceroute ipv6 example where some gateways in a network are not connected: Ruijie# traceroute ipv6 3004::1 < press Ctrl+C to break > Tracing the route to 3004::1 3000::1...
  • Page 404 Configuration Guide IPv4 Express Forwarding Configuration IPv4 Express Forwarding Configuration Overview To adapt to the needs of high-end devices, currently we are using "Prefix Tree + Adjacency" Express Forwarding model to achieve fast forwarding. In case the device only caches partial information of the core routing table, the central CPU will have to add cache entries again if the cache fails.
  • Page 405 In the express forwarding table, the adjacency list is one of the important data structures. Execute the following commands to view existing adjacency information: Command Function Ruijie# show ip ref adjacency [glean | Display the glean adjacency, local adjacency, IP-specific adjacency,...
  • Page 406 IPv4 Express Forwarding Configuration Ruijie# show ip ref route [default | (ip mask)] Display the default routing information in the existing express forwarding table. If no default route is specified, all routing information in the express forwarding table will be displayed, including routes, default route and ordinary gateway routes.
  • Page 407 Ruijie(config)# ecmp load-balance {[crc32_lower | crc32_upper] [dip] [port] [udf number]} Use the corresponding "no" command to remove KEY components represented by the keywords carried in the "no" command. For example, the combination of SIP+DIP+Port has been saved by the system. After executing the "no ip ref ecmp route dip port" command, SIP will be the only component of the KEY.
  • Page 409: Ip Routing Configuration

    IP Routing Configuration 1. Static Route Configuration...
  • Page 410: Static Route Configuration

    Ruijie(config)# no ip static route-limit number of static routes. If they are not deleted, Ruijie product will always retain the static routes. However, you can replace the static routes with the better routes learned by the dynamic routing protocols. Better routes mean that they have smaller distances.
  • Page 411 Configuration Guide Static Route Configuration Ruijie(config)#show ip route 10.0.0.0 Routing entry for 10.0.0.0/8 Distance 1, metric 0 Routing Descriptor Blocks: *172.0.1.2, generated by "static" Ruijie(config)#show ip route weight ------------[distance/metric/weight]----------- 10.0.0.0/8 [1/0/6] via 172.0.1.2 The maximum number of static routes is 32 by default. If the number of static routes configured exceeds the specified upper limit, they will not be automatically deleted, but the addition will fail.
  • Page 413 Multicast Configuration 1. IGMP Snooping Configuration 2. MLD Snooping Configuration...
  • Page 414: Igmp Snooping Configuration

    Configuration Guide IGMP Snooping Configuration IGMP Snooping Configuration Overview IGMP Snooping Internet Group Management Protocol, abbreviated as IGMP Snooping, is an IP multicast flow mechanism running in the VLAN, and used to manage and control the IP multicast flow forwarding in the VLAN and belongs to the Layer2 multicast function. The IGMP Snooping function described below is in the VLAN, and the related ports are the member ports in the VLAN.
  • Page 415 Configuration Guide IGMP Snooping Configuration Ruijie multicast products support both the layer 2 multicast (IGMP Snooping) function and the layer 3 multicast (Multicast-routing) function. That is to say, to realize better packet forwarding function, Ruijie device supports not only the layer 3 multicast route forwarding, but also the snooping in the VLAN.
  • Page 416 Configuration Guide IGMP Snooping Configuration [Figure residue: dynamic router port aging. Labels recovered: "Enable a timer for each dynamic router port. The timeout time is the aging time"; "Aging timer"; "Receive the IGMP general query packet from the router port or the IP PIM Hello"; "Remove port from the dynamic list".]
  • Page 417 Configuration Guide IGMP Snooping Configuration  After receiving the IGMP query(general or specific-group query) packets, the IP multicast group member host responds to the received packets.  If the host wants to join in an IP multicast group, it will take the initiative to send the IGMP membership report to the IGMP querier and claim to join in the IP multicast group.
  • Page 418: Enabling Igmp Snooping

    In the global configuration mode, run the following commands to configure the IGMP Snooping IVGL mode: Command Function Ruijie(config)# ip igmp snooping ivgl Enable the IGMP Snooping IVGL mode. By default, the IGMP Snooping is disabled. Ruijie (config)#show ip igmp snooping Verify the configuration....
  • Page 419 VLAN. This example disables the IGMP Snooping in the VLAN3: Ruijie# configure terminal Ruijie(config)# no ip igmp snooping vlan 3 Ruijie(config)# show ip igmp snooping IGMP Snooping running mode: IVGL SVGL vlan: 1 SVGL profile number: 11...
  • Page 420 Configuration Guide IGMP Snooping Configuration vlan 1 ------------- IGMP Snooping :Enabled Multicast router learning mode :pim-dvmrp IGMPv2 immediate leave :Disabled vlan 2 ------------- IGMP Snooping :Enabled Multicast router learning mode :pim-dvmrp IGMPv2 immediate leave :Disabled vlan 3 ------------- IGMP Snooping :Disabled Multicast router learning mode :pim-dvmrp IGMPv2 immediate leave...
  • Page 421 The following example configures the aging time of the dynamically learned router interface to 100s: Ruijie# configure terminal Ruijie(config)# ip igmp snooping dyn-mr-aging-time 100 Configuring the Maximum Response Time of the IGMP Query Message The multicast router periodically sends an IGMP Query message to query whether a multicast member exists or not.
  • Page 422 This example sets GigabitEthernet 1/1 as the router port and enables dynamic learning function in the VLAN1: Ruijie# configure terminal Ruijie(config)# ip igmp snooping vlan 1 mrouter interface gigabitEthernet 0/7 Ruijie(config)# ip igmp snooping vlan 1 mrouter learn pim-dvmrp Ruijie(config)# end...
  • Page 423: Configuring Igmp Snooping Suppression

    For IGMP Snooping-enabled devices, a multicast group address may have multiple IGMP users. When a user joins the multicast group and receives the IGMP Query message, he or she will send an IGMP Report message. Ruijie switches will forward every IGMP Query...
  • Page 424: Configuring Igmp Profiles

    The following example enables the IGMP Snooping suppression function: Ruijie# configure terminal Ruijie(config)# ip igmp snooping suppression enable Ruijie(config)# end Configuring IGMP Profiles An IGMP Profile entry defines a set of multicast address range and permit/deny activity for the functions like multicast address range for SVGL mode, multicast data range filtered on the router interface, and IGMP Filtering range.
  • Page 425: Configuring Igmp Filtering

    Ruijie(config)# ip igmp profile 1 Ruijie(config-profile)# permit Ruijie(config-profile)# range 224.0.1.0 239.255.255.255 Ruijie(config-profile)# end Ruijie# show ip igmp profile 1 IGMP Profile 1 permit range 224.0.1.0 239.255.255.255 As you can see, the rule of the IGMP Profile is to permit the multicast addresses from 224.0.1.0 to 239.255.255.255, while all other multicast addresses are denied.
  • Page 426: Viewing Current Mode

    Configuration Guide IGMP Snooping Configuration Ruijie #show ip igmp snooping interface fastEthernet 0/1 Interface Filter profile number max-group --------------- --------------------- --------- FastEthernet 0/1 1000 Monitoring You can view the following IGMP Snooping information:  Current operation mode  Router interface ...
  • Page 427: Viewing Dynamic Forwarding Table

    Configuration Guide IGMP Snooping Configuration Ruijie# show ip igmp snooping statistics Current number of Gda-table entries: 1 Configured Statistics database limit: 1024 Current number of IGMP Query packet received : 1957 Current number of IGMPv1/v2 Report packet received: 5 Current number of IGMPv3 Report packet received: 4...
  • Page 428: Viewing Igmp Profile

    This example clears the information on various multicast groups of the GDA table: Ruijie# clear ip igmp snooping gda-table Clearing IGMP Snooping Statistics To clear the forwarding rule of each port in the multicast group, that is, the GDA(Group...
  • Page 429 To view the IGMP Filtering information, execute the following command in the privileged mode: Command Function Ruijie# show ip igmp snooping interface interface-id View IGMP Filtering information. The following example views the IGMP Filtering information. Ruijie# show ip igmp snooping interface GigabitEthernet 0/7 Interface Filter Profile number max-groups ---------- ---------------------- -----------...
  • Page 430: Mld Snooping Configuration

    Configuration Guide MLD Snooping Configuration MLD Snooping Configuration Overview MLD Snooping is the short form of Multicast Listener Discovery Snooping. It is designed to manage and control the transmission of IPv6 multicast stream on layer 2. By running the MLD Snooping equipment and analyzing the MLD message received, a mapping relationship is established between the port and the MAC multicast address, and such relationship provides a basis for the transmission of IPv6 multicast data on layer 2.
  • Page 431 Configuration Guide MLD Snooping Configuration Figure 1 Two types of MLD Snooping ports Multicast Router Port: the port through which the switch connects to the layer 3 multicast device, e.g., port Eth 0/1; Member Port: the short form of the IPv6 multicast group member port, also called Listener Port.
  • Page 432 Configuration Guide MLD Snooping Configuration demote the timer to configured MLD query-max-response-time. When the timer value is reduced to "0", it is considered that there is no longer any listener of the port receiving multicast stream. Layer 2 multicast equipment will delete the port from MLD Snooping forwarding-table.
  • Page 433 Configuration Guide MLD Snooping Configuration certain dynamic listener port. When the fast-leave function is enabled, the equipment will directly remove relevant ports from the list of ports that transmit corresponding group records. Protocol Specification Relevant Protocol specification: RFC4541 Default Configuration The following table is used to describe the default configuration of MLD Snooping.
  • Page 434 IVGL mode. By default, the MLD ivgl Snooping is disabled. Ruijie(config)# exit Return to the privilege mode. Ruijie# show ipv6 mld snooping Verify the configurations. The following example shows how to enable the MLD Snooping and configure the IVGL mode: Ruijie# configure terminal...
  • Page 435 VLANs are enabled. Ruijie(config-vlan)# end Return to the privilege mode. Verify the configurations. Ruijie# show ipv6 mld snooping The following example shows how to disable the MLD Snooping in vlan 2: Ruijie# configure terminal Ruijie(config)# vlan 2...
  • Page 436 The following example shows how to set the aging time for the dynamic route port as 100s: Ruijie# configure terminal Ruijie(config)# ipv6 mld snooping dyn-mr-aging-time 100  Product As for Version 10.4, all products support this configuration.
  • Page 437 10s. The following example shows how to set the max-response-time for the MLD query message as 15s: Ruijie# configure terminal Ruijie(config)# ipv6 mld snooping query-max-response-time 15  Product As for Version 10.4, all products support this configuration. support...
  • Page 438 Configuration Guide MLD Snooping Configuration Ruijie# configure terminal Ruijie(config)# ipv6 mld snooping vlan 1 mrouter interface gigabitEthernet 0/1 Ruijie(config)# ipv6 mld snooping vlan 1 mrouter learn Ruijie(config)# end Ruijie# show ipv6 mld snooping mrouter VLAN Interface State MLD profile ----...
  • Page 439 Ruijie# configure terminal Ruijie(config)# ipv6 mld snooping vlan static FF88::1234 interface GigabitEthernet 0/7 Ruijie(config)# end Ruijie# show ipv6 mld snooping gda Abbr: M - mrouter D - dynamic S - static VLAN Address Listener ports ---- -------------- ----------------------------- FF88::1234 GigabitEthernet 0/7(S) ...
  • Page 440 Configuration Guide MLD Snooping Configuration Ruijie(config)# ipv6 mld snooping fast-leave enable  Product As for Version 10.4, all products support this configuration. support Configuring the Response Suppression for MLD Snooping Membership Report Message When receiving an MLD membership report message from one IPv6 multicast listener, the layer 2 equipment will forward the message to the directly connected layer 3 equipment.
  • Page 441 The following example shows how to configure the profile: Ruijie(config)# ipv6 mld profile 1 Ruijie(config-profile)# permit Ruijie(config-profile)# range ff77::1 ff77::100 Ruijie(config-profile)# range ff88::123 Ruijie(config-profile)# end Ruijie# show ipv6 mld profile 1 MLD Profile 1 permit...
  • Page 442 Command Function Ruijie(config)# interface interface-id Enter the interface configuration mode. Ruijie(config-if)# ipv6 mld snooping filter profile-number (Optional) Apply the profile to this port. profile-number: the valid range is 1-1024. By default, no profile is associated with a port. (Optional) Permit a max number of groups to join this port dynamically.
  • Page 443 Configuration Guide MLD Snooping Configuration Ruijie(config-if)# ipv6 mld snooping filter 1 Ruijie(config-if)# ipv6 mld snooping max-groups 1000 Ruijie (config-if)#end Ruijie #show ipv6 mld snooping interface fastEthernet 0/1 Interface Filter profile number max-group --------------- --------------------- --------- FastEthernet 0/1 1000  Product As for Version 10.4, all products support this configuration.
  • Page 444 statistics [VLAN VLAN-ID] View the MLD Snooping statistics. Ruijie# clear ipv6 mld snooping statistics Clear the MLD Snooping statistics. The following example shows the MLD Snooping statistics: Ruijie# show ipv6 mld snooping statistics GROUP Interface Last report Last leave Last...
  • Page 445 The following example shows each multicast group information in the GDA table and the information of all listener ports of a multicast group: Ruijie# show ipv6 mld snooping gda-table Abbr: M - mrouter D - dynamic S - static...
  • Page 446 To view MLD Snooping Profile information, run the following command: Command Function Ruijie# show ipv6 mld profile profile-number View MLD Snooping Profile information. The following example shows the MLD Snooping Profile information: Ruijie# show ipv6 mld profile 1 MLD Profile 1 permit range FF77::1 FF77::100 range FF88::123...
  • Page 447 11. DoS Protection Configuration 12. DHCP Snooping Configuration 13. Dynamic ARP Inspection Configuration 14. IP Source Guard Configuration 15. ND Snooping Configuration 16. DHCPv6 Snooping Configuration 17. Gateway Anti-Arp-spoofing Configuration 18. NFPP Configuration 19. Ruijie Switches Security Compatible Mode Configuration...
  • Page 448: Aaa Configuration

    Working Principles Authentication, Authorization and Accounting (shortened as AAA) provide a consistent framework for configuring the authentication, authorization and accounting functions, which are supported by Ruijie products. The AAA provides the following services in a modular manner:  Authentication: It verifies whether a user can access, where the Radius protocol or Local can be used.
  • Page 449 Configuration Guide AAA Configuration Although the AAA is the primary access control method, our product also provides simple access controls outside the scope of AAA, such as the local username authentication, line password authentication and more. The difference lies in the degree of their network protection, and the AAA provides the security protection of a higher level.
  • Page 450 Configuration Guide AAA Configuration The figure above illustrates a typical AAA network configuration, including two security servers: R1 and R2 are both RADIUS servers. Suppose the system administrator has defined a method list: R1 is used first to capture the identity information, then R2, and finally the local username database on the NAS.
  • Page 451 Command Function Ruijie(config)# no aaa new-model Disable AAA Sequential Configuration Steps After the AAA is enabled, it is time to configure the other parts related with the selected security solutions. The following table lists the possible configuration tasks and their description chapters.
  • Page 452: Configuring Authentication

    Configuration Guide AAA Configuration Configuring Authentication The authentication verifies the user's identity before the user uses network resources. In most cases, the authentication is implemented with the AAA security features. We recommend the use of AAA as much as possible. Defining AAA Authentication Method List To configure the AAA authentication, the first step is to define a named list of the authentication method, and then the applications use the defined list for authentication.
  • Page 453 When a TIMEOUT is detected, AAA selects the next authentication method in the method list and continues the authentication process. Authentication Type Ruijie products support the following authentication types:  Login Authentication -- authentication of a user terminal logging in to the NAS CLI.
  • Page 454  Configure the security protocol parameters if you decide to use a security server such as RADIUS. See Configuring Radius for details.  Define the authentication method list by using the aaa authentication command.  Apply the method list to a specific interface or line, where applicable. TACACS+ is not supported for DOT1X authentication.
  • Page 455 In the example below, identity authentication can succeed even if the RADIUS server returns TIMEOUT. aaa authentication login default group radius none Because the keyword "none" lets any dial-up user pass authentication when the security server does not reply, it should only be used as the last, backup authentication method.
  • Page 456 Command / Function: aaa new-model: turn on the AAA switch. aaa authentication login {default | list-name} local: define the local method list. Return to the privileged mode. show aaa method-list: confirm the configured method list. configure terminal: enter the global configuration mode.
  • Page 457 Command / Function: show aaa method-list: confirm the configured method list. configure terminal: enter the global configuration mode. line vty line-num: enter the line configuration mode. login authentication {default | list-name}: apply the method list. Return to the privileged mode. show running-config: confirm the configuration.
  • Page 458 even if none of the specified methods replies, it is possible to specify none as the last authentication method. Once configured, the enable authentication method takes effect: when you execute the enable command in privileged mode to switch to a higher privilege level, you are prompted to authenticate.
  • Page 459 Command / Function: username name [password password]: establish the local username and set the password. username name [privilege level]: set the user privilege level (optional). Return to the privileged mode. show running-config: confirm the configuration. To define the local Enable authentication method list, run the following commands: Command Function configure terminal...
  • Page 460 PPP negotiation. This section describes how to configure the AAA Enable authentication methods supported by Ruijie products. To configure AAA Enable authentication, execute the following command in global configuration mode: Command...
  • Page 461 The example below illustrates how to configure the network device to use “Radius + local” for authentication. Ruijie(config)# aaa new-model Ruijie(config)# username Ruijie password starnet Ruijie(config)# radius-server host 192.168.217.64 Ruijie(config)# aaa authentication login test group radius local Ruijie(config)# line vty 0 Ruijie(config-line)# login authentication test Ruijie(config-line)# end Ruijie# show running-config...
  • Page 462 Ruijie(config)# aaa new-model Ruijie(config)# username Ruijie password starnet Ruijie(config)# radius-server host 192.168.217.64 Ruijie(config)# radius-server key test Ruijie(config)# aaa authentication login test group radius local Ruijie(config)# aaa authentication login terms none Ruijie(config)# line tty 1 4 Ruijie(config-line)# login authentication terms Ruijie(config-line)# exit...
  • Page 463: Configuring Authorization

    Configuring Authorization AAA authorization lets the administrator control which services a user may use and which rights the user has. After the AAA authorization service is enabled, the network device configures user sessions according to the user profile stored locally or on the server. Once authorization is complete, the user can only use the services and rights allowed in that profile.
  • Page 464 Command / Function: aaa authorization exec {default | list-name} method1 [method2|…]: define the AAA Exec authorization method. aaa authorization network {default | list-name} method1 [method2|…]: define the AAA Command authorization method. Configuring AAA Exec Authorization Exec authorization grants the privilege level of command execution to a user terminal that logs in to the network access server (NAS).
  • Page 465 Keyword / Description: local: use the local username database for Exec authorization. none: do not perform Exec authorization. group radius: use RADIUS for Exec authorization. group tacacs+: use TACACS+ for Exec authorization. The table above lists the AAA Exec authorization methods supported by our product. Exec authorization is always used together with login authentication, and both can be applied to the same line at the same time.
  • Page 466 “Radius+local” exec authorization is used when a user on vty lines 0-4 logs in. The access server uses the RADIUS server with IP address 192.168.217.64 and shared key test. The local username and password are both Ruijie, and the privilege level is 6.
  • Page 467 Ruijie(config-line)# login authentication mlist1 Ruijie(config-line)# authorization exec mlist2 Ruijie(config-line)# end Ruijie(config)# show running-config aaa new-model aaa authorization exec mlist2 group radius local aaa authentication login mlist1 local username Ruijie password Ruijie username Ruijie privilege 6 radius-server host 192.168.217.64...
  • Page 468: Configuring Accounting

    The example below illustrates how to configure network authorization. Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.217.64 Ruijie(config)# radius-server key test Ruijie(config)# aaa authorization network test group radius local Ruijie(config-line)# end Ruijie(config)# show running-config aaa new-model aaa authorization network test group radius none radius-server host 192.168.217.64...
  • Page 469 Accounting Types Our product currently supports the following accounting types:  Exec Accounting -- records accounting information when a user terminal logged in to the NAS enters and exits the CLI.  Command Accounting –...
  • Page 470 Command / Function: configure terminal: enter the global configuration mode. aaa new-model: turn on the AAA switch. aaa accounting exec {default | list-name} start-stop method1 [method2|…]: define the AAA Exec accounting method list; if you need to define multiple method lists, execute this command repeatedly. aaa accounting network {default | list-name} ...
  • Page 471 Radius exec authorization is used when a user on vty lines 0-4 logs in. The access server uses the RADIUS server with IP address 192.168.217.64 and shared key test. The local username and password are both Ruijie. Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.217.64...
  • Page 472 The example below illustrates how to configure network authorization using RADIUS. Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.217.64 Ruijie(config)# radius-server key test Ruijie(config)# aaa accounting network acct start-stop group radius Ruijie(config-line)# end Ruijie(config)# show running-config aaa new-model aaa accounting network acct start-stop group radius radius-server host 192.168.217.64...
  • Page 473 Monitoring AAA user To view information about the currently logged-in users, run the following command in privileged user mode: Command / Function: show aaa user { id | all }: view information about the current AAA users. Configuring Failed Authentication Lockout of Login User To prevent a login user from guessing the password through repeated attempts, use the command to limit the number of attempts.
  • Page 474 AAA service method list. Ruijie products support the following username formats: 1. userid@domain-name 2. domain-name\userid 3.
  • Page 475 Configuration Guide AAA Configuration Figure-2 Typical topology for the multi-domain network Domain-name-based AAA Service Configuration Tasks The system supports up to 32 domains. Note Enabling AAA Command Function configure terminal Enter the global configuration mode. aaa new-model Turn on the AAA switch. For the detailed command descriptions, please refer to the chapter of Enabling AAA.
  • Page 476 Enabling the Domain-name-based AAA Service Switch Command / Function: configure terminal: enter the global configuration mode. aaa domain enable: enable the domain-name-based AAA service switch. Creating the Domain The following rules apply when searching for the domain name that matches the username: 1.
  • Page 477 Configuring the Domain Attribute Collection Use the following commands to select the AAA service method list in the domain configuration mode: Command / Function: authentication dot1x {default | list-name}: in the domain configuration mode, select the authentication method list. accounting network {default | list-name}: in the domain configuration mode, select the accounting method list.
  • Page 478 1. To select an AAA service method list in the domain configuration mode, the AAA service method list must be defined before entering the domain configuration mode; otherwise the selected list-name refers to a configuration that does not exist.
  • Page 479 The following is an example of configuring the domain-name-based AAA service: Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.197.154 Ruijie(config)# radius-server key test Ruijie(config)# aaa authentication dot1x default group radius Ruijie(config)# aaa domain domain.com Ruijie(config-aaa-domain)# authentication dot1x default Ruijie(config-aaa-domain)# username-format without-domain After the configuration, with the user a1 in the radius server, use the 802.1x client to login the...
  • Page 480: Radius Configuration

    Configuration Guide RADIUS Configuration RADIUS Configuration Overview The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that works with AAA to authenticate users who are attempting to connect and to prevent unauthorized access. In the implementation of our product, the RADIUS client runs on the router or the network access server (NAS) and sends authentication requests to the central RADIUS server.
  • Page 481 Configuration Guide RADIUS Configuration Typical RADIUS network configuration Configuration To configure Radius on the network device, perform the following tasks first:  Enable AAA. For the details, see AAA Overview.  Define the RADIUS authentication method list by using the aaa authentication command. For details about how to use "aaa authentication"...
  • Page 482 To configure RADIUS, it is necessary to configure the RADIUS key. The shared secret on the network device and the shared secret on the RADIUS server must be identical. Caution Specifying the Radius Authentication This means defining the authentication method list for RADIUS after the RADIUS server is specified and the RADIUS authentication shared secret is defined.
  • Page 483 Specify Radius Private Attribute Type This section describes how to configure the type numbers of private (vendor-specific) attributes. The default configurations are as follows: Default configurations of our product private attribute recognition: Function Type max down-rate user ip vlan id version to client...
  • Page 484 Two functions cannot be configured with the same type number. Note Here is an example on how to configure the private type for network device: Ruijie# show radius vendor-specific vendor-specific type-value ---- -------------------- ---------- max down-rate...
  • Page 485 50 Ruijie# configure Ruijie(config)# radius attribute 24 vendor-type 67 Ruijie(config)# show radius vendor-specific vendor-specific type-value ---- -------------------- ---------- max down-rate user ip vlan id version to client...
  • Page 486 Here is an example on how to configure the Radius for network device: Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.12.219 auth-port 1645 acct-port 1646 Ruijie(config)# radius-server key aaa Ruijie(config)# aaa authentication login test group radius Ruijie(config)# end Ruijie# show radius server Server IP: 192.168.12.219 Accounting Port: 1646...
  • Page 487 Configuration Guide RADIUS Dynamic Authorization Extension Configuration RADIUS Dynamic Authorization Extension Configuration Overview The Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS) protocol is defined in RFC 3576 by IETF. This protocol defines a user offline management method, that is, the device communicates with a RADIUS server through Disconnect-Messages (DMs) to log out authenticated users.
  • Page 488 This attribute varies with servers. The calling-station-id attribute supports three encoding formats: ietf, normal and unformatted. For Ruijie servers, ess and smp must be configured with the ietf format, and sam with the normal format. For other servers, configure it as required. For detailed commands, see the “Calling-Station-ID Format”...
  • Page 489 RADIUS Dynamic Authorization Extension Configuration Step 2 Clear DM statistics. Ruijie# clear radius dynamic-authorization-extension statistics Configuration example: Ruijie# show radius dynamic-authorization-extension statistics Disconnect-Request Received: Incorrect Disconnect-Request Received: Disconnect-Request Dropped for Queue Full: Disconnect-Request Process Timeout: Disconnect-Request Process Success: Disconnect-ACK Sent:...
  • Page 490 Examples for Configuring RADIUS Dynamic Authorization Extension Networking Requirements RADIUS dynamic authorization extension must work with the authentication mechanism. The network comprises SAM servers, RADIUS servers, Ruijie access devices, and PCs of users. Ruijie access devices must support RADIUS dynamic authorization extension. Network Topology...
  • Page 491: Configuration Procedure

    Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# aaa new-model Ruijie(config)# aaa authentication dot1x default group radius Ruijie(config)# aaa accounting network default start-stop group radius Ruijie(config)# dot1x authentication default Ruijie(config)# dot1x accounting default Ruijie(config)# radius-server host 192.168.181.66 key radius-key...
  • Page 492 Configuration Guide TACACS+ Configuration TACACS+ Configuration Overview TACACS+ is a security protocol that extends TACACS (RFC 1492, Terminal Access Controller Access Control System) with more powerful functions. It implements AAA for multiple users in client/server mode, with the client communicating with a TACACS+ server. The related TACACS+ server settings must be configured before the TACACS+ server can be used.
  • Page 493 Configuration Guide TACACS+ Configuration  Length ―body length of TACACS+ packet (excluding head). All the packets are transmitted in the network in the encrypted form. Application The typical application of TACACS+ is the login management control of terminal users. TACACS+ client sends user name and password to TACACS+ server for authentication.
  • Page 494 Configuration Guide TACACS+ Configuration Figure 3 The whole process of basic information interaction is divided into three parts: Authentication process includes: a) User requests for logging in to the switch;...
  • Page 495 Configuration Guide TACACS+ Configuration b) After receiving the request, TACACS+ Client sends the authentication beginning message to TACACS+ server; c) TACACS+ server sends the authentication reply message, requesting for the user name; d) TACACS+ Client asks user for user name. e) The user keys in the login user name;...
  • Page 496  Use aaa new-model to enable AAA. AAA must be enabled before using TACACS+; for information on how to enable aaa new-model, please refer to AAA Overview.  Use tacacs-server host to configure one or multiple TACACS+ servers. ...
  • Page 497 Configure the IP address of the remote TACACS+ security server; different parameter combinations configure different parameters on this server: tacacs-server host ip-address [port integer] [timeout integer] key  ip-address: configures the server address;  port integer [optional]: determines the port used by the server; by default, the port number is 49, with a range from 1 to 65535.
  • Page 498 Ruijie(config)# tacacs-server host 192.168.12.219 Ruijie(config)# tacacs-server key aaa  Configure the authentication method to use TACACS+: Ruijie(config)# aaa authentication login test group tacacs+  Apply the authentication method on the line: Ruijie(config)# line vty 0 4 Ruijie(config-line)# login authentication test With the above configuration, login authentication via TACACS+ is in place.
  • Page 499 Ruijie(config-gs-tacacs)# server 192.168.12.219 Ruijie(config-gs-tacacs)# server 192.168.12.218 Configure the authentication method to use tacgroup1: Ruijie(config)# aaa authentication enable default group tacgroup1 With the above configuration, enable authentication against the selected TACACS+ servers is in place. The configuration is shown as follows: Ruijie#show running-config...
  • Page 500 Then configure the TACACS+ server information: Ruijie(config)# tacacs-server host 192.168.12.219 Ruijie(config)# tacacs-server key aaa Configure the authorization method to use TACACS+: Ruijie(config)# aaa authorization exec test group tacacs+ Apply the authorization on the line: Ruijie(config)# line vty 0 4 Ruijie(config-line)# authorization exec test With the above configuration, login (exec) authorization via TACACS+ is in place.
  • Page 501 Ruijie(config)# tacacs-server host 192.168.12.219 Ruijie(config)# tacacs-server key aaa Configure the command audit (accounting) method to use TACACS+:  Ruijie(config)# aaa accounting commands 15 default start-stop group tacacs+ Apply it on the line:  Ruijie(config)# line vty 0 4 Ruijie(config-line)# accounting commands 15 default With the above configuration, enable authentication against the selected TACACS+ servers is in place.
  • Page 502 Configuration Guide TACACS+ Configuration tacacs-server host 192.168.12.219 tacacs-server key aaa line con 0 line vty 0 accounting commands 15 default line vty 1 4 accounting commands 15 default...
  • Page 503: Device Roles

    Configuration Guide 802.1x Configuration 802.1x Configuration Overview In an IEEE 802 LAN, users can access the network device without authentication or authorization as long as they are connected to it. Therefore, an unauthorized user can access the network unobstructed simply by connecting to the LAN.
  • Page 504: Authentication Initiation And Packet Interaction During Authentication

     Supplicant: The supplicant is the role played by the end user, usually a PC. It requests access to network services and responds to the request packets from the authenticator. The supplicant must run an IEEE 802.1x client. Currently, the most popular one is the IEEE 802.1x client shipped with Windows XP.
  • Page 505: States Of Authorized Users And Unauthorized Users

    required for a MAC address (01-80-C2-00-00-03) for the protocol for packet exchange during the initial authentication process. The following diagram shows a typical authentication process, during which the three role devices exchange packets with one another. Figure 0-1 This is a typical authentication process initiated by users (in some special cases, the switch can actively initiate an authentication request, whose process is the same as that shown in the diagram, except that it does not contain the step...
  • Page 506: Topologies Of Typical Applications

    Configuration Guide 802.1x Configuration When a user has passed authentication (the switch has received success packets from the RADIUS Server), the user is authorized and therefore can freely use network resources. If the user fails in the authentication and remains in the unauthenticated status, it is possible to initiate authentication once again.
  • Page 507 Configuration Guide 802.1x Configuration  The ports connected to the Radius Server and the uplink ports are configured as uncontrolled ports, so that the switch can normally communicate with the server and the authorized users can access network resources through the uplink interface.
  • Page 508 Configuration Guide 802.1x Configuration  The ports connected to the access layer switches must be set as controlled ports to control the accessed users, and the users cannot access network resources unless they first pass the authentication. Characteristics of this solution: ...
  • Page 509: Configuring The Communication Between The Device And Radius Server

    Command / Function: Ruijie(config)#aaa new-model: turn on the AAA switch. Ruijie(config)#radius-server host ip-address [auth-port port] [acct-port port]: configure the RADIUS server. Ruijie(config)#radius-server key string: configure the RADIUS key. Ruijie#show radius server: show the RADIUS server. You can use the no radius-server host ip-address auth-port command to restore the authentication UDP port of the RADIUS server to its default.
  • Page 510 For detailed configuration, see Configuring the AAA Service Based on Domain Names. The following example enables 802.1x authentication: Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 192.168.217.64 Ruijie(config)# radius-server key starnet Ruijie(config)# aaa authentication dot1x authen group radius Ruijie(config)# dot1x authentication authen Ruijie(config)# end Ruijie# show running-config aaa new-model...
  • Page 511 Configuration Guide 802.1x Configuration aaa authentication dot1x authen group radius username Ruijie password 0 starnet radius-server host 192.168.217.64 radius-server key 7 072d172e071c2211 dot1x authentication authen interface VLAN 1 ip address 192.168.217.222 255.255.255.0 no shutdown line con 0 line vty 0 4 To apply the RADIUS authentication method in the 802.1x, configure the IP address of the Radius Server and make sure...
  • Page 512 The following example enables re-authentication and sets the re-authentication interval as 1000 seconds. Ruijie# configure terminal Ruijie(config)# dot1x re-authentication Ruijie(config)# dot1x timeout re-authperiod 1000 Ruijie(config)# end Ruijie# show dot1x 802.1X Status:...
  • Page 513 Enabling/Disabling the Filtering of Non-Ruijie Supplicant When the Ruijie supplicant product is used as the 802.1x authentication client, authentication may fail if you use some other 802.1x authentication clients at the same time (for example, Windows XP 802.1x authentication function is enabled).
  • Page 514: Changing The Quiet Time

    You can use the no dot1x timeout quiet-period command to restore the Quiet Period to its default. In the example below the QuietPeriod value is set to 500 seconds: Ruijie# configure terminal Ruijie(config)# dot1x timeout quiet-period 500 Ruijie(config)# end Setting the Packet Retransmission Interval After the device sends the EAP-request/identity, it resends that message if no response is received from the user within a certain period.
  • Page 515 You can use the no dot1x max-req command to restore the maximum number of packet re-transmissions to its default. The following example sets the maximum number of packet retransmissions to 5: Ruijie# configure terminal Ruijie(config)# dot1x max-req 5 Ruijie(config)# end Setting the Maximum Number of Re-authentications When the user authentication fails, the device attempts to perform authentication for the user once again.
  • Page 516 In the privileged EXEC mode, you can set the number of automatic authentication requests by performing the following steps: Command Function Ruijie(config)#dot1x auto-req packet-num num The device proactively initiates num 802.1x authentication request messages. If num is equal to 0, the device will continually send that message. The default is 0 (infinite).
  • Page 517 802.1x Configuration In the privileged EXEC mode, you can set the packet sending interval by performing the following steps: Command / Function: Ruijie(config)#dot1x auto-req req-interval interval: set the packet sending interval. Ruijie#show dot1x auto-req: show the configuration. The no option of the command restores the value to its default. Since sending the authentication request multicast message causes re-authentication for all users under the authentication interface, the sending interval should not be too small, so that authentication efficiency is not affected.
  • Page 518 192.1.1.1, that of the backup accounting server to 192.1.1.2, and the UDP port of the accounting server to 1200, and enables 802.1x accounting: Ruijie# configure terminal Ruijie(config)# aaa new-model Ruijie(config)# aaa group server radius acct-use Ruijie(config-gs-radius)# server 192.168.4.12 acct-port 1200 Ruijie(config-gs-radius)# server 192.168.4.13 acct-port 1200 Ruijie(config-gs-radius)# exit Ruijie(config)# aaa accounting network acct-list start-stop group acct-use...
  • Page 519 Configuration Guide 802.1x Configuration Ruijie(config)# dot1x accounting acct-list Ruijie(config)# end Ruijie# write memory Ruijie# show running-config The agreed accounting key must be the same as that of the Radius Server and authentication. The accounting function cannot be enabled unless the AAA is enabled.
  • Page 520 Configuring the IP authorization mode The 802.1x implemented by Ruijie Network can force the authenticated users to use fixed IP. By configuring the IP authorization mode, the administrator can limit the way the user gets IP address. There are four IP authorization modes: DISABLE, DHCP SERVER, RADIUS SERVER and SUPPLICANT.
  • Page 521 In the privileged EXEC mode, configure the IP authorization mode as follows: Command / Function: Ruijie(config)#aaa new-model: enable the AAA function. Ruijie(config)#aaa authorization ip-auth-mode {disabled | dhcp-server | radius-server | supplicant }: configure the IP authorization mode. show running-config: show the configuration...
  • Page 522: Releasing Advertisement

    Releasing Advertisement Our 802.1x allows you to configure the Reply-Message field on the RADIUS server. When authentication succeeds, the content of that field is shown in our 802.1x client, Star-Supplicant, which lets operators publish announcements to users.
  • Page 523 Configuring the Authentication Mode In the standard, the 802.1x implements authentication through the EAP-MD5. The 802.1X designed by Ruijie can perform authentication through both the EAP-MD5 (default) mode and the CHAP and PAP mode. The advantage of the CHAP is that it reduces the communication between the switch and the RADIUS SERVER, thus alleviating the pressure on the RADIUS SERVER.
  • Page 524 In the privileged EXEC mode, you can set the backup authentication server by performing the following steps: Command / Function: Ruijie(config)#aaa new-model: turn on the AAA switch. Ruijie(config)#aaa group server radius gs-name: configure the server group. Ruijie(config-gs-radius)#server server: configure the server. Ruijie(config-gs-radius)#server server-backup: configure the backup server.
  • Page 525: Configuring And Managing Online Users

    Radius Server. Port-based Traffic Charging In addition to duration-based billing, Ruijie’s network devices provide traffic-based billing, provided each port of the equipment has only one user connected. This function requires no configuration on the device but needs the support of the RADIUS server.
  • Page 526 Configuration Guide 802.1x Configuration The access device supports the RADIUS server to use the standard RADIUS attributes to assign the VLAN, including the following attribute combinations:  No.64 Attribute Tunnel-Type  No.65 Attribute Tunnel-Medium-Type  No.81 Attribute Tunnel-Private-Group-ID  And for the auto-switching of the dynamic VLAN application, the valid range is: ...
  • Page 527 Configuration Guide 802.1x Configuration VLAN supporting the auto-switching on the TRUNK port, the user authentication will be successful and the Native VLAN for the port to be authenticated will be set as the assigned VLAN. The following lists the VLANs not supporting the auto-switching on the TRUNK port: ...
  • Page 528 Ruijie(config)#radius-server key text Configure the RADIUS server shared key. For the details, see Configuring RADIUS.  enable the method list Command Function Ruijie(config)#aaa authentication dot1x list1 group Configure the authentication method list1. radius Ruijie(config)#aaa accounting network list2 Configure the accounting method list2.
  • Page 529 802.1x authentication on the interface Command Function Ruijie(config)#interface interface_id Enter the interface mode to be configured. interface_id is the interface to be entered. Ruijie(config-if-type ID)#dot1x port-control auto Enable the 802.1x authentication on the interface.  enable the VLAN auto-switching on the interface Command Function Enter interface configuration mode.
  • Page 530 Enter interface configuration mode. Ruijie(config-if-type ID)#dot1x dynamic-vlan enable: allow VLAN jump on the interface. Ruijie(config-if-type ID)# [no] dot1x guest-vlan vid: configure whether to enable the guest VLAN, which is disabled by default. show running-config: show the configuration. The guest VLAN takes effect only if dot1x dynamic-vlan enable is configured.
  • Page 531 Configuration Guide 802.1x Configuration If you configure guest vlan on the port, it will check whether the port is added to guest vlan when the port state is switched from linkdown to linkup. Shielding Proxy Server and Dial-up The two major potential threats to network security are: The user sets its own proxy server and the user makes dial-up to access the network after authentication.
  • Page 532: Configuring The Option Flag For Eapol Frames To Carry Tag

    Command / Function: Ruijie(config)#dot1x client-probe enable: enable the on-line probe function of the client. Ruijie(config)#dot1x probe-timer interval interval: configure the Hello Interval. Ruijie(config)#dot1x probe-timer alive interval: configure the Alive Interval of the device. Ruijie#show dot1x: show the configuration. Configuring the Option Flag for EAPOL Frames to Carry TAG In accordance with IEEE 802.1x, EAPOL packets cannot carry a VLAN tag.
  • Page 533 To configure port-based control mode, execute the following commands in the privileged EXEC mode. Command / Function: Ruijie(config)#interface interface-id: enter the interface mode. Ruijie(config-if-type ID)#dot1x port-control auto: enable the control function. Ruijie(config-if-type ID)#dot1x port-control-mode {mac-based|port-based}: select the control mode. Ruijie#show dot1x port-control: show the 802.1X port configuration.
  • Page 534 From the privileged EXEC mode, follow the steps below to configure port-based single-user control mode on the port. Command / Function: Ruijie(config)#interface interface-id: enter interface configuration mode. Ruijie(config-if-type ID)#dot1x port-control auto: enable the control function. Ruijie(config-if-type ID)#dot1x port-control-mode port-based single-host: port-based single-user control mode. Show the 802.1x configuration.
  • Page 535 Run the following commands if you need dynamic ACL assignment from a RADIUS server that is not Ruijie-certified (a third-party server). Ruijie#configure terminal Ruijie(config)# radius vendor-specific extend Configuring Dot1x MAC Authentication Bypass The guest VLAN gives hosts without an 802.1x client a way onto the network, but it cannot tell whether the accessing device is trusted or not.
  • Page 536 802.1x Configuration The following example shows how to configure the MAB function. Ruijie# configure terminal Ruijie(config)# interface fa 0/1 Ruijie(config-if)# dot1x port-control auto Ruijie(config-if)# dot1x mac-auth-bypass On the server, use the format XXXXXXXXXXXX (12 hexadecimal digits, no separators) for both the username and the password of the MAC address.
  • Page 537 Following example shows how to configure the MAB timeout time. Ruijie# configure terminal Ruijie(config)# interface fa 0/1 Ruijie(config-if)# dot1x mac-auth-bypass timeout-activity 3600 If the online time for the MAC address authentication is also assigned by the server, this online time is independent from the timeout-activity.
  • Page 538 To configure the auth-fail VLAN in interface configuration mode, run the following commands: Command Function Enter interface configuration mode. Ruijie(config)#interface interface-id Ruijie(config-if-type ID)#dot1x auth-fail vlan vid Set the auth-fail VLAN on the interface. Show configurations. Ruijie#show run Following example shows how to configure the auth-fail VLAN.
  • Page 539 Ruijie# configure terminal Ruijie(config)# interface fa 0/1 Ruijie(config-if)# dot1x auth-fail vlan 2 If the configured VLAN does not exist, it is created dynamically when the port enters the auth-fail VLAN and removed automatically when the port leaves the auth-fail VLAN.
  • Page 540 Command Function Ruijie# configure terminal Enter global configuration mode. Ruijie(config)# interface <interface-id> Enter interface configuration mode. Ruijie(config-if)# dot1x critical vlan <vlan-id> Configure IAB authentication with switching VLAN. Ruijie(config-if)# end Return to privileged EXEC mode. Ruijie# show running-config Display all configurations.
  • Page 541 Ruijie(config-if)# dot1x port-control auto Ruijie(config-if)# dot1x critical Ruijie(config-if)# dot1x critical vlan 100 If users were already authenticated on the port before all RADIUS servers failed, new users are authorized to access the network after the failure only if no inaccessible (critical) VLAN is configured on the port. If IAB with an inaccessible VLAN has been configured on the port, new users are not authorized, so that the already-authenticated users keep priority on the network.
  • Page 542 Ruijie(config-if)# dot1x port-control auto Ruijie(config-if)# dot1x critical Ruijie(config-if)# dot1x critical recovery action reinitialize After the server recovers, users who were authenticated normally can continue to access the network without re-authentication, whereas users admitted by IAB while the server was down are re-authenticated through an authentication exchange initiated by the switch.
  • Page 543 Use the following commands to configure the multiple MAB authentication function. Command Function Ruijie(config)#interface interface-id Enters interface configuration mode. Ruijie(config-if)#dot1x mac-auth-bypass multi-user Enables the multiple MAB authentication function. Ruijie#show running-config Shows all configurations. This example shows how to configure the multiple MAB authentication function. The online time of users admitted through multiple MAB is the time configured by dot1x mac-auth-bypass timeout-activity <value>...
  • Page 544 Ruijie#show running-config Shows all configurations. This example shows how to configure the silence period for unauthorized multiple MAB users. Ruijie# configure terminal Ruijie(config)# dot1x multi-mab quiet-period 100 Ruijie(config)# interface fa 0/1 Ruijie(config-if)# dot1x port-control auto Ruijie(config-if)# dot1x mac-auth-bypass multi-user Viewing the Configuration and Current Statistics of the 802.1x Ruijie 802.1X provides a full range of state machine information, which is very useful for network management and can be...
  • Page 545: Viewing The Radius Authentication And Accounting Configuration

    Viewing the Radius Authentication and Accounting Configuration Run the show radius server command to check the configuration of the RADIUS server, and run the show aaa user command to view user-related information. Ruijie# show radius server Server IP: 192.168.5.11...
  • Page 546: Viewing The User Authentication Status Information

    Show the list of the hosts that can be authenticated. Use the no dot1x auth-address-table address command to delete the specified authenticable host list. The following example shows the list of the hosts that can be authenticated. Ruijie# show dot1x auth-address-table interface:g3/1 ----------------------------------- mac addr: 00D0.F800.0001...
  • Page 547  Complete data isolation shall be achieved between the VLANs of the three user groups, that is, members of one group cannot exchange data with members of another group. The network topology is shown below: Figure 11 Typical topology of dynamic VLAN assignment Configuration example is shown below Configure RADIUS server Include a managerial access device of 192.168.197.241, which uses the default authentication and accounting ports of...
  • Page 548  Tunnel-Medium-Type = "IEEE-802",  Tunnel-Private-Group-ID = "staff" Configure access switch  Turn on AAA switch configure terminal aaa new-model  Configure RADIUS server configure terminal radius-server host 192.168.197.154 radius-server key shared  Configure authentication method list configure terminal aaa authentication dot1x default group radius aaa accounting network default start-stop group radius...
  • Page 549 Other Precautions for Configuring 802.1x  Concurrent use of 1X and ACL In the non-IP authorization mode, if you enable 802.1x authentication on a port and at the same time associate an ACL with the interface, the ACL takes effect on the basis of MAC address. In other words, only packets from the source MAC addresses of authenticated users can pass ACL filtering; packets from other source MAC addresses are discarded.
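The following Python is an example added here, not code from the Ruijie guide or from RGOS. It shows the two RADIUS messages behind pages 536 and 548: the Access-Request a switch sends for a MAB client (User-Name and User-Password both equal to the MAC in the XXXXXXXXXXXX form, the password hidden as RFC 2865 requires) and the Access-Accept that carries Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802 and Tunnel-Private-Group-ID, which the switch-side parser accepts only after checking the Response Authenticator. The shared secret, packet identifier, MAC and VLAN name are constructed sample values, and the server-side builder exists only so the exchange runs offline.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_PORT_TYPE = 1, 2, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15


def mab_username(mac: str) -> str:
    """MAB identity in the XXXXXXXXXXXX form the server expects: 12 hex digits, no separators."""
    digits = "".join(c for c in mac if c.isalnum()).upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server computes it; NUL padding stripped."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body: bytes) -> List[Tuple[int, bytes]]:
    """Strict TLV walk: reject lengths below 2 and attributes that run past the packet."""
    out, off = [], 0
    while off < len(body):
        if off + 2 > len(body) or body[off + 1] < 2 or off + body[off + 1] > len(body):
            raise ValueError(f"malformed attribute at offset {off}")
        out.append((body[off], body[off + 2:off + body[off + 1]]))
        off += body[off + 1]
    return out


def build_mab_access_request(mac: str, secret: bytes, ident: int, req_auth: Optional[bytes] = None) -> bytes:
    """Access-Request the switch sends for a MAB client: User-Name and User-Password are the MAC."""
    req_auth = req_auth or os.urandom(16)                 # Request Authenticator must be unpredictable
    name = mab_username(mac).encode()
    attrs = (attr(USER_NAME, name) + attr(USER_PASSWORD, hide_password(name, secret, req_auth))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_access_accept(request: bytes, secret: bytes, vlan: str, tag: int = 1) -> bytes:
    """Server side, constructed for the demo: Access-Accept with the VLAN triple of page 548."""
    req_auth = request[4:20]
    attrs = (attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
             + attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big"))
             + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + req_auth + attrs + secret).digest()   # RFC 2865 Response Authenticator
    return head + resp_auth + attrs


def vlan_from_response(response: bytes, req_auth: bytes, secret: bytes) -> Optional[str]:
    """Verify the Response Authenticator, then return the VLAN from a complete, consistently
    tagged Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID set, else None."""
    if len(response) < 20 or struct.unpack_from("!H", response, 2)[0] != len(response):
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or forged reply)")
    if response[0] != ACCESS_ACCEPT:
        return None
    groups: dict = {}
    for atype, value in parse_attrs(response[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tunnel attribute must be tag byte + 3-byte value")
            groups.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:           # RFC 2868: tag present only if first byte <= 0x1F
            tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = text.decode("ascii")
    for _, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID]
    return None
```

Two caveats a practitioner should keep in mind. The request above carries no Message-Authenticator (attribute 80); a production NAS should include that HMAC-MD5 attribute, since without it an on-path attacker can forge the Access-Accept (the 2024 Blast-RADIUS attack, CVE-2024-3596), and RADIUS over UDP should in any case not cross untrusted networks. And a MAB credential is nothing more than the MAC address, so a host that spoofs an authorized MAC inherits its VLAN; the page's own remark that MAB cannot tell a secure device from an insecure one applies.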
  • Page 550 (here we take port F0/1 as the example); (corresponding to paragraph 1 of "Application Needs")  Filter non-Ruijie supplicant (corresponding to paragraph 2 of "Networking requirements")  Configure 802.1x accounting and accounting update, and configure the interval of accounting update packets (corresponding to paragraph 3 of "...
  • Page 551 Configuration Guide 802.1x Configuration Group" - haha, "Device Type" - switch, "Specific Model" - S21XX and later, "Device Key" - Ruijie, "Read/Write Community" - weilin, "Device Aging Duration" - 3s, as shown below: Figure 0-8 Click "User Management - User Management" to insert user information. The required configurations include: "Username"...
  • Page 552 Ruijie(config-if-FastEthernet 0/1)#dot1x port-control auto Ruijie(config-if-FastEthernet 0/1)#exit ! Filter non-Ruijie supplicant Ruijie(config)#dot1x private-supplicant-only ! Configure 802.1X accounting method list Ruijie(config)#aaa accounting network jizhang start-stop group radius ! Apply 802.1X accounting method list Ruijie(config)#dot1x accounting jizhang ! Configure accounting update Ruijie(config)#aaa accounting update...
  • Page 553 -------- -------------- --------- ---- --------------- ------------- ----------- --------- 00d0.f864.6909 Fa0/1 Authenticated Idle Authed static Step 2: Display detailed information about authenticated user. Ruijie#show dot1x user id 1 User name: qq User id: 1 Type: static Mac address is 00d0.f864.6909 Vlan id is 1 Access from port Fa0/1 Time online: 0days 0h 2m24s User ip address is 192.168.217.82...
  • Page 554 Private supplicant only: enable Client Online Probe: disable Eapol Tag Enable: disable Authorization Mode: disable Step 4: Display RADIUS authentication and accounting related configurations; Ruijie#show radius server Server IP: 192.168.32.120 Accounting Port: 1813 Authen Port: 1812 Server State: ready Application of 802.1X port-based dynamic VLAN assignment Network Topology Figure 13 Topology for 802.1X port-based dynamic VLAN assignment...
  • Page 555 (taking user group "development" as the example; the VLAN to which the user belongs is configured as Figure 0-11 Figure 0-12 Step 2: Configure access switch "SwitchA" ! Turn on AAA switch Ruijie(config)#aaa new-model ! Configure RADIUS server Ruijie(config)#radius-server host 192.168.32.120 ! Configure RADIUS key Ruijie(config)#radius-server key ruijie...
  • Page 556 ! Apply dot1x authentication method list Ruijie(config)#dot1x authentication hello ! Configure 802.1X accounting method list Ruijie(config)#aaa accounting network jizhang start-stop group radius ! Apply 802.1X accounting method list Ruijie(config)#dot1x accounting jizhang ! Configure the port as controlled port (enable port-based authentication)
  • Page 557 -------- -------------- --------- ---- --------------- ------------- ----------- --------- 00d0.f864.6909 Fa0/1 Authenticated Idle Authed static Step 2: Display detailed information about authenticated user. Ruijie#show dot1x user id 5 User name: st User id: 5 Type: static Mac address is 00d0.f864.6909 Vlan id is 2 Access from port Fa0/1 Time online: 0days 0h 4m35s User ip address is 192.168.217.82...
  • Page 558  Configure whether or not enable guest VLAN on the corresponding interface. Configuration Steps Configure access switch "SwitchA": ! Configure the VLANs to which the port belong: Ruijie(config)#interface fastEthernet 0/3 Ruijie(config-if-FastEthernet 0/3)#switchport access vlan 10 Ruijie(config-if-FastEthernet 0/3)#exit Ruijie(config)#interface fastEthernet 0/24...
  • Page 559 ! Apply dot1x authentication method list Ruijie(config)#dot1x authentication hello ! Configure 802.1X accounting method list Ruijie(config)#aaa accounting network jizhang start-stop group radius ! Apply 802.1X accounting method list Ruijie(config)#dot1x accounting jizhang ! Configure the port as controlled port (enable port-based authentication)
  • Page 560 -------- -------------- --------- ---- --------------- ------------- ----------- --------- 00d0.f864.6909 Fa0/1 Authenticated Idle Authed static Step 2: Display detailed information about authenticated user. Ruijie#show dot1x user id 8 User name: st User id: 8 Type: static Mac address is 00d0.f864.6909 Vlan id is 2 Access from port Fa0/1 Time online: 0days 0h 4m25s User ip address is 192.168.201.56...
  • Page 561 Configure the control mode of user authentication under the corresponding port as port-based authentication;  Configure to prohibit dynamic user from moving between ports;  Configure IP authorization mode as radius Server mode. Configuration Steps Configure access switch "SwitchA": ! Turn on AAA switch Ruijie(config)#aaa new-model...
  • Page 562 ! Apply dot1x authentication method list Ruijie(config)#dot1x authentication hello ! Configure 802.1X accounting method list Ruijie(config)#aaa accounting network jizhang start-stop group radius ! Apply 802.1X accounting method list Ruijie(config)#dot1x accounting jizhang ! Configure the port as controlled port (enable port-based authentication)
  • Page 563 Verify Configurations Step 1: Display the authentication state information of current user: Ruijie#show dot1x summary Interface VLAN Auth-State Backend-State Port-Status User-Type -------- -------------- --------- ---- --------------- ------------- ----------- --------- none 00d0.f864.6909 Fa0/1 Authenticated Idle Authed Dynamic...
  • Page 564: Web Authentication Configuration

    Ruijie Web Authentication The Ruijie Portal server exists in two versions, called Ruijie first-generation and Ruijie second-generation web authentication, because each version uses a different authentication process.
  • Page 565 Configuration Guide WEB Authentication Configuration After the HTTP interception, the access device directs the HTTP connection requests from the user to itself and thus establishes a session between the access device and the user. The access device uses the HTTP redirection function to push the redirection page to the user, and the user’s browser will show a window which may require authentication, or may display a link for downloading software.
  • Page 566  Roles related to web authentication: Authentication client: a browser running the HTTP protocol. It sends HTTP requests when the user uses the browser to access the network. Access device: generally an access layer device (for example, a wireless AP in a WLAN) in the network topology.
  • Page 567 Internet. The detailed schematic diagram is shown below: Figure 2 Ruijie first generation web authentication procedures User logout procedures: There are two types of user logout. One is logout detected by the access device, when the user's online time or traffic quota is used up or the link goes down.
  • Page 568 HTTP Redirection The same as the HTTP redirection technology of Ruijie First generation Web Authentication Operating Principle The networking topology of Ruijie second generation web authentication is the same as that of Ruijie first generation web authentication (Figure 1). ...
  • Page 569 22) The access device initiates an authentication request to the RADIUS server and replies the result to the Portal server. 23) The Portal server responds to the user with a page to indicate the result (success or failure). Figure 3 Ruijie second generation web authentication procedures  User logout procedures: There are two types of user logout: one is the user logout detected by the access device because user’s...
  • Page 570 Portal Server about whether the user can access network.  Ruijie built-in portal authentication mechanism simplifies the role of the portal server in the first generation and the second generation authentication mechanism. This role is now supported by the access device.
  • Page 571 stop-accounting message is initiated by the access device. In the Ruijie built-in portal authentication mechanism, the stop-accounting message is also initiated by the access device. 1. Whether to deploy the first generation web authentication mechanism, the second generation, or the built-in portal authentication depends on the type of Portal Server you are using.
  • Page 572 By default, traffic detection is disabled. If enabled, the default detection interval will be 15 minutes, and the default detection threshold is 0 byte. Configuring the Functional Switch of Web Authentication The current software supports three web authentication mechanisms:  Ruijie first generation web authentication (default).
  • Page 573 27) Configure the requisite information for Web authentication, such as the IP address and URL of Portal Server.  If you are using Ruijie second generation or the built-in web authentication mechanism, the corresponding AAA method list and RADIUS server should be configured. ...
  • Page 574 To disable web authentication on an interface, run the no form of the command (no web-auth port-control) in interface configuration mode. # Enable web authentication on FastEthernet 0/14. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface FastEthernet 0/14 Ruijie(config-if-FastEthernet 0/14)# web-auth port-control Ruijie(config-if-FastEthernet 0/14)# show web-auth port-control...
  • Page 575 Configuring the IP Address of Portal Server To successfully deploy Ruijie first generation web authentication, the IP address of Portal Server must be configured. By default, the IP address of Portal Server is not configured on the device. The configuration...
  • Page 576 WEB Authentication Configuration Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect 176.10.0.1 Ruijie(config)# show http redirect If the IP address of Portal Server is configured, it can be accessed directly, which means the user can access this IP address directly without authentication.
  • Page 577 # Configure the communication key used between the device and Portal Server as web-auth. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth portal key web-auth Ruijie(config)# show running-config Configuring the SNMP Parameters Used Between Device and Portal Server According to the procedures of the first generation web authentication, SNMP protocol is required between the Portal Server and the access device to control the login and logout of users.
  • Page 578 successfully apply Ruijie first generation web authentication, you have to configure the SNMP parameters used between the device and the Portal Server. By default, the SNMP parameters used between the device and Portal Server are not configured. The...
  • Page 579 Ruijie(config)# snmp-server community web-auth rw Ruijie(config)# snmp-server enable traps web-auth Ruijie(config)# snmp-server host 176.10.0.1 informs version 2c web-auth web-auth The SNMP communication parameters listed here are based on SNMPv2c, whose community string travels in cleartext and grants read/write access to anyone who captures it. If higher security is required for the SNMP communication between the device and the Portal Server, SNMPv3 with authentication and privacy is suggested.
  • Page 580 172.20.1.10 http://172.20.1.10:7080/index.php Ruijie(config)# show web-auth portal v2 by-name edu-server Configuring AAA Web Authentication Method List In the second generation web authentication, the device will initiate radius authentication. Therefore, to deploy the second generation web authentication, you need to configure AAA authentication method list on the device.
  • Page 581 # Configure the name of the network-related AAA accounting method list as default and use the default RADIUS group named radius). Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# aaa new-model Ruijie(config)# aaa accounting network default start-stop group radius Ruijie(config)# show aaa method-list...
  • Page 582 # Set the communication key used between the device and Portal Server to web-auth. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth portal key web-auth Ruijie(config)# show running-config Configuring Global Authentication Method List There are two steps to configure the web authentication method list. Step 1 is to configure an AAA authentication method list as mentioned above.
  • Page 583 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth authentication v2 edu-web Ruijie(config)# show web-auth portal v2 aaa Before configuring the method list, make sure this method list is already configured for AAA. After the authentication method list is removed, the authentication method list named default will be used by default.
  • Page 584 WEB Authentication Configuration Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth accounting v2 edu-acct Ruijie(config)# show web-auth portal v2 aaa Configuring Global Portal Server The previous section has introduced how to create Portal Server using the portal-server command. After the Portal Server is created, it will only take effect after being applied to web authentication.
  • Page 585 Ruijie security solutions; therefore, Ruijie extends the Portal protocol. By default, Ruijie devices use the extended Portal protocol to communicate with the Portal server. If you need to disable extension and use the standard Portal protocol, run the no web-auth portal extension command.
  • Page 586 Ruijie(config)# show web-auth portal parameters For interworking with non-Ruijie products, disable Portal protocol extension because the third-party Portal server may not support Ruijie Portal protocol extension. If Portal protocol extension is not disabled during interworking with non-Ruijie products, incompatibility problems may occur.
  • Page 587 # Redirect HTTP request with the specific destination port number 8080 sent by the user. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect port 8080 Ruijie(config)# show http redirect 1. The commonly-used management ports on the access device, such as port 22, 23 and 53 and ports reserved by the system are not allowed to be configured as the redirection port.
  • Page 588 # Set the maximum number of HTTP sessions of an unauthenticated user to 10. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect session-limit 10 Ruijie(config)# show http redirect If no authentication page appears during authentication, it is very likely that the number of HTTP sessions initiated by the user has reached the maximum.
  • Page 589 # Set the timeout for maintaining a redirection connection to 4 seconds. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect timeout 4 Ruijie(config)# show http redirect Configuring Scope of Network Resources Requiring No Authentication After Web authentication is activated, a user must pass Web authentication before he/she can access network resources.
  • Page 590 # Set the site of 172.16.x.x in the campus intranet to be a resource requiring no authentication. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect direct-site 172.16.0.0 255.255.0.0 Ruijie(config)# show web-auth Configuring Information Updating Interval of Authenticated Users The access device keeps information of authenticated users and periodically updates such information as time of being online, to monitor the traffic and the online hours of the users.
  • Page 591 # Configure the user with the IP address of 176.10.0.1 free from the authentication Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth direct-host 176.10.0.1 Ruijie(config)# show http redirect Configuring Flow Detection Function Web authentication provides a low-traffic log out functionality which allows the device to detect authenticated users’...
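The HTTP interception described on page 565 and the exemptions configured on pages 587 to 591 amount to a small per-packet policy on the access device. The following Python models that policy as an added example, not code from the Ruijie guide or RGOS: traffic from an unauthenticated host is forwarded only to the Portal server IP, to direct-site networks or from direct-host addresses, HTTP to a configured redirect port is answered with a 302 to the portal page carrying the original URL, and everything else is dropped. The class and method names are this example's own; the addresses and portal URL reuse the sample values from pages 576, 590, 591 and 594, and the constructor refuses ports 22, 23 and 53 as page 587 does.

```python
import ipaddress
from typing import Iterable, Optional, Set, Union
from urllib.parse import quote

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
RESERVED_REDIRECT_PORTS = {22, 23, 53}        # management ports that may not be redirect ports


class WebAuthPort:
    """Model of one web-authentication controlled port on the access device."""

    def __init__(self, portal_url: str, portal_ip: str, redirect_ports: Iterable[int] = (80,),
                 direct_sites: Iterable[str] = (), direct_hosts: Iterable[str] = ()):
        bad = RESERVED_REDIRECT_PORTS & set(redirect_ports)
        if bad:
            raise ValueError(f"ports {sorted(bad)} are not allowed as redirect ports")
        self.portal_url = portal_url
        self.portal_ip = ipaddress.ip_address(portal_ip)          # reachable before authentication
        self.redirect_ports = set(redirect_ports)
        self.direct_sites = [ipaddress.ip_network(s, strict=False) for s in direct_sites]
        self.direct_hosts: Set[IPAddr] = {ipaddress.ip_address(h) for h in direct_hosts}
        self.authenticated: Set[IPAddr] = set()

    def login(self, ip: str) -> None:
        self.authenticated.add(ipaddress.ip_address(ip))

    def logout(self, ip: str) -> None:
        self.authenticated.discard(ipaddress.ip_address(ip))

    def decide(self, src_ip: str, dst_ip: str, dst_port: int, proto: str = "tcp") -> str:
        """Return 'forward', 'redirect' or 'drop' for one packet arriving from a user-side host."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src in self.authenticated or src in self.direct_hosts:  # authenticated or exempt host
            return "forward"
        if dst == self.portal_ip or any(dst in net for net in self.direct_sites):
            return "forward"                                      # resource requiring no authentication
        if proto == "tcp" and dst_port in self.redirect_ports:
            return "redirect"                                     # HTTP interception
        return "drop"

    def redirect_response(self, request_line: str, host: str) -> Optional[bytes]:
        """Build the HTTP 302 the device sends back on an intercepted plain-HTTP GET."""
        parts = request_line.strip().split(" ")
        if len(parts) != 3 or parts[0] != "GET" or not parts[1].startswith("/"):
            return None                                           # only simple GETs are redirected here
        original = f"http://{host}{parts[1]}"
        location = f"{self.portal_url}?url={quote(original, safe='')}"
        return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
                f"Cache-Control: no-store\r\nConnection: close\r\nContent-Length: 0\r\n\r\n").encode()
```

Two points follow from the model. Interception works only for cleartext HTTP: a TLS connection cannot be answered with a 302 without a certificate the browser trusts, so a user whose first request is HTTPS sees a connection failure rather than the portal, which is why the session limit and timeout on pages 588 and 589 matter. And every direct-site network and direct-host address is reachable without authentication, so those lists should stay as small as the deployment allows.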
  • Page 592 1024 bytes. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# web-auth offline-detect flow idle-timeout 3 threshold 1024 Ruijie(config)# show running-config Web authentication supports the following three methods of logout detection: 1. Link-based detection: the user is considered logged out when the physical link goes down.
  • Page 593 Configuration Example Typical Configuration Examples of First-generation Web Authentication Networking Requirements  The network is deployed with a RADIUS server, a Portal server (which may integrate the functions of the RADIUS server), a DHCP server, a pass-through server (website), a DNS server, a core device, a convergence device, and several access devices and user PCs.
  • Page 594 Ruijie# config Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# http redirect 192.168.3.1 Ruijie(config)# web-auth portal key web_auth_s26_1 30) On the access devices, configure the URL of the authentication page. Ruijie(config)# http redirect homepage http://www.web_auth.com/webportal/index.jsp...
  • Page 595 31) Set the SNMP network management parameters between the access devices and authentication server. Ruijie(config)# snmp-server community web_auth_key Ruijie(config)# snmp-server enable traps web-auth Ruijie(config)# snmp-server host 192.168.3.1 inform version 2c web_auth_key web-auth Ruijie(config)# exit 32) On the access devices, enable web authentication for the Fa0/2 and Fa0/3 ports.
  • Page 596 Port ARP Binding --------------- ---------------- ---------- ---------- 192.168.4.12 255.255.255.255 Fa0/3 37) Query the range of IP addresses of users for which web authentication is not required. Ruijie# show web-auth direct-host direct-host Address Mask Port ARP Binding --------------- ---------------- ---------- ---------- 192.168.4.12...
  • Page 597 Networking Topology Figure 4 Networking topology for web authentication solution  The user PCs are connected to the access devices, whose upstream ports are connected to the convergence device. The convergence device is connected to the core device, which allows the user PCs to access the Internet.
  • Page 598 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# aaa new-model Ruijie(config)# radius-server host 172.20.1.20 key aaatest Ruijie(config)# aaa authentication web-auth default group radius Ruijie(config)# aaa accounting network default start-stop group radius 42) Enable web authentication on ports. Ruijie(config)# interface range fa0/2-3...
  • Page 599 Verification Query the authentication configuration and statistics on interfaces. Ruijie# show web-auth port-control Port Control ------------------------- ---------- FastEthernet 0/1 FastEthernet 0/2 FastEthernet 0/3...
  • Page 600: Ssh Configuration

    Compression algorithm: NONE (uncompressed) for both SSHv1 and SSHv2. Ruijie's SSH Support: Ruijie Networks products support only the SSH server (compatible with SSHv1 and SSHv2) and do not support an SSH client. Caution SSH Configuration Default SSH Configurations Item...
  • Page 601 Configuration Guide SSH Terminal Service Configuration Item / Default value: SSH server status, disabled; SSH version, compatible mode (supporting versions 1 and 2); SSH user authentication timeout period, 120s; SSH user re-authentication times. User Authentication Configuration 1) For SSH connection security, login without authentication is not permitted.
  • Page 602 Command Description configure terminal Enter the global configuration mode no enable service ssh-server Delete the key to disable SSH Server. Configuring the Supported SSH Server Version By default, SSHv1 and SSHv2 are both accepted (compatible mode). SSHv1 is obsolete and has known protocol weaknesses, so restrict the server to version 2 wherever the clients in use allow it. Run the following commands to configure the SSH version.
  • Page 603 Enter the configuration mode. Ruijie(config)#ip scp server enable Enable the SCP server function. Ruijie(config)# no ip scp server enable Disable the SCP server function. Using SSH for Device Management You may use the SSH for device management by first enabling the SSH Server function that is disabled by default.
  • Page 604 As shown in Figure-1, protocol 2 is used for login, so SSH2 is chosen in "Protocol". "Hostname" indicates the IP address of the host to log in to, 192.168.5.245. Port 22 is the default port on which SSH listens. "Username"...
  • Page 605 On first connection the client is asked whether to accept the host key presented by 192.168.5.245; compare its fingerprint with the one shown on the switch before accepting it, since accepting an unknown key blindly defeats protection against a man-in-the-middle. Select "Accept & Save" or "Accept Once" to enter the password confirmation dialog box, as shown below: Figure-4 Enter the Telnet login password to enter a UI that is the same as the Telnet one.
  • Page 606 Using SSH Public-Key Based Authentication To use the public-key based authentication method on a client, you need to generate a key pair (RSA or DSA) on the client, put the public key on the SSH server, and select the PublicKey authentication method.
  • Page 607 If the key pair has not been generated, generate a new key pair (Create Identity File). During key generation, you can set a passphrase for the private key (it may be left blank, but then the private key is stored unprotected on the client and anyone who copies the file can log in). If a passphrase is set, you need to enter it at every authentication.
  • Page 608 DSA public key. See the following contents. Ruijie# configure terminal Ruijie(config)# ip ssh peer test public-key rsa flash:rsa.pub Ruijie(config)# ip ssh peer test public-key dsa flash:dsa.pub In this way, the client can log in to the network device using the public-key based authentication method.
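Before copying rsa.pub or dsa.pub to the switch's flash, it is worth checking that the file really is a well-formed OpenSSH public key of an acceptable size, since a truncated or wrong-type file only shows up later as a failed login. The following Python is an added example, not part of the Ruijie guide: it parses the "ssh-rsa AAAA... comment" line format (RFC 4253 key blob, RFC 4251 string and mpint encodings), computes the SHA256 fingerprint, and flags RSA keys below a minimum size and legacy ssh-dss keys. The encoder exists only to construct sample keys with synthetic numbers for the demo; real keys come from the client's key generator, and the policy thresholds are this example's assumptions.

```python
import base64
import hashlib
import struct
from typing import Dict, Tuple


def _string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes; bounds-checked."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("string runs past end of key blob")
    return blob[off + 4:off + 4 + n], off + 4 + n


def _mpint(blob: bytes, off: int) -> Tuple[int, int]:
    """RFC 4251 'mpint': two's-complement big-endian integer inside a string."""
    raw, off = _string(blob, off)
    value = int.from_bytes(raw, "big", signed=True)
    if value < 0:
        raise ValueError("negative mpint in public key")
    return value, off


def parse_openssh_pubkey(line: str) -> Dict[str, object]:
    """Parse one 'ssh-rsa <base64> [comment]' line; return type, size in bits and fingerprint."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    inner_type, off = _string(blob, 0)
    if inner_type != ktype.encode():
        raise ValueError(f"key type {ktype!r} does not match blob type {inner_type!r}")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info: Dict[str, object] = {"type": ktype, "fingerprint": "SHA256:" + sha}
    if ktype == "ssh-rsa":
        e, off = _mpint(blob, off)
        n, off = _mpint(blob, off)
        info.update(e=e, bits=n.bit_length())
    elif ktype == "ssh-dss":
        p, off = _mpint(blob, off)
        for _ in range(3):                                     # q, g, y
            _, off = _mpint(blob, off)
        info["bits"] = p.bit_length()
    else:
        raise ValueError(f"unsupported key type {ktype!r} (the switch takes RSA or DSA)")
    if off != len(blob):
        raise ValueError("trailing bytes after key material")
    return info


def encode_openssh_pubkey(ktype: str, *numbers: int, comment: str = "") -> str:
    """Inverse of the parser; used here only to construct sample keys from synthetic numbers."""
    def string(b: bytes) -> bytes:
        return struct.pack("!I", len(b)) + b

    def mpint(i: int) -> bytes:                                # extra leading byte keeps the sign positive
        return string(i.to_bytes((i.bit_length() + 8) // 8, "big"))

    blob = string(ktype.encode()) + b"".join(mpint(i) for i in numbers)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}".strip()


def check_before_upload(line: str, min_rsa_bits: int = 2048) -> Tuple[Dict[str, object], list]:
    """Parse the key and list policy problems to resolve before copying the file to flash."""
    info = parse_openssh_pubkey(line)
    problems = []
    if info["type"] == "ssh-rsa" and int(info["bits"]) < min_rsa_bits:
        problems.append(f"RSA modulus is {info['bits']} bits, below the {min_rsa_bits}-bit minimum")
    if info["type"] == "ssh-dss":
        problems.append("ssh-dss is a legacy algorithm (1024-bit keys, SHA-1 signatures); prefer RSA")
    return info, problems
```

The fingerprint the parser prints is the value to compare against what the client shows for its own key, which catches a wrong file being uploaded under the right name.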
  • Page 609 In this way, the client can use SCP to connect to the server and transfer files. The SCP server runs in the SSH thread. When connecting to the network device for SCP transfer, the client uses a VTY connection; when you run the show user command, the user type is shown as SSH.
  • Page 610 Most options are related to the client. A few options require support from both the client and the server. The SCP server on Ruijie network devices does not support the options -d, -p, -q and -r; when these options are used, the system prompts that they are not supported.
  • Page 611: Gsn Configuration

    Configuration Guide GSN Configuration GSN Configuration RG GSN Security Solution Introduction RG GSN Security Solution consists of the following four elements: 1. RG Security policy Management Platform 2. RG Security Agent 3. RG Restore System 4. RG Security Switch RG SMP RG Security policy Management Platform allows or disallows the data and packet transmission within the range of some conditions by the policy setting.
  • Page 612 Enable the global GSN security switch. The following example shows how to enable the GSN function: Ruijie# configure terminal Ruijie(config)# security gsn enable Configuring the Community Between SMP Servers The SMP server IP address and the security authentication name must be configured to implement the community between the SMP servers.
  • Page 613 [no] security event interval interval By default, the interval is 5s. This example shows the priority value configuration process: Ruijie(config)# cpu-protect type bpdu pri 7 Set packet type bpdu priority 7. Enabling the Security Address-bind on the Interface The SMP server IP address and the security authentication name must be configured...
  • Page 614 In the privileged mode, show the minimum security event interval by using the following commands: Command Function Show the minimum security event interval. Ruijie# show security event interval For example: Ruijie# show security event interval Event sending interval(Seconds):5...
  • Page 615 Precautions for GSN Configuration Supported GSN Entry Number Since GSN policies are installed as hardware filtering entries, the number of supported policies differs between product chipsets. In addition, the hardware entry resources used by GSN may be occupied by other modules, so enabling related functions (for example, anti-arp-spoofing, etc.) also reduces the number of entries available to GSN.
  • Page 616: Cpu Protection Configuration

    Malicious attacks against the switch CPU are common in network environments; they drive CPU utilization too high and disrupt the switch's normal operation. Ruijie switches provide the CPP (CPU protection) function to reduce the CPU load and keep the switch operating normally.
  • Page 617: Viewing Cpu Protect Information

    In the configuration mode, configure the bandwidth of each type of packet by performing the following steps: Command Function Ruijie(config)# cpu-protect type {arp | bpdu | dhcp | ipv6mc | igmp | rip | ospf Set the bandwidth for the packets in PPS, which is an integer.
  • Page 618 Command Function Show the packets received by the CPU of a specific line card. Ruijie# show cpu-protect slot slot_id slot_id: slot ID The following example shows the CPU protection information of the line card in slot 2. Ruijie# show cpu-protect slot 2...
  • Page 619 In the privileged mode, show the priority and bandwidth of each type of packet by using the following commands: Command Function Ruijie# show cpu-protect type arp | bpdu | dhcp | ipv6mc | igmp | rip | ospf | ... Show the statistics of the packets received by the CPU for each type...
  • Page 620 Configuration Guide CPU Protection Configuration (packet-type table, flattened by extraction): tp-guard, dot1x, rldp, rldp-loop, rerp, bpdu, tunnel-bpdu, ipv4-icmp-local 180, dhcps, gvrp, tunnel-gvrp, dvmrp, igmp, ospf, vrrp, stargv, unknown-ipmc, err-ttl0, err-ttl1, isis-es, isis-is, isis-l1is, isis-l2is, ipv6mc, dhcp-relay-c, dhcp-relay-s, option82...
  • Page 621 Configuration Guide CPU Protection Configuration (packet-type table, continued): udp-helper, dhcp-client, lacp...
  • Page 622: Storm Control

    Command Function Ruijie(config-if)# storm-control {broadcast | multicast | unicast} [{level percent | pps packets | ... broadcast: Enable broadcast storm control. multicast: Enable unknown-multicast storm control. unicast: Enable unknown-unicast storm control. percent: Set the limit as a percentage of the port bandwidth,...
  • Page 623: Viewing The Enable Status Of Storm Control

    Ruijie# show storm-control [interface-id] Show storm control information. The example below shows the enable status of storm control on interface Gi0/3: Ruijie# show storm-control gigabitEthernet 0/3 Interface Broadcast Control Multicast Control Unicast Control action GigabitEthernet 0/3 Disabled Disabled Disabled...
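    The two mechanisms above, CPU protection (a per-packet-type pps policer plus a priority for the CPU queue) and storm control (a per-port ceiling for broadcast, unknown-multicast and unknown-unicast frames), modelled in Python. This is an added example, not RGOS code or output from the switch; the queue depth, the default pps/priority values and the per-port line rates are assumptions of the model.

```python
from collections import defaultdict

# Assumed defaults for this model; RGOS defaults are per packet type and not reproduced here.
DEFAULT_PPS = 180
DEFAULT_PRI = 0


class CpuProtect:
    """Per-packet-type policer (cpu-protect type <t> pps <n>) feeding a bounded
    priority queue (cpu-protect type <t> pri <0-7>) towards the CPU."""

    def __init__(self, queue_depth=64):
        self.pps = {}                       # ptype -> allowed packets per second
        self.pri = {}                       # ptype -> priority 0..7
        self.accepted = defaultdict(int)    # (ptype, second) -> packets passed the policer
        self.policed = defaultdict(int)     # ptype -> dropped by the rate limit
        self.evicted = defaultdict(int)     # ptype -> dropped because the CPU queue was full
        self.queue = []                     # (ptype, pri, seq); small, scanned linearly
        self.depth = queue_depth
        self.seq = 0

    def set_type(self, ptype, pps=None, pri=None):
        if pps is not None:
            self.pps[ptype] = pps
        if pri is not None:
            self.pri[ptype] = pri

    def offer(self, t, ptype):
        """One packet of ptype punted to the CPU during integer second t."""
        if self.accepted[(ptype, t)] >= self.pps.get(ptype, DEFAULT_PPS):
            self.policed[ptype] += 1
            return "DROP"                   # over the configured pps: dropped before the CPU
        self.accepted[(ptype, t)] += 1
        pri = self.pri.get(ptype, DEFAULT_PRI)
        if len(self.queue) >= self.depth:
            # queue full: the newest packet of the lowest priority gives way to a higher one
            victim = min(self.queue, key=lambda e: (e[1], -e[2]))
            if victim[1] >= pri:
                self.evicted[ptype] += 1
                return "DROP"
            self.queue.remove(victim)
            self.evicted[victim[0]] += 1
        self.seq += 1
        self.queue.append((ptype, pri, self.seq))
        return "ACCEPT"

    def dequeue(self):
        """Next packet handed to the CPU: highest priority first, oldest within a priority."""
        if not self.queue:
            return None
        entry = max(self.queue, key=lambda e: (e[1], -e[2]))
        self.queue.remove(entry)
        return entry[0]


class StormControl:
    """storm-control {broadcast | multicast | unicast} {level <percent> | pps <n>} per port."""

    def __init__(self, port_pps):
        self.port_pps = port_pps            # port -> line-rate packets per second (assumed)
        self.limits = {}                    # (port, kind) -> pps ceiling
        self.seen = defaultdict(int)        # (port, kind, second) -> frames
        self.suppressed = defaultdict(int)  # (port, kind) -> frames dropped

    def configure(self, port, kind, level=None, pps=None):
        if kind not in ("broadcast", "multicast", "unicast"):
            raise ValueError(kind)
        if pps is None:                     # 'level' is a percentage of the port bandwidth
            pps = self.port_pps[port] * level // 100
        self.limits[(port, kind)] = pps

    def frame(self, t, port, kind):
        """kind: broadcast, multicast (unknown) or unicast (unknown destination)."""
        limit = self.limits.get((port, kind))
        if limit is None:
            return "FORWARD"
        self.seen[(port, kind, t)] += 1
        if self.seen[(port, kind, t)] > limit:
            self.suppressed[(port, kind)] += 1
            return "DROP"
        return "FORWARD"
```

The point the model makes visible: the policer caps how many packets of each type may reach the CPU per second, and the priority only decides who survives when the CPU queue is already full, so an ARP flood that stays under its pps limit can still be pushed out by BPDUs (pri 7) but cannot starve them.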
  • Page 624: Protected Port

    Ruijie(config-if)# end Showing Protected Port Configuration Command Function Ruijie# show interfaces switchport Show the configuration of the switch port. Use show interfaces switchport to view the protected-port configuration: Ruijie# show interfaces gigabitethernet 0/3 switchport...
  • Page 625: Port Security

    Configuration Guide Port-based Flow Control Configuration Interface Switchport Mode Access Native Protected VLAN lists --------- ---------- ---- ------ ----- -------- ---- GigabitEthernet 0/3 enabled Trunk 1 Enabled Port Security Overview The port security function controls which packets may enter a switch port, based on the source MAC address, the source MAC+IP address pair, or the source IP address.
  • Page 626: Configuring Port Security

    IP address has a high priority). Configuration of Secure Ports and Violation Handling Modes In the interface configuration mode, configure secure ports and violation handling modes by using the following commands: Command Function Ruijie(config-if)# switchport Enable the port security function of this interface. port-security...
  • Page 627 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface gigabitethernet 0/3 Ruijie(config-if)# switchport mode access Ruijie(config-if)# switchport port-security Ruijie(config-if)# switchport port-security maximum 8 Ruijie(config-if)# switchport port-security violation protect Ruijie(config-if)# switchport port-security mac-address sticky Ruijie(config-if)# end...
  • Page 628 Configuration of Secure Addresses on the Secure Port In the global configuration mode, add secure addresses for secure ports by using the following commands: Command Function Ruijie(config)# switchport port-security interface interface-id mac-address ... In the global configuration mode, manually configure a secure address on the port.
  • Page 629 Ruijie(config-if)# switchport mode access Ruijie(config-if)# switchport port-security Ruijie(config-if)# switchport port-security mac-address sticky Ruijie(config-if)# switchport port-security mac-address sticky 00d0.f800.073c vlan 1 Ruijie(config-if)# end Configuration of Secure Address Binding on the Secure Port In the global configuration mode, add secure address binding for secure ports by using the following...
  • Page 630 Ruijie(config)# interface gigabitethernet 0/3 Ruijie(config-if)# switchport mode access Ruijie(config-if)# switchport port-security Ruijie(config-if)# switchport port-security binding 00d0.f800.073c vlan 1 192.168.12.202 Ruijie(config-if)# end Packets that match an IP+MAC binding or an IP-only binding are forwarded only if their source MAC address is also a secure address of the port.
  • Page 631: Viewing Port Security Information

    Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface gigabitethernet 0/3 Ruijie(config-if)# switchport port-security aging time 8 Ruijie(config-if)# switchport port-security aging static Ruijie(config-if)# end Viewing Port Security Information In the privileged mode, you can view the security information of a port by using the following commands.
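    The port security behaviour described on the preceding pages (secure-address learning with a maximum count, sticky addresses, the protect/restrict/shutdown violation modes, IP+MAC and IP-only bindings, and aging with or without static entries) as a Python model. This is an added example, not RGOS code: the default maximum, the syslog text and the treatment of an IP packet that matches no binding (dropped, but not counted as a violation) are assumptions of the model.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One port with 'switchport port-security' semantics (model, not RGOS code)."""
    name: str
    maximum: int = 128                 # assumed default for the maximum secure addresses
    violation: str = "protect"         # protect | restrict | shutdown
    sticky: bool = False               # learned addresses become sticky (kept in the config)
    aging_time: int = 0                # minutes; 0 = no aging
    aging_static: bool = False         # 'switchport port-security aging static'
    secure: dict = field(default_factory=dict)     # mac -> {"kind": static|sticky|dynamic, "seen": minute}
    bindings: set = field(default_factory=set)     # (mac or None, ip) from 'port-security binding'
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def add_secure_mac(self, mac, kind="static", now=0):
        """'switchport port-security mac-address ...' (static or sticky entry)."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            return False
        self.secure[mac] = {"kind": kind, "seen": now}
        return True

    def add_binding(self, ip, mac=None, now=0):
        """'switchport port-security binding [mac vlan] ip': IP+MAC or IP-only binding."""
        self.bindings.add((mac, ip))
        if mac:
            self.add_secure_mac(mac, "static", now)    # the bound MAC is also a secure address

    def _violate(self, mac):
        self.violations += 1
        if self.violation == "protect":
            return "DROP"                              # silently discard the frame
        if self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY: violation on {self.name} by {mac}")  # assumed text
            return "DROP"
        self.err_disabled = True                       # shutdown: the whole port goes err-disabled
        self.log.append(f"%PORT_SECURITY: {self.name} shut down after violation by {mac}")
        return "SHUTDOWN"

    def ingress(self, src_mac, src_ip=None, now=0):
        """Classify one frame from src_mac (and src_ip for IP packets)."""
        if self.err_disabled:
            return "DROP"
        if src_mac in self.secure:
            self.secure[src_mac]["seen"] = now
        elif len(self.secure) < self.maximum:          # room left: learn the address
            self.secure[src_mac] = {"kind": "sticky" if self.sticky else "dynamic", "seen": now}
        else:
            return self._violate(src_mac)
        if src_ip is not None and self.bindings:
            # A packet matching an IP+MAC or IP-only binding is forwarded only because its
            # source MAC is also secure (checked above); anything else is dropped (assumption).
            if (src_mac, src_ip) not in self.bindings and (None, src_ip) not in self.bindings:
                return "DROP"
        return "FORWARD"

    def age(self, now):
        """Remove entries idle for aging_time minutes; static ones only with aging_static."""
        if not self.aging_time:
            return []
        expired = [m for m, e in self.secure.items()
                   if now - e["seen"] >= self.aging_time
                   and (e["kind"] != "static" or self.aging_static)]
        for m in expired:
            del self.secure[m]
        return expired

    def running_config(self):
        """Port-security lines as they would appear in the saved configuration."""
        lines = [f"interface {self.name}", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m, e in self.secure.items() if e["kind"] == "sticky"]
        return lines
```

Note the security consequence of each violation mode that the model reproduces: protect and restrict only discard the offending frames (restrict additionally reports them), whereas shutdown err-disables the port, so a single spoofed MAC takes the legitimate host offline as well.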
  • Page 632 ARP spoofing in the network and improving network stability. Ruijie switches support multiple IP security applications (such as IP Source Guard, global IP+MAC binding, port security, etc.), which filter user IP packets effectively and prevent illegitimate users from using network resources.
  • Page 633 IP on all the ports by half. Caution Configuring ARP-CHECK Use the following commands to configure ARP-CHECK in the privileged mode: Action Command Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# interface interface-id Enter the interface configuration mode...
  • Page 634 Ruijie# show interface { interface-type interface-number } arp-check list Show the ARP check entry information. The example below shows the ARP check entry information: Ruijie# show interfaces arp-check list Interface Sender MAC Sender IP Policy Source ------------------------ ---------------- ---------------- -------------------- Gi 0/1 00D0.F800.0003...
  • Page 635 Configuration Guide DoS Protection Configuration DoS Protection Configuration Overview The DoS protection function can defend against Land attacks and invalid TCP message attacks. Land attack The attacker sends a SYN packet to the destination host with the source address/port identical to the destination address/port; the attacked host crashes (or loops forever) while attempting to establish a TCP connection with itself.
  • Page 636 To enable Land attack protection function, run the following commands: Command Function Ruijie# configure terminal Enter global configuration mode Ruijie(config)# ip deny land Enable Land attack protection function Ruijie(config)# end Return to privilege mode Defend against invalid TCP message attack...
  • Page 637 Display Land attack protection status To display Land attack protection status, run the following commands: Command Function Ruijie# show ip deny land Display Land attack protection status The example below shows how to display the Land attack protection status: Ruijie# show ip deny land...
  • Page 638 ACLs by the switch itself, and puts no pressure on network forwarding. You can also use the address binding or Dot1x function of Ruijie switches, or configure ACLs, to achieve the same filtering effect.
  • Page 639 Configuration Guide DoS Protection Configuration Configure Ingress Filtering to Defend Against DoS Attack Default configuration The ingress filtering for defending against DoS attacks is disabled on all network interfaces. Precautions Only layer-3 interfaces with network address can support ingress filtering for defending against DoS attacks.
  • Page 640 Set up Ingress Filtering to Defend Against DoS Attack To set up ingress filtering, run the following commands: Command Function Ruijie# configure terminal Enter global configuration mode. Ruijie(config)# interface interface-id Enter layer-3 interface Ingress filtering function to defend...
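    The three DoS checks from this section as packet-level predicates in Python: the Land test (ip deny land), a test for TCP flag combinations no legitimate stack sends, and per-interface ingress filtering. This is an added example, not RGOS code. The page does not define which TCP messages count as invalid, so the flag list here is the example's own assumption; likewise the model interprets ingress filtering as "drop a packet whose source address does not belong to the receiving Layer-3 interface's network", which is why the page requires an interface with a network address.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp", "icmp", ...
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"}


def is_land(p):
    """Land attack: source address/port identical to destination address/port."""
    if p.src_ip != p.dst_ip:
        return False
    return p.proto not in ("tcp", "udp") or p.src_port == p.dst_port


def is_invalid_tcp(p):
    """TCP flag combinations no legitimate stack sends (this list is an assumption)."""
    if p.proto != "tcp":
        return False
    f = p.flags
    if not f:
        return True                               # null scan: no flags at all
    if {"SYN", "FIN"} <= f or {"SYN", "RST"} <= f:
        return True                               # contradictory flags
    if "FIN" in f and "ACK" not in f:
        return True                               # FIN / Xmas scans: FIN without ACK
    return False


class DosProtection:
    def __init__(self, deny_land=False, deny_invalid_tcp=False):
        self.deny_land = deny_land                # ip deny land
        self.deny_invalid_tcp = deny_invalid_tcp  # invalid TCP message protection
        self.interfaces = {}                      # name -> (network, ingress_filter)
        self.counters = Counter()                 # drop reason -> packets

    def add_interface(self, name, cidr, ingress_filter=False):
        """Layer-3 interface with a network address; ingress filtering needs one."""
        self.interfaces[name] = (ipaddress.ip_interface(cidr).network, ingress_filter)

    def inspect(self, iface, p):
        """Return ("DROP", reason) or ("FORWARD", "") for a packet arriving on iface."""
        if self.deny_land and is_land(p):
            return self._drop("land")
        if self.deny_invalid_tcp and is_invalid_tcp(p):
            return self._drop("invalid-tcp")
        network, filtering = self.interfaces[iface]
        # Ingress filtering as modelled here: a source address outside the receiving
        # interface's own network cannot legitimately arrive there, so it is spoofed.
        if filtering and ipaddress.ip_address(p.src_ip) not in network:
            return self._drop("ingress-filter")
        return ("FORWARD", "")

    def _drop(self, reason):
        self.counters[reason] += 1
        return ("DROP", reason)
```

The counters stand in for what `show ip deny land` reports; a practitioner would watch them rather than the drops themselves, since an unexplained rise in `ingress-filter` drops on an access interface usually means a spoofing host rather than a misconfiguration.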
  • Page 641 Configuration Guide DHCP Snooping Configuration DHCP Snooping Configuration Overview DHCP The DHCP protocol is widely used to dynamically allocate reusable network resources such as IP addresses. A typical IP acquisition process using DHCP is shown below: The DHCP Client sends a DHCP DISCOVER broadcast packet to the DHCP Server. The Client sends the DHCP DISCOVER again if it does not receive a response from the server within a specified time.
  • Page 642 Configuration Guide DHCP Snooping Configuration DHCP Snooping TRUST port: Because the packets used to obtain IP addresses through DHCP are broadcast, rogue servers may prevent users from obtaining IP addresses, or even deceive users and steal their information. To solve this problem, DHCP Snooping classifies ports into two types: TRUST ports and UNTRUST ports.
  • Page 643 Configuration Guide DHCP Snooping Configuration Agent Circuit ID (DOT1X format) Agent Remote ID DHCP Snooping Address Binding By snooping the packets exchanged between DHCP Clients and the DHCP Server, DHCP Snooping combines the legitimate user's information, including IP address, MAC address, VID, port and lease time, into an entry, and these entries form the DHCP Snooping user database.
  • Page 644 DHCP Snooping VLAN range. Command Description Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# [no] ip dhcp snooping vlan {vlan-rng | {vlan-min [vlan-max]}} Configure the VLANs in which DHCP Snooping is enabled. Here is an example of enabling DHCP snooping in VLAN 1000: Ruijie# configure terminal...
  • Page 645: Configuring Static Dhcp Snooping Information Option

    The following example shows how to enable the DHCP source MAC address check function: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping verify mac-address Ruijie(config)# end Configuring Static DHCP Snooping Information Option By default, this function is disabled. After this command is configured, when DHCP Snooping forwards packets, option82 is added to all DHCP request packets and removed from all reply packets.
  • Page 646 The following example sets the interval at which the switch writes the DHCP database to the flash to 3600s: Ruijie# configure terminal Ruijie(config)# ip dhcp snooping database write-delay 3600 Ruijie(config)# end Choose a suitable write interval, since frequently erasing and writing the flash shortens its life.
  • Page 647 Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# interface interface-id Enter the interface configuration mode. Ruijie(config-if)# [no] ip dhcp snooping limit rate Configures rate of receiving DHCP packet on rate-value the port. The following example shows how to set the rate of receiving DHCP packet on GigabitEthernet...
  • Page 648: Showing Dhcp Snooping Configuration

    Command Description Clear information from the current database. Ruijie# clear ip dhcp snooping binding The following example shows how to clear information from the current database manually: Ruijie# clear ip dhcp snooping binding Showing DHCP Snooping Configuration Showing DHCP Snooping...
  • Page 649: Dhcp Snooping Configuration Example

    Configure Switch B Step 1: Enable DHCP Snooping. Ruijie#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#ip dhcp snooping Step 2: Configure the uplink port as the trusted port. Ruijie(config)#interface gigabitEthernet 0/1 Ruijie(config-if-GigabitEthernet 0/1)#ip dhcp snooping trust...
  • Page 650 ---------------- GigabitEthernet 0/1 unlimited Step 3: Verify the DHCP Snooping address binding database (user MAC address, dynamically assigned address, lease time, VLAN and port number): Ruijie#show ip dhcp snooping binding Total number of bindings: 1 MacAddress IpAddress Lease(sec)
  • Page 651: Dynamic Arp Inspection

    The most typical one is the man in the middle attack, which is described as follows: As shown in the diagram, devices A, B and C are connected to Ruijie device and located in the same subnet. Their IP and MAC addresses are respectively represented by (IPA, MACA), (IPB, MACB) and (IPC, MACC).
  • Page 652 Configuration Guide Dynamic ARP Inspection Configuration In this model, device C corrupts the ARP entries of device A and device B. Its method is to broadcast ARP replies to the network continuously, each carrying IPA or IPB as the IP address but MACC as the MAC address.
  • Page 653 Command Function Ruijie(config)# ip arp inspection vlan vlan-id Turn on DAI packet checking for VLAN vlan-id. Ruijie(config)# no ip arp inspection vlan ... Turn off DAI packet checking for VLAN vlan-id...
  • Page 654: Showing Dai Configuration

    Ruijie(config-if)# ip arp inspection trust Set the port as a trusted port. Ruijie(config-if)# no ip arp inspection trust Set the port as an untrusted port. Related Configuration of DHCP Snooping Database Refer to DHCP Snooping Configuration. DAI validates ARP packets only against that database: if no DHCP Snooping database is configured, all ARP packets pass inspection unchecked.
  • Page 655: Ip Source Guard Configuration

    Configuration Guide IP Source Guard Configuration IP Source Guard Configuration Overview DHCP In the typical DHCP-enabled network, the DHCP server is responsible for managing and allocating addresses for hosts. The hosts apply for legal network addresses from the DHCP server. DHCP is helpful for administrators to manage network addresses and avoid address conflict.
  • Page 656 Configuration Guide IP Source Guard Configuration Figure 3 Network with feigned DHCP client attack Figure 4 Network protected by DHCP Snooping By filtering DHCP packets, DHCP Snooping shields feigned servers and blocks attacks from clients. However, it cannot stop users from assigning themselves IP addresses statically.
  • Page 657 After enabling IP Source Guard on the interface, it will filter the IP packets of the users connecting to the interface according to the hardware-based IP packet filtering database. Command Description Ruijie(config)# interface interface-id Enter the interface configuration mode.
  • Page 658 Configure static binding user. ip-address interface interface-id The following example shows how to add a static binding user: Ruijie# configure terminal Ruijie(config)# ip source binding 00d0.f801.0101 vlan 1 192.168.4.243 interface FastEthernet 0/9 Ruijie(config)# end Showing IP Source Guard Configuration Showing IP Source Guard Filtering Entry Use this command to show IP Source Guard filtering entry.
  • Page 659 Configuration Guide IP Source Guard Configuration Ruijie# show ip verify source Show IP Source Guard filtering entry. [interface interface] For example: Ruijie # show ip verify source Interface Filter-type Filter-mode Ip-address Mac-address VLAN --------------- --------- ----------- ---------- ----------- ------ FastEthernet 0/3 active 3.3.3.3...
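    DHCP Snooping, Dynamic ARP Inspection and IP Source Guard share one thing: the binding database that snooping builds from the DHCP exchange. The Python model below, an added example and not RGOS code, covers all three sections: it snoops DISCOVER/OFFER/REQUEST/ACK/RELEASE on trusted and untrusted ports (including the source-MAC check of `ip dhcp snooping verify mac-address`), records bindings, then uses them to validate ARP packets (DAI) and IP packets (IP Source Guard), with static `ip source binding` entries added by hand. Port names, MAC/IP addresses and the "ip" versus "ip-mac" filter modes are constructed for the example; the page itself does not say how the switch handles a RELEASE arriving from a port other than the one holding the lease, so dropping it is this model's choice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    trusted: bool = False      # "ip dhcp snooping trust" / "ip arp inspection trust"


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int
    source: str                # "dhcp-snooping" or "static"


SERVER_MSGS = {"OFFER", "ACK", "NAK"}


class Switch:
    def __init__(self, snooping_vlans, dai_vlans=(), verify_mac=True):
        self.snooping_vlans = set(snooping_vlans)   # ip dhcp snooping vlan ...
        self.dai_vlans = set(dai_vlans)             # ip arp inspection vlan ...
        self.verify_mac = verify_mac                # ip dhcp snooping verify mac-address
        self.bindings = {}                          # (mac, vlan) -> Binding
        self.pending = {}                           # (chaddr, vlan) -> client port awaiting ACK
        self.ipsg = {}                              # port name -> "ip" or "ip-mac"
        self.events = []

    # ---- DHCP Snooping ----
    def dhcp(self, port, vlan, msg, chaddr, src_mac, yiaddr=None, lease=0):
        """Snoop one DHCP message; returns FORWARD or DROP."""
        if vlan not in self.snooping_vlans:
            return "FORWARD"
        if msg in SERVER_MSGS:
            if not port.trusted:                    # server reply on an untrusted port: rogue server
                self.events.append(f"rogue {msg} from {src_mac} on {port.name}")
                return "DROP"
            if msg == "ACK":
                client_port = self.pending.pop((chaddr, vlan), None)
                if client_port:                     # bind only addresses a seen client requested
                    self.bindings[(chaddr, vlan)] = Binding(
                        chaddr, yiaddr, vlan, client_port, lease, "dhcp-snooping")
            return "FORWARD"
        if not port.trusted and self.verify_mac and src_mac != chaddr:
            self.events.append(f"chaddr {chaddr} != source MAC {src_mac} on {port.name}")
            return "DROP"
        if msg in ("DISCOVER", "REQUEST"):
            if not port.trusted:
                self.pending[(chaddr, vlan)] = port.name
        elif msg == "RELEASE":
            b = self.bindings.get((chaddr, vlan))
            if b and b.port != port.name:           # release must come from the port holding the lease
                return "DROP"
            self.bindings.pop((chaddr, vlan), None)
        return "FORWARD"

    def add_static_binding(self, mac, vlan, ip, port_name):
        """ip source binding <mac> vlan <vid> <ip> interface <port>"""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port_name, 0, "static")

    # ---- Dynamic ARP Inspection ----
    def arp(self, port, vlan, sender_mac, sender_ip):
        if port.trusted or vlan not in self.dai_vlans:
            return "FORWARD"
        if vlan not in self.snooping_vlans:         # no snooping database: nothing to check against
            return "FORWARD"
        b = self.bindings.get((sender_mac, vlan))
        if b and b.ip == sender_ip and b.port == port.name:
            return "FORWARD"
        self.events.append(f"ARP {sender_ip}/{sender_mac} failed inspection on {port.name}")
        return "DROP"

    # ---- IP Source Guard ----
    def enable_ipsg(self, port_name, mode="ip"):
        """'ip' checks the source IP only, 'ip-mac' checks the IP+MAC pair (modes assumed)."""
        self.ipsg[port_name] = mode

    def ip_packet(self, port, vlan, src_mac, src_ip):
        mode = self.ipsg.get(port.name)
        if mode is None:
            return "FORWARD"
        for b in self.bindings.values():
            if b.port == port.name and b.vlan == vlan and b.ip == src_ip:
                if mode == "ip" or b.mac == src_mac:
                    return "FORWARD"
        return "DROP"
```

Two things the model makes concrete that the tables above leave implicit: a binding is keyed to the port where the client's request was seen, so the same MAC/IP pair sent from another port fails both DAI and IP Source Guard; and a VLAN without DHCP Snooping has no database, so enabling DAI there alone filters nothing.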
  • Page 660 Configuration Guide ND Snooping Configuration ND Snooping Configuration Overview In the IPv6 network, the network nodes use ND (Neighbor Discovery) protocol to discover router and carry out auto-configuration, detect duplicate address, translate link-layer address, detect neighbor accessibility, announce link-layer address change, and redirect route. Since ND protocol lacks intrinsic security, it is faced with such problems as address resolution attack and routing information attack, and it's very complicated to increase security by deploying extrinsic encryption &...
  • Page 661 Enter the global configuration mode. Ruijie# configure terminal Enable/disable the global IPv6 ND Snooping Ruijie(config)# [no] ipv6 nd snooping The following example shows how to enable the IPv6 ND Snooping: For example: enable global IPv6 ND snooping Ruijie# configure terminal...
  • Page 662 Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# interface interface_id Enter the interface configuration mode. Ruijie(config-if)# ipv6 nd snooping trust Set the interface as an IPv6 ND Snooping trusted interface. For example: set interface FastEthernet 0/1 as a trusted interface. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z.
  • Page 663 Configuration Guide ND Snooping Configuration Gi0/1 For example: display ND Snooping interface configurations Ruijie# show ipv6 nd snooping interface Interface Trusted Combine-security --------- ------- ---------------- Gi0/1 Configuration Example Networking Requirements The user uses stateless auto-configuration to assign IPv6 addresses, and now intends to deploy IPv6...
  • Page 664 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)#ipv6 nd snooping Configure trust attribute of the interface Ruijie(config)#interface fastethernet 0/1 Ruijie(config-if)#ipv6 nd snooping trust Ruijie(config-if)#exit Verification Ruijie# show ipv6 nd snooping Global switch: enabled ND Snooping is disabled in following VLANs:...
  • Page 665 Configuration Guide ND Snooping Configuration None Address resolution check: disabled, software Route information check: enabled, software Stateless-user monitor: disabled Stateless-user bind: disabled, loose, IP-only Interface Trusted Combine-security --------- ------- ---------------- Gi0/1...
  • Page 666 Configuration Guide DHCPv6 Snooping Configuration DHCPv6 Snooping Configuration Overview DHCPv6 As IPv6 network is growing, IPv6 network-based applications are popularized gradually. As the framework put forward in the initial design stage of IPv6, automatic configuration of nodes is the key point of IPv6 network. Stateless configuration and stateful configuration come into being in the new network framework.
  • Page 667 Configuration Guide DHCPv6 Snooping Configuration Figure 2 Network protected through DHCPv6 Snooping As shown in Figure 2, DHCPv6 Snooping prevents abnormal packet attacks from forged DHCP servers and illegal DHCP clients in an untrusted network. Furthermore, the snooping result is recorded and applied. When the DHCPv6 server allocates an IPv6 prefix, a user entry is formed from the allocated IPv6 prefix, the user MAC address, the port the user is located on, the ID of the VLAN the user belongs to, and the lease period; these entries make up the DHCPv6 Snooping prefix database.
  • Page 668 Configuration Guide DHCPv6 Snooping Configuration forward the DHCPv6 server's reply messages received on trusted ports and discard those received on untrusted ports. Hence, the port connected to the legal DHCPv6 server is set as trusted and all other ports as untrusted, which shields illegal DHCPv6 servers.
  • Page 669 Enter the global configuration mode. Ruijie(config)# ipv6 dhcp snooping Enable DHCPv6 Snooping. Ruijie(config)# show ipv6 dhcp snooping Show the configuration of DHCPv6 Snooping. To restore the setting to the default value, run the no ipv6 dhcp snooping command in the global configuration mode.
  • Page 670 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 dhcp snooping vlan 1,3-5,7,9-11 Once a VLAN is created, DHCP Snooping is enabled on this VLAN by default. To disable this function, run the corresponding command on this VLAN Caution manually.
  • Page 671 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 dhcp snooping database write-delay 600 Writing the Bound Database to Flash File in Real Time Administrator can manually write the bound database to Flash file before rebooting the device to guarantee the normal operation of the bound user in case of abnormal reboot.
  • Page 672 Configuration example: # Add a statically bound user. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 source binding 00d0.f866.4777 vlan 10 2001:2002::2003 interface fastethernet 0/10 Ruijie(config)# end Ruijie# show ipv6 source binding Total number of bindings: 1...
  • Page 673 DHCPv6 Snooping Configuration Ruijie(config-if)# end Exit to the privileged EXEC mode. Ruijie# show ipv6 dhcp snooping Show DHCPv6 Snooping configuration. To restore the setting to the default value, run the no ipv6 dhcp snooping trust command in the interface configuration mode.
  • Page 674 # Filter the DHCPv6 request message on FastEthernet 0/1. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# interface fastEthernet 0/10 Ruijie(config-if)# ipv6 dhcp snooping filter-dhcp-pkt Ruijie# show ipv6 dhcp snooping Switch DHCPv6 snooping status : ENABLE DHCPv6 snooping vlan: 1-4094...
  • Page 675 Configuration example: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 dhcp snooping ignore dest-not-found Ruijie(config)# end Clearing Dynamically Bound Entries when the Port is Linked Down Once a port is linked down, the users under the port cannot communicate with external users.
  • Page 676 Configuration example: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 dhcp snooping link-detection Ruijie(config)# end Adding Dynamically Bound Entries to the Hardware Filtering Table with a Delay By default, dynamically bound entries are added to the hardware filtering table in real time.
  • Page 677 Configuration example: Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# ipv6 dhcp snooping binding-delay 10 Ruijie(config)# end Showing/Clearing DHCPv6 Snooping Configurations and States The following commands show or clear DHCPv6 Snooping configurations and states.
  • Page 678 Set the IP address of gateway anti-arp-spoofing: Command Function Configure gateway anti-arp-spoofing on this port. Ruijie(config-if)# anti-arp-spoofing ip-address : specify the IP address of the ip ip-address gateway. In the interface configuration mode, you may use the no anti-arp-spoofing ip...
  • Page 679 You cannot configure gateway anti-arp-spoofing on an uplink port. Once gateway anti-arp-spoofing or ARP check has been configured, IPv6 ACLs can no longer be used, and vice versa. Caution Monitoring View the gateway anti-arp-spoofing of a switch: Command Function Ruijie# show anti-arp-spoofing Show gateway anti-arp-spoofing information of all interfaces.
  • Page 680 Configuration Guide NFPP Configuration NFPP Configuration NFPP Overview NFPP stands for Network Foundation Protection Policy.  NFPP Function  NFPP Principle NFPP Function In a network, some malicious attacks put an excessive burden on the switch. When the packet rate or packet percentage exceeds the limit, the CPU becomes over-utilized and the switch operates abnormally.
  • Page 681 Configuration Guide NFPP Configuration In order to make full use of the NFPP function, you can modify the rate-limit value of each packet in CPU Protect Policy according to specified network environment, you can also use the recommended value displayed after executing the show Caution cpu-protect summary command.
  • Page 682 Configuration Guide NFPP Configuration the anti-attack policy uses the hardware filter in order to make sure that the attack packets will not be sent to the CPU and ensure the normal device operation. After detecting an attack, NFPP sends the warning messages to the administrator.
  • Page 683 Ruijie(config)# cpu-protect sub-interface {manage|protocol|route} pps pps_value Configure the bandwidth in pps, ranging from 1 to 8192, in integer. For example: Ruijie(config)# cpu-protect sub-interface manage pps 200 Ruijie(config)# end Configuring the packet percent This section describes how to configure the packet percent: Command Function...
  • Page 684 percent percent_value Configure the percentage, ranging from 1 to 100, in integer. For example: Ruijie(config)# cpu-protect sub-interface manage percent 60 Ruijie(config)# end The valid percent value of one packet type must be less than 100% minus the percent values of the other two types of packets...
  • Page 685 MAC address and source IP address are fixed while the destination IP address is changing. Ruijie products only detect the first kind of ARP scan (link-layer source MAC address fixed while the source IP address changes).
  • Page 686 Ruijie(config-if)# nfpp arp-guard enable By default, arp-guard is not enabled on the interface. Return to the privileged EXEC mode. Ruijie(config-if)# end Ruijie# show nfpp arp-guard summary Show the configurations. Ruijie# copy running-config Save the configurations. startup-config With the arp-guard disabled, the monitored hosts and scan hosts are auto-cleared.
  • Page 687 Return to the privileged EXEC mode. Ruijie(config-if)# end Show the arp-guard parameter Ruijie# show nfpp arp-guard summary settings. Ruijie# copy running-config Save the configurations. startup-config To restore the global isolated time to the default value, use the no arp-guard isolate-period command in the nfpp configuration mode.
  • Page 688 Return to the privileged EXEC mode. Ruijie(config-nfpp)# end Show arp-guard parameter Ruijie# show nfpp arp-guard summary settings. Ruijie# copy running-config Save the configurations. startup-config To restore the monitored host limit to the default value, use the no arp-guard monitored-host-limit command in the nfpp configuration mode.
  • Page 689 Configuration Guide NFPP Configuration Host-based rate-limit and attack detection Host-based attack detection can be classified into two types: source MAC address/VID/port-based and source IP address/VID/port-based. For each attack detection, you can configure the rate-limit threshold and the attack threshold (also called the warning threshold). ARP packets are dropped when the packet rate exceeds the rate-limit threshold.
  • Page 690 Configuration Guide NFPP Configuration The following example shows the descriptive information included in the sent TRAP messages: Failed to isolate host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>. It prompts the following message when an ARP scan is detected: %NFPP_ARP_GUARD-4-SCAN: Host<IP=1.1.1.1,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00) The following example shows the descriptive information included in the sent TRAP messages: ARP scan from host<...
  • Page 691 This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal Enter the global configuration mode. Enter the nfpp configuration mode. Ruijie(config)# nfpp Configure the arp-guard rate-limit, ranging from 1 to 9999, 4 by default.
  • Page 692 Return to the privileged EXEC mode. Ruijie(config-if)# end Show the arp-guard parameter Ruijie# show nfpp arp-guard summary settings. Ruijie# copy running-config Save the configurations. startup-config Port-based rate-limit and attack detection You can configure the arp-guard rate limit and attack threshold on the port.
  • Page 693 Command Function Enter the global configuration mode. Ruijie# configure terminal Enter the nfpp configuration mode. Ruijie(config)# nfpp Configure the arp-guard rate-limit of the Ruijie(config-nfpp)# arp-guard rate-limit...
  • Page 694 Clear all isolated hosts. clear nfpp arp-guard hosts vlan vid: Clear all isolated hosts in a VLAN. clear nfpp arp-guard hosts [vlan vid] Ruijie# clear nfpp arp-guard hosts [vlan [interface interface-id]: Clear vid] [interface interface-id] [ip-address | isolated hosts on a interface in a VLAN.
  • Page 695 NFPP Configuration Clearing the ARP scan table The administrator can use the following command to clear the ARP scan table manually. Command Function Ruijie# clear nfpp arp-guard scan Clear the ARP scan table. Showing arp-guard  Showing arp-guard configuration ...
  • Page 696 Show the isolated hosts in a VLAN. show nfpp arp-guard hosts [vlan vid] [interface interface-id]: Show Ruijie#show nfpp arp-guard hosts [vlan the isolated hosts on a interface in a vid] [interface interface-id] [ip-address | VLAN. mac-address]...
  • Page 697 1.1.2.1 Gi0/3 0000.0000.1111 110 Gi0/4 0000.0000.2222 Total:4 hosts Ruijie# show nfpp arp-guard hosts vlan 1 interface G 0/1 1.1.1.1 If column 1 shows '*', it means "hardware do not isolate user". VLAN interface IP address MAC address remain-time(s) ---- --------...
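    The arp-guard machinery described across the preceding pages (host-based rate limit and attack threshold keyed by source MAC/VLAN/port, a port-based limit, the isolate period, the monitored-host limit, and scan detection for a fixed source MAC with changing source IP) as a Python model. This is an added example, not RGOS code or RGOS log output. The page states the host-based rate-limit default (4 pps) and the "Failed to isolate host<...>" and "%NFPP_ARP_GUARD-4-SCAN" message forms; the attack threshold, port limit, isolate period, monitored-host limit, scan threshold and window, and the DOS_DETECTED mnemonic are assumptions of the model. The same structure, with different keys and thresholds, is what the ip-guard and icmp-guard sections that follow configure.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# The page gives the host-based arp-guard rate-limit default (4 pps). The other
# values are assumptions made for this example, not documented RGOS defaults.
HOST_RATE_LIMIT = 4            # pps per (source MAC, VLAN, port)
HOST_ATTACK_THRESHOLD = 8      # pps; exceeding it marks the host as attacking
PORT_RATE_LIMIT = 100          # pps per port
ISOLATE_PERIOD = 180           # seconds; 0 = monitor only, None = permanent
MONITORED_HOST_LIMIT = 1000    # size of the monitored-host table
SCAN_THRESHOLD = 15            # distinct sender IPs from one MAC within SCAN_WINDOW
SCAN_WINDOW = 10               # seconds
PERMANENT = float("inf")


@dataclass
class HostState:
    second: int = -1                 # second the rate counter refers to
    count: int = 0                   # ARP packets seen in that second
    isolated_until: float = 0        # 0 = not isolated
    reason: str = ""
    window_start: int = 0
    sender_ips: set = field(default_factory=set)


class ArpGuard:
    def __init__(self, rate_limit=HOST_RATE_LIMIT, attack_threshold=HOST_ATTACK_THRESHOLD,
                 port_rate_limit=PORT_RATE_LIMIT, isolate_period=ISOLATE_PERIOD,
                 monitored_limit=MONITORED_HOST_LIMIT, scan_threshold=SCAN_THRESHOLD):
        self.rate_limit = rate_limit
        self.attack_threshold = attack_threshold
        self.port_rate_limit = port_rate_limit
        self.isolate_period = isolate_period
        self.monitored_limit = monitored_limit
        self.scan_threshold = scan_threshold
        self.hosts = {}                          # (mac, vlan, port) -> HostState
        self.port_counts = defaultdict(int)      # (port, second) -> ARP packets
        self.log = []                            # syslog/trap style messages

    def _isolate(self, h, t, ip, mac, vlan, port, reason):
        tag = f"Host<IP={ip},MAC={mac},port={port},VLAN={vlan}>"
        self.log.append(f"%NFPP_ARP_GUARD-4-{reason}: {tag} was detected. (t={t})")
        monitored = sum(1 for s in self.hosts.values() if s.isolated_until)
        if monitored >= self.monitored_limit:
            self.log.append(f"Failed to isolate {tag}.")   # monitored-host table is full
            return
        if self.isolate_period is None:
            h.isolated_until = PERMANENT
        elif self.isolate_period > 0:
            h.isolated_until = t + self.isolate_period
        h.reason = reason

    def packet(self, t, mac, sender_ip, vlan, port):
        """Classify one ARP packet arriving at integer second t:
        FORWARD, DROP (rate-limited), ATTACK, SCAN or ISOLATED."""
        h = self.hosts.setdefault((mac, vlan, port), HostState())
        if h.isolated_until:
            if t < h.isolated_until:
                return "ISOLATED"                # hardware filter: never reaches the CPU
            h.isolated_until, h.reason = 0, ""   # isolation period is over
        if h.second != t:
            h.second, h.count = t, 0
        h.count += 1
        self.port_counts[(port, t)] += 1
        # Scan detection: fixed sender MAC, changing sender IP (the variant the page says is detected)
        if t - h.window_start >= SCAN_WINDOW:
            h.window_start, h.sender_ips = t, set()
        h.sender_ips.add(sender_ip)
        if len(h.sender_ips) > self.scan_threshold:
            self._isolate(h, t, sender_ip, mac, vlan, port, "SCAN")
            return "SCAN"
        if h.count > self.attack_threshold:
            self._isolate(h, t, sender_ip, mac, vlan, port, "DOS_DETECTED")  # mnemonic assumed
            return "ATTACK"
        if h.count > self.rate_limit or self.port_counts[(port, t)] > self.port_rate_limit:
            return "DROP"                        # rate-limited but not (yet) an attack
        return "FORWARD"

    def isolated_hosts(self, t):
        """Rows as 'show nfpp arp-guard hosts' lists them: (vlan, port, mac, reason, remain)."""
        rows = []
        for (mac, vlan, port), h in self.hosts.items():
            if h.isolated_until and t < h.isolated_until:
                remain = "permanent" if h.isolated_until == PERMANENT else int(h.isolated_until - t)
                rows.append((vlan, port, mac, h.reason, remain))
        return rows
```

The ordering matters and is deliberate: packets above the rate limit but below the attack threshold are dropped without any state change, so a briefly chatty host is throttled rather than isolated, while a host that crosses the attack threshold or the scan threshold is isolated by a hardware entry until the isolate period expires (or indefinitely when the period is permanent). When the monitored-host table is full the attack is still reported but the host is not isolated, which is the condition the page's "Failed to isolate host" trap describes.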
  • Page 698 As a result, a large volume of scanning packets takes up network bandwidth and disrupts normal network communication. Ruijie Layer-3 devices provide the IP-guard function to prevent such attacks from hackers and from viruses such as "Blaster", reducing the CPU burden of the Layer-3 device.
  • Page 699 Configuration Guide NFPP Configuration  Sending the IP packets to the inexistent destination IP address at the high-rate: for the layer-3 device, the packets are directly forwarded by the switching chip without the consumption of the CPU resources if the destination IP address exists.
  • Page 700 Return to the privileged EXEC mode. Ruijie(config-if)# end Show the configurations. Ruijie# show nfpp ip-guard summary Ruijie# copy running-config Save the configurations. startup-config With the ip-guard disabled, the monitored hosts are auto-cleared.
  • Page 701 Return to the privileged EXEC mode. Ruijie(config-if)# end Ruijie# show nfpp ip-guard summary Show the parameter settings. Ruijie# copy running-config Save the configurations. startup-config To restore the global isolated time to the default value, use the no ip-guard isolate-period command in the nfpp configuration mode.
  • Page 702 Return to the privileged EXEC mode. Ruijie(config-nfpp)# end Show the parameter settings. Ruijie# show nfpp ip-guard summary Ruijie# copy running-config Save the configurations. startup-config To restore the monitored host limit to the default value, use the no ip-guard monitored-host-limit command in the nfpp configuration mode.
  • Page 703 Configuration Guide NFPP Configuration When the monitored host table is full, the following message is prompted: "% NFPP_IP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts." Caution Host-based rate-limit and attack detection Use the source IP address/VID/port-based method to detect host-based attacks.
  • Page 704 This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal Enter the global configuration mode. Enter the nfpp configuration mode. Ruijie(config)# nfpp Configure the ip-guard rate-limit, ranging from 1 to 9999, 20 by default.
  • Page 705

    Ruijie(config-if)# nfpp ip-guard policy per-src-ip rate-limit-pps attack-threshold-pps rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999; by default, the global rate-limit threshold value is used. attack-threshold-pps: set the attack threshold. The valid range is 1-9999; by default, the global attack threshold value is used.
  • Page 706

    Enter the global configuration mode. Ruijie(config)# nfpp Enter the nfpp configuration mode. Ruijie(config-nfpp)# ip-guard rate-limit per-port ... Configure the ip-guard rate limit for IP packets on the port, ranging from 1 to 9999, 100 by default. Configure the ip-guard attack threshold, ranging from 1 to 9999, 200 by default.
  • Page 707 For example: The following example shows how to delete all trusted hosts: Ruijie(config-nfpp)# no ip-guard trusted-host all The following example shows how to delete a trusted host entry: Ruijie(config-nfpp)# no ip-guard trusted-host 1.1.1.1 255.255.255.255...
  • Page 708 Configuration Guide NFPP Configuration When the trusted host table is full, the message "%ERROR: Attempt to exceed limit of 500 trusted hosts." is prompted to inform the administrator. If the IP address of a new trusted host entry is the same as one already in the untrusted host list, the system automatically deletes that untrusted entry by IP address.
  • Page 709 Clear all isolated hosts. clear nfpp ip-guard hosts vlan vid: Clear all isolated hosts in a VLAN. Ruijie# clear nfpp ip-guard hosts [vlan vid] [interface interface-id] [ip-address] clear nfpp ip-guard hosts [vlan vid] [interface interface-id]: Clear isolated hosts on an interface in a VLAN.
  • Page 710 Show the isolated hosts in a VLAN. Ruijie# show nfpp ip-guard hosts [vlan vid] [interface interface-id] [ip-address | mac-address] show nfpp ip-guard hosts [vlan vid] [interface interface-id]: Show isolated hosts on an interface in a VLAN. show nfpp ip-guard hosts [vlan vid]...
  • Page 711 1.1.1.1 ATTACK Gi0/2 1.1.2.1 SCAN Total:2 hosts Ruijie# show nfpp ip-guard hosts vlan 1 interface G 0/1 1.1.1.1 If column 1 shows '*', it means "hardware do not isolate user". VLAN interface IP address MAC address remain-time(s) ---- -------- ---------...
  • Page 712 You can enable icmp-guard in the nfpp configuration mode or in the interface configuration mode. By default, the icmp-guard is enabled. Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Ruijie(config-nfpp)# icmp-guard enable: Enable the icmp-guard. By default, icmp-guard is enabled.
  • Page 713 Ruijie(config-if)# nfpp icmp-guard enable: Enable icmp-guard on the interface. By default, icmp-guard is not enabled on the interface. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp icmp-guard summary: Show the configurations. Ruijie# copy running-config startup-config: Save the configurations. With the icmp-guard disabled, the monitored hosts are auto-cleared.
  • Page 714 Permanent represents permanent isolation. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp icmp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the global isolated time to the default value, use the no icmp-guard isolate-period command in the nfpp configuration mode.
  • Page 715 Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# show nfpp icmp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the monitored host limit to the default value, use the no icmp-guard monitored-host-limit command in the nfpp configuration mode.
  • Page 716 Host-based rate-limit and attack detection Use the source IP address/VID/port-based method to detect the host-based attack. For each attack detection, you can configure the rate-limit threshold and attack threshold (also called warning threshold). The ICMP packet will be dropped when the packet rate exceeds the rate-limit threshold.
  • Page 717: Per-Src-Ip: To Detect The Hosts Based

    This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Configure the icmp-guard rate-limit,...
  • Page 718: Show The Parameter Settings

    Command Function Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie(config-if)# show nfpp icmp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. Port-based rate-limit and attack detection You can configure the icmp-guard rate limit and attack threshold on the port. The rate limit value must be less than the attack threshold value.
  • Page 719 The valid range is 1-9999 and by default, it adopts the global attack threshold value. Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie(config-if)# show nfpp icmp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. The source IP address-based rate limit takes precedence over the port-based rate limit.
  • Page 720: Save The Configurations

    For example: The following example shows how to delete all trusted hosts: Ruijie(config-nfpp)# no icmp-guard trusted-host all The following example shows how to delete a trusted host entry: Ruijie(config-nfpp)# no icmp-guard trusted-host 1.1.1.1 255.255.255.255...
  • Page 721 It prompts “%ERROR: Attempt to exceed limit of 500 trusted hosts.” to inform the administrator that the trusted host table is full. If the IP address of the trusted host entry is the same as one already in the untrusted host list, the system will auto-delete that entry according to the IP address.
  • Page 722 Clear all isolated hosts in a VLAN. Ruijie# clear nfpp icmp-guard hosts [vlan vid] [interface interface-id] [ip-address] clear nfpp icmp-guard hosts [vlan vid] [interface interface-id]: Clear all isolated hosts on an interface in a VLAN.
  • Page 723 No configuration. Showing monitored host configuration Command Function Ruijie# show nfpp icmp-guard hosts statistics: Show the icmp-guard hosts statistics, including total host amount, isolated host amount and non-isolated host amount. Show the isolated hosts information. show nfpp icmp-guard hosts vlan vid: Show the isolated hosts in a VLAN.
  • Page 724 NFPP Configuration Gi0/1 1.1.1.1 Gi0/2 1.1.2.1 Total:2 hosts Ruijie# show nfpp icmp-guard hosts vlan 1 interface G 0/1 1.1.1.1 If column 1 shows '*', it means "hardware do not isolate user". VLAN interface IP address remain-time(s) ---- -------- --------- ------------- Gi0/1 1.1.1.1...
  • Page 725 Ruijie(config-if)# nfpp dhcp-guard enable: Enable dhcp-guard on the interface. By default, dhcp-guard is not enabled on the interface. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcp-guard summary: Show the configurations. Ruijie# copy running-config startup-config: Save the configurations...
  • Page 726 Permanent represents permanent isolation. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the global isolated time to the default value, use the no dhcp-guard isolate-period command in the nfpp configuration mode.
  • Page 727 180-86400s (one day). The monitor-period seconds default value is 600s. Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the monitored time to the default value, use the no dhcp-guard monitor-period command in the nfpp configuration mode.
  • Page 728 Command Function Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcp-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the monitored host limit to the default value, use the no dhcp-guard monitored-host-limit command in the nfpp configuration mode.
  • Page 729 This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Configure the dhcp-guard rate-limit, ranging from 1 to 9999, 5 by default.
  • Page 730 MAC address/VID/port; Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# interface interface-name: Enter the interface configuration mode. Configure the rate-limit and attack threshold on the specified interface.
  • Page 731 This section shows the administrator how to configure the port-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Configure the dhcp-guard rate-limit of the...
  • Page 732 Showing dhcp-guard  Showing dhcp-guard configuration  Showing monitored host configuration Showing dhcp-guard configuration Use this command to show the dhcp-guard configurations. Command Function Ruijie# show nfpp dhcp-guard summary: Show the dhcp-guard configurations. For example,...
  • Page 733 Ruijie# show nfpp dhcp-guard summary (Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.) Interface Status Isolate-period Rate-limit Attack-threshold Global Enable -/5/150 -/10/300 G 0/1 Enable -/6/- -/8/- G 0/2 Disable -/5/30 -/10/50 Maximum count of monitored hosts: 1000 Monitor period:300s...
  • Page 734 ----------- ------------- Gi0/1 0000.0000.0001 110 Gi0/2 0000.0000.2222 Total:2 host(s) Ruijie# show nfpp dhcp-guard hosts vlan 1 interface g 0/1 0000.0000.0001 If column 1 shows '*', it means "hardware failed to isolate host". VLAN interface MAC address remain-time(s) ---- -------- -----------...
  • Page 735 Ruijie# interface interface-name: Enter the interface configuration mode. Ruijie(config-if)# nfpp dhcpv6-guard enable: Enable dhcpv6-guard on the interface. By default, dhcpv6-guard is not enabled on the interface. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcpv6-guard summary: Show the configurations...
  • Page 736: Configuring The Isolated Time

    Ruijie(config-if)# nfpp arp-guard isolate-period [seconds | permanent]: 0s, 180-86400s (one day). By default, the isolated time is configured globally. 0s represents no isolation. Permanent represents permanent isolation. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcpv6-guard summary: Show the parameter settings...
  • Page 737: Configuring The Monitored Time

    180-86400s (one day). The monitor-period seconds default value is 600s. Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcpv6-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the monitored time to the default value, use the no dhcpv6-guard...
  • Page 738: Configuring The Monitored Host Limit

    1-4294967295. The default monitored-host-limit value is 1000. Ruijie(config-nfpp)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcpv6-guard summary: Show the parameter settings. Ruijie# copy running-config startup-config: Save the configurations. To restore the monitored host limit to the default value, use the no dhcpv6-guard monitored-host-limit command in the nfpp configuration mode.
  • Page 739: Host-Based Rate-Limit And Attack Detection

    Host-based rate-limit and attack detection Use the source MAC/VID/port-based method to detect the host-based attack. For each attack detection, you can configure the rate-limit threshold and attack threshold (also called warning threshold). The DHCPv6 packet will be dropped when the packet rate exceeds the rate-limit threshold.
  • Page 740 This section shows the administrator how to configure the host-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Ruijie(config-nfpp)# Configure the dhcpv6-guard rate-limit, ranging from 1 to 9999, 5 by default.
  • Page 741: Port-Based Rate-Limit And Attack Detection

    Command Function Ruijie# copy running-config startup-config: Save the configurations. Port-based rate-limit and attack detection You can configure the dhcpv6-guard rate limit and attack threshold on the port. The rate limit value must be less than the attack threshold value. When the DHCPv6 packet rate on a port exceeds the limit, the DHCPv6 packets are dropped.
  • Page 742 Clear all isolated hosts. clear nfpp dhcpv6-guard hosts vlan vid: Clear all isolated hosts in a VLAN. Ruijie# clear nfpp dhcpv6-guard hosts [vlan vid] [interface interface-id] [mac-address] clear nfpp dhcpv6-guard hosts [vlan vid] [interface interface-id]: Clear all isolated hosts on an interface in a VLAN.
  • Page 743 Use this command to show the dhcpv6-guard configurations. Command Function Ruijie# show nfpp dhcpv6-guard summary: Show the dhcpv6-guard configurations. For example, Ruijie# show nfpp dhcpv6-guard summary (Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.) Interface Status Isolate-period Rate-limit Attack-threshold Global Enable -/5/150 -/10/300...
  • Page 744 ----------- ------------- Gi0/1 0000.0000.0001 110 Gi0/2 0000.0000.2222 Total:2 host(s) Ruijie# show nfpp dhcpv6-guard hosts vlan 1 interface g 0/1 0000.0000.0001 If column 1 shows '*', it means "hardware failed to isolate host". VLAN interface MAC address remain-time(s) ---- -------- -----------...
  • Page 745: Showing Related Dhcpv6-Guard Information

    You can enable ND-guard in the nfpp configuration mode or in the interface configuration mode. By default, the ND-guard is enabled. Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Ruijie(config-nfpp)# nd-guard enable: Enable the nd-guard. By default, nd-guard is enabled.
  • Page 746 Ruijie(config-if)# nfpp nd-guard enable: By default, nd-guard is not enabled on the interface. Ruijie(config-if)# end: Return to the privileged EXEC mode. Ruijie# show nfpp dhcpv6-guard summary: Show the configurations. Ruijie# copy running-config startup-config: Save the configurations. With the nd-guard disabled, the monitored hosts are auto-cleared.
  • Page 747 This section shows the administrator how to configure the port-based rate-limit and attack detection in the nfpp configuration mode and in the interface configuration mode: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Configure the rate-limit of the ND packets...
  • Page 748 Showing ND-guard configuration Use this command to show the ND-guard configurations. Command Function Ruijie# show nfpp nd-guard summary: Show the ND-guard configurations. For example, Ruijie# show nfpp nd-guard summary (Format of column Rate-limit and Attack-threshold is NS-NA/RS/RA-REDIRECT.)...
  • Page 749: Return To The Privileged Exec Mode

    The administrator can configure the NFPP log-buffer entry number in the nfpp configuration mode. Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# nfpp: Enter the nfpp configuration mode. Ruijie(config-nfpp)# log-buffer entries number: Configure the NFPP log-buffer area size (in the range of 0-1024), 256 by default.
  • Page 750: Return To The Privileged Exec Mode

    Command Function Ruijie# show nfpp log summary: Show the configurations. Configuring the rate of generating NFPP syslog The administrator can configure the rate of generating the NFPP syslog in the nfpp configuration mode. Command Function Ruijie# configure terminal: Enter the global configuration mode.
  • Page 751 Ruijie# show nfpp log summary: Show the NFPP syslog configuration. Ruijie# show nfpp log buffer [statistics]: Show the NFPP syslog in the log-buffer area. The parameter statistics shows the log number in the log-buffer area. The following example shows the NFPP syslog configuration:...
  • Page 752 The following example shows the NFPP syslog number in the log-buffer area: Ruijie#show nfpp log buffer statistics There are 6 logs in buffer. The following example shows the NFPP syslog buffer area: Ruijie#show nfpp log buffer...
  • Page 753: Mode Configuration

    Introduction to the Security of Ruijie Switches With the development of business applications, users are more and more concerned about the security of networks. Ruijie Networks' Ethernet switches come with a rich set of security functions to address various requirements. Logically, the security functions are divided into two parts: access control components and network security components, which check the incoming packets in order.
  • Page 754 Configuration Guide Ruijie Switches Security Compatible Mode Configuration Global IP-MAC binding: The packets are allowed only when they match the global IP-MAC binding or otherwise they will be dropped. Port security: The packets are allowed only when they match the port security address or the bound port security address if port security-IP binding is enabled.
  • Page 755 Default value Coexistence in RGOS compatible mode Enabled Configure the Security Compatible Mode Command By default, Ruijie Switches’ security functions coexist in RGOS compatible mode. To set the coexistence mode of security function, do the following steps: Command Function Enters...
  • Page 756 After executing this command, you must save the configuration and then restart to bring the security compatible mode configuration into effect. Caution View Security Compatible Mode Configuration No specific show command is available to view the configuration of the security compatible mode.
  • Page 758 ACL & QoS Configuration 1. Access Control List Configuration 2. QoS Configuration...
  • Page 759: Access Control List Configuration

    Configuration Guide Access Control List Configuration Access Control List Configuration Overview As part of our security solution, ACL is used to provide a powerful data flow filtering function. At present, our product supports the following access lists:  Standard IP access control list ...
  • Page 760 other services like TELNET are disabled). Or, allow users to access services only during a given period, or only allow some hosts to access networks. Figure 1 shows a case in which only host A is allowed to access the Finance Network, while Host B is disallowed to do so.
  • Page 761 Input/Output ACL, Filtering Domain Template and Rule When a device interface receives a message, the input ACL checks whether the message matches an ACE of the ACL input on the interface. When a device interface is ready to output a message, the output ACL checks whether the message matches an ACE of the ACL output on the interface.
  • Page 762 Figure 2 Analysis of the ACE: permit tcp host 192.168.12.2 any eq telnet...
  • Page 763 A filtering domain template can be the collection of L3 fields (Layer 3 Field) and L4 fields (Layer 4 Field) or the collection of multiple L2 fields (Layer 2 Field). However, the filtering domain templates of a standard and extended ACL cannot be the collection of L2 and L3, L2 and L4, L2 and L3, or L4 fields.
  • Page 764 Guide to configure IP Access List When you create an access list, the defined rules will be applied to all packet messages on a switch. The switch decides whether to forward or block a packet message by judging whether the packet matches a rule.
  • Page 765 Ruijie(config)# interface interface: Select the interface to which the access list is to be applied. Ruijie(config-if)# ip access-group id { in | out }: Apply the access list to the specific interface. Method 2: Run the following command in the ACL configuration mode: Command...
  • Page 766 Note Showing IP ACL To monitor access lists, run the following command in the privileged user mode: Ruijie# show access-lists [ id | name ] This command can be used to view the basic access list. IP ACL Example ...
  • Page 767 According to requirements, configure an extended access list numbered 101 access-list 101 permit tcp 192.168.12.0 0.0.0.255 any eq telnet time-range check Ruijie(config)# access-list 101 deny icmp 192.168.12.0 0.0.0.255 any Ruijie(config)# access-list 101 deny ip 2.2.2.0 0.0.0.255 any Ruijie(config)# access-list 101 deny ip any any...
  • Page 768 Ruijie(config)# interface interface: Select the interface to which the access list is to be applied. Ruijie(config-if)# mac access-group id { in | out }: Apply the access list to the specific interface. Method 2: Run the following command in the ACL configuration mode:...
  • Page 769: Configuring Expert Extended Access List

    Note Showing Configuration of MAC Extended Access List To monitor access lists, please run the following command in the privileged mode: Ruijie# show access-lists [ id | name] You can view basic access lists. MAC Extended Access List Example It is required to implement the following security functions by configuring MAC access lists: The 0013.2049.8272 host using the ipx protocol cannot access the giga 0/1 port of a device.
  • Page 770 Apply the access list to a specific interface (application particular case) There are two methods to configure an expert access list. Method 1: Run the following command in the global configuration mode: Command Function Ruijie (config)# access-list id {deny | permit} [prot | {[ethernet-type] [cos cos]}] [VID...
  • Page 771 It cannot access other ports. Ruijie> enable Ruijie# config terminal Ruijie(config)# expert access-list extended expert-list Ruijie(config-exp-nacl)# permit ip vid 20 any host 0013.2049.8272 any any Ruijie(config-exp-nacl)# deny any any any any Ruijie(config-exp-nacl)# exit Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# expert access-group expert-list in...
  • Page 772 It is required to implement the following security functions by configuring access lists: The 192.168.4.12 host can access the gi 0/1 port of a device. It cannot access other ports. Ruijie> enable Ruijie# config terminal Ruijie(config)# ipv6 access-list v6-list Ruijie(config-ipv6-nacl)# permit ipv6 ::192:68:4:12/24 any...
  • Page 773: Configuring Acl

    Ruijie(config-ipv6-nacl)# deny ipv6 any any Ruijie(config-ipv6-nacl)# exit Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# ipv6 traffic-filter v6-list in Ruijie(config-if)# end Ruijie# show access-lists ipv6 access-list v6-list permit ipv6 ::192.168.4.12 any deny any any Ruijie# Configuring ACL80 The ACL80 is also called the custom access list, which means matching the first 80 bytes of the message to filter the messages.
  • Page 774 In the figure above, the meaning of each letter and the value of offset are shown below: Letter Meaning Offset Letter Meaning Offset Destination MAC TTL field Source MAC Protocol ID VLAN tag field IP checksum Data frame length field Source IP address...
  • Page 775: Configuring Tcp Flag Filtering Control

    Function Ruijie(config)# ip access-list extended { id | name }: Enter the access list configuration mode. Ruijie(config-ext-nacl)# [sn] [permit | deny] tcp source source-wildcard [ operator port [port] ] destination destination-wildcard: Add table entries for ACL. For details about commands, please see the command reference.
  • Page 776: Configuring Acl Entries By Priority

    Ruijie# configure terminal Enter the ACL configuration mode. Ruijie(config)# ip access-list extended test-tcp-flag Add an ACL entry Ruijie(config-ext-nacl)# permit tcp any any match-all rst Add a deny entry Ruijie(config-ext-nacl)# deny tcp any any match-all fin Add/delete entries repeatedly. Ruijie(config-ext-nacl)# end...
  • Page 777 10 ace2: 20 ace3: 30 The ACE numbers are as follows after “ip access-list resequence tst_acl 100 3” is run: Ruijie(config)# ip access-list resequence tst_acl 100 3 ace1: 100 ace2: 103 ace3: 106 When adding ace4 without entering sn-num, the numbers are as follows: Ruijie(config-std-nacl)# permit …...
  • Page 778 ACLs as example: Ruijie(config)# time-range no-http Ruijie(config-time-range)# periodic weekdays 8:00 to 18:00 Ruijie(config)# end Ruijie(config)# ip access-list extended limit-udp Ruijie(config-ext-nacl)# deny tcp any any eq www time-range no-http Ruijie(config-ext-nacl)# exit Ruijie(config)# interface gigabitEthernet 0/1 Ruijie(config-if)# ip access-group no-http in Ruijie(config)# end...
  • Page 779 In the privileged configuration mode, execute the following commands to configure a global security tunnel: Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# security global access-group acl-name: Configure a global security tunnel. In the privileged configuration mode, execute the following commands to set an exception port: Command Function Enter the global configuration mode.
  • Page 780 Only the packets whose source IP address is 192.168.6.3 and MAC address is 0000.0000.0011 can flow in the switch from port 4. To receive IPX packets, set a security tunnel as follows: Ruijie#configure Ruijie(config)#expert access-list extended safe_channel Ruijie(config-exp-nacl)#permit ipx any any Ruijie(config-exp-nacl)#exit...
  • Page 781 Command Function Ruijie# configure terminal: Enter the global configuration mode. Ruijie(config)# ip access-list standard id: Enter the ACL configuration mode. Ruijie(config-std-nacl)# list-remark comment: Configure the list remark. You can also execute the following commands to set the ACL remark:...
  • Page 782 Ruijie(config)# ip access-list extended 101 # Deny the packets whose SYN is 1 and permit other packets whose SYN is 0 (including ACK) Ruijie(config-ext-nacl)# deny tcp any any match-all SYN # Permit other IP packets Ruijie(config-ext-nacl)# permit ip any any 2)...
  • Page 783 Access Control List Configuration 3) Show the configuration of ACL # In the privileged mode, use the Show command to display related configuration of ACL Ruijie# show access-lists 101 ip access-list extended 101 10 deny tcp any any match-all syn...
  • Page 784 Configuration Guide QoS Configuration QoS Configuration QoS Overview The fast development of the Internet results in more and more demands for multimedia streams. Generally, people have different service quality requirements for different multimedia, which requires the network to be able to allocate and dispatch resources according to the user demands.
  • Page 785 of the ToS field for IPv4 packet header or Traffic Class field for IPv6 packet header, called Differentiated Services Code Point (DSCP) value. In a DiffServ-compliant network, every device has the same transmission service policy for the messages with the same classification information, and vice versa. The class information in the packet can be assigned by all the systems along the way, such as hosts, devices, or other network devices.
  • Page 786 port is associated with a policy-map but has no DSCP value set for it, the switch will assign the priority for the messages of this classification by performing the default behavior: following the priority information contained in the layer-2 packet header of the message or the default priority of the port.
  • Page 787: Default Qos Configuration

    enabled, the DSCP value of messages in the classified dataflow will remain unchanged, and no message will be discarded before the message is sent for the Marking action. Marking After the Classifying and Policing actions, the Marking action will write the QoS information for the message to ensure the DSCP value of the classified message can be transferred to the next hop device in the network.
  • Page 788 Default mapping table from DSCP to CoS DSCP Configure the QoS trust mode of the interface By default, the QoS trust mode of an interface is disabled. Command Description Ruijie#configure terminal: Enter the configuration mode. Ruijie(config)# interface interface: Enter the interface configuration mode...
  • Page 789: Configuring Class Maps

    The example below sets the default CoS value of interface g0/4 to 6: Ruijie# configure terminal Ruijie(config)# interface g 0/4 Ruijie(config-if)# mls qos cos 6 Ruijie(config-if)# end Ruijie# show mls qos interface g 0/4 Interface GigabitEthernet 0/4 Attached input policy-map: Default COS: trust dscp Default COS: 6...
  • Page 790: Configuring Policy Maps

    For example, the following steps create a class-map named class1, which is associated with an ACL: acl_1. This class-map will classify all TCP messages with port 80. Ruijie(config)# ip access-list extended acl_1 Ruijie(config-ext-nacl)# permit tcp any any eq 80 Ruijie(config-ext-nacl)# exit Ruijie(config)# class-map class1...
  • Page 791 For example, the following steps create a policy-map named policy1 and associate it with interface Gigabitethernet 1/1. Ruijie(config)# policy-map policy1 Ruijie(config-pmap)# class class1 Ruijie(config-pmap-c)# set ip dscp 48 Ruijie(config-pmap-c)# exit Router(config-pmap)# exit Ruijie(config)# interface gigabitethernet 1/1 Ruijie(config-if)# switchport mode trunk...
  • Page 792 Ruijie(config)#no mls qos scheduler Restore the default wrr scheduling For example, the following steps set the port output algorithm to SP: Ruijie# configure terminal Ruijie(config)# mls qos scheduler sp Ruijie(config)# end Ruijie# show mls qos scheduler Global Multi-Layer Switching scheduling...
  • Page 793 The no option restores the default weight value. drr-queue} bandwidth The example below sets the wrr scheduling weight as 1:2:3:4:5:6:7:8 Ruijie# configure terminal Ruijie(config)# wrr-queue bandwidth 1 2 3 4 5 6 7 8 Ruijie(config)# end Ruijie# show mls qos queueing Cos-queue map:...
  • Page 794 CoS values 0 ~ 7. The DSCP value range varies Ruijie(config)# no mls qos map with specific products. cos-dscp For Example: Ruijie# configure terminal Ruijie(config)# mls qos map cos-dscp 56 48 46 40 34 32 26 24 Ruijie(config)# end Ruijie# show mls qos maps cos-dscp cos dscp --- ----...
  • Page 795 For example, the following steps set the DSCP values 0, 32 and 56 to map 6: Ruijie# configure terminal Ruijie(config)# mls qos map dscp-cos 0 32 56 to 6 Ruijie(config)# show mls qos maps dscp-cos dscp cos dscp cos...
  • Page 796 IP-Precedence values 0~7 Ruijie(config)# no mls qos map Restore default ip-prec-dscp For Example: Ruijie# configure terminal Ruijie(config)# mls qos map ip-precedence-dscp 56 48 46 40 34 32 26 24 Ruijie(config)# end Ruijie# show mls qos maps ip-prec-dscp ip-precedence dscp ------------- ----...
  • Page 797 [interface| The Policers option shows the policy map applied policers] on the interface. For example, Ruijie# show mls qos interface gigabitEthernet 0/4 Interface GigabitEthernet 0/4 Attached input policy-map: pp Default COS: trust dscp Default COS: 6...
  • Page 798 You may show the QoS queue information through the following steps: Command Description Show the QoS queue information, show mls qos queueing CoS-to-queue map, wrr weight and drr weight; For example: Ruijie# show mls qos queueing Cos-queue map: cos qid --- --- wrr bandwidth weights: qid weights --- -------...
  • Page 799 QoS Configuration Command Description show mls qos maps [cos-dscp | Show MLS QoS map. dscp-cos | ip-prec-dscp] For example: Ruijie# show mls qos maps cos-dscp cos dscp --- ---- Ruijie# show mls qos maps dscp-cos dscp cos dscp cos dscp cos...
  • Page 800 Command Description show mls qos rate-limit [interface interface] Show the rate limit of [port] Ruijie# show mls qos rate-limit Interface GigabitEthernet 0/4 rate limit input bps = 100 burst = 100 Showing the policy-map interface You can show the configuration of port policy map by performing following steps...
  • Page 801 Reliability Configuration 1. RLDP Configuration 2. TPP Configuration 3. SEM Configuration...
  • Page 802: Rldp Configuration

    RLDP Configuration RLDP Overview Understanding RLDP The Rapid Link Detection Protocol (RLDP) is one of Ruijie's proprietary link protocols, designed to detect Ethernet link faults quickly. The general Ethernet link detection mechanism only makes use of the status of the physical connection and detects the connectivity of the link via physical-layer auto-negotiation.
  • Page 803 Configuration Guide RLDP Configuration To use the one-way and two-way detection functions of RLDP, RLDP must be enabled on the ports at both ends of the link. A port with RLDP enabled must not be connected to multiple neighbor ports.
  • Page 804 Configuration Guide RLDP Configuration One-way link detection means that the link connected to the port can only receive messages or only send messages (for example, because the optical receive pair is mis-connected). As shown above, the port only receives detection messages from the neighbor port, so the link is considered a one-way link fault.
  • Page 805: Configuring Rldp

    The RLDP works on the port only when the global RLDP is enabled. In the global configuration mode, follow these steps to enable RLDP: Command Function Ruijie(config)# rldp enable Enable RLDP globally. Return to the privileged mode. Ruijie(config)# end The no option of the command turns off the global RLDP.
  • Page 806 Ruijie(config)# interface gigabitEthernet 0/5 Ruijie(config-if)# rldp port unidirection-detect shutdown-svi Ruijie(config-if)# rldp port bidirection-detect warning Ruijie(config-if)# rldp port loop-detect block Ruijie(config-if)# end Ruijie# show rldp interface gigabitEthernet 0/5 port state : normal local bridge : 00d0.f822.33ac neighbor bridge : 0000.0000.0000 neighbor port...
  • Page 807 See the Overview for details of the fault types. In the global configuration mode, follow these steps to configure the RLDP maximum detection times: Command Function Ruijie(config)# rldp detect-max num Configure the maximum detection times; range 2-10, 2 by default. Ruijie(config)# end Return to the privileged mode.
  • Page 808: Viewing Rldp Information

    Command Function Ruijie# rldp reset Make any port with an RLDP detection failure resume detection. The errdisable recover command can be used in the global configuration mode to restart, immediately or after a fixed interval, RLDP detection on a port that RLDP has placed in the violation state.
  • Page 809 View the RLDP detection information of interface-id. Ruijie# show rldp interface interface-id In the example below, the show rldp interface GigabitEthernet 0/1 command is used to view the RLDP detection information of port GigabitEthernet 0/1: Ruijie# show rldp int GigabitEthernet 0/1 port state :error local bridge : 00d0.f8a6.0134...
  • Page 810: Tpp Configuration

    Configuration Guide TPP Configuration TPP Configuration TPP Overview The Topology Protection Protocol (TPP) protects the stability of the network topology. A network topology is rather fragile: attacks on the network may cause abnormal CPU utilization on network devices, blocked frame paths, and so on, all of which tend to cause topology turbulence.
  • Page 811 Configuration Guide TPP Configuration As shown in the above dual-core topology, A and B are the L3 convergence devices, and C and D are the L2 access devices. A is the MSTP root bridge. The topology protection function is enabled on all the devices. The CPU of L3 convergence device A is extremely busy due to a network attack, so that BPDU packets cannot be sent.
  • Page 812: Typical Tpp Configuration Examples

    Ruijie(config)# topology guard Enable the global topology protection Exit to the privileged mode. Ruijie(config)# end Ruijie# copy running-config startup-config Save the configuration. The no topology guard command disables the global topology protection function on the device. Configuring Topology Protection on the Port...
  • Page 813 Viewing the TPP configuration and status of the device In the privileged mode, run the following command to view the TPP configuration and status of the device: Command Function Ruijie# show tpp View the TPP configuration and status of the device Ruijie #show tpp tpp state : enable tpp local bridge : 00d0.f822.35ad...
  • Page 814 Configuration Guide SEM Configuration SEM Configuration Introduction to SEM Overview SEM (Smart Embedded Manager) is a network management tool embedded in the device. It can be deployed independently or configured through user commands, and is independent of external network management, making it very easy to deploy. The conventional external network management is accomplished by accessing the device through the network.
  • Page 815 Configuration Guide SEM Configuration A policy defines the relationship between events, and between events and actions. The policy is triggered when its events meet the preconfigured rule, and the policy's actions are then taken in turn. Event detector An event detector is embedded in a specific service and monitors that service according to user configuration.
  • Page 816 Configuration Guide SEM Configuration SEM supports a named counter used inside the SEM system. The SEM counter event detector will detect the variance in SEM named counter, and the value of SEM named counter will be controlled by SEM counter action during policy execution. SEM named counter can be used by the policy to trigger such actions as summation, numerical value statistics and etc.
  • Page 817 Configuration Guide SEM Configuration SEM features Event detectors supported by SEM SEM supports multiple kinds of event detectors, which have been embedded in respective services. Events are detected during service operation to determine whether they have occurred or not. Currently, the types of detectors supported include: CLI event detector CLI event detector will detect user's command line inputs.
  • Page 818 Configuration Guide SEM Configuration None event detector None event detector will not carry out actual detection. Instead, it is triggered by executing "smart manager run" command. The parameter of this command is the name of policy containing none event. When this command is successfully executed, the corresponding none event of the policy will be triggered.
  • Page 819 Configuration Guide SEM Configuration  Watchdog timer event: The timer is set to the seconds elapsed from policy initiation. Each time when the timer counts down to zero, the timer will reset and trigger a timer event.  CRON timer event: CRON is derived from the Greek word of chronos, which means "time".
  • Page 820 Configuration Guide SEM Configuration result in errors. Setting nonexistent local variable will automatically generate user local variable. SEM intelligent management server management SEM intelligent management server provides user with a management interface through which the user can view SEM operational information and carry out management. The user can view various information of SEM, mainly including: ...
  • Page 821 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# A newly created policy or a policy being modified will not take effect immediately. It will only come into effect after configuring event and action and executing "commit"...
  • Page 822 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# event tag event_a syslog pattern "shutdown" If policy configurations are submitted without configuring event, the policy will not be registered and remain in editing state You can configure multiple events for one policy.
  • Page 823 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# action label syslog priority 6 msg "action running" If policy configurations are submitted without configuring an action, the policy can still be registered, but it will do nothing when triggered.
  • Page 824 15 seconds. Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# trigger delay 5 maxrun 15 Configure CLI Action Output Record Command Function Ruijie>enable...
  • Page 825 Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(sem-applet)# action action_1 cli command "enable" Ruijie(sem-applet)# action action_2 cli command "show arp" Ruijie(sem-applet)# policy record per-instance 500 per-policy 2000 Display current policy configurations Command...
  • Page 826 Ruijie(SEM-applet)#commit Submit policy configurations Configuration example: # Submit the configurations of "policy_a". Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# commit...
  • Page 827 [policy policy-name] [event-type registered event-name] [class class-options] [time-ordered | name-ordered] Configuration example: # Display the registered policies. Ruijie# show smart manager policy registered No. Class Event Type Time Registered Secu Name applet syslog Wed Mar 10 10:49:03 2010 none policy_a event_a: syslog: pattern {shutdown} trigger delay 5.000...
  • Page 828 # Roll back the configurations of "policy_a". Ruijie# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# rollback The user can roll back policy configuration under two circumstances: newly configured policy which hasn't been submitted yet; policy has been submitted and registered, but the changes to policy has not been submitted.
  • Page 829 Enter configuration commands, one per line. End with CNTL/Z. Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# event tag event_a syslog pattern "need reload" Ruijie(SEM-applet)# event tag event_b correlate and oir type plugin Ruijie(SEM-applet)# trigger correlate-period 180 When configuring multiple events, SEM will automatically sequence events according to the alphabetical order of "tag".
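The trigger rule described above (two events joined with "correlate and", fired only when both have matched within the correlate-period) is easy to state and easy to get wrong when you implement a similar detector yourself. The following Python model is an added example, not SEM code and not part of the Ruijie guide: it models only the correlation-window semantics the guide describes. The OIR plug-in detector is stood in for by a second syslog pattern (a constructed substitute), the syslog lines are constructed, and actions are plain callables run in label order as the guide's examples number them.

```python
"""Toy model of an SEM applet whose events are joined with "correlate and".

Added example, not SEM code. It models one rule only: the policy fires when
every configured event has matched and the oldest of those matches is still
inside the correlate-period. Log lines below are constructed.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple


class Applet:
    def __init__(self, name: str, correlate_period: Optional[float] = None):
        self.name = name
        self.correlate_period = correlate_period        # seconds; None = single-event policy
        self.events: Dict[str, "re.Pattern"] = {}       # tag -> compiled syslog pattern
        self.last_match: Dict[str, float] = {}          # tag -> timestamp of most recent match
        self.actions: List[Tuple[str, Callable[[str], str]]] = []

    def event_syslog(self, tag: str, pattern: str) -> "Applet":
        self.events[tag] = re.compile(pattern)
        return self

    def action(self, label: str, func: Callable[[str], str]) -> "Applet":
        self.actions.append((label, func))
        return self

    def feed(self, ts: float, line: str) -> Optional[List[str]]:
        """Offer one timestamped syslog line; return the action results if the policy fires."""
        hit = [tag for tag, pat in self.events.items() if pat.search(line)]
        if not hit:
            return None
        for tag in hit:
            self.last_match[tag] = ts
        if self.correlate_period is None:
            fired = True
        else:
            # "correlate and": every event has been seen, and the oldest match
            # is still within correlate_period seconds of this one
            fired = (len(self.last_match) == len(self.events)
                     and ts - min(self.last_match.values()) <= self.correlate_period)
        if not fired:
            return None
        self.last_match.clear()                          # re-arm for the next occurrence
        # actions run in label order (action_1, action_2, ...), as the guide's examples number them
        return [func(line) for _, func in sorted(self.actions, key=lambda a: a[0])]


def build_policy_a() -> Applet:
    """Constructed counterpart of the guide's policy_a: reload only when both events coincide."""
    return (Applet("policy_a", correlate_period=180)
            .event_syslog("event_a", r"need reload")
            .event_syslog("event_b", r"OIR: .* plugin")       # stand-in for the OIR detector
            .action("action_1", lambda line: "syslog: correlated: " + line)
            .action("action_2", lambda line: "reload"))


def build_single_event_policy() -> Applet:
    """A one-event policy fires on every match; no window is involved."""
    return Applet("policy_b").event_syslog("event_a", r"shutdown").action("action_1", lambda line: "log")
```

The `last_match` table deliberately keeps a stale match around: if event_a fired long ago and event_b arrives much later, nothing triggers, but a fresh event_a within 180 s of that event_b does. That is the behaviour a correlation window should have, and the kind of edge a hand-written detector usually misses.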
  • Page 830 Ruijie(config)# smart manager environment var_g value_1 Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# action action_1 set var_l value_2 Ruijie(SEM-applet)# action action_2 syslog msg "var_g = $var_g ; var_l = $var_l ; _event_type_string = $_event_type_string" In the above example, "var_g" is the global variable set by "smart manager environment"...
  • Page 831 Configuration Guide SEM Configuration Enter privileged EXEC mode Ruijie>enable Ruijie# smart manager scheduler hold {all | policy Hold the policy being executed job-id | class class-options} Ruijie# smart manager scheduler release {all | Release the policy being held policy policy-id | class class-options} Configuration example: # Hold the execution of policies falling within class A.
  • Page 832 SEM Configuration Display SEM detector Command Function Enter privileged EXEC mode Ruijie>enable Ruijie# show smart manager detector [all | Display SEM detector detector-name] [detailed | statistics] Configuration example: # Display SEM detector Ruijie# show smart manager detector syslog detailed No. Name...
  • Page 833 Configuration Guide SEM Configuration Event Detectors: name version application syslog counter grtd interface none snmp snmp-object snmp-notification sysmon timer Typical SEM configuration example SEM timer event Networking requirements Device A is connected with Tftp Server. Device A will automatically send log file to Tftp Server at 0:00 everyday and delete the original log file.
  • Page 834 Submit the policy e, End policy editing Ruijie# configure terminal Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# event tag event_1 timer cron cron-entry "0 0 * * *" Ruijie(SEM-applet)# action action_1 cli command "enable" : Ruijie(SEM-applet)# action action_2 cli command "copy flash logfile.txt...
  • Page 835 Execute "copy" command to backup configuration file. d, Submit the policy e, End policy editing Ruijie# configure terminal Ruijie(config)# smart manager applet policy_a Ruijie(SEM-applet)# event tag event_1 cli pattern "copy running-config startup-config" sync yes Ruijie(SEM-applet)# action action_1 cli command "enable"...
  • Page 836 Configuration Guide SEM Configuration Ruijie(SEM-applet)# action action_2 cli command "copy startup-config tftp://172.16.0.2/device_a/conf_$_event_pub_time" Ruijie(SEM-applet)# action action_3 exit 1 Ruijie(SEM-applet)# commit Ruijie(SEM-applet)# exit Ruijie(config)# Verification Ruijie# show smart manager policy registered No. Class Event Type Time Registered Name applet Mon Mar 8 19:30:00 2010 policy_a event_1: cli: pattern “copy running-config startup-config”...
  • Page 837 End policy editing Ruijie# configure terminal Ruijie(config)# smart manager applet policy_a Ruijie(sem-applet)# event tag event_1 snmp-object oid 1.3.6.1.2.1.2.1 istable no type int skip yes Ruijie(sem-applet)# action action_1 syslog msg "cancel snmp operate" priority 5 Ruijie(sem-applet)# commit Ruijie(sem-applet)# exit Ruijie(config)# Verification Ruijie# show smart manager policy registered No.
  • Page 838 Ruijie(SEM-applet)# event tag event_1 none Ruijie(SEM-applet)# action action_1 cli command "enable" Ruijie(SEM-applet)# action action_2 cli command "clear arp-cache" Ruijie(SEM-applet)# action action_3 cli command "clear ip route *" Ruijie(SEM-applet)# action action_4 cli command "clear ipv6 route *" Ruijie(SEM-applet)# commit Ruijie(SEM-applet)# exit...
  • Page 839 "No-memory" content. c, Configure a switchover action for policy_a. d, Submit the policy e, End policy editing Ruijie# configure terminal Ruijie(config)# smart manager applet policy_a Ruijie(sem-applet)# event tag event_1 syslog pattern "No-memory" priority critical Ruijie(sem-applet)# action action_1 reload Ruijie(sem-applet)# commit...
  • Page 840 Configuration Guide SEM Configuration Ruijie(sem-applet)# exit Ruijie(config)# Verification Ruijie# show smart manager policy registered No. Class Event Type Time Registered Secu Name applet syslog Tue Mar 9 18:38:23 2010 none policy_a event_1: syslog: pattern “No-memory” priority critical maxrun 20.000 action action_1 switchover...
  • Page 841 Network Management & Monitoring Configuration 1. SNMP Configuration 2. RMON Configuration 3. NTP Configuration 4. SNTP Configuration 5. SPAN Configuration 6. RSPAN Configuration 7. ERSPAN Configuration...
  • Page 842 System), is a system to control and monitor the network using the SNMP protocol. HP OpenView, CiscoView and CiscoWorks 2000 are typical network management platforms running on the NMS. Ruijie has developed a suite of software (Star View) for the network management of its own network devices.
  • Page 843 Configuration Guide SNMP Configuration Relationship between the NMS and the SNMP Agent The MIB (Management Information Base) is a virtual information base for network management. There are large volumes of information for the managed network equipment. In order to uniquely identify a specific management unit in an SNMP message, the MIB uses a tree-type hierarchy to describe the management units in the network management equipment.
  • Page 844 Configuration Guide SNMP Configuration SNMP Versions This software supports these SNMP versions:  SNMPv1: The first formal version of the Simple Network Management Protocol, which is defined in RFC1157.  SNMPv2C: Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC1901. ...
  • Page 845 Configuration Guide SNMP Configuration Trap: The SNMP Agent proactively sends messages to notify the NMS that some event has occurred. The first four messages are sent from the NMS to the SNMP Agent, and the last two messages are sent from the SNMP Agent to the NMS (Note: SNMPv1 does not support the Get-bulk operation).
  • Page 846: Snmp Engine Id

    Configuration Guide SNMP Configuration
    Model     Level          Authentication     Encryption   Description
    SNMPv1    noAuthNoPriv   Community string   None         Ensures data validity through the community string.
    SNMPv2c   noAuthNoPriv   Community string   None         Ensures data validity through the community string.
    SNMPv3    noAuthNoPriv   User name          None         Ensures data validity through the user name.
  • Page 847 NMS can use this community string. To configure the SNMP community string, run the following command in the global configuration mode: Command Function Ruijie(config)# snmp-server community [0 | 7] string [view view-name] [ro | rw] [host host-ip] [num] Set the community string and its right. One or more community strings can be specified for NMSs of different rights.
  • Page 848: Configuring Mib Views And Groups

    To configure the SNMP protocol port number, run the following command in global configuration mode. Command Function Specify a UDP port for SNMP to receive Ruijie(config)# snmp-server udp-port port-num messages. Use the no snmp-server udp-port command to restore the default port. Configuring MIB Views and Groups With view-based access control model, you can determine whether the object of a management operation is in a view or not.
  • Page 849: Configuring Snmp Users

    To configure a SNMP user, run the following commands in the global configuration mode: Command Function Ruijie(config)# snmp-server user username groupname {v1 | v2 | v3 [encrypted] Configure the user information. [auth { md5|sha } auth-password ]...
  • Page 850: Disabling The Snmp Agent

    Shield the SNMP agent service. Disabling the SNMP Agent Ruijie products provide a different command from the shield command to disable the SNMP Agent. This command will act on all of the SNMP services instead of shielding the configuration information of the SNMP Agent. To...
  • Page 851 Command Function Ruijie(config)# interface interface-id Enter the interface configuration mode. Ruijie(config-if)# [no] snmp trap link-status Enable or disable sending the LinkTrap message of the interface. The following configures the interface not to send LinkTrap messages: Ruijie(config)# interface gigabitEthernet 1/1...
  • Page 852 Ruijie(config)# snmp-server Specify the interval of sending Trap message. trap-timeout seconds SNMP Monitoring and Maintenance Checking the Current SNMP Status To monitor the SNMP status and troubleshoot SNMP configurations, Ruijie product provides monitoring commands for SNMP to easily check the SNMP...
  • Page 853 Configuration Guide SNMP Configuration status of the current network device. In the privileged mode, execute show snmp to check the current SNMP status. Ruijie# show snmp Chassis: 1234567890 0987654321 Contact: wugb@i-net.com.cn Location: fuzhou 2381 SNMP packets input 5 Bad SNMP version errors...
  • Page 854 SNMP Configuration Checking the MIB Objects Supported by the Current SNMP Agent To check the MIB objects supported by the current SNMP Agent, run the show snmp mib command in the privileged mode: Ruijie# show snmp mib sysDescr sysObjectID sysUpTime...
  • Page 855 Viewing SNMP Users To view the SNMP users configured on the current SNMP agent, run the show snmp user command in the privileged mode: Ruijie# show snmp user User name: test Engine ID: 8000131103000000000000 storage-type: permanent active Security level: auth priv...
  • Page 856: Snmp Configuration Example

    Detailed router configuration Enable the SNMP agent service: Ruijie(config)# snmp-server community public RO As long as the above command is configured in the global configuration mode, the SNMP agent service is enabled on the router, and then the NMS can monitor the router.
  • Page 857 NMS proactively. Ruijie(config)# snmp-server enable traps Ruijie(config)# snmp-server host 192.168.12.181 public The SNMP agent is configured for the router by the above configuration. Then, the NMS can monitor and manage the router. Take HP OpenView as an...
  • Page 858 Statistics graph of interface traffic Example of SNMP Access Control List Association Ruijie product allows the setting of access list association mode. Only the NMS allowed in the access list can monitor and manage the SNMP Agent through SNMP. This may limit NMS's accesses to the network devices and improve the...
  • Page 859 Ruijie(config)# snmp-server view v3userview 1.3.6.1.2.1 include Ruijie (config)# snmp-server group v3usergroup v3 priv read v3userview write v3userview Ruijie (config)# snmp-server user v3user v3usergroup v3 auth md5 md5-auth priv des56 des-priv Ruijie (config)# snmp-server host 192.168.65.199 traps version 3 priv v3user...
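The security-level table earlier in this chapter lists SNMPv1 and SNMPv2c as noAuthNoPriv, with the community string as the only "authentication". The added Python example below (standard library only; not from the Ruijie guide or its tooling) makes that concrete: it BER-encodes the SNMPv1 GetRequest an NMS sends for sysDescr.0 using the community string `public` from the configuration example above, then parses the bytes back the way a passive observer on the path would. The community string is recovered in cleartext from every packet, which is why `snmp-server community public RO` is a well-known shared password sent in the clear; the host/ACL association limits who may present it, and the SNMPv3 authPriv user configured above is what actually authenticates and encrypts. The request-id and OID are constructed values. Note also that the v3 example uses md5 and des56; the `auth {md5|sha}` syntax on the previous page shows SHA is available, and SHA should be preferred where the platform supports it.

```python
"""Hand-rolled SNMPv1 GetRequest encoder/decoder (BER), standard library only.

Added example: it shows that the community string travels in cleartext in
every SNMPv1/v2c packet, which is why those versions are noAuthNoPriv no
matter how strong the string itself is. OID and request-id are constructed.
"""

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"          # sysDescr.0, the usual first probe from an NMS


def ber_length(n: int) -> bytes:
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value: int) -> bytes:
    # ASN.1 INTEGER (0x02): minimal two's-complement, big-endian
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                       # base-128, continuation bit on all but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))              # VarBind { name, value NULL }
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, varbind))
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value bytes, position just after this TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                    # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_message(packet: bytes) -> dict:
    """Everything a passive observer recovers from one SNMPv1/v2c packet on the wire."""
    tag, msg, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = read_tlv(msg)
    _, community, pos = read_tlv(msg, pos)               # cleartext: the whole "secret"
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)                       # error-status
    _, _, pos = read_tlv(pdu, pos)                       # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = read_tlv(varbinds, pos)
        _, name, _ = read_tlv(vb)
        oids.append(decode_oid(name))
    return {
        "version": int.from_bytes(version, "big", signed=True),   # 0 = SNMPv1, 1 = SNMPv2c
        "community": community.decode(),
        "pdu_type": pdu_tag,                                       # 0xA0 = GetRequest
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "oids": oids,
    }
```

Feeding the output of `build_get_request("public", SYS_DESCR_0, 1000)` into `parse_message` returns the community string unchanged; a capture of real management traffic yields the same result, which is the argument for the access-list association on the previous page and for SNMPv3 authPriv where the NMS supports it.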
  • Page 860: Rmon Configuration

    Configuration Guide RMON Configuration RMON Configuration Overview RMON (Remote Monitoring) is a standard monitoring specification of IETF (Internet Engineering Task Force). It can be used to exchange the network monitoring data among various network monitors and console systems. In the RMON, detectors can be placed on the network nodes, and the NMS determines which information is reported by these detectors, for example, the monitored statistics and the time buckets for collecting history.
  • Page 861: Rmon Configuration Task List

    Ruijie(config-if)# no rmon collection stats index Remove a statistic entry. The current version of Ruijie product supports only the statistics of Ethernet interfaces. The index value should be an integer between 1 and 65535. Caution: at present, at most 100 statistic entries can be configured at the same time.
  • Page 862: Configuring Alarm And Event

    Configuration Guide RMON Configuration The current version of Ruijie product supports only the records of Ethernet. The index value should be within 1 to 65535. Caution: at most 10 history entries can be configured. Bucket-number: Specifies the used data source and time interval. Each sampling interval should be sampled once.
  • Page 863: Rmon Configuration Examples

    Use the following commands if you want to get the statistics of Ethernet Port 3 every 10 minutes: Ruijie(config)# interface gigabitEthernet 0/3 Ruijie(config-if)# rmon collection history 1 owner aaa1 interval 600 Example of Configuring Alarm and Event If you want to configure the alarm function for a statistical MIB variable, the following example shows you how to set the alarm function to the instance ifInNUcastPkts.6 (number of non-unicast frames received on port 6;...
  • Page 864: Example Of Showing Rmon Status

    Configuration Guide RMON Configuration Ruijie(config)#rmon alarm 10 1.3.6.1.2.1.2.2.1.12.6 30 delta rising-threshold 20 1 falling-threshold 10 1 owner aaa1 Ruijie(config)#rmon event 1 log trap rmon description "ifInNUcastPkts is too much " owner aaa1 Example of Showing RMON Status show rmon alarm...
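The alarm above samples ifInNUcastPkts.6 every 30 seconds in delta mode and fires event 1 on a rising threshold of 20 and a falling threshold of 10. What the single CLI line does not show is the hysteresis the RMON alarm table (RFC 2819) applies: after a rising alarm, no further rising alarm is raised until the value has dropped to the falling threshold, and the first sample is judged by the startup-alarm rule. The following Python model is an added example, not Ruijie or RMON code: it reproduces that evaluation over a constructed series of counter readings so the behaviour can be checked before relying on it for alerting.

```python
"""RMON alarm evaluation (RFC 2819 alarmTable semantics), standard library only.

Added example modelled on the guide's
  rmon alarm 10 1.3.6.1.2.1.2.2.1.12.6 30 delta rising-threshold 20 1 falling-threshold 10 1
Counter readings passed to sample() are constructed; nothing is polled.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RmonAlarm:
    index: int
    variable: str                       # OID of the sampled MIB instance
    interval: int                       # seconds between samples (informational here)
    sample_type: str                    # "absolute" or "delta"
    rising_threshold: int
    falling_threshold: int
    rising_event: int                   # rmon event index to run on a rising alarm
    falling_event: int
    startup_alarm: str = "risingOrFalling"      # RFC 2819 alarmStartupAlarm default
    _prev_raw: Optional[int] = field(default=None, repr=False)
    _prev_value: Optional[int] = field(default=None, repr=False)
    _last_event: Optional[str] = field(default=None, repr=False)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled counter value; return "rising", "falling" or None."""
        if self.sample_type == "delta":
            if self._prev_raw is None:               # first poll only establishes the baseline
                self._prev_raw = raw
                return None
            value, self._prev_raw = raw - self._prev_raw, raw
        else:
            value = raw

        event = None
        if self._prev_value is None:
            # first comparable sample: apply the startup-alarm rule
            if value >= self.rising_threshold and self.startup_alarm in ("rising", "risingOrFalling"):
                event = "rising"
            elif value <= self.falling_threshold and self.startup_alarm in ("falling", "risingOrFalling"):
                event = "falling"
        else:
            crossed_up = value >= self.rising_threshold and self._prev_value < self.rising_threshold
            crossed_down = value <= self.falling_threshold and self._prev_value > self.falling_threshold
            # hysteresis: a rising alarm re-arms only after a falling alarm, and vice versa
            if crossed_up and self._last_event != "rising":
                event = "rising"
            elif crossed_down and self._last_event != "falling":
                event = "falling"

        self._prev_value = value
        if event:
            self._last_event = event
        return event

    def describe(self, event: str) -> str:
        """The log/trap text an rmon event entry would carry for this alarm."""
        ev = self.rising_event if event == "rising" else self.falling_event
        return f"alarm {self.index}: {self.variable} crossed {event} threshold -> rmon event {ev}"


def evaluate(alarm: RmonAlarm, readings: List[int]) -> List[Optional[str]]:
    """Run a series of counter readings through the alarm and collect the events."""
    return [alarm.sample(r) for r in readings]


def guide_alarm() -> RmonAlarm:
    """The alarm configured in the guide's example, as an object."""
    return RmonAlarm(index=10, variable="1.3.6.1.2.1.2.2.1.12.6", interval=30,
                     sample_type="delta", rising_threshold=20, falling_threshold=10,
                     rising_event=1, falling_event=1)
```

With readings 100, 105, 130, 145, 170, 172, 175 the deltas are 5, 25, 15, 25, 2, 3: the first delta triggers a falling startup alarm, 25 a rising alarm, and the second 25 nothing, because the value never reached the falling threshold in between. That second silence is the part to verify when you set thresholds for a noisy counter.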
  • Page 865 OversizePkts : 0 Fragments : 0 Jabbers : 0 Collisions : 0 Utilization : 0 show rmon statistics Ruijie# show rmon statistics Statistics : 1 Data source : Gi1/1 DropEvents : 0 Octets : 1884085 Pkts : 3096 BroadcastPkts : 161...
  • Page 866: Ntp Configuration

    This mechanism protects against interference. Ruijie switches support both the NTP client and the NTP server: a switch can synchronize its clock from a server and can also act as a time server to synchronize the clocks of other switches.
  • Page 867 Configuration Guide NTP Configuration However, enabling global security authentication does not by itself mean that exchanges between the NTP server and the NTP client are authenticated. You also need to configure the keys globally and assign an authentication key to the NTP server. (NTP symmetric-key authentication appends a keyed digest to each packet; it authenticates the packet but does not encrypt it.)
  • Page 868: Configuring The Ntp Server

    Caution Configuring the NTP Server No NTP server is configured by default. Ruijie's client system supports simultaneous interaction with up to 20 NTP servers, and one authentication key can be set for each server so that the client authenticates its exchanges with that server once the global authentication and key settings are complete.
  • Page 869 Configuration Guide NTP Configuration Only when the global security authentication and key settings are complete, and the trusted key for communicating with the server is set, can the NTP client authenticate its exchanges with the NTP server. The NTP server must have the same trusted key configured.
  • Page 870 Configuration Guide NTP Configuration Configuring the NTP Real-time Synchronization To configure the NTP real-time synchronization, run the following commands in the global configuration mode: Command Function Enable the NTP real-time ntp synchronize synchronization. Disable the NTP real-time no ntp synchronize synchronization.
  • Page 871 The following example shows how to set the local clock as a reliable reference source with stratum 12: Ruijie(config)# ntp master 12 Using this command to set the local clock as the master (in particular, with a low stratum value) may cause it to take precedence over a valid clock source.
  • Page 872 Configuration Guide NTP Configuration Configuring the Access Control Privilege of NTP Service The NTP access control function provides a minimal security measure (the NTP authentication mechanism is the more secure option). By default, no NTP access control rules are configured. To set the NTP service access control privilege, run the following command in the global configuration mode.
  • Page 873 Ruijie(config)# ntp access-group peer 1 Ruijie(config)# ntp access-group serve-only 2 Showing NTP Information...
  • Page 874 6 and the key-string of wooooop is configured as the trusted key for the server. To configure the Ruijie client to synchronize the time with the NTP server on the network, configure the NTP client as follows: enable security authentication, configure the same key as that for the NTP server, set this NTP server to synchronize the time, and begin to synchronize the time.
  • Page 875: Sntp Configuration

    Configuration Guide SNTP Configuration SNTP Configuration Overview Network Time Protocol (NTP) is designed for time synchronization on network devices. Another protocol, the Simple Network Time Protocol (SNTP), can be used to synchronize network time too. NTP can be used across various platforms and operating systems, provides precise time calculation (1-50 ms precision), and compensates for latency and jitter in the network.
  • Page 876: Configuring Sntp

    Configuration Guide SNTP Configuration T1: time the request is sent by the client (client clock), marked "Originate Timestamp"; T2: time the request is received at the server (server clock), marked "Receive Timestamp"; T3: time the reply is sent by the server (server clock), marked "Transmit Timestamp";...
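Two things in the NTP and SNTP chapters are worth seeing in code: the authentication key (the trusted key id 6 with key string wooooop in the NTP example) and the T1..T4 timestamps the SNTP overview begins to define. The following Python is an added example, not Ruijie code: it builds an NTPv4 client packet, appends the MD5 symmetric-key MAC of RFC 5905 (key-id followed by MD5(key || packet)), verifies it against a trusted-key table the way a server or client must, and computes clock offset and round-trip delay from four constructed timestamps using the standard formulas (offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2), from RFC 4330; the page's list of timestamps is cut off before T4). The MAC authenticates the packet; nothing here is encrypted.

```python
"""NTPv4 packet, RFC 5905 MD5 symmetric-key MAC, and SNTP offset/delay math.

Added example, not Ruijie code. Key id 6 and key string "wooooop" follow the
guide's example; all timestamps are constructed. MD5(key || packet) is a keyed
digest for authenticity and integrity, not encryption.
"""
import hashlib
import hmac
import struct
from typing import Dict, Tuple

NTP_UNIX_DELTA = 2_208_988_800            # seconds from 1900-01-01 to 1970-01-01
PACKET_LEN = 48                           # NTP header without extensions
MAC_LEN = 4 + 16                          # key-id + MD5 digest


def to_ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    seconds = int(unix_time)
    fraction = int((unix_time - seconds) * (1 << 32))
    return struct.pack("!II", seconds + NTP_UNIX_DELTA, fraction)


def from_ntp_timestamp(raw: bytes) -> float:
    seconds, fraction = struct.unpack("!II", raw)
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_client_packet(transmit_time: float) -> bytes:
    """48-byte client request: LI=0, VN=4, Mode=3, only the Transmit Timestamp (T1) set."""
    first_byte = (0 << 6) | (4 << 3) | 3
    header = struct.pack("!BBbb", first_byte, 0, 0, 0)      # LI/VN/Mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0) + b"\x00" * 4         # root delay, root dispersion, reference id
    header += b"\x00" * 24                                   # reference, originate, receive timestamps
    header += to_ntp_timestamp(transmit_time)                # transmit timestamp
    return header


def append_md5_mac(packet: bytes, key_id: int, key: str) -> bytes:
    """Append key-id and MD5(key || packet), as an authenticated NTP peer does."""
    digest = hashlib.md5(key.encode() + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_md5_mac(packet: bytes, trusted_keys: Dict[int, str]) -> bool:
    """Accept only packets carrying a trusted key-id whose digest matches."""
    if len(packet) != PACKET_LEN + MAC_LEN:
        return False
    body, key_id_raw, digest = packet[:PACKET_LEN], packet[PACKET_LEN:PACKET_LEN + 4], packet[PACKET_LEN + 4:]
    key = trusted_keys.get(struct.unpack("!I", key_id_raw)[0])
    if key is None:                                          # unknown or untrusted key id
        return False
    expected = hashlib.md5(key.encode() + body).digest()
    return hmac.compare_digest(expected, digest)             # constant-time comparison


def offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """SNTP (RFC 4330): offset = ((T2 - T1) + (T3 - T4)) / 2, delay = (T4 - T1) - (T3 - T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)
```

The verifier rejects three distinct failures that matter operationally: a key-id that is not in the trusted list (the page's point that the key must also be marked trusted), a correct key-id with the wrong key string on one side, and any modification of the 48-byte body after the MAC was computed. A plain `ntp access-group` rule catches none of these, which is why the guide calls it the minimal measure.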
  • Page 877 Command Function Specify the IP address for the SNTP Ruijie(config)# sntp server ip-address server. Configuring the SNTP Sync Interval To adjust the time regularly, you need to set the sync interval for SNTP Client to access the NTP server SNTP Client regularly.
  • Page 878 Function Configure the time-zone, ranging from GMT-23 to GMT+23, wherein "-" indicates the western area, "+" indicates the eastern area Ruijie(config)#clock time-zone time-zone and "0" indicates Greenwich Mean Time. The default time-zone is GMT+8, Beijing time. To restore the local time-zone to the default, use the command no clock time-zone.
  • Page 879: Span Configuration

    Configuration Guide SPAN Configuration SPAN Configuration Overview With SPAN, you can analyze the communications between ports by copying a frame from one port to another port connected with a network analysis device or RMON analyzer. The SPAN mirrors all the packets sent/received at a port to a physical port for analysis.
  • Page 880 Configuration Guide SPAN Configuration port, and AP can be configured as source port and destination port. The SPAN session does not affect the normal operation of the switch. You can configure the SPAN session on one disabled port, but the SPAN does not take effect until you enable the destination and source ports.
  • Page 881: Configuring Span

    Configuration Guide SPAN Configuration  The source port and the destination port can reside in the same VLAN or different VLANs. Destination Port The SPAN session has a destination port (also known as the monitoring port) used to receive the frames copied from the source port. The destination port has the following features: ...
  • Page 882 The following example shows how to create session 1. First, clear the configuration of session 1, and then mirror the frames from port 1 to port 8. The show monitor session command allows you to verify your configuration. Ruijie(config)# no monitor session 1...
  • Page 883 SPAN session in the global configuration mode. The following example shows how to delete port 1 from session 1 and verify your configuration. Ruijie(config)# no monitor session 1 source interface gigabitethernet 1/1 both Ruijie(config)# end Ruijie# show monitor session 1...
  • Page 884: Showing The Span Status

    For the ACL configuration commands, see the related configuration guide. Showing the SPAN Status The show monitor command shows the current SPAN status. The following example illustrates how to show the current status of SPAN session 1. Ruijie# show monitor session 1 sess-num: 1 src-intf: GigabitEthernet 3/1 frame-type Both...
  • Page 885 Configuration Guide RSPAN Configuration RSPAN Configuration Overview RSPAN is the expansion of SPAN. Remote mirroring breaks the restriction that mirrored port and mirroring port must be on the same device. Multiple network devices are deployed between them and administrators can observe the data packets on the remotely mirroring port by analyzer in the central machine room.
  • Page 886 Configuration Guide RSPAN Configuration The table below presents ports that participate mirroring on the switch: Switch Mirrored Port Function Monitored user port that copies UDP to the designated output port or the reflector port via Source Port local port mirroring. There are many source ports.
  • Page 887: Configuring Rspan

    Configuration Guide RSPAN Configuration RSPAN and local SPAN can be enabled simultaneously on the source switch, the middle switch and the destination switch. The packets of the Remote VLAN have no influence on CPU utilization. Note You can enable or disable communications on the mirroring destination port.
  • Page 888 Configuration Steps Configure the source switch by the following steps: Command Function Enter the global configuration mode. Ruijie# configure terminal Enter the VLAN configuration mode. Ruijie(config)# vlan vlan-id Ruijie(config-Vlan)# remote-span Set the VLAN as the remote SPAN VLAN. Ruijie(config-Vlan)# exit...
  • Page 889 Configuring the Middle Switch In an RSPAN session, the middle switch ensures transparent transmission of mirrored packets in a VLAN. Command Function Ruijie# configure terminal Enter the global configuration mode. Ruijie(config)# vlan vlan-id Enter the VLAN configuration mode. Ruijie(config-Vlan)# remote-span...
  • Page 890 Enter the VLAN configuration mode. Ruijie(config-Vlan)# remote-span Set the VLAN as remote-span Vlan. Ruijie(config-Vlan)# exit Return to the global configuration mode. Ruijie(config)# monitor session session_num Configure the remote mirroring destination. remote-destination Configure Remote VLAN and the remote Ruijie(config)# monitor session session-num mirroring destination port.
  • Page 891 Vid: VID of the remote-span VLAN. If the destination port is an access port, join the destination port to the remote-span VLAN; Ruijie(config-if)# { switchport access vlan vid | switchport trunk native vlan vid } If the destination port is a trunk port, join the...
  • Page 892 Ruijie(config-if)# switchport trunk allowed vlan add 7 Ruijie(config-if)# exit Ruijie(config)# monitor session 2 remote-source Ruijie(config)# monitor session 2 source interface gigabitEthernet1/2 Ruijie(config)# monitor session 2 destination remote vlan 7 interface gigabitEthernet 1/3 switch Configure the middle switch Ruijie# configure Ruijie(config)# vlan 7...
  • Page 893 Ruijie(config)# vlan 7 Ruijie(config-Vlan)# remote-span Ruijie(config-Vlan)# exit Ruijie(config)# interface gigabitEthernet 1/4 Ruijie(config-if)# switchport mode trunk Ruijie(config-if)# switchport trunk allowed vlan add 7 Ruijie(config-if)# exit Ruijie(config)# monitor session 2 remote-destination Ruijie(config)# monitor session 2 destination remote vlan 7 interface gigabitEthernet 1/1 switch...
  • Page 894: ERSPAN Configuration

    Configuration Guide ERSPAN Configuration ERSPAN Configuration This chapter describes the ERSPAN configuration of Ruijie devices. Overview ERSPAN (Encapsulated Remote Switched Port Analyzer) is the expansion of RSPAN (Remote Switched Port Analyzer). For normal RSPAN, the mirrored data packets can be only transmitted at Layer 2, so that they are unable to pass through the routable network;...
  • Page 895: Configuring ERSPAN

    Configuring the Source Switch Configuring the ERSPAN Session To configure ERSPAN on the switch and differentiate the ERSPAN attributes of the switch, run the following commands (Command: Function). Ruijie(config)# monitor session session_num erspan-source: Configure the ERSPAN session on the source switch.
  • Page 896 (Command: Function) Ruijie(config-mon-erspan-src)# shutdown: Disable ERSPAN mirroring. Ruijie(config-mon-erspan-src)# no shutdown: Enable ERSPAN mirroring. Configuring the Encapsulated Source IP Address The encapsulated source IP address is used as the source IP address of the GRE-encapsulated packets. (Command: Function)
  • Page 897 Ruijie# configure terminal: Enter global configuration mode. Ruijie(config)# monitor session ERSPAN_source_session_number erspan-source: Configure an ERSPAN session number and enter the ERSPAN source mirrored device configuration mode. Ruijie(config)# no monitor session {session_number | all}: Clear the mirroring configuration...
  • Page 898 Ruijie(config-mon-erspan-src)# original ip address ip_address: Configure the ERSPAN encapsulated source IP address. Ruijie(config-mon-erspan-src)# ip ttl ttl_value: (Optional) Configure the TTL value of the encapsulated IP packet’s header. Ruijie(config-mon-erspan-src)# ip: (Optional) Configure the DSCP field value of the encapsulated IP packet’s header.
  • Page 899 Typical ERSPAN Configuration Examples Topological Diagram Figure 2 ERSPAN application topology Application Requirements: the network analyzer can monitor the user via remote mirroring; data can be exchanged normally between devices. Configuration Tips On the source device, set the port (Gi 0/1) connected directly to the user as the source port, and set the port (Gi 0/2) connected to the intermediate device as the output port.
  • Page 900: Verifying The Configuration

    Verifying the configuration Step 1: Display the configuration of the device. ! The configuration of Switch A. SwitchA#show running-config monitor session 1 erspan-src source interface GigabitEthernet 0/1 both origin ip address 10.1.1.2 destination ip address 12.1.1.2 Step 2: Display the ERSPAN information of the device.
  • Page 902 Web-based Configuration 1. Web-based Configuration...
  • Page 903: Web Management Overview

    Configuration Guide Web-based Configuration Web-based Configuration Web Management Overview Default Configuration The following table describes the default configuration for Web management (Feature: Default value). Web service: Disabled. To enable the Web service, refer to the section The Typical Example of Web Management.
  • Page 904 Figure 1-1 Original Page Select a language and click Login to display the authentication dialog box. Enter the user name and password in this dialog box. Figure 1-2 Login authentication dialog box If the authentication succeeds, the main page of Web management is displayed as follows:...
  • Page 905: System Management

    Figure 1-3 Main page of Web management platform Note: If Web management is authenticated by using Enable, enter the Enable password directly; there is no need to enter the user name. System Management Switch IP address Configuration Use the function through the menu “Switch IP Setting”. The page of the “switch IP address setting”...
  • Page 906 Figure 1-4 Switch IP address setting Configuration Description: Modification: To modify the IP address of a switch, select the checkbox and click “Modify” to display the following configuration page. Figure 1-5 Switch IP Address Modification Users can modify the IP address and subnet mask.
  • Page 907: VLAN Management

    VLAN Management Use the function through the menu item “VLAN Management”. 1) VLAN management page Figure 1-6 VLAN management Configuration Description Enter this page to display the VLAN information of the current system. Users can create, delete and modify VLANs, but the default VLAN cannot be deleted.
  • Page 908 Figure 1-7 Create VLAN Enter the VLAN ID and VLAN Name (optional) and then click Save to validate the setting. After the successful setting, the new VLAN is displayed on the VLAN Management page. Delete: To delete the specified VLAN, select the corresponding checkbox and then click Delete to validate the configuration.
  • Page 909 2) Specify the VLAN page Figure 1-9 Specify the VLAN Configuration Description: Specify the port mode and VLAN ID to be configured. After all the ports are set, click Save to validate the configuration. Gateway Setting Use the function through the menu item Gateway Setting.
  • Page 910: Port Mirroring

    Figure 1-10 Gateway setting Configuration Description: If the switch has already been configured with a gateway, the IP address of the configured gateway is displayed in the textbox when you open the page. To set a new gateway IP address, enter the new one in the textbox and then click Save to validate the configuration.
  • Page 911 Configuration Description: Select the monitoring ports and tick the checkbox in front of the ports to be monitored. Click Save to validate the configuration. The monitoring port and the port to be monitored must not be the same port. Click Delete Port Monitor to delete the port monitoring configuration.
  • Page 912 Configuration Description: Enter the rate limiting value in the textbox of the port whose rate is to be limited. You can set values on multiple ports. After the rate limiting values are set, click Save to validate the setting. Leave the textbox empty for any port whose rate is not to be limited.
  • Page 913 Figure 1-13 Aggregation port setting Configuration Description: 1) Configuring the traffic balancing algorithm To configure the traffic balancing algorithm, select the corresponding algorithm item and click Save to validate the configuration. 2) Configuring the aggregation port To create an aggregation port, click New to display the following interface.
  • Page 914: Port Setting

    Figure 1-14 Aggregation port creation Select the member ports and specify the aggregation port number, then click Save to validate the configuration. If a member port already belongs to another aggregation port, the checkbox in front of that member port cannot be selected.
  • Page 915 Figure 1-15 Port setting Configuration Description: Select the port to be configured and configure the related parameters, then click Save to validate the configuration. If the selected parameter is not supported by the device, the corresponding parameter setting does not take effect. DHCP Relay Use the function through the menu item DHCP Relay.
  • Page 916: IGMP Snooping

    Figure 1-16 DHCP relay 1) Enabling/disabling DHCP relay To enable or disable the DHCP relay function, select the related option button and click Save to validate the configuration. 2) Setting the DHCP server Set the IP address of the DHCP server and then click Save to validate the configuration. The configuration result is displayed in the following figure.
  • Page 917 Figure 1-17 IGMP Snooping setting Configuration description: To enable the IGMP Snooping function, click the Enable option button; the Mode drop-down list then becomes selectable. You can select one of three modes from this list: ivgl, svgl, or ivgl-svgl.
  • Page 918 Select the Enable STP functions option button or the Disable STP functions option button and click Save to validate the configuration. SNMP Management Use the function through the menu item SNMP Management. SNMP management page Figure 1-19 SNMP management setting Configuration description: To enable the SNMP management function, select the Enable SNMP option button and configure parameters such as the group name and read-write attribute.
  • Page 919 Figure 1-20 Anti-gateway ARP spoofing Configuration Description: Select the port to be configured. Enter the IP address of the gateway and click Save to validate the configuration. A port can be configured with multiple gateway IP addresses. To delete a configured gateway, tick the checkbox of the gateway IP address to be deleted and click Delete to validate the configuration.
  • Page 920 Figure 1-21 Anti-ARP-spoofing setting Configuration Description: 1) Binding port/MAC address/IP address To configure port/MAC address/IP address binding, select the port to be configured and configure the IP address and MAC address. Click Save to validate the configuration. If the selected port learns MAC addresses automatically, the learned MAC address is displayed in the address textbox, as shown in the figure above.
  • Page 921 2) Setting the port security function Select the port to be configured. If the port security function is enabled on the port, the Enable port security option button is selected. Otherwise the Disable port security option button is selected.
  • Page 922 If the ARP detection function is already enabled on the selected port, the Enable ARP detection function option button is selected. Otherwise the Disable ARP detection function option button is selected by default. Use the ACL menu item to enable the function. ACL setting page Figure 1-24 ACL setting Displaying ACL Information...
  • Page 923 Figure 1-25 Configuring standard IP address access list Configuration description: Rule: Select the filtering rule from the drop-down list. There are Disable and Enable filtering rules. List ID (name): Enter the standard access list ID or name. IP address: If you select the Specify IP address range option button, enter the correct IP address.
  • Page 924 Figure 1-26 Configuring extended IP address access list Configuration Description: Rule: Select the filtering rule from the drop-down list. There are Disable and Enable filtering rules. List ID (name): Enter the extended access list ID or name. Protocol: You can select the TCP, UDP, IP, or ICMP protocol.
  • Page 925 Figure 1-27 Applying ACL on the port Configuration Description: Port: Select the port to be configured. ACL list: Select the ACL to apply to the port. After the parameters are configured, click Save to validate the configuration. To delete the configuration of the port, select the entry to be deleted and then click Delete to validate the configuration.
  • Page 926 Figure 1-28 DHCP Snooping setting Configuration Description: 1) DHCP Snooping setting...
  • Page 927 To enable the DHCP Snooping function or the source MAC address detection function of DHCP Snooping, select the related option button and then click Save to validate the configuration. 2) Setting the DHCP Snooping trust port Select the trust port to be configured and click Save to validate the configuration.
  • Page 928 Policy Setting Use the Policy Setting menu item to enable the function. Policy setting page Figure 1-30 Policy setting Configuration description: Policy name: Configure the policy name. Classification list: This item lists the classification names that are already set. If the list is empty, no classification is set.
  • Page 929 To delete a policy that is already set, select the policy from the policy list to display its detailed information. Select the entry to be deleted and click Delete to validate the configuration.
  • Page 930: System Status

    Rate limiting direction: Select the rate limiting direction. After the parameters are configured, click Save to validate the configuration. To delete the configuration of the port, tick the checkbox of the entry to be deleted and then click Delete to validate the configuration.
  • Page 931: Port Status

    Figure 1-33 Current configuration Port Status Use the Port Status menu item to enable the function. Port status page...
  • Page 932 Figure 1-34 Port status Port Status Use the Port Running Status menu item to enable the function. Port running status page Figure 1-35 Port running status...
  • Page 933 Port Statistics Use the Port Statistics Information menu item to enable the function. Port statistics information page Figure 1-36 Port statistics information Showing the Log information Use the Log Information menu item to enable the function. System log information page...
  • Page 934: System Maintenance

    Figure 1-37 Showing system log information System Maintenance Ping Use the Ping menu item to enable the function. Ping page Figure 1-38 Ping Configuration description:...
  • Page 935: User Management

    Enter the IP address in the textbox and click Start. If the IP address cannot be pinged, the page responds after the ping times out. Telnet Use the Telnet menu item to enable the function. Telnet page Figure 1-39 Telnet Configuration Description:...
  • Page 936 Figure 1-40 Users management Configuration Description: Add users: To add a new user, click Add users to display the following configuration page. Figure 1-41 Adding the users Enter the user name and password and then click Save to validate the configuration. After the configuration succeeds, the new user is displayed in the User management page.
  • Page 937: Password Setting

    Figure 1-42 Modifying the users Enter the user name and password and then click Save to validate the configuration. After the configuration succeeds, the modified user is displayed in the User management page. If the deleted or modified user name is the login user name, an authentication dialog box is displayed.
  • Page 938 Figure 1-43 Password setting Configuration description: 1) Modifying the password of Enable To modify the password of Enable, enter the new password and then click Save to validate the configuration. The following dialog box is displayed. Figure 1-44 Login authentication dialog box Use the new password to log in.
  • Page 939 To modify the password of Telnet, enter the new password and then click Save to validate the configuration. Import/Export Configuration Use the Import/Export Configuration menu item to enable the function. Import/Export configuration page Figure 1-45 Import/Export configuration Configuration description: To import or export the config.text file of the switch, enter the IP address of the TFTP server and the file name, and click Save to validate the configuration.
  • Page 940 Enter a valid port number and click Save to validate the configuration. After the port number is set, log in to the device using the new port. For example, if the new port is 8080 and the IP address of the device is 192.168.1.1, log in to the device through http://192.168.1.1:8080.
  • Page 941 Configure the login authentication method for Web management to Local. Ruijie(config)#ip http authentication local d. Configure the local user name (class 15 users) and password. Ruijie(config)#username admin password admin Ruijie(config)#username admin privilege 15 e. Configure the IP address for management.
  • Page 942 Ruijie(config)#ip http authentication enable d. Configure the password of Enable. Ruijie(config)#enable password admin e. Configure the IP address for management. Ruijie(config)#interface vlan 1 Ruijie(config-if-VLAN 1)#ip address 192.168.100.1 255.255.255.0 Verification 1) Perform login authentication in the Local method. Ruijie(config)#show running-config Building configuration...
  • Page 943 line con 0 line vty 0 4 login 2) Perform login authentication in the Enable method. Ruijie(config)#show running-config Building configuration... Current configuration : 2014 bytes version RGOS 10.2(4), Release(55435)(Wed May 13 11:50:07 CST 2009 -ngcf32) vlan 1 no service password-encryption enable password admin // The password authentication for Web management adopts Enable.
