
RG-WLAN Series Access Point

RGOS Configuration Guide, Release 11.1(5)B6



Copyright Statement

Ruijie Networks© 2015

Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification,
transmission, translation or commercial use of this document or any portion of this document, in any form or by any means,
without the prior written consent of Ruijie Networks is prohibited.

The Ruijie Networks trademarks and logos (not reproduced in this text version) are registered trademarks of Ruijie Networks.

Counterfeit is strictly prohibited.

Exemption Statement

This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain
the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will
not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
Preface

Thank you for using our products. This manual matches the RGOS Release 11.1(5)B6.

Audience

This manual is intended for:

 Network engineers
 Technical support and servicing engineers
 Network administrators

Obtaining Technical Assistance

 Ruijie Networks website: http://www.ruijienetworks.com/


 Ruijie service portal: http://case.ruijienetworks.com

Related Documents

Documents  Description

Command Reference  Describes the related configuration commands, including command modes, parameter descriptions, usage guides, and related examples.

Hardware Installation and Reference Guide  Describes the functional and physical features and provides the device installation steps, hardware troubleshooting, module technical specifications, and specifications and usage guidelines for cables and connectors.

Conventions

This manual uses the following conventions:

Convention Description

boldface font Commands, command options, and keywords are in boldface.

italic font Arguments for which you supply values are in italics.

[ ] Elements in square brackets are optional.

{x|y|z} Alternative keywords are grouped in braces and separated by vertical bars.

[x|y|z] Optional alternative keywords are grouped in brackets and separated by vertical bars.
Symbols

Note: Means the reader should take note. Notes contain helpful suggestions or references.

Caution: Means the reader should be careful. In this situation, you might do something that could result in equipment damage or
loss of data.
RG-WLAN Series Access Point

RGOS Configuration Guide,

Release 11.1(5)B6

WLAN Basic Configuration


1. Configuring AP Management

2. Configuring STA Management

3. Configuring Ethernet Management

4. Configuring Data Plane

5. Configuring WLAN WLOG


Configuration Guide Configuring AP Management

Configuring AP Management

Overview

A wireless local area network (WLAN) links computers and other devices using wireless communication technology to
form a network system for communication and resource sharing. The essential characteristic of a WLAN is that computers
are connected to the network wirelessly rather than by cables, which makes network construction and terminal mobility
more flexible.

Concepts Related to WLAN

1) Access Point (AP): Access points serve as a bridge between wireless terminals and the wired network, allowing wireless
terminals to access the wired network.

2) Access Controller (AC): Access controllers are connected with APs through the wired network for centralized
management of APs.

3) Radio frequency: A WLAN uses radio frequencies as the transmission medium for communication between APs
and wireless terminals and between wireless terminals.

4) Frequency band: the range of frequencies used. In a WLAN, wireless devices may support different 802.11
standards, which work at different frequency ranges.

5) Wireless user: a user that accesses the network through a wireless terminal.

WLAN Transmission Standards


802.11 is an industry standard developed by the IEEE for WLAN communication, and through continuous improvement it has
grown into the 802.11X family of standards. Among them, the main transmission standards are 802.11b/a/g/n, which are
described below:

1) 802.11b

It works at the frequency band of 2.4GHz at a transmission rate of up to 11Mb/s, which can be 11, 5.5, 2 or 1Mb/s depending
on actual needs.

2) 802.11a

It works at the frequency band of 5GHz, at a transmission rate up to 54Mb/s, which can be 48, 36, 24, 18, 12, 9 or 6Mb/s
based on actual needs.

3) 802.11g

It works at the frequency band of 2.4GHz, at a transmission rate up to 54Mb/s. Devices supporting 802.11g also support
802.11b.

4) 802.11n

It can work at the frequency bands of 2.4GHz and 5GHz, at a transmission rate up to 600Mb/s. Devices supporting
802.11n also support 802.11a/b/g.

Fit AP Network Architecture


With fit APs, a network consists of a wired switch, access controllers (ACs) and fit APs. A fit AP is a simple wireless access
point without management and control functions. The AC manages all APs and delivers control policies, which are not
configured on each AP, to the specified APs, as shown in the following figure. The AC is connected with multiple APs via the
wired network, and users only need to configure and manage the associated APs on the AC.

Figure 1-1 Networking topology with fit APs

License
The license function protects the legitimate rights of authorized users. With the license activation key, the
user can confirm whether the license is valid and obtain the corresponding authorization. The license function
controls the maximum number of APs supported by the AC. The maximum AP number, the license type and the detailed
formats of the license types differ from device to device.

The user can configure/add a valid license by executing the command; the license entered must be valid and applicable to
the device. If the authorized AP number has already reached the maximum AP number supported by the device, no new
license can be configured or added.

In this configuration guide, the license activation key configured on the device is also called the license, license
ID, license key, etc., and the serial number of the purchased license CD is called the license serial number.

License Function Attributes

The following are the function attributes and usage restrictions of the license function:

1) A license that the user applied for can only be used on the specified device and is invalid for other devices.

2) Once configured, the license takes effect permanently; that is, the user is authorized to use this license forever.

3) Once configured, the license takes effect immediately; that is, the license can be used without resetting the
device.

4) Multiple licenses can be configured on one device; that is, the maximum AP number supported by the device is the
sum of the AP numbers authorized by the individual licenses. However, the maximum AP number authorized by the
licenses cannot exceed the maximum AP number supported by the device itself.

Cluster and Redundancy


A cluster is a group of coordinated service entities that provides a more scalable and available service platform than a
single service entity. In a WLAN project, a cluster means a group of coordinated ACs. Compared with the single-AC model,
a group of coordinated ACs (a cluster) provides higher availability (redundancy and fault recovery) and load balancing.

AC Redundancy

To provide services to wireless users, an AP must maintain a connection with a specific AC. If this AC fails suddenly,
the AP is unable to connect to an AC and the service fails. To enhance serviceability, the AC redundancy feature is
introduced.

AC redundancy assigns multiple ACs to the AP. When one AC fails, the AP can use a backup AC. AC redundancy
improves the reliability of the AC cluster and avoids the situation in which downlink APs cannot provide services because a
certain AC has failed.

AC to Support the Failover Priority of AP

Generally, when the connection between an AP and its AC fails, the AP looks for a backup AC. By default, APs are connected
to the AC in the order in which their association requests arrive. Failover priority allows a priority level to be specified for
each AP, so that the AC accepts AP access requests according to the AP's priority level, ensuring that high-priority APs are
given priority to connect to the AC.

When the number of APs connected to the AC has reached the threshold and a new AP requests to associate with this AC
with a priority level higher than that of some connected APs, the AC randomly kicks out one of the associated APs with the
lowest priority level. In this way, the new AP can associate with this AC.

The priority level of AP ranges from 1 to 4. 1 indicates the lowest priority level.
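The admission rule described above (first come, first served below the threshold; at the threshold, a strictly higher-priority AP evicts one randomly chosen AP from the lowest-priority group), as an added Python model that is not part of the original guide. The class and function names and the threshold values are assumptions for illustration.

```python
"""Model of AC admission with AP failover priority.

Added example, not Ruijie code: it simulates the behaviour described in the
text (priority 1..4, 1 lowest; when the AC has reached its AP threshold, a
newcomer with a strictly higher priority evicts one randomly chosen AP from
the lowest-priority group). Names and threshold values are assumptions.
"""
import random

MIN_PRIO, MAX_PRIO = 1, 4   # per the text: 1 is the lowest priority level


class AccessController:
    def __init__(self, name, max_aps, rng=None):
        self.name = name
        self.max_aps = max_aps            # AP threshold of this AC (assumed value)
        self.aps = {}                     # AP name -> priority level
        self.rng = rng or random.Random()

    def associate(self, ap_name, priority):
        """Handle an association request. Returns (accepted, evicted_ap)."""
        if not MIN_PRIO <= priority <= MAX_PRIO:
            raise ValueError("AP priority must be between 1 and 4")
        if ap_name in self.aps:
            return True, None             # already associated
        if len(self.aps) < self.max_aps:
            self.aps[ap_name] = priority
            return True, None             # below threshold: first come, first served
        lowest = min(self.aps.values())
        if priority <= lowest:
            return False, None            # not higher than the lowest connected AP
        candidates = [ap for ap, p in self.aps.items() if p == lowest]
        victim = self.rng.choice(candidates)   # random pick among the lowest group
        del self.aps[victim]
        self.aps[ap_name] = priority
        return True, victim

    def disconnect(self, ap_name):
        self.aps.pop(ap_name, None)


def failover(ap_name, priority, acs):
    """Try the AP's AC list in order (primary first, then backups) and
    return the name of the first AC that accepts it, or None."""
    for ac in acs:
        accepted, _ = ac.associate(ap_name, priority)
        if accepted:
            return ac.name
    return None
```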

WLAN Working Principles

Connection of Wireless Terminals to Network

Connection of wireless terminals to network is completed in three steps: scanning, authentication and association, as
shown in the figure below.

Figure 1-2 Connection of wireless users to AP

 Scanning

Before a wireless terminal is connected to a network, it searches for available networks at its location. The search is
performed by either active or passive scanning.

Active scanning: The wireless terminal sends a Probe Request frame requesting to join the network. After the AP
has received the Probe Request frame, it sends back a Probe Response frame.

Passive scanning: The AP periodically broadcasts Beacon frames (which carry the SSID associated with the AP), and the
wireless terminal listens to Beacon frames to identify networks.

 Authentication

If a wireless terminal has received Probe Response frames from APs, it selects one candidate AP for association.
Authentication is required before association; the authentication types are open system authentication and shared key
authentication.

Authentication: The wireless terminal sends an Authentication Request frame to the selected AP requesting
authentication. After the AP has received the Authentication Request frame, it sends back an Authentication Response
frame.

 Association

After authentication, the wireless terminal is able to establish an association with the selected AP. The association
process is as follows: The wireless terminal sends an Association Request frame to the selected AP requesting
association. After the AP has received the Association Request frame, it sends back an Association Response frame.

WLAN Communication

A WLAN is a network combining a wired network and wireless communication. The wireless interfaces of APs are
connected to wireless terminals and communicate through 802.11 frames; the Ethernet ports of APs are connected to
the wired network and communicate through 802.3 frames.

In a network with fat APs, the APs independently complete the conversion between 802.11 frames and 802.3 frames for
communication between the wired and the wireless networks.

In a network with fit APs, control channels and data channels are established between ACs and APs through the
CAPWAP protocol. The control channels are for configuration of APs at the AC and for APs to send event notices to the
AC, and the data channels are for sending data messages between the APs and the AC.

Data communication in a network with fit APs is usually in Split MAC mode or Local MAC mode. Local MAC mode is
further classified into centralized forward mode and local forward mode.

 Split MAC mode: After the AP receives an 802.11 frame, it forwards the frame to the AC directly after CAPWAP
encapsulation; the AC then de-encapsulates the frame and converts the 802.11 frame into an 802.3 frame; and vice
versa.

 Centralized forward mode: After the AP receives an 802.11 frame, it locally converts the frame into an 802.3 frame
and then forwards the frame to the AC after CAPWAP encapsulation; and vice versa.

 Local forward mode: After the AP receives an 802.11 frame, it locally processes and forwards the frame without
sending it to the AC via the CAPWAP tunnel.

Configuration

Switching the AP Mode


To switch AP to fit mode or to fat mode, run the following command:

Command  Function
Ruijie# config terminal  Enters global configuration mode.
Ruijie(config)# ap-mode fit  Switches the AP to fit mode.
Ruijie(config)# ap-mode fat [dhcp]  Switches the AP to fat mode. When the dhcp parameter is configured, the AP enables DHCP to obtain an IP address by default; otherwise the AP uses a static IP address by default.

After switching the AP working mode, restart the device to ensure the configuration consistency.

For the Ruijie Networks WALL-AP, when working as a fat AP, the default IP address of the rear end wired interface (which is
connected to the PoE switching device) is 192.168.110.1/255.255.255.0; the default IP address of the front end wired
interface (the Ethernet port on the front panel) is 192.168.111.1/255.255.255.0.

When the command ap-mode fat dhcp is configured, once the AP is switched to fat mode, the fat AP obtains its IP
address through DHCP. After the AP is restarted without further related configuration, it still obtains its IP address through
DHCP.

When the command ap-mode fat dhcp is configured on the WALL-AP, DHCP is enabled only on the rear
end wired interface by default; that is to say, by default the front end interface still uses a static IP address.

You cannot use the commands ap-mode fat dhcp and ap-mode fat to switch directly between the two fat modes.
You must switch to fit mode first and then perform the switchover.

Configuration Example:

# Switch the AP to fit mode.

Ruijie(config)# ap-mode fit

# Switch the AP to fat mode and enable DHCP.

Ruijie(config)# ap-mode fat dhcp

Displaying APMG Configuration

Use the following commands in privileged EXEC mode to display AP management configuration.

Command Function
show ap-mode Displays the AP mode.
Configuration Guide Configuring STA Management

Configuring STA Management

Overview

Station management (STAMG) provides services for controlling STA access and notifying STA-related events.

STAMG applies in the following scenarios:

1. Configuring a dynamic blacklist in a network that requires high security, to prevent STA attacks.

2. Configuring the maximum number of STAs when the AP capacity would otherwise be exceeded.

3. Configuring load balancing for STAs to distribute traffic across multiple AP devices.

4. Configuring association control in the e-bag scenario.

Association Control

Association control is a method of controlling the association behavior of wireless STAs. STAs are grouped, one STA in
each group is defined as the master STA and the others as secondary-STAs, and the secondary-STAs must follow the master
STA: the wireless network that the secondary-STAs associate with is forced to be the same as that of the master STA.
In this way, the association behavior of the wireless terminals can be controlled.

1) The association control zone: it can be understood as the wireless network made up of one AP or one group of APs.
At any one time, a STA group can only successfully associate with an AP in one association control zone.

2) The terminal package: it is made up of a group of STAs, including the master STA and the secondary-STAs.
Secondary-STAs cannot be separated from the master STA and associate with an AP in a control zone on their own. They
can only follow the master STA; that is, they can only associate with an AP in the control zone with which the master STA
is associated.

Association Control Working Principle

The wireless network is divided into several association control zones, one or several APs are arranged in every
association control zone, and the wireless terminals are grouped so as to strictly control which control zones a terminal
can associate with. Take the school e-bag application for instance: a school has many classrooms in which wireless
APs are installed, and the wireless signal travels through the space. When two neighboring classrooms are using the e-bag,
the ideal situation is that the teachers' and students' computers all associate with the local APs, so that every class can
proceed without interruption. This requires each classroom to be an association control zone, with the students' and
teachers' computers all associating with the local wireless APs. Currently, the fit AP framework and the fat AP framework
are the two wireless networking methods. The following is a sketch of how these two methods use association control.

The Fit AP Network Framework

The figure below shows the fit AP framework of the association control application.

Figure 1-1 The Fit AP Networking Topology



Premise

The purpose of association control is to prevent terminals from performing random associations when there are many
wireless networks. The premise of the network configuration is as follows:

 Set each association control zone as a WLAN subnet and allocate a VLAN to each subnet. In this way, broadcast and
multicast traffic is confined to the local control zone, which ensures smooth operation of the applications in the
association control zone.

 Use different SSIDs for all WLAN subnets. For example, use the association control zone's name as the SSID for easier
differentiation. This makes it easier for the master STA and the secondary-STAs of a terminal package to associate with
the designated APs in the association control zone.

Working Principle

 The AC sends all information about the master STA of each terminal package to all APs in the association control
zone, according to the pre-configured association control zone and terminal package information.

 Since the information about the master STA of the terminal package is on the APs' white list, when applying the
association control function, the master STA needs to associate with the corresponding SSID in the control zone first.
After the master STA completes the association, the AC sends all secondary-STAs to all APs in that association
control zone, according to the configuration of the terminal package the master STA belongs to, and creates the white
list; thus the secondary-STAs are allowed to associate with the local control zone.

 When the master STA releases its association and logs off, all corresponding secondary-STAs go offline and are
deleted from the white list of the APs in the association control zone.

 The above process can be briefly summarized as follows: secondary-STAs follow the master STA; whichever APs
the master STA associates with, the secondary-STAs must follow and associate with the APs in that association control
zone. The corresponding white list exists only on the APs of that association zone; since the list does not exist on APs in
other association control zones, STAs cannot perform random associations.

The Fat AP Network Framework

The figure below shows the fat AP framework of the association control application.

Figure 1-2 The Fat AP Networking Topology

Premise

The purpose of association control is to prevent terminals from performing random associations when there are many
wireless networks. The premise of the network configuration is as follows:

 Set each association control zone as a WLAN subnet and allocate a VLAN to each subnet. In this way, broadcast and
multicast traffic is confined to the local control zone, which ensures smooth operation of the applications in the
association control zone.

 Use different SSIDs for all WLAN subnets. For example, use the association control zone's name as the SSID for easier
differentiation. This makes it easier for the master STA and the secondary-STAs of a terminal package to associate with
the designated APs in the association control zone.

Working Principle

 The AP adds all information about the master STA to its white list, according to the pre-configured association
control zone and terminal package information.

 Since the information about the master STA of the terminal package is on the AP's white list, when applying the
association control function, the master STA needs to associate with the corresponding SSID in the control zone first.
After the master STA completes the association, the AP creates a white list of all secondary-STAs according to the
configuration of the terminal package the master STA belongs to; thus the secondary-STAs are allowed to associate
with the local control zone.

 When the master STA releases its association and logs off, all corresponding secondary-STAs go offline and are
deleted from the fat AP's white list.

 The above process can be briefly summarized as follows: secondary-STAs follow the master STA; whichever fat
AP the master STA associates with, the students' computers must follow and associate with this fat AP. This prevents
misbehaving students from performing random associations; for instance, secondary-STAs cannot associate with other
APs.

In the fit AP framework, the master STA and the secondary-STAs may be distributed across several APs in a given
control zone. In the fat AP framework, however, the master STA and the secondary-STAs only associate with one AP.
Unlike the fit AP framework, which is managed by the AC, a fat AP performs the management on its own: if the
master STA associates with one fat AP, the other fat APs cannot know which fat AP the master STA has associated
with. Therefore, following the principle that secondary-STAs must follow the master STA, the secondary-STAs must
associate with the same fat AP that the master STA associates with.
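The white list behaviour described for both frameworks above (fit: the zone is a group of APs; fat: the zone is a single AP), as an added Python model that is not part of the original guide. Class, method, AP and MAC names are constructed, and STAs that belong to no terminal package are assumed to be unaffected by association control.

```python
"""Model of association control: master STA and secondary-STA white lists.

Added example, not Ruijie code. It simulates the behaviour described in the
text: a control zone is a set of APs (at most 5), a terminal package is one
master STA plus secondary STAs (at most 100), the master is white-listed on
every AP of every zone, secondaries are white-listed only on the APs of the
zone where the master associated, and they are dropped when the master logs
off. A fat AP is simply a zone with one AP. Names are constructed; STAs not
in any package are assumed to be unaffected.
"""
MAX_APS_PER_ZONE = 5
MAX_SECONDARY_PER_PACKAGE = 100


class AssocControl:
    def __init__(self):
        self.enabled = False      # assoc-control / no assoc-control
        self.zones = {}           # zone name -> set of AP names
        self.ap_zone = {}         # AP name -> zone name
        self.packages = {}        # package name -> {"primary": mac, "secondary": set}
        self.whitelist = {}       # AP name -> set of STA MACs the AP accepts
        self.online = {}          # STA MAC -> AP name it is associated with

    def control_zone(self, name, aps):
        """control-zone NAME plus one 'ap WORD' per AP; names must be unique."""
        if name in self.zones:
            raise ValueError("control zone names cannot be repeated")
        if len(aps) > MAX_APS_PER_ZONE:
            raise ValueError("at most 5 APs per control zone")
        self.zones[name] = set(aps)
        for ap in aps:
            self.ap_zone[ap] = name
            self.whitelist.setdefault(ap, set())
        self._push_primaries()

    def package(self, name, primary, secondary=()):
        """package NAME, primary-sta MAC, secondary-sta MAC ..."""
        secondary = set(secondary)
        if len(secondary) > MAX_SECONDARY_PER_PACKAGE:
            raise ValueError("at most 100 secondary STAs per package")
        self.packages[name] = {"primary": primary, "secondary": secondary}
        self._push_primaries()

    def _push_primaries(self):
        # Every master STA is white-listed on every AP of every zone, so the
        # master is free to choose the zone; secondaries are added only later.
        for allowed in self.whitelist.values():
            for pkg in self.packages.values():
                allowed.add(pkg["primary"])

    def _package_of(self, mac):
        for pkg in self.packages.values():
            if mac == pkg["primary"] or mac in pkg["secondary"]:
                return pkg
        return None

    def associate(self, mac, ap):
        """Return True if the AP accepts the association request from mac.
        Only APs that belong to a control zone are modelled (KeyError otherwise)."""
        zone = self.ap_zone[ap]
        pkg = self._package_of(mac)
        if not self.enabled or pkg is None:
            self.online[mac] = ap         # control disabled, or STA not in a package
            return True
        if mac not in self.whitelist[ap]:
            return False                  # not white-listed on this AP: refused
        self.online[mac] = ap
        if mac == pkg["primary"]:
            # Master associated: its secondaries are now allowed on every AP
            # of this zone only (in the fat AP case, on this single AP).
            for zone_ap in self.zones[zone]:
                self.whitelist[zone_ap] |= pkg["secondary"]
        return True

    def disassociate(self, mac):
        """Release mac's association; returns the secondaries forced offline."""
        ap = self.online.pop(mac, None)
        if ap is None:
            return []
        pkg = self._package_of(mac)
        dropped = []
        if pkg is not None and mac == pkg["primary"]:
            for zone_ap in self.zones[self.ap_zone[ap]]:
                self.whitelist[zone_ap] -= pkg["secondary"]
            for sec in sorted(pkg["secondary"]):
                if self.online.pop(sec, None) is not None:
                    dropped.append(sec)
        return dropped
```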

Configuration

Configuring the Terminal Package


By default, no terminal package is configured in the system. Enter privileged EXEC mode and follow the steps below to
configure the terminal package information:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# package pkg-name  Configure the terminal package named pkg-name and enter terminal package configuration mode. pkg-name is an alphabetic string with a length of [1,32].
Ruijie(config-package)# end  Quit terminal package configuration mode.
Ruijie# show package  View the terminal package configuration.

Use the no package [ pkg-name ] configuration command to delete the terminal package configuration.

Configuration example:

# configure the terminal package named "package_1"



Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# package package_1
Ruijie(config-package)# end
Ruijie# show package
total package num : 1
========= package_1 =========
teacher computer : none
student computer num : 0

# delete the terminal package named "package_1"

Ruijie(config)# no package package_1
The operation will clear package(s) configuration, which may cause corresponding STAs offline . Continue? [no]y
Ruijie(config-package)# end
Ruijie# show package
no package configuration.

When a terminal package is deleted, all configuration relating to the terminal package is deleted, and if
there are STAs online, all of those STAs are logged off.

This command only exists on the AC and the fat AP; the fit AP is excluded.
The AC allows a maximum of 300 terminal package configurations, and the fat AP 50. An error notice
appears if the number reaches the maximum.

Configuring the STA Master STA


By default, no master STA is configured in the system. Enter privileged EXEC mode and follow the steps below to configure
the master STA of a terminal package:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# package pkg-name  Enter terminal package configuration mode.
Ruijie(config-package)# primary-sta mac-address  Configure the master STA of the terminal package. The MAC address of the master STA is mac-address, in the form xxxx.xxxx.xxxx.
Ruijie(config-package)# end  Quit terminal package configuration mode.
Ruijie# show package  View the terminal package configuration.

Use the no primary-sta configuration command to delete the master STA configuration.

Configuration Example:

# configure the master STA of the terminal package package_1; the MAC address is 00d0.f800.0001

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# package package_1
Ruijie(config-package)# primary-sta 00d0.f800.0001
Ruijie(config-package)# end
Ruijie# show package
========= package_1 =========
teacher computer : 00d0.f800.0001
student computer num : 0

Deleting the master STA of a terminal package may cause that STA to go offline, and also causes the other STAs of the
package to go offline.

One terminal package allows only one master STA to be configured. If different master STA configurations are
entered, the last one takes effect.
This command only exists on the AC and the fat AP; the fit AP is excluded.

Configuring Secondary-STAs
By default, no secondary-STA is configured in the system. Enter privileged EXEC mode and follow the steps below to
configure secondary-STAs:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# package pkg-name  Enter terminal package configuration mode.
Ruijie(config-package)# secondary-sta mac-address  Configure a secondary-STA. The MAC address of the secondary-STA is mac-address, in the form xxxx.xxxx.xxxx.
Ruijie(config-package)# end  Quit terminal package configuration mode.
Ruijie# show package  View the terminal package configuration.

Use the no secondary-sta [ mac-address ] configuration command to delete the secondary-STA configuration.

Configuration Example:

# configure a secondary-STA in the terminal package package_1; the MAC address is 00d0.f800.0002

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# package package_1
Ruijie(config-package)# secondary-sta 00d0.f800.0002
Ruijie(config-package)# end
Ruijie# show package
========= package_1 =========
teacher computer : 00d0.f800.0001
student computer num : 1
00d0.f800.0002

Deleting a secondary-STA from a terminal package may cause this STA to go offline.

A terminal package allows a maximum of 100 secondary-STA configurations. An error notice appears if the
number reaches the maximum.
This command only exists on the AC and the fat AP; the fit AP is excluded.

Configuring Association Control Zone


By default, no association control zone is configured in the system. Enter privileged EXEC mode and follow the steps below
to configure an association control zone:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# control-zone czone-name  Configure the association control zone and enter association control zone configuration mode. The association control zone's name is czone-name, with a length of [1,64].
Ruijie(config-czone)# end  Quit association control zone configuration mode.
Ruijie# show control-zone summary  View the summary of the association control zone configuration.

Use the no control-zone [ czone-name ] configuration command to delete the association control zone configuration.

Configuration Example:

# configure the association control zone named "Grade one(1)"

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# control-zone Class one Grade one
Ruijie(config-czone)# end
Ruijie# show control-zone summary
control zone num : 1
Class one Grade one

# delete the association control zone named "Grade one(1)"

Ruijie(config)# no control-zone Class one Grade one
The operation will clear the control zone configuration, which may cause corresponding STA(s) offline . Continue? [no]y
Ruijie(config-czone)# end
Ruijie# show control-zone summary
no control zone configuration.

The names of association control zones cannot be repeated, or an error notice appears. Besides,
when an association control zone is deleted, all the associated configuration is deleted, and this may
cause the STAs of the terminal packages associated with this control zone to go offline.

This command only exists on the AC and the fat AP; the fit AP is excluded.
The AC allows a maximum of 300 association control zone configurations, and the fat AP one. An error notice
appears if the number reaches the maximum.

Configuring the AP Information


By default, no AP is configured in an association control zone. Enter privileged EXEC mode and follow the
steps below to configure the AP information in an association control zone:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# control-zone classroom-name  Enter association control zone configuration mode.
Ruijie(config-czone)# ap WORD  Configure the AP information. WORD is the AP's name, with a length of [1-64].
Ruijie# show control-zone  View the details of the association control zone configuration.

Use the no ap [ WORD ] configuration command to delete the AP configuration.

Configuration Example:

# configure AP information of AP1(1)-2 in the association control zone named “Class one Grade one”

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# control-zone Class one Grade one
Ruijie(config-czone)# ap AP1(1)-2
Ruijie(config-czone)# end
Ruijie# show control-zone
control zone num : 4
control-zone            AP
-------------           ------------------------
Class one Grade one     AP1(1)-1 00d0.f800.889f
                        AP1(1)-2 00d0.f800.1115
Class two Grade two     AP2(2)-1 00d0.f800.889f
Class two Grade three   AP2(3)-1 00d0.f800.123f
Class two Grade four    AP2(2)-4 offline
Class two Grade five    n/a

Deleting the AP information from an association control zone may cause the STAs of the terminal packages
associated with that AP to go offline.

This command only exists on the AC and the fat AP; the fit AP is excluded.
An association control zone allows a maximum of 5 AP configurations. An error notice
appears if the number reaches the maximum.

Enabling Association Control


By default, the association control function is disabled. Enter privileged EXEC mode and follow the steps below to enable
the association control function:

Command  Function
Ruijie# configure terminal  Enter global configuration mode.
Ruijie(config)# assoc-control  Enable the association control function.
Ruijie(config)# exit  Quit global configuration mode.
Ruijie# show assoc-control  View whether association control is currently enabled.

Use the no assoc-control configuration command to disable the association control function.

Configuration Example:

# enable the association control function


Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# assoc-control
Ruijie(config)# exit
Ruijie# show assoc-control
Association control is enabled.

# disable the association control function

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# no assoc-control
Ruijie(config)# end
Ruijie# show assoc-control
Association control is disabled.

This command only exists on the AC and the fat AP; the fit AP is excluded.
When the association control function is disabled, the related commands can still be configured, but the
function does not take effect.

View Association Control Configuration


The association control function provides the following display commands for viewing the configuration and
operating information; each command is described below:

Command  Function
show assoc-control  Display the current association control operating state.
show package [ pkg-name ]  Display the terminal package configuration information.
show control-zone [ summary | czone-name ]  Display the association control zone configuration information.

Displaying Configuration

Command Function
show assoc-control Display the state of the association control.
show control-zone [ summary | czone-name ] Display the association control-zone configuration.
show package [ pkg-name ] Display the terminal package configuration.
Configuration Guide Configuring Ethernet Management

Configuring Ethernet Management

Overview

Ethernet Management (ETH-MNG) is an AP wired parameter management service used to configure wired parameters of
APs.

The LAN interface bandwidth restriction function, a fundamental service of ETH-MNG, configures the maximum bandwidth
of the LAN interfaces of an AP. In a scenario where wireless and wired users coexist, this prevents wired users from
occupying so much bandwidth that wireless users experience slow Internet access.

The following sections describe ETH-MNG only.

Protocols and Standards

 N/A

Features

Basic Concepts

N/A

Overview

Feature Description
LAN Interface Bandwidth Restriction Configures the maximum bandwidth of the LAN interfaces of APs so as to avoid slow
Internet access of wireless users in a scenario where wireless and wired users coexist and wired users occupy a
substantial bandwidth.

LAN Interface Bandwidth Restriction

Working Principle

The LAN interface bandwidth restriction function configures the maximum bandwidth of the LAN interfaces of APs so as to
avoid slow Internet access of wireless users in a scenario where wireless and wired users coexist and wired users occupy
a substantial bandwidth.
Configuration

Configuration Description and Command

Configuring the Maximum Bandwidth of LAN Interfaces Optional configuration, which is used to configure the maximum
bandwidth of LAN interfaces of APs.

wired-rate value Configures the maximum bandwidth (in Mbps) of various LAN interfaces of the AP on the AP.

LAN Interface Bandwidth Restriction

Networking Requirements

 Configure the maximum bandwidth of various LAN interfaces.

Notes

 N/A

Configuration Steps

Configuring the LAN Interface Bandwidth Restriction Function

 The configuration is optional.

 Perform this configuration on a fat AP.

 Run the wired-rate command to configure the maximum bandwidth of various LAN interfaces.

 The wired-rate value command is supported only on AP120-W and AP130-W.


Command Syntax wired-rate value
Parameter Description -
Defaults By default, the maximum bandwidths of various LAN interfaces are not limited but are negotiated on the LAN
interfaces.
Command Mode Interface configuration mode
Configuration Usage By default, the bandwidths of various LAN interfaces are not limited.

Verification

 Run the show running-config command to display the configuration about the bandwidth restriction of various LAN
interfaces.
Configuration Example

Configuring LAN Interface Bandwidth Restriction

1) Configure the maximum bandwidth of various LAN interfaces.

Configuration Steps
AP120-W
 On one AP120-W, set the maximum bandwidth of FastEthernet 0/4 to 40 Mbps.

Ruijie(config)#interface fastEthernet 0/4
Ruijie(config-if-FastEthernet 0/4)#wired-rate 40

AP130-W
 On one AP130-W, set the maximum bandwidth of GigabitEthernet 0/4 to 40 Mbps.

Ruijie(config)#interface GigabitEthernet 0/4
Ruijie(config-if-GigabitEthernet 0/4)#wired-rate 40

Verification

 On the AP, run the show running-config command to display the configuration.

AP120-W
Ruijie(config)# show running-config
interface FastEthernet 0/4
wired-rate 40

AP130-W
Ruijie(config)# show running-config
interface GigabitEthernet 0/4
wired-rate 40

Common Errors

 N/A

Monitoring

 N/A
Configuration Guide Configuring Data Plane

Configuring Data Plane

Overview

The data plane provides broadcast forwarding control functions, including broadcast forwarding weight control and
broadcast wireless forwarding control.

Broadcast forwarding weight control restricts the share of each packet type in broadcast forwarding, so that a single
packet type cannot occupy all forwarding resources and affect STAs.

Broadcast wireless forwarding control forwards only necessary packets to the wireless network, so that useless broadcast
packets do not occupy substantial radio frequency (RF) resources.

 Broadcast forwarding weight control is applicable to all packets to be flooded.

 Broadcast wireless forwarding control is applicable to all packets to be sent to the radio interface.

Protocols and Standards

 N/A

Applications

Application Description
Broadcast Forwarding Control Set up the network with at least one AC and one fit AP.

Broadcast Forwarding Control

Scenario

An AC is deployed in the wireless network with the broadcast wireless forwarding control function enabled.

The AC controls the wireless forwarding of broadcast packets, as shown in Figure 0-1.

Figure 0-1

AC: a wireless access controller.
POE: a gateway switch for the AP.
AP: a wireless access point.
STA1 and STA2: user equipment used as STAs.

Corresponding Protocols

 Enable the broadcast wireless forwarding control function on the AC.

Features

Basic Concepts

Broadcast Forwarding Weight Control

A network switching device may need to flood broadcast packets, multicast packets, and some unicast packets. A weight
can be set for each type of packets to prevent a certain type of broadcast packets from exhausting all broadcast
forwarding capabilities, thereby improving STAs' network experience.

Broadcast Wireless Forwarding Control

The broadcast wireless forwarding control function is used to forward only necessary broadcast packets to the wireless
network, so as to prevent certain broadcast packets from occupying substantial air interface resources and improve the
network rates of STAs.

Overview

Feature Description
Broadcast Forwarding Weight Control Restricts the weights of packet types for broadcast forwarding, so as to protect RF
resources from being occupied by a certain type of packets and thereby guarantee normal forwarding of other packets.
Broadcast Wireless Forwarding Control Controls whether to forward broadcast packets to the wireless network, so as to
prevent useless broadcast packets from occupying substantial RF resources.

Broadcast Forwarding Weight Control


Broadcast forwarding weight control is used to restrict a certain type of packets, so that the ratio of this type of packets is
no greater than the specified weight during broadcast forwarding.

Working Principle

The broadcast forwarding weight control function works as follows:

 Classify packets. Packets are roughly classified into the following types: unicast packets, multicast packets,
broadcast packets, unknown multicast packets, and unknown unicast packets.

 Allocate a token bucket to each type of packets, and record the number of packets permitted to pass at this moment.

 According to the configured broadcast forwarding weights, calculate the number of packets permitted to pass within
each interval, and adjust the sizes of the token buckets accordingly.

 When a packet arrives, determine the type of the packet and check whether there is any token in the token bucket
corresponding to the packet type. If the token bucket contains a token, the packet is permitted to pass; otherwise, the
packet is discarded.
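The token-bucket procedure above, modelled in Python as an added example (this is illustration code written for this guide's explanation, not Ruijie's implementation). Frames are classified by destination MAC, each packet type receives a bucket sized from its weight, and a frame is dropped when its type's bucket is empty, so a burst of one type cannot starve the others. The per-interval capacity of 1000 frames, the reading of the five weights as relative shares of that capacity, the one-interval bucket depth, and the MAC-based classification rule are assumptions, not values from the guide; the weights themselves are those of the guide's configuration example.

```python
# Added example: weighted token buckets for broadcast forwarding control.
# Not Ruijie code. Assumptions (not from the guide): the five weights are
# relative shares of a fixed per-interval forwarding capacity, a bucket holds
# exactly one interval's quota, and frames are classified by destination MAC.

PACKET_TYPES = ("unicast", "multicast", "broadcast",
                "unknown-multicast", "unknown-unicast")

# The weights used in the guide's configuration example.
EXAMPLE_WEIGHTS = {"unicast": 100, "multicast": 50, "broadcast": 50,
                   "unknown-multicast": 25, "unknown-unicast": 25}


class WeightedForwarder:
    """Per-type token buckets refilled once per forwarding interval."""

    def __init__(self, weights, capacity_per_interval):
        if set(weights) != set(PACKET_TYPES):
            raise ValueError("a weight is required for every packet type")
        total = sum(weights.values())
        # Tokens granted to each type per interval, proportional to its weight.
        self.quota = {t: capacity_per_interval * w // total for t, w in weights.items()}
        self.tokens = dict(self.quota)
        self.passed = {t: 0 for t in PACKET_TYPES}
        self.dropped = {t: 0 for t in PACKET_TYPES}

    def new_interval(self):
        """Refill every bucket at the start of a forwarding interval."""
        self.tokens = dict(self.quota)

    @staticmethod
    def classify(dst_mac, known_macs):
        """Assumed classification rule: the broadcast address first, then the
        I/G bit of the first octet for multicast, then the forwarding table
        (known_macs) to separate known from unknown destinations."""
        mac = dst_mac.lower()
        if mac == "ff:ff:ff:ff:ff:ff":
            return "broadcast"
        multicast = int(mac.split(":")[0], 16) & 0x01
        known = mac in known_macs
        if multicast:
            return "multicast" if known else "unknown-multicast"
        return "unicast" if known else "unknown-unicast"

    def forward(self, pkt_type):
        """Consume one token for the type; drop the frame if the bucket is empty."""
        if self.tokens[pkt_type] > 0:
            self.tokens[pkt_type] -= 1
            self.passed[pkt_type] += 1
            return True
        self.dropped[pkt_type] += 1
        return False


def run_burst_demo(capacity_per_interval=1000):
    """Constructed traffic: a burst of 600 broadcast frames arrives in one
    interval together with 150 frames to a known unicast MAC and 50 frames to
    an unknown multicast group."""
    fwd = WeightedForwarder(EXAMPLE_WEIGHTS, capacity_per_interval)
    known_macs = {"00:11:22:33:44:55", "01:00:5e:00:00:fb"}
    frames = (["ff:ff:ff:ff:ff:ff"] * 600
              + ["00:11:22:33:44:55"] * 150
              + ["01:00:5e:01:02:03"] * 50)
    for dst in frames:
        fwd.forward(fwd.classify(dst, known_macs))
    return fwd


if __name__ == "__main__":
    demo = run_burst_demo()
    for t in PACKET_TYPES:
        print("%-18s quota=%4d passed=%4d dropped=%4d"
              % (t, demo.quota[t], demo.passed[t], demo.dropped[t]))
```

With weights 100/50/50/25/25 the broadcast bucket receives 200 of the 1000 tokens, so only 200 of the 600 burst frames pass while all 150 unicast frames are forwarded untouched, which is the isolation the guide describes.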

Broadcast Wireless Forwarding Control


The broadcast wireless forwarding control function forwards to the wireless network only the packets that matter to STAs,
so as to prevent useless broadcast packets from occupying substantial air interface resources.

Working Principle

Wireless networks differ from wired networks in performance. In a wireless network, air interface resources are shared by
STAs and APs and often become the bottleneck for STAs. Broadcast packets are sent at low rates, so each of them
occupies the air interface for a long time.

In practice, some broadcast packets are useless for STAs. Forwarding them to the wireless network consumes air
interface resources and degrades user experience.

One solution is to classify broadcast packets for forwarding control, so that only packets of the specified types are
forwarded to the wireless network.

Configuration

Configuration Description and Command

Broadcast Forwarding Weight Control Optional configuration. Set the weights of packet types for broadcast forwarding.
data-plane queue-weight Configures the weights of packet types for broadcast forwarding on the AC or AP.

Broadcast Wireless Forwarding Control Optional configuration. Enable the broadcast wireless forwarding function.
data-plane wireless-broadcast Enables or disables the broadcast wireless forwarding control function on the AC or AP.

Configuring Broadcast Forwarding Weights

Networking Requirements

 You can control the forwarding weight of each packet type according to actual network conditions, so as to avoid
network congestion caused by a sudden traffic spike.

Notes

 N/A

Configuration Steps

Configuring Broadcast Forwarding Weights

 Optional configuration. Run the data-plane queue-weight command in global configuration mode to configure the
broadcast forwarding weights.

Command Syntax data-plane queue-weight unicast-packet-weight multicast-packet-weight broadcast-packet-weight
unknown-multicast-packet-weight unknown-unicast-packet-weight
Parameter Description unicast-packet-weight: sets the forwarding weight of unicast packets. The range is from 1 to 100.
multicast-packet-weight: sets the forwarding weight of multicast packets. The range is from 1 to 50.
broadcast-packet-weight: sets the forwarding weight of broadcast packets. The range is from 1 to 50.
unknown-multicast-packet-weight: sets the forwarding weight of unknown multicast packets. The range is from 1 to 25.
unknown-unicast-packet-weight: sets the forwarding weight of unknown unicast packets. The range is from 1 to 25.
Defaults Default weights are applied.
Command Mode Global configuration mode
Configuration Usage N/A
Verification

 Run the show run command to display the configuration.

Configuration Example

Configuring Broadcast Forwarding Weights

Scenario

Figure 0-2

Configuration Steps Configure the forwarding weights of packet types for broadcast forwarding in global configuration
mode.
AC/AP
Ruijie#configure terminal
Ruijie(config)#data-plane queue-weight 100 50 50 25 25
Ruijie(config)#exit

Verification Run the show run command to display the configuration.
AC/AP
Ruijie#show run
!
cwmp
!
data-plane queue-weight 100 50 50 25 25
!

Common Errors

 N/A

Configuring Broadcast Wireless Forwarding

Networking Requirements

 Useless broadcast packets are not forwarded to the air interface.


Notes

 N/A

Configuration Steps

Broadcast Forwarding Function

 Optional configuration. By default, the broadcast wireless forwarding function is disabled. Run the data-plane
wireless-broadcast command in global configuration mode to enable or disable this function.

Command Syntax data-plane wireless-broadcast { enable | disable }
Parameter Description enable: permits all broadcast packets to be forwarded to the air interface.
disable: prohibits all broadcast packets from being forwarded to the air interface.
Defaults The broadcast wireless forwarding function is disabled; that is, broadcast packets are not forwarded to
the wireless network.
Command Mode Global configuration mode
Configuration Usage N/A

Verification

 Run the show run command to display configuration information.

Configuration Example

Enabling the Broadcast Wireless Forwarding Function

Scenario

Figure 0-3

Configuration Steps Enable the broadcast wireless forwarding function in global configuration mode.
AC/AP
Ruijie#configure terminal
Ruijie(config)#data-plane wireless-broadcast enable

Verification Run the show running-config command to display the configuration.
AC/AP
Ruijie# show ap-config running
!
cwmp
!
data-plane wireless-broadcast enable
!

Common Errors

 N/A

Monitoring

 N/A
Configuration Guide Configuring WLAN WLOG

Configuring WLAN WLOG

Overview

WLAN-WLOG collects, stores, and displays information about WLANs and terminals over a period of time. The latest
24-hour information about WLANs, APs, and STAs, provided through the CLI, helps users analyze and locate problems on
WLANs.

Currently, WLAN-WLOG cannot automatically analyze the collected information. It is designed to provide information
about the past 24 hours so that users can analyze and locate problems based on accurate status information about
WLANs and terminals.

Information collected by WLAN-WLOG is stored on ACs and APs. Currently, APs store only STA space information; all
other information is stored on ACs.

Basic Concepts

Network Overview

Network overview includes the following aspects:

 Continuous running time of ACs

 Number of online APs

 Number of APs pre-deployed but offline

 Version information about online APs, including number of APs of each version

 Information about terminals of each WLAN (SSID)

1) Number of terminals that pass web authentication

2) Number of terminals that pass the 802.1x authentication

3) Number of terminals free of authentication

AP Overview

AP overview includes the following aspects:

 Name of an AP

 MAC address of the AP

 IP address of the AP

 Online time of the AP

 Information about each wired port of the AP


1) Input and output rates for the recent five minutes (bits/s)

2) Statistics on input and output unicast, broadcast, and multicast packets, and incorrect frames

 Information about each radio

1) Working channel

2) Transmit power (absolute value, in dBm)

3) Number of terminals that are successfully associated

4) Number of terminals that pass web authentication

5) Number of terminals that pass 802.1x authentication

6) Co-channel interference strength

7) Number of received error frames

8) Number of packet retransmissions

STA Overview

The terminal (STA) overview includes the following aspects:

 IP address

 Signal strength

 Connection rate

 APs, radios, and WLANs associated with terminals

STA Space Information

STA space information contains the statistics on data frames and management frames on terminals and all types of rates,
including:

 Number of data frames/flows that APs send to terminals

 Number of data frames/flows without response

 Number of management frames/flows

 Number of each type of frames sent at a common rate

Common rates include the following levels:

Level 0 1 2 3 4 5 6 7
Rate (Mbps) 1/2 5.5/11 6/9 12/18 24/36 48/54 Reserved Reserved

 Number of frames that are transmitted at each level of rate in MIMO mode

Transmission rates in MIMO mode include the following levels:


Level 0 1 2 3 4 5 6 7
Rate mcs0/mcs1 mcs2/mcs3 mcs4/mcs5 mcs6/mcs7 mcs8/mcs9 mcs10/mcs11 mcs12/mcs13 mcs14/mcs15

Space information shows whether an STA is running at a low rate, whether the proportion of no-ACK frames is high, and
whether excessive management frames are received. It helps users locate problems caused by low-rate nodes,
management frame attacks, and a harsh RF environment. Because STA space information changes constantly, it is
currently collected once every five minutes, and because of its volume it is stored only on APs.

AP Actions

AP actions include: getting online, getting offline, and processing CAPWAP connection failures.

STA Actions

STA actions include: associating, disassociating, roaming, getting online through web authentication, getting offline
through web authentication, getting online through 802.1x authentication, and getting offline through 802.1x
authentication.

Working Principle

Information on ACs is collected in the following modes:

Periodic collection

Information about the network overview, AP overview, and STA overview is collected and stored on a regular basis, for
example, hourly. The AP overview and STA overview contain information about all online APs and STAs.

Collection on receiving a notification

For "AP actions", information is collected and stored when a related module notifies the WLAN-WLOG module that an AP
action has occurred.

For "STA actions", information is collected and stored when a related module notifies the WLAN-WLOG module that an
STA action has occurred.

On APs, only STA space information is collected, and it is collected periodically.

Default Configuration

The default WLAN-WLOG configuration is shown in the following table.

Feature Default Setting
WLAN-WLOG function Disabled
Configuring WLAN-WLOG

Enabling the WLAN-WLOG Function


The following command is used to enable the WLAN log (WLOG) function on an AP:

Command Function
Ruijie(config)# wlan diag enable Enables the WLOG function.

The example below enables the WLOG function:

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#wlan diag enable
Ruijie(config)#no wlan diag enable

When the WLAN-WLOG function is enabled, memory is pre-allocated. If memory is insufficient, the
WLAN-WLOG function cannot be enabled.
When the WLAN-WLOG function is disabled, all memory used to store information collected by the WLAN-WLOG
module, including the pre-allocated memory, is released.

Displaying the Configuration

Displaying STA Statistics

The command for displaying STA statistics is supported on APs. The displayed statistics vary with options set in the
command.

The following command is used to display STA statistics on an AP.

Command Function
Ruijie#show wlan diag sta [ sta-mac STA_MAC ] [ number NUMBER ] Displays STA statistics.
The option [ sta-mac STA_MAC ] specifies the STA whose statistics are displayed. If it is not set, statistics about all STAs
are displayed.
The option [ number NUMBER ] specifies the maximum number of records.

The example below displays STA statistics on an AP:

Ruijie# show wlan diag sta
sta mac: c83a.35c6.0c72
=================================================================================================
2012-05-28 19:31:08
wlan id  state  rssi_rt  rs_rate_mcs  tx_frm_cnts  rx_frm_cnts  tx_frm_flow  rx_frm_flow  tx_cnts_error  tx_flow_error  mgmt_cnts  mgmt_flow
-------  -----  -------  -----------  -----------  -----------  -----------  -----------  -------------  -------------  ---------  ---------
1        3      23       80           18           59           4384         5967         0              0              3          381

tx/rxmcs       mcs0, mcs1  mcs2, mcs3  mcs4, mcs5  mcs6, mcs7  mcs8, mcs9  mcs10, mcs11  mcs12, mcs13  mcs14, mcs15
-------------  ----------  ----------  ----------  ----------  ----------  ------------  ------------  ------------
txmcspercent : 0           0           0           0           0           0             0             0
rxmcspercent : 0           0           0           0           0           0             0             0

tx/rxrate      1, 2   5.5, 11  6, 9   12, 18  24, 36  48, 54  --  --
-------------  -----  -------  -----  ------  ------  ------  --  --
txratepercent: 16     0        0      7       50      27      0   0
rxratepercent: 57     3        0      5       13      22      0   0

 This command is supported on all APs.
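As an added example (written for this guide, not Ruijie code), the following Python turns the STA statistics above into the three indicators the STA space information section says they reveal: the share of frames sent at low rates, the proportion of transmitted data frames that got no response, and the share of management frames. The counter names and rate-level tables are taken from the guide and the sample values are the ones in the output above; the thresholds, the mapping of tx_cnts_error to the "data frames without response" counter, and the choice of levels 0 and 1 (up to 11 Mbps) as "low rate" are assumptions made for the illustration.

```python
# Added example: indicators derived from 'show wlan diag sta' output.
# Not Ruijie code. Counter names and rate-level tables follow the guide; the
# thresholds and the reading of tx_cnts_error as "no-ACK data frames" are
# assumptions for illustration only.

# Level -> (rate, rate) in Mbps for the common (non-MIMO) rate table; 6, 7 reserved.
COMMON_RATES = {0: (1, 2), 1: (5.5, 11), 2: (6, 9), 3: (12, 18), 4: (24, 36), 5: (48, 54)}
LOW_RATE_LEVELS = (0, 1)  # assumption: 802.11b rates up to 11 Mbps count as "low rate"

COUNTER_FIELDS = ("wlan_id", "state", "rssi_rt", "rs_rate_mcs", "tx_frm_cnts",
                  "rx_frm_cnts", "tx_frm_flow", "rx_frm_flow", "tx_cnts_error",
                  "tx_flow_error", "mgmt_cnts", "mgmt_flow")

# Constructed from the single record in the guide's sample output.
SAMPLE_COUNTER_LINE = "1 3 23 80 18 59 4384 5967 0 0 3 381"
SAMPLE_TX_RATE_PERCENT = "16 0 0 7 50 27 0 0"
SAMPLE_RX_RATE_PERCENT = "57 3 0 5 13 22 0 0"

# Assumed alert thresholds; tune them to the deployment.
THRESHOLDS = {"low_rate_percent": 50, "no_ack_ratio": 0.2, "mgmt_share": 0.3}


def parse_counters(line):
    """Map the 12 numeric columns of a record line onto their counter names."""
    values = [int(v) for v in line.split()]
    if len(values) != len(COUNTER_FIELDS):
        raise ValueError("expected %d counters, got %d" % (len(COUNTER_FIELDS), len(values)))
    return dict(zip(COUNTER_FIELDS, values))


def parse_percent_row(line):
    """Parse a tx/rx rate-percent row: eight levels summing to 100 (or 0 if idle)."""
    levels = [int(v) for v in line.split()]
    if len(levels) != 8 or sum(levels) not in (0, 100):
        raise ValueError("rate percent row must have 8 levels summing to 0 or 100")
    return levels


def low_rate_percent(levels):
    """Percentage of frames sent at the low-rate levels."""
    return sum(levels[i] for i in LOW_RATE_LEVELS)


def no_ack_ratio(c):
    """Transmitted data frames without response, as a fraction of transmitted frames."""
    return c["tx_cnts_error"] / c["tx_frm_cnts"] if c["tx_frm_cnts"] else 0.0


def mgmt_share(c):
    """Management frames as a fraction of all counted frames for the STA."""
    total = c["tx_frm_cnts"] + c["rx_frm_cnts"] + c["mgmt_cnts"]
    return c["mgmt_cnts"] / total if total else 0.0


def assess(counter_line, tx_pct_line, rx_pct_line, thresholds=THRESHOLDS):
    """Compute the indicators and list which ones exceed their threshold."""
    c = parse_counters(counter_line)
    tx_low = low_rate_percent(parse_percent_row(tx_pct_line))
    rx_low = low_rate_percent(parse_percent_row(rx_pct_line))
    result = {"tx_low_rate_percent": tx_low, "rx_low_rate_percent": rx_low,
              "no_ack_ratio": no_ack_ratio(c), "mgmt_share": mgmt_share(c),
              "findings": []}
    for label, value in (("tx", tx_low), ("rx", rx_low)):
        if value > thresholds["low_rate_percent"]:
            result["findings"].append("%s low-rate share %d%% exceeds %d%%"
                                      % (label, value, thresholds["low_rate_percent"]))
    if result["no_ack_ratio"] > thresholds["no_ack_ratio"]:
        result["findings"].append("no-ACK ratio %.2f exceeds %.2f"
                                  % (result["no_ack_ratio"], thresholds["no_ack_ratio"]))
    if result["mgmt_share"] > thresholds["mgmt_share"]:
        result["findings"].append("management frame share %.2f exceeds %.2f"
                                  % (result["mgmt_share"], thresholds["mgmt_share"]))
    return result


def analyze_sample():
    """Run the assessment on the guide's sample record."""
    return assess(SAMPLE_COUNTER_LINE, SAMPLE_TX_RATE_PERCENT, SAMPLE_RX_RATE_PERCENT)


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print("%-20s %s" % (key, value))
```

On the sample record the STA receives 60% of its frames at 1, 2, 5.5 or 11 Mbps, which is the low-rate node case the guide describes; the no-ACK ratio is zero and management frames are under 4% of the total, so neither a poor link nor a management frame flood is indicated.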

Typical Example of WLAN-WLOG Configuration

Networking Requirements

The WLAN-WLOG function is used to collect, store, and display information about a local AC or AP. It has no special
requirements on network topology.

Key Points

Enable the WLAN-WLOG function.

Configuration Procedure

Enable the WLAN-WLOG function.

Ruijie# configure terminal
Ruijie(config)#wlan diag enable

Verifying the Configuration

1) Use the show running-config command to check whether WLAN-WLOG is enabled.

2) Display information collected by the WLAN-WLOG module.


For details, see the sections "Displaying Network Overview Statistics", "Displaying AP Statistics", and "Displaying STA
Statistics."
WLAN RF Configuration

1. Configuring RF Resource Scheduling

2. Configuring Band Select

3. Configuring Smartant

4. Configuring Spectral Analysis

5. Configuring WLAN Location


Configuration Guide Configuring RF Resource Scheduling

Configuring RF Resource Scheduling

Overview

As a wireless access device, an AP implements part of the physical layer and the MAC layer and generally has no
switching function. In terms of hardware structure, both a fat AP and a fit AP have only one wired uplink, which serves as
the data channel for all access users.

In the typical WLAN application shown below, the uplink from an STA to the access server through a fit AP is: STA→fit
AP→Switch→Route→Switch→AC→Switch→Route→Server; through a fat AP it is: STA→fat AP→Switch→Route→Server.
The downlink follows the reverse direction.

Figure 1 Typical Application of WLAN

RF resource scheduling suspends the access service of an AP. It disables the RF or WLAN of an AP within a period
specified by the user, so as to save power, reduce wireless interference, and enhance network security. RF resource
scheduling aims at security and energy conservation.
Features

The function of RF resource scheduling applies to wireless access in a fixed period. For example, the wireless access in
the teaching building of a university is only provided during the class hours of the day; the WLAN for visitors in an office
building is only enabled during the work hours on weekdays.

RF resource scheduling works to:

 Reduce network traffic, save limited network resources, and prevent waste and abuse;
 Reduce RF interference, save power, and protect the environment;
 Reduce security exposure by disabling the access service during “risky” hours.

RF resource scheduling can not only disable the RF of an AP but also disable specifically one or more
WLANs to achieve more accurate control.

Working Principles

First, configure a schedule session, including the scheduling cycle and time. For example, configure a schedule session to
disable wireless access at 9pm on weekdays and enable it at 6am the next morning.

In the fit AP mode, apply the schedule session to an AC based on an AP, AP group or WLAN. For example, for the above
schedule session,

 If the schedule session is applied to a single AP, the AP will disable RF at 9pm every weekday and enable the RF at
6am in the next morning;
 If the schedule session is applied to an AP group, all the APs in this group will disable RF at 9pm every weekday and
enable the RF at 6am in the next morning;
 If the schedule session is applied to a WLAN, all the APs in all the AP groups that provide such WLAN access
service will disable the RF at 9pm every weekday and enable the RF at 6am in the next morning.

In the fat AP mode, apply a schedule session globally or based on a WLAN. For example, for the above schedule session,

 If the schedule session is applied globally, the AP will disable RF at 9pm every weekday and enable the RF at 6am in
the next morning;
 If the schedule session is applied to a WLAN, the AP will disable the WLAN at 9pm every weekday and enable the
WLAN at 6am in the next morning.

If more than one schedule session applies to an RF or WLAN, conflicts are resolved in favor of disabling:
as long as any schedule session requires the RF or WLAN to be disabled, it is disabled;
the RF or WLAN is enabled only when all the schedule sessions allow it to be enabled.
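The scheduling semantics described in this section, including the overnight windows and the "any session that disables wins" conflict rule, carried through in Python as an added example (illustration code written for this guide, not Ruijie's implementation). It evaluates whether a radio or WLAN is enabled at a given instant under several schedule sessions, using the sessions from this chapter's examples. Assumptions not stated by the guide: the day range of a period is inclusive and wraps past Sunday (so "sat to sun" is the weekend and "sun to sat" is every day), and an end time not later than the start time means the window runs into the next morning.

```python
# Added example: evaluating RF resource schedule sessions. Not Ruijie code.
# Each session disables the RF/WLAN from hh1:mm1 on every day of its period
# until hh2:mm2 (the next morning when the end time is not later than the
# start). With several sessions, any session requiring "disabled" wins.
# Assumed: the period's day range is inclusive and may wrap past Sunday.
from datetime import datetime, timedelta

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # same order as date.weekday()


def parse_when(when):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM' string."""
    return datetime.strptime(when, "%Y-%m-%d %H:%M") if isinstance(when, str) else when


class ScheduleSession:
    """One 'schedule session sid' with 'period day1 to day2' and 'time hh1:mm1 to hh2:mm2'."""

    def __init__(self, sid, day1, day2, start, end):
        self.sid = sid
        self.day1, self.day2 = day1.lower(), day2.lower()
        self.start = datetime.strptime(start, "%H:%M").time()
        self.end = datetime.strptime(end, "%H:%M").time()

    def days(self):
        """Days covered by the period, wrapping past Sunday when day1 is after day2."""
        i, j = DAYS.index(self.day1), DAYS.index(self.day2)
        return DAYS[i:j + 1] if i <= j else DAYS[i:] + DAYS[:j + 1]

    def disables(self, when):
        """True if 'when' lies inside one of this session's disable windows.
        A window may have started the previous day, so both days are checked."""
        when = parse_when(when)
        for back in (0, 1):
            day = (when - timedelta(days=back)).date()
            if DAYS[day.weekday()] not in self.days():
                continue
            window_start = datetime.combine(day, self.start)
            window_end = datetime.combine(day, self.end)
            if self.end <= self.start:          # window crosses midnight
                window_end += timedelta(days=1)
            if window_start <= when < window_end:
                return True
        return False


def evaluate(sessions, when):
    """Conflict rule from the guide: enabled only if no session requires disabled.
    Returns (enabled, ids of the sessions that currently require disabled)."""
    when = parse_when(when)
    blocking = [s.sid for s in sessions if s.disables(when)]
    return (not blocking, blocking)


if __name__ == "__main__":
    # The guide's own examples: weekday nights 21:30-6:00 and weekends 21:00-9:00.
    sessions = [ScheduleSession(1, "mon", "fri", "21:30", "6:00"),
                ScheduleSession(2, "sat", "sun", "21:00", "9:00")]
    for when in ("2012-05-28 19:31", "2012-05-28 22:00",
                 "2012-05-29 05:30", "2012-06-02 22:00"):
        enabled, blocking = evaluate(sessions, when)
        print(when, "RF enabled" if enabled else "RF disabled by session(s) %s" % blocking)
```

Note that Tuesday 05:30 is disabled even though Tuesday itself has not reached 21:30: Monday's window is still open, which is why the check looks back one day. A Saturday evening is disabled by the weekend session alone, while the weekday session does not apply.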

Protocols and Standards


None

Default Configuration

The default settings of RF resource scheduling are described in the table below.

Feature Default Setting
Schedule session None
Schedule session time None
Schedule session of an AP None
Schedule session of an AP group None
Schedule session of a WLAN None

Configuration

Configuring schedule session

Command Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# schedule session sid Creates a schedule session.
sid is the ID of the schedule session to be created. The range is from 1 to 8 for a fat AP.

Ruijie(config)# schedule session sid time-range n period day1 [ to day2 ] time hh1:mm1 to hh2:mm2
Configures the schedule time of a schedule session.
sid is the ID of the schedule session to be configured. The range is from 1 to 8 for a fat AP.
n: Specifies the schedule session time-range ID, in the range from 1 to 8.
day1: Specifies the start day of the schedule session time range. Select a value from { sun | mon | tue | wed | thu | fri |
sat }.
to day2: Specifies the end day of the schedule session time range. By default, the time range covers one day.
time hh1:mm1 to hh2:mm2: Specifies the start and end time. hh1:mm1 indicates the start hour and minute; hh2:mm2
indicates the end hour and minute. The hour value is in the range from 0 to 23 and the minute value is in the range from 0
to 59.

Configuration Example:

# Create session 1 and specify the period as from 9:30pm every weekday to 6:00 am in the next morning.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# schedule session 1
Ruijie(config)# schedule session 1 period mon to fri
Ruijie(config)# schedule session 1 time 21:30 to 6:00

Applying schedule session on WLAN in the fit AP architecture


Command Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# wlan-config wid Enters WLAN configuration mode.
wid is the ID of the WLAN to be configured.

Ruijie(config-wlan)# schedule session sid Applies the schedule session to the WLAN, provided the schedule session
has been created.
sid is the ID of the schedule session to be created or to be applied to a WLAN. The range is from 1 to 64 for an AC.

By default, no schedule session is applied to a WLAN. Use the no form of this command to remove the configuration.

Example:

# Apply schedule session 1 which has been created to the specified WLAN.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# wlan-config 1
Ruijie(config-wlan)# schedule session 1

Applying schedule session on WLAN in the fat AP architecture


Command Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# schedule session sid Applies the schedule session to the radio of the AP, provided the schedule session
has been created.
sid is the ID of the schedule session to be created or to be applied to a WLAN. The range is from 1 to 8 for a fat AP.

Configuration Example:

# Apply schedule session 1 to WLAN 2 provided both schedule session 1 and WLAN 2 have been created.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config-ap)# schedule session 1 wlan 2
Monitoring

Command Function

Ruijie# show schedule session [ sid ] Displays the configuration of the current schedule session.
sid is the specified session ID, which ranges from 1 to 64.

The configuration about all scheduling sessions is displayed by default.

Configuration Example:

# Show configuration of the current schedule session.

Ruijie(config)#show schedule session 1
Schedule session [1]:
Schedule period ............................... Mon to Fri
Schedule time ................................. 21:30 to 6:00

Configuration Examples

Networking Requirements

 AP1 and AP2 are dual-band APs, each with two radios; AP3 is a single-band AP with only one radio;
 AP1 and AP2 belong to the same AP group “apg1” and are required to be disabled at 11pm every night and enabled
at 7am in the next morning.
 AP3 is required to be disabled at 9pm every weekend and enabled at 9am in the next morning;
 WLAN 1 is configured on the AC, with the same scheduling requirements as for the AP group “apg1”.

Networking Topology

Figure 2 Network Topology


Configuration Steps

Configure a schedule session

# schedule session of the AP group “apg1” and wlan1

Ruijie(config)# schedule session 1
// from Sunday to Saturday means every day
Ruijie(config)# schedule session 1 period sun to sat
Ruijie(config)# schedule session 1 time 23:00 to 7:00

# schedule session of AP3

Ruijie(config)# schedule session 2
// from Saturday to Sunday means only weekends
Ruijie(config)# schedule session 2 period sat to sun
Ruijie(config)# schedule session 2 time 21:00 to 9:00

Apply the schedule session of the AP group “apg1”

Ruijie(config)# ap-group apg1
// the members of the AP group have 2 radios
Ruijie(config-ap-group)# schedule session 1 radio 1
Ruijie(config-ap-group)# schedule session 1 radio 2
Ruijie(config-ap-group)# exit

Apply the schedule session of AP3

Ruijie(config)#ap-config AP3
Ruijie(config-ap)# schedule session 2 radio 1
Ruijie(config-ap)# exit

Apply the schedule session of wlan1

Ruijie(config)# wlan-config 1
Ruijie(config-wlan)# schedule session 1
Ruijie(config-wlan)# exit

Verification

Ruijie# show schedule session
Schedule session [1]:
Schedule period ............................... Sun to Sat
Schedule time ................................. 23:00 to 7:00
Schedule session [2]:
Schedule period ............................... Sat to Sun
Schedule time ................................. 21:00 to 9:00
Ruijie# show running-config
……
link-check enable
……
wlan-config 1 <NULL> wlan1
……
schedule session 1
……
ap-group apg1
……
schedule session 1 radio 1
schedule session 1 radio 2
……
ap-config AP3
……
schedule session 2 radio
Configuration Guide Configuring Band Select

Configuring Band Select

 The band select function is not supported on the following AP products: AP110-W, AP220-I V1.x, AP220-SI V1.x,
AP220-E V2.x, AP220-SH V2.0, AP220-SH(C) V3.0, AP220-E(M) V2.x, AP620-H(C) V2.x, AP220-E(C) V3.0,
AP220-SH(C) V2.99 or AP220-E(C) V2.99.

Overview

The major communication band of IEEE 802.11 is divided into two parts:

 2.4 GHz (2.4 to 2.4835 GHz), where the 802.11b/g/n band is located;

 5 GHz (5.15 to 5.35 and 5.725 to 5.825 GHz), where the 802.11a/n band is located.

With the popularity of WLAN, there are more and more wireless users, many of whom use dual-band STAs that support
both the 2.4 G band and the 5 G band. However, 802.11b/g is far more widespread than 802.11a, so most dual-band STAs
end up on the 2.4 G band, leaving the 2.4 G band crowded and the 5 G band wasted. In fact, the 5 G band has a higher
access capacity: the 2.4 G band provides at most three non-overlapping communication channels, whereas the 5 G band
provides more, five in China and up to 24 in North America.

Band Select uses technical means to guide dual-band STAs to the 5 G band, which has the higher access capacity, so as
to relieve the pressure on the 2.4 G band and enhance the user experience.

Features

The Process of STA Detecting WLAN

First, an STA sends probe frames (broadcast) on all the communication channels of all the bands it supports. A probe
frame contains information such as the wireless access rates the STA supports. When an AP that provides WLAN access
service receives the probe frame, it sends a probe response carrying information about the WLANs it provides. The STA
usually aggregates all the responses it receives and presents a list of accessible WLANs to the user, who then chooses
which WLAN to access.

The following figure shows the process of an STA detecting the accessible WLANs provided by a dual-band AP. After the
process is finished, the STA detects two BSSIDs on two bands belonging to the same WLAN, but the user cannot tell them
apart because their SSIDs are the same. If the user selects this WLAN, the choice between the two bands depends on the
user's wireless driver and is beyond the control of both the user and the AP.

Figure 1-1 The Process of Dual-band STA Detecting WLAN


How to determine whether a network card supports dual-band? The description of a wireless network card generally
contains letters such as a, b, g and n, which indicate the 802.11 protocol types the card supports. 802.11a operates in the
5 G band; 802.11b/g operate in the 2.4 G band; 802.11n can operate in both the 5 G band and the 2.4 G band. Therefore,
if the description of the network card contains both a and b or g, the card supports both bands.

Working Principles

Band Select works as follows: the AP changes its behavior during the STA's WLAN discovery process so as to guide the
STA to select the 5 G band. As shown in the figure below, compared with Figure 1-1 "The Process of Dual-band STA
Detecting WLAN", the probe response on the 2.4 G band is no longer sent.

Figure 1-2 Band Select Principle


Recognition of STAs by the Dual-band AP

To guide the access of a dual-band STA, the first step is to identify whether the STA is dual-band.

The dual-band AP identifies the STA by the conditions below:

 If the STA's probe request is received on both the 2.4 G band and the 5 G band, it is a dual-band STA;
 If the STA's probe request is received only on the 2.4 G band, it is a single-band 2.4 G STA;
 If the STA's probe request is received only on the 5 G band, it is a single-band 5 G STA.

Recognizing a single-band STA therefore takes more time, because the AP has to wait long enough to confirm that no probe
request arrives on the other band.

The STA information recognized by the AP has to be stored to provide the basis for the follow-up response strategy.
Because STA probe requests are broadcast frames, an AP generally receives a large number of them; storing them all is
unnecessary, since some STAs are too far away to ever associate with the local AP. Therefore Band Select stores only the
information of STAs that may associate, and the selection criterion is the STA's RSSI (Received Signal Strength
Indication), whose threshold is configurable. See "Configuring the Acceptable Lower Limit of STA RSSI".

AP Behaviors after Adding Band Select Features

Before recognizing the STA:

 Probe requests on the 2.4 G band are not responded to;
 Probe requests on the 5 G band are responded to normally.

After recognizing STA:


 Single-band 2.4 G STA: delayed response; the AP receives more than one probe request before it sends a response,
so that access is still guaranteed;
 Single-band 5 G STA: normal response, and normal access is guaranteed;
 Dual-band STA: the AP does not respond to its probe requests on the 2.4 G band but does respond on the 5 G band,
guiding the STA to access the WLAN on the 5 G band.

Once recognized, STAs fall into two categories for Band Select: single-band 2.4 G STAs become "suppression STAs" while
dual-band STAs are called "dual-band STAs"; Band Select has no need to distinguish single-band 5 G STAs from dual-band
STAs, so both are placed in the latter category.

The information about these two categories of recognized STAs is stored, but the user may switch the STA's band manually,
so the stored information can become out of date. Therefore all of this information is aged.

The introduction of distinguishing services of Band Select can guide dual-band users to use the 5 G band with higher
access capacity, thereby, increasing the service quality of the entire WLAN.

The Band Select can only work on dual-band APs; it is meaningless to use it on single-band APs.

Side Effects of Band Select

Because an AP does not respond to probe requests on the 2.4 G band before it recognizes the STA, a single-band 2.4 G STA
cannot detect the WLAN until it has been recognized by the AP. This period of time is 20 seconds, which means that a
single-band 2.4 G STA may not detect the accessible WLAN within 20 seconds.

Assuming that refreshing the WLAN list takes 7 seconds, in the worst case the user of a single-band 2.4 G STA does not see
the accessible WLAN until the third refresh of the WLAN list; generally, if the first refresh does not show the WLAN, the
user will see it on the second refresh.
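The following Python model is an added illustration of the recognition, suppression and aging behavior described in "Working Principles", "AP Behaviors after Adding Band Select Features" and "Side Effects of Band Select"; it is not Ruijie code and does not reproduce the AP's actual implementation. It uses the defaults from the default-configuration table (acceptable RSSI -80 dBm, probe count 2, dual-band aging 60 s, suppression aging 20 s). The record layout, the MAC addresses and the rule that a STA heard only on 2.4 G counts as recognized once the probe count is reached are assumptions made for the example; the counters mirror the "added" and "expired" fields of show band-select statistics.

```python
from dataclasses import dataclass, field

# Defaults as listed in the Band Select default-configuration table of this chapter.
ACCEPTABLE_RSSI_DBM = -80    # probes weaker than this are not recorded at all
PROBE_COUNT = 2              # 2.4 G probes a single-band STA must send before the AP answers
AGE_OUT_DUAL_BAND_S = 60     # lifetime of a dual-band STA record
AGE_OUT_SUPPRESSION_S = 20   # lifetime of a suppression (single-band 2.4 G) STA record

BAND_2G = "2.4G"
BAND_5G = "5G"


@dataclass
class StaRecord:
    """What the AP remembers about one STA, keyed by its MAC address (hypothetical layout)."""
    bands_seen: set = field(default_factory=set)
    probes_2g: int = 0        # 2.4 G probe requests heard so far
    last_seen: float = 0.0    # time of the latest probe request, used for aging
    counted: bool = False     # already counted in the "added" statistics


class BandSelectAp:
    """Hypothetical model of a dual-band AP with Band Select enabled."""

    def __init__(self, rssi_threshold=ACCEPTABLE_RSSI_DBM, probe_count=PROBE_COUNT,
                 age_dual=AGE_OUT_DUAL_BAND_S, age_supp=AGE_OUT_SUPPRESSION_S):
        self.rssi_threshold = rssi_threshold
        self.probe_count = probe_count
        self.age_dual = age_dual
        self.age_supp = age_supp
        self.records = {}
        # Mirrors the "added" / "expired" counters of show band-select statistics.
        self.stats = {"dual_band_added": 0, "dual_band_expired": 0,
                      "suppressed_added": 0, "suppressed_expired": 0}

    def classify(self, mac):
        """'dual-band' (also used for 5 G-only STAs), 'suppression' or 'unrecognized'."""
        rec = self.records.get(mac)
        if rec is None:
            return "unrecognized"
        if BAND_5G in rec.bands_seen:
            return "dual-band"
        if rec.probes_2g >= self.probe_count:
            return "suppression"   # heard only on 2.4 G and the probe count is reached
        return "unrecognized"

    def handle_probe(self, mac, band, rssi_dbm, now):
        """Process one probe request; return True if the AP sends a probe response."""
        if rssi_dbm < self.rssi_threshold:
            # Too far away to associate: not stored, handled like an unrecognized STA.
            return band == BAND_5G
        rec = self.records.setdefault(mac, StaRecord())
        rec.bands_seen.add(band)
        rec.last_seen = now
        if band == BAND_2G:
            rec.probes_2g += 1
        cls = self.classify(mac)
        if cls != "unrecognized" and not rec.counted:
            rec.counted = True
            self.stats["dual_band_added" if cls == "dual-band" else "suppressed_added"] += 1
        if band == BAND_5G:
            return True            # 5 G probe requests are always answered
        # On 2.4 G only a recognized single-band STA gets its (delayed) answer;
        # unrecognized and dual-band STAs get no 2.4 G response.
        return cls == "suppression"

    def age_out(self, now):
        """One aging scan (run every scan-cycle period); returns the number of records removed."""
        expired = []
        for mac, rec in self.records.items():
            limit = self.age_dual if BAND_5G in rec.bands_seen else self.age_supp
            if now - rec.last_seen > limit:
                expired.append((mac, self.classify(mac)))
        for mac, cls in expired:
            del self.records[mac]
            if cls == "dual-band":
                self.stats["dual_band_expired"] += 1
            elif cls == "suppression":
                self.stats["suppressed_expired"] += 1
        return len(expired)


def demo():
    """Constructed probe sequence: a dual-band STA, a single-band 2.4 G STA and a distant STA."""
    ap = BandSelectAp()
    dual, single, weak = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    r = {}
    r["dual_2g"] = ap.handle_probe(dual, BAND_2G, -55, 0.0)       # not answered
    r["dual_5g"] = ap.handle_probe(dual, BAND_5G, -60, 0.1)       # answered: steered to 5 G
    r["single_1st"] = ap.handle_probe(single, BAND_2G, -65, 0.5)  # suppressed (1 < probe count)
    r["single_2nd"] = ap.handle_probe(single, BAND_2G, -65, 3.5)  # answered (probe count reached)
    r["weak"] = ap.handle_probe(weak, BAND_2G, -90, 4.0)          # below -80 dBm: not stored
    r["classes"] = (ap.classify(dual), ap.classify(single), ap.classify(weak))
    r["expired_at_29s"] = ap.age_out(29.0)   # suppression record (20 s) gone, dual-band (60 s) kept
    r["expired_at_70s"] = ap.age_out(70.0)   # dual-band record gone as well
    r["stats"] = dict(ap.stats)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() walks through the side effect discussed above: the single-band 2.4 G STA receives no answer to its first probe request and is only answered once the probe count is reached, while the dual-band STA is answered on 5 G only. Tuning probe_count or the two aging values in the constructor shows how the configuration commands in the following sections change that behavior.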

Protocols and Standards

None.

Default Configuration

The default configuration of the Band Select is described in the chart below.

Feature                                              Default Setting
Band Select function                                 Disabled
The acceptable lower limit of the STA RSSI           -80 dBm
The probe count of the suppression STA               2
The cycle of the STA information aging scan          500 milliseconds
The aging time of the dual-band STA information      60 seconds
The aging time of the suppression STA information    20 seconds
Configuration

Configuring the Band Select Enable


Use this command to enable spectrum navigation (Band Select) in WLAN configuration mode. Use the no form of this
command to restore the default setting.

Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select enable Enables the Band Select function.

This function is disabled by default. Enabling the spectrum navigation requires that:

1. WLAN is mapped to a dual-band AP.

2. WLAN is mapped to two radios of the dual-band AP.

If the scenario cannot meet the above requirements, it is recommended not to enable the spectrum navigation.

If the WLAN with the spectrum navigation enabled is mapped to a single-band 2.4GHz AP, the dual-band
STA within AP signal coverage cannot navigate to the 5GHz band.

Configuration Example:

The following example enables the Band Select function.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# band-select enable
Ruijie(config)# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 2
Scan Cycle Period Threshold (milliseconds)............... 500
Age Out Suppression (seconds)............................ 20
Age Out Dual Band (seconds).............................. 60
Acceptable Client RSSI (dBm)............................. -80

Configuring the Acceptable Lower Limit of STA RSSI


Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select acceptable-rssi value Configures the acceptable lower limit of STA RSSI.
value: the acceptable lower limit of STA RSSI, in the range
from -100 to -50, in dBm.

Ruijie(config)# no band-select acceptable-rssi Restores the default value of -80 dBm.

Configuration Example:

The following example sets the acceptable lower limit of STA RSSI as -70 dBm.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# band-select acceptable-rssi -70
Ruijie(config)# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 2
Scan Cycle Period Threshold (milliseconds)............... 500
Age Out Suppression (seconds)............................ 20
Age Out Dual Band (seconds).............................. 60
Acceptable Client RSSI (dBm)............................. -70

Information about STAs whose RSSI is below this threshold is not stored; the AP handles such STAs as it handles
STAs it has not yet recognized. See "AP Behaviors after Adding Band Select Features", behaviors before recognizing
the STA.

Configuring the Probe Count of the Suppression STA


Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select probe-count value Configures the probe count of the suppression STA.
value: the probe count of the suppression STA, in the range
from 1 to 10.
Ruijie(config)# no band-select probe-count Restores the default value of 2.

The probe count of the suppression STA applies only to the 2.4 G band. If it is configured as n, the AP does not send its
first response until it has received n probe requests from the same STA, thereby "suppressing" the STA's detection of the
WLAN.

Configuration Example:

The following example configures the probe count of the suppression STA as 5.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# band-select probe-count 5
Ruijie(config)# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 5
Scan Cycle Period Threshold (milliseconds)............... 500
Age Out Suppression (seconds)............................ 20
Age Out Dual Band (seconds).............................. 60
Acceptable Client RSSI (dBm)............................. -70

Configuring the Access-denial Count


Use this command to set the access-denial count in global configuration mode.

Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select access-denial value Sets the access-denial count.
value: the access-denial count, in the range from 0 to 10.
Ruijie(config)# no band-select access-denial Restores the default value of 0.

The value n indicates that the AP does not respond until it receives n consecutive link authentication requests from the
dual-band STA on the 2.4 GHz band.

This parameter can raise the rate at which dual-band STAs are navigated to the higher-frequency band, but it may make it
difficult for some dual-band STAs to access the network.

The following example sets the access-denial count to 4.

Ruijie(config)# band-select access-denial 4

Configuring the Cycle of the STA Information Aging Scan


Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select scan-cycle period Configures the cycle of the STA information aging scan.
period: the cycle of the STA information aging scan, in the
range from 1 to 1000, in milliseconds.
Ruijie(config)# no band-select scan-cycle Restores the default value of 500.

The cycle of the STA information aging scan specifies how often the STA information is checked to determine whether it
should be aged. The two aging times described in "Configuring the Aging Time of STA Information" are the criteria for
deciding whether the information of a STA should be aged.
The smaller this value, the more frequently the STA information is scanned and the more promptly it is aged, but
correspondingly the more system resources are consumed. When the network is busy, a larger value is recommended so
that fewer system resources are used.

Configuration Example:

The following example configures the cycle of the STA information aging scan as 400 milliseconds.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# band-select scan-cycle 400
Ruijie(config)# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 5
Scan Cycle Period Threshold (milliseconds)............... 400
Age Out Suppression (seconds)............................ 20
Age Out Dual Band (seconds).............................. 60
Acceptable Client RSSI (dBm)............................. -70

Configuring the Aging Time of STA Information


Use this command to configure the aging cycle of STA information in global configuration mode. Use the no form of this
command to restore the default setting.

Commands Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# band-select age-out { dual-band value | suppression value } Configures the aging cycle of STA information.
dual-band value: the aging cycle of dual-band STA
information, in the range from 20 to 120, in seconds.
suppression value: the aging cycle of suppressed STA
information, in the range from 10 to 60, in seconds.

The default aging cycle of dual-band STA information is 60 seconds. The default aging cycle of suppressed STA
information is 20 seconds.

The longer the lifetime of the dual-band STA information, the less sensitive the AP is to STA band switching. If the
wireless users' network cards often switch between the 2.4 GHz and 5 GHz bands, configure a smaller value; otherwise,
configure a larger value.

It is recommended to configure the aging cycle of dual-band STA information as two to three times that of
suppressed STAs.

Configuration Example:

The following example sets the aging cycle of dual-band STA information to 120 seconds.

Ruijie(config)# band-select age-out dual-band 120

The following example sets the aging cycle of suppressed STA information to 60 seconds.

Ruijie(config)# band-select age-out suppression 60

Monitoring

Commands Function

Ruijie# show band-select configuration Displays the Band Select configuration.

Ruijie# show band-select statistics Displays the Band Select statistics.

Configuration Example:

The following example displays the Band Select configuration and the statistics.

Ruijie# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 5
Scan Cycle Period Threshold (milliseconds)............... 400
Age Out Suppression (seconds)............................ 30
Age Out Dual Band (seconds).............................. 120
Acceptable Client RSSI (dBm)............................. -70
Ruijie# show band-select statistics
Band Select Statistics
Number of dual band client............................... 4
Number of dual band client added......................... 132
Number of dual band client expired....................... 128
Number of suppressed client.............................. 6
Number of suppressed client added........................ 234
Number of suppressed client expired...................... 228
Number of dual band client is the current total number of recognized dual-band STAs; Number of dual band client added
is the cumulative number of dual-band STAs recognized since the AP started running (a STA that is recognized again
after its information has aged is counted again); Number of dual band client expired is the cumulative number of
dual-band STA records aged out since the AP started running, and is likewise counted repeatedly.
The suppressed client counters are defined in the same way as the dual-band client counters.

Configuration Examples

Network Requirements

The AP is a dual-band AP, so its two radios work on the 2.4 G band and the 5 G band respectively;

The same WLAN is configured on both of the AP's radios.

Networking Topology

Figure 3-1 The Band Select Network Topology

Configuration Steps

The following example enables the Band Select function.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# band-select enable

Verification

The following example displays the Band Select configuration.

Ruijie# show band-select configuration
Band Select Configuration
Band Select Enable....................................... Enable
Probe Cycle Count........................................ 2
Scan Cycle Period Threshold (milliseconds)............... 500
Age Out Suppression (seconds)............................ 20
Age Out Dual Band (seconds).............................. 60
Acceptable Client RSSI (dBm)............................. -80
Configuration Guide Configuring Smartant

Configuring Smartant

 The smart antenna function is supported only on AP320-I, AP330-I, AP630-H V1.0 and AP520-I at present.

Overview

Antennas are passive devices that fall into the categories of omni-directional antennas and directional antennas according
to the radiation lobe. An omni-directional antenna covers a broad area over a relatively short distance, while a directional
antenna covers limited areas over a long distance. To cover all directions over a long distance, the smartant (SA) is
introduced.

The following section analyzes the disadvantages of omni-directional antennas and directional antennas.

Figure 1-1 Omni-directional Antenna Coverage

As shown in Figure 1-1, although an omni-directional antenna covers both clients, the AP exchanges packets with only
one client at a time. When the AP provides effective coverage for Client A, the rest of the radiated signal is ineffective
and wasted. If the wasted energy were directed into the effective coverage area, the signal intensity and transmission
bandwidth could be increased.

Figure 1-2 Directional Antenna Coverage


As shown in Figure 1-2, although a directional antenna focuses the energy so that the signal intensity within the coverage
area is higher, the coverage angle is small and many areas fall outside the signal coverage. If the signal could be directed
to other clients while Client A is idle, coverage effectiveness and user access capacity would increase greatly.

When the AP is communicating with a client, a smart antenna automatically adjusts itself like a directional antenna and
focuses the energy beam on that client. The client obtains a stronger signal and other clients are not disturbed. Smartants
were invented to achieve this effect.

Technically, an SA modulates its coverage to the intended area through beam switching and adaptive array.

 Beam switching antenna

A beam switching antenna consists of multiple narrow-beam antennas. The angle of each antenna is small, so the
transmission gain is large and the antenna covers a long distance. Only one of the narrow-beam antennas serves a given
user at a time. When the user changes or the user's location shifts, the smartant system disables the previous narrow-beam
antenna and enables another one pointing in the correct direction. The number of directions a beam switching antenna
offers equals the number of its narrow-beam antennas, so the available directions and their precision are limited by the
hardware design. However, the beam switching antenna has engineering advantages: a multi-beam SA is relatively easy
to configure, and when the speed of digital signal processors (DSPs) cannot meet adaptive calculation requirements, a
multi-beam SA achieves a good cost-performance ratio. Therefore, the multi-beam SA is applied in some projects.

 Adaptive array antenna

Multiple antennas form an array and the different combinations of antennas form different radiation lobes. These
virtualized antennas of various directions, angles, and gains adapt to different working environments for users in different
locations and avoid unnecessary interference. An adaptive array antenna analyzes the working environment and senses
the location of users. By the processing of the internal chip, the system calculates the optimal antenna combination to
meet coverage requirements. Wireless access devices can easily adapt to all kinds of indoor environments and enlarge
the coverage area to stabilize the network through different antenna combinations and radiation lobes.

Smartant Characteristics

Obstacles in the transmission path cause wireless signal attenuation. Signals that meet obstacles are reflected or refracted,
which shifts the signal phase. Signal attenuation varies with the type of obstacle, as shown in Table 1-1. The major
obstacles in dormitories are concrete walls and wooden walls. The coverage distance of an indoor AP is 50 meters, which
decreases to 5 meters when the signal passes through a concrete wall and to 15 meters when it passes through a wooden
wall.

Table 1-1 Obstacle-Induced Signal Attenuation

Obstacle                Attenuation (dB)
Bearing wall            20-30 dB
Wooden wall (5-10 cm)   5-6 dB
Concrete wall           10-12 dB
Glass window            3 dB
Ceiling (solid)         15-20 dB
Ceiling (thick)         20-25 dB

SA research focuses on how to bypass obstacles or exploit reflection from the surfaces of obstacles. An SA shapes the
signal so that it becomes more concentrated, as shown in the following figure. Traditional APs cannot analyze direction;
they cover the surrounding area with equal signal strength, and the signal is attenuated by 20-30 dB when it travels
through a bearing wall. A smartant AP, however, finds the transmission path with the least signal attenuation, so that with
the same transmit power in the same location the signal sent by an SA AP is 20-30 dB stronger than that of a traditional
AP. The performance difference may be several times or even more.

Working Principle

The AP samples downlink packets to find the optimal transmission path, avoiding interference and obstacles.

Protocol Specification

N/A

Default Configuration

The following table describes the default configuration of the smartant.

Function                 Default Value
Smartant function        Disabled

Configuration

Enabling Smartant
Command Function

Ruijie# config terminal Enters global configuration mode.

Ruijie(config)# ap-config apname Enters AP configuration mode.

Ruijie(config-ap)# smartant enable Enables the SA of the specified radio on the specified AP.

Example:

# Enable the smartant function.

Ruijie(config-if-Dot11radio 2/0)# smartant enable

Configuration Examples

Networking Requirements
The RG-AP320 and AP330 support the smartant function.

Networking Topology
Figure 1 Smartant Networking Topology

Configuration Steps
# Enable the smartant function.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ap-config apname
Ruijie(config-ap)# smartant enable radio 1
Verification
AC5302_7#sh ap-config running
!
ap-config ap320
smartant enable radio 1
long-retries 3 radio 1
long-retries 3 radio 2
short-retries 6 radio 1
short-retries 6 radio 2
rts-retry 2 radio 1
rts-retry 2 radio 2
Configuration Guide Configuring Spectral Analysis

Configuring Spectral Analysis

 The FSS function is supported only on the following AP products: AP120-W, AP220-E(P), AP220-E(C) V4.0, AP3220
V1.00, AP220-SH V1.0, AP220-SH V1.1, AP330-I V1.00, AP330 V1.1, AP630-H V1.0 and AP520-I.

Overview

A spectral analyzer (SA) is an instrument that analyzes and studies signals in the frequency domain and is indispensable
for signal analysis. SAs are widely applied in areas such as communication transmitters, and are also used to measure
interference signals, monitor frequency bands and analyze device characteristics. Different industries and departments
focus on different applications of the spectral analyzer. For example, a cable TV signal contains many image and sound
signals with a complicated frequency-domain distribution; another example is the many channels obtained by satellite
monitoring, each of which occupies part of the spectrum with a certain bandwidth around each frequency point. The
required parameters of all these signals are obtained with an SA.

WLAN mainly works in the unlicensed 2.4 G and 5 G frequency bands, which anyone may use. At present, most interference
signals, such as Bluetooth, microwave ovens, cordless phones and wireless mice, are in the 2.4 G band. A dedicated wireless
network requires a stable and reliable physical link as the basis for data transmission. However, a Wi-Fi network can hardly
meet this requirement, because it has to share the 2.4 G and 5 G bands with various potential sources of interference.
When an 802.11 client or AP encounters an interference source during data transmission, the interference causes data loss
and forces Wi-Fi retransmissions, leading to degraded network performance and a worse experience for all users sharing
the same AP. Sometimes a WLAN fault is caused by an RF interference source that does not emit valid 802.11a/b/g
signals at all. The most common RF interference sources include microwave ovens, cordless phones and Bluetooth devices.
Therefore it is important to analyze RF signals, and the spectral analyzer is an effective tool for detecting them.

Features

At present, most signals are classified as broadband or narrowband. No document or organization gives a rigorous
definition of broadband and narrowband signals; it is generally accepted that the two are relative concepts, and signals
that do not meet the narrowband conditions are called broadband signals. Several definitions of narrowband signals exist
at present. In general, a narrowband signal is one whose bandwidth is very small compared with its carrier frequency.

Compared with WLAN signals, most interference signals, such as those of microwave ovens, Bluetooth devices and cordless
phones, are narrowband signals. Therefore the interference source can be identified through narrowband signal analysis.

Working Principle

Ruijie wireless access points (APs) contain the basic hardware of a miniature spectral analyzer covering the 2.4 GHz and
5 GHz frequency ranges of 802.11a/b/g.

The wireless transceiver in the AP detects RF signals and passes the data to the spectral analyzer engine. The spectral
analyzer engine receives the data, performs a Fast Fourier Transform (FFT), and sends spectral information, including
basic information such as the power of the RF spectrum and monopulse-related information, to the controller. The
controller formats the received data and sends it to the classification engine. The classification engine identifies
interference signals by analyzing specific features and then displays them on the terminal.
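The following Python block is an added illustration of the pipeline just described (transform the captured samples, then classify what stands out) together with the narrowband versus broadband distinction from "Features". It is not Ruijie's spectral analyzer or classification engine. The captures are constructed, the 20 MHz channel with 128 transform bins, the 20 dB margin above the channel floor and the 10 % narrowband threshold are assumptions chosen for the example, and the plain DFT stands in for the AP's FFT hardware.

```python
import cmath
import math
import random

# Constructed parameters: one 20 MHz channel captured at complex baseband (assumption).
SAMPLE_RATE_MHZ = 20.0
N = 128                                   # transform length
BIN_WIDTH_MHZ = SAMPLE_RATE_MHZ / N       # 0.15625 MHz per bin


def make_capture(tones, seed=7):
    """Constructed capture: unit-power noise-like (WLAN-style) signal plus (bin, amplitude) tones."""
    rng = random.Random(seed)
    samples = []
    for i in range(N):
        x = complex(rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)) / math.sqrt(2)
        for k, amp in tones:
            # A tone centred exactly on bin k occupies that single bin after the transform.
            x += amp * cmath.exp(2j * math.pi * k * i / N)
        samples.append(x)
    return samples


def power_spectrum_db(samples):
    """Per-bin power in dB from a plain DFT (stands in for the AP's FFT engine)."""
    n = len(samples)
    spectrum = []
    for k in range(n):
        acc = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(samples))
        spectrum.append(10 * math.log10(abs(acc) ** 2 / n + 1e-12))
    return spectrum


def classify_interference(spectrum, margin_db=20.0, narrowband_fraction=0.1):
    """Label energy that stands out above the channel floor by the bandwidth it occupies.

    Returns (label, occupied_bandwidth_mhz). The median bin is taken as the floor set by
    the broadband WLAN signal itself; bins more than margin_db above it belong to an
    interferer. Few hot bins means a narrowband source, many means a broadband one.
    """
    floor_db = sorted(spectrum)[len(spectrum) // 2]
    hot_bins = [k for k, p in enumerate(spectrum) if p > floor_db + margin_db]
    occupied_mhz = len(hot_bins) * BIN_WIDTH_MHZ
    if not hot_bins:
        return "no interferer above floor", occupied_mhz
    if len(hot_bins) / len(spectrum) <= narrowband_fraction:
        return "narrowband interferer", occupied_mhz
    return "broadband interferer", occupied_mhz


def demo():
    """Three constructed captures: a clean channel, one continuous-wave tone, a wide block of energy."""
    clean = classify_interference(power_spectrum_db(make_capture([])))
    cw = classify_interference(power_spectrum_db(make_capture([(37, 3.0)])))
    wide = classify_interference(power_spectrum_db(make_capture([(k, 3.0) for k in range(20, 81)])))
    return {"clean": clean, "cw": cw, "wide": wide}


if __name__ == "__main__":
    for name, (label, bw) in demo().items():
        print(f"{name}: {label} ({bw:.3f} MHz occupied)")
```

The single tone at bin 37 is the kind of narrowband signature the chapter attributes to sources such as continuous-wave emitters; the 61-bin block occupies almost half the channel and is reported as broadband, which is how a WLAN-like signal would appear. The classification in a real engine draws on more features than occupied bandwidth, but the bandwidth ratio is the narrowband criterion stated in "Features".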

Protocol Specification

N/A

Default Configuration

The following table shows default configurations of SA.

Function Default Settings


SA Disabled.

SA Configuration

Enabling SA
Use this command to enable the Spectral Analysis (SA) function on the AP. Use the no form of this command to restore
the default setting.

Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# spectral enable Enables spectral analysis on the AP.

 This command is only supported on AP220-SH v1.x, AP320-I, AP330-I, AP110-W, AP120-W, AP220-I v2.0,
AP220-E v5.0, AP520 and AP530 v2.X.

Configuration Example:

Enable SA.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# spectral enable

Configuring the Interference Recognition Accuracy of SA

Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# [ no ] spectral stability vbr num Configures the recognition accuracy of the video bridge,
in the range from 1 to 5. The default is 5.
Ruijie(config)# [ no ] spectral stability bth num Configures the recognition accuracy of the Bluetooth headset,
in the range from 1 to 4. The default is 1.
Ruijie(config)# [ no ] spectral stability bts num Configures the recognition accuracy of the Bluetooth voice,
in the range from 1 to 2. The default is 1.
Ruijie(config)# [ no ] spectral stability cph num Configures the recognition accuracy of the cordless phone,
in the range from 3 to 5. The default is 5.
Ruijie(config)# [ no ] spectral stability cwa num Configures the recognition accuracy of the continuous wave,
in the range from 4 to 10. The default is 8.
Ruijie(config)# [ no ] spectral stability mwo num Configures the recognition accuracy of the microwave,
in the range from 1 to 5. The default is 1.

 This command is only supported on AP220-SH v1.x, AP320-I, AP330-I, AP110-W, AP120-W, AP220-I v2.0,
AP220-E v5.0, AP520 and AP530 v2.X.

Configuration Example:

Set the recognition accuracy of the Bluetooth headset interference to 2.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# spectral stability bth 2

Configuring Scanning Cycle of SA


Use this command to configure the AP scanning cycle. Use the no form of this command to restore the default setting.

Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# [ no ] spectral period num Configures the scanning cycle, in the range from 1 to 100.
The default value is 5 microseconds.

 This command is only supported on AP220-SH v1.x, AP320-I, AP330-I, AP110-W, AP120-W, AP220-I v2.0,
AP220-E v5.0, AP520 and AP530 v2.X.

Configuration Example:

Configure the scanning cycle of SA.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# spectral period 10

Configuration Examples
Networking Requirements

AP refers to AP320 or AP330 supporting SA.

Networking Topology

Figure 1-1 SA Networking Topology

Configuration Steps

# Enable SA.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# spectral enable

Verification

AC5302_7#show ap-config running
ap-config ap320
spectral enable
Configuration Guide Configuring WLAN Location

Configuring WLAN Location

 The WLAN location function is not supported on AP110-W or AP120-W because of memory limitations.

Overview

The whole system of the WiFi-based standard solution adopts hardware based on the 802.11a/b/g standard. With no need for
additional hardware, enterprises can install the system rapidly, reducing initial costs and long-term support costs. A
WiFi-based location system also reduces the possibility of Radio Frequency (RF) interference. Because the whole WiFi
location system shares the network with other users, installing other independent wireless networks is unnecessary.
Ruijie integrated wireless location is a technology that uses WiFi-based Radio Frequency Identification (RFID) and devices
such as the transducer and the mobile unit (MU) to locate, track and monitor the location of a specified target. The AP
sends collected Tag or MU information to the location server for calculation. The location server sends the calculated
location information to the graphics software, from which users can view location information in many ways, such as maps,
tables and reports.

 Supports indoor and outdoor deployment.
 Supports two location algorithms: RSSI location and TDOA location.
 Accurate and reliable wireless RFID (MU and Tag).

Features

The location system is divided into three parts: the device or source to be located, the device receiving location
information and the location system.

 The device or source to be located: an AE-produced Tag (a portable RFID that is usually attached to or pasted on the
object to be located) or an MU, that is, any wireless terminal or device compliant with 802.11 technologies. These
devices share the feature of periodically sending wireless signals to their surroundings.
 The device receiving location information: Ruijie adopts the AP with standard 802.11 technologies or the
AE-produced Tag exciter (a device that triggers the Tag to send specified wireless signals and is not involved in
collecting location information).
 The location system: includes the location server, the AE calculation software and various graphics software.

Working Principle

TDOA location technology: Suppose the location system has two base stations (BSs) at known positions (known through a
built-in GPS module or another specialized system) with synchronized clocks (GPS clocks or other high-precision clocks),
and the distance between the two BSs is L. When the BSs receive radio signals from the same MU, the radio waves arrive at
different times unless the BSs are equally far from the MU, so the time difference of arrival can be measured. Because
radio waves travel at a known speed (the speed of light), the time difference yields D, the difference between the MU's
distances to the two BSs. With D known, the MU must lie on the hyperbola that has the two BSs as its foci and L/D as its
eccentricity. If a third BS can also receive signals from the MU, a second hyperbola is obtained, and the intersection of
the two hyperbolas in Figure 1-1 is the two-dimensional position of the MU. This technology is hyperbolic location based on
time difference of arrival.

Figure 1-1

Triangulation location technology using received signal strength indication (RSSI): The basic principle is to estimate d,
the distance from the MU to the BS, from the RSSI and the propagation model of the wireless channel between them. For
BS (i), the MU must be located on the circle with BS (i) as the center and distance d as the radius, so the MU position can
be identified using three or more BSs for distance calculation. The multipath effect in wireless signal transmission and
the shadow effect produced by signals passing through barriers are the main causes of location error. In open space with
no barriers, location precision can be ensured; in most environments, however, location precision is greatly affected by
the multipath effect and by uncertain factors caused by various barriers, such as attenuation and scattering.

Figure 1-2
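As an added example (not code from the Ruijie guide), the RSSI location principle described above carried through in Python: each BS's RSSI is converted to a distance with a log-distance path-loss model, and the MU position is solved by linear least squares over three or more BSs, with a residual that flags the multipath and shadowing error the text mentions. The reference RSSI at 1 m, the path-loss exponent, the BS coordinates and the MU position are constructed values.

```python
import math

# Constructed model parameters (assumptions, not values from the guide):
# RSSI measured at 1 m from a BS and the path-loss exponent n of the
# log-distance model RSSI(d) = RSSI_1m - 10 * n * log10(d).
RSSI_AT_1M_DBM = -40.0
PATH_LOSS_EXPONENT = 2.0   # about 2 in open space; larger indoors (walls, multipath)


def rssi_to_distance(rssi_dbm, rssi_at_1m=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Invert the log-distance path-loss model to estimate d (metres) from an RSSI."""
    return 10.0 ** ((rssi_at_1m - rssi_dbm) / (10.0 * n))


def distance_to_rssi(d, rssi_at_1m=RSSI_AT_1M_DBM, n=PATH_LOSS_EXPONENT):
    """Forward model; used here only to construct sample measurements."""
    return rssi_at_1m - 10.0 * n * math.log10(d)


def trilaterate(stations, distances):
    """Estimate the (x, y) position of an MU from its distances to >= 3 BSs.

    BS i constrains the MU to the circle (x - xi)^2 + (y - yi)^2 = di^2.
    Subtracting the first circle from every other one removes the quadratic
    terms and leaves a linear system in x and y, solved here in the
    least-squares sense via the 2x2 normal equations, so more than three
    BSs are accepted and over-determine the solution.
    """
    if len(stations) != len(distances) or len(stations) < 3:
        raise ValueError("need at least three base stations with distances")
    (x1, y1), d1 = stations[0], distances[0]
    rows = []
    for (xi, yi), di in zip(stations[1:], distances[1:]):
        a = 2.0 * (xi - x1)
        b = 2.0 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b, c))
    s_aa = sum(a * a for a, _, _ in rows)
    s_ab = sum(a * b for a, b, _ in rows)
    s_bb = sum(b * b for _, b, _ in rows)
    s_ac = sum(a * c for a, _, c in rows)
    s_bc = sum(b * c for _, b, c in rows)
    det = s_aa * s_bb - s_ab * s_ab
    if abs(det) < 1e-9:
        # Collinear BSs: the circles intersect in two mirror-image points.
        raise ValueError("base stations are collinear; position is ambiguous")
    x = (s_ac * s_bb - s_ab * s_bc) / det
    y = (s_aa * s_bc - s_ab * s_ac) / det
    return x, y


def locate_mu(stations, rssi_readings):
    """Full RSSI location: RSSI per BS -> distance per BS -> MU position."""
    distances = [rssi_to_distance(r) for r in rssi_readings]
    return trilaterate(stations, distances)


def residual(stations, distances, position):
    """RMS mismatch between the estimated ranges and the solved position;
    a large value indicates multipath/shadowing error in the RSSI readings."""
    x, y = position
    errs = [math.hypot(x - sx, y - sy) - d for (sx, sy), d in zip(stations, distances)]
    return math.sqrt(sum(e * e for e in errs) / len(errs))


if __name__ == "__main__":
    # Constructed scenario: four BSs at the corners of a 10 m square and an
    # MU at (3, 4); the RSSI readings are generated from the forward model.
    bs = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    true_mu = (3.0, 4.0)
    readings = [distance_to_rssi(math.hypot(true_mu[0] - x, true_mu[1] - y)) for x, y in bs]
    est = locate_mu(bs, readings)
    dists = [rssi_to_distance(r) for r in readings]
    print("estimated MU position: (%.2f, %.2f), residual %.3f m" % (est[0], est[1], residual(bs, dists, est)))
```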

Default Specification

The following table shows the default configuration of WLAN location.

Function Default Settings
WLAN Location Disabled.

Configuration

Enabling WLAN Location


Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation enable Enables WLAN location on the specified AP.

Configuration Example:

Enable WLAN Location.

Ruijie(config-wlocation)# wlocation enable

Configuring the IP Address of AE Server


Use this command to configure the IP address of the AE server connected with the specified AP. Use the no form of this
command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation ae-ip ip-address Configures the IP address of the AE server connected
with the specified AP.
ip-address: The IP address of the AE server.

This function is not configured by default.

Configuration Example:

Ruijie(config-wlocation)# wlocation ae-ip 1.1.1.1

Configuring the Port of the AE Server


Use this command to set the port number of the AE server connected with the specified AP. Use the no form of this
command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.

Ruijie(config-wlocation)# wlocation ae-port port Configures the port of AE server connected with the
specified AP.

The default is 12092.

Configuration Example:

Set the port number of the AE server.

Ruijie(config-wlocation)# wlocation ae-port 12093

Configuring Aggregate Transmission of Wireless Location Information


Use this command to enable the function of transmitting aggregate data of wireless location. Use the no form of this
command to disable this function.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation compound enable Enables aggregate transmission of wireless location
information on the specified AP.

This function is enabled by default.

Configuration Example:

Enable the function of transmitting aggregate data of wireless location.

Ruijie(config-wlocation)# wlocation compound enable

Enabling MU Location
Use this command to enable Mobile Unit (MU) wireless location on the specified AP. Use the no form of this command to
restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation mu enable Enables MU location on the specified AP.

This function is disabled by default.

Configuration Example:

Enable the MU location.

Ruijie(config-wlocation)# wlocation mu enable

Enabling TAG Location


Use this command to enable tag wireless location on the specified AP. Use the no form of this command to restore the
default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation tag enable Enables Tag location on the specified AP.

This function is disabled by default.

Configuration Example:

Enable Tag wireless location.

Ruijie(config-wlocation)# wlocation tag enable

Configuring the Frequency to Send MU Wireless Location Information


Use this command to set frequency of sending MU location packets on the specified AP. Use the no form of this
command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation send-mu-time interval Configures the frequency to send MU wireless location
information on the specified AP. The default value is 300 ms.
interval: Packet sending interval in the range from 100 to 5000, in milliseconds.

The default is 300 milliseconds.

Configuration Example:

Configure the frequency to send MU wireless location information.

Ruijie(config-wlocation)# wlocation send-mu-time 400

Configuring the Frequency to Send TAG Wireless Location Information


Use this command to set frequency to send tag location packets on the specified AP. Use the no form of this command to
restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation send-tag-time interval Configures the frequency to send TAG wireless location
information on the specified AP. The default value is 300 ms.
interval: Packet sending interval in the range from 100 to 5000, in milliseconds.

The default is 300 milliseconds.



Configuration Example:

Configure the frequency to send Tag wireless location information.

Ruijie(config-wlocation)# wlocation send-tag-time 400

Enabling AP to Send MU Location Report


Use this command to enable the specified AP to send the MU location report directly in Wlocation mode on the fat AP.
Use the no form of this command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)#wlocation mu report enable Enables the specified AP to send the MU location report
directly.

The function is disabled by default. It allows the MU location report to pass through the NAT network without the three-way
handshake.

The following example enables the AP to send the MU location report directly.

Ruijie(config-wlocation)# wlocation mu report enable

The following example disables the AP from sending the MU location report directly.

Ruijie(config-wlocation)# no wlocation mu report enable

Enabling AP to Send TAG Location Report


Use this command to enable the specified AP to send the TAG location report directly in Wlocation mode on the fat AP.
Use the no form of this command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)#wlocation tag report enable Enables the specified AP to send the TAG location report
directly.

This function is disabled by default. It allows the TAG location report to pass through the NAT network without the
three-way handshake.

The following example enables the AP to send the TAG location report directly.

Ruijie(config-wlocation)# wlocation tag report enable

The following example disables the AP from sending the TAG location report directly.

Ruijie(config-wlocation)# no wlocation tag report enable



Enabling Simplified MU Location Report Function


Use this command to enable the AP to send reduced MU location packets in Wlocation mode on the fat AP. Use the no
form of this command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)#wlocation mu report reduce enable Enables the AP to send reduced MU location packets.

This function is disabled by default. If the network is enabled with the wireless location function and the location server is a
Ruijie device, you can use this command to decrease the bandwidth.

The following example enables the AP to send reduced MU location packets.

Ruijie(config-wlocation)# wlocation mu report reduce enable

The following example disables the AP from sending reduced MU location packets.

Ruijie(config-wlocation)# no wlocation mu report reduce enable

Enabling AP to Filter Beacon Packets


Use this command to enable the AP to ignore beacon packets in Wlocation mode on the fat AP. Use the no form of this
command to restore the default setting.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)# wlocation Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)#wlocation ignore beacon enable Enables the AP to ignore beacon packets.

This function is disabled by default. Use this command to decrease the bandwidth consumed by beacon packets.

The following example enables the AP to ignore beacon packets.

Ruijie(config-wlocation)# wlocation ignore beacon enable

The following example disables the AP from ignoring beacon packets.

Ruijie(config-wlocation)# no wlocation ignore beacon enable

Configuration Examples

Networking Requirements

AP refers to AP320 or AP330 supporting WLAN location.

Networking Topology

Figure 1-3 WLAN Location Network Topology



Configuration Steps

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# wlocation
Ruijie(config-wlocation)# wlocation enable

This command is used to enable WLAN location.

Ruijie(config-wlocation)# wlocation ae-ip 1.1.1.1

This command is used to configure the IP address of the location server.

Ruijie(config-wlocation)# wlocation mu enable

This command is used to enable MU device location according to application requirement.

Ruijie(config-wlocation)# wlocation tag enable

This command is used to enable TAG location according to application requirement.

Verification

AC5302_7#sh ap-config running
ap-config ap320
wlocation enable
wlocation ae-ip 1.1.1.1
wlocation mu enable
wlocation tag enable
Configuration Guide Configuring Wireless LAN Security

RG-WLAN Series Access Point RGOS Configuration Guide, Release 11.1(5)B6

WLAN Security Configuration

1. Configuring Wireless LAN Security

2. Configuring WIDS

3. Configuring CPU Protection

4. Configuring NFPP

5. Configuring WAPI

Configuring Wireless LAN Security

Wireless LAN or WLAN security is a broad concept. This document focuses on WLAN security based on 802.11 Wired
Equivalent Privacy (WEP) and on the 802.11i standard.

Overview

WLAN security is an important component of a WLAN system. A wireless network uses the open medium of electromagnetic
waves as the carrier for transmitting data signals, and there is no cable connection between the two ends of the
communication. If the transmission link is not properly encrypted, the risk to transmitted data increases considerably.
Therefore, wireless security is especially important in a WLAN.

To enhance the security of wireless network, at least two security mechanisms shall be provided: authentication and
encryption.

 Authentication mechanism: The authentication mechanism allows verification of user identity, so that network
resources can only be used by restricted users (authorized users).

 Encryption mechanism: The encryption mechanism is used to encrypt the data transmitted on the wireless link, so
that such data can only be received and understood by anticipated users.

Basic Concepts

802.11i: new generation WLAN security standard -- an amendment to the original IEEE 802.11 in order to enhance its
weak encryption function. 802.11i proposes the concept of RSN (Robust Security Network), enhances the data encryption
and authentication performance of WLAN and makes various improvements in respect of the defects of WEP encryption
mechanism. The authentication scheme as suggested in 802.11i standard is based on 802.1X framework and Extensible
Authentication Protocol (EAP). The AES encryption algorithm is used for encryption operation.

RC4: In the field of cryptography, RC4 is one of the most widely applied stream encryption algorithms. It is a symmetric
algorithm.

IV: Initialization Vector, the public cryptographic keying material in the encryption header.

EAPOL-KEY (EAP over LAN key): AP and STA carry out handshake via EAPoL-key frames.

PMK (Pairwise Master Key): The ultimate source of all cipher key data between the Supplicant and the Authenticator. It
can be dynamically generated upon the negotiation between the supplicant and the authentication server, or be directly
provided by the pre-shared key (PSK).

PTK (Pairwise Transient Key): PTK is the key derived from Pairwise Master Key (PMK), and is used for encryption and
integrity verification.

GMK (Group Master Key): The key used by an authenticator to derive the group transient key (GTK), and is usually a
group of random numbers generated by the authenticator.

GTK (Group Transient Key): Derived from the group master key (GMK) through a cryptographic hash algorithm, and used to
protect broadcast and multicast data.

MIC (message integrity code): A hash value calculated over a set of protected data to guard against tampering.

Link Authentication

Link authentication refers to 802.11 authentication, which is a low-level authentication mechanism. It takes place earlier
than access authentication when STA and AP associate with 802.11. Before attempting to connect to the network, the
STA must be subject to 802.11 authentication, which can be considered as the starting point of the handshake process
before STA can be connected to network, as well as the first step of network connection.

IEEE 802.11 standard defines two link-level types of authentication:

 Open System Authentication

 Shared Key Authentication

Open System Authentication

Open System Authentication allows any user to access the wireless network. In this sense, no real protection is provided
(there is effectively no authentication): if the authentication type is set to open system authentication, all STAs
requesting authentication will pass.

Open system authentication consists of two steps:

Step 1: STA requests for authentication by sending the authentication request, which contains the STA ID (typically the
MAC address).

Step 2: AP sends out authentication response containing a success or failure message about the authentication. If the
authentication result indicates "success", then STA and AP will carry out two-way authentication.

Figure 1 Open System Authentication

Shared Key Authentication

Shared key authentication is another authentication mechanism other than the open system authentication. STA and AP
need to be configured with the same shared key. The process of shared key authentication is detailed below:

Step 1: STA sends an authentication request to AP;

Step 2: AP will randomly generate a Challenge packet (a character string) which is then sent to STA;

Step 3: STA will copy the character string received to the new message, which is encrypted with the key before being sent
to AP;

Step 4: Upon receipt of this message, AP decrypts the message with the key, and then compares the decrypted
character string with the character string previously sent to STA. If they are the same, STA owns the same shared key as
the wireless device and the shared key authentication succeeds. Otherwise, the shared key authentication fails.

Figure 2 Shared Key Authentication

Access Authentication

Access authentication is an enhanced WLAN network security solution. When STA is associated with AP, the availability of
the AP service depends on the result of access authentication. If the authentication is successful, the wireless AP opens
the logical port for STA. Otherwise, the user is not allowed to access the network.

Two types of access authentication will be introduced below:

 PSK access authentication

 802.1x access authentication

PSK Access Authentication

PSK (Pre-shared key) is a kind of 802.11i authentication that uses a preconfigured static key for authentication. In
PSK authentication, the same pre-shared key must be configured on both the wireless user and the wireless access device.
If the keys are the same, PSK access authentication succeeds; if they differ, PSK access authentication fails.

802.1x Access Authentication

IEEE 802.1X protocol is a port-based network access control protocol. This authentication method implements
authentication and control of user devices at the port level of WLAN access device. If the user device connected to the
interface can pass the authentication, then it can access WLAN resources. Otherwise, it will be unable to access WLAN
resources.

A wireless network with 802.1x authentication function must have the following three elements before completing
port-based access control user authentication and authorization:

Supplicant

Generally it is installed on the user's workstation. When the user needs to connect to the network, this client-side
software is activated. After the required user name and password are entered, the client-side software sends out the
access request.

Authenticator

Wireless AP or communication device acting as wireless AP in the wireless network. Its primary function is to complete
the upload and download of user authentication information, and open or close the port according to the authentication
result.

Authentication server

It checks the identification (user name and password) information sent from client side to verify whether the user is entitled
to use the services provided by the network system, and instructs the authentication system to open or close the port
according to the authentication result.

Wireless Encryption

Compared with wired network, the wireless network is exposed to greater data security risks. Since all WLAN devices
share the same transmission medium in the area, any device can receive the data sent to all other devices. This feature is
a direct threat to the security of WLAN access data. IEEE 802.11 provides three kinds of encryption algorithms: Wired
Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES-CCMP).

 WEP encryption

 TKIP encryption

 AES-CCMP encryption

WEP Encryption

WEP (Wired Equivalent Privacy) is the designated data encryption method applied in the former IEEE 802.11 standard.
As the basis of WLAN security authentication and encryption, it is used to protect the privacy of data exchanged by
authorized users in WLAN and avoid data interception.

WEP uses RC4 algorithm to protect data privacy and realize authentication via the shared key. Without specifying the
scheme for key management, WEP generally configures and maintains the key in a manual way. WEP without key
allocation is called manual WEP or static WEP.

A WEP encryption key generally has 64 or 128 bits. Since the 24-bit IV (Initialization Vector) is generated by the system,
the shared key configured on the AP and STA is only 40 or 104 bits. In practice, WEP with a 104-bit key has widely replaced
WEP with a 40-bit key, and is also called WEP-104. Although WEP-104 enhances the security of WEP encryption to a certain
extent, because of the limitations of the RC4 encryption algorithm and the statically configured key, WEP encryption is
exposed to considerable security risks and cannot guarantee data privacy and integrity or authenticate access users.

TKIP Encryption

TKIP (Temporal Key Integrity Protocol) was an interim solution developed by IEEE 802.11 association to fix the encryption
mechanism of WEP. Like WEP encryption mechanism, it uses RC4 algorithm, but provides better protection for WLAN
service than the WEP encryption mechanism, as detailed below:

1) The key of static WEP is manually configured, and all users in one service area share the same key. The key of
TKIP is dynamically generated, and each data packet transmitted is protected with a different key.

2) TKIP extends the key length from the 40 bits of WEP to 128 bits and the length of the Initialization Vector (IV) from
24 bits to 48 bits, considerably enhancing the security of WEP encryption.

3) TKIP supports MIC (Message Integrity Check) and is capable of defending against replay attacks.

AES-CCMP Encryption

AES-CCMP (Counter mode with CBC-MAC Protocol) is by now the most advanced wireless security protocol.

IEEE 802.11i requires the use of CCMP to provide all four security services: authentication, confidentiality, integrity, and
replay protection. CCMP utilizes the 128-bit AES (Advanced Encryption Standard) encryption algorithm for confidentiality
and CBC-MAC (Cipher Block Chaining Message Authentication Code) to guarantee data integrity and authentication.

As a brand-new advanced encryption standard, AES encryption algorithm adopts symmetric block encryption technique to
provide higher encryption performance than the RC4 algorithm applied in WEP/TKIP. Upon the final approval of IEEE
802.11i, it has become a new-generation encryption technique replacing WEP, offering better security protection for the
wireless network.

WPA Security Technique

WPA (Wi-Fi Protected Access) is a WLAN security technique developed by the Wi-Fi Alliance on the basis of the IEEE 802.11i
draft, aiming to replace the conventional WEP security technique and provide an interim advanced security solution for
WLAN devices while maintaining compatibility with future security protocols. WPA can be considered a subset of
IEEE 802.11i, with IEEE 802.1X and TKIP at its core.

During the past years, the wireless security protocol has witnessed substantial development. The encryption technique
has developed from the traditional WEP encryption to the AES-CCMP encryption of IEEE 802.11i, and the authentication
method has also developed from WEP shared-key authentication to 802.1x security authentication. With the introduction
of new protocols and new technologies, the entire network architecture has become more complicated. The existing WPA
security technique allows the application of diversified authentication and encryption methods to implement WLAN access
control, key management and data encryption. For example, the access authentication can adopt pre-shared key (PSK)
authentication or 802.1X authentication, while the encryption method can use TKIP or AES. The combination of WPA with
these encryption and authentication methods well guarantees the security of data link layer and ensures that only
authorized users can access WLAN network.

RSN Security Technique

RSN (Robust Security Network) is known as WPA2 security mode, the second edition of WPA. It was developed by the Wi-Fi
Alliance upon the official release of IEEE 802.11i. Since RSN supports the AES-CCMP encryption algorithm, it theoretically
provides better security than WPA.

Similar to WPA, the existing RSN security technique can also be combined with multiple authentication and encryption
methods to build a safer WLAN. Different from WPA, during the process of security capability advertisement and
negotiation, WPA uses WPA IE (Information Element) to identify security configuration information, while RSN adopts the
standard RSN IE.

WPA Operating Mechanism

WPA operating mechanism is shown below, and can be summarized into the following four phases:

Figure 3 WPA operating mechanism

The operating process of RSN (WPA2) is basically the same as that of WPA. For the operating mechanism of
RSN, please refer to the operating mechanism of WPA.

Security Capability Advertisement and Negotiation

The security capability advertisement takes place at the phase when STA and AP associate with 802.11:

1. WPA capability advertisement of AP

In order to advertise its support to WPA, AP will send out a Beacon frame with WPA IE (Information Element), which
contains the security configuration information of AP (including such safety configuration information as encryption
algorithm and authentication method).

2. Link authentication between STA and AP

STA sends an Open System Authentication request to AP, which will reply with the authentication result. For details,
please refer to the section of "Open System Authentication".

3. STA and AP associate with 802.11

STA will select the corresponding security configurations according to the IE information contained in AP advertisement,
and send the safety configurations selected to AP. At this phase, if STA doesn't support any encryption and authentication
method supported by AP, then AP may deny the request to establish connection; if AP doesn't support any encryption and
authentication method supported by STA, then STA won't establish connection with AP.

Secure access authentication

This phase mainly involves user authentication which will generate the Pairwise Master Key (PMK).

PMK is the ultimate source of all cipher key data. It can be dynamically generated upon the negotiation between STA and
the authentication server, or be directly provided by the pre-shared key (PSK) configured.

 For 802.1X authentication: PMK is generated upon the dynamic negotiation between STA and the authentication
server (as indicated in the authentication protocol). This process is transparent to AP, which will mainly complete the
upload and download of user authentication information, and open or close the port according to the authentication
result.

 For PSK authentication: PSK authentication doesn't have the process of PMK negotiation between STA and
authentication server. AP and STA will directly take the PSK configured as PMK.

STA and authentication server (for 802.1X authentication) will generate PMK for both sides only if the access
authentication is successful. For 802.1X access authentication, after successful authentication, the server will distribute
the PMK generated to AP.

Session Key Negotiation

This phase mainly involves communication key negotiation to generate PTK and GTK, which are used to encrypt the
unicast and multicast messages.

AP and STA will carry out 4-way WPA handshake via EAPOL-KEY frames. During this process, AP and STA will calculate
a 512-bit PTK on the basis of PMK, and divide this PTK into keys for multiple purposes: data encryption key, MIC key
(data integrity key), EAPOL-Key encryption key, EAPOL-Key integrity key and etc, which are used to provide encryption
and integrity protection for the subsequent unicast data frames and EAPOL-Key frames.

After successful 4-way handshake, AP will use certain fields of PTK to encrypt GTK and send the encrypted GTK to STA,
which will use PTK to decrypt GTK. GTK is a group of global encryption keys. AP uses GTK to encrypt broadcast and
multicast packets. All STAs associated with this AP can use the same GTK to decrypt the encrypted broadcast and
multicast packets sent by AP and check the MIC.
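As an added example, not code from the Ruijie guide, the key hierarchy described under PSK authentication and session key negotiation carried through in Python: the PMK derived from a pre-shared key (PBKDF2-HMAC-SHA1 with the SSID as salt, as 802.11i specifies), the 512-bit PTK derived from PMK, the two MAC addresses and the two handshake nonces via PRF-512, the TKIP split of the PTK into the KCK, KEK, TK and MIC keys, and the EAPOL-Key MIC that the handshake frames carry. The SSID, passphrase, MAC addresses, nonces and sample EAPOL-Key frame are constructed values.

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC field in an EAPOL-Key frame, following the
# standard layout: 4-byte EAPOL header + descriptor type(1) + key info(2)
# + key length(2) + replay counter(8) + nonce(32) + IV(16) + RSC(8) + key ID(8).
EAPOL_KEY_MIC_OFFSET = 81
EAPOL_KEY_MIC_LEN = 16


def derive_pmk_from_psk(passphrase, ssid):
    """PSK authentication: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so one passphrase gives a different PMK on every SSID; the
    PMK is only as strong as the passphrase, which is why PSK is not for large deployments."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key, label, data, n_bytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < n_bytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:n_bytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, n_bytes=64):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(ANonce,SNonce)).
    The min/max ordering lets AP and STA derive the same PTK regardless of which role they hold;
    a fresh nonce from either side yields a completely different PTK for the same PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, n_bytes)


def split_ptk_tkip(ptk):
    """Split the 512-bit TKIP PTK into its purpose-specific keys."""
    if len(ptk) != 64:
        raise ValueError("TKIP PTK must be 512 bits")
    return {
        "KCK": ptk[0:16],      # EAPOL-Key integrity (MIC) key
        "KEK": ptk[16:32],     # EAPOL-Key encryption key (wraps the GTK in message 3)
        "TK": ptk[32:48],      # temporal key: unicast data encryption
        "MIC_TX": ptk[48:56],  # Michael MIC key, authenticator -> supplicant
        "MIC_RX": ptk[56:64],  # Michael MIC key, supplicant -> authenticator
    }


def eapol_key_mic(kck, frame_with_zero_mic, descriptor_version):
    """EAPOL-Key MIC: version 1 = HMAC-MD5 (WPA/TKIP), version 2 = HMAC-SHA1 truncated to 128 bits (RSN/CCMP)."""
    if descriptor_version == 1:
        return hmac.new(kck, frame_with_zero_mic, hashlib.md5).digest()
    if descriptor_version == 2:
        return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:EAPOL_KEY_MIC_LEN]
    raise ValueError("unsupported key descriptor version")


def _zero_mic_field(frame):
    end = EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN
    if len(frame) < end:
        raise ValueError("frame too short to hold an EAPOL-Key MIC field")
    return frame[:EAPOL_KEY_MIC_OFFSET] + bytes(EAPOL_KEY_MIC_LEN) + frame[end:]


def sign_eapol_key(kck, frame, descriptor_version):
    """Return the frame with its MIC field filled in (the MIC is computed over the frame with that field zeroed)."""
    zeroed = _zero_mic_field(frame)
    mic = eapol_key_mic(kck, zeroed, descriptor_version)
    return zeroed[:EAPOL_KEY_MIC_OFFSET] + mic + zeroed[EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN:]


def verify_eapol_key(kck, frame, descriptor_version):
    """Constant-time check of a received frame's MIC; a mismatch means a wrong PMK/PTK or a modified frame."""
    received = frame[EAPOL_KEY_MIC_OFFSET:EAPOL_KEY_MIC_OFFSET + EAPOL_KEY_MIC_LEN]
    expected = eapol_key_mic(kck, _zero_mic_field(frame), descriptor_version)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # Constructed values: SSID, passphrase, MAC addresses and handshake nonces.
    pmk = derive_pmk_from_psk("constructed-passphrase", "ConstructedSSID")
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes([1]) * 32, bytes([2]) * 32
    keys = split_ptk_tkip(derive_ptk(pmk, aa, spa, anonce, snonce))
    # Constructed EAPOL-Key frame: EAPOL header (v2, type 3, body length 95) + zeroed body.
    frame = bytes([2, 3, 0, 95]) + bytes(95)
    signed = sign_eapol_key(keys["KCK"], frame, 2)
    print("PMK", pmk.hex())
    print("KCK", keys["KCK"].hex(), "MIC ok:", verify_eapol_key(keys["KCK"], signed, 2))
```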

Enciphered data transmission

This phase mainly involves data encryption and transmission.

TKIP or AES encryption algorithm doesn't directly use the key generated from PTK/GTK as the key for packet encryption.
Instead, this key is used as the Base Key to generate a new key upon 2-step key mixing. A different key will be generated
during every packet transmission. In the subsequent communication, AP and STA will use this key to carry out encrypted
communication.

Protocols and Standards

 IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and
metropolitan area networks — Specific requirements, 2007

 Wi-Fi Protected Access – Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004

 Information technology — Telecommunications and information exchange between systems — Local and metropolitan area
networks — Specific requirements — 802.11, 1999

 IEEE Standard for Local and metropolitan area networks “Port-Based Network Access Control”, 802.1X™-2004

 802.11i IEEE Standard for Information technology — Telecommunications and information exchange between systems —
Local and metropolitan area networks — Specific requirements

Default Configurations

Feature Default Setting
Configure WEP encryption Disabled
Configure link authentication Open System Authentication
Configure WPA security mode Disabled
Configure RSN security mode Disabled
Configure TKIP encryption Disabled
Configure AES encryption Disabled
Configure PSK authentication Disabled
Configure pre-shared key (PSK) NA
Configure 802.1X authentication Disabled

Configuration

In practical applications, different levels of wireless security policy shall be implemented according to user needs. The
three security levels of the wireless security mechanism are shown below:

Security level: Low
Security mechanism: WEP encryption and authentication mechanism
Description: Early wireless security mechanism featuring simple design and convenient deployment; easy to crack.
 Applicable to ordinary home networks.

Security level: Medium
Security mechanism: PSK authentication and TKIP data security based second-generation wireless security mechanism
Description: Besides the multiple improvements to the WEP protocol, it substantially enhances the security of wireless
networks through a software upgrade without modifying the original deployment.
 Applicable to small businesses and home users (network environment without a dedicated authentication server).

Security level: High
Security mechanism: 802.1X authentication and AES-CCMP data security based third-generation wireless security mechanism
Description: Based on the IEEE 802.11i draft protocol, it is currently a necessary option to build a secure WLAN.
 Applicable to public facilities, network operators, large- and medium-sized businesses, financial institutions, etc.
(a dedicated authentication server must be equipped).

Configuration Guide

Wireless security encryption mainly involves three configuration models, which are associated with different encryption
and authentication combinations. According to the actual networking needs, the user can refer to the above security levels
and select an appropriate security configuration model:

Security Mode          Encryption Mode   Authentication Mode   Description
Configure static WEP   Static WEP        Share-key             -
Configure WPA          TKIP              PSK                   -
                       AES-CCMP          802.1X                -
                       TKIP              802.1X                -
                       AES-CCMP          PSK                   -
Configure RSN (WPA2)   TKIP              PSK                   -
                       AES-CCMP          802.1X                (common) recommended configuration
                       TKIP              802.1X                -
                       AES-CCMP          PSK                   (common) recommended configuration

WPA and RSN security modes can be enabled simultaneously. If one WLAN enables WPA and RSN
simultaneously, then both security modes share the same encryption and authentication methods.

Configuring Static WEP

The following two configurations must be completed for the static WEP security encryption model:

 (Required) Configuring WEP encryption

 (Required) Configuring link authentication

Configuring WEP Encryption

WEP encryption mode is enabled by configuring the WEP encryption key. Execute the following commands.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# [ no ] security static-wep-key encryption   Configures a WEP encryption key.
key-length [ ascii | hex ] key-index key                     key-length: Key length; available options: 40, 104 and 128; unit: bit.
                                                             ascii: Key format is ASCII.
                                                             hex: Key format is HEX.
                                                             key-index: Key index; scope: 1-4.
                                                             key: The key.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

The static WEP mode is disabled by default.

After the static WEP encryption key is configured, the wireless security mode automatically switches to the static WEP
mode. WEP supports four keys, but currently only the first key is valid.

Example: Configure the static WEP key of WLAN1 to 12345

Method 1: Use ASCII format:

Ruijie(config)#wlansec 1
Ruijie(wlansec)# security static-wep-key encryption 40 ascii 1 12345
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP // Security policy: static WEP
WEP auth mode :open
WEP index......... :0 // Key index is 0, and the corresponding value is 1.
WEP key is HEX :false // Whether to use HEX format to configure the key
WEP key length :5
WEP passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345

Method 2: Use HEX format:

Ruijie(config)#wlansec 1
Ruijie(wlansec)# security static-wep-key encryption 40 hex 1 3132333435
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP // Security policy: static WEP
WEP auth mode :open
WEP index......... :0 // Key index is 0, and the corresponding value is 1.
WEP key is HEX :true // Whether to use HEX format to configure the key
WEP key length :5
WEP passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345

Configuring Link Authentication

WEP encryption mode can be used with one of the following two link authentication modes.

 Open System Authentication: The WEP key is used only for encryption. Even if the configured keys differ, the user can
still associate with the network, but the data transmitted afterwards is discarded by the receiving end because of the key
mismatch. In short, the STA can connect to the AP but cannot access the Internet.

 Shared key authentication: The WEP key is used for both authentication and encryption. If the keys differ, the STA
cannot access the network.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security static-wep-key authentication      Configures the WEP authentication mode. By default, open system
[ open | share-key ]                                         authentication is used, namely there is no authentication.
                                                             open: Open system authentication mode.
                                                             share-key: Shared key authentication mode.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.
                                                             wlan-id: The ID of the WLAN to be checked, in the range from 1 to 512.

The default is open system authentication mode.

The shared key authentication mode can only be configured during WEP encryption configuration.
When configuring WPA and RSN security modes, AP must operate under the open system authentication
mode.

Example: Configure the link authentication mode of WLAN1 to shared key authentication:

Ruijie(config)#wlansec 1
Ruijie(wlansec)# security static-wep-key authentication share-key
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP
WEP auth mode : share-key // Link authentication mode: shared key authentication
WEP index......... :0
WEP key is HEX :true
WEP key length :5
WEP passphrase :
31 32 33 34 35

Configuring WPA Security Mode

Among the existing WPA security solutions, two encryption methods can be adopted, TKIP and AES-CCMP, and two
authentication methods can be applied, PSK authentication and 802.1X authentication. Combining WPA with these encryption
and authentication methods guarantees the security of the data link layer and ensures that only authorized users can
access the WLAN.

Steps of WPA security encryption model are shown below:

 (Required) Enable WPA mode

 (Required) Configure WPA encryption mode

 (Required) Configure WPA authentication mode

 (Optional) Configure pre-shared key (PSK)

The following steps indicate how to enable WPA security mode. Encryption and authentication modes can only be
configured after the security mode is enabled.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa [ enable | disable ]           (Required) Enables/disables WPA security mode.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

WPA authentication is disabled by default.

For devices such as AP220-E V1.x, AP220-SH V1.x, AP220-SE V1.x and AP220-E (M) V1.5, when the WPA security
mechanism is used, the encryption mode and the authentication mode shall both be configured. If only the encryption
mode or only the authentication mode is configured, or if neither is configured, the STA will be unable to connect to
the wireless network. For devices such as AP220-E V2.x, AP220-SH V2.x, AP220-1 and AP220-SI, when the WPA
security mechanism is used, the encryption mode and the authentication mode shall likewise both be configured. If
only the encryption mode or only the authentication mode is configured, or if neither is configured, the STA will be
unable to connect to the wireless network, but not in the encryption mode.
When using the WPA security mechanism, the AP must work under the open system authentication mode.

Example: Enable WPA security mode of WLAN10

Ruijie(config)#wlansec 1
Ruijie(wlansec)# security wpa enable

Configuring RSN Security Mode

Similar to WPA, RSN also requires both the encryption mode and the authentication mode to be configured in order to
guarantee the security of the data link layer and ensure that only authorized users can access the WLAN.

The following configurations must be completed for RSN security encryption model:

 (Required) Enabling RSN mode

 (Required) Configuring RSN encryption mode

 (Required) Configuring RSN authentication mode

 (Optional) Configuring pre-shared key (PSK)

The following steps indicate how to enable RSN security mode. Encryption and authentication modes can only be
configured after the security mode is enabled.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security rsn [ enable | disable ]           (Required) Configures RSN authentication for a WLAN.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

The RSN authentication is disabled by default.

When using RSN security mechanism, the encryption mode and authentication mode shall be configured
accordingly. If only the encryption mode or the authentication mode is configured, or if none of them is
configured, then STA will be unable to connect to the wireless network.
When using RSN security mechanism, AP must operate under the open system authentication mode.
Wireless clients running Windows XP SP1/SP2 need an additional patch to support RSN security mode.

Example: Enable RSN security mode of WLAN10

Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable

Configuring Security Encryption Mode

Configure the encryption mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following two
encryption modes:

 TKIP encryption

 AES encryption

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa ciphers [ aes | tkip ] enable  Configures the encryption mode of WPA to AES or TKIP, or enables
                                                             both.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

WPA key negotiation mode is generally used together with TKIP algorithm or AES algorithm. Likewise, RSN
key negotiation mode is generally used together with AES algorithm or TKIP algorithm.
TKIP supports 802.11a/b/g. It does not support 802.11n.

Example: Enable RSN-AES encryption mode.

Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# show wlan security 10
Security Policy: WPA none (no AKM)
WPA version : WPA2(RSN)
AKM type :
pairwise cipher type:AES // Encryption mode: AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen :
wpa_passphrase :
WEP auth mode :open

Configuring Security Authentication Mode

Configure the authentication mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following
two authentication modes:

 PSK authentication

 802.1x authentication

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa akm [ psk | 802.1x ] enable    (Required) Configures the WPA authentication mode to PSK or
                                                             IEEE 802.1X, or enables both. When the authentication mode is set
                                                             to PSK, the PSK shall be configured.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

To support WPA/RSN, AP must operate under the open system authentication mode.
After STA is associated with AP via WPA mode or RSN mode, if there is a Radius server in the network acting as the
authentication server, then STA can adopt 802.1x mode for authentication; if there is no Radius server in the network,
STA and AP can adopt PSK mode for authentication.

Example: Enable RSN-PSK authentication mode

Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA PSK
WPA version : WPA2(RSN)
AKM type : preshare key // Access authentication: PSK
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen :
wpa_passphrase :
WEP auth mode :open

Configuring Pre-Shared Key (PSK)

When the authentication mode is set to PSK, the PSK shall be configured. The PSK takes effect only after the PSK
authentication mode has been configured.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa akm psk set-key { ascii        Configures the PSK.
ascii-key | hex hex-key }                                    ascii: Specifies an ASCII password.
                                                             ascii-key: The ASCII password, containing 8-63 characters.
                                                             hex: Specifies a hexadecimal password.
                                                             hex-key: The hexadecimal password, containing 64 characters.
Ruijie(wlansec)# show wlan security wlan-id                  Displays the security configuration of the specified WLAN.

Example: Configure PSK to 12345

Ruijie(config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA none (no AKM)
WPA version : WPA2(RSN)
AKM type : preshare key
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen : 5 // Key length: 5 bytes
wpa_passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345
WEP auth mode :open
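How the two PSK forms in the command table relate, as an added Python example that is not the guide's or Ruijie's code: the validator applies the 8-63 character ASCII and 64-digit hex rules stated above, and the derivation shows that in standard WPA/RSN (IEEE 802.11i) an ASCII passphrase is turned into the 256-bit PMK with PBKDF2-HMAC-SHA1 over the SSID, which is exactly what a 64-hex-digit key specifies directly. That the device's `hex hex-key` form is interpreted as the raw PMK is an assumption based on the standard; the SSID and passphrases used are constructed.

```python
import hashlib
import re
from typing import Optional

# Constructed sample SSID (matches the one shown in the guide's example output)
SSID = "SSID_wlan10"


def validate_psk(fmt: str, key: str) -> Optional[str]:
    """Check a PSK against the rules of the set-key command: an ASCII key has
    8-63 printable characters, a hex key has exactly 64 hexadecimal digits.
    Returns an error message, or None when the key is acceptable."""
    if fmt == "ascii":
        if not 8 <= len(key) <= 63:
            return f"ascii key must be 8-63 characters, got {len(key)}"
        if not all(32 <= ord(c) <= 126 for c in key):
            return "ascii key must contain printable ASCII only"
        return None
    if fmt == "hex":
        if not re.fullmatch(r"[0-9a-fA-F]{64}", key):
            return "hex key must be exactly 64 hexadecimal digits"
        return None
    return f"unknown key format {fmt!r}"


def pmk_from_psk(fmt: str, key: str, ssid: str) -> bytes:
    """Return the 256-bit PMK that a PSK configuration yields.

    Standard WPA-PSK derives the PMK from an ASCII passphrase as
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes); a
    64-hex-digit key is taken to be the PMK itself (assumed to match the
    device's hex form).
    """
    err = validate_psk(fmt, key)
    if err:
        raise ValueError(err)
    if fmt == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def equivalent_hex_key(passphrase: str, ssid: str) -> str:
    """The hex-key form that configures the same PMK as the given ASCII passphrase."""
    return pmk_from_psk("ascii", passphrase, ssid).hex()
```

Because the SSID is the PBKDF2 salt, the same passphrase on two WLANs with different SSIDs gives different PMKs, while the hex form pins the PMK regardless of SSID.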

Configuring MAB

In actual applications, some wireless devices cannot have a 1X client installed but still need to connect to a wireless
network that requires authentication. MAB (MAC Authentication Bypass), a MAC-address-based authentication mechanism
that needs no 1X client, can be used in such cases.

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters wireless security configuration mode. wlan-id refers to an
                                                             existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# dot1x-mab                                   Enables the MAB feature. Use the no form of this command to remove
                                                             the configuration.

MAB authentication is disabled by default.

This command is used to enable MAB authentication. It can be used in combination with PSK access authentication but
not with 802.1X access authentication.

The MAB feature cannot coexist with the other security modes in the same WLAN.

The following example enables MAB authentication for WLAN 1.

Ruijie(config)#wlansec 1
Ruijie(config-wlansec)# dot1x-mab

The following example disables MAB authentication for WLAN 1.

Ruijie(config)#wlansec 1
Ruijie(config-wlansec)# no dot1x-mab

To switch over the WLAN security policies, please delete the WLANSEC configuration corresponding to this
WLAN before configuring new security policies.

Configuring Authentication Parameters

Configuring Forbidcount for Key Exchange Failure

Use this command to configure the forbidcount after a four-way handshake fails to accomplish key exchange in WLAN
security configuration mode. Use the no or default form of this command to restore the default setting.

Command                                                      Function
authtimeout forbidcount count                                Configures the forbidcount after a four-way handshake fails to
                                                             accomplish key exchange.
                                                             count: The forbidcount after a four-way handshake fails to accomplish
                                                             key exchange.

The default is 10.

The following example sets the forbidcount to 5 after a four-way handshake fails to accomplish key exchange.

Ruijie(config-wlansec)#authtimeout forbidcount 5

Configuring Forbidtime for Key Exchange Failure

Use this command to set the forbidtime after a four-way handshake fails to accomplish key exchange in WLAN security
configuration mode. Use the no or default form of this command to restore the default setting.

Command                                                      Function
authtimeout forbidtime time                                  Sets the forbidtime after a four-way handshake fails to accomplish
                                                             key exchange.
                                                             time: The forbidtime after a four-way handshake fails to accomplish
                                                             key exchange, in seconds.

The default is 5.

The following example sets the forbidtime to 6 seconds after a four-way handshake fails to accomplish key exchange.

Ruijie(config-wlansec)#authtimeout forbidtime 6

Configuring Retransmission Count for Multicast Key Agreement Packet

Use this command to set the retransmission count for the multicast key agreement packet in WLAN security configuration
mode. Use the no or default form of this command to restore the default setting.

Command                                                      Function
authtimeout groupcount count                                 Sets the retransmission count for the multicast key agreement
                                                             packet.
                                                             count: The retransmission count for the multicast key negotiation
                                                             packet.

The default is 7.

The following example sets the retransmission count for the multicast key negotiation packet to 5.

Ruijie(config-wlansec)#authtimeout groupcount 5

Configuring Retransmission Count for Unicast Key Negotiation Packet

Use this command to set the retransmission count for the unicast key negotiation packet. Use the no or default form of
this command to restore the default setting.

Command                                                      Function
authtimeout paircount count                                  Sets the retransmission count for the unicast key negotiation
                                                             packet.
                                                             count: The retransmission count for the unicast key negotiation
                                                             packet.

The default is 7.

The following example sets the retransmission count for the unicast key negotiation packet to 5.

Ruijie(config-wlansec)#authtimeout paircount 5

Configuring Timeout Period for Multicast Key Negotiation Packet

Use this command to set the timeout period for the multicast key negotiation packet in WLAN security configuration mode.
Use the no or default form of this command to restore the default setting.

Command                                                      Function
authtimeout grouptime timeout                                Sets the timeout period for the multicast key negotiation packet.
                                                             timeout: The timeout period for the multicast key negotiation
                                                             packet, in milliseconds.

The default is 1200 milliseconds.

The following example sets the timeout period for the multicast key negotiation packet to 100 milliseconds.

Ruijie(config-wlansec)#authtimeout grouptime 100

Configuring Timeout period for Unicast Key Negotiation Packet

Use this command to set the timeout period for the unicast key negotiation packet in WLAN security configuration mode.
Use the no or default form of this command to restore the default setting.

Command                                                      Function
authtimeout pairtime timeout                                 Sets the timeout period for the unicast key negotiation packet.
                                                             timeout: The timeout period for the unicast key negotiation
                                                             packet, in milliseconds.

The default is 1200 milliseconds.

The following example sets the timeout period for the unicast key negotiation packet to 100 milliseconds.

Ruijie(config-wlansec)#authtimeout pairtime 100

Configuring Timeout for Jitter Prevention during Web Authentication

Command                                                      Function
Ruijie# configure terminal                                   Enters global configuration mode.
Ruijie(config)# wlansec wlan-id                              Enters WLAN security configuration mode. wlan-id specifies an
                                                             existing WLAN ID, which must be created before this configuration.
Ruijie(wlansec)# webauth prevent-jitter timeout              Sets the timeout for jitter prevention during Web authentication.
                                                             The range of timeout is from 0 to 86400 seconds. The default is
                                                             300 seconds.

Use the no webauth prevent-jitter or default webauth prevent-jitter command to restore the default setting.

Displaying Configurations

After completing the aforementioned configurations, you can execute the following show commands to display security
configurations in any mode.

Command                                                      Function
show wlan security wlan-id                                   Displays the security configuration of the specified WLAN.
show wlan stainfo summury                                    Displays the authentication state of the current user.

Example 1: Display security configurations of WLAN 10

Ruijie#show wlan security 10
Security Policy :WPA2(RSN) PSK
WPA version : WPA2(RSN)
AKM type :preshare key
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen :9
wpa_passphrase :
30 30 30 31 31 31 32 32 32 // Passphrase (displayed in HEX format): the corresponding ASCII key is 000111222
WEP auth mode :open

Field                    Description
Security Policy          Security mode: static WEP, WPA none (no AKM), WPA PSK, WPA 802.1x, unknown
WPA version              WPA version: WPA, WPA2(RSN), WPA or WPA2(RSN)
AKM type                 Authentication type: preshare key, 802.1x, 802.1x or preshare key
pairwise cipher type     Type of unicast encryption: TKIP, AES, AES or TKIP, NONE
group cipher type        Type of multicast encryption: TKIP, AES, AES or TKIP, NONE
WLAN SSID                SSID of the specified WLAN
wpa_passhraselen         Key length; unit: byte
wpa_passphrase           Passphrase; unit: HEX
WEP auth mode            Link authentication mode: open, share-key

Example 2: Display the authentication state of the current user.

Ruijie#show wlan stainfo summury
INDEX  MAC-address        WLAN ID  VLAN ID  Wireless-state  PTK-state
1      00:23:cd:ad:d3:da  10       10       AUTH-and-ASSOC  11

Field             Description
INDEX             Index number
MAC-address       MAC address of the wireless client
WLAN ID           ID of the WLAN used by the wireless user
VLAN ID           ID of the VLAN used by the wireless user
Wireless-state    Association state: not-AUTH (not associated); Auth-and-Assoc (authorized and associated);
                  AUTH-not-ASSOC (authorized but not associated)
PTK-state         Key negotiation state; value scope: 1-11. Value 11 indicates that key negotiation is completed.

Configuration Examples

The following examples only explain the configurations related to encryption and authentication.

Configuring RSN Configuration

Network Topology

As shown below, the wireless AP is connected to the wireless AC via switch.

Figure 4 Networking diagram of RSN security mode

Networking Requirements

 As there is no dedicated authentication server, the wireless clients will use PSK authentication to access the network.

 The AES encryption algorithm shall be used to ensure the high security of network data.

Configuration Tips

1) Create WLAN

2) Configure the security policy of the specified WLAN

3) Enable RSN security mode

4) Enable AES encryption mode

5) Enable PSK authentication mode and configure PSK

To configure WPA/RSN security mode, the open system authentication must be enabled.

Configuration Steps

Apply the following configurations on AC:

Step 1: Create WLAN

1. Create a layer-3 virtual interface (CVI) on the basis of VLAN 2

Ruijie(config)#vlan 2
Ruijie(config-vlan)#int vlan 2
Ruijie(config-if-VLAN 2)#exit

2. Create a WLAN with ID 1024, configure the mapping between WLAN1 and CVI 2, and then apply it to radio 1 of all APs
in the default AP group.

Ruijie(config)# wlan-config 100 pro-100 ssid_wlan100
Ruijie(config-wlan)#exit
Ruijie(config)#ap-group default
Ruijie(config-ap-group)#interface-mapping 100 2 radio 1
Ruijie(config-ap-group)# show group-ap intf-wlan-map default
WlAN ID    SSID           Vlan Id    Radio id    Mib index
---------  -------------  ---------  ----------  ----------
100        ssid-wlan100   2          1           1

Step 2: Configure the security policy of WLAN1

1. Enable open system authentication. By default, the link authentication mode is open system authentication.

Ruijie(config)#wlansec 100
Ruijie(wlansec)# security static-wep-key authentication open

2. Enable RSN security mode

Ruijie(wlansec)#security rsn enable

3. Enable AES encryption mode

Ruijie(wlansec)#security wpa ciphers aes enable

4. Enable PSK authentication mode and configure the PSK to 12345678.

Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345678

Verifying Configurations

Step 1: Display the security configurations of WLAN 100.

Ruijie# show wlan security 100


Security Policy :WPA2(RSN)PSK
WPA version : WPA2(RSN)
AKM type :preshare key
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :ssid_wlan100
wpa_passhraselen :8
wpa_passphrase :
31 32 33 34 35 36 37 38
WEP auth mode :open

Step 2: Display the authentication state of current user

Ruijie# show wlan stainfo summury
INDEX  MAC-address        WLAN ID  VLAN ID  Wireless-state  PTK-state
1      00:23:cd:ad:d3:da  100      2        AUTH-and-ASSOC  11

Step 3: Enter the correct and a wrong passphrase on the wireless client to verify whether the security function takes effect.

 With the correct PSK, the wireless client can successfully associate with the AP and access Internet resources.

 With a wrong PSK, the wireless client is unable to associate with the AP or access Internet resources (due to
differences between user terminals, some wireless clients may be able to associate with the AP but unable to access the
network).

Configuring WIDS

Overview

Compared with wired networks, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is
therefore applied more and more widely. However, because the WLAN channel is open, wireless networks are susceptible to
a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks. Security has therefore
become an important factor inhibiting the development of WLAN.

WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions and helps the
network administrator to proactively discover the hidden defects of network and take necessary countermeasures.

Currently, WIDS mainly provides the following features:

 Rogue device detection, countermeasure

 IDS attack detection

 Frame filtering (black list and white list)

 User isolation

Basic Concepts of WIDS

Rogue device: An unauthorized or malicious device on the network. It can be an illegal AP, an illegal bridge or an
unauthorized Ad-hoc device.

Rogue AP: An unauthorized or malicious AP on the network, such as an unauthorized AP, a misconfigured AP or an
attacker-operated AP.

Ad-hoc device: A wireless client in ad-hoc mode can communicate directly with other stations without support from any
other device. Since an Ad-hoc network has no infrastructure, it carries certain security threats.

IDS attack detection: WIDS can detect malicious or unintentional attacks on the WLAN by wireless users, such as
Flooding attacks, Spoof attacks and Weak IV attacks.

Rogue Device Detection and Countermeasure

Network devices on the network can generally be divided into: illegal devices (Rogue devices) and legal devices. Rogue
devices may have security vulnerabilities or be controlled by the attacker, thus imposing severe threats and hazards to the
network security. The Rogue device detection feature of WIDS can help monitor the abnormal devices in the entire WLAN
and assist the network administrator to detect hidden defects of the network.

Rogue device detection can detect multiple Rogue devices in the WLAN: Rogue AP, Rogue Client, Rogue wireless bridge,
and Ad-hoc network. Currently, only the detection of Rogue AP and Ad-hoc network can be supported.

Rogue device detection is performed by APs operating in monitor mode. WIDS deploys some APs in the wireless network and
instructs them to operate in monitor mode in order to capture the wireless packets transmitted over the air. Besides
listening for packets, the AP also sends broadcast detection requests and waits for the replies. Every device adjacent to
this AP receives such a detection request and replies, so the AP operating in monitor mode can identify the types of
surrounding devices from these response frames. Meanwhile, the network administrator can also monitor abnormal devices
in the entire WLAN by configuring detection rules.

Rogue device countermeasure sends de-authentication frames that carry the address of a rogue device from the list in
order to counter that rogue device.

Configure the following different monitor modes to detect Rogue devices:

 Monitor AP: In this mode, the AP scans all devices in the WLAN and acts only as a monitor AP instead of an access
AP. When an AP operates in Monitor mode, all WLAN services provided by this AP are disabled. As shown in Fig 1,
AP 1 works as an access AP, and AP 2 works as a monitor AP that listens to all 802.11 frames and detects illegal
devices on the wireless network. AP 2 cannot provide wireless access services.

Figure 1-1 Detect Rogue devices in Monitor mode

 Hybrid AP: In this mode, the AP acts as both an access AP and a Monitor AP. The AP scans devices in the WLAN and
provides WLAN data services. As shown in Fig 2, the AP can both detect Rogue devices and provide WLAN access
services for Client1 and Client2.

Figure 1-2 Detect Rogue devices in Hybrid mode

After a Rogue device is detected, you can enable countermeasures. The monitor AP downloads an attack list from the AC
according to the countermeasure mode and takes countermeasures against the detected rogue devices. For example, the
address of the Rogue device can be used to send spoofed de-authentication frames against it (this feature is not
provided for the moment).

IDS Attack Detection

In order to detect and defend against malicious or unintentional attacks on the WLAN in a timely manner, WIDS can detect
multiple kinds of intrusions or attacks. When an attack is detected, WIDS informs the network administrator by recording
information or sending logs, so that the administrator can adjust the network configuration in time and remove insecure
factors from the WLAN.

At present, IDS detection supports detection of the following attacks:

 DDoS attack detection

 Flooding attack detection

 Spoof attack detection

 Weak IV detection

Flooding Attack Detection

A flooding attack refers to the case in which WLAN devices receive large volumes of frames of the same kind within a
short span of time and get overwhelmed. As a result, such WLAN devices are unable to respond to the requests from
legal users.

WIDS attack detection counters flooding attacks by constantly tracking the density of traffic generated by each
device. When the traffic density of a device exceeds the threshold configured by the network administrator, the device is
considered to be flooding the network and is blocked. Flooding attack detection can be used in conjunction with the dynamic
blacklist: when WIDS detects a Flooding attack and the dynamic blacklist feature is enabled, the detected wireless
client is added to the blacklist, so that the WLAN system is no longer subject to attacks from that
device.

WIDS supports Flooding attack detection of the following frames:

 Authentication requests and de-authentication requests

 Association requests, disassociation requests and reassociation requests

 Probe requests

 Null data frames

 Action frames

Spoof Attack Detection

A spoof attack refers to the case in which a potential attacker sends a frame over the air on behalf of another device. For
instance, a spoofed de-authentication frame can cause a station to be de-authenticated from the network.

WIDS counters spoof attacks by detecting broadcast de-authentication and disassociation frames. When such a frame is
received, it is identified as a spoofed frame, and the attack is immediately logged.

Weak IV Detection

Weak IV (weak initialization vector) attack: when a WLAN uses WEP to encrypt each frame, an attacker may collect
frames carrying weak IVs to recover the shared key and eventually decrypt the enciphered messages.

When a WLAN uses WEP to encrypt each frame, an IV is generated for each frame. The IV and the shared key are used to
generate a keystream, which is combined with the plaintext to produce the ciphertext. When a WEP frame
is sent, the IV used to encrypt the frame is also sent in clear as part of the frame header. If a client generates IVs in an
insecure way, for example by using a fixed IV for all frames, the shared secret key may be exposed to any potential attacker.
Once the shared secret key is compromised, the attacker can access network resources and threaten network security.

WIDS counters this attack by checking the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is
considered a defect and is immediately logged.
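
As an added example (not code from this guide or from RGOS), the following Python detector extracts the IV from WEP-protected 802.11 data frames and flags the two problems described above: IVs of the well-known weak FMS form (first byte 3 to 15, second byte 0xFF) and reuse of the same IV by one transmitter, the fixed-IV case. The threshold/interval semantics, the choice of weak-IV classes and the test frames are assumptions; the guide does not state which IV classes RGOS itself flags.

```python
"""Weak-IV detection for WEP-protected 802.11 data frames (added example, not RGOS code).

Assumptions: FMS weak IVs have the form (B+3, 0xFF, X) with B in 0..12; a weak-IV
count per transmitter that reaches 'threshold' within one 'interval' (seconds)
is logged once; repeating an IV from the same transmitter is reported as the
'fixed IV' defect. All frames are constructed test vectors.
"""
from collections import defaultdict


def parse_wep_iv(frame: bytes):
    """Return (transmitter_mac, iv) for a WEP-protected data frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    if ftype != 2 or not (fc1 & 0x40):       # data frames with the Protected bit only
        return None
    hdr = 24
    if (fc1 & 0x03) == 0x03:                 # ToDS and FromDS: Address 4 present
        hdr += 6
    if subtype & 0x08:                       # QoS data subtypes carry a QoS Control field
        hdr += 2
    if len(frame) < hdr + 4:
        return None
    if frame[hdr + 3] & 0x20:                # Extended IV bit: TKIP/CCMP, not WEP
        return None
    ta = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    return ta, bytes(frame[hdr:hdr + 3])     # 24-bit IV precedes the Key ID byte


def is_fms_weak(iv: bytes) -> bool:
    """FMS 'resolved' IVs (B+3, 255, X) that leak key byte B of a 40/104-bit key."""
    return 3 <= iv[0] <= 15 and iv[1] == 0xFF


class WeakIvDetector:
    def __init__(self, threshold: int = 1, interval: int = 50):
        self.threshold, self.interval = threshold, interval
        self._weak = defaultdict(int)        # (ta, window) -> weak-IV frames seen
        self._ivs = defaultdict(set)         # ta -> IVs already seen
        self.alerts = []

    def ingest(self, frame: bytes, ts: float):
        """Process one captured frame at time ts; return the alerts it raised."""
        parsed = parse_wep_iv(frame)
        if parsed is None:
            return []
        ta, iv = parsed
        raised = []
        if is_fms_weak(iv):
            key = (ta, int(ts // self.interval))
            self._weak[key] += 1
            if self._weak[key] == self.threshold:   # log once per interval
                raised.append(("weak-iv", ta, iv.hex()))
        if iv in self._ivs[ta]:
            raised.append(("iv-reuse", ta, iv.hex()))
        self._ivs[ta].add(iv)
        self.alerts.extend(raised)
        return raised


def make_wep_data_frame(ta: bytes, iv: bytes, qos: bool = False) -> bytes:
    """Constructed FromDS data frame carrying the given WEP IV (body is filler)."""
    fc0 = ((0x8 if qos else 0x0) << 4) | (2 << 2)       # subtype, type = data
    fc1 = 0x40 | 0x02                                   # Protected, FromDS
    hdr = bytes([fc0, fc1, 0, 0]) + b"\xff" * 6 + ta   # FC, duration, Address 1, Address 2
    hdr += bytes.fromhex("001122334455") + b"\x10\x00"  # Address 3, sequence control
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv + b"\x00" + b"\x00" * 8             # IV, Key ID 0, filler payload


def demo():
    det = WeakIvDetector(threshold=1, interval=50)
    ta = bytes.fromhex("000000000001")
    frames = [
        make_wep_data_frame(ta, b"\x7a\x11\x05"),            # ordinary IV
        make_wep_data_frame(ta, b"\x03\xff\x2c", qos=True),  # FMS weak IV, B = 0
        make_wep_data_frame(ta, b"\x7a\x11\x05"),            # same IV again: reuse
        make_wep_data_frame(ta, b"\x10\xff\x00"),            # first byte 16: not weak
    ]
    alerts = []
    for i, fr in enumerate(frames):
        alerts += det.ingest(fr, ts=float(i))
    return det, alerts
```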

Frame Filtering

In a WLAN, WIDS can apply frame filtering rules to frames from wireless clients and thus implement access
control of wireless clients.

The WIDS frame filtering function implements wireless client access control through the following three types of filtering lists:

White List

White list contains MAC addresses of wireless clients whose frames can be processed. If the white list is used, only
wireless clients included in the white list can access the WLAN, and all frames from other wireless clients will be discarded
directly by AP, thus reducing the impacts of illegal frames on the wireless network.

Static Blacklist

The static blacklist contains the MAC addresses of wireless clients whose frames should be dropped. If the static blacklist
is used, then all frames from wireless clients included in the blacklist will be discarded directly by AP.

Dynamic Blacklist

The dynamic blacklist contains the MAC addresses of wireless clients whose frames will be dropped. A client is dynamically
added to the list only if WIDS detects a Flooding attack from this client. When the WLAN detects a Flooding attack from
a terminal device, it dynamically adds the MAC address of this device to the blacklist and discards any frame received
from this device, thereby protecting the WLAN.

User Isolation

Because wireless clients are mobile and unpredictable, the privacy of user information is especially important under certain
circumstances (especially in public places), and direct access between clients should be restricted. User isolation
controls insecure access between wireless terminals in the wireless network (such as access between
wireless clients via network neighborhood), preventing personal information from being intercepted by others.

Without affecting the normal network access of clients, user isolation prevents clients from accessing each other and ensures the
security of user services. The user isolation function is divided into:

AP User Isolation

AP user isolation refers to the case where all users associated with the same AP cannot communicate directly with each
other. As shown below, Clients 1-4 access the network via the same AP. Wireless terminals can communicate with each
other while accessing Internet. After the AP user isolation function is enabled, Client 1-Client 4 associated with the same
AP won't be able to ping and communicate with each other, but they can still access Internet.

Figure 1-3 Networking diagram of AP user isolation

AC User Isolation

AC user isolation refers to the case where all users associated with the same AC (but not the same AP) cannot
communicate directly with each other.

As shown below, AP1 and AP2 are connected to the same AC via a switch. Client 1 and Client 2 are connected to the
network via AP1, while Client 3 and Client 4 are connected to the network via AP2. Wireless terminals can communicate
with each other while accessing the Internet. After the AC user isolation function is enabled, clients associated with the same
AC (but not the same AP) can no longer communicate with each other: Client 1 cannot ping Client 3 or Client 4,
and Client 2 cannot ping Client 3 or Client 4. However, Client 1 can still ping Client 2, and Client 3 can still ping Client 4.
Client 1 to Client 4 keep their access to the Internet.

Figure 1-4 Networking diagram of AC user isolation

Default Configurations

Function Default Setting
AP operation mode Hybrid mode
Rogue device detection Rogue device detection disabled
  MAC address list enabled; blank list
  SSID list enabled; blank list
  Vendor list enabled; blank list
  Static attack list enabled; blank list
  Default device aging duration is 1200 seconds
IDS attack detection Flooding attack detection disabled
  Spoof attack detection disabled
  Weak-IV detection disabled
Frame filtering White list, blank list
  Static blacklist, blank list
  Dynamic blacklist function disabled
  Default dynamic blacklist lifetime is 300 seconds
User isolation AP user isolation disabled
  AC user isolation disabled
  User isolation permit list is blank

Configuration

Configuring AP Operation Mode

Because Rogue devices may exist, the network administrator may want some APs in the WLAN to operate in
monitor mode in order to capture the wireless packets transmitted over the air in real time, identify the
surrounding devices by analyzing the message format (including device type, SSID, BSSID and CHAN), and record this
information in the list of detected devices. An AP can operate in any of three modes: Normal, Monitor and Hybrid.

 Normal AP: access AP. The AP forwards WLAN user data without monitoring it.

 Monitor AP: Network device that scans or monitors wireless medium and attempts to detect attacker devices on the
wireless network. In this mode, AP will act only as the monitor AP instead of access AP.

 Hybrid AP: Act as both access AP and monitor AP. In this mode, AP can both scan devices in the WLAN and
provide WLAN data services.

AP operation mode can be configured on AC according to the following steps:

Command Function
Ruijie# config terminal Access global configuration mode.
Ruijie(config)# ap-config ap-name Enter the configuration mode of specified AP.
Ruijie(ap-config)# device mode {monitor | normal | hybrid} Configure AP operation mode. The operation mode is hybrid mode by default.
Ruijie(ap-config)#show Display configurations.

AP operation mode can be configured on Fat AP according to the following steps:

Command Function
Ruijie# config terminal Access global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# device mode {monitor | normal | hybrid} Configure AP operation mode. The operation mode is hybrid mode by default.
Ruijie(config-wids)# show Display configurations.

Configuring Rogue Device Detection

Configuring Detection Rules

Detection rule is the policy established for identifying Rogue devices. WIDS will check the frames according to the rule
configured in order to identify legal (Friendly) devices, unclassified devices and eventually illegal (Rogue) devices.

Rule for detecting Rogue devices:

Figure 2-1 Flow of Rogue device detection

The network administrator can preconfigure the policy for identifying legal devices, such as a permitted MAC address list,
a permitted SSID list and a permitted vendor list. Devices that fail to meet the policy requirements are considered
unclassified devices or Rogue devices. As shown above, when a detected device meets the policy it is considered a legal
(Friendly) device; otherwise it is considered an unclassified device.

The Rogue device detection rule can be configured on AC and then be applied to all associated monitor APs.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# device permit mac-address mac-address (Required) Configure the permitted MAC address list. By default, no entry exists.
Ruijie(config-wids)# device permit ssid ssid (Optional) Configure the permitted SSID list. By default, no entry exists.
Ruijie(config-wids)# device permit vendor bssid bssid (Optional) Configure the permitted vendor list. By default, no entry exists.
Ruijie(config-wids)# show wids permitted { mac-address | ssid | vendor } Display the permitted MAC/SSID/vendor list trusted by WIDS.

Configuring Static Attack List

An AP operating in monitor mode captures the wireless packets transmitted over the air in real time and
records the scanning result in the list of detected devices. The administrator can learn about the current network
devices through this list. When an abnormal device is detected, it can be classified as a Rogue device by adding
its MAC address to the attack list. The administrator can also add the MAC address of a specific
device to the static attack list in advance. When the monitor AP detects a device with this MAC address, it
considers the device a Rogue device.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# device attack mac-address mac-address (Optional) Configure the static attack list. By default, no entry exists.
Ruijie(config-wids)# show wids attack-list Display the entries of the statically configured attack (Rogue) list.

Configuring Device Aging Duration

The administrator can configure the aging duration of entries in the device detection list. Upon expiration of aging duration,
if the device is not detected again, this device will be removed from the list. If this device is already considered as Rogue
device, it will be transferred to the history record of Rogue devices.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# device aging duration duration Configure device aging duration.
Ruijie(config-wids)# show run Display configurations
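
To make the detection flow of Figure 2-1 concrete, here is an added Python model (not RGOS code) of the rules configured in the three tables above: the permitted MAC, SSID and vendor lists, the static attack list, and device aging. It assumes that the static attack list takes precedence, that matching any permitted list makes a device friendly, and that a permitted vendor is matched by the OUI (first three bytes) of the BSSID given with device permit vendor bssid. MAC addresses use the dotted form of this guide; the observed devices are constructed.

```python
"""Rogue-device classification with static attack list and aging (added example, not RGOS code).

Assumptions: the static attack list is checked first; a device matching ANY
permitted list (MAC, SSID or vendor OUI) is friendly; a permitted vendor is the
OUI of the BSSID supplied with 'device permit vendor bssid'.
"""
from dataclasses import dataclass, field


def norm_mac(mac: str) -> str:
    """0000.0000.0001 / 00:00:00:00:00:01 / 00-00-... -> 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class Entry:
    mac: str
    ssid: str
    last_seen: float
    verdict: str


@dataclass
class RogueDetector:
    aging: float = 1200.0                            # 'device aging duration' default
    permit_macs: set = field(default_factory=set)
    permit_ssids: set = field(default_factory=set)
    permit_ouis: set = field(default_factory=set)
    attack_macs: set = field(default_factory=set)
    detected: dict = field(default_factory=dict)     # mac -> Entry
    rogue_history: list = field(default_factory=list)

    # configuration, mirroring 'device permit ...' and 'device attack mac-address'
    def permit_mac(self, mac: str):
        self.permit_macs.add(norm_mac(mac))

    def permit_ssid(self, ssid: str):
        self.permit_ssids.add(ssid)

    def permit_vendor(self, bssid: str):
        self.permit_ouis.add(norm_mac(bssid)[:6])

    def attack_mac(self, mac: str):
        self.attack_macs.add(norm_mac(mac))

    def classify(self, mac: str, ssid: str) -> str:
        m = norm_mac(mac)
        if m in self.attack_macs:
            return "rogue"
        if m in self.permit_macs or ssid in self.permit_ssids or m[:6] in self.permit_ouis:
            return "friendly"
        return "unclassified"

    def observe(self, mac: str, ssid: str, now: float) -> str:
        """Record a device seen at time 'now' and return its verdict."""
        m = norm_mac(mac)
        verdict = self.classify(m, ssid)
        self.detected[m] = Entry(m, ssid, now, verdict)
        return verdict

    def age_out(self, now: float):
        """Remove entries not seen for 'aging' seconds; rogues go to the history record."""
        expired = [e for e in self.detected.values() if now - e.last_seen >= self.aging]
        for e in expired:
            del self.detected[e.mac]
            if e.verdict == "rogue":
                self.rogue_history.append(e)
        return [e.mac for e in expired]

    def show(self, kind: str = "all"):
        """Like 'show wids detected {all | friendly | unclassified | rogue}'."""
        return sorted(e.mac for e in self.detected.values()
                      if kind == "all" or e.verdict == kind)


def demo():
    """Constructed scenario using the Client1/Client2 addresses from this guide's example."""
    d = RogueDetector()
    d.permit_mac("0000.0000.0002")
    d.permit_ssid("corp-wlan")
    d.permit_vendor("0011.2233.4455")
    d.attack_mac("0000.0000.0001")
    verdicts = {
        "client2": d.observe("0000.0000.0002", "guest", now=0),
        "client1": d.observe("0000.0000.0001", "corp-wlan", now=0),  # attack list wins
        "vendor":  d.observe("0011.2233.aabb", "iot", now=0),        # OUI match
        "unknown": d.observe("00aa.bbcc.ddee", "free-wifi", now=0),
    }
    d.observe("0000.0000.0001", "corp-wlan", now=200)   # the rogue is still around
    aged = d.age_out(now=1300)                          # t=0 entries expire; rogue stays
    return d, verdicts, aged
```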

Displaying and Clearing the Result of Rogue Device Detection

Display and clear the list of all WLAN devices detected, including legal devices, unclassified devices and illegal devices.

Command Function
show wids detected all Display the list of all WLAN devices detected.
reset wids detected all Clear the list of all WLAN devices detected.

Display and clear the list of all legal (friendly) and unclassified devices detected.

Command Function
show wids detected friendly Display all legal devices detected.
reset wids detected friendly Clear all legal devices detected.
show wids detected unclassified Display all unclassified devices detected.
reset wids detected unclassified Clear all unclassified devices detected.

Display and clear the record of devices detected and considered as illegal.

Command Function
show wids detected rogue ap Display the record of Rogue AP detected.
reset wids detected rogue ap Clear the record of Rogue AP detected.
show wids detected rogue adhoc Display the record of Rogue adhoc detected.

Display and clear the record of device with specified MAC address.

Command Function
show wids detected mac-address mac-address Display the record of the detected device with the specified source MAC address.
reset wids detected mac-address mac-address Clear the record of the detected device with the specified source MAC address.

Display and clear the record of Rogue devices deleted from the detection list as a result of timeout (this command is not
supported for the moment).

Command Function
show wids rogue-history Display the history record of Rogue devices.
reset wids rogue-history Clear the history record of Rogue devices.

Configuring IDS Attack Detection

Currently, WIDS is capable of detecting three types of intrusions: Flooding attack detection, Spoof attack detection and
Weak-IV detection. The process of detection is shown below.

Figure 2-2 Flow of IDS intrusion detection

Enabling IDS Intrusion Detection

In WIDS configuration mode, enable the corresponding IDS attack detection function to activate IDS attack detection. The
user can apply the corresponding counter-attack policies according to actual network conditions. The configuration steps
are shown below:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# attack-detection enable all (Optional) Enable all IDS attack detection functions,
including DDoS, Flooding, Spoof and Weak-IV attack
detection. This function is disabled by default.
Ruijie(config-wids)#attack-detection enable ddos (Required) Enable DDoS attack detection.
This function is disabled by default.
Ruijie(config-wids)#attack-detection enable flood (Required) Enable Flooding attack detection.
This function is disabled by default.
Ruijie(config-wids)#attack-detection enable spoof (Required) Enable Spoof attack detection.
This function is disabled by default.
Ruijie(config-wids)# attack-detection enable weak-iv (Required) Enable Weak-IV detection.
This function is disabled by default.
Ruijie(config-wids)# show run Display the enable/disable state of IDS intrusion
detection function

Configuring Packet Threshold and Statistics Interval

DDoS Attack Detection

Use these commands to set the packet threshold and interval of the specified DDoS attack detection packets in WIDS
configuration mode. Use the no form of these commands to restore the default setting.

Command Function
attack-detection ddos { arp-threshold num | icmp-threshold num | syn-threshold num | interval time } Set the threshold and interval for the specified DDoS attack detection packets.
interval time: Sets the DDoS detection interval in the range from 10 to 60, in seconds.
arp-threshold num: Sets the ARP packet threshold in the range from 1 to 10000, in pps.
icmp-threshold num: Sets the ICMP packet threshold in the range from 1 to 10000, in pps.
syn-threshold num: Sets the SYN packet threshold in the range from 1 to 10000, in pps.

The default arp-threshold is 5 pps, icmp-threshold is 100 pps, syn-threshold is 5 pps, and the interval is 30 seconds.

The following example sets the ARP packet threshold to 200pps.

Ruijie(config-wids)# attack-detection ddos arp-threshold 200

The following example restores the ARP packet threshold to the default setting.

Ruijie(config-wids)#no attack-detection ddos arp-threshold

Flooding Attack Detection

Use these commands to set the packet threshold and interval of the specified Flooding attack detection packets in WIDS
configuration mode. Use the no form of these commands to restore the default setting.

Command Function
attack-detection flood multi-mac { assoc | reassoc | disassoc | probe | action | auth | deauth | null-data } threshold num interval time Set the packet threshold and interval of the specified Flooding attack detection packets for multiple users.
total: Specifies all types of packets.
assoc: Specifies the association packet.
reassoc: Specifies the reassociation packet.
disassoc: Specifies the disassociation packet.
probe: Specifies the probe request packet.
action: Specifies the action packet.
auth: Specifies the authentication packet.
deauth: Specifies the deauthentication packet.
null-data: Specifies the null data packet.
threshold num: Sets the packet threshold in the range from 1 to 5000.
interval time: Sets the statistics interval in the range from 10 to 60, in seconds.
attack-detection flood single-mac { total | assoc | reassoc | disassoc | probe | action | auth | deauth | null-data } threshold num interval time Set the threshold and statistics interval of the specified Flooding attack detection packets for one single user.

The default threshold is 500 and interval is 10 seconds for multiple users.

The default threshold is 300 and interval is 10 seconds for one single user.

The following example sets assoc to 200 and interval to 20000 milliseconds of assoc packets for multiple users.

Ruijie(config-wids)# attack-detection flood multi-mac assoc threshold 200 interval 20000

The following example restores assoc and interval to the default setting.

Ruijie(config-wids)#no attack-detection flood multi-mac assoc

The following example sets assoc to 200 and interval to 20000 milliseconds of assoc packets for one single user.

Ruijie(config-wids)# attack-detection flood single-mac assoc threshold 200 interval 20000

The following example restores assoc and interval to the default setting.

Ruijie(config-wids)#no attack-detection flood single-mac assoc
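
The following added Python model (not RGOS code) shows how the single-mac and multi-mac thresholds above behave on a constructed frame trace, using this guide's defaults of 300 frames per 10 seconds for one client and 500 per 10 seconds for all clients. It assumes fixed statistics windows aligned to the interval, that multi-mac counts a frame type across all source MACs, and that an alert is raised once per window when the count exceeds the threshold; the single-mac alert is what would feed the dynamic blacklist.

```python
"""Flooding-attack detection with per-client and aggregate thresholds (added example, not RGOS code).

Assumptions: counts are kept per fixed statistics window of 'interval' seconds,
'multi-mac' counts a frame type across all source MACs, and one alert is raised
per window when a count exceeds its threshold. The frame trace is constructed.
"""
from collections import defaultdict

FLOOD_TYPES = ("assoc", "reassoc", "disassoc", "probe", "action", "auth", "deauth", "null-data")


class FloodDetector:
    def __init__(self, single=(300, 10), multi=(500, 10)):
        # per frame type: (threshold, interval), as set by
        # 'attack-detection flood single-mac|multi-mac <type> threshold N interval T'
        self.single = {t: single for t in FLOOD_TYPES}
        self.multi = {t: multi for t in FLOOD_TYPES}
        self._per_mac = defaultdict(int)     # (mac, type, window) -> frames
        self._aggregate = defaultdict(int)   # (type, window) -> frames
        self.alerts = []

    def set_single(self, ftype, threshold, interval):
        self.single[ftype] = (threshold, interval)

    def set_multi(self, ftype, threshold, interval):
        self.multi[ftype] = (threshold, interval)

    def ingest(self, mac, ftype, ts):
        """Count one frame from 'mac' of type 'ftype' at time ts; return new alerts."""
        if ftype not in FLOOD_TYPES:
            return []
        raised = []
        thr, iv = self.single[ftype]
        key = (mac, ftype, int(ts // iv))
        self._per_mac[key] += 1
        if self._per_mac[key] == thr + 1:            # crossed: fire once per window
            raised.append(("single-mac", mac, ftype))
        thr, iv = self.multi[ftype]
        key = (ftype, int(ts // iv))
        self._aggregate[key] += 1
        if self._aggregate[key] == thr + 1:
            raised.append(("multi-mac", None, ftype))
        self.alerts.extend(raised)
        return raised


def demo():
    det = FloodDetector()
    det.set_single("deauth", threshold=20, interval=10)   # tighter de-auth limit
    frames = []
    # constructed: one client sends 25 de-authentication frames within 5 seconds
    frames += [("0000.0000.0001", "deauth", 0.2 * i) for i in range(25)]
    # constructed: eight clients each send 70 probe requests in one window (560 total)
    for n in range(8):
        frames += [("0000.0000.00%02x" % (n + 10), "probe", 1 + 0.01 * i) for i in range(70)]
    alerts = []
    for mac, ftype, ts in frames:
        alerts += det.ingest(mac, ftype, ts)
    return det, alerts
```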

Spoof Attack Detection

Use this command to set the threshold and statistics interval for Spoofing attack detection packets in WIDS configuration
mode. Use the no form of this command to restore the default setting.

Command Function
attack-detection spoof { threshold num | interval time } Set the threshold and statistics interval for Spoofing attack detection packets.
threshold num: Sets the packet threshold in the range from 1 to 1000.
interval time: Sets the detection interval in the range from 10 to 60, in seconds.

The default threshold is 1 and interval is 50 seconds.

The following example sets the threshold for Spoofing attack detection packets to 20.

Ruijie(config-wids)# attack-detection spoof threshold 20

The following example restores the Spoofing attack detection threshold to the default setting.

Ruijie(config-wids)#no attack-detection spoof threshold

Weak IV Detection

Use this command to set the threshold and interval for Weak IV attack detection packets in WIDS configuration mode.
Use the no form of this command to restore the default setting.

Command Function
attack-detection weak-iv { threshold num | interval time } Sets the threshold and statistics interval for Weak IV attack detection packets.
threshold num: Sets the packet threshold in the range from 1 to 1000.
interval time: Sets the detection interval in the range from 10 to 60, in seconds.

The following example sets the threshold for Weak IV attack detection packets to 200.

Ruijie(config-wids)# attack-detection weak-iv threshold 200

The following example restores the Weak IV attack detection threshold to the default setting.

Ruijie(config-wids)#no attack-detection weak-iv threshold

Configuring Maximum Number of IDS Attack Detection List Entries

Use this command to set the maximum number of IDS attack detection list entries on ACs or APs in WIDS configuration
mode. Use the no form of this command to restore the default setting.

Command Function
attack-detection statistics ap-max num Sets the maximum number of IDS attack detection list
entries on the APs in the range from 1 to 1024.

The default is 2048 on ACs and 512 on APs.

The following example sets the maximum number of IDS attack detection list entries on the AP to 1000.

Ruijie(config-wids)# attack-detection statistics ap-max 1000

The following example restores the maximum number of IDS attack detection list entries on the AP to the default setting.

Ruijie(config-wids)#no attack-detection statistics ap-max

Displaying and Clearing IDS Attack Detection History

After completing the aforementioned configurations, you can use the show command to display IDS attack detection
history in any mode. In the privilege mode, use the reset command to clear IDS attack detection history information and
statistics information.

Display and clear IDS attack detection history (this command is not supported for the moment).

Command Function
show wids history Display IDS attack detection history.
reset history Clear IDS attack detection history.

Display and clear IDS attack detection statistics (this command is not supported for the moment).

Command Function
show wids statistics Display IDS attack detection statistics.
reset statistics Clear IDS attack detection statistics.

Configuring Frame Filtering

Frame filtering involves the configuration of white list, static blacklist and dynamic blacklist. When AP receives a data
frame, it will check the MAC address of this data frame. The process of frame filtering is shown below:

Figure 2-3 Flow of frame filtering

Configuring White List

Configure white list in WIDS configuration mode. When an entry exists in the white list, the corresponding client will pass
frame filtering. The user can add or delete entries by executing relevant commands.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# [ no ] whitelist mac-address mac-address (Required) Configure the white list. Blank by default.
Ruijie(config-wids)# show wids whitelist Display the white list.

Configuring Static Blacklist

Configure the static blacklist in WIDS configuration mode. When an entry exists in the blacklist, the corresponding client is
denied. The user can add or delete entries by executing the relevant commands.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# [ no ] static-blacklist mac-address mac-address (Required) Configure the static blacklist. Blank by default.
Ruijie(config-wids)# show wids blacklist static Display static blacklist

Configuring Dynamic Blacklist

Enable dynamic blacklist in WIDS configuration mode. When Flooding attack is detected by WIDS, this associated client
will be dynamically added to the dynamic blacklist. The user can configure the lifetime of entries in the dynamic blacklist.
Upon expiration of lifetime, if the device is not detected again, the corresponding entry will be removed from the dynamic
blacklist.

The user can configure the dynamic-blacklist entries by executing relevant commands. Use the no form of this command
to restore the default setting.

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# dynamic-blacklist enable (Required) Enable dynamic blacklist function.
Disabled by default.
Ruijie(config-wids)# dynamic-blacklist lifetime lifetime (Optional) Configure the lifetime of dynamic blacklist.
Default: 300 seconds.
Ruijie(config-wids)# dynamic-blacklist { ac-max | ap-max } num Set the maximum number of dynamic blacklist entries, in the range from 1 to 4096 on ACs and from 1 to 1024 on APs. The default is 2048 on ACs and 512 on APs.
Ruijie(config-wids)# show wids blacklist dynamic Display dynamic blacklist.
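
As an added illustration of the filtering flow in Figure 2-3 (not RGOS code), the following Python filter combines the three lists configured above: a non-empty white list admits only its members, the static blacklist drops, and a dynamic blacklist entry drops until its lifetime (300 seconds by default) expires unless the client is detected again, subject to the entry cap (512 on APs). The check order and the refresh-on-redetection behaviour are assumptions; the addresses follow the constructed Client1/Client2 values of this guide's example.

```python
"""Frame filtering with white list, static blacklist and dynamic blacklist (added example, not RGOS code).

Assumptions: a non-empty white list is checked first and admits only its members,
then the static blacklist, then the dynamic blacklist; a dynamic entry lives
'lifetime' seconds and is refreshed when the client is detected flooding again.
"""


def norm_mac(mac: str) -> str:
    """0000.0000.0001 / 00:00:00:00:00:01 -> 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch not in ".:-")


class FrameFilter:
    def __init__(self, lifetime: float = 300.0, max_entries: int = 512):
        self.whitelist = set()            # 'whitelist mac-address'
        self.static_blacklist = set()     # 'static-blacklist mac-address'
        self.dynamic_blacklist = {}       # mac -> expiry time
        self.dynamic_enabled = False      # 'dynamic-blacklist enable'
        self.lifetime = lifetime          # 'dynamic-blacklist lifetime'
        self.max_entries = max_entries    # 'dynamic-blacklist ap-max'

    def _expire(self, now: float):
        for mac in [m for m, exp in self.dynamic_blacklist.items() if exp <= now]:
            del self.dynamic_blacklist[mac]

    def flood_detected(self, mac: str, now: float) -> bool:
        """Hook for flooding detection: add or refresh a dynamic entry; False if the table is full."""
        if not self.dynamic_enabled:
            return False
        m = norm_mac(mac)
        self._expire(now)
        if m not in self.dynamic_blacklist and len(self.dynamic_blacklist) >= self.max_entries:
            return False
        self.dynamic_blacklist[m] = now + self.lifetime
        return True

    def decide(self, src_mac: str, now: float) -> str:
        """Return 'pass' or 'drop' for a frame whose source MAC is src_mac."""
        m = norm_mac(src_mac)
        if self.whitelist:
            return "pass" if m in self.whitelist else "drop"
        if m in self.static_blacklist:
            return "drop"
        self._expire(now)
        if m in self.dynamic_blacklist:
            return "drop"
        return "pass"


def demo():
    f = FrameFilter()
    f.dynamic_enabled = True
    f.static_blacklist.add(norm_mac("0000.0000.0001"))       # Client1, as in this guide
    r = {}
    r["static"] = f.decide("0000.0000.0001", now=0)           # drop
    r["before"] = f.decide("0000.0000.0003", now=0)           # pass
    f.flood_detected("0000.0000.0003", now=0)                 # flooding detected at t=0
    r["dynamic"] = f.decide("0000.0000.0003", now=100)        # drop, inside lifetime
    r["expired"] = f.decide("0000.0000.0003", now=300)        # pass, entry aged out
    f.whitelist.add(norm_mac("0000.0000.0002"))               # Client2 only
    r["wl_member"] = f.decide("0000.0000.0002", now=301)      # pass
    r["wl_other"] = f.decide("0000.0000.0004", now=301)       # drop
    return f, r
```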

Displaying and Clearing Frame Filtering Configurations

After completing the aforementioned configurations, you can use the show command to display the configurations of
static lists.

Command Function
show wids whitelist Display whitelist.
show wids blacklist static Display static blacklist.

After completing the aforementioned configurations, you can use the show command to display the dynamic blacklist. In
the privilege mode, use the reset command to clear relevant information in the dynamic blacklist.

Command Function
show wids blacklist dynamic Display dynamic blacklist.
reset ssid-filter { ssid all | in-ssid string | blacklist all | blacklist all in-ssid string | whitelist all | whitelist all in-ssid string } Remove one or all blacklists or whitelists based on all SSIDs or a specified SSID.
ssid all: All SSIDs.
in-ssid string: A specified SSID.

The following example removes the blacklist and whitelist configuration based on all SSIDs.

Ruijie(config-wids)#reset ssid-filter ssid all

The following example removes the blacklist configuration based on all SSIDs.

Ruijie(config-wids)#reset ssid-filter blacklist all

The following example removes the blacklist configuration based on SSID my-wlan.

Ruijie(config-wids)#reset ssid-filter blacklist all in-ssid my-wlan

The following example removes the whitelist configuration based on all SSIDs.

Ruijie(config-wids)#reset ssid-filter whitelist all

The following example removes the whitelist configuration based on SSID my-wlan.

Ruijie(config-wids)#reset ssid-filter whitelist all in-ssid my-wlan

Configuring Countermeasure to the Detected Rogue Device

The countermeasure mode specifies which detected devices are countered. In hybrid or monitor mode, the AP can be
configured with 4 countermeasure modes:

 All rogue devices

 Static attack devices in the list

 The rogue AP

 The adhoc device

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# countermeasure enable Enable countermeasures. Disabled by default.
Ruijie(config-wids)# countermeasure { config | all | adhoc | rogue } Configure the countermeasure mode.

Configuring the User Isolation

Enable the isolation function on the wireless device (the AP or the AC). When the device receives a packet from a user, it
checks whether the source and the destination of the packet to be forwarded are on the same device. If the
source and the destination are on the same device, the packet is discarded; otherwise it is forwarded
normally.

The user can also add entries for users that are permitted to communicate with each other by configuring the isolation permit
list. If the MAC addresses of two users on the same AP or AC are added to the user isolation permit list, these two users can access each other.

The process of enabling the user isolation function is showed in the picture below:

Figure 2-4 Flow of user isolation

Configuring AP User Isolation

In WIDS configuration mode, enable AP user isolation by executing the following commands:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation ap enable (Required) Enable AP user isolation. Disabled by default.
Ruijie(config-wids)# show run Display configurations

Configuring User Isolation on AP

In the WIDS configuration mode, enable the AP user isolation function based on WLAN to isolate users in the same
WLAN by executing the commands below:

Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# wids Enter the WIDS configuration mode.
Ruijie(config-wids)# user-isolation ssid-ap enable (Required) Enable AP user isolation based on WLAN. Disabled by default.
Ruijie(config-wids)# show run Display configurations

Configuring User Isolation at AC

In WIDS configuration mode, enable the AC user isolation function to isolate users associated with different APs at the AC by
executing the following commands:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation ac enable (Required) Enable user isolation at the AC. Disabled by default.
Ruijie(config-wids)# show run Display configurations

Configuring User Isolation Based on WLAN at AC

In WIDS configuration mode, enable WLAN-based AC user isolation to isolate users that are in the same WLAN but
associated with different APs at the AC by executing the following commands:

Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# wids Enter the WIDS configuration mode.
Ruijie(config-wids)# user-isolation ac enable (Required) Enable user isolation at the AC. Disabled by default.
Ruijie(config-wids)# show run Display the configuration

Configuring User Isolation Permit List

The user may also configure isolation permit list to add entries of users which can communicate with each other. If the
MAC address of any one of two users associated with the same device is added into the user isolation permit list, then
these two users can communicate with each other. In WIDS configuration mode, configure user isolation permit list by
executing the following commands:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation permit-mac mac-address (Optional) Configure the user isolation permit list. Blank by default. User isolation based on WLAN on the AP identifies the wireless network by its BSSID.
Ruijie(config-wids)# show run Display configurations

Configuration Examples

The following explains only the configuration associated with WIDS.

Network Topology

As shown below, the wireless access point AP1 is connected to the wireless AC and Internet via switch.

Figure 2-5 Networking diagram of WIDS application

Networking Requirements

 AP must be able to provide access service for WLAN users and transmit data of WLAN users while scanning WLAN
devices to detect illegal APs on the network.

 Client1 (0000.0000.0001) is an illegal wireless client. All data frames from this client must be filtered and dropped.

 Client2 (0000.0000.0002) is a legal wireless client. All data frames from this client must be allowed and forwarded.

 AC must enable IDS attack detection function, and all wireless clients initiating Flooding attack must be added to the
dynamic blacklist.

Configuration Tips

 AP operating in Hybrid mode can both scan devices in the WLAN and provide WLAN data services. AP operates in
Hybrid mode by default.

 Configure Client1 (0000.0000.0001) as an entry of static blacklist, which will include the MAC addresses of wireless
clients whose frames should be dropped.

 Configure Client2 (0000.0000.0002) as an entry of the white list, which will include the MAC addresses of wireless
clients whose frames should be forwarded.

 Enable Flooding attack detection and dynamic blacklist on AC. The dynamic blacklist contains MAC addresses of
wireless clients whose frames will be dropped. A client is dynamically added to the list only if Flooding attack from
this client is detected by WIDS.

Configuration Steps

Apply the following configurations on AC:

1) Configure the operating mode of AP1 to Hybrid mode (AP operates in Hybrid mode by default)

Ruijie(config)# ap-config AP001


Ruijie(ap-config)# device mode hybrid
Ruijie(ap-config)#exit
2) Configure white list

Ruijie(config)# wids
Ruijie(config-wids)# whitelist mac-address 0000.0000.0002
3) Configure static blacklist

Ruijie(config-wids)# static-blacklist mac-address 0000.0000.0001


4) Configure intrusion detection to detect Flooding attack

Ruijie(config-wids)#attack-detection enable flood


5) Configure dynamic blacklist

Ruijie(config-wids)# dynamic-blacklist enable

Verification

# Display the white list configured

Ruijie#show wids whitelist


---------- Whitelist Information -------------
num Mac-address
1 0000.0000.0002

# Display the blacklist configured

Ruijie#show wids blacklist static


------------ Static Blacklist Information -------------
num Mac-address
1 0000.0000.0001
Configuration Guide Configuring CPU Protection

Configuring CPU Protection

Overview

Functions

Malicious attacks are common in network environments. Such attacks generally fabricate large numbers of management and protocol packets. The switch is kept busy processing these attack packets and has no time to process legitimate management and protocol packets, which seriously affects switch security and network stability.

Ruijie switches provide the CPU Protect Policy (CPP) function to protect the network against such malicious attacks. By identifying packets and suppressing attack packets, the CPP function:

 Weakens the impacts of attack packets on the switch (switch processor protection).

 Ensures that the packets are processed in a balanced manner.

 Meanwhile, the CPP provides flexible packet policies to allow network administrators to implement optimal
configuration for specific network environments, thereby ensuring switch security and network stability.

Principles of CPU Protect

The CPP function protects switch processor resources and guarantees important packets using the following technologies: packet identification and packet bandwidth control.

Packet identification

All packets to be sent to the switch for protocol processing are classified during packet identification, for example, ARP,
BPDU, and GVRP. (For data classification of each product, see Default Values of CPU Protect.)

Packet bandwidth control

An administrator can configure the bandwidth for packets of each type. In this way, high-speed attack packets can be
effectively suppressed on the network.

Configuration

Configuring the Bandwidth for Packets of Each Type

Set the bandwidth for packets of each type using the following steps in global configuration mode. Use the no form of this command to restore the default setting.

Command Function

Ruijie(config)# cpu-protect type { arp | bpdu | capwap-disc | d1x | dhcp-option82 | dhcp-relay-client | dhcp-relay-server | dhcps | igmp | ipmc | ipv6-nans | isis | lldp | ospf | ospfv3 | pim | pppoe | rip | ripng | vrrp } pps value
Sets the bandwidth for receiving packets of the specified type on the CPU port.
arp: ARP packets.
bpdu: IEEE BPDU packets.
capwap-disc: CAPWAP Discover packets.
d1x: 802.1x EAPOL packets.
dhcp-option82: DHCP option82 packets.
dhcp-relay-client: DHCP relay client packets.
dhcp-relay-server: DHCP relay server packets.
dhcps: DHCP Snooping packets.
igmp: IGMP packets.
ipmc: IPv4 multicast packets.
ipv6-nans: IPv6 neighbor discovery packets.
isis: ISIS packets.
lldp: LLDP packets.
ospf: OSPF packets.
ospfv3: OSPF version 3 packets.
pim: PIM packets.
pppoe: PPPoE packets.
rip: IPv4 RIP packets.
ripng: IPv6 RIP packets.
vrrp: VRRP packets.
value: Number of received packets per second, in the range from 0 to 148810, in pps.

Ruijie(config)# end Returns to privileged EXEC mode.

The default bandwidth for receiving ARP packets is 100 pps (WS5302) or 10000 pps (other models).

The default bandwidth for receiving bpdu/capwap-disc/d1x/dhcp-option82/dhcp-relay-client/dhcp-relay-server/dhcps/ipv6-nans/isis/lldp/ospf/pppoe/rip/vrrp packets is 128 pps.

The default bandwidth for receiving igmp packets is 200 pps (WS5302) or 500 pps (other models).

The default bandwidth for receiving ipmc packets is 128 pps.

The default bandwidth for receiving pim packets is 1000 pps.

The default bandwidth for receiving ospfv3 packets is 600 pps.

The default bandwidth for receiving ripng packets is 600 pps.

The following example sets the bandwidth of BPDU packets to 200 pps.

Ruijie(config)#cpu-protect type bpdu pps 200


Set packet type bpdu pps 100.

Default Values of CPU Protect

The following tables list the packet types that can be identified by switches of the various series, with their factory defaults. The maximum packet bandwidths can be restored to their default values by using the no cpu-protect type command.

WS5708 series switches

Packet Type         Description                                      Bandwidth (pps)
arp                 ARP protocol packet                              10000
bpdu                IEEE BPDU packet                                 128
dhcp-relay-client   DHCP Client packet of the DHCP Relay function    128
dhcp-relay-server   DHCP Server packet of the DHCP Relay function    128
dhcps               DHCP packet of the DHCP Snooping function        128
d1x                 802.1X EAPOL packet                              128
igmp                IGMP packet                                      200
isis                ISIS protocol packet                             128
dhcp_option82       DHCP Option82 packet                             128
ospf                OSPF protocol packet                             128
ospf3               OSPF Version3 protocol packet                    600
rip                 IPv4 RIP protocol packet                         128
ripng               IPv6 RIP protocol packet                         600
vrrp                VRRP packet                                      128
capwap_disc         CAPWAP discover packet                           128
lldp                LLDP link layer discovery packet                 128
pppoe               PPPoE packet                                     128

AP series switches

Packet Type         Description                                  Bandwidth (pps)
tp-guard            Topology Protection Protocol (TPP) packet    180
arp                 ARP packet                                   100
bpdu                IEEE BPDU packet                             128
dhcp_relay_client   DHCP Relay function, DHCP Client packet      128
dhcp_relay_server   DHCP Relay function, DHCP Server packet      128
dhcps               DHCP Snooping function, DHCP packet          128
d1x                 802.1X EAPOL packet                          128
igmp                IGMP packet                                  200
isis                ISIS packet                                  128
dhcp_option82       DHCP Option82 packet                         128
ospf                OSPF packet                                  128
ospf3               OSPF Version3 packet                         600
rip                 IPv4 RIP packet                              128
ripng               IPv6 RIP packet                              600
vrrp                VRRP packet                                  128
capwap_disc         CAPWAP discover packet                       128
lldp                LLDP packet                                  128
pppoe               PPPoE packet                                 128

Monitoring

The CPU Protect information that can be displayed through the switch includes the following:

Displaying Statistics about the Received Packets of a Specified Type

Use the following command to display the statistics about the received packets of each type in privileged EXEC mode.

Command Function

Ruijie# show cpu-protect type { arp | bpdu | capwap-disc | d1x | dhcp-option82 | dhcp-relay-client | dhcp-relay-server | dhcps | igmp | ipmc | ipv6-nans | isis | lldp | ospf | ospfv3 | pim | pppoe | rip | ripng | vrrp }
Displays statistics about the received packets of the specified type.
arp: ARP packets.
bpdu: IEEE BPDU packets.
capwap-disc: CAPWAP Discover packets.
d1x: 802.1x EAPOL packets.
dhcp-option82: DHCP Option82 packets.
dhcp-relay-client: DHCP relay client packets.
dhcp-relay-server: DHCP relay server packets.
dhcps: DHCP Snooping packets.
igmp: IGMP packets.
ipmc: IPv4 multicast packets.
ipv6-nans: IPv6 neighbor discovery packets.
isis: ISIS packets.
lldp: LLDP packets.
ospf: OSPF packets.
ospfv3: OSPF version 3 packets.
pim: PIM packets.
pppoe: PPPoE packets.
rip: IPv4 RIP packets.
ripng: IPv6 RIP packets.
vrrp: VRRP packets.

The following example uses the show cpu-protect type arp command to display statistics about ARP packets:

Ruijie# show cpu-protect type arp


Slot Type Pps Total Drop
--------- ------------ --------- --------- ---------
MainBoard arp 200 15 0
Slot-2 arp 200 15 0

Displaying Configuration Information of All Packet Types

Use the following command to display the bandwidth of packets of each type in privileged EXEC mode.

Command Function
Ruijie# show cpu-protect summary Display configuration information of all packet types.

The following example uses the show cpu-protect summary command to display configuration information of all packet
types:

Ruijie#show cpu-protect summary


Type Pps
------------------- ---------
arp 200
dhcps 128
d1x 128
bpdu 128
lldp 128
dhcp-relay-server 128
dhcp-relay-client 128
dhcp-option82 128
capwap-disc 128
ipv6-nans 128
pppoe 128
ripng 600
ospf 128
ospfv3 600
isis 128
vrrp 128
igmp 200
pim 1000
ipmc 128
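As an added example (not part of this guide or of RGOS), the following Python script parses the show cpu-protect summary and show cpu-protect type output formats shown above, compares the configured limits with the WS5708 factory defaults from Default Values of CPU Protect, and flags packet types whose counters show drops. The summary text is the guide's own sample; the bpdu statistics rows are constructed to show a limiter that is actively discarding.

```python
"""Audit CPU Protect (CPP) state from 'show cpu-protect' output (added example)."""
import re

# WS5708 factory defaults from the guide's table, keyed by the names the
# 'show cpu-protect summary' output uses (the table writes dhcp_option82,
# capwap_disc and ospf3; the summary writes dhcp-option82, capwap-disc, ospfv3).
WS5708_DEFAULT_PPS = {
    "arp": 10000, "bpdu": 128, "dhcp-relay-client": 128, "dhcp-relay-server": 128,
    "dhcps": 128, "d1x": 128, "igmp": 200, "isis": 128, "dhcp-option82": 128,
    "ospf": 128, "ospfv3": 600, "rip": 128, "ripng": 600, "vrrp": 128,
    "capwap-disc": 128, "lldp": 128, "pppoe": 128,
}

# Rows such as "arp 200" in the summary and "MainBoard arp 200 15 0" in the
# per-type statistics; header and separator lines carry no trailing digits.
SUMMARY_ROW = re.compile(r"^\s*([a-z0-9-]+)\s+(\d+)\s*$")
STATS_ROW = re.compile(r"^\s*(\S+)\s+([a-z0-9-]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Summary output copied from the guide's example.
SUMMARY_SAMPLE = """Type Pps
------------------- ---------
arp 200
dhcps 128
d1x 128
bpdu 128
lldp 128
dhcp-relay-server 128
dhcp-relay-client 128
dhcp-option82 128
capwap-disc 128
ipv6-nans 128
pppoe 128
ripng 600
ospf 128
ospfv3 600
isis 128
vrrp 128
igmp 200
pim 1000
ipmc 128
"""

# Per-type statistics: the arp rows are the guide's example; the bpdu row is
# constructed to show what an actively discarding limiter looks like.
STATS_SAMPLE = """Slot Type Pps Total Drop
--------- ------------ --------- --------- ---------
MainBoard arp 200 15 0
Slot-2 arp 200 15 0
MainBoard bpdu 128 91211 90173
"""


def parse_summary(text):
    """Return {packet_type: configured_pps} from 'show cpu-protect summary'."""
    limits = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def parse_type_stats(text):
    """Return [(slot, type, pps, total, drop)] from 'show cpu-protect type X'."""
    rows = []
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m:
            slot, ptype, pps, total, drop = m.groups()
            rows.append((slot, ptype, int(pps), int(total), int(drop)))
    return rows


def audit_limits(limits, defaults=WS5708_DEFAULT_PPS):
    """List (type, message) for limits that differ from the platform defaults.

    A limit of 0 pps silences that protocol on the CPU port, and a raised limit
    weakens the protection the default gives, so both directions are reported.
    Types absent from the defaults table (pim, ipmc, ipv6-nans on WS5708) are
    skipped rather than guessed.
    """
    findings = []
    for ptype, pps in sorted(limits.items()):
        default = defaults.get(ptype)
        if default is None:
            continue
        if pps == 0:
            findings.append((ptype, "0 pps: all %s packets to the CPU are dropped" % ptype))
        elif pps != default:
            findings.append((ptype, "limit %d pps differs from default %d pps" % (pps, default)))
    return findings


def dropping_types(rows):
    """Return [(slot, type, drop)] where the CPP limiter has discarded packets."""
    return [(slot, ptype, drop) for slot, ptype, _pps, _total, drop in rows if drop > 0]


if __name__ == "__main__":
    for finding in audit_limits(parse_summary(SUMMARY_SAMPLE)):
        print("limit:", *finding)
    for slot, ptype, drop in dropping_types(parse_type_stats(STATS_SAMPLE)):
        print("drops: %s %s %d packets discarded" % (slot, ptype, drop))
```

A non-zero Drop column is the first thing to look at when a protocol is misbehaving on an AC: it shows that the CPP limiter, not the protocol itself, is discarding the packets.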
Configuration Guide Configuring NFPP

Configuring NFPP

Overview

NFPP is the abbreviation of Network Foundation Protection Policy.

NFPP Function

In a network, some malicious attacks place an excessive burden on the switch, so that the CPU of the switch cannot operate normally.

A DoS attack may consume large amounts of switch memory, table entries and other resources, resulting in system service failure.

A large volume of packet traffic occupies the CPU bandwidth, so that the CPU fails to handle protocol and management packets, which affects data forwarding, device management by the administrator and the normal running of the device and the network.

A large volume of packet traffic also consumes massive CPU resources, keeping the CPU in a high-load state and affecting device management by the administrator and the normal running of the device.

With NFPP enabled, the system is protected from such attacks, the CPU load is relieved, and the normal and stable operation of the system services and the whole network is ensured.

NFPP Principle

As shown in Figure 1-1, NFPP datagram processing consists of hardware filtering, CPU Protect Policy (CPP), packet attack detection/rate limiting, Protocol/Manage/Route flow classification, focused rate limiting and finally application-layer handling.

The CPP classification and rate-limit configuration not only classifies the CPU datagrams according to the CPP service classification principle, but also limits the rate of packet transmission, preventing different packet types from competing for bandwidth and solving the problem that, when a large flow of one packet type attacks the device, other packets cannot be handled in time. For example, on an NFPP-enabled device carrying both OSPF packets and BPDUs, OSPF/BPDU packets consuming a large amount of CPU bandwidth will not affect the reception of BPDU/OSPF packets.

To make full use of the NFPP function, you can modify the rate-limit value of each packet type in the CPU Protect Policy according to the specific network environment, or use the recommended values displayed after executing the show cpu-protect summary command.

Figure 1-1 The data flow diagram of NFPP system



NFPP provides host-based and port-based attack thresholds and rate-limit thresholds that the administrator can set flexibly for the specific network, to control the rate at which packets are received per host or per port. With the attack threshold configured, after an attack is detected, the anti-attack policy raises an attack warning or performs the isolation action. For the isolation action, the anti-attack policy uses the hardware filter to make sure that attack packets are not sent to the CPU, ensuring normal device operation.

After detecting an attack, NFPP sends warning messages to the administrator. To avoid displaying warnings too frequently, the same warning message is not shown again within 60 s of being sent.
Printing syslog messages frequently consumes CPU resources. For this reason, NFPP writes the attack detection syslog messages to a buffer and prints them at a limited rate. No rate limit is applied to TRAP messages.

As shown in Table-1, packets are classified into the Manage, Route and Protocol packet types. Each packet type has its own independent bandwidth; bandwidth cannot be shared between types, and packet flow exceeding the bandwidth threshold is discarded. Packet flow classification ensures that the packet type configured on the device takes precedence over other packet types. The administrator can flexibly allocate bandwidth among the three packet types according to the actual network environment and make sure that protocol and manage packets are handled first, so that protocols run normally and the administrator can manage the device, thereby safeguarding the normal operation of each important function on the device and improving its anti-attack capability.

Packet Type   Service Type defined in the CPP
Protocol      tp-guard, dot1x, rldp, rerp, slow-packet, bpdu, isis, dhcps, gvrp, ripng, dvmrp, igmp, mpls, ospf, pim, pimv6, rip, vrrp, ospf3, dhcp-relay-s, dhcp-relay-c, option82, tunnel-bpdu, tunnel-gvrp
Route         unknown-ipmc, unknown-ipmcv6, ttl1, ttl0, udp-helper, ip4-packet-other, ip6-packet-other, non-ip-packet-other, arp
Manage        ip4-packet-local, ip6-packet-local

After classification rate limiting, all classified flows converge into one queue. If the processing rate of one packet type is low, its packets accumulate in the queue and eventually consume the queue resources. The administrator can configure a packet percent for each type: if the queue length occupied by one packet type exceeds the total queue length multiplied by that type's packet percent, packets of that type are discarded.

Configuration

Default NFPP Configuration

The default configurations of NFPP are as follows:

Packet Type   Default Traffic Bandwidth   Default Packet Percent
Manage        3000 pps                    30
Route         3000 pps                    25
Protocol      3000 pps                    45

ARP-guard

ARP-guard Overview

In a local area network (LAN), IP addresses are resolved to MAC addresses by the ARP protocol, so ARP plays an important role in network security. An ARP DoS attack sends a large number of illegal ARP packets to the gateway, preventing the gateway from providing services. To deal with this attack, on one hand you can configure a rate limit for ARP packets; on the other hand you can detect and isolate the attack source.

ARP attack detection can be host-based or port-based. Host-based ARP attack detection is further classified into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each type of attack detection, you can configure a rate-limit threshold and a warning threshold. ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, warning messages are displayed and a TRAP message is sent. Host-based attack detection can also isolate the attack source.

In addition, ARP-guard can detect ARP scans. In an ARP scan, either the link-layer source MAC address is fixed while the source IP address changes, or the source MAC address and source IP address are fixed while the destination IP address changes. Ruijie products only support detection of the first kind of ARP scan (the link-layer source MAC address is fixed while the source IP address changes).

Note that ARP-guard only handles ARP DoS attacks; it does not address ARP spoofing or other ARP attack problems in the network.

Enabling ARP-guard

You can enable arp-guard in the NFPP configuration mode or in the interface configuration mode.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard enable Enable arp-guard. By default, arp-guard is enabled. Use the no form of this command to disable arp-guard; use the default form of this command to restore the default setting.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp arp-guard enable Enable arp-guard on the interface. By default, arp-guard is not enabled on the interface. Use the no or default form of this command to restore the default setting.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.

With the arp-guard disabled, the monitored hosts and scan hosts are auto-cleared.

Configuring the isolated time

The isolation time for attackers can be configured in NFPP (global) configuration mode or in interface configuration mode. By default, the isolated time configured in global configuration mode is used. Use the no or default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard isolate-period [ seconds | permanent ] Set the isolate period. The default is 0, which means no isolation.
seconds: The value is 0, or in the range from 30 to 86400, in seconds.
permanent: permanent isolation.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp arp-guard isolate-period [ seconds | permanent ] Set the isolate period. By default, the isolate period is not configured on the interface.
seconds: The value is 0, or in the range from 30 to 86400, in seconds.
permanent: permanent isolation.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Display the arp-guard parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the global isolated time to the default value, use the no arp-guard isolate-period or default arp-guard
isolate-period command in the NFPP configuration mode. If the isolated time has been configured on a port, you can use
the no arp-guard isolate-period command to remove the port-based isolated time configuration in NFPP configuration
mode.

Configuring the monitored time

If the isolated time is 0 (that is, no isolation), the serviceview monitor is performed to automatically monitor the attacker for the configured monitored period, making the attacker information available in the system. If the isolated time is not 0, arp-guard performs hardware isolation of the hosts found by the serviceview monitor.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard monitor-period seconds Configure the monitored time in the range from 180 to 86400, in seconds. The default value is 600 seconds.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Display the arp-guard parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored time to the default value, use the no or default form of this command in NFPP configuration mode.

If the isolated time is 0, the serviceview monitor is performed to monitor the detected attacker, and the timeout is the monitored period. During the serviceview monitor, if the isolated time is not 0, hardware isolation is performed to isolate the attacker and the timeout is the isolated period. The monitored period is valid only when the isolated period is 0.
Changing the isolated time from non-0 to 0 removes the attackers from the interface rather than switching them to the serviceview monitor.

Configuring the trusted host

Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.

Command Function

arp-guard trusted-host ip mac Set the trusted host.
ip: set the IP address.
mac: set the MAC address.

no arp-guard trusted-host { all | ip mac } Restore the default setting.
ip: set the IP address.
mac: set the MAC address.
all: delete all trusted hosts.

After this function is enabled, ARP packets from the trusted host are sent to the CPU without rate limiting or alarm notification. Up to 500 trusted hosts are supported.

The following example sets the host whose IP address and MAC address are 1.1.1.1 and 0000.0000.1111 respectively as
the trusted host.

Ruijie(config)# nfpp
Ruijie(config-nfpp)#arp-guard trusted-host 1.1.1.1 0000.0000.1111

Configuring the monitored host limit

Use this command to set the maximum number of monitored hosts. Use the no or default form of this command to restore
the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard monitored-host-limit number Configure the monitored host limit in the range from 1 to 4294967295. The default is 1000.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Display the arp-guard parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored host limit to the default value, use the no arp-guard monitored-host-limit command in NFPP configuration mode.

If the number of monitored hosts has reached the default of 1000 and the administrator sets a monitored host limit smaller than 1000, the existing monitored hosts are not deleted and the message "%ERROR: The value that you configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts." is displayed to notify the administrator that the configuration is invalid and that some of the monitored hosts must be removed first.

The message "% NFPP_ARP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts." is displayed if the monitored host table is full.

Host-based rate-limit and attack detection

Host-based attack detection is classified into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each type, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, warning messages are displayed and a TRAP message is sent.

ARP-guard can also detect ARP scans; the scan threshold is counted within 10 s and is 15 by default. If 15 or more ARP packets are received within 10 s and the link-layer source MAC address is fixed while the source IP address changes, or the source MAC address and source IP address are fixed while the destination IP address changes, an ARP scan is detected, recorded in the syslog, and TRAP messages are sent.

The following message is displayed when an ARP DoS attack is detected:

%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)

The content in brackets is the attack detection time.

The description carried in the corresponding TRAP message is:

ARP DoS attack from host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.

If the administrator has set a non-zero isolated time, the following message is displayed when hardware isolation succeeds:

%NFPP_ARP_GUARD-4-ISOLATED:Host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)

The description carried in the corresponding TRAP message is:

Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was isolated.

When hardware isolation fails due to a lack of memory or hardware resources, the following message is displayed:

%NFPP_ARP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)

The description carried in the corresponding TRAP message is:

Failed to isolate host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1>.

The following message is displayed when an ARP scan is detected:

%NFPP_ARP_GUARD-4-SCAN: Host<IP=1.1.1.1,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The description carried in the corresponding TRAP message is:

ARP scan from host< IP=1.1.1.1,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.

The ARP scan table keeps the latest 256 records. When the ARP scan table is full, the following message is displayed:

%NFPP_ARP_GUARD-4-SCAN_TABLE_FULL: ARP scan table is full.

The following message reminds the administrator that the configured rate-limit threshold is higher than the attack threshold:

%ERROR: rate limit is higher than attack threshold 500pps.

The following message reminds the administrator that the configured attack threshold is smaller than the rate-limit threshold:

%ERROR: attack threshold is smaller than rate limit 300pps.

Isolating an attacker installs a policy in hardware. When hardware resources are exhausted, a message is displayed to inform the administrator.
When memory cannot be allocated for a detected attacker, a message such as "%NFPP_ARP_GUARD-4-NO_MEMORY: Failed to alloc memory." is displayed to inform the administrator.
The ARP scan table contains only the latest 256 records. When the ARP scan table is full, the newest record overwrites the oldest one.

The administrator can configure the host-based rate-limit and attack detection in the NFPP configuration mode and in the
interface configuration mode. Use the no or default form of these commands to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard rate-limit { per-src-ip | per-src-mac } pps Configure the arp-guard rate limit, ranging from 1 to 9999, 8 by default.
per-src-ip: detect hosts based on the source IP address/VID/port;
per-src-mac: detect hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# arp-guard attack-threshold { per-src-ip | per-src-mac } pps Configure the arp-guard attack threshold, ranging from 1 to 9999, 16 by default. When the number of ARP packets sent from a host exceeds the attack threshold, the attack is detected and ARP-guard isolates the host, records the message and sends the TRAP packet.
per-src-ip: detect hosts based on the source IP address/VID/port;
per-src-mac: detect hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# arp-guard scan-threshold pkt-cnt Configure the arp-guard scan threshold, counted within 10 seconds, ranging from 1 to 9999. The default scan threshold is 15 packets within 10 seconds. If 15 or more ARP packets are received within 10 s and the link-layer source MAC address is fixed while the source IP address changes, or the source MAC address and source IP address are fixed while the destination IP address changes, an ARP scan is detected.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp arp-guard policy { per-src-ip | per-src-mac } rate-limit-pps attack-threshold-pps Configure the rate-limit and attack threshold on the specified interface. By default, the rate-limit threshold and the attack threshold are not configured on the interface.
rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999.
attack-threshold-pps: set the attack threshold. The valid range is 1-9999.
per-src-ip: detect hosts based on the source IP/VID/port;
per-src-mac: detect hosts based on the link-layer source MAC/VID/port.

Ruijie(config-if)# nfpp arp-guard scan-threshold pkt-cnt Configure the arp-guard scan threshold on the interface, in the range from 1 to 9999. By default, the port-based scan threshold is not configured.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Check the arp-guard parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Port-based rate-limit and attack detection

You can configure the arp-guard rate limit and attack threshold on a port. The rate-limit value must be less than the attack threshold value. When the ARP packet rate on a port exceeds the rate limit, ARP packets are dropped. When the ARP packet rate on a port exceeds the attack threshold, the CLI displays a prompt and TRAP packets are sent.

The following message is displayed when an ARP DoS attack is detected on a port:

%NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The additional information carried in the TRAP packet is:

ARP DoS attack was detected on port Gi4/1.

This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of these commands to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# arp-guard rate-limit per-port pps Configure the arp-guard rate limit of ARP packets on the port, ranging from 1 to 9999, 100 by default.

Ruijie(config-nfpp)# arp-guard attack-threshold per-port pps Configure the arp-guard attack threshold, ranging from 1 to 9999, 200 by default. When the number of ARP packets on a port exceeds the attack threshold, the CLI displays a prompt and TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp arp-guard policy per-port rate-limit-pps attack-threshold-pps Configure the rate-limit and attack threshold on the specified interface. By default, the rate-limit threshold and the attack threshold are not configured on the interface.
rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999.
attack-threshold-pps: set the attack threshold. The valid range is 1-9999.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp arp-guard summary Display the arp-guard parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

MAC address-based rate limiting takes precedence over IP address-based rate limiting, and IP address-based rate limiting takes precedence over port-based rate limiting.
For the best arp-guard protection, the administrator should configure the host-based rate-limit and attack thresholds according to the following principle:
IP address-based rate-limit threshold < IP address-based attack threshold < source MAC address-based rate-limit threshold < source MAC address-based attack threshold.
When configuring the rate limit on a port, refer to the number of users on that port. For example, if 500 users exist on a port, you can set the rate limit on this port to 500.

Clearing the monitored hosts

The isolated hosts can be recovered automatically after a period of the time. The administrator can use the following
command to clear the isolated hosts manually.

Command Function

Ruijie# clear nfpp arp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address | mac-address ] If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.

Clearing the ARP scan table

The administrator can use the following command to clear the ARP scan table manually.

Command Function

Ruijie# clear nfpp arp-guard scan Clear the ARP scan table.

Displaying ARP-Guard Configuration

Use this command to display the arp-guard configurations.

Command Function

Ruijie# show nfpp arp-guard summary Display the arp-guard configurations.

For example,

Ruijie# show nfpp arp-guard summary
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold Scan-threshold
Global Enable 300 4/5/60 8/10/100 15
G 0/1 Enable 180 5/-/- 8/-/- -
G 0/2 Disable 200 4/5/60 8/10/100 20
Maximum count of monitored hosts: 1000
Monitor period: 300s

Field Description

Global The global configuration.
Status Whether the arp-guard is enabled or disabled.
Rate-limit Source IP address-based rate-limit threshold / source MAC address-based rate-limit threshold / port-based rate-limit threshold.
Attack-threshold The same format as Rate-limit.
- Not configured.

“4/5/60” indicates that the rate-limit threshold of source IP addresses is 4, the one of source MAC addresses is 5 and the one of each port is 60.
The field Rate-limit in line G 0/1 is 5/-/-, indicating that on port G 0/1 the rate-limit threshold for source IP addresses is 5 and no threshold is configured for source MAC addresses or for the port.
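The summary output above can be audited mechanically against the threshold ordering recommended earlier in this section (IP rate-limit < IP attack threshold < source MAC rate-limit < source MAC attack threshold) and against the rule that a port's rate limit must stay below its attack threshold. The following Python script is an added example, not Ruijie code: it parses the sample output exactly as printed above (embedded here as a constructed string) and reports each row that does not follow the recommendation. Run on that sample, it flags the Global and G 0/2 rows, because the per-src-ip attack threshold (8) is not below the per-src-mac rate limit (5).

```python
"""Audit 'show nfpp arp-guard summary' output against the recommended threshold order.

Added example (not Ruijie code). Assumes the column layout shown in the guide:
Interface Status Isolate-period Rate-limit Attack-threshold Scan-threshold, with
Rate-limit and Attack-threshold written as per-src-ip/per-src-mac/per-port and
'-' meaning 'not configured'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the summary output shown in this section, copied verbatim.
SAMPLE = """\
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold Scan-threshold
Global Enable 300 4/5/60 8/10/100 15
G 0/1 Enable 180 5/-/- 8/-/- -
G 0/2 Disable 200 4/5/60 8/10/100 20
Maximum count of monitored hosts: 1000
Monitor period: 300s
"""

# A data row is either "Global" or an interface like "G 0/1", then the five columns.
ROW_RE = re.compile(
    r"^(?P<iface>Global|\S+ \S+)\s+(?P<status>Enable|Disable)\s+(?P<isolate>\d+)\s+"
    r"(?P<rl>\S+)\s+(?P<at>\S+)\s+(?P<scan>\S+)$"
)

Triple = Tuple[Optional[int], Optional[int], Optional[int]]


@dataclass
class GuardRow:
    interface: str
    enabled: bool
    isolate_period: int
    rate_limit: Triple        # (per-src-ip, per-src-mac, per-port); None = '-'
    attack_threshold: Triple
    scan_threshold: Optional[int]


def _num(token: str) -> Optional[int]:
    """'-' means the threshold is not configured."""
    return None if token == "-" else int(token)


def _triple(token: str) -> Triple:
    parts = token.split("/")
    if len(parts) != 3:
        raise ValueError(f"expected a/b/c triple, got {token!r}")
    return (_num(parts[0]), _num(parts[1]), _num(parts[2]))


def parse_summary(text: str) -> List[GuardRow]:
    """Return one GuardRow per data line; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(GuardRow(
            interface=m["iface"],
            enabled=(m["status"] == "Enable"),
            isolate_period=int(m["isolate"]),
            rate_limit=_triple(m["rl"]),
            attack_threshold=_triple(m["at"]),
            scan_threshold=_num(m["scan"]),
        ))
    return rows


def check_host_ordering(row: GuardRow) -> List[str]:
    """Violations of ip_rl < ip_at < mac_rl < mac_at among the configured values."""
    ip_rl, mac_rl, _ = row.rate_limit
    ip_at, mac_at, _ = row.attack_threshold
    chain = [("per-src-ip rate-limit", ip_rl), ("per-src-ip attack-threshold", ip_at),
             ("per-src-mac rate-limit", mac_rl), ("per-src-mac attack-threshold", mac_at)]
    configured = [(name, val) for name, val in chain if val is not None]
    problems = []
    for (n1, v1), (n2, v2) in zip(configured, configured[1:]):
        if not v1 < v2:
            problems.append(f"{row.interface}: {n1} ({v1}) should be less than {n2} ({v2})")
    return problems


def check_port_pair(row: GuardRow) -> List[str]:
    """The port rate limit must be below the port attack threshold."""
    rl, at = row.rate_limit[2], row.attack_threshold[2]
    if rl is None or at is None or rl < at:
        return []
    return [f"{row.interface}: per-port rate-limit ({rl}) should be less than "
            f"per-port attack-threshold ({at})"]


def audit(text: str) -> List[str]:
    """All findings for a summary output, in row order."""
    findings: List[str] = []
    for row in parse_summary(text):
        findings += check_host_ordering(row) + check_port_pair(row)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The same parser works for `show nfpp ip-guard summary`, whose per-src-mac column is always `-`, so only the IP and port checks apply there.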

Displaying trusted host configuration

Use this command to display the trusted host configuration in privileged EXEC mode.

Command Function

show nfpp arp-guard trusted-host Display the trusted host configuration.

The following example displays the trusted host.

Ruijie# show nfpp arp-guard trusted-host
IP address mac
--------- ------
1.1.1.1 0000.0000.1111
1.1.2.1 0000.0000.2222
Total:2 record(s)

Displaying monitored host configuration

Command Function

Ruijie# show nfpp arp-guard hosts statistics Display the arp-guard hosts statistics, including total host amount, isolated host amount and non-isolated host amount.

Ruijie# show nfpp arp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address | mac-address ] Display the isolated host information. If no parameter is specified, all hosts detected to be under attack will be displayed. If any parameter is specified, only eligible hosts will be displayed.

For example,

Ruijie# show nfpp arp-guard hosts statistics
success fail total
------- ---- -----
100 20 120

Meaning: 120 hosts are under isolation in total; 100 of them were isolated successfully and 20 failed.

Ruijie# show nfpp arp-guard hosts
If column 1 shows '*', it means "hardware do not isolate user" .
VLAN interface IP address MAC address remain-time(s)
---- -------- --------- ----------- -------------
1 Gi0/1 1.1.1.1 - 110
2 Gi0/2 1.1.2.1 - 61
*3 Gi0/3 - 0000.0000.1111 110
4 Gi0/4 - 0000.0000.2222 61
Total: 4 hosts

Ruijie# show nfpp arp-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address MAC address remain-time(s)
---- -------- --------- ----------- -------------
1 Gi0/1 1.1.1.1 - 110
Total: 1 host

The preceding fields indicate the VLAN number, interface, IP address, MAC address and remaining isolation time respectively.
If "*" is displayed in the first column of a line, the host is currently subject to software monitoring or the hardware isolation has failed due to insufficient resources.
If the MAC address column shows “-”, the host is identified by its source IP address; if the IP address column shows “-”, the host is identified by its source MAC address.

Displaying the ARP scan table

Command Function

Ruijie# show nfpp arp-guard scan statistics Display the arp-guard scan statistics.

Ruijie# show nfpp arp-guard scan [ vlan vid ] [ interface interface-id ] [ ip-address ] [ mac-address ] Display the arp-guard scan information. If no parameter is specified, the whole ARP scan table will be displayed; if any parameter is specified, only eligible entries will be displayed.

For example,

Ruijie# show nfpp arp-guard scan statistics
ARP scan table has 4 record(s).

Meaning: The ARP scan table has four records in total.

Ruijie# show nfpp arp-guard scan
VLAN interface IP address MAC address timestamp
---- -------- ---------- ----------- ----------
1 Gi0/1 N/A 0000.0000.0001 2008-01-23 16:23:10
2 Gi0/2 1.1.1.1 0000.0000.0002 2008-01-23 16:24:10
3 Gi0/3 N/A 0000.0000.0003 2008-01-23 16:25:10
4 Gi0/4 N/A 0000.0000.0004 2008-01-23 16:26:10
Total: 4 record(s)

“timestamp” represents the time when the ARP scan was detected. For example, “2008-01-23 16:23:10” represents that
the ARP scan was detected at 16:23:10, Jan 23, 2008.

Ruijie# show nfpp arp-guard scan vlan 1 interface G 0/1 0000.0000.0001
VLAN interface IP address MAC address timestamp
---- -------- ---------- ----------- ----------
1 Gi0/1 N/A 0000.0000.0001 2008-01-23 16:23:10
Total: 1 record(s)

IP-guard

IP-guard Overview

Many hacker attacks and network virus outbreaks begin with network scanning. The large number of scanning packets takes up network bandwidth and disrupts normal network communication.

The Ruijie Layer-3 device provides the IP-guard function to prevent attacks from hackers and from viruses such as “Blaster”, reducing the CPU load on the Layer-3 device.

There are two types of IP packet attack:

Scanning with a changing destination IP address: this not only consumes network bandwidth and increases the device load, but is also the prelude to a hacker attack.

Sending IP packets to a non-existent destination IP address at a high rate: on a Layer-3 device, if the destination IP address exists, the packets are forwarded directly by the switching chip without consuming CPU resources. If the destination IP address does not exist, the IP packets are sent to the CPU, which then sends ARP request packets to resolve the MAC address of the destination IP address. When many such IP packets are sent to the CPU, this consumes CPU resources.

The workaround for this attack: on one hand, you can configure the IP packet rate-limit; on the other hand, you can detect and isolate the attack source.

IP attack detection can be host-based or port-based. Host-based IP attack detection identifies a host by the combination of source IP address/VID/port. For each kind of attack detection, you can configure a rate-limit threshold and a warning threshold. IP packets are dropped when the packet rate exceeds the rate-limit threshold. When the IP packet rate exceeds the warning threshold, a warning message is logged and a TRAP message is sent. Host-based attack detection can isolate the attack source.

Note that IP-guard handles attacks by IP packets whose destination IP address is not the device's own (host) IP address. For IP packets whose destination is the device's own IP address, use CPP (CPU Protect Policy) to limit the rate.

With ip-guard enabled on the interface and a non-0 isolated period configured, the hosts sending the attacking IP packets are isolated.

Enabling IP-guard

You can enable ip-guard in the NFPP configuration mode or in the interface configuration mode. By default, the ip-guard is
enabled. Use the no or default form of these commands to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard enable Enable the ip-guard. By default, ip-guard is enabled.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp ip-guard enable Enable the ip-guard on the interface. By default, ip-guard is not enabled on the interface.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.


With the ip-guard disabled, the monitored hosts are auto-cleared.

Configuring the isolated time

For the isolated time of the attacker, it is configured in NFPP configuration mode. Use the no or default form of these
commands to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard isolate-period [ seconds | permanent ] Configure the global isolated time. The value is 0 or in the range from 30 to 86400 seconds. The default is 0 seconds, representing no isolation. permanent represents permanent isolation.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp ip-guard isolate-period [ seconds | permanent ] Configure the isolated time on the port. The value is 0 or in the range from 180 to 86400 seconds. By default, the isolated time configured globally applies. 0 represents no isolation. permanent represents permanent isolation.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the global isolated time to the default value, use the no ip-guard isolate-period command in the NFPP
configuration mode. If the isolated time has been configured on a port, you can use the no ip-guard isolate-period
command to remove the port-based isolated time configuration in NFPP configuration mode.

Configuring the monitored time

If the isolated time is 0 (that is, no isolation), the serviceview monitor auto-monitors the attacker for the configured monitored period and keeps the attacker information in the system. If the isolated time is not 0, the ip-guard performs hardware isolation of the hosts found by the serviceview monitor.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard monitor-period seconds Configure the monitored time in the range from 180 to 86400 seconds. The default value is 600s.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored time to the default value, use the no ip-guard monitor-period command in the NFPP
configuration mode.

If the isolated time is 0, the serviceview monitor monitors the detected attacker, and the timeout is the monitored period. If the isolated time is not 0, hardware isolation is performed on the attacker, and the timeout is the isolated period. The monitored period is valid only when the isolated period is 0.
Changing the isolated time from non-0 to 0 removes the attackers from the interface instead of placing them under serviceview monitoring.
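To make the interplay of the host-based thresholds and the isolate/monitor timers concrete, here is a small Python model of the decision path this guide describes for ip-guard: a counter per source IP/VID/port, packets above the rate-limit dropped, a host detected once its count exceeds the attack threshold, then either isolated for the isolated period (non-0, or permanent) or only monitored for the monitored period (isolated period 0), with trusted hosts exempt and the monitored-host limit enforced. This is an added example, not Ruijie code: per-second counting, the exact expiry bookkeeping and the scenario traffic are assumptions, and port-based counting is left out.

```python
"""Model of the ip-guard host-based rate-limit / attack-threshold / isolation logic.

Added example, not Ruijie code. Assumptions: packets are counted per whole second
per (source IP, VID, port); a host is detected when its count exceeds the attack
threshold; the isolated period of 0 means 'monitor only'; 'permanent' never expires.
Log strings follow the message formats quoted in this guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

HostKey = Tuple[str, int, str]  # (source IP, VID, port)


@dataclass
class IpGuardConfig:
    rate_limit_pps: int = 20            # guide default for per-src-ip rate-limit
    attack_threshold_pps: int = 20      # guide default for per-src-ip attack threshold
    isolate_period: Union[int, str] = 0 # 0 = no isolation; seconds; or "permanent"
    monitor_period: int = 600           # guide default monitored time
    monitored_host_limit: int = 1000    # guide default
    trusted: Set[str] = field(default_factory=set)  # trusted-host IPs (assumed exact)


@dataclass
class HostState:
    state: str                   # "isolated" or "monitored"
    expires_at: Optional[float]  # None = permanent


class IpGuard:
    def __init__(self, cfg: IpGuardConfig):
        self.cfg = cfg
        self.counters: Dict[HostKey, List[int]] = {}   # key -> [second, count]
        self.hosts: Dict[HostKey, HostState] = {}      # monitored-host table
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        """Drop table entries whose isolate/monitor timer has run out."""
        for key, st in list(self.hosts.items()):
            if st.expires_at is not None and now >= st.expires_at:
                del self.hosts[key]

    def packet(self, ip: str, vid: int, port: str, now: float) -> str:
        """Handle one IP packet; returns 'forward', 'drop' or 'isolated'."""
        key: HostKey = (ip, vid, port)
        self._expire(now)
        if ip in self.cfg.trusted:              # trusted hosts are never limited
            return "forward"
        st = self.hosts.get(key)
        if st is not None and st.state == "isolated":
            return "isolated"                   # hardware isolation in effect
        sec = int(now)
        cnt = self.counters.get(key)
        if cnt is None or cnt[0] != sec:        # new second: restart the counter
            cnt = self.counters[key] = [sec, 0]
        cnt[1] += 1
        if cnt[1] > self.cfg.attack_threshold_pps and key not in self.hosts:
            self._detect(key, now)
        return "drop" if cnt[1] > self.cfg.rate_limit_pps else "forward"

    def _detect(self, key: HostKey, now: float) -> None:
        ip, vid, port = key
        limit = self.cfg.monitored_host_limit
        if len(self.hosts) >= limit:            # table full: warn, do not add
            self.log.append(f"%NFPP_IP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit "
                            f"of {limit} monitored hosts.")
            return
        self.log.append(f"%NFPP_IP_GUARD-4-DOS_DETECTED:Host<IP={ip},MAC= N/A,"
                        f"port={port},VLAN={vid}> was detected.")
        if self.cfg.isolate_period == 0:        # monitor only, timed by monitor-period
            self.hosts[key] = HostState("monitored", now + self.cfg.monitor_period)
            return
        expires = None if self.cfg.isolate_period == "permanent" \
            else now + int(self.cfg.isolate_period)
        self.hosts[key] = HostState("isolated", expires)
        self.log.append(f"%NFPP_IP_GUARD-4-ISOLATED:Host <IP={ip}, MAC= N/A,"
                        f"port={port},VLAN={vid}> was isolated.")


def run_scenario(isolate_period: Union[int, str]):
    """Constructed traffic: one bursting host, one trusted bursting host."""
    cfg = IpGuardConfig(rate_limit_pps=5, attack_threshold_pps=8,
                        isolate_period=isolate_period, trusted={"10.0.0.99"})
    g = IpGuard(cfg)
    results = {"forward": 0, "drop": 0, "isolated": 0}
    for i in range(10):                         # 10 packets in one second
        results[g.packet("10.0.0.5", 1, "Gi0/1", 100.0 + i * 0.05)] += 1
    for i in range(10):                         # trusted host, same burst
        results[g.packet("10.0.0.99", 1, "Gi0/1", 100.0 + i * 0.05)] += 1
    for i in range(3):                          # next second, attacker again
        results[g.packet("10.0.0.5", 1, "Gi0/1", 101.0 + i * 0.05)] += 1
    st = g.hosts.get(("10.0.0.5", 1, "Gi0/1"))
    return results, (st.state if st else None), g


if __name__ == "__main__":
    for period in (0, 300):
        res, state, guard = run_scenario(period)
        print(f"isolate-period={period}: {res}, host state={state}")
        print("\n".join(guard.log))
```

With the isolated period 0 the attacker is only recorded in the table (the 0-isolation case described above), and in the next second its packets are forwarded again up to the rate limit; with a non-0 period every further packet is refused until the timer expires.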

Configuring the monitored host limit

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard monitored-host-limit number Configure the monitored host limit in the range from 1 to 4294967295. The default is 1000.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored host limit to the default value, use the no ip-guard monitored-host-limit or default ip-guard
monitored-host-limit command in the NFPP configuration mode.

If the number of monitored hosts has reached the default 1000 and the administrator sets the monitored host limit to a value smaller than 1000, the existing monitored hosts are not deleted and the message “%ERROR: The value that you configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts.” is displayed to notify the administrator that the configuration is invalid and that some monitored hosts must be cleared first.
The message “% NFPP_IP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.” is displayed if the monitored host table is full.

Host-based rate-limit and attack detection

Use the source IP address/VID/port-based method to detect the host-based attack. For each attack detection, you can
configure the rate-limit threshold and attack threshold (also called warning threshold). The IP packet will be dropped when
the packet rate exceeds the rate-limit threshold. When the IP packet rate exceeds the warning threshold, it will prompt the
warning messages and send the TRAP message.

It prompts the following message if the IP DoS attack was detected:

%NFPP_IP_GUARD-4- DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The following example displays the describing information included in the sent TRAP messages:

IP DoS attack from host<IP=1.1.1.1,MAC= N/A,,port=Gi4/1,VLAN=1> was detected.

If the isolated time is not set as 0 by the administrator, when the hardware isolation succeeds, it prompts:

%NFPP_IP_GUARD-4-ISOLATED:Host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)

The following example displays the describing information included in the sent TRAP messages:

Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated.

When it fails to isolate the hardware due to a lack of memory or hardware resources, it prompts:

%NFPP_IP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)

The following example displays the describing information included in the sent TRAP messages:

Failed to isolate host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>.

It prompts the following message when the IP scan was detected:

%NFPP_IP_GUARD-4-SCAN: Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The following example displays the describing information included in the sent TRAP messages:

IP scan from host< IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was detected.

A policy is set in the hardware when isolating attackers. When hardware resources are exhausted, a message is displayed to inform the administrator.
When memory cannot be allocated for a detected attacker, the message “%NFPP_IP_GUARD-4-NO_MEMORY: Failed to alloc memory.” is displayed to inform the administrator.

This section shows the administrator how to configure the host-based rate-limit and attack detection in NFPP configuration mode. Use the no or default form of these commands to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard rate-limit per-src-ip pps Configure the ip-guard rate-limit in the range from 1 to 9999 pps. The default is 20 pps. per-src-ip: detect the hosts based on the source IP address/VID/port.

Ruijie(config-nfpp)# ip-guard attack-threshold per-src-ip pps Configure the ip-guard attack threshold in the range from 1 to 9999, 20 by default. When the IP packet number sent from a host exceeds the attack threshold, the attack is detected and IP-guard isolates the host, records the message and sends the TRAP packet. per-src-ip: detect the hosts based on the source IP address/VID/port.

Ruijie(config-nfpp)# ip-guard scan-threshold pkt-cnt Configure the ip-guard scan threshold, counted over 10 s, in the range from 1 to 9999 pps. The default is 100 pps.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp ip-guard policy per-src-ip rate-limit-pps attack-threshold-pps Configure the rate-limit and attack threshold on the specified interface. rate-limit-pps: set the rate-limit threshold; the valid range is 1-9999 and by default the global rate-limit threshold value applies. attack-threshold-pps: set the attack threshold; the valid range is 1-9999 and by default the global attack threshold value applies. per-src-ip: detect the hosts based on the source IP address/VID/port.

Ruijie(config-if)# nfpp ip-guard scan-threshold pkt-cnt Configure the ip-guard scan threshold on the interface, counted over 10 s, in the range from 1 to 9999. By default, the port-based scan threshold is not configured.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.


Port-based rate-limit and attack detection

You can configure the ip-guard rate limit and attack threshold on the port. The rate limit value must be less than the attack
threshold value. When the IP packet rate on a port exceeds the limit, the IP packets are dropped. When the IP packet rate
on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.

It prompts the following message when the IP DoS attack was detected on a port:

%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is the additional information carried in the sent TRAP packet:

IP DoS attack was detected on port Gi4/1.
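The host-based and port-based messages quoted in this section and the previous one share one shape: a `%NFPP_<guard>_GUARD-<severity>-<mnemonic>:` header, a body that names either a `<IP=..., MAC=..., port=..., VLAN=...>` host or a port, and a trailing timestamp. A collector that forwards device syslog to a SIEM can turn them into structured events, so that an ISOLATE_FAILED, SESSION_LIMIT or NO_MEMORY message (the cases where the guard could not protect the device) raises an alert rather than being lost among routine detections. The Python below is an added example, not Ruijie code: the sample log is constructed from the message formats printed in this guide (the icmp-guard line follows the format shown in the ICMP-guard section), and the event field names and the "needs attention" classification are this example's own choices.

```python
"""Parse NFPP guard syslog messages into structured events.

Added example, not Ruijie code. The message formats are those quoted in this
guide; the tolerance for the irregular spacing seen in them ("-4- DOS_DETECTED",
"MAC= N/A", a doubled comma) is deliberate.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log built from the message formats this guide quotes.
SAMPLE_LOG = """\
%NFPP_IP_GUARD-4- DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)
%NFPP_IP_GUARD-4-ISOLATED:Host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)
%NFPP_IP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)
%NFPP_IP_GUARD-4-SCAN: Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)
%NFPP_IP_GUARD-4-PORT_ATTACKED: IP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)
%NFPP_ICMP_GUARD-4- DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)
%NFPP_IP_GUARD-4-NO_MEMORY: Failed to alloc memory.
some unrelated line that is not an NFPP message
"""

# %NFPP_<guard>_GUARD-<sev>-<mnemonic>: <body> (<timestamp>)   (timestamp optional)
HEADER_RE = re.compile(
    r"^%NFPP_(?P<guard>[A-Z]+)_GUARD-(?P<sev>\d)-\s*(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<body>.*?)\s*(?:\((?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\))?$"
)
# <IP=..., MAC=..., port=..., VLAN=...> as printed in host-based messages
HOST_RE = re.compile(
    r"<\s*IP=(?P<ip>[^,>]+),\s*MAC=\s*(?P<mac>[^,>]+),+\s*port=(?P<port>[^,>]+),"
    r"\s*VLAN=(?P<vlan>\d+)\s*>"
)
# "... was detected on port Gi4/1." in port-based messages
PORT_RE = re.compile(r"on port (?P<port>[\w/]+)")

# Mnemonics that mean the guard could not (or can no longer) protect the device.
NEEDS_ATTENTION = {"ISOLATE_FAILED", "SESSION_LIMIT", "NO_MEMORY"}


def _field(value: str) -> Optional[str]:
    """'N/A' in the message means the field does not identify the host."""
    value = value.strip()
    return None if value == "N/A" else value


def parse_line(line: str) -> Optional[Dict]:
    """Return a structured event for an NFPP message, or None for other lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event: Dict = {
        "guard": m["guard"].lower(),          # "ip", "icmp", "arp", ...
        "severity": int(m["sev"]),
        "mnemonic": m["mnemonic"],
        "timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S") if m["ts"] else None,
        "ip": None, "mac": None, "port": None, "vlan": None,
    }
    host = HOST_RE.search(m["body"])
    if host:                                   # host-based message
        event["ip"] = _field(host["ip"])
        event["mac"] = _field(host["mac"])
        event["port"] = host["port"].strip()
        event["vlan"] = int(host["vlan"])
    else:                                      # port-based or resource message
        port = PORT_RE.search(m["body"])
        if port:
            event["port"] = port["port"]
    return event


def parse_log(text: str) -> List[Dict]:
    """All NFPP events in a block of syslog text, in order."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def needs_attention(events: List[Dict]) -> List[Dict]:
    """Events an operator should act on: isolation or table/memory failures."""
    return [ev for ev in events if ev["mnemonic"] in NEEDS_ATTENTION]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(ev["guard"], ev["mnemonic"], ev["ip"], ev["port"], ev["vlan"], ev["timestamp"])
    print("needs attention:", [ev["mnemonic"] for ev in needs_attention(events)])
```

The same regexes also match the SESSION_LIMIT and ERROR-style messages quoted above, since they start with the same `%NFPP_..._GUARD-4-` header and carry no host block.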

This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of these commands to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard rate-limit per-port pps Configure the ip-guard rate-limit of the IP packets on the port, ranging from 1 to 9999, 100 by default.

Ruijie(config-nfpp)# ip-guard attack-threshold per-port pps Configure the ip-guard attack threshold in the range from 1 to 9999, 2000 by default. When the IP packet number on a port exceeds the attack threshold, the CLI prompts and the TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)#nfpp ip-guard policy per-port Configure the rate-limit and attack threshold on the specified
rate-limit-pps attack-threshold-pps interface.
rate-limit-pps: set the rate-limit threshold. The valid range is
1-9999 and by default, it adopts the global rate-limit threshold
value.
attack-threshold-pps: set the attack threshold. The valid range
is 1-9999 and by default, it adopts the global attack threshold
value.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.


The source IP address-based rate limit takes precedence over port-based rate limit.

Configuring the trusted hosts

Use the following commands to set the trusted host to make a host free from monitoring. The IP packets are allowed to be
sent to the CPU from the trusted host.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# ip-guard trusted-host ip mask Configure the IP address range for the trusted hosts. Up to 500 IP address entries can be configured.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp ip-guard trusted-host Display the trusted host settings.

Ruijie# copy running-config startup-config Save the configurations.

In the NFPP configuration mode, use the no or default form of this command to delete a trusted host entry and use the all
form of this command to delete all trusted hosts.

For example: The following example deletes all trusted hosts:

Ruijie(config-nfpp)# no ip-guard trusted-host all

The following example deletes a trusted host entry:

Ruijie(config-nfpp)# no ip-guard trusted-host 1.1.1.1 255.255.255.255

The message “%ERROR: Attempt to exceed limit of 500 trusted hosts.” informs the administrator that the trusted host table is full.
If the IP address of a trusted host entry being added is the same as one in the untrusted (monitored) host list, the system automatically deletes that entry according to the IP address.
The message “%ERROR:Failed to delete trusted host 1.1.1.0 255.255.255.0.” informs the administrator that removal of the trusted host failed.
The message “%ERROR:Failed to add trusted host 1.1.1.0 255.255.255.0.” informs the administrator that adding the trusted host failed.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 has already been configured.” informs the administrator that the trusted host to be added already exists.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” informs the administrator that the trusted host to be deleted does not exist.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” is also displayed if memory cannot be allocated for the trusted host.

Clearing the monitored hosts

The isolated hosts can be recovered automatically after a period of the time. The administrator can use the following
command to clear the isolated hosts manually.

Command Function

Ruijie# clear nfpp ip-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ] If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.

Displaying ip-guard configuration

Use this command to display the ip-guard configurations.

Command Function

Ruijie# show nfpp ip-guard summary Display the ip-guard configurations.

For example,

Ruijie# show nfpp ip-guard summary
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold Scan-threshold
Global Enable 300 4/-/60 8/-/100 15
G 0/1 Enable 180 5/-/- 8/-/- -
G 0/2 Disable 200 4/-/60 8/-/100 20
Maximum count of monitored hosts: 1000
Monitor period: 300s

Field Description

Global The global configuration.
Status Whether the ip-guard is enabled or disabled.
Rate-limit Source IP address-based rate-limit threshold / source MAC address-based rate-limit threshold / port-based rate-limit threshold.
Attack-threshold The same format as Rate-limit.
- Not configured.

“4/-/60” indicates that the rate-limit threshold of source IP addresses is 4 and the one of each port is 60.
The field Rate-limit in line G 0/1 is 5/-/-, indicating that on port G 0/1 the rate-limit threshold for source IP addresses is 5 and no threshold is configured for the port.

Displaying monitored host configuration

Command Function

Ruijie# show nfpp ip-guard hosts statistics Display the ip-guard hosts statistics, including total host amount, isolated host amount and non-isolated host amount.

Ruijie# show nfpp ip-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address | mac-address ] Display the isolated host information. If no parameter is specified, all hosts detected to be under attack will be displayed. If any parameter is specified, only eligible hosts will be displayed.

For example,

Ruijie# show nfpp ip-guard hosts statistics
success fail total
------- ---- -----
100 20 120

Meaning: 120 hosts are under isolation in total; 100 of them were isolated successfully and 20 failed.

Ruijie# show nfpp ip-guard hosts
If column 1 shows '*', it means "hardware do not isolate user" .
VLAN interface IP address MAC address remain-time(s)
---- -------- --------- ----------- -------------
1 Gi0/1 1.1.1.1 ATTACK 110
2 Gi0/2 1.1.2.1 SCAN 61
Total: 2 hosts

Ruijie# show nfpp ip-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address MAC address remain-time(s)
---- -------- --------- ----------- -------------
1 Gi0/1 1.1.1.1 ATTACK 110
Total: 1 host

The preceding fields indicate the VLAN number, interface, IP address, reason for being monitored and remaining isolation time.
If "*" is displayed in the first column of a line, the host is currently subject to software monitoring or the hardware isolation has failed due to insufficient resources.
The fourth field, Reason, describes why the host is monitored: ATTACK indicates that the host's IP packet sending rate exceeds the attack threshold, and SCAN indicates that the host is scanning a network segment.

Displaying the trusted host configuration

Command Function

Ruijie# show nfpp ip-guard trusted-host Display the trusted hosts.

For example,

Ruijie# show nfpp ip-guard trusted-host
IP address mask
--------- ------
1.1.1.0 255.255.255.0
1.1.2.0 255.255.255.0
Total: 2 record(s)

ICMP-guard

ICMP-guard Overview

ICMP attack detection can be host-based or port-based. ICMP is used to diagnose network trouble: a host sends an ICMP echo request packet, and the router/switch returns an ICMP echo reply packet upon receiving it. In an “ICMP flood” attack, the attacker sends a large number of ICMP echo request packets to the destination device, consuming its CPU resources and disrupting its operation. The workaround for the “ICMP flood” attack: on one hand, you can configure the ICMP packet rate-limit; on the other hand, you can detect and isolate the attack source.

Host-based ICMP attack detection identifies a host by the combination of source IP address/VID/port. For each kind of attack detection, you can configure a rate-limit threshold and a warning threshold. ICMP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ICMP packet rate exceeds the warning threshold, a warning message is logged and a TRAP message is sent. Host-based attack detection can isolate the attack source.

Enabling ICMP-guard

You can enable icmp-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
icmp-guard is enabled.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard enable Enable the icmp-guard. By default, icmp-guard is enabled.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp icmp-guard enable Enable the icmp-guard on the interface. By default, icmp-guard is not enabled on the interface.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.

With the icmp-guard disabled, the monitored hosts are auto-cleared.

Configuring the isolated time

For the isolated time of the attacker, it can be configured in NFPP configuration mode.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard isolate-period [ seconds | permanent ] Configure the global isolated time. The value is 0 or in the range from 30 to 86400 seconds. The default is 0 seconds, which means no isolation. permanent represents permanent isolation.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp icmp-guard isolate-period [ seconds | permanent ] Configure the isolated time on the port. The value is 0 or in the range from 30 to 86400 seconds. By default, the isolated period is not configured on the port. permanent represents permanent isolation.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the global isolated time to the default value, use the no icmp-guard isolate-period or default icmp-guard
isolate-period command in the NFPP configuration mode. If the isolated time has been configured on a port, you can use
the no icmp-guard isolate-period command to remove the port-based isolated time configuration in NFPP configuration
mode.

Configuring the monitored time

If neither a global nor a port-based isolated period is configured (including the case where the interface isolated time is set to 0), the serviceview monitor auto-monitors the attacker for the configured monitored period and keeps the attacker information in the system. If a global or port-based isolated period is configured, the ICMP-guard performs hardware isolation of the hosts found by the serviceview monitor.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard monitor-period seconds Configure the monitored time, ranging from 180 to 86400 seconds (one day). The default value is 600s.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored time to the default value, use the no icmp-guard monitor-period command in the NFPP
configuration mode.

If the isolated time is 0, the serviceview monitor monitors the detected attacker, and the timeout is the monitored period. If the isolated time is not 0, hardware isolation is performed on the attacker, and the timeout is the isolated period. The monitored period is valid only when the isolated period is 0.
Changing the isolated time from non-0 to 0 removes the attackers from the interface instead of placing them under serviceview monitoring.

Configuring the monitored host limit

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard monitored-host-limit seconds Configure the monitored host limit, ranging 1-4294967295.
The default value is 1000.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored host limit to the default value, use the no icmp-guard monitored-host-limit command in the
NFPP configuration mode.

If the number of monitored hosts has reached the default 1000 and the administrator sets the monitored host limit smaller
than 1000, the existing monitored hosts are not deleted and the message “%ERROR: The value that you configured is
smaller than current monitored hosts 1000, please clear a part of monitored hosts.” is prompted to notify the
administrator that the configuration is invalid and that part of the monitored hosts must be removed first.

It prompts the message “% NFPP_ICMP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.” if the
monitored host table is full.

Host-based rate-limit and attack detection

Use the source IP address/VID/port-based method to detect the host-based attack. For each attack detection, you can
configure the rate-limit threshold and attack threshold (also called warning threshold). The ICMP packet will be dropped
when the packet rate exceeds the rate-limit threshold. When the ICMP packet rate exceeds the warning threshold, it will
prompt the warning messages and send the TRAP message.

It prompts the following message if an ICMP DoS attack is detected:

%NFPP_ICMP_GUARD-4- DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

ICMP DoS attack from host<IP=1.1.1.1,MAC= N/A,,port=Gi4/1,VLAN=1> was detected.

If the isolated time is not set to 0 by the administrator, it prompts the following when the hardware isolation succeeds:

%NFPP_ICMP_GUARD-4-ISOLATED:Host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

Host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated.

When hardware isolation fails due to a lack of memory or hardware resources, it prompts:

%NFPP_ICMP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP==1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

Failed to isolate host<IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1>.

When it fails to allocate memory for the detected attackers, it prompts the message
“%NFPP_ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory.” to inform the administrator.

This section shows the administrator how to configure the host-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of this command to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard rate-limit per-src-ip pps Configure the icmp-guard rate-limit, ranging from 1 to 9999; the
default value is half of the port-based global rate-limit. per-src-ip: detect the hosts based on the source IP
address/VID/port.

Ruijie(config-nfpp)# icmp-guard attack-threshold per-src-ip pps Configure the icmp-guard attack threshold, ranging from 1
to 9999 pps; the default value is the source IP address-based rate limit. When the number of ICMP packets sent from a host
exceeds the attack threshold, the attack is detected and ICMP-guard isolates the host, records the message and sends
the TRAP packet. per-src-ip: detect the hosts based on the source IP address/VID/port.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp icmp-guard policy per-src-ip rate-limit-pps attack-threshold-pps Configure the rate-limit and attack
threshold on the specified interface. rate-limit-pps: set the rate-limit threshold; the valid range is 1-9999 and by default
it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold; the valid range is 1-9999
and by default it adopts the global attack threshold value. per-src-ip: detect the hosts based on the source IP/VID/port.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Port-based rate-limit and attack detection

You can configure the icmp-guard rate limit and attack threshold on the port. The rate limit value must be less than the
attack threshold value. When the ICMP packet rate on a port exceeds the limit, the ICMP packets are dropped. When the
ICMP packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.

It prompts the following message when an ICMP DoS attack is detected on a port:

%NFPP_ICMP_GUARD-4-PORT_ATTACKED: ICMP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is the additional information of the sent TRAP packet:

ICMP DoS attack was detected on port Gi4/1.

This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of this command to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard rate-limit per-port pps Configure the icmp-guard rate-limit of the ICMP packets on the port,
ranging from 1 to 9999. The default values vary with different products:
For S26 series, the default value is 200;
For S2924G, the default value is 200;
For S3250E, the default value is 250;
For S3760, the default value is 420;
For S3760E, the default value is 250;
For S5750, the default value is 130;
For S5760, the default value is 130;
For S86 series, the default value varies with the CM: (a) for M8606-CM and M8610-CM, the default value is 400; (b) for
M8606-CM II, M8610-CM II and M8614-CM II, the default value is 2000.

Ruijie(config-nfpp)# icmp-guard attack-threshold per-port pps Configure the icmp-guard attack threshold, ranging from 1 to
9999. The default value is the port-based rate limit. When the number of ICMP packets on a port exceeds the attack
threshold, the CLI prompts and the TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp icmp-guard policy per-port rate-limit-pps attack-threshold-pps Configure the rate-limit and attack
threshold on the specified interface. rate-limit-pps: set the rate-limit threshold; the valid range is 1-9999 and by default
it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold; the valid range is 1-9999
and by default it adopts the global attack threshold value.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.


The source IP address-based rate limit takes precedence over port-based rate limit.
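The host-based and port-based rules above (rate limit below attack threshold, source limit taking precedence over port limit, hardware isolation versus serviceview monitoring when the isolated period is 0, trusted-host exemption, and the clear command) can be followed in a small model. This is an added Python example, not Ruijie code: the one-second counters, the GuardPolicy and IcmpGuard names, the scenario values, and the assumption that packets dropped by the source limit do not count against the port are mine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class GuardPolicy:
    """Thresholds in pps, as set by the icmp-guard rate-limit / attack-threshold commands."""
    src_rate_limit: int = 4            # icmp-guard rate-limit per-src-ip
    src_attack_threshold: int = 8      # icmp-guard attack-threshold per-src-ip
    port_rate_limit: int = 60          # icmp-guard rate-limit per-port
    port_attack_threshold: int = 100   # icmp-guard attack-threshold per-port
    isolate_period: int = 0            # 0 = no isolation, serviceview monitoring only
    monitor_period: int = 600          # icmp-guard monitor-period
    monitored_host_limit: int = 1000   # icmp-guard monitored-host-limit
    trusted_hosts: tuple = ()          # "ip/mask" strings, like icmp-guard trusted-host ip mask

    def __post_init__(self):
        # The guide requires the port rate limit to be below the port attack threshold.
        if not self.port_rate_limit < self.port_attack_threshold:
            raise ValueError("port rate-limit must be less than the port attack threshold")
        self.trusted = [ip_network(h, strict=False) for h in self.trusted_hosts]


class IcmpGuard:
    def __init__(self, policy):
        self.policy = policy
        self.window = None      # the one-second window the counters belong to
        self.src_counts = {}    # (ip, vid, port) -> packets seen this second
        self.port_counts = {}   # port -> packets seen this second
        self.monitored = {}     # (ip, vid, port) -> (state, expiry time)
        self.events = []        # (event name, subject) in the order they would be logged

    def _roll(self, now):
        if now != self.window:  # a new second starts the counters again
            self.window = now
            self.src_counts.clear()
            self.port_counts.clear()
        # entries age out after the isolated period, or the monitored period if not isolated
        for key, (_, expiry) in list(self.monitored.items()):
            if now >= expiry:
                del self.monitored[key]

    def is_trusted(self, ip):
        return any(ip_address(ip) in net for net in self.policy.trusted)

    def _detect(self, key, now):
        self.events.append(("DOS_DETECTED", key))
        if len(self.monitored) >= self.policy.monitored_host_limit:
            self.events.append(("SESSION_LIMIT", key))  # table full: host is not tracked
            return
        if self.policy.isolate_period == 0:
            self.monitored[key] = ("monitored", now + self.policy.monitor_period)
        else:
            self.monitored[key] = ("isolated", now + self.policy.isolate_period)
            self.events.append(("ISOLATED", key))

    def handle(self, ip, vid, port, now):
        """Process one ICMP packet bound for the CPU; returns 'forward' or 'drop'."""
        self._roll(now)
        if self.is_trusted(ip):
            return "forward"                 # trusted hosts are exempt from monitoring
        key = (ip, vid, port)
        if self.monitored.get(key, ("", 0))[0] == "isolated":
            return "drop"                    # hardware isolation already in place
        n = self.src_counts[key] = self.src_counts.get(key, 0) + 1
        if n > self.policy.src_attack_threshold and key not in self.monitored:
            self._detect(key, now)
        if n > self.policy.src_rate_limit:
            return "drop"                    # the source-based limit wins over the port-based one
        # Assumption: only packets that pass the source limit count against the port.
        p = self.port_counts[port] = self.port_counts.get(port, 0) + 1
        if p == self.policy.port_attack_threshold + 1:
            self.events.append(("PORT_ATTACKED", port))
        return "drop" if p > self.policy.port_rate_limit else "forward"

    def clear_hosts(self, vlan=None, interface=None, ip=None):
        """Mirror of 'clear nfpp icmp-guard hosts [vlan vid] [interface id] [ip-address]'."""
        hits = [k for k in self.monitored if (ip is None or k[0] == ip)
                and (vlan is None or k[1] == vlan) and (interface is None or k[2] == interface)]
        for k in hits:
            del self.monitored[k]
        return len(hits)


def flood_scenario():
    """Constructed scenario: one host floods while a trusted host pings, then the attacker times out."""
    policy = GuardPolicy(src_rate_limit=4, src_attack_threshold=8, port_rate_limit=60,
                         port_attack_threshold=100, isolate_period=300,
                         trusted_hosts=("1.1.2.0/255.255.255.0",))
    guard = IcmpGuard(policy)
    attacker = [guard.handle("1.1.1.1", 1, "Gi4/1", now=0) for _ in range(12)]
    trusted = [guard.handle("1.1.2.7", 1, "Gi4/1", now=0) for _ in range(12)]
    still_isolated = guard.handle("1.1.1.1", 1, "Gi4/1", now=10) == "drop"
    released = guard.handle("1.1.1.1", 1, "Gi4/1", now=300) == "forward"
    return {"attacker_forwarded": attacker.count("forward"),
            "trusted_forwarded": trusted.count("forward"),
            "events": [name for name, _ in guard.events],
            "still_isolated": still_isolated, "released": released}
```

In the scenario the attacker gets four packets through, the next four are rate-limited, the ninth trips the attack threshold and hardware isolation, and the host is released once the 300 s isolated period has passed.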

Configuring the trusted hosts

Use the following commands to set the trusted host to make a host free from monitoring. The ping packets are allowed to
be sent to the CPU from the trusted host. Use the no or default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# icmp-guard trusted-host ip mask Configure the IP address range for the trusted hosts. Up to 500 IP
address entries can be configured.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp icmp-guard trusted-host Display the trusted host settings.

Ruijie# copy running-config startup-config Save the configurations.

No trusted host is configured by default. The following example deletes all trusted hosts:

Ruijie(config-nfpp)# no icmp-guard trusted-host all

The following example deletes a trusted host entry:

Ruijie(config-nfpp)# no icmp-guard trusted-host 1.1.1.1 255.255.255.255

It prompts “%ERROR: Attempt to exceed limit of 500 trusted hosts.” to inform the administrator that the trusted host
table is full.
If the IP address of the trusted host entry is the same as one in the untrusted host list, the system auto-deletes that
entry according to the IP address.
It prompts “%ERROR:Failed to delete trusted host 1.1.1.0 255.255.255.0.” to inform the administrator that the trusted
host removal failed.
It prompts “%ERROR:Failed to add trusted host 1.1.1.0 255.255.255.0.” to inform the administrator that adding the
trusted host failed.
It prompts “%ERROR:Trusted host 1.1.1.0 255.255.255.0 has already been configured.” to inform the administrator that the
trusted host to be added already exists.
It prompts “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” to inform the administrator that the trusted host to
be deleted does not exist.
It prompts “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” to inform the administrator if it fails to allocate
memory for the trusted host.

Clearing the monitored hosts

The isolated hosts are recovered automatically after a period of time. The administrator can use the following command
to clear the isolated hosts manually.

Command Function

Ruijie# clear nfpp icmp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ] If no parameter is specified, all
hosts detected to be under attack are cleared. If any parameter is specified, only the eligible hosts are cleared.

Displaying icmp-guard configuration

Use this command to display the icmp-guard configurations.

Command Function

Ruijie# show nfpp icmp-guard summary Display the icmp-guard configurations.

For example,

Ruijie# show nfpp icmp-guard summary
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold
Global Enable 300 4/-/60 8/-/100
G 0/1 Enable 180 5/-/- 8/-/-
G 0/2 Disable 200 4/-/60 8/-/100
Maximum count of monitored hosts: 1000
Monitor period: 300s

Interface: Global refers to the global configuration.
Status: whether icmp-guard is enabled or disabled.
Rate-limit: in the format of source IP address-based rate-limit threshold / source MAC address-based rate-limit threshold /
port-based rate-limit threshold.
Attack-threshold: in the same format as Rate-limit.
-: no configuration.
“4/-/60” indicates that the rate-limit threshold of source IP addresses is 4 and the one of each port is 60.
The field Rate-limit in line G 0/1 is 5/-/-, indicating that the rate-limit threshold of the port G 0/1 for source IP
addresses is 5 and no threshold is configured for the port.

Displaying monitored host configuration

Command Function

Ruijie# show nfpp icmp-guard hosts statistics Display the icmp-guard hosts statistics, including total host amount,
isolated host amount and non-isolated host amount.

Ruijie# show nfpp icmp-guard hosts [ vlan vid ] [ interface interface-id ] [ ip-address ] Display the isolated hosts
information. If no parameter is specified, all hosts detected to be under attack are displayed. If any parameter is
specified, only the eligible hosts are displayed.

For example,

Ruijie#show nfpp icmp-guard hosts statistics
success fail total
------- ---- -----
100 20 120

Indicates: Totally 120 hosts are isolated, including 100 successful hosts and 20 failed hosts.

Ruijie# show nfpp icmp-guard hosts
If column 1 shows '*', it means "hardware do not isolate user" .
VLAN interface IP address remain-time(s)
---- -------- --------- -------------
1 Gi0/1 1.1.1.1 110
2 Gi0/2 1.1.2.1 61
Total: 2 hosts

Ruijie# show nfpp icmp-guard hosts vlan 1 interface G 0/1 1.1.1.1
If column 1 shows '*', it means "hardware do not isolate user".
VLAN interface IP address remain-time(s)
---- -------- --------- -------------
1 Gi0/1 1.1.1.1 80
Total: 1 host

The preceding fields indicate VLAN number, interface, IP address, MAC address and remaining time of
isolation.
If "*" is displayed in the first column of a specific line, it means that this host is currently subject to software
monitoring or the hardware isolation has failed due to insufficient resources.

Displaying the trusted host configuration

Use the show nfpp icmp-guard trusted-host command to display the trusted hosts exempt from monitoring:

Command Function

Ruijie# show nfpp icmp-guard trusted-host Display the trusted hosts.

For example,

Ruijie#show nfpp icmp-guard trusted-host
IP address mask
--------- ------
1.1.1.0 255.255.255.0
1.1.2.0 255.255.255.0
Total: 2 record(s)

DHCP-guard

DHCP-guard Overview

The DHCP protocol is widely used to dynamically allocate IP addresses in the LAN and plays an important role in
network security. A “DHCP exhaustion” attack broadcasts DHCP request packets with forged MAC addresses. If there
are too many DHCP request packets, the attacker may use up the addresses provided by the DHCP server, so that a legal
host fails to obtain a DHCP IP address and access the network. The workaround for the “DHCP exhaustion” attack: on one
hand, you may configure the DHCP packet rate-limit; on the other hand, you may detect and isolate the attack source.

DHCP attack detection can be host-based or port-based. Host-based DHCP attack detection uses the combination of
source MAC address/VID/port. For each attack detection, you can configure the rate-limit threshold and warning
threshold. The DHCP packet is dropped when the packet rate exceeds the rate-limit threshold. When the DHCP packet
rate exceeds the warning threshold, it prompts the warning messages and sends the TRAP message. The host-based
attack detection can isolate the attack source.

Enabling DHCP-guard

You can enable dhcp-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
dhcp-guard is enabled. Use the no or default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard enable Enable the dhcp-guard. By default, dhcp-guard is enabled.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcp-guard enable Enable the dhcp-guard on the interface. By default, dhcp-guard is not enabled
on the interface.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.

With the dhcp-guard disabled, the monitored hosts are auto-cleared.

Configuring the isolated time

For the isolated time of the attacker, it can be configured in the global or interface configuration mode. By default, the
isolated time is configured in the global configuration mode. Use the no or default form of this command to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard isolate-period [ seconds | permanent ] Configure the global isolated time, ranging 0s,
30-86400s (one day). The default value is 0s, representing no isolation. Permanent represents permanent isolation.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcp-guard isolate-period [ seconds | permanent ] Configure the isolated time on the port,
ranging 0s, 180-86400s (one day). By default, the isolated time is configured globally. 0s represents no isolation.
Permanent represents permanent isolation.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the global isolated time to the default value, use the no dhcp-guard isolate-period command in the NFPP
configuration mode. If the isolated time has been configured on a port, you can use the no dhcp-guard isolate-period
command to remove the port-based isolated time configuration in the interface configuration mode.

Configuring the monitored time

If the isolated time is 0 (that is, no isolation), the serviceview monitor auto-monitors the attacker according to the
configured monitored period and provides the attacker information in the system. If the isolated time is not 0,
DHCP-guard performs hardware isolation of the hosts found by the serviceview monitor.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard monitor-period seconds Configure the monitored time in the range from 180 to 86400
seconds. The default is 600 seconds.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Use the no or default form of this command in NFPP configuration mode to restore the default setting.

If the isolated time is 0, the serviceview monitor is used to monitor the detected attacker, and the timeout is the
monitored period. If the isolated time is not 0, hardware isolation is used to isolate the attacker, and the timeout is the
isolated period. The monitored period is valid only when the isolated period is 0.
Modifying the isolated time from non-0 to 0 removes the attackers from the interface rather than switching them to the
serviceview monitor.

Configuring the trusted host

Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.

Command Function

dhcp-guard trusted-host mac Set the trusted host. mac: the MAC address of the host.

no dhcp-guard trusted-host { all | mac } Restore the default setting. mac: the MAC address of the trusted host to delete.
all: delete all trusted hosts.

After this function is enabled, the DHCP packets are sent from the trusted host to CPU without rate limit or alarm
notification. Up to 500 trusted hosts are supported.

The following example sets the host whose MAC address is 0000.0000.1111 as the trusted host.

Ruijie(config)# nfpp
Ruijie(config-nfpp)#dhcp-guard trusted-host 0000.0000.1111

Configuring the monitored host limit

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard monitored-host-limit seconds Configure the monitored host limit in the range from 1 to
4294967295. The default is 1000.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Use the no or default form of this command in NFPP configuration mode to restore the default setting.

If the number of monitored hosts has reached the default 1000 and the administrator sets the monitored host limit
smaller than 1000, the existing monitored hosts are not deleted and the message “%ERROR: The value that you configured
is smaller than current monitored hosts 1000, please clear a part of monitored hosts.” is prompted to notify the
administrator that the configuration is invalid and that part of the monitored hosts must be removed first.

It prompts the message “% NFPP_DHCP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.” if the
monitored host table is full.

Host-based rate-limit and attack detection

Use the source MAC/VID/port-based method to detect the host-based attack. For each attack detection, you can
configure the rate-limit threshold and attack threshold (also called warning threshold). The DHCP packet will be dropped
when the packet rate exceeds the rate-limit threshold. When the DHCP packet rate exceeds the warning threshold, it will
prompt the warning messages and send the TRAP message.

It prompts the following message if a DHCP DoS attack is detected:

%NFPP_DHCP_GUARD-4- DOS_DETECTED:Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

DHCP DoS attack from host<IP= N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected.

If the isolated time is not set to 0 by the administrator, it prompts the following when the hardware isolation succeeds:

%NFPP_DHCP_GUARD-4-ISOLATED:Host <IP= N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was isolated.

When hardware isolation fails due to a lack of memory or hardware resources, it prompts:

%NFPP_DHCP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)

The following example shows the descriptive information included in the sent TRAP messages:

Failed to isolate host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1>.

When it fails to allocate memory for the detected attackers, it prompts the message
“%NFPP_DHCP_GUARD-4-NO_MEMORY: Failed to alloc memory.” to inform the administrator.
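The syslog and TRAP texts quoted for ICMP-guard above and for DHCP-guard here share one layout, so a log collector can turn them into structured events and flag hosts that were detected but never reached hardware isolation, or resource failures that leave the CPU unprotected. This is an added Python example, not part of the guide; the regular expressions, the parse_nfpp and triage names and the SAMPLE_LOG lines are constructed from the message formats shown in these two sections.

```python
import re
from collections import Counter, defaultdict

# Syslog layout of the NFPP guard messages quoted in the guide, e.g.
# %NFPP_ICMP_GUARD-4-DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)
HEADER = re.compile(r"%\s*NFPP_(?P<guard>[A-Z0-9]+)_GUARD-(?P<severity>\d)-\s*(?P<mnemonic>[A-Z_]+):\s*(?P<body>.*)")
# Host tuple; tolerant of the spacing, '==' and ',,' variants that appear in the documented texts.
HOST = re.compile(r"<\s*IP=+\s*(?P<ip>[^,\s]+)\s*,+\s*MAC=\s*(?P<mac>[^,\s]+)\s*,+\s*port=\s*(?P<port>[^,\s]+)"
                  r"\s*,+\s*VLAN=\s*(?P<vlan>\d+)\s*>")
PORT = re.compile(r"on port (?P<port>\S+?)\.")
STAMP = re.compile(r"\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)")

# Constructed sample lines in the formats the guide documents (not a real capture).
SAMPLE_LOG = [
    "%NFPP_ICMP_GUARD-4- DOS_DETECTED:Host<IP=1.1.1.1,MAC= N/A,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)",
    "%NFPP_ICMP_GUARD-4-ISOLATED:Host <IP=1.1.1.1, MAC= N/A,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)",
    "%NFPP_ICMP_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP==1.1.1.2, MAC= N/A,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:01)",
    "%NFPP_DHCP_GUARD-4-DOS_DETECTED:Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:02)",
    "%NFPP_ICMP_GUARD-4-PORT_ATTACKED: ICMP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:03)",
    "% NFPP_DHCP_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.",
    "%SYS-5-CONFIG_I: Configured from console",  # unrelated line, must be ignored
]


def parse_nfpp(line):
    """Return a structured event for an NFPP guard syslog line, or None for any other line."""
    m = HEADER.search(line)
    if not m:
        return None
    body = m.group("body")
    event = {"guard": m.group("guard"), "severity": int(m.group("severity")),
             "mnemonic": m.group("mnemonic"), "time": None, "host": None, "port": None}
    stamp = STAMP.search(body)
    if stamp:
        event["time"] = stamp.group("ts")
    host = HOST.search(body)
    port = PORT.search(body)
    if host:
        # N/A means the field does not apply (ICMP-guard keys on IP, DHCP-guard on MAC)
        event["host"] = {k: (None if v == "N/A" else v) for k, v in host.groupdict().items()}
        event["port"] = event["host"]["port"]
    elif port:
        event["port"] = port.group("port")
    return event


def triage(lines):
    """Summarise a batch of messages: counts per mnemonic, hosts that never reached hardware
    isolation, resource problems that leave the CPU unprotected, and ports under attack."""
    events = [e for e in map(parse_nfpp, lines) if e]
    counts = Counter(e["mnemonic"] for e in events)
    seen = defaultdict(set)  # (guard, address, port, vlan) -> mnemonics logged for it
    for e in events:
        if e["host"]:
            h = e["host"]
            seen[(e["guard"], h["ip"] or h["mac"], h["port"], h["vlan"])].add(e["mnemonic"])
    unisolated = sorted(k for k, m in seen.items()
                        if ("DOS_DETECTED" in m or "ISOLATE_FAILED" in m) and "ISOLATED" not in m)
    resource_trouble = counts["ISOLATE_FAILED"] + counts["NO_MEMORY"] + counts["SESSION_LIMIT"]
    attacked_ports = sorted({e["port"] for e in events if e["mnemonic"] == "PORT_ATTACKED"})
    return {"counts": dict(counts), "unisolated": unisolated,
            "resource_trouble": resource_trouble, "attacked_ports": attacked_ports}
```

On the sample lines, the DHCP host that was detected with isolate-period 0 and the ICMP host whose isolation failed both land in the unisolated list, which is where an alert should fire since those hosts still reach the CPU.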

This section shows the administrator how to configure the host-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of this command to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard rate-limit per-src-mac pps Configure the dhcp-guard rate-limit, ranging from 1 to 9999, 5
by default. per-src-mac: detect the hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# dhcp-guard attack-threshold per-src-mac pps Configure the dhcp-guard attack threshold, ranging from
1 to 9999, 10 by default. When the number of DHCP packets sent from a host exceeds the attack threshold, the attack is
detected and DHCP-guard isolates the host, records the message and sends the TRAP packet. per-src-mac: detect the
hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcp-guard policy per-src-mac rate-limit-pps attack-threshold-pps Configure the rate-limit and
attack threshold on the specified interface. rate-limit-pps: set the rate-limit threshold; the valid range is 1-9999 and by
default it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold; the valid range is
1-9999 and by default it adopts the global attack threshold value. per-src-mac: detect the hosts based on the source
MAC/VID/port.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Port-based rate-limit and attack detection

You can configure the dhcp-guard rate limit and attack threshold on the port. The rate limit value must be less than the
attack threshold value. When the DHCP packet rate on a port exceeds the limit, the DHCP packets are dropped. When
the DHCP packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.

It prompts the following message when a DHCP DoS attack is detected on a port:

%NFPP_DHCP_GUARD-4-PORT_ATTACKED: DHCP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is the additional information of the sent TRAP packet:

DHCP DoS attack was detected on port Gi4/1.

This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of this command to restore the
default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcp-guard rate-limit per-port pps Configure the dhcp-guard rate-limit of the DHCP packets on the
port, ranging from 1 to 9999, 150 by default.

Ruijie(config-nfpp)# dhcp-guard attack-threshold per-port pps Configure the dhcp-guard attack threshold, ranging from 1 to
9999, 300 by default. When the number of DHCP packets on a port exceeds the attack threshold, the CLI prompts and the
TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcp-guard policy per-port rate-limit-pps attack-threshold-pps Configure the rate-limit and attack
threshold on the specified interface. rate-limit-pps: set the rate-limit threshold; the valid range is 1-9999 and by default
it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold; the valid range is 1-9999
and by default it adopts the global attack threshold value.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcp-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

The source MAC address-based rate limit takes precedence over port-based rate limit.

Clearing the monitored hosts

The isolated hosts are recovered automatically after a period of time. The administrator can use the following command
to clear the isolated hosts manually.

Command Function

Ruijie# clear nfpp dhcp-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ] If no parameter is specified,
all hosts detected to be under attack are cleared. If any parameter is specified, only the eligible hosts are cleared.

Displaying dhcp-guard configuration

Use this command to display the dhcp-guard configurations.

Command Function

Ruijie# show nfpp dhcp-guard summary Display the dhcp-guard configurations.

For example,

Ruijie# show nfpp dhcp-guard summary
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold
Global Enable 300 -/5/150 -/10/300
G 0/1 Enable 180 -/6/- -/8/-
G 0/2 Disable 200 -/5/30 -/10/50
Maximum count of monitored hosts: 1000
Monitor period: 300s

Interface: Global refers to the global configuration.
Status: whether dhcp-guard is enabled or disabled.
Rate-limit: in the format of source IP address-based rate-limit threshold / source MAC address-based rate-limit threshold /
port-based rate-limit threshold.
Attack-threshold: in the same format as Rate-limit.
-: no configuration.
“-/5/150” indicates that the rate-limit threshold of source MAC addresses is 5 and the one of each port is 150.
The field Rate-limit in line G 0/1 is -/6/-, indicating that the rate-limit threshold of the port G 0/1 for source MAC
addresses is 6 and no threshold is configured for the port.

Displaying trusted host configuration

Use this command to display the trusted host configuration in privileged EXEC mode.

Command Function

show nfpp dhcp-guard trusted-host Display the trusted host configuration.

The following example displays the trusted host.

Ruijie# show nfpp dhcp-guard trusted-host
mac
------
0000.0000.1111
0000.0000.2222
Total:2 record(s)

Displaying monitored host configuration

Command Function

Ruijie# show nfpp dhcp-guard hosts statistics Display the dhcp-guard hosts statistics, including total host amount,
isolated host amount and non-isolated host amount.

Ruijie# show nfpp dhcp-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ] Display the isolated hosts
information. If no parameter is specified, all hosts detected to be under attack are displayed. If any parameter is
specified, only the eligible hosts are displayed.

Ruijie#show nfpp dhcp-guard hosts statistics
success fail total
------- ---- -----
100 20 120

Indicates: Totally 120 hosts are isolated, including 100 successful hosts and 20 failed hosts.

Ruijie# show nfpp dhcp-guard hosts
If column 1 shows '*', it means "hardware do not isolate user" .
VLAN interface MAC address remain-time(s)
---- -------- ----------- -------------
*1 Gi0/1 0000.0000.0001 110
2 Gi0/2 0000.0000.2222 61
Total: 2 host(s)

Ruijie# show nfpp dhcp-guard hosts vlan 1 interface g 0/1 0000.0000.0001
If column 1 shows '*', it means "hardware failed to isolate host".
VLAN interface MAC address remain-time(s)
---- -------- ----------- -------------
*1 Gi0/1 0000.0000.0001 110
Total: 1 host(s)

The preceding fields indicate VLAN number, interface, IP address, MAC address and remaining time of
isolation.
If "*" is displayed in the first column of a specific line, it means that this host is currently subject to software
monitoring or the hardware isolation has failed due to insufficient resources.

DHCPv6-guard

DHCPv6-guard Overview

The DHCPv6 protocol is widely used to dynamically allocate IPv6 addresses in the LAN and plays an important role in
network security. Similar to the DHCP attack, the DHCPv6 attack broadcasts DHCPv6 request packets with forged MAC
addresses. If there are too many DHCPv6 request packets, the attacker may use up the addresses provided by the DHCPv6
server, so that a legal host fails to request an IPv6 address and cannot access the network. The workaround for the
DHCPv6 attack: on one hand, you may configure the DHCPv6 packet rate-limit; on the other hand, you may detect and
isolate the attack source.

The DHCPv6 attack detection can be host-based or port-based. Host-based attack detection identifies a host by the
combination of source IP address/VID/port. For each attack detection, you can configure the rate-limit threshold and
warning threshold. The DHCPv6 packet will be dropped when the packet rate exceeds the rate-limit threshold. When the
DHCPv6 packet rate exceeds the warning threshold, it prompts the warning messages and sends the TRAP message. The
host-based attack detection can isolate the attack source.

Enabling DHCPv6-guard

You can enable dhcpv6-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
dhcpv6-guard is enabled. Use the no or default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard enable Enable the dhcpv6-guard. By default, dhcpv6-guard is enabled.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name    Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcpv6-guard enable    Enable the dhcpv6-guard on the interface. By default, dhcpv6-guard is not enabled on the interface.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.

With the dhcpv6-guard disabled, the monitored hosts are auto-cleared.

Configuring the isolated time

The isolated time of an attacker can be configured in the NFPP configuration mode or in the interface configuration
mode. By default, the isolated time configured globally applies to the interfaces.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard isolate-period [ seconds | permanent ]    Configure the global isolated time in the range from 30 to 86400 in the unit of seconds. The default is 0 seconds, representing no isolation. Permanent represents permanent isolation.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcpv6-guard isolate-period [ seconds | permanent ]    Configure the isolated time on the port, ranging 0s, 180-86400s (one day). By default, the isolated time is configured globally. 0s represents no isolation. Permanent represents permanent isolation.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the global isolated time to the default value, use the no dhcpv6-guard isolate-period command in the NFPP
configuration mode. If the isolated time has been configured on a port, you can use the no dhcpv6-guard isolate-period
command to remove the port-based isolated time configuration in the interface configuration mode.

Configuring the monitored time

If the isolated time is 0 seconds (that is, no isolation), the serviceview monitor auto-monitors the attacker for the
configured monitored period and records the attacker information in the system. If the isolated time is not 0 seconds,
the DHCPv6-guard performs hardware isolation of the hosts found by the serviceview monitor.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard monitor-period seconds    Configure the monitored time in the range from 180 to 86400 in the unit of seconds. The default is 600 seconds.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored time to the default value, use the no dhcpv6-guard monitor-period or default dhcpv6-guard
monitor-period command in the NFPP configuration mode.

If the isolated time is 0, the serviceview monitor monitors the detected attacker, and the timeout is the monitored
period. If the isolated time is changed to a non-0 value while the serviceview monitor is in progress, hardware
isolation is performed on the attacker, and the timeout is the isolated period. The monitored period is valid only
when the isolated period is 0.
Modifying the isolated time from non-0 to 0 removes the attackers from the interface rather than performing the
serviceview monitor.

Configuring the trusted host

Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.

Command Function

Ruijie(config-nfpp)# dhcpv6-guard trusted-host mac    Set the trusted host. mac: set the MAC address.

Ruijie(config-nfpp)# no dhcpv6-guard trusted-host { all | mac }    Restore the default setting. mac: set the MAC address. all: delete all trusted hosts.

After this function is enabled, the DHCPv6 packets are sent from the trusted host to CPU without rate limit or alarm
notification. Up to 500 trusted hosts are supported.

The following example sets the host whose MAC address is 0000.0000.1111 as the trusted host.

Ruijie(config)# nfpp
Ruijie(config-nfpp)#dhcpv6-guard trusted-host 0000.0000.1111

Configuring the monitored host limit

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard monitored-host-limit number    Configure the monitored host limit in the range from 1 to 4294967295. The default is 1000.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

To restore the monitored host limit to the default value, use the no dhcpv6-guard monitored-host-limit or default
dhcpv6-guard monitored-host-limit command in the NFPP configuration mode.

If the monitored host number has reached the default 1000, and the administrator sets the monitored host limit smaller
than 1000, the existing monitored hosts will not be deleted and the message “%ERROR: The value that you configured is
smaller than current monitored hosts 1000, please clear a part of monitored hosts.” is prompted to notify the
administrator that the configuration is invalid and that a part of the monitored hosts should be removed.

The message “% NFPP_DHCPV6_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.” is prompted if the
monitored host table is full.

Host-based rate-limit and attack detection

Use the source MAC/VID/port-based method to detect the host-based attack. For each attack detection, you can
configure the rate-limit threshold and attack threshold (also called warning threshold). The DHCPv6 packet will be
dropped when the packet rate exceeds the rate-limit threshold. When the DHCPv6 packet rate exceeds the warning
threshold, it will prompt the warning messages and send the TRAP message.

The following message is prompted when a DHCPv6 DoS attack is detected:

%NFPP_DHCPV6_GUARD-4-DOS_DETECTED:Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)

The sent TRAP message carries the following description:

DHCPV6 DoS attack from host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected.

If the administrator has not set the isolated time to 0, the following message is prompted when the hardware isolation succeeds:

%NFPP_DHCPV6_GUARD-4-ISOLATED:Host <IP= N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)

The sent TRAP message carries the following description:

Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was isolated.

When the hardware isolation fails due to a lack of memory or hardware resources, the following message is prompted:

%NFPP_DHCPV6_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:00)

The sent TRAP message carries the following description:

Failed to isolate host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1>.

When it fails to allocate the memory to the detected attackers, it prompts the message like
“%NFPP_DHCPV6_GUARD-4-NO_MEMORY: Failed to alloc memory.” to inform the administrator.

This section shows the administrator how to configure the host-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode:

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard rate-limit per-src-mac pps    Configure the dhcpv6-guard rate-limit in the range from 1 to 9999. The default is 5 pps. per-src-mac: detect the hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# dhcpv6-guard attack-threshold per-src-mac pps    Configure the dhcpv6-guard attack threshold in the range from 1 to 9999. The default is 10 pps. When the DHCPv6 packet number sent from a host exceeds the attack threshold, the attack is detected and DHCPv6-guard isolates the host, records the message and sends the TRAP packet. per-src-mac: detect the hosts based on the source MAC address/VID/port.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp dhcpv6-guard policy per-src-mac rate-limit-pps attack-threshold-pps    Configure the rate-limit and attack threshold on the specified interface. rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999 and by default, it adopts the global rate-limit threshold value. attack-threshold-pps: set the attack threshold. The valid range is 1-9999 and by default, it adopts the global attack threshold value. per-src-mac: detect the hosts based on the source MAC/VID/port.

Ruijie(config-if)# end    Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary    Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Port-based rate-limit and attack detection

You can configure the dhcpv6-guard rate limit and attack threshold on the port. The rate limit value must be less than the
attack threshold value. When the DHCPv6 packet rate on a port exceeds the limit, the DHCPv6 packets are dropped.
When the DHCPv6 packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are
sent.

The following message is prompted when a DHCPv6 DoS attack is detected on a port:

%NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPV6 DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is additional information of the sent TRAP packet:

DHCPV6 DoS attack was detected on port Gi4/1.

This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode:

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# dhcpv6-guard rate-limit per-port pps    Configure the dhcpv6-guard rate-limit of the DHCPv6 packets on the port in the range from 1 to 9999. The default is 150 pps.

Ruijie(config-nfpp)# dhcpv6-guard attack-threshold per-port pps    Configure the dhcpv6-guard attack threshold in the range from 1 to 9999. The default is 300 pps. When the DHCPv6 packet number on a port exceeds the attack threshold, the CLI prompts and the TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)#nfpp dhcpv6-guard policy per-port Configure the rate-limit and attack threshold on the specified
rate-limit-pps attack-threshold-pps interface.
rate-limit-pps: set the rate-limit threshold. The valid range is
1-9999 and by default, it adopts the global rate-limit threshold
value.
attack-threshold-pps: set the attack threshold. The valid range
is 1-9999 and by default, it adopts the global attack threshold
value.

Ruijie(config-if)# end    Return to the privileged EXEC mode.

Ruijie# show nfpp dhcpv6-guard summary    Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

The source MAC address-based rate limit takes precedence over port-based rate limit.

Clearing the monitored hosts

The isolated hosts can be recovered automatically after a period of the time. The administrator can use the following
command to clear the isolated hosts manually.

Command Function

Ruijie# clear nfpp dhcpv6-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]    If no parameter is specified, all hosts detected to be under attack will be cleared. If any parameter is specified, only eligible hosts will be cleared.

Displaying dhcpv6-guard configuration

Use this command to display the dhcpv6-guard configurations.

Command Function

Ruijie# show nfpp dhcpv6-guard summary Display the dhcpv6-guard configurations.

For example,

Ruijie# show nfpp dhcpv6-guard summary


(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold
Global Enable 300 -/5/150 -/10/300
G 0/1 Enable 180 -/6/- -/8/-
G 0/2 Disable 200 -/5/30 -/10/50

Maximum count of monitored hosts: 1000


Monitor period: 300s

Global: the global configuration.
Status: whether the dhcpv6-guard is enabled or disabled.
Rate-limit: in the format of source IP address-based rate-limit threshold / source MAC address-based rate-limit threshold / port-based rate-limit threshold.
Attack-threshold: in the same format as Rate-limit.
-: no configuration.
“-/5/150” indicates that the rate-limit threshold of source MAC addresses is 5 and the one of each port is 150.
The field Rate-limit in line G 0/1 is -/6/-, indicating that the rate-limit threshold of the port G 0/1 for the source MAC
address is 6 and no port-based threshold is configured.

Displaying trusted host configuration

Use this command to display the trusted host configuration in Privileged EXEC mode.

Command Function

show nfpp dhcpv6-guard trusted-host Display the trusted host configuration.

The following example displays the trusted host.

Ruijie# show nfpp dhcpv6-guard trusted-host


mac
------
0000.0000.1111
0000.0000.2222
Total:2 record(s)

Displaying monitored host configuration

Command Function
Ruijie# show nfpp dhcpv6-guard hosts statistics    Display the dhcpv6-guard hosts statistics, including total host amount, isolated host amount and non-isolated host amount.

Ruijie# show nfpp dhcpv6-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]    Display the isolated hosts information. If no parameter is specified, all hosts detected to be under attack will be displayed. If any parameter is specified, only eligible hosts will be displayed.

For example,

Ruijie#show nfpp dhcpv6-guard hosts statistics


success fail total
------- ---- -----
100 20 120

Indicates: Totally 120 hosts are isolated, including 100 successful hosts and 20 failed hosts.

Ruijie# show nfpp dhcpv6-guard hosts


If column 1 shows '*', it means "hardware do not isolate user" .
VLAN interface MAC address remain-time(s)
---- -------- ----------- -------------
*1 Gi0/1 0000.0000.0001 110
2 Gi0/2 0000.0000.2222 61
Total: 2 host(s)

Ruijie# show nfpp dhcpv6-guard hosts vlan 1 interface g 0/1 0000.0000.0001


If column 1 shows '*', it means "hardware failed to isolate host".
VLAN interface MAC address remain-time(s)
---- -------- ----------- -------------
*1 Gi0/1 0000.0000.0001 110
Total: 1 host(s)

ND-guard

ND-guard Overview

ND, the abbreviation of “Neighbor Discovery”, is responsible for the address resolution, router discovery, prefix discovery
and the redirection. ND uses the following 5 types of the ND packets: Neighbor Solicitation, Neighbor Advertisement,
Router Solicitation, Router Advertisement and Redirect, which are abbreviated as the NS, NA, RS and RA.

ND Snooping monitors the ND packets in the network, filters the illegal ND packets and associates the monitored IPv6
users with the interface to prevent the IPv6 address from being stolen. ND Snooping sends the ND packets to the CPU at
the configured rate-limit to implement the ND-guard function, because sending ND packets at a high rate leads to a CPU
attack.

ND-guard classifies the ND packets into the following three types: 1) NS-NA: the Neighbor Solicitation and the Neighbor
Advertisement, used for the address resolution; 2) RS: the Router Solicitation, used for the gateway discovery by the host;
3) RA-Redirect: the Router Advertisement and Redirect, used to advertise the gateway and prefix, and the better
next-hop.

At present, only the port-based ND packet attack detection is implemented. You may configure the rate-limit threshold and
the attack threshold for the ND packets. When the ND packet rate on a port exceeds the limit, the ND packets are dropped.
When the ND packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.

Enabling ND-guard

You can enable ND-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
ND-guard is enabled. Use the no or default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# nd-guard enable Enable the nd-guard. By default, nd-guard is enabled.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name    Enter the interface configuration mode.

Ruijie(config-if)# nfpp nd-guard enable    Enable the nd-guard on the interface. By default, nd-guard is not enabled on the interface.

Ruijie(config-if)# end Return to the privileged EXEC mode.

Ruijie# show nfpp nd-guard summary    Display the configurations.

Ruijie# copy running-config startup-config Save the configurations.

Configuring the trusted host

Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter NFPP configuration mode.

Ruijie(config-nfpp)# nd-guard trusted-host mac    Set the trusted host.

Ruijie(config-nfpp)# no nd-guard trusted-host { all | mac }    Restore the default setting. mac: set the MAC address. all: delete all trusted hosts.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

After this function is enabled, the ND packets are sent from the trusted host to CPU without rate limit or alarm notification.

Up to 500 trusted hosts are supported.

The following example sets the host whose MAC address is 0000.0000.1111 as the trusted host.

Ruijie(config)# nfpp
Ruijie(config-nfpp)#nd-guard trusted-host 0000.0000.1111

Port-based rate-limit and attack detection

You can configure the ND-guard rate-limit and attack threshold on the port. The rate-limit value must be less than the
attack threshold value. When the ND packet rate on a port exceeds the limit, the ND packets are dropped. When the ND
packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.

ND Snooping divides ports into untrusted ports and trusted ports, which connect to hosts and to the gateway
respectively. The rate-limit threshold for a trusted port should be higher than the one for an untrusted port because the
traffic on a trusted port is generally higher than on an untrusted port. With ND Snooping enabled, ND Snooping notifies
ND-guard to set the rate-limit threshold and the attack threshold of the ND packets on the trusted port to 800pps and
900pps respectively.

ND-guard treats the rate-limit threshold configured by ND Snooping and the one configured by the administrator
equally: the later configured threshold overwrites the earlier one. That is, if an administrator configures the
rate-limit threshold on the port earlier than ND Snooping does, the rate-limit threshold configured by ND Snooping
overwrites the one configured by the administrator. Similarly, if ND Snooping configures the rate-limit threshold on the
port earlier than the administrator does, the rate-limit threshold configured by the administrator overwrites the one
configured by ND Snooping.

When the administrator saves the settings, the rate-limit threshold configured by ND Snooping is saved into the
configuration file.

It prompts the following message when the NS-NA DoS attack was detected on a port:

%NFPP_ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is additional information of the sent TRAP packet:

NS-NA DoS attack was detected on port Gi4/1.

It prompts the following message when the RS DoS attack was detected on a port:

%NFPP_ND_GUARD-4-PORT_ATTACKED: RS DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is additional information of the sent TRAP packet:

RS DoS attack was detected on port Gi4/1.

It prompts the following message when the RA-REDIRECT DoS attack was detected on a port:

%NFPP_ND_GUARD-4-PORT_ATTACKED: RA-REDIRECT DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)

The following is additional information of the sent TRAP packet:

RA-REDIRECT DoS attack was detected on port Gi4/1.

This section shows the administrator how to configure the port-based rate-limit and attack detection in NFPP configuration
mode and in the interface configuration mode. Use the no or default form of these commands to restore the default
setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# nd-guard rate-limit per-port [ ns-na | rs | ra-redirect ] pps    Configure the rate-limit of the ND packets on the port in the range from 1 to 9999 in the unit of pps. The default is Lapps.

Ruijie(config-nfpp)# nd-guard attack-threshold per-port [ ns-na | rs | ra-redirect ] pps    Configure the attack threshold in the range from 1 to 9999 in the unit of seconds. By default, the attack threshold for the ns-na, rs and ra-redirect on each port is 30 seconds. When the ND packet number on a port exceeds the attack threshold, the CLI prompts and the TRAP packets are sent.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# interface interface-name Enter the interface configuration mode.

Ruijie(config-if)# nfpp nd-guard policy per-port Configure the rate-limit and attack threshold on the specified
[ ns-na | rs | ra-redirect ] rate-limit-pps interface. By default, the rate-limit threshold and the attack
attack-threshold-pps threshold are not configured.
rate-limit-pps: set the rate-limit threshold in the range from1 to
9999.
attack-threshold-pps: set the attack threshold in the range
from1 to 9999.

Ruijie(config-if)# end    Return to the privileged EXEC mode.

Ruijie# show nfpp nd-guard summary    Display the parameter settings.

Ruijie# copy running-config startup-config Save the configurations.

Displaying ND-guard configuration

Use this command to display the ND-guard configurations.

Command Function

Ruijie# show nfpp nd-guard summary Display the ND-guard configurations.

For example,

Ruijie# show nfpp nd-guard summary


(Format of column Rate-limit and Attack-threshold is NS-NA/RS/RA-REDIRECT.)
Interface Status Rate-limit Attack-threshold
Global Enable 20/5/10 40/10/20
G 0/1 Enable 15/15/15 30/30/30
G 0/2 Disable -/5/30 -/10/50

Global: the global configuration.
Status: whether the nd-guard is enabled or disabled.
Rate-limit: in the format of NS-NA rate-limit threshold / RS rate-limit threshold / RA-redirect rate-limit threshold.
Attack-threshold: in the same format as Rate-limit.
-: no configuration.
For example, “-/5/30” indicates that no rate-limit threshold of neighbor requests/advertisement is configured on port
G 0/2. The rate-limit threshold of router requests is 5 and the rate-limit threshold of router advertisement and
redirection packets is 30.
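The following added example (not Ruijie code) parses the summary outputs shown for dhcpv6-guard and nd-guard above, resolves each "-" to the global value as the guide describes, and flags interfaces whose effective rate-limit is not below the matching attack threshold or whose isolate-period is 0; the G 0/3 row is constructed to trigger the check.

```python
"""Check the effective NFPP guard thresholds shown by
'show nfpp dhcpv6-guard summary' / 'show nfpp nd-guard summary'.

Added example, not Ruijie code. A '-' in a per-interface row means the value
is not configured there, so the interface inherits the global value; the
guide requires every rate-limit to be below the matching attack threshold
and treats isolate-period 0 as monitor-only (no hardware isolation).
"""
import re

# Constructed sample: the rows printed in this guide plus one deliberately
# misconfigured interface (G 0/3) that the check is expected to catch.
DHCPV6_SUMMARY = """\
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-port.)
Interface Status Isolate-period Rate-limit Attack-threshold
Global Enable 300 -/5/150 -/10/300
G 0/1 Enable 180 -/6/- -/8/-
G 0/2 Disable 200 -/5/30 -/10/50
G 0/3 Enable 0 -/20/- -/10/-
"""

# Constructed sample copied from the nd-guard summary in this guide.
ND_SUMMARY = """\
(Format of column Rate-limit and Attack-threshold is NS-NA/RS/RA-REDIRECT.)
Interface Status Rate-limit Attack-threshold
Global Enable 20/5/10 40/10/20
G 0/1 Enable 15/15/15 30/30/30
G 0/2 Disable -/5/30 -/10/50
"""

FORMAT_RE = re.compile(r"is (?P<cols>[\w\-/]+)\.\)")


def _split_thresholds(field, names):
    """'-/5/150' with names [a, b, c] -> {a: None, b: 5, c: 150}."""
    parts = field.split("/")
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} values in {field!r}")
    return {n: (None if p == "-" else int(p)) for n, p in zip(names, parts)}


def parse_summary(text):
    """Return (categories, rows); each row is a dict keyed by column name."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fmt = FORMAT_RE.search(lines[0])
    if fmt is None:
        raise ValueError("missing '(Format of column ...)' line")
    categories = fmt.group("cols").split("/")
    has_isolate = "Isolate-period" in lines[1].split()
    tail = 4 if has_isolate else 3          # Status [Isolate] Rate Attack
    rows = []
    for line in lines[2:]:
        tokens = line.split()
        # Interface names such as 'G 0/1' contain a space, so take the
        # fixed-width tail of the row and join whatever precedes it.
        interface = " ".join(tokens[:-tail])
        status, *rest = tokens[-tail:]
        isolate = rest.pop(0) if has_isolate else None
        rate, attack = rest
        rows.append({
            "interface": interface,
            "status": status,
            "isolate_period": isolate,      # seconds or 'permanent', as printed
            "rate": _split_thresholds(rate, categories),
            "attack": _split_thresholds(attack, categories),
        })
    return categories, rows


def effective_thresholds(categories, rows):
    """Resolve '-' on an interface to the global value.

    Returns {interface: {category: (rate_limit, attack_threshold)}}; a value
    stays None when neither the interface nor Global configures it.
    """
    glob = next(r for r in rows if r["interface"] == "Global")
    eff = {}
    for r in rows:
        per_cat = {}
        for c in categories:
            rate = r["rate"][c] if r["rate"][c] is not None else glob["rate"][c]
            attack = r["attack"][c] if r["attack"][c] is not None else glob["attack"][c]
            per_cat[c] = (rate, attack)
        eff[r["interface"]] = per_cat
    return eff


def find_problems(text):
    """Return human-readable findings for one summary output."""
    categories, rows = parse_summary(text)
    eff = effective_thresholds(categories, rows)
    findings = []
    for r in rows:
        iface = r["interface"]
        for c, (rate, attack) in eff[iface].items():
            if rate is None or attack is None:
                continue                    # category unused by this guard
            if rate >= attack:
                findings.append(f"{iface}: {c} rate-limit {rate} is not below "
                                f"attack-threshold {attack}")
        if r["isolate_period"] == "0":
            findings.append(f"{iface}: isolate-period 0, attackers are only "
                            f"monitored, never hardware-isolated")
    return findings


if __name__ == "__main__":
    for name, text in (("dhcpv6-guard", DHCPV6_SUMMARY), ("nd-guard", ND_SUMMARY)):
        problems = find_problems(text)
        print(f"{name}: {len(problems)} finding(s)")
        for p in problems:
            print("  " + p)
```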


Displaying trusted host configuration

Use this command to display the trusted host configuration in Privileged EXEC mode.

Command Function

show nfpp nd-guard trusted-host Display the trusted host configuration.

The following example displays the trusted host.

Ruijie# show nfpp nd-guard trusted-host


mac
------
0000.0000.1111
0000.0000.2222
Total:2 record(s)

NFPP Syslog

NFPP Syslog Overview

An NFPP log is generated in the NFPP syslog buffer area after an attack is detected. The syslog is generated from the
NFPP log at the specified rate, and the NFPP log is then deleted from the NFPP syslog buffer area.

Configuring NFPP log-buffer entry number

The administrator can configure the NFPP log-buffer entry number in NFPP configuration mode.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# log-buffer entries number    Configure the NFPP log buffer in the range from 0 to 1024. The default is 256.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp log summary Display the configurations.

Configuring the rate of generating NFPP syslog

The administrator can configure the rate of generating the NFPP syslog in NFPP configuration mode. Use the no or
default form of this command to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# log-buffer logs number_of_message interval length_in_seconds    Set the rate of generating the syslog from the NFPP syslog buffer area. number_of_message / length_in_seconds: the rate of generating the syslog. The corresponding information in the NFPP syslog buffer area is removed while the syslog is generated. number_of_message: The valid range is from 0 to 1024. The default is 1 second. 0 indicates that all syslogs are recorded in the NFPP syslog buffer area and the syslog is not generated. length_in_seconds: The valid range is from 0 to 86400 in the unit of seconds. The default value is 30 seconds. 0 indicates to generate the syslog immediately. Setting both number_of_message and length_in_seconds to 0 indicates to generate the syslog immediately.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp log summary Display the configurations.

Configuring NFPP syslog filtering

The administrator can filter the NFPP syslog and record the syslog in the specific VLAN or on the specific interface. Use
the no or default form of these commands to restore the default setting.

Command Function

Ruijie# configure terminal Enter the global configuration mode.

Ruijie(config)# nfpp Enter the NFPP configuration mode.

Ruijie(config-nfpp)# logging vlan vlan-range    Specify the syslog recorded in the VLAN.

Ruijie(config-nfpp)# logging interface interface-id    Specify the syslog recorded on the port. By default, all syslogs are recorded.

Ruijie(config-nfpp)# end Return to the privileged EXEC mode.

Ruijie# show nfpp log summary Display the configurations.

All logs are recorded by default.

Clearing NFPP syslog

Command Function

Ruijie# clear nfpp log Clear the NFPP syslog in the log-buffer area.

Displaying NFPP syslog

Command Function

Ruijie# show nfpp log summary Display the NFPP syslog configuration.

Ruijie# show nfpp log buffer [ statistics ]    Display the NFPP syslog in the log-buffer area. The parameter statistics shows the log number in the log-buffer area.

The following example displays the NFPP syslog configuration:

Ruijie#show nfpp log summary


Total log buffer size : 10
Syslog rate : 1 entry per 2 seconds
Logging:
VLAN 1-3, 5
interface Gi 0/1
interface Gi 0/2

The following example displays the NFPP syslog number in the log-buffer area:

Ruijie#show nfpp log buffer statistics


There are 6 logs in buffer.

The following example displays the NFPP syslog buffer area:

Ruijie#show nfpp log buffer


Protocol VLAN Interface IP address MAC address Reason Timestamp
------- ---- -------- --------- ----------- ------ ---------
ARP 1 Gi0/1 1.1.1.1 - DoS 2009-05-30 16:23:10
ARP 1 Gi0/1 1.1.1.1 - ISOLATED 2009-05-30 16:23:10
ARP 1 Gi0/1 1.1.1.2 - DoS 2009-05-30 16:23:15
ARP 1 Gi0/1 1.1.1.2 - ISOLATE_FAILED 2009-05-30 16:23:15
ARP 1 Gi0/1 - 0000.0000.0001 SCAN 2009-05-30 16:30:10
ARP - Gi0/2 - - PORT_ATTACKED 2009-05-30 16:30:10

Protocol has the following values:

ARP (corresponding to ARP anti-attack)

IP (corresponding to IP anti-scanning)

ICMP (corresponding to ICMP anti-attack)

DHCP (corresponding to DHCP anti-attack)

DHCPv6 (corresponding to DHCPv6 anti-attack)

NS-NA (corresponding to neighbor requests and neighbor advertisements in ND anti-attack)

RS (corresponding to router requests in ND anti-attack)

RA-REDIRECT (corresponding to router advertisements and redirection packets in ND anti-attack)

name (name of the self-defined anti-attack)

The Reason field has five values:

DoS indicates that DoS attacks are detected.

ISOLATED indicates that attackers are isolated by the hardware successfully.

ISOLATE_FAILED indicates that isolating attackers fails.

SCAN indicates that scans are detected.

PORT_ATTACKED indicates that ports are attacked.


If the syslog buffer area is full, the subsequent syslogs are discarded and an entry with all attributes “-” is shown
in the syslog buffer area. The administrator should increase the capacity of the syslog buffer area or raise the rate
of generating the syslog.
The syslog generated from the syslog buffer area carries the event timestamp, for example:
%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)
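The NFPP messages quoted in this chapter share one shape, so an added example (not Ruijie code) follows that parses them into structured events and singles out the ones an operator must act on; the sample lines are constructed from the messages shown above, plus one unrelated line the parser must skip.

```python
"""Parse NFPP guard syslog lines into structured events.

Added example, not Ruijie code. It covers the message shapes printed in this
chapter: DOS_DETECTED / ISOLATED / ISOLATE_FAILED carrying a
Host<IP=...,MAC=...,port=...,VLAN=...> block, PORT_ATTACKED carrying an
'on port X' clause, and the NO_MEMORY / SESSION_LIMIT notices.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^%\s*NFPP_(?P<guard>[A-Z0-9]+)_GUARD-(?P<severity>\d)-\s*(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<body>.*?)\s*(?:\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\))?$"
)
HOST_RE = re.compile(r"[Hh]ost\s*<(?P<fields>[^>]*)>")
PORT_RE = re.compile(r"on port (?P<port>\S+?)\.")

# Mnemonics after which the guard is no longer protecting the CPU as intended.
ACTIONABLE = {
    "ISOLATE_FAILED": "hardware isolation failed, attacker is only software-monitored",
    "NO_MEMORY": "attacker could not be recorded",
    "SESSION_LIMIT": "monitored-host table is full: raise the limit or clear hosts",
}

# Constructed sample built from the messages quoted in this chapter.
SAMPLE_LOG = [
    "%NFPP_DHCPV6_GUARD-4-DOS_DETECTED:Host<IP=N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was detected. (2009-07-01 13:00:00)",
    "%NFPP_DHCPV6_GUARD-4-ISOLATED:Host <IP= N/A,MAC=0000.0000.0001,port=Gi4/1,VLAN=1> was isolated. (2009-07-01 13:00:00)",
    "%NFPP_DHCPV6_GUARD-4-ISOLATE_FAILED: Failed to isolate host <IP=N/A,MAC=0000.0000.0002,port=Gi4/1,VLAN=1>. (2009-07-01 13:00:05)",
    "%NFPP_DHCPV6_GUARD-4-PORT_ATTACKED: DHCPV6 DoS attack was detected on port Gi4/1. (2009-07-01 13:00:10)",
    "%NFPP_ND_GUARD-4-PORT_ATTACKED: RA-REDIRECT DoS attack was detected on port Gi4/2. (2009-07-01 13:01:00)",
    "%NFPP_DHCPV6_GUARD-4-NO_MEMORY: Failed to alloc memory.",
    "% NFPP_DHCPV6_GUARD-4-SESSION_LIMIT: Attempt to exceed limit of 1000 monitored hosts.",
    "%SYS-5-CONFIG_I: unrelated line that the parser must skip",   # constructed noise
]


@dataclass
class NfppEvent:
    guard: str                       # DHCPV6, ND, ARP, ...
    severity: int
    mnemonic: str                    # DOS_DETECTED, PORT_ATTACKED, ...
    timestamp: Optional[str]
    host: Dict[str, str] = field(default_factory=dict)   # IP/MAC/port/VLAN
    port: Optional[str] = None
    kind: Optional[str] = None       # packet type named in PORT_ATTACKED lines


def parse_line(line: str) -> Optional[NfppEvent]:
    """Return an NfppEvent, or None for a line that is not an NFPP message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = NfppEvent(m["guard"], int(m["severity"]), m["mnemonic"], m["ts"])
    body = m["body"]
    h = HOST_RE.search(body)
    if h:
        # Tolerate the stray spaces seen in the printed messages ("IP= N/A").
        for item in h["fields"].split(","):
            key, _, value = item.partition("=")
            ev.host[key.strip()] = value.strip()
        ev.port = ev.host.get("port")
    p = PORT_RE.search(body)
    if p:
        ev.port = p["port"]
        ev.kind = body.split(" DoS attack", 1)[0].strip() or None
    return ev


def summarize(lines: List[str]) -> Tuple[Dict[Tuple[str, str], int], List[NfppEvent]]:
    """Count events per (guard, mnemonic) and collect those needing action."""
    counts: Dict[Tuple[str, str], int] = {}
    attention: List[NfppEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.guard, ev.mnemonic)
        counts[key] = counts.get(key, 0) + 1
        if ev.mnemonic in ACTIONABLE:
            attention.append(ev)
    return counts, attention


if __name__ == "__main__":
    counts, attention = summarize(SAMPLE_LOG)
    for (guard, mnemonic), n in sorted(counts.items()):
        print(f"{guard:8} {mnemonic:16} {n}")
    for ev in attention:
        where = ev.host.get("MAC") or ev.port or "-"
        print(f"ACTION {ev.guard} {ev.mnemonic} ({where}): {ACTIONABLE[ev.mnemonic]}")
```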
Configuration Guide Configuring WAPI

Configuring WAPI

Overview

WLAN Authentication and Privacy Infrastructure (WAPI) is a wireless security standard actively promoted in China. This
protocol contains two parts: WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI is
used for user authentication; WPI is used to encrypt transmitted data. WAPI is a necessary supplement to wireless
security and an essential function for wireless products entering the market.

Basic Concept

Three Entities for Accessing and Controlling WAPI

 Authenticator Entity (AE)

Authenticates ASUEs that request access to the service. This entity resides in an AP or STA.

 Authentication Supplicant Entity (ASUE)

Applies for authentication before accessing service. This entity resides in an STA.

 Authentication Service Entity (ASE)

Provides mutual authentication service for the AE and ASUE. This entity resides in an ASU.

Working Principle

WAPI Information Elements

To allow an STA to recognize WAPI information and enable the WAPI security mechanism, the STA adds a WAPI
information element to its association request, re-association request, and probe request frames. An AP adds the WAPI
information element to the beacon and probe response frames it sends, according to its WAPI configuration. An AP
negotiates with an STA only when the WAPI information element parsed from the STA's association or re-association
request matches the WAPI configuration of the AP.

A WAPI information element, which is at most 255 bytes long, is composed as follows:

Figure Composition of a WAPI information element



The value of the Element ID field is 68.

The Length field specifies the number of bytes of the WAPI information element except for Element ID and Length.

The Version field specifies the version of WAPI. In this protocol specification, only version 1 is used.

The Authentication and key management (AKM) suite count field specifies the number of AKM mechanisms
supported by the STA.

The AKM suite field lists the AKM mechanisms supported by the STA. It has m entries, where m is the value of the AKM
suite count field.

The Unicast cipher suite count field specifies the number of unicast cipher algorithms supported by the STA.

The Unicast cipher suite field lists the unicast cipher algorithms supported by the STA. It has n entries, where n is the
value of the Unicast cipher suite count field.

The Multicast cipher suite field specifies the multicast cipher algorithm supported by the STA.

In the WAPI capability information field, bit 0 is the pre-authentication flag bit. Other bits are reserved.

The BKID count and BKID list fields are used only in association and re-association request frames sent to APs. The
BKID count field specifies the number of BKIDs in the BKID list field.
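An encoder and parser for the information element laid out above, as an added example that is not part of this guide or of RGOS. It checks the Element ID (68), the Length field, the version (1), walks the count-prefixed AKM and unicast cipher suite lists, reads the multicast suite and capability bits, and treats the BKID count and list as optional because they appear only in association and re-association requests. The AP-side check mirrors the rule stated above: negotiate only if the STA's element matches the AP's configuration. The suite selector values (OUI 00-14-72, AKM type 1 for certificate and 2 for PSK, cipher type 1 for SMS4) are taken from the WAPI standard rather than from this page and are an assumption of the example, as is the little-endian encoding of the count fields.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Sequence

WAPI_ELEMENT_ID = 68
WAPI_VERSION = 1
# Suite selectors are an OUI (3 octets) plus a type octet. The OUI 00-14-72 and the
# type codes below come from the WAPI standard, not from this guide (assumption).
WAPI_OUI = bytes.fromhex("001472")
AKM_NAMES: Dict[int, str] = {1: "WAI-certificate", 2: "WAI-PSK"}
CIPHER_NAMES: Dict[int, str] = {1: "SMS4"}


@dataclass
class WapiIE:
    version: int
    akm_suites: List[bytes]        # m entries
    unicast_ciphers: List[bytes]   # n entries
    multicast_cipher: bytes
    capability: int
    bkids: List[bytes]             # present only in (re)association requests

    @property
    def preauth(self) -> bool:
        return bool(self.capability & 0x0001)   # bit 0: pre-authentication flag


def suite_name(selector: bytes, table: Dict[int, str]) -> str:
    if selector[:3] != WAPI_OUI:
        return "vendor-" + selector.hex()
    return table.get(selector[3], f"unknown-{selector[3]}")


class _Cursor:
    """Bounds-checked reader: a truncated element raises instead of over-reading."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("WAPI IE truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack("<H", self.take(2))[0]   # counts assumed little-endian

    def remaining(self) -> int:
        return len(self.buf) - self.pos


def parse_wapi_ie(ie: bytes) -> WapiIE:
    if len(ie) < 2 or ie[0] != WAPI_ELEMENT_ID:
        raise ValueError("not a WAPI information element")
    length = ie[1]                      # bytes after Element ID and Length
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("Length field exceeds the bytes available")
    c = _Cursor(body)
    version = c.u16()
    if version != WAPI_VERSION:
        raise ValueError(f"unsupported WAPI version {version}")
    akms = [c.take(4) for _ in range(c.u16())]
    ucast = [c.take(4) for _ in range(c.u16())]
    mcast = c.take(4)
    capability = c.u16()
    bkids: List[bytes] = []
    if c.remaining():                   # BKID fields are optional
        bkids = [c.take(16) for _ in range(c.u16())]
    if c.remaining():
        raise ValueError("trailing bytes after the BKID list")
    return WapiIE(version, akms, ucast, mcast, capability, bkids)


def build_wapi_ie(akm_types: Sequence[int], ucast_types: Sequence[int], mcast_type: int,
                  preauth: bool = False, bkids: Sequence[bytes] = ()) -> bytes:
    body = struct.pack("<HH", WAPI_VERSION, len(akm_types))
    body += b"".join(WAPI_OUI + bytes([t]) for t in akm_types)
    body += struct.pack("<H", len(ucast_types))
    body += b"".join(WAPI_OUI + bytes([t]) for t in ucast_types)
    body += WAPI_OUI + bytes([mcast_type])
    body += struct.pack("<H", 1 if preauth else 0)
    if bkids:
        body += struct.pack("<H", len(bkids)) + b"".join(bkids)
    if len(body) > 255:
        raise ValueError("IE body exceeds 255 octets")
    return bytes([WAPI_ELEMENT_ID, len(body)]) + body


def ap_accepts(sta_ie: WapiIE, ap_akm_type: int, ap_cipher_type: int) -> bool:
    """AP-side check: the STA must offer the AP's configured AKM and cipher suites."""
    want_akm = WAPI_OUI + bytes([ap_akm_type])
    want_cipher = WAPI_OUI + bytes([ap_cipher_type])
    return (want_akm in sta_ie.akm_suites
            and want_cipher in sta_ie.unicast_ciphers
            and sta_ie.multicast_cipher == want_cipher)
```

Parsing a beacon's element with this code also shows the minimum size: one AKM suite, one unicast suite, the multicast suite and the capability field give a 20-byte body, a 22-byte element in total.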

WAPI Authentication and Key Negotiation

WAI performs authentication and key management based on certificates or pre-shared keys (PSKs). Certificate-based
authentication and key management consists of certificate authentication, unicast key negotiation, and multicast key
advertisement; PSK-based authentication consists of unicast key negotiation and multicast key advertisement only. The
following figures show how these procedures interact. The STA, AP, and ASU act as the ASUE, AE, and ASE
respectively.

Figure Certificate authentication



Figure Unicast key negotiation

Figure Multicast or inter-site key advertisement

WAI packets between the STA and AP are carried in Ethernet frames identified by the EtherType value 0x88B4. Packets
between the AP and ASU are transmitted over UDP; the ASU listens on UDP port 3810. For the formats of the packets
exchanged in each procedure, refer to WAPI Deployment Guide-2006.

WPI Packet Encapsulation and Packet Encryption and Decryption

WPI encrypts and decrypts MPDUs generated at the MAC sublayer; it does not process WAI packets. An encrypted MPDU
is composed as follows:

Figure MPDU encapsulation structure

If the MAC header field contains the fourth address, the length of the field is 30 bytes; if not, the length of the field is 24
bytes. If the MAC header field contains a QoS sub-field, two bytes are added. Currently, WAPI does not define wireless
QoS and therefore does not support QoS.

The KeyIdx field specifies an index of USKID, MSKID, or STAKeyID, that is, a session key index of the packet.

The default value of the Reserve field is 0.

The PN (packet number) field is an integer that numbers the data packet. It serves as the initialization vector (IV) for data
encryption in OFB mode and for integrity verification in CBC-MAC mode. Because OFB mode produces the same keystream
whenever the IV repeats, a PN must never be reused under the same session key. The PN field is encoded and sent in
little-endian byte order.

The PDU field includes MPDU data. The maximum length of this field is computed in the following formula: 2278 = 2312 –
18 (length of the WPI header) – 16 (length of MIC).

The FCS field specifies the MAC frame verification sequence.

The message integrity check (MIC) field is obtained by computing integrity verification data using an integrity verification
key in CBC-MAC mode. The following figure shows the composition of MIC.

Figure Integrity verification data

Integrity verification data is divided into the following parts:

First part:

Frame control field: Bits 4, 5, 6, 11, 12, and 13 are set to 0, and bit 14 is set to 1.

Sequence control field: Bits 4 to 15 are set to 0.

Fourth address field: if the MAC frame header does not contain a fourth address, all six octets of this field are set to 0.

QoS control field: included only if it is present in the MAC frame header.

When the MIC is computed, the length of the integrity verification data must be an integral multiple of 16 bytes. If the
length of a part of the integrity verification data is not a multiple of 16, pad that part with the fewest zero bytes needed to
reach a multiple of 16.

Configuration Examples

Networking Topology

Figure Typical WAPI application on fat AP networking topology

As shown in the figure above, the WAPI terminals and the RG-AP all support WAPI. The WAPI terminals, the RG-AP, and
the authentication server (AS, hereinafter referred to as the ASU) each hold a digital certificate file. When a WAPI terminal
requests access to the wireless network, the RG-AP authenticates the terminal through one of the two WAPI authentication
methods: digital certificate authentication or PSK authentication. Digital certificate authentication requires the ASU. The
following figure shows a typical WAPI application on a fit AP networking topology.

Figure Typical WAPI application on fit AP networking topology



As shown in the figure above, the RG-AC and two RG-APs are basic devices of the fit AP wireless network. The WAPI
terminals, RG-APs, and RG-AC all support WAPI. When a WAPI terminal requests access to the wireless network, the
RG-AC authenticates the terminal through WAPI. When WAPI authentication is completed, the WAPI terminal negotiates
with the RG-AC to generate a session key. Then, the RG-AC delivers the key to the specific RG-AP. When the WAPI
terminal receives or sends data packets, the RG-AP is responsible for encryption or decryption by using the key.

Protocols and Standards

Protocol specifications involved are as follows:

WAPI Deployment Guidance – 2006: A reference of WAPI

GB 15629.11-2003/XG1-2006: Information technology - Telecommunications and information exchange between
systems - Local and metropolitan area networks - Specific requirements - Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer specifications - Modification List 1.

WAPI Multi-Certificate Deployment Technology: A multi-certificate authentication guidance literature

Configuration

Describing Default WAPI Configuration

The following table describes default WAPI configuration.

Feature                                 Default setting

Enabling state of WAPI                  WAPI is disabled by default.

WAPI PSK authentication                 WAPI PSK authentication is disabled by default.

WAPI two-certificate authentication     WAPI two-certificate authentication is disabled by default.

WAPI three-certificate authentication   WAPI three-certificate authentication is disabled by default.

WAPI PSK                                No WAPI PSK is configured by default.

WAPI AE certificate                     No WAPI AE certificate is configured by default.

WAPI CA certificate                     No WAPI CA certificate is configured by default.

WAPI ASU certificate                    No WAPI ASU certificate is configured by default.

IP address of the WAPI ASU              No IP address is configured for the WAPI ASU by default.

Enabling WAPI Security Mode

WAPI security mode is disabled by default. An authentication mode can be configured only after WAPI security mode is enabled.

Use the following commands to enable WAPI security mode in WLAN security configuration mode.

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# wlansec wlan-id Enters WLAN security configuration mode. wlan-id specifies the number of an existing
WLAN; you must create the WLAN before configuring this command.

Ruijie(wlansec)# security wapi enable Enables WAPI security mode.

 Configuring WAPI security mode and displaying WAPI configuration and state are not supported on AP110-W or
AP120-W.

The WAPI security mode is disabled by default. To disable WAPI security mode, use the security wapi disable
command.

Configuration example

# Enable WAPI security mode.

Ruijie# configure terminal


Ruijie(config)# wlansec 1
Ruijie(wlansec)# security wapi enable

Configuring WAPI PSK Authentication

Before configuring WAPI PSK authentication mode, you must enable WAPI security mode.

Use the following commands to configure WAPI PSK authentication in WLAN security configuration mode.

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# wlansec wlan-id Enters WLAN security configuration mode.

Ruijie(wlansec)# security wapi psk enable Enables WAPI PSK authentication mode.

Ruijie(wlansec)# security wapi psk set-key { ascii ascii-key | hex hex-key } Configures a WAPI PSK.
  ascii: Specifies an ASCII PSK.
  ascii-key: The ASCII passphrase, 8 to 63 characters.
  hex: Specifies a hexadecimal PSK.
  hex-key: The hexadecimal key, 64 hexadecimal characters.

The WAPI PSK authentication mode is disabled by default. To disable WAPI PSK authentication, use the security wapi
psk disable command.

Configuration example

# Configure WAPI PSK authentication and set the key to 12345678.

Ruijie# configure terminal


Ruijie(config)# wlansec 1
Ruijie(wlansec)# security wapi enable
Ruijie(wlansec)# security wapi psk enable
Ruijie(wlansec)# security wapi psk set-key ascii 12345678

The PSK is 8 to 32 bytes long. A hexadecimal PSK must therefore contain an even number of hexadecimal characters,
two per byte.
WLAN users can access a WLAN through WAPI PSK authentication only when both WAPI PSK authentication mode and
the PSK are configured.
WAPI PSK authentication mode and the PSK can be configured in either order.

Configuring WAPI Certificate Authentication

Before configuring WAPI certificate authentication, you must enable WAPI security mode. Devices currently support
WAPI two-certificate authentication and WAPI three-certificate authentication. The difference is that in three-certificate
authentication the CA is separate from the ASU, whereas in two-certificate authentication the CA and the ASU are the
same entity.

Before configuring two-certificate authentication mode, you must import the CA and AE certificates into the AE; otherwise
the configuration fails. In WAPI two-certificate authentication mode, the configured CA certificate is also used as the ASU
certificate. If WAPI three-certificate authentication is needed, you must import an ASU certificate as well.

Use the following commands to enter WLAN security configuration mode.

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# wlansec wlan-id Enters WLAN security configuration mode.

Perform the following operations in WLAN security configuration mode:

Enabling WAPI Two-Certificate Authentication Mode

Use the following command to enable WAPI two-certificate authentication in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi 2-cert enable Enable WAPI two-certificate authentication mode.

This function is disabled by default.

Before configuring WAPI two-certificate authentication mode, ensure that WAPI security mode has been
enabled.
Two-certificate authentication mode and three-certificate authentication mode cannot be enabled at the same time.

To disable WAPI two-certificate authentication mode, use the security wapi 2-cert disable command.

Enabling WAPI Three-Certificate Authentication Mode

Use the following command to enable WAPI three-certificate authentication in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi 3-cert enable Enable WAPI three-certificate authentication mode.

This function is disabled by default.

Before configuring WAPI three-certificate authentication mode, ensure that WAPI security mode has been
enabled.
Two-certificate authentication mode and three-certificate authentication mode cannot be enabled at the same time.

To disable WAPI three-certificate authentication mode, use the security wapi 3-cert disable command.

Configuring a CA Certificate

In WAPI two-certificate authentication mode, the CA is also the ASU, so the CA certificate serves as the ASU certificate
and no separate ASU certificate needs to be configured.

In WAPI three-certificate authentication mode, the CA is separate from the ASU. The ASU certificate is issued by the
certificate management system, so you must configure an ASU certificate separately. The CA certificate is used only to
verify the CA's signature on a certificate, that is, to determine whether the certificate was issued by the trusted CA.

Use the following command to configure a CA certificate in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi ca cert ca_certfile Configures a CA certificate for WAPI authentication.
  ca_certfile: Specifies the name of the CA certificate file.

Before configuring a CA certificate, ensure that WAPI security mode has been enabled, and the certificate file
has been imported into the AE.

Configuring an ASU Address

The ASU runs authentication software and is connected with the AE through wires. During WAPI certificate authentication,
the ASU is used to transmit certificate authentication requests and authentication-related packets through UDP. Therefore,
you must specify an ASU IP address.

Use the following command to configure an IP address for the ASU in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi asu address ip_address Configures an IP address for the ASU.
  ip_address: Specifies the IP address of the ASU.

Before configuring an address for the ASU, ensure that WAPI security mode has been enabled.

Configuring an ASU Certificate

An ASU certificate is needed in WAPI three-certificate authentication mode but not in WAPI two-certificate authentication
mode.

Use the following command to configure an ASU certificate in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi asu cert asu_certfile Configures an ASU certificate.
  asu_certfile: Specifies the name of the ASU certificate file.

Before configuring an ASU certificate, ensure that WAPI security mode has been enabled, and the certificate
file has been imported into the AE.

Configuring an AE Certificate

The certificate is configured for the AE itself.

Use the following command to configure an AE certificate in WLAN security configuration mode.

Command Function

Ruijie(wlansec)# security wapi ae cert ae_certfile Configures an AE certificate.
  ae_certfile: Specifies the name of the AE certificate file.

Before configuring an AE certificate, ensure that WAPI security mode has been enabled, and the certificate file
has been imported into the AE.

Monitoring

Use the following command in privileged EXEC mode or global configuration mode or WLAN security configuration mode
to display configuration information about users that have been authenticated and are being authenticated through WAPI.

Command Function

show wapi-sta summary Displays information about users that have been authenticated and are being authenticated
through WAPI (the authenticated and authenticating lists).

 Configuring WAPI security mode and displaying WAPI configuration and state are not supported on AP110-W or
AP120-W.

This command can be used in any mode except user EXEC mode.

Configuration Examples

Configuring WAPI Two-Certificate Authentication Mode

Networking Topology

Figure 1 WAPI networking topology

Networking Requirements

As shown in the figure above, the AP is connected with the AC; the AC is connected with the AS.

CA certificate EccCA.cer and AE certificate EccAE.cer have been imported into the AC.

WAPI security mode has been enabled.

WAPI terminal devices are correctly connected.

Configuration Steps

Configure IP addresses for a VLAN and a WLAN.

# (The configuration process is omitted.) Set wlan-id to 1.



Configure WLAN security configuration mode for WLAN 1 and enable WAPI.

# Enter WLAN security configuration mode of WLAN 1.

Ruijie# configure terminal


Ruijie(config)# wlansec 1

# Enable WAPI security mode.

Ruijie(wlansec)# security wapi enable

Configure WAPI two-certificate authentication mode (the CA is also the ASU).

# Enable WAPI two-certificate authentication mode.

Ruijie(wlansec)# security wapi 2-cert enable

# Configure an ASU address.

Ruijie(wlansec)# security wapi asu address 192.168.1.123

# Configure a CA certificate.

Ruijie(wlansec)# security wapi ca cert EccCA.cer

# Configure an AE certificate.

Ruijie(wlansec)# security wapi ae cert EccAE.cer

Run the show running-config command to verify the configuration above.

Configuring WAPI Three-Certificate Authentication Mode

Networking Topology

Figure 2 WAPI networking topology



Networking Requirements

As shown in the figure above, the AP is connected with the AC; the AC is connected with the ASU.

CA certificate EccCA.cer, ASU certificate EccASU.cer, and AE certificate EccAE.cer have been imported into the AC.

WAPI security mode and WAPI three-certificate authentication mode are enabled.

WAPI terminal devices are correctly connected.

Configuration Steps

Configure IP addresses for a VLAN and a WLAN.

# (The configuration process is omitted.) Set wlan-id to 1.

Configure WLAN security configuration mode for WLAN 1 and enable WAPI.

# Enter WLAN security configuration mode of WLAN 1.

Ruijie# configure terminal


Ruijie(config)# wlansec 1

# Enable WAPI security mode.

Ruijie(wlansec)# security wapi enable

Configure WAPI three-certificate authentication mode.



# Enable WAPI three-certificate authentication mode.

Ruijie(wlansec)# security wapi 3-cert enable

# Configure a CA certificate.

Ruijie(wlansec)# security wapi ca cert EccCA.cer

# Configure an ASU address.

Ruijie(wlansec)# security wapi asu address 192.168.1.123

# Configure an ASU certificate.

Ruijie(wlansec)# security wapi asu cert EccASU.cer

# Configure an AE certificate.

Ruijie(wlansec)# security wapi ae cert EccAE.cer

Run the show running-config command to verify the configuration above.


WLAN QoS Configuration

1. Configuring WLAN QoS


Configuration Guide Configuring WLAN QoS

Configuring WLAN QoS

Overview

WLANs compliant with 802.11 provide wireless access that is equally available to all users. Different applications, however,
have different requirements of the network, and the original 802.11 standard provides no mechanism for differentiating
service priorities, so it cannot offer different quality levels to different applications. When the network is congested, frames
that require prioritized handling (such as voice) and ordinary frames (such as Web browsing) are dropped with the same
probability. This does not match the QoS mechanisms of wired networks and falls short of the actual needs of applications.

WLAN QoS delivers different levels of network service for different needs. Data with strict timeliness and reliability
requirements receives better service and is processed first, while ordinary data with loose timeliness requirements is
given a lower processing priority.

Basic Concepts
WMM (Wi-Fi Multimedia): WMM is a wireless QoS specification defined by the Wi-Fi Alliance as a subset of the 802.11e
standard. It ensures that higher-priority frames are sent first, so that applications such as voice and video get better
quality.

AC (access category): WMM defines four access categories. In order of priority from highest to lowest they are voice, video,
best-effort, and background.

CAC (call admission control): CAC limits the number of clients that may use the high-priority queues (voice and video) so
that clients already using those queues keep sufficient bandwidth.

U-APSD (unscheduled automatic power-save delivery): U-APSD is a power-saving mechanism defined by WMM to improve
energy conservation at clients.

SVP (SpectraLink Voice Priority): SVP is a voice priority mechanism defined by SpectraLink for WLANs, ensuring that voice
flows receive higher priority in transmission.

WMM Services
The DCF (distributed coordination function) scheduling mode of IEEE 802.11 is based on CSMA/CA (carrier sense multiple
access with collision avoidance), so all terminals have an equal chance of taking the channel.

IEEE 802.11e adds QoS features to 802.11 WLANs. Standardizing the protocol took a long time; during that process the
Wi-Fi Alliance defined WMM to ensure interoperability between QoS-capable devices from different WLAN vendors. WMM
enables WLANs to offer QoS.

WMM divides data frames into four AC queues. ACs of higher priority have a better chance of taking the channel than ACs
of lower priority, so different quality of service can be provided for each type of traffic.

Figure 1 Access types



WLAN QoS Traffic Rate Limit


To make the best use of limited network resources and serve more users, devices should support traffic rate limiting.
Packets are forwarded while the traffic stays within the committed rate and dropped when the traffic exceeds it.

Parameters for assessing traffic are described below:

Average-data-rate

The allowed average rate of a flow, also known as the committed information rate.

Burst-data-rate

The maximum allowed burst of traffic, also known as the committed burst size. The configured burst size must be larger
than the maximum packet length; otherwise a maximum-size packet can never be forwarded.
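A token-bucket policer that models the two parameters above, as an added example that is not RGOS code and is not taken from this guide. Tokens accrue at the average (committed) rate up to the burst (committed) size, and a packet is forwarded only if enough tokens are present; the sample traffic is a constructed burst of twenty 1500-byte frames 1 ms apart offered to a policer configured with average 8 and burst 16, which in this guide's units is 64 Kbps with a 16,000-byte burst. The example also shows the caveat at the end of the section: a packet larger than the burst size is dropped even on an idle link. Reading burst-data-rate as a bucket depth in the same 8 Kbps unit is this example's assumption.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# The CLI expresses average-data-rate and burst-data-rate in units of 8 Kbps
# (8,000 bit/s), range 8..261120. This example treats the burst value as a bucket
# depth in the same unit, i.e. 8,000 bits = 1,000 bytes per unit (assumption).
UNIT_BITS = 8_000
MIN_VALUE, MAX_VALUE = 8, 261120


@dataclass
class TokenBucket:
    average_data_rate: int   # CLI value: committed information rate
    burst_data_rate: int     # CLI value: committed burst size
    tokens: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        for v in (self.average_data_rate, self.burst_data_rate):
            if not MIN_VALUE <= v <= MAX_VALUE:
                raise ValueError(f"{v} outside {MIN_VALUE}..{MAX_VALUE} (units of 8 Kbps)")
        self.tokens = self.depth_bytes   # the bucket starts full

    @property
    def rate_bytes_per_s(self) -> float:
        return self.average_data_rate * UNIT_BITS / 8

    @property
    def depth_bytes(self) -> float:
        return self.burst_data_rate * UNIT_BITS / 8

    def offer(self, now: float, size: int) -> bool:
        """Return True if a packet of `size` bytes arriving at `now` seconds is
        forwarded, False if the policer drops it."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        self.tokens = min(self.depth_bytes, self.tokens + elapsed * self.rate_bytes_per_s)
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

    def can_ever_pass(self, size: int) -> bool:
        """A packet larger than the bucket depth is dropped even on an idle link;
        this is why the burst size must exceed the maximum packet length."""
        return size <= self.depth_bytes


def police(bucket: TokenBucket, packets: Iterable[Tuple[float, int]]
           ) -> Tuple[List[Tuple[float, int]], List[Tuple[float, int]]]:
    """Run a (timestamp_s, size_bytes) stream through the bucket."""
    passed: List[Tuple[float, int]] = []
    dropped: List[Tuple[float, int]] = []
    for t, size in packets:
        (passed if bucket.offer(t, size) else dropped).append((t, size))
    return passed, dropped


# Constructed traffic: twenty 1500-byte frames 1 ms apart (12 Mbit/s offered).
SAMPLE_BURST = [(i * 0.001, 1500) for i in range(20)]

if __name__ == "__main__":
    ok, drop = police(TokenBucket(average_data_rate=8, burst_data_rate=16), SAMPLE_BURST)
    print(f"forwarded {len(ok)} frames, dropped {len(drop)}")
```

With these values the first ten frames drain the 16,000-byte bucket and the remaining ten are dropped, because only about 8 bytes of credit accrue per millisecond at 64 Kbps; after an idle gap the bucket refills and a new burst of the same size is admitted again.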

Fair Scheduling
The fair scheduling allows STAs in the same RF range associate with the same AP to share the wireless network resource
provided by the AP, impartially sharing wireless network bandwidth. Using the fair scheduling can prevent the low-speed
STAs slowing down the entire wireless network throughput and provide a smoother network speed experience for STAs.
Besides, the fair scheduling function can intellectively monitor every STA network flow change, automatically adjust the
wireless bandwidth ratio of each STA and bring better wireless network experience to the clients.

Protocols and Specifications


IEEE 802.11e-2005: Amendment 8: Medium Access Control (MAC) Quality of Service Enhancements, IEEE Computer
Society

Wi-Fi: WMM Specification version 1.1



Default Configuration

Features                        Default Setting

Activate WMM/QoS service        Enabled by default.

Configure WMM service           Support for CAC admission is disabled by default.
                                CAC admission policy is not configured by default.
                                Support for U-APSD power-saving mode is disabled by default.
                                SVP mapping queue is not configured by default.

Configure WLAN QoS rate limit   Not configured by default.

Configure fair scheduling       Enabled by default.

Configuring WLAN QoS

WLAN QoS has the following configuration items:

 Configuring WLAN QoS rate limit

Configuring WLAN QoS Rate Limit


Based on the actual conditions of the network, you may allow a flow to use only the resources committed to it, so as to
avoid network congestion caused by burst traffic.

The WLAN QoS rate limit function has the following options:

 AP-based rate limit
 Client-based rate limit
 WLAN-based rate limit

Configuring AP-based Rate Limit on APs

Configure the total traffic limit of the current AP in AP configuration mode. Use the no form of these commands to restore
the default setting.

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# ap-config ap-name Enters AP configuration mode


ap-name: Specifies the AP name.

Ruijie(config-ap)# wlan-qos ap-based { per-user-limit | total-user-limit } { down-streams | up-streams } average-data-rate average-data-rate burst-data-rate burst-data-rate
Configures the AP-based uplink rate limit.
  per-user-limit: Limit for each user on the WLAN.
  total-user-limit: Limit for the entire WLAN.
  down-streams: Downstream traffic limit of the AP.
  up-streams: Upstream traffic limit of the AP.
  average-data-rate average-data-rate: Specifies the average data rate limit, in the range from 8 to 261120, in units of 8 Kbps.
  burst-data-rate burst-data-rate: Specifies the burst data rate limit, in the range from 8 to 261120, in units of 8 Kbps.

Ruijie(config-ap)# wlan-qos ap-based { per-user-limit | total-user-limit | per-ap-limit } down-streams average-data-rate average-data-rate burst-data-rate burst-data-rate
Configures the AP-based downlink rate limit.
  per-user-limit: Limit for each user on the WLAN.
  total-user-limit: Limit for the entire WLAN.
  per-ap-limit: Limit for the WLAN's total traffic on each AP.
  down-streams: Downstream traffic limit of the AP.
  average-data-rate average-data-rate: Specifies the average data rate limit, in the range from 8 to 261120, in units of 8 Kbps.
  burst-data-rate burst-data-rate: Specifies the burst data rate limit, in the range from 8 to 261120, in units of 8 Kbps.

Ruijie(config)# wlan-qos ap-based total-user-limit up-streams intelligent
Configures the intelligent total-user-limit for uplink traffic of the current AP.
  up-streams: Total upstream traffic limit of the WLAN.
  intelligent: Enables the intelligent per-ap-limit.

Ruijie(config)# wlan-qos ap-based total-user-limit down-streams intelligent
Configures the intelligent total-user-limit for downlink traffic of the current AP.
  down-streams: Total downstream traffic limit of the WLAN.
  intelligent: Enables the intelligent per-ap-limit.

The traffic limit and intelligent total-user-limit are disabled by default.

Configuring WLAN-based Rate Limit on APs

Configure the total traffic rate limit based on WLAN in WLAN configuration mode. Use the no form of these commands to
restore the default setting.

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# wlan-config wlan-id Enters WLAN configuration mode.

Ruijie(config-wlan)# [ no ] enable-qos (Mandatory) Activates or deactivates the QoS service. The QoS service is
activated by default.

Ruijie(config-wlan)# wlan-qos wlan-based { per-user-limit | total-user-limit | per-ap-limit } up-streams average-data-rate average-data-rate burst-data-rate burst-data-rate
Configures the WLAN-based uplink rate limit.
  per-user-limit: Limit for each user on the WLAN.
  total-user-limit: Limit for the entire WLAN.
  per-ap-limit: Limit for the WLAN's total traffic on each AP.
  up-streams: Total upstream traffic limit of the WLAN.
  average-data-rate average-data-rate: Specifies the average data rate limit, in the range from 8 to 261120, in units of 8 Kbps.
  burst-data-rate burst-data-rate: Specifies the burst data rate limit, in the range from 8 to 261120, in units of 8 Kbps.

Ruijie(config-wlan)# wlan-qos wlan-based { per-user-limit | total-user-limit | per-ap-limit } down-streams average-data-rate average-data-rate burst-data-rate burst-data-rate
Configures the WLAN-based downlink rate limit.
  per-user-limit: Limit for each user on the WLAN.
  total-user-limit: Limit for the entire WLAN.
  per-ap-limit: Limit for the WLAN's total traffic on each AP.
  down-streams: Total downstream traffic limit of the WLAN.
  average-data-rate average-data-rate: Specifies the average data rate limit, in the range from 8 to 261120, in units of 8 Kbps.
  burst-data-rate burst-data-rate: Specifies the burst data rate limit, in the range from 8 to 261120, in units of 8 Kbps.

Ruijie(config-wlan)# wlan-qos wlan-based per-ap-limit up-streams intelligent
Configures the intelligent per-ap-limit for uplink traffic of the current WLAN.
  per-ap-limit: Limit for the WLAN's total traffic on each AP.
  up-streams: Total upstream traffic limit of the WLAN.
  intelligent: Enables the intelligent per-ap-limit.

Ruijie(config-wlan)# wlan-qos wlan-based per-ap-limit down-streams intelligent
Configures the intelligent per-ap-limit for downlink traffic of the current WLAN.
  per-ap-limit: Limit for the WLAN's total traffic on each AP.
  down-streams: Total downstream traffic limit of the WLAN.
  intelligent: Enables the intelligent per-ap-limit.

These functions are disabled by default.

Configuring Fair Scheduling

Command Function

Ruijie# configure terminal Enters global configuration mode.

Ruijie(config)# ap-config ap-name Enters AP configuration mode.

Ruijie(config-ap)# [ no ] fair-schedule Enables or disables the fair scheduling function.

Ruijie# show ap-config run Shows the fair scheduling configuration.

On a fat AP, the fair-schedule command is configured in global configuration mode; use the show running-config
command to view the configuration.
In fit AP mode, the fair scheduling function can be configured only on the AC.

Specifying Fair Scheduling Priority


Use this command to specify the fair scheduling priority for a specified user in global configuration mode on APs and AC
configuration mode on ACs. Use the no sta-fair mac-address command to restore the default setting.

Command Function

sta-fair mac-address priority priority Specifies the fair scheduling priority for a specified user.
  mac-address: Specifies the user's MAC address.
  priority: Sets the fair scheduling priority, in the range from 1 to 6.

This command is supported on ACs and fat APs.

The default priority is 1 for all STAs.

The following example sets the fair scheduling priority for user 0000.0000.0001 on the AC to 3.

Ruijie(config)# ac-controller
Ruijie(config-ac)# sta-fair 0000.0000.0001 priority 3

Enabling WQoS Traffic Statistics


Use this command to enable WQoS traffic statistics in global configuration mode on APs and AC configuration mode on
ACs. Use the no form of this command to restore the default setting.

Command Function

wqos fs enable Enables WQoS traffic statistics.

This command is supported on APs.

This function is disabled by default. When neither dot1x authentication nor Web authentication is enabled, use this
command to enable WQoS traffic statistics. When either of them is enabled, WQoS traffic statistics are enabled
automatically and this command has no effect.

The following example enables WQoS traffic statistics for all APs associated with the AC.

Ruijie(config-ac)#wqos fs enable

WLAN Networking Configuration


1. Configuring WDS
Configuration Guide Configuring WDS

Configuring WDS

 The WDS encryption function is supported only on AP630-H

Overview

A wireless distribution system (WDS) enables interconnection of APs via wireless bridges or repeaters to allow connection
of a distributed network and expansion of wireless signals.

AP Working Mode

In a WDS network, APs work as autonomous ones. You may configure different working modes for the APs according to
the needs of the network. The roles of different working modes are described as follows:

Root AP: The wired interface of the AP is connected to the wired network; the wireless interface serves as a wireless
access point for connection with STAs (wireless terminals).

Root Bridge: The wired interface of the AP is connected to the wired network; the wireless interface serves as a wireless
bridge point for connection with non-root bridges.

Non-root Bridge: The wired interface of the AP is connected to the wired network; the wireless interface serves as a
wireless bridge point for connection with root bridges.

WDS Network Structure

Based on the above AP working modes, WDS allows two network structures: point-to-point and point-to-multipoint.

Point-to-Point Structure
Since wireless devices are connected to each other, this structure is suitable for a network connecting two fixed points.
The network topology is shown below:

Root Bridge + one Non-root Bridge

The wired interface of the root bridge is connected to the wired network, and its wireless interface is connected to the
non-root bridge;

The wireless interface of the non-root bridge is connected to the root bridge, and its wired interface is connected to the
wired network;

Two separate wired networks are connected in a wireless manner through the wireless bridging between the root bridge
and the non-root bridge.

See the following figure.


Configuration Guide Configuring WDS

Point-to-Multipoint Structure
Since wireless devices are connected from one point to multiple points, this structure is suitable for a network with a
central point and multiple remote points. The network topology is shown below:

Root Bridge + multiple Non-root Bridges

The root bridge serves as the root node, with its wireless interfaces connected to multiple non-root bridges.

The non-root bridges serve as leaf nodes, with their wireless interfaces connected to the root bridge and their wired
interfaces connected to the designated wired networks.

If a root bridge is associated with multiple non-root bridges, it is possible to connect multiple separate wired networks by
wireless means.

See the following figure.

Working Principles

Association with AP
Each AP is equivalent to a basic service set (BSS), and each BSS corresponds to a BSSID (which is generally the MAC
address of the AP). The AP periodically broadcasts Beacon frames containing the SSID (name of the wireless LAN) and
the BSSID. STAs listen to the Beacon frames; if the SSID in a Beacon frame matches the LAN name preset on the STA,
the STA joins the LAN via that AP. If an STA finds that multiple APs are sending Beacon frames, it selects one of the
APs to join the LAN. The STA connects to the AP by identifying the AP's BSSID and associating with it.

An AP cannot choose by itself which other AP to associate with. The BSSID to be associated with must be designated on
the AP for it to establish a wireless connection with the corresponding AP. In a WDS network, the BSSID of the upper-level
AP must be designated on APs in every working mode except Root Bridge, so that the APs are associated level by level and
finally form the corresponding network topology.

802.11 MAC Frame Address Structure


In the IEEE 802.11 standard, a MAC frame format has been defined for wireless technology. In the format, the MAC frame
header has four address fields, as shown in the figure below:

Depending on the transmission type of an 802.11 MAC frame, its address structure has either three or four addresses.
MAC frames transmitted between APs and STAs have a three-address structure, while those transmitted between APs
have a four-address structure.

As shown in the figure below, when STA 1 communicates with STA 2, STA 1 sends a three-address MAC frame to AP 2,
with the three addresses carrying the MAC addresses of AP 2, STA 1 and STA 2 respectively (see Table STA 1->AP 2);
AP 2 forwards the received MAC frame to STA 2 with the sequence of the three addresses changed to those of STA 2,
AP 2 and STA 1 (see Table AP 2->STA 2). When STA 1 communicates with STA 3, AP 2 forwards the MAC frame
received from STA 1 to AP 1 after converting the three-address structure into a four-address structure, with the addresses
carrying the MAC addresses of AP 2, AP 1, STA 3 and STA 1 respectively (see Table AP 2->AP 1); AP 1 forwards the
received MAC frame to STA 3 after converting the four-address structure back into a three-address structure.

Transmission Type   Address 1    Address 2    Address 3    Address 4
STA 1 -> AP 2       RA = AP 2    TA = STA 1   DA = STA 2   N/A
AP 2 -> STA 2       RA = STA 2   TA = AP 2    SA = STA 1   N/A
AP 2 -> AP 1        RA = AP 1    TA = AP 2    DA = STA 3   SA = STA 1

Cached MAC Address Table


APs are able to learn MAC addresses dynamically and cache the learnt MAC addresses and related information in MAC
address tables. Two MAC address tables are cached on each wireless interface: one table caches information of the STAs
associated with the current interface, while the other caches information of other accessible STAs and of the next hops to
such STAs.

When the wireless interface of an AP receives a MAC frame, it updates its cache table based on the source address of the
MAC frame and searches the cached address table for the destination MAC address. If the destination address is the
address of an STA associated with the current interface, it modifies the MAC frame to have a three-address structure and
forwards it locally. If the destination address is the address of an STA accessible from the current interface, it modifies
the MAC frame to have a four-address structure and forwards it to the AP at the next hop. If the destination address does
not exist in either table, the MAC frame is dropped.
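The address handling in the two sections above (the three-/four-address table and the cached-table forwarding decision), worked through as an added example that is not code from the Ruijie guide: the frame layout and ToDS/FromDS bits follow IEEE 802.11, while the MAC addresses and the cached tables are constructed sample data.

```python
"""Added example (not from the Ruijie guide): reads the 802.11 data-frame
address fields according to the ToDS/FromDS bits and performs the bridge
forwarding decision described in the guide (learn source, look up
destination, rewrite to three or four addresses, else drop).
Header layout and flag bits follow IEEE 802.11; the MAC addresses and the
cached tables are constructed sample data, not values from the guide."""
from dataclasses import dataclass

# Constructed addresses for the AP 1 / AP 2 / STA 1-3 topology in the guide.
AP1, AP2 = "00d0.f822.0001", "00d0.f822.0002"
STA1, STA2, STA3 = "0a0b.0c0d.0001", "0a0b.0c0d.0002", "0a0b.0c0d.0003"


def mac_bytes(dotted: str) -> bytes:
    """'00d0.f822.0001' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


def mac_str(raw: bytes) -> str:
    """6 raw bytes -> the dotted form used by the RGOS CLI."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, addr4=None, body=b""):
    """Build a minimal 802.11 data-frame header (no FCS) followed by the body."""
    # Frame Control: byte 0 = type 2 (data), subtype 0; byte 1 carries ToDS (bit 0), FromDS (bit 1).
    fc = bytes([0x08, (to_ds & 1) | ((from_ds & 1) << 1)])
    hdr = fc + b"\x00\x00"                       # Duration/ID
    hdr += mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += b"\x00\x00"                           # Sequence Control
    if to_ds and from_ds:                        # WDS frame: Address 4 follows Sequence Control
        if addr4 is None:
            raise ValueError("a four-address frame needs Address 4")
        hdr += mac_bytes(addr4)
    return hdr + body


def parse_addresses(frame: bytes):
    """Return ({RA, TA, DA, SA, ...}, body) according to the ToDS/FromDS bits."""
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    a1, a2, a3 = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    if to_ds and from_ds:                        # AP -> AP (table row AP 2 -> AP 1)
        return {"RA": a1, "TA": a2, "DA": a3, "SA": mac_str(frame[24:30])}, frame[30:]
    if to_ds:                                    # STA -> AP (table row STA 1 -> AP 2)
        return {"RA": a1, "TA": a2, "SA": a2, "DA": a3}, frame[24:]
    if from_ds:                                  # AP -> STA (table row AP 2 -> STA 2)
        return {"RA": a1, "DA": a1, "TA": a2, "SA": a3}, frame[24:]
    return {"RA": a1, "DA": a1, "TA": a2, "SA": a2, "BSSID": a3}, frame[24:]


@dataclass
class BridgeRadio:
    """One wireless interface with its two cached MAC tables."""
    mac: str
    associated: set      # STAs associated with this interface
    reachable: dict      # other STA -> next-hop AP (bridge peer) through which it is reached

    def forward(self, frame: bytes):
        """Forwarding decision for a received frame: ('local'|'bridge'|'drop', new frame or None)."""
        addrs, body = parse_addresses(frame)
        # Learn from the source: a directly associated STA transmits its own frames (TA == SA);
        # a frame relayed by a peer AP tells us that SA is reachable through that peer (TA).
        if addrs["TA"] == addrs["SA"]:
            self.associated.add(addrs["SA"])
        else:
            self.reachable[addrs["SA"]] = addrs["TA"]
        da = addrs["DA"]
        if da in self.associated:                # three-address frame, delivered locally
            return "local", build_data_frame(0, 1, da, self.mac, addrs["SA"], body=body)
        if da in self.reachable:                 # four-address frame towards the next-hop AP
            nh = self.reachable[da]
            return "bridge", build_data_frame(1, 1, nh, self.mac, da, addrs["SA"], body=body)
        return "drop", None                      # destination in neither table: frame is dropped
```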

Configuring WDS

Configuring AP Working Mode


The working mode of APs must be configured on the wireless interfaces. Generally, an AP has 1-2 wireless interfaces, i.e.
radios. You may consider each wireless interface as an independent AP when configuring the working mode of the
wireless interface.

The configuration is described below. Use the no form of this command to restore the default setting.

Command Function
Ruijie# config terminal   Enters the global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0   Enters the configuration mode of the designated wireless interface.
    radio-id: Specifies the radio of the AP. If radio-id is not specified, the command applies to all radios of all APs within the AP group.
Ruijie(config-if-Dot11radio X/Y)# station-role { root-ap | root-bridge bridge-wlan wlan-id | non-root-bridge }   Configures the AP working mode.
    root-ap: Sets the AP working mode to non-bridge mode.
    non-root-bridge: Sets the AP working mode to non-root bridge.
    root-bridge: Sets the AP working mode to root bridge.
    bridge-wlan wlan-id: WLAN ID used for the root bridge.
Ruijie(config-if-Dot11radio X/Y)# show running-config   Views the configuration result.

The default is non-bridge mode.

In fat AP mode, only the main interface can be used for bridging.
1. A WLAN must be bound to the related interface before bridging is configured on the non-root end.
2. It is recommended to configure the same channel on both the non-root end and the root end so that bridging is
established quickly.

Configuring the Parent Node of Non-Root-Bridge

By Configuring BSSID

It is required to configure the BSSID of the parent node for non-root-bridge to establish bridging with the specified root.

The configurations are described below:

Command Function
Ruijie# config terminal   Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0   Enters configuration mode of the specified wireless interface.
    radio-id: The radio of the specified AP.
Ruijie(config-if-Dot11radio X/Y)# parent mac-address HHHH.HHHH.HHHH   Configures the parent node of the non-root bridge.
    HHHH.HHHH.HHHH: BSSID of the specified root end, used as a fixed access point.
Ruijie(config-if-Dot11radio X/Y)# show running-config   Views the configuration.

The aging time of the parent node currently has no effect.

By Configuring SSID

On the non-root bridge, use the parent ssid command to configure the SSID of the parent node and establish bridging with the specified root.

Command Function
Ruijie# config terminal   Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0   Enters configuration mode of the specified wireless interface.
    radio-id: The radio of the specified AP.
Ruijie(config-if-Dot11radio X/Y)# parent ssid ssid   Configures the parent node of the non-root bridge.
    ssid: SSID of the specified root end, eligible for roaming.

Configuring Non-root Pre-configuration


Use this command to configure non-root pre-configuration in interface configuration mode on APs and AP configuration
mode on ACs.

The configuration is described below:

Command Function
wds pre-config [ create | delete ]   Creates or deletes non-root pre-configuration.
    create: Creates pre-configuration (only on fat APs).
    delete: Deletes pre-configuration.

This command provides the pre-configuration for a non-root fat AP that is to work in the non-root fit mode.

The wds pre-config create command is configured only on fat APs. It specifies the current non-root
configuration of the fat AP as the pre-configuration of the non-root fit mode. Then, it restores the fat AP’s
default setting.

Before the non-root fit AP works in the non-root fit mode, it must be pre-configured.

When the WDS bridge mode is disabled, use the wds pre-config delete command to delete configuration
files on the non-root end.

The following example pre-configures, on the fat AP, ruijie-root as the root end to access.

Ruijie(config-if-Dot11radio 1/0)# station-role non-root-bridge


Ruijie(config-if-Dot11radio 1/0)# parent ssid ruijie-root
Ruijie(config-if-Dot11radio 1/0)# wds pre-config create
Ruijie(config-if-Dot11radio 1/0)# exit
Ruijie(config)# ap-mode fit

The following example removes WDS non-root pre-configuration on the AP.

Ruijie(config-if-Dot11radio 1/0)# wds pre-config delete

Configuring Bridge Coverage


Use this command to enable or disable bridge coverage (only in WDS bridging mode) in interface configuration mode on
APs and AP configuration mode on ACs.

The configuration is described below:

Command Function
bridge with-client { enable | disable } Enables or disables bridge coverage.
enable: Enables bridge coverage.
disable: Disables bridge coverage.

This function is disabled by default. Only after this function is enabled will bridge coverage take effect in a WDS network.

It is recommended to disable this function.



In the non-root bridge working mode, a modified bridge with-client command takes effect only after it is
committed.

The following example enables WDS bridge coverage in the root bridge mode on APs.

Ruijie(config-if-Dot11radio 1/0)# station-role root-bridge bridge-wlan 1


Ruijie(config-if-Dot11radio 1/0)# bridge with-client enable

The following example disables WDS bridge coverage on APs.

Ruijie(config-if-Dot11radio 1/0)# bridge with-client disable

Showing WDS

Showing WDS Bridge Information on Fat APs


Use this command to display WDS bridge configuration in privileged EXEC mode.

The configuration is described below:

Command Function
show dot11 wds-bridge-info interface-name Displays WDS bridge configuration.
interface-name: Dot11radio interface name.

Note: This command is supported on fat APs.

The following example displays WDS bridge configuration.

Ruijie#show dot11 wds-bridge-info 1/0


WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status OK
WlanID 1, SSID ruijie_root, BSSID 32d0.f822.3303

WBI 1/0
NONROOT 00d0.f822.3304

WBI 1/1
NONROOT 00d0.f822.3307

The following example displays WDS bridge configuration on a root bridge whose bridge WLAN status is still WAITING.

Ruijie#show dot11 wds-bridge-info 1/0


WDS-MODE: ROOT-BRIDGE
BRIDGE-WLAN:
Status WAITING
Wlanid 1

The following example displays WDS bridge configuration on a non-root bridge.

Ruijie#show dot11 wds-bridge-info 1/0


WDS-MODE: NONROOT-BRIDGE
MAC:00d0.f822.3304

WBI 1/0
ROOT 32d0.f822.3303

Access Service Configuration


1. Configuring Interface

2. Configuring MAC Address

3. Configuring VLAN

4. Configuring VLAN Group

5. Configuring LLDP

6. Configuring PPPoE Client


Configuration Guide Configuring Interface

Configuring Interface

Interface Overview

Ruijie devices support two types of interfaces: physical interfaces and logical interfaces. A physical interface is an interface
that has a corresponding physical hardware port on the device, for example, a Fast Ethernet interface or a Gigabit Ethernet
interface.

A logical interface is an interface that has no corresponding physical hardware port on the device. A logical interface can
be associated with a physical interface or independent of physical interfaces. Examples are loopback interface, and tunnel
interface. For network protocols, physical interfaces and logical interfaces are treated in the same way.

The Ruijie series devices support the following types of interfaces:

Interface type            Interface configuration name                   Standard compliance
Async serial port         Async                                          EIA/TIA RS-232
Sync serial port          Serial                                         V.24, V.35, EIA/TIA-449, X.21, EIA-530
Fast Ethernet interface   FastEthernet, GigabitEthernet, Aggregateport   IEEE802.3, RFC894
E1/CE1 port               E1                                             G.775, G.704, G.706, G.732
ISDN S/T port             BRI                                            ITU-T I.430
ISDN U port               BRI                                            G.961, ANSI T1.601
Dialer interface          dialer                                         —
Loopback interface        Loopback                                       —
NULL interface            NULL                                           —
Sub-interface             Serial0.1 (example)                            —
Async serial port group   Group-Async                                    —

Common Interface Configuration

Entering the Specified Interface Configuration Mode


Before you configure an interface, first enter the global configuration mode and then the specified interface configuration
mode by executing the following commands:

Command Function
Ruijie(config)# interface interface-type interface-number   Creates an interface and enters the specified interface configuration mode.
Ruijie(config)# no interface interface-type interface-number   Deletes the specified interface.

For example, to enter the configuration mode of Fast Ethernet port 0 in slot 0, perform the following steps:

Ruijie# config terminal


Ruijie(config)# interface FastEthernet 0/0

Note: For the names of the various interface types, see the interface type table above.

Note: For E1/CE1 interfaces, the interface number consists of the slot number, port number and channel
number. For example, the first channel group of the third port of the E1/CE1 module in slot 2 is
represented as serial 2/3:1.

Note: Both the async serial port and the auxiliary port belong to the Async interface type. The interfaces are numbered
so that the auxiliary interfaces come after the async serial ports. For example, when one 8-async
port subcard is inserted into the device, async ports 1-8 are numbered Async 1 to Async 8 and
the auxiliary port is numbered Async 9. If there is no async serial port module on the device, the
number of the auxiliary port is Async 1.

Configuring Interface Range


This function is disabled by default.

Command Function
interface range { port-range | macro macro_name }   Enters interface configuration mode on multiple interfaces, in global configuration mode.
    port-range: Specifies the interface type and ID range, in the form of interface-type slot-number/interface-number. The interface can be either an Ethernet physical interface or a loopback interface.
    macro macro_name: Indicates the interface range macro.
define interface-range macro_name   Defines the macro name of the interface range, in global configuration mode.
    macro_name: Indicates the interface range macro.

Use the define interface-range command to define a range of interfaces as the macro name and then use the interface
range macro macro_name command to enter interface configuration mode on multiple interfaces.

The following example enters interface configuration mode on multiple interfaces by defining the macro name.

Ruijie(config)# define interface-range route1 gigabitEthernet 0/0-2


Ruijie(config)# interface range macro route1
Ruijie(config-if-range)# bandwidth 100

Configuring IP Addresses
Except for the NULL interface, every interface has its own IP address, which you must consider when you use the interface.
The following commands are available:

Command Function
Ruijie(config-if)# ip address ip-address ip-mask Configure the IP address of the interface.
Ruijie(config-if)# no ip address Delete the IP address of the interface.

For the details about the IP address configuration, see the related chapter in IP Address and Service Configuration Guide.

Configuring Interface Descriptions


Interface descriptions are used to identify interfaces.

To configure an interface description, execute the following commands in the interface configuration mode:

Command Function
Ruijie(config-if)# description interface-description   Describes the purpose of the specified interface; supports a description string of up to 80 characters.
Ruijie(config-if)# no description   Deletes the description of the interface.

Setting the Maximum Transmit Unit (MTU)


The MTU is an attribute of IP packets. It ranges from 64 to 65535 bytes, depending on the interface type. You can use the
following commands to set it:

Command Function
Ruijie(config-if)# mtu bytes Configure the MTU size.
Ruijie(config-if)# no mtu Restore the default value of the MTU.

Configuring Bandwidth
The bandwidth is used by some routing protocols (for example, OSPF) to calculate the route metric and by RSVP to
calculate the reserved bandwidth. Modifying the interface bandwidth does not affect the data transmission rate of the
physical interface.

To configure the bandwidth of the interface, execute the following commands in the interface configuration mode:

Command Function
Ruijie(config-if)# bandwidth kilobits Configure the bandwidth
Ruijie(config-if)# no bandwidth Remove the setting of the bandwidth

Fixing the Interface Index


Use the snmp-server if-index persist command to fix the interface index so that it does not change after an interface is
created or deleted. Use the no form of this command to disable the setting.

Command Function
Ruijie(config-if)# snmp-server if-index persist Enable the function of fixing interface index.
Ruijie(config-if)# no snmp-server if-index persist Disable the function of fixing interface index.

Configuration example

The following example fixes the interface index.

Ruijie(config)# snmp-server if-index persist


Ruijie(config)#

Sending LinkTrap on Interface


This function is enabled by default.

Command Function
snmp trap link-status   Sends LinkTrap on an interface, in interface configuration mode.
no snmp trap link-status   Disables this function.

Use this command to decide whether to send LinkTrap on an interface (for instance, Ethernet interface, AP interface, and
SVI interface). If the function is enabled, the SNMP sends the LinkTrap when the link status of the interface changes.

The following example disables sending LinkTrap on the interface.

Ruijie(config)# interface gigabitEthernet 1/1


Ruijie(config-if)# no snmp trap link-status

The following example enables sending LinkTrap on the interface.

Ruijie(config)# interface gigabitEthernet 1/1


Ruijie(config-if)# snmp trap link-status

Interface Monitoring and Maintenance

The list of the tasks for monitoring and maintaining the interfaces is as below:

Displaying Status and Statistics of Interface


Command Function
show interfaces [ interface-type interface-number ] [ description ]   Displays the status and statistics of the specified interface, in any CLI mode.
    interface-type: (Optional) Specifies the interface type. By default all interface types are displayed.
    interface-number: Specifies the interface number. If the interface type is specified, this parameter is mandatory.
    description: Interface description, including link state.

You can use the show interface command to display the following information: interface and protocol status, MTU,
bandwidth, loopback status, interface queue policy and usage, protocol communication, interface packet input/output and
errors, and link physical status. This command is the most commonly used one for checking the usage of the data link
layer on an interface.

On a low-speed interface, the default queue policy is WFQ.

On a high-speed interface, the default policy is the FIFO queue policy, and you can use this command to see the usage
of the queue. For example, "Queueing strategy: fifo / Output queue 0/40, 0 drops; input queue 0/75, 0 drops" means that the
output queue currently holds 0 packets out of a maximum of 40 with 0 packets dropped, and the input queue currently
holds 0 packets out of a maximum of 75 with 0 packets dropped.

The following example displays the information of interface FastEthernet 0/0.

Ruijie# show interface fastEthernet 0/0


Index(dec):1 (hex):1
FastEthernet 0/0 is UP , line protocol is UP
Hardware is Nat-Semi DP83815DVNG FastEthernet, address is 0a0b.0c0d.0e0f (bia 0a0b.0c0d.0e0f)
Interface address is: 1.1.1.1/24
ARP type: ARPA,ARP Timeout: 3600 seconds
Interface IPv6 address is:
No IPv6 address
MTU 1500 bytes, BW 100000 Kbit
Encapsulation protocol is Ethernet-II, loopback not set
Keepalive interval is 10 sec , set
Carrier delay is 2 sec
Ethernet attributes:
Medium-type is Copper
Last link state change time: 2012-12-22 14:00:48
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
Priority is 0
Admin duplex mode is AUTO, oper duplex is Unknown

Admin speed is AUTO, oper speed is Unknown


Flow control admin status is OFF,flow control oper status is OFF
Queueing strategy: FIFO
Output queue 0/40, 0 drops;
Input queue 0/75, 0 drops
Rxload is 1/255 ,Txload is 1/255
5 minutes input rate 0 bits/sec, 0 packets/sec
5 minutes output rate 0 bits/sec, 0 packets/sec
782 packets input, 88920 bytes, 0 no buffer
Received 782 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 1 interface resets

The following example displays the information of the sync serial interface.

Ruijie# show interface serial 1/0


Index(dec):1 (hex):1
Serial 1/0 is UP , line protocol is UP
Hardware is Infineon DSCC4 PEB20534 H-10 serial
Interface address is: 1.1.1.2/24
Interface IPv6 address is:
No IPv6 address
MTU 1500 bytes, BW 2000 Kbit
Encapsulation protocol is FRAME RELAY, loopback not set
Keepalive interval is 10 sec , set
Carrier delay is 2 sec
LMI enq sent 1087, LMI status recvd 1026, LMI update recvd 0, DTE LMI up
LMI enq recvd 8, LMI status sent 0, LMI update sent 0
LMI DLCI 0 LMI type is CCITT, frame relay DTE interface broadcasts 0
Queueing strategy: WFQ
Rxload is 1/255 ,Txload is 1/255
5 minutes input rate 15 bits/sec, 0 packets/sec
5 minutes output rate 14 bits/sec, 0 packets/sec
1194 packets input, 20226 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
2052 packets output, 37755 bytes, 0 underruns
output errors, 0 collisions, 809 interface resets
11 carrier transitions
V35 DCE cable

DCD=up DSR=up DTR=up RTS=up CTS=up

The following example displays the interface description.


Ruijie#show interfaces gigabitEthernet 0/0 description


Interface Status Administrative Description
-------------------------------- -------- -------------- -----------

GigabitEthernet 0/0 up up connet_to_g0/1

Displaying Link-state-change Statistics


Command Function
show interfaces [ interface-type interface-number ] link-state-change statistics   Displays the link state change statistics, including the time and count, in any CLI mode.
    interface-type: (Optional) Specifies the interface type. By default all interface types are displayed.
    interface-number: Specifies the interface number. If the interface type is specified, this parameter is mandatory.

If you do not specify an interface, the link state statistics of all interfaces are displayed.

The following example displays the link state change statistics of GigabitEthernet 0/1.

Ruijie# show interfaces GigabitEthernet 0/1 link-state-change statistics


Interface Link state Link state change times Last change time
------------ --------- ----------------------- -------------------
Gi 0/1 down 100 2012-12-24 15:00:00

Display Bandwidth Usage of Interface


Command Function
show interfaces [ interface-type interface-number ] usage   Displays bandwidth usage of the interface, in any CLI mode.
    interface-type interface-number: (Optional) Specifies the interface type and ID.

If you do not specify an interface, the bandwidth usage of all interfaces is displayed. Bandwidth refers to the actual link
bandwidth rather than the bandwidth parameter configured on the interface.

The following example displays bandwidth usage of interface GigabitEthernet 0/1.

Interface Bandwidth Bandwidth Usage


-------------------------------- ------------- ------------------
GigabitEthernet 0/0 1000000 Kbit 0.001840950%

Bandwidth refers to the interface link bandwidth, the maximum speed of link.

Display Received and Transmitted Packet Statistics


Command Function
show interfaces [ interface-type interface-number ] counters [ increment | error | rate | summary ]   Displays the received and transmitted packet statistics, in any CLI mode.
    interface-type interface-number: (Optional) Specifies the interface type and ID.
    increment: Displays the packet statistics increased during the last sample interval.
    error: Displays error packet statistics.
    rate: Displays the packet receiving and transmitting rate.
    summary: Displays the packet statistics summary.

If you do not specify an interface, the packet statistics on all interfaces are displayed.

The following example displays packet statistics on interface GigabitEthernet 0/1.

Ruijie#show interfaces GigabitEthernet 0/1 counters


Interface : GigabitEthernet 0/1
5 minute input rate :9144 bits/sec, 9 packets/sec
5 minute output rate :1280 bits/sec, 1 packets/sec
Rxload : 1%
InOctets : 17310045
InPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
InUcastPkts : 100
InMulticastPkts : 100
InBroadcastPkts : 800
Txload : 1%
OutOctets : 1282535
OutPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
OutUcastPkts : 100
OutMulticastPkts : 100
OutBroadcastPkts : 800
Undersize packets : 0
Oversize packets : 0
collisions : 0
Fragments : 0
Jabbers : 0
CRC alignment errors : 0
AlignmentErrors : 0
FCSErrors : 0
dropped packet events (due to lack of resources): 0
packets received of length (in octets):
64:46264
65-127: 47427
128-255: 3478
256-511: 658
512-1023: 18016
1024-1518: 125

Packet increment in last sampling interval(5 seconds):


InOctets : 10000
InPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
InUcastPkts : 100
InMulticastPkts : 100
InBroadcastPkts : 800
OutOctets : 10000
OutPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
OutUcastPkts : 100
OutMulticastPkts : 100

Rxload refers to the receive bandwidth usage and Txload refers to the Tx bandwidth usage. InPkts is the
total number of receive unicast, multicast and broadcast packets. OutPkts is the total number of transmit
unicast, multicast and broadcast packets.
Packet increment in last sampling interval (5 seconds) represents the packet statistics increased during the
last sample interval (5 seconds).

The following example displays the packet statistics on interface GigabitEthernet 0/1 increased during the last sample
interval.

Ruijie#show interfaces GigabitEthernet 0/1 counters increment


Interface : GigabitEthernet 0/1
Packet increment in last sampling interval(5 seconds):
InOctets : 10000
InPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
InUcastPkts : 100
InMulticastPkts : 100
InBroadcastPkts : 800
OutOctets : 10000
OutPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
OutUcastPkts : 100

OutMulticastPkts : 100

The following example displays error packet statistics on interface GigabitEthernet 0/1.

Ruijie#show interfaces GigabitEthernet 0/1 counters error


Interface      UnderSize      OverSize       Collisions     Fragments
------------   ------------   ------------   ------------   ------------
Gi0/1          0              0              0              0
Interface      Jabbers        CRC-Align-Err  Align-Err      FCS-Err
------------   ------------   ------------   ------------   ------------
Gi0/1          0              0              0              0

UnderSize is the number of valid packets smaller than 64 bytes.


OverSize is the number of valid packets smaller than 1518 bytes.
Collisions is the number of colliding transmit packets.
Fragments is the number of packets with CRC error or frame alignment error which are smaller than 64 bytes.
Jabbers is the number of packets with CRC error or frame alignment error which are smaller than 1518 bytes.
CRC-Align-Err is the number of receive packets with CRC error.
Align-Err is the number of receive packets with frame alignment error.
FCS-Err is the number of receive packets with FCS error.

The following example displays packet receiving and transmitting rate on interface GigabitEthernet 0/1.

Ruijie#show interface gigabitEthernet 0/1 counters rate


Interface   Sampling Time   Input Rate   Input Rate      Output Rate   Output Rate
                            (bits/sec)   (packets/sec)   (bits/sec)    (packets/sec)
---------   -------------   ----------   -------------   -----------   -------------
Gi0/1       5 seconds       23391        23              124           0

Sampling Time is the time when packets are sampled. Input rate is packet receiving rate and Output rate is
packet transmitting rate.

The following example displays packet statistics summary on interface GigabitEthernet 0/1.

Ruijie#show interface gigabitEthernet 0/1 counters summary


Interface   InOctets     InUcastPkts    InMulticastPkts    InBroadcastPkts
---------   ----------   ------------   ----------------   ----------------
Gi0/1       1475788005   1389           45880503           11886621
Interface   OutOctets    OutUcastPkts   OutMulticastPkts   OutBroadcastPkts
---------   ----------   ------------   ----------------   ----------------
Gi0/1       6667915      6382           31629              13410

InOctets is the total number of packets received on the interface. InUcastPkts is the number of unicast
packets received on the interface. InMulticastPkts is the number of multicast packets received on the
interface. InBroadcastPkts is the number of broadcast packets received on the interface.

OutOctets is the total number of packets transmitted on the interface. OutUcastPkts is the number of unicast
packets transmitted on the interface. OutMulticastPkts is the number of multicast packets transmitted on the
interface. OutBroadcastPkts is the number of broadcast packets transmitted on the interface.
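A parser for the counters output described above, as an added example that is not code from the Ruijie guide: it reads the "show interfaces ... counters" text, checks that InPkts and OutPkts equal the sum of their unicast, multicast and broadcast parts, and reports a high broadcast share and any non-zero error counter. The sample output is constructed in the guide's layout (counter names are the guide's; the two non-zero error values are made up), and the 50% broadcast threshold is an assumption of this example.

```python
"""Added example (not from the Ruijie guide): parses the text of
'show interfaces <if> counters' in the layout the guide shows and runs the
checks a monitoring job would apply to it.
SAMPLE is constructed in the guide's output format (counter names are the
guide's; the two non-zero error values are made up); the 50 % broadcast
threshold is an assumption of this example."""
import re

SAMPLE = """\
Interface : GigabitEthernet 0/1
5 minute input rate :9144 bits/sec, 9 packets/sec
5 minute output rate :1280 bits/sec, 1 packets/sec
Rxload : 1%
InOctets : 17310045
InPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
InUcastPkts : 100
InMulticastPkts : 100
InBroadcastPkts : 800
Txload : 1%
OutOctets : 1282535
OutPkts : 1000(Unicast: 10%, Multicast: 10%, Broadcast: 80%)
OutUcastPkts : 100
OutMulticastPkts : 100
OutBroadcastPkts : 800
Undersize packets : 0
Oversize packets : 0
collisions : 0
Fragments : 0
Jabbers : 0
CRC alignment errors : 7
AlignmentErrors : 0
FCSErrors : 3
dropped packet events (due to lack of resources): 0
"""

# Counters whose non-zero value points at a physical-layer or framing problem.
ERROR_COUNTERS = (
    "Undersize packets", "Oversize packets", "collisions", "Fragments", "Jabbers",
    "CRC alignment errors", "AlignmentErrors", "FCSErrors",
    "dropped packet events (due to lack of resources)",
)
BROADCAST_PCT_THRESHOLD = 50  # assumed alerting threshold, not from the guide

# "<name> : <integer>..." ; the integer is the first number after the colon, so
# "InPkts : 1000(Unicast: 10%, ...)" yields 1000 and "Rxload : 1%" yields 1.
COUNTER_RE = re.compile(r"^(?P<name>[^:]+?)\s*:\s*(?P<value>\d+)")


def parse_counters(text: str) -> dict:
    """Return {'interface': name, 'counters': {counter name: int}}."""
    parsed = {"interface": None, "counters": {}}
    for line in text.splitlines():
        if line.startswith("Interface :"):
            parsed["interface"] = line.split(":", 1)[1].strip()
            continue
        m = COUNTER_RE.match(line)
        if m:
            parsed["counters"][m.group("name").strip()] = int(m.group("value"))
    return parsed


def check_counters(parsed: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    c = parsed["counters"]
    findings = []
    for d in ("In", "Out"):
        total = c.get(f"{d}Pkts")
        if total is None:
            continue
        # The guide defines InPkts/OutPkts as unicast + multicast + broadcast.
        parts = sum(c.get(f"{d}{k}Pkts", 0) for k in ("Ucast", "Multicast", "Broadcast"))
        if total != parts:
            findings.append(f"{d}Pkts {total} != unicast+multicast+broadcast {parts}")
        if total:
            pct = c.get(f"{d}BroadcastPkts", 0) * 100 // total
            if pct >= BROADCAST_PCT_THRESHOLD:
                findings.append(f"{d}BroadcastPkts {pct}% of {d}Pkts (threshold {BROADCAST_PCT_THRESHOLD}%)")
    for name in ERROR_COUNTERS:
        if c.get(name, 0):
            findings.append(f"{name} = {c[name]}")
    return findings


if __name__ == "__main__":
    for finding in check_counters(parse_counters(SAMPLE)):
        print(finding)
```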

Clearing and Resetting Interface Counters


The statistics on the interface vary with the change of the communication. Sometimes, to avoid the interference of the past
communication statistics, you need to clear the statistics of the interface, so that the current statistics can faithfully reflect
the current communication state of the interface.

Command Function
Ruijie# clear counters [serial] | [async] | [FastEthernet] |…   Clears the communication statistics of the interface shown by the show interface command, that is, resets them to 0.
Ruijie# clear interface [serial] | [async] | [FastEthernet] |…   Clears all state values of an interface.

For example, before you use the clear counter command, use the show interface serial1/0 command to show the
information of the interface:

Ruijie# show interface serial 1/0


serial 1/0 is DOWN , line protocol is DOWN
Hardware is Infineon DSCC4 PEB20534 H-10 serial
Interface address is: 192.168.10.10/24
MTU 1500 bytes, BW 2000 Kbit
Encapsulation protocol is PPP, loopback not set
Keepalive interval is 10 sec , set
Carrier delay is 2 sec
RXload is 1 ,Txload is 1
LCP Closed
Closed: ipcp
Queueing strategy: WFQ
5 minutes input rate 0 bits/sec, 0 packets/sec
5 minutes output rate 0 bits/sec, 0 packets/sec
1425 packets input, 22800 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
1425 packets output, 22800 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
6 carrier transitions
V35 DTE cable
DCD=down DSR=down DTR=up RTS=up CTS=down
Ruijie# clear counter serial 1/0

Then, use the show interface command to show the information of the interface:

Ruijie# show interface serial 1/0

serial 1/0 is DOWN , line protocol is DOWN
Hardware is Infineon DSCC4 PEB20534 H-10 serial
Interface address is: 192.168.10.10/24
MTU 1500 bytes, BW 2000 Kbit
Encapsulation protocol is PPP, loopback not set
Keepalive interval is 10 sec , set
Carrier delay is 2 sec
RXload is 1 ,Txload is 1
LCP Closed
Closed: ipcp
Queueing strategy: WFQ
5 minutes input rate 0 bits/sec, 0 packets/sec
5 minutes output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 carrier transitions
V35 DTE cable
DCD=down DSR=down DTR=up RTS=up CTS=down

Shutting Down and Restarting the Interface


When necessary, for example when you replace the cables on an interface, you must shut down the interface and then
restart it. The shutdown command shuts down an interface, and the no shutdown command restarts it.

Basic Interface Configuration Example

Interface Description Configuration Example


The following example configures a description for an Ethernet interface:

Ruijie(config)# interface FastEthernet 0/0
Ruijie(config-if)# description Gateway_of_translation
Ruijie(config-if)# ip address 192.168.12.1 255.255.255.0

Interface Shutdown Configuration Example


If an interface is idle, you can shut it down, as shown in the following example:

Ruijie(config)# interface serial 1/0
Ruijie(config-if)# shutdown
Configuration Guide Configuring MAC Address

Configuring MAC Address

Overview

Layer-2 forwarding, a major function of the Ethernet switch, forwards packets by examining data link layer
information. The switch forwards a packet to the corresponding interface according to the destination MAC address
carried in the packet, and stores the mapping between the destination MAC address and the interface in the MAC
address table.

Every MAC address in the MAC address table is associated with a VLAN. Different MAC addresses are allowed in the
same VLAN. Each VLAN logically maintains its own MAC address table, so a MAC address learned in one VLAN may be
unknown to other VLANs and must be learned again there.

A MAC address entry contains the following information:

Table 1-1 MAC Address Entry

State    VLAN    MAC address    Interface

 State: dynamic, static or filtering address;
 VLAN: VLAN to which the MAC address belongs;
 MAC address: MAC address information in the entry;
 Interface: interface of the MAC address.

MAC address entries are updated and maintained in the following two ways:

 Learning addresses dynamically
 Configuring addresses manually

The switch looks up the outgoing interface for a packet in the MAC address table according to the destination MAC
address and the VLAN ID, and then forwards the packet in unicast, multicast or broadcast form.

 Unicast forwarding: if the switch finds an entry matching the destination MAC address and VLAN ID of the packet in
the MAC address table and the entry maps to a single outgoing interface, the packet is forwarded through that
interface.
 Multicast forwarding: if the switch finds an entry matching the destination MAC address and VLAN ID of the packet in
the MAC address table and the entry corresponds to a group of outgoing interfaces, the packet is forwarded through
those interfaces directly.
 Broadcast forwarding: if the switch receives a packet destined to ffff.ffff.ffff, or it finds no matching entry in the
MAC address table, the packet is flooded within the VLAN to which it belongs, through all outgoing interfaces except
the incoming interface.

This chapter describes management of dynamic, static and filtering addresses. For the management of
multicast address, refer to IGMP Snooping Configurations.

Learning Addresses Dynamically


Dynamic Address

A dynamic address is a MAC address learned automatically from the packets received by the switch. Only dynamic
addresses are removed by the aging mechanism of the address table.

Address Learning Process

In general, the MAC address table is maintained by dynamic address learning. The operating principle is as follows:

1) The MAC address table of the switch is empty and User A wants to communicate with User B. User A sends a packet
to interface GigabitEthernet 0/2, and the MAC address of User A is learned into the MAC address table.
There is no entry for the MAC address of User B in the table, so the switch broadcasts the packet to all ports
except the port of User A. User C also receives the packet from User A, although it is not addressed to User C.

Figure 1-1 Dynamic Address Learning (Step 1)

Table 1-2 MAC Address Table 1

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 0/2

2) Upon receiving the packet, User B replies to User A through interface GigabitEthernet 0/3. The MAC address of
User A already exists in the MAC address table, so the packet is forwarded to interface GigabitEthernet 0/2 in
unicast form, and the switch learns the MAC address of User B at the same time. Unlike in step one, User C does
not receive the packet sent from User B to User A.

Figure 1-2 Dynamic Address Learning (Step 2)

Table 1-3 MAC Address Table 2

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 0/2
Dynamic   1     00d0.f8a4.e9b6  GigabitEthernet 0/3

After the exchange between User A and User B, the switch has learned the source MAC addresses of both users.
Packets between User A and User B are forwarded in unicast form and User C no longer receives them.

In a stack system, the address tables of the member devices are not synchronized. For example, suppose
device A and device B form a stack and device A is the master. When broadcast packets are sent to device A,
the port that receives the frames on device A learns the address MAC1 and records it in the address table.
Because the packets are broadcast to device B through the stack port, the stack port on device B also learns
MAC1 but does not record it in the address table. If the MAC address learned on the frame-receiving port of
device A is removed, MAC1 is also removed from the address table. However, the stack port of device B still
holds this MAC address, so the hardware address tables of the master and slave devices become inconsistent.
Packets destined to MAC1 that arrive on other ports of device A cannot be broadcast to device B, because
MAC1 has already been learned by the stack port of device B. After this MAC address ages out, the packets are
broadcast to the port of device B.

Because the address tables of the member devices in a stack are not synchronized and hash table conflicts
may occur, the address table may contain too many records and, in some extreme cases, some records cannot
age out. For example, device A and device B are IRF member devices and device A is the master. A terminal
device such as a PC connected to port Bport of device B sends broadcast packets. Because the address tables
of device A and device B are full and not synchronized, device B may hold the address mac1+vid1+Bport while
device A does not. The address is recorded in the address table, so the table holds more records. The user
then moves the terminal device of mac1 from Bport of device B to Aport of device A, so that device A re-learns
the address mac1+vid1. Because the address table of device A is full and mac1+vid1 does not exist in it,
device A cannot learn the address. The IRF port broadcasts the packet to device B. Device B finds that
mac1+vid1 already exists in its table and overwrites the existing mac1+vid1+Bport entry with
mac1+vid1+Aport. Because the mac1+vid1+Bport address is not removed from the address table while device B
learns mac1+vid1+Aport, the mac1+vid1+Bport entry does not age out even after the aging time expires. To
solve this problem, use the clear mac-address-table dynamic command to empty the address table.

Address Aging

The capacity of the MAC address table is limited. The switch keeps the table up to date by learning new addresses and
aging out unused ones.

For an address in the MAC address table, if the switch has not received any packet from the MAC address for a long time
(depending on the aging time), the address will be aged out and removed from the MAC address table.

Dynamic Address Learning Management


Ruijie high-density modular Ethernet switches support the management learning mode of the dynamic address.

MAC Address Learning Mechanism

Multiple line cards in the switch learn MAC addresses, and each line card learns independently. The MAC address
learning process is as follows:

User A under Line Card 1 sends packets to User B. Because the MAC address of User B does not exist on the switch,
the packets are sent to all line cards on the switch in broadcast form.

Figure 1-3 MAC Address Forward Process 1



The switch learns the address after receiving the packets from the User A. At this time, Line Card 1 and Line Card 2 both
receive the packets from the User A, so they learn the MAC address for the User A simultaneously.

Table 1-4 Uniform MAC Address Learning: MAC Address Table

MAC address table (Line Card 1)

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 1/1

MAC address table (Line Card 2)

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 1/1

After receiving the packets from User A, User B sends reply packets to Line Card 1. Since Line Card 1 has already
learned the MAC address of User A, the packets are sent to the port of User A in unicast form and are not sent to
Line Card 2.

Figure 1-4 MAC Address Forward Process 2

Because the reply packets from User B are forwarded to the port of User A through Line Card 1 only, the switch learns
the MAC address of User B on Line Card 1 only; it cannot be learned on Line Card 2.

Table 1-5 MAC Address Learning: MAC Address Table 2

MAC address table (Line Card 1)

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 1/1
Dynamic   1     00d0.f864.c9b6  GigabitEthernet 1/2

MAC address table (Line Card 2)

Status    VLAN  MAC address     Interface
Dynamic   1     00d0.f8a6.5af7  GigabitEthernet 1/1

Figure1-5 MAC address Learning: Unicast and Multicast Packets Forward

When the User C under the Line Card 2 sends a packet to the User A, since the Line Card 2 has learned the MAC
address for the User A, the packet will be forwarded to the User A in the unicast form.

When User C under Line Card 2 sends a packet to User B, since Line Card 2 has not learned the MAC address of
User B, the packet is forwarded in broadcast form. At this time, User D, which is in the same VLAN as User C, also
receives the packet. After the packet reaches Line Card 1, it is forwarded to User B in unicast form.

Limit of Dynamic Addresses for a VLAN


The capacity of the MAC address table on the Ethernet switch is limited and shared by all VLANs. A large number of
dynamic addresses in one VLAN could occupy the whole MAC address table, prevent other VLANs from learning dynamic
addresses, and force packets in those VLANs to be forwarded in broadcast form. To prevent this, the switch provides a
limit on dynamic addresses per VLAN: the user can configure the upper limit of dynamic addresses learned in each
VLAN.

For a VLAN with a dynamic address limit configured, only the specified number of MAC addresses can be learned. MAC
addresses that exceed the upper limit are not learned, and packets destined to those MAC addresses are forwarded in
broadcast form.

If the upper limit of dynamic addresses configured for a VLAN is less than the number of dynamic addresses
already learned in that VLAN, the Ethernet switch stops learning addresses in the VLAN and resumes only
when the number of addresses falls below the upper limit through aging or deletion. MAC address
duplication, which copies a MAC address into the MAC address entry of a specified VLAN, is not subject to the
limit on dynamic MAC addresses learned in that VLAN.

Static Address
A static address is a manually configured MAC address. A static address is the same as a dynamic address in terms of
function. However, you can only manually add and delete a static address rather than learn and age out a static address.
A static address is stored in the configuration file and will not be lost even if the device restarts.

By configuring the static address manually, you can bind the MAC address for the network device with the interface in the
MAC address table.

Filtering Address
A filtering address is a manually configured MAC address. When the device receives packets from a filtering address, it
discards them directly. You can only manually add and delete a filtering address; it is never aged out. A filtering
address is stored in the configuration file and is not lost even if the device restarts.

If you want the device to filter some invalid users, you can specify their source MAC addresses as filtering addresses.
Consequently, these invalid users cannot communicate with outside through the device.

A filtering address does not apply to packets sent to the CPU. For example, if the L2 source MAC address of an
ARP packet is a filtering address, the ARP packet can still be sent to the CPU, but it is not forwarded.
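The learning, aging, per-VLAN limit, static and filtering behaviour described in the preceding subsections can be checked against a small model. The following Python model is an added example, not RGOS code: the MAC addresses of User A and User B are the ones used in Figures 1-1 and 1-2, the port names, timestamps, table capacity and VLAN limit are constructed for illustration, and the rule that a frame whose destination sits on its ingress port is discarded is standard bridging behaviour assumed here rather than taken from this guide.

```python
# Added example (not RGOS code): a VLAN-scoped MAC address table with dynamic
# learning, aging, a per-VLAN dynamic-address limit, static and filtering entries.
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


@dataclass
class Entry:
    state: str        # "dynamic", "static" or "filtering"
    interface: str    # egress port; None for filtering entries
    last_seen: float  # last time a frame from this source was seen (dynamic only)


class MacTable:
    def __init__(self, aging_time=300, capacity=8192):
        self.aging_time = aging_time   # seconds; 0 disables aging, as on RGOS
        self.capacity = capacity       # constructed table size
        self.entries = {}              # (vlan, mac) -> Entry: each VLAN has its own view
        self.vlan_limit = {}           # vlan -> upper limit of dynamic addresses

    def set_vlan_limit(self, vlan, limit):
        self.vlan_limit[vlan] = limit

    def add_static(self, vlan, mac, interface):
        self.entries[(vlan, mac)] = Entry("static", interface, 0.0)

    def add_filtering(self, vlan, mac):
        self.entries[(vlan, mac)] = Entry("filtering", None, 0.0)

    def dynamic_count(self, vlan):
        return sum(1 for (v, _), e in self.entries.items()
                   if v == vlan and e.state == "dynamic")

    def age(self, now):
        """Drop dynamic entries idle for at least aging_time; static and
        filtering entries are never aged."""
        if self.aging_time == 0:
            return
        stale = [k for k, e in self.entries.items()
                 if e.state == "dynamic" and now - e.last_seen >= self.aging_time]
        for k in stale:
            del self.entries[k]

    def _learn(self, vlan, src, in_port, now):
        key = (vlan, src)
        entry = self.entries.get(key)
        if entry is not None:
            if entry.state == "dynamic":      # refresh: the station may have moved
                entry.interface, entry.last_seen = in_port, now
            return                            # manual entries are not overwritten
        limit = self.vlan_limit.get(vlan)
        if limit is not None and self.dynamic_count(vlan) >= limit:
            return                            # VLAN at its limit: address not learned
        if len(self.entries) >= self.capacity:
            return                            # whole table full
        self.entries[key] = Entry("dynamic", in_port, now)

    def forward(self, vlan, src, dst, in_port, vlan_ports, now):
        """Return the egress ports for a frame; an empty list means it is discarded."""
        self.age(now)
        src_entry = self.entries.get((vlan, src))
        dst_entry = self.entries.get((vlan, dst))
        if (src_entry and src_entry.state == "filtering") or \
           (dst_entry and dst_entry.state == "filtering"):
            return []                         # frames to or from a filtering address are dropped
        self._learn(vlan, src, in_port, now)
        if dst == BROADCAST or dst_entry is None:
            return [p for p in vlan_ports if p != in_port]   # flood within the VLAN
        if dst_entry.interface == in_port:
            return []                         # destination on the ingress segment (assumed, standard bridging)
        return [dst_entry.interface]          # known unicast


def replay_figures_1_1_and_1_2():
    """Replay the two learning steps of Figures 1-1 and 1-2 with the guide's
    MAC addresses, then show the effect of aging (timestamps are constructed)."""
    ports = ["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"]
    table = MacTable(aging_time=300)
    user_a, user_b = "00d0.f8a6.5af7", "00d0.f8a4.e9b6"
    return {
        "step1": table.forward(1, user_a, user_b, "Gi0/2", ports, now=0),    # B unknown: flooded
        "step2": table.forward(1, user_b, user_a, "Gi0/3", ports, now=1),    # A known: unicast
        "step3": table.forward(1, user_a, user_b, "Gi0/2", ports, now=2),    # B known: unicast
        "after_aging": table.forward(1, user_a, user_b, "Gi0/2", ports, now=310),  # both aged out
    }
```

The fourth call shows why the aging time matters operationally: after 300 idle seconds both entries are gone, so the first frame is flooded again exactly as in step 1, and the same model reproduces the VLAN-scoping rule (an address learned in VLAN 1 is unknown in VLAN 2) and the "not learned once the VLAN limit is reached" rule from the Limit of Dynamic Addresses subsection.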

MAC Address Change Notification


The MAC address notification function is an effective way to let you know user changes for the devices in a network.

Figure 1-6 MAC address Change Notification

After the MAC address change notification is enabled, the MAC address change notification information is generated and
sent in the SNMP Trap message form to the specified NMS when the switch learns a new MAC address or ages out a
learned MAC address.

The notification about adding a MAC address tells you that a newcomer (identified by the MAC address) is using the
device. The notification about deleting a MAC address (issued when the user has not communicated with the device
within the aging time) tells you that a user no longer uses the device.

When many users use the device, a large number of MAC address changes may occur in a short time (for example, when
the device is powered on), generating additional network traffic. To reduce the load on the network, you can set the
interval at which MAC address notifications are sent. All notifications generated within the interval are bundled into
one SNMP Trap message, so a single message carries multiple MAC address changes and network traffic is reduced
significantly.

When a MAC address change notification is generated, it will be recorded in the MAC address notification history list.
Then even though the NMS has not been specified to receive the SNMP Trap message, the administrator can view the
information about address change by checking the MAC address notification history list.

MAC address change notification is effective only for dynamic addresses, not for static addresses and
filtering addresses.
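The bundling and history behaviour just described (one trap per interval, a bounded history list, per-interface added/removed switches, dynamic addresses only) can be checked against a small model. The following Python class is an added example, not RGOS code: the MAC addresses are taken from the show output in this chapter, the interval, history size and timestamps are constructed, and the method names are this example's own rather than RGOS commands.

```python
# Added example (not RGOS code): MAC change notifications bundled per interval
# into one trap, with a bounded history list and per-interface added/removed switches.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MacChange:
    op: str          # "Added" or "Removed"
    vlan: int
    mac: str
    interface: str


class MacNotifier:
    def __init__(self, interval=1, history_size=50):
        # Ranges as documented for mac-address-table notification.
        if not 1 <= interval <= 3600:
            raise ValueError("interval must be 1..3600 seconds")
        if not 1 <= history_size <= 200:
            raise ValueError("history-size must be 1..200")
        self.interval = interval
        self.history = deque(maxlen=history_size)   # oldest records fall off
        self.port_traps = {}        # interface -> set of enabled kinds {"added", "removed"}
        self.pending = []           # changes collected in the current interval
        self.window_start = None
        self.next_index = 1

    def enable(self, interface, kind):
        """Model of 'snmp trap mac-notification {added|removed}' on an interface."""
        self.port_traps.setdefault(interface, set()).add(kind)

    def record(self, change, now, entry_state="dynamic"):
        """Register a learned or aged address. Static and filtering entries never
        notify, and neither do interfaces where that notification kind is off."""
        if entry_state != "dynamic":
            return
        if change.op.lower() not in self.port_traps.get(change.interface, ()):
            return
        if self.window_start is None:
            self.window_start = now
        self.pending.append(change)

    def flush(self, now):
        """Emit one bundled trap once the interval has elapsed, else None."""
        if not self.pending or now - self.window_start < self.interval:
            return None
        trap = {"index": self.next_index, "timestamp": now, "changes": list(self.pending)}
        self.history.append(trap)   # the history list keeps at most history_size traps
        self.next_index += 1
        self.pending.clear()
        self.window_start = None
        return trap


def simulate():
    """Constructed scenario: interval 40 s, history size 2, Gi0/1 notifies both ways."""
    n = MacNotifier(interval=40, history_size=2)
    n.enable("Gi0/1", "added")
    n.enable("Gi0/1", "removed")
    n.record(MacChange("Added", 1, "00d0.f808.3cc9", "Gi0/1"), now=0)
    n.record(MacChange("Removed", 1, "00d0.f808.0c0c", "Gi0/1"), now=10)
    n.record(MacChange("Added", 1, "00d0.f80d.1083", "Gi0/2"), now=20)   # Gi0/2: no trap enabled
    n.record(MacChange("Added", 1, "00d0.f800.073c", "Gi0/1"), now=20, entry_state="static")
    early = n.flush(now=30)          # interval not yet elapsed: nothing sent
    first = n.flush(now=40)          # one trap carrying the two Gi0/1 changes
    for t in (100, 200):             # two more intervals, enough to overflow history_size
        n.record(MacChange("Added", 1, f"00d0.f8aa.{t:04x}", "Gi0/1"), now=t)
        n.flush(now=t + 40)
    return early, first, [trap["index"] for trap in n.history]
```

The point of the model is the trade-off the guide describes: a longer interval means fewer traps on the wire but a longer delay before an NMS learns that a station appeared or disappeared, and a small history size means older changes are only visible in the traps the NMS already collected.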

IP address and MAC address Binding


Overview

IP address and MAC address binding lets you filter packets. After you bind an IP address to a MAC address, the switch
accepts only IP packets whose source IP address and MAC address match the binding; other packets are discarded.

By using IP address and MAC address binding, you can check the legitimacy of input sources. Note that this function
takes precedence over 802.1X, port-based security and ACLs.

Address Binding Mode

The address binding mode can be one of three modes: compatible, loose and strict. By default, the address binding mode
is strict. The following table lists the corresponding forwarding rules:

Mode        IPv4 packet forwarding rule                   IPv6 packet forwarding rule
Strict      Packets with a bound IPv4+MAC are forwarded.  No IPv6 packet is forwarded.
Loose       Packets with a bound IPv4+MAC are forwarded.  All IPv6 packets are forwarded.
Compatible  Packets with a bound IPv4+MAC are forwarded.  IPv6 packets whose source MAC address is bound are forwarded.
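The rules in this table, together with the exceptional-port exemption described under Exceptional Ports for the Address Binding, reduce to one decision function. The following Python code is an added example, not RGOS code: the binding, the port names, the packets and the field names are constructed for illustration.

```python
# Added example (not RGOS code): forwarding decision of the three IP+MAC binding
# modes, with exceptional ports exempted from the check.
from dataclasses import dataclass

MODES = ("strict", "loose", "compatible")


@dataclass(frozen=True)
class Packet:
    in_port: str
    family: str    # "ipv4" or "ipv6"
    src_ip: str
    src_mac: str


def binding_allows(mode, pkt, bindings, exceptional_ports=frozenset()):
    """bindings maps a bound IPv4 source address to the MAC it is bound with.
    Returns True when the packet is forwarded, False when it is discarded."""
    if mode not in MODES:
        raise ValueError(f"unknown address binding mode: {mode}")
    if pkt.in_port in exceptional_ports:
        return True                     # binding not checked on exceptional (e.g. uplink) ports
    if pkt.family == "ipv4":
        # All three modes forward IPv4 only when source IP and MAC match a binding.
        return bindings.get(pkt.src_ip) == pkt.src_mac
    if pkt.family == "ipv6":
        if mode == "strict":
            return False                # no IPv6 packet is forwarded
        if mode == "loose":
            return True                 # all IPv6 packets are forwarded
        return pkt.src_mac in set(bindings.values())   # compatible: bound source MAC only
    raise ValueError(f"unknown address family: {pkt.family}")


def decision_matrix(bindings, packets, exceptional_ports=frozenset()):
    """Evaluate every packet under every mode; returns {mode: [forwarded?, ...]}."""
    return {mode: [binding_allows(mode, p, bindings, exceptional_ports) for p in packets]
            for mode in MODES}


# Constructed sample: one binding and five packets that exercise each rule.
SAMPLE_BINDINGS = {"192.168.12.10": "00d0.f8a6.5af7"}
SAMPLE_PACKETS = [
    Packet("Gi0/1", "ipv4", "192.168.12.10", "00d0.f8a6.5af7"),  # matches the binding
    Packet("Gi0/1", "ipv4", "192.168.12.10", "00d0.f8a4.e9b6"),  # bound IP, wrong MAC
    Packet("Gi0/1", "ipv6", "fe80::1", "00d0.f8a6.5af7"),        # IPv6 from a bound MAC
    Packet("Gi0/1", "ipv6", "fe80::2", "00d0.f8a4.e9b6"),        # IPv6 from an unbound MAC
    Packet("Gi0/24", "ipv4", "10.0.0.1", "0000.5e00.010c"),      # arrives on the uplink port
]
```

Running decision_matrix with Gi0/24 declared exceptional makes the two practical consequences visible: an IPv6-only host is cut off entirely in strict mode unless the port is exceptional, and unbound IPv4 sources are dropped in every mode.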

Exceptional Ports for the Address Binding

By default, the IP address and MAC address binding function is effective on all ports. You can configure the exceptional
ports to make this address binding function ineffective on some ports.

Because the binding relationship on the uplink port is uncertain, generally the uplink port is configured as the
exceptional port. It is not necessary to check the IP address and MAC address binding on the uplink port.

Related Protocols

IEEE Std 802.3 Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer
specifications

IEEE Std 802.1Q Virtual Bridged Local Area Networks

Default MAC Address Table Configuration

Function                           Default
Dynamic address aging time         300 seconds
MAC address learning on a port     Enabled
Limit of VLAN dynamic addresses    Disabled
MAC address change notification    Disabled

Clearing Dynamic Addresses

Command Function
Ruijie#clear mac-address-table dynamic
    Clear all dynamic addresses.
Ruijie#clear mac-address-table dynamic address mac-address vlan vlan-id
    Clear the specified MAC address.
    mac-address: the MAC address to be cleared.
    vlan-id: the VLAN to which the MAC address to be cleared belongs.
Ruijie#clear mac-address-table dynamic interface interface-id [ vlan vlan-id ]
    Clear all dynamic addresses on the specified port or Aggregate Port, or clear all dynamic addresses on all
    interfaces.
    interface-id: the specified port or Aggregate Port;
    vlan-id: the VLAN to which the dynamic addresses to be cleared belong.
Ruijie#clear mac-address-table dynamic vlan vlan-id
    Clear all dynamic addresses in the specified VLAN.
    vlan-id: the VLAN whose dynamic addresses are to be cleared.

The following example shows how to clear all dynamic addresses in VLAN 1 on interface GigabitEthernet 0/1:

Ruijie#clear mac-address-table dynamic interface GigabitEthernet 0/1 vlan 1

Viewing Configurations

Command Function
Ruijie# show mac-address-table dynamic
    Show all dynamic addresses.
Ruijie# show mac-address-table dynamic address mac-address [ vlan vlan-id ]
    Show the specified dynamic MAC address.
    mac-address: the specified MAC address.
    vlan-id: the VLAN to which the MAC address belongs.
Ruijie# show mac-address-table dynamic interface interface-id [ vlan vlan-id ]
    Show all dynamic addresses on the specified port or Aggregate Port.
    interface-id: the specified port or Aggregate Port;
    vlan-id: the VLAN to which the dynamic addresses belong.
Ruijie# show mac-address-table dynamic vlan vlan-id
    Show all dynamic addresses in the specified VLAN.
    vlan-id: the VLAN whose dynamic addresses are shown.
Ruijie# show mac-address-table count [ interface interface-id | vlan vlan-id ]
    Show the statistics of the MAC address table.
    interface-id: show address entry statistics of the specified interface.
    vlan-id: show address entry statistics of the specified VLAN.

The following example shows all dynamic MAC addresses in VLAN 1 on interface GigabitEthernet 0/1:

Ruijie#show mac-address-table dynamic interface gigabitEthernet 0/1 vlan 1

Vlan       MAC Address          Type     Interface
---------- -------------------- -------- -------------------
1          0000.5e00.010c       DYNAMIC  GigabitEthernet 0/1
1          00d0.f822.33aa       DYNAMIC  GigabitEthernet 0/1
1          00d0.f822.a219       DYNAMIC  GigabitEthernet 0/1
1          00d0.f8a6.5af7       DYNAMIC  GigabitEthernet 0/1

The following example shows the statistics in the MAC address table:

Example 1: Show the number of entries of each type of MAC address.

Ruijie# show mac-address-table count


Dynamic Address Count : 30
Static Address Count : 0
Filtering Address Count: 0
Total Mac Addresses : 30
Total Mac Address Space Available: 8159

Example 2: Show the number of MAC addresses in VLAN 1.

Ruijie# show mac-address-table count vlan 1


Dynamic Address Count : 7
Static Address Count : 0
Filter Address Count : 0
Total Mac Addresses : 7

Example 3: Show the number of MAC addresses on interface g0/1.

Ruijie# show mac-address-table count interface g0/1


Dynamic Address Count : 10
Static Address Count : 0
Filter Address Count : 0
Total Mac Addresses : 10

Setting the Address Aging Time

Setting the Aging Time


The following table shows how to set the aging time of address:

Command Function
Ruijie(config)# mac-address-table aging-time [ 0 | 10-1000000 ]
    Set the time for which an address is kept in the dynamic MAC address table after it has been learned. The range is
    10 to 1000000 seconds, 300 seconds by default. When the aging time is set to 0, the address aging function is
    disabled and learned addresses are not aged out.
Ruijie(config)# no mac-address-table aging-time
    Restore the aging time to the default value.

The following example shows how to set the address aging time to 180 seconds:

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#mac-address-table aging-time 180

Viewing Configurations
Command Function
Ruijie#show mac-address-table aging-time
    Show the aging time of all addresses.

The following example shows how to view the address aging time configurations:

Ruijie#show mac-address-table aging-time


Aging time : 180 seconds

The actual aging time of the MAC address table may differ from the configured value, but it will not exceed
twice the configured value.

Setting the Static MAC Addresses

Adding and Removing the Static MAC Addresses


To add a static address, execute the following commands:

Command Function
Ruijie(config)# mac-address-table static mac-address vlan vlan-id interface interface-id
    mac-address: the destination MAC address to which the entry corresponds.
    vlan-id: the VLAN to which this address belongs.
    interface-id: the interface (physical port or Aggregate Port) to which the packets are forwarded.
    Upon receiving packets to this destination MAC address in the VLAN, the switch forwards them to the interface.
Ruijie(config)# no mac-address-table static mac-address vlan vlan-id interface interface-id
    Remove the static MAC address entry.

The following example shows how to configure the static address 00d0.f800.073c. When a packet to this address is
received in VLAN 4, it is forwarded to GigabitEthernet 0/3.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# mac-address-table static 00d0.f800.073c vlan 4 interface gigabitethernet 0/3

The following example shows how to remove the static address 00d0.f800.073c.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#no mac-address-table static 00d0.f800.073c vlan 4 interface gigabitethernet 0/3

Viewing Configurations

Command Function
Ruijie# show mac-address-table static
    Show the information of all static MAC addresses.

The following example shows how to view the information of all static MAC addresses:

Ruijie# show mac-address-table static

Vlan       MAC Address          Type     Interface
---------- -------------------- -------- -------------------
4          00d0.f800.073c       STATIC   GigabitEthernet 0/3

Setting the Filtering MAC Addresses

Adding and Removing the Filtering Addresses


To add a filtering address, execute the following command:

Command Function
Ruijie(config)# mac-address-table filtering mac-addr vlan vlan-id
    mac-addr: the MAC address to be filtered by the device.
    vlan-id: the VLAN to which this address belongs.
Ruijie(config)# no mac-address-table filtering mac-addr vlan vlan-id
    Remove the filtering MAC address entry.

The following example shows how to configure the filtering address 00d0.f800.073c. When a packet to or from this
address is received in VLAN 4, it will be discarded.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# mac-address-table filtering 00d0.f800.073c vlan 4

The following example shows how to remove the filtering address 00d0.f800.073c.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#no mac-address-table filtering 00d0.f800.073c vlan 4

Viewing Configurations

Command Function
Ruijie# show mac-address-table filtering
    Show the information of all filtering MAC addresses.

The following example shows how to view the information of all filtering MAC addresses:

Ruijie# show mac-address-table filtering

Vlan       MAC Address          Type     Interface
---------- -------------------- -------- -------------------
4          00d0.f800.073c       FILTER   GigabitEthernet 0/3

Setting MAC Address Change Notification

Setting MAC Address Change Notification


By default, the global switch of the MAC address change notification function is turned off, so the function is disabled
on all interfaces.

To configure the MAC address change notification function, execute the following command:

Command Function
Ruijie(config)# snmp-server host host-addr traps [ version { 1 | 2c | 3 [ auth | noauth | priv ] } ] community-string
    Configure the NMS that receives the MAC address change notification.
    host-addr: IP address of the receiver.
    version: version of the SNMP Trap message to be sent.
    community-string: authentication name carried in the SNMP Trap message.
Ruijie(config)# snmp-server enable traps
    Allow the switch to send SNMP Trap messages.
Ruijie(config)# mac-address-table notification
    Turn on the global switch of the MAC address change notification function.
Ruijie(config)# mac-address-table notification { interval value | history-size value }
    interval value: interval of generating MAC address change notifications (optional), in the range of 1 to 3600
    seconds, 1 second by default.
    history-size value: maximum number of records in the MAC notification history list, in the range of 1 to 200,
    50 by default.
Ruijie(config-if)# snmp trap mac-notification { added | removed }
    Enable the MAC address change notification on the interface.
    added: send a MAC address change notification when a MAC address is added on this interface.
    removed: send a MAC address change notification when a MAC address is removed from this interface.

To disable the MAC address change notification function, use the no snmp-server enable traps command in the global
configuration mode. To turn off the global switch of the MAC address change notification function, use the no
mac-address-table notification command. To disable the MAC address change notification function on a specified
interface, use the no snmp trap mac-notification {added | removed} command in the interface configuration mode.

This example shows how to enable the MAC address change notification function, use public as the authentication name
to send MAC address change notifications to the NMS at IP address 192.168.12.54 at an interval of 40 seconds, set the
size of the MAC address change history list to 100, and enable the MAC address change notification on
gigabitethernet 0/1 when a MAC address is added or removed.

Ruijie(config)# snmp-server host 192.168.12.54 traps public


Ruijie(config)# snmp-server enable traps
Ruijie(config)# mac-address-table notification
Ruijie(config)# mac-address-table notification interval 40
Ruijie(config)# mac-address-table notification history-size 100
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if)# snmp trap mac-notification added
Ruijie(config-if)# snmp trap mac-notification removed

Viewing the MAC Address change Notification Information

In the privileged EXEC mode, you can view the information on the MAC address table of the device by using the
commands listed in the following table:

Command Function
Ruijie# show mac-address-table notification
    Show the global configuration of the MAC address change notification function.
Ruijie# show mac-address-table notification interface
    Show the configuration of the MAC address change notification on each interface.
Ruijie# show mac-address-table notification history
    Show the history list of MAC address change notifications.

The following examples show how to view the MAC address change notification.

View the global configuration of the MAC address change notification:

Ruijie# show mac-address-table notification


MAC Notification Feature : Enabled
Interval(Sec): 2
Maximum History Size : 154
Current History Size : 2
Ruijie# show mac-address-table notification interface
Interface MAC Added Trap MAC Removed Trap
---------------- -------------- ----------------
Gi0/1 Disabled Enabled
Gi0/2 Disabled Disabled
Gi0/3 Enabled Enabled
Gi0/4 Disabled Disabled
Gi0/5 Disabled Disabled
Gi0/6 Disabled Disabled
Ruijie# show mac-address-table notification history
History Index:1
Entry Timestamp: 15091
MAC Changed Message :
Operation  VLAN  MAC Address     Interface
---------- ----  --------------  --------------------
Added      1     00d0.f808.3cc9  Gi0/1
Removed    1     00d0.f808.0c0c  Gi0/1
History Index:2
Entry Timestamp: 21891
MAC Changed Message :
Operation  VLAN  MAC Address     Interface
---------- ----  --------------  --------------------
Added      1     00d0.f80d.1083  Gi0/1

MAC Address Table Management Configuration Example

Configuring Static MAC Addresses


Topology Diagram

As Figure 1-7 shows, the database server connects to the Ethernet switch through interface GigabitEthernet 0/11, the
web server connects to the switch through interface GigabitEthernet 0/10, and the server administrator connects to
the switch through interface GigabitEthernet 0/12. Other users access the web server through interface
GigabitEthernet 0/5. All data are forwarded in VLAN 10.

Figure 1-7 Typical Configuration Topology

Application Requirements

Configuring static MAC addresses makes the data exchanged between the web server and the database server, and
between the administrator and the servers, be forwarded as unicast. This prevents that data from being flooded as
broadcast into the user network and protects the information exchanged between the web server and the database server,
and between the administrator and the servers.

Configuration Tips

The following three key points shall be ensured when configuring the static MAC address entries:

 Specify the destination MAC address in the entry.

 Specify the VLAN to which this address belongs.

 Specify the interface ID.

Upon receiving the packets to the destination MAC address in the VLAN, the switch will forward them to the specified
interface.

The following table shows the corresponding relationship among the MAC address, VLAN ID and interface ID in this
configuration example.

Role MAC Address VLAN ID Interface ID


Web server 00d0.3232.0001 VLAN2 Gi 0/10
Database server 00d0.3232.0002 VLAN2 Gi 0/11
Network administrator 00d0.3232.1000 VLAN2 Gi 0/12

Configuration Steps

! Enter global configuration mode.

Ruijie>en
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

! Add the static MAC addresses (specify the VLAN and interface to which each address belongs).

Ruijie(config)#mac-address-table static 00d0.3232.0001 vlan 10 interface gigabitEthernet 0/10
Ruijie(config)#mac-address-table static 00d0.3232.0002 vlan 10 interface gigabitEthernet 0/11
Ruijie(config)#mac-address-table static 00d0.3232.1000 vlan 10 interface gigabitEthernet 0/12


Verifications

Display the configured static MAC addresses.

Ruijie#show mac-address-table static

Vlan MAC Address Type Interface
---------- -------------------- -------- -------------------
10 00d0.3232.0001 STATIC GigabitEthernet 0/10
10 00d0.3232.0002 STATIC GigabitEthernet 0/11
10 00d0.3232.1000 STATIC GigabitEthernet 0/12

Configuring Dynamic MAC Addresses Change Notification


Topological Diagram

As Figure 1-8 shows, the users connect to the switch through the interface GigabitEthernet 0/2.

Figure 1-8 Typical Configuration Topology



Application Requirements

In order to facilitate network access management for an administrator, the following requirements are expected through
the configuration:

 When a new MAC address is learned, or a learned MAC address ages out, on the interface connected to the users, the
switch records the address change in the MAC address notification history list, so that the administrator can view
the address changes by checking the MAC address notification history list.
 Meanwhile, the MAC address change notification is sent as an SNMP Trap message to the specified NMS.
 When many users are connected to the device, avoid generating a large number of MAC address change notifications
in a short period of time, to reduce the network burden.

Configuration Tips

 Enable the MAC address change notification function globally, and configure the MAC address change notification
on the interface Gi 0/2.
 Configure the NMS host address, and enable the switch to actively send the SNMP Trap notification. The route from
the switch to the NMS (Network Management Station) should be reachable.
 Set the interval of sending the MAC address change notification to 300 seconds (the default interval is 1 second). All
the notification messages within the interval time will be bundled in one SNMP Trap message. So one notification
message includes multiple MAC address changes, reducing network traffic significantly.

Configuration Steps

The IP address of the device is shown in the figure above.

Step1: Enable the global MAC address change notification function on the switch.

Ruijie>enable
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Ruijie(config)#mac-address-table notification

Step2: Set the interval of sending MAC address change notification to 30 seconds.

Ruijie(config)#mac-address-table notification interval 30

Step3: Enable the MAC address change notification function on the interface Gi 0/2.

! Enter Gi 0/2 interface configuration mode.

Ruijie(config)#interface gigabitEthernet 0/2

! Enable the device to send notification when an address is added on this interface.

Ruijie(config-if-GigabitEthernet 0/2)# snmp trap mac-notification added

! Enable the device to send notification when an address is deleted on this interface.

Ruijie(config-if-GigabitEthernet 0/2)# snmp trap mac-notification removed


Ruijie(config-if-GigabitEthernet 0/2)#exit

Step4: Configure the NMS which receives the MAC address change notification, with IP address being 192.168.1.10,
message format being Version 2c and authentication name being comefrom2.

Ruijie(config)#snmp-server host 192.168.1.10 traps version 2c comefrom2

Step5: Enable the device to actively send the Trap message.

Ruijie(config)# snmp-server enable traps

Verifications

Step1: Display the global configuration of MAC address change notification.

Ruijie#show mac-address-table notification


MAC Notification Feature : Enabled
Interval(Sec): 300
Maximum History Size : 50
Current History Size : 0

Step2: Display the status of MAC address change notification function on the interface.

Ruijie#show mac-address-table notification interface gigabitEthernet 0/2


Interface MAC Added Trap MAC Removed Trap
----------- -------------- --------------
GigabitEthernet 0/2 Enabled Enabled

Step3: Display the MAC address table of the interface.

Ruijie#show mac-address-table interface gigabitEthernet 0/2


Vlan MAC Address Type Interface
---------- -------------------- -------- -------------------
1 00d0.3232.0001 DYNAMIC GigabitEthernet 0/2
1 00d0.3232.0002 DYNAMIC GigabitEthernet 0/2
1 00d0.3232.0003 DYNAMIC GigabitEthernet 0/2

Step4: Verify the configuration.

Use the clear mac-address-table dynamic address 00d0.3232.0003 command to simulate the address aging.

! Display the global configuration of MAC address change notification function.

Ruijie#show mac-address-table notification


MAC Notification Feature : Enabled
Interval (Sec): 30
Maximum History Size: 50
Current History Size: 1

! Display the MAC address change notification history list.

Ruijie#show mac-address-table notification history


History Index : 0
Entry Timestamp: 221683
MAC Changed Message :
Operation:DEL Vlan:1 MAC Addr: 00d0.3232.0003 GigabitEthernet 0/2
Configuration Guide Configuring VLAN

Configuring VLAN

This chapter describes how to configure IEEE 802.1Q VLANs.

Overview

A Virtual Local Area Network (VLAN) is a logical network divided on a physical network. A VLAN corresponds to the L2
network in the OSI model. The division of VLANs is not restricted by the physical locations of network ports. A VLAN has
the same attributes as a common physical network. Except for the absence of physical-location restrictions, layer 2
unicast, broadcast and multicast frames are forwarded and distributed within a VLAN and are not allowed to go directly to
other VLANs. Therefore, when a host in one VLAN wants to communicate with a host in another VLAN, a layer 3 device
must be used, as shown in the following diagram.

You can define a port as the member of a VLAN. All the terminals connected to the specified port are part of the VLAN. A
network can support multiple VLANs. In this case, when you add, delete, and modify users in the VLANs, you do not need
to modify the network configuration physically.

Like a physical network, a VLAN is usually connected to an IP subnet. A typical example is that all the hosts in the same
IP subnet belong to the same VLAN. A layer 3 device must be used for communication between VLANs. Ruijie L3 devices
can perform IP routing between VLANs through SVI (Switch Virtual Interfaces). For the configuration about SVI, refer to
Interface Management Configuration and IP Unicast Routing Configuration.

Supported VLAN
Complying with the IEEE 802.1Q standard, our products support up to 4094 VLANs (VLAN ID 1-4094), in which VLAN 1 is
the default VLAN that cannot be deleted.

VLAN Member Type


You can determine the frames that can pass through a port and the number of VLANs that the port can belong to by
configuring the VLAN member type of the port. For a detailed description of VLAN member types, see the following table:

Member Type Port Feature
Access One access port can belong to only one VLAN, which must be specified manually.
Trunk (802.1Q) By default, one Trunk port belongs to all the VLANs of the device itself, and it can forward the frames of all the VLANs. However, you can impose restrictions by setting a list of allowed VLANs.

Configuring a VLAN

A VLAN is identified by its VLAN ID. You can add, remove, and modify the VLANs in the range of 2 to 4094 on a device.
VLAN 1 is created by a device automatically and cannot be removed.

You can configure the member type of a port in a VLAN, add a port to a VLAN, and remove a port from a VLAN in the
interface configuration mode.

Saving the VLAN Configuration


To save the VLAN configuration in the configuration file, execute the copy running-config startup-config command in
the privileged EXEC mode. To view VLAN configuration, execute the show vlan command.

Default VLAN Configuration


The following table shows the default configuration of a VLAN.

Parameter Default Value


VLAN ID 1
VLAN Name VLAN xxxx, where xxxx is the VLAN ID
VLAN State Active

Creating/Modifying VLAN
In the privileged EXEC mode, you can create or modify a VLAN by executing the following commands.

Command Function
Ruijie(config)# vlan vlan-id Enter a VLAN ID. If you enter a new VLAN ID, the device creates it. If you enter an existing VLAN ID, the device modifies the corresponding VLAN.
Ruijie(config-vlan)# name vlan-name (Optional) Name the VLAN. If you skip this step, the device automatically assigns the VLAN a name of VLAN xxxx, where xxxx is the 4-digit VLAN ID padded with leading zeros. For example, VLAN 0004 is the default name of VLAN 4.

To restore the name of a VLAN to its default, simply enter the no name/default name command.

The following example creates VLAN 888, names it test888, and saves its configuration into the configuration file:

Ruijie# configure terminal


Ruijie(config)# vlan 888
Ruijie(config-vlan)# name test888
Ruijie(config-vlan)# end

Deleting VLAN
You cannot delete the default VLAN (VLAN 1). The default VLAN is a static VLAN.

In the global configuration mode, you can delete a VLAN by executing the following command.

Command Function
Ruijie(config)# no vlan { vlan-id | range vlan-range } Enter the VLAN ID that you want to delete.
Ruijie(config)# default vlan { vlan-id | range vlan-range } Enter the VLAN ID that you want to delete.
Configuration Guide Configuring VLAN Group

Configuring VLAN Group

Understanding VLAN Groups

Overview
A VLAN group containing multiple VLANs can be associated with a wireless LAN (WLAN) to form a mapping between one
WLAN and N VLANs, so that VLANs can be flexibly assigned to STAs that access the WLAN. VLANs are assigned in
one of two modes:

 The authentication server assigns VLANs to STAs that pass 802.1x authentication.

 VLANs are assigned to STAs based on the availability of the DHCP server address pool for each VLAN.

The VLAN group function is used in the following network topology:



In the figure above, multiple STAs access the same WLAN. VLANs in the VLAN group associated with the
WLAN are assigned to the STAs. The STAs in the same WLAN can be assigned with the same or different
VLANs.
To better understand the subsequent configuration process, learn about the following concepts:

VLAN Group
VLAN group: You can add multiple VLANs to one VLAN group. When STAs access a WLAN, VLANs in the VLAN group
associated with the WLAN are assigned to the STAs.

VLAN Assignment Mode


VLAN assignment mode: VLANs in each VLAN group are assigned either by the 802.1x authentication server or based on
the availability of the DHCP server address pool.

Working Principle
The process of assigning VLANs through 802.1x is as follows:

Before a user passes authentication, the VLAN that belongs to the user is the default VLAN of the VLAN group associated
with the current WLAN.

After the STA in the default VLAN is authenticated, the authentication server assigns a VLAN to the STA.

If the authentication server assigns a VLAN, packets sent by the STA are transmitted over the VLAN.

If the authentication server does not assign a VLAN to the STA, the packets from the STA are transmitted over the default
VLAN.

The process of assigning VLANs based on the VLAN assignment state of the address pool on the DHCP server is as
follows:

The device checks and records the VLAN assignment state of the DHCP server corresponding to each VLAN in a VLAN
group. If an STA sends multiple consecutive DHCP requests for a VLAN but receives no response, the device records the
VLAN assignment state of the DHCP server as not assignable.

When an STA accesses the WLAN, the device checks whether the VLAN assignment state of the DHCP servers
corresponding to VLANs in the VLAN group is assignable.

If such a VLAN exists, the device assigns one of those VLANs randomly to the STA. The STA then requests an IP address
from the DHCP server corresponding to that VLAN. After obtaining the IP address, the STA sends packets over the VLAN.

If there is no such VLAN, the device records the VLAN assignment state of the DHCP servers corresponding to all VLANs
in the VLAN group as not assignable.
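The two assignment procedures above, modelled as an added example (this guide's editor's illustration, not Ruijie code). The class and method names are assumptions, as is the threshold of three unanswered DHCP requests, since the text only says "multiple consecutive"; the 802.1x path returns the group's default VLAN until the STA is authenticated and then the VLAN the server returned, and the DHCP path picks a random assignable VLAN and marks the whole group not assignable once no candidate is left.

```python
import random


class VlanGroup:
    """Model of a VLAN group with the two assignment modes described above.

    Constructed for illustration; names and the unanswered-request threshold are
    assumptions, since the guide only says "multiple consecutive DHCP requests".
    """

    MODES = ("dot1x", "dhcp-server-state")

    def __init__(self, group_id, vlans, mode, default_vlan=None, max_unanswered=3):
        if mode not in self.MODES:
            raise ValueError("unknown VLAN assignment mode: %r" % (mode,))
        self.group_id = group_id
        self.vlans = list(vlans)
        self.mode = mode
        self.default_vlan = default_vlan
        self.max_unanswered = max_unanswered
        # Per-VLAN record of the DHCP server's assignment state.
        self.unanswered = {v: 0 for v in self.vlans}
        self.assignable = {v: True for v in self.vlans}

    def assign_dot1x(self, authenticated, server_vlan=None):
        """802.1x mode: default VLAN until authenticated, then the server's VLAN
        if it returned one, otherwise the default VLAN."""
        if not authenticated or server_vlan is None:
            return self.default_vlan
        if server_vlan not in self.vlans:
            # Assumption: a VLAN outside the group is treated as no assignment.
            return self.default_vlan
        return server_vlan

    def assign_dhcp(self, rng=random):
        """DHCP-state mode: pick one assignable VLAN at random; if none is left,
        mark every VLAN in the group as not assignable and return None."""
        candidates = [v for v in self.vlans if self.assignable[v]]
        if not candidates:
            for v in self.vlans:
                self.assignable[v] = False
            return None
        return rng.choice(candidates)

    def record_dhcp_result(self, vlan, answered):
        """Update the recorded DHCP server state after a request on `vlan`:
        an answer resets the counter, too many unanswered requests in a row
        mark the VLAN as not assignable."""
        if answered:
            self.unanswered[vlan] = 0
            self.assignable[vlan] = True
        else:
            self.unanswered[vlan] += 1
            if self.unanswered[vlan] >= self.max_unanswered:
                self.assignable[vlan] = False
```

With a group of VLANs 10, 20 and 30 whose default VLAN is 30, an unauthenticated STA lands in VLAN 30 and an authenticated one in whatever VLAN the server returns; in DHCP-state mode, three unanswered requests on a VLAN remove it from the candidate set until a DHCP reply is seen on it again.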

Protocol Specification
None

Default Configuration

The default VLAN group configuration is shown in the following table.

Feature Default Setting


VLAN group No VLAN group is created.
VLAN assignment mode VLAN assignment mode is unspecified and must be
manually configured.
Default VLAN in the VLAN group to be assigned VLAN assignment mode is unspecified and must be
manually configured.
List of the VLANs in the VLAN group The VLAN group has no VLAN. VLANs must be manually
added.
VLAN group associated with a WLAN The WLAN is not associated with any VLAN group.

Configuring a VLAN Group

Use the following commands to create a VLAN group and associate it with a WLAN: (For details about these commands,
refer to command reference.)

Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# vlan-group group-id Creates a VLAN group and enters VLAN group configuration mode.
Ruijie(config-vlan-group)# vlan-assign-mode dot1x Configures the VLAN assignment mode for the VLAN group. dot1x: Indicates that the authentication server assigns VLANs to users that pass 802.1x authentication.
Ruijie(config-vlan-group)# vlan-list vlan-list Configures the list of VLANs in the VLAN group. vlan-list: Specifies a VLAN list for the VLAN group. A VLAN group includes up to 128 VLANs.

No VLAN group is configured by default.

The example below creates VLAN group 100, specifies the 802.1x-based VLAN assignment mode, adds VLANs 1-10 to
the VLAN group, and configures VLAN 1 as the default VLAN:

Ruijie(config)# vlan-group 100


Ruijie(config-vlan-group)# vlan-assign-mode dot1x
Ruijie(config-vlan-group)# vlan-list 1-10
Ruijie(config-vlan-group)# default-vlan 1
Ruijie(config-vlan-group)# end

You can create a maximum of 128 VLAN groups.


You can add a maximum of 32 VLANs to a VLAN group.

Mapping a WLAN to a VLAN Group

On an AP, use the following commands to map a WLAN to a VLAN group: (For details about these commands, refer to
command reference.)

Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# dot11 wlan wlan-id Creates a WLAN and enters WLAN configuration mode.
Ruijie(dot11-wlan-config)# vlan-group group-id Maps the WLAN to the VLAN group.
Ruijie(dot11-wlan-config)# end Exits WLAN configuration mode.
Ruijie(config)# interface interface-name Enters WLAN sub-interface configuration mode.
Ruijie(config-subif)# encapsulation dot1Q [group] {vlan-id | vlan-group-id} Configures VLAN group encapsulation for the sub-interface. vlan-id: Specifies a VLAN ID. vlan-group-id: Specifies a VLAN group ID. The range is from 1 to 128.
Ruijie(config-subif)# end Exits sub-interface configuration mode.

The example below maps WLAN 100 to VLAN group 10 on a fat AP:

Ruijie(config)# dot11 wlan 100
Ruijie(dot11-wlan-config)# vlan-group 10
Ruijie(dot11-wlan-config)# end
Ruijie(config)# interface dot11radio 1/0.1
Ruijie(config-subif)# encapsulation dot1Q group 10
Ruijie(config-subif)# end
Ruijie(config)# interface dot11radio 1/0
Ruijie(config-if-Dot11radio 1/0)# wlan-id 100

On an AC, use the following commands to map a WLAN to a VLAN group.

Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# ap-group group-name Creates an AP group and enters AP group configuration mode.
Ruijie(config-ap-group)# interface-mapping wlan-id group group-id Maps the WLAN to the VLAN group.
Ruijie(config-ap-group)# end Exits AP group configuration mode.

The example below maps WLAN 100 to VLAN group 100 for the AP group default on an AC:

Ruijie(config)# ap-group default


Ruijie(config-ap-group)# interface-mapping 100 vlan-group 100

Displaying VLAN Group Configuration

In privileged EXEC mode, use the following command to display VLAN group configuration.

Command Function
Ruijie# show vlan-group [ group-id ] Displays configuration information about a specific VLAN group or all VLAN groups.

The example below displays configuration information about all VLAN groups.

Ruijie# show vlan-group


VLAN-Group ID Default-VLAN Assign-Mode VLAN-List
------------- ------------ ----------------- ---------------------------------------
100 10 dhcp-server-state 1-10,21-30,51-70
120 NA dot1x 110-130,141-150

Typical WLAN-VLAN Mapping Configuration Examples

Examples for Configuring the 802.1x-Based VLAN Assignment Mode


Networking Requirements

In a WLAN, users are classified into leaders, staff, and visitors. They can access the device through the same WLAN but
with different access rights.

Network Topology

The network topology above is deployed as follows:

 Add VLANs 10, 20, and 30 to VLAN group 100.

 Map WLAN 1 to VLAN group 100. When an STA accesses WLAN 1, the authentication server authenticates the STA
through 802.1x. If the STA passes the authentication, the authentication server assigns VLAN 10 to leaders, VLAN
20 to staff, and VLAN 30 to visitors.

Key Points

 Map a WLAN to a VLAN group to form mapping between a WLAN and N VLANs. Assign different VLANs to the
STAs in the same WLAN.

 Configure 802.1x-based authentication for WLAN 1. Assign different VLANs to STAs in different WLANs.

Configuration Procedure

(1) Configure AP 1 and AP 2.

APs use the default thin AP plus aggregate forwarding mode. They are uniformly configured by the AC.

(2) Configure the AC.



Create different VLANs for different types of users.

Ruijie# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# vlan range 10,20,30
Ruijie(config-vlan-range)# exit

Create a VLAN group, and add VLANs 10, 20, and 30 to the VLAN group. Set VLAN 30 as the default VLAN for visitors.

Ruijie(config)# vlan-group 100


Ruijie(config-vlan-group)# vlan-assign-mode dot1x
Ruijie(config-vlan-group)# vlan-list 10,20,30
Ruijie(config-vlan-group)# default-vlan 30
Ruijie(config-vlan-group)# exit

Create WLAN 1 and configure 802.1x-based authentication as the authentication mode and AES as the encryption mode
for the WLAN.

Ruijie(config)# wlan-config 1 office_wifi


Ruijie(config-wlan)# exit
Ruijie(config)# wlansec 1
Ruijie(wlansec)# security wpa enable
Ruijie(wlansec)# security wpa akm 802.1x enable
Ruijie(wlansec)# security wpa ciphers aes enable

Map WLAN 1 to VLAN group 100.

Ruijie(config)# ap-group default


Ruijie(config-ap-group)# interface-mapping 1 vlan-group 100

(3) Configure the authentication server.

If different types of user accounts are opened on the authentication server, specify the VLAN to be assigned for each type
of users.

Displaying the Configuration

Display configuration information about the VLAN group on the AC.

Ruijie# show vlan-group

VLAN-Group ID Default VLAN Assign-Mode VLAN-List
------------- ------------ ----------- --------------------
100 30 dot1x 10,20,30
Configuration Guide Configuring LLDP

Configuring LLDP

LLDP Overview

Drafted by IEEE 802.1AB, LLDP (Link Layer Discovery Protocol) can detect network topology change and identify what
the change is. With LLDP, a device sends local device information as TLV (Type, Length and Value) triplets in LLDP Data
Units (LLDPDUs) to the neighbor devices, and at the same time, stores the device information received in LLDPDUs sent
from the LLDP neighbors in a standard management information base (MIB) to be accessed by the network management
system.

Through LLDP, the network management system can learn about the state of topological connections, such as which
ports of the device are connected to other devices, the rate of ports on both sides of link, and whether the duplex mode is
matched. The network administrator can quickly locate and eliminate faults according to such information.

Basic Concepts
LLDPDU

An LLDPDU is the data unit encapsulated in an LLDP packet. It comprises a sequence of TLVs, including three fixed TLVs,
a number of optional TLVs and an End Of LLDPDU TLV. The detailed format of the LLDPDU is shown in Figure 1-1:

Figure 1-1 LLDPDU format

 * M refers to fixed TLV.

 In LLDPDU, Chassis ID TLV, Port ID TLV, Time To Live TLV and End Of LLDPDU TLV are fixed TLVs, while other
TLVs are optional.

LLDPDU Encapsulation Format

LLDP packets support two encapsulation formats: Ethernet II and SNAP (Subnetwork Access Protocol).

The Ethernet II encapsulated LLDPDU format is shown in Figure 1-2:

Figure 1-2 Ethernet II encapsulated LLDPDU format



Specifically:

 Destination Address: destination MAC address. It is fixed to 01-80-C2-00-00-0E, a multicast address.

 Source Address: source MAC address, layer-2 MAC address of device.

 Ethertype: the Ethernet type, 0x88CC.

 LLDPDU: LLDP Data Unit.

 FCS: frame check sequence.

The SNAP-encapsulated LLDPDU format is shown in Figure 1-3:

Figure 1-3 SNAP-encapsulated LLDPDU format

Specifically:

 Destination Address: destination MAC address. It is fixed to 01-80-C2-00-00-0E, a multicast address.

 Source Address: source MAC address, layer-2 MAC address of device.

 SNAP-encoded Ethertype: SNAP-encapsulated Ethernet type, AA-AA-03-00-00-00-88-CC.

 LLDPDU: LLDP Data Unit.

 FCS: frame check sequence.

TLV

TLVs encapsulated in LLDPDU can fall into two broad categories:

 Basic management TLVs

 Organizationally specific TLVs

Basic management TLVs are a group of basic TLVs for network management. Organizationally specific TLVs are TLVs
defined by standards organizations and other organizations, such as IEEE 802.1 and IEEE 802.3.

3) Basic management TLVs

Basic management TLVs include two types of TLVs: fixed TLVs and optional TLVs. Fixed TLVs must be included in
LLDPDU, while optional TLVs can be included or excluded according to need.

Basic management TLVs are shown in Table 1:

Type Description Use in LLDPDU
End Of LLDPDU TLV End mark of the LLDPDU, occupying 2 bytes. Fixed
Chassis ID TLV Identifies the device; generally represented by the MAC address. Fixed
Port ID TLV ID of the LLDPDU sending port. Fixed
Time To Live TLV Lifetime of the local information on the neighbor device. When a TLV with TTL 0 is received, the corresponding neighbor information must be deleted. Fixed
Port Description TLV Port description of the LLDPDU sending port. Optional
System Name TLV Name of the sending device. Optional
System Description TLV Description of the sending device, including hardware/software version, operating system, etc. Optional
System Capabilities TLV Identifies the primary functions of the sending device, such as bridging, routing and relaying. Optional
Management Address TLV Management address, including interface number and OID (object identifier). Optional

Table 1 Basic management TLV
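The Ethernet II encapsulation and the fixed TLVs of Table 1 in working form, as an added example written for this guide (not Ruijie code and not a reference implementation of IEEE 802.1AB). It builds a frame with the fixed destination 01-80-C2-00-00-0E, Ethertype 0x88CC and the Chassis ID, Port ID, TTL and End Of LLDPDU TLVs, then parses it back while rejecting the malformed cases a receiver must not trust: a wrong destination or Ethertype, a TLV length that runs past the frame, mandatory TLVs missing or out of order, or a missing End TLV. The FCS is omitted because the NIC appends it; the chassis and port ID subtypes (4 = MAC address, 5 = interface name) are the standard values, and every function name is this example's own.

```python
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # fixed destination 01-80-C2-00-00-0E
ETHERTYPE_LLDP = 0x88CC
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYS_NAME = 0, 1, 2, 3, 5


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= len(value) <= 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldp_frame(src_mac, chassis_mac, port_name, ttl, sys_name=None):
    """Ethernet II encapsulated LLDPDU (without FCS, which the NIC appends).
    Chassis ID subtype 4 = MAC address, Port ID subtype 5 = interface name."""
    tlvs = [
        tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac),
        tlv(TLV_PORT_ID, b"\x05" + port_name.encode()),
        tlv(TLV_TTL, struct.pack("!H", ttl)),
    ]
    if sys_name is not None:
        tlvs.append(tlv(TLV_SYS_NAME, sys_name.encode()))
    tlvs.append(tlv(TLV_END, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + b"".join(tlvs)


def parse_lldp_frame(frame):
    """Validate the encapsulation and the fixed TLVs; reject malformed input
    instead of trusting lengths taken from the wire."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if frame[:6] != LLDP_MULTICAST:
        raise ValueError("destination is not the LLDP multicast address")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("Ethertype is not 0x88CC")

    tlvs, off = [], 14
    while off + 2 <= len(frame):
        header = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(frame):
            raise ValueError("TLV length runs past the end of the frame")
        tlvs.append((tlv_type, frame[off:off + length]))
        off += length
        if tlv_type == TLV_END:
            break
    else:
        raise ValueError("missing End Of LLDPDU TLV")

    types = [t for t, _ in tlvs]
    if types[:3] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("Chassis ID, Port ID and TTL TLVs must come first, in that order")
    if len(tlvs[0][1]) < 2 or len(tlvs[1][1]) < 2 or len(tlvs[2][1]) != 2:
        raise ValueError("fixed TLV with invalid length")
    if tlvs[-1][1] != b"":
        raise ValueError("End Of LLDPDU TLV must have length 0")

    info = {
        "chassis_id": tlvs[0][1][1:].hex(":"),          # skip the subtype byte
        "port_id": tlvs[1][1][1:].decode(errors="replace"),
        "ttl": struct.unpack("!H", tlvs[2][1])[0],
        "sys_name": None,
    }
    for t, v in tlvs[3:]:
        if t == TLV_SYS_NAME:
            info["sys_name"] = v.decode(errors="replace")
    info["shutdown"] = info["ttl"] == 0   # TTL 0 marks a shutdown LLDPDU
    return info
```

A frame built with TTL 120 parses back to the same chassis ID, port name and system name; a frame built with TTL 0 is reported as a shutdown LLDPDU, which the receiver treats as "delete this neighbor" rather than as an update.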

4) Organizationally specific TLVs

Different organizations (such as IEEE 802.1, IEEE 802.3, IETF or device suppliers) may define specific TLVs to advertise
specific information about the device, and OUI (Organizationally Unique Identifier) is used to identify different
organizations.

Organizationally specific TLVs are optional TLVs advertised in LLDPDU according to user's actual needs. Currently,
commonly found organizationally specific TLVs include:

1) IEEE 802.1 organizationally specific TLVs

IEEE 802.1 organizationally specific TLVs are shown in Table 2:

Type Description
Port VLAN ID TLV VLAN identifier of the sending port
Port And Protocol VLAN ID TLV Protocol VLAN identifier of the sending port
VLAN Name TLV Name of VLAN with which the device is configured
Protocol Identity TLV Protocols supported by the port

Table 2 IEEE 802.1 organizationally specific TLVs

2) IEEE 802.3 organizationally specific TLVs

IEEE 802.3 organizationally specific TLVs are shown in Table 3:



Type Description
MAC/PHY Configuration/Status TLV The bit-rate and duplex capabilities of the sending
port and support for auto negotiation.
Power Via MDI TLV Power supply capability of the port
Link Aggregation TLV Indicate the link aggregation capability of the port and
the aggregation status.
Maximum Frame Size TLV The maximum frame size supported by the port.

Table 3 IEEE 802.3 organizationally specific TLVs

3) LLDP-MED TLVs

LLDP-MED is the extension of IEEE 802.1AB LLDP protocol, so that the user can conveniently deploy VoIP (Voice Over
IP) network and fault detection. It provides multiple applications such as network policy configuration, device detection,
PoE management and directory management, providing a cost-effective and easy-to-use solution for deploying voice
devices in Ethernet.

LLDP-MED TLVs are shown in Table 4:

Type Description
LLDP-MED Capabilities TLV Whether the device supports LLDP-MED, the type of LLDP-MED TLV
encapsulated in LLDPDU, and the type of current device (network
connection device or endpoint)
Network Policy TLV Advertise VLAN configuration of the specific port, supported applications
(voice and video, for example), and the Layer 2 priorities.
Location Identification TLV Location identifier information for an endpoint, used to accurately locate
the endpoint in applications such as network topology collection.
Extended Power-via-MDI TLV Provide more advanced power supply management.
Inventory – Hardware Revision TLV Hardware version of MED device
Inventory – Firmware Revision TLV Firmware version of MED device
Inventory – Software Revision TLV Software version of MED device
Inventory – Serial Number TLV Serial number of MED device
Inventory – Manufacturer Name TLV Vendor name of MED device
Inventory – Model Name TLV Model name of MED device
Inventory – Asset ID TLV Asset ID of MED device, used for directory management and asset
tracking.

Table 4 LLDP-MED TLVs

Working Principles
Operating Modes of LLDP

LLDP provides three operating modes:

 TxRx: sending and receiving LLDPDUs.

 Rx Only: only receiving LLDPDUs.

 Tx Only: only sending LLDPDUs.

When the LLDP operating mode of a port changes, the port will initialize the protocol state machine. To prevent LLDP
from being initialized too frequently during times of frequent operating mode change, you can configure a re-initialization
delay.

Mechanism for Transmitting LLDPDUs

An LLDP-enabled port operating in TxRx mode or Tx Only mode will send LLDPDUs both periodically and when the local
device information changes. To avoid frequent LLDPDU sending during times of frequent local device information change,
an interval is introduced between two successive LLDPDUs. This interval can be configured manually.

LLDP provides two types of packets:

 Standard LLDPDUs: including the management and configuration information about local device.

 Shutdown LLDPDU: When the LLDP sending mode is disabled or the port is administratively shut down, a shutdown
LLDPDU is sent. A shutdown LLDPDU generally comprises the Chassis ID TLV, Port ID TLV, Time To Live TLV and
End Of LLDPDU TLV, with the TTL in the Time To Live TLV being 0. When a device receives a shutdown LLDPDU, it
considers the neighbor no longer available and deletes the neighbor information.

When the LLDP operating mode changes from shutdown or Rx to TxRx or Tx, or when a new neighbor is detected (namely,
new LLDPDUs are received and no such neighbor information is stored locally), the fast sending mechanism is initiated so
that the neighbor device can quickly learn the information about this device. The fast sending mechanism adjusts the
LLDPDU sending interval to 1 second and continuously transmits a certain number of LLDPDUs.

Mechanism for Receiving LLDPDUs

An LLDP-enabled port operating in TxRx mode or Rx Only mode can receive LLDPDUs, and checks the validity of received
LLDPDUs to determine whether they carry new neighbor information or updates to existing neighbor information. The
neighbor information is stored on the local device. Meanwhile, an aging timer is set according to the value in the TTL
TLV carried in the LLDPDU. If the TTL value is zero, the information is aged out immediately.
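The receive side described above, as an added example (this guide's editor's illustration, not Ruijie code): a per-port neighbor store that takes already-parsed LLDPDU fields, sets an expiry from the TTL, treats TTL 0 as a shutdown LLDPDU that deletes the neighbor, ages out entries whose timer has run, and refuses new neighbors beyond the per-port limit. The 5-neighbor limit is the one this guide states for a port; the class name, the outcome strings returned by `receive`, and the `lldpdu` helper that stands in for parser output are assumptions.

```python
class LldpNeighborTable:
    """Per-port neighbor store with TTL-based aging, as described above.

    Constructed illustration; `max_per_port` follows the 5-neighbor limit this
    guide states for a port, and the outcome names are this example's own.
    """

    def __init__(self, max_per_port=5):
        self.max_per_port = max_per_port
        self.entries = {}   # (local_port, chassis_id, port_id) -> {"info", "expires"}

    def count(self, local_port):
        return sum(1 for k in self.entries if k[0] == local_port)

    def receive(self, local_port, info, now):
        """info is the dict a parser yields (chassis_id, port_id, ttl, ...);
        now is the local clock in seconds."""
        key = (local_port, info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:
            # Shutdown LLDPDU: the neighbor is no longer available.
            return "deleted" if self.entries.pop(key, None) is not None else "ignored"
        if key in self.entries:
            self.entries[key] = {"info": info, "expires": now + info["ttl"]}
            return "updated"
        if self.count(local_port) >= self.max_per_port:
            return "dropped"   # neighbor limit reached on this port
        self.entries[key] = {"info": info, "expires": now + info["ttl"]}
        return "new"

    def age(self, now):
        """Remove entries whose TTL has run out; return the removed keys."""
        expired = [k for k, e in self.entries.items() if e["expires"] <= now]
        for k in expired:
            del self.entries[k]
        return expired

    def neighbors(self, local_port):
        return [e["info"] for k, e in self.entries.items() if k[0] == local_port]


def lldpdu(chassis_id, port_id, ttl):
    """Constructed stand-in for the fields a parser extracts from an LLDPDU."""
    return {"chassis_id": chassis_id, "port_id": port_id, "ttl": ttl}
```

Each periodic LLDPDU from a known neighbor only pushes its expiry forward, so a neighbor that stops sending is gone after one TTL (120 seconds by default on this platform), while a shutdown LLDPDU removes it immediately.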

Protocol Specifications
The protocols and standards related to LLDP include:

 IEEE 802.1AB 2005: Station and Media Access Control Connectivity Discovery

 ANSI/TIA-1057: Link Layer Discovery Protocol for Media Endpoint Devices

Configuring LLDP Basic Functions

Function Default setting
Globally enable LLDP Enabled
Enable LLDP on the port Enabled
Operating mode of LLDP TxRx
Port re-initialization delay 2 seconds
LLDPDU transmit interval 30 seconds
LLDPDU transmit delay 2 seconds
Neighbor information aging timer 120 seconds
LLDPDU encapsulation format Ethernet II
Enable LLDP Trap Disabled
LLDP error detection Enabled

Enabling LLDP
By default, LLDP is enabled globally and on every port. LLDP takes effect on a port only when it is enabled both
globally and on that port.

Execute the following steps to disable LLDP globally and on a port.

Command                                     Function
------------------------------------------  ------------------------------------------------------------
Ruijie(config)#no lldp enable               Disable LLDP globally.
Ruijie(config)#interface interface-name     Enter interface configuration mode. LLDP runs on the actual
                                            physical interface (for an AP port, on the AP's member
                                            ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#no lldp enable            Disable LLDP on the interface.
Ruijie(config-if)#show lldp status          Display the LLDP state.

To enable LLDP globally or on a port, execute the lldp enable command.

Disabling LLDP globally disables LLDP on the whole device. Before it stops, the device sends Shutdown LLDPDUs
(LLDPDUs whose TTL is 0) to its neighbors so that they delete the corresponding neighbor information at once.

A port can learn up to 5 neighbors.

If the directly connected device does not support LLDP but forwards LLDP frames (many unmanaged switches do),
the port may learn devices that are not directly connected, because their LLDPDUs are forwarded through it.

LLDP carries no authentication: any host on the link can send LLDPDUs, and whatever it sends appears in the
output of show lldp status and show lldp neighbors. Treat neighbor data as a topology hint rather than proof of
what is connected, and remember that every LLDPDU this device sends discloses its system name, system
description and management address to whoever is on that link. On user-facing or otherwise untrusted ports,
disable LLDP or restrict the advertised TLVs (see Configuring the Advertisable TLVs).

Configuration example:

# Globally disable LLDP and display the LLDP state.

Ruijie(config)#no lldp enable
Ruijie(config)#show lldp status
Global status of LLDP: Disable

Configuring LLDP Operating Mode

By default, LLDP is enabled on the interface and operates in TxRx mode (it both sends and receives LLDPDUs).
The operating mode can be changed to Tx (send only) or Rx (receive only) as needed. Rx mode is the right choice
for a port on which you want to learn what the connected device advertises without advertising anything about
this device. Execute the following steps to configure the LLDP operating mode.

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#interface interface-name             Enter interface configuration mode. LLDP runs on the actual
                                                    physical interface (for an AP port, on the AP's member
                                                    ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#lldp mode { tx | rx | txrx }      Configure the LLDP operating mode: Tx, Rx or TxRx.
Ruijie(config-if)#show lldp status interface        Display the LLDP state on the interface.
interface-name

Configuration example:

# Configure the LLDP operating mode of the interface as Tx and display the LLDP state on the interface.

Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#lldp mode tx
Ruijie(config-if)#show lldp status interface gigabitethernet 0/1
Port [GigabitEthernet 0/1]
Port status of LLDP : Enable
Port state : UP
Port encapsulation : Ethernet II
Operational mode : TxOnly
Notification enable : NO
Error detect enable : YES
Number of neighbors : 0
Number of MED neighbors : 0

Configuring the Advertisable TLVs

By default, all TLVs other than the Location Identification TLV can be advertised on the interface. Execute the
following steps to configure the advertisable TLVs on the interface.

Command                                                   Function
--------------------------------------------------------  -----------------------------------------------------
Ruijie(config)#interface interface-name                   Enter interface configuration mode. LLDP runs on the
                                                          actual physical interface (for an AP port, on the
                                                          AP's member ports). LLDP is not supported on stacking
                                                          ports or VSL ports.
Ruijie(config-if)#lldp tlv-enable { basic-tlv { all |     Configure the TLV types that the interface is allowed
port-description | system-capability |                    to advertise. By default, all TLVs other than the
system-description | system-name } | dot1-tlv             Location Identification TLV can be advertised on the
{ all | port-vlan-id | protocol-vlan-id [ vlan-id ] |     interface.
vlan-name [ vlan-id ] } | dot3-tlv { all |
link-aggregation | mac-physic | max-frame-size |
power } | med-tlv { all | capability | inventory |
location { civic-location | elin } identifier id |
network-policy profile [ profile-num ] |
power-over-ethernet } }
Ruijie(config-if)#show lldp tlv-config interface          Display the attributes of the advertisable TLVs.
interface-name

For basic management TLVs, IEEE 802.1 organizationally specific TLVs and IEEE 802.3 organizationally specific
TLVs, the all keyword enables every optional TLV of that group.
For LLDP-MED TLVs, the all keyword enables every LLDP-MED TLV except the Location Identification TLV.
The IEEE 802.3 MAC/PHY Configuration/Status TLV (dot3-tlv mac-physic) must be advertisable before the LLDP-MED
Capabilities TLV can be enabled, and the LLDP-MED Capabilities TLV must be disabled before the MAC/PHY TLV can
be disabled.
The LLDP-MED Capabilities TLV must be advertisable before any other LLDP-MED TLV can be enabled. To stop
advertising the LLDP-MED Capabilities TLV, first disable the other LLDP-MED TLVs; no LLDP-MED TLV is then
advertised.
For the meaning of the individual keywords of lldp tlv-enable, refer to the LLDP command reference (LLDP-CREF).
When the device is connected to an IP phone that supports LLDP-MED, you can deliver the voice VLAN, CoS and
DSCP settings to the phone through the Network Policy TLV; the phone then tags its voice traffic and marks its
QoS accordingly. The voice VLAN function is not needed in this case, but the port connected to the phone must be
configured as a QoS trusted port. If the IP phone does not support LLDP-MED, configure the voice VLAN and add the
phone's MAC address to the voice VLAN OUI list manually.
The System Description TLV, the Management Address TLV and the LLDP-MED Inventory TLV (hardware, firmware and
software revisions, serial number, manufacturer) are the TLVs most useful to an attacker doing reconnaissance on
the link. On ports that face users or untrusted equipment, disable them with the no form of lldp tlv-enable
(for example no lldp tlv-enable basic-tlv system-description and no lldp tlv-enable med-tlv inventory), or put
the port in Rx mode so that nothing is advertised at all.

Configuration example:

# Disable the advertisement of the Port And Protocol VLAN ID TLV specified by IEEE 802.1.

Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#no lldp tlv-enable dot1-tlv protocol-vlan-id
Ruijie(config-if)#show lldp tlv-config interface gigabitethernet 0/1
LLDP tlv-config of port [GigabitEthernet 0/1]
NAME                           STATUS DEFAULT
------------------------------ ------ -------
Basic optional TLV:
Port Description TLV           YES    YES
System Name TLV                YES    YES
System Description TLV         YES    YES
System Capabilities TLV        YES    YES
Management Address TLV         YES    YES

IEEE 802.1 extend TLV:
Port VLAN ID TLV               YES    YES
Port And Protocol VLAN ID TLV  NO     YES
VLAN Name TLV                  YES    YES

IEEE 802.3 extend TLV:
MAC-Physic TLV                 YES    YES
Power via MDI TLV              YES    YES
Link Aggregation TLV           YES    YES
Maximum Frame Size TLV         YES    YES

LLDP-MED extend TLV:
Capabilities TLV               YES    YES
Network Policy TLV             YES    YES
Location Identification TLV    NO     NO
Extended Power via MDI TLV     YES    YES
Inventory TLV                  YES    YES

Configuring the Management Address Advertised in LLDPDUs

The management address of a device is the address by which the network management system identifies and manages
the device.

Execute the following steps to configure the management address to be advertised in LLDPDUs:

Command                                              Function
---------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#interface interface-name              Enter interface configuration mode. LLDP runs on the actual
                                                     physical interface (for an AP port, on the AP's member
                                                     ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#lldp management-address-tlv        Configure the management address advertised in the LLDPDUs
[ ip-address ]                                       sent from this interface.
Ruijie(config-if)#show lldp local-information        Display the LLDP local information of a specific interface.
interface interface-name

By default, a management address is advertised in LLDPDUs and is selected as follows: the IPv4 address of the
lowest-numbered VLAN carried on the port; if that VLAN has no IPv4 address, the next lowest-numbered VLAN
carried on the port is tried, and so on. If no IPv4 address is found, the IPv6 address of the lowest-numbered
VLAN carried on the port is tried in the same way. If no IPv6 address is found either, the MAC address of the
device is advertised as the management address.

Because the default selection walks through every VLAN carried on the port, a trunk port facing an untrusted
device may end up advertising the IPv4 address of a management VLAN that the device on that port should not
learn. Setting the address explicitly with lldp management-address-tlv keeps the advertised value under your
control.
Configuration example:

# Configure the management address advertised in LLDPDUs as 192.168.1.1 and display the corresponding
configuration.

Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#lldp management-address-tlv 192.168.1.1
Ruijie(config-if)#show lldp local-information interface GigabitEthernet 0/1
Lldp local-information of port [GigabitEthernet 0/1]
Port ID type : Interface name
Port id : GigabitEthernet 0/1
Port description :

Management address subtype : ipv4
Management address : 192.168.1.1
Interface numbering subtype : ifIndex
Interface number : 0
Object identifier :

802.1 organizationally information
Port VLAN ID : 1
Port and protocol VLAN ID(PPVID) : 1
PPVID Supported : YES
PPVID Enabled : NO
VLAN name of VLAN 1 : VLAN0001
Protocol Identity :

802.3 organizationally information
Auto-negotiation supported : YES
Auto-negotiation enabled : YES
PMD auto-negotiation advertised : 1000BASE-T full duplex mode, 100BASE-TX full duplex mode,
100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode
Operational MAU type : dot3MauType100BaseTXFD: 2 pair category 5 UTP, full duplex mode
PoE support : NO
Link aggregation supported : YES
Link aggregation enabled : NO
Aggregation port ID : 0
Maximum frame Size : 1500

LLDP-MED organizationally information
Power-via-MDI device type : PD
Power-via-MDI power source : Local
Power-via-MDI power priority :
Power-via-MDI power value :
Model name : Model name

Configuring the Number of Fast Sent LLDPDUs

When a new neighbor is detected, or when the LLDP operating mode changes from shutdown or Rx to TxRx or Tx, the
fast sending mechanism is started so that the neighbor learns this device's information quickly. Fast sending
shortens the LLDPDU transmit interval to 1 second and sends a configured number of LLDPDUs back to back before
returning to the normal transmit interval.

Command                                     Function
------------------------------------------  ------------------------------------------------------------
Ruijie(config)#lldp fast-count count        Configure the number of fast sent LLDPDUs, in the range from
                                            1 to 10. The default is 3.
Ruijie(config)#show lldp status             Display the LLDP state.

Configuration example:

# Configure the number of fast sent LLDPDUs to 5.

Ruijie(config)#lldp fast-count 5
Ruijie(config)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 5s
Fast start counts : 5

Configuring the TTL Multiplier and LLDPDU Transmit Interval

The value carried in the Time To Live TLV of an LLDPDU is: TTL = TTL multiplier × LLDPDU transmit interval + 1.
A neighbor keeps this device's information for that many seconds after the last LLDPDU it received; if no
further LLDPDU arrives within the TTL, the entry is aged out. The lifetime of the local device information on
the neighbor is therefore controlled by adjusting the TTL multiplier (and the transmit interval).

Execute the following steps to configure the TTL multiplier and the LLDPDU transmit interval.

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#lldp hold-multiplier value           Configure the TTL multiplier, in the range from 2 to 10. The
                                                    default is 4.
Ruijie(config)#lldp timer tx-interval seconds       Configure the LLDPDU transmit interval, in the range from 5
                                                    to 32768 seconds. The default is 30.
Ruijie(config)#show lldp status                     Display the LLDP state.

Configuration example:

# Configure the TTL multiplier to 3 and the LLDPDU transmit interval to 20 seconds. The TTL of the local device
information on the neighbor device is then 3 × 20 + 1 = 61 seconds.

Ruijie(config)#lldp hold-multiplier 3
Ruijie(config)#lldp timer tx-interval 20
Ruijie(config)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 20s
Hold multiplier : 3
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 5s
Fast start counts : 3

Configuring the LLDPDU Transmit Delay

An LLDP-enabled port sends an LLDPDU whenever the local device information changes. To avoid a burst of LLDPDUs
while local information is changing frequently, configure the LLDPDU transmit delay: the minimum time between
two consecutive LLDPDUs triggered by such changes. The default transmit delay is 2 seconds. Execute the following
steps to configure the LLDPDU transmit delay.

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#lldp timer tx-delay seconds          Configure the LLDPDU transmit delay, in seconds.
Ruijie(config)#show lldp status                     Display the LLDP state.

Configuration example:

# Configure the LLDPDU transmit delay to 3 seconds and display the LLDP state.

Ruijie(config)#lldp timer tx-delay 3
Ruijie(config)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 3s
Notification interval : 5s
Fast start counts : 3

Configuring the Port Re-initialization Delay

When the LLDP operating mode of a port changes, the port re-initializes its protocol state machine. To prevent
LLDP from being re-initialized too often while the operating mode is changing frequently, configure the port
re-initialization delay: the time the port waits before re-initializing LLDP. Execute the following steps to
configure the port re-initialization delay:

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#lldp timer reinit-delay seconds      Configure the port re-initialization delay, in seconds.
Ruijie(config)#show lldp status                     Display the LLDP state.

Configuration example:

# Configure the port re-initialization delay to 3 seconds and display the LLDP state.

Ruijie(config)#lldp timer reinit-delay 3
Ruijie(config)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 3s
Transmit delay : 2s
Notification interval : 5s
Fast start counts : 3

Configuring LLDP Trap

With LLDP Trap configured, LLDP information of the local device (such as the detection of a new neighbor or a
fault on the communication link) is sent to the network management server as SNMP traps, and the administrator
can monitor the state of the network from them. A remote-change trap on an access port is also a cheap signal
that an unexpected device has appeared there, so it is worth forwarding these traps to wherever security events
are collected.

To prevent an excessive number of LLDP traps, an interval for sending LLDP traps can be set: when LLDP
information changes during the interval, at most one trap is sent to the network management server per
interval.

By default, LLDP Trap is disabled.

Execute the following steps to configure LLDP Trap:

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#lldp timer notification-interval     Configure the interval for sending LLDP traps, in the range
seconds                                             from 5 to 3600 seconds. The default is 5.
Ruijie(config)#interface interface-name             Enter interface configuration mode. LLDP runs on the actual
                                                    physical interface (for an AP port, on the AP's member
                                                    ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#lldp notification remote-change   Enable LLDP Trap on the interface. LLDP Trap is disabled by
enable                                              default.
Ruijie(config-if)#show lldp status                  Display the LLDP state.

Configuration example:

# Enable LLDP Trap and configure the interval for sending LLDP traps to 10 seconds.

Ruijie(config)#lldp timer notification-interval 10
Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#lldp notification remote-change enable
Ruijie(config-if)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 10s
Fast start counts : 3
------------------------------------------------------------
Port [GigabitEthernet 0/1]
------------------------------------------------------------
Port status of LLDP : Enable
Port state : UP
Port encapsulation : Ethernet II
Operational mode : RxAndTx
Notification enable : YES
Error detect enable : YES
Number of neighbors : 0
Number of MED neighbors : 0

Configuring LLDP Error Detection

LLDP error detection compares the local configuration with what the neighbor advertises. It covers the VLAN
configuration on both ends of the link, the port state (speed and duplex), the port aggregation configuration,
the MTU configuration and loop detection. When LLDP detects a mismatch, it prints a log message to notify the
administrator.

Execute the following steps to configure LLDP error detection:

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#interface interface-name             Enter interface configuration mode. LLDP runs on the actual
                                                    physical interface (for an AP port, on the AP's member
                                                    ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#lldp error-detect                 Enable LLDP error detection. LLDP error detection is enabled
                                                    by default.
Ruijie(config-if)#show lldp status interface        Display the LLDP state on the interface.
interface-name

Configuration example:

# Enable LLDP error detection and display the LLDP state on the interface.

Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#lldp error-detect
Ruijie(config-if)#show lldp status interface gigabitethernet 0/1
Port [GigabitEthernet 0/1]
Port status of LLDP : Enable
Port state : UP
Port encapsulation : Ethernet II
Operational mode : RxAndTx
Notification enable : NO
Error detect enable : YES
Number of neighbors : 0
Number of MED neighbors : 0

Configuring the LLDPDU Encapsulation Format

By default, LLDPDUs are encapsulated in Ethernet II frames (ethertype 0x88CC). The configurable encapsulation
formats are Ethernet II and SNAP (an IEEE 802.3 length field followed by an LLC/SNAP header that carries the same
ethertype).

When configured for Ethernet II, the device sends and receives only Ethernet II-encapsulated LLDP frames.

When configured for SNAP, the device sends and receives only SNAP-encapsulated LLDP frames.

Execute the following steps to configure the LLDPDU encapsulation format:

Command                                             Function
--------------------------------------------------  ------------------------------------------------------------
Ruijie(config)#interface interface-name             Enter interface configuration mode. LLDP runs on the actual
                                                    physical interface (for an AP port, on the AP's member
                                                    ports). LLDP is not supported on stacking ports or VSL ports.
Ruijie(config-if)#lldp encapsulation snap           Configure the LLDPDU encapsulation format as SNAP.
Ruijie(config-if)#show lldp status interface        Display the LLDP state on the interface.
interface-name

To guarantee normal communication between the local device and its neighbor, both must use the same LLDPDU
encapsulation format; a device configured for one format silently ignores LLDP frames in the other.

Configuration example:

# Configure the LLDPDU encapsulation format as SNAP and display the corresponding configuration.

Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#lldp encapsulation snap
Ruijie(config-if)#show lldp status interface gigabitethernet 0/1
Port [GigabitEthernet 0/1]
Port status of LLDP : Enable
Port state : UP
Port encapsulation : Snap
Operational mode : RxAndTx
Notification enable : NO
Error detect enable : YES
Number of neighbors : 0
Number of MED neighbors : 0
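The following is an added example, written for this guide and not RGOS code, that puts the rules of this chapter into working form: it builds an LLDPDU whose Time To Live value follows the formula in Configuring the TTL Multiplier and LLDPDU Transmit Interval (multiplier × interval + 1), wraps it in either the Ethernet II or the SNAP encapsulation described in this section, parses a received frame (rejecting anything that is not LLDP or lacks the three mandatory TLVs), and keeps a per-port neighbor table that ages entries by the received TTL, deletes an entry on a Shutdown LLDPDU (TTL 0) and enforces the 5-neighbor port limit. The MAC address, port name, system name and 192.168.1.1 management address are constructed sample values; the TLV type numbers and subtypes are those of IEEE 802.1AB.

```python
"""Build, frame and parse LLDPDUs (IEEE 802.1AB) and age neighbors by TTL.
Example written for this guide; not RGOS code. Sample values are constructed."""
import socket
import struct

LLDP_MCAST = bytes.fromhex("0180c200000e")      # nearest-bridge group address
ETHERTYPE_LLDP = 0x88CC
# LLC/SNAP header of the SNAP encapsulation: DSAP/SSAP 0xAA, control 0x03, OUI 0, ethertype
SNAP_HDR = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00]) + struct.pack("!H", ETHERTYPE_LLDP)
# TLV types (IEEE 802.1AB section 9.5)
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)


def ttl_value(tx_interval, hold_multiplier):
    """Value of the Time To Live TLV: multiplier x transmit interval + 1, capped at 65535."""
    return min(65535, tx_interval * hold_multiplier + 1)


def tlv(tlv_type, value):
    """TLV header: 7 bits of type and 9 bits of length, followed by the value."""
    if len(value) > 511:
        raise ValueError("TLV value too long")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac, port_name, ttl, sys_name=None, sys_desc=None, mgmt_ipv4=None):
    """Mandatory TLVs in their fixed order, then optional TLVs, then End of LLDPDU."""
    pdu = tlv(CHASSIS_ID, b"\x04" + chassis_mac)          # chassis ID subtype 4 = MAC address
    pdu += tlv(PORT_ID, b"\x05" + port_name.encode())     # port ID subtype 5 = interface name
    pdu += tlv(TTL, struct.pack("!H", ttl))
    if sys_name:
        pdu += tlv(SYS_NAME, sys_name.encode())
    if sys_desc:
        pdu += tlv(SYS_DESC, sys_desc.encode())
    if mgmt_ipv4:
        # address length (subtype + 4 bytes) = 5, subtype 1 = IPv4, the address,
        # interface numbering subtype 2 = ifIndex, ifIndex 0, OID length 0
        addr = bytes([5, 1]) + socket.inet_aton(mgmt_ipv4) + b"\x02" + struct.pack("!I", 0) + b"\x00"
        pdu += tlv(MGMT_ADDR, addr)
    return pdu + tlv(END, b"")


def frame(src_mac, lldpdu, snap=False):
    """Ethernet II (ethertype 0x88CC) or IEEE 802.3 length field plus LLC/SNAP header."""
    if snap:
        return LLDP_MCAST + src_mac + struct.pack("!H", len(SNAP_HDR) + len(lldpdu)) + SNAP_HDR + lldpdu
    return LLDP_MCAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + lldpdu


def parse_frame(data):
    """Decode the neighbor fields of one frame; reject non-LLDP frames and missing mandatory TLVs."""
    etype_or_len = struct.unpack("!H", data[12:14])[0]
    if etype_or_len == ETHERTYPE_LLDP:
        encap, body = "Ethernet II", data[14:]
    elif etype_or_len <= 1500 and data[14:22] == SNAP_HDR:
        encap, body = "SNAP", data[22:14 + etype_or_len]
    else:
        raise ValueError("not an LLDP frame")
    info = {"src_mac": data[6:12].hex(":"), "encap": encap}
    pos = 0
    while pos + 2 <= len(body):
        header = struct.unpack("!H", body[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if tlv_type == END:
            break
        if not value:
            continue
        if tlv_type == CHASSIS_ID:
            info["chassis_id"] = value[1:].hex(":") if value[0] == 4 else value[1:].decode(errors="replace")
        elif tlv_type == PORT_ID:
            info["port_id"] = value[1:].hex(":") if value[0] == 3 else value[1:].decode(errors="replace")
        elif tlv_type == TTL and length >= 2:
            info["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type == SYS_NAME:
            info["sys_name"] = value.decode(errors="replace")
        elif tlv_type == SYS_DESC:
            info["sys_desc"] = value.decode(errors="replace")
        elif tlv_type == MGMT_ADDR and length >= 6 and value[0] == 5 and value[1] == 1:
            info["mgmt_addr"] = socket.inet_ntoa(value[2:6])
    for mandatory in ("chassis_id", "port_id", "ttl"):
        if mandatory not in info:
            raise ValueError("missing mandatory TLV: " + mandatory)
    return info


class NeighborTable:
    """Neighbor store of one port: TTL 0 (Shutdown LLDPDU) deletes, any other TTL refreshes the timer."""

    def __init__(self, max_neighbors=5):
        self.max_neighbors = max_neighbors
        self.entries = {}           # (chassis_id, port_id) -> (info, expiry time in seconds)

    def receive(self, data, now):
        """Return True if the entry was stored or refreshed, False if it was deleted or not learned."""
        info = parse_frame(data)
        key = (info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:
            self.entries.pop(key, None)
            return False
        if key not in self.entries and len(self.entries) >= self.max_neighbors:
            return False            # port limit reached, new neighbor not learned
        self.entries[key] = (info, now + info["ttl"])
        return True

    def age(self, now):
        """Remove entries whose TTL has expired; return how many were removed."""
        expired = [k for k, (_, expiry) in self.entries.items() if expiry <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)
```

Run parse_frame over captured LLDP frames from a user-facing port to see exactly which of the fields in this chapter (system name, system description, management address) the device is disclosing there; the NeighborTable mirrors what show lldp neighbors would show, including the entry disappearing when a neighbor is disabled globally and sends its Shutdown LLDPDU.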

Configuring the LLDP Network Policy

The LLDP-MED Network Policy TLV carries the voice VLAN, CoS and DSCP settings that an LLDP-MED endpoint such as
an IP phone should apply to its voice and voice-signaling traffic. A network policy profile is defined globally
and then attached to an interface with lldp tlv-enable med-tlv network-policy.

Command                                                   Function
--------------------------------------------------------  -----------------------------------------------------
Ruijie(config)#lldp network-policy profile profile-num    Enter LLDP network-policy configuration mode.
Ruijie(config-lldp-network-policy)#{ voice |              Configure the LLDP network policy for voice or
voice-signaling } vlan { vlan-id [ cos cvalue | dscp      voice-signaling traffic.
dvalue ] | dot1p [ cos cvalue | dscp dvalue ] | none |
untagged }
Ruijie(config-lldp-network-policy)#no { voice |           Remove the voice or voice-signaling policy.
voice-signaling } vlan

Configuration example:

# Configure the LLDP packets advertised from interface GigabitEthernet 0/1 as follows:

Network Policy TLV: profile 1
Voice VLAN ID: 3
CoS: 4
DSCP: 6

Ruijie#config
Ruijie(config)#lldp network-policy profile 1
Ruijie(config-lldp-network-policy)# voice vlan 3 cos 4
Ruijie(config-lldp-network-policy)# voice vlan 3 dscp 6
Ruijie(config-lldp-network-policy)#exit
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable med-tlv network-policy profile 1

Configuring the Civic Address Information of a Device

The civic address is carried in the LLDP-MED Location Identification TLV (ANSI/TIA-1057) and tells an LLDP-MED
endpoint such as an IP phone where it is located, for example for emergency calls. Because LLDPDUs are not
authenticated, an endpoint accepts location data from whatever device is sending LLDP on its link, so keep phones
on ports where only the switch can send LLDPDUs. Run the commands listed in the following table to configure the
civic address information of a device.

Command                                                    Function
---------------------------------------------------------  ---------------------------------------------------
Ruijie(config)#lldp location civic-location identifier id  Enter LLDP civic address configuration mode.
Ruijie(config-lldp-civic)#device-type device-type          Configure the device type. The default device type
                                                           is switch.
Ruijie(config-lldp-civic)#{ country | state | county |     Configure the LLDP civic address information. The
city | division | neighborhood | street-group |            country value is the two-letter ISO 3166 country
leading-street-dir | trailing-street-suffix |              code in upper case (CN for China).
street-suffix | number | street-number-suffix |
landmark | additional-location-information | name |
postal-code | building | unit | floor | room |
type-of-place | postal-community-name |
post-office-box | additional-code } ca-word

Configuration example:

# Configure the civic address advertised from interface GigabitEthernet 0/1 as follows:

Device type: switch
Country: CN
City: Fuzhou
Postal-code: 350000

Ruijie#config
Ruijie(config)#lldp location civic-location identifier 1
Ruijie(config-lldp-civic)# country CN
Ruijie(config-lldp-civic)# city Fuzhou
Ruijie(config-lldp-civic)# postal-code 350000
Ruijie(config-lldp-civic)# exit
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable med-tlv location civic-location identifier 1

Configuring the Emergency Call Number

The Emergency Location Identification Number (ELIN) is carried in the LLDP-MED Location Identification TLV and
identifies the caller's location to the emergency service. Run the commands listed in the following table to
configure the emergency call number of a device.

Command                                                    Function
---------------------------------------------------------  ---------------------------------------------------
Ruijie(config)#lldp location elin identifier id            Configure the emergency call number.
elin-location tel-number

Configuration example:

# Configure the emergency call number advertised from interface GigabitEthernet 0/1 as 085283671111.

Ruijie#config
Ruijie(config)#lldp location elin identifier 1 elin-location 085283671111
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable med-tlv location elin identifier 1

Viewing and Clearing Configurations

Command                                                    Function
---------------------------------------------------------  ---------------------------------------------------
show lldp local-information [ global | interface           Show the device information to be sent to neighbors.
interface-name ]
show lldp location { civic-location | elin }               Show the civic address information or emergency
{ identifier id | interface interface-name | static }      call number of the local device.
show lldp neighbors [ interface interface-name ]           Show the information about adjacent neighbors.
[ detail ]
show lldp network-policy profile [ profile-num ]           Show the LLDP network-policy configuration.
show lldp statistics [ global | interface interface-name ] Show the LLDP statistics.
show lldp status [ interface interface-name ]              Show the LLDP status.
show lldp tlv-config [ interface interface-name ]          Show the optional TLVs that can be advertised.
clear lldp statistics [ interface interface-name ]         Clear the LLDP statistics.
clear lldp table [ interface interface-name ]              Clear the LLDP neighbor information.

Configuration example:

# Show the detailed information about the neighbors learned on all ports. Add interface interface-name to limit
the output to one port.

Ruijie# show lldp neighbors detail
Lldp neighbor-information of port [GigabitEthernet 0/1]
Neighbor index : 1
Device type : LLDP Device
Update time : 12minutes 40seconds
Aging time : 5seconds
Chassis ID type : MAC address
Chassis id : 00d0.f822.33cd
System name : System name
System description : System description
System capabilities supported : Repeater, Bridge, Router
System capabilities enabled : Repeater, Bridge, Router

Management address subtype : 802 mac address
Management address : 00d0.f822.33cd
Interface numbering subtype :
Interface number : 0
Object identifier :

LLDP-MED capabilities :
Device class :
HardwareRev :
FirmwareRev :
SoftwareRev :
SerialNum :
Manufacturer name :
Asset tracking identifier :

Port ID type : Interface name
Port id : GigabitEthernet 0/2
Port description :

802.1 organizationally information
Port VLAN ID : 1
Port and protocol VLAN ID(PPVID) : 1
PPVID Supported : YES
PPVID Enabled : NO
VLAN name of VLAN 1 : VLAN0001
Protocol Identity :

802.3 organizationally information
Auto-negotiation supported : YES
Auto-negotiation enabled : YES
PMD auto-negotiation advertised : 1000BASE-T full duplex mode, 100BASE-TX full duplex mode,
100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode
Operational MAU type : speed(100)/duplex(Full)
PoE support : NO
Link aggregation supported : YES
Link aggregation enabled : NO
Aggregation port ID : 0
Maximum frame Size : 1500

LLDP-MED organizationally information
Power-via-MDI device type :
Power-via-MDI power source :
Power-via-MDI power priority :
Power-via-MDI power value :
For details about LLDP output information, see the description in LLDP Command Reference.

Typical LLDP Configuration Examples

Use LLDP to View Topological Connections

Networking Requirements

Devices required

Two Ethernet switches (Switch A and Switch B), one MED device (an IP phone in this example) and one NMS (network
management system).

Configuration required

LLDP is enabled by default. No further configuration is needed.

Network Topology

Fig 4 Basic topological diagram of LLDP

Configuration Tips

 The LLDP operating mode on the ports is TxRx.

 The LLDPDU timers use their default values: the LLDPDU transmit interval is 30 seconds and the LLDPDU transmit
delay is 2 seconds.

Configuration Steps

LLDP is enabled by default, and no further configuration is needed.

Verification

 Display the information about the neighbor device connected to Switch A.

# Display the summary of the neighbor learned on port Gi 0/2 of Switch A.

Ruijie# show lldp neighbors interface gigabitethernet 0/2
Capability codes:
(R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
(W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other

Local Intf  Port ID  Capability  Aging-time
Gi 0/2      Gi 0/1   B,R         120

Total entries displayed: 1

The output shows that the device connected to port Gi 0/2 of Switch A is attached through its port Gi 0/1, that
it advertises the bridge and router capabilities, and that its entry ages out after 120 seconds without a
refresh. The neighbor's chassis ID (its MAC address, 00d0.f822.33cd) is shown in the detailed output.

# Display the detailed information about the neighbor device connected to port Gi 0/2 of Switch A.

Ruijie# show lldp neighbors interface gigabitethernet 0/2 detail
Lldp neighbor-information of port [GigabitEthernet 0/2]
Neighbor index : 1
Device type : LLDP Device
Update time : 5minute 39second
Chassis ID type : MAC address
Chassis id : 00d0.f822.33cd
System name : System name
System description : System description
System capabilities supported : Repeater, Bridge, Router
System capabilities enabled : Repeater, Bridge, Router

Management address subtype : 802 mac address
Management address : 00d0.f822.33cd
Interface numbering subtype :
Interface number : 0
Object identifier :

LLDP-MED capabilities :
Device class :
HardwareRev :
FirmwareRev :
SoftwareRev :
SerialNum :
Manufacturer name :
Asset tracking identifier :

Port ID type : Interface name
Port id : GigabitEthernet 0/1
Port description :

802.1 organizationally information
Port VLAN ID : 1
Port and protocol VLAN ID(PPVID) : 1
PPVID Supported : YES
PPVID Enabled : NO
VLAN name of VLAN 1 : VLAN0001
Protocol Identity :

802.3 organizationally information
Auto-negotiation supported : YES
Auto-negotiation enabled : YES
PMD auto-negotiation advertised : 1000BASE-T full duplex mode, 100BASE-TX full duplex mode,
100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode
Operational MAU type : dot3MauType1000BaseTFD: Four-pair Category 5 UTP, full duplex mode
PoE support : NO
Link aggregation supported : YES
Link aggregation enabled : NO
Aggregation port ID : 0
Maximum frame Size : 1500

LLDP-MED organizationally information
Power-via-MDI device type :
Power-via-MDI power source :
Power-via-MDI power priority :
Power-via-MDI power value :

Use the LLDP Error Detection Feature to Detect Configuration Mismatches

Networking Requirements

 Devices required

Two Ethernet switches (Switch A and Switch B)

 Configuration required

LLDP is enabled by default. No further configuration is needed.

Network Topology

Fig 5 Basic topological diagram of LLDP

Configuration Tips

 The LLDP operating mode on the ports is TxRx.

 The LLDPDU timers use their default values: the LLDPDU transmit interval is 30 seconds and the LLDPDU transmit
delay is 2 seconds.

 LLDP error detection is enabled by default. No further configuration is needed.

Configuration Steps

1. Configure the speed of port Gi 0/1 of Switch A to 100 Mbit/s.

Ruijie#config
Ruijie(config)#interface gigabitethernet 0/1
Ruijie(config-if)#speed 100
%Warning: the speed/duplex of port GigabitEthernet 0/1 may not match with it's neighbor.

The warning shows that the speed and duplex settings of port Gi 0/1 may no longer match those of the port on
the neighbor device, which LLDP learned from the neighbor's MAC/PHY Configuration/Status TLV.

Verification

When the administrator changes the VLAN configuration, the port speed or duplex, the aggregation configuration
or the port MTU, and the new setting does not match the configuration advertised by the neighbor device, the
corresponding error message is printed.
Configuration Guide Configuring PPPoE Client

Configuring PPPoE Client

 The PPPoE client function is supported only on AP110-W, AP120-W, AP320, AP330, AP530, AP3220, AP3220-P,
AP4210, APD-M, AP5280 and AP630-H.

Overview

PPPoE: Point-to-Point Protocol over Ethernet

Ruijie products support the PPPoE client on Ethernet interfaces, so the device can connect to the ISP's PPPoE
server (access concentrator) over a bridged Ethernet access network, for example through an ADSL modem, and
reach the ISP network through it. PPPoE lets the PPPoE server identify, control and account for each access
client individually.

Ruijie products support automatic dialing only: the session is brought up as soon as it is configured and is
kept online permanently; there is no dial-on-demand routing (DDR).

 The PPPoE client is applicable in scenarios where Internet access is implemented through ADSL.

The following sections describe the PPPoE client only.

Protocols and Standards

 RFC2516: A Method for Transmitting PPP Over Ethernet (PPPoE)

 RFC1661: The Point-to-Point Protocol (PPP)

Applications

Application      Description
---------------  -------------------------------------------------------------------------------------------
ADSL Scenario    In a scenario where Internet access is implemented through the Asymmetric Digital Subscriber
                 Line (ADSL) technology, the device provides dialup and packet forwarding functions.

ADSL Scenario

Scenario

In a scenario where Internet access is implemented through ADSL, the device provides dialup and packet
forwarding functions.

The dialup networking scenario is illustrated in Figure 0-1.

 The dialup function is enabled on the device. The device connects to a remote Internet service provider (ISP)
over an ADSL line and obtains Internet access.

 Intranet PCs access the Internet through the device.

Figure 0-1

Corresponding Protocols

 Enable the dialup function on the device, and dial up to the Internet over the ADSL line.

Features

Basic Concepts

ISP

A network operator who provides users with Internet access service, information service, and value-added services
(VASs).

ADSL

A line on which users dial up to the Internet.

Data Flow

A flow of packets only forwarded by the device.

Interested Flow

A specific type of packets defined by users during configuration, which can trigger the device to start dialup.

Overview

Feature                 Description
----------------------  ------------------------------------------------------------------------------------
Dialup to the Internet  In a scenario where Internet access is implemented through the Asymmetric Digital
                        Subscriber Line (ADSL) technology, the device provides dialup and packet forwarding
                        functions.

Dialup to the Internet

Once the dialup is complete, the device has Internet access, and therefore so do the hosts in the intranet that
route through it.

Working Principle

Dialup corresponds to the negotiation process, whereas Internet access corresponds to the packet forwarding process.

Negotiation can be further divided into three parts: protocol negotiation, protocol keepalive, and protocol termination.

Protocol Negotiation

Protocol negotiation is divided into PPPoE negotiation and PPP negotiation.

During PPPoE negotiation, both parties confirm a unique peer, record the peer's MAC address, and establish a unique
session ID.

During PPP negotiation, the server checks the client's authentication information. If the client passes the authentication,
the server allocates an IP address to the client. If the client has already been configured with an IP address and the
configured IP address meets the server's requirements, the server will agree to use this IP address as the IP address of
the client.

After both protocols are up, the device has Internet access capability and prepares a Layer 2 (L2) header that is
necessary for data packet encapsulation.

Protocol Keepalive

After PPP is up, both parties periodically send LCP heartbeat packets to each other. If the party at one end does not
receive any heartbeat response from the other party, it actively terminates the protocol.

Protocol Termination

In certain cases, either party may actively terminate the protocol.

The initiating party sends a PPP termination packet to end the current PPP session, and then sends a PPPoE termination
packet to end the current PPPoE session.

After receiving the PPP termination packet, the passive party returns an acknowledgement packet to agree to the
termination of the PPP session; and after receiving the PPPoE termination packet, the passive party returns another
acknowledgement packet to agree to the termination of the PPPoE session.

Once either party receives a PPPoE termination packet, both the PPP session and the PPPoE session terminate immediately,
even if no PPP termination packet has been received.

Packet Forwarding
Configuration Guide Configuring PPPoE Client

Packet sending process: When a data packet is routed to the dialer interface, the device encapsulates the data packet
with the prepared L2 header information and ultimately sends the data packet from a physical port.

Packet receiving process: After a packet arrives at a physical port, the device marks the Layer 3 (L3) header position of
the packet, executes the next service, and ultimately sends the packet to a host in the intranet.
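The discovery stage described under "Protocol Negotiation" and "Protocol Termination" (confirm a unique peer, record its MAC address, obtain a session ID, tear down on PADT) can be followed in a few dozen lines. The following is an added illustration written for this guide, not code from the Ruijie product or RGOS: it encodes and parses PPPoE discovery frames, drives a client through PADI/PADO/PADR/PADS against a scripted access concentrator, and then honours a PADT only from the learned peer MAC with the learned session ID. The packet codes, tag types and ethertype are taken from RFC 2516, which the page itself does not cite; the MAC addresses, session ID and AC name are constructed sample values.

```python
import struct

# Constants from RFC 2516 (assumed here; the page names the stages but not the codes).
ETH_P_PPPOE_DISC = 0x8863          # discovery-stage ethertype
PPPOE_VER_TYPE = 0x11              # version 1, type 1
CODE_PADI, CODE_PADO, CODE_PADR, CODE_PADS, CODE_PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6


def build_frame(dst, src, code, session_id, tags):
    """Encode an Ethernet frame carrying one PPPoE discovery packet; tags is a list of (type, value)."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    pppoe_hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + pppoe_hdr + payload


def parse_frame(frame):
    """Decode a discovery frame; every length field is checked so truncated or oversized input is rejected."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE discovery frame")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("payload length does not match header")
    tags, off = [], 0
    while off + 4 <= len(body):
        tag, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if off + tlen > len(body):
            raise ValueError("tag runs past payload")
        tags.append((tag, body[off:off + tlen]))
        off += tlen
    return {"dst": dst, "src": src, "code": code, "session_id": session_id, "tags": tags}


class PppoeClient:
    """Client side of the discovery stage: learns the peer MAC and session ID, then honours PADT."""

    def __init__(self, mac, host_uniq=b"\x00\x2a"):
        self.mac, self.host_uniq = mac, host_uniq
        self.peer, self.session_id, self.state = None, 0, "IDLE"

    def start(self):
        """Broadcast a PADI; Host-Uniq lets us match the offers that answer *our* request."""
        self.state = "PADI_SENT"
        return build_frame(BROADCAST, self.mac, CODE_PADI, 0,
                           [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)])

    def handle(self, frame):
        """Feed one received frame; returns a frame to send back, or None."""
        pkt = parse_frame(frame)
        tags = dict(pkt["tags"])
        if pkt["code"] == CODE_PADO and self.state == "PADI_SENT":
            if tags.get(TAG_HOST_UNIQ) != self.host_uniq:
                return None                                  # offer answering somebody else's PADI
            self.peer, self.state = pkt["src"], "PADR_SENT"  # record the unique peer's MAC address
            return build_frame(self.peer, self.mac, CODE_PADR, 0,
                               [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, self.host_uniq)])
        if pkt["code"] == CODE_PADS and self.state == "PADR_SENT" and pkt["src"] == self.peer:
            if tags.get(TAG_HOST_UNIQ) != self.host_uniq:
                return None
            self.session_id, self.state = pkt["session_id"], "SESSION"  # session ID is now established
            return None                                      # PPP (LCP, authentication, IPCP) starts here
        if pkt["code"] == CODE_PADT and self.state == "SESSION":
            # Only a PADT from the learned peer carrying the learned session ID tears the session down.
            if pkt["src"] == self.peer and pkt["session_id"] == self.session_id:
                self.peer, self.session_id, self.state = None, 0, "IDLE"
        return None


def run_discovery(client_mac=b"\x00\x11\x22\x33\x44\x55", ac_mac=b"\x00\xaa\xbb\xcc\xdd\xee",
                  session_id=0x1234):
    """Drive one client through PADI/PADO/PADR/PADS with a scripted access concentrator (constructed)."""
    client = PppoeClient(client_mac)
    padi = parse_frame(client.start())
    uniq = dict(padi["tags"])[TAG_HOST_UNIQ]
    pado = build_frame(client_mac, ac_mac, CODE_PADO, 0,
                       [(TAG_AC_NAME, b"ac-demo"), (TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, uniq)])
    padr = client.handle(pado)                               # client answers the offer with a PADR
    pads = build_frame(client_mac, ac_mac, CODE_PADS, parse_frame(padr)["session_id"] or session_id,
                       [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, uniq)])
    client.handle(pads)
    return client
```

The check in the PADT branch is the defensive point worth noticing: the page states that a PPPoE termination packet ends both sessions immediately, so a client that accepted a PADT from any source MAC or any session ID could be knocked offline by a single forged frame on the access segment; matching both learned values is the minimum a PPPoE client should do.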

Related Configuration

Configuring the Ethernet Interface

By default, the following functions are disabled and there is no corresponding default value.

Run the pppoe enable command to enable the PPPoE client function on the interface.

Run the no pppoe enable command to disable the PPPoE client function on the interface.

Run the pppoe-client dial-pool-number pool-number no-ddr command to bind the Ethernet interface to a specific
logical dialer pool. The logical dialer pool provides automatic dialing and is always online.

Run the no pppoe-client dial-pool-number pool-number command to unbind the Ethernet interface from the specific
logical dialer pool.

Run the pppoe session mac-address H.H.H command to configure the MAC address of the PPPoE session.

Configuring the Logical Interface

By default, the following functions are disabled.

Run the interface dialer dialer-number command to add a specific logical interface and enter the configuration mode of
the logical interface.

Run the no interface dialer dialer-number command to delete the specific logical interface.

Run the ip address negotiate command to configure negotiation-based IP address acquisition.

Run the no ip address negotiate command to remove the configuration of negotiation-based IP address acquisition.

Run the dialer pool number command to associate a dialer pool, which corresponds to the dialer pool configured on the
Ethernet interface.

Run the no dialer pool number command to remove the association with the dialer pool.

Run the encapsulation ppp command to configure the encapsulation protocol PPP. PPPoE is established on the basis of
PPP.

Run the no encapsulation command to remove the encapsulation protocol configuration.

Run the mtu 1488 command to set the Maximum Transmit Unit (MTU) to 1488.

Run the no mtu command to remove the MTU configuration.

Run the dialer-group dialer-group-number command to associate a dialer triggering rule, which corresponds to the
dialer-list.

Run the no dialer-group command to remove the configuration of the dialer triggering rule.

Run the ppp chap hostname username command to configure the user name for CHAP authentication.

Run the no ppp chap hostname command to remove the user name configuration for CHAP authentication.

Run the ppp chap password password command to configure the password for CHAP authentication.

Run the no ppp chap password command to remove the password configuration for CHAP authentication.

Run the ppp pap sent-username username password password command to configure the user name and password
for PAP authentication.

Run the no ppp pap sent-username command to remove the user name and password configuration for PAP
authentication.

Configuring Mandatory Global Parameters

By default, the following functions are disabled and shall be configured according to actual requirements. If other
functional modules need to be used together, you also need to configure other global parameters.

Run the dialer-list number protocol protocol-name ip{ permit | deny | list access-list-number } command to define a
dialer triggering rule.

Run the no dialer-list number command to delete the configured dialer triggering rule.

Run the ip route 0.0.0.0 0.0.0.0 dialer dialer-number [ permanent ] command to configure a route. If you specify the
permanent option, the route remains valid even while the logical interface is down during its enable-timeout period.

Run the no ip route 0.0.0.0 0.0.0.0 dialer dialer-number command to remove the route.

Configuration

Configuration: Configuring Basic Functions of the PPPoE Client (mandatory configuration)

Command                                                  Description
pppoe enable                                             Enables the PPPoE client function.
pppoe-client dial-pool-number number no-ddr              Binds a logical dialer pool and specifies the dialing mode.
pppoe session mac-address H.H.H                          Configures the MAC address of the PPPoE session.
interface dialer dialer-number                           Adds a specific logical interface and enters the configuration
                                                         mode of the logical interface.
ip address { negotiate | ip-addr subnet-mask }           Configures the IP address acquisition mode.
dialer pool number                                       Associates a dialer pool.
encapsulation ppp                                        Configures the encapsulation protocol PPP.
mtu 1488                                                 Sets the MTU to 1488.
dialer-group dialer-group-number                         Associates a dialer triggering rule.
ppp chap hostname username                               Configures the user name for CHAP authentication.
ppp chap password password                               Configures the password for CHAP authentication.
ppp pap sent-username username password password         Configures the user name and password for PAP authentication.
dialer-list number protocol protocol-name                Defines a dialer triggering rule.
ip { permit | deny | list access-list-number }

Configuring Basic Functions of the PPPoE Client

Networking Requirements

 The device initiates PPPoE negotiation, and completes the negotiation process, protocol keepalive, and protocol
termination.

 The device obtains Internet access capability after the negotiation is complete, and starts to forward a data flow
which is routed to the dialer interface.

Notes

 After the kernel module is uninstalled, users can still perform configuration management but negotiation and data
flow forwarding cannot be performed.

Configuration Steps

Enabling the PPPoE Client Function

 The configuration is mandatory.

 Perform this configuration in Ethernet interface configuration mode.

 Enable the PPPoE client function.

Binding a Logical Dialer Pool and Specifying the Dialing Mode

 The configuration is mandatory.

 Perform this configuration in Ethernet interface configuration mode.

 Bind the Ethernet interface to a specific logical dialer pool and specify the dialer mode.

Configuring the MAC Address of the PPPoE Session

 The configuration is mandatory.

 Perform this configuration in Ethernet interface configuration mode.

 Specify the MAC address of the PPPoE session for subinterface dialing.

Adding a Specific Logical Interface and Entering the Configuration Mode of the Logical Interface

 The configuration is mandatory.

 Perform this configuration in global configuration mode.

 Add a specific logical interface and enter its configuration mode.

Configuring the Way of Acquiring the IP Address of the Logical Interface

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Configure the way of acquiring the IP address of the logical interface.

Associating a Dialer Pool

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Associate the logical interface with a specific dialer pool.

Configuring the Encapsulation Protocol

 The configuration is mandatory.



 Perform this configuration in logical interface configuration mode.

 Configure the encapsulation protocol PPP on the logical interface.

Configuring the MTU of the Logical Interface

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Set the MTU of the logical interface to 1488.

Associating a Dialer Triggering Rule

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Associate a dialer triggering rule.

Configuring the User Name for CHAP Authentication

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Configure the user name for CHAP authentication.

Configuring the Password for CHAP Authentication

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Configure the password for CHAP authentication.

Configuring the User Name and Password for PAP Authentication

 The configuration is mandatory.

 Perform this configuration in logical interface configuration mode.

 Configure the user name and password for PAP authentication.

Defining a Dialer Triggering Rule

 The configuration is mandatory.

 Perform this configuration in global configuration mode.

 Define a dialer triggering rule.

Verification

 Check whether the dialer interface has acquired an IP address.

 Check whether a correct dialer interface route entry has been established on the device.

Related Commands

Enabling the PPPoE Client Function

Command Syntax          pppoe enable
Parameter Description   N/A
Command Mode            Interface configuration mode
Configuration Usage     The interface on which the PPPoE client will be enabled must be a WAN Ethernet interface.

Binding a Logical Dialer Pool and Specifying the Dialing Mode

Command Syntax          pppoe-client dial-pool-number number no-ddr
Parameter Description   number: number of the dialer pool
Command Mode            Interface configuration mode
Configuration Usage     The PPPoE client function must be enabled on the interface first.

Configuring the MAC Address of the PPPoE Session

Command Syntax          pppoe session mac-address H.H.H
Parameter Description   H.H.H: MAC address
Command Mode            Interface configuration mode
Configuration Usage     The PPPoE client function must be enabled on the subinterface first.

Adding a Specific Logical Interface and Entering its Configuration Mode

Command Syntax          interface dialer dialer-number
Parameter Description   dialer-number: interface number
Command Mode            Global configuration mode
Configuration Usage     N/A

Configuring the Way of Acquiring the IP Address of the Logical Interface

Command Syntax          ip address { negotiate | ip-addr subnet-mask }
Parameter Description   ip-addr: manually configured IP address
                        subnet-mask: manually configured subnet mask
Command Mode            Interface configuration mode
Configuration Usage     If you select negotiate, the IP address of the dialer interface will be acquired through negotiation.
                        If you manually specify the IP address of the dialer interface, the peer's consent is required during
                        negotiation for the device to work properly.

Associating a Dialer Pool

Command Syntax          dialer pool number
Parameter Description   number: number of the dialer pool
Command Mode            Interface configuration mode
Configuration Usage     An Ethernet interface will be selected from the dialer pool as the dialer interface to perform dialing.

Configuring the Encapsulation Protocol

Command Syntax          encapsulation ppp
Parameter Description   N/A
Command Mode            Interface configuration mode
Configuration Usage     N/A

Configuring the MTU of the Logical Interface

Command Syntax          mtu 1488
Parameter Description   N/A
Command Mode            Interface configuration mode
Configuration Usage     Because Internet access is implemented through the PPPoE protocol, the L2 header of a packet is
                        longer than that of a common Ethernet packet.

Associating a Dialer Triggering Rule

Command Syntax          dialer-group dialer-group-number
Parameter Description   dialer-group-number: number of the dialer triggering rule
Command Mode            Interface configuration mode
Configuration Usage     If the DDR mode is specified, the device will be triggered to perform dialing only when a packet
                        meeting the rule is routed to the dialer interface.
                        If the no-DDR mode is specified, the configuration will not take effect on the device.

Configuring the User Name for CHAP Authentication


Command Syntax          ppp chap hostname username
Parameter Description   username: user name
Command Mode            Interface configuration mode
Configuration Usage     N/A

Configuring the Password for CHAP Authentication

Command Syntax          ppp chap password password
Parameter Description   password: password
Command Mode            Interface configuration mode
Configuration Usage     N/A

Configuring the User Name and Password for PAP Authentication

Command Syntax          ppp pap sent-username username password password
Parameter Description   username: user name
                        password: password
Command Mode            Interface configuration mode
Configuration Usage     N/A

Defining a Dialer Triggering Rule

Command Syntax          dialer-list number protocol protocol-name ip { permit | deny | list access-list-number }
Parameter Description   protocol-name: protocol name
                        access-list-number: ACL number
Command Mode            Global configuration mode
Configuration Usage     N/A

Configuration Example

The following configuration example describes configuration related to the PPPoE client only.

Scenario
In the ADSL scenario, enable the PPPoE client function and access the Internet through an ADSL line.

Figure 0-2

Configuration Steps
 Enable the PPPoE client function on the device, and add the interface Gi0/5 to the dialer pool.

A
A# configure terminal
A(config)# interface GigabitEthernet 0/5
A(config-if)# pppoe enable
A(config-if)# pppoe-client dial-pool-number 1 no-ddr
A(config-if)# exit
A(config)# interface dialer 1
A(config-if)# ip address negotiate
A(config-if)# mtu 1488
A(config-if)# encapsulation ppp
A(config-if)# ip nat outside
A(config-if)# dialer pool 1
A(config-if)# dialer-group 1
A(config-if)# ppp chap hostname pppoe
A(config-if)# ppp chap password pppoe
A(config-if)# ppp pap sent-username pppoe password pppoe
A(config-if)# exit
A(config)# access-list 1 permit any
A(config)# dialer-list 1 protocol ip permit
A(config)# ip nat inside source list 1 interface dialer 1
A(config)# ip route 0.0.0.0 0.0.0.0 dialer 1
A(config)# end
A#

Verification
Run the show ip interface brief | in dialer 1 command to check whether the dialer interface has acquired an IP address.
Run the show ip route command to check whether a correct dialer interface route entry has been established.

A# show ip interface brief | in dialer 1
dialer 1 49.1.1.127/32 YES UP
A# show ip route

Codes: C - connected, S - static, R - RIP, B - BGP


O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default

Gateway of last resort is 0.0.0.0 to network 0.0.0.0


S* 0.0.0.0/0 is directly connected, dialer 1
C 10.10.3.0/24 is directly connected, GigabitEthernet 0/0
C 10.10.3.1/32 is local host.
C 10.202.172.1/32 is directly connected, dialer 1
C 49.1.1.127/32 is local host.

Common Errors

 The negotiation fails because the user name or password is incorrect.

 Intranet hosts cannot access the Internet because NAT configuration is incorrect.

 Intranet hosts cannot access the Internet because route configuration is incorrect.

Monitoring

Clearing Various Information

If you run the clear pppoe tunnel command while the device is operating, packet forwarding will be
interrupted due to tunnel clearance.

Function                                             Command
Clears statistics about the DDR dialer interface.   clear dialer [ interface-type interface-number ]
Clears the tunnel.                                   clear pppoe tunnel

Displaying the Running Status

Function                                     Command
Displays information about the DDR dialer.   show dialer [ interface type number ] [ maps ] [ pools ]
Displays PPPoE status information.           show pppoe { ref | session | tunnel }

Displaying Debugging Information

System resources are occupied when debugging information is output. Therefore, disable the debugging
switch immediately after use.

Command                                                            Function
debug dialer { pkt | mlp | callback | event }                      Enables the DDR debugging switch.
debug ppp [ authentication | error | event | negotiation | packet ]   Enables the PPP negotiation debugging switch.
debug pppoe [ datas | errors | events | packets ]                  Enables the PPPoE negotiation debugging switch.
RG-WLAN Series Access Point RGOS Configuration Guide,
Release 11.1(5)B6
IP Address & Application Configuration

1. Configuring IP Address and Service

2. Configuring ARP

3. Configuring IPv6

4. Configuring DHCP

5. Configuring DHCPv6

6. Configuring DNS

7. Configuring Network Connectivity Test Tools

8. Configuring TCP

9. Configuring IPv4/IPv6 REF

10. Configuring NAT


Configuration Guide Configuring IP Address and Service

Configuring IP Address and Service

IP Address Configuration

IP Address Overview
An IP address is made up of 32 binary bits and, for convenience of writing and description, is expressed in dotted
decimal format. In dotted decimal format, the 32 bits are broken into four octets (1 octet equals 8 bits); the octets are
separated by periods (dots), and each octet is in the range from 0 to 255. For example, 192.168.1.1 is an IP address in
dotted decimal format.

An IP address is the address that the IP protocol uses to identify and reach hosts. A 32-bit IP address consists of two
parts: the network address and the local address. According to the first several bits of the network address, IP addresses
are divided into four categories.

Class A: Total of 128 class-A IP addresses. The highest bit is 0, followed by seven bits identifying the Network ID, and
the remaining 24 bits identify the Host ID.

    bit 0 1                  8                  16                  24                  32
    Class A IP address | 0 | Network ID (7 bits) |               Host ID (24 bits)               |

Class B: Total of 16,384 class B IP addresses. The highest two bits are 10, followed by 14 bits identifying the Network ID,
and the remaining 16 bits identify the Host ID.

    bit 0 1 2                8                  16                  24                  32
    Class B IP address | 1 | 0 | Network ID (14 bits)  |           Host ID (16 bits)           |

Class C: Total of 2,097,152 class C IP addresses. The highest three bits are 110, followed by 21 bits identifying the
Network ID, and the remaining eight bits identify the Host ID.

    bit 0 1 2 3              8                  16                  24                  32
    Class C IP address | 1 | 1 | 0 |        Network ID (21 bits)         |   Host ID (8 bits)  |

Class D: The highest four bits are 1110, and the remaining bits form the multicast address.

    bit 0 1 2 3 4            8                  16                  24                  32
    Class D IP address | 1 | 1 | 1 | 0 |             Multicast address (28 bits)             |

An IP address whose highest four bits are 1111 is prohibited. This type of IP address, also called Class E IP
address, is reserved.

When you build a network, you should plan IP addressing according to the real network environment. To connect the
network to the Internet, you need to apply for IP addresses from a central authority, for example, the China Internet
Network Information Center (CNNIC) in China. The Internet Corporation for Assigned Names and Numbers (ICANN) is
responsible for IP address allocation. A private network, however, does not require an application for IP addresses; it is
recommended to assign private IP addresses to such networks.

The following table lists those reserved and available addresses by class.

Class       Address Range                        Status
Class A     0.0.0.0                              Reserved
            1.0.0.0 to 126.0.0.0                 Available
            127.0.0.0                            Reserved
Class B     128.0.0.0 to 191.254.0.0             Available
            191.255.0.0                          Reserved
Class C     192.0.0.0                            Reserved
            192.0.1.0 to 223.255.254.0           Available
            223.255.255.0                        Reserved
Class D     224.0.0.0 to 239.255.255.255         Available
Class E     240.0.0.0 to 255.255.255.254         Reserved
            255.255.255.255                      Multicast

There are three blocks of IP addresses reserved for private networks that are not used in the Internet. Address translation
is required for a private network using one of these IP addresses to access the Internet. The following table details these
addresses, which are defined in RFC 1918.

Class       IP Address Range                     Network Numbers
Class A     10.0.0.0 to 10.255.255.255           1
Class B     172.16.0.0 to 172.31.255.255         16
Class C     192.168.0.0 to 192.168.255.255       256

For the information on the assignment of IP address, TCP/UDP port and other codes, please refer to RFC 1166.

 The IPv4 functions of Ping and Traceroute are not supported on AP110-W.

IP Address Configuration Task List


The IP address configuration task list includes the following tasks; only the first one is required, and the others are
optional depending on your network requirements.

 Assigning IP Addresses to Network Interfaces (Required)
 Configuring IP Address for Bridge Virtual Interface (BVI) of Specified AP
 Disabling IP Routing (Optional)
 Handling Broadcast Packets (Optional)
 Configuring IP Address Through PPP Negotiation
 Configuring IP Address for Peer End through PPP Negotiation
 Enabling IP Address Pool

Assigning IP Addresses to Network Interfaces

Only a host configured with an IP address can receive and send IP packets. If an interface is configured with an IP
address, the interface supports running the IP protocol.

To assign an IP address to an interface, execute the following commands in the interface configuration mode:

Command Function
Ruijie(config-if)# ip address ip-address mask Assign an IP address for the interface.
Ruijie(config-if)# no ip address Remove the IP address configuration for the interface.

A 32-bit mask identifies the network part of an IP address. In a mask, an IP address bit corresponding to 1 represents the
network ID and an IP address bit corresponding to 0 represents the host ID. For example, the mask corresponding to a Class
A IP address is 255.0.0.0. You can partition a network into multiple segments with a mask. The goal of network partition is
to use some bits of the host address of an IP address as network address bits, reducing the number of hosts per network
and increasing the number of networks. In this case, the mask is called a subnet mask.

Theoretically, any bit of the host address of an IP address can be used as the subnet mask. Ruijie product
only supports continuous subnet masks from left to right starting from the network ID.
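The classful layout above, the RFC 1918 private blocks, and the note that only contiguous (left-to-right) subnet masks are accepted can all be checked mechanically. The following is an added example for this guide, not Ruijie code: it classifies an IPv4 address by its leading bits, tests for RFC 1918 membership, rejects a non-contiguous mask with the same rule the note states, and derives the network, broadcast and usable host count for a given mask. The sample addresses are constructed; `describe` and the other names are this example's own.

```python
import ipaddress

# RFC 1918 private blocks as listed in the table above.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Default (classful) masks; classes D and E have no network/host split.
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def address_class(ip):
    """Classify by the leading bits of the first octet: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet >> 7 == 0b0:
        return "A"
    if first_octet >> 6 == 0b10:
        return "B"
    if first_octet >> 5 == 0b110:
        return "C"
    if first_octet >> 4 == 0b1110:
        return "D"
    return "E"


def is_private(ip):
    """True when the address falls in one of the three RFC 1918 blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in block for block in PRIVATE_BLOCKS)


def is_contiguous_mask(mask):
    """True when the mask is a run of 1s followed only by 0s (the only form the note above allows).

    The bitwise complement of such a mask is 2**k - 1, which has no bit in common with itself plus one.
    """
    inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def describe(ip, mask=None):
    """Return class, privacy and (for A/B/C) the subnet the address lives in under the given or default mask."""
    cls = address_class(ip)
    mask = mask or CLASSFUL_MASKS.get(cls)
    if mask is None:                      # class D/E: no host part to subnet
        return {"class": cls, "private": is_private(ip), "mask": None}
    if not is_contiguous_mask(mask):
        raise ValueError(f"non-contiguous mask {mask} is not supported")
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return {
        "class": cls,
        "private": is_private(ip),
        "mask": mask,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),   # network and broadcast addresses excluded
    }
```

The mask test is the part worth keeping at hand: a mask such as 255.0.255.0 is a legal 32-bit value, so a configuration tool that does not apply this check will happily store a subnet the device cannot route.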

The interface-related IP address configuration task list includes the following task, which is optional depending on your
network requirements.

 Assigning multiple IP addresses to an interface

Assigning multiple IP addresses to an interface

Ruijie product supports assigning multiple IP addresses to an interface, with one being the primary IP address and the
others being secondary addresses. Theoretically, you can configure as many secondary addresses as you like. A
secondary IP address can reside in the same network as the primary IP address or in a different one. Secondary IP
addresses are used frequently when building a network, for example, in the following cases:

 There may not be enough host addresses for a network. For example, a LAN requires a Class C IP address to support
up to 254 hosts. However, when there are more than 254 hosts in the LAN, another Class C IP address is necessary.
Therefore, a host needs to connect to two networks and thus needs to be configured with multiple IP addresses.
 Many older networks were built based on layer 2 bridges without partition. The use of secondary IP addresses
makes them easy to upgrade to IP-based routing networks. An IP address is assigned for every device in a subnet.
 Two subnets of a network might otherwise be separated by another network. By assigning secondary IP addresses,
you can connect the two separated subnets together. One subnet cannot appear on two or more interfaces of a device.

Before configuring secondary IP addresses, you need to confirm that the primary IP address has been
configured. All the devices in a network should have the same secondary IP address. If you assign a
secondary IP address to a device but do not assign IP addresses for other devices, you can set it to the
primary IP address for them.

To assign a secondary IP address to an interface, execute the following command in the interface configuration mode:

Command                                                        Function
Ruijie(config-if)# ip address ip-address mask secondary        Assign a secondary IP address to the interface.
Ruijie(config-if)# no ip address ip-address mask secondary     Remove the secondary IP address configuration for the
                                                               interface.

Configuring management IP and gateway

Ruijie layer-2 switches allow you to configure the management IP address and the gateway in the same command.
Generally, layer-2 switches provide the gateway command to configure a default gateway. Sometimes a layer-2 switch is
managed remotely via telnet, and both its management IP address and its default gateway must be modified. In such a
case, configuring either the IP address or the gateway alone prevents you from entering the other command, because the
configuration has changed and the device can no longer be reached over the network. Therefore, the gateway keyword of
the ip address command is used to modify the management IP address and the default gateway together.

This command is only supported on layer-2 devices.

To configure management IP and gateway at the same time, execute the following commands in interface configuration
mode:

Command                                                             Function
Ruijie(config-if)# ip address ip-address mask gateway ip-address    Configure management IP and gateway.
Ruijie(config-if)# no ip address ip-address mask gateway            Remove management IP and gateway configuration.

Disabling IP Routing

The IP routing feature is enabled by default. Do not execute this command unless you are sure that IP routing is not
needed. Disabling IP routing makes the equipment lose all its routes and the route forwarding function.

To disable IP routing, execute the following commands in the global configuration mode:

Command Function
Ruijie(config)# no ip routing Disable IP routing.
Ruijie(config)# ip routing Enable IP routing

The switch checks the IP checksum of packets to be routed. If the IP checksum is wrong, the packet is not routed:
unicast packets are discarded directly, and multicast packets are forwarded only on Layer 2.

Handling Broadcast Packets

A broadcast packet is destined for all hosts in a physical network. Ruijie product supports two kinds of broadcast packets:
directed broadcast and flooding. A directed broadcast packet is sent to all hosts in a specific network; its destination
address has the host ID bits all set to 1. A flooding broadcast packet is sent to all hosts and has a destination address
with all bits set to 1. Broadcast packets are heavily used by some protocols, including the Internet protocol. Therefore,
managing and controlling broadcast packets is a basic responsibility of a network administrator.

Forwarding flooding broadcast packets may overburden the network and thus affect network operation. This is known as
a broadcast storm. There are ways to suppress and restrict broadcast storms in the local network. However, layer 2
network devices such as bridges and switches forward and propagate broadcast storms.

The best solution to solve the broadcast storm problem is to specify a broadcast address for each network, that is,
directed broadcast. This requires the IP protocol to use directed broadcast instead of flooding broadcast if possible.

For detailed description about broadcast, refer to RFC 919 and RFC 922.

To handle broadcast packets, perform the following tasks according to the network requirement.

 Enabling Directed Broadcast-to-Physical Broadcast Translation


 Establishing an IP Broadcast Address

Enabling Directed Broadcast-to-Physical Broadcast Translation

A directed broadcast IP packet is the one destined to the broadcast address of an IP subnet. For instance, the packet
destined to 172.16.16.255 is a directed broadcast packet. However, the node that generates this packet is not a member
of the destination subnet.

Upon the receipt of directed broadcast IP packets, the device indirectly connecting the destination subnet will forward the
packets in the same way as forwarding unicast packets. After the directed broadcast IP packets arrive the device directly
connecting the subnet, the device transforms them into flooding broadcast IP packets (whose destination address is all 1s
in general), and then send them to all the hosts within the subnet by means of broadcast on the link layer.

Enabling directed broadcast to physical broadcast translation on an interface allows the interface to forward directed
broadcast IP packets to the directly connected network. This command only affects the transmission of directed
broadcast IP packets to the final destination subnet, not other directed broadcasts.

You can forward directed broadcast IP packets on an interface as required by defining ACLs. Only those IP packets
matching the ACLs are translated from directed broadcasts to physical broadcasts.

To configure the directed broadcast-to-physical broadcast translation, execute the following command in the interface
configuration mode:

Command                                                          Function
Ruijie(config-if)# ip directed-broadcast [access-list-number]    Enable directed broadcast to physical broadcast
                                                                 translation on the interface.
Ruijie(config-if)# no ip directed-broadcast                      Restore the default setting.
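The forwarding decision described above has three outcomes for a packet that reaches the last hop: routed like unicast (not the broadcast address of a connected subnet), translated to a link-layer broadcast (translation enabled and, if an ACL is given, matched), or dropped. The following is an added model of that decision, written for this guide and not taken from RGOS, with a constructed two-interface topology; `Interface`, `handle_packet` and the ACL callable are this example's own names, and 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges used as outside sources.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network                       # directly connected subnet
    directed_broadcast: bool = False                     # "ip directed-broadcast" present? (off by default)
    acl: Optional[Callable[[str, str], bool]] = None     # optional [access-list-number] filter: (src, dst) -> permit


def handle_packet(src, dst, interfaces):
    """Return (action, reason) for an IPv4 packet arriving at a device with the given connected interfaces."""
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        return "local-flood", "limited broadcast stays on the local link and is never routed"
    for itf in interfaces:
        # /31 and /32 networks have no broadcast address; ipaddress would report the host address itself.
        if itf.network.prefixlen >= 31 or d != itf.network.broadcast_address:
            continue
        # We are the last hop: this is a directed broadcast for a directly connected subnet.
        if not itf.directed_broadcast:
            return "drop", f"{itf.name}: directed broadcast translation disabled (default)"
        if itf.acl is not None and not itf.acl(src, dst):
            return "drop", f"{itf.name}: packet does not match the directed-broadcast ACL"
        return "physical-broadcast", f"{itf.name}: translated to link-layer broadcast on {itf.network}"
    return "route-unicast", "not the broadcast address of a connected subnet; forwarded like unicast"


def demo_interfaces():
    """Constructed topology: one subnet left at the default, one opened only for a trusted inside source."""
    def trusted_only(src, dst):
        return ipaddress.IPv4Address(src) in ipaddress.ip_network("10.10.3.0/24")

    return [
        Interface("GigabitEthernet 0/0", ipaddress.ip_network("10.10.3.0/24")),
        Interface("GigabitEthernet 0/1", ipaddress.ip_network("172.16.16.0/24"), True, trusted_only),
    ]
```

Two things the model makes visible: the default (translation off) means a directed broadcast from anywhere is dropped at the last hop, which is the setting to keep on Internet-facing subnets, and when translation is needed the ACL argument is what restricts it to the sources that have a reason to reach every host on the segment.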

Establishing an IP Broadcast Address

Currently, the most common broadcast address is the destination address consisting of all 1s (255.255.255.255). Ruijie
product can be configured to generate any form of IP broadcast address and to receive any form of IP broadcast packet.

To set a broadcast IP address other than 255.255.255.255, execute the following command in the interface configuration
mode:

Command Function
Ruijie(config-if)# ip broadcast-address ip-address Create a broadcast address.
Ruijie(config-if)# no ip broadcast-address Remove the configuration.

Setting ICMP Error Packet Transmission Rate

Setting ICMP Destination Unreachable Packet Transmission Rate

The default rate is 10 packets per 100 milliseconds.

Command                                                      Function
ip icmp error-interval DF milliseconds [ bucket-size ]       Sets the rate to send the ICMP destination unreachable
                                                             packets triggered by DF in the IP header, in global
                                                             configuration mode.
                                                             milliseconds: The refresh period of the token bucket, in the
                                                             range from 0 to 2147483647, in milliseconds. 0 indicates no
                                                             limit on the rate to send ICMP error packets. The default
                                                             is 100.
                                                             bucket-size: The number of tokens in the bucket, in the
                                                             range from 1 to 200. The default is 10.
no ip icmp error-interval DF milliseconds [ bucket-size ]    Restores the default setting.

To prevent DoS attack, the token bucket algorithm is adopted to limit the rate to send ICMP error packets.

If IP packets need to be fragmented while the DF is set to 1, the device sends ICMP destination unreachable packets
numbered 4 to the source IP address for path MTU discovery. Rate limits on ICMP destination unreachable packets and
other error packets are needed to prevent path MTU discovery failure.

It is recommended to set the refresh period to an integral multiple of 10 milliseconds. If the refresh period is not an integral
multiple of 10 milliseconds, it is adjusted automatically. For example, 1 per 5 milliseconds is adjusted to 2 per 10
milliseconds; 3 per 15 milliseconds is adjusted to 2 per 10 milliseconds.

The following example sets the rate to send the ICMP destination unreachable packets triggered by DF in the IP header to
100 per second.

Ruijie(config)# ip icmp error-interval DF 1000 100

Setting Other ICMP Error Packet Transmission Rate

The default rate is 10 packets per 100 milliseconds.

Command                                                      Function
ip icmp error-interval milliseconds [ bucket-size ]          Sets the rate to send other ICMP error packets, in global
                                                             configuration mode.
                                                             milliseconds: The refresh period of the token bucket, in the
                                                             range from 0 to 2147483647, in milliseconds. 0 indicates no
                                                             limit on the rate to send ICMP error packets. The default
                                                             is 100.
                                                             bucket-size: The number of tokens in the bucket, in the
                                                             range from 1 to 200. The default is 10.
no ip icmp error-interval milliseconds [ bucket-size ]       Restores the default setting.

This command governs every ICMP error type other than the DF-triggered destination unreachable messages, which have
their own bucket (see the previous section). The same token bucket algorithm and the same automatic adjustment of the
refresh period to an integral multiple of 10 milliseconds apply.

The following example sets the rate to send other ICMP error packets to 10 per second.
Ruijie(config)# ip icmp error-interval 1000 10
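The token bucket behaviour described for both ip icmp error-interval commands (DF-triggered and other errors), modelled in Python as an added example; this is not RGOS or Ruijie code. Two assumptions are labelled in the comments: the bucket is refilled to bucket-size once per refresh period, and a period that is not a multiple of 10 ms is rounded down to the nearest multiple (minimum 10 ms) with the token count rescaled to keep the configured rate, a rule chosen because it reproduces both adjustments quoted above (1/5 ms and 3/15 ms both become 2/10 ms). The real device may round differently.

```python
"""Token bucket model of RGOS 'ip icmp error-interval [DF] milliseconds [bucket-size]'.
Added illustration, not RGOS code."""
from __future__ import annotations

from dataclasses import dataclass, field

PERIOD_MAX = 2147483647   # upper bound of the milliseconds argument
BUCKET_MAX = 200          # upper bound of the bucket-size argument


def adjust_to_10ms(period_ms: int, bucket_size: int) -> tuple[int, int]:
    """Return (period, tokens) after the 10 ms alignment. 0 (unlimited) is left alone."""
    if not 0 <= period_ms <= PERIOD_MAX:
        raise ValueError("milliseconds out of range 0..2147483647")
    if not 1 <= bucket_size <= BUCKET_MAX:
        raise ValueError("bucket-size out of range 1..200")
    if period_ms == 0 or period_ms % 10 == 0:
        return period_ms, bucket_size
    aligned = max(10, (period_ms // 10) * 10)          # assumption: round down, floor of 10 ms
    tokens = round(bucket_size * aligned / period_ms)   # keep tokens-per-millisecond constant
    return aligned, max(1, min(BUCKET_MAX, tokens))


@dataclass
class IcmpErrorLimiter:
    """One bucket. RGOS keeps two: one for DF-triggered unreachables, one for other errors."""
    period_ms: int = 100
    bucket_size: int = 10
    tokens: int = field(init=False)
    period_start_ms: int = field(init=False, default=0)
    sent: int = field(init=False, default=0)
    dropped: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.period_ms, self.bucket_size = adjust_to_10ms(self.period_ms, self.bucket_size)
        self.tokens = self.bucket_size

    def allow(self, now_ms: int) -> bool:
        """Decide whether an ICMP error message may be sent at time now_ms."""
        if self.period_ms == 0:            # 0 means no rate limit at all
            self.sent += 1
            return True
        elapsed = now_ms - self.period_start_ms
        if elapsed >= self.period_ms:      # assumption: a new refresh period refills the bucket
            self.tokens = self.bucket_size
            self.period_start_ms = now_ms - (elapsed % self.period_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.dropped += 1                  # bucket empty: the error message is suppressed
        return False


def simulate(period_ms: int, bucket_size: int, event_times_ms: list[int]) -> tuple[int, int]:
    """Feed a burst of packets that each need an ICMP error; return (sent, dropped)."""
    lim = IcmpErrorLimiter(period_ms, bucket_size)
    for t in event_times_ms:
        lim.allow(t)
    return lim.sent, lim.dropped


if __name__ == "__main__":
    # Constructed input: 300 oversized DF packets arriving one per millisecond.
    burst = list(range(300))
    print("default 10/100 ms :", simulate(100, 10, burst))    # (30, 270)
    print("1000 100 (100/s)  :", simulate(1000, 100, burst))  # (100, 200)
    print("0 = unlimited     :", simulate(0, 10, burst))      # (300, 0)
```

With the default bucket a burst of 300 oversized packets in 300 ms yields only 30 ICMP errors; hosts whose packets fell into the 270 dropped slots must retry before path MTU discovery converges, which is the trade-off the guide warns about.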

Configuring IP Address Through PPP Negotiation

This function is disabled by default.

Command Function
ip address negotiate
    Configures an IP address for the interface through PPP negotiation, in interface configuration mode.
no ip address negotiate
    Restores the default setting.

Only the PPP interfaces of a router support IP address configuration through PPP negotiation. After the interface is
configured with the ip address negotiate command, the peer end must be configured with the peer default ip address
command.

The following example obtains an IP address for the interface through PPP negotiation.
Ruijie(config)# interface dialer 1
Ruijie(config-if-dialer 1)# ip address negotiate

Configuring IP Address for Peer End through PPP Negotiation

No IP address is allocated to the peer end through PPP negotiation by default.

Command Function
peer default ip address { ip-address | pool [ pool-name ] }
    Allocates an IP address to the peer end through PPP negotiation, in interface configuration mode.
    ip-address: The IP address to allocate to the peer end.
    pool-name: (Optional) The name of the address pool to allocate from. If not specified, the pool named default
    is used.
no peer default ip address
    Restores the default setting.

If the local end has an IP address and the peer end does not, the local end can allocate an address to the peer:
configure ip address negotiate on the peer end and peer default ip address on the local end.

This command can be configured only on interfaces whose encapsulation is PPP or SLIP.

The peer default ip address pool command allocates an IP address to the peer end from an address pool created with the
ip local pool command.

The peer default ip address ip-address command assigns a specific IP address to the peer end. This form cannot be
configured on virtual template interfaces or async interfaces.

The following example enables interface dialer 1 to allocate IP address 10.0.0.1 to the peer end.
Ruijie(config)# interface dialer 1
Ruijie(config-if-dialer 1)# peer default ip address 10.0.0.1

Enabling IP Address Pool

This function is enabled by default.

Command Function
ip address-pool local
    Enables the IP address pool function, in global configuration mode.
no ip address-pool local
    Disables this function.

This function is enabled by default. With it enabled, PPP can allocate addresses to peers from the configured IP address
pools. The no ip address-pool local command disables the function and also clears all configured IP address pools, so
the pools must be re-created after the function is re-enabled.

The following example enables the IP address pool function.

Ruijie(config)# ip address-pool local



Creating IP Address Pool

No IP address pool is configured by default.

Command Function
ip local pool pool-name low-ip-address [ high-ip-address ]
    Creates an IP address pool, in global configuration mode.
    pool-name: The address pool name. The default pool is named default.
    low-ip-address: The first IP address in the pool.
    high-ip-address: (Optional) The last IP address in the pool.
no ip local pool pool-name [ low-ip-address [ high-ip-address ] ]
    Restores the default setting.

This command creates one or more IP address pools from which PPP allocates addresses to users.

The following example creates an IP address pool named quark ranging from 172.16.23.0 to 172.16.23.255.

Ruijie(config)# ip local pool quark 172.16.23.0 172.16.23.255

Monitoring and Maintaining IP Address

To monitor and maintain your network, perform the tasks described in the following sections.

 Displaying System and Network Status

Displaying System and Network Status

You can display the contents of the IP routing table, cache, and database. Such information is very helpful in
troubleshooting the network. You can also display information about the reachability of the local network and discover
the path that packets from your device take through the network.

To display system and network status, execute the following commands in privileged EXEC mode:

Command Function
Ruijie# show ip interface [ interface-type interface-number | brief ]
    Display the IP status information of an interface.
Ruijie# show ip route [ network [ mask ] ]
    Show the routing table.
Ruijie# show ip route
    Show the brief information of the routing table.
Ruijie# ping ip-address [ length bytes ] [ ntimes times ] [ timeout seconds ]
    Test network reachability.
Ruijie# show ip raw-socket [ num ]
    Display IPv4 raw sockets.
Ruijie# show ip sockets
    Display all IPv4 sockets.
Ruijie# show ip udp [ local-port num ]
    Display IPv4 UDP sockets.
Ruijie# show ip udp statistic
    Display IPv4 UDP socket statistics.
Ruijie# show ip pool [ pool-name ]
    Display the IP address pool.



IP Address Configuration Examples


This chapter provides some IP address configuration examples as follows:

 Secondary IP Address Configuration Example

Secondary IP Address Configuration Example

Configuration requirements:

Figure 19-1 shows IP address assignment and network device connection.

Secondary IP address configuration example

Configure RIPv1 so that router C learns the route to 172.16.2.0/24 and router D learns the route to 172.16.1.0/24.

Configuration of the Routers:

RIPv1 is a classful protocol: routing updates do not carry subnet masks. The subnets 172.16.1.0/24 and 172.16.2.0/24,
which belong to the same Class B network, are separated by the Class C network 192.168.12.0/24, so router C and router D
normally cannot learn each other's subnet routes: at the class boundary RIPv1 summarizes them to 172.16.0.0. RIPv1
applies the mask of the receiving interface to a received route only when the route and the interface belong to the same
classful network. By configuring routers A and B with a secondary network 172.16.3.0/24 on the 192.168.12.0/24 link, the
two separated subnets are joined by interfaces in the same classful network, and the /24 routes are exchanged intact. The
configuration of routers A and B follows.

Router A:

interface FastEthernet 0/0
 ip address 172.16.3.1 255.255.255.0 secondary
 ip address 192.168.12.1 255.255.255.0
!
interface FastEthernet 0/1
 ip address 172.16.1.1 255.255.255.0
!
router rip
 network 172.16.0.0
 network 192.168.12.0

Router B:

interface FastEthernet 0/0
 ip address 172.16.3.2 255.255.255.0 secondary
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet 0/1
 ip address 172.16.2.1 255.255.255.0
!
router rip
 network 172.16.0.0
 network 192.168.12.0
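To see why the secondary address is what makes this example work, the following added Python example (not RGOS or Ruijie code) models RIPv1's classful behaviour from RFC 1058 in simplified form and replays the advertisement of 172.16.1.0/24 from router A to router B, first with only the 192.168.12.0/24 link addresses and then with the secondary 172.16.3.0/24 addresses added. The two rules in the comments (summarise at the class boundary, infer the mask from the receiving interface only within the same classful network) are the standard RIPv1 rules rather than anything taken from this guide; the function names are mine.

```python
"""Simplified RIPv1 classful model (RFC 1058) for the secondary-address example.
Added illustration, not RGOS code."""
from __future__ import annotations

import ipaddress

IPv4Net = ipaddress.IPv4Network
IPv4If = ipaddress.IPv4Interface


def natural_prefixlen(addr: ipaddress.IPv4Address) -> int:
    """Classful (natural) mask length: class A /8, class B /16, class C /24."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A/B/C unicast address")


def major_network(addr: ipaddress.IPv4Address) -> IPv4Net:
    """The classful network an address belongs to."""
    return ipaddress.ip_network(f"{addr}/{natural_prefixlen(addr)}", strict=False)


def ripv1_advertise(route: IPv4Net, link_addrs: list[IPv4If]) -> ipaddress.IPv4Address:
    """Address (no mask) a RIPv1 speaker puts on the wire for `route` on a link with these addresses.
    Rule: a subnet is advertised as such only into its own classful network; elsewhere it is
    summarised to the major network."""
    same_major = any(major_network(i.ip) == major_network(route.network_address) for i in link_addrs)
    if same_major:
        return route.network_address
    return major_network(route.network_address).network_address


def ripv1_receive(addr: ipaddress.IPv4Address, link_addrs: list[IPv4If]) -> IPv4Net:
    """Route the receiver installs for an update that carries only `addr`.
    Rule: use the receiving interface's mask if `addr` is in that interface's classful
    network, otherwise the natural mask."""
    for i in link_addrs:
        if major_network(i.ip) == major_network(addr):
            return ipaddress.ip_network(f"{addr}/{i.network.prefixlen}", strict=False)
    return major_network(addr)


def secondary_address_example() -> dict[str, IPv4Net]:
    """Router A advertises 172.16.1.0/24 to router B over FastEthernet 0/0, with and without
    the secondary 172.16.3.0/24 addresses from the example above."""
    route = ipaddress.ip_network("172.16.1.0/24")
    a_primary_only = [ipaddress.ip_interface("192.168.12.1/24")]
    b_primary_only = [ipaddress.ip_interface("192.168.12.2/24")]
    a_with_secondary = a_primary_only + [ipaddress.ip_interface("172.16.3.1/24")]
    b_with_secondary = b_primary_only + [ipaddress.ip_interface("172.16.3.2/24")]
    return {
        "without_secondary": ripv1_receive(ripv1_advertise(route, a_primary_only), b_primary_only),
        "with_secondary": ripv1_receive(ripv1_advertise(route, a_with_secondary), b_with_secondary),
    }


if __name__ == "__main__":
    for label, learned in secondary_address_example().items():
        print(f"{label:18s} router B learns {learned}")
```

Without the secondary address router B only learns the summary 172.16.0.0/16, which its own connected 172.16.2.0/24 makes useless for reaching 172.16.1.0/24; with it, the /24 arrives intact and is passed on to router D.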

IP Service Configuration

IP Service Configuration Task List


The IP service configuration includes the following optional tasks. Perform them according to your requirements:

 Configuring the default gateway
 Managing IP connections

Managing IP Connections
The IP protocol stack offers a number of services to control and manage IP connections. Internet Control Message
Protocol (ICMP) provides many of these services. When a network problem occurs, a router or access server sends an
ICMP message to the host or to other routers. For detailed information on ICMP, see RFC 792.

To manage various aspects of IP connections, perform the optional tasks described in the following sections:

 Enabling ICMP Protocol Unreachable Messages
 Enabling ICMP Redirect Messages
 Enabling ICMP Mask Reply Messages
 Setting the IP MTU
 Configuring IP Source Routing

Enabling the ICMP Protocol Unreachable Message

When a router receives a non-broadcast packet destined to itself that uses an IP protocol it cannot handle, it returns
an ICMP protocol unreachable message to the source address. Similarly, if the router cannot forward a packet because it
has no route to the destination address, it sends an ICMP host unreachable message. This feature is enabled by default.

Unreachable messages tell a sender why its traffic failed, which also makes them useful for reconnaissance (probing for
live hosts and filtered protocols). Disabling them on interfaces that face untrusted networks is a common hardening
step; before doing so, check whether the platform also suppresses the fragmentation-needed (code 4) message that path
MTU discovery depends on, because silently dropping oversized DF packets causes connection stalls that are hard to
diagnose.

To enable this service, execute the following command in interface configuration mode:

Command Function
Ruijie(config-if)# ip unreachables
    Enable the ICMP protocol unreachable and host unreachable messages.
Ruijie(config-if)# no ip unreachables
    Disable the ICMP protocol unreachable and host unreachable messages.

Enabling the ICMP Redirect Message

Routes are sometimes less than optimal. For example, the device may be forced to resend a packet through the same
interface on which it was received. When that happens, the device sends an ICMP redirect message to the originator of
the packet, telling it that the gateway to this destination is another device in the same subnet, so that the originator
uses the better path for subsequent packets. This feature is enabled by default.

A host that accepts ICMP redirects lets any device on its subnet alter its routing table, so redirects are commonly
disabled on interfaces facing untrusted hosts, or redirect processing is disabled on the hosts themselves.

To enable the ICMP redirect message, execute the following command in interface configuration mode:

Command Function
Ruijie(config-if)# ip redirects
    Enable the ICMP redirect message. It is enabled by default.
Ruijie(config-if)# no ip redirects
    Disable the ICMP redirect message.

Enabling the ICMP Mask Reply Message

Occasionally, a network device needs to know the subnet mask of a network. To obtain it, the device can send an ICMP
mask request message; the receiving device answers with an ICMP mask reply message. Ruijie devices respond to ICMP mask
request messages. This function is enabled by default.

To enable the ICMP mask reply message, execute the following command in interface configuration mode:

Command Function
Ruijie(config-if)# ip mask-reply
    Enable the ICMP mask reply message.
Ruijie(config-if)# no ip mask-reply
    Restore the default setting.

Setting the IP MTU

Every interface has a default MTU (Maximum Transmission Unit). A packet larger than the MTU must be fragmented before it
is sent; otherwise it cannot be forwarded on the interface.

Ruijie devices allow you to adjust the MTU of an interface. Changing the interface MTU also changes the IP MTU, which is
adjusted automatically to match the new value. Changing the IP MTU, however, has no effect on the interface MTU.

All interfaces attached to the same physical network should use the same MTU for a given protocol.

To set the IP MTU, execute the following command in interface configuration mode:

Command Function
Ruijie(config-if)# ip mtu bytes
    Set the IP MTU in the range from 68 to 1500 bytes.
Ruijie(config-if)# no ip mtu
    Restore the default setting.

Configuring IP Source Routing

Ruijie devices support IP source routing. On receiving an IP packet, the device checks the IP header for the Strict
Source Route, Loose Source Route and Record Route options defined in RFC 791. If IP source routing is enabled, the device
acts on these options; if it is disabled, the device sends an ICMP error message to the source and discards any packet
that carries them. IP source routing is enabled by default.

Source routing lets the sender dictate the path a packet takes, which can be used to bypass address-based filtering and
to reach networks that are not otherwise routable from the sender. Unless it is specifically required, disable it with
no ip source-route.

To enable or disable IP source routing, execute the following command in global configuration mode:

Command Function
Ruijie(config)# ip source-route
    Enable IP source routing.
Ruijie(config)# no ip source-route
    Disable IP source routing.

This function is enabled by default.


Configuration Guide Configuring ARP

Configuring ARP

 Configuring Address Resolution Protocol (ARP) (Optional)

Configuring Address Resolution Protocol (ARP)

Every device in a LAN has two addresses: a local address and a network address. The local address is carried in the
header of data link layer frames; strictly speaking, the correct term is data link layer address, but because it is
handled in the MAC sublayer of the data link layer it is normally called the MAC address, and it identifies an IP device
on the local network. The network address identifies a device on the Internet and indicates the network to which the
device belongs.

To communicate, a device in a LAN must know the 48-bit MAC address of the other device. ARP resolves a MAC address from
an IP address, and Reverse ARP (RARP) resolves an IP address from a MAC address. A MAC address can be resolved in two
ways: ARP and Proxy ARP. For information on ARP, Proxy ARP and RARP, refer to RFC 826, RFC 1027, and RFC 903.

ARP binds an IP address to a MAC address: it resolves the MAC address for an IP address and stores the mapping in the
ARP cache. With the MAC address, the device encapsulates data link layer frames and sends them onto the LAN, in Ethernet
II format by default, although other Ethernet frame formats (for example, SNAP) can also be used.

RARP works on the same principle as ARP but resolves an IP address from a MAC address. It is generally used by diskless
workstations.

Normally, a device works without any special address resolution configuration. Ruijie devices can manage address
resolution through the tasks described in the following sections.

Configuring ARP Statically

ARP provides dynamic IP address to MAC address mapping, so static ARP configuration is not necessary in most cases. A
static entry fixes the mapping for a given IP address, which is useful for protecting critical addresses, such as the
default gateway or servers, against ARP spoofing. Configuring ARP statically also allows the device to respond to ARP
requests from other IP addresses for the configured entry.

To configure static ARP, execute the following command in global configuration mode:

Command Function
Ruijie(config)# arp ip-address mac-address arp-type
    Define a static ARP entry. Only the arpa type is supported for arp-type.
Ruijie(config)# no arp ip-address
    Restore the default setting.

Enabling ARP Learning

This function is enabled by default.

Command Function
arp-learning enable
    Enable ARP learning, in interface configuration mode.
no arp-learning enable
    Disable this function.

Disabling ARP learning is recommended only after the device has learned the dynamic ARP entries it needs and they have
been converted to static entries through the web interface; otherwise, leave the function enabled. If learning is
disabled while dynamic entries still exist, you can convert them to static entries through the web interface, or remove
a specific user's entry with the clear arp-cache command to deny that user access to the Internet; entries that are not
converted age out and are then deleted. Disabling ARP learning also disables the AnyIP function and trusted ARP
detection.

The following example enables ARP learning.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# arp-learning enable

The following example disables ARP learning.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# no arp-learning enable

Setting ARP Encapsulations


So far Ruijie products only support Ethernet II type ARP encapsulations, also known as ARPA keyword.

ARP Timeout Setting

The ARP timeout applies only to dynamically learned IP address to MAC address mappings. The shorter the timeout, the
more accurate the mapping table in the ARP cache is, but the more network bandwidth ARP consumes, so the two must be
weighed against each other. Generally it is not necessary to change the ARP timeout unless there is a special
requirement.

To configure the ARP timeout, execute the following command in interface configuration mode:

Command Function
Ruijie(config-if)# arp timeout seconds
    Configure the ARP timeout in the range from 0 to 2147483 seconds. 0 means that entries are never aged.
Ruijie(config-if)# no arp timeout
    Restore the default setting.

The default is 3600 seconds.

Enabling Egress Gateway Trusted ARP

This function is disabled by default.

Command Function
arp trust-monitor enable
    Enable egress gateway trusted ARP, in interface configuration mode.
no arp trust-monitor enable
    Restore the default setting.

Egress gateway trusted ARP is different from GSN trusted ARP. With this function enabled, the device sends a unicast ARP
request to confirm a mapping before learning it, and installs the entry only after receiving the reply. A received ARP
packet is processed only if it is a reply and the corresponding entry is aged or incomplete; unsolicited (gratuitous)
ARP packets are therefore ignored, which blunts ARP spoofing against the gateway's table. After egress gateway trusted
ARP is enabled, the aging time of ARP entries becomes 60 seconds; after it is disabled, the aging time returns to 3600
seconds.

The following example enables egress gateway trusted ARP.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# arp trust-monitor enable

The following example disables egress gateway trusted ARP.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# no arp trust-monitor enable

Configuring ARP Limit on Interface

The default is 0.

Command Function
arp cache interface-limit limit
    Set the maximum number of ARP entries learned on the interface, in interface configuration mode.
    limit: The maximum number of ARP entries on the interface, static and dynamic included, in the range from 0 to the
    number supported on the interface. 0 indicates that the number is not limited.
no arp cache interface-limit
    Restore the default setting.

This function prevents ARP attacks from filling the table with bogus entries and exhausting resources. limit must be no
smaller than the number of ARP entries already learned on the interface; otherwise, the configuration does not take
effect.

The following example sets the maximum number of ARP entries learned on the interface to 300.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# arp cache interface-limit 300

The following example restores the default setting.

Ruijie(config)# interface gi 0/0
Ruijie(config-if-GigabitEthernet 0/0)# no arp cache interface-limit

Configuring Unresolved ARP Entry Limit

The default is the ARP table size supported by the device.

Command Function
arp unresolve number
    Set the maximum number of unresolved ARP entries, in global configuration mode.
    number: The maximum number of unresolved ARP entries, in the range from 1 to the ARP table size supported by the
    device.
no arp unresolve
    Restore the default setting.

If a large number of unresolved entries accumulate in the ARP cache (for example, because of traffic to addresses that
never answer, such as a scan of the subnet) and do not disappear for some time, use this command to cap the number of
unresolved entries so that they cannot crowd out resolved ones.

The following example sets the maximum number of unresolved entries to 500.
Ruijie(config)# arp unresolve 500
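The ARP table controls described above (static entries, the per-interface limit, the unresolved-entry limit, the timeout and clear arp-cache), modelled in Python as an added example; this is not RGOS or Ruijie code. The ArpCache class and its method names are invented for illustration. The rejection of a limit smaller than the current entry count, the meaning of 0 as unlimited, and the range of arp unresolve follow the text; the rules that a static entry is never overwritten by a learned mapping and that incomplete entries age like dynamic ones are assumptions, marked as such in the comments.

```python
"""Model of the RGOS ARP table controls. Added illustration, not RGOS code:
class and method names are invented; rules marked 'assumption' are not in the guide."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ArpEntry:
    ip: str
    iface: str
    mac: Optional[str] = None   # None: request sent, no reply yet (unresolved / incomplete)
    static: bool = False
    learned_at: float = 0.0


class ArpCache:
    def __init__(self, table_size: int = 1024, timeout_s: int = 3600):
        self.table_size = table_size
        self.timeout_s = timeout_s              # arp timeout; 0 = dynamic entries never age
        self.unresolved_max = table_size        # arp unresolve default: the ARP table size
        self.if_limit: Dict[str, int] = {}      # arp cache interface-limit; 0 or absent = unlimited
        self.entries: Dict[str, ArpEntry] = {}

    def count_on(self, iface: str) -> int:
        return sum(1 for e in self.entries.values() if e.iface == iface)

    def unresolved_count(self) -> int:
        return sum(1 for e in self.entries.values() if e.mac is None)

    def set_interface_limit(self, iface: str, limit: int) -> bool:
        """Returns False (configuration not applied) when limit is below what the interface holds."""
        if limit < 0:
            raise ValueError("limit must be >= 0")
        if limit != 0 and limit < self.count_on(iface):
            return False
        self.if_limit[iface] = limit
        return True

    def set_unresolved_limit(self, number: int) -> None:
        if not 1 <= number <= self.table_size:
            raise ValueError("number must be 1 .. ARP table size")
        self.unresolved_max = number

    def _room_on(self, iface: str) -> bool:
        limit = self.if_limit.get(iface, 0)     # static and dynamic entries both count
        return limit == 0 or self.count_on(iface) < limit

    def add_static(self, ip: str, mac: str, iface: str) -> bool:
        if ip not in self.entries and not self._room_on(iface):
            return False
        self.entries[ip] = ArpEntry(ip, iface, mac, static=True)
        return True

    def request(self, ip: str, iface: str, now: float) -> bool:
        """Outgoing ARP request: creates an incomplete entry if both caps allow it."""
        if ip in self.entries:
            return True
        if not self._room_on(iface) or self.unresolved_count() >= self.unresolved_max:
            return False
        self.entries[ip] = ArpEntry(ip, iface, learned_at=now)
        return True

    def learn(self, ip: str, mac: str, iface: str, now: float) -> bool:
        """Received ARP packet: install or refresh a dynamic mapping."""
        cur = self.entries.get(ip)
        if cur is not None and cur.static:
            return False                        # assumption: a static binding is never overwritten
        if cur is None and not self._room_on(iface):
            return False                        # interface limit reached: entry not created
        self.entries[ip] = ArpEntry(ip, iface, mac, learned_at=now)
        return True

    def expire(self, now: float) -> int:
        """Age out non-static entries older than the timeout (assumption: incomplete ones too)."""
        if self.timeout_s == 0:
            return 0
        stale = [ip for ip, e in self.entries.items()
                 if not e.static and now - e.learned_at >= self.timeout_s]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def clear_dynamic(self, iface: Optional[str] = None, ip: Optional[str] = None) -> int:
        """clear arp-cache [ ip | interface ]: static entries are never touched."""
        victims = [k for k, e in self.entries.items()
                   if not e.static and (iface is None or e.iface == iface) and (ip is None or k == ip)]
        for k in victims:
            del self.entries[k]
        return len(victims)
```

The ordering matters operationally: apply arp cache interface-limit before an interface fills up, because a limit below the current count is silently ignored, and pin the gateway with a static entry before enabling defences that depend on it.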

Monitoring and Maintaining IP Address

To monitor and maintain your network, perform the tasks described in the following sections.

 Clearing Caches and Tables
 Displaying System and Network Status

Clearing Caches and Tables

You can remove all contents of a particular cache, table, or database, including:

 Clearing the ARP cache

Command Function
Ruijie# clear arp-cache [ vrf vrf_name | trusted ] [ ip [ mask ] | interface interface-name ]
    Remove dynamic ARP mapping records from the ARP cache table and clear the IP route cache table.
    trusted: Deletes trusted ARP entries. Dynamic ARP entries are deleted by default.
    vrf vrf_name: Deletes dynamic ARP entries of the specified VRF instance. The default is the public instance.
    ip: Deletes the ARP entry of the specified IP address. If trusted is specified, the trusted ARP entry is deleted;
    otherwise the dynamic ARP entry is deleted, which is the default. Without ip, all dynamic ARP entries are deleted.
    mask: Deletes the ARP entries within the subnet given by ip and mask. If trusted is specified, the trusted ARP
    entries in the subnet are deleted; otherwise the dynamic ARP entries in the subnet are deleted. Without mask, only
    the entry for the specified IP address is deleted.
    interface interface-name: Deletes the dynamic ARP entries on the specified interface. Without it, dynamic ARP
    entries are deleted on all interfaces.

This command can be used to refresh the ARP cache table.

On a device with NFPP (Network Foundation Protection Policy) enabled, by default one ARP packet per MAC/IP address per
second is accepted. If clear arp-cache is run twice within one second, the second ARP reply is filtered by NFPP and the
entry remains unresolved for a short time.

The following example deletes all dynamic ARP mapping records.

Ruijie# clear arp-cache

The following example deletes the dynamic ARP entry for 1.1.1.1.

Ruijie# clear arp-cache 1.1.1.1

The following example deletes the dynamic ARP entries on interface SVI 1.

Ruijie# clear arp-cache interface Vlan 1

Displaying System and Network Status

You can display the contents of the ARP table. Such information is very helpful in troubleshooting the network.

To display system and network status, execute the following commands in privileged EXEC mode:

Command Function
Ruijie# show arp
    Show the ARP table.
Ruijie# show ip arp
    Show the IP ARP table.
Configuration Guide Configuring IPv6

Configuring IPv6

IPv6 Overview

As the Internet grows rapidly and the IPv4 address space is being exhausted, the limitations of IPv4 have become more
obvious, and research into and deployment of the next generation of the Internet Protocol has taken off. The IPng
working group of the IETF defined the IPng protocol specification, referred to as IPv6. Refer to RFC 2460 for details.

Key features of IPv6:

 More Address Space

The address length is extended from the 32 bits of IPv4 to 128 bits, giving 2^128 possible IPv6 addresses. IPv6 uses a
hierarchical addressing model and supports multi-level address assignment, for example from the Internet backbone down
to the internal subnets of an enterprise.

 Simplified Packet Header

The new IPv6 header is designed to minimize overhead: non-critical and optional fields are removed from the base header
and moved into extension headers. Although an IPv6 address is four times the length of an IPv4 address, the IPv6 base
header is only twice the size of the minimum IPv4 header. The IPv6 header is also more efficient to forward: it has no
checksum, and routers do not fragment packets in transit (fragmentation is done only by the originator).

 Efficient Hierarchical Addressing and Routing

IPv6 uses address aggregation and defines a flexible hierarchical addressing and routing structure, in which several
networks at one level are represented by a single network prefix at the next level up. This greatly reduces the number
of entries a router must maintain and lowers routing and storage overhead.

 Simple Management: Plug and Play

A series of auto-discovery and auto-configuration functions, such as Neighbor Discovery, path MTU discovery, Router
Advertisement, Router Solicitation and address auto-configuration, simplify the management and maintenance of network
nodes and provide plug and play operation. IPv6 supports both stateful and stateless address configuration. In IPv4,
the Dynamic Host Configuration Protocol (DHCP) automatically assigns host IP addresses and related settings; IPv6
inherits this service as stateful auto-configuration and adds stateless auto-configuration, in which a host obtains its
link-local address, the address prefix of the local router and other configuration information automatically.

 Security

IPsec is an optional extension to IPv4, whereas it was defined as an integral component of IPv6 for providing security.
IPv6 implements the Authentication Header (AH) and Encapsulating Security Payload (ESP) mechanisms: AH authenticates the
integrity of the data and the source of the IP packet, ensuring that the packet really comes from the node named in the
source address, while ESP encrypts the payload to provide end-to-end confidentiality.

 Better QoS Support

A new field in the IPv6 header defines how a data flow is identified and handled. The Flow Label field identifies a
data flow, allowing users to state QoS requirements for a communication; a router can recognize all packets of a given
flow by this field and give them special treatment on demand.

 New Protocol for Interaction Between Neighbor Nodes

The IPv6 Neighbor Discovery Protocol uses a series of ICMPv6 messages to manage interaction between neighbor nodes
(nodes on the same link). Neighbor Discovery, with its efficient multicast and unicast messages, replaces the
broadcast-based Address Resolution Protocol (ARP) and the ICMPv4 router discovery messages.

 Extensibility

IPv6 is highly extensible: new features can be added in extension headers placed after the IPv6 base header. Whereas
IPv4 header options are limited to 40 bytes, the size of the IPv6 extension headers is limited only by the maximum
length of the whole IPv6 packet.

The IPv6 supports the following features:

 IPv6 Protocol
 IPv6 Address Format
 Type of IPv6 Address
 ICMPv6
 IPv6 Neighbor Discovery
 Path MTU Discovery
 ICMPv6 Redirection
 Address Conflict Detection
 IPv6 Stateless Auto-configuration
 IPv6 Address Configuration
 IPv6 Route Forwarding (supporting static route configuration)
 Configuration of various IPv6 parameters
 Diagnosis Tool Ping IPv6

IPv6 Address Format

The basic format of an IPv6 address is X:X:X:X:X:X:X:X, where each X is a 16-bit field written as up to four
hexadecimal digits. Each hexadecimal digit carries 4 bits and each address has eight fields, for a total of 128 bits.
Some legal IPv6 addresses are:

2001:ABCD:1234:5678:AAAA:BBBB:1200:2100

800:0:0:0:0:0:0:1

1080:0:0:0:8:800:200C:417A

The fields are hexadecimal integers, where A to F denote 10 to 15. Every field in the address must be written, but
leading zeros within a field may be omitted. Some IPv6 addresses contain a series of zero fields (as in examples 2 and
3). In that case, "::" may be used to denote the run of zeros, so the address 800:0:0:0:0:0:0:1 can be written as
800::1.

The two colons mean that the address is to be expanded to the full 128 bits. Only 16-bit fields that are entirely zero
can be replaced by the two colons, and "::" may appear only once in an address.

In a mixed IPv4 and IPv6 environment there is also a mixed notation, in which the lowest 32 bits of an IPv6 address
denote an IPv4 address: X:X:X:X:X:X:d.d.d.d, where each X is a 16-bit hexadecimal field and each d is an 8-bit decimal
integer. For instance, 0:0:0:0:0:0:192.168.20.1 is a legal IPv6 address, abbreviated as ::192.168.20.1. One typical
example is the IPv4-compatible IPv6 address, written as ::A.B.C.D (for example ::1.1.1.1); the other is the IPv4-mapped
IPv6 address, written as ::FFFF:A.B.C.D, which represents an IPv4 address as an IPv6 address; for example, the IPv4
address 1.1.1.1 maps to the IPv6 address ::FFFF:1.1.1.1.

Because an IPv6 address is divided into a subnet prefix and an interface identifier, it can be written with a trailing
numeric value, as in CIDR notation, giving the number of leading bits that form the network part (the network prefix).
The prefix length is separated from the address by a slash. For instance, in 12AB::CD30:0:0:0:0/60 the prefix used for
routing is 60 bits long.

Type of IPv6 Address

RFC 4291 defines three types of IPv6 addresses:

 Unicast: Identifier of a single interface. A packet sent to a unicast address is delivered to the interface
identified by that address.
 Anycast: Identifier of a set of interfaces. A packet sent to an anycast address is delivered to one of the
interfaces identified by that address (the nearest one according to the routing protocol).
 Multicast: Identifier of a set of interfaces (in general, on different nodes). A packet sent to a multicast address
is delivered to all interfaces that have joined that multicast address.

There is no broadcast address in IPv6.

These types of addresses are introduced one by one below.

Unicast Addresses

Unicast addresses are divided into the unspecified address, the loopback address, link-local addresses, site-local
addresses and global unicast addresses. Site-local addresses have been deprecated, so all unicast addresses except the
unspecified address, the loopback address and link-local addresses are now global unicast addresses.

1. Unspecified Address

The unspecified address is 0:0:0:0:0:0:0:0, generally abbreviated as ::.


 If a host has no unicast address yet when it boots, it uses the unspecified address as the source address to send a
Router Solicitation, obtains the prefix information from the gateway, and generates its unicast address automatically.
 When an IPv6 address is configured on a host, the host checks whether it conflicts with the address of another host
on the same network segment by sending a Neighbor Solicitation with the unspecified address as the source address.

2. Loopback Address

The loopback address is 0:0:0:0:0:0:0:1, abbreviated as ::1. It is equivalent to the IPv4 address 127.0.0.1 and is used
when a node sends packets to itself.

3. Link-local Address

The format of the link-local address:

A link-local address numbers a host on a single network link. It is identified by its first 10 bits (the prefix
FE80::/10); the middle 54 bits are 0, and the last 64 bits are the interface identifier, so a single link can number up
to 2^64 - 1 hosts. A router never forwards a packet whose source or destination address is a link-local address.

4. Site-level Local Address

The format of site-level local address:

The site-level local address can be used to transmit data within a site; the router does not forward packets whose source
or destination address is a site-level local address to the Internet. Namely, such packets can only be forwarded within the
site, not out of it. If the site is, for example, a company LAN, the site-level local address is similar to an IPv4 private
address such as 192.168.0.0/16. RFC 3879 has deprecated the site-level local address.

5. Global Unicast Address

The format of global unicast address:



One class of global unicast address is the IPv6 address with an embedded IPv4 address, which is used to interconnect
IPv4 nodes and IPv6 nodes and is divided into the IPv4-compatible IPv6 address and the IPv4-mapped IPv6 address.

The format of IPv4-compatible IPv6 address:

The format of IPv4-mapped IPv6 address:

The IPv4-compatible IPv6 address is mainly used for automatic tunneling between nodes that support both IPv4 and
IPv6: the IPv6 packet is carried across IPv4 routers in a tunnel. The IPv4-compatible IPv6 address has now been
deprecated. The IPv4-mapped IPv6 address is used by IPv6 nodes to access nodes that only support IPv4. For example,
when an IPv6 application on an IPv4/IPv6 host requests the resolution of a host name (of a host that only supports IPv4),
the name server internally generates IPv4-mapped IPv6 addresses dynamically and returns them to the IPv6 application.

Multicast Addresses

The format of the IPv6 multicast address is shown as follows:

| 8 | 4 | 4 | 112 bits |
+--------+----+----+------------------------------------------------+
|11111111|flgs|scop| group ID |
+--------+----+----+------------------------------------------------+

The first byte of the address is all 1s, which denotes a multicast address.

 Flag field:

It consists of 4 bits. At present, only the fourth bit is specified. This bit indicates whether the address is a well-known
multicast address assigned by the Internet Number Constitution or a temporary multicast address used in a specific
situation. If this flag bit is 0, the address is a well-known multicast address; if it is 1, the address is a temporary one.
The other 3 flag bits are reserved for future use.

 Range field:

Composed of 4 bits and used to denote the scope of the multicast, namely whether the multicast group contains only the
local node, the local link, the local site, or nodes anywhere in the IPv6 global address space.

 Group Identifier field:

112 bits long and used to identify a multicast group. Depending on whether a multicast address is temporary or known and
the range of the address, a multicast identifier can denote different groups.

The IPv6 multicast address is the type of address taking FF00::/8 as the prefix. One IPv6 multicast address usually
identifies the interfaces of a series of different nodes. When a message is sent to a multicast address, it is delivered to
every interface that has joined this multicast address. One node (host or router) should join the following multicast
addresses:

 The multicast address of all nodes for the local link is FF02::1
 The prefix of the multicast address for the solicited node is FF02:0:0:0:0:1:FF00:0000/104

If they are routers, it is necessary to add the multicast address FF02::2 of all routers for the local link.

The solicited-node multicast address corresponds to an IPv6 unicast or anycast address, so an IPv6 node must join the
corresponding solicited-node multicast address for each configured unicast address and anycast address. The prefix of
the solicited-node multicast address is FF02:0:0:0:0:1:FF00:0000/104; the remaining 24 bits are the lower 24 bits of the
unicast or anycast address. For instance, the solicited-node multicast address corresponding to FE80::2AA:FF:FE21:1234
is FF02::1:FF21:1234.

The solicited-node multicast address is usually used for the neighbor solicitation (NS) message. The format of the
solicited-node multicast address is shown as follows:

Anycast Addresses

The anycast address is similar to the multicast address in that more than one node shares an anycast address. The
difference is that only one node is expected to receive a packet sent to the anycast address, while all member nodes of
a multicast address expect to receive every packet sent to that address. Anycast addresses are allocated from the normal
IPv6 unicast address space, so an anycast address cannot be distinguished from a unicast address by its format. For this
reason, each node that is a member of an anycast address must be explicitly configured to recognize it as an anycast
address.

The anycast address can only be assigned to the router, but cannot be assigned to the host. Furthermore,
the anycast address cannot be taken as the source address of the message.

The RFC2373 predefines an anycast address, referred to as the anycast address of the subnet router. The following
diagram shows the anycast address format of the subnet router, which consists of the subnet prefix followed by a series of
0s (as the interface identifier).

Where, the subnet prefix identifies a specified link (subnet) and the packet to be sent to the anycast address of the subnet
router will be distributed to a router of this subnet. The anycast address of the subnet router is usually used for some node
which needs to communicate with one router of the remote subnet.

IPv6 Packet Header Structure


The format of the IPv6 packet header is shown as the figure below:

The IPv4 packet header takes 4 bytes as the unit; the IPv6 packet header takes 8 bytes as the unit and the total length of
the packet header is 40 bytes. In the IPv6 packet header, the following fields are defined:

 Version:

The length is 4 bits. For IPv6, the field must be 6.

 Traffic Class:

The length is 8 bits. It indicates the type of service provided to the packet and is equivalent to the TOS field in IPv4.

 Flow Label:

The length is 20 bits. It is used to identify the packets of the same service flow. One node can be the sending source
of several service flows; the flow label together with the source node IP address identifies a service flow uniquely.

 Payload Length:

The length is 16 bits, including the byte length of payload and the length of various IPv6 extension options (if any). In other
words, it includes the length of an IPv6 packet except for the IPv6 header itself.

 Next Header:

This field indicates the protocol type in the header field following the IPv6 header. Similar to the IPv4 protocol field, the
Next Header field can be used to indicate whether the upper level is TCP or UDP. It can also be used to indicate whether
an extended IPv6 header exists.

 Hop Limit:

The length is 8 bits. Each time a router forwards the packet, this field is decreased by 1. If this field is 0, the packet is
discarded. It is similar to the Time To Live field in the IPv4 packet header.

 Source Address:

The length is 128 bits. It indicates the sender address of an IPv6 packet.

 Destination Address:

The length is 128 bits. It indicates the receiver address of an IPv6 packet.

At present, the following extended headers are defined for the IPv6:

 Hop-by-Hop Options:

This extended header must directly follow an IPv6 header. It contains the option data that must be checked by each node
along the path.

 Routing Header (Routing (Type 0)):

This extended header indicates the nodes that a packet will go through before reaching the destination. It contains the
address table of various nodes that the packet goes through. The initial destination address of the IPv6 header is the first
one of a series of addresses in the routing header, other than the final destination address of the packet. After receiving
this packet, the node of this address will process the IPv6 header and the routing header, and send the packet to the
second address of the routing header list. It repeats this step until the packet reaches the final destination.

 Fragment Header (Fragment):

This extended header is used to fragment the packets longer than the MTU of the path between the source node and
destination node.

 Destination Option Header (Destination Options):

This extended header replaces the IPv4 option field. At present, the only defined destination option is to fill the option with
an integer multiple of 64 bits (8 bytes) when necessary. This extended header can be used to carry the information
checked by the destination node.

 Upper-layer Extended Header (Upper-layer header):

It indicates the upper layer transport protocol, such as TCP (6) and UDP (17).

Furthermore, the extended header of the Authentication and the Encapsulating Security Payload will be described in the
IPSec section. At present, the IPv6 implemented by us cannot support the IPSec.
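As an added example that is not part of this guide, the following Python code parses the 40-byte IPv6 header and walks the extension header chain through the Next Header field, rejecting the malformed cases a receiver should drop (wrong version, a Payload Length larger than what was received, a Hop-by-Hop Options header that does not come first). The sample packet, its addresses and the helper names are constructed for the example.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) for the extension headers the
# text lists, plus the two upper-layer protocols it names.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
TCP, UDP = 6, 17
EXT_HEADER_NAMES = {
    HOP_BY_HOP: "Hop-by-Hop Options",
    ROUTING: "Routing",
    FRAGMENT: "Fragment",
    DEST_OPTS: "Destination Options",
}
FIXED_HEADER_LEN = 40  # the IPv6 header is always 40 bytes


def build_ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0, flow_label=0):
    """Assemble a 40-byte IPv6 header (Version=6) in front of an already-built payload."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return header + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(packet):
    """Parse the fixed header, then follow Next Header through the extension chain.

    Returns the fixed-header fields, the extension headers in order, the
    upper-layer protocol number and the offset of its header.
    Raises ValueError for packets a careful receiver must discard.
    """
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("Version field is not 6")
    end = FIXED_HEADER_LEN + payload_len
    if len(packet) < end:
        raise ValueError("Payload Length claims more bytes than were received")
    chain, offset, nh = [], FIXED_HEADER_LEN, next_header
    while nh in EXT_HEADER_NAMES:
        if nh == HOP_BY_HOP and chain:
            raise ValueError("Hop-by-Hop Options must directly follow the IPv6 header")
        if offset + 8 > end:
            raise ValueError("extension header truncated")
        if nh == FRAGMENT:
            hdr_len = 8  # the Fragment header has no length field: always 8 bytes
        else:
            # Hdr Ext Len counts 8-byte units, not including the first 8 bytes
            hdr_len = (packet[offset + 1] + 1) * 8
        if offset + hdr_len > end:
            raise ValueError("extension header runs past Payload Length")
        chain.append(EXT_HEADER_NAMES[nh])
        nh = packet[offset]  # Next Header is the first byte of every extension header
        offset += hdr_len
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "ext_headers": chain,
        "upper_layer": nh,
        "upper_layer_offset": offset,
    }


def forward(packet):
    """Router-side Hop Limit handling: decrement by 1, discard when it would reach 0.

    Returns the packet to forward, or None when it must be discarded
    (RFC 8200 section 3: a packet whose decremented Hop Limit is zero is dropped).
    """
    hop_limit = packet[7]
    if hop_limit <= 1:
        return None
    return packet[:7] + bytes([hop_limit - 1]) + packet[8:]


# Constructed sample: Hop-by-Hop (PadN) -> Destination Options (PadN) -> UDP.
_HBH = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])  # next=60, len=0 (8 bytes), PadN(4)
_DOPT = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])       # next=17, len=0 (8 bytes), PadN(4)
_UDP = struct.pack("!HHHH", 546, 547, 10, 0) + b"hi"  # 8-byte UDP header + 2 bytes
SAMPLE_PACKET = build_ipv6("fec0:0:0:1::100", "fec0:0:0:1::1", HOP_BY_HOP,
                           _HBH + _DOPT + _UDP, hop_limit=2)

# Malformed chain: Destination Options placed before Hop-by-Hop Options.
BAD_PACKET = build_ipv6("fec0:0:0:1::100", "fec0:0:0:1::1", DEST_OPTS,
                        bytes([HOP_BY_HOP, 0, 1, 4, 0, 0, 0, 0]) + _DOPT + _UDP)

if __name__ == "__main__":
    print(parse_ipv6(SAMPLE_PACKET))
```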

IPv6 Path MTU Discovery


As with the path MTU discovery of the IPv4, the path MTU discovery of the IPv6 allows one host to discover and adjust the
size of the MTU in the data transmission path.

Furthermore, when a data packet to be sent is larger than the MTU of the data transmission path, the host fragments the
packet by itself. This makes it unnecessary for routers to process fragmentation, which saves resources and improves
the efficiency of the IPv6 network.

The minimum link MTU is 68 bytes in the IPv4, indicating that the links along the path over which the packets
are transmitted should support at least the link MTU of 68 bytes. The minimum link MTU is 1280 bytes in the
IPv6. It is strongly recommended to use the link MTU of 1500 bytes for the link in the IPv6.

IPv6 Neighbor Discovery


The main functions of the IPv6 Neighbor Discovery protocol include Router Discovery, Prefix Discovery, Parameter
Discovery, Address Auto-configuration, Address Resolution (ARP), Next-hop Determination, Neighbor Unreachability
Detection, Address Conflict Detection and Redirection. Neighbor Discovery defines 5 types of ICMP messages: Router
Solicitation (ICMP type 133), Router Advertisement (ICMP type 134), Neighbor Solicitation or ARP request (ICMP type 135),
Neighbor Advertisement or ARP response (ICMP type 136) and ICMP redirection message (ICMP type 137).

The following describes the neighbor discovery function in detail:

Address Resolution

A node must obtain the link layer address of another node before communicating with it. To do so, it sends a neighbor
solicitation (NS) message to the solicited-node multicast address corresponding to the IPv6 address of the destination
node. The NS message also carries the link layer address of the sender. After receiving this NS message, the destination
node responds with a neighbor advertisement (NA) message carrying its own link layer address. After receiving the
response, the source node can communicate with the destination node.

The following is the neighbor solicitation procedure:



Neighbor Unreachability Detection

Neighbor Unreachability Detection is performed when an IPv6 unicast packet is sent to a neighbor whose reachable time
has expired.

Neighbor Unreachability Detection and sending the IPv6 packet to the neighbor can be co-processed. During the
detection, it continues to forward the IPv6 packet to the neighbor.

Address Conflict Detection

After an IPv6 address is configured on the host, the address conflict detection function checks whether the IPv6 address
is unique on the link.

Router, Prefix and Parameter Advertisement

The router sends the Router Advertisement (RA) to all the local nodes of the link periodically.

The following figure shows the process of sending the Router Advertisement (RA):

In general, the Router Advertisement (RA) contains the contents below:

 One or more IPv6 address prefixes used for the on-link confirmation or the stateless address auto-configuration.
 Effective period of the IPv6 address prefix.
 Usage of the host auto-configuration (stateful or stateless).
 Information for the default router (namely, whether this router acts as the default router and, if so, for how long).
 Other configuration information such as the hop limit, the MTU and the neighbor solicitation retransmission interval.

The Router Advertisement (RA) is also sent in response to a Router Solicitation (RS) message from a host. The RS
message allows the host to obtain the auto-configuration information immediately without waiting for the periodic RA. If
the host has no unicast address when it is activated, the RS message uses the unspecified address (0:0:0:0:0:0:0:0) as its
source address; otherwise, an existing unicast address is used. The RS message uses the multicast address of all routers
for the local link (FF02::2) as its destination address. The RA sent in response uses the source address of the RS
message as its destination address (if that source address was the unspecified address, it uses the multicast address of
all nodes for the local link, FF02::1).

The following parameters can be configured in the Router Advertisement (RA) message:

Ra-interval: Interval at which the Router Advertisement (RA) is sent.

Ra-lifetime: Router lifetime, namely whether the device acts as the default router of the local link and for how long.

Prefix: IPv6 address prefix of the local link, which can be used for the on-link confirmation or the stateless address
auto-configuration, including the other parameters configured for the prefix.

Ns-interval: Interval at which the neighbor solicitation message is retransmitted.

Reachable-time: Time during which a neighbor is considered reachable.

We configure the above parameters in the IPv6 interface property.

1. By default, no Router Advertisement (RA) message is sent actively on the interface. To do so, you can
use the command no ipv6 nd suppress-ra in the interface configuration mode.
2. In order to make the stateless address auto-configuration of the node work normally, the length of the
prefix for the router advertisement (RA) message should be 64 bits.

Redirection

After receiving the IPv6 packets, the router discovers the better next-hop and sends the ICMP redirection message to
notify the host of the better next-hop. Next time the host sends the IPv6 packets to the better next-hop directly.

 The IPv6 function is not supported on AP110-W.



IPv6 Configuration

The following will introduce the configuration of various function modules of the IPv6 respectively:

Configuring IPv6 Address


This section describes how to configure an IPv6 address on an interface. By default, no IPv6 address is configured.

Once an interface is created and its link status is UP, the system will automatically generate the local link
address for the interface. At present, the IPv6 doesn’t support anycast address.

To configure an IPv6 address, execute the following commands in the global configuration mode:

Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command shall be used to switch the layer-2
    port to a layer-3 interface.
Ruijie(config-if)#ipv6 enable
    Enable the IPv6 protocol on the interface. If this command is not run, the system automatically enables the IPv6
    protocol when you configure an IPv6 address for the interface.
Ruijie(config-if)#ipv6 address ipv6-address/prefix-length
Ruijie(config-if)#ipv6 address ipv6-prefix/prefix-length [eui-64]
    Configure the IPv6 unicast address for this interface. The keyword eui-64 indicates that the generated IPv6 address
    consists of the configured address prefix and the 64-bit interface ID.
    Note: Whether or not the keyword eui-64 is used, the complete address (prefix + interface ID/prefix length) must be
    entered to delete an IPv6 address. When you configure an IPv6 address on an interface, the IPv6 protocol is
    automatically enabled on the interface and cannot be disabled with no ipv6 enable.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface interface-id
    View the IPv6 interface information.
Ruijie#copy running-config startup-config
    Save the configuration.

Use the no ipv6 address ipv6-prefix/prefix-length [eui-64] command to delete the configured IPv6 address.

The following is an example of the configuration of the IPv6 address:

Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ipv6 enable
Ruijie(config-if)# ipv6 address fec0:0:0:1::1/64
Ruijie(config-if)# end
Ruijie# show ipv6 interface GigabitEthernet 0/1
Interface GigabitEthernet 0/1 is Up, ifindex: 1
address(es):
Mac Address: 00:00:00:00:00:01
INET6: fe80::200:ff:fe00:1 , subnet is fe80::/64
INET6: fec0:0:0:1::1 , subnet is fec0:0:0:1::/64
Joined group address(es):
ff01:1::1
ff02:1::1
ff02:1::2
ff02:1::1:ff00:1
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds<160--240>
ND router advertisements live for 1800 seconds
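The addresses in the output above can be checked by hand. As an added example (not code from this guide or from RGOS), the following Python derives the EUI-64 interface ID and the link-level local address from a MAC address, the solicited-node multicast address from a unicast address (the FE80::2AA:FF:FE21:1234 case from the multicast section), and the multicast groups an interface is expected to have joined, so that a show ipv6 interface listing can be audited. Function names are the example's own.

```python
import ipaddress


def _mac_bytes(mac):
    """Accept 00:d0:f8:00:00:01, 00-d0-f8-00-00-01 or 00d0.f800.0001 and return 6 bytes."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64 interface ID (RFC 4291 Appendix A): flip the U/L bit of the
    first octet and insert FF FE between the OUI and the device-specific part."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def eui64_address(prefix, mac):
    """Address the 'ipv6 address prefix/64 eui-64' form yields: prefix + EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def link_local_address(mac):
    """The link-level local address the system generates itself when the link comes up."""
    return eui64_address("fe80::/64", mac)


def solicited_node_multicast(address):
    """FF02:0:0:0:0:1:FF00::/104 followed by the low 24 bits of the unicast/anycast address."""
    low24 = ipaddress.IPv6Address(address).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(8) + b"\x00\x01\xff" + low24))


def expected_groups(unicast_addresses, is_router):
    """Groups an interface should have joined per the text: all-nodes FF02::1,
    all-routers FF02::2 (routers only) and one solicited-node group per address."""
    groups = {"ff02::1"}
    if is_router:
        groups.add("ff02::2")
    groups.update(solicited_node_multicast(a) for a in unicast_addresses)
    return sorted(groups)


def check_joined_groups(unicast_addresses, joined, is_router):
    """Return the expected groups missing from a 'Joined group address(es)' list.
    Both sides are normalised so that textual variants of one address compare equal."""
    joined_norm = {str(ipaddress.IPv6Address(g)) for g in joined}
    return [g for g in expected_groups(unicast_addresses, is_router) if g not in joined_norm]


if __name__ == "__main__":
    print(link_local_address("00:d0:f8:00:00:01"), solicited_node_multicast("fec0:0:0:1::1"))
```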

Configuring ICMPv6 Redirection


This section describes how to configure the ICMPv6 redirection function on the interface. By default, the IPv6
redirection function on the interface is enabled. The router needs to send a redirection message to the source during
packet forwarding when the following conditions are met:

 The destination address of the packet is not a multicast address;
 The destination address of the packet is not the router itself;
 The output interface of the next hop determined by the device for this packet is the same as the interface on which the
packet was received, namely, the next hop and the originator are on the same link;
 The node identified by the source IP address of the packet is a neighbor of the local router, namely, this node exists
in the router's neighbor table.

Only a router, not a host, can generate the redirection message, and a router does not update its routing table when
it receives a redirection message.

To enable redirection on the interface, execute the following commands in the global configuration mode:

Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command shall be used to switch the layer-2
    port to a layer-3 interface.
Ruijie(config-if)#ipv6 redirects
    Enable the IPv6 redirection function.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface interface-id
    Show the interface configuration.
Ruijie#copy running-config startup-config
    Save the configuration.

Use the no ipv6 redirects command to disable the redirection function. The following is an example to configure the
redirection function:

Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ipv6 redirects
Ruijie(config-if)# end
Ruijie# show ipv6 interface GigabitEthernet 0/1
Interface GigabitEthernet 0/1 is Up, ifindex: 1
address(es):
Mac Address: 00:d0:f8:00:00:01
INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64
INET6: fec0:0:0:1::1 , subnet is fec0:0:0:1::/64
Joined group address(es):
ff01:1::1
ff02:1::1
ff02:1::2
ff02:1::1:ff00:1
MTU is 1500 bytes
ICMP error messages limited to one every 10 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds<160--240>
ND router advertisements live for 1800 seconds

Configuring Static Neighbor


This section will describe how to configure a static neighbor. By default, the static neighbor is not configured. In general, a
neighbor learns and maintains its status by the Neighbor Discovery Protocol (NDP) dynamically. Moreover, you can
configure the static neighbor manually.

To configure the static neighbor, execute the following commands in the global configuration mode.

Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#ipv6 neighbor ipv6-address interface-id hardware-address
    Configure a static neighbor on the interface.
Ruijie(config)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 neighbors
    View the neighbor list.
Ruijie#copy running-config startup-config
    Save the configuration.

Use the no ipv6 neighbor ipv6-address interface-id command to delete the specified neighbor. The following is an
example to configure a static neighbor on GigabitEthernet 0/1:

Ruijie(config)# ipv6 neighbor fec0:0:0:1::100 GigabitEthernet 0/1 00d0.f811.1234
Ruijie(config)# end
Ruijie# show ipv6 neighbors verbose fec0:0:0:1::100
IPv6 Address Linklayer Addr Interface
fec0:0:0:1::100 00d0.f811.1234 GigabitEthernet 0/1
State: REACH/H Age: - asked: 0

Configuring Address Conflict Detection


This section describes how to configure the number of address conflict detection attempts. Address conflict detection is
mandatory before a unicast address is assigned to an interface; its goal is to verify the uniqueness of the address. Address
conflict detection should be carried out for manually configured addresses, stateless auto-configuration addresses and
stateful auto-configuration addresses. However, it is not necessary to carry out the address conflict detection under the
following two conditions:

 The management prohibits the address conflict detection, namely, the number of the neighbor solicitation messages
sent for the address conflict detection is set to 0.
 The configured anycast address can not be applied to the address conflict detection.

Furthermore, if the address conflict detection function is not disabled on the interface, the system will enable the address
conflict detection process for the configured address when the interface changes to the Up status from the Down status.

The following is the configuration procedure of the quantity of the neighbor solicitation message sent for the address
conflict detection:

Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command shall be used to switch the layer-2
    port to a layer-3 interface.
Ruijie(config-if)#ipv6 nd dad attempts attempts
    Set the number of neighbor solicitation messages sent for the address conflict detection, and enable the address
    conflict detection function on the interface. When it is configured to 0, no neighbor solicitation message is sent for
    the detection.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface vlan 1
    View the IPv6 information on the interface.
Ruijie#copy running-config startup-config
    Save the configuration.

Use the no ipv6 nd dad attempts command to restore the default value. The following is an example to configure the
number of neighbor solicitation (NS) messages sent for the address conflict detection on GigabitEthernet 0/1:

Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ipv6 nd dad attempts 3
Ruijie(config-if)# end
Ruijie# show ipv6 interface GigabitEthernet 0/1
Interface GigabitEthernet 0/1 is Up, ifindex: 1
address(es):
Mac Address: 00:d0:f8:00:00:01
INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64
INET6: fec0:0:0:1::1 , subnet is fec0:0:0:1::/64
Joined group address(es):
ff01:1::1
ff02:1::1
ff02:1::2
ff02:1::1:ff00:1
MTU is 1500 bytes
ICMP error messages limited to one every 10 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 3
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds<160--240>
ND router advertisements live for 1800 seconds

Clearing Dynamic IPv6 Neighbors


Command Function
clear ipv6 neighbors [ vrf vrf-name ] [ oob ] [ interface-id ]
    Clear the dynamic IPv6 neighbors in privileged EXEC mode.
    vrf-name: VRF name. Without a VRF name, all global IPv6 neighbors are cleared by default.
    oob: Clears the dynamic IPv6 neighbors discovered on the MGMT interface.
    interface-id: Interface name. Clears the dynamically learned IPv6 neighbors on the specified interface.

This command does not clear all the dynamic neighbors on authentication VLAN.

Note that the static neighbors will not be cleared.

The following example clears the dynamic IPv6 neighbors.

Ruijie# clear ipv6 neighbors

Configuring Other Interface Parameters


The IPv6 parameters on an interface fall into 2 parts, one is used to control the behavior of the router itself, the other is
used to control the contents of the router advertisement (RA) sent by the router to determine what action should be taken
by the host when it receives this router advertisement (RA).

The following will introduce these commands one by one:

Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command shall be used to switch the layer-2
    port to a layer-3 interface.
Ruijie(config-if)#ipv6 enable
    Enable the IPv6 function.
Ruijie(config-if)#ipv6 nd ns-interval milliseconds
    (Optional) Define the retransmission interval of the neighbor solicitation message, in ms. The default value is
    1000 ms.
Ruijie(config-if)#ipv6 nd reachable-time milliseconds
    (Optional) Define the time during which a neighbor is considered reachable, in ms. The default value is 30000 ms.
    Note: as specified in RFC 4861, the actual reachable time of a neighbor is a random value in the range of 0.5 to 1.5
    times the configured time.
Ruijie(config-if)#ipv6 nd prefix { ipv6-prefix/prefix-length | default } [ [ valid-lifetime preferred-lifetime ] | [ at valid-date preferred-date ] | [ infinite { infinite | preferred-lifetime } ] ] [ no-advertise ] | [ [ off-link ] [ no-autoconfig ] ]
    (Optional) Set the address prefix to be advertised in the router advertisement (RA) message.
Ruijie(config-if)#ipv6 nd ra-lifetime seconds
    (Optional) Set the router lifetime carried in the router advertisement (RA) message, namely the time for which the
    router acts as the default router. 0 indicates that the router will not act as the default router of the directly
    connected network. The default value is 1800 s.
Ruijie(config-if)#ipv6 nd ra-interval { seconds | min-max min_value max_value }
    (Optional) Set the interval at which the router sends the router advertisement (RA) message periodically, in
    seconds. The default value is 200 s. With min-max specified, the actual sending interval is a random value between
    the minimum and maximum value. Without min-max specified, the actual sending interval is a random value between
    approximately 0.8 and 1.2 times the configured value.
Ruijie(config-if)#ipv6 nd managed-config-flag
    (Optional) Set the "managed address configuration" flag bit of the router advertisement (RA) message, which
    determines whether the host uses stateful auto-configuration to obtain its address when it receives this RA. By
    default, the flag bit is not set in the RA message.
Ruijie(config-if)#ipv6 nd other-config-flag
    (Optional) Set the "other stateful configuration" flag bit of the router advertisement (RA) message, which
    determines whether the host uses stateful auto-configuration to obtain information other than the address when it
    receives this RA. By default, the flag bit is not set in the RA message.
Ruijie(config-if)#ipv6 nd suppress-ra
    (Optional) Suppress the router advertisement (RA) message on this interface. By default, the flag bit is not
    configured for the router advertisement (RA) message.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface [ interface-id ] [ ra-info ]
    Show the IPv6 information of the interface or the RA information sent by this interface.
Ruijie#copy running-config startup-config
    (Optional) Save the configuration.

The no command of above commands can be used to restore the default value. For details, refer to IPv6 Command
Reference.

Configuring Frequency to Send ICMPv6-Oversize Error Packets


The default milliseconds is 100 and bucket-size is 10.

Command Function
ipv6 icmp error-interval too-big milliseconds [ bucket-size ]
    Set the frequency with which ICMPv6-oversize error packets are sent, in global configuration mode.
    milliseconds: Sets the refresh interval of the token bucket, in the range from 0 to 2147483647 in the unit of
    seconds. Setting the value to 0 indicates that the frequency with which ICMPv6 error packets are sent is not fixed.
    bucket-size: Sets the number of tokens in the token bucket, in the range from 1 to 200.
no ipv6 icmp error-interval too-big milliseconds [ bucket-size ]
    Restore the default setting.

The token bucket algorithm is adopted to limit the frequency with which ICMPv6 error packets are sent, so as to prevent
Denial of Service (DoS) attacks.

If a forwarded IPv6 packet is larger than the egress IPv6 MTU, the router discards the packet and sends an
ICMPv6-oversize error packet to the source IPv6 address. This kind of ICMPv6 error packet is used for IPv6 path MTU
discovery. If too many ICMPv6 error packets are being sent, the ICMPv6-oversize error packet may be suppressed, causing
IPv6 path MTU discovery to fail. Therefore, it is recommended to set the frequency of ICMPv6-oversize error packets and
that of other ICMPv6 error packets separately. Note that the ICMPv6 redirect packet is not an ICMPv6 error packet, and
Ruijie limits the frequency of ICMPv6 redirect packets in the same way as that of other ICMPv6 error packets.

Since the timer is accurate to 10 milliseconds, it is recommended to set the refresh interval of the token bucket to an
integer multiple of 10 milliseconds. If the refresh interval is not an integer multiple of 10 milliseconds, it is converted
automatically. For example, the frequency of 1 per 5 milliseconds turns out to be 2 per 10 milliseconds; the frequency of
3 per 15 milliseconds is converted to 2 per 10 milliseconds.

The following example sets the frequency with which ICMPv6-oversize error packets are sent to 100 per second.

Ruijie(config)# ipv6 icmp error-interval too-big 1000 100

Configuring Frequency to Send Other ICMPv6 Error Packets


The default milliseconds is 100 and bucket-size is 10.

Command: ipv6 icmp error-interval milliseconds [ bucket-size ]
Function: Set the frequency with which other ICMPv6 error packets are sent, in global configuration mode.
milliseconds: Sets the refresh interval of the token bucket, in the range from 0 to 2147483647 in the unit of seconds. Setting the value to 0 indicates that the frequency with which ICMPv6 error packets are sent is not fixed.
bucket-size: Sets the number of tokens in the token bucket, in the range from 1 to 200.

Command: no ipv6 icmp error-interval milliseconds [ bucket-size ]
Function: Restore the default setting.

The token bucket algorithm is used to limit the frequency with which ICMPv6 error packets are sent, so as to prevent
Denial of Service (DoS) attacks.

If a forwarded IPv6 packet is larger than the egress IPv6 MTU, the router discards the packet and sends an
ICMPv6-oversize error packet to the source IPv6 address. This kind of ICMPv6 error packet is used for IPv6 path MTU
discovery. If too many other ICMPv6 error packets are being sent, the ICMPv6-oversize error packet may not be sent,
causing IPv6 path MTU discovery to fail. Therefore, it is recommended to set the frequency of ICMPv6-oversize error
packets and of other ICMPv6 error packets separately. Note that the ICMPv6 redirect packet is not an ICMPv6 error
packet; Ruijie limits the frequency of ICMPv6 redirect packets to the same value as that of other ICMPv6 error packets.

Because the timer is accurate to 10 milliseconds, it is recommended to set the refresh interval of the token bucket to an
integer multiple of 10 milliseconds. If the refresh interval is not an integer multiple of 10 milliseconds, it is converted
automatically. For example, a frequency of 1 per 5 milliseconds becomes 2 per 10 milliseconds, and a frequency of 3 per
15 milliseconds is converted to 2 per 10 milliseconds.

The following example sets the frequency with which other ICMPv6 error packets are sent to 10 per second.

Ruijie(config)# ipv6 icmp error-interval 1000 10
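A model of the token bucket behaviour described in this section and in the previous one (one bucket for ICMPv6-oversize errors, one for the other ICMPv6 errors), as an added example that is not part of the original guide and not RGOS code; the rounding rule for intervals that are not a multiple of 10 ms and the traffic fed to the buckets are assumptions, as marked in the code:

```python
"""Token-bucket rate limiting of ICMPv6 error packets.

Added example for this guide, not RGOS code. It models the behaviour the
text describes for `ipv6 icmp error-interval [too-big] milliseconds
[bucket-size]`: the refresh interval is normalized to the 10 ms timer tick,
the bucket is refilled to bucket-size once per interval, and the oversize
("too-big") errors and the other ICMPv6 errors use independent buckets.
Assumption: for intervals that are not a multiple of 10 ms the interval is
rounded down (minimum 10 ms) and the token count scaled; this reproduces
the two conversions the guide gives, but the rule for other values is ours.
"""
from __future__ import annotations

from dataclasses import dataclass, field

TIMER_TICK_MS = 10  # the guide states the timer is accurate to 10 milliseconds


def normalize(milliseconds: int, bucket_size: int) -> tuple[int, int]:
    """Return (interval_ms, tokens) at 10 ms granularity; 0 means unlimited."""
    if milliseconds == 0:
        return 0, bucket_size
    ticks = max(1, milliseconds // TIMER_TICK_MS)      # assumption: round down
    interval = ticks * TIMER_TICK_MS
    tokens = max(1, round(bucket_size * interval / milliseconds))
    return interval, tokens


@dataclass
class TokenBucket:
    """One limiter, e.g. the 'too-big' bucket or the 'other errors' bucket."""
    interval_ms: int
    bucket_size: int
    tokens: int = field(init=False)
    refilled_at_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.interval_ms, self.bucket_size = normalize(self.interval_ms, self.bucket_size)
        self.tokens = self.bucket_size

    def try_send(self, now_ms: int) -> bool:
        """True if an error packet may be sent at now_ms, consuming one token."""
        if self.interval_ms == 0:
            return True                                    # frequency not fixed
        periods = (now_ms - self.refilled_at_ms) // self.interval_ms
        if periods > 0:                                    # refresh the bucket
            self.tokens = self.bucket_size
            self.refilled_at_ms += periods * self.interval_ms
        if self.tokens == 0:
            return False                                   # error suppressed
        self.tokens -= 1
        return True


@dataclass
class Icmpv6ErrorLimiter:
    """The two buckets the guide recommends configuring separately."""
    too_big: TokenBucket
    other: TokenBucket

    def send_errors(self, events: list[tuple[int, str]]) -> dict[str, int]:
        """events: (time_ms, kind) with kind 'too-big' or 'other'.

        Returns how many error packets of each kind were actually sent.
        """
        sent = {"too-big": 0, "other": 0}
        for t_ms, kind in events:
            bucket = self.too_big if kind == "too-big" else self.other
            if bucket.try_send(t_ms):
                sent[kind] += 1
        return sent


def demo() -> dict[str, int]:
    """'ipv6 icmp error-interval too-big 1000 100' plus the default 100 10 for others.

    Constructed traffic: a burst of 150 oversized packets at t=0, 5 more just
    before the bucket refreshes and 3 after it, plus 500 other errors at t=0.
    Only the first 100 too-big errors of the burst and the 3 after the refresh
    go out, and the flood of other errors does not starve path MTU discovery.
    """
    lim = Icmpv6ErrorLimiter(TokenBucket(1000, 100), TokenBucket(100, 10))
    events = [(0, "other")] * 500 + [(0, "too-big")] * 150
    events += [(999, "too-big")] * 5 + [(1000, "too-big")] * 3
    return lim.send_errors(events)  # returns {'too-big': 103, 'other': 10}


if __name__ == "__main__":
    print(normalize(5, 1), normalize(15, 3))  # (10, 2) (10, 2)
    print(demo())
```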

Configuring Unresolved Neighbor Table Entry Limit


The default is 0. (The maximum number is the neighbor table size supported by the device)

Command: ipv6 nd unresolved number
Function: Set the maximum number of unresolved neighbor table entries, in global configuration mode.
number: Sets the maximum number of unresolved neighbor table entries, in the range from 1 to the neighbor table size supported by the device. 0 indicates the number is not limited.

Command: no ipv6 nd unresolved
Function: Restore the default setting.

This command prevents unresolved ND table entries generated by malicious scan attacks from consuming table entry
resources.

The following example sets the maximum number of the unresolved neighbor table entries to 200.

Ruijie(config)# ipv6 nd unresolved 200

Configuring Dynamic Neighbors Limit on the Interface


The default is 0.

Command: ipv6 nd cache interface-limit value
Function: Set the maximum number of neighbors learned on the interface, in interface configuration mode.
value: Sets the maximum number of neighbors learned on the interface, including static and dynamic neighbors, in the range from 0 to the number supported by the device. 0 indicates the number is not limited.

Command: no ipv6 nd cache interface-limit
Function: Restore the default setting.

This function prevents neighbor entries generated by malicious neighbor attacks from consuming memory. value must be
no smaller than the number of neighbors already learned on the interface; otherwise, the configuration does not take effect.

The following example sets the maximum number of neighbors learned on the interface to 100.

Ruijie(config)# interface GigabitEthernet 0/1


Ruijie(config-if-GigabitEthernet 0/1)# ipv6 nd cache interface-limit 100

IPv6 Monitoring and Maintenance

This section lists the commands that display internal information of the IPv6 protocol, such as the IPv6 information of an
interface, the neighbor table, and the routing table.

Command: show ipv6 interface [ interface-id ] [ ra-info ]
Function: Display the IPv6 information of the interface.

Command: show ipv6 neighbors [ vrf vrf-name ] [ verbose ] [ interface-id ] [ ipv6-address ]
Function: Display the neighbor information.

Command: show ipv6 route [ vrf vrf-name ] [ static | local | connected | bgp | rip | ospf | isis ]
Function: Display the information of the IPv6 routing table.

Command: show ipv6 raw-socket [ num ]
Function: Display all IPv6 raw sockets.

Command: show ipv6 sockets
Function: Display all IPv6 sockets.

Command: show ipv6 udp [ local-port num ] [ peer-port num ]
Function: Display all IPv6 UDP sockets.

Command: show ipv6 udp statistics
Function: Display IPv6 UDP socket statistics.

1. View the IPv6 information of an interface.

Ruijie# show ipv6 interface


interface GigabitEthernet 0/1 is Down, ifindex: 1
address(es):
Mac Address: 00:d0:f8:00:00:01
INET6: fe80::2d0:f8ff:fe00:1 , subnet is fe80::/64
INET6: fec0:1:1:1::1 , subnet is fec0:1:1:1::/64
Joined group address(es):
ff01:1::1
ff02:1::1
ff02:1::2
ff02:1::1:ff00:1
MTU is 1500 bytes
ICMP error messages limited to one every 10 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds<160--240>
ND router advertisements live for 1800 seconds

2. View the router advertisement (RA) information to be sent on an interface.

Ruijie# show ipv6 interface ra-info


GigabitEthernet 0/1: DOWN
RA timer is stopped
waits: 0, initcount: 3
statistics: RA(out/in/inconsistent): 4/0/0, RS(input): 0
Link-layer address: 00:00:00:00:00:01
Physical MTU: 1500
ND router advertisements live for 1800 seconds
ND router advertisements are sent every 200 seconds<160--240>
Flags: !M!O, Adv MTU: 1500
ND advertised reachable time is 0 milliseconds
ND advertised retransmit time is 0 milliseconds
ND advertised CurHopLimit is 64
Prefixes: (total: 1)
fec0:1:1:1::/64(Def, Auto, vltime: 2592000, pltime: 604800, flags: LA)

3. View the IPv6 neighbor table.

Ruijie# show ipv6 neighbors


IPv6 Address Linklayer Addr Interface
fe80::200:ff:fe00:1 0000.0000.0001 GigabitEthernet 0/1
State: REACH/H Age: - asked: 0
fec0:1:1:1::1 0000.0000.0001 GigabitEthernet 0/1
State: REACH/H Age: - asked: 0
Configuration Guide Configuring DHCP

Configuring DHCP

Introduction to DHCP

DHCP (Dynamic Host Configuration Protocol), specified in RFC 2131, provides configuration parameters for hosts over
the Internet. DHCP works in client/server mode: the DHCP server dynamically assigns IP addresses to hosts and provides
them with configuration parameters.

DHCP assigns IP addresses in three ways:

1. Assign IP addresses automatically. The DHCP server assigns permanent IP addresses to the clients;

2. Assign IP addresses dynamically. The DHCP server assigns IP addresses that will expire after a period of time to the
clients (or the clients can release the addresses by themselves);

3. Configure IP addresses manually. Network administrators specify IP addresses and send the specified IP addresses to
the clients through the DHCP.

Among the above mentioned three methods, only dynamic assignment allows reuse of the IP address that the client does
not need any more.

The format of the DHCP message is based on that of the BOOTP (Bootstrap Protocol) message. Hence, the device must
be able to act as a BOOTP relay agent and interact with BOOTP clients and DHCP servers. The BOOTP relay agent
function eliminates the need to deploy a DHCP server in every physical network. The DHCP is detailed in RFC 951 and
RFC 1542.

Introduction to the DHCP Server

As specified in RFC2131, the DHCP server of Ruijie is implemented to assign and manage IP addresses for the DHCP
clients. The DHCP operation process is shown in the following figure.

Process of requesting an IP address:

1. The host broadcasts a DHCPDISCOVER packet in the network to locate the DHCP server;

2. The DHCP server sends a DHCPOFFER packet in unicast form to the host, including IP address, MAC address,
domain name and address lease period;

3. The host sends a DHCPREQUEST packet in broadcast form to formally request the server to assign the provided IP
address;

4. The DHCP server sends a DHCPACK packet in unicast form to the host to confirm the request.

The DHCP client may receive the DHCPOFFER packets from multiple DHCP servers, and accept any
DHCPOFFER packet. However, the DHCP client usually accepts the first received DHCPOFFER packet
only. The address specified in the DHCPOFFER packet from the DHCP server is not necessarily the finally
assigned address. Generally, the DHCP server reserves this address until the client sends a formal request.

The goal of broadcasting the DHCPREQUEST packet is to let all the DHCP servers that send the DHCPOFFER packet
receive this packet and then release the IP address specified in the DHCPOFFER packet.

If the DHCPOFFER packet sent to the DHCP client contains invalid parameters, the DHCP client sends the
DHCPDECLINE packet to refuse the assigned configuration.

During negotiation, if the DHCP client does not respond to the DHCPOFFER packet in time, the DHCP server will send
the DHCPNAK packet to the DHCP client, initiating the address request process again.

The advantages of using the DHCP server of Ruijie for network construction are:

 Decrease network access cost. Generally, dynamic address assignment costs less than static address assignment.
 Simplify configuration tasks and reduce network construction cost. Dynamic address assignment significantly
simplifies equipment configuration, and even reduces deployment cost if devices are deployed in the places where
there are no professionals.
 Centralized management. During configuration management on several subnets, any configuration parameter can
be changed simply by modifying and updating configurations in the DHCP server.

Introduction to the DHCP Client

The DHCP client can obtain IP addresses and other configuration parameters from the DHCP server automatically. The
DHCP client brings the following advantages:

 Saves device configuration and deployment time.
 Reduces the possibility of configuration errors.
 Centralizes IP address assignment.

The DHCP client is supported on Ethernet, FR, PPP and HDLC interfaces.

Introduction to the DHCP Relay Agent

The DHCP relay agent forwards DHCP packets between the DHCP server and the DHCP clients. When the DHCP clients
and the server are not located in the same subnet, a DHCP relay agent must be available for forwarding the DHCP
request and response messages. Data forwarding by the DHCP relay agent is different from general forwarding. In
general forwarding, IP packets are unaltered and the transmission is transparent. However, upon receiving a DHCP
message, the DHCP relay agent regenerates and forwards a DHCP message.

From the perspective of the DHCP client, the DHCP relay agent works like a DHCP server. From the perspective of the
DHCP server, the DHCP relay agent works like a DHCP client.

Configuring DHCP

To configure DHCP, perform the following tasks, of which the first three tasks are mandatory.

 Enabling the DHCP Server and the DHCP Relay Agent (required)
 Configuring DHCP Excluded Addresses (required)
 Configuring DHCP Address Pool (required)
 Binding Address Manually (optional)
 Configuring the Ping Times (optional)
 Configuring Ping Packet Timeout (optional)
 Ethernet interface DHCP client configuration (optional)
 DHCP Client Configuration in PPP Encapsulation link (optional)
 DHCP Client Configuration in FR Encapsulation link (optional)
 DHCP Client Configuration in HDLC Encapsulation link (optional)

Configuring DHCP Excluded Addresses


Unless configured particularly, the DHCP server tries to assign all the subnet addresses defined in the address pool to the
DHCP clients. If you want to reserve some addresses, such as those that have been assigned to servers or devices, you
must define clearly that these addresses cannot be assigned to the DHCP clients.

To configure the addresses that cannot be assigned to the DHCP clients, execute the following commands in the global
configuration mode:

Command: Ruijie(config)# ip dhcp excluded-address low-ip-address [ high-ip-address ]
Function: Define a range of IP addresses that the DHCP server will not assign to DHCP clients.

Command: Ruijie(config)# no ip dhcp excluded-address low-ip-address [ high-ip-address ]
Function: Remove the configuration.

A good practice in configuring the DHCP server is to prohibit the DHCP server from assigning any address that has been
assigned specifically. This provides two advantages: 1) No address conflict will occur; 2) When DHCP assigns addresses,
the time for detection is shortened and thus DHCP will perform assignment more efficiently.

Configuring DHCP Address Pool


Both DHCP Address assignment and DHCP parameters sent to the client should be defined in the DHCP address pool. If
no DHCP address pool is configured, addresses cannot be assigned to the DHCP clients even though the DHCP server
has been enabled. However, if the DHCP server has been enabled, the DHCP relay agent is always working regardless of
the DHCP address pool.

You can give the DHCP address pool a meaningful name that is easy to remember. The name of an address pool consists
of letters and digits. Ruijie products allow you to define multiple address pools. The IP address of the DHCP relay agent in
the DHCP request packet is used to determine which address pool is used for address assignment.

 If the DHCP request packet does not contain the IP address of the DHCP relay agent, the address that is in the same
subnet or network as the IP address of the interface that receives the DHCP request packet is assigned to the DHCP
client. If no address pool is defined for this network segment, address assignment fails.
 If the DHCP request packet contains the IP address of the DHCP relay agent, the address that is in the same subnet
or network as this address is assigned to the DHCP client. If no address pool is defined for this network segment,
address assignment fails.

To configure a DHCP address pool, perform the following tasks as appropriate, of which the first three tasks are
mandatory:

 Configure an address pool name and enter its configuration mode (required)
 Configure a subnet and its mask for the address pool (required)
 Configure the default gateway for the DHCP client (required)
 Configure the address lease period (optional)
 Configure the domain name of the DHCP client (optional)
 Configuring the domain name server (optional)
 Configure the NetBIOS WINS server (optional)
 Configure the NetBIOS node type for the DHCP client (optional)

Enabling/disabling DHCP Address Pool

By default, the DHCP address pool is enabled after it is configured.

Command: pool-status { enable | disable }
Function: Enable or disable the DHCP address pool, in DHCP address pool configuration mode.
enable: Enables the address pool.
disable: Disables the address pool.

The following example disables the address pool.

Ruijie(dhcp-config)# pool-status disable

Configuring an Address Pool Name and Enter Its Configuration Mode

To configure an address pool name and enter the address pool configuration mode, execute the following command in the
global configuration mode:

Command: Ruijie(config)# ip dhcp pool dhcp-pool
Function: Configure an address pool name and enter the address pool configuration mode.

The address pool configuration mode is shown as “Ruijie(dhcp-config)#”.

Enabling Calculation of Network Number and Mask of Dynamic Address Pool

Command: dynamic-pool
Function: Enable the fit AP to calculate the network number and mask of the dynamic DHCP address pool according to its MAC address, in ap-config/ap-group mode.

Command: no dynamic-pool
Function: Remove the setting.

This command is configured on the server of the AC.

The following example enables the fit AP to calculate the network number and mask of the dynamic DHCP address pool
according to its MAC address.

Ruijie(config-group)# dynamic-pool

Configuring the Boot File for the DHCP Client

The boot image file is the file used when the client starts. It is often the operating system image to be downloaded by
the DHCP client.

To configure the boot file for the DHCP client, execute the following command in the address pool configuration mode:

Command Function
Ruijie (dhcp-config)# bootfile filename Configure the name of the boot file for the DHCP client.

Configuring the Default Gateway for the DHCP Client

The IP address of the default gateway must be in the same network as the IP address of the DHCP client.

To configure the default gateway for the DHCP client, execute the following command in the address pool configuration
mode:

Command: Ruijie(dhcp-config)# default-router address [ address2…address8 ]
Function: Configure the default gateway.

Configuring the Address Lease Period

The lease for the address that the DHCP server assigns to the client is one day by default. The client should request to
renew when the lease period is going to expire. Otherwise, it cannot use this address when the lease period expires.

To configure the address lease period, execute the following command in the address pool configuration mode:

Command: Ruijie(dhcp-config)# lease { days [ hours ] [ minutes ] | infinite }
Function: Configure the address lease period.

Configuring the Domain Name of the DHCP Client

The domain name of the DHCP client can be specified. In this way, the domain name suffix will be automatically added to
the incomplete host name to form a complete host name when the DHCP client accesses the network resources using the
host name.

To configure the domain name of the DHCP client, execute the following command in the address pool configuration
mode:

Command Function
Ruijie(dhcp-config)# domain-name domain Configure the domain name.

Configuring the Domain Name Server

A DNS server should be specified for domain name resolution when the DHCP client accesses the network resources
using a host name.

To configure a domain name server for the DHCP client, execute the following command in the address pool configuration
mode:

Command: Ruijie(dhcp-config)# dns-server address [ address2…address8 ]
Function: Configure a DNS server.

Configuring the NetBIOS WINS Server

WINS is a domain name resolution service from Microsoft that TCP/IP networks use to resolve a NetBIOS name to an IP
address. The WINS server runs on Windows NT. After starting, the WINS server receives registration requests from
WINS clients. When a WINS client shuts down, it sends a name release message to the WINS server so that the list of
available computers in the WINS database stays consistent with the network.

To configure a NetBIOS WINS server for the DHCP client, execute the following command in the address pool
configuration mode:

Command: Ruijie(dhcp-config)# netbios-name-server address [ address2…address8 ]
Function: Configure a NetBIOS WINS server.

Configuring the NetBIOS Node Type for the DHCP Client

There are four types of NetBIOS nodes for Microsoft DHCP clients:

 Broadcast. The NetBIOS name is resolved in the broadcast mode;
 Peer-to-peer. The WINS server is asked directly to resolve the NetBIOS name;
 Mixed. First, the name is resolved in the broadcast mode, and then the WINS server is contacted to resolve the name;
 Hybrid. First, the WINS server is asked directly to resolve the NetBIOS name. If there is no response, the NetBIOS name is resolved in the broadcast mode.

By default, Windows operating systems support broadcast or hybrid type NetBIOS nodes. If no WINS server is
configured, the node is of broadcast type. If a WINS server is configured, the node is of hybrid type.

To configure the NetBIOS node type for the DHCP client, execute the following command in the address pool
configuration mode:

Command Function
Ruijie(dhcp-config)# netbios-node-type type Configure the NetBIOS node type.

Configuring the Network Number and Mask of the DHCP Address Pool

To configure dynamic address binding, you must configure the subnet and its mask for the new address pool. A DHCP
address pool provides the DHCP server with an address space that can be assigned to clients. All the addresses in the
address pool are available for the DHCP clients unless address exclusion is configured. The DHCP server assigns the
addresses in the address pool in sequence. If an address already exists in the binding table or this address is detected to
be already present in this network segment, the DHCP server will check the next address until it assigns a valid address.

To configure the subnet and its mask of the DHCP address pool, execute the following commands in the address pool
configuration mode:

Command: Ruijie(dhcp-config)# network network-number mask
Function: Configure the network number and mask of the DHCP address pool.

For the DHCP dynamic address pool of Ruijie products, addresses are assigned based on the physical
address and ID of a DHCP client. This means there should not be two leases for the same DHCP client in
the DHCP dynamic address pool. If path redundancy occurs between the DHCP client and the DHCP server
(the DHCP client can reach the DHCP server by the direct path or relay path), the DHCP server may fail to
assign addresses.
To solve this problem, administrators should avoid path redundancy between the DHCP clients and the
DHCP server in other ways, such as adjusting physical links or network paths.

Configuring DHCP Address Pool to Allocate Address as per Option82

Generally, the DHCP relay agent will insert an option of "Option 82" to carry relevant information about the client during
the process of packet forwarding (such as the VLAN to which the client belongs, slot number, port number or user's 1X
class). Upon receipt of such packets, the DHCP server will allocate addresses according to the specific information about
clients by analyzing Option 82 information. For example, Option 82 can be utilized to allocate a certain range of IP
addresses to clients belonging to a certain VLAN or user class. This feature can be used when it is needed to allocate a
specific range of IP addresses according to user's network allocation information (such as VLAN, slot number or port
number) or user's priority.

Each DHCP address pool can allocate addresses using Option 82 information. Option 82 information will be matched and
classified, and we can specify the allocable address range for the corresponding class. One DHCP address pool can be
associated with multiple classes, and different address ranges can be specified for each class.

During address allocation, the allocable address pool is first determined according to the network segment to which the
client belongs, and then the client's CLASS is determined according to the Option 82 information, so that an IP address
is allocated from the address range corresponding to that CLASS. When a request packet matches multiple classes in the
address pool, addresses are allocated from the address ranges of these classes in the order in which the classes are
configured in the address pool. If a class has no allocable address left, the address range of the next matching class is
used, and so on. Each class corresponds to one address range, and addresses are allocated from low to high. Multiple
classes can be configured with the same address range. If a class is associated with the address pool but no address
range is configured for it, the default address range of that class is the same as that of the address pool to which it
belongs.

To configure the CLASS associated with address pool and the address range corresponding to the class, execute the
following commands in address pool configuration mode:

Command: Ruijie(dhcp-config)# class class-name
Function: Configure the name of the associated class, and enter the class configuration mode of the address pool.

Command: Ruijie(config-dhcp-pool-class)# address range low-ip-address high-ip-address
Function: Configure the corresponding address range.

1. When the class configured cannot be found in global class, a global class will be created automatically;
2. The associated class configured in the address pool may conflict with the static manual binding, and
therefore must not be configured at the same time.
3. Up to 5 classes can be configured for each address pool.

Refreshing Trusted ARP Allocation


Command: ip dhcp refresh arp
Function: Refresh the trusted ARP allocation, in global configuration mode.

The following example refreshes the trusted ARP allocation.

Ruijie(config)#ip dhcp refresh arp

Enabling Trusted ARP Update During Address Allocation


This function is disabled by default.

Command: update arp
Function: Enable DHCP to add trusted ARP entries when allocating addresses, in DHCP address pool configuration mode.

Command: no update arp
Function: Restore the default setting.

Command: default update arp
Function: Restore the default setting.

The trusted ARP has a higher priority than the dynamic ARP and cannot be overwritten.

The following example enables DHCP to add trusted ARP when allocating addresses.

Ruijie(dhcp-config)# update arp

Enabling AM Rule Configuration Mode


Command: address-manage
Function: Enter AM rule configuration mode, in global configuration mode.

This command is configured on the DHCP server and used in combination with supervlan.

The following example enters the AM rule configuration mode.

Ruijie(config)#address-manage

Configuring AM Rule

Command: match ip ip-address netmask [ interface ] [ add/remove ] vlan vlan-list
Function: Define an AM rule in AM rule configuration mode.
ip-address: IP address
netmask: Subnet mask
interface: Interface ID
add/remove: Adds or removes the specified VLAN
vlan-list: VLAN ID

Command: no match ip ip-address netmask [ interface ] [ add/remove ] vlan vlan-list
Function: Restore the default setting.

With this function enabled, all DHCP clients without VLAN+port/VLAN configuration obtain addresses in the rule.

If a DHCP client obtains a static address in a subvlan, it gets that static address regardless of which subvlan it is in. The
AM rule configuration is based on VLAN and applies only to static addresses.

The following example defines an AM rule.

Ruijie(config-address-manage)#match ip 192.168.11.0 255.255.255.0 GigabitEthernet 0/10 vlan 10

Configuring Default AM Rule


Command: match ip default ip-address netmask
Function: Define the default AM rule in AM rule configuration mode.
ip-address: IP address
netmask: Subnet mask

Command: no match ip default ip-address netmask
Function: Restore the default setting.

With this function enabled, all DHCP clients without VLAN+port/VLAN configuration obtain addresses in the default rule.

The following example defines a default AM rule.

Ruijie(config-address-manage)#match ip default 192.168.12.0 255.255.255.0



Configuring Class

Configuring Option82 Matching Information for CLASS

The Option 82 matching information for each CLASS is configured after entering CLASS configuration mode from global
configuration mode. One CLASS can carry multiple pieces of Option 82 matching information, and a packet is considered
matched if it matches any of them. If no matching information is configured for a CLASS, the CLASS matches any request
packet carrying Option 82 information. An address can be allocated from the corresponding address pool only after the
request packet matches a specific CLASS.

To configure global CLASS and the Option 82 information corresponding to the CLASS, execute the following commands
in global configuration mode:

Command: Ruijie(config)# ip dhcp class class-name
Function: Configure the CLASS name and enter global CLASS configuration mode.

Command: Ruijie(config-dhcp-class)# relay agent information
Function: Enter Option 82 matching information configuration mode.

Command: Ruijie(config-dhcp-class-relayinfo)# relay-information hex aabb.ccdd.eeff… [*]
Function: Configure specific Option 82 matching information. aabb.ccdd.eeff… is a hexadecimal string. * means imperfect matching mode: the packet is considered matched if the information before * matches.

1. Global CLASS can have up to 20 matches.
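A model of the address selection rules stated in this section and under "Configuring DHCP Address Pool to Allocate Address as per Option82" above (excluded addresses, sequential allocation, classes matched in configuration order, `*` prefix matching), as an added example that is not part of the original guide and not Ruijie code; the handling of requests without Option 82 or with an unmatched Option 82, the in-use set standing in for the ping probe, and all addresses and Option 82 values are constructed assumptions, as marked in the code:

```python
"""Address selection from an RGOS-style DHCP address pool.

Added example for this guide, not Ruijie code. It follows the rules the text
states for `ip dhcp excluded-address`, `network`, `class` / `address range`
and `relay-information hex ... [*]`: addresses are handed out in sequence;
excluded, already-bound and in-use (ping-answering) addresses are skipped;
each client gets one lease; a request carrying Option 82 is matched against
the classes in configuration order and served from each class's range in
turn (a class without a range uses the whole pool). Assumptions: a request
without Option 82 is served from the pool's range, and one whose Option 82
matches no class gets no address. All sample values are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address


def _hexdigits(s: str) -> str:
    return s.replace(".", "").lower()


@dataclass
class DhcpClass:
    """A global CLASS: Option 82 match patterns and its range in this pool."""
    name: str
    patterns: list[str] = field(default_factory=list)  # 'aabb.ccdd' or 'aabb.ccdd *'
    address_range: tuple[str, str] | None = None       # (low, high); None = whole pool

    def matches(self, option82_hex: str | None) -> bool:
        if option82_hex is None:
            return False          # classes apply only to requests carrying Option 82
        if not self.patterns:
            return True           # no matching information: any Option 82 matches
        value = _hexdigits(option82_hex)
        for pat in self.patterns:
            prefix_only = pat.rstrip().endswith("*")   # '*' = imperfect match
            want = _hexdigits(pat.rstrip("* "))
            if (value.startswith(want) if prefix_only else value == want):
                return True
        return False


@dataclass
class DhcpPool:
    network: ipaddress.IPv4Network
    excluded: list[tuple[str, str]] = field(default_factory=list)  # excluded-address
    classes: list[DhcpClass] = field(default_factory=list)         # configuration order
    in_use: set[str] = field(default_factory=set)   # would answer the ping probe
    use_class: bool = True                          # ip dhcp use class
    bindings: dict[str, str] = field(default_factory=dict)         # client-id -> ip

    def _excluded(self, ip: IPv4) -> bool:
        return any(IPv4(lo) <= ip <= IPv4(hi) for lo, hi in self.excluded)

    def _free(self, low: IPv4, high: IPv4):
        """Yield assignable addresses from low to high, in sequence."""
        taken = set(self.bindings.values()) | self.in_use
        ip = low
        while ip <= high:
            if (self.network.network_address < ip < self.network.broadcast_address
                    and not self._excluded(ip) and str(ip) not in taken):
                yield ip
            ip += 1

    def allocate(self, client_id: str, option82_hex: str | None = None) -> str | None:
        if client_id in self.bindings:              # one lease per client
            return self.bindings[client_id]
        whole = (self.network.network_address + 1, self.network.broadcast_address - 1)
        ranges = [whole]
        if self.use_class and self.classes and option82_hex is not None:
            ranges = [(IPv4(c.address_range[0]), IPv4(c.address_range[1]))
                      if c.address_range else whole
                      for c in self.classes if c.matches(option82_hex)]
        for low, high in ranges:                    # matching classes, in order
            for ip in self._free(low, high):
                self.bindings[client_id] = str(ip)
                return str(ip)
        return None


# Constructed Option 82 payloads; only the prefix matters for the class match.
VLAN10_OPT82 = "0106.0004.0001.000a.0203.0001"
VLAN20_OPT82 = "0106.0004.0001.0014.0203.0001"


def demo_pool() -> DhcpPool:
    """A /24 with the gateway/server addresses excluded and two classes."""
    return DhcpPool(
        network=ipaddress.IPv4Network("192.168.1.0/24"),
        excluded=[("192.168.1.1", "192.168.1.10")],
        classes=[DhcpClass("vlan10", ["0106.0004.0001.000a *"],
                           ("192.168.1.100", "192.168.1.101")),
                 DhcpClass("any82", [], ("192.168.1.150", "192.168.1.160"))],
        in_use={"192.168.1.11"},
    )
```

Running `demo_pool()` through clients A, B, C with the VLAN 10 Option 82 gives .100, .101 and then .150 (the vlan10 range is exhausted, so the next matching class serves C); a VLAN 20 client gets .151 from the catch-all class, and a client without Option 82 gets .12, the first address that is neither excluded nor in use.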

Configuring Remark Information for CLASS

To configure remark information to describe the meaning of CLASS, execute the following commands in global
configuration mode:

Command: Ruijie(config)# ip dhcp class class-name
Function: Configure the CLASS name and enter CLASS configuration mode.

Command: Ruijie(config-dhcp-class)#remark used in #1 building
Function: Configure remark information.

Configuring whether or not to use CLASS Allocation

To configure address allocation using CLASS, execute the following commands in global configuration mode:

Command Function
Ruijie(config)# ip dhcp use class Configure address allocation using CLASS.

This command is enabled by default. Execute the no form of the command to disable address allocation using CLASS.

Manual Address Binding


Address binding refers to the IP address to MAC address mapping for the DHCP clients. You can bind addresses in two
ways.

 Manual binding: Configure the static IP address to MAC address mapping for the DHCP client on the DHCP server
manually. Manual binding actually offers a special address pool;
 Dynamic binding: Upon receiving a DHCP request from the DHCP client, the DHCP server dynamically assigns an
IP address from the DHCP address pool to the DHCP client, and thus mapping the IP address to the MAC address
for the DHCP client.

To define manual address binding, you first need to define a host address pool for each manual binding, and then define
the IP address and hardware address (MAC address) or ID for the DHCP client. Generally, a client ID instead of a MAC
address, is defined for the Microsoft clients. The client ID contains media type and MAC address. For the codes of media
types, refer to Address Resolution Protocol Parameters in RFC 1700. The code of Ethernet type is “01”.

To configure the manual address binding, execute the following commands in the address pool configuration mode:

Command: Ruijie(config)# ip dhcp pool name
Function: Define the name of the DHCP address pool and enter the DHCP configuration mode.

Command: Ruijie(dhcp-config)# host address
Function: Define an IP address for the DHCP client.

Command: Ruijie(dhcp-config)# hardware-address hardware-address type
Function: Define a hardware address for the DHCP client, such as aabb.bbbb.bb88.

Command: Ruijie(dhcp-config)# client-identifier unique-identifier
Function: Define an ID for the DHCP client, such as 01aa.bbbb.bbbb.88.

Command: Ruijie(dhcp-config)# client-name name
Function: (Optional) Define the client name using standard ASCII characters. Do not include the domain name in the client name. For example, if you define the host name mary, do not define it as mary.rg.com.

Configuring Ping Times


By default, when trying to assign an IP address from the DHCP address pool to a DHCP client, the DHCP server pings
the IP address twice (one packet each time). If there is no response, the DHCP server considers the address idle and
assigns it to the DHCP client. If there is a response, the DHCP server considers the address in use and tries the next
address, until an address is assigned successfully.

To configure the number of Ping packets, execute the following commands in the global configuration mode:
Configuration Guide Configuring DHCP

Command Function
Ruijie(config)# ip dhcp ping packets number Configure the number of Ping packets sent before the DHCP server assigns an address. If it is set to 0, the Ping operation is not performed. The default value is 2.

Configuring Ping Packet Timeout


By default, the DHCP server considers an IP address unused if it has not received a response within 500 milliseconds
after pinging that address. You can adjust the Ping packet timeout.

To configure the Ping packet timeout, execute the following commands in the global configuration mode:

Command Function
Ruijie(config)# ip dhcp ping timeout milliseconds Configure the Ping packet timeout for the DHCP server. The default value is 500ms.

Configuring the DHCP Client on the Ethernet Interface


Ruijie products support obtaining the IP address dynamically assigned by the DHCP server on an Ethernet interface.

To configure the DHCP client on the Ethernet port, execute the following command in the interface configuration mode:

Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP.

Configuring the DHCP Client in the PPP Encapsulation Link


Ruijie products support obtaining the IP address dynamically assigned by the DHCP server on a PPP encapsulation
interface.

To configure the DHCP client, execute the following command in the interface configuration mode:

Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP.

Configuring the DHCP Client in the FR Encapsulation Link


Ruijie products support obtaining the IP address dynamically assigned by the DHCP server on an FR encapsulation
interface.

To configure the DHCP client, execute the following command in the interface configuration mode:

Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP.

Configuring the DHCP Client in the HDLC Encapsulation Link


Ruijie products support obtaining the IP address dynamically assigned by the DHCP server on an HDLC encapsulation
interface.

To configure the DHCP client, execute the following command in the interface configuration mode:

Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP.

For some products in v10.1, the DHCP client supports obtaining the IP address assigned by the DHCP server over a
point-to-point link with PPP, HDLC or FR encapsulation.

Monitoring and Maintaining Information

Monitoring and Maintaining the DHCP Server


Three types of commands are available for monitoring and maintaining the DHCP server:

 Clear commands, used to clear such information as DHCP address binding, address conflict and server
statistics;
 Debug commands, used to output necessary debugging information. Such commands are mainly used to diagnose
and fix faults;
 Show commands, used to show information about DHCP.

Ruijie products provide five clear commands. To clear information, execute the following commands in the command
execution mode:

Command Function
Ruijie# clear ip dhcp binding { address | * } Clear the DHCP address binding information.
Ruijie# clear ip dhcp conflict { address | * } Clear the DHCP address conflict information.
Ruijie# clear ip dhcp server statistics Clear the DHCP server statistics.
Ruijie# clear ip dhcp history { * | mac-address } Clear the DHCP history.
Ruijie# clear ip dhcp relay statistics Clear the DHCP relay statistics.
Ruijie# clear ip dhcp server rate Clear statistics about the packet processing rate of every module.

To debug the DHCP server, execute the following command in the command execution mode:

Command Function
Ruijie# debug ip dhcp server [ events | packet ] Debug the DHCP server.

To show the working status of the DHCP server, execute the following commands in the command execution mode:

Command Function
Ruijie# show ip dhcp binding [ address ] Show the DHCP address binding information.
Ruijie# show ip dhcp conflict Show the DHCP address conflict information.
Ruijie# show ip dhcp server statistics Show the DHCP server statistics.
Ruijie# show ip dhcp relay-statistics Show the DHCP relay statistics.
Ruijie# show ip dhcp socket Show the socket used by the DHCP server.

Monitoring and Maintaining the DHCP Client


There are two types of commands for monitoring and maintaining the DHCP client. The following operations can be
performed on the DHCP client:

 Debug commands, used to output necessary debugging information. Such commands are mainly used to diagnose
and clear faults.
 Show commands, used to show information about DHCP.

To debug the DHCP client, execute the following command in the command execution mode:

Command Function
Ruijie# debug ip dhcp client Debug the DHCP client.

To show information about the lease that the DHCP client obtains, execute the following command in the command
execution mode:

Command Function
Ruijie# show dhcp lease Show the information about DHCP lease.

Example of Configuring Address Pool to Support Option82

In the following example, an address pool of "net82" is defined; the address pool is in the network segment of
172.16.1.0/24, and the associated classes include class1, class2, class3 and class4. Class1 will allocate addresses from
the range of 172.16.1.1-172.16.1.8; class2 will allocate addresses from the range of 172.16.1.9-172.16.1.18; class3 will
allocate addresses from the range of 172.16.1.19-172.16.1.28; class4 has no defined address range, and will allocate
addresses from the range of entire network segment. Configure class1 to match Option 82 information of 0100002120,
class2 to match 0106020145, class3 to match 06020506*, and class4 to match any information.

!
ip dhcp class class1
relay agent information
relay-information hex 0100002120
!
ip dhcp class class2
relay agent information
relay-information hex 0106020145
!
ip dhcp class class3
relay agent information
relay-information hex 06020506*
!
ip dhcp class class4
!
ip dhcp pool net82
network 172.16.1.0 255.255.255.0
class class1
address range 172.16.1.1 172.16.1.8
class class2
address range 172.16.1.9 172.16.1.18
class class3
address range 172.16.1.19 172.16.1.28
class class4
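As an added illustration (not Ruijie code and not the device's implementation), the following Python model reproduces the allocation rules this chapter describes, using the net82 pool above: Option 82 class matching with the trailing "*" wildcard, class address ranges, excluded addresses, manual bindings keyed by a client identifier built as media type 01 plus the MAC address, and the ping check (ping packets and timeout) run before an address is handed out. The probe callback is a hypothetical stand-in for the server's ICMP ping so the model runs offline.

```python
import ipaddress
from typing import Callable, Dict, Iterator, List, Optional, Set, Tuple


def client_identifier(mac: str, media_type: str = "01") -> str:
    """Value for 'client-identifier': media type (01 = Ethernet, RFC 1700) plus MAC,
    in dotted groups of four hex digits; 0013.2049.9014 becomes 0100.1320.4990.14."""
    digits = media_type + "".join(c for c in mac.lower() if c not in ".:-")
    if len(digits) != 14 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("expected a 2-digit media type plus a 12-hex-digit MAC")
    return ".".join(digits[i:i + 4] for i in range(0, 14, 4))


class DhcpClass:
    """One 'ip dhcp class' entry and its 'address range' inside the pool."""

    def __init__(self, name: str, relay_info_hex: Optional[str] = None,
                 addr_range: Optional[Tuple[str, str]] = None):
        self.name = name
        self.pattern = relay_info_hex.lower() if relay_info_hex else None
        self.addr_range = addr_range  # None: allocate from the whole segment

    def matches(self, option82_hex: str) -> bool:
        if self.pattern is None:            # no relay-information: any client
            return True
        value = option82_hex.lower()
        if self.pattern.endswith("*"):      # trailing wildcard: prefix match
            return value.startswith(self.pattern[:-1])
        return value == self.pattern        # otherwise an exact match


class DhcpPool:
    """Pool with classes, excluded addresses, manual bindings and the ping check."""

    def __init__(self, network: str, classes: List[DhcpClass], excluded=(),
                 ping_packets: int = 2, ping_timeout_ms: int = 500,
                 probe: Optional[Callable[[str, int], bool]] = None):
        self.network = ipaddress.IPv4Network(network)
        self.classes = classes
        self.excluded: Set[str] = set(excluded)   # 'ip dhcp excluded-address'
        self.ping_packets = ping_packets          # 'ip dhcp ping packets'
        self.ping_timeout_ms = ping_timeout_ms    # 'ip dhcp ping timeout'
        # probe(addr, timeout_ms) -> True if the address answered: a hypothetical
        # stand-in for the server's ICMP ping so that the model runs offline.
        self.probe = probe or (lambda addr, timeout_ms: False)
        self.manual: Dict[str, str] = {}   # client-identifier -> host address
        self.leases: Dict[str, str] = {}   # address -> client-identifier
        self.conflicts: Set[str] = set()   # what 'show ip dhcp conflict' lists

    def bind(self, client_id: str, address: str) -> None:
        """Manual binding: reserve one host address for one client-identifier."""
        self.manual[client_id] = address

    def _candidates(self, cls: DhcpClass) -> Iterator[str]:
        if cls.addr_range is None:
            return (str(a) for a in self.network.hosts())
        first, last = (int(ipaddress.IPv4Address(a)) for a in cls.addr_range)
        return (str(ipaddress.IPv4Address(i)) for i in range(first, last + 1))

    def _in_use(self, address: str) -> bool:
        """Ping 'ping_packets' times; any reply means the address is in use."""
        return any(self.probe(address, self.ping_timeout_ms)
                   for _ in range(self.ping_packets))

    def allocate(self, client_id: str, option82_hex: str = "") -> Optional[str]:
        """Return the address the server would assign this client, or None."""
        if client_id in self.manual:              # manual binding comes first
            return self.manual[client_id]
        cls = next((c for c in self.classes if c.matches(option82_hex)), None)
        if cls is None:
            return None
        skip = (self.excluded | set(self.manual.values())
                | set(self.leases) | self.conflicts)
        for addr in self._candidates(cls):
            if addr in skip:
                continue
            if self._in_use(addr):                # someone answered: conflict
                self.conflicts.add(addr)
                continue
            self.leases[addr] = client_id
            return addr
        return None


def build_net82(probe: Optional[Callable[[str, int], bool]] = None) -> DhcpPool:
    """The 'net82' pool and its four classes, taken from the example above."""
    classes = [
        DhcpClass("class1", "0100002120", ("172.16.1.1", "172.16.1.8")),
        DhcpClass("class2", "0106020145", ("172.16.1.9", "172.16.1.18")),
        DhcpClass("class3", "06020506*", ("172.16.1.19", "172.16.1.28")),
        DhcpClass("class4"),
    ]
    return DhcpPool("172.16.1.0/24", classes, probe=probe)
```

With a probe that makes 172.16.1.1 answer, the first class1 client is offered 172.16.1.2 and .1 lands in the conflict set; a client whose Option 82 value matches no class pattern falls through to class4 and draws from the whole segment.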

Typical DHCP Configuration Example

Topological Diagram

Fig 2 Diagram of DHCP example

Application Requirements

Switch A serves as a DHCP Server that allocates dynamic IP addresses to some clients and fixed IP addresses to
others.

DNS Server can provide domain name resolution service for the IP addresses allocated by DHCP server to clients,
namely the clients can access network resources via host names. WINS Server can translate host names into IP
addresses for hosts communicating through NETBIOS protocol.

Configuration Tips

1. Enable DHCP server on Switch A and create an address pool to configure dynamic IP address allocation. Meanwhile,
create an address pool to bind IP address manually.

2. Specify the address of Domain Name Server (addresses of DNS Server and WINS Server in this example) and domain
name of client in the corresponding address pool.

This example only illustrates the configuration of DHCP Server related features on Switch A. On Switch B, all
access users belong to VLAN 1 by default, and an access PC obtains a dynamically allocated IP address. For other
applications, refer to the relevant configurations.

Configuration Steps

Step 1: On Switch A, create a new DHCP address pool and configure dynamic IP address allocation.

! Configure the name of address pool as "dynamic" and enter DHCP configuration mode.

SwitchA#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)#ip dhcp pool dynamic

! In DHCP configuration mode, configure an IP address network allocable to clients and configure the default gateway of
this network segment.

SwitchA(dhcp-config)#network 192.168.1.0 255.255.255.0
SwitchA(dhcp-config)#default-router 192.168.1.1 255.255.255.0

Step 2: Specify the DNS Server of "dynamic" address pool and configure the domain name of client.

! Assuming that the IP address of DNS Server is 192.168.1.2; configure Domain Name Server in the address pool and
configure the domain name of client as ruijie.com.

SwitchA(dhcp-config)#dns-server 192.168.1.2
SwitchA(dhcp-config)#domain-name ruijie.com

Step 3: Specify the WINS Server of "dynamic" address pool and configure the NetBIOS node type of client.

! Assuming that the IP address of the WINS Server is 192.168.1.3; configure the NetBIOS WINS server in the address pool
and configure the NetBIOS node type as Hybrid.

SwitchA(dhcp-config)#netbios-name-server 192.168.1.3
SwitchA(dhcp-config)#netbios-node-type h-node

Step 4: Configure excluded addresses in global mode.

! As shown above, IP addresses of 192.168.1.1, 192.168.1.2 and 192.168.1.3 have been allocated to the gateway, DNS
server and WINS server. By configuring excluded addresses, these addresses won't be allocated to clients.

SwitchA(dhcp-config)#exit
SwitchA(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.3

Step 5: Create another address pool and manually bind the IP address.

! Configure the name of address pool as "static" and enter DHCP configuration mode.

SwitchA(config)#ip dhcp pool static

! Manually bind the IP address 192.168.1.4/24 to the MAC address 0013.2049.9014, with the client name "admin".
Note: The client identifier must start with the network media type ("01" for Ethernet), so the identifier of the client
corresponding to the manually bound MAC address is 0100.1320.4990.14.

SwitchA(dhcp-config)#host 192.168.1.4 255.255.255.0
SwitchA(dhcp-config)#client-identifier 0100.1320.4990.14
SwitchA(dhcp-config)#client-name admin

Step 6: Specify the gateway address corresponding to the "static" address pool.

! Configure gateway address as 192.168.1.1/24.

SwitchA(dhcp-config)#default-router 192.168.1.1 255.255.255.0

Step 7: Specify the DNS Server of "static" address pool and configure the domain name of client.

! Assuming that the IP address of DNS Server is 192.168.1.2; configure Domain Name Server in the address pool and
configure the domain name of client as ruijie.com.

SwitchA(dhcp-config)#dns-server 192.168.1.2
SwitchA(dhcp-config)#domain-name ruijie.com

Step 8: Specify the WINS Server of "static" address pool and configure the NetBIOS node type of client.

! Assuming that the IP address of the WINS Server is 192.168.1.3; configure the NetBIOS WINS server in the address pool
and configure the NetBIOS node type as Hybrid.

SwitchA(dhcp-config)#netbios-name-server 192.168.1.3
SwitchA(dhcp-config)#netbios-node-type h-node
SwitchA(dhcp-config)#exit

Step 9: Configure the SVI interface of client.

! By default, all access clients belong to VLAN 1; configure the SVI of VLAN 1 as 192.168.1.1/24.

SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 192.168.1.1 255.255.255.0

Step 10: Enable DHCP Server on Switch A.

SwitchA(config-if)#exit
SwitchA(config)#service dhcp

Verification

Step 1: Display the configurations of Switch A.

SwitchA#show running-config
!
service dhcp
!
ip dhcp excluded-address 192.168.1.1 192.168.1.3
!
ip dhcp pool dynamic
netbios-node-type n-node
netbios-name-server 192.168.1.3
domain-name ruijie.com
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.2
default-router 192.168.1.1 255.255.255.0
!
ip dhcp pool static
client-name admin
client-identifier 0100.1320.4990.14
host 192.168.1.10 255.255.255.0
netbios-node-type n-node
netbios-name-server 192.168.1.3
domain-name ruijie.com
dns-server 192.168.1.2
default-router 192.168.1.1 255.255.255.0
!
interface VLAN 1
no ip proxy-arp
ip address 192.168.1.1 255.255.255.0

Step 2: Connect two PCs to Switch B, with the MAC address of one PC being 0013.2049.9014. View the IP address
allocated by DHCP Server on Switch A.

SwitchA#show ip dhcp binding


IP address      Client-Identifier/Hardware address   Lease expiration             Type
192.168.1.4     0100.e04c.70b7.e2                    000 days 23 hours 48 mins    Automatic
192.168.1.10    0100.1320.4990.14                    Infinite                     Manual
Configuration Guide Configuring DHCPv6

Configuring DHCPv6

DHCPv6 Overview

Along with the development of IPv6, IPv6-based networks are being deployed more and more widely. Automatic
configuration of network nodes, part of the framework proposed at the beginning of the IPv6 design, has become a key
feature of IPv6 networks. In this new framework, the concepts of stateless configuration and stateful configuration were
introduced. Through stateless auto-configuration, new nodes in the network complete all of their configuration via
Router Advertisement; in stateful auto-configuration, network nodes need to interact with a configuration server in
the network in order to configure their network address and other parameters. As the only stateful configuration
model developed so far, DHCPv6 is fully described in RFC3315.

A fairly complete description of the DHCPv6 application model is given in RFC3315 (Dynamic Host Configuration
Protocol for IPv6). Similar to the DHCPv4 framework, the DHCPv6 application model is composed of the DHCP server,
DHCP clients and DHCP relay. Configuration parameters are obtained through the interaction between DHCP clients
and the DHCP server, while the DHCP relay links DHCP clients with a DHCP server outside the local link. Message
interaction and parameter maintenance basically follow the practices of DHCPv4, but DHCPv6 does adapt the message
structure and processing to the new network.

In IPv6 network, the auto-configuration of network nodes can be divided into:

 Stateless auto-configuration: Network nodes will acquire configuration parameters from route advertisement.

 Stateful auto-configuration: Network nodes will acquire configuration parameters from the DHCPv6 server.

Fig 1-1 DHCPv6 stateful auto-configuration

As shown in the above figure, the new network node (host or interface) will send a multicast message (Solicit) to all the
DHCPv6 servers and DHCPv6 relays in the local link (address: FF02::1:2; port: 547), and the DHCPv6 servers will send
the unicast Advertise reply message after receiving such message. After selecting the DHCP server, the DHCP clients will
send the Request message to solicit for configuration information, and the DHCP server will send Reply message after
completing the allocation of parameters.

As mentioned above, such a 4-message interaction is very similar to the 4-message interaction in DHCPv4 (Discover -
Offer - Request - Ack). Certainly, DHCPv6 has made further modifications and expansions.

 Multicast is used instead of broadcast because broadcast has been abolished in the IPv6 network.

 By utilizing the option of Rapid Commit, the 4-message interaction can be simplified into 2-message interaction
(Solicit - Reply).

 New DHCP message structure. DHCPv6 has substantially modified the original DHCPv4 message and removed the
optional parameters from the header of the DHCP message. Only the few fields used in all interactions are preserved;
all other optional fields are encapsulated in the option field of the DHCP message. When a DHCP relay sits between
the DHCP client and the DHCP server, the DHCP message sent by the DHCP client to the DHCP server is encapsulated
whole in the DHCP relay message as an option.

 New address parameters. As mentioned above, in DHCPv6, the address field is deleted from the fixed header of the
DHCP message, and the entire address parameters and relevant time parameters are encapsulated in an option
called IA (Identity Association). Each DHCPv6 client is associated with one IA, and each IA can contain multiple
addresses and relevant time information. The corresponding IA can be generated in accordance with the type of
address, such as IA_NA (Identity association for non-temporary addresses) and IA_TA (Identity association for
temporary addresses).

 New DHCP client/server identifier, namely DUID (DHCP Unique Identifier).

 Stateless DHCPv6 auto-configuration. During the auto-configuration of network nodes, the address configuration is
independent from parameter configuration, and each corresponding configuration can be acquired via the DHCP
protocol, which means network nodes can acquire other non-address parameters from the DHCPv6 server.
Compared with the allocation method used in DHCPv4, this is a critical change. Relevant information is detailed in
RFC3736.

 Prefix delegation. Apart from IPv6 addresses, a network prefix can also be delegated via DHCPv6. This is also made
possible by the definition of IA in DHCPv6: by extending the IA type, a prefix can be delegated to the client in the
same form as an address (together with its time parameters). This new type of IA is called IA_PD (Identity Association
for Prefix Delegation) and is detailed in RFC3633.

Introduction to the DHCPv6 Server

IPv6 address allocation method

In the IPv6 network, a 128-bit IPv6 address is usually written in the hexadecimal format, making it difficult to allocate
addresses manually. As the IPv6 address format is inconvenient for people to identify, the automatic allocation method for
IPv6 addresses is a key part in network planning. To allocate addresses without or with minimum man-made interference,
many applications have been developed to handle addresses and parameters allocated to IPv6 hosts. Several IPv6
address allocation methods are described as follows:

 Manual allocation

The method is to configure an IPv6 address statically through manual allocation. The method is applicable to configuration
of router interfaces and static network parameters. Manual allocation method may lead to many errors.

 Stateless automatic address allocation

The stateless address auto-configuration is to allocate addresses to IPv6 nodes without man-made interference. If this
method is applied on one IPv6 node, this node must be connected with at least one IPv6 router through the network. The
IPv6 router is configured by the administrator to send Router Advertisement messages on the link. Such messages will be
received by the IPv6 node connected to the router and the node will configure the IPv6 address and routing parameters.

 Stateful DHCPv6 method



The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) defined by RFC3315 enables DHCP Server to send
configuration parameters such as IPv6 address to IPv6 nodes. The protocol enables adding network addresses flexibly
and using them repeatedly.

 DHCPv6-PD method

The DHCPv6 Prefix Delegation (DHCPv6-PD) method defined by RFC3633 is developed on the basis of DHCPv6. In the
typical DHCPv6 method, the DHCPv6 Server allocates stateful IPv6 addresses to the DHCPv6 Client. Building on
DHCPv6, the DHCPv6-PD method enables the DHCPv6-PD Server to allocate a complete subnet, together with other
network and interface parameters, to the DHCPv6-PD Client by delivering Prefix Delegation information.

 Stateless DHCPv6 method

The stateless DHCPv6 method combines characteristics of stateless automatic address allocation and the stateful
DHCPv6 method. The device uses stateless automatic address allocation to obtain its IPv6 address and uses DHCPv6
to obtain the other parameters that stateless automatic address allocation cannot provide. The device then uses this
information to complete its configuration.

In network planning, the above-mentioned IPv6 address and parameter allocation methods can be used
concurrently.

Ruijie DHCPv6 Server supports IPv6 address and prefix allocation. IPv6 address allocation assigns IPv6 addresses
automatically to the DHCPv6 Client. Prefix allocation realizes flexible, automatic site-level configuration and so
controls the site address space flexibly. Network terminals such as PCs can use stateless or stateful automatic
configuration to configure their addresses and other network parameters automatically.

Ruijie DHCPv6 Server also supports DHCPv6-PD Server. DHCPv6 Server and DHCPv6-PD Server are collectively
referred to as DHCPv6 Server.

Application of DHCPv6

The DHCPv6 server realizes the allocation of IAPD and IANA. The allocation of IANA refers to the automatic allocation of
IPv6 address to the DHCP client, which is similar to DHCPv4. The allocation of IAPD allows flexible site-level
auto-configuration to control the address range of sites. Terminal devices (such as PC) can realize auto-configuration of
address via stateless auto-configuration or stateful auto-configuration.

Fig 1-2 Prefix-based DHCPv6 application



The above figure illustrates the application of prefix-based DHCPv6 in IPv6 network.

 Core router runs prefix delegation (PD) based DHCPv6 server.

 IPv6 multi-service router runs the DHCPv6 client on the interface connecting to the core router, acquiring prefix
space from the core router and storing it in the global prefix pool of IPv6.

 IPv6 multi-service router enables auto-configuration on the interface connecting to the desktop computer and runs
interface-based router advertisement or address assignment (NA) based DHCPv6 server.

 The desktop computer completes address and parameter configuration via ND or address assignment (NA) based
DHCPv6 client.

In the above model, DHCPv6 fulfils the following functions:

 The DHCP client (host, node) sends out prefix delegation (PD) based multicast solicit message within the link to look
for DHCPv6 servers.

 The DHCP servers will send unicast advertisement message to the DHCP client after receiving such solicitation
message.

 The DHCP client will select one server and send a multicast request message.

 The DHCP server will then send a unicast reply message to complete address assignment.

In the IPv6 network, DHCPv6 can be applied to enable user terminals to obtain IPv6 addresses and related parameters
automatically.

Figure 1-3 DHCPv6 communication process



A typical DHCPv6 communication process:

1) DHCPv6 client sends a Solicit packet with the destination address of FF02::1:2 and destination UDP port of 547 to
demand the DHCP service. All the DHCPv6 servers in the network segment will receive the packet.
2) After receiving the Solicit packet, each DHCPv6 server will send an Advertise packet in reply through unicast to state
that it can provide the DHCP service.
3) The DHCPv6 client will choose a server among those that have sent the Advertise packets to it, and send a Request
packet with the destination address of FF02::1:2 and destination UDP port of 547 to announce the server that has
been chosen by it. All the DHCPv6 servers in the network segment will receive the packet.
4) After the DHCPv6 server that has been chosen receives the Request packet, it will send a Reply packet through
unicast to announce the IP address allocated for the DHCPv6 client and other information.

FF02::1:2 is used to identify all the DHCPv6 servers and relays in the same network segment.
The Solicit and Request packets use this address as the destination address. The packets are only
transmitted within the network segment.

DUID Overview

DUID means the DHCP Unique Identifier. The RFC3315 defines that each DHCPv6 device (including the client, relay and
server) must have a DHCPv6 unique identifier for identification during the exchange of DHCPv6 messages between
devices. DUID cannot be used for any other purposes. For all DHCPv6 devices, DUID must be designed as unrepeatable
and fixed for any devices. For example, a device's DUID must remain the same when any part of the device is replaced. A
DUID has a maximum length of 128 bytes. The protocol provides three types of DUID definitions:

 DUID based on link-layer address plus time, DUID-LLT;

 DUID assigned by vendor based on enterprise number, DUID-EN; and

 link-layer address, DUID-LL

Currently, Ruijie DHCPv6 devices use DUID-LL. The structure of the DUID-LL is as follows:

Figure 1-4

In this structure, the DUID type field identifies the type of DUID; for DUID-LL its value is 0x0003. The Hardware type
field identifies the link-layer hardware type; the hardware type supported by the device is Ethernet, whose value is
0x0001. The Link layer address field carries the link-layer address, which is the device's MAC address.

DHCPv6 address allocation

Unlike DHCPv4, Server in DHCPv6 allocates an identity association (IA) rather than an address to each Client. DHCPv6
Server will allocate addresses on the IA basis and each IA has an IAID unique identifier. The identity association identifier
(IAID) is generated by DHCPv6 Client. Each IA is only corresponding to one Client and can contain multiple addresses.
The Client can allocate addresses in the IA to other interfaces on the device. Addresses contained in an IA can be divided
into the following three types:

 Non-temporary address (NA), globally unique address;

 Temporary address (TA), with few related applications;

 Prefix delegation (PD);

According to the types of addresses contained in IAs, IAs can be divided into three types, namely IA_NA, IA_TA and
IA_PD. Ruijie DHCPv6 Server supports IA_NA and IA_PD, but not IA_TA.

DHCPv6 Bindings

The DHCPv6 Bindings is a group of manageable address information structures. The binding is based on the IA and can
be identified by Server and Clients. The binding data on Server records the IA allocated to each Client and other
configuration information. Each Client can apply for several bindings. Binding data on the Server is managed in the
binding table and can be searched by DUID, IA-Type and IAID.

DHCPv6 packet type

RFC3315 provides that DHCPv6 can use UDP546 and 547 ports to send and receive packets. The DHCPv6 Client uses
port 546 to receive packets, while DHCPv6 Server and Relay use port 547 to receive packets. RFC3315 defines that
packets of the following types can be exchanged among DHCPv6 Server, Client and Relay:

 Types of packets that can be sent by Client to Server: Solicit, Request, Confirm, Renew, Rebind, Release, Decline
and Information-request;

 Types of packets that can be sent by Server to Client: Advertise, Reply and Reconfigure;

 Types of packets that can be sent by Relay to Relay or Server: Relay-forward;

 Types of packets that can be sent by Server or Relay to Relay: Relay-reply;

To simplify the DHCP communication process, not all types of packets are used. Users can decide which type of packets
should be used based on the DHCPv6 options carried by packets. The DHCP data also vary with the options chosen. In
terms of packet types and functions, DHCPv6 is similar with DHCPv4. Although DHCPv6 packets are adjusted to new
networks and processes, some packet types in DHCPv6 are corresponding to those in DHCPv4. The following table
outlines the corresponding relationship between packet types of DHCPv6 and DHCPv4:

DHCPv6 packet type DHCPv4 packet type
Solicit (1) DHCPDISCOVER
Advertise (2) DHCPOFFER
Request (3), Renew (5), Rebind (6) DHCPREQUEST
Reply (7) DHCPACK / DHCPNAK
Release (8) DHCPRELEASE
Information-request (11) DHCPINFORM
Decline (9) DHCPDECLINE
Confirm (4) None
Reconfigure (10) DHCPFORCERENEW
Relay-forward (12), Relay-reply (13) None

The Reconfigure type of packets is not supported by Ruijie DHCPv6 Server. Please refer to the Guide for
DHCP Configuration chapter for information about DHCPv4.

Working principle of DHCPv6 Server

The application mode of DHCPv6 is generally developed on the basis of the DHCPv4 framework. The application mode of
DHCPv6 comprises Server, Client and Relay. Configuration parameters are obtained through communication between
Client and Server. Relay can connect Client with a Server that is not on the local link. In terms of the exchange of packets
and maintenance of parameters, DHCPv6 is generally similar to DHCPv4. However, it has adjusted the packet structure
and handling process to the new network.

Comparison between DHCPv6 and DHCPv4

 DHCPv6 applies a new packet structure. The original DHCPv4 packets have been largely modified. Optional parameters
in DHCPv4 packet headers are removed, leaving only the few fields required for the exchange of all packets. Other optional
fields are encapsulated as options in the option domain of packets.

 DHCPv6 applies new address parameters. As mentioned above, the address field in the fixed packet head in
DHCPv4 is removed in DHCPv6. All the address parameters and related time parameters are encapsulated in the IA
option. Each DHCPv6 Client is associated with an IA and each IA may contain several addresses and related time
information; the corresponding type of IA, such as IA_NA, IA_TA or IA_PD, will be generated according to the
address type;

 DHCPv6 adopts a new client/server identifier, namely DUID;

 DHCPv6 supports the stateless automatic DHCPv6 configuration, which means that when automatic configuration is
being performed on a network node, the address and parameters can be configured separately, and each
configuration can be obtained through the DHCP method. Therefore, network nodes can obtain parameters in
addition to addresses through a DHCPv6 server. This is a substantial difference from the allocation mode of
DHCPv4.

 DHCPv6 supports prefix-based allocation so that in addition to IPv6 addresses, network prefixes can also be
allocated through DHCPv6.

DHCPv6's basic application mode is shown in the following figure:



Figure 1-5 Typical DHCPv6 address allocation

A typical DHCPv6 address allocation process, as shown in the above figure, runs as follows:

1) DHCPv6 Client sends a multicast Solicit packet with the destination address of FF02::1:2 and destination UDP port
of 547 on the local link. All the DHCPv6 Servers and Relays on the local link will receive the packet.
2) After DHCPv6 Servers receive the packet, they will send unicast Advertise packets in reply;
3) After DHCPv6 Client chooses a Server, it will send a multicast Request packet with the destination address of
FF02::1:2 and destination UDP port of 547 on the local link.
4) After the DHCPv6 Server receives the Request packet, it will send a unicast Reply packet in reply and the
configuration process completes.

The DHCPv6 communication process involves four packets and is similar with the DHCPv4 communication process,
which also involves four packets (Discover, Offer, Request and Ack). The special option Rapid Commit can be used to
shorten the communication process to involve only two packets (Solicit and Reply). The Client can add this option into the
Solicit packet. The Server will send the Reply packet after receiving the packet. The shortened process is shown as
follows:

Figure 1-6 Shortened 2-packet communication

A Relay can be added between Server and Client to perform the address allocation between Client and Server on
different network segments. The request packet sent by Client will be encapsulated as an option in the Relay-forward
packet and sent to Server. After the request is obtained by Server from the request message, the reply message will be
encapsulated in the Relay message option of the Relay-reply packet and the Relay-reply packet will be sent to Relay. The
reply message will be forwarded to Client after being obtained. The process is shown as follows:

Figure 1-7 Communication between Server, Relay and Client

When the Client's network connection changes, the Client sends a Confirm packet to the Server to ask whether the
resource previously allocated by the Server is still usable. After the Server receives the packet, it sends a Reply packet
to the Client. The process is shown as follows:

Figure 1-8 Server replies to a Confirm packet

If the Client uses stateless address configuration but obtains other parameters through DHCPv6, the Client sends an
Information-request packet to the Server. After the Server receives the packet, it sends a Reply packet to the Client.
The process is shown as follows:

Figure 1-9 Server replies to an Information-request packet
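The exchanges described above (the four-message Solicit/Advertise/Request/Reply sequence, the two-message Rapid Commit variant, and the Relay-forward/Relay-reply encapsulation used when a Relay sits between Client and Server), as an added Python example that is not part of this guide or of RGOS. It encodes and decodes the RFC 3315 wire format (1-byte message type, 3-byte transaction ID, TLV options; a relay message carries the original message whole inside the Relay Message option, code 9) and runs a deliberately minimal simulated server against a client. The DUIDs, transaction IDs and addresses are constructed values, and the server only hands out a DNS server option. The option decoder rejects truncated or over-long options instead of reading past the buffer, which is the first check any DHCPv6 parser listening on FF02::1:2 should make.

```python
"""DHCPv6 (RFC 3315) message codec and a simulated client/server/relay exchange.
Added example; the DUIDs, transaction IDs and addresses below are constructed."""
import ipaddress
import struct

# Message types (RFC 3315 section 5.3) and option codes (section 24.3; 23 is from RFC 3646)
SOLICIT, ADVERTISE, REQUEST, REPLY, INFORMATION_REQUEST, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 11, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_RELAY_MSG, OPT_RAPID_COMMIT, OPT_DNS_SERVERS = 1, 2, 9, 14, 23
ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"   # Solicit/Request go here, UDP port 547

CLIENT_DUID = bytes.fromhex("0003000100d0f82233ac")   # DUID-LL, constructed
SERVER_DUID = bytes.fromhex("0003000100d0f82233b0")   # DUID-LL, constructed

def encode_options(options):
    """TLV encoding: 2-byte option code, 2-byte length, option data."""
    return b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)

def decode_options(buf):
    """Parse TLV options; a truncated or over-long option raises rather than being guessed at."""
    options, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if len(buf) - pos < length:
            raise ValueError("option length exceeds packet")
        options.append((code, bytes(buf[pos:pos + length])))
        pos += length
    return options

def encode_message(msg_type, xid, options):
    """Client/server message: 1-byte type, 3-byte transaction ID, then options."""
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + encode_options(options)

def decode_message(buf):
    if len(buf) < 4:
        raise ValueError("message too short")
    return buf[0], int.from_bytes(buf[1:4], "big"), decode_options(buf[4:])

def relay_wrap(msg_type, hop_count, link_addr, peer_addr, inner):
    """Relay-forward/Relay-reply: type, hop count, link-address, peer-address, then the
    original message carried whole in the Relay Message option."""
    hdr = struct.pack("!BB", msg_type, hop_count)
    hdr += ipaddress.IPv6Address(link_addr).packed + ipaddress.IPv6Address(peer_addr).packed
    return hdr + encode_options([(OPT_RELAY_MSG, inner)])

def relay_unwrap(buf):
    """Return (msg_type, hop_count, link_addr, peer_addr, inner message bytes)."""
    if len(buf) < 34:
        raise ValueError("relay message too short")
    link = str(ipaddress.IPv6Address(bytes(buf[2:18])))
    peer = str(ipaddress.IPv6Address(bytes(buf[18:34])))
    inner = dict(decode_options(buf[34:])).get(OPT_RELAY_MSG)
    if inner is None:
        raise ValueError("relay message without a Relay Message option")
    return buf[0], buf[1], link, peer, inner

def server_handle(packet, rapid_commit_enabled=False):
    """Minimal server: Solicit -> Advertise (or straight to Reply when both sides use Rapid
    Commit); Request / Information-request -> Reply. Returns reply bytes, or None to drop."""
    msg_type, xid, opts = decode_message(packet)
    codes = [code for code, _ in opts]
    if OPT_CLIENTID not in codes:
        return None    # RFC 3315 section 15: discard client messages lacking a Client Identifier
    reply_opts = [(OPT_SERVERID, SERVER_DUID), (OPT_CLIENTID, dict(opts)[OPT_CLIENTID]),
                  (OPT_DNS_SERVERS, ipaddress.IPv6Address("2008:1::1").packed)]
    if msg_type == SOLICIT and rapid_commit_enabled and OPT_RAPID_COMMIT in codes:
        return encode_message(REPLY, xid, reply_opts + [(OPT_RAPID_COMMIT, b"")])
    if msg_type == SOLICIT:
        return encode_message(ADVERTISE, xid, reply_opts)
    if msg_type in (REQUEST, INFORMATION_REQUEST):
        return encode_message(REPLY, xid, reply_opts)
    return None

def exchange(rapid_commit=False):
    """Drive the client side and return the message types seen on the wire, in order."""
    opts = [(OPT_CLIENTID, CLIENT_DUID)] + ([(OPT_RAPID_COMMIT, b"")] if rapid_commit else [])
    solicit = encode_message(SOLICIT, 0x123456, opts)
    rtype, xid, ropts = decode_message(server_handle(solicit, rapid_commit_enabled=rapid_commit))
    trace = [SOLICIT, rtype]
    if rtype == ADVERTISE:    # the client picks this server and requests the configuration
        request = encode_message(REQUEST, xid, [(OPT_CLIENTID, CLIENT_DUID),
                                                (OPT_SERVERID, dict(ropts)[OPT_SERVERID])])
        trace += [REQUEST, decode_message(server_handle(request))[0]]
    return trace

def relayed_exchange():
    """Client and server on different links: the Information-request rides in a Relay-forward
    and the Reply comes back inside a Relay-reply addressed to the relay."""
    request = encode_message(INFORMATION_REQUEST, 0xABCDEF, [(OPT_CLIENTID, CLIENT_DUID)])
    forwarded = relay_wrap(RELAY_FORW, 0, "2008:50::1", "fe80::1", request)
    _, hops, link, peer, inner = relay_unwrap(forwarded)
    back = relay_wrap(RELAY_REPL, hops, link, peer, server_handle(inner))
    outer_type, _, _, _, reply = relay_unwrap(back)
    return outer_type, decode_message(reply)[0]
```

`exchange()` returns the type sequence `[1, 2, 3, 7]` for the normal four-packet process and `[1, 7]` when both sides use Rapid Commit; `relayed_exchange()` returns `(13, 7)`, the Relay-reply wrapper and the Reply it carries. A Solicit without a Client Identifier is dropped rather than answered.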

Protocol specification

 See RFC3315 for the DHCPv6 protocol specification;

 See RFC3633 for the DHCPv6-PD protocol specification;

 The DHCPv6 server function is not supported on AP110-W or AP120-W.



Introduction to the DHCPv6 Client


The DHCPv6 client can automatically acquire prefix space and other configuration parameters from the DHCPv6 server.
After obtaining the prefix space, the DHCPv6 client stores it in the global IPv6 prefix pool; the prefix can then be
assigned to other interfaces through prefix partitioning for prefix advertisement.

The DHCPv6 client obtains parameters such as the DNS server and SNTP server on a per-interface basis; these
parameter configurations remain valid only as long as the interface is valid.

 The DHCPv6 client function is not supported on AP110-W or AP120-W.

Introduction to the DHCPv6 Relay


The DHCPv6 relay forwards DHCPv6 messages between the DHCPv6 server and the DHCPv6 client. When the DHCPv6
server and the DHCPv6 client are not on the same physical network, the DHCPv6 relay is responsible for forwarding the
DHCPv6 solicit and reply messages. This forwarding differs from routing, which transmits packets transparently: a router
generally does not modify the contents of IP packets, whereas the DHCPv6 relay, upon receiving a DHCPv6 message,
generates a new message and forwards that instead.

To the DHCPv6 clients the DHCPv6 relay looks like a DHCPv6 server, and to the DHCPv6 server it looks like a DHCPv6 client.

Functions of DHCPv6 Relay Agent

With the help of DHCPv6 Relay Agent, the DHCPv6 server can provide services for DHCPv6 clients in other network
segments; without DHCPv6 Relay Agent, the DHCPv6 server can only provide services for DHCPv6 clients in the same
network segment.

Figure 1-10 Functions of DHCPv6 Relay Agent

Functions of DHCPv6 Relay Agent are described as follows (corresponding to the numbers in the figure):

1) It enables the DHCPv6 relay, the gateway that has enabled DHCPv6 Relay Agent, to receive packets sent by the
DHCPv6 client to the DHCPv6 server.

2) It enables the DHCPv6 relay to encapsulate packets received (sent by the DHCPv6 client to DHCPv6 server) in the
Relay-Forward packet and send it in the unicast manner to the specified DHCPv6 server.

3) It enables the DHCPv6 server to encapsulate the reply in the Relay-Reply packet after it receives the Relay-Forward
packet and send it to the DHCPv6 relay in the unicast manner.

4) It enables the DHCPv6 relay to restore the packet (sent by the DHCPv6 server to the DHCPv6 client) after it receives
the Relay-Reply packet and send it to the DHCPv6 client in the unicast manner.

In the address lease renewal, rebinding and release processes on a DHCPv6 client and the configuration
refreshing process on a server, the DHCPv6 Relay Agent plays a similar role.

Protocol specification

 RFC3315 Dynamic Host Configuration Protocol for IPv6 (DHCPv6)

DHCPv6 Configuration

Configure the DHCPv6 Server

Default configuration

The following table outlines the default configuration of the DHCPv6 Server.

Function and feature Default setting


DHCPv6 Server function Disabled
DHCPv6 configuration information pool Not configured

Configuring the DHCPv6 Server function

This task involves how to create and configure a DHCPv6 configuration information pool, and how to associate this pool
with the DHCPv6 server on the interface.

To configure the DHCPv6 server, run the following commands:

Command Function

Ruijie# configure terminal
    Enters global configuration mode.

Ruijie(config)# ipv6 local pool poolname prefix/prefix-length assigned-length
    Configures the local prefix pool from which the DHCPv6 server delegates prefixes. By default, no local prefix pool
    is configured.

Ruijie(config)# ipv6 dhcp pool poolname
    Configures the DHCPv6 configuration information pool and enters pool configuration mode. By default, no DHCPv6
    server pool is configured.

Ruijie(config-dhcp)# domain-name domain
    Configures a domain name that can be assigned to the DHCPv6 client. Use the no form of this command to restore
    the default setting.

Ruijie(config-dhcp)# dns-server ipv6-address
    Configures a DNS server that can be assigned to the DHCPv6 client. Use the no form of this command to restore
    the default setting.

Ruijie(config-dhcp)# prefix-delegation ipv6-prefix/prefix-length client-DUID [ lifetime ]
    Configures an address prefix that can be assigned to the IAPD of the specific DHCPv6 client identified by client-DUID.

Ruijie(config-dhcp)# prefix-delegation pool poolname [ lifetime { valid-lifetime | preferred-lifetime } ]
    Configures a prefix pool for the DHCPv6 server; address prefixes from this prefix pool can be delegated to
    DHCPv6 clients.

Ruijie(config-dhcp)# iana-address prefix ipv6-prefix/prefix-length [ lifetime { valid-lifetime | preferred-lifetime } ]
    Configures an IANA address prefix for the DHCPv6 server; IANA addresses within the range designated by this
    prefix can be assigned to DHCPv6 clients. Use the no form of this command to restore the default setting.

Ruijie(config-dhcp)# exit
    Exits DHCPv6 pool configuration mode.

Ruijie(config)# interface type number
    Enters interface configuration mode.

Ruijie(config-if)# ipv6 dhcp server poolname [ rapid-commit ] [ preference value ]
    Enables the DHCPv6 server on this interface. The preference value ranges from 1 to 100; the default value is 0.

For example:

# Configure a configuration information pool named pool1 and configure the domain name, DNS Server, IA_NA, IA_PD
and so on. Enable the DHCPv6 Server function on the FastEthernet 0/1 interface.

Ruijie# configure terminal
Ruijie(config)# ipv6 local pool client-prefix-pool 2008:10::/64 78
Ruijie(config)# ipv6 dhcp pool pool1
Ruijie(config-dhcp)# domain-name example.com
Ruijie(config-dhcp)# dns-server 2008:1::1
Ruijie(config-dhcp)# prefix-delegation 2008:2::/64 0003000100d0f82233ac
Ruijie(config-dhcp)# prefix-delegation pool client-prefix-pool lifetime 2000 1000
Ruijie(config-dhcp)# iana-address prefix 2008:50::/64
Ruijie(config-dhcp)# exit
Ruijie(config)# interface fastethernet 0/1
Ruijie(config-if)# ipv6 dhcp server pool1

The DHCPv6 Server does not allocate gateway addresses to clients. For clients to learn a gateway, RA advertisement
must be enabled on the interface:
Ruijie(config-if)# no ipv6 nd suppress-ra
The "managed address configuration" flag in the Router Advertisement (RA) packet should also be set so that a host
receiving the RA uses stateful autoconfiguration to obtain addresses. By default, this flag is not set in the RA packet:
Ruijie(config-if)# ipv6 nd managed-config-flag
The "other stateful configuration" flag in the RA packet is set so that a host receiving the RA uses stateful
autoconfiguration to obtain information other than addresses. By default, this flag is not set in the RA packet:
Ruijie(config-if)# ipv6 nd other-config-flag
Finally, disable prefix advertisement for the pool's prefix:
Ruijie(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length no-advertise

When the prefix or prefix mask of an address pool is modified, the lease information of that address pool is deleted.
The DHCPv6 Server may then allocate an address or address prefix that was allocated previously to a new request,
causing an address conflict. Therefore, once an address pool has been created and has started allocating addresses
or prefixes, its prefix or prefix mask should not be modified unless necessary.

Configuring the stateless DHCPv6 Server function

The stateless DHCPv6 Server does not need to configure the prefix pool. Given that the Client has obtained the address
though RA, the Server only needs to provide the Client with other configuration information. The configuration process is
described as follows:

Command Function

Ruijie# configure terminal
    Enters global configuration mode.

Ruijie(config)# ipv6 dhcp pool poolname
    Configures the DHCPv6 configuration information pool and enters pool configuration mode.

Ruijie(config-dhcp)# domain-name domain
    Configures a domain name that can be allocated to the DHCPv6 Client.

Ruijie(config-dhcp)# dns-server ipv6-address
    Configures the DNS Server that can be provided to the DHCPv6 Client.

Ruijie(config-dhcp)# exit
    Exits DHCPv6 pool configuration mode.

Ruijie(config)# interface interface-name
    Enters interface configuration mode.

Ruijie(config-if)# ipv6 dhcp server poolname [ rapid-commit ] [ preference value ]
    Enables the DHCPv6 Server on the interface.

Ruijie(config-if)# ipv6 nd other-config-flag
    Sets the "other stateful configuration" flag in the IPv6 RA.

Example:

# Configure a configuration information pool named pool1 and configure the domain name, DNS Server and etc. Enable
the DHCPv6 Server function on the FastEthernet 0/1 interface, and set the flag bit in IPv6 RA.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipv6 dhcp pool pool1
Ruijie(config-dhcp)# domain-name example.com
Ruijie(config-dhcp)# dns-server 2008:1::1
Ruijie(config-dhcp)# exit
Ruijie(config)# interface fastethernet 0/1
Ruijie(config-if)# ipv6 dhcp server pool1
Ruijie(config-if)# ipv6 nd other-config-flag

The DHCPv6 Server does not allocate gateway addresses to clients. For clients to learn a gateway, RA advertisement
must be enabled on the interface:
Ruijie(config-if)# no ipv6 nd suppress-ra

Configuring DHCPv6 Server to Set CAPWAP AC IPv6 address

By default, no option52 is created after pool configuration on the DHCPv6 server is complete.

Command Function

option52 ipv6-address
    Sets the CAPWAP AC IPv6 address, in DHCPv6 pool configuration mode. ipv6-address: the CAPWAP AC IPv6 address.

no option52 ipv6-address
    Restores the default setting.

This command can be used to set multiple CAPWAP AC IPv6 addresses. A newly added IPv6 address does not overwrite
the existing ones.

The following example sets the CAPWAP AC IPv6 address 2008:1::1 in the pool.

Ruijie(config-dhcp)# option52 2008:1::1

Showing the DHCPv6 Server configuration

Use the following commands to display information about DHCPv6 Server configuration and state:

Command Function

show ipv6 dhcp
    Displays the device's DUID information, in privileged EXEC mode, interface configuration mode or global
    configuration mode.

show ipv6 dhcp binding
    Displays the DHCPv6 server's address binding information in privileged EXEC mode.

show ipv6 dhcp conflict
    Displays the DHCPv6 server's address conflict information in privileged EXEC mode.

show ipv6 dhcp interface
    Displays the DHCPv6 interface information in privileged EXEC mode.

show ipv6 dhcp pool
    Displays the DHCPv6 pool information in privileged EXEC mode.

show ipv6 dhcp server statistics
    Displays the DHCPv6 server statistics in privileged EXEC mode.

show ipv6 local pool [ poolname ]
    Displays the local prefix pool configuration and usage in privileged EXEC mode.

# Example:

Ruijie# show ipv6 dhcp
This device's DHCPv6 unique identifier(DUID): 00:03:00:01:00:d0:f8:22:33:b0

Ruijie# show ipv6 dhcp binding
Client DUID: 00:03:00:01:00:d0:f8:22:33:ac
IAPD: iaid 0, T1 1800, T2 2880
Prefix: 2001:20::/72
preferred lifetime 3600, valid lifetime 3600
expires at Jan 1 2008 2:23 (3600 seconds)

Ruijie# show ipv6 dhcp interface
VLAN 1 is in server mode
Server pool dhcp-pool
Rapid-Commit: disable

Ruijie# show ipv6 dhcp pool
DHCPv6 pool: dhcp-pool
DNS server: 2011:1::1
DNS server: 2011:1::2
Domain name: example.com

Ruijie# show ipv6 dhcp server statistics
DHCPv6 server statistics:

Packet statistics:
DHCPv6 packets received: 7
Solicit received: 7
Request received: 0
Confirm received: 0
Renew received: 0
Rebind received: 0
Release received: 0
Decline received: 0
Relay-forward received: 0
Information-request received: 0
Unknown message type received: 0
Error message received: 0

DHCPv6 packet sent: 0


Advertise sent: 0
Reply sent: 0
Relay-reply sent: 0
Send reply error: 0
Send packet error: 0

Binding statistics:
Bindings generated: 0

IAPD assigned: 0
IANA assigned: 0

Configuration statistics:
DHCPv6 server interface: 1
DHCPv6 pool: 0
DHCPv6 iapd binding: 0

Configure the DHCPv6 Client


This task involves how to enable DHCPv6 client function and prefix solicitation on the interface.

To configure the DHCPv6 Client, run the following commands:

Command Function

Ruijie# configure terminal
    Enters global configuration mode.

Ruijie(config)# interface type number
    Enters interface configuration mode.

Ruijie(config-if)# ipv6 dhcp client pd prefix-name [ rapid-commit ]
    Enables the DHCPv6 client and prefix solicitation on the interface.

For example:

Ruijie# configure terminal
Ruijie(config)# interface fastethernet 0/1
Ruijie(config-if)# ipv6 dhcp client pd pd_name

Configuring stateless DHCPv6 Client

The configuration process is described as follows:

Command Function

Ruijie# configure terminal
    Enters global configuration mode.

Ruijie(config)# interface type number
    Enters interface configuration mode.

Ruijie(config-if)# ipv6 enable
    Enables the IPv6 function on the interface.

Example:

Ruijie# configure terminal
Ruijie(config)# interface fastethernet 0/1
Ruijie(config-if)# ipv6 enable

Re-enable the DHCPv6 Client on the interface.

The task explains how to re-enable DHCPv6 Client on an interface.

The configuration process is described as follows:

Command Function

Ruijie# clear ipv6 dhcp client interface-type interface-number
    Re-enables the DHCPv6 Client on the interface.

Example:

Ruijie# clear ipv6 dhcp client fastethernet 0/1

Enabling DHCPv6 Client Mode and Requesting IANA Address

This function is disabled by default.

Command Function

ipv6 dhcp client ia [ rapid-commit ]
    Enables DHCPv6 client mode and requests an IANA address from the DHCPv6 server, in interface configuration
    mode. rapid-commit: allows the two-message interaction process.

no ipv6 dhcp client ia
    Restores the default setting.

This command is used to enable DHCPv6 client mode and request the IANA address from the DHCPv6 server.

The rapid-commit key allows the two-message interaction process between the client and the server. After the key is
configured, the solicit message transmitted by the client contains the rapid-commit option.

The following example enables the request for the IANA address on the interface.

Ruijie(config)# interface fastethernet 0/1

Ruijie(config-if)# ipv6 dhcp client ia

Configure the DHCPv6 Relay Agent

Default configuration

Function and feature Default setting


DHCPv6 Relay Agent function Disabled
DHCPv6 Relay Agent server address Unspecified

Configuring the DHCPv6 Relay function

This task enables the DHCPv6 relay function on the interface, and configures the address used for relay forwarding.

To configure the DHCPv6 relay, run the following commands:

Command Function

Ruijie# configure terminal
    Enters global configuration mode.

Ruijie(config)# interface type number
    Enters interface configuration mode.

Ruijie(config-if)# ipv6 dhcp relay destination ipv6-address [ interface-type interface-number ]
    Enables the DHCPv6 relay on the interface and designates the address used for relay forwarding.

Ruijie(config-if)# end
    Exits interface configuration mode.

Use the following command to show the destination address of the DHCPv6 Relay:

show ipv6 dhcp relay destination { all | interface interface-type interface-number }

Use the following command to delete the destination address of the DHCPv6 Relay:

no ipv6 dhcp relay destination ipv6-address [ interface-type interface-number ]

Example: Enable the DHCPv6 Relay Agent function with the destination address of 3001::2 on the interface VLAN 1.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#interface vlan 1
Ruijie(config-if)#ipv6 dhcp relay destination 3001::2
Ruijie(config-if)#end

The ipv6 dhcp relay destination command can only be used on a layer-3 interface;
One device can be configured with at most 20 Relay Agent destinations;
When the destination is a multicast address, the interface must be specified after the address.

Showing/clearing DHCPv6 Relay information

Command Function

show ipv6 dhcp relay destination { all | interface interface-type interface-number }
    Shows the DHCPv6 Relay's destination address.

show ipv6 dhcp relay statistics
    Shows the DHCPv6 Relay Agent's packet statistics.

clear ipv6 dhcp relay statistics
    Clears the DHCPv6 Relay Agent's packet statistics.

Example: Show the DHCPv6 Relay's destination address.

Ruijie# show ipv6 dhcp relay destination all


Interface: Vlan1
Destination address(es) Output Interface
3001::2

Example: Show the DHCPv6 Relay Agent's statistics.

Ruijie# show ipv6 dhcp relay statistics


Packets dropped : 2
Error : 2
Excess of rate limit : 0
Packets received : 28
SOLICIT : 0
REQUEST : 0
CONFIRM : 0
RENEW : 0
REBIND : 0
RELEASE : 0
DECLINE : 0
INFORMATION-REQUEST : 14
RELAY-FORWARD : 0
RELAY-REPLY : 14
Packets sent : 16
ADVERTISE : 0
RECONFIGURE : 0
REPLY : 8
RELAY-FORWARD : 8
RELAY-REPLY : 0

Typical configuration examples

Typical DHCPv6 Server configuration example


Networking demand

In the user environment, the most common practice is to deploy DHCPv6 Server in the core or convergent position of the
network to allocate the entire subnet's IP addresses and manage the allocation.

Networking topology

As shown in the following figure, enable the DHCPv6 Server function on the convergent device to allocate IPv6 address
and other network configuration information for PCs in the subnet. The range of IA_NA addresses that can be allocated is
configured on the Server. When a PC sends a request for address allocation, the Server will calculate an available
address in the IA_NA address range and allocate it to the PC after it receives the request. In addition, the Server provides
other information including DNS Server addresses and domain names. To ensure that the DHCPv6 Server function takes
effect, the IP address in the same network segment with the IA_NA should be configured on the layer-3 interface where
the Server function is enabled.

Figure 1-11 DHCPv6 Server networking topology



Key points

If the core device serves as the DHCPv6 Server, the device's CPU and memory occupancy rates will rise. When Clients
increase, the pressure on the Server will rise. Therefore, a high-performance or separate device should be used as the
DHCPv6 Server.

Configuration process

Enable the DHCPv6 Server function on the convergence gateway device:

# Configure a configuration information pool named pool1 and configure the domain name, DNS Server, IA_NA and so on.
Enable the DHCPv6 Server function on the VLAN 1 interface.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ipv6 dhcp pool pool1
Ruijie(config-dhcp)# domain-name example.com
Ruijie(config-dhcp)# dns-server 2008:1::1
Ruijie(config-dhcp)# iana-address prefix 2008:50::/64
Ruijie(config-dhcp)# exit
Ruijie(config)# interface vlan 1
Ruijie(config-if)# ipv6 address 2008:50::1/64
Ruijie(config-if)# ipv6 dhcp server pool1
Ruijie(config-if)# no ipv6 nd suppress-ra
Ruijie(config-if)# ipv6 nd managed-config-flag
Ruijie(config-if)# ipv6 nd other-config-flag
Ruijie(config-if)# ipv6 nd prefix 2008:50::/64 no-advertise
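A consistency check over a DHCPv6 server/relay configuration, as an added Python example that is not part of this guide or of RGOS. It reads CLI lines in the syntax shown in this chapter and flags the conditions stated in the configuration notes: the interface must carry an address inside the IA_NA prefix of the pool it serves, a stateful pool needs the RA-related commands (no ipv6 nd suppress-ra, ipv6 nd managed-config-flag, ipv6 nd other-config-flag) on the interface, a multicast relay destination needs an output interface, and a device supports at most 20 relay destinations. Both sample configurations are constructed: GOOD_CONFIG follows the typical example above, BAD_CONFIG drops several of those lines.

```python
"""Consistency checks for a DHCPv6 server/relay configuration in the CLI syntax shown on this
page. Added example, not part of RGOS; the sample configurations below are constructed."""
import ipaddress
import re

MAX_RELAY_DESTINATIONS = 20    # per device, as stated in the relay notes

def parse_config(text):
    """Walk the configuration, tracking the current 'ipv6 dhcp pool' or 'interface' context."""
    pools, ifaces, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"ipv6 dhcp pool (\S+)$", line)):
            ctx = pools.setdefault(m.group(1), {"iana": [], "dns": [], "domain": None})
        elif (m := re.match(r"interface (.+)$", line)):
            ctx = ifaces.setdefault(m.group(1), {"addr": [], "server": None, "ra": False,
                                                 "managed": False, "other": False, "relay": []})
        elif ctx is None or not line or line == "exit":
            continue
        elif (m := re.match(r"iana-address prefix (\S+)", line)):
            ctx["iana"].append(ipaddress.ip_network(m.group(1), strict=False))
        elif (m := re.match(r"dns-server (\S+)", line)):
            ctx["dns"].append(m.group(1))
        elif (m := re.match(r"domain-name (\S+)", line)):
            ctx["domain"] = m.group(1)
        elif (m := re.match(r"ipv6 address (\S+)", line)):
            ctx["addr"].append(ipaddress.ip_interface(m.group(1)))
        elif (m := re.match(r"ipv6 dhcp server (\S+)", line)):
            ctx["server"] = m.group(1)
        elif (m := re.match(r"ipv6 dhcp relay destination (\S+)(?: interface (.+))?$", line)):
            ctx["relay"].append((ipaddress.IPv6Address(m.group(1)), m.group(2)))
        elif line == "no ipv6 nd suppress-ra":
            ctx["ra"] = True
        elif line == "ipv6 nd managed-config-flag":
            ctx["managed"] = True
        elif line == "ipv6 nd other-config-flag":
            ctx["other"] = True
    return pools, ifaces

def lint(text):
    """Return the list of findings; an empty list means the configuration is consistent."""
    pools, ifaces = parse_config(text)
    findings = []
    for name, i in ifaces.items():
        pool = pools.get(i["server"]) if i["server"] else None
        if i["server"] and pool is None:
            findings.append(f"{name}: DHCPv6 pool '{i['server']}' is not defined")
        elif pool:
            for net in pool["iana"]:    # the page: interface address must share the IA_NA segment
                if not any(a.ip in net for a in i["addr"]):
                    findings.append(f"{name}: no interface address inside IA_NA prefix {net}")
            if pool["iana"] and not i["managed"]:
                findings.append(f"{name}: IA_NA pool served but 'ipv6 nd managed-config-flag' not set")
            if (pool["dns"] or pool["domain"]) and not (i["managed"] or i["other"]):
                findings.append(f"{name}: pool carries DNS/domain but no RA flag tells hosts to use DHCPv6")
            if not i["ra"]:    # DHCPv6 assigns no gateway; hosts learn it from the RA
                findings.append(f"{name}: 'no ipv6 nd suppress-ra' missing; clients get no default gateway")
        for dest, out_if in i["relay"]:
            if dest.is_multicast and out_if is None:
                findings.append(f"{name}: multicast relay destination {dest} needs an output interface")
    total = sum(len(i["relay"]) for i in ifaces.values())
    if total > MAX_RELAY_DESTINATIONS:
        findings.append(f"{total} relay destinations configured; the device supports at most 20")
    return findings

GOOD_CONFIG = """
ipv6 dhcp pool pool1
 domain-name example.com
 dns-server 2008:1::1
 iana-address prefix 2008:50::/64
 exit
interface vlan 1
 ipv6 address 2008:50::1/64
 ipv6 dhcp server pool1
 no ipv6 nd suppress-ra
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd prefix 2008:50::/64 no-advertise
interface vlan 2
 ipv6 dhcp relay destination FF02::1:2 interface gi 0/1
"""

BAD_CONFIG = """
ipv6 dhcp pool pool1
 dns-server 2008:1::1
 iana-address prefix 2008:50::/64
interface vlan 1
 ipv6 address 2008:60::1/64
 ipv6 dhcp server pool1
 ipv6 nd other-config-flag
interface vlan 2
 ipv6 dhcp relay destination FF02::1:2
"""
```

`lint(GOOD_CONFIG)` returns an empty list; `lint(BAD_CONFIG)` reports four findings on the constructed configuration: the interface address outside the IA_NA prefix, the missing managed-config-flag, the missing RA enablement, and the multicast relay destination without an output interface.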

Showing verification

Show the configuration of the DHCPv6 Server on the convergence gateway device:

Ruijie# show ipv6 dhcp interface


VLAN 1 is in server mode
Server pool pool1
Rapid-Commit: disable

Ruijie# show ipv6 dhcp pool


DHCPv6 pool: pool1
DNS server: 2008:1::1
Domain name: example.com

Ruijie# show ipv6 dhcp server statistics


DHCPv6 server statistics:

Packet statistics:
DHCPv6 packets received: 7
Solicit received: 7
Request received: 0
Confirm received: 0
Renew received: 0
Rebind received: 0
Release received: 0
Decline received: 0
Relay-forward received: 0
Information-request received: 0
Unknown message type received: 0
Error message received: 0

DHCPv6 packet sent: 0


Advertise sent: 0
Reply sent: 0
Relay-reply sent: 0
Send reply error: 0
Send packet error: 0

Binding statistics:
Bindings generated: 0
IAPD assigned: 0
IANA assigned: 0

Configuration statistics:
DHCPv6 server interface: 1
DHCPv6 pool: 0
DHCPv6 iapd binding: 0

Typical DHCPv6 Relay configuration example


Networking demand

Device1 enables the DHCPv6 Relay Agent with the destination address 3001::2; Device2 enables the DHCPv6 Relay
Agent with the destination address FF02::1:2 (the multicast address of all DHCPv6 Servers and Relays) so that the
packet continues to be relayed to other servers. On Device2 the egress interface for that destination address is the
layer-3 interface gi 0/1.

Networking topology

Figure 1-12 DHCPv6 Relay Agent networking topology



Key configuration points

Enable the DHCPv6 Relay Agent function on the gateway and designate the known server address or next-level Relay
address as the destination.

Configuration process

 Enable the DHCPv6 Relay Agent function on the convergence gateway device Device1 with the destination address
of 3001::2:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z
Ruijie(config)#interface vlan 1
Ruijie(config-if)# ipv6 dhcp relay destination 3001::2

 Enable the DHCPv6 Relay Agent function on the convergence gateway device Device2 with the destination address
of FF02::1:2:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z
Ruijie(config)#interface vlan 1
Ruijie(config-if)#ipv6 dhcp relay destination FF02::1:2 interface gi 0/1

Checking the configuration effect

 Show the configuration of DHCPv6 Relay Agent on Device 1.


Ruijie# show ipv6 dhcp relay destination all
Interface: Interface vlan 1
Server address(es) Output Interface
3001::2

 Show the configuration of DHCPv6 Relay Agent on Device 2.


Ruijie# show ipv6 dhcp relay destination all
Interface: Interface vlan 1
Server address(es) Output Interface
FF02::1:2 gi0/1
Configuration Guide Configuring DNS

Configuring DNS

DNS Overview

Each IP address can be represented by a host name consisting of one or more strings separated by dots. You then only
need to remember the host name rather than the IP address. This is the function of the DNS protocol.

There are two methods to map from the host name to the IP address: 1) Static Mapping: A device maintains its host name
to IP address mapping table and uses it only by itself. 2) Dynamic Mapping: The host name to IP address mapping table is
maintained on the DNS server. In order for a device to communicate with others by its host name, it needs to search its
corresponding IP address on the DNS server.

Domain name resolution (or host name resolution) is the process by which a device obtains the IP address that
corresponds to a host name. Ruijie switches support host name resolution both locally and through DNS. During
domain name resolution the static method is tried first; if it fails, the dynamic method is used. Frequently used domain
names can be put into the static domain name list, which considerably increases the efficiency of domain name
resolution.

Configuring Domain Name Resolution

Default DNS Configuration


The default configurations of DNS are as follows:

Attribute Default Value


Enable/disable the DNS resolution service Enable
IP address of DNS server None
Static Host List None
Maximum number of DNS servers 6

Enabling DNS Resolution Service


This section describes how to enable the DNS resolution service.

Command Function
Ruijie(config)# ip domain-lookup Enable DNS domain name resolution.

The command no ip domain-lookup is used to disable the DNS domain name resolution function.

The following example disables the DNS domain name resolution function.

Ruijie(config)# no ip domain-lookup

Configuring the DNS Server


This section describes how to configure the DNS server. Dynamic domain name resolution can be carried out only when
a DNS server is configured.

The no ip name-server [ ip-address | ipv6-address ] command removes a DNS server. The ip-address or ipv6-address
parameter specifies the DNS server to remove; if it is omitted, all DNS servers are removed.

Command Function

Ruijie(config)# ip name-server { ip-address | ipv6-address }
    Adds the IP address of a DNS server. Each time this command is executed, the switch adds one DNS server. If the
    domain name cannot be resolved by the first DNS server, the switch sends the DNS request to the subsequent
    servers in turn until a correct response is received. The system supports at most six DNS servers.

Configuring the Host Name to IP/IPv6 Address Mapping Statically


This section describes how to configure the host name to IP/IPv6 address mapping. The switch maintains a host name to
IP/IPv6 address corresponding table, which is also referred to as the host name to IP/IPv6 address mapping table. You
can obtain the mapping table in two ways: manual configuration and dynamic learning.

Command Function

Ruijie(config)# ip host host-name ip-address
    Configures the host name to IP address mapping manually.

Ruijie(config)# ipv6 host host-name ipv6-address
    Configures the host name to IPv6 address mapping manually.

The no form of this command removes the mapping between the host name and the IP/IPv6 address.

Clearing the Dynamic Buffer Table of Host Names


This section describes how to clear the dynamic buffer table of host names. If the command clear host or clear host * is
entered, the dynamic buffer table will be cleared. Otherwise, only the entries of specified domain names will be cleared.

Command Function

Ruijie# clear host [ host-name ]
    Clears the dynamic buffer table of host names. Statically configured host names are not removed.
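The resolution behaviour described in this section (static entries are consulted first, then the configured DNS servers in order until one answers; dynamic answers are cached with a TTL; clear host removes only dynamic entries and leaves static ones), as an added Python example that is not part of this guide or of RGOS. The query callback stands in for the network; the server addresses, host names and TTL are constructed, and the first server deliberately never answers so that the fall-through to the next server is visible.

```python
"""Host-name resolution as described in this chapter: static entries first, then the DNS
servers in configured order; dynamic answers are cached with a TTL, and clear host removes
only dynamic entries. Added example, not RGOS code; names, addresses and TTLs are constructed."""
import time

class HostResolver:
    MAX_NAME_SERVERS = 6                  # the maximum stated in the default-configuration table

    def __init__(self, clock=time.monotonic):
        self.static = {}                  # name -> address, from "ip host" / "ipv6 host"
        self.dynamic = {}                 # name -> (address, expiry time), learned from DNS
        self.name_servers = []            # ordered, from successive "ip name-server" commands
        self.lookup_enabled = True        # "ip domain-lookup" / "no ip domain-lookup"
        self._clock = clock

    @staticmethod
    def _key(name):
        return name.lower().rstrip(".")

    def ip_host(self, name, address):
        self.static[self._key(name)] = address

    def ip_name_server(self, address):
        if address in self.name_servers:
            return
        if len(self.name_servers) >= self.MAX_NAME_SERVERS:
            raise ValueError("at most 6 DNS servers are supported")
        self.name_servers.append(address)

    def resolve(self, name, query):
        """query(server, name) returns (address, ttl) or None when the server gives no answer.
        Returns (address, 'static'|'dynamic'), or None when the name cannot be resolved."""
        key = self._key(name)
        if key in self.static:
            return self.static[key], "static"
        now = self._clock()
        cached = self.dynamic.get(key)
        if cached and cached[1] > now:
            return cached[0], "dynamic"
        if not self.lookup_enabled:
            return None
        for server in self.name_servers:     # fall through to the next server on no answer
            answer = query(server, key)
            if answer is not None:
                address, ttl = answer
                self.dynamic[key] = (address, now + ttl)
                return address, "dynamic"
        return None

    def clear_host(self, name=None):
        """clear host / clear host * drops every dynamic entry; a name drops only that entry."""
        if name in (None, "*"):
            self.dynamic.clear()
        else:
            self.dynamic.pop(self._key(name), None)

    def show_hosts(self):
        """Rows in the shape of 'show hosts': (name, type, address, remaining TTL or '---')."""
        now = self._clock()
        rows = [(n, "static", a, "---") for n, a in sorted(self.static.items())]
        rows += [(n, "dynamic", a, int(exp - now))
                 for n, (a, exp) in sorted(self.dynamic.items()) if exp > now]
        return rows

def demo():
    """Constructed scenario: the first configured server never answers, the second does."""
    answers = {"192.168.31.206": {"host.com": ("10.1.1.2", 3600)}}
    contacted = []

    def query(server, name):
        contacted.append(server)
        return answers.get(server, {}).get(name)

    clock = [1000.0]
    r = HostResolver(clock=lambda: clock[0])
    r.ip_host("destination.com", "1.1.1.20")
    r.ip_name_server("192.168.5.134")             # constructed: this server does not answer
    r.ip_name_server("192.168.31.206")
    first = r.resolve("host.com", query)          # walks both servers, caches the answer
    second = r.resolve("host.com", query)         # served from the cache, no query sent
    static = r.resolve("destination.com", query)  # static entry wins, no query sent
    clock[0] += 97                                # 97 s later the remaining TTL is 3503
    before = r.show_hosts()
    r.clear_host()                                # dynamic entry gone, static one kept
    return contacted, first, second, static, before, r.show_hosts()
```

`demo()` shows both servers being contacted exactly once for the first lookup, the cache and the static table answering the next two without any query, a show hosts listing with the static entry at TTL "---" and the dynamic entry at 3503 seconds, and only the static entry surviving clear host.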

Displaying Domain Name Resolution Information


This section describes how to display the DNS configuration. All domain name information is displayed by default.

Command Function

Ruijie# show hosts [ hostname ]
    Displays the DNS configuration. hostname: displays the information of the specified domain name only.

Ruijie# show hosts


Name servers are:
192.168.5.134 static

Host type Address TTL(sec)


www.163.com static 192.168.5.243 ---

Typical DNS Configuration Examples

Example of Static DNS Configuration

Topological Diagram

Figure 1 Network topology for static DNS configuration

Application Requirements

Since the network device Ruijie-A will frequently access the host of destination.com, we can use static DNS to access the
host of IP 1.1.1.20 through the domain name of destination.com, so as to enhance the efficiency of domain resolution.

Configuration Tips

 Make sure the route between device and host is reachable.


 The mapping between host name and IP address is correct.

Configuration Steps

Manually configure the mapping between host name and IP address. In this example, configure the host name to
"destination.com" and the corresponding IP address to 1.1.1.20.

Ruijie-A(config)#ip host destination.com 1.1.1.20

Verifications

Step 1: View DNS information. Key point: the mapping between host and IP address shall be correct.

Ruijie-A #show host
Name servers are:

Host type Address TTL(sec)
destination.com static 1.1.1.20 ---

Step 2: Execute "ping destination.com" command to verify the result.

Ruijie-A #ping destination.com


Translating "destination.com"...[OK]
Sending 5, 100-byte ICMP Echoes to 1.1.1.20, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

From the above information, we can learn that Ruijie-A has successfully accessed the host with IP address being 1.1.1.20
through the host name of destination.com by means of static DNS.

Example of Dynamic DNS Configuration

Topological Diagram

Figure 2 Network topology for dynamic DNS configuration

Application Requirements

 The IP address of DNS server is 192.168.31.206/24.


 The network device is the DNS client and can access the host of 10.1.1.2 through the host name of host.com by
means of dynamic DNS.

Configuration Tips

 The route between DNS client, DNS server and access PC shall be reachable.
 DNS shall be enabled. The DNS feature is enabled by default.
 The IP address of DNS server has been correctly configured.

Configuration Steps

Step 1: Configure DNS server

Different DNS servers need to be configured differently. Please configure DNS server according to the actual conditions.

Configure the mapping between host and IP address on DNS server. In this example, configure host name as "host.com"
and IP address as 10.1.1.2/24.

Step 2: Configure DNS client

The route between DNS client, DNS server and access PC shall be reachable. The interface IP configurations are shown
in the topological diagram.

! DNS shall be enabled. The DNS feature is enabled by default.

Ruijie(config)#ip domain-lookup

! Configure the IP address of DNS server as 192.168.31.206

Ruijie(config)#ip name-server 192.168.31.206

Verifications

Step 1: Execute "ping host.com" command to verify the result.

Ruijie#ping host.com
Translating "host.com"...[OK]
Sending 5, 100-byte ICMP Echoes to 10.1.1.2, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

From the above information, we can learn that the client device can ping the host, and the corresponding destination IP is
10.1.1.2. Through dynamic DNS, the host with IP address being 10.1.1.2 can be accessed through the host name of
host.com.

Step 2: View DNS information. Key point: the host name and IP address.

Ruijie#show host
Name servers are:
192.168.31.206 static

Host type Address TTL(sec)


host.com dynamic 10.1.1.2 3503

From the above information, we can learn that the mapping between host name and host IP is correct.
Configuration Guide Configuring Network Communication Detection Tools

Configuring Network Communication Detection Tools

Ping Connectivity Test

To test the connectivity of a network, many network devices support the Echo protocol. The protocol sends a special
packet to a specified network address and waits for a response. This allows you to evaluate the connectivity, delay and
reliability of a network. The ping tool provided by RGOS can effectively help users diagnose and locate the connectivity
problems in a network.

The Ping command runs in the user EXEC mode and privileged EXEC mode. In the user EXEC mode, only basic ping
functions are available. However, in the privileged EXEC mode, extended ping functions are available.

Command Function

Ruijie(config-if)# ip address dhcp
    Obtains an IP address through DHCP.

Ruijie# ping [ oob | vrf vrf-name | ip ] [ address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ] [ df-bit ] [ validate ] [ detail ] ]
    Tests the network connectivity.

The basic ping function can be performed in either the user EXEC mode or the privileged EXEC mode. By default, this
command sends five 100-byte packets to the specified IP address. If the system receives a response within the specified
time (2 seconds by default), it shows "!"; otherwise, it shows ".". Finally, the system shows statistics. This is a normal ping
example:

Ruijie# ping 192.168.5.1


Sending 5, 100-byte ICMP Echoes to 192.168.5.1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

The extended ping function can be performed in the privileged EXEC mode only. This function allows you to specify the
number of packets, the packet length, the payload pattern, the source address and the timeout. As with the basic ping
function, the extended ping also shows statistics. The following is an example of the extended ping:

Ruijie# ping 192.168.5.197 length 1500 ntimes 100 data ffff source 192.168.4.190 timeout 3
Sending 100, 1500-byte ICMP Echoes to 192.168.5.197, timeout is 3 seconds:
< press Ctrl+C to break >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/2/3 ms
Ruijie#

Ping IPv6 Connectivity Test

To test the connectivity of an IPv6 network, most network devices support the ICMPv6 Echo protocol. The device sends a
special packet to a specified network address and waits for a response. This lets you evaluate the connectivity, delay and
reliability of a network. The ping ipv6 tool provided by RGOS helps users diagnose and locate connectivity problems in an
IPv6 network.

The Ping ipv6 command runs in the user EXEC mode and privileged EXEC mode. In the user EXEC mode, only basic
ping IPv6 functions are available. However, in the privileged EXEC mode, extended ping IPv6 functions are available.

Command Function
Ruijie# ping [ vrf vrf-name | [ oob ] ipv6 ] [ ip-address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ] [ detail ] ]    Test the network connectivity.

The basic ping function can be performed in either the user EXEC mode or the privileged EXEC mode. By default, this
command sends five 100-byte packets to the specified IPv6 address. If the system receives a response within the specified
time (2 seconds by default), it shows "!"; otherwise, it shows ".". If the response does not match the request, the system
shows "C". Finally, the system shows statistics. This is a normal ping example:

Ruijie# ping ipv6 2000::1


Sending 5, 100-byte ICMP Echoes to 2000::1, timeout is 2 seconds:
< press Ctrl+C to break >
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

The extended ping function can be performed in the privileged EXEC mode only. This function allows you to specify the
number of packets, the packet length, the payload pattern, the source address and the timeout. As with the basic ping
function, the extended ping also shows statistics. The following is an example of the extended ping:

Ruijie# ping ipv6 2000::1 length 1500 ntimes 100 data ffff source 2000::2 timeout 3
Sending 100, 1500-byte ICMP Echoes to 2000::1, timeout is 3 seconds:
< press Ctrl+C to break >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/2/3 ms

Traceroute Connectivity Test

The Traceroute command is mainly used to check the network connectivity. It shows all the gateways that a packet
passes through from the source to the destination and exactly locates the fault when the network fails.

One of the rules of IP forwarding is that the TTL field of a packet is decremented by 1 each time the packet passes
through a gateway. When the TTL reaches 0, the gateway discards the packet and sends an ICMP Time Exceeded message
back to the source. The traceroute command exploits this rule as follows: first, the source sends a packet with TTL 1 to the
destination address. The first gateway returns an ICMP error message indicating that the packet was not forwarded
because its TTL expired. The source then re-sends the packet with the TTL increased by 1; likewise, the second gateway
returns a TTL-exceeded error, and the process continues until a packet reaches the destination address. By recording
every address that returns an ICMP TTL-exceeded message, you can draw the entire path taken by the IP packet from the
source address to the destination address.

The traceroute command can run in the user EXEC mode (enables basic functions) and the privileged EXEC mode
(enables extended functions). The command format is as follows:

Command Function
Ruijie# traceroute [ oob | vrf vrf-name | ip ] [ address [ probe number ] [ source source ] [ timeout seconds ] [ ttl minimum maximum ] ]    Trace the path that a packet passes through.

By default, seconds is 3 seconds, number is 3, minimum and maximum are 1 and 255.

The following are two examples that apply traceroute. In one example, network connectivity is good. In another example,
some gateways in a network are not connected.

 traceroute example where network connectivity is good:


Ruijie# traceroute 61.154.22.36
< press Ctrl+C to break >
Tracing the route to 61.154.22.36
1 192.168.12.1 0 msec 0 msec 0 msec
2 192.168.9.2 4 msec 4 msec 4 msec
3 192.168.9.1 8 msec 8 msec 4 msec
4 192.168.0.10 4 msec 28 msec 12 msec
5 202.101.143.130 4 msec 16 msec 8 msec
6 202.101.143.154 12 msec 8 msec 24 msec
7 61.154.22.36 12 msec 8 msec 22 msec

As you can see, to access the host with IP address 61.154.22.36, the packet passes through gateways 1 to 6 from the
source address and reaches the destination at hop 7. The three times on each line are the round-trip times of the three
probes sent to that gateway, which is very useful for network analysis.

 traceroute example where some gateways in a network are not connected:


Ruijie# traceroute 202.108.37.42
< press Ctrl+C to break >
Tracing the route to 202.108.37.42
1 192.168.12.1 0 msec 0 msec 0 msec
2 192.168.9.2 0 msec 4 msec 4 msec
3 192.168.110.1 16 msec 12 msec 16 msec
4 * * *
5 61.154.8.129 12 msec 28 msec 12 msec
6 61.154.8.17 8 msec 12 msec 16 msec
7 61.154.8.250 12 msec 12 msec 12 msec
8 218.85.157.222 12 msec 12 msec 12 msec
9 218.85.157.130 16 msec 16 msec 16 msec
10 218.85.157.77 16 msec 48 msec 16 msec
11 202.97.40.65 76 msec 24 msec 24 msec
12 202.97.37.65 32 msec 24 msec 24 msec
13 202.97.38.162 52 msec 52 msec 224 msec
14 202.96.12.38 84 msec 52 msec 52 msec
15 202.106.192.226 88 msec 52 msec 52 msec
16 202.106.192.174 52 msec 52 msec 88 msec
17 210.74.176.158 100 msec 52 msec 84 msec
18 202.108.37.42 48 msec 48 msec 52 msec

As you can see, to access the host with IP address 202.108.37.42, the packet passes through gateways 1 to 17 from the
source address and reaches the destination at hop 18. Hop 4 returned no reply within the timeout for any of the three
probes (shown as * * *), yet hops 5 onward and the destination answered, so the path is intact: the gateway at TTL 4
forwards packets but does not return ICMP Time Exceeded messages, typically because it filters or rate-limits ICMP. A
real connectivity failure shows * * * for every hop from the failing point onward, with no reply from the destination.
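The TTL-probing procedure described above, and the difference between a hop that is silent and a path that is broken, can be replayed offline. The following Python simulation is an added example and is not RGOS code: it models a constructed path in which one gateway forwards packets but never returns ICMP Time Exceeded, and shows that traceroute prints * * * for that hop while every later hop and the destination still answer.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology for the example. A gateway that drops expired packets without
# returning an ICMP Time Exceeded message (because it filters or rate-limits ICMP)
# still forwards packets whose TTL has not expired, so the path stays intact.
@dataclass
class Gateway:
    address: str
    answers_ttl_expiry: bool = True


def send_probe(path: List[Gateway], destination: str, ttl: int) -> Optional[str]:
    """Forward one probe with the given TTL hop by hop.

    Returns the address of whoever answers: the gateway at which the TTL reached 0
    (ICMP Time Exceeded), the destination (its own reply), or None if the packet
    was discarded silently.
    """
    for gw in path:
        ttl -= 1
        if ttl == 0:
            return gw.address if gw.answers_ttl_expiry else None
    # TTL still positive after the last gateway: the destination receives the probe.
    return destination


def traceroute(path: List[Gateway], destination: str, probes: int = 3,
               min_ttl: int = 1, max_ttl: int = 255) -> List[Tuple[int, List[Optional[str]]]]:
    """Replay the traceroute procedure: TTL starts at min_ttl and grows by one per
    round until the destination itself answers or max_ttl is reached.

    Returns a list of (ttl, [answer per probe]) rows, None meaning '*'.
    """
    rows: List[Tuple[int, List[Optional[str]]]] = []
    for ttl in range(min_ttl, max_ttl + 1):
        answers = [send_probe(path, destination, ttl) for _ in range(probes)]
        rows.append((ttl, answers))
        if destination in answers:
            break
    return rows


def render(rows) -> str:
    """Format rows the way the device prints them: one line per TTL, '*' per lost probe."""
    return "\n".join(f"{ttl} " + " ".join(a or "*" for a in answers) for ttl, answers in rows)


def silent_hops(rows) -> List[int]:
    """TTLs for which every probe went unanswered. If the destination still answered on a
    later line, these hops are forwarding but not reporting, not broken links."""
    return [ttl for ttl, answers in rows if all(a is None for a in answers)]


if __name__ == "__main__":
    # Constructed path: the third gateway never sends ICMP Time Exceeded.
    path = [Gateway("192.168.12.1"), Gateway("192.168.9.2"),
            Gateway("192.168.110.1", answers_ttl_expiry=False),
            Gateway("61.154.8.129")]
    rows = traceroute(path, "202.108.37.42")
    print(render(rows))
    print("hops that did not answer:", silent_hops(rows))
```

The rule of thumb the simulation encodes: a single line of * * * followed by answering hops is a reporting gap, not a forwarding failure; only when every line after some point is * * * and the destination never answers should the fault be placed at that hop.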

Traceroute IPv6 Connectivity Test

The Traceroute ipv6 command is mainly used to check the network connectivity. It shows all the gateways that a packet
passes through from the source to the destination and exactly locates the fault when the network fails.

For network transmission, refer to the previous section.

The traceroute ipv6 command can run in the user EXEC mode (enables basic functions) and the privileged EXEC mode
(enables extended functions). The command format is as follows:

Command Function
Ruijie# traceroute [ vrf vrf-name | [ oob ] ipv6 ] [ address [ probe number ] [ timeout seconds ] [ ttl minimum maximum ] ]    Trace the path that a packet passes through.

By default, seconds is 3 seconds, number is 3, minimum and maximum are 1 and 255.

The following are two examples that apply traceroute ipv6. In one example, network connectivity is good. In another
example, some gateways in a network are not connected.

 traceroute ipv6 example where network connectivity is good:


Ruijie# traceroute ipv6 3004::1
< press Ctrl+C to break >
Tracing the route to 3004::1
1 3000::1 0 msec 0 msec 0 msec
2 3001::1 4 msec 4 msec 4 msec
3 3002::1 8 msec 8 msec 4 msec
4 3004::1 4 msec 28 msec 12 msec

As you can see, to access the host with IPv6 address 3004::1, the packet passes through gateways 1 to 3 from the source
address and reaches the destination at hop 4. The three times on each line are the round-trip times of the three probes
sent to that gateway, which is very useful for network analysis.

 traceroute ipv6 example where some gateways in a network are not connected:
Ruijie# traceroute ipv6 3004::1
< press Ctrl+C to break >
Tracing the route to 3004::1
1 3000::1 0 msec 0 msec 0 msec
2 3001::1 4 msec 4 msec 4 msec
3 3002::1 8 msec 8 msec 4 msec
4 * * *
5 3004::1 4 msec 28 msec 12 msec

As you can see, to access the host with IPv6 address 3004::1, the packet passes through gateways 1 to 4 from the source
address and reaches the destination at hop 5. Hop 4 returned no reply within the timeout for any probe (* * *), but the
destination answered at hop 5, so the path is intact: the gateway at TTL 4 forwards packets but does not send ICMPv6
Time Exceeded messages, typically because ICMPv6 is filtered or rate-limited there. A real connectivity failure shows
* * * for every hop from the failing point onward, with no reply from the destination.

Clear Rping Entries

Command Function
clear rping table [ all | ping-object owner test-name | trace-object owner test-name ]    Clear Rping entries in privileged EXEC mode. owner: user index; test-name: test index.

The following example clears all Rping entries.

Ruijie# clear rping table all

The following example clears the specified Rping entry.

Ruijie# clear rping table user ruijie

Displaying Rping Information

Command Function
show rping detail    Display Rping information in privileged EXEC mode, global configuration mode or interface configuration mode.

This command is used to display the Rping information such as numbers of test accounts and users.

The following example displays Rping information.

Ruijie#show rping detail


Total owner number: 2
Total test number: 4
owner: user1
test name: taget_1 storage type: volatile
test name: taget_2 storage type: nonVolatile
owner: user2
test name: taget_1 storage type: permanent
test name: taget_2 storage type: readOnly
Configuration Guide Configuring TCP

Configuring TCP

Overview

The TCP module provides a reliable, connection-oriented transport layer protocol over IP for the application layer.

The application layer sends data streams represented in 8-bit bytes for Internet transmission to the TCP layer, which
separates the data streams into packet segments with proper size. The maximum segment size (MSS) is generally limited
by the maximum transmission unit (MTU) of the data link layer of the network to which the computer is connected. After
that, TCP transmits the result packets to the IP layer, which will then transmit the said packets through the network to the
TCP layer of receiving terminal.

To ensure that no data is lost, TCP assigns a sequence number to each byte; the sequence numbers also ensure that data
delivered to the receiving terminal is in order. The receiving terminal replies with an ACK acknowledging the bytes it has
received. If no ACK is received within a reasonable Round Trip Time (RTT), the sender assumes the corresponding data was
lost and retransmits it.

 For data integrity, TCP uses a checksum that is computed when a segment is sent and verified when it is received. The
TCP MD5 signature option (RFC 2385) can additionally be used to authenticate segments, for example on BGP sessions; it
does not encrypt the data.
 To ensure reliability, TCP applies timeout retransmission and piggybacked acknowledgements.
 The sliding window protocol is applied to implement flow control. Unacknowledged segments within the window are
retransmitted when their retransmission timer expires.
 The widely recognized TCP congestion control algorithm (also called the AIMD algorithm) is applied to implement
congestion control. This algorithm mainly involves: 1) additive increase, multiplicative decrease; 2) slow start; 3)
response to timeouts.

Configuring TCP

Changing the Timeout for Establishing TCP Session


Establishing a TCP session requires a three-way handshake: the local end sends a SYN packet, the remote end responds
with a SYN+ACK packet, and then the local end responds with an ACK.

 After the local end sends a SYN, if the remote end does not respond with SYN+ACK, the local end keeps retransmitting
the SYN until the retransmission limit is reached or the timeout timer expires.
 After the local end sends a SYN and the remote end responds with SYN+ACK, if the local end never sends the final
ACK, the remote end keeps retransmitting the SYN+ACK until the retransmission limit is reached or the timeout timer
expires. A SYN flood attack exploits exactly this state by leaving many half-open connections pending on the remote end;
a shorter timeout releases those resources sooner.

Execute the following command to configure the timeout value for SYN packet (the maximum time from SYN transmission
to successful three-way handshake), namely the timeout for establishing TCP session.

Command Function
Ruijie(config)# ip tcp synwait-time seconds    Change the timeout value for establishing a TCP session. Range: 5-300 seconds; default: 20.

Use the no ip tcp synwait-time command to restore the default value.

 This command applies to both IPv4 and IPv6 TCP.

Changing Window Size


The TCP receive buffer holds data received from the peer end until the application reads it. The window size advertised
in TCP packets generally reflects the free space in the receive buffer. For sessions with a large bandwidth-delay product
that carry a lot of data, a larger receive buffer noticeably improves TCP throughput. The send buffer holds data handed
over by the application. Each byte in the buffer has a sequence number, and bytes whose sequence numbers have been
acknowledged are removed from the send buffer. A larger send buffer improves the interaction between TCP and the
application and thus the performance. However, larger receive and send buffers make TCP consume more memory.

Command Function
Ruijie(config)# ip tcp window-size size    Change the size of the receive buffer and send buffer for TCP sessions. Range: 128 to 65535 << 14 bytes (65535 scaled by the maximum window-scale shift of 14); default: 65535.

Use the no ip tcp window-size command to restore the default value.

 This command applies to both IPv4 and IPv6 TCP.

This command doesn't apply to the existing TCP session; it only applies to the newly established TCP
session.

This command will apply to both the receiving buffer and sending buffer.

Sending the Reset Packet When the Port is Unreachable


This function is enabled by default.

Command Function
Ruijie(config)# ip tcp send-reset    Send a reset packet when a TCP packet arrives for a port that is unreachable (no listener).

Use the no ip tcp send-reset command to restore the default setting.

Disabling the reset makes closed ports look filtered to a port scanner, but it also makes legitimate clients that hit a
closed port wait for their own timeout instead of failing immediately.

The ip tcp not-send-rst command of RGOS 10.x is still accepted in RGOS 11.0 for compatibility. When you run it, it is
converted to the no ip tcp send-reset command automatically.
 This command applies to both IPv4 and IPv6 TCP.

Limiting the Maximum Segment Size of TCP Session


MSS (Maximum Segment Size) refers to the maximum size of the payload of a TCP packet, excluding TCP options.

During the three-way handshake for establishing a TCP session, one important job is to carry out MSS negotiation. Both
sides will insert MSS option into the SYN packet to indicate the maximum size of segment that can be received by the
local end, namely the maximum size of segment that can be sent by the remote end. Both sides will take the lower of the
MSS value sent locally and that received from the remote end as the maximum segment size of this session. The methods
for calculating the value of MSS option while sending SYN packet are shown below:

 Default MSS = Outgoing IPv4/v6 MTU- IPv4/v6 header-TCP header.


Generally speaking, if the MTU of the egress interface is governed by an application configured on it, such as a tunnel
or VPN interface, that application sets the interface MTU accordingly.

The calculated MSS cannot exceed the size of the receive buffer or the value configured with ip tcp mss; the lower of
them is used.

If the session uses certain TCP options, the option size after 4-byte alignment must also be subtracted from the MSS. For
example, the MD5 signature option is 18 bytes, which becomes 20 bytes after alignment.

The value obtained here is the value of the MSS option in the SYN packet sent. For example, a BGP adjacency is generally
established over a directly connected network and protected with TCP MD5, so the MSS of such a session over a 1500-byte
MTU is 1500-20-20-20=1440.

The ip tcp mss command limits the MSS of TCP sessions established after it is configured: the negotiated MSS cannot
exceed the configured value.
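The MSS computation spelled out above (MTU minus IP and TCP headers, minus aligned option sizes, capped by the receive buffer and by ip tcp mss, then the lower of the two advertised values wins) is small enough to check by hand, and the following Python functions do exactly that. This is an added example, not RGOS code; the header and option sizes are the standard ones, and the names are the example's own.

```python
from typing import Iterable, Optional

# Header sizes used by the MSS computation.
IPV4_HEADER = 20
IPV6_HEADER = 40
TCP_HEADER = 20

# TCP option sizes before 4-byte alignment. The MD5 signature option (RFC 2385)
# is 18 bytes on the wire and is padded to 20 inside the header.
OPTION_SIZES = {"md5": 18}


def aligned(size: int) -> int:
    """Round an option size up to a multiple of 4, as the TCP header layout requires."""
    return (size + 3) // 4 * 4


def local_mss(mtu: int, family: int = 4, options: Iterable[str] = (),
              recv_buffer: Optional[int] = None,
              configured_mss: Optional[int] = None) -> int:
    """MSS option value the local end puts in its SYN.

    Starts from MTU minus IP and TCP headers, subtracts the aligned size of every
    option this session will carry, then caps by the receive buffer and by the
    value configured with 'ip tcp mss' (if any).
    """
    if family not in (4, 6):
        raise ValueError("family must be 4 or 6")
    mss = mtu - (IPV4_HEADER if family == 4 else IPV6_HEADER) - TCP_HEADER
    for opt in options:
        mss -= aligned(OPTION_SIZES[opt])
    if recv_buffer is not None:
        mss = min(mss, recv_buffer)
    if configured_mss is not None:
        mss = min(mss, configured_mss)
    if mss <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for a TCP payload")
    return mss


def negotiated_mss(local_syn_mss: int, remote_syn_mss: int) -> int:
    """Both sides send at most the smaller of the two advertised values."""
    return min(local_syn_mss, remote_syn_mss)


if __name__ == "__main__":
    # The BGP-with-MD5 case from the text: 1500 - 20 - 20 - 20 = 1440.
    print("IPv4 BGP with MD5:", local_mss(1500, options=("md5",)))
    # Same MTU over IPv6 without options also lands on 1440 (40-byte IPv6 header).
    print("IPv6 plain:", local_mss(1500, family=6))
    # An 'ip tcp mss 1380' cap wins over the MTU-derived value.
    print("negotiated:", negotiated_mss(local_mss(1500, configured_mss=1380), 1460))
```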

Command Function
Ruijie(config)# ip tcp mss max-segment-size    Limit the maximum segment size of TCP sessions. Range: 68-10000 bytes.

Use the no ip tcp mss command to restore the default setting.

 This command applies to both IPv4 and IPv6 TCP.

Enabling PMTU Discovery


The TCP Path MTU (PMTU) is implemented as per RFC1191. This feature can improve the network bandwidth utilization
ratio. When the user uses TCP to transmit mass data, this feature can substantially enhance the transmission
performance.

Command Function
Ruijie(config)# ip tcp path-mtu-discovery [ age-timer minutes | age-timer infinite ]    Enable PMTU discovery.
    age-timer minutes: interval for further discovery after the PMTU is discovered. Range: 10-30 minutes. Default: 10.
    age-timer infinite: no further discovery after the PMTU is discovered.

According to RFC 1191, after discovering the PMTU, TCP may periodically try a larger MSS to discover a new, larger
PMTU; the interval is specified with the age-timer parameter. When the PMTU discovered by the device is smaller than the
negotiated MSS, the device tries to discover a larger PMTU at that interval. The discovery process does not end until the
PMTU reaches the MSS value or the user stops the timer. To turn off the timer, use the age-timer infinite parameter.

Use the no ip tcp path-mtu-discovery command to disable PMTU discovery.

 This command applies to only IPv4 TCP.

This command doesn't apply to the existing TCP session; it only applies to the newly established TCP
session.

Configuring the MSS Option Value of SYN Packets Sent and Received on the
Interface

When the client initiates a TCP session, it negotiates the maximum payload of TCP packets through the MSS option field
of TCP SYN packet. The MSS value of client's SYN packet implies the maximum payload of TCP packets sent by the
server, and vice versa.

As shown below, the PC may fail to access the server over HTTP: the PC and the server negotiate an MSS of 1460, but
1460-byte segments cannot pass between R1 and R2, which are connected through a tunnel whose MTU is lower than 1500.
If the ICMP fragmentation-needed messages from the routers are filtered somewhere on the path, path MTU discovery
cannot correct this either, and the full-size segments are silently lost.

Figure 1-1

In such a case, we can configure the following command on port (1) and port (2) of R2 to change the MSS option value of
SYN packet, so as to change the MSS value negotiated for the TCP session going through port (1) and port (2).

Command Function
Ruijie(config-if)# ip tcp adjust-mss max-segment-size    Configure the MSS option value of SYN packets sent and received on the interface. Range: 500-1460 bytes.
Ruijie(config-if)# ipv6 tcp adjust-mss max-segment-size    Set the MSS option value of TCPv6 SYN packets. Range: 1220-1440 bytes.

Use the no form of this command to remove the configuration. In such a case, the MSS option value of packets won't be
changed when the interface sends and receives SYN packets.

Configuring this command on the interface will change the MSS option of SYN packets received or sent by the interface to
the MSS value configured on the interface. It is suggested to configure the same value on the ingress interface and egress
interface, or else the MSS option of SYN packets going through the device will be changed to the lower of two values
configured.

 The MSS value of SYN+ACK packet won't be changed.

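What an interface configured with adjust-mss actually does to a passing SYN is rewrite one TCP option in place. The following Python code is an added example, not RGOS code: it builds a constructed SYN header, walks the TCP option list (kind, length, value, with END and NOP handled), clamps the MSS option to a configured maximum, and leaves SYN+ACK segments untouched as the note above states. It assumes clamp-only semantics (a value already below the maximum is left alone) and does not recompute the TCP checksum, which needs the IP pseudo-header a real device has at hand.

```python
import struct
from typing import Iterator, Optional, Tuple

TCP_FIXED_HEADER = 20
OPT_END, OPT_NOP, OPT_MSS = 0, 1, 2
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def build_syn(src_port: int, dst_port: int, mss: int, extra_options: bytes = b"") -> bytes:
    """Construct a TCP SYN header carrying an MSS option (checksum left at 0)."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + extra_options
    options += b"\x00" * (-len(options) % 4)          # pad to a 4-byte boundary
    data_offset = (TCP_FIXED_HEADER + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, FLAG_SYN, 65535, 0, 0)
    return fixed + options


def _walk_options(header: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) for each option in the TCP header, validating lengths."""
    data_offset = (header[12] >> 4) * 4
    if data_offset < TCP_FIXED_HEADER or data_offset > len(header):
        raise ValueError("invalid TCP data offset")
    off = TCP_FIXED_HEADER
    while off < data_offset:
        kind = header[off]
        if kind == OPT_END:
            return
        if kind == OPT_NOP:
            yield off, kind, 1
            off += 1
            continue
        if off + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = header[off + 1]
        if length < 2 or off + length > data_offset:
            raise ValueError("malformed TCP option length")
        yield off, kind, length
        off += length


def read_mss(header: bytes) -> Optional[int]:
    """Return the MSS option value carried by a TCP header, or None if absent."""
    for off, kind, length in _walk_options(header):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", header, off + 2)[0]
    return None


def adjust_mss(header: bytes, max_mss: int) -> bytes:
    """Clamp the MSS option of a SYN to max_mss, mimicking 'ip tcp adjust-mss'.

    Only pure SYN segments are touched; SYN+ACK and everything else pass through
    unchanged, as does a SYN without an MSS option. The checksum is not recomputed here.
    """
    flags = header[13]
    if not (flags & FLAG_SYN) or (flags & FLAG_ACK):
        return header
    out = bytearray(header)
    for off, kind, length in _walk_options(header):
        if kind == OPT_MSS and length == 4:
            current = struct.unpack_from("!H", header, off + 2)[0]
            if current > max_mss:
                struct.pack_into("!H", out, off + 2, max_mss)
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn(40000, 80, 1460)                  # constructed PC -> server SYN
    print("before:", read_mss(syn), "after:", read_mss(adjust_mss(syn, 1380)))
```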
Enabling the TCP Keepalive Function


The function is disabled by default.

Command Function
ip tcp keepalive [ interval num1 ] [ times num2 ] [ idle-period num3 ]    Enable the TCP keepalive function in global configuration mode.
    interval num1: interval between keepalive packets, 1 to 120 seconds. The default is 75.
    times num2: number of keepalive packets sent, 1 to 10. The default is 6.
    idle-period num3: idle time, the period during which the peer end sends no packet to the local end, 60 to 1800 seconds. The default is 900.
no ip tcp keepalive    Restore the default setting.

The keepalive function enables TCP to detect whether the peer end is operating properly.

Suppose the keepalive function is enabled with the default interval, times and idle-period settings. If TCP receives no
packet from the peer end for 900 seconds, it begins to send keepalive packets at an interval of 75 seconds. If the device
sends six consecutive keepalive packets without receiving any TCP packet from the peer end, the connection is considered
dead and is closed automatically; a silent peer is therefore detected after at most 900 + 6 x 75 = 1350 seconds. This
command applies to both IPv4 and IPv6 TCP.

The following example enables the TCP keepalive function on the device and sets the idle-period and interval to 180 and
60 seconds respectively. If the device sends four consecutive keepalive packets without receiving any TCP packet from the
peer end, the connection is considered dead, so a silent peer is detected after at most 180 + 4 x 60 = 420 seconds.

Ruijie(config)# ip tcp keepalive interval 60 times 4 idle-period 180



Monitoring and Maintenance

Command Function
Ruijie# show tcp connect    Display basic information about the current TCP sessions.
Ruijie# show tcp pmtu    Display information about TCP PMTU.
Ruijie# show tcp port    Display information about the current TCP ports.
Ruijie# show ipv6 tcp connect    Display information about the current IPv6 TCP connections.
Ruijie# show ipv6 tcp connect statistics    Display the current IPv6 TCP connection statistics.
Ruijie# show ipv6 tcp pmtu    Display information about IPv6 TCP PMTU.
Ruijie# show ipv6 tcp port    Display the current IPv6 TCP port status.
Configuration Guide Configuring IPv4/IPv6 REF

Configuring IPv4/IPv6 REF

Overview

To meet the needs of high-end devices, we currently use the "Prefix Tree + Adjacency" Express Forwarding model to
achieve fast forwarding. If a device only caches part of the core routing table, the central CPU has to repopulate cache
entries whenever a lookup misses. Express Forwarding instead maintains a mirror image of the entire core routing table, in
order to relieve CPU load and guarantee stable forwarding performance.

Express Forwarding uses the following two components to create the mirror image of routing table:

 Prefix Tree

This is an IP prefix tree organized for longest-match lookup of adjacent nodes. In practice, the data structure used to
build the Prefix Tree is generally different from the Radix Tree of the core routing table: a structure called an M-Tries
Tree is used for faster lookup. A Prefix Tree built as an M-Tries Tree consumes more memory than a Radix Tree, and
updating prefix and node information is comparatively time-consuming, but lookup performance is higher.

 Adjacency

An adjacent node holds the output interface information for routed packets, such as the next hop list, the next
processing unit and the link-layer output encapsulation. When a packet matches such an adjacent node, the packet is
encapsulated and forwarded by calling the node's transmit function. To facilitate lookup and update, adjacent nodes are
generally organized in a hash table. To support load balancing, the next-hop entries of adjacent nodes are organized into
a load balancing table. An adjacent node may carry no next-hop information, or may carry the index number of the next
processing unit (such as another line card or a multi-service card).

Express Forwarding comprises three steps:

1) Express Forwarding to de-encapsulate packets;


2) Use Prefix Tree to look up the next-hop adjacent node of packet route;
3) After matching to the next-hop adjacent node, the final egress interface of packets will be determined according to
the information of adjacent node, and packets will be encapsulated according to the type of egress interface.

IP packet forwarding is mainly performed by the switching chip. Therefore, the forwarding information needs to be
delivered to the chip through the API provided by the SSP in order to achieve hardware-based express forwarding. The IP
express-forwarding module is responsible for maintaining routing and forwarding information and configuring the lower
layer; it does not forward packets itself.

Configuring Express Forwarding Load Balancing Policy

Express forwarding supports load balancing of packets; two IP-address-based load balancing policies are currently
supported. In the EF model, when a route prefix IP/MASK is associated with multiple next hops (multipath routing), the
route is associated with a load balancing table and traffic is shared according to the weight of each path. When an IP
packet matches this load balancing table by longest prefix, Express Forwarding selects one of the paths according to a
hash of the packet's IP addresses.

 Load balancing per destination IP: only the destination address of the packet goes into the hash, so all packets to
the same destination take the same path regardless of source; a path with a greater weight receives a proportionally
larger share of flows. This is the default policy.
 Load balancing per destination IP and source IP: both addresses go into the hash, so flows from different sources to
the same destination can be spread over several paths; a path with a greater weight receives a proportionally larger
share of flows.
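The practical difference between the two policies is easiest to see by running a few constructed flows through a weighted path selector. The following Python code is an added example, not RGOS code: the hash is a deliberately simple toy (sum of the packed address bytes; real forwarding hardware uses a CRC or XOR fold), the policy names and function names are the example's own, and the weights model the load balancing table's slots.

```python
from ipaddress import ip_address
from typing import Dict, List, Tuple

# (next hop, weight): a path with a greater weight owns more slots of the hash space
# and therefore receives a proportionally larger share of flows.
Path = Tuple[str, int]


def flow_hash(*addresses: str) -> int:
    """Toy hash over the packed bytes of the given addresses (IPv4 or IPv6).
    Which addresses are passed in is the policy decision; the hash itself is not."""
    return sum(b for a in addresses for b in ip_address(a).packed)


def select_path(paths: List[Path], h: int) -> str:
    """Map a hash value onto the weighted path list."""
    total = sum(w for _, w in paths)
    if total <= 0:
        raise ValueError("no usable path")
    slot = h % total
    for nexthop, weight in paths:
        if slot < weight:
            return nexthop
        slot -= weight
    raise AssertionError("unreachable: slot is always below the total weight")


def forward(paths: List[Path], src: str, dst: str, policy: str = "dst") -> str:
    """Pick the next hop for one packet under the given load balancing policy."""
    if policy == "dst":
        return select_path(paths, flow_hash(dst))
    if policy == "src-dst":
        return select_path(paths, flow_hash(src, dst))
    raise ValueError(f"unknown policy {policy!r}")


def share(paths: List[Path], flows: List[Tuple[str, str]], policy: str) -> Dict[str, int]:
    """Count how many of the given (src, dst) flows land on each next hop."""
    counts = {nh: 0 for nh, _ in paths}
    for src, dst in flows:
        counts[forward(paths, src, dst, policy)] += 1
    return counts


if __name__ == "__main__":
    # Constructed multipath route with two equal-weight next hops.
    paths = [("10.1.1.1", 1), ("10.1.2.1", 1)]
    flows = [("192.168.1.10", "10.0.0.1"), ("192.168.1.11", "10.0.0.1")]
    print("dst only:   ", share(paths, flows, "dst"))      # both flows on one path
    print("src and dst:", share(paths, flows, "src-dst"))  # flows spread over both
```

With the default destination-only policy, every client talking to one server lands on the same link, which is what you want for per-destination path stability and what you do not want when one busy server is the whole workload; the source+destination policy spreads those flows at the cost of path changes when sources change.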

To configure load balancing policy, execute the following commands in global configuration mode:

Command Function
Ruijie(config)# ip ref load-sharing algorithm original    Configure the load balancing algorithm to hash on the source IP and destination IP pair.
Ruijie(config)# no ip ref load-sharing algorithm original    Disable the source IP + destination IP based load balancing algorithm and restore the default destination IP based algorithm.

The above commands are router-specific commands.

Express Forwarding table Maintenance and Monitoring

The express forwarding module only passively receives and maintains the external routing information, and will not
actively insert or delete any routing information. Therefore, express forwarding mainly provides the statistics of existing
routes.

To monitor and maintain the express forwarding table, the following commands are provided:

 Global statistics
 Adjacency table
 Packet forwarding path
 Routes in express forwarding table
 Synchronize express forwarding table to hardware forwarding table

Global Statistics
Global statistics refers to the data structure related information in the existing fast forwarding table, including the number
of existing routes, the number of adjacent nodes, the number of load balancing tables and the number of weighted nodes.

Command Function
Ruijie# show ip ref    Display statistics of the existing express forwarding table.

Adjacency Table
In the express forwarding table, the adjacency table is one of the important data structures. Execute the following
command to view the existing adjacency information:

Command Function
Ruijie# show ip ref adjacency [ glean | local | ip-address | interface interface_type interface_number | discard | statistics ]    Display information about the specified adjacent node or all adjacent nodes.

In the event of the following cases, the adjacency table will be used to forward packets.

 Direct route, such as 1.1.0.0/16 vlan1


 A route with longer mask than the direct route, such as 1.1.1.0/24 vlan2 2.2.2.2
 Neighbor with direct route, such as 1.1.1.1.

Packets with destination IP address being 1.1.1.1 will be forwarded according to the information of adjacency 1.1.1.1, as
1.1.1.1/32 is the longest match route.

Packet Forwarding Path


Packets are forwarded based on their IP addresses. Once the source IP address and destination IP address of a packet
are given, its forwarding path is fully determined. Executing the following command with a source IP and destination IP
displays the actual forwarding decision for such a packet, such as discarding it, sending it to the CPU, or forwarding
it, together with the interface through which it is forwarded.

Command Function
Ruijie# show ip ref exact-route [ oob | vrf vrf_name ] source_ipaddress dest_ipaddress    Display the IPv4 REF exact route.

The above commands are router-specific commands.

Routes in Express Forwarding Table


Express forwarding receives external route advertisement and maintains its own express forwarding table, which is a
mirror image of core routing table sharing same routing information. Execute the following commands to display relevant
routing information in the express forwarding table.

Command Function
Ruijie# show ip ref route [ oob | vrf vrf_name ] [ default | ip mask | statistics ]    Display routing information in the IPv4 REF table. If no route is specified, all routing information in the express forwarding table is displayed, including the default route and ordinary gateway routes.
Configuration Guide Configuring NAT

Configuring NAT

Overview

Before Network Address Translation (NAT) configuration, it is necessary to understand the allocation of internal local
addresses and internal global addresses. Perform the following configuration tasks according to different requirements.

 NAT-capable AP products include AP630 V1.0, AP5280 V1.0, AP4210 V1.0, AP3220-P V1.0, AP3220 V1.0,
AP120-W V1.0, AP530-I V1.5, AP530-I V1.0, AP330-I V2.0, AP330-I V1.X & AP320-I V2.0.

Configuring NAT

Configuring Static NAT for Internal Source Addresses


To enable an internal network to communicate with an external network, you need to configure NAT to translate internal
private IP addresses into a globally unique IP address. In this case, you can choose to configure static NAT or dynamic
NAT or even both of them.

Static NAT is to establish a one-to-one permanent mapping between internal local addresses and internal global
addresses. It is necessary when an external network uses a fixed global address to access hosts on an internal network.
To configure static NAT, run the following commands in global configuration mode:

Command Function
Ruijie(config)# ip nat inside source static local-address global-address [permit-inside] [vrf vrf_name]    Defines the static translation relationship of internal source addresses.
Ruijie(config)# interface interface-type interface-number    Enters interface configuration mode.
Ruijie(config-if)# ip nat inside    Defines the internal network the interface connects to.
Ruijie(config)# interface interface-type interface-number    Enters interface configuration mode.
Ruijie(config-if)# ip nat outside    Defines the external network the interface connects to.

The above configuration is the simplest one. You may configure several inside and outside interfaces.

Dynamic NAT establishes a temporary mapping between internal local addresses and the internal global address pool; the
mapping is deleted after a period of time. To configure dynamic NAT, run the following commands in global configuration mode:

Command Function

Ruijie(config)# ip nat pool address-pool start-address end-address {netmask mask | prefix-length prefix-length}
    Defines a global IP address pool.

Ruijie(config)# access-list access-list-number permit ip-address wildcard
    Defines an ACL. Only the IP addresses that match the ACL are translated.

Ruijie(config)# ip nat inside source list access-list-number pool address-pool [vrf vrf_name]
    Defines the dynamic translation relationship of internal source addresses.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat inside
    Defines the internal network the interface connects to.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat outside
    Defines the external network the interface connects to.

Only source addresses that match the ACL are translated. Note that the last rule of the ACL is an implicit deny
any statement. The ACL should not permit a wide range of IP addresses to be translated; otherwise, unexpected
results will occur.

Configuring NAPT for Internal Source Addresses


Traditional NAT generally defines a one-to-one mapping and therefore cannot give every host on an internal network
access to an external network. NAPT allows multiple internal local addresses to be mapped to one internal global
address.

NAPT is classified into static NAPT and dynamic NAPT. Static NAPT maps the designated port of a designated internal
host to a designated global port, whereas static NAT maps an internal address to a global address.

To configure static NAPT, run the following commands in global configuration mode:

Command Function

Ruijie(config)# ip nat inside source static {UDP | TCP} local-address port global-address port [permit-inside] [vrf vrf_name]
    Defines the static translation relationship of internal source addresses.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat inside
    Defines the internal network the interface connects to.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat outside
    Defines the external network the interface connects to.

The dynamic internal source address translation described in the previous section already performs dynamic NAPT for
internal source addresses. To configure it, run the following commands in global configuration mode:

Command Function

Ruijie(config)# ip nat pool address-pool start-address end-address {netmask mask | prefix-length prefix-length}
    Defines a global IP address pool. For NAPT, only one IP address is defined.

Ruijie(config)# access-list access-list-number permit ip-address wildcard
    Defines an ACL. Only the IP addresses that match the ACL are translated.

Ruijie(config)# ip nat inside source list access-list-number {[pool address-pool] | [interface interface-type interface-number]} overload [vrf vrf_name]
    Defines the dynamic translation relationship of source addresses. The translation effect is the same with or without overload, which is kept only for compatibility with mainstream manufacturers.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat inside
    Defines the internal network the interface connects to.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat outside
    Defines the external network the interface connects to.

NAPT may use the IP addresses in the address pool or directly use the IP address of the interface. Generally, one
address is enough to meet the address translation needs of a network, because a single address supports up to 64,512
translations. If addresses are insufficient, add IP addresses to the address pool.
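The ACL filter of the previous section and the per-address translation limit just described, as an added Python example that is not Ruijie code: it models a standard ACL with wildcard masks and an implicit deny any, the one-address pool of the net200 examples later on this page, port preservation where the local port is free, and the point at which a single global address has no ports left. wildcard_match, StandardAcl, NaptTable and the 1024..65535 port range are this example's own assumptions.

```python
import ipaddress

# Constructed model (not RGOS code) of the commands in this section:
#   access-list <n> permit <ip-address> <wildcard>      (implicit "deny any" at the end)
#   ip nat pool <name> <start> <end> netmask <mask>
#   ip nat inside source list <n> pool <name> overload  (dynamic NAPT)

NAPT_PORT_LOW = 1024      # assumption: translated ports are taken from 1024..65535
NAPT_PORT_HIGH = 65535
PORTS_PER_ADDRESS = NAPT_PORT_HIGH - NAPT_PORT_LOW + 1   # 64,512, the figure the guide gives


def wildcard_match(addr, base, wildcard):
    """Standard-ACL semantics: a 1 bit in the wildcard mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & (~w & 0xFFFFFFFF)) == 0


class StandardAcl:
    """Ordered permit entries; a source matching none of them hits the implicit deny any."""

    def __init__(self, entries):
        self.entries = [(base, wildcard) for base, wildcard in entries]

    def permits(self, addr):
        return any(wildcard_match(addr, b, w) for b, w in self.entries)

    def address_count(self):
        # Each permit entry covers 2**popcount(wildcard) addresses. Overlapping entries
        # are counted twice, which is acceptable for the breadth check below.
        return sum(2 ** bin(int(ipaddress.IPv4Address(w))).count("1")
                   for _, w in self.entries)

    def is_too_broad(self, max_addresses):
        """The guide warns against permitting a wide range; flag an ACL wider than max_addresses."""
        return self.address_count() > max_addresses


def pool_addresses(start, end):
    """Expand the start/end addresses of an ip nat pool into a list."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(s, e + 1)]


class NaptTable:
    """Dynamic NAPT for internal source addresses: many local (ip, port) pairs share
    one global address and are told apart by the translated port."""

    def __init__(self, acl, pool):
        self.acl = acl
        self.pool = list(pool)
        self.used = {ip: set() for ip in self.pool}        # allocated global ports
        self.cursor = {ip: NAPT_PORT_LOW for ip in self.pool}
        self.entries = {}   # (proto, local_ip, local_port) -> (global_ip, global_port)

    def _alloc_port(self, gip, wanted):
        used = self.used[gip]
        # Keep the local port when it is free, as in the guide's 2063 -> 2063 output.
        if NAPT_PORT_LOW <= wanted <= NAPT_PORT_HIGH and wanted not in used:
            used.add(wanted)
            return wanted
        p = self.cursor[gip]
        while p <= NAPT_PORT_HIGH and p in used:
            p += 1
        self.cursor[gip] = p
        if p > NAPT_PORT_HIGH:
            return None                     # this global address is out of ports
        used.add(p)
        self.cursor[gip] = p + 1
        return p

    def translate(self, proto, local_ip, local_port):
        """Return (global_ip, global_port) for a packet, or None when it is not translated."""
        if not self.acl.permits(local_ip):
            return None                     # source does not match the ACL: no NAT entry
        key = (proto, local_ip, local_port)
        if key in self.entries:
            return self.entries[key]        # an existing flow reuses its entry
        for gip in self.pool:
            port = self._alloc_port(gip, local_port)
            if port is not None:
                self.entries[key] = (gip, port)
                return self.entries[key]
        return None                         # every pool address is exhausted: add addresses


def net200_table():
    """The 'Reuse of Internal Global Addresses' example: ACL 1 and a one-address pool."""
    acl = StandardAcl([("192.168.12.0", "0.0.0.255")])
    return NaptTable(acl, pool_addresses("200.168.12.200", "200.168.12.200"))


if __name__ == "__main__":
    nat = net200_table()
    print(nat.translate("tcp", "192.168.12.65", 2063))    # ('200.168.12.200', 2063)
    print(nat.translate("tcp", "10.9.8.7", 2063))         # None: not permitted by ACL 1
```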

Configuring NAT Overlap


Address overlapping means that two private networks that need to interconnect are allocated the same IP addresses, or
that a private network and a public network are allocated the same global IP addresses. Hosts on two networks with
overlapping addresses cannot communicate, because each assumes that its counterpart is on the local network. NAT
overlap solves this problem by presenting the address of an external network host as that of a host on another
network, and vice versa.

NAT overlap configuration is divided into two parts: 1) internal source address translation; and 2) external source
address translation, which is needed only when the addresses of an external network overlap with those of the internal
network. Static NAT or dynamic NAT may be used for external source address translation.

To configure static NAT for external source addresses, run the following command in global configuration mode:

Command Function

Ruijie(config)# ip nat outside source static global-address local-address [vrf vrf_name]
    Defines the static translation relationship of external source addresses.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat inside
    Defines the internal network the interface connects to.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat outside
    Defines the external network the interface connects to.

Configuring TCP Load Balancing


When TCP traffic overload is detected on an internal host, more hosts can be deployed to share the TCP traffic, and NAT
can be used to balance the load among them. NAT creates a virtual host that corresponds to several real hosts providing
the TCP service, and the real destination addresses are polled in turn for load balancing. To configure destination
address polling, run the following commands in global configuration mode:

Command Function

Ruijie(config)# ip nat pool address-pool start-address end-address {netmask mask | prefix-length prefix-length}
    Defines an IP address pool. The IP addresses of all real hosts are included in the pool.

Ruijie(config)# access-list access-list-number permit ip-address wildcard
    Defines an ACL to match the IP address of a virtual host. The ACL should be an extended ACL used to match destination IP addresses.

Ruijie(config)# ip nat inside destination list access-list-number pool address-pool [vrf vrf_name]
    Defines the dynamic translation relationship of internal destination addresses.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat inside
    Defines the internal network the interface connects to.

Ruijie(config)# interface interface-type interface-number
    Enters interface configuration mode.

Ruijie(config-if)# ip nat outside
    Defines the external network the interface connects to.

Configuration Examples

Dynamic Translation of Internal Source Addresses


In the following configuration, local and global addresses are allocated from the NAT address pool net200, which
defines the address range 200.168.12.2 to 200.168.12.100. A NAT entry is created only for a packet whose internal
source address matches ACL 1.

!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.168.12.1 255.255.255.0
ip nat outside
!
ip nat pool net200 200.168.12.2 200.168.12.100 netmask 255.255.255.0
ip nat inside source list 1 pool net200
!
access-list 1 permit 192.168.12.0 0.0.0.255

Reuse of Internal Global Addresses


Reuse of internal global addresses is equivalent to NAPT. RGOS 8.1 and later versions automatically implement NAPT
for dynamic NAT. In the following configuration, local and global addresses are allocated from the NAT address pool
net200, which defines only one IP address, 200.168.12.200, that can be reused. A NAT entry is created only for a
packet whose internal source address matches ACL 1.

!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.168.12.200 255.255.255.0
ip nat outside
!
ip nat pool net200 200.168.12.200 200.168.12.200 netmask 255.255.255.0
ip nat inside source list 1 pool net200
access-list 1 permit 192.168.12.0 0.0.0.255

Whether correct NAT entries can be created can be checked by looking up the NAT mapping table.

Ruijie# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.168.12.200:2063 192.168.12.65:2063 168.168.12.1:23 168.168.12.1:23

Static NAPT for Internal Source Addresses


Static NAPT may be used to create a virtual server. Creating a virtual server here means setting up a server on the
internal network and mapping it to the external network through static NAPT, so that access to the server's global
address is diverted to the internal server.

The following example maps port 80 of the internal web server at 192.168.12.3 to port 80 of the global IP address
200.198.12.1. The configuration script is as follows:

!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.198.12.1 255.255.255.0
ip nat outside
!
ip nat inside source static tcp 192.168.12.3 80 200.198.12.1 80

For details, see the “Configuring a local server” section.

TCP Load Balancing


In the following configuration, a virtual host address is defined so that all TCP connections to this virtual host from
external networks are processed by multiple real hosts for load balancing. The pool realhosts defines the real host
addresses, and ACL 100 defines the IP address of the virtual host. Traffic from hosts on the external network must be
routed to this virtual host. The configuration applies only to TCP traffic. Note that an extended ACL must be
configured to match destination IP addresses.

!
interface FastEthernet 0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.198.12.1 255.255.255.0
ip nat outside
!
ip nat pool realhosts 10.10.10.2 10.10.10.3 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool realhosts
!
access-list 100 permit ip any host 10.10.10.100
!

Whether correct NAT entries can be created can be checked by looking up the NAT mapping table.

Ruijie# sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 10.10.10.100:23 10.10.10.2:23 100.100.100.100:1178 100.100.100.100:1178
tcp 10.10.10.100:23 10.10.10.3:23 200.200.200.200:1024 200.200.200.200:1024
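The rotary pool of the configuration above, as an added Python example that is not Ruijie code: TCP connections to the virtual host 10.10.10.100 are handed to 10.10.10.2 and 10.10.10.3 in turn, non-TCP traffic and traffic to other destinations are left untranslated, and the entries are rendered in the column layout of show ip nat translations. RotaryNat, pool_addresses and example_session are this example's own names.

```python
import itertools
import ipaddress

# Constructed model (not RGOS code) of the TCP load-balancing configuration above:
#   ip nat pool realhosts 10.10.10.2 10.10.10.3 netmask 255.255.255.0 type rotary
#   ip nat inside destination list 100 pool realhosts
#   access-list 100 permit ip any host 10.10.10.100


def pool_addresses(start, end):
    """Expand the start/end addresses of an ip nat pool into the real-host list."""
    s, e = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(s, e + 1)]


class RotaryNat:
    """Inside destination translation with a rotary pool: each new TCP connection
    to the virtual host is mapped to the next real host in the pool."""

    def __init__(self, virtual_host, real_hosts):
        self.virtual_host = virtual_host        # the host matched by extended ACL 100
        self.real_hosts = list(real_hosts)
        self._rotation = itertools.cycle(self.real_hosts)
        # (proto, outside_ip, outside_port, dst_port) -> real host address
        self.entries = {}

    def acl_100_permits(self, dst_ip):
        # "permit ip any host <virtual_host>", followed by the implicit deny any
        return dst_ip == self.virtual_host

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return the (inside_local_ip, port) the packet is forwarded to, or None
        when the packet is not subject to destination translation."""
        if proto != "tcp":                      # the guide: applies only to TCP traffic
            return None
        if not self.acl_100_permits(dst_ip):
            return None
        key = (proto, src_ip, src_port, dst_port)
        if key not in self.entries:             # first packet of a connection: poll the pool
            self.entries[key] = next(self._rotation)
        return (self.entries[key], dst_port)

    def translation_rows(self):
        """Rows in the column order of show ip nat translations:
        Pro, Inside global, Inside local, Outside local, Outside global."""
        rows = []
        for (proto, src_ip, src_port, dst_port), real in self.entries.items():
            outside = f"{src_ip}:{src_port}"
            rows.append(f"{proto} {self.virtual_host}:{dst_port} {real}:{dst_port} {outside} {outside}")
        return rows


def example_session():
    """Replay the two Telnet connections shown in the guide's output and return the table."""
    nat = RotaryNat("10.10.10.100", pool_addresses("10.10.10.2", "10.10.10.3"))
    nat.translate("tcp", "100.100.100.100", 1178, "10.10.10.100", 23)
    nat.translate("tcp", "200.200.200.200", 1024, "10.10.10.100", 23)
    return nat


if __name__ == "__main__":
    for row in example_session().translation_rows():
        print(row)
```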

Load balancing among Multiple Outside Interfaces


If several WAN ports of a device are used as outside interfaces, load is balanced among these WAN ports by bandwidth.
When one WAN port fails, its load is automatically routed to the remaining working ports. By default, load is
distributed according to the NAT global destination addresses. In the following example, load is balanced between two
WAN ports of an RSR series router:

1) Interface GigabitEthernet 0/0 connects to a telecom network.

2) Interface GigabitEthernet 0/1 connects to the education network.

The topology is as follows:



Figure 1

The configuration is as follows:

# Configure an ACL to allow internal network users to access internet.

access-list 99 permit 192.168.0.0 0.0.0.255

# Configure GigabitEthernet 0/2 to connect to the internal network.

interface GigabitEthernet 0/2


ip nat inside
ip address 10.29.0.253 255.255.255.0
!

# Configure a static IP address for WAN port 0 which connects to the telecom network.

interface GigabitEthernet 0/0


ip nat outside
ip address 218.4.53.238 255.255.255.0
!

# WAN port 1 connects to the education network.

interface GigabitEthernet 0/1


ip nat outside
ip address 172.16.253.18 255.255.255.0
!

# Configure a NAT address pool. NAT has multiple outside ports: when GigabitEthernet 0/0 is the outside port, the
# addresses matched to that interface are used with its address 218.4.53.238; when GigabitEthernet 0/1 is the outside
# port, the addresses matched to that interface are used with its address 172.16.253.18.

ip nat pool setup_build_pool prefix-length 24
address 61.155.18.17 61.155.18.18 match interface GigabitEthernet 0/0
address 210.28.160.100 210.28.160.110 match interface GigabitEthernet 0/1

# Enable internal source address translation of NAT.

ip nat inside source list 99 pool setup_build_pool

# Configure default routes so that traffic is sent to the two WAN ports.

ip route 0.0.0.0 0.0.0.0 FastEthernet 1/0 202.101.98.1


ip route 0.0.0.0 0.0.0.0 dialer 1
!

Configuring a Local Server


To configure a local server means to map one or more hosts to a network access server (NAS), so that users on the WAN
can access desired services. As shown in Figure 2, three servers (an FTP server, a web server, and an E-mail server) are
deployed on the internal network. It is expected that hosts on the WAN can access the three servers and common users
of the internal network can access Internet by using the gateway as a NAS. For Ruijie products, static NAT is used for
server access and dynamic NAT is used for Internet access.

Figure 2 Configuring a local server

To realize these functions, static NAT needs to be configured.

# Enter privileged user mode

Ruijie> enable

# Enter global configuration mode

Ruijie# config terminal


Enter configuration commands, one per line. End with CNTL/Z.

# Enter WAN port 0 configuration mode



Ruijie(config)#interface fastethernet 1/0

# Configure the IP address of the WAN port

Ruijie(config-if)# ip address 218.5.19.2 255.255.255.0

# Configure the WAN port as the connection-sharing Internet access port

Ruijie(config-if)# ip nat outside

# Enable the WAN port

Ruijie(config-if)# no shut

# Return to privileged EXEC mode

Ruijie(config-if)# end
Ruijie#

# The system prompts that the link to the WAN port is Up.

%LINK CHANGED: Interface FastEthernet 1/0, changed state to up


%LINE PROTOCOL CHANGE: Interface FastEthernet 1/0, changed state to UP
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.

# Enter LAN port configuration mode

Ruijie(config)# interface fastethernet 0/0

# Configure the IP address of the LAN port

Ruijie(config-if)# ip address 192.168.0.1 255.255.255.0

# Configure the LAN port as the connection-sharing internet access port

Ruijie(config-if)# ip nat inside

# Enable the LAN port

Ruijie(config-if)# no shut
Ruijie(config-if)# end
Ruijie#
%LINK CHANGED: Interface FastEthernet 0/0, changed state to up
%LINE PROTOCOL CHANGE: Interface FastEthernet 0/0, changed state to UP
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.

# Configure a default route for Internet access

Ruijie(config)# ip route 0.0.0.0 0.0.0.0 fastethernet 1/0 218.5.19.1



# Configure an ACL for NAT application

Ruijie(config)# access-list 1 permit any

# Configure a connection-sharing rule so that ordinary internal users can access the Internet through the device

Ruijie(config)#ip nat inside source list 1 interface fastethernet 1/0

# Configure static mapping of the FTP server

Ruijie(config)# ip nat inside source static tcp 192.168.0.2 20 218.5.19.2 20


Ruijie(config)# ip nat inside source static tcp 192.168.0.2 21 218.5.19.2 21

# Configure static mapping of the web server

Ruijie(config)# ip nat inside source static tcp 192.168.0.3 80 218.5.19.2 80

# Configure static mapping of the E-mail server

Ruijie(config)# ip nat inside source static tcp 192.168.0.4 25 218.5.19.2 25


Ruijie(config)# ip nat inside source static tcp 192.168.0.4 110 218.5.19.2 110
Ruijie(config)# end
Ruijie#
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.

# Configure a password for Telnet access

Ruijie(config)# line vty 0 4


Ruijie(config-line)# password remoteuser
Ruijie(config-line)# end
Ruijie#
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# enable secret private

# Configure a device name

Ruijie(config)# host RUIJIE


RUIJIE(config)# end
RUIJIE#

# Save the configuration

RUIJIE# write
Building configuration...
[OK]
RUIJIE#

# Verify the configuration

RUIJIE# show running-config


Building configuration...

Current configuration:
!
!
hostname NBR
!
!
!
access-list 1 permit any
!
!
interface FastEthernet 0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 218.5.19.2 255.255.255.0
ip nat outside
!
ip nat inside source list 1 interface FastEthernet 1/0
ip nat inside source static tcp 192.168.0.4 110 218.5.19.2 110
ip nat inside source static tcp 192.168.0.4 25 218.5.19.2 25
ip nat inside source static tcp 192.168.0.3 80 218.5.19.2 80
ip nat inside source static tcp 192.168.0.2 21 218.5.19.2 21
ip nat inside source static tcp 192.168.0.2 20 218.5.19.2 20
!
ip route 0.0.0.0 0.0.0.0 FastEthernet 1/0 218.5.19.1
!
line con 0
line vty 0 4
password remoteuser
login
!
end
RUIJIE#

NAT Configuration in case of multiple VRF instances


The following example shows NAT with multiple VRF instances. The same IP address may exist in different VRF instances
and must then be translated into different source IP addresses by NAT. In this case, you must specify the target VRF
of each NAT rule.

access-list 1 permit 192.168.12.0 0.0.0.255

ip vrf 1

ip vrf 2

interface FastEthernet 0/0


ip vrf forward 1
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 0/1
ip vrf forward 1
ip address 100.168.12.200 255.255.255.0
ip nat outside
!
interface FastEthernet 1/0
ip vrf forward 2
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/1
ip vrf forward 2
ip address 200.168.12.200 255.255.255.0
ip nat outside
!
ip nat pool net100 100.168.12.200 100.168.12.200 netmask 255.255.255.0
ip nat pool net200 200.168.12.200 200.168.12.200 netmask 255.255.255.0

ip nat inside source list 1 pool net100 vrf 1


ip nat inside source list 1 pool net200 vrf 2

Whether correct NAT entries can be created can be checked by looking up the NAT mapping table.

Ruijie# show ip nat translations vrf 1
Pro Inside global Inside local Outside local Outside global
tcp 100.168.12.200:2063 192.168.12.65:2063 168.168.12.1:23 168.168.12.1:23
Ruijie# show ip nat translations vrf 2
Pro Inside global Inside local Outside local Outside global
tcp 200.168.12.200:2063 192.168.12.65:2063 168.168.12.1:23 168.168.12.1:23

VPN NAT configuration example


On an MPLS network, NAT can be used to implement VRF traversal.

Figure 3

Configure MPLS

mpls ip

Configure PBR

route-map vrfdata permit 10


match ip address 150
set vrf data

Specify an ACL

ip access-list extended 100


10 permit ip 10.0.0.0 0.255.255.255 any
ip access-list extended 150
10 permit ip any 20.1.1.0 0.0.0.255

Configure VRF domains

ip vrf data
rd 200:1
route-target both 200:1
ip vrf v1
rd 100:1
route-target export 100:1
ip vrf v2
rd 100:2
route-target export 100:2

Deploy MPLS on a public network interface

interface GigabitEthernet 0/0


ip nat outside
ip ref
ip address 10.3.1.3 255.255.255.0
label-switching
mpls ip
duplex auto
speed auto

Configure PBR on a private network interface for NAT deployment

interface GigabitEthernet 0/1


ip vrf forwarding v1
ip nat inside
ip policy route-map vrfdata
ip ref
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet 0/1.1
encapsulation dot1Q 100
ip vrf forwarding v2
ip nat inside
ip policy route-map vrfdata
ip address 10.1.1.1 255.255.255.0

Configure the loopback interface for advertising routes

interface Loopback 0
ip ref
ip address 3.3.3.3 255.255.255.255
router bgp 100
bgp router-id 3.3.3.3
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback 0
address-family ipv4
neighbor 4.4.4.4 activate
exit-address-family
address-family vpnv4 unicast
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
neighbor 4.4.4.4 route-map hzb out
exit-address-family
address-family ipv4 vrf data
maximum-prefix 10000
network 0.0.0.0
redistribute connected
redistribute static
exit-address-family
address-family ipv4 vrf v1
maximum-prefix 10000
redistribute static
exit-address-family
address-family ipv4 vrf v2

maximum-prefix 10000
exit-address-family
router ospf 1
router-id 3.3.3.3
network 0.0.0.0 255.255.255.255 area 0
mpls router ldp
ldp router-id interface Loopback 0 force

Configure NAT to take effect on VRF data packets

ip nat pool abc 100.1.1.1 100.1.1.1 netmask 255.255.255.0


ip nat inside source static 10.1.1.2 100.1.1.1 vrf data

Specify a blackhole route

ip route vrf data 100.1.1.1 255.255.255.255 Null 0


RG-WLAN Series Access Point

RGOS Configuration Guide,

Release 11.1(5)B6

IP Routing Configuration
1. Configuring NSM

2. Configuring FPM
Configuration Guide Configuring NSM

Configuring NSM

IP Routing Configuration

Enabling IP Routing
By default, IPv4/IPv6 routing is enabled.

Command Function
Ruijie(config)# ip routing Enable IPv4 routing.

Use the no form of the corresponding command to disable IPv4/IPv6 routing.

Configuring Static Routes


Static routes are configured manually so that packets destined for a specified destination network follow a specified
path.

You can configure multiple static routes (up to the configured upper limit). Once the upper limit is reached, no more
static routes can be added.

To configure static routes, execute the following commands in the global configuration mode:

Command Function

Ruijie(config)# ip route network net-mask { ip-address | interface [ ip-address ] } [ distance ] [ tag tag ] [ permanent ] [ weight number ] [ disable | enable ]
    Configure IPv4 static routes.

Ruijie(config)# ipv6 route ipv6-prefix / prefix-length { ipv6-address | interface [ ipv6-address ] } [ distance ] [ tag tag ] [ weight number ]
    Configure IPv6 static routes.

Ruijie(config)# ip static route-limit number
    Configure the upper limit of IPv4 static routes.

Ruijie(config)# ipv6 static route-limit number
    Configure the upper limit of IPv6 static routes.

To delete static routes or cancel the upper limit of static routes, run the no form of the corresponding command.

Unless they are deleted, Ruijie products retain static routes permanently. However, a static route can be replaced by a
better route learned from a dynamic routing protocol, where a better route is one with a smaller administrative
distance. All routes, including static routes, carry an administrative distance. The following table shows the default
administrative distances of the route sources on Ruijie products:

Route source                  Default administrative distance

Directly connected networks   0
Static route                  1
OSPF route                    110
ISIS route                    115
RIP route                     120
Unreachable route             255

The static route redistribution shall be configured if the static routes are advertised by the dynamic routing
protocols such as RIP and OSPF.

When a port goes down, all routes through that port disappear from the routing table. A static route also disappears
from the routing table when the Ruijie product cannot find a forwarding route to its next-hop address.

By default, the weight of a static route is 1. To view static routes with a non-default weight, execute the show ip route
weight command. When there are load-balanced routes to a destination, the device distributes traffic according to their
weights: the higher the weight of a route, the more traffic it forwards. The WCMP limit is 32 on routers; on switches it
depends on the product model, because different chips support different weights. For the route weight supported by a
specific model, refer to the product specification.

When the sum of the weights of load-balanced routes exceeds the WCMP limit, the routes that exceed it do not take effect.
For example, if the WCMP limit on a device is 8, only the first of the following two static routes takes effect:

Ruijie(config)#ip route 10.0.0.0 255.0.0.0 172.0.1.2 weight 6
Ruijie(config)#ip route 10.0.0.0 255.0.0.0 172.0.1.4 weight 6
Ruijie(config)#show ip route 10.0.0.0
Routing entry for 10.0.0.0/8
Distance 1, metric 0
Routing Descriptor Blocks:
*172.0.1.2, generated by "static"
Ruijie(config)#show ip route weight
------------[distance/metric/weight]-----------
S 10.0.0.0/8 [1/0/6] via 172.0.1.2

The maximum number of static routes is 1024 by default. If the number of static routes configured exceeds the specified
upper limit, they will not be automatically deleted, but the addition will fail.

To view the configuration of IP route, execute the show ip route command to view the IP routing table. For details, refer
to Protocol-independent Command Configuration.

Configuring Default Route


Not every device has a complete network-wide routing table. So that every device can still route all packets, a common
practice is to give the powerful core router a complete routing table and to give the other devices a default route
pointing to that core router. Default routes can be distributed by dynamic routing protocols or configured manually on
every router.

Default routes can be generated in two ways: 1) manual configuration, as described in Configuring Static Routes above;
2) manually configuring the default network.

Most internal gateway routing protocols have a mechanism that transmits the default route to the entire
routing domain. The device that needs to transmit the default route must have a default route.
The transmission of the default route in this section applies only to the RIP routing protocol. The RIP always
notifies the “0.0.0.0/0” network as the default route to the routing domain.

To configure the default network, execute the following commands in global configuration mode:

Command Function

Ruijie(config)# ip default-network network Configure the default network.

Ruijie(config)# no ip default-network network Delete the default network.

To generate default routes by using the default-network command, the following condition must be met:
the default network is not a directly connected network, but is reachable in the routing table.
Under the same condition, RIP can also transmit the default route. Alternatively, a default route can be
provided by configuring a default static route or by learning the 0.0.0.0/0 route through other routing
protocols.

If the router has a default route, whether learned by a dynamic routing protocol or configured manually, the show ip
route command shows that route as the "gateway of last resort". A routing table may contain several alternative
default routes, but only the best one becomes the gateway of last resort.
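The selection rules of this section, as an added Python example that is not Ruijie code: the lowest administrative distance wins, equal-distance routes are installed only while their weights fit within the WCMP limit (the weight-6/weight-6 case above, with the limit of 8 used there), and the best 0.0.0.0/0 route becomes the gateway of last resort. Route, installed_routes, gateway_of_last_resort and WCMP_LIMIT = 8 are this example's own assumptions, as is keeping a later route that still fits after an earlier one was rejected.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model (not RGOS code) of how the routing table chooses between candidate
# routes for one prefix: lowest administrative distance wins; load-balanced routes of
# the winning source are installed in configuration order while their weight sum stays
# within WCMP_LIMIT.

DEFAULT_ADMIN_DISTANCE = {       # the table in this section
    "connected": 0, "static": 1, "ospf": 110, "isis": 115, "rip": 120, "unreachable": 255,
}
WCMP_LIMIT = 8                   # assumption: the limit used in the guide's weight example


@dataclass(frozen=True)
class Route:
    prefix: str                  # e.g. "10.0.0.0/8"; "0.0.0.0/0" is a default route
    source: str                  # a key of DEFAULT_ADMIN_DISTANCE
    next_hop: str
    weight: int = 1              # static routes default to weight 1
    distance: Optional[int] = None   # explicit [ distance ] given on ip route, if any

    def admin_distance(self):
        if self.distance is not None:
            return self.distance
        return DEFAULT_ADMIN_DISTANCE[self.source]


def installed_routes(candidates, wcmp_limit=WCMP_LIMIT):
    """Return the routes actually installed for one prefix, in configuration order."""
    if len({r.prefix for r in candidates}) != 1:
        raise ValueError("candidates must share one prefix")
    best = min(r.admin_distance() for r in candidates)
    winners = [r for r in candidates if r.admin_distance() == best]
    chosen, weight_sum = [], 0
    for r in winners:
        if weight_sum + r.weight > wcmp_limit:
            continue             # would exceed the WCMP limit: this route does not take effect
        chosen.append(r)
        weight_sum += r.weight
    return chosen


def gateway_of_last_resort(routing_table):
    """The best default route (0.0.0.0/0) in the table, or None when there is none."""
    defaults = [r for r in routing_table if r.prefix == "0.0.0.0/0"]
    if not defaults:
        return None
    return min(defaults, key=lambda r: r.admin_distance())


def show_ip_route_weight(routes):
    """Lines in the [distance/metric/weight] layout of show ip route weight (metric fixed at 0)."""
    code = {"static": "S", "connected": "C", "ospf": "O", "isis": "i", "rip": "R"}
    return [f"{code.get(r.source, '?')} {r.prefix} [{r.admin_distance()}/0/{r.weight}] via {r.next_hop}"
            for r in routes]


if __name__ == "__main__":
    guide_example = [
        Route("10.0.0.0/8", "static", "172.0.1.2", weight=6),
        Route("10.0.0.0/8", "static", "172.0.1.4", weight=6),
    ]
    for line in show_ip_route_weight(installed_routes(guide_example)):
        print(line)              # only the first route fits within the limit of 8
```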

Configuring the Number of Equivalent Routes


If the load balancing function is needed, you can set the number of equivalent routes for control. An equivalent route is an
alternative path to the same destination address. When there is only one equivalent route, one destination address can be
configured with only one route, and the load balancing function is cancelled.

Command Function
Ruijie(config)# maximum-paths number Limit the number of equivalent routes.

The upper limit of equivalent routes varies by product series. The upper limit is 32 for routers, while it depends on specific
chips for switches. During configuration, refer to the system prompt.

The no form of this command restores the default number of equivalent routes.

This command applies to both IPv4 and IPv6: after it is configured, the maximum number of equivalent paths to IPv4
destinations and to IPv6 destinations is the same configured value.

Route-Map Configuration

A route-map is a collection of filter policies for routing protocols and policy routing, independent of any particular
routing protocol. For routing protocols, a route-map filters and modifies routing information; for policy routing, it
controls packet forwarding.

Defining the Routing Map


To define the routing map, use the following command in the global configuration mode:

Command Function

Ruijie(config)# route-map route-map-name [ [ permit | deny ] sequence ]
    Define the routing map.

Ruijie(config)# no route-map route-map-name [ { permit | deny } sequence ]
    Remove the routing map.

When you configure the rules of a routing map, you can execute one or more match or set commands. If there is no
match command, everything is matched; if there is no set command, no action is taken.

Whether a routing map supports a given match or set command depends on the applications associated with the
routing map. The general rules are as follows:

• When you configure commands associated with a routing map, the system displays a prompt when the configured
match command or the set command is inapplicable to the applications associated with the routing map.
• When you configure a routing map, the match command, or the set command, the system displays a prompt when
any match command or set command is inapplicable to any application associated with the routing map.

The two instructions are inapplicable to associating policy routes with routing maps.

Route Redistribution

Configuring Route Redistribution


To support routers running multiple routing protocol processes, Ruijie products can redistribute routing information
from one routing process into another. For example, you can redistribute the routes of an OSPF routing area into a
RIP routing area, or those of a RIP routing area into an OSPF routing area. Routes can be redistributed among all IP
routing protocols.

In route redistribution, the routing maps are often used to enforce conditional control over the mutual route redistribution
between two routers.

To redistribute routes from one routing area to another and control route redistribution, execute the following commands in
the routing process configuration mode:

Command Function

Ruijie(config-router)# redistribute protocol [ process-id ] [ metric metric ] [ metric-type metric-type ] [ match internal | external type | nssa-external type ] [ tag tag ] [ route-map route-map-name ] [ subnets ]
    Set route redistribution. protocol (protocol type): bgp, connected, isis, rip, static.

Ruijie(config-router)# default-metric metric
    Set the default metric for all redistributed routes.

Route redistribution can easily cause routing loops, so use it with great care.

When route redistribution is configured in the OSPF routing process, redistributed routes are assigned a metric of
20 and the type Type-2 by default. This type is the least preferred route type in OSPF.

Configuring Default Route Distribution


To advertise a default route, the routing protocol must either import the default route into its process or be forced
to generate one.

To distribute the default route, execute the following commands in the routing process configuration mode:

Command | Function
Ruijie(config-router)# default-information originate [ always ] [ metric metric ] [ metric-type type ] [ route-map map-name ] | Introduce the default route to the routing protocol process and advertise the default route. always (optional): a default route is always introduced to the process no matter whether the default route exists in the local routing table or not. metric (optional): set the metric value for the introduced default route. metric-type (optional): set the default route type. route-map (optional): filter and set the default route.

To stop introducing the default route to the routing protocol process and advertising it, run the no form of the corresponding command.

Route Filtering Configuration


Route filtering is the process of controlling incoming and outgoing routes so that the router learns only the necessary and predictable routes, and advertises only the necessary and predictable routes to external trusted devices. Route leakage and inconsistency may affect the operation of the network. Particularly for telecom operator and financial service networks, it is essential to configure route filtering.

Controlling Route Updating Advertising

To prevent other routers or routing protocols from dynamically learning one or more routes, you can configure control over route update advertising to suppress the specified route updates.

To prevent route updating advertising, execute the following commands in the routing process configuration mode:

Command | Function
Ruijie(config-router)# distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name } out [ interface-type interface-number | protocol ] | Permit or deny some routes according to ACL rules. prefix: This keyword specifies the prefix list for filtering routes. The prefix list should be separately configured by using the ip prefix-list command.
Ruijie(config-router)# no distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name } out [ interface-type interface-number | protocol ] | Remove the configuration.

When you configure OSPF, you cannot specify an interface, and this feature applies only to the external routes of the OSPF routing area.

Controlling Route Updating Processing

To avoid processing specified routes carried in incoming route update packets, you can configure this feature. This feature does not apply to the OSPF routing protocol.

To control route updating processing, execute the following commands in the routing process configuration mode:

Command | Function
Ruijie(config-router)# distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name [ gateway prefix-list-name ] | gateway prefix-list-name } in [ interface-type interface-number ] | Permit or deny receiving distributed routes according to ACL rules. prefix: This keyword specifies the prefix list for filtering routes. The prefix list should be separately configured by using the ip prefix-list command. gateway: Use the prefix list to filter the distributed routes according to the source of the routes.
Ruijie(config-router)# no distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name [ gateway prefix-list-name ] | gateway prefix-list-name } in [ interface-type interface-number ] | Remove the configuration.

Configuration Examples

Example of Route-map Configuration


The routing map can be configured very flexibly and used for both route redistribution and policy-based routing. No matter how the routing map is used, the configuration principle is the same; only the command sets differ. Even when it is used for route redistribution, different routing protocols can use different commands with the routing map.

In the following example, the OSPF routing protocol redistributes only the RIP routes whose metric (hop count) is 4. In the OSPF routing area, the type of these routes is external type-1, the initial metric is 40, and the route tag is 40.

# Configure OSPF

Ruijie(config)# router ospf 1
Ruijie(config-router)# redistribute rip subnets route-map redrip
Ruijie(config-router)# network 192.168.12.0 0.0.0.255 area 0

# Configure the access control list

Ruijie(config)# access-list 10 permit 200.168.23.0 0.0.0.255

# Configure the routing map

Ruijie(config)# route-map redrip permit 10
Ruijie(config-route-map)# match metric 4
Ruijie(config-route-map)# set metric 40
Ruijie(config-route-map)# set metric-type type-1
Ruijie(config-route-map)# set tag 40

In the following configuration example, the RIP routing protocol redistributes only the OSPF routes whose tag is 10, and their initial metric is 10.

# Configure RIP

Ruijie(config)# router rip
Ruijie(config-router)# version 2
Ruijie(config-router)# redistribute ospf 1 route-map redospf
Ruijie(config-router)# network 200.168.23.0

# Configure routing map

Ruijie(config)# route-map redospf permit 10
Ruijie(config-route-map)# match tag 10
Ruijie(config-route-map)# set metric 10

In the following configuration example, the OSPF routing protocol redistributes the RIP routes. Because the route map contains rules that this route-map application does not support, messages are printed after the route map is applied to redistribution, indicating that the application does not support the corresponding rules.

# Configure route-map

Ruijie(config)# route-map redrip permit 10
Ruijie(config-route-map)# match length 1 3
Ruijie(config-route-map)# match route-type external
Ruijie(config-route-map)# set level backbone

# Configure OSPF

Ruijie(config)# router ospf 1
Ruijie(config-router)# redistribute rip subnets route-map redrip
% ospf redistribute rip not support match length
% ospf redistribute rip not support match route-type
% ospf redistribute rip not support set level backbone
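A small Python model of the route-map semantics shown in the three examples above: the first matching sequence decides, a route matching no sequence is denied, set clauses are applied only on permit, and a per-application rule check produces the "% ... not support" messages. This is an added illustration, not Ruijie code; the SUPPORTED table is an assumption derived only from the rules the examples above accept or reject, and the RIP routes are constructed sample input.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

App = Tuple[str, str]   # (destination protocol, source protocol), e.g. ("ospf", "rip")

# Match/set rules each redistribution application accepts. Assumed subset,
# derived only from the examples on this page; the real lists are longer.
SUPPORTED: Dict[App, Dict[str, set]] = {
    ("ospf", "rip"): {"match": {"metric", "tag"},
                      "set": {"metric", "metric-type", "tag"}},
    ("rip", "ospf"): {"match": {"metric", "tag"},
                      "set": {"metric", "tag"}},
}


@dataclass
class Route:
    prefix: str
    metric: int
    tag: int = 0
    metric_type: str = "type-2"   # OSPF default for redistributed routes


@dataclass
class Sequence:
    """One 'route-map NAME permit|deny SEQ' block with its match/set lines."""
    action: str
    matches: Dict[str, object] = field(default_factory=dict)
    sets: Dict[str, object] = field(default_factory=dict)


def check_rules(app: App, rmap: List[Sequence]) -> List[str]:
    """Warnings for rules the application rejects, in the page's '%' format."""
    allowed = SUPPORTED[app]
    warnings = []
    for seq in rmap:
        for rule in seq.matches:
            if rule not in allowed["match"]:
                warnings.append(f"% {app[0]} redistribute {app[1]} not support match {rule}")
        for rule, value in seq.sets.items():
            if rule not in allowed["set"]:
                warnings.append(f"% {app[0]} redistribute {app[1]} not support set {rule} {value}")
    return warnings


def _matches(app: App, route: Route, seq: Sequence) -> bool:
    """All supported match clauses must hold; unsupported ones are ignored."""
    for rule, value in seq.matches.items():
        if rule not in SUPPORTED[app]["match"]:
            continue
        if rule == "metric" and route.metric != value:
            return False
        if rule == "tag" and route.tag != value:
            return False
    return True


def apply_route_map(app: App, rmap: List[Sequence], route: Route) -> Optional[Route]:
    """First matching sequence decides; no match at all means implicit deny."""
    for seq in rmap:
        if not _matches(app, route, seq):
            continue
        if seq.action == "deny":
            return None
        new = replace(route)          # copy: the source protocol's route is untouched
        for rule, value in seq.sets.items():
            if rule == "metric":
                new.metric = value
            elif rule == "metric-type":
                new.metric_type = value
            elif rule == "tag":
                new.tag = value
        return new
    return None


def redistribute(app: App, rmap: List[Sequence], routes: List[Route]):
    """Return (routes injected into the destination protocol, warning lines)."""
    injected = [r for r in (apply_route_map(app, rmap, x) for x in routes) if r]
    return injected, check_rules(app, rmap)


# Constructed inputs mirroring the first and third examples above.
REDRIP = [Sequence("permit", {"metric": 4},
                   {"metric": 40, "metric-type": "type-1", "tag": 40})]
BAD_REDRIP = [Sequence("permit", {"length": (1, 3), "route-type": "external"},
                       {"level": "backbone"})]
RIP_ROUTES = [Route("200.168.23.0/24", metric=4), Route("10.1.0.0/16", metric=2)]

if __name__ == "__main__":
    routes, warns = redistribute(("ospf", "rip"), REDRIP, RIP_ROUTES)
    print(routes)   # only 200.168.23.0/24, now metric 40 / type-1 / tag 40
    print("\n".join(redistribute(("ospf", "rip"), BAD_REDRIP, RIP_ROUTES)[1]))
```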

Example of Static Route Redistribution


Configuration requirements

One router exchanges route information with other routers via the RIP. In addition, there are three static routes. The RIP is
only allowed to redistribute two routes: 172.16.1.0/24 and 192.168.1.0/24.

Detailed Configurations of the Routers

This is a common distribution-list-based route filtering configuration example in practice. Note that no metric is specified for the routes to be redistributed in the following configuration; because static routes are redistributed, RIP assigns the metric automatically. In the RIP configuration, the version must be specified and route aggregation must be disabled, because the access list permits the 172.16.1.0/24 route. To advertise this route, RIP must support classless routes, and the route must not be aggregated to the 172.16.0.0/16 network.

# Configure the static route

Ruijie(config)# ip route 172.16.1.0 255.255.255.0 172.200.1.2
Ruijie(config)# ip route 192.168.1.0 255.255.255.0 172.200.1.2
Ruijie(config)# ip route 192.168.2.0 255.255.255.0 172.200.1.4

# Configure RIP

Ruijie(config)# router rip
Ruijie(config-router)# version 2
Ruijie(config-router)# redistribute static
Ruijie(config-router)# network 192.168.34.0
Ruijie(config-router)# distribute-list 10 out static
Ruijie(config-router)# no auto-summary

# Configure the extended ACL

Ruijie(config)# access-list 10 permit 192.168.1.0
Ruijie(config)# access-list 10 permit 172.16.1.0
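An added Python model (not Ruijie code) of the distribute-list filtering in this example, showing why no auto-summary is required: access-list 10 matches 172.16.1.0 exactly, so that route survives the filter only if it is not summarised to 172.16.0.0/16. The classful summarisation function is a simplification that assumes every advertised route crosses a major-network boundary, as on the 192.168.34.0 link above; the static routes and ACL entries are the ones configured above.

```python
import ipaddress
from typing import List, Tuple

# Standard ACL entry: (action, network, wildcard). An entry written without a
# wildcard, as in 'access-list 10 permit 192.168.1.0', means wildcard 0.0.0.0
# (exact match), and every ACL ends with an implicit deny.
AclEntry = Tuple[str, str, str]


def acl_permits(acl: List[AclEntry], prefix: str) -> bool:
    """Evaluate the network address of `prefix` against a standard ACL."""
    addr = int(ipaddress.ip_network(prefix, strict=False).network_address)
    for action, network, wildcard in acl:
        net = int(ipaddress.ip_address(network))
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # bits that must match
        if addr & care == net & care:
            return action == "permit"
    return False  # implicit deny at the end of the list


def classful_summary(prefix: str) -> str:
    """Classful network RIP auto-summary would advertise for `prefix` when the
    route is sent across a major-network boundary (simplified model)."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def rip_advertises(static_routes: List[str], acl: List[AclEntry],
                   auto_summary: bool) -> List[str]:
    """Routes RIP sends after 'redistribute static' + 'distribute-list ACL out static'."""
    advertised = []
    for prefix in static_routes:
        candidate = classful_summary(prefix) if auto_summary else prefix
        if acl_permits(acl, candidate) and candidate not in advertised:
            advertised.append(candidate)
    return advertised


# Constructed to match the static routes and access-list 10 configured above.
STATIC_ROUTES = ["172.16.1.0/24", "192.168.1.0/24", "192.168.2.0/24"]
ACL_10 = [("permit", "192.168.1.0", "0.0.0.0"), ("permit", "172.16.1.0", "0.0.0.0")]

if __name__ == "__main__":
    print(rip_advertises(STATIC_ROUTES, ACL_10, auto_summary=False))  # both wanted routes
    print(rip_advertises(STATIC_ROUTES, ACL_10, auto_summary=True))   # 172.16.1.0/24 is lost
```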

Example of Dynamic Route Protocol Redistribution


Configuration requirements

The connection among four routers is shown in Figure-1. Router A belongs to the OSPF routing area, Router C belongs to the RIP routing area, Router D belongs to the BGP routing area, and Router B is connected to all three routing areas. Router A advertises the two routes 192.168.10.0/24 and 192.168.100.1/32, Router C advertises the network routes 200.168.3.0/24 and 200.168.30.0/24, and Router D advertises the network routes 192.168.4.0/24 and 192.168.40.0/24.

Figure-1 Example of Dynamic Routing Protocol Redistribution

On Router B, OSPF redistributes the RIP routes as Type-1 routes and redistributes the BGP routes carrying the community attribute 11:11. RIP redistributes the 192.168.10.0/24 route from the OSPF routing area with a metric of 3, and advertises a default route to the RIP routing area.

Detailed Configurations of the Routers

When routing protocols redistribute routes among themselves, simple route filtering can be controlled by the distribution list. However, different attributes must be set for different routes, which the distribution list cannot do, so the routing map must be configured for this control. The routing map provides more control functions than the distribution list, but it is more complex to configure. Therefore, for a simple router configuration, do not use the routing map if possible. The following example does not use the routing map.

Router A configuration:

# Configure the network interface

Ruijie(config)# interface gigabitEthernet 0/0
Ruijie(config-if)# ip address 192.168.10.1 255.255.255.0
Ruijie(config)# interface loopback 1
Ruijie(config-if)# ip address 192.168.100.1 255.255.255.255
Ruijie(config-if)# no ip directed-broadcast
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.12.1 255.255.255.0

# Configure the OSPF

Ruijie(config)# router ospf 12
Ruijie(config-router)# network 192.168.10.0 0.0.0.255 area 0
Ruijie(config-router)# network 192.168.12.0 0.0.0.255 area 0
Ruijie(config-router)# network 192.168.100.0 0.0.0.255 area 0

Router B configuration:

# Configure the network interface

Ruijie(config)# interface gigabitEthernet 0/0
Ruijie(config-if)# ip address 192.168.12.2 255.255.255.0
Ruijie(config)# interface Serial 1/0
Ruijie(config-if)# ip address 192.168.23.2 255.255.255.0
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.24.2 255.255.255.0

# Configure the OSPF and set the redistribution route type

Ruijie(config)# router ospf 12
Ruijie(config-router)# redistribute rip metric 100 metric-type 1 subnets
Ruijie(config-router)# network 192.168.12.0 0.0.0.255 area 0

# Configure the RIP and use the distribution list to filter the redistributed routes

Ruijie(config)# router rip
Ruijie(config-router)# redistribute ospf 12 metric 3
Ruijie(config-router)# network 192.168.23.0
Ruijie(config-router)# distribute-list 10 out ospf
Ruijie(config-router)# no auto-summary

# Configure the BGP

Ruijie(config)# router bgp 2
Ruijie(config-router)# neighbor 192.168.24.4 remote-as 4
Ruijie(config-router)# address-family ipv4
Ruijie(config-router-af)# neighbor 192.168.24.4 activate
Ruijie(config-router-af)# neighbor 192.168.24.4 send-community

# Configure the route-map

Ruijie(config)# route-map ospfrm
Ruijie(config-route-map)# match community cl_110

# Define the access list

Ruijie(config)# access-list 10 permit 192.168.10.0

# Define the community list

Ruijie(config)# ip community-list standard cl_110 permit 11:11

Router C configuration:

# Configure the network interface

Ruijie(config)# interface gigabitEthernet 0/0
Ruijie(config-if)# ip address 192.168.30.1 255.255.255.0
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.3.1 255.255.255.0
Ruijie(config)# interface serial 1/0
Ruijie(config-if)# ip address 192.168.23.3 255.255.255.0

# Configure the RIP

Ruijie(config)# router rip
Ruijie(config-router)# network 192.168.23.0
Ruijie(config-router)# network 192.168.3.0
Ruijie(config-router)# network 192.168.30.0

Router D configuration:

# Configure the network interface

Ruijie(config)# interface gigabitEthernet 0/0
Ruijie(config-if)# ip address 192.168.40.1 255.255.255.0
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.4.1 255.255.255.0
Ruijie(config)# interface serial 1/0
Ruijie(config-if)# ip address 192.168.24.4 255.255.255.0

# Configure the BGP

Ruijie(config)# router bgp 4
Ruijie(config-router)# neighbor 192.168.24.2 remote-as 2
Ruijie(config-router)# redistribute connected route-map bgprm
Ruijie(config-router)# address-family ipv4
Ruijie(config-router-af)# neighbor 192.168.24.2 activate
Ruijie(config-router-af)# neighbor 192.168.24.2 send-community

# Configure the route-map

Ruijie(config)# route-map bgprm
Ruijie(config-route-map)# match community 22:22

OSPF routes found on router A:

O E1 192.168.30.0/24 [110/101] via 192.168.12.2, 00:04:07, FastEthernet0/1
O E1 192.168.3.0/24 [110/101] via 192.168.12.2, 00:04:07, FastEthernet0/1

RIP routes found on Router C:

R 192.168.10.0/24 [120/2] via 192.168.23.2, 00:00:00, Serial1/0
R 192.168.10.0/24 [120/2] via 192.168.23.2, 00:00:00, Serial1/0
Configuration Guide Configuring FPM

Configuring FPM

Overview

The flow platform (FPM) is a platform for the acceleration of packet service processing. Because IP packets have the flow
attribute, the FPM provides services with the function to identify the flow attribute of IP packets before service processing,
so as to improve service processing efficiency. The FPM is a fundamental platform. It is loaded upon system startup. The
configuration commands described in this document are provided to implement FPM configuration and management. In
general, the default configuration of the FPM can already meet practical requirements.

The following sections describe the FPM only.

Protocols and Standards

N/A

Applications

Application | Description
Configuring the packet receiving threshold | A standalone device serves as the gateway to forward packets.
Configuring loose TCP status check | Perform active/standby switchover in the AS environment.

Configuring the Packet Receiving Threshold

Scenario

When the device receives a large number of repeated TCP connection requests in a local area network (LAN) but no handshake response packets arrive from the peer, no legitimate connection can be established. In this case, an attack is probably in progress. You can perform FPM configuration to restrict the number of TCP connection requests, so as to effectively defend against such attacks.

Corresponding Protocols

 Enable the strict packet status tracing function on the forwarding device.

 Configure a low TCP-SYN-SENT packet threshold.



Configuring Loose TCP Status Check

Scenario

Loose TCP status check should be configured on the device to prevent flow interruption during active/standby switchover
of the device. Then a connection can be established and packets can be forwarded as long as one end sends an ACK
packet, so that the connection is not interrupted at all during the active/standby switchover.

Corresponding Protocols

 Configure loose TCP status check on the backup device.

Features

Basic Concepts

Flow Entry

A flow entry, as a physical resource for the device to identify and manage all connections of an IP session, records basic
information about the current IP session. The corresponding protocols include ICMP, TCP, UDP, and RAWIP.

Overview

Feature | Description
Transparent transmission when the flow table is full | This feature ensures that the existing flows are not interrupted when the flow table is full.
Flow entry aging | This feature reclaims invalid flow entries.
Number of packets permitted in a flow | This feature prevents IP packet flooding attacks.
TCP status tracing | This feature filters out packets on illegitimate TCP connections.
Strict packet status tracing | This feature performs packet threshold check.
Loose TCP status check | This feature allows the establishment of a connection with only ACK packets.

Transparent Transmission of Packets When the Flow Table Is Full

Working Principle

The acceleration of IP service processing relies on a flow table. Flow table resources are configured according to the
current product hardware configuration and generally can meet application requirements in an application environment. In
some extreme environments, however, flow table resources could be exhausted, causing the failure to establish flows.
With this feature, packets are transparently transmitted instead of establishing any flow on wireless products when the
flow table is full, and service processing is not accelerated, thereby ensuring that service flows are not interrupted.

Flow Entry Aging

Working Principle

The aging of a flow entry means that the device actively withdraws the flow entry when there has been no data exchange for a certain period of time. If a session attack occurs, the flow table fills up and sessions can no longer be established; flow table aging is designed to solve this problem. For flow entries of different data types, the aging time should be set according to actual service requirements, and for flows of different service data types, different aging times should be set according to the states of the flows. For example, the aging time of a TCP flow in SYN status differs from that of a TCP flow in ESTABLISH status. As another example, when a port scanning attack occurs on a network, a large amount of the system's flow table resources is occupied; appropriate aging times can then be configured for the flows established on these connections according to their states, so as to reclaim flow entries effectively and avoid flow interruption. Configuring appropriate aging times helps to reduce "useless" flow entries in the flow table while meeting the requirement for exchanging service data flows.

Number of Packets Permitted in a Flow

Working Principle

For each flow in the current status, there is a counter that records the number of packets processed in the flow. An
attacker may send a large number of packets of a certain type to wage a traffic attack, in which case other types of
packets cannot be processed in time. You can configure the number of packets permitted to pass in a flow in a certain
status, so as to solve this problem and meet the requirement for exchanging service data flows.

TCP Status Tracing

Working Principle

A complete handshake process is required for the establishment of a TCP connection; otherwise, the connection is illegitimate or the packets are attack packets. The FPM needs to trace the states of TCP connections, so as to distinguish flows established over TCP connections in various states and determine whether the connections are legitimate. In some special scenarios such as asymmetrical routing, however, the states of TCP connections cannot be traced, so this function should be disabled.

Packet Threshold for Flows in Various States

Working Principle

For a flow in a certain status established over a connection, there is an upper limit on the number of packets permitted on
the legitimate connection. If this upper limit is exceeded, a packet flooding attack probably occurs, occupying the
forwarding resources of the system. Therefore, you can configure a packet threshold for flows in various states so as to
effectively defend against such attacks.

Loose TCP Status Check

Working Principle

A complete handshake process is required for the establishment of a legitimate TCP connection. In some cases such as active/standby switchover, however, the handshake for the current TCP connection has probably already been performed, but the device holds no corresponding state information. In such cases, the system should require only ACK packets. For this purpose, the FPM provides loose TCP status check.
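An added Python model (not Ruijie's implementation) of the flow-table behaviour described in the working-principle sections above: per-state aging, per-state packet thresholds enforced by strict packet status tracing, TCP status tracing of the handshake, and loose TCP status check. The state names, default timeouts and thresholds are those from the ip session timeout and ip session threshold tables on this page; the state-transition logic, the flow key and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Default aging times (seconds) and packet thresholds per flow state, copied
# from the 'ip session timeout' and 'ip session threshold' tables on this page.
TIMEOUT = {"tcp-syn-sent": 10, "tcp-syn-receive": 10, "tcp-established": 1800,
           "icmp-started": 10}
THRESHOLD = {"tcp-syn-sent": 10, "tcp-syn-receive": 20, "icmp-started": 300}


@dataclass
class FlowEntry:
    state: str
    last_seen: float
    packets: int = 1           # packets seen while in the current state


@dataclass
class FlowTable:
    """Simplified FPM flow table (added model, not Ruijie's implementation)."""
    tcp_tracing: bool = False  # ip session tcp-state-inspection-enable
    strict: bool = False       # ip session track-state-strictly
    loose: bool = False        # ip session tcp-loose
    timeout: Dict[str, int] = field(default_factory=lambda: dict(TIMEOUT))
    threshold: Dict[str, int] = field(default_factory=lambda: dict(THRESHOLD))
    flows: Dict[tuple, FlowEntry] = field(default_factory=dict)

    @staticmethod
    def key(proto, src, sport, dst, dport) -> tuple:
        # Direction-independent key so that replies hit the same entry.
        return (proto,) + tuple(sorted(((src, sport), (dst, dport))))

    def age(self, now: float) -> int:
        """Reclaim entries idle for longer than the aging time of their state."""
        expired = [k for k, f in self.flows.items()
                   if now - f.last_seen > self.timeout.get(f.state, 10)]
        for k in expired:
            del self.flows[k]
        return len(expired)

    def _initial_state(self, proto: str, flags: Tuple[str, ...]) -> Optional[str]:
        if proto != "tcp":
            return f"{proto}-started"
        if "SYN" in flags and "ACK" not in flags:
            return "tcp-syn-sent"
        if not self.tcp_tracing or (self.loose and "ACK" in flags):
            return "tcp-established"   # no handshake required, or loose check
        return None                    # tracing on and no SYN seen: illegitimate

    @staticmethod
    def _next_state(state: str, flags: Tuple[str, ...]) -> str:
        if state == "tcp-syn-sent" and {"SYN", "ACK"} <= set(flags):
            return "tcp-syn-receive"
        if state == "tcp-syn-receive" and "ACK" in flags:
            return "tcp-established"
        return state

    def process(self, now, proto, src, sport, dst, dport, flags=()) -> bool:
        """Handle one packet; return True if forwarded, False if dropped."""
        self.age(now)
        k = self.key(proto, src, sport, dst, dport)
        flow = self.flows.get(k)
        if flow is None:
            state = self._initial_state(proto, flags)
            if state is None:
                return False
            self.flows[k] = FlowEntry(state, now)
            return True
        flow.last_seen = now
        new_state = self._next_state(flow.state, flags)
        flow.packets = 1 if new_state != flow.state else flow.packets + 1
        flow.state = new_state                     # counter restarts per state
        limit = self.threshold.get(flow.state)
        # Strict packet status tracing drops packets over the per-state threshold.
        return not (self.strict and limit is not None and flow.packets > limit)


def icmp_flood(strict: bool, packets: int, limit: int = 10) -> int:
    """Replay one ICMP flow under 'threshold icmp-started 10'; return packets forwarded."""
    ft = FlowTable(strict=strict)
    ft.threshold["icmp-started"] = limit
    return sum(ft.process(i * 0.01, "icmp", "10.0.0.5", 0, "10.0.0.1", 0)
               for i in range(packets))


def half_open_aging() -> Tuple[bool, bool]:
    """Return (half-open SYN entry alive, completed handshake entry alive) 11 s later."""
    ft = FlowTable(tcp_tracing=True)
    ft.process(0.0, "tcp", "10.0.0.5", 40000, "10.0.0.1", 80, ("SYN",))
    ft.process(0.0, "tcp", "10.0.0.5", 40001, "10.0.0.1", 80, ("SYN",))
    ft.process(0.1, "tcp", "10.0.0.1", 80, "10.0.0.5", 40001, ("SYN", "ACK"))
    ft.process(0.2, "tcp", "10.0.0.5", 40001, "10.0.0.1", 80, ("ACK",))
    ft.age(11.0)
    return (ft.key("tcp", "10.0.0.5", 40000, "10.0.0.1", 80) in ft.flows,
            ft.key("tcp", "10.0.0.5", 40001, "10.0.0.1", 80) in ft.flows)


def lone_ack(loose: bool) -> bool:
    """With tracing on, a flow that starts with a bare ACK passes only under loose check."""
    ft = FlowTable(tcp_tracing=True, loose=loose)
    return ft.process(0.0, "tcp", "10.0.0.5", 40002, "10.0.0.1", 443, ("ACK",))
```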

Configuration

Configuration | Description and Command
Configuring the Functions of the FPM | (Optional) It is used to manage FPM.
ip session direct-trans-disable | Disables the function to transparently transmit packets when the flow table is full.
ip session timeout | Configures the flow entry aging time.
ip session threshold | Configures the number of packets that can be received for each flow in a certain status.
ip session tcp-state-inspection-enable | Enables the TCP status tracing function.
ip session track-state-strictly | Configures packet threshold for flows in various states.
ip session tcp-loose | Enables the loose TCP status transition check function.

Disabling Transparent Transmission of Packets When the Flow Table Is Full

Networking Requirements

 For some special services such as network address translation (NAT) applied on wireless products, the FPM should
not allow the transparent transmission of packets without flow establishment.

Notes

 Currently this function is available on wireless products only.

 By default, packets can be transparently transmitted without flow establishment when the flow table is full.

Configuration Steps

 Optional configuration.

 By default, packets can be transparently transmitted without flow establishment when the flow table is full. You can
use the ip session direct-trans-disable command to disable the function.

Command Syntax: ip session direct-trans-disable
Parameter Description: N/A
Defaults: Packets can be transparently transmitted without flow establishment when the flow table is full.
Command Mode: Global configuration mode
Configuration Usage: Use the no form of this command to enable the transparent transmission function.

Verification

 Use the show run command to check whether the configuration includes ip session direct-trans-disable. If no, the
transparent transmission function is enabled.

Configuration Example

Scenario: If the NAT service is required on the current wireless device, you need to disable the transparent transmission function because the NAT service does not allow the transparent transmission of IP packets without flow establishment.
Configuration Steps: Disable transparent transmission of packets without flow establishment when the flow table is full.
Ruijie# configure terminal
Ruijie(config)# ip session direct-trans-disable
Verification: Use the show run command to verify that the configuration includes ip session direct-trans-disable.

Common Errors

N/A

Configuring the Flow Entry Aging Time

Networking Requirements

 Reasonably make use of system flow table resources so as to reduce "useless" flow entries in the flow table and
meet the requirement for exchanging service data flows.

Notes

 There is a default aging time upon system initialization, which can meet practical requirements in most scenarios.
Therefore, the configuration is optional.

 Because a certain time is required before the system detects the corresponding flow, the actual aging time is slightly longer than the configured aging time.

Configuration Steps

Configuring the Aging Time

 Optional configuration.

 By default, a flow entry ages within the default aging time. If the default aging time does not meet the requirement,
you can use the ip session timeout command to change it. The longer the aging time, the longer the time-to-live
(TTL) of the flow entry.

 Perform this configuration on the corresponding forwarding device.

Command Syntax: ip session timeout { icmp-closed | icmp-connected | icmp-started | rawip-closed | rawip-connected | rawip-established | rawip-started | tcp-close-wait | tcp-closed | tcp-established | tcp-fin-wait1 | tcp-fin-wait2 | tcp-syn-receive | tcp-syn-sent | tcp-syn-sent2 | tcp-time-wait | udp-closed | udp-started | udp-connected | udp-established } { num }
Parameter Description:
icmp-closed: Sets the aging time of ICMP flows in closed status, which is 10 seconds by default and ranges from 5 to 60.
icmp-connected: Sets the aging time of ICMP flows in connected status, which is 10 seconds by default and ranges from 5 to 120.
icmp-started: Sets the aging time of ICMP flows in started status, which is 10 seconds by default and ranges from 5 to 120.
rawip-closed: Sets the aging time of RAWIP flows in closed status, which is 10 seconds by default and ranges from 5 to 60.
rawip-connected: Sets the aging time of RAWIP flows in connected status, which is 300 seconds by default and ranges from 10 to 300.
rawip-established: Sets the aging time of RAWIP flows in established status, which is 300 seconds by default and ranges from 10 to 600.
rawip-started: Sets the aging time of RAWIP flows in started status, which is 300 seconds by default and ranges from 10 to 300.
tcp-close-wait: Sets the aging time of TCP flows in tcp-close-wait status, which is 60 seconds by default and ranges from 10 to 120.
tcp-closed: Sets the aging time of TCP flows in tcp-closed status, which is 10 seconds by default and ranges from 5 to 20.
tcp-established: Sets the aging time of TCP flows in tcp-established status, which is 1,800 seconds by default and ranges from 300 to 604,800.
tcp-fin-wait1: Sets the aging time of TCP flows in tcp-fin-wait1 status, which is 60 seconds by default and ranges from 10 to 120.
tcp-fin-wait2: Sets the aging time of TCP flows in tcp-fin-wait2 status, which is 60 seconds by default and ranges from 10 to 120.
tcp-syn-sent: Sets the aging time of TCP flows in tcp-syn-sent status, which is 10 seconds by default and ranges from 5 to 30.
tcp-syn-sent2: Sets the aging time of TCP flows in tcp-syn-sent2 status, which is 10 seconds by default and ranges from 5 to 30.
tcp-syn-receive: Sets the aging time of TCP flows in tcp-syn-receive status, which is 10 seconds by default and ranges from 5 to 30.
tcp-time-wait: Sets the aging time of TCP flows in tcp-time-wait status, which is 10 seconds by default and ranges from 5 to 60.
udp-closed: Sets the aging time of UDP flows in closed status, which is 10 seconds by default and ranges from 5 to 60.
udp-connected: Sets the aging time of UDP flows in connected status, which is 30 seconds by default and ranges from 10 to 300.
udp-established: Sets the aging time of UDP flows in established status, which is 600 seconds by default and ranges from 120 to 600.
udp-started: Sets the aging time of UDP flows in started status, which is 10 seconds by default and ranges from 10 to 300.
num: Sets the aging time.
Defaults: Default values apply.
Command Mode: Global configuration mode
Configuration Usage: Use the no form of the commands to restore the default aging time.

Verification

 Use the show run command to check whether the configuration includes ip session timeout. If no, the default
aging time applies.

Configuration Example

Scenario: If there are a large number of UDP-established flows which occupy a great deal of space in the flow table on the current forwarding device, you can shorten the aging time of the UDP-established flows to improve aging efficiency.
Configuration Steps: The current forwarding device is a FW card located in slot 2 of device 1. Set the aging time of flows in udp-established status to 120 seconds.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 timeout udp-established 120
Verification: Check the aging time of flows in udp-established status on the device in slot 2 of device 1. The aging time should be 120 seconds.
Use the show run command to verify that the configuration contains the following item:
ip session 1 2 timeout udp-established 120
This indicates that the aging time is 120 seconds.

Common Errors

Configuring the Number of Packets Permitted in a Flow

Networking Requirements

 An attacker may send a large number of packets of a certain type to wage a traffic attack, in which case other types
of packets cannot be processed in time. You can configure the number of packets permitted in a flow in a certain
status, so as to solve this problem and meet the requirement for exchanging service data flows.

Notes

 There is a default packet count upon system initialization, which can meet practical requirements in most scenarios.
Therefore, the configuration is optional.

 The check function here is disabled by default. To enable the check function, you need to configure packet threshold
check for flows in various states first.

Configuration Steps

 Optional configuration.

 By default, a flow is judged according to the default number of packets permitted to pass in the flow. If the default number of packets permitted to pass does not meet the requirement, you can use the ip session threshold command to change the number of packets allowed to pass in the corresponding flow. The greater the value, the more packets are permitted to pass in the flow.

 Perform this configuration on each forwarding device as necessary.

Command Syntax: ip session threshold { icmp-closed | icmp-started | rawip-closed | tcp-syn-sent | tcp-syn-receive | tcp-closed | udp-closed } { num }
Parameter Description:
icmp-closed: Sets the number of packets permitted to pass in each ICMP flow in closed status, which is 10 by default and ranges from 1 to 2,000,000,000.
icmp-started: Sets the number of packets permitted to pass in each ICMP flow in started status, which is 300 by default and ranges from 5 to 2,000,000,000.
rawip-closed: Sets the number of packets permitted to pass in each RAWIP flow in closed status, which is 10 by default and ranges from 1 to 2,000,000,000.
tcp-syn-sent: Sets the number of packets permitted to pass in each TCP flow in syn-sent status, which is 10 by default and ranges from 10 to 2,000,000,000.
tcp-syn-receive: Sets the number of packets permitted to pass in each TCP flow in syn-receive status, which is 20 by default and ranges from 5 to 2,000,000,000.
tcp-closed: Sets the number of packets permitted to pass in each TCP flow in closed status, which is 20 by default and ranges from 5 to 2,000,000,000.
udp-closed: Sets the number of packets permitted to pass in each UDP flow in closed status, which is 10 by default and ranges from 1 to 2,000,000,000.
num: Sets the number of packets permitted to pass.
Command Mode: Global configuration mode
Configuration Usage: Use the no form of the command to restore the default number of packets permitted to pass.

Verification

 Use the show run command to check whether the configuration includes ip session threshold. If no, the default
values about the number of packets permitted to pass apply.

Configuration Example

Scenario: When a large number of ping packets exist on a network, a flooding attack probably occurs. You can configure the number of packets permitted to pass in each ICMP flow in icmp-started status, so as to deny such ping packets.
Configuration Steps: The current forwarding device is a FW card located in slot 2 of device 1. Set the number of packets permitted to pass in each ICMP flow in icmp-started status to 10.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 threshold icmp-started 10
Verification: On the device in slot 2 of device 1, check configuration information about the number of packets permitted to pass in each ICMP flow in icmp-started status. The number should be 10.
Use the show run command to verify that the configuration contains the following item:
ip session 1 2 threshold icmp-started 10
This indicates that the number of packets permitted to pass in each ICMP flow in icmp-started status is 10.

Common Errors

Enabling the TCP Status Tracing Function

Networking Requirements

 The TCP status tracing function needs to be enabled on corresponding wireless products.

Notes

 By default, the TCP status tracing function is disabled on wireless products.

Configuration Steps

 Optional configuration.

 By default, the TCP status tracing function is disabled on wireless products. You can use the ip session
tcp-state-inspection-enable command to enable the TCP status tracing function.

Command Syntax: ip session tcp-state-inspection-enable
Parameter Description: N/A
Defaults: The TCP status tracing function is disabled.
Command Mode: Global configuration mode
Configuration Usage: Use the no form of this command to restore the TCP status tracing function to the default.

Verification

 Use the show run command to check whether the configuration includes ip session tcp-state-inspection-enable.
If not, the TCP status tracing function is disabled.

Configuration Example

Scenario The TCP status tracing function needs to be enabled on the current wireless forwarding device.
Configuration Steps Enable the TCP status tracing function on the device.
Ruijie# configure terminal
Ruijie(config)# ip session tcp-state-inspection-enable

Verification Use the show run command to verify that the configuration includes ip session
tcp-state-inspection-enable.

Common Errors

Configuring Packet Threshold Check for Flows in Various States

Networking Requirements

 Perform this configuration to enable the packet threshold check function and disable the current flow when packets
are unreachable.

Notes

Configuration Steps

 Optional configuration.

 You can use the ip session track-state-strictly command to enable the strict packet status tracing function.

 The packet threshold check function needs to be enabled in scenarios such as attacks that use a particular type of
packet.

Command Syntax ip session track-state-strictly
Parameter Description N/A
Defaults The strict packet status tracing function is disabled.
Command Mode Global configuration mode
Configuration Usage Use the no form of this command to restore the default configuration.

Verification

 Use the show run command to check whether the configuration includes ip session track-state-strictly. If not, the
strict packet status tracing function is disabled.

Configuration Example

Scenario If ICMP flooding attacks occur in the current network environment, packet threshold check is needed.
In this case, perform this configuration to enable the packet threshold check function.
Configuration Steps The current forwarding device is an FW card located in slot 2 of device 1. Enable the strict packet
status tracing function on the forwarding device.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 track-state-strictly

Verification Use the show run command to verify that the configuration includes ip session track-state-strictly.

Common Errors

Configuring Loose TCP Status Check

Networking Requirements

 A flow can be directly established with only ACK packets.

Notes

 By default, the establishment of a flow with an ACK packet is not allowed on FW products but is enabled on EG
products.

 This configuration is optional.

Configuration Steps

 Optional configuration.

 By default, the loose TCP status check function is disabled on FW products. You can use the ip session tcp-loose
command to enable the loose TCP status check function. By default, the loose TCP status check function is enabled
on all wireless and EG products.

 The loose TCP status check function is required on the standby device in a scenario such as active/standby
switchover.

Command Syntax ip session tcp-loose
Parameter Description N/A
Command Mode Global configuration mode
Configuration Usage Use the no form of this command to restore the default configuration.

Verification

 Use the show run command to check whether the configuration includes ip session tcp-loose. If not, the loose TCP
status check function is disabled.

Configuration Example

Scenario The current forwarding device is an FW card located in slot 2 of device 1. Active/standby
switchover is required in the current environment. Perform this configuration on the backup
device.
Configuration Steps Enable the loose TCP status check function on the device in slot 2 of device 1.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 tcp-loose

Verification Use the show run command to verify that the configuration includes ip session tcp-loose.
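The following is an added Python model, not Ruijie's FPM code, of how the three settings configured in the sections above (the icmp-started packet threshold, TCP status tracing, and the loose TCP check that lets an ACK-only packet create a flow) change the per-flow forwarding decision; the state names, the per-flow counter, the helper and class names and the sample addresses are assumptions made for illustration.

```python
"""Added model (not Ruijie's FPM code) of the per-flow checks configured here:
the icmp-started packet threshold, TCP status tracing and the loose TCP check.
State names, counters and class names are assumptions made for illustration."""
from dataclasses import dataclass


@dataclass
class FpmConfig:
    icmp_started_threshold: int = 0     # ip session threshold icmp-started N (0 = no limit)
    tcp_state_inspection: bool = False  # ip session tcp-state-inspection-enable
    tcp_loose: bool = False             # ip session tcp-loose


@dataclass
class Flow:
    state: str
    packets: int = 0


def tcp(src, sport, dst, dport, *flags):
    # Constructed TCP packet record used as sample input.
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst,
            "dport": dport, "flags": flags}


def icmp(src, dst, kind="echo-request"):
    # Constructed ICMP packet record used as sample input.
    return {"proto": "icmp", "src": src, "dst": dst, "type": kind}


class FlowTable:
    def __init__(self, cfg: FpmConfig) -> None:
        self.cfg = cfg
        self.flows: dict = {}

    @staticmethod
    def _key(pkt: dict) -> tuple:
        # Direction-agnostic key so replies land on the request's entry.
        if pkt["proto"] == "icmp":
            return ("icmp",) + tuple(sorted((pkt["src"], pkt["dst"])))
        ends = sorted(((pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])))
        return ("tcp",) + tuple(ends)

    def process(self, pkt: dict) -> str:
        return self._icmp(pkt) if pkt["proto"] == "icmp" else self._tcp(pkt)

    def _icmp(self, pkt: dict) -> str:
        flow = self.flows.setdefault(self._key(pkt), Flow("icmp-started"))
        flow.packets += 1
        if pkt["type"] == "echo-reply":      # peer answered: leave icmp-started
            flow.state = "icmp-established"
        limit = self.cfg.icmp_started_threshold
        if flow.state == "icmp-started" and limit and flow.packets > limit:
            return "drop"                    # over the permitted packet count
        return "forward"

    def _tcp(self, pkt: dict) -> str:
        key, flags = self._key(pkt), set(pkt["flags"])
        if not self.cfg.tcp_state_inspection:
            # No status tracing: any packet creates a flow and is forwarded.
            self.flows.setdefault(key, Flow("untracked")).packets += 1
            return "forward"
        flow = self.flows.get(key)
        if flow is None:
            if flags == {"SYN"}:
                self.flows[key] = Flow("syn-sent", 1)
                return "forward"
            if "ACK" in flags and "SYN" not in flags and self.cfg.tcp_loose:
                # Loose check: accept a mid-stream flow (e.g. after a switchover).
                self.flows[key] = Flow("established", 1)
                return "forward"
            return "drop"                    # strict check: no flow without SYN
        flow.packets += 1
        if flags & {"RST", "FIN"}:
            del self.flows[key]
            return "forward"
        if flow.state == "syn-sent" and flags == {"SYN", "ACK"}:
            flow.state = "syn-received"
        elif flow.state == "syn-received" and "ACK" in flags:
            flow.state = "established"
        elif flow.state != "established":
            return "drop"                    # out of handshake sequence
        return "forward"


def run(cfg: FpmConfig, pkts: list) -> list:
    """Apply one configuration to a packet sequence; return the decisions."""
    table = FlowTable(cfg)
    return [table.process(p) for p in pkts]


# Constructed sample traffic: 12 echo requests, a stray ACK-only segment, a handshake.
PING_FLOOD = [icmp("10.1.1.9", "10.1.1.1") for _ in range(12)]
ACK_ONLY = [tcp("10.1.1.9", 40001, "10.1.1.1", 80, "ACK")]
HANDSHAKE = [tcp("10.1.1.9", 40002, "10.1.1.1", 80, "SYN"),
             tcp("10.1.1.1", 80, "10.1.1.9", 40002, "SYN", "ACK"),
             tcp("10.1.1.9", 40002, "10.1.1.1", 80, "ACK")]
```

With `icmp_started_threshold=10`, `run()` forwards the first ten echo requests of the flood and drops the rest; with TCP status tracing on, the ACK-only segment is dropped unless `tcp_loose` is set.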

Common Errors

Monitoring

Clearing Various Information

If you run the clear command while the device is operating, services may be interrupted because important
information is lost.

Function                                  Command
Clears counters about the IPv4 packets.   clear ip fpm counters
Clears counters about the IPv6 packets.   clear ip v6fpm counters

Displaying the Running Status

Function                                                        Command
Displays the counters about the IPv4 packets                    show ip fpm counters
Displays the counters about the IPv6 packets                    show ip v6fpm counters
Displays IPv4 packet flow information                           show ip fpm flows
Displays IPv4 packet flow information except specific IPv4      show ip fpm flows filter
packet flows
Displays IPv6 packet flow information                           show ip v6fpm flows
Displays IPv6 packet flow information except specific IPv6      show ip v6fpm flows filter
packet flows
Displays IPv4 flow statistics                                   show ip fpm statistics
Displays IPv6 flow statistics                                   show ip v6fpm statistics
RG-WLAN Series Access Point RGOS Configuration Guide,
Release 11.1(5)B6
Security Configuration

1. Configuring Web Authentication

2. Configuring AAA

3. Configuring RADIUS

4. Configuring 802.1X

5. Configuring ARP Check

6. Configuring Global IP-MAC Binding

7. Configuring DHCP Snooping

8. Configuring IP Source Guard

9. Configuring IGMP Snooping

10. Configuring ACL

11. Configuring SCC

12. Configuring Password Policy

13. Configuring SSH
Configuration Guide Configuring Web Authentication

Configuring Web Authentication

Overview

WEB authentication is a port-based authentication method that controls users' authority to access the network. Users
can perform access authentication with an ordinary browser instead of installing special client authentication software.
When an unauthenticated user accesses the network, the switch forces the user to log in to a special website, whose
services the user can access for free. When the user needs to access other information on the Internet, the user must be
authenticated by the WEB authentication server. The user can use Internet resources only after the authentication
succeeds.

If the user tries to access an external network through HTTP, the user is forced to access the WEB authentication website.
This is called forced authentication.

WEB authentication also provides convenient management functions for users: the portal website can offer
advertisements, community services and personalized services.

Basic Concepts

HTTP intercept and HTTP redirection are involved in WEB authentication.

 HTTP Intercept

HTTP intercept means that the switch intercepts HTTP packets that it would otherwise forward. These HTTP packets are
sent by the users connected to the ports of the switch. For example, when a user accesses the network through a browser
such as IE, the switch would normally forward these HTTP requests to the gateway. If the HTTP intercept function is
enabled, these packets are not forwarded.

After the HTTP intercept function is enabled, the switch directs users' HTTP connection requests to itself. As a result, a
connection session is created between the switch and the user. The switch then uses the HTTP redirection function to
push the redirection page to the user, and a page pops up in the user's browser. This page can be an authentication page
or a link for software download.

In the WEB authentication function, you can specify which HTTP packets are or are not intercepted, based on the
connected physical port, the users who send the packets and the destination port. Usually the HTTP request packets sent
by unauthenticated users are intercepted and those sent by authenticated users are not. HTTP intercept is the basis of
WEB authentication: the intercept triggers the WEB authentication.

 HTTP Redirection

According to the HTTP protocol, after a user's browser sends an HTTP GET or HEAD request, the receiving end answers
with a 200 response if it provides the resource. If it does not provide the resource, it answers with a 302 response, which
carries a new site path. After receiving the response, the user can re-send the HTTP GET or HEAD request to the new site.

HTTP redirection is an important step of WEB authentication and is performed after HTTP intercept. The HTTP
redirection function uses the 302 response of the HTTP protocol. The HTTP intercept process creates a connection
session between the switch and the user. The user sends to the switch the HTTP GET or HEAD packet that was meant
for another site. After the switch receives the packet, it sends back a 302 response containing the site path of the
redirection page. The user re-sends a request to that site path and obtains the redirection page.

Working Principle

The following figure shows the typical networking mode for WEB authentication. The networking is composed of three
basic roles: the authentication client, access switch and WEB authentication server.

Figure 1-1 Working principle of WEB authentication

 Roles of WEB authentication:

 Authentication client: It is the client system installed on the user terminal device, that is, the browser running the
HTTP protocol, which sends the HTTP request when the user accesses the Internet.
 Access device: It is usually the access layer device in the network topology, such as an L2 switch, connecting to the
user terminal device. WEB authentication is enabled on the device.
 Convergence device: It is usually the convergence layer device in the network topology, such as an L3 switch,
connecting to the access layer device. WEB authentication can also be enabled on the convergence device if the
downlink access device does not enable WEB authentication.
 WEB authentication server: It is the authentication server system that receives the authentication request sent by the
authentication client. It provides free portal services and the WEB authentication interface, and it exchanges the
client's authentication information with the access device.
 The main steps of WEB authentication:
 Before authentication, the access device intercepts all HTTP requests sent by unauthenticated users and redirects
them to the WEB authentication server. As a result, an authentication page is displayed in the user's browser.
 During authentication, the user enters authentication information such as the user name, password and check
code on the authentication page, and the information is exchanged with the authentication server to perform the
identity authentication.
 After the authentication succeeds, the WEB authentication server informs the access device that the user has
passed authentication. The access device then allows the user to access the Internet.

Usage restrictions on the WEB authentication solution:

The WEB authentication function can be enabled only on FastEthernet or GigabitEthernet ports.

If an interface is a member of an aggregation port, WEB authentication cannot be set on the interface. If an
interface on which the WEB authentication function is enabled is added to an aggregation port, the WEB
authentication function of this interface is automatically disabled and the authenticated users on this
interface are cleared. The WEB authentication configuration on this interface is also cleared at the same
time. The configuration is not automatically recovered when the interface leaves the aggregation port;
you must re-configure the function.

For users who have passed authentication, WEB authentication on the access device binds IP address + MAC
address + port. This leads to the following restrictions:

If an ACL is set on the controlled WEB authentication port, the ACL does not take effect once the IP address + MAC
address binding has passed authentication.

It cannot be used together with GSN and port security.


WEB authentication cannot be used together with the global IP address and MAC address binding function. The
globally enabled IP+MAC address binding function may cause network access to fail even though the user
authentication succeeds.

WEB authentication cannot be used together with the IP address + MAC address binding function of DHCP
Snooping.

Because of the hardware capacity of the access device, enabling ARP CHECK or the security channel may reduce
the number of available authenticated users (especially the security channel function). If both of these functions
are enabled, the hardware resources may be exhausted and WEB authentication cannot be performed. In
addition, if WEB authentication is already enabled, enabling ARP CHECK or the security channel afterwards may
fail. Hence it is not recommended to enable WEB authentication and the security channel at the same time.

When WEB authentication and 802.1x authentication are used together on the access device, note the following:

If port-based 802.1x authentication and WEB authentication are enabled on the same port of the access
device, and a user on the port is authenticated by 802.1x, WEB authentication is no longer performed for other
users. If MAC-based 802.1x authentication and WEB authentication are enabled on the same port, the
authentication modes of different users do not affect each other.

If 802.1x authentication and WEB authentication are enabled on the same port of the access device, and 802.1x
authentication is performed first for a user, WEB authentication is no longer triggered for the user with the same
IP address.

The dynamic VLAN hop function of 802.1x authentication cannot be used together with WEB authentication on
the same port of the access device.

Protocols & Standards

For the functions related to HTTP redirection, refer to the HTTP 1.1 Protocol (RFC1945).

Default Configuration

The following table describes the default configurations for WEB authentication.

Features                                                                  Default Value
Set HTTP redirection address.                                             None
Set HTTP redirection homepage.                                            None
Set the key to communicate between the access device and the              None
authentication server.
Set the SNMP parameters between the access device and the                 None
authentication server.
Enable the WEB authentication on the port.                                Disabled
Set the redirected HTTP port.                                             The destination port is 80.
Set the maximum HTTP session number for each unauthenticated user.        3
Set timeout of keeping redirection connection.                            3 seconds
Set the range of network resources free for authentication.               None
Set the update interval of the online user information.                   60 seconds
Set the IP address range of the users who need no authentication.         None
Set the user offline detection mode.                                      None

Basic Features

The WEB authentication configuration is performed on the access device. Without any configuration, the WEB
authentication of the access device is in the default status, which means that WEB authentication is disabled. The WEB
authentication function can work normally only after all basic characteristics are configured. The following describes how
to configure the basic characteristics for WEB authentication.

 Setting HTTP redirection address
 Setting the homepage of the authentication page
 Setting the key to communicate between the access device and authentication server
 Setting the SNMP parameters between the access device and authentication server
 Enabling WEB authentication on the port

Setting HTTP Redirection Address


In order to use the WEB authentication function, set the IP address of HTTP redirection. When the access device detects
that an unauthenticated user tries to access the network through HTTP, the access device redirects the user's access
request to the authentication page to guide the user to initiate authentication with the authentication server.

In common cases, the authentication page is provided by the authentication server. Hence the IP address of HTTP
redirection should be the IP address of the authentication server. The redirection IP address is set as a special network
resource free of authentication: unauthenticated users can directly perform HTTP communication with this IP address.

The IP address of HTTP redirection is not set by default. Perform the following steps to set the IP address of HTTP
redirection.

Command                                         Function
Ruijie# configure terminal                      Enter the global configuration mode.
Ruijie(config)# http redirect ip-address        Set the IP address of HTTP redirection.
Ruijie(config)# show http redirect              Display the configuration for HTTP redirection.

To clear the IP address of HTTP redirection, use the no http redirect command in the global configuration mode.

Configuration Examples

# Set the IP address of the authentication server to 176.10.0.1.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect 176.10.0.1
Ruijie(config)# show http redirect

The authentication server can be a comprehensive portal server, which not only provides WEB authentication but
also provides download of the SU client software. When a user needs to use 802.1x authentication to access the
Internet but the SU client software is not installed, the user can be redirected to the comprehensive portal server
when accessing the Internet through a browser. After downloading and installing the SU client software, the user
can pass 802.1x authentication and access the Internet. This configuration is required when configuring the
automatic client acquisition.

Setting HTTP Redirection Homepage


In order to use the WEB authentication function normally, set the HTTP redirection homepage, that is, the authentication
page (or comprehensive portal homepage). When WEB authentication is performed for a user, the WEB authentication
page is displayed for the user to perform WEB authentication.

HTTP redirection homepage is not set by default. Perform the following steps to set HTTP redirection homepage URL.

Command                                               Function
Ruijie# configure terminal                            Enter the global configuration mode.
Ruijie(config)# http redirect homepage url-string     Set the homepage URL of the authentication page. url-string
                                                      begins with http:// or https://, is not case sensitive, and
                                                      has a maximum length of 255 characters.
Ruijie(config)# show http redirect                    Display the configuration for HTTP redirection.

To clear the homepage address of the authentication page, use the no http redirect homepage command in the global
configuration mode.

Configuration Examples

# Set the homepage of the authentication page to http://www.WEB-auth.net/login.html.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect homepage http://www.WEB-auth.net/login.html
Ruijie(config)# show http redirect

The homepage address can be that of a comprehensive portal server, which not only provides WEB authentication
but also provides download of the SU client software. When a user needs to pass 802.1x authentication to access
the Internet but the SU client software is not installed, the user can be redirected to the comprehensive portal
server when accessing the Internet through a browser. After downloading and installing the SU client software,
the user can pass 802.1x authentication and access the Internet.

This configuration is required when configuring the automatic client acquisition.

If a user enters the homepage address of the server directly in the browser address bar, the user can access
the homepage or download resources from the page without redirection. Because no redirection is performed,
the switch has no information about the user and the necessary security parameters are not exchanged
between the switch and the authentication server, so the authentication for the user may fail. To be
authenticated, users should not access the homepage of the server directly.

Setting the Communication Key between the Access Device and Authentication Server

In order to use the WEB authentication function normally, set the communication key between the switch and the
authentication server. When the switch detects that an unauthenticated user tries to access the network, the switch
redirects the user's access request to display the authentication page, guiding the user to initiate authentication with the
authentication server. During authentication, the key shared between the access device and the authentication server is
used to encrypt some data to enhance security.

No key is set by default when the access device communicates with the authentication server. Perform the following steps
to set the key.

Command                                         Function
Ruijie# configure terminal                      Enter the global configuration mode.
Ruijie(config)# WEB-auth portal key key-string  Set the key for communication between the switch and the
                                                authentication server. The maximum length of the key is 255
                                                characters.
Ruijie(config)# show WEB-auth                   Display the global configuration and statistics for WEB
                                                authentication.

To clear the key to communicate between the access device and the authentication server, use the no WEB-auth key
command in the global configuration mode.

Configuration Examples

# Set the key to communicate between the switch and authentication server to WEB-auth.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# WEB-auth portal key WEB-auth
Ruijie(config)# show WEB-auth

Setting the SNMP Parameters between the Access Device and Authentication Server

SNMP/MIB is used between the access device and the authentication server to manage authenticated users. The
authentication user table on the access device is managed through the MIB: the authentication server accesses the MIB to
obtain user statistics and to control users going online and offline. When a user goes offline, the access device sends an
SNMP-Inform message to the authentication server.

In order to use the WEB authentication function normally, set the SNMP parameters between the access device and the
authentication server. Perform the following steps.

Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# snmp-server community                Set the SNMP Community that the authentication server uses
community-string rw                                  to manage the online users on the switch.
                                                     community-string: Community character string.
                                                     rw: Set the MIB to RW, which supports read-write operation.
Ruijie(config)# snmp-server enable traps WEB-auth    Allow the switch to send WEB authentication messages
                                                     outward. The message types include Trap and Inform.
                                                     WEB-auth is the WEB authentication message.
Ruijie(config)# snmp-server host ip-address inform   Set the destination host, type, version and Community for
version 2c community-string WEB-auth                 sending the WEB authentication message.
                                                     ip-address: The IP address of the destination host, that is,
                                                     the address of the authentication server.
                                                     inform: Send messages of the SNMP-Inform type. Because the
                                                     switch sends a message to the authentication server when a
                                                     user goes offline, use SNMP-Inform rather than SNMP-Trap to
                                                     prevent message loss.
                                                     version 2c: SNMPv2 and later versions support the
                                                     SNMP-Inform type, so the version cannot be set to SNMPv1.
                                                     community-string: The Community character string used when
                                                     the SNMP-Inform is sent.
                                                     WEB-auth: Specify that the preceding parameters are used
                                                     when the WEB authentication message is sent.

For the SNMP configuration commands and other detailed information, refer to the section of SNMP Configuration.

Configuration Examples:

# Set the SNMP parameters between the access device and the authentication server (IP address: 176.10.0.1). Set the
SNMP Community to WEB-auth and set the parameters used by the SNMP-Inform message.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# snmp-server community WEB-auth rw
Ruijie(config)# snmp-server enable traps WEB-auth
Ruijie(config)# snmp-server host 176.10.0.1 inform version 2c WEB-auth WEB-auth

The SNMP communication parameters listed above are based on SNMPv2. You can use SNMPv3 for higher security
of the SNMP communication between the access device and the authentication server. For SNMPv3, the SNMP
Community is replaced by an SNMP User and the version of the SNMP-Inform is SNMPv3. Other security
parameters related to SNMPv3 must also be set. For details, refer to the related section of the SNMP
Configuration.

Enabling WEB Authentication on the Port


WEB authentication is a port-based function. The WEB authentication function is disabled on the port by default, so
users connected to the port do not perform WEB authentication.

Enable the WEB authentication function on the port, making it a controlled port for WEB authentication, by performing
the following steps.

Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# interface interface-name             Enter the port configuration mode.
Ruijie(config-if)# WEB-auth port-control             Enable WEB authentication on the port.
Ruijie(config-if)# show WEB-auth port-control        Display the WEB authentication information on the port.

To disable WEB authentication, use the no WEB-auth port-control command in the interface configuration mode.

Configuration examples:

# Enable WEB authentication on the port FastEthernet 0/14.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# interface FastEthernet 0/14
Ruijie(config-if-FastEthernet 0/14)# WEB-auth port-control
Ruijie(config-if-FastEthernet 0/14)# show WEB-auth port-control

Configuration

Configuring the Optional Characteristics for WEB Authentication


Apart from the basic characteristics of WEB authentication, the other items are optional, although some of them may be
mandatory for special applications. If the optional items are not configured manually, their default values are used.
The following describes how to configure the optional characteristics for WEB authentication.

 Setting the redirection HTTP ports
 Setting the maximum HTTP session number for each unauthenticated user
 Setting timeout of holding the redirection connection
 Setting the range of network resources free for authentication
 Setting the update interval of the online user information
 Setting the IP address range of the users without requiring the authentication
 Setting the user offline detection mode
 Setting the URL format of redirect packets

Setting the Redirection HTTP Ports

When a user accesses network resources, for example by using a browser to access the Internet, the user sends HTTP
packets. The switch intercepts these HTTP packets to determine that the user is accessing network resources. When the
access device detects that an unauthenticated user accesses network resources, it blocks the user from accessing them
and displays an authentication page for the user.

By default, the switch intercepts the HTTP packets that the user sends to port 80 to detect whether the user accesses
network resources.

To have the access device also intercept HTTP packets that users send to a specific port number, perform the following
steps.

Command                                         Function
Ruijie# configure terminal                      Enter the global configuration mode.
Ruijie(config)# http redirect port port-num     Set the redirection of the HTTP requests sent by users to the
                                                specified destination port. A maximum of 10 destination port
                                                numbers can be configured, including port number 80.
Ruijie(config)# show http redirect              Display the configuration for HTTP redirection.

To cancel the redirection of the HTTP requests sent by users to a specified destination port, use the no http redirect port
port-num command in the global configuration mode.

Configuration examples:

# Set redirection of the HTTP requests sent by users to the specified destination port number 8080.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect port 8080
Ruijie(config)# show http redirect

# Cancel redirection of the HTTP requests sent by users to the specified destination port number 80.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# no http redirect port 80
Ruijie(config)# show http redirect

When configuring the automatic client acquisition, this configuration is required if you want the access device to
intercept the HTTP packets with a specified port number sent by the users.

The management protocol ports commonly used on the access device (for example, port numbers 22, 23 and 53)
and the ports reserved inside the system cannot be set as redirection ports. In practice, HTTP seldom uses a port
number smaller than 1000 other than port 80. To avoid conflicts with well-known TCP ports, do not set a port
with a small port number as the redirection port unless necessary.

Setting the Maximum HTTP Session Number for Each Unauthenticated User

When an unauthenticated user accesses network resources, the user PC sends HTTP session connection requests. The
access device intercepts these HTTP packets and, through redirection, asks the user to perform WEB authentication. To
prevent an unauthenticated user from initiating excessive HTTP connection requests and to save resources of the access
device, the access device limits the maximum HTTP session number of each unauthenticated user.

Authentication of a user occupies one HTTP session, while other applications of the user may also occupy HTTP
sessions. Hence it is not recommended to set the maximum HTTP session number of an unauthenticated user to 1. The
value is 3 by default.

Perform the following steps to modify the maximum HTTP session number of an unauthenticated user.

Command                                                  Function
Ruijie# configure terminal                               Enter the global configuration mode.
Ruijie(config)# http redirect session-limit session-num  Set the maximum HTTP session number of each
                                                         unauthenticated user to session-num, ranging from 1 to 10.
Ruijie(config)# show http redirect                       Display the configuration for HTTP redirection.

To restore the maximum HTTP session number of an unauthenticated user to 3, use the no http redirect session-limit
command in the global configuration mode.

Configuration examples:

# Set the maximum HTTP session number of an unauthenticated user to 4.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect session-limit 4
Ruijie(config)# show http redirect

When the WEB authentication page frequently fails to be displayed for a user, the maximum HTTP session number
may be the limiting factor. In this case, it is recommended that the user shut down some applications that may
occupy HTTP sessions and then perform WEB authentication.

This configuration is required when configuring the automatic client acquisition.

Setting Timeout of Holding Redirection Connection

This setting limits how long the access device keeps an intercepted redirection connection open. When an
unauthenticated user accesses network resources through HTTP, the TCP connection request is intercepted and the TCP
connection is completed with the access device. The access device then waits for the user's HTTP GET/HEAD request,
answers it with the HTTP redirection packet and closes the connection. The timeout prevents a user that never sends a
GET/HEAD from holding the TCP connection, and the device resources behind it, for a long time. The timeout is 3 seconds
by default.

Perform the following steps to modify the timeout of holding redirection connection.

Command                                              Function
Ruijie# configure terminal                           Enter the global configuration mode.
Ruijie(config)# http redirect timeout seconds        Set the timeout of holding the redirection connection to seconds,
                                                     ranging from 1 to 10.
Ruijie(config)# show http redirect                   Display the configuration for HTTP redirection.

In order to recover the timeout of holding redirection connection to 3 seconds, use the no http redirect timeout command
in the global configuration mode.

Configuration example:

# Set the timeout of holding the redirection connection to 4 seconds.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect timeout 4
Ruijie(config)# show http redirect

This configuration is required when configuring the automatic client acquisition.
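The session-limit and timeout settings above are easiest to understand from the device's side of the TCP connection. The following Python script is an added example, not code from this guide or from Ruijie: it models an access device that intercepts an unauthenticated client's HTTP connections on a loopback port, refuses a new connection once that client already holds session-limit open sessions, drops a connection on which no GET/HEAD arrives within timeout seconds, and otherwise answers a 302 to the configured homepage with the requested URL appended as a url query parameter. The query parameter name and the reply body are assumptions; on a real device the redirect URL format is selected with the fmt command described later in this chapter.

```python
"""Model of an access device's HTTP redirection for unauthenticated users.

Added example, not Ruijie code. The three knobs below follow the CLI keywords
http redirect homepage / session-limit / timeout; the reply format is assumed.
"""
import socket
import threading
from collections import defaultdict
from urllib.parse import quote


class RedirectConfig:
    def __init__(self, homepage, session_limit=3, timeout=3.0):
        self.homepage = homepage            # http redirect homepage <url>
        self.session_limit = session_limit  # http redirect session-limit <1-10>
        self.timeout = timeout              # http redirect timeout <1-10> seconds


def build_redirect(cfg, request):
    """Parse the start of an intercepted request; return (outcome, reply bytes).

    Only GET/HEAD is answered, with a 302 to the homepage that carries the
    originally requested URL so the portal can send the user back afterwards.
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0] not in ("GET", "HEAD"):
        return "ignored", b""
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    target = parts[1]
    original = target if target.startswith("http") else "http://" + host + target
    location = cfg.homepage + "?url=" + quote(original, safe="")
    reply = ("HTTP/1.1 302 Found\r\nLocation: " + location +
             "\r\nConnection: close\r\nContent-Length: 0\r\n\r\n").encode("ascii")
    return "redirected", reply


class Redirector:
    """Accepts intercepted TCP connections and applies the per-client limits."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.sessions = defaultdict(int)  # client IP -> open unauthenticated sessions
        self.lock = threading.Lock()
        self.outcomes = []                # what happened to each connection, in order
        self.sock = None

    def start(self):
        """Listen on an ephemeral loopback port; return the port number."""
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(16)
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self.sock.getsockname()[1]

    def stop(self):
        self.sock.close()

    def _accept_loop(self):
        while True:
            try:
                conn, (ip, _port) = self.sock.accept()
            except OSError:               # listening socket closed by stop()
                return
            with self.lock:
                over_limit = self.sessions[ip] >= self.cfg.session_limit
                if not over_limit:
                    self.sessions[ip] += 1
            if over_limit:
                # The client already holds session-limit connections: drop this one
                # so a single PC cannot exhaust the device's redirect resources.
                conn.close()
                self.outcomes.append("limit")
                continue
            threading.Thread(target=self._session, args=(conn, ip), daemon=True).start()

    def _session(self, conn, ip):
        conn.settimeout(self.cfg.timeout)
        outcome = "timeout"
        try:
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = conn.recv(4096)
                if not chunk:
                    outcome = "closed"
                    return
                data += chunk
            outcome, reply = build_redirect(self.cfg, data)
            if reply:
                conn.sendall(reply)
        except socket.timeout:
            outcome = "timeout"           # no GET/HEAD in time: free the connection
        finally:
            conn.close()
            with self.lock:
                self.sessions[ip] -= 1
            self.outcomes.append(outcome)


if __name__ == "__main__":
    port = Redirector(RedirectConfig("http://192.168.3.1/WEBportal/index.jsp")).start()
    print("redirector on 127.0.0.1:%d (try: curl -v http://127.0.0.1:%d/)" % (port, port))
    threading.Event().wait()
```

The refusal of the over-limit connection is deliberately done in the accept loop rather than in the per-connection thread, so the count can never be raced past the limit; the same ordering matters on a real device, which is why the guide warns that background applications holding sessions can starve the browser's own connection.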



Setting the Range of Network Resources Free for Authentication

When WEB authentication or 802.1x authentication is enabled on a port, users must pass that authentication before they
can access network resources. To let unauthenticated users reach selected resources, configure those resources as free
for authentication with the commands below. Once a resource is free for authentication, all users, including
unauthenticated ones, can access it. By default no resource is free for authentication, so unauthenticated users cannot
reach anything that is not explicitly exempted.

Perform the following steps to set the network resources free for authentication.

Command                                                           Function
Ruijie# configure terminal                                        Enter the global configuration mode.
Ruijie(config)# http redirect direct-site ip-address              Set a network resource free for authentication; up to 50
    [ ip-mask ] [ arp ]                                           entries. If the ARP Check function is enabled on the switch,
                                                                  add the arp keyword so that an ARP binding is installed for
                                                                  the exempted resource.
Ruijie(config)# show http redirect                                Display the configuration for HTTP redirection.

To cancel the network resources that are set free for authentication, use the no http redirect direct-site ip-address
[ ip-mask ] [ arp ] command in the global configuration mode.

Configuration example:

# Set the campus network 172.16.0.0/16, which hosts a free website, as a network resource free for authentication.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect direct-site 172.16.0.0 255.255.0.0
Ruijie(config)# show http redirect

Network resources free for authentication and the unauthenticated users exempted with WEB-auth direct-host share
one set of hardware entries on the device; together they may not exceed 50. The number actually available may be
lower because other security functions also occupy entries. To cover more addresses within this limit, configure an
IP address with a mask instead of individual hosts.

When ARP Check is enabled, set the gateway that connects the L2 switch to the PC as a network resource free for
authentication, with the arp keyword.

This configuration is required when configuring the automatic client acquisition.



The http redirect direct-site command configures an address that may be accessed without authentication, while the
http redirect command configures the address of the web authentication server. Both addresses are reachable without
authentication, but the two commands serve different purposes, so do not use http redirect direct-site for the web
authentication server's address; doing so invites confusion about which role the address has.

Precautions when configuring automatic client acquisition: a resource set free for authentication takes effect on an
802.1x controlled port only after the global client download function is enabled. The exemption is not affected by GSN
or ACLs, that is, an IP address free for authentication can be neither blocked by GSN nor filtered by an ACL. On S29
series switches an ARP binding is always installed, so the arp keyword has no additional effect there (it is added
automatically even when it is not specified).

Setting the Update Interval of the Online User Information

The access device maintains information about online users and refreshes it periodically, including each user's online
time, to monitor the network resources used by online users. For example, when a user's online time reaches or exceeds
the online time limit, the user is blocked from using network resources. By default the access device refreshes the
online user information once every 60 seconds.

Perform the following steps to modify the update interval of the online user information.

Command                                               Function
Ruijie# configure terminal                            Enter the global configuration mode.
Ruijie(config)# WEB-auth update-interval seconds      Set the update interval of the online user information to seconds,
                                                      ranging from 30 to 3600 seconds.
Ruijie(config)# show WEB-auth                         Display the global configuration and statistics for WEB
                                                      authentication.

To recover the update interval of the online user information to 60 seconds, use the no WEB-auth update-interval
command in the global configuration mode.

Configuration example:

# Set the update interval of the online user information to 30 seconds.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# WEB-auth update-interval 30
Ruijie(config)# show WEB-auth

Setting the IP Address Range of the Unauthenticated Users

A user whose IP address falls in a configured range can access all reachable network resources without WEB
authentication. No such range is configured by default, so every user must pass WEB authentication before accessing
network resources.

Perform the following steps to set unauthenticated users.

Command                                                           Function
Ruijie# configure terminal                                        Enter the global configuration mode.
Ruijie(config)# WEB-auth direct-host ip-address [ ip-mask ]       Set users exempt from authentication; up to 50 entries.
    [ port interface-name ] [ arp ]                               If port is given, the user IP address is bound to that port
                                                                  of the access device. If the ARP Check function is enabled
                                                                  on the switch, add the arp keyword so that an ARP binding
                                                                  is installed for the exempted user IP address.
Ruijie(config)# show WEB-auth                                     Display the global configuration and statistics for WEB
                                                                  authentication.

To cancel the unauthenticated user, use the no WEB-auth direct-host ip-address [ip-mask] command in the global
configuration mode.

Configuration example:

# Set the user with IP address 176.10.0.1 as a user exempt from authentication.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# WEB-auth direct-host 176.10.0.1
Ruijie(config)# show WEB-auth

The exemption takes effect only on ports controlled by WEB authentication; in all other cases the setting has no effect.
It is not affected by GSN or ACLs: the exempted user's IP address can be neither blocked by GSN nor filtered by an ACL.
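The direct-site and direct-host sections above, together with the earlier notes on DHCP, DNS and ARP, describe a small forwarding policy for unauthenticated clients. The following Python module is an added example, not Ruijie code: it models that policy for packets represented as constructed dictionaries, returning permit, redirect or drop. The 50-entry cap and the arp keyword follow the text; the evaluation order, the treatment of ARP (allowed only towards an exempted address configured with arp, normally the gateway) and the DHCP/DNS port list are assumptions made for the model.

```python
"""What an unauthenticated client may do on a web-auth port.

Added example, not Ruijie code: a policy model of the direct-site,
direct-host and redirect-port rules. Packets are dicts constructed by the
caller; the ARP rule and the 50-entry cap follow the guide, the evaluation
order is an assumption.
"""
import ipaddress

MAX_EXEMPT_ENTRIES = 50   # direct-site + direct-host entries share one hardware table


class WebAuthPolicy:
    def __init__(self, redirect_ports=(80,)):
        self.redirect_ports = set(redirect_ports)  # http redirect port <n>
        self.direct_sites = []   # [(network, arp_bound)]        http redirect direct-site
        self.direct_hosts = []   # [(network, port, arp_bound)]  WEB-auth direct-host
        self.authenticated = set()

    def _check_capacity(self):
        if len(self.direct_sites) + len(self.direct_hosts) >= MAX_EXEMPT_ENTRIES:
            raise ValueError("no free authentication-exempt entries (limit %d); "
                             "use an address plus mask instead" % MAX_EXEMPT_ENTRIES)

    def add_direct_site(self, ip, mask="255.255.255.255", arp=False):
        """Destination exempt for everyone (portal server, gateway, public website)."""
        self._check_capacity()
        self.direct_sites.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), arp))

    def add_direct_host(self, ip, mask="255.255.255.255", port=None, arp=False):
        """Source exempt from authentication, optionally only on one access port."""
        self._check_capacity()
        self.direct_hosts.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False), port, arp))

    def mark_authenticated(self, ip):
        self.authenticated.add(ipaddress.ip_address(ip))

    def decide(self, pkt):
        """Return 'permit', 'redirect' or 'drop' for one packet.

        pkt keys: src, dst (dotted IPs), proto ('tcp', 'udp' or 'arp'), and
        optionally dport and in_port (the access port the packet arrived on).
        """
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src in self.authenticated:
            return "permit"
        # direct-host: the source needs no authentication, but a port binding
        # means the exemption holds only on that port.
        for net, port, _arp in self.direct_hosts:
            if src in net and (port is None or port == pkt.get("in_port")):
                return "permit"
        # DHCP and DNS pass before authentication so the client can obtain an
        # address and resolve the portal's name.
        if pkt["proto"] == "udp" and pkt.get("dport") in (53, 67):
            return "permit"
        if pkt["proto"] == "arp":
            # ARP is allowed only towards an exempt address configured with the
            # arp keyword (normally the gateway); this is exactly the window for
            # the ARP spoofing the configuration tips warn about.
            return "permit" if any(arp and dst in net for net, arp in self.direct_sites) else "drop"
        # direct-site: anyone may reach these destinations.
        if any(dst in net for net, _arp in self.direct_sites):
            return "permit"
        # Everything else: HTTP on a redirect port is intercepted and sent to the
        # portal, all other traffic is dropped.
        if pkt["proto"] == "tcp" and pkt.get("dport") in self.redirect_ports:
            return "redirect"
        return "drop"
```

Two checks worth running against a new deployment fall out of the model: HTTPS from an unauthenticated client is dropped rather than redirected unless 443 is a redirect port, and a direct-host entry bound to one port silently stops exempting that user if the PC is moved to another port.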

Setting the User Offline Detection Mode

This mode decides whether a user is offline from traffic: if the user's traffic does not increase within 15 minutes, the
user is considered offline. It is only a supplement to the other detection modes and can produce false detections, for
example for a user who is connected but idle.

You can detect whether a user is offline in the following three ways:

 The user clicks Offline on the authentication page.
 Link-based detection: when the switch detects that the user port goes LinkDown and does not come back LinkUp
within 1 minute, the user is considered offline.
 Traffic-based detection: if the user's traffic does not increase within 15 minutes, the user is considered offline.

The first two modes are always active; the traffic-based mode is optional and is disabled by default.

Perform the following steps to enable the traffic-based offline detection mode.

Command                                               Function
Ruijie# configure terminal                            Enter the global configuration mode.
Ruijie(config)# WEB-auth offline-detect-mode flow     Enable the traffic-based mode for detecting whether a user is
                                                      offline.
Ruijie(config)# show WEB-auth                         Display the global configuration and statistics for WEB
                                                      authentication.

In order to disable the user traffic based mode to detect whether the user is offline, use the no WEB-auth
offline-detect-mode flow command in the global configuration mode.

Configuration example:

# Enable the traffic-based mode for detecting whether a user is offline.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# WEB-auth offline-detect-mode flow
Ruijie(config)# show WEB-auth
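The update interval and the traffic-based offline detection described above both act on the same online-user table, and their interaction (Time Used is only refreshed once per interval, and an idle user is only detected at a refresh) is clearer in code. The following Python module is an added example, not Ruijie code: it keeps a table of online users, refreshes it no more often than the configured update interval, blocks users whose online time reaches their limit, and, when flow detection is enabled, takes a user offline whose cumulative byte counter has not grown for 15 minutes. The 30 to 3600 second interval range and the 15-minute window are the figures in the guide; the data structure, the byte counters passed in by the caller and the output layout are assumptions.

```python
"""Online-user bookkeeping for web-auth users: periodic refresh
(WEB-auth update-interval), time-limit enforcement and the optional
traffic-based offline detection (WEB-auth offline-detect-mode flow).

Added example, not Ruijie code. The 30..3600 s interval range and the
15-minute idle window are the figures in the guide; the data structure,
the counters and the output layout are assumptions.
"""
from dataclasses import dataclass

FLOW_IDLE_SECONDS = 15 * 60   # no traffic growth for this long => user considered offline


def fmt_duration(seconds):
    """Render seconds the way show WEB-auth user does, e.g. 910 -> '0d 00:15:10'."""
    days, rest = divmod(int(seconds), 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    return "%dd %02d:%02d:%02d" % (days, hours, minutes, secs)


@dataclass
class OnlineUser:
    address: str
    time_start: float         # when authentication succeeded (epoch seconds)
    time_limit: int = 0       # seconds allowed online, 0 = unlimited
    time_used: int = 0
    status: str = "Active"    # Active, or Destroy once taken offline
    last_bytes: int = 0       # cumulative byte counter at the last refresh
    last_growth: float = 0.0  # last refresh at which the counter increased


class UserTable:
    def __init__(self, update_interval=60, flow_detect=False):
        if not 30 <= update_interval <= 3600:
            raise ValueError("update-interval must be between 30 and 3600 seconds")
        self.update_interval = update_interval
        self.flow_detect = flow_detect
        self.users = {}
        self.last_update = None

    def add(self, address, now, time_limit=0):
        self.users[address] = OnlineUser(address, now, time_limit, last_growth=now)

    def is_online(self, address):
        u = self.users.get(address)
        return u is not None and u.status == "Active"

    def update(self, now, byte_counters):
        """Refresh all users if an update-interval has elapsed.

        byte_counters maps address -> cumulative bytes seen from that user (on a
        real device these come from hardware counters; here the caller constructs
        them). Returns [(address, reason)] for users taken offline in this pass.
        """
        if self.last_update is not None and now - self.last_update < self.update_interval:
            return []   # nothing happens between refreshes: Time Used is that coarse
        self.last_update = now
        gone = []
        for u in self.users.values():
            if u.status != "Active":
                continue
            u.time_used = int(now - u.time_start)
            counted = byte_counters.get(u.address, u.last_bytes)
            if counted > u.last_bytes:
                u.last_bytes, u.last_growth = counted, now
            if u.time_limit and u.time_used >= u.time_limit:
                u.status = "Destroy"          # online time exhausted: block the user
                gone.append((u.address, "time-limit"))
            elif self.flow_detect and now - u.last_growth >= FLOW_IDLE_SECONDS:
                u.status = "Destroy"          # silent for 15 minutes: treat as offline
                gone.append((u.address, "idle"))
        return gone

    def render(self):
        """Rows in the layout of show WEB-auth user."""
        active = sum(1 for u in self.users.values() if u.status == "Active")
        rows = ["Current user num : %d" % active,
                "Address          Online  Time Limit    Time Used     Status"]
        for u in self.users.values():
            rows.append("%-16s %-7s %-13s %-13s %s" % (
                u.address, "On" if u.status == "Active" else "Off",
                fmt_duration(u.time_limit) if u.time_limit else "0",
                fmt_duration(u.time_used), u.status))
        return rows
```

Because the idle check only runs at a refresh, a user is detected offline between 15 minutes and 15 minutes plus one update interval after the last byte; a longer update interval therefore lengthens the window in which a departed user's session, and any entitlement tied to it, stays alive.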

Setting the VLAN-based Web Authentication

In this deployment the convergence-layer device is connected to the access device (a layer-2 device) over a TRUNK
link, and the user PC is connected to the access device. Web authentication is enabled on the convergence device
together with a list of VLANs in which authentication is allowed. A user whose VLAN is in the list can be
authenticated; users in other VLANs are rejected. The user's IP address, MAC address and VLAN ID can be bound
together.

To enable VLAN-based Web authentication and configure the list of allowed VLANs, execute the following steps:

Command                                          Function
Ruijie# configure terminal                       Enter the global configuration mode.
Ruijie(config)# web-auth allow-vlan list         Enable VLAN-based web authentication for the listed VLANs.
Ruijie(config)# show web-auth allow-vlan         Display the list of VLANs supporting VLAN-based Web authentication.

To disable VLAN-based Web authentication, execute "no web-auth allow-vlan" in global configuration mode.

Configuration example:

# Configure VLANs 1, 2, 3 and 5 as VLANs in which authentication is allowed.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# web-auth allow-vlan 1-3,5
Ruijie(config)# show web-auth allow-vlan

Preconditions for VLAN-based web authentication to take effect:

 The feature is supported only when web authentication is enabled on a convergence-layer device (S3250E, S3760E,
S5750, S5760E, S78 and S86 series switches).
 Web authentication must be enabled on the port that connects the convergence-layer device to the downlink
access-layer device.
 That port must operate in TRUNK mode.

Setting the URL Format of Redirect Packets

Use these commands to set or remove the URL format of redirect packets in template configuration mode.

Command                                                            Function
fmt { ace | ruijie | custom }                                      Sets the URL format of redirect packets.
fmt custom [ encry { md5 | des | des_ecb | des_ecb3 | none } ]     Sets the custom format of redirect packets.
    [ user-ip userip-str ] [ user-mac usermac-str ]
    [ user-vid uservid-str ] [ user-id userid-str ]
    [ nas-ip nasip-str ] [ nas-id nasid-str ] [ nas-id2 nasid2-str ]
    [ ac-name acname-str ] [ ap-mac apmac-str ] [ url url-str ]
    [ ssid ssid-str ] [ port port-str ] [ ac-serialno ac-sno-str ]
    [ ap-serialno ap-sno-str ] [ additional extern-str ]
no fmt custom [ user-ip ] [ user-mac ] [ user-vid ] [ user-id ]    Removes the configuration.
    [ nas-ip ] [ nas-id ] [ nas-id2 ] [ ac-name ] [ ap-mac ]
    [ url ] [ ssid ] [ port ] [ ac-serialno ] [ ap-serialno ]
    [ additional ]

Use this command to adjust the URL format according to the portal server. The ace parameter is only valid in
1st generation template configuration mode.

Configuring the Automatic Client Acquisition


Deploying 802.1x clients (SU, the Ruijie supplicant software) on every PC is a heavy workload for IT engineers. The
automatic client acquisition solution lets the clients be deployed quickly, saving time and labor.

When an unauthenticated user accesses the network through a browser, the user is redirected to the client download
server's page, from which the client software can be downloaded. This removes most of the client deployment effort.

The following sections describe how to configure automatic SU client acquisition in detail:

 Setting the global client download switch
 Setting the HTTP redirection address
 Setting the redirection HTTP port
 Setting the homepage address of the client download server
 Setting the maximum HTTP session number for each unauthenticated user
 Setting the timeout of holding the redirection connection
 Setting the range of network resources free for authentication

Depending on the hardware capacity of the access device, enabling ARP Check or the security channel function may
reduce the number of users that can be authenticated (the security channel function in particular). Enabling automatic
client acquisition while both functions are enabled may exhaust hardware resources in extreme cases, causing 802.1x
authentication to fail; those functions may in turn fail once 802.1x authentication is enabled. It is therefore not
recommended to enable the automatic client acquisition solution and the security channel function at the same time.

Setting the HTTP Redirection Address

To use the automatic client acquisition function, set the IP address for HTTP redirection. When the access device
detects that an unauthenticated user tries to access the network through HTTP, it redirects the request to the client
download page, which guides the user to download and install the client and authenticate with it.

The client download page is normally provided by the download server, so the HTTP redirection IP address should be the
download server's IP address. The redirection IP address is treated as a special network resource free of
authentication: unauthenticated users can communicate with it over HTTP directly.

The IP address of HTTP redirection is not set by default. To set it, refer to the Setting the HTTP Redirection Address
section of Configuring the Basic Characteristics of WEB Authentication.

Setting the Redirection HTTP Ports

When a user accesses network resources, for example browses the Internet, the user's PC sends HTTP packets. The
access device intercepts these HTTP packets to detect that the user is accessing network resources. When it detects an
unauthenticated user doing so, it blocks the access and displays the client download page to the user.

By default the access device intercepts HTTP packets sent by the user to port 80.

To make the access device also intercept HTTP packets sent to additional port numbers, refer to the Setting the
Redirection HTTP Ports section of Configuring the Optional Characteristics for WEB Authentication.

Setting the Homepage of the Server for Client Download

Before enabling the automatic client acquisition, the homepage address for client download service must be configured.
When an unauthenticated user accesses the network, the information of this page is displayed for the user to download
the client.

Client download service homepage is not set by default. To set the homepage of the server for client download, refer to
the related configuration commands in the Setting HTTP Redirection Homepage section of Basic Characteristics of WEB
Authentication Configuration.

Setting the Maximum HTTP Session Number for Each Unauthenticated User

When an unauthenticated user accesses network resources, the user's PC sends HTTP connection requests. The
access device intercepts these HTTP packets and, through redirection, requires the user to perform WEB authentication.
To prevent an unauthenticated user from opening an excessive number of HTTP connections and exhausting the resources
of the access device, the access device limits the maximum number of HTTP sessions per unauthenticated user.

Authentication itself occupies one HTTP session, and other applications on the PC may occupy further sessions, so it is
not recommended to set the maximum HTTP session number of an unauthenticated user to 1. This section states a default
of 255 sessions per unauthenticated user globally and 300 per unauthenticated user on each port, whereas the earlier
description in this chapter and its show http redirect output give 3; check the value in effect on your device with
show http redirect.

To set the maximum HTTP session number for the unauthenticated user, refer to the Setting the Maximum HTTP Session
Number for Each Unauthenticated User section of Configuring the Optional Characteristics for WEB Authentication.

Setting Timeout of Holding Redirection Connection

To set the timeout of holding the redirection connection, refer to the Setting Timeout of Holding Redirection Connection
section of Configuring the Optional Characteristics for WEB Authentication.

Command                                    Function
configure terminal                         Enter the global configuration mode.
http redirect timeout seconds              Set the timeout of holding the redirection connection to seconds, ranging
                                           from 1 to 10.
show http redirect                         Display the configuration for HTTP redirection.
end                                        Return to the privileged EXEC mode.
write                                      Save the configuration.

In order to recover the timeout of holding redirection connection to 3 seconds, use the no http redirect timeout command
in the global configuration mode.

Configuration example:

# Set the timeout of holding the redirection connection to 4 seconds.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect timeout 4
Ruijie(config)# show http redirect

Setting the Range of Network Resources Free for Authentication

To set the range of network resources free for authentication, refer to the Setting the Range of Network Resources Free
for Authentication section of Configuring the Optional Characteristics for WEB Authentication.

Displaying the HTTP Redirection Configuration Acquired Automatically by Clients

In the privileged EXEC mode, perform the following steps to display the HTTP redirection configuration acquired
automatically by clients.

Command Function
show http redirect Displays the configuration for HTTP redirection.

The following example displays the HTTP redirection configuration acquired automatically by clients.

Ruijie# show http redirect
http redirect settings
server        : 172.16.0.1
port          : 80 8080
homepage      : http://www.su-download.net/
session-limit : 3
timeout       : 3

direct-site
Address          Mask              ARP Binding
---------------  ----------------  -----------
176.10.0.1       255.255.255.255   On
176.10.5.0       255.255.255.128   Off

Configuring the Web-auth Portal Server

Enabling the Ruijie Portal Server

Use this command in global configuration mode to select the Ruijie portal server; the no form restores the default
setting. The Ruijie portal server is selected by default.

Command                                  Function
no web-auth portal extension             Selects the Ruijie portal server (the default).

The following example selects the Ruijie portal server and the matching redirect URL format.

Ruijie(config)# no web-auth portal extension
Ruijie(config)# http redirect url-fmt ext1

Enabling Portal Server Check

Use this command to enable portal server check in global configuration mode. Use the no form of this command to restore
the default setting. Portal server check is disabled by default.

Command                                                                              Function
web-auth portal-check [ interval intsec ] [ timeout tosec ] [ retransmit retries ]   Enables portal server check.

This command is recommended when several portal servers are deployed, since it is what lets the device notice that one
of them has failed. The following example enables portal server check, probing every 20 seconds with a 2-second
timeout and 2 retransmissions.

Ruijie(config)# web-auth portal-check interval 20 timeout 2 retransmit 2

Enabling Portal-Escape Function

Use this command to enable portal-escape function in global configuration mode. Use the no form of this command to
restore the default setting. This function is disabled by default.
Command Function
web-auth portal-escape Enables portal-escape function.

Use this command together with web-auth portal-check command to sustain key services when the portal server is
abnormal. The following example enables portal-escape function.

Ruijie (config)# web-auth portal-escape

Configuring the Communication Key

Use this command in global configuration mode to set the communication key shared between the access device and the
authentication server. Use the no form of this command to clear the key.

Command                                  Function
web-auth portal key key-string           Sets the communication key between the access device and the authentication
                                         server.

The communication key must be set for WEB authentication to work, and it must match the key configured on the
authentication server. The following example sets the communication key between the access device and the
authentication server to web-auth.

Ruijie(config)# web-auth portal key web-auth

Monitoring

The following describes how to view the configuration and status for WEB authentication.

 Displaying the configuration of the HTTP redirection
 Displaying the user range free for the WEB authentication
 Displaying the configuration information for the WEB authentication on the port
 Displaying the user information for the WEB authentication

Displaying the Configuration of the HTTP Redirection


Use the following command to view the configuration of HTTP redirection in the privileged EXEC mode.

Command Function
Ruijie# show http redirect Displays the configuration of HTTP redirection.

The following is an example of viewing the configuration of HTTP redirection.

Ruijie# show http redirect
HTTP redirection settings:
server        : 192.168.32.123
port          : 80 8000
homepage      : http://192.168.32.123:8888/ePortal/index.jsp
session-limit : 10
timeout       : 5

Direct sites:
Address           MASK              ARP Binding
----------------  ----------------  -----------
61.233.3.215      255.255.255.255   On
61.233.3.220      255.255.255.255   Off
192.168.5.140     255.255.255.255   Off
218.30.66.101     255.255.0.0       Off
218.30.66.101     255.255.255.255   Off

Direct hosts:
Address           Mask              Port        ARP Binding
----------------  ----------------  ----------  ------------
192.168.1.1       255.255.255.255   Fa0/1       On

Displaying the User Range Free for the WEB Authentication


Use the following command to view the user range free for WEB authentication in the privileged EXEC mode

Command                                   Function
Ruijie# show WEB-auth direct-host         Displays the user range free for WEB authentication.

The following is an example of displaying the user range free for WEB authentication:

Ruijie# show WEB-auth direct-host
direct-host
Address          Mask              Port        ARP Binding
---------------  ----------------  ----------  ----------
192.168.0.1      255.255.255.255   Fa0/2       On
192.168.4.11     255.255.255.255   Fa0/10      On
192.168.5.0      255.255.255.0     Fa0/16      Off

Displaying the Configuration Information for the WEB Authentication on the Port
Use the following command to display the configuration information for WEB authentication in the privileged EXEC mode.

Command                                   Function
Ruijie# show WEB-auth port-control        Displays the configuration information for WEB authentication on the port.

The following is an example of displaying the configuration information for WEB authentication on the port:

Ruijie# show WEB-auth port-control


Port Control
------------------------- ----------
FastEthernet 0/1 On
FastEthernet 0/2 Off
FastEthernet 0/3 Off
......

Displaying the Information of the WEB Authenticated Users


Use the following command to display the online information of all users or specified users in the privileged EXEC mode.

Command                                        Function
Ruijie# show WEB-auth user [ ip-address ]      Displays the online information of all users or of the specified user.

The following is an example of displaying the online information of all users or specified users:

Ruijie# show WEB-auth user
Current user num : 4

Address          Online   Time Limit      Time Used       Status
---------------  -------  --------------  --------------  --------
192.168.0.11     On       0d 01:00:00     0d 00:15:10     Active
192.168.0.13     On       0               0d 00:00:59     Active
192.168.0.25     Off      0               0               Create
192.168.0.46     Off      0d 01:00:00     0d 01:00:00     Destroy

Ruijie# show WEB-auth user 192.168.0.11
Address    : 192.168.0.11
Mac        : 00d0.f800.2233
Port       : Fa0/2
Online     : On
Time Limit : 0d 01:00:00
Time Used  : 0d 00:15:10
Time Start : 2009-02-22 20:05:10
Status     : Active

Displaying the List of VLANs supporting VLAN-based Web Authentication


In privileged EXEC mode, execute the following commands to display the list of VLANs supporting VLAN-based Web
authentication:

Command                                   Function
Ruijie# show web-auth allow-vlan          Displays the list of VLANs supporting VLAN-based Web authentication.

The following example displays the list of VLANs supporting VLAN-based Web authentication.

Ruijie# show web-auth allow-vlan


Allow-vlan list : 1-3,5

Displaying the Authentication-Exempted Configuration


Use this command to display the authentication-exempted configuration in privileged EXEC mode.

Command Function
show http redirect Displays the authentication-exempted configuration.

The following example displays the authentication-exempted configuration

Ruijie# show http redirect
HTTP redirection settings:
server        : 192.168.197.79
port          : 80 443
homepage      : http://192.168.197.79:8080/eportal/index.jsp
session-limit : 255
timeout       : 3
Direct sites: 3
Address          Mask              ARP Binding
---------------  ---------------   -----------
192.168.5.120    255.255.255.255   Off
192.168.58.112   255.255.255.255   Off
192.168.197.0    255.255.255.0     Off
Direct arps: 0
Address          Mask
---------------  ---------------
Direct hosts: 0
Address          Mask              Port            ARP Binding
---------------  ---------------   --------------  -------------

Configuration Examples

Configuration Examples for WEB Authentication


Networking Requirements

 The network consists of the WEB authentication server, DHCP server, straight-through server (website), DNS server,
core device (such as S86 series switches), convergence device (such as S57 series switches), access switches (S26
series switches) and user PCs.
 The access device must support the WEB authentication function (in this example only the S26 series switches do).

Network Topology

Figure 1-1 Network topology for the WEB authentication scheme

 The user PC connects to the access device, which connects to the convergence device, which in turn connects to the
core device. Users reach the Internet through the core switch.
 The servers are installed in the server area and connect to the core device over the internal network.
 PC1 obtains IP address 192.168.4.11 from the DHCP server and PC2 obtains 192.168.4.12. The gateway address of PC1
and PC2 is 192.168.4.1.
 The domain name of the WEB authentication server is www.WEB_auth.com, resolved by the internal DNS server. The URL
of the WEB authentication page is http://www.WEB_auth.com/WEBportal/index.jsp. If no internal DNS server is deployed,
put the IP address of the WEB authentication server in the URL instead.
 A public server in the server area can be accessed by users without authentication.

Configuration Tips

Precautions on the WEB Authentication Solution:

 When WEB authentication is enabled on a port, DHCP and DNS packets sent by users, including unauthenticated users,
are allowed through, so users can obtain an IP address and resolve domain names.
 To prevent TCP attacks, the number of connections a user may hold before authentication is limited; the default is 3
and the maximum is 10. A user PC may open many HTTP connections, from the browser or from other software such as
chat, download or video applications, or even Trojan horse malware. If that software uses up the allowed connections,
the browser cannot open one and authentication fails. Keep this in mind during deployment: if a user who must pass WEB
authentication runs software that opens many connections automatically, disable that software before accessing the
Internet.
 WEB authentication requires the user PC to initiate HTTP connections. Before it can, the PC must resolve the server
name through DNS and learn the gateway's MAC address through ARP, so the switch allows ARP requests to the gateway
from unauthenticated users. This leaves room for ARP spoofing: if a user in the same VLAN spoofs another user's IP
address in ARP packets sent to the gateway, the gateway may learn an incorrect ARP entry and other users in that VLAN
may be affected.

Configuration Steps

 Set the IP address of the authentication server and the communication key with the authentication server on the
access device.
Ruijie# config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect 192.168.3.1
Ruijie(config)# WEB-auth portal key WEB_auth_s26_1
 Set the homepage address of the authentication page on the access device.
Ruijie(config)# http redirect homepage http://www.WEB_auth.com/WEBportal/index.jsp
 Set the SNMP parameters between the access device and authentication server.
Ruijie(config)# snmp-server community WEB_auth_key
Ruijie(config)# snmp-server enable traps WEB-auth
Ruijie(config)# snmp-server host 192.168.3.1 inform version 2c WEB_auth_key WEB-auth
Ruijie(config)# exit
 Enable the WEB authentication function on Fa0/2 and Fa0/3 ports on the access device.
Ruijie(config)# interface range fa0/2-3
Ruijie(config-if-range)# WEB-auth port-control
Ruijie(config-if-range)# exit
 Set the range of the network resources free for authentication on the access device and set the public server as the
straight through website.
Ruijie(config)# http redirect direct-site 192.168.5.1

If the ARP Check function is enabled, the arp item should be added.

Ruijie(config)# http redirect direct-site 192.168.5.1 arp


 If the ARP Check function is enabled, the IP addresses of the gateway must be set in the range of resources free for
authentication, and enable the arp item to ensure that the PC can send the DNS and the ARP requests before
authentication.

Set the gateway IP address 192.168.4.1 that connects to the PC within the range of network resources free for
authentication on the access device.

Ruijie(config)# http redirect direct-site 192.168.4.1 arp


 Set the range of IP addresses of the users who need no authentication on the access device.
Ruijie(config)# WEB-auth direct-host 192.168.4.12

If the ARP Check function is enabled, the arp item should be added.
Configuration Guide Configuring Web Authentication

Ruijie(config)# WEB-auth direct-host 192.168.4.12 arp

If PC1 wants to access the Internet, it is redirected to the Web authentication server; after authentication succeeds,
PC1 can access the Internet. PC2 can access the Internet directly without authentication.

Verification

 Display the configuration of HTTP redirection.


Ruijie# show http redirect
http redirect settings
server : 192.168.3.1
port : 80
homepage : http://www.WEB_auth.com/WEBportal/index.jsp
session-limit : 3
timeout : 3

direct-site
Address Mask ARP Binding
--------------- ---------------- -----------
192.168.4.1 255.255.255.255 On
192.168.5.1 255.255.255.255 On

direct-host
Address Mask Port ARP Binding
--------------- ---------------- ---------- ----------
192.168.4.12 255.255.255.255 Fa0/3 On
 Display the user range free for authentication.
Ruijie# show WEB-auth direct-host
direct-host
Address Mask Port ARP Binding
--------------- ---------------- ---------- ----------
192.168.4.12 255.255.255.255 Fa0/3 On
 Display the authentication configuration and statistic information on the port.
Ruijie# show WEB-auth port-control
Port Control
------------------------- ----------
FastEthernet 0/1 Off
FastEthernet 0/2 On
FastEthernet 0/3 On
......
Configuration Guide Configuring AAA

Configuring AAA

Access control is used to control who can access the network server and which services the users on the network
can access. Authentication, authorization and accounting (AAA) is the key security mechanism for access control.

Overview

Authentication, Authorization and Accounting (shortened as AAA) provides a consistent framework for configuring the
authentication, authorization and accounting functions supported by Ruijie products.

The AAA provides the following services in a modular manner:

 Authentication: verifies whether a user can access the network; the RADIUS protocol or the local database can be
used. Authentication identifies a user before he/she accesses the network and network services. AAA authentication
is configured by defining a named list of authentication methods and applying it on each interface. The method list
defines the authentication type and execution order. Before a defined authentication method is executed, the method
list must be applied on a specific interface. The default method list is the exception: if no other method list is
defined, the default method list automatically applies on all interfaces, and a defined method list overrides the
default method list. All authentication methods other than the local, line password and allowing authentication must
be defined with AAA.
 Authorization: grants services to the user. AAA authorization is implemented by defining a series of attributes that
describe the operations the user is authorized to perform. These attributes can be stored on the network device or
remotely on the RADIUS security server. All authorization methods must be defined with AAA. When AAA authorization
is enabled, it is automatically applied on all interfaces of the network device.
 Accounting: records the user's usage of network resources. When AAA accounting is enabled, the network access
server sends the user's network resource usage to the RADIUS security server as statistics records. Every accounting
record is composed of attribute pairs and is stored on the security server. These records can be read and analyzed by
dedicated software to implement accounting, statistics and tracing of the user's network resource usage. All accounting
methods must be defined with AAA. When AAA accounting is enabled, it is automatically applied on all interfaces of the
network device.

The AAA of some products only provides the authentication function. For all problems with product
specifications, contact the market or technical support personnel.

Although AAA is the primary access control method, Ruijie products also provide simple access control beyond the
scope of AAA, such as local username authentication and line password authentication. The difference lies in the
degree of network protection: AAA provides security protection at a higher level.

The AAA has the following advantages:

 Flexibility and controllability
 Expandability
 Standardized authentication
 Multiple backup systems

Basic Principles
The AAA can dynamically configure authentication, authorization and accounting for a single user (line) or server. It
defines the authentication, authorization and accounting by means of creating method lists and then applies them on
specific services or interfaces.

Method List
Because user authentication can be implemented in a variety of ways, the method list is used to define the sequence
in which different methods are used to authenticate users. The method list can define one or more security protocols
for authentication, so that backup systems are available in case the first method fails. Ruijie products use the first
method in the method list for user authentication and select the next method in the list if there is no reply from the
first one. This process continues until a listed authentication method successfully allows communication or all listed
methods are used up. If all listed methods are used up but communication is not allowed, authentication is declared
failed.

Ruijie products attempt the next method only when there is no reply from the current method. During
authentication, if a method refuses the user's access, the authentication process ends and no other methods are
attempted.

Figure 1-1 Typical AAA Network Topology

The figure above illustrates a typical AAA network configuration, including two security servers: R1 and R2 are both
RADIUS servers, and one NAS (Network Access Server) acting as the RADIUS server.

Suppose the system administrator has defined a method list: R1 is queried first for the identity information, then R2,
and finally the local username database on the NAS. If a remote PC user attempts to access the network via dialup, the
NAS first queries the authentication information from R1. If the user passes authentication on R1, R1 sends a
SUCCESS reply to the NAS, and the user's access to the network is allowed. If R1 returns a FAIL reply, the user's
access is refused and the user is disconnected. If R1 does not reply, the NAS regards this as an ERROR and queries
the authentication information from R2. This process continues for the remaining methods until the user passes
authentication, is refused, or the session is terminated. If ERROR is returned for all methods, authentication fails and
the user is disconnected.

The REJECT response is not the same as the TIMEOUT response. REJECT means the user fails to meet the
criteria in the available authentication database and does not pass authentication, so the access request is
refused. TIMEOUT means the security server did not reply to the authentication request. When an ERROR is
detected, AAA selects the next authentication method in the method list and continues the authentication
process.
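The method-list walk described above (next method only on no reply, an immediate stop on ACCEPT or REJECT, failure when the list is exhausted), written out as an added simulation that is not Ruijie code. The server names R1 and R2 come from the figure; the users, passwords and the method lists "radius-only" and "permissive" are constructed for the example.

```python
"""AAA method-list evaluation, as an added simulation (not Ruijie code).

Models the rule described above: methods are tried in list order, a
TIMEOUT (no reply) moves on to the next method, ACCEPT or REJECT ends the
process immediately, and running out of methods is a failure. The users,
passwords and list names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACCEPT, REJECT, TIMEOUT, EXHAUSTED = "ACCEPT", "REJECT", "TIMEOUT", "EXHAUSTED"


@dataclass
class RadiusServer:
    """One RADIUS server of the 'group radius' method (R1/R2 in the figure)."""
    name: str
    users: Dict[str, str]          # constructed credential store
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return TIMEOUT          # no reply at all
        return ACCEPT if self.users.get(user) == password else REJECT


@dataclass
class Nas:
    """Network access server holding the method lists and line bindings."""
    local_users: Dict[str, str]    # 'local' method database
    radius_group: List[RadiusServer]
    method_lists: Dict[str, List[str]] = field(default_factory=dict)
    line_lists: Dict[int, str] = field(default_factory=dict)   # vty -> list name
    trace: List[str] = field(default_factory=list)

    # Mirrors 'aaa authentication login <name> method1 [method2 ...]'.
    def define_list(self, name: str, *methods: str) -> None:
        self.method_lists[name] = list(methods)

    # Mirrors 'login authentication <name>' under 'line vty N'.
    def apply_to_line(self, vty: int, name: str) -> None:
        self.line_lists[vty] = name

    def _run_method(self, method: str, user: str, password: str) -> str:
        if method == "none":
            return ACCEPT           # no authentication at all
        if method == "local":
            if user not in self.local_users:
                return REJECT
            return ACCEPT if self.local_users[user] == password else REJECT
        if method == "group radius":
            # Servers in the group are queried in turn; a silent server is
            # skipped, and the group as a whole times out only if all do.
            for server in self.radius_group:
                result = server.authenticate(user, password)
                self.trace.append(f"{server.name}:{result}")
                if result != TIMEOUT:
                    return result
            return TIMEOUT
        raise ValueError(f"unsupported method {method!r}")

    def login(self, vty: int, user: str, password: str) -> Tuple[bool, str]:
        """Returns (access allowed, final outcome) for a login on a VTY line."""
        self.trace.clear()
        # A line with no named list applied uses the 'default' list.
        methods = self.method_lists.get(self.line_lists.get(vty, "default"), [])
        for method in methods:
            result = self._run_method(method, user, password)
            self.trace.append(f"{method}:{result}")
            if result in (ACCEPT, REJECT):
                # A definite answer ends the process; later methods are
                # never consulted, even when the answer is a rejection.
                return result == ACCEPT, result
            # TIMEOUT: fall through to the next method in the list
        return False, EXHAUSTED


def build_demo_nas(r1_up: bool = True, r2_up: bool = True) -> Nas:
    """Constructed topology: R1 and R2 in the RADIUS group plus a local admin."""
    r1 = RadiusServer("R1", {"alice": "alice-pw"}, r1_up)
    r2 = RadiusServer("R2", {"alice": "alice-pw"}, r2_up)
    nas = Nas(local_users={"admin": "admin-pw"}, radius_group=[r1, r2])
    nas.define_list("default", "group radius", "local")
    nas.define_list("radius-only", "group radius")
    nas.define_list("permissive", "group radius", "none")  # the risky form
    nas.apply_to_line(3, "radius-only")
    nas.apply_to_line(4, "permissive")
    return nas


if __name__ == "__main__":
    nas = build_demo_nas(r1_up=False, r2_up=False)
    print(nas.login(2, "admin", "admin-pw"), nas.trace)   # (True, 'ACCEPT') via local
    print(nas.login(4, "anyone", "anything"), nas.trace)  # (True, 'ACCEPT') via none
```

The trace shows why a "none" method at the end of a list is dangerous: with both servers silent, line 4 admits any username and password.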

This chapter takes RADIUS as the example for configuring the authentication, authorization and accounting of the
AAA security server. For TACACS+, see TACACS+ Configuration.

Configuration

Basic Configuration
First decide which security solution to use, evaluate the potential security risks in the specific network and take
proper measures to prevent unauthorized access. For security risk evaluation and possible security solutions, see
“Chapter 2, Security Overview.” We recommend using AAA wherever possible to guarantee network security.

Overview

AAA configuration becomes simple once the basic operation of AAA is understood. On Ruijie network devices, AAA is
configured in the following steps:

 Enable AAA by using the global configuration command aaa new-model.
 Configure the security protocol parameters if you decide to use the security server, such as RADIUS.
 Define the authentication method list by using the aaa authentication command.
 Apply the method list on specific interface or line, if necessary.

When a method list is applied, if no named method list is explicitly specified, the default authentication method
list applies. Therefore, if you do not want to use the default authentication method list, you must specify a named
method list.

For complete descriptions of the commands mentioned in this chapter, see the related chapters in the Security
Configuration Command Reference.

Enabling AAA

AAA must be enabled before the AAA security features can be used.

To enable AAA, execute the following command in global configuration mode:

Command Function
Ruijie (config)# aaa new-model Enables AAA.

Disabling AAA

To disable AAA, execute the following command in global configuration mode:

Command Function
Ruijie (config)# no aaa new-model Disables AAA.

Configuration Steps

Task Section
Configuring Local Login Authentication    3 Configuring Authentication
Defining AAA Authentication Method List    3 Configuring Authentication
Applying Method List on Specific Interface or Line    4 Configuring Authentication
Configuring RADIUS Security Protocol Parameters    2 Configuring RADIUS
Enabling RADIUS Authorization    5 Configuring Authorization

If you are using AAA for authentication, see Configuring Authentication.

Configuring Authentication
Authentication verifies the user's identity before the user uses network resources. In most cases, authentication is
implemented with the AAA security features. We recommend using AAA wherever possible.

Defining AAA Authentication Method List

To configure AAA authentication, first define a named list of authentication methods; applications then use the
defined list for authentication. The method list defines the authentication type and execution order. The defined
authentication methods must be applied on specific interfaces before they can be executed. The default method list
is the exception: when no list is configured, all applications use the default method list.

The method list is simply a list that defines the authentication methods to be queried in turn to verify the user's
identity. It can define one or more security protocols for authentication, so that backup systems are available in
case the first method fails. Ruijie products use the first method in the list for user authentication and select the next
method in the list if there is no reply from the first one. This process continues until a listed authentication method
successfully allows communication or all listed methods are used up. If all listed methods are used up but
communication is not allowed, authentication is declared failed.

Ruijie products attempt the next method only when there is no reply from the current method. During
authentication, if a method refuses the user's access, the authentication process ends and no other methods are
attempted.

Example of Method List

In a typical AAA network configuration there are two servers, R1 and R2, both RADIUS servers. Suppose the network
administrator has chosen a security solution in which the NAS authenticates Telnet connections as follows: R1 is used
for user authentication first; if there is no reply, R2 is used; if there is no reply from either R1 or R2, the local
database of the access server performs the authentication. To configure this authentication list, run the following
commands:

Command Function
configure terminal    Enter global configuration mode.
Ruijie (config)#aaa authentication login default group radius local    Configure a default authentication method list, where "default" is the name of the method list. The protocols included in this method list are listed behind the name in the order in which they will be queried. The default method list is applied on all applications.

If the system administrator wants to apply this method list on a specific Login connection, he/she must create a
named method list and then apply it on that connection. The example below applies the authentication method list on
line 2 only.

Command Function
configure terminal    Enters global configuration mode.
Ruijie (config)#aaa new-model    Turns on the AAA switch.
Ruijie (config)#aaa authentication login test group radius local    Defines a method list named "test" in global configuration mode.
Ruijie (config)#line vty 2    Enters VTY line 2 configuration mode.
Ruijie(config-line)#login authentication test    In line configuration mode, applies the method list named “test” on the line.

If a remote PC user attempts to Telnet to the network access server (NAS), the NAS first queries the authentication
information from R1. If the user passes authentication on R1, R1 sends an ACCEPT reply to the NAS, and the user's
access to the network is allowed. If R1 returns a REJECT reply, the user's access is refused and the user is
disconnected. If R1 does not respond, the NAS treats this as a TIMEOUT and queries the authentication information
from R2. This process continues for the remaining methods until the user passes authentication, is refused, or the
session is terminated. If all servers (R1 and R2) return TIMEOUT, authentication is performed by the NAS local database.

The REJECT response is not the same as the TIMEOUT response. REJECT means the user fails to meet the
criteria in the available authentication database and does not pass authentication; thus the access request is
refused. TIMEOUT means the security server did not reply to the authentication request. When a TIMEOUT is
detected, AAA selects the next authentication method in the method list and continues the authentication
process.

Authentication Types

Ruijie products support the following authentication types:

 Login Authentication -- authentication of the user terminal logging in to the NAS CLI.
 Enable Authentication -- authentication for raising the CLI privilege level after the user terminal has logged in to the NAS CLI.
 PPP Authentication -- authentication of PPP dial-up users.
 DOT1X (IEEE802.1x) Authentication -- authentication of IEEE802.1x access users.

General Steps in Configuring AAA Authentication

The following tasks are common for the configuration of AAA authentication.

 Enable AAA by using the global configuration command aaa new-model.
 Configure the security protocol parameters if you decide to use the security server, such as RADIUS. See
Configuring Radius and Configuring TACACS+ for details.
 Define the authentication method list by using the aaa authentication command.
 Apply the method list on a specific interface or line, if necessary.

DOT1X authentication on Ruijie products does not support TACACS+.

Configuring the AAA Login Authentication

This section describes how to configure the AAA Login authentication methods supported by Ruijie products.

The AAA security features are available for configuration only after AAA is enabled with the aaa new-model
command in global configuration mode. For details, see AAA Overview.

In many cases, the user needs to Telnet to the network access server (NAS). Once such a connection is set up, the
NAS can be configured remotely. To prevent unauthorized access to the network, the user's identity must be
authenticated.

The AAA security services make it easy for network devices to perform line-based authentication. Whichever line
authentication method you decide to use, you only need to execute the aaa authentication login command to define
one or more authentication method lists and apply them on the specific lines that need line authentication.

To configure the AAA login authentication, execute the following commands in global configuration mode:

Command Function
configure terminal    Enter global configuration mode.
Ruijie (config)#aaa new-model    Enable AAA.
Ruijie (config)#aaa authentication login { default | list-name } method1 [ method2... ]    Define an authentication method list, or repeat this command to define more.
Ruijie (config)#line vty line-num    Enter the line that needs to apply the AAA authentication.
Ruijie (config-line)#login authentication { default | list-name }    Apply the method list on the line.

The keyword "list-name" names the created authentication method list and can be any string. The keyword "method"
means the actual algorithm for authentication. Only when the current method returns ERROR (no reply) is the next
authentication method attempted. If the current method returns FAIL, no further authentication method is used. To
make authentication succeed even if none of the specified methods reply, you can specify "none" as the last
authentication method.

In the example below, the identity authentication passes even if the RADIUS server returns TIMEOUT.

aaa authentication login default group radius none

Since the keyword "none" lets any dial-up user pass authentication when the security server does not reply, it
is used only as the backup authentication method. We suggest not using "none" identity authentication in
general. Only in the special case where all possible dial-up users are trusted and no delay due to a system
fault is acceptable for the users' work can "none" be used as the last identity authentication method in case
the security server does not reply. We also recommend adding the local authentication method before the
“none” authentication method.

Keyword Description
local    Use the local username database for authentication.
none    Do not perform authentication.
group radius    Use the server group for authentication. At present, the RADIUS server group is supported.
subs    Use the subs database for authentication.

The table above lists the AAA login authentication methods supported by Ruijie products.

Using the Local Database for Login Authentication

To configure login authentication with the local database, the local database must be configured first. Ruijie products
support authentication based on the local database. To establish username authentication, run the following
commands in global configuration mode:

Command Function
configure terminal    Enter global configuration mode.
Ruijie(config)#username name [ password password ] or username name [ access-class number ]    Establish the username authentication using the password, or the access list.
username name [ privilege level ]    (Optional) Set the privilege level for the user.
username name [ autocommand command ]    (Optional) Set the command auto-executed after the user logs in.
end    Return to privileged EXEC mode.
show running-config    Confirm the configuration.

To define and apply the local login authentication method list, run the following commands:

Command Function
Ruijie#configure terminal    Enter global configuration mode.
Ruijie(config)#aaa new-model    Turn on the AAA switch.
Ruijie(config)#aaa authentication login {default | list-name} local    Define the local method list.
Ruijie(config)#end    Return to privileged EXEC mode.
Ruijie#show aaa method-list    Confirm the configured method list.
Ruijie#configure terminal    Enter global configuration mode.
Ruijie(config)#line vty line-num    Enter line configuration mode.
Ruijie(config-line)#login authentication {default | list-name}    Apply the method list.
Ruijie(config-line)#end    Return to privileged EXEC mode.
Ruijie#show running-config    Confirm the configuration.

Using RADIUS for Login Authentication

To use a RADIUS authentication server for login authentication, the RADIUS server must be configured first. Ruijie
products support authentication based on the RADIUS server. To configure the RADIUS server, run the following
commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model    Turn on the AAA switch.
Ruijie (config)#radius-server host ip-address [ auth-port port ] [ acct-port port ]    Configure the RADIUS server.
Ruijie#show radius server    Display the RADIUS server.

After the RADIUS server is configured, make sure that communication with the RADIUS server succeeds before
configuring RADIUS for authentication. For details of the RADIUS server configuration, see Configuring RADIUS.

Now the RADIUS server based method list can be configured. Run the following commands:

Command Function
Ruijie (config)#aaa new-model    Turn on the AAA switch.
Ruijie (config)#aaa authentication login { default | list-name } group radius    Define the RADIUS method list.
Ruijie (config)#end    Return to privileged EXEC mode.
Ruijie#show aaa method-list    Confirm the configured method list.
Ruijie#configure terminal    Enter global configuration mode.
Ruijie (config)#line vty line-num    Enter line configuration mode.
Ruijie (config-line)#login authentication { default | list-name }    Apply the method list.
Ruijie (config-line)#end    Return to privileged EXEC mode.
Ruijie#show running-config    Confirm the configuration.

Configuring the AAA Enable Authentication

This section describes how to configure the AAA Enable authentication methods supported by Ruijie products.

In many cases, the user needs to Telnet to the network access server (NAS). After passing authentication, the user
enters the Command Line Interface (CLI) and is assigned an initial command execution privilege level (0-15). Users
can execute different commands at different levels and use the show privilege command to display the current level.
For details, see Using the CLI.

After logging in to the CLI, a user can use the enable command to raise the privilege level if some commands cannot
be executed because the initial privilege level is too low. To prevent unauthorized access to the network, identity
authentication, called Enable authentication, is required when raising the privilege level.

To configure the AAA Enable authentication, execute the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model    Enable AAA.
Ruijie(config)#aaa authentication enable default method1 [method2...]    Define an enable authentication method list, for example RADIUS.

Only one enable authentication method list can be defined globally, so the method list has no name. The keyword
"method" means the actual algorithm for authentication. Only when the current method returns ERROR (no reply) is
the next authentication method attempted. If the current method returns FAIL, no further authentication method is
used. To make authentication succeed even if none of the specified methods reply, you can specify none as the last
authentication method.

Once configured, the enable authentication method takes effect. When a user executes the enable command in
privileged EXEC mode, the user is prompted to authenticate if he/she wants to switch to a higher privilege level. No
authentication is required if the requested privilege level is lower than or equal to the current one.

The current username is recorded if Login authentication (with any method other than none) was performed
when the user entered the CLI. In that case, Enable authentication does not prompt for the username, and the
user can use the same username as for Login authentication. Note that the password entered must be
consistent.

The username is not recorded if no Login authentication was performed when entering the CLI, or if the none
method was used. In that case, Enable authentication requires the user to enter the username again. This
username is not recorded either, so the user must enter it every time Enable authentication is performed.

Some authentication methods can bind a security level. For these methods, in addition to the response returned by
the security protocol, the bound security level must be verified during authentication. If the service protocol can bind
the security level, the level is verified while authenticating: if the bound level is higher than or equal to the level to be
configured, enable authentication and the level switchover succeed; if the bound level is lower than the level to be
configured, enable authentication fails, an error message is displayed and the current level is kept. If the service
protocol does not bind a security level, the user can switch to the level without verification of a bound level.

Currently only RADIUS and Local authentication support binding the security level, so only the security levels
of these two methods are checked.
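The level-switchover rules above, including the reuse of the username recorded at login, as an added simulation that is not Ruijie code. The RADIUS attribute handling is an assumption modelled on the description in the following sections (Service-Type, attribute 6, giving level 1 or 15; the private attribute 42 carrying 0-15); the usernames, passwords and levels are constructed.

```python
"""Enable authentication with a bound privilege level, an added simulation
that is not Ruijie code. It applies the rules stated above: no check when the
requested level is not above the current one, a method that binds a level must
bind one at least as high as the level requested, and a method binding no
level lets the switchover through once the password is accepted. The RADIUS
encoding is an assumption based on the following sections (Service-Type,
attribute 6, yields level 1 or 15; private attribute 42 carries 0-15); all
users are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ACCEPT, REJECT = "ACCEPT", "REJECT"
SERVICE_TYPE, PRIVATE_LEVEL = 6, 42
# RFC 2865 Service-Type values Administrative-User (6) and NAS-Prompt-User (7);
# mapping them to levels 15 and 1 is the assumption named above.
SERVICE_TYPE_TO_LEVEL = {6: 15, 7: 1}


@dataclass
class LocalUser:
    password: str
    privilege: int = 1            # 'username name privilege level'; default 1


@dataclass
class RadiusServer:
    users: Dict[str, Tuple[str, Dict[int, int]]]   # user -> (password, attributes)

    def authenticate(self, user: str, password: str) -> Tuple[str, Optional[int]]:
        """Returns (result, bound level or None) like an Access-Accept/Reject."""
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return REJECT, None
        attrs = entry[1]
        if PRIVATE_LEVEL in attrs:                 # extended server (e.g. SAM)
            return ACCEPT, attrs[PRIVATE_LEVEL]
        if SERVICE_TYPE in attrs:                  # standard server
            return ACCEPT, SERVICE_TYPE_TO_LEVEL.get(attrs[SERVICE_TYPE])
        return ACCEPT, None                        # nothing bound


@dataclass
class Session:
    level: int                          # current CLI privilege level
    login_user: Optional[str] = None    # recorded unless login used 'none'


class EnableAuthenticator:
    """'aaa authentication enable default <method>' with method local or group radius."""

    def __init__(self, method: str, local: Dict[str, LocalUser], radius: RadiusServer):
        self.method, self.local, self.radius = method, local, radius

    def _authenticate(self, user: str, password: str) -> Tuple[str, Optional[int]]:
        if self.method == "group radius":
            return self.radius.authenticate(user, password)
        entry = self.local.get(user)               # 'local' method
        if entry is None or entry.password != password:
            return REJECT, None
        return ACCEPT, entry.privilege

    def enable(self, session: Session, requested: int, password: str,
               username: Optional[str] = None) -> Tuple[bool, str]:
        """Models 'enable <requested>'; raises session.level only on success."""
        if requested <= session.level:
            session.level = requested
            return True, "no authentication needed"
        # The username recorded at login is reused; otherwise it must be typed.
        user = session.login_user or username
        if user is None:
            return False, "username required"
        result, bound = self._authenticate(user, password)
        if result != ACCEPT:
            return False, result
        if bound is not None and bound < requested:
            return False, f"bound level {bound} is below {requested}"
        session.level = requested
        return True, "level switched"


def build_demo() -> Tuple[EnableAuthenticator, EnableAuthenticator]:
    """Constructed databases: returns (local, radius) enable authenticators."""
    local = {"ops": LocalUser("ops-pw", privilege=7), "root": LocalUser("root-pw", 15)}
    radius = RadiusServer({
        "helpdesk": ("hd-pw", {SERVICE_TYPE: 7}),   # standard reply: level 1
        "netadmin": ("na-pw", {SERVICE_TYPE: 6}),   # standard reply: level 15
        "auditor": ("au-pw", {PRIVATE_LEVEL: 10}),  # extended reply: level 10
        "legacy": ("lg-pw", {}),                    # no level bound
    })
    return (EnableAuthenticator("local", local, radius),
            EnableAuthenticator("group radius", local, radius))


if __name__ == "__main__":
    local_auth, radius_auth = build_demo()
    s = Session(level=1, login_user="ops")
    print(local_auth.enable(s, 15, "ops-pw"), s.level)   # bound level 7 is below 15, stays 1
    print(radius_auth.enable(Session(1, "auditor"), 10, "au-pw"))  # level switched
```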

Using the Local Username Database for Enable Authentication

When performing enable authentication with the local database, you can configure the user privilege level while
configuring local users. By default, the privilege level is 1. To configure enable authentication with the local database,
first configure the local database and the privilege level. To establish username authentication, run the following
commands in global configuration mode:

Command Function
Ruijie (config)#username name [ password password ] Establish the local username and set the password.
Ruijie (config)#username name [ privilege level ] Set the user privilege level. (Optional)

To define the local Enable authentication method list, run the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authentication enable default local Define the local method list.
Ruijie#show aaa method-list Confirm the configured method list.

Using RADIUS for Enable Authentication

A standard RADIUS server can pass the privilege level bound with the Service-Type attribute (standard attribute
number 6), which can only indicate privilege level 1 or 15. An extended RADIUS server (for example, SAM) can
configure the administrator privilege level through the private attribute (number 42), which can indicate any privilege
level from 0 to 15. For details of the RADIUS server, see Specifying the RADIUS Private Attribute Type in Configuring RADIUS.

To use the RADIUS authentication server for enable authentication, first configure the RADIUS server, then the
RADIUS server based enable authentication method list. Run the following commands in global configuration
mode:

Command Function
Ruijie (config)#aaa new-model    Turn on the AAA switch.
Ruijie (config)#aaa authentication enable default group radius    Define the RADIUS authentication method.
Ruijie#show aaa method-list    Confirm the configured method list.

Configuring the AAA Authentication for PPP User

PPP is a link-layer protocol that carries network-layer datagrams over a point-to-point link. In many circumstances, the
user accesses the NAS (Network Access Server) by asynchronous or ISDN dial-up. Once the connection has been set
up, PPP negotiation starts. To prevent unauthorized access to the network, identity authentication of the dial-up user is
required during PPP negotiation.

This section describes how to configure the AAA PPP authentication methods supported by Ruijie products. To
configure AAA PPP authentication, execute the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model    Enable AAA.
Ruijie (config)#aaa authentication ppp {default | list-name} method1 [method2...]    Define a PPP authentication method list. RADIUS and TACACS+ remote authentication and the local database are the supported authentication methods.
Ruijie (config)#interface interface-type interface-number    Enter the asynchronous or ISDN interface that needs to apply the AAA authentication.
Ruijie (config-if-type ID)#ppp authentication { chap | pap } { default | list-name }    Apply the method list on the asynchronous or ISDN interface.

For the detailed configuration method for the PPP, see the related chapter in Configuring PPP, MP.

Configuring the AAA Authentication for 802.1x User

IEEE802.1x is a standard for Port-Based Network Access Control. It provides point-to-point secure access for the LAN
and a means of authenticating users connecting to the LAN device.

This section describes how to configure the 802.1x authentication methods supported by Ruijie products. To configure
AAA 802.1x authentication, execute the following commands in global configuration mode:

Command Function
Ruijie(config)#aaa new-model    Enable AAA.
Ruijie (config)#aaa authentication dot1x { default | list-name } method1 [ method2...]    Define an IEEE802.1x authentication method list. RADIUS remote authentication and local database authentication are the supported authentication methods.
Ruijie (config)#dot1x authentication list-name    Apply the method list to 802.1x.

For the detailed configuration method for the IEEE802.1x, see the related chapter in Configuring 802.1x.

Configuring AAA 2nd Generation Web Authentication

To configure AAA second-generation Web authentication, run the following commands in global configuration
mode:

Command Function
Ruijie (config)#aaa new-model    Turn on the AAA switch.
Ruijie (config)# aaa authentication web-auth { default | list-name } method1 [ method2 ]    Enable AAA second-generation Web authentication and configure the second-generation Web authentication method list.
default: When this parameter is used, the following defined authentication method list is used as the default method for second-generation Web authentication.
list-name: Name of the second-generation Web authentication method list, which can be any character string.
method: Must be one of the keywords local, none, subs and group. One method list can contain up to four methods.
local: Uses the local username database for authentication.
none: Does not perform authentication.
group: Uses the server group for authentication. At present, the RADIUS server group is supported.
subs: Uses the subs database for authentication.
Ruijie (config)# no aaa authentication web-auth { default | list-name }    Remove the second-generation Web authentication method list.

If the AAA second-generation Web security service is enabled on the device, users must use AAA for the
second-generation Web authentication negotiation. You must use the aaa authentication web-auth
command to configure a default or named method list for second-generation Web authentication. The next
method is used for authentication only when the current method does not respond.

The following example defines an AAA second-generation Web authentication method list named rds_web. In this
method list, the RADIUS security server is used for authentication first; if the RADIUS security server does not
respond, the local user database is used for authentication.

Ruijie(config)#aaa new-model
Ruijie(config)# aaa authentication web-auth rds_web group radius local

Configuring Failed Authentication Lockout of Login User

To prevent a login user from cracking the password by repeated attempts, use the following commands to limit the number
of attempts. If a user has attempted more than the limited number of times, he/she cannot log in during the lockout period.

In global configuration mode, use the following commands to configure login parameters:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa local authentication attempts <1-2147483647> Set the number of login attempts allowed.
Ruijie (config)#aaa local authentication lockout-time <1-2147483647> Configure the lockout time (hour) applied when the
user has exceeded the allowed number of attempts.
Ruijie#show aaa user lockout Display the current lockout user list.
Ruijie#clear aaa local user lockout { all | user-name < word > } Clear the lockout user list.

By default, login attempt times are 3 and the lockout time is restricted to 900 minutes.
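A model of the lockout counter configured above, written as an added Python example; it is not code from this guide or from RGOS. Failed attempts are counted per user, the account is locked once the count reaches the configured limit, the lock expires after the lockout time, and the show and clear commands of the table are mirrored by show_lockout (using the Name / Tries / Lock Timeout(min) columns shown later in this chapter) and clear. The default of 3 attempts comes from the guide; locking when the count reaches (rather than exceeds) the limit, the second-based clock and the verify callback are assumptions of the example.

```python
from dataclasses import dataclass, field

DEFAULT_ATTEMPTS = 3  # "By default, login attempt times are 3"


@dataclass
class LoginLockout:
    """Per-user failed-attempt counter with a timed lockout.

    max_attempts models 'aaa local authentication attempts'; lockout_secs models
    'aaa local authentication lockout-time' (kept in seconds here so the example can
    be driven with a plain numeric clock; the unit is an assumption of this example)."""
    max_attempts: int = DEFAULT_ATTEMPTS
    lockout_secs: int = 900
    tries: dict = field(default_factory=dict)         # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> time the lock expires

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # the lockout has expired: drop the lock and start counting afresh
            del self.locked_until[user]
            self.tries.pop(user, None)
            return False
        return True

    def login(self, user, password, now, verify):
        """Return 'locked', 'ok' or 'fail'. verify(user, password) is the credential
        check (the local username database on the NAS). A locked user is refused
        before the check, so a correct password cannot be confirmed during the lock."""
        if self.is_locked(user, now):
            return "locked"
        if verify(user, password):
            self.tries.pop(user, None)      # success resets the counter
            return "ok"
        count = self.tries.get(user, 0) + 1
        self.tries[user] = count
        if count >= self.max_attempts:      # assumption: lock when the limit is reached
            self.locked_until[user] = now + self.lockout_secs
        return "fail"

    def show_lockout(self, now):
        """Rows in the shape of 'show aaa user lockout': (Name, Tries, Lock Timeout(min))."""
        return [(u, self.tries.get(u, 0), (until - now) // 60)
                for u, until in self.locked_until.items() if until > now]

    def clear(self, user=None):
        """'clear aaa local user lockout all' (user=None) or '... user-name <word>'."""
        for u in (list(self.locked_until) if user is None else [user]):
            self.locked_until.pop(u, None)
            self.tries.pop(u, None)
```

The point worth noticing is that a locked account rejects even the correct password until the lock expires or an administrator clears it, which is what stops an online guessing loop from learning anything from its fourth and later attempts.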

Enabling the System to Print the Syslog for AAA Authentication Success

By default, the system prints the syslog informing AAA authentication success, and 5 syslog entries are printed per
second.

Command Function
Ruijie(config)# aaa log enable Enable the system to print the syslog informing AAA authentication success.
Ruijie(config)# aaa log rate-limit num Set the rate of printing the syslog informing AAA authentication success.
num: The number of syslog entries printed per second. The range is from 0 to 655,535. 0 indicates the printing rate is not
limited. The default is 5.
Ruijie (config)# no aaa log enable Disable the system from printing the syslog informing AAA authentication success.
Ruijie (config)# no aaa log rate-limit Restore the default printing rate.

The following example disables the system from printing the syslog informing AAA authentication success.

Ruijie(config)# no aaa log enable

The following example sets the rate of printing the syslog informing AAA authentication success to 10.

Ruijie(config)# aaa log rate-limit 10
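The enable switch and the per-second rate limit of the table above, as an added Python model that is not code from this guide or from RGOS. The guide gives the rate as entries per second, a default of 5 and 0 meaning unlimited; counting against whole seconds of the supplied clock and the message text are assumptions of the example.

```python
class AaaSuccessSyslog:
    """Models 'aaa log enable' and 'aaa log rate-limit num' for AAA authentication
    success messages. Emissions are counted per whole second of the supplied clock
    (an assumption of this example; the guide states the rate as entries per second
    but not the counting algorithm). rate_limit 0 means unlimited, as in the guide."""
    DEFAULT_RATE = 5

    def __init__(self, enabled=True, rate_limit=DEFAULT_RATE):
        self.enabled = enabled
        self.rate_limit = rate_limit
        self._second = None
        self._count = 0
        self.emitted = []   # messages that reached the syslog
        self.dropped = 0    # messages suppressed by the rate limit

    def log_success(self, now, user, line):
        """Return True if the message was emitted, False if disabled or rate-limited."""
        if not self.enabled:
            return False
        second = int(now)
        if second != self._second:          # new second: reset the per-second counter
            self._second, self._count = second, 0
        if self.rate_limit != 0 and self._count >= self.rate_limit:
            self.dropped += 1
            return False
        self._count += 1
        # constructed message text, not the RGOS syslog format
        self.emitted.append(f"AAA authentication success: user={user} line={line}")
        return True


def burst(rate_limit, count, enabled=True):
    """Report (emitted, dropped) for `count` successes arriving within one second."""
    log = AaaSuccessSyslog(enabled=enabled, rate_limit=rate_limit)
    for i in range(count):
        log.log_success(100.0 + i / 1000, f"user{i}", "vty0")
    return len(log.emitted), log.dropped
```

The dropped counter is the number to watch: with the limit in place, a burst of successful logins larger than num per second leaves no trace of the excess in the syslog, so a collector that counts success messages undercounts during such bursts.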

Example of Authentication Configuration

The example below illustrates how to configure the network device to use “RADIUS + local” for authentication.

Ruijie(config)# aaa new-model
Ruijie(config)# username Ruijie password starnet
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# aaa authentication login test group radius local
Ruijie(config)# line vty 0
Ruijie(config-line)# login authentication test
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
!
aaa authentication login test group radius local
username Ruijie password 0 starnet
!
radius-server host 192.168.217.64
!
line con 0
line vty 0
login authentication test
line vty 1 4
!
!

In the example above, the access server uses the RADIUS server (IP 192.168.217.64) to perform authentication for the
login users. If the RADIUS server has no reply, the local database will be used for the identity authentication.

Example of Terminal Service Application Configuration

In a terminal service application, the terminal first connects to the asynchronous console and then accesses the network
server through it. However, once AAA is enabled, login authentication is required on all lines, so the terminal must pass
login authentication before it can reach the server, which interferes with the terminal service. The two kinds of lines can
be separated by configuration: the line used by the terminal service connects directly to the server without login
authentication, while the line used to access the device itself keeps login authentication to ensure device security. That is,
the user configures a login authentication list specifically for the terminal service with the authentication method none,
applies it to the lines on which the terminal service is enabled, and leaves the other lines that connect to the local device
unchanged. The terminal can thereby skip the local login authentication.

The example below illustrates the configuration steps:

Ruijie(config)# aaa new-model
Ruijie(config)# username Ruijie password starnet
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# aaa authentication login test group radius local
Ruijie(config)# aaa authentication login terms none
Ruijie(config)# line tty 1 4
Ruijie(config-line)# login authentication terms
Ruijie(config-line)# exit
Ruijie(config)# line tty 5 16
Ruijie(config-line)# login authentication test
Ruijie(config-line)# exit
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication test
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
!
aaa authentication login test group radius local
aaa authentication login terms none
username Ruijie password 0 starnet
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!
line con 0
line aux 0
line tty 1 4
login authentication terms
line tty 5 16
login authentication test
line vty 0 4
login authentication test
!
!

In the example above, the access server uses the RADIUS server (IP 192.168.217.64) to perform authentication for the
login users. If the RADIUS server has no reply, the local database will be used for the identity authentication. Login
authentication is unnecessary for tty 1-4, the lines used by the terminal service, while the other tty and vty lines require
login authentication.

Configuring Authorization
The AAA authorization enables the administrator to control the user’s use of the services or the rights. After the AAA
authorization service is enabled, the network device configures the user sessions by using the user configuration file
stored locally or in the server. After the authorization is completed, the user can only use the services allowed in the profile
or has the allowed rights.

Authorization Types

Ruijie products support the following AAA authorization methods:

 Exec authorization method – the user terminal logs in the NAS CLI and is granted the privilege level (0-15 level).
 Command authorization method – after the user terminal logs in the NAS CLI, the specific commands are
authorized.
 Network authorization method – grant the available service to the user session on the network.

Only TACACS+ supports the command authorization method. For the detailed information, please see
TACACS+ Configuration.

Preparations for Authorization

The following tasks must be completed before configuring the AAA authorization.

 Enable the AAA server. For the details, see AAA Overview.
 (Optional) Configure the AAA authentication. The authorization is done after the user passes the authentication. But
sole authorization can also be done without authentication. For details of the AAA authentication, see Configuring
Authentication.
 (Optional) Configure security protocol parameters. If the security protocol is required for authorization, it is required
to configure the security protocol parameters. The network authorization only supports RADIUS; the Exec
authorization supports RADIUS and TACACS+. For details of the RADIUS, see Configuring RADIUS. For details of
the TACACS+, see Configuring TACACS+.
 (Optional) If the local authorization is required, it is required to use the username command to define the user rights.

Configuring Command Authorization

To authorize the command executed by the user who has logged in the NAS CLI, use the following command in global
configuration mode.

Command Function
aaa authorization commands level { default | list-name } method1 [ method2..] Authorize the command executed by the user
who has logged in to the NAS CLI.
level: Command level to be authorized, 0-15.
default: When this parameter is used, the following defined method list is used as the default method for command
authorization.
list-name: Name of the user authorization method list, which can be any character string.
method: It must be one of the keywords none and group. One method list can contain up to four methods.
none: Does not perform authorization.
group: Uses the server group for authorization. At present, the TACACS+ server group is supported.

Use the no form of this command to restore the default setting.

RGOS supports authorization of the commands executed by users. When a user enters a command and attempts to
execute it, AAA sends the command to the security server. The command is executed only if the security server permits it;
otherwise a command-denied prompt is displayed.

It is necessary to specify the command level when configuring the command authorization, and this specified command
level is the default command level.

The configured command authorization method must be applied to the terminal line which requires the command
authorization. Otherwise, the configured command authorization method is ineffective.

The following example uses the TACACS+ server to authorize the level 15 command:

Ruijie(config)# aaa authorization commands 15 default group tacacs+

Configuring Authorization List

To enable AAA authorization, execute the following commands in global configuration mode:

Command Function
configure terminal Enter global configuration mode.
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } method1 [ method2|…] Define the AAA Exec authorization method.
Ruijie (config)#aaa authorization network { default | list-name } method1 [ method2|…] Define the AAA Network authorization
method.

Configuring AAA Exec Authorization

The Exec authorization grants the privilege level of command execution to the user terminal that logs in to the network
access server (NAS). You can use the show privilege command to display the specific level after the user logs in to the
NAS CLI successfully (by telnet, for example).

No matter which Exec authorization method you decide to use, you just need to execute the aaa authorization exec
command to define one or more authorization method lists and then apply them to the specific line that needs the Exec
authorization.

To configure the AAA Exec authorization, run the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } method1 [ method2|…] Define the AAA Exec authorization
method. If you need to define multiple methods, execute this command repeatedly.
Ruijie (config)#line vty line-num Enter the line to which the AAA Exec authorization method is applied.
Ruijie (config-line)#authorization exec { default | list-name } Apply the method to the line.

The keyword "list-name" is used to name the created authorization method list, which can be any string. The keyword
"method" means the actual algorithm for authorization. Only when the current method returns ERROR (no reply) will the next
authorization method be attempted. If the current method returns FAIL, no further authorization method is used. To make
the authorization return successfully even if none of the specified methods replies, it is possible to specify "none" as the
last authorization method.

In the example below, it is possible to pass the Exec authorization even if the RADIUS server returns TIMEOUT:

aaa authorization exec default group radius none

Command Function
local Use the local username database for Exec authorization.
none Do not perform Exec authorization.
group radius Use RADIUS for Exec authorization.
group tacacs+ Use TACACS+ for Exec authorization.

The table above lists the AAA Exec authorization methods supported by Ruijie products.

The exec authorization is always used together with the login authentication, and they can be applied to the
same line at the same time. But note that the authentication and the authorization may give different results for
the same user because they can use different methods and servers. If the exec authorization fails, even though
the login authentication has passed, the user cannot access the CLI.

Using the Local Username Database for Exec Authorization

To configure the Exec authorization with local database, it is required to configure the local database first. You can
configure the user privilege level while configuring the local user. By default, the privilege level is 1. Run the following
commands in global configuration mode:

Command Function
Ruijie (config)#username name [ password password ] Establish the local username and set the password.
Ruijie (config)#username name [ privilege level ] Set the user privilege level. (Optional)

To define the local Exec authorization method list, run the following commands:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } local Define the local method list.
Ruijie#show aaa method-list Confirm the configured method list.
Ruijie (config)#line vty line-num Enter line configuration mode.
Ruijie (config-line)#authorization exec { default | list-name } Apply the method list.

Using RADIUS for Exec Authorization

To configure the RADIUS server for Exec authorization, it is required to first configure the RADIUS server. For the details
of the RADIUS server configuration, see Configuring RADIUS.

After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } group radius Define the RADIUS Exec authorization method.
Ruijie#show aaa method-list Confirm the configured method list.
Ruijie (config)#line vty line-num Enter line configuration mode.
Ruijie (config-line)#authorization exec { default | list-name } Apply the method list.

Example of Configuring Exec Authorization

The example below illustrates how to configure exec authorization. The local login authentication and the “RADIUS+local”
exec authorization are used when the user on the vty line 0-4 logs in. The access server uses the RADIUS server with IP
address 192.168.217.64 and shared key test. The local username and password are Ruijie, and the privilege level is 6.

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# username Ruijie password Ruijie
Ruijie(config)# username Ruijie privilege 6
Ruijie(config)# aaa authentication login mlist1 local
Ruijie(config)# aaa authorization exec mlist2 group radius local
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication mlist1
Ruijie(config-line)# authorization exec mlist2
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
aaa authorization exec mlist2 group radius local
aaa authentication login mlist1 local
!
username Ruijie password Ruijie
username Ruijie privilege 6
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!
line con 0
line vty 0 4
authorization exec mlist2
login authentication mlist1
!
end

Configuring AAA Network Authorization

Ruijie products support network authorization for network connections such as PPP and SLIP. Network authorization lets
the network connection obtain services such as traffic, bandwidth and timeout. Network authorization only supports
RADIUS. The authorization information assigned by the server is encapsulated in RADIUS attributes, and it may differ
between network connection applications.

Currently the configuration does not support 802.1X AAA authorization; 802.1X authorization is implemented with other
commands. For the details of the 802.1X authorization, see Configuring 802.1X.

To configure the AAA network authorization, run the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization network { default | list-name } method1 [ method2|…] Define the AAA network
authorization method. If you need to define multiple methods, execute this command repeatedly.

The keyword "list-name" is used to name the created authorization method list, which can be any string. The keyword
"method" means the actual algorithm for authorization. Only when the current method returns ERROR (no reply) will the next
authorization method be attempted. If the current method returns FAIL, no further authorization method is used. To make
the authorization return successfully even if none of the specified methods replies, it is possible to specify "none" as the
last authorization method.

Using RADIUS for Network Authorization

To configure the RADIUS server for network authorization, it is required to first configure the RADIUS server. For the
details of the RADIUS server configuration, see Configuring RADIUS.

After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization network { default | list-name } group radius Define the RADIUS network authorization
method.

Example of Configuring Network Authorization

The example below illustrates how to configure network authorization.

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# aaa authorization network test group radius none
Ruijie(config)# end
Ruijie# show running-config
!
aaa new-model
!
aaa authorization network test group radius none
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!

Configuring Accounting
The AAA accounting function enables you to trace the services and network resources used by the user. After the
accounting function is enabled, the network access server or router sends the user's network accesses to the RADIUS
security server in the form of attribute pairs. You may use analysis software to analyze these data to implement billing,
auditing and tracing of the user's activities.

Accounting Types

Ruijie products currently support the following accounting types:

 Exec Accounting -- record the accounting information of entering to and exiting from the CLI of the user terminal
logged in the NAS CLI.
 Command Accounting – record the specific command execution information after the user terminal logs in the NAS
CLI.
 Network Accounting – record the related information on the user session on the network.

Only TACACS+ supports the command accounting function. For the detailed information, please see
TACACS+ Configuration.

Preparations for Accounting

The following tasks must be completed before the AAA accounting is configured:

 Enable the AAA service. For the details, see AAA Overview.
 Define the security protocol parameters. It is required to configure the security protocol parameters for accounting.
The network accounting only supports RADIUS; the Exec accounting supports RADIUS and TACACS+; the
Command accounting supports TACACS+ only. For details of the RADIUS, see Configuring RADIUS. For details of
the TACACS+, see Configuring TACACS+.
 (Optional) Configure the AAA authentication. The accounting is done after the user passes the authentication (for
example, Exec accounting). In some circumstances, the accounting can also be done without authentication. For
details of the AAA authentication, see Configuring Authentication.

Configuring AAA Exec Accounting

The exec accounting records the information of entering to and exiting from the CLI of the user terminal logged in the NAS.
When the user terminal logs in and enters the NAS CLI, it sends the accounting start information to the security server.
When the user terminal exits from the CLI, it sends the accounting stop information to the server.

The exec accounting starts only after the user terminal that logs in to the NAS passes the login authentication. If
no login authentication is configured or the authentication method is none, no exec accounting is processed. For
the same user terminal, if no accounting start information was sent to the security server at login, no accounting
stop information is sent at logout.

To configure the AAA Exec accounting, run the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting exec { default | list-name } start-stop method1 [ method2…] Define the AAA Exec accounting
method list. If you need to define multiple method lists, execute this command repeatedly.
Ruijie (config)#line vty line-num Enter the line to which the AAA Exec accounting is applied.
Ruijie (config-line)#accounting exec { default | list-name } Apply the method list to the line.

The keyword "list-name" is used to name the created accounting method list, which can be any string. The keyword
"method" means the actual algorithm for accounting. Only when the current method returns ERROR (no reply) will the next
accounting method be attempted. If the current method returns FAIL, no further accounting method is used. To make the
accounting return successfully even if none of the specified methods replies, it is possible to specify "none" as the last
accounting method.

The keyword "start-stop" is used for the network access server to send the accounting information at the start
and end of the network service to the security server.

Using the RADIUS for Exec Accounting

To configure the RADIUS server for Exec accounting, it is required to first configure the RADIUS server. For the details of
the RADIUS server configuration, see Configuring RADIUS.

After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:

Command Function
configure terminal Enter global configuration mode.
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting exec { default | list-name } start-stop group radius Define the RADIUS accounting method.
Ruijie#show aaa method-list Confirm the configured method list.
Ruijie (config)#line vty line-num Enter line configuration mode.
Ruijie (config-line)#accounting exec { default | list-name } Apply the method list.

Example of Configuring Exec Accounting

The example below illustrates how to configure exec accounting. The local login authentication and the RADIUS exec
accounting are used when the user on the vty line 0-4 logs in. The access server uses the RADIUS server with IP
address 192.168.217.64 and shared key test. The local username and password are Ruijie.

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# username Ruijie password Ruijie
Ruijie(config)# aaa authentication login auth local
Ruijie(config)# aaa accounting exec acct start-stop group radius
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication auth
Ruijie(config-line)# accounting exec acct
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
aaa accounting exec acct start-stop group radius
aaa authentication login auth local
!
username Ruijie password Ruijie
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!
line con 0
line vty 0 4
accounting exec acct
login authentication auth
!
end

Configuring AAA Network Accounting

The network accounting provides the accounting information about user session, including the packet number, bytes, IP
address and username. Now the network accounting only supports RADIUS.

The format of RADIUS accounting information varies with the RADIUS security server. The contents of the
account records may also vary with Ruijie products’ version.

To configure the AAA network accounting, run the following commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting network { default | list-name } start-stop method1 [ method2|…] Define the AAA network
accounting method list. If you need to define multiple method lists, execute this command repeatedly.

The keyword "list-name" is used to name the created accounting method list, which can be any string. The keyword
"method" means the actual algorithm for accounting. Only when the current method returns ERROR (no reply) will the next
accounting method be attempted. If the current method returns FAIL, no further accounting method is used. To make the
accounting return successfully even if none of the specified methods replies, it is possible to specify "none" as the last
accounting method.
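The method-list semantics described here, and stated identically for Exec authorization, network authorization and Exec accounting earlier in this chapter, as an added Python model; this is not code from the guide or from RGOS. Only an ERROR (no reply) falls through to the next method, a FAIL ends the list, and a trailing none makes the list succeed even when no server answered, which is the TIMEOUT case the Exec authorization section describes. The Result names, the parse_method_list and fails_open helpers and the stubbed backends are constructed for the example; the limit of four methods per list is the one stated in the guide.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method answered and accepted the request
    FAIL = "fail"    # the method answered and rejected the request
    ERROR = "error"  # the method did not answer (no reply / timeout)


def run_method_list(methods, backends, request):
    """Evaluate a method list such as ["group radius", "local", "none"].

    backends maps a method token to a callable(request) -> Result (constructed
    stubs in the tests; on a real NAS these are the RADIUS/TACACS+ client and the
    local database). Only ERROR moves on to the next method; PASS or FAIL ends
    the walk; 'none' always returns PASS. Returns (final result, trace)."""
    trace = []
    for method in methods:
        if method == "none":
            trace.append((method, Result.PASS))
            return Result.PASS, trace
        result = backends[method](request)
        trace.append((method, result))
        if result != Result.ERROR:
            return result, trace
    # every configured method returned ERROR and no trailing 'none' rescued it
    return Result.ERROR, trace


def parse_method_list(command):
    """Parse an 'aaa authentication|authorization|accounting ...' list definition
    into (service, list-name, methods); 'group <name>' is one method token."""
    parts = command.split()
    if len(parts) < 5 or parts[0] != "aaa":
        raise ValueError("not a method list definition")
    service = " ".join(parts[1:3])             # e.g. "authorization exec"
    idx = 4 if parts[2] == "commands" else 3   # 'aaa authorization commands <level> ...'
    list_name, rest = parts[idx], parts[idx + 1:]
    if rest and rest[0] == "start-stop":       # accounting lists carry this keyword
        rest = rest[1:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    if not methods or len(methods) > 4:
        raise ValueError("a method list contains one to four methods")
    return service, list_name, methods


def fails_open(command):
    """True when the list ends in 'none', i.e. the request is granted even if every
    server is unreachable (the TIMEOUT case the guide describes)."""
    return parse_method_list(command)[2][-1] == "none"
```

Running fails_open over the aaa lines of a saved running-config is a quick way to review which authorization and accounting lists will grant or skip when the RADIUS or TACACS+ servers are down, which is the trade-off the "none" keyword makes.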

Using RADIUS for Network Accounting

To configure the RADIUS server for network accounting, it is required to first configure the RADIUS server. For the details
of the RADIUS server configuration, see Configuring RADIUS.

After configuring the RADIUS server, the RADIUS server–based method list can be configured. Run the following
commands in global configuration mode:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting network { default | list-name } start-stop group radius Define the RADIUS accounting method.

Example of Configuring Network Accounting

The example below illustrates how to configure network accounting using RADIUS.

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# aaa accounting network acct start-stop group radius
Ruijie(config)# end
Ruijie# show running-config
!
aaa new-model
!
aaa accounting network acct start-stop group radius
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!

Monitoring AAA User

To view the information of the current login users, run the following commands in privileged EXEC mode:

Command Function
show aaa user { all | lockout | by-id session-id | Display the information of the current AAA user.
by-name user-name }

The command displays user information by either user name or session ID. The by-name and by-id keywords are added to
the command to tell a user name apart from a session ID.

The following example displays the AAA user’s information.

Ruijie#show aaa user all
-----------------------------
Id ----- Name
2345687901 wwxy
-----------------------------
Ruijie# show aaa user by-id 2345687901
-----------------------------
Id ----- Name
2345687901 wwxy
Ruijie# show aaa user by-name wwxy
-----------------------------
Id ----- Name
2345687901 wwxy
-----------------------------

Ruijie# show aaa user lockout
Name Tries Lock Timeout(min)
-------------------------------- ---------- ---------- ------------

Displaying Accounting Update Information

To view the accounting update information, run the following commands in privileged EXEC mode:

Command Function
show aaa accounting update Display the accounting update information.

The following example displays the accounting update information.

Ruijie# show aaa accounting update



Configuring VRF-supported AAA Group

Virtual Private Networks (VPNs) provide a secure method of bandwidth sharing on the ISP backbone network. A VPN is a
collection of shared routes. The user site is linked to the service provider network via one or more interfaces. The VPN
routing table is also called the VPN routing/forwarding (VRF) table. AAA can specify the VRF for each user-defined server
group.

In global configuration mode, use the following command to configure VRF for the AAA group:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa group server radius gs_name Configure the RADIUS server group and enter server group configuration
mode.
Ruijie (config)#ip vrf forwarding vrf_name Specify the VRF for the group.
</gr_replreplace>
<gr_replace lines="22486" cat="clarify" orig="It is valid for">
This is valid only on products that support the VRF function.

It is valid for the product supporting VRF function.

Configuring Domain-name-based AAA Service


The domain-name-based AAA service configurations include:

 Overview
 Domain-name-based AAA service configuration tasks
 Domain-name-based AAA service configuration note
 Domain-name-based AAA service configuration example

The domain-name-based AAA service is only applied to the IEEE802.1x authentication service. For the
detailed IEEE802.1x protocol configurations, please see the chapter of 802.1x Configuration.

Overview

In the multi-domain environment, one NAS (Network Access Server) can provide the AAA service for users in different
domains. Because the user attributes (such as the username, password, service type and privilege) differ between domains,
the domains must be told apart by a domain method, and an attribute collection, including the AAA service method lists, is
set for each domain.

Ruijie products support the following types of username:
1. userid@domain-name
2. domain-name\userid
3. userid.domain-name
4. userid

For the type 4 username, i.e., userid without the domain-name, its domain-name is default.

The following are the basic principles of the domain-name-based AAA service:

 Resolving the domain-name carried by the user
 Searching for the user domain according to the domain-name
 Searching for the AAA service method list-name according to the domain configurations
 Searching for the corresponding method list in the system according to the method list-name
 Providing the AAA service using the method list

If any of the above steps fails, the AAA service cannot be used.

The following is the typical topology in the multi-domain environment:

Figure-2 Typical Topology for the Multi-domain Network

Domain-name-based AAA Service Configuration Tasks

The system supports up to 32 domains.

Enabling AAA

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.

For the detailed command descriptions, please see the chapter of Enabling AAA.

Defining the AAA Service Method list

Command Function
Ruijie (config)#aaa authentication dot1x { default | list-name } method1 [ method2...] Define the IEEE802.1x authentication
method list.
Ruijie(config)#aaa accounting network { default | list-name } start-stop method1 [ method2...] Define the Network accounting
method list.
Ruijie (config)#aaa authorization network { default | list-name } method1 [ method2...] Define the Network authorization
method list.

For the detailed command descriptions, please see the chapters of Configuring Authentication, Configuring Accounting
and Configuring Authorization.

Enabling the Domain-name-based AAA Service Switch

Command Function
Ruijie (config)#aaa domain enable Enable the domain-name-based AAA service switch.

Creating the Domain

The domain name is extracted from the username according to the following rules:

 A single separator character, "@", "\" or ".", divides the username from the domain name.
 With "@", the domain name is the string following it. If the username contains several "@" characters, the string following the last "@" is the domain name. For example, for the username a@b@c@d, the username is a@b@c and the domain name is d.
 With "\", the domain name is the string preceding it. If the username contains several "\" characters, the string preceding the first "\" is the domain name. For example, for the username a\b\c\d, the username is b\c\d and the domain name is a.
 With ".", the domain name is the string following it. If the username contains several "." characters, the string following the last "." is the domain name. For example, for the username a.b.c.d, the username is a.b.c and the domain name is d.
 If more than one of "@", "\" and "." is present in the username, the rules are tried in the order "@", "\" and ".", and the first rule that applies is used.
Command                                  Function
Ruijie(config)#aaa domain domain-name    Create the domain and enter the domain configuration mode.

The domain-name-based AAA service supports domain names of up to 64 characters. Domain names are not case-sensitive.

Configuring the Domain Attribute Collection

Use the following commands to select the AAA service method list in the domain configuration mode:

Command                                                                   Function
Ruijie(config-aaa-domain)#authentication dot1x { default | list-name }    In the domain configuration mode, select the authentication method list.
Ruijie(config-aaa-domain)#accounting network { default | list-name }      In the domain configuration mode, select the accounting method list.
Ruijie(config-aaa-domain)#authorization network { default | list-name }   In the domain configuration mode, select the authorization method list.

Use this command to configure the domain state:

Command                                               Function
Ruijie(config-aaa-domain)#state { block | active }    In the domain configuration mode, set the domain state.

Use this command to set whether the username that the NAS sends to the server carries the domain name:

Command                                                                       Function
Ruijie(config-aaa-domain)#username-format { without-domain | with-domain }    In the domain configuration mode, set whether the username carries the domain-name information when the NAS interacts with the server.

Use this command to set the maximum number of users supported in the domain:

Command                                       Function
Ruijie(config-aaa-domain)#access-limit num    In the domain configuration mode, set the maximum number of users in the domain. By default, no user limit is configured. The limit applies to 802.1X users only.

The AAA service method list must be defined before it is selected in the domain configuration mode. Selecting a list-name that has not been defined refers to a configuration that does not exist, and the domain cannot provide the AAA service.

With the domain-name-based AAA service enabled, a username that carries no domain information is mapped to the default domain. If the domain resolved for a user is not configured on the system, the user is treated as illegal and receives no AAA service.

If no method list is selected in the domain configuration mode, the system default method list is used.

Displaying the domain configuration

Use the following command to display the domain-name-based AAA service information in the privileged EXEC mode, global configuration mode or interface configuration mode:

Command                              Function
show aaa domain [ domain-name ]      Display the current domain-name-based AAA service information.

Domain-name-based AAA Service Configuration Notes

The following notes apply to the domain-name-based AAA service configuration:

 With the domain-name-based AAA service enabled, the method lists selected in the domain are used. Without the service enabled, the method lists selected by the access protocol (such as 802.1X) are used for the AAA service; for example, the dot1x authentication authen-list-name and dot1x accounting acct-list-name commands then select the authentication and accounting method lists.
 With the domain-name-based AAA service enabled, there is no default domain by default; to have one, the administrator must create a domain named default. After that, users whose usernames carry no domain information are served by the default domain. Without the default domain configured, such users fail to obtain the AAA service.
 If the username carries domain information but that domain is not configured on the device, the AAA service is not provided for the user.
 The AAA service method list selected in the domain must match a method list defined by the AAA service; otherwise the AAA service is not provided for the users in the domain.
 The domain name carried by the user must exactly match the one configured on the device. For example, if both domain.com and domain.com.cn are configured on the device and the request carries the username aaa@domain.com, the device determines that the user belongs to domain.com, not domain.com.cn.
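The username-to-domain mapping of this section, that is the separator rules under Creating the Domain together with the default-domain, exact-match and username-format rules in the notes above, as an added Python example written for this guide. It is not RGOS code and does not reflect the device's internal implementation. The function names, the dictionary used to model the configured domains, the sample usernames and the behaviour given to the block state (users of a blocked domain are refused, which the page does not define) are assumptions made here.

```python
"""Username/domain split and domain lookup (added example, not RGOS code)."""

SEPARATORS = ("@", "\\", ".")   # tried in this order when more than one is present
MAX_DOMAIN_LEN = 64             # domain-name length limit documented for the service


def split_domain(username):
    """Return (user, domain); domain is None when the username carries no domain information.

    "@" : the domain is the text after the LAST "@"      a@b@c@d  -> ("a@b@c", "d")
    "\\": the domain is the text before the FIRST "\\"   a\\b\\c\\d -> ("b\\c\\d", "a")
    "." : the domain is the text after the LAST "."      a.b.c.d  -> ("a.b.c", "d")
    """
    for sep in SEPARATORS:
        if sep not in username:
            continue
        if sep == "\\":
            domain, user = username.split(sep, 1)
        else:
            user, domain = username.rsplit(sep, 1)
        return user, domain
    return username, None


# Constructed sample modelling the `aaa domain <name>` entries on a NAS (the dict layout is an assumption).
DOMAINS = {
    "domain.com":    {"state": "active", "username_format": "without-domain"},
    "domain.com.cn": {"state": "active", "username_format": "with-domain"},
    "blocked.org":   {"state": "block",  "username_format": "without-domain"},
}


def resolve_domain(username, domains, default_domain="default"):
    """Name of the configured domain that serves this user, or None when AAA is refused.

    - no domain part in the username -> the domain literally named "default", if it is configured
    - the domain must match a configured name exactly (domain.com is not domain.com.cn),
      ignoring case, and must not exceed 64 characters
    - a domain in state block refuses its users (assumption; the page does not define block)
    """
    _, domain = split_domain(username)
    name = default_domain if domain is None else domain
    if not name or len(name) > MAX_DOMAIN_LEN:
        return None
    cfg = domains.get(name.lower())
    if cfg is None or cfg.get("state", "active") != "active":
        return None
    return name.lower()


def username_for_server(username, cfg):
    """What the NAS sends to the server, per `username-format { with-domain | without-domain }`."""
    if cfg.get("username_format", "without-domain") == "with-domain":
        return username
    return split_domain(username)[0]


if __name__ == "__main__":
    for u in ("aaa@domain.com", "corp\\user", "PC2@domain.com.cn", "nobody", "x@blocked.org"):
        d = resolve_domain(u, DOMAINS)
        print(u, "->", "no AAA service" if d is None else "%s as %s" % (d, username_for_server(u, DOMAINS[d])))
```

Note that with no domain named default in DOMAINS, the plain username nobody is refused, which is the documented behaviour; adding an entry under the key "default" makes resolve_domain return it for such users.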

Domain-name-based AAA Service Configuration Example

The following is an example of configuring the domain-name-based AAA service:

Ruijie(config)# aaa new-model


Ruijie(config)# radius-server host 192.168.197.154
Ruijie(config)# radius-server key test
Ruijie(config)# aaa authentication dot1x default group radius
Ruijie(config)# aaa domain domain.com
Ruijie(config-aaa-domain)# authentication dot1x default
Ruijie(config-aaa-domain)# username-format without-domain

After the configuration, with the user a1 defined on the RADIUS server, log in from the 802.1X client with the username a1@domain.com and the correct password. The related domain-name information is displayed as follows:

Ruijie#show aaa domain domain.com
=============Domain domain.com=============
State: Active
Username format: Without-domain
Access limit: No limit
802.1X Access statistic: 0
Selected method list:
authentication dot1x default

Configuration Examples

Typical AAA Application

Network Topology

Figure 3 Typical AAA Application Topology

Network Requirements

For better security management of the Network Access Server (NAS) in Figure-3, the network requirements are as follows:

 Each administrator has an individual username and password, for the convenience of account management.
 User authentication is divided into local authentication and centralized authentication. The two are combined: centralized authentication is used first and local authentication serves as the backup. During centralized authentication the RADIUS server is queried first; if there is no reply, the device switches to local authentication.
 Different users can be allowed to access the specified network devices during authentication.
 User privilege management: the network management users are divided into super users and ordinary users. Super users have read and write privileges, while ordinary users have read privileges only.
 The user authentication information, authorization information and network activity are recorded on the server for later display and audit. (This example uses TACACS+ for the accounting.)

Configuration Tips

From the analysis of the network requirements above, deploying the AAA function addresses them: the authentication, authorization and accounting types are configured dynamically per user (line) or per server. Define the authentication, authorization and accounting types by creating method lists, and apply each method list to the specified service or interface. For the details, see the following Configuration Steps.

Configuration Steps

#Enable AAA:

Enable the AAA function on the device

Ruijie#configure terminal
Ruijie(config)#aaa new-model

# Configure the security server:

The network security server is responsible for the authentication, the authorization and the accounting. The user information is stored on the server, and the server software can record, count and analyze that information via syslog.

! Configure the RADIUS server information (The shared key for the communication between the device and the RADIUS server is ruijie.)

Ruijie(config)#radius-server host 10.1.1.1


Ruijie(config)#radius-server key ruijie

! Configure the TACACS+ server information (The shared key for the communication between the device and the TACACS+ server is redgiant.)

Ruijie(config)#tacacs-server host 10.1.1.2


Ruijie(config)#tacacs-server key redgiant

# Configure the local user:

! Configure the password encryption (The local passwords and the security server keys are saved and displayed in a simple encrypted form, shown as type 7 in the running configuration below. This only hides them from someone reading the configuration; it is not strong protection, so access to the configuration file itself must still be controlled.)

Ruijie(config)#service password-encryption

! Configure the local user database (Configure the username and the password, and set the user privilege level)

Ruijie(config)#username bank privilege 10 password yinhang


Ruijie(config)#username super privilege 15 password star
Ruijie(config)#username normal privilege 2 password normal
Ruijie(config)#username test privilege 1 password test

! Configure the local enable password for the local enable authentication

Ruijie(config)#enable secret w

! Configure the line login password (With the AAA function enabled, the login password of the terminal line takes no effect. The line login password is configured so that login still works if the AAA function is disabled.)

Ruijie(config)#line vty 0 15
Ruijie(config-line)#password w

! Configure the line user privilege level (When exec authorization is disabled, or no exec authorization method list is applied to the line and no default exec authorization method list exists, the privilege level configured on the line is used.)

Ruijie(config)#line vty 0 15
Ruijie(config-line)#privilege level 10

# Configure the authentication

 Login authentication

Login authentication controls user access. Two methods are used in the authentication method list: 1) RADIUS; 2) local.

! Configure login authentication method list and apply it to the corresponding line

Ruijie(config)# aaa authentication login hello group radius local


Ruijie(config)# line vty 0 15
Ruijie(config-line)# login authentication hello

To prevent an attacker from guessing the password by brute force during login authentication, AAA limits the number of login attempts. When the number of failed authentication attempts reaches the configured limit, the user cannot log in for the lockout time (by default, 3 login attempts and a lockout time of 15 hours).

! Configure the authentication attempt 2 times and the authentication lockout-time 10 hours

Ruijie(config)#aaa local authentication attempts 2


Ruijie(config)#aaa local authentication lockout-time 10
 Enable authentication

Enable authentication is used when a user switches privilege level. Authentication is required before a user switches to the super user level with the enable command. Two methods are used in the authentication method list: 1) RADIUS; 2) local. Enable authentication supports only the default method list, which is applied automatically once configured.

! Configure the enable authentication method list

Ruijie(config)#aaa authentication enable default group radius local

# Configure the authorization

 Exec authorization

Exec authorization controls the command privilege level of the user. For example, level 15 is the super user, level 14 is the configuration user, and level 2 is the ordinary user. Remote exec authorization takes precedence over the local one.

! Configure the exec authorization method list and apply it to the line

Ruijie(config)#aaa authorization exec shouquan group tacacs+ local


Ruijie(config)#line vty 0 15
Ruijie(config-line)#authorization exec shouquan

! Configure the exec authorization for the console (By default, exec authorization is not applied to the console.)

Ruijie(config)#aaa authorization console


 Command authorization

Command authorization restricts the execution of key commands to administrators. It authorizes by the level of the command, not by the level of the current user. The RADIUS protocol is not supported for command authorization; use TACACS+.

! Configure the Command authorization method list and apply it to the line.
Ruijie(config)#aaa authorization commands 2 abc group tacacs+ local
Ruijie(config)#line vty 0 15
Ruijie(config-line)#authorization commands 2 abc

# Configure the accounting

 Exec accounting

Exec accounting sends the user login and logout messages to the server for display, statistics and auditing.

! Configure the exec accouting method list and apply it to the line

Ruijie(config)#aaa accounting exec default start-stop group tacacs+


 Command accounting

Command accounting sends the commands of a specific level executed by the user to the server for display, statistics and auditing.

! Configure the command accounting method list and apply it to all lines

Ruijie(config)#aaa accounting commands 2 default start-stop group tacacs+

Verification

Step 1: Use the show running-config command to display the current configurations:

Ruijie#show running-config
......
!
aaa new-model
aaa local authentication attempts 2
aaa local authentication lockout-time 10
aaa authorization exec shouquan group tacacs+ local
aaa authorization commands 2 abc group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa authentication login hello group radius local
aaa authentication enable default group radius local
!
username bank password 7 09361c1c2f041c4d
username bank privilege 10
username super password 7 093c011335
username super privilege 15
username normal password 7 09211a002a041e
username normal privilege 2
username test password 7 093b100133
service password-encryption
!
tacacs-server key 7 072c062b121b260b06
tacacs-server host 10.1.1.2
radius-server host 10.1.1.1
radius-server key 7 072c16261f1b22
enable secret 5 $1$2MjW$xr1t0s1Euvt76xs2
!
line con 0
line vty 0 4
authorization exec shouquan
authorization commands 2 abc
privilege level 10
login authentication hello
password 7 0938
line vty 5 15
authorization exec shouquan
authorization commands 2 abc
privilege level 10
login authentication hello
password 7 005d
!
end

Step 2: In the actual application, use the show aaa user { id | all } command to display the current AAA user information.

AAA Multi-domain Authentication Application

Network Topology

Figure-4 AAA multi-domain Authentication Application Topology



Network Requirements

Configure the Network Access Server (NAS, the device) to enable the domain-name-based AAA service, including the authentication, the authorization and the accounting:

 Users log in with an 802.1X client using the username PC1@ruijie.com, PC2@ruijie.com.cn or PC3@ruijie.net and the password.
 User management: the users are divided into super users and ordinary users. Super users are able to read and write, while ordinary users are able to read only.
 The user authentication, authorization and network activity messages are saved on the authentication server for display and auditing.

Configuration Key Points

Configure the domain-name-based AAA service to address the above network requirements.

This example uses an 802.1X client; therefore the network device must support 802.1X client access, otherwise this example cannot be applied.

Configuration Steps

#Enable AAA:

Enable the AAA function on the device

Ruijie#configure terminal
Ruijie(config)#aaa new-model

# Configure the security server:

The network security server is responsible for the authentication, the authorization and the accounting. The user information is stored on the server, and the server software can record, count and analyze that information via syslog.

! Configure the RADIUS server groups (The shared key for the communication between the device and the RADIUS servers is ruijie.)

Ruijie(config)#aaa group server radius g1


Ruijie(config-gs-radius)#server 10.1.1.1
Ruijie(config-gs-radius)#exit
Ruijie(config)#aaa group server radius g2
Ruijie(config-gs-radius)#server 10.1.1.2
Ruijie(config-gs-radius)#exit
Ruijie(config)#aaa group server radius g3
Ruijie(config-gs-radius)#server 10.1.1.3
Ruijie(config-gs-radius)#exit
Ruijie(config)#radius-server key ruijie

# Configure the local user:

! Configure the password encryption (The local passwords and the security server keys are saved and displayed in a simple encrypted form, type 7. This only hides them from someone reading the configuration; it is not strong protection, so access to the configuration file itself must still be controlled.)

Ruijie(config)#service password-encryption

! Configure the local user database (Configure the username and the password, and set the user privilege level.)

Ruijie(config)#username bank privilege 10 password yinhang


Ruijie(config)#username super privilege 15 password star
Ruijie(config)#username normal privilege 2 password normal
Ruijie(config)#username test privilege 1 password test

! Configure the local enable password for the local enable authentication

Ruijie(config)#enable secret w

# Define the AAA service method list

! Configure dot1x authentication

Ruijie(config)#aaa authentication dot1x renzheng group radius local

! Configure network authorization

Ruijie(config)#aaa authorization network shouquan group radius

! Configure network accounting

Ruijie(config)#aaa accounting network jizhang start-stop group radius

# Enable the domain-based AAA service switch

Ruijie(config)#aaa domain enable

# Create the domain and configure the domain attribute collection

! Create the domain

Ruijie(config)#aaa domain ruijie.com

! Associate the AAA service method lists

Ruijie(config-aaa-domain)#authentication dot1x renzheng
Ruijie(config-aaa-domain)#authorization network shouquan
Ruijie(config-aaa-domain)#accounting network jizhang

! Configure the domain state

Ruijie(config-aaa-domain)#state active

! Configure the username without the domain

Ruijie(config-aaa-domain)#username-format without-domain
Ruijie(config-aaa-domain)#exit

! Bind the method lists of this domain to the RADIUS server group g2 (this redefines the lists created above; the running configuration under Verification reflects this binding)

Ruijie(config)#aaa authentication dot1x renzheng group g2
Ruijie(config)#aaa authorization network shouquan group g2
Ruijie(config)#aaa accounting network jizhang start-stop group g2

The configurations of the ruijie.com.cn and the ruijie.net are similar.

Verification

Step 1: Use the show running-config command to display the current configurations (Take the domain name ruijie.com
for example.):

Ruijie#show running-config
......
!
aaa new-model
aaa domain enable
!
aaa domain ruijie.com
authentication dot1x renzheng
accounting network jizhang
authorization network shouquan
username-format without-domain
!
!
aaa group server radius g1
server 10.1.1.1
!
aaa group server radius g2
server 10.1.1.2
!
aaa group server radius g3
server 10.1.1.3
!
!
aaa accounting network jizhang start-stop group g2
aaa authorization network shouquan group g2
aaa authentication dot1x renzheng group g2
!
no service password-encryption
!
radius-server key ruijie

Step 2: Display the domain-based AAA service domain information:

Ruijie#show aaa domain

=============Domain ruijie.com=============
State: Active
Username format: Without-domain
Access limit: No limit
802.1X Access statistic: 0

Selected method list:


authentication dot1x renzheng
authorization network shouquan
accounting network jizhang
Configuration Guide Configuring RADIUS

Configuring RADIUS

Overview

The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that works with AAA to authenticate users who attempt to connect and to prevent unauthorized access. In our implementation, the RADIUS client runs on the router or the network access server (NAS) and sends authentication requests to the central RADIUS server, which holds all user authentication and network service information.

Since RADIUS is a completely open protocol, it has been implemented as a component of systems such as UNIX and Windows 2000, and it is the most widely used security server at present.

The running process of RADIUS is as follows:

 The user is prompted to enter the username and password.
 The username and the password (hidden using the shared secret) are sent to the RADIUS server over the network.
 The RADIUS server returns one of the following responses:
   ACCEPT: the user authentication passes.
   REJECT: the user authentication fails, and the user is prompted to re-enter the username and password.
   CHALLENGE: the RADIUS server requests more authentication information from the user.
 The user authorization information is included in the ACCEPT response.

Here is a typical RADIUS topology:

Typical RADIUS network configuration

Configuration

To configure RADIUS on the network device, perform the following tasks first:

 Enable AAA. For the details, see AAA Overview.
 Define the RADIUS authentication method list by using the aaa authentication command. For details about how to use aaa authentication to define the authentication method list, see Configuring Authentication.
 Apply the defined authentication list on the specific line; otherwise the default authentication list is used for authentication. For more details, see Configuring Authentication.

After the configuration is completed, you may start to configure the RADIUS. The configuration of the RADIUS consists of
the following parts:

 Configuring RADIUS protocol parameters
 Specifying the RADIUS authentication

Configuring RADIUS Protocol Parameters


Before configuring RADIUS on the network device, make sure the device has working network connectivity to the RADIUS server. To configure the RADIUS protocol parameters, run the following commands:

Command                                   Function
configure terminal                        Enter the global configuration mode.
radius-server host [ oob ] { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ]
                                          Specify a RADIUS security server host. Use the no form of this command to restore the default setting.
radius-server key string                  Configure the shared key for the communication between the device and the RADIUS server.
radius-server re-transmit retries         Specify the number of times a request is sent before the device considers the RADIUS server invalid (3 by default).
radius-server timeout seconds             Specify the time to wait before the device resends a request (2 seconds by default).
radius-server deadtime minutes            Specify the time for which a server that does not respond to the requests sent by the device is considered dead (5 minutes by default).

To configure the RADIUS, it is necessary to configure the RADIUS Key. The sharing password on the network
device and the sharing password on the Radius server must be the same.

Specifying the RADIUS Authentication


After the RADIUS server and the shared key are specified, define the authentication method list for RADIUS. Since RADIUS authentication is done via AAA, run the aaa authentication command to define the authentication method list and specify RADIUS as the authentication method. For more details, see AAA Configurations.

Specifying Standard RADIUS Attribute Type


This section describes the configuration of the RADIUS standard attribute types. Currently, the RADIUS Calling-Station-ID attribute (attribute type 31) is supported.

Configuring Calling-Station-ID Format

The RADIUS Calling-Station-ID attribute (type 31) carries a MAC address as a character string in the request packets the NAS sends to the RADIUS server. RFC 3580 defines its value as the MAC address of the authenticating client, not of the NAS, and the server uses it to identify that station. The MAC address can be written in several formats; the table below lists them:

Format          Description
ietf            The standard format specified by the IETF (RFC 3580). "-" is used as the separator, for example 00-D0-F8-33-22-AC.
normal          The usual dotted representation of the MAC address. "." is used as the separator, for example 00d0.f833.22ac.
unformatted     No format and no separator, for example 00d0f83322ac. This is the default.

To configure the RADIUS Calling-Station-ID MAC-based attribute format, run the following commands:

Command                                                                  Function
configure terminal                                                       Enter the global configuration mode.
radius-server attribute 31 mac format { ietf | normal | unformatted }    Configure the MAC-based format of the RADIUS Calling-Station-ID attribute. The default format is unformatted.
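The exchange described in the RADIUS overview (the NAS builds an Access-Request carrying the user name, the password hidden with the shared secret and the Calling-Station-ID in one of the three MAC formats above; the server answers Access-Accept or Access-Reject) as an added, self-contained Python example. It is not RGOS code or any vendor's implementation: the packet layout and the User-Password hiding follow RFC 2865, the Calling-Station-ID formatting follows the table above, and the reply check follows the Response Authenticator rule of RFC 2865 section 3. The shared secret, user, NAS address, MAC address and the stand-in server are constructed for the example; nothing is sent on the network.

```python
"""Added example (not RGOS code): the NAS side of a RADIUS authentication exchange.
Packet layout, User-Password hiding and Response Authenticator follow RFC 2865;
the server is a constructed stand-in and nothing is sent on the network."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 1, 2, 4, 31


def format_calling_station_id(mac, fmt="unformatted"):
    """Render a MAC in the formats of `radius-server attribute 31 mac format`:
    ietf 00-D0-F8-33-22-AC, normal 00d0.f833.22ac, unformatted 00d0f83322ac."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    if fmt == "ietf":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()
    if fmt == "normal":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    if fmt == "unformatted":
        return digits
    raise ValueError("unknown format: %r" % fmt)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous hidden block), the Request Authenticator seeding the first."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16          # an empty password still occupies one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (the server side); padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One type/length/value attribute; RADIUS limits a value to 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, mac, mac_fmt="unformatted"):
    """Return (packet, request_authenticator); keep the authenticator to check the reply."""
    authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(CALLING_STATION_ID, format_calling_station_id(mac, mac_fmt).encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(data):
    """Decode attributes into {type: [value, ...]}, rejecting lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.setdefault(data[i], []).append(data[i + 2:i + data[i + 1]])
        i += data[i + 1]
    return attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A reply failing this check is forged or uses another secret; the NAS must treat it as no reply."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def stand_in_server(request, secret, users):
    """Constructed stand-in for the RADIUS server: checks User-Password against a user table
    and answers Access-Accept or Access-Reject with a correct Response Authenticator."""
    ident, req_auth = request[1], request[4:20]
    attrs = parse_attributes(request[20:])
    name = attrs.get(USER_NAME, [b""])[0].decode()
    password = reveal_password(attrs.get(USER_PASSWORD, [b""])[0], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes in this stand-in
    return header + hashlib.md5(header + req_auth + secret).digest()


if __name__ == "__main__":
    secret = b"ruijie"   # constructed: the shared key used in the configuration examples
    req, auth = build_access_request(7, secret, "a1", "s3cret", "10.1.1.100", "00:d0:f8:33:22:ac", "ietf")
    reply = stand_in_server(req, secret, {"a1": b"s3cret"})
    print("accepted" if reply[0] == ACCESS_ACCEPT and reply_is_authentic(reply, auth, secret) else "rejected")
```

Two points worth noting from the code: the User-Password hiding is an MD5 stream keyed by the shared secret, so a weak or reused key (the examples use ruijie) is the only thing protecting the password on the wire, and a reply whose Response Authenticator does not verify must be discarded rather than treated as a reject, since anyone who can reach the NAS could otherwise forge an Access-Accept.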

Specifying Private RADIUS Attribute Type


Use this command to set the type value of a private (vendor-specific) attribute in global configuration mode. Use the no form of this command to restore the default setting.

Command                                                                                           Function
radius attribute { id | down-rate-limit | dscp | mac-limit | up-rate-limit } vendor-type type    Set the private attribute type value.

The contents in this section enable configuring freely the type of private attributes. The default configurations are as
follows:

Default configurations of our product private attribute recognition:

ID Function Type
1 max down-rate 1
2 qos 2
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 16
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 50

Extended manufacturer ID default configuration:

ID Function TYPE
1 max down-rate 76
2 qos 77
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 75
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 50

Two functions cannot be configured with the same type number.

Here is an example on how to configure the private type for network device:

Ruijie# show radius vendor-specific


id vendor-specific type-value
---- -------------------- ----------
1 max down-rate 76
2 qos 77
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 75
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 50
Ruijie# configure
Ruijie(config)# radius attribute 24 vendor-type 67
Ruijie(config)# show radius vendor-specific
id vendor-specific type-value
---- -------------------- ----------
1 max down-rate 76
2 qos 77
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 75
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 67
Ruijie(config)#

Identifying All RADIUS Standards and Private Attributes


Use this command, in global configuration mode, to make RADIUS accept private attributes regardless of the vendor ID they carry. Use the no form of this command to restore the default setting. By default, only the private vendor ID of Ruijie is recognized.

Command                               Function
radius vendor-specific extend         Extend RADIUS so that it does not differentiate the IDs of private vendors.

The following example extends RADIUS so as not to differentiate the IDs of private vendors:

Ruijie(config)# radius vendor-specific extend

Analyzing Flow Control Value of RADIUS CLASS Attributes


Use this command to analyze the flow control value of the RADIUS CLASS attributes in global configuration mode. Use
the no form of this command to restore the default setting.This function is disabled by default.

Command                                                                                   Function
radius-server attribute class user-flow-control { format-16bytes | format-32bytes }     Analyze the flow control value of the RADIUS CLASS attribute.
                                                                                          user-flow-control: analyzes the flow control value in the CLASS attribute.
                                                                                          format-16bytes: sets the format of the flow control value to 16 bytes.
                                                                                          format-32bytes: sets the format of the flow control value to 32 bytes.

This command is required if the server pushes the flow control value through the CLASS attribute. The following example analyzes the flow control value of the CLASS attribute and sets the format to 32 bytes.

Ruijie(config)#radius-server attribute class user-flow-control format-32bytes

Configuring the Reachability Detection for RADIUS server


The device maintains the reachability state of each configured RADIUS server: reachable or unreachable. The device does not send the authentication, authorization and accounting requests of access users to an unreachable RADIUS server unless all RADIUS servers in the RADIUS server group are unreachable.

The device can actively probe a specified RADIUS server; this feature is disabled by default. With active detection enabled for a RADIUS server, the device periodically sends detection requests (authentication requests or accounting requests) to that server. The interval is:

 RADIUS server in reachable state: the default interval for active detection is 60 minutes.
 RADIUS server in unreachable state: fixed at 1 minute.

To enable active detection of a RADIUS server, the following conditions must be met: a testing user name for this RADIUS server has been configured on the device, and at least one tested port of this RADIUS server (authentication port or accounting port) has been configured on the device.

The device considers a RADIUS server in reachable state to be unreachable when both of the following conditions are met: the time configured by radius-server dead-criteria time seconds has elapsed since the last correct response was received from this RADIUS server, and the number of requests sent to this RADIUS server without a correct response since that last correct response has exceeded the number set by radius-server dead-criteria tries number.

The device considers a RADIUS server in unreachable state to be reachable again when any of the following conditions is met: a correct response is received from this RADIUS server; the server has remained unreachable longer than the time set by radius-server deadtime and active detection of this RADIUS server is not enabled; or the authentication port or accounting port of this RADIUS server is updated on the device.
RADIUS server reachability detection allows the user to configure the dead-criteria conditions for a RADIUS server and
active detection.

To configure RADIUS dead-server detection, execute the following commands in global configuration mode:

Command Function
Ruijie# configure terminal
    Enter the global configuration mode.
Ruijie (config)# radius-server dead-criteria { time seconds [ tries number ] | tries number }
    Globally configure the dead-criteria conditions for a RADIUS server to be marked as dead. The default value of "seconds" is 60, and the default value of "number" is 10.
Ruijie (config)# radius-server deadtime minutes
    Configure the duration for which the device stops sending request packets to a RADIUS server in unreachable state (default: 0 minutes).
Ruijie (config)# radius-server host [ oob ] { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ]
    Configure the IP address of the remote RADIUS server, specify the authentication port and accounting port, and specify the parameters of active detection (testing user name, detection interval for a RADIUS server in reachable state, and whether the authentication port or the accounting port is to be ignored).

A dedicated testing user name must be used. This user name must not be shared with other valid access users, so that their authentication, authorization or accounting is not affected.

Configuring Accounting Update Packet Re-transmission


To configure accounting update packet re-transmission for the second generation Web authentication user, use the
following command in the global configuration mode. Use the no form of this command to restore the default setting.

Command Function
radius-server account update re-transmit Configure accounting update packet re-transmission.

This function is disabled by default.

This command configures accounting update packet re-transmission for second generation Web authentication users only.

Ruijie(config)#radius-server account update re-transmit

Enabling RADIUS to Support Cui Function


To enable RADIUS to support the Cui function, use the following command in the global configuration mode. This function
is disabled by default. Use the no form of this command to restore the default setting.

Command Function
radius support cui Enable RADIUS to support the Cui function.

The following example enables RADIUS to support the Cui function.

Ruijie(config)# radius support cui

Specifying Source Port for Sending RADIUS Packets


To configure the source port to send RADIUS packets, use the following command in the global configuration mode. Use
the no form of this command to restore the default setting.

Command Function
radius-server source-port port Configure the source port to send RADIUS packets. port: the port number, in the range from 0 to 65535. The default is a random number.

The following example configures source port 10000 to send RADIUS packets.

Ruijie(config)# radius-server source-port 10000

Showing Accounting Statistics for RADIUS Server


To display RADIUS accounting statistics, use the following command in global configuration mode, privileged EXEC mode or interface configuration mode.

Command Function
show radius acct statistics Display RADIUS accounting statistics.

The following example displays RADIUS accounting statistics.

Ruijie#show radius acct statistics


Accounting Servers:

Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1813
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1
Retry Requests................................... 1
Accounting Responses............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 1

Showing Authentication Statistics for RADIUS Server


To display RADIUS authentication statistics, use the following command in global configuration mode, privileged EXEC mode or interface configuration mode.

Command Function
show radius auth statistics Display RADIUS authentication statistics.

The following example displays RADIUS authentication statistics.

Ruijie#show radius auth statistics


Authentication Servers:

Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1812
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0

Monitoring

To monitor the RADIUS, execute the following commands in the privileged user mode:

Command Function
debug radius event Turn on the RADIUS debug switch to view the RADIUS debug information.

Configuration Examples

Configuring Radius
In a typical RADIUS network configuration, the RADIUS server authenticates the access users, enables accounting for them and records their network usage.

The RADIUS server can be the component that comes with Windows 2000/2003 Server (IAS) or a UNIX system, or dedicated server software from some vendors.

The following example shows how to configure RADIUS on the network device:

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.12.219 auth-port 1645 acct-port 1646
Ruijie(config)# radius-server key aaa
Ruijie(config)# aaa authentication login test group radius
Ruijie(config)# end
Ruijie# show radius server
Server IP: 192.168.12.219
Accounting Port: 1646
Authen Port: 1645
Server State: Ready
Ruijie#configure terminal
Ruijie(config)#line vty 0
Ruijie(config-line)#login authentication test
Ruijie(config-line)#end
Ruijie#show running-config
!
aaa new-model
!
!
aaa authentication login test group radius
!
username Ruijie password 0 starnet
!
radius-server host 192.168.12.219 auth-port 1645 acct-port 1646
!
line con 0
line vty 0
login authentication test
line vty 1 4
!

Configuring Radius IPv6


In the typical RADIUS network configuration, the RADIUS server authenticates the access users, enables accounting for them and records their network service usage.

The RADIUS server should run Windows 2008 Server or other dedicated IPv6-capable server software recognized by the manufacturer.

The following example shows how to configure RADIUS on the network device:

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 3000::100 auth-port 1645 acct-port 1646
Ruijie(config)# radius-server key aaa
Ruijie(config)# aaa authentication login test group radius
Ruijie(config)# end
Ruijie# show radius server
Server IP: 3000::100
Accounting Port: 1646
Authen Port: 1645
Test Username: <Not Configured>
Test Idle Time: 60 Minutes
Test Ports: Authen and Accounting
Server State: Active
Current duration 765s, previous duration 0s
Dead: total time 0s, count 0
Statistics:
Authen: request 15, timeouts 1
Author: request 0, timeouts 0
Account: request 0, timeouts 0

Ruijie# configure terminal
Ruijie(config)# line vty 0
Ruijie(config-line)# login authentication test
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
!
aaa authentication login test group radius
!
!
!
radius-server host 3000::100 auth-port 1645 acct-port 1646
radius-server key aaa
!
line con 0
line vty 0
login authentication test
line vty 1 4
!
Configuration Guide Configuring 802.1X

Configuring 802.1X

Overview

In an IEEE 802 LAN, users can access the network device without authentication or authorization as long as they are connected to it. Therefore, an unauthorized user can access the network unobstructed simply by connecting to the LAN. With the wide application of LAN technology, particularly the emergence of operator networks, it has become necessary to address the security authentication needs of the network. How to authenticate the legitimacy of network or device access on the basis of simple and inexpensive Ethernet technology has become the focus of the industry. The IEEE 802.1X protocol was developed in this context.

As a port-based network access control standard, IEEE 802.1X provides point-to-point secure access at the LAN access point. Specially designed by the IEEE standardization committee to tackle the security defects of Ethernet, this standard provides a means to authenticate the devices and users connected to the LAN while retaining the advantages of IEEE 802 LANs.

IEEE 802.1X defines a client/server-based access control model to restrict unauthorized users from accessing the network. Before a client can access the network, it must first pass authentication by the authentication server.

Before the client passes the authentication, only the EAPOL (Extensible Authentication Protocol over LAN) packets can
be transmitted over the network. After successful authentication, normal data streams can be transmitted over the
network.

By using 802.1X, our switches provide Authentication, Authorization, and Accounting (AAA).

 Authentication: It is used to determine whether a user has the access, restricting illegal users.
 Authorization: It authorizes the services available to users, controlling the rights of valid users.
 Accounting: It records users' use of network resources, providing the supporting data for charging.

802.1X is described in the following aspects:

 Device Roles
 Authentication Initiation and Packet Interaction During Authentication
 States of Authorized Users and Unauthorized Users
 Topology of Typical Applications

Device Roles
In the IEEE 802.1X standard, there are three roles: supplicant, authenticator, and authentication server. In practice, they are the client, the network access server (NAS) and the RADIUS server.
 Supplicant:

The supplicant is the role played by the end user, usually a PC. It requests access to network services and responds to the request packets from the authenticator. The supplicant must run an IEEE 802.1X client. Currently, the most popular one is the IEEE 802.1X client built into Windows XP. In addition, we have also launched the STAR Supplicant software, which is compliant with this standard.

 Authenticator:

The authenticator is usually an access device such as a switch. Its responsibility is to control the connection status between the client and the network according to the current authentication status of that client. Between the client and the server, this device plays the role of a mediator: it requests the user name from the client, submits the authentication information to the server for verification, and forwards the result to the client. The switch therefore acts as both the IEEE 802.1X authenticator and the RADIUS client, so it is referred to as the network access server (NAS). It encapsulates the responses received from the client into RADIUS packets and forwards them to the RADIUS server, and resolves the information received from the RADIUS server and forwards it to the client.

The device acting as the authenticator has two types of ports: controlled ports and uncontrolled ports. Users connected to a controlled port can only access network resources after passing authentication, while those connected to an uncontrolled port can access network resources directly without authentication. We can control users simply by connecting them to a controlled port. The uncontrolled port, on the other hand, is used to connect the authentication server, ensuring normal communication between the server and the switch.

 Authentication server:

The authentication server is usually a RADIUS server, which works with the authenticator to provide users with authentication services. The authentication server stores the user names, passwords and related authorization information. One server can provide authentication services for multiple authenticators, allowing centralized management of users. The authentication server also manages the accounting data from the authenticator. Our 802.1X device is fully compatible with standard RADIUS servers, for example the RADIUS server shipped with Microsoft Windows 2000 Server and FreeRADIUS on Linux.

Authentication Initiation and Packet Interaction during Authentication


The supplicant and the authenticator exchange information using the EAPOL protocol, while the authenticator and the authentication server exchange information using the RADIUS protocol; the authenticator converts between the two to complete the authentication process. EAPOL is encapsulated directly at the MAC layer with EtherType 0x888E. In addition, the standard reserves the multicast MAC address 01-80-C2-00-00-03 for the protocol's packet exchange during the initial authentication process.

The following diagram shows a typical authentication process, during which the three role devices exchange packets with
one another.

Figure 1-1

This is a typical authentication process initiated by the user. In some special cases, the switch can actively initiate the authentication request; the process is then the same as shown in the diagram, except that it does not contain the step where the user actively initiates the request.

States of Authorized Users and Unauthorized Users


802.1X determines whether the users on a port are allowed to access the network according to the authentication status of the port. Since our implementation extends 802.1X to operate per user, we determine whether a user is allowed to access network resources according to the authentication status of that user under a port. All users under an uncontrolled port can use network resources, while those under a controlled port can access network resources only if they are authorized. When a user has just initiated an authentication request, its status is unauthorized and it cannot access the network. When it passes the authentication, its status changes to authorized and it can use network resources.

If a workstation that does not support 802.1X is connected to a controlled port, it will not respond when the device requests the user name, because it lacks that support. The user therefore remains unauthorized and cannot access network resources.

Conversely, if the client supports 802.1X but the connected switch does not, the EAPOL-Start frames from the user receive no response. After sending the specified number of EAPOL-Start frames without receiving any response, the user treats the connected port as an uncontrolled port and uses network resources directly.

On an 802.1X-enabled device, all ports are uncontrolled ports by default. You can set a port as a controlled port to impose authentication on all users under that port.
When a user has passed authentication (the switch has received success packets from the RADIUS Server), the user is
authorized and therefore can freely use network resources. If the user fails in the authentication and remains in the
unauthenticated status, it is possible to initiate authentication once again. If the communication between the switch and
the RADIUS server is faulty, the user is still unauthorized and therefore still cannot use the network.

When the user sends the EAPOL-LOGOFF packets, its status changes from authorized to unauthorized.

When a port of the switch changes to the LINK-DOWN status, all the users on the port change to be in the unauthorized
status.

When the device restarts, all users on the device turn into the unauthorized status.

To force a user to pass the authentication, you can add a static MAC address.
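The packet exchange described under "Authentication Initiation and Packet Interaction" and the authorized/unauthorized user states above, as one added Python example that is not Ruijie code: it builds and classifies EAPOL frames (EtherType 0x888E, group address 01-80-C2-00-00-03), replays the EAPOL side of the Figure 1-1 exchange, and tracks which users a controlled port forwards for. The MAC addresses and user name are constructed, and the RADIUS leg between switch and server is not modelled.

```python
"""Added example (not Ruijie code): EAPOL framing and the per-user
authorized/unauthorized state described above. EAPOL uses EtherType 0x888E
and the PAE group address 01-80-C2-00-00-03; sample MACs are constructed."""
import struct

EAPOL_ETHERTYPE = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAPOL_TYPE_NAMES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def build_eapol(src: bytes, ptype: int, body: bytes = b"", dst: bytes = PAE_GROUP_ADDR) -> bytes:
    """Ethernet II frame carrying one EAPOL PDU (protocol version 1)."""
    eth = dst + src + struct.pack("!H", EAPOL_ETHERTYPE)
    return eth + struct.pack("!BBH", 1, ptype, len(body)) + body


def eap_identity_request(ident: int) -> bytes:
    """EAP-Request/Identity: code, identifier, length, type."""
    return struct.pack("!BBHB", EAP_REQUEST, ident, 5, EAP_TYPE_IDENTITY)


def eap_identity_response(ident: int, identity: str) -> bytes:
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data


def eap_result(ident: int, success: bool) -> bytes:
    """EAP-Success / EAP-Failure: code, identifier, length 4, no type field."""
    return struct.pack("!BBH", EAP_SUCCESS if success else EAP_FAILURE, ident, 4)


def parse_frame(frame: bytes) -> dict:
    """Classify a frame; non-EAPOL frames give {'eapol': False, ...}."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != EAPOL_ETHERTYPE:
        return {"eapol": False, "ethertype": ethertype, "src": src}
    if len(frame) < 18:
        raise ValueError("truncated EAPOL header")
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body shorter than declared length")
    info = {"eapol": True, "version": version, "src": src,
            "type": EAPOL_TYPE_NAMES.get(ptype, "Unknown(%d)" % ptype),
            "to_pae_group": dst == PAE_GROUP_ADDR}
    if ptype == EAPOL_EAP_PACKET and len(body) >= 4:
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"], info["eap_id"] = EAP_CODE_NAMES.get(code, str(code)), ident
        if code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
            info["eap_type"] = body[4]
            if code == EAP_RESPONSE and body[4] == EAP_TYPE_IDENTITY:
                info["identity"] = body[5:eap_len].decode(errors="replace")
    return info


def authentication_exchange(supplicant: bytes, authenticator: bytes, identity: str,
                            success: bool = True, user_initiated: bool = True) -> list:
    """EAPOL side of the exchange in Figure 1-1 (the RADIUS leg is not modelled).
    With user_initiated=False the switch starts with EAP-Request/Identity."""
    frames = []
    if user_initiated:
        frames.append(build_eapol(supplicant, EAPOL_START))
    frames.append(build_eapol(authenticator, EAPOL_EAP_PACKET, eap_identity_request(1), dst=supplicant))
    frames.append(build_eapol(supplicant, EAPOL_EAP_PACKET, eap_identity_response(1, identity)))
    frames.append(build_eapol(authenticator, EAPOL_EAP_PACKET, eap_result(1, success), dst=supplicant))
    return frames


class ControlledPort:
    """Per-user state on a controlled port: authorized only after EAP-Success."""

    def __init__(self):
        self.authorized = set()  # MACs currently authorized

    def on_frame(self, frame: bytes) -> None:
        """Update state from an EAPOL frame seen on the port (either direction)."""
        info = parse_frame(frame)
        if not info["eapol"]:
            return
        if info["type"] == "EAPOL-Logoff":           # user logs off
            self.authorized.discard(info["src"])
        elif info.get("eap_code") == "Success":       # switch relayed RADIUS success
            self.authorized.add(frame[:6])            # destination is the user
        elif info.get("eap_code") == "Failure":
            self.authorized.discard(frame[:6])

    def link_down(self) -> None:
        """Port LINK-DOWN or device restart: every user becomes unauthorized."""
        self.authorized.clear()

    def forwards(self, frame: bytes) -> bool:
        """Before authorization only EAPOL passes; afterwards all traffic does."""
        info = parse_frame(frame)
        return info["eapol"] or info["src"] in self.authorized
```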

Topology of Typical Applications


Scheme 1: The 802.1X-enabled device is used as the access layer device

Figure 1-2

Requirements of this solution:

 The user supports 802.1X. That is, it has an 802.1X client installed (the client built into Windows XP, Star-supplicant, or other IEEE 802.1X-compliant client software).
 The access layer device supports IEEE 802.1X.
 One or multiple RADIUS compliant servers are available as the authentication server.

Key points for configuration of this solution:


 The ports connected to the Radius Server and the uplink ports are configured as uncontrolled ports, so that the
switch can normally communicate with the server and the authorized users can access network resources through
the uplink interface.
 The ports connected to the user must be set as controlled ports to control the accessed users, and the users
cannot access network resources unless they first pass the authentication.

Characteristics of this solution:

 Each 802.1X-enabled switch is responsible for a small number of clients, thus offering higher speed. The devices are
mutually independent, and the restart operation of the device does not affect the users connected with other devices.
 User management is performed on the Radius Server in a centralized manner. The administrator does not have to
know which switch a user is connected to, making management much easier.
 The administrator can manage the device on the access layer through the network.

Scheme 2: The 802.1X-enabled device is used as the convergence layer device

Figure 1-3

Requirements of this solution:

 The user supports 802.1X. That is, it has an 802.1X client installed (the client built into Windows XP, Star-supplicant, or other IEEE 802.1X-compliant client software).
 The access layer device must be able to transparently forward IEEE 802.1X frames (EAPOL).
 The convergence layer device supports 802.1X (playing the role of the authenticator).
 One or more RADIUS-compliant servers are available as the authentication server.

Key points for configuration of this solution:

 The ports connected to the Radius Server and the uplink ports are configured as uncontrolled ports, so that the
switch can normally communicate with the server and the authorized users can access network resources through
the uplink interface.
 The ports connected to the access layer switches must be set as controlled ports to control the accessed users, and
the users cannot access network resources unless they first pass the authentication.

Characteristics of this solution:

 The convergence layer device must be highly reliable, since the network is large and numerous users are connected, and any fault in it may prevent many users from accessing the network normally.
 User management is performed on the RADIUS server in a centralized manner. The administrator does not have to know which switch a user is connected to, making management much easier.
 The access layer devices can be less expensive switches without network management (non-NM switches), as long as they support transparent forwarding of EAPOL frames.
 The administrator cannot manage the access layer devices through the network.

Configuration

Default Configuration of 802.1X


The following table lists some defaults of 802.1X.

Item Default
Authentication DISABLE
Accounting DISABLE
Radius Server
    *ServerIp No default
    *Authentication UDP port 1812
    *Key No default
Accounting Server
    *ServerIp No default
    *Accounting UDP port 1813
All port types Uncontrolled port (all ports can communicate directly without authentication)
Timed re-authentication Off
Timed reauth_period 3,600 seconds
Interval between two authentication requests 10 seconds
Re-transmission interval 3 seconds
Maximum re-transmissions 3
Client timeout period 3 seconds (if no response is received from the client within this period, the communication is deemed a failure)
Server timeout period 5 seconds (if no response is received from the server within this period, the communication is deemed a failure)
List of authenticable hosts under a port No default
Precautions for Configuring 802.1X


 You can perform the following configuration only on products that support 802.1X.
 802.1X can run on both L2 and L3 devices.
 The IP address of the authentication server must be configured before the RADIUS server authentication mode can operate normally.
 You cannot enable 1X authentication on an 802.1Q TUNNEL port.
 You cannot enable 1X authentication on an Aggregate Port.
 If the 1X function is enabled on only one port of a switch, all ports will send 1X protocol packets to the CPU.
 Static port security addresses can access the Internet without authentication. If authorization is applied, the addresses must comply with the authorization binding to access the Internet. When the port-based transferable authentication mode and port security are used concurrently, the learned addresses become security addresses and cannot be transferred.
 When the port-based transferable authentication mode and port security are used concurrently, if an authenticated address is aged out by port security, the port must be re-authenticated to communicate.
 If port security is enabled after the port-based transferable authentication mode has passed authentication, the port must be re-authenticated to communicate.
 If IP and MAC binding exists, the authentication mode cannot be switched between port-based and user-based.

Configuring the communication between the device and Radius server


The RADIUS server maintains the information of all users: user name, password, authorization information and accounting information. All users are managed centrally on the RADIUS server rather than being distributed over various switches, which makes management easier for the administrator.

In order for the switch to normally communicate with the RADIUS SERVER, you must set the following parameters:

RADIUS server end: You must register a RADIUS client. At registration, you must supply to the RADIUS server the switch's IP address, the authentication UDP port (and the accounting UDP port, if needed) and the key agreed for communication between the switch and the RADIUS server, and select EAP support for the client. The procedure for registering a RADIUS client on the RADIUS server varies with the server software. Please refer to the appropriate document.

Device end: The following settings are necessary at the device end to ensure communication between the device and the server: configure the IP address of the RADIUS server, the authentication (accounting) UDP port and the agreed password for communication with the server.

In the global configuration mode, you can set the communication between the switch and the Radius Server via the
following steps:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#radius-server host ip-address [ auth-port port ] [ acct-port port ] Configure the RADIUS server.
Ruijie (config)#radius-server key string Configure the RADIUS key.
Ruijie#show radius server Show the RADIUS server.
You can use the no radius-server host ip-address auth-port command to restore the authentication UDP port of the RADIUS server to its default. You can use the no radius-server key command to delete the authentication key of the RADIUS server. The following example sets the server IP as 192.168.4.12, the authentication UDP port as 600, and the key as the agreed password:

Ruijie# configure terminal
Ruijie(config)# radius-server host 192.168.4.12
Ruijie(config)# radius-server host 192.168.4.12 auth-port 600
Ruijie(config)# radius-server key MsdadShaAdasdj878dajL6g6ga
Ruijie(config)# end

 The officially agreed authentication UDP port is 1812.
 The officially agreed accounting UDP port is 1813.
 No less than 16 characters are recommended for the agreed password between the device and the Radius Server.
 The port of the device to connect the Radius Server shall be configured as uncontrolled port.

Setting the 802.1X Authentication Switch


When the 802.1X authentication is enabled, the switch will impose authentication over the host connected to the
controlled port, and the hosts that fail the authentication are not allowed to access the network.

In the global configuration mode, you can enable the 802.1X authentication by performing the following steps:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#radius-server host ip-address [ auth-port port ] [ acct-port port ] Configure the RADIUS server.
Ruijie (config)#radius-server key string Configure the RADIUS key.
Ruijie (config)#aaa authentication dot1x auth group radius Configure the 802.1X authentication method list.
Ruijie (config)#dot1x authentication list-name Apply the authentication method list to 802.1X.
Ruijie#show running-config Display the configuration.

If the domain-name-based AAA service is enabled, that is, when the aaa domain enable command is configured, the authentication method list chosen by the dot1x authentication command is not used. Instead, the authentication method list configured for the domain in which the user is located is used. For detailed configuration, see Configuring the AAA Service Based on Domain Names.

The following example enables 802.1X authentication:

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key starnet
Ruijie(config)# aaa authentication dot1x authen group radius
Ruijie(config)# dot1x authentication authen
Ruijie(config)# end
Ruijie# show running-config
!
aaa new-model
!
aaa authentication dot1x authen group radius
!
username Ruijie password 0 starnet
!
radius-server host 192.168.217.64
radius-server key 7 072d172e071c2211
!
!
!
dot1x authentication authen
!
interface VLAN 1
ip address 192.168.217.222 255.255.255.0
no shutdown
!
!
line con 0
line vty 0 4
!
end

To apply the RADIUS authentication method in the 802.1X, configure the IP address of the Radius Server and make sure
normal communication between the device and the Radius Server. Without the coordination of the Radius Server, the
switch cannot perform authentication. For setting the communication between the Radius Server and the switch, please
see the previous section.

Enabling Multi-Account Authentication


Use this command in global configuration mode to enable multi-account authentication for users with a single MAC address. Use the no form of this command to restore the default setting. This function is disabled by default.

Command Function
dot1x multi-account enable Enable multi-account authentication for users with single
MAC address.

Enable multi-account authentication if the user name needs to change during authentication or re-authentication, as is common with Windows domain authentication.

The following example enables the multiple-account authentication.

Ruijie(config)# dot1x multi-account enable


Enabling Timed Re-authentication


802.1X can ask users to re-authenticate at periodic intervals, to prevent an authorized session from being used by other users. This also detects disconnection, making charging more accurate. In addition to the re-authentication switch, you can define the re-authentication interval, which is 3600 seconds by default. In the case of duration-based charging, you should determine the re-authentication interval according to the specific network size: it should be sufficient while as accurate as possible.

In the global configuration mode, you can enable/disable re-authentication and set the re-authentication interval by
performing the following steps.

Command Function
Ruijie (config)#dot1x re-authentication Enable timed re-authentication.
Ruijie (config)#dot1x timeout re-authperiod time Set the re-authentication interval.
Ruijie#show dot1x Display the 802.1X configuration.

You can use the no dot1x re-authentication command to disable timed re-authentication, and use the no dot1x timeout
re-authperiod command to restore the re-authentication interval to the default. Use show dot1x re-authentication to
display the re-authentication configuration.

The following example enables re-authentication and sets the re-authentication interval as 1000 seconds.

Ruijie# configure terminal
Ruijie(config)# dot1x re-authentication
Ruijie(config)# dot1x timeout re-authperiod 1000
Ruijie(config)# end
Ruijie# show dot1x
802.1X Status: Disabled
Authentication Mode: EAP-MD5
Authed User Number: 0
Re-authen Enabled: Enabled
Re-authen Period: 1000 sec
Quiet Timer Period: 10 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 3 sec
Server Timeout: 5 sec
Re-authen Max: 3 times
Maximum Request: 3 times
Filter Non-RG Supp: Disabled
Client Online Probe: Disabled
Eapol Tag Enable: Disabled
Authorization Mode: Disabled

If re-authentication is enabled, please pay attention to the reasonableness of the re-authentication interval, which must be
set according to the specific network size.
Changing the Quiet Time


When user authentication fails, the switch does not allow that user to re-authenticate until a specified period, referred to as the quiet period, has elapsed. This value protects the device from malicious attacks. The default quiet period is 10 seconds. A shorter quiet period may speed up re-authentication for users.

In the global configuration mode, you can set the quiet period by performing the following steps:

Command Function
dot1x timeout quiet-period seconds Set the quiet period after authentication failure.
show dot1x Display the 802.1X configuration.

Use show dot1x timeout quiet-period command to display the configuration. In the example below the quiet period
value is set as 500 seconds:

Ruijie# configure terminal
Ruijie(config)# dot1x timeout quiet-period 500
Ruijie(config)# end

Setting the Packet Re-transmission Interval


After the device sends an EAP-Request/Identity, it re-sends that message if no response is received from the user within a certain period. By default, this period is 3 seconds. You can modify this value to suit the specific network size.

In the global configuration mode, you can set the packet re-transmission interval by performing the following steps:

Command Function
Ruijie(config)#dot1x timeout tx-period seconds Set the packet re-transmission Interval.
Ruijie#show dot1x Display the 802.1X configuration.

The following example sets the packet re-transmission interval as 100 seconds:

Ruijie# configure terminal
Ruijie(config)# dot1x timeout tx-period 100
Ruijie(config)# end

Setting the Maximum Number of Requests


If the switch does not receive a response within the server timeout after it sends an authentication request to the RADIUS server, it re-transmits the packets. The maximum number of requests is the maximum number of re-transmissions by the device; the authentication fails if this number is exceeded. By default, this value is 3. You should modify this value to suit the specific network size.

In the global configuration mode, you can set the maximum number of re-transmissions by performing the following steps:

Command Function
Ruijie(config)#dot1x max-req count Set the maximum number of packet re-transmissions.
Ruijie#show dot1x Display the 802.1X configuration.

You can use the no dot1x max-req command to restore the maximum number of packet re-transmissions to its default.
The following example sets the maximum number of packet re-transmissions to 5:
Configuration Guide Configuring 802.1X

Ruijie# configure terminal
Ruijie(config)# dot1x max-req 5
Ruijie(config)# end

Setting the Maximum Re-Auth Attempts


When user authentication fails, the device attempts to authenticate the user again. When the number of attempts exceeds
the maximum number of re-authentications, the switch considers the user disconnected and ends the authentication
process. By default, the number is 3; you can modify this value.

In the global configuration mode, you can set the maximum re-auth attempts by performing the following steps:

Command Function
Ruijie (config)#dot1x reauth-max count Set the maximum re-auth attempts.
Ruijie#show dot1x Display the 802.1X configuration.

You can use the no dot1x reauth-max command to restore the default setting, and the show dot1x reauth-max command
to display the configuration. The following example sets the maximum re-auth attempts to 3:

Ruijie# configure terminal
Ruijie(config)# dot1x reauth-max 3
Ruijie(config)# end

Setting the Server-timeout


This value indicates the maximum response time of the Radius Server. If the switch does not receive the response from
the Radius Server within this period, it deems the authentication as a failure.

In the global configuration mode, you can set the Server-timeout and restore its default by performing the following steps:

Command Function
Ruijie (config)#dot1x timeout server-timeout time Set the maximum response time of the Radius Server. You
can use the no option of the command to restore its default.
Ruijie#show dot1x Display the 802.1X configuration.
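
As an added example (not code from the guide or from RGOS), the following Python model shows how the timers configured in the sections above interact: tx-period, max-req, quiet-period and reauth-max. The scheduling is an assumption drawn from the descriptions above, not the actual RGOS state machine, and the `replies` callback stands in for the supplicant or RADIUS server being waited for.

```python
"""Model of the 802.1X authenticator timers configured above (added example, not RGOS code).

Assumed scheduling, following the guide's description: a request is re-sent every
tx-period seconds while no reply arrives, up to max-req re-transmissions; when that
limit is exceeded the attempt fails and the port waits for the quiet period; the user
is retried at most reauth-max times before being considered disconnected.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Dot1xTimers:
    tx_period: int = 3      # dot1x timeout tx-period (seconds between re-transmissions)
    max_req: int = 3        # dot1x max-req (re-transmissions per attempt)
    quiet_period: int = 10  # dot1x timeout quiet-period (seconds after a failed attempt)
    reauth_max: int = 3     # dot1x reauth-max (attempts before the user is deemed disconnected)


@dataclass
class Outcome:
    result: str                 # "success" or "disconnected"
    elapsed: int                # simulated seconds until the decision
    events: List[str] = field(default_factory=list)


def run_attempt(t: Dot1xTimers, now: int, replies: Callable[[int], bool],
                events: List[str]) -> Tuple[bool, int]:
    """One attempt: initial send plus up to max_req re-transmissions, tx_period apart."""
    for send in range(t.max_req + 1):
        events.append(f"t={now}s send #{send + 1}")
        if replies(send):
            events.append(f"t={now}s reply received")
            return True, now
        now += t.tx_period          # wait tx-period for an answer before re-sending
    events.append(f"t={now}s attempt failed after {t.max_req} re-transmissions")
    return False, now


def authenticate(t: Dot1xTimers, replies: Callable[[int, int], bool]) -> Outcome:
    """Run up to reauth_max attempts separated by the quiet period.

    replies(attempt, send) tells the model whether the peer answered that packet;
    it stands in for the supplicant or RADIUS server that is being waited for.
    """
    events: List[str] = []
    now = 0
    for attempt in range(t.reauth_max):
        ok, now = run_attempt(t, now, lambda s, a=attempt: replies(a, s), events)
        if ok:
            return Outcome("success", now, events)
        if attempt + 1 < t.reauth_max:
            events.append(f"t={now}s quiet period of {t.quiet_period}s")
            now += t.quiet_period
    return Outcome("disconnected", now, events)


def time_to_disconnect(t: Dot1xTimers) -> int:
    """Worst case (peer never answers): seconds until the user is deemed disconnected."""
    return authenticate(t, lambda attempt, send: False).elapsed


if __name__ == "__main__":
    print("defaults, no reply:", time_to_disconnect(Dot1xTimers()), "s")            # 56 s
    print("quiet-period 1:", time_to_disconnect(Dot1xTimers(quiet_period=1)), "s")  # 38 s
```

Running the block with the defaults and with a quiet period of 1 second makes the trade-off concrete: a shorter quiet period shortens the wait between a legitimate user's failed and next attempt, while a longer one slows down repeated failed attempts arriving on the same port.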

Configuring 802.1X Accounting


Our 802.1X implements the accounting function. Accounting is duration-based: the 802.1X records the length of the period
between the first successful authentication of the user and the user's log-off, or the moment at which the switch detects
that the user has disconnected.

After the first successful user authentication, the switch sends an accounting start request to the server. When the user
logs off, when the switch detects that the user has gone offline, or when the physical connection of the user is broken, the
switch sends an accounting end request to the server. The server group records this information in its database, and the
NMS uses this information as the basis for accounting.

Our 802.1X stresses the reliability of accounting and supports a backup accounting server to guard against failures of the
accounting server. When a server can no longer provide the accounting service for any reason, the switch automatically
forwards the accounting information to a backup server. This greatly improves the reliability of accounting.

When a user exits by itself, the accounting duration is accurate. When the connection of the user is broken by accident,
the accounting accuracy depends on the re-authentication interval (the switch detects the disconnection of a user by using
the re-authentication mechanism).

To enable the accounting function of the device, the following settings are necessary on the device:

- On the Radius Server, register the switch as a Radius Client, as for authentication.
- Set the IP address of the accounting server.
- Set the accounting UDP port.
- Enable the accounting service, with 802.1X already enabled as a precondition.

In the privileged EXEC mode, you can set the accounting service by performing the following steps:

Command Function
Ruijie(config)#aaa new-model Enable the AAA function.
Ruijie(config)#aaa group server radius gs Configure the accounting server group.
Ruijie(config-gs-radius)#server address acct-port port-id Add a server to the server group.
Ruijie(config)#aaa accounting network acct start-stop group gs Configure the accounting method list.
Ruijie(config)#dot1x accounting list-name Apply the accounting method list to the 802.1X.
Ruijie#show running-config Display the configuration.

The no aaa accounting network command deletes the accounting method list, and the no dot1x accounting command
restores the default dot1x accounting method. The following example sets the IP address of the accounting server to
192.1.1.1 and that of the backup accounting server to 192.1.1.2, sets the UDP port of the accounting server to 1200, and
enables 802.1X accounting:

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# aaa group server radius acct-use
Ruijie(config-gs-radius)# server 192.168.4.12 acct-port 1200
Ruijie(config-gs-radius)# server 192.168.4.13 acct-port 1200
Ruijie(config-gs-radius)# exit
Ruijie(config)# aaa accounting network acct-list start-stop group acct-use
Ruijie(config)# dot1x accounting acct-list
Ruijie(config)# end
Ruijie# write memory
Ruijie# show running-config

The accounting shared key must be the same as the one configured on the Radius Server, as for authentication.

The accounting function cannot be enabled unless AAA is enabled.

The accounting is impossible unless the 802.1X authentication passes.

By default, the accounting function of the 802.1X is disabled.

For the database format of accounting, see the related Radius Server documentation.

When the domain-name-based AAA service is enabled, that is, when the aaa domain enable command is
configured, the accounting method list chosen by the dot1x accounting command is not used. Instead, the
accounting method list configured for the domain to which the user belongs is used. For detailed configuration,
see Configuring the AAA Service Based on Domain Names.

Account update is also supported. After the account update interval is set on the NAS device, the NAS device sends
account update packets to the Radius Server periodically. On the Radius Server, you can define the number of update
intervals after which, if no account update packet for a user has been received from the NAS device, the NAS or the user
is regarded as off-line. The Radius Server then stops accounting for the user and deletes the user from the on-line user
table.

In the global configuration mode, you can set the account update function by performing the following steps:

Command Function
Ruijie (config)#aaa new-model Enable the AAA function
Ruijie (config)#aaa accounting update Set the account update function.
Ruijie#show running-config Display the configuration.

You can disable the account update service by using the no aaa accounting update command.

Ruijie# configure terminal
Ruijie(config)# aaa accounting update
Ruijie(config)# end
Ruijie# write memory
Ruijie# show running-config
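
The accounting exchange described above, as an added Python example that is not part of the guide or of RGOS: it builds the Start, Interim-Update and Stop Accounting-Request packets and shows why the accounting key must match on both sides, since the server recomputes the Request Authenticator with its own copy of the key before it records anything. The user name, session ID and key are constructed sample values; the attribute numbers and the authenticator rule are those of RFC 2866.

```python
"""RADIUS Accounting-Request construction and verification (added example, not RGOS code).

The Request Authenticator of an Accounting-Request is MD5 over the packet with the
shared secret appended (RFC 2866), so a server holding a different key rejects it.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
STATUS = {"start": 1, "stop": 2, "interim-update": 3}


def attr(kind: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length (including the 2-byte header), value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([kind, len(value) + 2]) + value


def build_accounting_request(ident: int, secret: bytes, user: str, session_id: str,
                             status: str, session_time: int = 0) -> bytes:
    """NAS side: Start at first successful authentication, Interim-Update periodically,
    Stop when the user logs off or the switch detects the disconnection."""
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", STATUS[status]))
             + attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    if status != "start":
        # Acct-Session-Time: seconds the user has been online so far
        attrs += attr(ATTR_ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident & 0xFF, 20 + len(attrs))
    # RFC 2866: Authenticator = MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the authenticator with the server's own key."""
    if len(packet) < 20:
        return False
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes of a verified packet into {type: value} for inspection."""
    out, pos, attrs = {}, 0, packet[20:]
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        kind, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + length]
        if kind in (ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_TIME):
            out[kind] = struct.unpack("!I", value)[0]
        else:
            out[kind] = value.decode()
        pos += length
    return out


if __name__ == "__main__":
    key = b"shared-key"   # constructed sample key
    stop = build_accounting_request(7, key, "alice", "0001", "stop", session_time=3600)
    print("accepted with the right key:", verify_accounting_request(stop, key))
    print("accepted with a wrong key:", verify_accounting_request(stop, b"other-key"))
    print(parse_attributes(stop))
```

The same check is what makes the backup server useful only if it shares the key too: a server that cannot validate the authenticator drops the Start or Stop record, and the session duration is lost even though the NAS did fail over.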

The following sections introduce the proprietary features of Ruijie network products.

To make things easier for broadband operators and to accommodate special environments, our 802.1X has been
extended on the basis of the standard. These extensions are completely standards-based and fully compatible with
IEEE 802.1X.

Configuring the IP authorization mode


The 802.1X implemented by Ruijie Networks can force authenticated users to use a fixed IP address. By configuring the IP
authorization mode, the administrator can restrict how a user obtains an IP address. There are four IP authorization modes:
DISABLE, DHCP SERVER, RADIUS SERVER and SUPPLICANT. They are detailed below:

- DISABLE mode (default): The device has no limitation for the user IP, and the user only needs to pass the
authentication to be able to access the network.
- DHCP SERVER mode: The user IP is obtained via the specified DHCP SERVER, and only the IP allocated by the
specified DHCP SERVER is considered legal. For the DHCP mode, it is possible to use DHCP relay option82 to
implement a more flexible IP allocation policy with the 802.1X. Here is a typical diagram for the plan:

Figure 1-2

The user initiates an IP request through the DHCP Client. The network device running dhcp relay option82 obtains the
user's authorization from the SAM server, constructs the option82 field from it and encapsulates the field in the DHCP
request message. The option82 field consists of "vid + permission". The DHCP Server selects different allocation policies
according to the option82 field.

In this mode, the DHCP Relay and the related option82 must be configured. For enabling the DHCP relay function and
selecting the option82 policy, see the DHCP Relay Configuration Guide and Command Reference.

- RADIUS SERVER mode: The user IP is specified by the RADIUS SERVER. The user can only use the IP specified by the
RADIUS SERVER to be able to access the network.
- SUPPLICANT mode: The IP bound to the user is the IP of the PC during the SUPPLICANT's authentication. After the
authentication, the user can only use that IP to be able to access the network.

The application models in the four modes are as follows:

- DISABLE mode: Suitable for environments that place no limits on users. A user can access the network once he/she
passes the authentication.
- DHCP SERVER mode: The user PC obtains its IP address via DHCP. The administrator configures the DHCP RELAY of
the device to limit the DHCP SERVER that users can reach, so that only the IPs allocated by the specified DHCP
SERVER are legal.
- RADIUS SERVER mode: The user PC uses a fixed IP. The RADIUS SERVER is configured with user-to-IP mappings,
which it delivers to the device in the Framed-IP-Address attribute. The user must use that IP to access the network.
- SUPPLICANT mode: The user PC uses a fixed IP. The SUPPLICANT reports the IP to the device, and the user must
use the IP it had at authentication to access the network.

Switching the IP authorization mode forces all authenticated users offline, so configure the mode before putting
the authentication service into use.

Releasing Advertisement

Our 802.1X allows you to configure the Reply-Message field on the Radius Server. When authentication succeeds, the
content of this field is shown in our 802.1X client, Star-Supplicant, which lets operators release information to users.

Such information is shown at the first user authorization, but not at re-authentication. This avoids frequently disturbing the
user.

The window that shows the advertisement supports HTML: an http://XXX.XXX.XX address in the message is converted into
a clickable link for easier browsing.

Releasing of the advertising information:

- The operator configures the Reply Message attribute on the Radius Server end.
- Only our Star-supplicant client supports such information (free for the users of our switch), while other clients cannot
see the information, which however does not affect their normal use.
- No setting is required at the device end.

Authorization

To make things easier for operators, our products can provide services of different quality for different types of service,
for example different maximum bandwidths. This information is all stored on the Radius Server, so the administrator does
not need to configure every switch.

Since Radius has no standard attribute for the maximum data rate, the authorization information can only be carried in a
vendor-specific attribute.

The general format of the definition is as follows:

Figure 0-3
Figure 0-4

For the maximum data rate, you need to fill in the following values:

The unit of the maximum data rate is kbps.

For users with the maximum data rate of 10M, you need to fill in the following values:

Figure 0-5

Follow the customized header given above. The maximum data rate is 10M, that is 10000 kbps, which is 0x00002710 in
hexadecimal; fill this value into the corresponding field.

This function calls for no settings on the device end, and works as long as the device end supports authorization.

Configuring the Authentication Mode


In the standard, 802.1X authenticates through EAP-MD5. The 802.1X designed by Ruijie can authenticate through the
EAP-MD5 (default) mode and also through the CHAP and PAP modes. The advantage of CHAP is that it reduces the
communication between the switch and the RADIUS SERVER, thus relieving the load on the RADIUS SERVER. As with
CHAP, the communication between PAP and the RADIUS SERVER occurs only once. Although PAP is not recommended
because of its poor security, it can meet special needs in some cases; for example, when the security server in use
supports only PAP authentication, this mode can be selected to make full use of existing resources and protect the
existing investment.

You can set the authentication mode of the 802.1X by performing the following steps in global configuration mode:

Command Function
Ruijie (config)#dot1x auth-mode { eap | chap | pap } Configure the authentication mode.
eap: Enables EAP-MD5 authentication mode.
chap: Enables CHAP authentication mode.
pap: Enables PAP authentication mode.
Ruijie#show dot1x Display the configuration.

The following example configures the authentication mode to the CHAP mode.

Ruijie# configure terminal
Ruijie(config)# dot1x auth-mode chap
Ruijie(config)# end
Ruijie# show dot1x
802.1X Status: Disabled
Authentication Mode: CHAP
Authed User Number: 0
Re-authen Enabled: Disabled
Re-authen Period: 3600 sec
Quiet Timer Period: 10 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 3 sec
Server Timeout: 5 sec
Re-authen Max: 3 times
Maximum Request: 3 times
Filter Non-RG Supp: Disabled
Client Oline Probe: Disabled
Eapol Tag Enable: Disabled
Authorization Mode: Group Server
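
An added Python example, not code from the guide or from RGOS, showing what the PAP, CHAP and EAP-MD5 modes above actually send to the RADIUS server and how the server checks it. With PAP the password is recoverable by anyone holding the shared secret, which is the "poor security" the guide refers to; with CHAP and EAP-MD5 only an MD5 response is sent. The shared secret, Request Authenticator, challenge and passwords are constructed values.

```python
"""How PAP and CHAP credentials travel to the RADIUS server (added example, not RGOS code).

RADIUS carries a PAP password in User-Password, XORed block by block with
MD5(secret + previous block) seeded by the Request Authenticator (RFC 2865, section 5.2),
so the server, or anyone else holding the shared secret, turns it back into clear text.
With CHAP, and likewise EAP-MD5, only MD5(identifier + password + challenge) (RFC 1994)
is sent, and the server recomputes it from its own copy of the password.
"""
import hashlib
import hmac


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client/NAS side: pad to a multiple of 16 bytes and XOR each block with the MD5 chain."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password.ljust(((len(password) + 15) // 16) * 16, b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def pap_recover_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same chain in reverse; the shared secret alone is enough."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")   # strips the padding (passwords ending in NUL bytes are not supported here)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) / EAP-MD5 response: MD5(Identifier + password + challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password + challenge).digest()


def chap_verify(ident: int, response: bytes, challenge: bytes, stored_password: bytes) -> bool:
    """Server side: recompute from the stored password and compare in constant time."""
    return hmac.compare_digest(chap_response(ident, stored_password, challenge), response)


if __name__ == "__main__":
    secret = b"radius-shared-secret"          # constructed sample values
    request_authenticator = bytes(range(16))
    hidden = pap_hide_password(b"user-pw", secret, request_authenticator)
    print("PAP on the wire:", hidden.hex())
    print("recovered with the secret:", pap_recover_password(hidden, secret, request_authenticator))
    challenge = b"\x5a" * 16
    resp = chap_response(3, b"user-pw", challenge)
    print("CHAP on the wire:", resp.hex(), "verifies:", chap_verify(3, resp, challenge, b"user-pw"))
```

The practical consequence for the choice above: with PAP the protection of the user's password is only as good as the protection of the RADIUS shared secret and of the path between switch and server, while CHAP and EAP-MD5 keep the password itself off the wire, at the cost of the server having to store it in a form it can hash.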

Configuring the backup authentication server


Our 802.1X-based authentication system supports a backup server. When the master server is down for any reason, the
device automatically sends the authentication request to another server in the server group of the method list.

In the privileged EXEC mode, you can set the backup authentication server by performing the following steps:

Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa group server radius gs-name Configure the server group.
Ruijie (config-gs-radius)#server server Configure the server.
Ruijie (config-gs-radius)#server server-backup Configure the backup server.
Ruijie#show dot1x Display the configuration.

The following example configures 192.168.4.12 as the backup server:

Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# aaa group server radius auth-ll
Ruijie(config-gs-radius)# server 192.168.4.1
Ruijie(config-gs-radius)# server 192.168.4.12
Ruijie(config-gs-radius)# end
Ruijie#

Configuring and Managing Online Users


Ruijie devices provide management of authenticated users via SNMP. The administrator can view the information of the
authorized users via SNMP and forcibly log off a user. A user who has been forcibly logged off must pass authentication
again before using network resources.

This function calls for no configuration on the device.

Implementing User-IP Binding


With our clients and by correctly configuring the Radius Server, you can implement unique user-IP binding. A user must
undergo authentication by using the IP address allocated by the administrator. Otherwise, authentication will fail.

For this function, you do not need to configure the switch. The user needs to use our client and the administrator needs to
configure the Radius Server.

Port-based Traffic Charging


In addition to duration-based billing, Ruijie network devices provide traffic-based billing when each port of the device has
only one user attached.

This function requires no configuration on the device, but needs support from the Radius server.

Implementing Automatic Switching and Control of VLAN


To implement auto-switching of the dynamic VLAN, the user VLAN is assigned and configured by the remote RADIUS
server. The remote RADIUS server encapsulates the VLAN assignment information in defined RADIUS attributes. After
receiving this information and authenticating the user, the access device automatically adds the port where the user is
located to the VLAN assigned by the RADIUS server; no manual configuration by the administrator is required.

Use the show dot1x summary command on the access device to view the VLAN in which the user actually is, and the
show dot1x user id command to view the VLAN assigned by the RADIUS server.

The access device can receive the VLAN assigned by the RADIUS server in two ways: through vendor-extension RADIUS
attributes or through standard RADIUS attributes.

When the RADIUS server assigns the VLAN through vendor-extension attributes, it encapsulates them in RADIUS
standard attribute No. 26 (Vendor-Specific). The vendor ID is 0x00001311 (hex). By default, the extension attribute type is
4; you can use the radius attribute 4 vendor-type type command to set the extension attribute type number used to
assign the VLAN. For the configuration command, see RADIUS Configuration.

The access device also supports VLAN assignment through standard RADIUS attributes, using the following attribute
combination:

- No.64 Attribute Tunnel-Type
- No.65 Attribute Tunnel-Medium-Type
- No.81 Attribute Tunnel-Private-Group-ID

For the auto-switching of the dynamic VLAN application, the valid range is:

- Tunnel-Type=VLAN(13)
- Tunnel-Medium-Type=802(6)
- Tunnel-Private-Group-ID=VLAN ID or VLAN Name

For the details, see RFC 2868 and RFC 3580.

The access device processes a received VLAN assignment as follows:

1. Use the assigned VLAN attribute as a VLAN name and check whether a VLAN with that name exists on the access
device.
2. If such a VLAN name exists, the port where the user is located switches to that VLAN automatically; if not, the assigned
VLAN attribute is used as a VLAN ID.
3. If the VLAN ID is valid (within the VLAN ID range supported by the system), the port where the user is located switches
to this VLAN automatically; if the VLAN ID is 0, there is no VLAN assignment information.
4. In all other cases, the user authentication fails.

The access device supports 802.1X authentication only on ACCESS and TRUNK ports; in other port modes the
auto-switching function of the dynamic VLAN cannot be enabled. The following describes how the VLAN auto-switching
function behaves on ACCESS and TRUNK ports:

VLAN auto-switching function on the ACCESS port

If the assigned VLAN is not configured on the device and the device identifies the assigned VLAN as a VLAN ID, the
device creates the VLAN with that ID and switches the auth-port to the newly created VLAN; if the device identifies the
assigned VLAN as a VLAN name, the user authentication fails.

If the assigned VLAN is configured on the device and is a VLAN type that does not support auto-switching on the
ACCESS port, the user authentication fails; if it is a VLAN type that supports auto-switching on the ACCESS port, the user
authentication succeeds and the port switches to the assigned VLAN.

The following lists the VLANs not supporting the auto-switching on the ACCESS port:

- Private VLAN
- Remote VLAN
- Super VLAN, including Sub VLAN

Native VLAN configuration on the TRUNK port

On a TRUNK port with authentication enabled, the assigned VLAN is set as the Native VLAN of the port being
authenticated.

If the assigned VLAN is not configured on the device and the device identifies it as a VLAN ID, the Native VLAN of the
port being authenticated is set to the assigned VLAN; if the device identifies it as a VLAN name, the user authentication
fails.

If the assigned VLAN is configured on the device and is a VLAN type that does not support auto-switching on the TRUNK
port, the user authentication fails; if it is a VLAN type that supports auto-switching on the TRUNK port, the user
authentication succeeds and the Native VLAN of the port being authenticated is set to the assigned VLAN.

The following lists the VLANs not supporting the auto-switching on the TRUNK port:

- Private VLAN
- Remote VLAN
- Super VLAN, including Sub VLAN

Native VLAN configuration on the HYBRID port

On a HYBRID port with MAC VLAN disabled, the assigned VLAN is handled as follows:

If the assigned VLAN is not configured on the device and is identified as a VLAN ID, the device automatically creates the
corresponding VLAN, allows the assigned VLAN to pass through the current HYBRID port untagged, and changes the
Native VLAN of the port to the assigned VLAN. In this case the user authentication succeeds. If the assigned VLAN is
identified as a VLAN name and the device cannot find the corresponding VLAN ID, the user authentication fails.

If the assigned VLAN is configured on the device and is a VLAN type that does not support auto-switching on the
HYBRID port, or the assigned VLAN already exists in the tagged VLAN list of the HYBRID port, the user authentication
fails; otherwise, the assigned VLAN is allowed to pass through the current HYBRID port untagged and the Native VLAN
of the port is changed to the assigned VLAN. In this case the user authentication succeeds.

On a HYBRID port with MAC VLAN enabled, the assigned VLAN is handled as follows:

If the VLAN assigned by the authentication server does not exist on the device (MAC VLAN requires that the
corresponding VLAN be statically configured and exist), or the assigned VLAN has been added to the HYBRID port as a
tagged VLAN, or the VLAN type is not supported by MAC VLAN (see the description in MAC-VLAN-SCG.doc), the user
authentication fails; otherwise, the device dynamically creates a MAC VLAN entry from the VLAN assigned by the
authentication server and the user's MAC address, and the user authentication succeeds.

When the user goes offline, the MAC VLAN entry is deleted dynamically.

The following lists the VLANs not supporting the auto-switching on the HYBRID port:

- Private VLAN
- Remote VLAN
- Super VLAN, including Sub VLAN

When MAC VLAN is not enabled on the port, VLAN assignment changes the Native VLAN of the port, but the
Native VLAN configured by command is not changed. The assigned VLAN takes priority over the VLAN
configured by command: the Native VLAN in effect after authentication is the assigned VLAN, and the Native
VLAN configured by command takes effect again after the user goes offline.

When MAC VLAN is enabled on the port and the authentication mode is MAC-based, VLAN assignment is
implemented by dynamically generating a MAC VLAN entry, without changing the Native VLAN of the port.

On a HYBRID port, whether MAC VLAN is enabled or not, VLAN assignment fails if the assigned VLAN has been
added to the port as a tagged VLAN.

If MAC VLAN is enabled on the port, VLAN assignment creates a MAC VLAN entry whose mask is all Fs. For
example, if the MAC address of the authenticated user is 00d0.f800.0001, an entry with VLAN: VLAN-radius
(the VLAN delivered by the server), MAC address: 00d0.f800.0001 and mask: FFFF.FFFF.FFFF is created. If
the MAC address of the 802.1X user is also covered by a statically configured MAC VLAN entry whose mask is
not all Fs, for example an entry with VLAN: VLAN-static (manually configured VLAN), MAC address:
00d0.f800.0001 and mask: FFFF.FFFF.0000, the two VLANs must be the same, that is, VLAN-radius and
VLAN-static must be identical; otherwise, abnormalities such as the following can occur for 802.1X users with
VLAN assignment (the list is not exhaustive):

802.1X users are authenticated successfully, but their legitimate data packets are dropped after authentication,
so network access fails.

After the user sends an EAPOL-LOGOFF message to go offline, the authentication server still shows the user
as online because the 802.1X authentication entry remains on the device.
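
As an added Python example, not RGOS code, the block below implements the four processing steps for a RADIUS-assigned VLAN given above and a check for the MAC VLAN mask conflict described in the note just before it. The VLAN name table, the supported VLAN ID range of 1..4094 and the sample MAC VLAN entries are constructed assumptions, and any RFC 2868 tag byte in front of the tunnel attribute values is assumed to have been stripped already.

```python
"""Resolution of a RADIUS-assigned VLAN and a MAC VLAN mask-conflict check (added
example, not RGOS code).

Implements the processing steps and the standard-attribute ranges given in the guide
(Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), Tunnel-Private-Group-ID = VLAN ID or
VLAN name) and the "mask not all Fs" conflict from the note above.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6
MAX_VLAN_ID = 4094       # assumption for "the VLAN ID range the system supports"


@dataclass
class Resolution:
    status: str                      # "switch", "none" (VLAN ID 0) or "fail"
    vlan_id: Optional[int] = None
    reason: str = ""


def resolve_assigned_vlan(attrs: Dict[int, object], vlan_names: Dict[str, int]) -> Resolution:
    """attrs: parsed standard attributes keyed by number (64, 65, 81).
    vlan_names: VLAN name -> VLAN ID as configured on the access device."""
    if attrs.get(64) != TUNNEL_TYPE_VLAN or attrs.get(65) != TUNNEL_MEDIUM_802:
        return Resolution("fail", reason="Tunnel-Type/Tunnel-Medium-Type outside the valid range")
    group = str(attrs.get(81, ""))
    # Steps 1 and 2: treat the value as a VLAN name first.
    if group in vlan_names:
        return Resolution("switch", vlan_names[group], "matched an existing VLAN name")
    # Step 3: no such name, so treat the value as a VLAN ID.
    if not group.isdigit():
        return Resolution("fail", reason=f"no VLAN named {group!r} on the device")
    vid = int(group)
    if vid == 0:
        return Resolution("none", reason="VLAN ID 0: no VLAN assignment information")
    if 1 <= vid <= MAX_VLAN_ID:
        return Resolution("switch", vid, "valid VLAN ID")
    # Step 4: anything else fails the authentication.
    return Resolution("fail", reason=f"VLAN ID {vid} outside the supported range")


def mac_to_int(mac: str) -> int:
    """Accepts 00d0.f800.0001, 00:d0:f8:00:00:01 or 00-d0-f8-00-00-01."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def mac_vlan_conflicts(user_mac: str, radius_vlan: int,
                       static_entries: Iterable[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Return the static MAC VLAN entries (mac, mask, vlan) whose mask is not all Fs,
    whose masked MAC covers user_mac, and whose VLAN differs from the RADIUS one.
    Each entry returned is a configuration the note above says must be corrected."""
    full_mask = 0xFFFFFFFFFFFF
    user = mac_to_int(user_mac)
    conflicts = []
    for mac, mask, vlan in static_entries:
        m = mac_to_int(mask)
        if m != full_mask and (user & m) == (mac_to_int(mac) & m) and vlan != radius_vlan:
            conflicts.append((mac, mask, vlan))
    return conflicts


if __name__ == "__main__":
    names = {"staff": 10, "guest": 20}                       # constructed VLAN table
    print(resolve_assigned_vlan({64: 13, 65: 6, 81: "staff"}, names))
    print(resolve_assigned_vlan({64: 13, 65: 6, 81: "30"}, names))
    print(resolve_assigned_vlan({64: 13, 65: 6, 81: "lab"}, names))
    static = [("00d0.f800.0001", "FFFF.FFFF.0000", 30)]      # constructed static entry
    print(mac_vlan_conflicts("00d0.f800.0001", 10, static))  # conflicting: VLAN 30 != 10
```

Running `mac_vlan_conflicts` over the device's static MAC VLAN entries before a rollout of RADIUS VLAN assignment surfaces exactly the case the note describes: a wildcard entry in VLAN-static covering a user whom the server places in a different VLAN-radius.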

To enable the dynamic VLAN auto-switching function on an interface, run the following commands:

- Enable the AAA function

Command Function
Ruijie (config)#aaa new-model Enable the AAA function

For the details, see AAA Configuration.

- Set the RADIUS server

Command Function
Ruijie (config)#radius-server host host-ip Configure the RADIUS server.
Ruijie (config)#radius-server key text Configure the RADIUS server shared key.

For the details, see RADIUS Configuration.

- Enable the method list

Command Function
Ruijie (config)#aaa authentication dot1x list1 group radius Configure the authentication method list1.
Ruijie (config)#aaa accounting network list2 start-stop group radius Configure the accounting method list2.

For the details, see AAA Configuration.

- 802.1X method list

Command Function
Ruijie (config)#dot1x authentication list1 Select list1 as the authentication method list, which is configured in step 3.
Ruijie (config)#dot1x accounting list2 Select list2 as the accounting method list, which is configured in step 3.

- Display the dynamic VLAN auto-switching settings

Command Function
show dot1x user id session_id Display the user information for session_id, including the dynamic VLAN auto-switching
information.
show dot1x summary Display the actual VLAN where the user is.

The VLAN auto-switching function is configured on access devices. For the related precautions, see the chapter of Other
Precautions of 802.1X Configuration.

Shielding Proxy Server and Dial-up


Two major potential threats to network security are a user setting up his or her own proxy server, and a user dialing up to
access the network after authentication. Star switches provide a function to shield proxy servers and dial-up
connections.

This function requires no settings on the device; only the corresponding attributes need to be configured on the Radius
server. Since Radius has no standard attributes for this kind of authorization information, it can only be transferred
through manufacturer custom attributes. For the general format, see the Authorization section.

The proxy server shielding function defines the Vendor type of 0x20, and the dial-up shielding function defines the Vendor
type of 0x21.

The Attribute-Specific field is a 4-byte manufacturer defined attribute, which defines the actions taken against proxy server
access and dial-up access. 0x0000 means normal connection, without shielding detection. 0x0001 means shielding
detection.

To shield the access via the proxy server, you should fill in the following information:

Figure 0-6
To shield the access via the dial-up connection, you should fill in the following information:

Figure 0-7
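
An added Python example (not code from the guide, from RGOS or from a Ruijie server) that encodes and decodes the vendor-specific attributes used by the Authorization, VLAN assignment and shielding features above, so that an administrator can check what a server is actually sending. The vendor ID 0x00001311, vendor-type 4 for VLAN assignment, 0x20 and 0x21 for proxy and dial-up shielding, the 4-byte 0x0000/0x0001 action values and the 10000 kbps = 0x00002710 rate encoding come from this guide; the vendor-type for the maximum data rate is not given on the page, so `VT_MAX_RATE_PLACEHOLDER` is a placeholder that must be replaced with the real number.

```python
"""Ruijie vendor-specific RADIUS attribute encoding and decoding (added example, not RGOS code).

RADIUS attribute 26 (Vendor-Specific, RFC 2865) carries a 4-byte Vendor-Id followed by
vendor-type / vendor-length / value sub-attributes.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26
RUIJIE_VENDOR_ID = 0x00001311     # from the guide
VT_VLAN = 4                       # default extension type for VLAN assignment (guide)
VT_PROXY_SHIELD = 0x20            # proxy server shielding (guide)
VT_DIALUP_SHIELD = 0x21           # dial-up shielding (guide)
VT_MAX_RATE_PLACEHOLDER = 0x7F    # PLACEHOLDER: the real vendor-type is not stated in the guide
SHIELD_OFF, SHIELD_ON = 0, 1      # 0x0000 normal connection, 0x0001 shielding detection


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = RUIJIE_VENDOR_ID) -> bytes:
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    if not 0 < len(value) <= 247:        # 253 - 4 (vendor id) - 2 (sub-attribute header)
        raise ValueError("VSA value must be 1..247 bytes")
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([ATTR_VENDOR_SPECIFIC, len(body) + 2]) + body


def shield_attr(vendor_type: int, enabled: bool) -> bytes:
    """Proxy (0x20) or dial-up (0x21) shielding: 4-byte action value."""
    return encode_vsa(vendor_type, struct.pack("!I", SHIELD_ON if enabled else SHIELD_OFF))


def rate_value(kbps: int) -> bytes:
    """Maximum data rate value: 4-byte big-endian kbps (10000 kbps -> 00 00 27 10)."""
    return struct.pack("!I", kbps)


def vlan_attr(vlan: str) -> bytes:
    """VLAN assignment through the vendor-extension attribute (VLAN ID or name as text)."""
    return encode_vsa(VT_VLAN, vlan.encode())


def decode_vsas(attrs: bytes, vendor_id: int = RUIJIE_VENDOR_ID) -> dict:
    """Walk a RADIUS attribute list and return {vendor_type: value} for this vendor's
    VSAs.  Other attributes and other vendors' VSAs are skipped; malformed lengths
    raise instead of being silently accepted."""
    out, pos = {}, 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        kind, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute length")
        if kind == ATTR_VENDOR_SPECIFIC and length >= 9:
            body = attrs[pos + 2:pos + length]
            if struct.unpack("!I", body[:4])[0] == vendor_id:
                sub, spos = body[4:], 0
                while spos < len(sub):
                    if spos + 2 > len(sub):
                        raise ValueError("truncated sub-attribute header")
                    vt, vl = sub[spos], sub[spos + 1]
                    if vl < 2 or spos + vl > len(sub):
                        raise ValueError("malformed sub-attribute length")
                    out[vt] = sub[spos + 2:spos + vl]
                    spos += vl
        pos += length
    return out


if __name__ == "__main__":
    reply = (shield_attr(VT_PROXY_SHIELD, True) + shield_attr(VT_DIALUP_SHIELD, False)
             + vlan_attr("vlan10") + encode_vsa(VT_MAX_RATE_PLACEHOLDER, rate_value(10000)))
    for vt, value in decode_vsas(reply).items():
        print(f"vendor-type 0x{vt:02x}: {value.hex()}")
```

Feeding the attribute bytes of a captured Access-Accept into `decode_vsas` shows at a glance whether the server really set shielding detection (value 00000001) and which VLAN and rate it delivered, which is the quickest way to separate a server-side attribute mistake from a device-side one.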

Configuring Dynamic ACL Assignment


802.1X supports ACL assignment from the server and dynamic installation of the assigned ACL. Our products support
installing such ACLs by default: an ACL is installed dynamically when the permitted ACL is set on the server and assigned
after successful user authentication.

To implement dynamic ACL assignment, set the port to MAC-based authentication mode or port-based single-user
authentication mode. For the configuration, refer to the related command configuration manual.

In single-host authentication mode, ACL update on re-authentication is supported: the ACL takes effect when an ACL is
set for the authenticated user on the server and the user re-authenticates.

MAC-based authentication mode does not support ACL update on re-authentication, that is, the ACL of an
authenticated user can only be assigned once. If the ACL changes at re-authentication, the new ACL is ignored and
the original ACL remains.

Supported ACL type: extended ACLs whose function can be interpreted on our switch.

Run the following command if dynamic ACL assignment is needed with a third-party server (one not certified by our
company):

Ruijie#configure terminal
Ruijie(config)# radius vendor-specific extend

Configuring to Permit Station Move


By default, after an 802.1X user passes authentication on a port, the MAC address of the user is bound to that port and
is not allowed to appear on any other port.

Under certain circumstances, however, a user may need to move to another port after passing authentication. For
example, a separate switch is deployed between the switch with 802.1X authentication enabled and the user PC. When
the user simply unplugs the network cable and moves from port 1 to port 2, port 1 does not receive a Down event and is
unaware that the user has disconnected, so the PC connected to port 2 cannot pass authentication and access the
network.

To let the user access the network after moving to port 2, permit station move in global configuration mode. When the
user appears on port 2, the user on port 1 is forced to disconnect from the network and re-authentication is initiated on
port 1. The user can move between different ports of the same device or even across different devices, between
controlled ports, or from a controlled port to an uncontrolled port.

Execute the following steps to allow MAC move:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie (config)# station-move permit Permit authenticated station move.
Ruijie (config)# end Return to privileged EXEC mode.
Ruijie# show dot1x Display 802.1X global configuration.

Configuration example:

Ruijie(config)# station-move permit

Use this command if you want an online station to move to another physical place (with a different port number
or VLAN) and be re-authenticated while staying online. If there is MAC address spoofing on the network,
enabling MAC move allows authenticated users to be preempted by fake users.

If the user does not move to another port but changes its IP address on the original port, or unplugs and replugs
the network cable, the re-authentication process is triggered.

If the user's MAC address is configured as a static MAC address, the user cannot move.
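
An added Python example, not code from the guide or from RGOS, for monitoring station moves once station-move permit is enabled: it runs over a constructed list of (seconds, MAC, port) authentication events (not the RGOS log format) and reports MACs that changed port more than an allowed number of times within a time window, so the operator can review them for the preemption risk the note above mentions.

```python
"""Station-move monitoring after `station-move permit` (added example, not RGOS code).

A legitimate user moves occasionally; a MAC address that keeps alternating between
ports within a short window is worth a look.  Events are (seconds, MAC, port) tuples
constructed here; the threshold and window are assumptions to tune per site.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample events: user 0001 bounces between Gi0/1 and Gi0/7 within a minute,
# user 0002 moves once, several minutes apart.
SAMPLE_EVENTS = [
    (0, "00d0.f800.0001", "Gi0/1"),
    (30, "00d0.f800.0002", "Gi0/2"),
    (40, "00d0.f800.0001", "Gi0/7"),
    (45, "00d0.f800.0001", "Gi0/1"),
    (50, "00d0.f800.0001", "Gi0/7"),
    (400, "00d0.f800.0002", "Gi0/9"),
]


def flapping_stations(events: Iterable[Tuple[int, str, str]], window: int = 60,
                      max_moves: int = 2) -> Dict[str, Tuple[int, int]]:
    """Return {mac: (window_start, moves)} for every MAC whose port changed more than
    max_moves times inside any window of `window` seconds."""
    by_mac = defaultdict(list)
    for t, mac, port in sorted(events):
        by_mac[mac].append((t, port))
    flagged: Dict[str, Tuple[int, int]] = {}
    for mac, seq in by_mac.items():
        for i in range(len(seq)):
            t0 = seq[i][0]
            moves = 0
            for j in range(i + 1, len(seq)):
                if seq[j][0] - t0 > window:
                    break
                if seq[j][1] != seq[j - 1][1]:   # a port change counts as one move
                    moves += 1
            if moves > max_moves:
                flagged[mac] = (t0, moves)
                break                             # one report per MAC is enough
    return flagged


if __name__ == "__main__":
    for mac, (start, moves) in flapping_stations(SAMPLE_EVENTS).items():
        print(f"{mac}: {moves} port changes within 60 s starting at t={start}s; review")
```

With the sample data only the first MAC is reported; a single move such as the second user's is exactly the case station-move permit exists for and is left alone.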

Configuring Local Authentication


The local database can be used to authenticate access users when there is no RADIUS server or the RADIUS server is
not used for authentication.

Perform the following steps to configure local authentication:

Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie (config)# aaa new-model Enable AAA.
Ruijie (config)# aaa authentication dot1x mlist local Configure the 802.1X authentication method list mlist to
perform local authentication.
Ruijie (config)# username xxx password xxx Create a local user xxx.
Ruijie (config)# dot1x authentication mlist Apply the method list mlist.
Ruijie (config)# dot1x auth-mode { pap | chap } Configure the authentication method as PAP or CHAP.
Ruijie (config)# end Return to the privileged mode.
Ruijie# show running-config Display all configurations.

After local authentication is configured, the local database is used to authenticate users. This also applies to
MAC authentication bypass (MAB): create a local user whose username and password are both the MAC address (the 12
hexadecimal digits without separators, as shown in the User name field of show dot1x user output for such users).

Configuring Maximum Number of Auth-Users on Controlled Interfaces


Use this command to set the maximum auth-user number on controlled interfaces in interface configuration mode. Use
the no form of this command to restore the default setting. The default is 1000000.

Command Function
dot1x default-user-limit num Set the maximum auth-user number on controlled interfaces.
num: The maximum number of users allowed on a controlled interface, in the range from 1 to 1000000.

Use the show dot1x dynamic-vlan command to display the 802.1X setting.

The following example sets the maximum auth-user number on a controlled interface.

Ruijie# configure terminal
Ruijie(config)# interface fa 0/10
Ruijie(config-if)# dot1x default-user-limit 1000
Ruijie(config-if)# end
Ruijie#

Configuring Authentication Timeout


Use this command to set the authentication timeout between the device and the supplicant in global configuration mode.
The default is 3 seconds.

Command Function
dot1x timeout supp-timeout seconds Set the authentication timeout between the device and the supplicant.
seconds: Authentication timeout between the device and the supplicant, in the range from 0 to 65535 seconds.

The following example sets the authentication timeout between the device and the supplicant to 10s:

Ruijie# configure terminal
Ruijie(config)# dot1x timeout supp-timeout 10
Ruijie(config)# end
Ruijie# show dot1x
802.1X Status: Enabled
Authentication Mode: EAP-MD5
Authed User Number: 0
Re-authen Enabled: Disabled
Re-authen Period: 1000 sec
Quiet Timer Period: 1000 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 10 sec
Server Timeout: 10 sec
Re-authen Max: 3 times
Maximum Request: 3 times
Filter Non-RG Supp: Disabled
Client Oline Probe: Disabled
Eapol Tag Enable: Disabled
Authorization Mode: Group Server

Enabling 802.1X Authentication for Encryption Only


Use this command in WLAN security configuration mode to use 802.1X only for encryption, with Web authentication taking
the place of 802.1X for user authentication. Use the no form of this command to restore the default setting. This
function is disabled by default.

Command Function
dot1x encryption only Enable the 802.1X authentication for only encryption
purpose.

The following example enables the 802.1X authentication for only encryption purpose.

Ruijie(config-wlansec)#dot1x encryption only

Enabling Interface IP Authorization


Use this command to enable interface IP authorization in interface configuration mode. Interface IP authorization is
disabled on interfaces by default.

Command Function
dot1x authorization ip-auth-mode { disable | supplicant | radius-server | dhcp-server | mixed } Enable interface IP authorization.
disable: Disables interface IP authorization.
supplicant: Enables supplicant authorization mode.
radius-server: Enables RADIUS server authorization mode.
dhcp-server: Enables DHCP server authorization mode.
mixed: Enables mixed authorization mode.

Supplicant authorization mode supports only the Ruijie supplicant.

RADIUS-server authorization mode requires the server to deliver the user's IP address (the Framed-IP-Address
attribute).

DHCP-server authorization mode requires DHCP snooping or DHCP relay to be enabled on the device.

Mixed authorization mode supports multiple authorization methods.

The interface IP authorization mode takes precedence over the global configuration. The following example enables
supplicant authorization mode.

Ruijie(config-if-GigabitEthernet 0/1)# dot1x authorization ip-auth-mode supplicant

Enabling RADIUS Server Bypass Function


Use this command to enable the RADIUS server bypass function and support the bypass WLAN in global configuration
mode. Use the no form of this command to restore the default setting. This function is disabled by default.

Command Function
dot1x event server-invalid action bypass-wlan wlan-id Enable the RADIUS server bypass function and support the bypass WLAN.
wlan-id: The ID of the bypass WLAN

The following example enables the RADIUS server bypass function with WLAN 10 as the bypass WLAN.

Ruijie(config)#dot1x event server-invalid action bypass-wlan 10

Configuring the Maximum Number of Authentication Requests


To set the maximum number of authentication requests, use the following command in global configuration mode. The
default is 3. Use the no form of this command to restore the default setting.

Command Function
dot1x max-req count Set the maximum number of times the device resends an authentication request to the server
when no response is received within the server timeout. After this many unanswered requests the device stops
retrying.
count: Maximum number of authentication requests sent to the server.

Use the show dot1x command to display the 802.1X configuration.

The following example sets the maximum auth-request number to 7.


Ruijie# configure terminal
Ruijie(config)# dot1x max-req 7
Ruijie(config)# end
Ruijie#

Configuring Logging Rate-Limit


Use this command to set the logging rate-limit in global configuration mode. Use the no form of this command to
restore the default setting. The default is 5 logs per second.

Command Function
dot1x logging rate-limit value Set the logging rate-limit.
value: Logging rate
0: logging rate is not limited.

The default setting is recommended. Lower the limit if frequent user online/offline events raise CPU usage. The
following example sets the logging rate-limit to 20 logs per second.

Ruijie(config)# dot1x logging rate-limit 20

Clearing 802.1X Authentication Users


To clear 802.1X authentication users by username, session ID, IP address or MAC address, or to clear all of them, use
the following commands in privileged EXEC mode.

Command Function
clear dot1x user name name-str Clear 802.1X authentication users based on usernames.
name-str: The username of the 802.1X authentication user
clear dot1x user id session-id Clear 802.1X authentication users based on session IDs.
session-id: Session ID
clear dot1x user ip ip-addr Clear 802.1X authentication users according to IP
addresses.
ip-addr: IP address
clear dot1x user mac mac-addr Clear 802.1X authentication users based on MAC
addresses.
mac-addr: MAC address
clear dot1x user all Clear all the 802.1X authentication users on the device.

Enabling IP Address-Triggered Accounting


Use this command to enable IP address-triggered accounting in global configuration mode. Use the no form of this
command to restore the default setting. This function is disabled by default.

Command Function
dot1x valid-ip-acct enable Enable IP address-triggered accounting.

With this function enabled, accounting starts only after the user obtains a valid IP address. The following example
enables IP address-triggered accounting.

Ruijie(config)#dot1x valid-ip-acct enable


Configuring IP Address-Triggered Accounting Timeout


Use this command to configure the IP address-triggered accounting timeout in global configuration mode. Use the no form
of this command to restore the default setting. The default is 5 minutes.

Command Function
dot1x valid-ip-acct timeout time Configure the IP address-triggered accounting timeout.
time: Timeout in minutes

When IP address-triggered accounting is enabled, accounting does not start until the user obtains an IP address. Use
this command to configure how long the device waits for the address. The following example sets the IP
address-triggered accounting timeout to 10 minutes.

Ruijie(config)#dot1x valid-ip-acct timeout 10

Configuring User Info-Triggered Accounting Timeout


Use this command to configure the user info-triggered accounting timeout in global configuration mode. Use the no form
of this command to restore the default setting. The default is 5 minutes.

Command Function
dot1x valid-ip-acct timeout time Configure the user info-triggered accounting timeout.
time: Timeout in minutes

Enabling MAB in a WLAN


Use this command to enable MAB function in WLAN security configuration mode. Use the no form of this command to
restore the default setting. This function is disabled by default.

Command Function
dot1x-mab Enable MAB function.

(Optional) Use this command to enable MAB, so that STAs in the WLAN are authenticated by MAC address.

The following example enables MAB function in WLAN.

Ruijie(config-wlansec)# dot1x-mab

Enabling User Online/Offline Traps


Use this command in global configuration mode to make the device send a trap to the SNMP server when a user goes
online or offline. Use the no form of this command to restore the default setting. This function is disabled by
default.

Command Function
dot1x user-trap enable Enable user online/offline traps.

The following example enables online/offline traps for STAs.

Ruijie(config)# dot1x user-trap enable

Enabling Traffic Detection


Use this command to enable traffic detection in WLAN security configuration mode. Use the no form of this command to
disable this function. By default, this function is enabled on ACs and disabled on APs.

Command Function
dot1x offline-detect {[interval val] | [flow num]} Enable traffic detection.
val: Traffic detection interval in the unit of minutes
The default is 15 minutes.
num: Traffic threshold in the unit of KB
The default is 0 KB.

(Optional) Use this command so that the device stops accounting for a STA that has actually gone offline instead of
continuing to bill it. Traffic detection parameters configured in WLAN security configuration mode take precedence
over those configured in global configuration mode.

The following example enables traffic detection.

Ruijie(config)# dot1x offline-detect interval 5 flow 20

Enabling Debug Information Print


Use this command to enable debug information printing for the user with the specified MAC address in global
configuration mode. Use the no form of this command to remove the filter. By default, debug information of all
authentication users is printed.

Command Function
dot1x dbg-filter H.H.H Enable debug information print for a user with a specified
MAC address.
H.H.H: The MAC address of a device

Use this command to print the debug information of a single user when locating a fault on a network with many users.

The following example enables debug information print.

Ruijie(config)# dot1x dbg-filter 00d0.f800.0001

Restoring 802.1X configuration to Default Setting


Use this command to restore 802.1X configuration to the default setting in global configuration mode.

Command Function
dot1x default Restore 802.1X configuration to the default setting.

The following example restores 802.1X configuration to the default setting.

Ruijie# configure terminal
Ruijie(config)# dot1x default
Ruijie(config)# end
Ruijie#

Monitoring

802.1X provides full state machine information, which is useful for network management: the administrator can monitor
user status in real time and troubleshoot quickly.

 Viewing the RADIUS Authentication and Accounting Configuration
 Viewing the Number of Current Users
 Viewing the List of Authenticable Addresses
 Viewing the User Authentication Status Information
 Displaying the 802.1X Client Probe Time Configuration
 Example of Configuring 802.1X Port-Based Dynamic VLAN Assignment

Displaying the Radius Authentication and Accounting Configuration


Run the show radius server command to check the RADIUS server configuration, and run the show aaa user command to
view user-related information.

Ruijie# show radius server


Server IP: 192.168.5.11
Accounting Port: 1813
Authen Port: 1812
Server State: Ready

Displaying the Number of Current Users


802.1X lets you view two user counts: the number of current users and the number of authorized users. The number of
current users is the total number of users that have attempted authentication (successfully or not), while the number
of authorized users is the total number of users that have been authorized.

In privileged EXEC mode, run the show dot1x command to display the 802.1X configuration, including the number of
current users and the number of authenticated users.

The following example displays the 802.1X configuration:

Ruijie# show dot1x


802.1X Status: Disabled
Authentication Mode: EAP-MD5
Authed User Number: 0
Re-authen Enabled: Disabled
Re-authen Period: 3600 sec
Quiet Timer Period: 10 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 3 sec
Server Timeout: 5 sec
Re-authen Max: 3 times
Maximum Request: 3 times
Filter Non-RG Supp: Disabled
Client Oline Probe: Disabled
Eapol Tag Enable: Disabled
Authorization Mode: Disabled
MAC Move Permit: Enabled
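
The settings in this output are the ones the configuration examples later in this chapter tune (periodic
re-authentication, the quiet period after a failed attempt, and station move). The following Python script is an
added example, not Ruijie code: it parses show dot1x output into a dictionary and checks it against a small
hardening policy. The output text is constructed from the fields shown in this guide (both the "Enabled/Disabled"
and "enable/disable" spellings that appear in it are accepted), and the POLICY thresholds are assumptions to adapt
per site; the function names are the example's own.

```python
"""
Audit 'show dot1x' output against a small hardening policy: 802.1X enabled,
periodic re-authentication on with a bounded period, a quiet period long enough
to slow password guessing against the RADIUS server, and station move (MAC Move
Permit) disabled unless roaming is actually needed.
Added example, not Ruijie code. SHOW_DOT1X is constructed from the fields this
guide shows; the POLICY thresholds are assumptions.
"""
import re

SHOW_DOT1X = """\
802.1X Status: enable
Authentication Mode: eap-md5
Authed User Number: 1(exclude dynamic user)
Re-authen Enabled: disable
Re-authen Period: 3600 sec
Quiet Timer Period: 10 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 3 sec
Server Timeout: 5 sec
Re-authen Max: 3 times
Maximum Request: 3 times
Private supplicant only: disable
Client Online Probe: disable
Eapol Tag Enable: disable
Authorization Mode: disable
MAC Move Permit: Enabled
"""

POLICY = {
    "min_quiet_period": 60,     # seconds a failed supplicant must wait before retrying (assumption)
    "max_reauth_period": 3600,  # seconds between re-authentications (assumption)
    "allow_station_move": False,
}


def parse_show_dot1x(text):
    """Map lower-cased field names to their raw values ('Re-authen Period' -> '3600 sec')."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def is_enabled(value):
    """Accept both spellings seen in the output: 'Enabled'/'enable' vs 'Disabled'/'disable'."""
    return value.strip().lower().startswith("enable")


def seconds(value):
    """'3600 sec' -> 3600; None if the field is absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def audit(settings, policy=POLICY):
    """Return a list of 'code: explanation' findings; an empty list means the policy is met."""
    findings = []
    if not is_enabled(settings.get("802.1x status", "")):
        findings.append("802.1x-disabled: 802.1X is globally disabled")
    if not is_enabled(settings.get("re-authen enabled", "")):
        findings.append("reauth-off: periodic re-authentication is disabled, so an online "
                        "session is never re-validated")
    else:
        period = seconds(settings.get("re-authen period"))
        if period is None or period > policy["max_reauth_period"]:
            findings.append("reauth-period: re-authentication period exceeds %d s"
                            % policy["max_reauth_period"])
    quiet = seconds(settings.get("quiet timer period"))
    if quiet is None or quiet < policy["min_quiet_period"]:
        findings.append("quiet-period: quiet period below %d s lets a failing supplicant "
                        "hammer the RADIUS server" % policy["min_quiet_period"])
    if is_enabled(settings.get("mac move permit", "")) and not policy["allow_station_move"]:
        findings.append("station-move: MAC move is permitted, so a forged MAC address can "
                        "preempt an authenticated user")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_dot1x(SHOW_DOT1X)):
        print(finding)
```

Run it against the output of a real device by pasting the show dot1x text into SHOW_DOT1X; the three findings it
reports for the constructed sample (re-authentication off, a 10 s quiet period, MAC move permitted) are exactly the
settings the 802.1X-based AAA example in this chapter changes.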

Displaying the User Authentication Status Information


The administrator can view the authentication status of the current users of the device for easier troubleshooting.

In privileged EXEC mode, view the user authentication status information with the following command:

Command Function
show dot1x summary Display the user authentication status information.

Details of a single session can be displayed by session ID, MAC address or username with show dot1x user id, show
dot1x user mac and show dot1x user name.

The following example displays the user authentication status information.

Ruijie(config)#sh dot1x summary


ID       Username   MAC            Interface VLAN Auth-State    Backend-State Port-Status User-Type Time
-------- ---------- -------------- --------- ---- ------------- ------------- ----------- --------- ------------------
16777228 6c626dd... 6c62.6dd5.84ac Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777229 6c626dd... 6c62.6dd5.84b4 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777217 0023aea... 0023.aeaa.4286 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m32s
16777227 6c626dd... 6c62.6dd5.84af Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777218 6c626dd... 6c62.6dd5.84aa Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777219 6c626dd... 6c62.6dd5.84b2 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777230 6c626dd... 6c62.6dd5.84ad Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777223 6c626dd... 6c62.6dd5.84b0 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777222 6c626dd... 6c62.6dd5.84a8 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777220 6c626dd... 6c62.6dd5.84ab Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777221 6c626dd... 6c62.6dd5.84b3 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777226 6c626dd... 6c62.6dd5.84ae Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777225 6c626dd... 6c62.6dd5.84b1 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777224 6c626dd... 6c62.6dd5.84a9 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s

Ruijie(config)#show dot1x user id 16777226

User name: 6c626dd584ae


User id: 16777226
Type: static
Mac address is 6c62.6dd5.84ae
Vlan id is 2
Access from port Gi0/5
Time online: 0days 0h 3m55s
Max user number on this port is 0
No accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name 6c626dd584ae_6_0_0 :

Ruijie(config)#show dot1x user mac 6c62.6dd5.84a9

User name: 6c626dd584a9


User id: 16777224
Type: static
Mac address is 6c62.6dd5.84a9
Vlan id is 2
Access from port Gi0/5
Time online: 0days 0h 4m 7s
Max user number on this port is 0
No accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name 6c626dd584a9_6_0_0 :

Ruijie(config)#show dot1x user name 6c626dd584a9

User name: 6c626dd584a9


User id: 16777224
Type: static
Mac address is 6c62.6dd5.84a9
Vlan id is 2
Access from port Gi0/5
Time online: 0days 0h 4m19s
Max user number on this port is 0
No accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name 6c626dd584a9_6_0_0 :
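
The summary table above is the view an operator has of who is on which port, and it is also where the station-move
caveat earlier in this chapter shows up: once MAC move is permitted, a forged MAC address preempts the authenticated
user's session and the MAC simply reappears on another interface. The following Python script is an added example,
not Ruijie code: it parses show dot1x summary rows, flags a MAC present on more than one interface, sessions that are
not in the Authenticated/Authed state, interfaces over a per-port user limit (mirroring dot1x default-user-limit),
and MACs whose interface changed between two snapshots. Both snapshots are constructed in the unwrapped single-line
column layout of the command's output; the function names are the example's own.

```python
"""
Parse 'show dot1x summary' output and flag sessions worth a second look.
Added example, not Ruijie code. SNAPSHOT_1 and SNAPSHOT_2 are constructed
in the unwrapped column layout:
ID Username MAC Interface VLAN Auth-State Backend-State Port-Status User-Type Time
"""
from collections import defaultdict

SNAPSHOT_1 = """\
ID       Username   MAC            Interface VLAN Auth-State    Backend-State Port-Status User-Type Time
-------- ---------- -------------- --------- ---- ------------- ------------- ----------- --------- ------------------
16777217 0023aea... 0023.aeaa.4286 Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m32s
16777218 6c626dd... 6c62.6dd5.84aa Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 0m 2s
16777219 6c626dd... 6c62.6dd5.84aa Gi0/7     2    Authenticated Idle          Authed      static    0days 0h 0m 1s
16777220 qq         00d0.f864.6909 Fa0/1     1    Connecting    Request       Unauthed    static    0days 0h 0m 0s
"""

# The same device a minute later: 0023.aeaa.4286 now appears on Gi0/9 (constructed).
SNAPSHOT_2 = """\
ID       Username   MAC            Interface VLAN Auth-State    Backend-State Port-Status User-Type Time
-------- ---------- -------------- --------- ---- ------------- ------------- ----------- --------- ------------------
16777231 0023aea... 0023.aeaa.4286 Gi0/9     2    Authenticated Idle          Authed      static    0days 0h 0m 3s
16777218 6c626dd... 6c62.6dd5.84aa Gi0/5     2    Authenticated Idle          Authed      static    0days 0h 1m 2s
"""

FIELDS = ("id", "username", "mac", "interface", "vlan",
          "auth_state", "backend_state", "port_status", "user_type")


def parse_summary(text):
    """Return one dict per session row; header, separator and blank lines are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with the numeric session ID and has all fixed columns.
        if len(parts) < len(FIELDS) or not parts[0].isdigit():
            continue
        rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
        # The Time column itself contains spaces ("0days 0h 0m 2s"), so it is whatever is left.
        rec["time"] = " ".join(parts[len(FIELDS):])
        sessions.append(rec)
    return sessions


def find_issues(sessions, per_port_limit=1000000):
    """Return (kind, mac, interface, detail) tuples; per_port_limit mirrors dot1x default-user-limit."""
    issues = []
    ports_by_mac = defaultdict(set)
    count_by_port = defaultdict(int)
    for s in sessions:
        ports_by_mac[s["mac"]].add(s["interface"])
        count_by_port[s["interface"]] += 1
        if s["auth_state"] != "Authenticated" or s["port_status"] != "Authed":
            issues.append(("not-authenticated", s["mac"], s["interface"], s["auth_state"]))
    for mac, ports in ports_by_mac.items():
        if len(ports) > 1:
            # One MAC should never hold sessions on two ports of the same device at once.
            issues.append(("mac-on-multiple-ports", mac, ",".join(sorted(ports)), ""))
    for port, n in count_by_port.items():
        if n > per_port_limit:
            issues.append(("port-over-limit", "", port, str(n)))
    return issues


def station_moves(before, after):
    """MACs present in both snapshots that gained an interface they did not have before."""
    def ports(sessions):
        m = defaultdict(set)
        for s in sessions:
            m[s["mac"]].add(s["interface"])
        return m
    b, a = ports(before), ports(after)
    return sorted((mac, ",".join(sorted(b[mac])), ",".join(sorted(a[mac])))
                  for mac in b if mac in a and a[mac] - b[mac])


if __name__ == "__main__":
    s1, s2 = parse_summary(SNAPSHOT_1), parse_summary(SNAPSHOT_2)
    for issue in find_issues(s1, per_port_limit=1):
        print(issue)
    for move in station_moves(s1, s2):
        print("moved:", move)
```

A MAC that keeps "moving" between snapshots while the legitimate user has not changed desks is the symptom the
station-move caveat warns about; correlate such moves with the device's online/offline traps or logs before deciding
whether to disable station move.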

Example of Configuring 802.1X Port-based Dynamic VLAN Assignment


In a school, there are three types of user groups as shown below:

 Students
 Trusted students (such as student cadres)
 Teaching and administrative staff

Fundamental requirements are shown below:

 Each member of these three user groups can be connected to any port of the access device and join the
corresponding VLAN.
 Complete data isolation shall be achieved between VLANs corresponding to three user groups, namely the
members of one group cannot exchange data with members of another group.

Network topology is shown below:

Figure 11 Typical topology of dynamic VLAN assignment

Configuration example is shown below

 Configure RADIUS server



Add the access device (NAS) with IP address 192.168.197.241, which uses the default authentication and accounting
ports of 1812 and 1813 and the shared key "shared".

Configure the VLAN for users of user group "students"

 Tunnel-Type = "VLAN",
 Tunnel-Medium-Type = "IEEE-802",
 Tunnel-Private-Group-ID = "students"

Configure the VLAN for users of user group "trusted_students"

 Tunnel-Type = "VLAN",
 Tunnel-Medium-Type = "IEEE-802",
 Tunnel-Private-Group-ID = "trusted_students"

Configure the VLAN for users of user group "staff"

 Tunnel-Type = "VLAN",
 Tunnel-Medium-Type = "IEEE-802",
 Tunnel-Private-Group-ID = "staff"

 Configure access switch


 Turn on AAA switch
configure terminal
aaa new-model
 Configure RADIUS server
configure terminal
radius-server host 192.168.197.154
radius-server key shared
 Configure authentication method list
configure terminal
aaa authentication dot1x default group radius
aaa accounting network default start-stop group radius
 802.1X to select the authentication method list
configure terminal
dot1x authentication default
dot1x accounting default
 Create VLANs to join after user authentication
configure terminal
vlan 2
name students
vlan 3
name trusted_students
vlan 4
name staff
 Create the management IP for access device
configure terminal
interface vlan 1
ip address 192.168.197.241 255.255.255.0

With this configuration, the requirements are met.
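
The three RADIUS attributes configured on the server for each user group (Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-ID) are what the access switch consumes to pick the VLAN. The following Python program is an
added example, not Ruijie or SAM code: it encodes the three tagged attributes as they appear on the wire (RFC 2868),
and resolves them the way an access switch has to before moving a port into a VLAN, that is, all three present with
the same tag, Tunnel-Type equal to VLAN (13) and Tunnel-Medium-Type equal to IEEE-802 (6), and a group ID that is
either a VLAN number or the name of a VLAN that exists on the switch; anything else yields no assignment. The
attribute bytes and the VLAN table (mirroring the vlan 2/3/4 names above) are constructed, and the function names are
the example's own.

```python
"""
Encode and decode the tagged tunnel attributes (RFC 2868) that carry an 802.1X
dynamic VLAN assignment in a RADIUS Access-Accept (RFC 3580, section 3.31), and
resolve the assignment the way an access switch must.
Added example, not Ruijie or SAM code; attribute bytes and VLAN_TABLE are constructed.
"""
import struct

# Attribute type codes (RFC 2868) and the values used for VLAN assignment (RFC 3580)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Constructed VLAN table matching the example ("vlan 2 / name students", ...)
VLAN_TABLE = {"students": 2, "trusted_students": 3, "staff": 4}


def encode_vlan_assignment(group_id, tag=1):
    """Build the three tagged attributes for one VLAN assignment, e.g. group_id='students'."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    gid = group_id.encode("ascii")
    if len(gid) > 252:
        raise ValueError("group id too long for one attribute")
    return (
        # Tunnel-Type: type, length 6, tag, 3-byte integer
        struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
        # Tunnel-Medium-Type: same layout
        + struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
        # Tunnel-Private-Group-ID: type, length, tag, string
        + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid
    )


def iter_attributes(buf):
    """Yield (type, value) from a RADIUS attribute list; malformed lengths are rejected."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        atype, alen = buf[i], buf[i + 1]
        if alen < 2 or i + alen > len(buf):
            raise ValueError("bad attribute length")
        yield atype, buf[i + 2:i + alen]
        i += alen


def split_tag(value):
    """Tagged attributes: a first byte of 0x00..0x1F is the tag, anything larger is data (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def resolve_vlan(buf, vlan_table):
    """
    Return the VLAN ID to apply, or None (fail closed) if no complete, consistent
    VLAN assignment is present or the named VLAN does not exist on the switch.
    """
    groups = {}
    for atype, value in iter_attributes(buf):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, body = split_tag(value)
            groups.setdefault(tag, {})[atype] = body
    for tag in sorted(groups):  # lowest tag wins when the server sends several sets
        g = groups[tag]
        if len(g) != 3:
            continue  # incomplete triplet for this tag
        if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue
        if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        gid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        vid = int(gid) if gid.isdigit() else vlan_table.get(gid)
        if vid is not None and 1 <= vid <= 4094:
            return vid
    return None


if __name__ == "__main__":
    accept = encode_vlan_assignment("students")
    print(accept.hex(), "->", resolve_vlan(accept, VLAN_TABLE))
```

Failing closed on an unknown VLAN name or a tag mismatch matters: a server misconfiguration must leave the port
unauthorized rather than silently drop the user into the port's default VLAN.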

Other Precautions

 Concurrent use of 1X and ACL

In non-IP authorization mode, if 802.1X authentication is enabled on a port and an ACL is also applied to that
interface, the ACL takes effect on the basis of the MAC address. In other words, only packets whose source MAC address
belongs to an authenticated user are passed on to ACL filtering; packets from other source MAC addresses are
discarded. The ACL can only work on the basis of the MAC address.

For example, if the authenticated MAC address is 00d0.f800.0001, all packets with source MAC address 00d0.f800.0001
can be switched. If the port is associated with an ACL, the ACL further filters these packets, for example by
rejecting ICMP packets from source MAC address 00d0.f800.0001.

 Restrictions while users on the interface are being authenticated or have been authenticated:

The port mode cannot be modified; for example, the switchport mode trunk command cannot be used.

The port access VLAN cannot be modified in access mode.

The allowed VLAN list and native VLAN cannot be modified in trunk mode.

The port cannot be added to or removed from an aggregate port (AP).

 Restrictions while users in the VLAN are being authenticated or have been authenticated:

The VLAN cannot be deleted.

The VLAN type cannot be modified; for example, the private-vlan primary command cannot be used.

 GVRP cannot be used together with the dynamic VLAN auto-switching function.


 802.1X can be used together with other access control functions, such as port security and IP+MAC binding. When
these functions are combined, a packet enters the switch only if it passes every one of them.
 If the native VLAN of a trunk or hybrid port is changed while a VLAN-switching function (guest VLAN, fail VLAN,
VLAN assignment, or IAB authentication with VLAN switching) is in effect on it, users in other VLANs can access the
network without authorization. It is therefore recommended that these VLAN-switching functions be enabled on access
ports only.

Configuration Examples

802.1X-based AAA Services


Network Topology

Figure 12 Network topology for the 802.1X-based AAA service

Networking Requirements

To ensure the validity of network access, the following requirements must be met:

 Access users on every port must pass 802.1X authentication before accessing the Internet (unauthenticated users
cannot access the network);
 Only Ruijie's client software (supplicant) may be used as the 802.1X client;
 Accounting is based on online time, and accounting update packets are sent to the RADIUS server periodically
(real-time accounting packets every 15 minutes);
 After sending an authentication request to the RADIUS server, the device resends the request if no reply is
received within 5 seconds, for a total of 6 attempts;
 Online users are monitored, to prevent an authenticated user from being preempted by another user and to detect
whether the user has disconnected;
 To protect the server from hostile attacks, a user that fails authentication may only start re-authentication
after 500 seconds; after more than 5 failed attempts the user is considered disconnected and the authentication
process ends.

Configuration Tips

 Enable AAA and configure communication between the device and the RADIUS server; configure 802.1X
authentication and configure the port the client connects to as a controlled port (port F0/1 in this example);
(requirement 1 of "Networking Requirements")
 Filter non-Ruijie supplicants (requirement 2 of "Networking Requirements")
 Configure 802.1X accounting and accounting update, and configure the interval of accounting update packets
(requirement 3 of "Networking Requirements")
 Configure the RADIUS server reply timeout as 5 s and the maximum number of authentication requests as 6
(requirement 4 of "Networking Requirements")
 Configure periodic re-authentication on the device (requirement 5 of "Networking Requirements")
 Configure the quiet period after a failed authentication as 500 s and the maximum number of authentication
retries as 5 (requirement 6 of "Networking Requirements")

Configuration Steps

Step 1: Configure relevant attributes of Radius Server


 Log in to the SAM (Security Accounting Management) system and click "System Management - Device Management" to
add the NAS device. The required configuration includes: "Device IP" - 192.168.217.81, "Device Group" - haha,
"Device Type" - switch, "Specific Model" - S21XX and later, "Device Key" - Ruijie, "Read/Write Community" - weilin,
"Device Aging Duration" - 3s, as shown below. The Device Key is the RADIUS shared secret; it is case-sensitive and
must match the radius-server key configured on the switch exactly.

Figure 0-8

 Click "User Management - User Management" to add the user information. The required configuration includes:
"Username" - qq, "Password" - 1234567, "User Group" - ceshi, as shown below:

Figure 0-9

Step 2: Configure access switch "SwitchA"

! Turn on AAA switch

Ruijie(config)#aaa new-model

! Configure RADIUS server

Ruijie(config)#radius-server host 192.168.32.120

! Configure RADIUS Key

Ruijie(config)#radius-server key ruijie

! Configure dot1x authentication method list

Ruijie(config)#aaa authentication dot1x hello group radius

! Apply dot1x authentication method list

Ruijie(config)#dot1x authentication hello

! Configure 802.1X accounting method list

Ruijie(config)#aaa accounting network jizhang start-stop group radius

! Apply 802.1X accounting method list


Ruijie(config)#dot1x accounting jizhang

! Configure accounting update

Ruijie(config)#aaa accounting update

! Configure the accounting update interval as 15 minutes

Ruijie(config)#aaa accounting update periodic 15

! Configure the reply timeout timer of Radius Server as 5s

Ruijie(config)#dot1x timeout server-timeout 5

! Configure maximum transmission retries as 6 times

Ruijie(config)#dot1x max-req 6

! Enable periodic re-authentication

Ruijie(config)#dot1x re-authentication

! Configure the re-authentication interval as 1000s

Ruijie(config)#dot1x timeout re-authperiod 1000

! Configure the quiet period of device as 500s

Ruijie(config)#dot1x timeout quiet-period 500

! Configure the maximum authentication retries of device as 5 times

Ruijie(config)#dot1x reauth-max 5

! Configure the default route of device

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.217.1

! Configure the IP address of device

Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0

Step 3: Use authentication client (such as supplicant) to carry out authentication; type in the correct username and
password and select the network adapter, and the authentication will succeed after a few seconds.

Verify Configurations

Step 1: Display the authentication state information of the current user for troubleshooting.

Ruijie#show dot1x summary


ID MAC Interface VLAN Auth-State Backend-State Port-Status User-Type
-------- -------------- --------- ---- --------------- ------------- ----------- ---------
1 00d0.f864.6909 Fa0/1 1 Authenticated Idle Authed static

Step 2: Display detailed information about authenticated user.

Ruijie#show dot1x user id 1


User name: qq
User id: 1
Type: static
Mac address is 00d0.f864.6909
Vlan id is 1
Access from port Fa0/1
Time online: 0days 0h 2m24s
User ip address is 192.168.217.82
Max user number on this port is 6000
Authorization session time is 20736000 seconds
Supplicant is private
Start accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name qq_1_0_0 :

Step 3: Display 1X configuration about the existing number of users and the number of authenticated users;

Ruijie#show dot1x

802.1X Status: enable


Authentication Mode: eap-md5
Total User Number: 1(exclude dynamic user)
Authed User Number: 1(exclude dynamic user)
Dynamic User Number: 0
Re-authen Enabled: enable
Re-authen Period: 1000 sec
Quiet Timer Period: 500 sec
Tx Timer Period: 3 sec
Supplicant Timeout: 3 sec
Server Timeout: 5 sec
Re-authen Max: 5 times
Maximum Request: 6 times
Private supplicant only: enable
Client Online Probe: disable
Eapol Tag Enable: disable
Authorization Mode: disable

Step 4: Display Radius authentication and accounting related configuration;

Ruijie#show radius server

Server IP: 192.168.32.120
Accounting Port: 1813
Authen Port: 1812
Server State: ready

Application of 802.1X port-based dynamic VLAN assignment


Network Topology

Figure 13 Topology for 802.1X port-based dynamic VLAN assignment

Networking requirements

A company has three user groups, namely "development" department, "finance" department and "market" department.
The following needs must be met:

 Each member of these three user groups can be connected to any port of the access device and join the
corresponding VLAN after successful authentication ("development" department to join VLAN2, "finance"
department to join VLAN3, and "market" department to join VLAN4).
 Complete data isolation shall be achieved between VLANs corresponding to three user groups, namely the
members of one group cannot exchange data with members of another group.

Configuration Tips

 Turn on AAA switch and configure the communication between device and RADIUS SERVER;
 Configure 802.1X authentication and configure the device port for client access as controlled port;
 Enable dynamic VLAN assignment on the corresponding interface;
 Create VLANs to join after user authentication.

Configuration Steps

Step 1: Configure the relevant attributes of the RADIUS server (only the key configuration is described below):

 Click "User Management - User Group Management" and add the corresponding user group (taking user group
"development" as the example):

Figure 0-10

 Click "User Management - User Management" to add the basic information about the user and the corresponding VLAN
information (taking user group "development" as the example; the VLAN to which the user belongs is configured as

Figure 0-11

Figure 0-12

Step 2: Configure access switch "SwitchA"

! Turn on AAA switch

Ruijie(config)#aaa new-model

! Configure RADIUS server

Ruijie(config)#radius-server host 192.168.32.120

! Configure RADIUS key

Ruijie(config)#radius-server key ruijie

! Configure dot1x authentication method list

Ruijie(config)#aaa authentication dot1x hello group radius

! Apply dot1x authentication method list

Ruijie(config)#dot1x authentication hello

! Configure 802.1X accounting method list

Ruijie(config)#aaa accounting network jizhang start-stop group radius

! Apply 802.1X accounting method list


Ruijie(config)#dot1x accounting jizhang

! Create VLANs to join after user authentication

Ruijie(config)#vlan 2
Ruijie(config-vlan)#name development
Ruijie(config-vlan)#exit
Ruijie(config)#vlan 3
Ruijie(config-vlan)#name finance
Ruijie(config-vlan)#exit
Ruijie(config)#vlan 4
Ruijie(config-vlan)#name market
Ruijie(config-vlan)#exit

! Configure uplink port F0/24 as the trunk port.

Ruijie(config)#interface fastEthernet 0/24


Ruijie(config-if-FastEthernet 0/24)#switchport mode trunk

! Configure the default route of device

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.217.1

! Configure the IP address of device

Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0

Step 3: Use client to complete authentication. After successful authentication, the CLI will display:
"%DOT1X-4-TRANS_AUTHOR: Setting interface FastEthernet 0/1 author-VLAN 2 succeeded."

We can see that the user has been assigned to VLAN2.

Verify Configurations

Step 1: Display the authentication state information of the current user to confirm the VLAN the user actually belongs to.

Ruijie#show dot1x summary


ID MAC Interface VLAN Auth-State Backend-State Port-Status User-Type
-------- -------------- --------- ---- --------------- ------------- ----------- ---------
5 00d0.f864.6909 Fa0/1 2 Authenticated Idle Authed static

Step 2: Display detailed information about authenticated user.

Ruijie#show dot1x user id 5

User name: st
User id: 5
Type: static
Mac address is 00d0.f864.6909
Vlan id is 2
Access from port Fa0/1
Time online: 0days 0h 4m35s
User ip address is 192.168.217.82
Max user number on this port is 6000
Authorization vlan is 2
Authorization session time is 20731685 seconds
Supplicant is private
Start accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name st_1_0_0 :

Application of 802.1X port-based Guest VLAN and VLAN assignment


Network Topology

Figure 14 Topology for 802.1X port-based Guest VLAN and VLAN assignment

Networking Requirements

The client accesses the network through 802.1X authentication. The RADIUS server performs authentication,
authorization, accounting and dynamic VLAN assignment and belongs to VLAN 1. The FTP server, from which the client
downloads software and upgrade packages, belongs to VLAN 10. Port F0/24, the Internet-facing port of the switch,
belongs to VLAN 2. The following requirements must be met:

 If the switch receives no reply after sending authentication request packets (EAP-Request/Identity) the configured
number of times, F0/1 joins the Guest VLAN (VLAN 10). The supplicant and the FTP server are then both in VLAN 10, so
the supplicant can reach the FTP server and download the 802.1X client.
 After successful authentication, the RADIUS server assigns VLAN 2. The supplicant and F0/24 are then both in VLAN 2,
so the supplicant can access the Internet.
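The requirement above says only that the RADIUS server "assigns VLAN 2"; the guide does not show what the server has
to send. The following is an added example, not Ruijie code and not from this guide: it encodes and decodes the RFC 3580
tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) that a RADIUS Access-Accept carries for
VLAN assignment, with the attribute numbers and AVP layout from RFC 2865/2868. That the RGOS authenticator expects
exactly these attributes is an assumption; the validation policy in assigned_vlan (reject mismatched tags, non-numeric
group IDs, out-of-range IDs) is this example's own choice.

```python
"""RADIUS VLAN assignment attributes (RFC 3580 / RFC 2868): encode and decode.

Added example, not Ruijie code. Shows what a RADIUS server puts in Access-Accept
to move the port to VLAN 2 as in this scenario, and how an authenticator can
validate the three attributes before honouring them."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
MEDIUM_IEEE_802 = 6        # Tunnel-Medium-Type value "IEEE-802"


def avp(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (including these two bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([code, len(value) + 2]) + value


def tagged_int(tag: int, n: int) -> bytes:
    """Tagged integer per RFC 2868: one tag byte followed by a 3-byte integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def vlan_assignment_avps(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes an Access-Accept carries to assign `vlan_id` (tag 0 = untagged)."""
    group = str(vlan_id).encode("ascii")
    if tag:
        group = bytes([tag]) + group      # tag byte is only present when tagging is used
    return (avp(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(tag, MEDIUM_IEEE_802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_avps(data: bytes):
    """Yield (type, value) pairs from a run of RADIUS attributes."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        yield code, data[i + 2:i + length]
        i += length


def assigned_vlan(data: bytes):
    """VLAN id the authenticator should apply, or None if the attributes are
    absent or inconsistent (the port then stays in its configured VLAN)."""
    found = {}
    for code, val in parse_avps(data):
        if code in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(val) == 4:
            found[code] = (val[0], int.from_bytes(val[1:], "big"))
        elif code == TUNNEL_PRIVATE_GROUP_ID and val:
            # RFC 2868: a leading octet in 0x00..0x1F is a tag, otherwise untagged
            tag, body = (val[0], val[1:]) if val[0] <= 0x1F else (0, val)
            found[code] = (tag, body.decode("ascii", "replace"))
    if len(found) != 3:
        return None
    (t_tag, t_type), (m_tag, medium), (g_tag, group) = (
        found[TUNNEL_TYPE], found[TUNNEL_MEDIUM_TYPE], found[TUNNEL_PRIVATE_GROUP_ID])
    if t_type != TUNNEL_TYPE_VLAN or medium != MEDIUM_IEEE_802:
        return None
    if not (t_tag == m_tag == g_tag):        # all three must describe one tunnel
        return None
    # RFC 3580 also allows a VLAN name here; this example accepts numeric ids only
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None
    return int(group)


if __name__ == "__main__":
    accept = vlan_assignment_avps(2)
    print(accept.hex())
    print(assigned_vlan(accept))   # prints 2
```

A server that sends only Tunnel-Private-Group-ID, or mixes tags between the three attributes, is rejected here; an
authenticator that silently accepted a partial set would let a misconfigured server move users into unintended VLANs.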

Configuration Tips

 Enable AAA and configure communication between the device and the RADIUS server;
 Configure 802.1X authentication and set the device port used for client access as a controlled port;
 Enable dynamic VLAN assignment on the corresponding interface;
 Enable the Guest VLAN on the corresponding interface. The interface-level commands for dynamic VLAN assignment and
the Guest VLAN are described in the Command Reference and are not shown in the steps below.

Configuration Steps

Configure access switch "SwitchA":

! Configure the VLANs to which the ports belong

Ruijie(config)#interface fastEthernet 0/3
Ruijie(config-if-FastEthernet 0/3)#switchport access vlan 10
Ruijie(config-if-FastEthernet 0/3)#exit
Ruijie(config)#interface fastEthernet 0/24
Ruijie(config-if-FastEthernet 0/24)#switchport access vlan 2
Ruijie(config-if-FastEthernet 0/24)#exit

! Enable AAA

Ruijie(config)#aaa new-model

! Configure RADIUS server

Ruijie(config)#radius-server host 192.168.32.120

! Configure RADIUS key

Ruijie(config)#radius-server key ruijie

! Configure dot1x authentication method list

Ruijie(config)#aaa authentication dot1x hello group radius

! Apply dot1x authentication method list

Ruijie(config)#dot1x authentication hello

! Configure 802.1X accounting method list

Ruijie(config)#aaa accounting network jizhang start-stop group radius

! Apply 802.1X accounting method list

Ruijie(config)#dot1x accounting jizhang

! Configure the default route of device

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.217.1

! Configure the IP address of device

Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0

Verify Configurations

Step 1: If no reply is received after sending authentication request packets (EAP-Request/Identity) the configured
number of times, the port is moved to VLAN 10 automatically. The CLI prompts:

%DOT1X-5-TRANS_DEFAULT_TO_GUEST: Transformed interface FastEthernet 0/1 from default-vlan 1 to guest-vlan 10 ok.

Step 2: The user downloads the 802.1X client and authenticates. After successful authentication, the CLI prompts:

%DOT1X-4-TRANS_AUTHOR: Setting interface FastEthernet 0/1 author-vlan 2 succeeded.

Step 3: Display the authentication state of the current user:

Ruijie#show dot1x summary

ID MAC Interface VLAN Auth-State Backend-State Port-Status User-Type
-------- -------------- --------- ---- --------------- ------------- ----------- ---------
8 00d0.f864.6909 Fa0/1 2 Authenticated Idle Authed static

Step 4: Display detailed information about the authenticated user.

Ruijie#show dot1x user id 8

User name: st
User id: 8
Type: static
Mac address is 00d0.f864.6909
Vlan id is 2
Access from port Fa0/1
Time online: 0days 0h 4m25s
User ip address is 192.168.201.56
Max user number on this port is 6000
Authorization vlan is 2
Authorization session time is 20736000 seconds
Supplicant is private
Start accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name st_1_0_0 :

Application of port-based 1X authentication and IP authorization


Network Topology

Figure 15 Topology for port-based 1X authentication and IP authorization



Networking Requirements

The client accesses the network through 802.1X authentication, and the RADIUS server is the authentication server. The
following requirements must be met:

 When the active server fails, the device automatically submits the authentication request to the next server in the
method list.
 When one user connected to a port of the device passes authentication, all users connected to that port can access
the network freely (port-based control).
 A dynamic user is not allowed to move between authentication ports.
 The IP address of an authenticated user must be assigned by the RADIUS server; that is, the authenticated user can
access the network only with the IP address specified by the RADIUS server.

Configuration Tips

 Enable AAA and configure communication between the device and the RADIUS server;
 Configure 802.1X authentication and set the device port used for client access as a controlled port;
 Configure an active/standby server group;
 Set the authentication control mode of the corresponding port to port-based;
 Prohibit dynamic users from moving between ports;
 Set the IP authorization mode to RADIUS server mode.

Configuration Steps

Configure access switch "SwitchA":

! Enable AAA

Ruijie(config)#aaa new-model

! Configure RADIUS server

Ruijie(config)#radius-server host 192.168.32.120
Ruijie(config)#radius-server host 192.168.32.121

! Configure RADIUS key

Ruijie(config)#radius-server key ruijie

! Configure a server group (the active server is listed first, the standby server second)

Ruijie(config)#aaa group server radius rj
Ruijie(config-gs-radius)#server 192.168.32.120
Ruijie(config-gs-radius)#server 192.168.32.121

! Configure the dot1x authentication method list. "group radius" uses every configured radius-server host in
! order; to restrict the method list to the server group defined above, reference that group by name (group rj).

Ruijie(config)#aaa authentication dot1x hello group radius

! Apply dot1x authentication method list

Ruijie(config)#dot1x authentication hello

! Configure 802.1X accounting method list

Ruijie(config)#aaa accounting network jizhang start-stop group radius

! Apply 802.1X accounting method list

Ruijie(config)#dot1x accounting jizhang

! Configure IP authorization mode of device as RADIUS Server mode

Ruijie(config)#aaa authorization ip-auth-mode radius-server

! Configure the default route of device

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.217.1

! Configure the IP address of device

Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0

Verify Configurations

Step 1: Display the authentication state information of current user:

Ruijie#show dot1x summary

ID MAC Interface VLAN Auth-State Backend-State Port-Status User-Type
-------- -------------- --------- ---- --------------- ------------- ----------- ---------
none 00d0.f864.6909 Fa0/1 1 Authenticated Idle Authed Dynamic

Step 2: Move this user to another authentication port. The user is no longer able to access the network.
Configuration Guide Configuring ARP Check

Configuring ARP Check

Overview

The ARP check function filters all ARP packets on a logical interface and drops illegal ones, preventing ARP spoofing in
the network and improving network stability.

Ruijie switches support multiple IP security applications (such as IP Source Guard, global IP+MAC binding and port
security) that filter user IP packets and stop illegal users from consuming network resources. The ARP check function
derives ARP filtering entries from the legal user information these features hold (IP or IP+MAC) and uses them to filter
illegal ARP packets in the network.

Figure 1-1 ARP Check and Other Security Functions

As shown in the figure above, ARP check compares the Sender IP field, or the <Sender IP, Sender MAC> pair, of every
ARP packet received on the logical interface against the legal user information (IP or IP+MAC) and drops packets that
do not match. The security function modules that can supply legal user information to ARP check are:

 IP field only: port security in IP mode, IP Source Guard.
 IP+MAC fields: port security in IP+MAC binding mode, global IP+MAC binding, 802.1X IP authorization, IP Source
Guard, GSN binding.

ARP check has two modes, enabled and disabled. By default, ARP check is disabled.

 Enabled mode

Whether ARP check actually takes effect follows the running state of the security functions on the switch.

Enabling or disabling any of the following functions may enable or disable ARP check:

 Global IP+MAC binding
 802.1X IP authorization
 IP Source Guard
 GSN binding

Adding the first legal user or removing the last legal user of the following functions may enable or disable ARP
check:

 Port security in IP+MAC binding mode
 Port security in IP-only mode

Once enabled, ARP check applies whether or not any security configuration exists on the port. If a port has no legal
user, all ARP packets received on that port are discarded.

 Disabled mode

ARP packets on the port are not checked.

Enabling ARP check on port security addresses halves the maximum number of IP-bound security addresses available
on every port.
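The matching rules above (IP-only versus IP+MAC, and the drop-everything behaviour of an arp-check port with no legal
user) are easy to get wrong when reasoning about a spoofing attempt, so here is an added example that models the
decision in Python. It is not RGOS code and not from this guide; the legal-user entries are constructed to match the
shape of the show interfaces arp-check list output, and the set of ports with arp-check is a fixed assumption (the
automatic enabling and disabling triggered by the security functions is not modelled).

```python
"""ARP check matching rules, modelled in Python.

Added example, not RGOS code. Reproduces the verdict described in the overview:
IP-only match for port-security IP mode / IP Source Guard entries, <Sender IP,
Sender MAC> match for the other sources, and drop-all on an arp-check port that
has no legal user. LEGAL_USERS and ARP_CHECK_PORTS are constructed test data."""
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Canonical hex string so 00D0.F800.0003 and 00:d0:f8:00:00:03 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass(frozen=True)
class LegalUser:
    port: str
    ip: str
    mac: Optional[str]   # None: IP-only entry, only the Sender IP is compared
    source: str          # policy source: address-bind, port-security, AAA ip-auth-mode, GSN


# Constructed entries; the Gi0/4 row is an IP-only (port-security IP mode) entry.
LEGAL_USERS = (
    LegalUser("Gi0/1", "192.168.1.3", "00D0.F800.0003", "address-bind"),
    LegalUser("Gi0/1", "192.168.1.1", "00D0.F800.0001", "port-security"),
    LegalUser("Gi0/4", "192.168.1.3", None, "port-security"),
    LegalUser("Gi0/7", "192.168.1.6", "00D0.F800.0006", "AAA ip-auth-mode"),
)
# Ports on which 'arp-check' is configured (assumed; Gi0/9 has it but no legal user yet).
ARP_CHECK_PORTS = frozenset({"Gi0/1", "Gi0/4", "Gi0/7", "Gi0/9"})


def arp_check(port: str, sender_mac: str, sender_ip: str,
              users=LEGAL_USERS, check_ports=ARP_CHECK_PORTS):
    """Verdict for one ARP packet received on `port`: (forward, reason)."""
    if port not in check_ports:
        return True, "arp-check not enabled on port"
    entries = [u for u in users if u.port == port]
    if not entries:
        # enabled but no legal user yet: every ARP packet from the port is discarded
        return False, "no legal user on port"
    for u in entries:
        if u.ip != sender_ip:
            continue
        if u.mac is None:
            return True, f"Sender IP matches {u.source} (IP-only) entry"
        if norm_mac(u.mac) == norm_mac(sender_mac):
            return True, f"Sender IP+MAC match {u.source} entry"
    return False, "sender fields match no legal user on port"


if __name__ == "__main__":
    for pkt in [("Gi0/1", "00d0.f800.0003", "192.168.1.3"),   # legitimate host
                ("Gi0/1", "00d0.f800.0009", "192.168.1.3"),   # other MAC claiming that IP
                ("Gi0/4", "0000.1111.2222", "192.168.1.3"),   # IP-only port, MAC ignored
                ("Gi0/9", "0000.1111.2222", "192.168.1.9")]:  # arp-check, no legal user
        print(pkt, arp_check(*pkt))
```

Note the asymmetry the IP-only row exposes: on Gi0/4 any MAC may claim 192.168.1.3, so IP-only mode stops a host from
claiming someone else's IP but not from spoofing the MAC behind the legal IP; only the IP+MAC sources close that gap.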

Configuration

Use the following commands in interface configuration mode to configure ARP check:

Command Function
Ruijie(config)#interface interface-id Enter interface configuration mode.
Ruijie(config-if)#arp-check Enable ARP check.
Ruijie(config-if)#no arp-check Disable ARP check.

ARP check can be configured on Layer 2 interfaces only.

Monitoring

Use the following command to display the ARP check entries on an interface:

Command Function
Ruijie#show interfaces [ interface-type interface-number ] arp-check list Display the ARP check entries.

The example below displays the ARP check entries (IP-only entries, such as the Gi 0/4 row, have no Sender MAC):

Ruijie#show interfaces arp-check list

Interface Sender MAC Sender IP Policy Source
------------------------ ---------------- ---------------- --------------------
Gi 0/1 00D0.F800.0003 192.168.1.3 address-bind
Gi 0/1 00D0.F800.0001 192.168.1.1 port-security
Gi 0/4 192.168.1.3 port-security
Gi 0/5 00D0.F800.0003 192.168.1.3 address-bind
Gi 0/7 00D0.F800.0006 192.168.1.6 AAA ip-auth-mode
Gi 0/8 00D0.F800.0007 192.168.1.7 GSN
Configuration Guide Configuring Global IP-MAC Binding

Configuring Global IP-MAC Binding

Setting IP Address and MAC address Binding

To bind an IP address to a MAC address, execute the following commands in global configuration mode.

Command Function
Ruijie(config)#address-bind { ip-address | ipv6-address } mac-address Bind an IP address to a MAC address.
Ruijie(config)#address-bind install Enable the address binding function.

To cancel a binding, use the no address-bind { ip-address | ipv6-address } mac-address command in global
configuration mode.

To disable the address binding function, execute the no address-bind install command.

The following example shows how to bind the IP address and MAC address:

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#address-bind 192.168.5.1 00d0.f800.0001
Ruijie(config)#address-bind install

Problem: In a stack, when one member switch learns a MAC address from an IP packet that does not match any
address binding, the address is learned only by that member's forwarding chip and not by the chips of the other
members.
 Phenomenon: The address entry is displayed by the show mac command, yet IP packets to it are still broadcast to
the other stack members. MAC learning is normal for non-IP packets and for IP packets that match an address binding.
 Workaround: N/A.

If address-bind install has been executed but no IP+MAC binding is configured, all packets are forwarded on the
interface; it is the bindings, not the install command alone, that restrict traffic.

Setting the Address Binding Mode

In global configuration mode, to configure the address binding mode, execute the following commands.

Command Function
Ruijie(config)#address-bind ipv6-mode { compatible | loose | strict } Configure the address binding mode.
Ruijie(config)#no address-bind ipv6-mode Restore the default address binding mode.

The following example shows how to set the address binding mode to strict:

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#address-bind ipv6-mode strict

The IPv6 mode also applies to DHCP Snooping address binding and port security MAC+IP address binding when those
functions are enabled at the same time.

Mode IPv4 packet forwarding rule IPv6 packet forwarding rule
Strict Only packets matching an IPv4+MAC binding are forwarded. Only IPv6 packets matching a configured IPv6 security address are forwarded.
Loose Only packets matching an IPv4+MAC binding are forwarded. All IPv6 packets are forwarded.
Compatible Only packets matching an IPv4+MAC binding are forwarded. Only IPv6 packets whose source MAC address is bound, or that match a configured security address, are forwarded.

Setting the Exceptional Ports for the IP Address and MAC Address Binding

To exempt some ports from IP address and MAC address binding, set them as exceptional ports. To configure an
exceptional port, execute the following command in global configuration mode.

Command Function
Ruijie(config)#address-bind uplink interface-id Configure the exceptional port for IP address and MAC address binding. interface-id: physical port or aggregate port.

Use the no address-bind uplink interface-id command to remove the specified exceptional port.

Traffic on an exceptional port is not checked against the bindings, so use this only for the port facing the trusted
upstream network.

The following example sets interface GigabitEthernet 0/1 as an exceptional port:

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#address-bind uplink GigabitEthernet 0/1

Displaying Configuration

Use the following commands to display the IP-to-MAC address binding on the device.

Command Function
Ruijie# show address-bind Display the IP-to-MAC address binding on the device.
Ruijie# show address-bind uplink Display exceptional interface information on the device.

Display the IP-to-MAC address binding:

Ruijie#show address-bind
Total Bind Addresses in System : 1
IP Address Binding MAC Addr
--------------- ----------------
192.168.5.1 00d0.f800.0001
Configuration Guide Configuring DHCP Snooping

Configuring DHCP Snooping

Overview

DHCP
DHCP is widely used to dynamically allocate reusable network resources, most commonly IP addresses. A typical IP
address acquisition through DHCP runs as follows:

The DHCP client broadcasts a DHCP DISCOVER packet. The client sends the DISCOVER again if it receives no response
from a server within a specified time.

After the DHCP server receives the DISCOVER packet, it selects resources for the client, such as an IP address, according
to its policy and sends a DHCP OFFER packet.

After receiving the OFFER packet, the DHCP client sends a DHCP REQUEST packet to request the offered lease; because
the REQUEST is broadcast, it also informs any other servers that the client has accepted one server's offer.

After receiving the REQUEST packet, the server verifies that the resources are still available. If so, it sends a DHCP ACK
packet; if not, it sends a DHCP NAK packet. On receiving the ACK, the client starts using the assigned resources once it
has verified by ARP that the address is not already in use. On receiving a NAK, the client sends a new DISCOVER.

DHCP Snooping
DHCP Snooping monitors users by snooping the packets exchanged between clients and the server. With proper
configuration, DHCP Snooping can filter DHCP packets and block illegal servers. The terms and functions used in DHCP
Snooping are explained below:

 DHCP Snooping TRUST port: Because the packets used to obtain an IP address through DHCP are broadcast, an illegal
server can prevent users from obtaining addresses, or even impersonate the legal server and steal user information. To
solve this problem, DHCP Snooping classifies ports into two types, TRUST and UNTRUST. The device forwards only the
DHCP reply packets received on TRUST ports and discards all DHCP reply packets received on UNTRUST ports. An illegal
DHCP server is therefore shielded by setting the port connected to the legal DHCP server as a TRUST port and all other
ports as UNTRUST ports.
 DHCP Snooping binding database: By snooping the packets between DHCP clients and the DHCP server, DHCP
Snooping combines the IP address, MAC address, VID, port and lease time into one entry of the DHCP Snooping user
database. DHCP Snooping checks the validity of DHCP packets passing through the device, discards illegal DHCP packets,
and records user information in the DHCP Snooping binding database for ARP inspection and query. The following DHCP
packets are considered illegal:
 DHCP reply packets received on UNTRUST ports, including DHCPACK, DHCPNAK and DHCPOFFER.
 When MAC check is enabled, DHCP packets whose Ethernet source MAC address differs from the client hardware
address (chaddr) field in the DHCP header.
 DHCPRELEASE packets whose port does not match the port recorded in the DHCP Snooping binding database.
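The three "illegal packet" rules above, together with the binding-database bookkeeping, are what the rest of this chapter
configures, so here is an added example that models them in Python. It is not RGOS code and not from this guide. Packets
are plain dicts carrying only the fields snooping inspects (port, VLAN, Ethernet source MAC, chaddr, message type,
yiaddr and lease for replies); the trusted port set, the verify_mac flag (the ip dhcp snooping verify mac-address
function described later) and the replayed exchange are constructed. One modelling assumption: the client's port for a
binding is taken from the DISCOVER/REQUEST seen earlier on an UNTRUST port, since the ACK itself arrives on the
TRUST port.

```python
"""DHCP Snooping decision logic, modelled in Python.

Added example, not RGOS code. Rules from the overview: server replies only on
TRUST ports; optional Ethernet-source-MAC versus chaddr check; a RELEASE must
come from the port recorded in the binding; bindings learned from a trusted ACK."""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


def norm_mac(mac: str) -> str:
    """Canonical hex so 0013.2049.9014 and 00:13:20:49:90:14 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class Binding:                # one row of 'show ip dhcp snooping binding'
    mac: str
    ip: str
    lease: int
    vlan: int
    port: str


@dataclass
class DhcpSnooper:
    trusted_ports: set = field(default_factory=set)
    verify_mac: bool = False                        # 'ip dhcp snooping verify mac-address'
    bindings: dict = field(default_factory=dict)    # (vlan, mac) -> Binding
    pending: dict = field(default_factory=dict)     # (vlan, mac) -> client port (assumption)

    def inspect(self, pkt: dict) -> str:
        """Return 'forward' or 'drop: <reason>' for one DHCP packet."""
        port, vlan, kind = pkt["port"], pkt["vlan"], pkt["msg_type"]
        key = (vlan, norm_mac(pkt["chaddr"]))
        trusted = port in self.trusted_ports

        if kind in SERVER_MESSAGES:
            if not trusted:
                return "drop: server reply on UNTRUST port"
            if kind == "DHCPACK":
                client_port = self.pending.pop(key, None)
                if client_port is not None:         # learn the binding from the ACK
                    self.bindings[key] = Binding(key[1], pkt["yiaddr"], pkt["lease"], vlan, client_port)
            return "forward"

        # client-originated message on an UNTRUST port
        if not trusted and self.verify_mac and norm_mac(pkt["src_mac"]) != key[1]:
            return "drop: source MAC does not match chaddr"
        if kind == "DHCPRELEASE":
            b = self.bindings.get(key)
            if b is None or b.port != port:
                return "drop: RELEASE port does not match binding"
            del self.bindings[key]
            return "forward"
        if kind in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[key] = port                # remember where the client lives
        return "forward"


def run_demo():
    """Replay a constructed exchange; returns verdicts, bindings after the ACK, final bindings."""
    s = DhcpSnooper(trusted_ports={"Gi0/1"}, verify_mac=True)
    client, rogue, server = "0013.2049.9014", "00d0.f8aa.bbcc", "00d0.f800.0001"
    packets = [
        dict(port="Gi0/11", vlan=1, msg_type="DHCPREQUEST", src_mac=client, chaddr=client),
        dict(port="Gi0/1", vlan=1, msg_type="DHCPACK", src_mac=server, chaddr=client,
             yiaddr="172.16.1.2", lease=86400),
        dict(port="Gi0/12", vlan=1, msg_type="DHCPOFFER", src_mac=rogue, chaddr=client,
             yiaddr="10.0.0.9", lease=3600),                              # rogue server
        dict(port="Gi0/12", vlan=1, msg_type="DHCPREQUEST", src_mac=rogue, chaddr=client),  # forged chaddr
        dict(port="Gi0/12", vlan=1, msg_type="DHCPRELEASE", src_mac=client, chaddr=client),  # wrong port
        dict(port="Gi0/11", vlan=1, msg_type="DHCPRELEASE", src_mac=client, chaddr=client),  # genuine
    ]
    verdicts, after_ack = [], {}
    for n, p in enumerate(packets):
        verdicts.append(s.inspect(p))
        if n == 1:
            after_ack = dict(s.bindings)
    return verdicts, after_ack, dict(s.bindings)


if __name__ == "__main__":
    for v in run_demo()[0]:
        print(v)
```

The fifth packet is the case the RELEASE rule exists for: a host on Gi0/12 spoofing the victim's MAC passes the source
MAC check, but the binding says the lease belongs to Gi0/11, so the release is dropped and the victim keeps its address.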

DHCP Snooping Information Option

Some network administrators want to assign IP addresses to users according to where they are connected, that is,
according to the network equipment and port the user is attached to. To support this, the switch adds user-related
device information to the DHCP request packet as a DHCP option while performing DHCP Snooping. According to
RFC 3046, the option number used is 82. By forwarding option 82 to the DHCP server, the server obtains more
information about the user and can assign IP addresses accurately. The option 82 inserted by DHCP Snooping carries
the following sub-options:

 Agent Circuit ID
 Agent Remote ID
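The two sub-options are named above but their wire layout is not shown, and the chapter later states that DHCP Snooping
adds option 82 to every request and strips it from every reply. The following added example, not RGOS code and not
from this guide, builds option 82 from its two sub-options (RFC 3046: sub-option 1 is Agent Circuit ID, 2 is Agent Remote
ID), inserts it into a request's options field and removes it from a reply's. The contents of the sub-options are a
constructed illustration: the guide does not specify Ruijie's encoding, so the VLAN/port packing of the circuit ID, the
use of the switch MAC as remote ID, and the choice to replace an option 82 a client supplied itself are all assumptions.

```python
"""DHCP option 82 (Relay Agent Information, RFC 3046) as DHCP Snooping handles it.

Added example, not RGOS code. Works on the DHCP options field (the bytes after
the magic cookie); sub-option contents below are an assumed encoding."""

OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2


def iter_options(opts: bytes):
    """Yield (code, value) pairs from a DHCP options field; stop at END."""
    i = 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated DHCP option")
        length = opts[i + 1]
        yield code, opts[i + 2:i + 2 + length]
        i += 2 + length


def encode_options(pairs) -> bytes:
    """Serialise (code, value) pairs and terminate with END."""
    out = bytearray()
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("option value too long")
        out += bytes([code, len(value)]) + value
    return bytes(out) + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Value of option 82: sub-option 1 (circuit id) followed by sub-option 2 (remote id)."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("option 82 exceeds one option's length field")
    return body


def circuit_id_for(vlan: int, port_index: int) -> bytes:
    """Assumed circuit-id encoding for this example: 2-byte VLAN + 2-byte port index."""
    return vlan.to_bytes(2, "big") + port_index.to_bytes(2, "big")


def add_option82(opts: bytes, vlan: int, port_index: int, switch_mac: bytes) -> bytes:
    """Client -> server: drop any option 82 the (untrusted) client supplied itself
    (assumption: the switch's own value must win) and append ours before END."""
    kept = [(c, v) for c, v in iter_options(opts) if c != OPT_RELAY_AGENT]
    kept.append((OPT_RELAY_AGENT, build_option82(circuit_id_for(vlan, port_index), switch_mac)))
    return encode_options(kept)


def strip_option82(opts: bytes) -> bytes:
    """Server -> client: remove option 82 before the reply reaches the client."""
    return encode_options([(c, v) for c, v in iter_options(opts) if c != OPT_RELAY_AGENT])


def parse_option82(opts: bytes):
    """Return {'circuit_id': bytes, 'remote_id': bytes}, or None if option 82 is absent."""
    for code, value in iter_options(opts):
        if code != OPT_RELAY_AGENT:
            continue
        subs, i = {}, 0
        while i + 2 <= len(value):
            sub, length = value[i], value[i + 1]
            subs[sub] = value[i + 2:i + 2 + length]
            i += 2 + length
        return {"circuit_id": subs.get(SUB_CIRCUIT_ID, b""),
                "remote_id": subs.get(SUB_REMOTE_ID, b"")}
    return None


if __name__ == "__main__":
    request = bytes([OPT_MSG_TYPE, 1, 3, OPT_END])          # DHCPREQUEST with no other options
    tagged = add_option82(request, vlan=1, port_index=11, switch_mac=bytes.fromhex("00d0f8000001"))
    print(tagged.hex())
    print(parse_option82(tagged))
    print(strip_option82(tagged) == request)               # prints True
```

Stripping on the way back matters for more than tidiness: a client that could see option 82 in replies would learn the
switch identity and port numbering, and one that could inject it in requests could claim another port's location, which
is why the example replaces a client-supplied option 82 rather than trusting it.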

DHCP Snooping Related Security Functions


In a DHCP-enabled network, a common problem for administrators is that some users configure static IP addresses
instead of obtaining addresses dynamically. Users who rely on dynamic addresses may then be unable to access the
network, which complicates operation. In dynamic DHCP binding mode, the device records how legal users obtained
their IP addresses during DHCP Snooping and uses that record for security control. There are three ways to enforce it.
The first binds the legal users' addresses in conjunction with the IP Source Guard function; the second uses DAI to
validate users by controlling ARP; the third binds the legal users' ARP information in conjunction with the ARP Check
function. Note that the first mode is limited by the number of hardware entries, so the switch supports a limited
number of DHCP users; with too many users on the switch, some legal users cannot obtain hardware entries and cannot
access the network. The second method substantially affects switch performance, because all ARP messages are
forwarded to and processed by the CPU.

For the priorities of DHCP Snooping relative to other security functions, refer to the Port Security White Paper and
the Security Function Deployment White Paper.

DHCP Snooping and IP Source Guard


The IP Source Guard function maintains an IP source address database. By installing the user information in that
database (IP and MAC) as hardware filtering entries, it allows only the corresponding users to access the network. For
details, refer to IP Source Guard Configuration.

By snooping the DHCP process, DHCP Snooping maintains a user IP address database and offers it to the IP Source
Guard function for filtering, so that only users who obtained their IP address dynamically can access the network.

Furthermore, DHCP binding filters IP packets, not ARP messages. To enhance security and prevent ARP spoofing, also
check the ARP validity of DHCP-bound users. For more information, refer to DAI Configuration.

DHCP Snooping and ARP Inspection


ARP Inspection checks all the ARP messages travelling through the switch. DHCP Snooping needs to offer the database
information for ARP Inspection to use. After receiving an ARP message, the DAI-enabled switch queries the database
bound by the DHCP Snooping. The ARP message is learned and forwarded only when its source MAC, source IP and
port are matched or otherwise it is dropped.

DHCP Snooping and ARP Check


As with ARP Inspection, ARP Check checks all the ARP messages travelling through the switch. DHCP Snooping needs
to offer the database information for ARP Check to use. After receiving an ARP message, the ARP Check-enabled switch
queries the database bound by the DHCP Snooping. The ARP message is learned and forwarded only when its source
MAC, source IP and port are matched or otherwise it is dropped.

Other Configuration Precautions


The DHCP Snooping function and the DHCP Option 82 function of 802.1X are mutually exclusive; that is, they cannot be
enabled at the same time.

DHCP Snooping only snoops users' DHCP exchanges. ARP Inspection is required to restrict users to the IP address assigned
to them by DHCP; however, ARP Inspection must check every ARP message, which affects the overall performance of the
switch.

When a DHCP client on a Hybrid interface reaches the DHCP server through an untagged VLAN, Share VLAN must be
enabled and the untagged VLAN set as the share VLAN. For the number of share VLANs supported, refer to the Share
VLAN Configuration section of this guide.

Configuration

Enabling DHCP Snooping


DHCP Snooping is disabled on the device by default. To enable DHCP Snooping and monitor DHCP packets, execute the
following command.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#[ no ] ip dhcp snooping Enable or disable DHCP Snooping.

The following example enables DHCP Snooping on the device:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping
Ruijie(config)#end

DHCP Snooping and Private VLAN cannot be enabled at the same time.

Enabling Filtering the DHCP Request Message on the Port


By default, filtering of DHCP request messages is disabled on the port. To enable it, execute the following command.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#interface interface-id Enter interface configuration mode.
Ruijie(config-if)#[ no ] ip dhcp snooping suppression Enable or disable filtering (dropping) of DHCP request messages received on the port.

The following example enables filtering of DHCP request messages:

Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if)#ip dhcp snooping suppression

Enabling DHCP Snooping in VLAN


This command enables DHCP Snooping in the specified VLANs.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#[ no ] ip dhcp snooping vlan { vlan-rng | { vlan-min [ vlan-max ] } } Enable DHCP Snooping in the VLAN.

The following example enables DHCP Snooping in VLAN 1000:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping vlan 1000
Ruijie(config)#end

Configuring DHCP Source MAC Address Check Function


After this command is configured, the device compares the Ethernet source MAC address of each DHCP request packet
received on an UNTRUST port with the client hardware address (chaddr) field in the DHCP header and discards packets in
which the two differ. By default, this function is disabled. Do not enable it on an UNTRUST port behind which a DHCP
relay agent or router forwards client requests: the source MAC is then the relay's, and every request would be dropped.

To configure the source MAC address check function, execute the following command:

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#[ no ] ip dhcp snooping verify mac-address Enable or disable the source MAC address check function.

The following example enables the DHCP source MAC address check function:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping verify mac-address
Ruijie(config)#end

Configuring DHCP Snooping Information Option


By default, this function is disabled. After this command is configured, DHCP Snooping adds option 82 to all DHCP
request packets it forwards and removes it from all reply packets.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#[ no ] ip dhcp snooping information option Enable or disable the DHCP Snooping information option.

The following configuration enables the DHCP Snooping information option:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping information option
Ruijie(config)#end

After this function is configured, any DHCP relay option 82 function configured on the device becomes ineffective.

Writing the DHCP Snooping Database to Flash Periodically


By default, this function is disabled. DHCP Snooping provides a command to write the DHCP Snooping database to flash
periodically, so that DHCP user information is not lost when the device restarts after a power failure.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#[ no ] ip dhcp snooping database write-delay [ time ] Specify the interval at which the switch writes the DHCP Snooping database to flash. time: 600 to 86400 seconds. The default value is 0 (periodic writing disabled).

The following example sets the interval at which the switch writes the DHCP Snooping database to flash to 3600 s:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping database write-delay 3600
Ruijie(config)#end

Choose the interval carefully, because frequent erase/write cycles shorten the life of the flash. A shorter interval
preserves user information more faithfully across a restart; a longer interval reduces the number of writes and extends
the service life of the flash.

Writing DHCP Snooping Database to Flash Manually


To prevent loss of DHCP user information when the device restarts after a power failure, the administrator can also
write the DHCP Snooping binding database to flash manually.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#ip dhcp snooping database write-to-flash Write the DHCP Snooping binding database to flash manually.

The following example writes the DHCP Snooping binding database to flash:

Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping database write-to-flash
Ruijie(config)#end

Configuring a Port as a TRUST Port


By default, all ports are UNTRUST ports. This command sets a port as a TRUST port; apply it to the port connected to the
legal DHCP server.

Command Function
Ruijie#configure terminal Enter global configuration mode.
Ruijie(config)#interface interface-id Enter interface configuration mode.
Ruijie(config-if)#[ no ] ip dhcp snooping trust Set the port as a TRUST port.

The following example sets GigabitEthernet 4/1 as a TRUST port:

Ruijie#configure terminal
Ruijie(config)#interface GigabitEthernet 4/1
Ruijie(config-if)#ip dhcp snooping trust
Ruijie(config-if)#end

Configuring the Maximum Number of VLAN-Bound Users


Use this command in interface configuration mode to set the maximum number of users bound in the specified VLANs
on the port. Use the no form of this command to restore the default setting. This function is disabled by default.

Command Function
Ruijie(config-if)#ip dhcp snooping vlan vlan-word max-user user-number Set the maximum number of users bound with the VLAN on the interface. vlan-word: the VLAN range. user-number: the maximum number of users bound with the VLAN.

Combined with a suitable topology, this limit keeps a single port from filling the binding database with illegal DHCP
packets.

The following example sets the maximum number of bound users to 30 for VLANs 1 to 10 and VLAN 20:

Ruijie#configure terminal
Ruijie(config)#interface GigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#ip dhcp snooping vlan 1-10,20 max-user 30
Ruijie(config-if-GigabitEthernet 0/1)#end

Clearing Dynamic User Information from the DHCP Snooping Binding Database

To clear dynamic user information from the DHCP Snooping binding database, execute the following command.

Command Function
Ruijie# clear ip dhcp snooping binding Clear information from the current database.

The following example clears information from the current database manually:

Ruijie# clear ip dhcp snooping binding

Monitoring

Displaying DHCP Snooping


To display the DHCP Snooping configuration, execute the following command:

Command Function
Ruijie#show ip dhcp snooping Display the configuration of DHCP Snooping.

For example:

Ruijie#show ip dhcp snooping

Switch DHCP snooping status : ENABLE
DHCP snooping Verification of hwaddr field status : DISABLE
DHCP snooping database write-delay time : 0 seconds
DHCP snooping option 82 status : ENABLE
DHCP snooping Support Bootp bind status : ENABLE
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet 4/1 NO 100

Displaying the DHCP Snooping Database


To display the DHCP Snooping binding database, execute the following command:

Command Function
Ruijie#show ip dhcp snooping binding Display the user information in the DHCP Snooping binding database.

For example:

Ruijie#show ip dhcp snooping binding

Total number of bindings: 1
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ------------ ------------- ----- --------------------
001b.241e.6775 192.168.12.9 863996 dhcp-snooping 1 GigabitEthernet 0/5

Configuration Examples

Network Topology
Figure 8

Application Requirements
The DHCP client obtains its IP address dynamically from the legal DHCP server.

Prevent other users from setting up unauthorized (rogue) DHCP servers.

Configuration Points
Enable DHCP Snooping on the access device (Switch B) and set the uplink port (Gi0/1) as the trusted port.

Configuration Steps
Configure Switch B

Step 1: Enable the DHCP Snooping function.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#ip dhcp snooping

Step 2: Configure the uplink port as the trusted port.

Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#ip dhcp snooping trust

Displaying Verifications
Step 1, check the configuration for the Switch B. Key points: whether the DHCP Snooping function is enabled or not,
whether the trusted port configured is the uplink port.

Ruijie#show running-config
!
ip dhcp snooping
!
interface GigabitEthernet 0/1
ip dhcp snooping trust

Step2, display the DHCP Snooping configuration of the Switch B. Key points: whether the trusted port is correctly.

Ruijie#show ip dhcp snooping


Switch DHCP snooping status : ENABLE
DHCP snooping Verification of hwaddr status : DISABLE
DHCP snooping database write-delay time : 0 seconds
DHCP snooping option 82 status : DISABLE
DHCP snooping Support bootp bind status : DISABLE
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
GigabitEthernet 0/1 YES unlimited

Step 3, display the information about the DHCP Snooping binding database.

Ruijie#show ip dhcp snooping binding


Total number of bindings: 1
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ------------ ------------- ----- --------------------
0013.2049.9014 172.16.1.2 86207 dhcp-snooping 1 GigabitEthernet 0/11
Configuration Guide Configuring IP Source Guard

Configuring IP Source Guard

Overview

In the typical DHCP-enabled network, the DHCP server is responsible for managing and allocating addresses for hosts.
The hosts apply for legal network addresses from the DHCP server. DHCP is helpful for administrators to manage
network addresses and avoid address conflict.

Figure 1 Normal DHCP Address Allocation

However, the server/client mode alone cannot guarantee the efficiency and security of network address management. The
traditional DHCP mode needs stronger security because clients may send illegal or even attack packets (as shown in
Figure 3) and feigned servers may appear in the network (as shown in Figure 2).

DHCP Snooping solves the problem. The security problem of traditional DHCP mode can be solved by enabling DHCP
Snooping on the device connecting the DHCP server with the DHCP clients. DHCP Snooping divides the network into two
parts: untrusted network that shields all the DHCP Server response packets in the network and checks the security of the
request from the client; trusted network that forwards the request received from legal client to the server in that trusted
network which allocates and manages addresses.

Figure 2 Network with feigned DHCP server



Figure 3 Network with feigned DHCP client attack

Figure 4 Network protected by DHCP Snooping

By filtering DHCP packets, DHCP Snooping shields feigned servers and blocks attacks from the clients. However, it
cannot control users who assign themselves IP addresses privately. Such users easily cause address conflicts and harm
the management of network addresses. To prevent clients from assigning addresses privately in the DHCP network,
enable IP Source Guard on the device connecting the DHCP server to the DHCP clients. DHCP Snooping-based
IP Source Guard ensures that DHCP clients access network resources properly and blocks users who assign
addresses privately from accessing them.

Understanding IP Source Guard


IP Source Guard maintains a hardware-based IP packet filtering database to filter packets, guaranteeing that only the
users matching the database can access network resources.

The hardware-based IP packet filtering database is the key for IP Source Guard to enable efficient security control in
DHCP applications. This database is on the basis of DHCP Snooping database. After IP Source Guard is enabled, the
DHCP Snooping database is synchronized with the hardware-based IP packet filtering database. In this way, IP Source
Guard can strictly filter IP packets from clients on the device with DHCP Snooping enabled.

By default, once IP Source Guard is enabled on a port, all the IP packets traveling through the port (except for DHCP
packets) will be checked on the port. Only the users attaining IP addresses through DHCP and the configured static
binding users can access the network.

IP Source Guard supports source MAC- and source IP-based filtering or source IP-based filtering. In the former case, IP
Source Guard will check the source MAC and source IP addresses of all packets and only allow those packets matching
the hardware-based IP packet filtering database to pass through. In the latter case, IP Source Guard checks the source IP
addresses of IP packets.

Other Configuration Precautions


IP Source Guard is based on DHCP Snooping, namely port-based IP Source Guard takes effect only on the untrusted port
under the control of DHCP Snooping, not on the trusted port or the interfaces in the VLAN not controlled by DHCP
Snooping.

Configuration

Configuring IP Source Guard on the Interface


By default, IP Source Guard is disabled on the interface and all the users connecting to the interface can use the network.
After enabling IP Source Guard on the interface, it will filter the IP packets of the users connecting to the interface
according to the hardware-based IP packet filtering database.

Command Function
Ruijie(config)# interface interface-id Enter the interface configuration mode.
Ruijie(config-if)# [ no ] ip verify source [ port-security ] Enable IP Source Guard on the interface. Use port-security to set MAC-based (IP+MAC) filtering.

The following example enables IP Source Guard on interface FastEthernet 0/1:

Ruijie(config)# interface FastEthernet 0/1


Ruijie(config-if)# ip verify source
Ruijie(config-if)# end

The application of IP Source Guard is combined with DHCP Snooping. That is to say, port-based IP Source
Guard only takes effect on untrusted port under the control of DHCP Snooping.

Configuring Static IP Source Address Binding User


Under certain circumstances, users under certain ports may expect to statically use certain IP addresses. This feature can
be realized by adding static user information into the IP source binding database.

Command Function
Ruijie# configure terminal Enter configuration mode.
Ruijie(config)# [ no ] ip source binding mac-address vlan vlan-id ip-address [ interface interface-id | wlan wlan-id | ip-mac | ip-only ] Add a static IP source binding user to the database. If the interface is not specified, the binding entry applies to all binding interfaces on the VLAN. ip-mac: global IP+MAC binding; ip-only: global IP binding.

The following example shows how to bind a static user to port 9 of the device:

Ruijie# configure terminal


Ruijie(config)# ip source binding 00d0.f801.0101 vlan 1 192.168.4.243 interface FastEthernet 0/9

Excluding a VLAN from the IP Source Guard Configuration


To exclude a VLAN from the IP source guard configuration on the port, use the following commands in the interface
configuration mode/WLAN security configuration mode. This function is disabled by default.

Command Function
ip verify source exclude-vlan vlan-id Exclude a VLAN from the IP source guard configuration on the port. vlan-id: the ID of the VLAN excluded from the IP source guard configuration.
no ip verify source exclude-vlan vlan-id Restore the default setting.

This command is used to exclude a VLAN from the IP source guard configuration. IP packets in this VLAN are forwarded
without being checked and filtered.

Once the IP source guard function is disabled, the excluded VLAN is cleared automatically.

This command is supported on the wired L2 switching port, AP port, subinterface and WLAN.

Only when the IP source guard configuration is enabled on the port can a VLAN be excluded.

The following example enables IP source guard on a port and on a WLAN, and excludes VLAN 1 from the check on each.

Ruijie# configure terminal


Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# ip verify source
Ruijie(config-if-GigabitEthernet 0/1)# ip verify source exclude-vlan 1
Ruijie(config-if-GigabitEthernet 0/1)# exit
Ruijie(config)# wlansec 1
Ruijie(config-wlansec)# ip verify source
Ruijie(config-wlansec)# ip verify source exclude-vlan 1
Ruijie(config-wlansec)# end
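To make the filtering rules of this chapter concrete, the following Python model (an added example, not RGOS code) builds the hardware filtering database from DHCP Snooping entries and static "ip source binding" entries, then applies the checks described above: no filtering on DHCP-trusted ports, DHCP packets exempt, excluded VLANs bypassed, IP-only versus IP+MAC (port-security) matching, and an implicit deny-all when nothing matches. Interface names, addresses and MACs are taken from the chapter's Switch A configuration example; the class and method names are the example's own.

```python
"""Model of the IP Source Guard filtering decision (constructed example, not RGOS code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: Optional[str]   # None = global binding, applies to all ports in the VLAN
    source: str                # "dhcp-snooping" or "static"


@dataclass
class PortConfig:
    verify_source: bool = False                          # 'ip verify source' on the port
    port_security: bool = False                          # 'port-security': check MAC as well as IP
    dhcp_trust: bool = False                             # 'ip dhcp snooping trust'
    exclude_vlans: Set[int] = field(default_factory=set) # 'ip verify source exclude-vlan'


class IPSourceGuard:
    def __init__(self) -> None:
        self.ports: Dict[str, PortConfig] = {}
        self.bindings: List[Binding] = []

    def port(self, name: str) -> PortConfig:
        return self.ports.setdefault(name, PortConfig())

    def dhcp_snooping_learn(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        # Entry synchronised from the DHCP Snooping binding database.
        self.bindings.append(Binding(mac, ip, vlan, interface, "dhcp-snooping"))

    def static_binding(self, mac: str, ip: str, vlan: int, interface: Optional[str] = None) -> None:
        # 'ip source binding <mac> vlan <vlan> <ip> [interface <if>]'
        self.bindings.append(Binding(mac, ip, vlan, interface, "static"))

    def check(self, interface: str, vlan: int, src_ip: str, src_mac: str, is_dhcp: bool = False) -> str:
        """Return 'forward:<reason>' or 'drop:deny-all' for one IP packet on an ingress port."""
        cfg = self.port(interface)
        # IP Source Guard only acts on untrusted ports under DHCP Snooping control.
        if not cfg.verify_source or cfg.dhcp_trust:
            return "forward:unfiltered"
        if is_dhcp:
            return "forward:dhcp-exempt"          # DHCP packets are never checked
        if vlan in cfg.exclude_vlans:
            return "forward:vlan-excluded"        # excluded VLAN: forwarded unchecked
        for b in self.bindings:
            if b.vlan != vlan or b.ip != src_ip:
                continue
            if b.interface not in (None, interface):
                continue                          # port-specific entry for another port
            if cfg.port_security and b.mac.lower() != src_mac.lower():
                continue                          # IP+MAC mode: MAC must match too
            return f"forward:{b.source}"
        # No matching entry: the port's implicit deny-all entry drops the packet.
        return "drop:deny-all"


def build_switch_a() -> IPSourceGuard:
    """Switch A from the chapter's configuration example, with its two DHCP bindings."""
    g = IPSourceGuard()
    g.port("GigabitEthernet 0/1").dhcp_trust = True
    for p in ("GigabitEthernet 0/2", "GigabitEthernet 0/3"):
        g.port(p).verify_source = True
        g.port(p).port_security = True
    g.static_binding("0000.0000.0001", "192.168.216.4", 1, "GigabitEthernet 0/2")
    g.dhcp_snooping_learn("0013.2049.9014", "192.168.216.4", 1, "GigabitEthernet 0/3")
    g.dhcp_snooping_learn("00e0.4c70.b7e2", "192.168.216.3", 1, "GigabitEthernet 0/2")
    return g


if __name__ == "__main__":
    sw = build_switch_a()
    print(sw.check("GigabitEthernet 0/2", 1, "192.168.216.3", "00e0.4c70.b7e2"))
    print(sw.check("GigabitEthernet 0/2", 1, "192.168.216.4", "0013.2049.9014"))
```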

Monitoring

Displaying IP Source Guard Filtering Entry


Use this command to display IP Source Guard filtering entry.

Command Function
Ruijie# show ip verify source [ interface interface-id ] [ wlan wlan-id ] Display IP Source Guard filtering entries.

For example:

Ruijie# show ip verify source

Total number of bindings: 7
NO.   INTERFACE            FILTERTYPE  FILTERSTATUS           IPADDRESS        MACADDRESS       VLAN   TYPE
----- -------------------- ----------- ---------------------- ---------------- ---------------- ------ -------------
1     Global               IP+MAC      Inactive-system-error  192.168.0.127    0001.0002.0003   1      Static
2     GigabitEthernet 0/5  IP-ONLY     Active                 1.2.3.4          0001.0002.0004   1      DHCP-Snooping
3     Global               IP-ONLY     Active                 1.2.3.7          0001.0002.0007   1      Static
4     Global               IP+MAC      Active                 1.2.3.6          0001.0002.0006   1      Static
5     GigabitEthernet 0/1  UNSET       Inactive-restrict-off  1.2.3.9          0001.0002.0009   1      DHCP-Snooping
6     GigabitEthernet 0/5  IP-ONLY     Active                 Deny-All
7     WLAN 1               IP-ONLY     Active                 Deny-ALL

Displaying Hardware-based IP Packet Filtering Database


Use this command to display the related information of hardware-based IP packet filtering database.

Command Function
Ruijie# show ip source binding [ ip-address ] [ mac-address ] [ dhcp-snooping ] [ static ] [ vlan vlan-id ] [ interface interface-id ] Display the hardware-based IP packet filtering database.

For example:

Ruijie# show ip source binding


MacAddress IpAddress Lease(sec) Type VLAN Interface
----------- ---------- ---------- ------- ---- ------
0000.0000.0001 1.0.0.1 infinite static 1 FastEthernet2/1
Total number of bindings: 1
FastEthernet 0/1
Total number of bindings: 1

Configuration Examples

Network Topology

Deployment

Application Requirements
The user can only use the IP address dynamically allocated by a valid DHCP server or statically allocated by the
administrator to access network. IP packets with source IP different from the IP addresses contained in the hardware
filtering list of switch will be blocked to ensure network security.

Configuration Tips
Configure IP Source Guard and DHCP Snooping on the access device (Switch A) to meet the requirements:

 Configure the uplink port (GigabitEthernet 0/1) as trusted port to avoid DHCP server spoofing.
 Enable IP Source Guard on PC-connecting ports (GigabitEthernet 0/2 and GigabitEthernet 0/3).
 The user with IP address assigned by the administrator can be configured through IP Source Guard static binding (IP
address: 192.168.216.4; MAC address: 0000.0000.0001).

Configuration Steps
Configure Switch A

Step 1: Enable DHCP Snooping.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#ip dhcp snooping

Step 2: Configure the uplink port as the trusted port of DHCP Snooping.

Ruijie(config)#interface gigabitEthernet 0/1


Ruijie(config-if-GigabitEthernet 0/1)#ip dhcp snooping trust
Ruijie(config-if-GigabitEthernet 0/1)#exit

Step 3: Enable IP Source Guard on the port directly connected with PC

Ruijie(config)#interface range gigabitEthernet 0/2-3


Ruijie(config-if-range)#ip verify source port-security
Ruijie(config-if-range)#exit

Step 4: Configure static binding user

Ruijie(config)#ip source binding 0000.0000.0001 vlan 1 192.168.216.4 interface gigabitEthernet 0/2

Verification
Step 1: Check the configurations of Switch A. Key points: whether DHCP Snooping has been enabled, whether the uplink
port has been configured as the trusted port, whether IP Source Guard has been enabled on the user-connecting port,
and whether the static binding entries are correct.

Ruijie#show running-config

ip dhcp snooping
!
ip source binding 0000.0000.0001 vlan 1 192.168.216.1 interface GigabitEthernet 0/2
!
interface GigabitEthernet 0/1
ip dhcp snooping trust
!
interface GigabitEthernet 0/2
ip verify source port-security
!
interface GigabitEthernet 0/3
ip verify source port-security

Step 2: Display DHCP Snooping user binding database

Ruijie#show ip dhcp snooping binding


Total number of bindings: 2
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ------------ ------------- ----- --------------------
0013.2049.9014 192.168.216.4 86233 dhcp-snooping 1 GigabitEthernet 0/3
00e0.4c70.b7e2 192.168.216.3 86228 dhcp-snooping 1 GigabitEthernet 0/2

Step 3: Display the IP hardware filtering list jointly generated through DHCP Snooping user binding database and static
bindings:

Ruijie#show ip source binding


MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ------------ ------------- ----- --------------------
0000.0000.0001 192.168.216.4 infinite static 1 GigabitEthernet 0/2
0013.2049.9014 192.168.216.4 86176 dhcp-snooping 1 GigabitEthernet 0/3
00e0.4c70.b7e2 192.168.216.3 86171 dhcp-snooping 1 GigabitEthernet 0/2
Total number of bindings: 3

Step 4: Display the filtering entries of IP Source Guard:

Ruijie#show ip verify source


Interface Filter-type Filter-mode Ip-address Mac-address VLAN
-------------------- ----------- ----------- --------------- -------------- --------
GigabitEthernet 0/2 ip+mac active 192.168.216.4 0000.0000.0001 1
GigabitEthernet 0/2 ip+mac active 192.168.216.3 00e0.4c70.b7e2 1
GigabitEthernet 0/2 ip+mac active deny-all deny-all
GigabitEthernet 0/3 ip+mac active 192.168.216.4 0013.2049.9014 1
GigabitEthernet 0/3 ip+mac active
Configuration Guide Configuring IGMP Snooping

Configuring IGMP Snooping

 The IGMP snooping function is not supported on AP110-W or AP120-W.

Overview

Internet Group Management Protocol Snooping, abbreviated as IGMP Snooping, is an IP multicast flow control mechanism
that runs within a VLAN. It manages and controls IP multicast forwarding in the VLAN and belongs to the Layer 2 multicast
functions. The IGMP Snooping function described below operates per VLAN, and the related ports are the member ports
of that VLAN.

The device running IGMP Snooping sets up the mapping between ports and multicast addresses by analyzing the received
IGMP packets, and forwards IP multicast packets based on that mapping. As shown in Figure 1, with IGMP Snooping
disabled, IP multicast packets are broadcast in the VLAN; with IGMP Snooping enabled, known IP multicast packets are
not broadcast in the VLAN but sent only to the specified recipients.

Figure 1 Contrast between VLAN with IGMP Snooping disabled and VLAN with IGMP Snooping enabled

Ruijie multicast products support both the Layer 2 multicast (IGMP Snooping) function and the Layer 3 multicast
(multicast routing) function. That is, to forward packets more efficiently, Ruijie devices support not only Layer 3 multicast
route forwarding but also snooping within the VLAN.

Two Types of IGMP Snooping Ports


As shown in Figure 2, the Router is connected with the multicast source. IGMP Snooping is enabled on SwitchA. Host A
and Host C are receivers (that is, IP multicast group members).

Figure 2 IGMP Snooping Port Type

 Multicast Router Port: the switch is connected with the multicast router(the Layer3 multicast device), take the
SwitchA interface Eth0/1 for example. All router ports on the switch(including the dynamic and static ports) are
recorded in the router port list. By default, the router port corresponds to the recipient of the multicast data in the
VLAN, and can also be added to the IGMP Snooping forwarding list.
 Member Port: the abbreviation of the IP multicast group member port, also named Listener Port, representing the
port connected with the IP multicast group member on the switch, take the SwitchA interface Eth0/2, Eth0/3 and
Eth0/4 for example. All member ports on the switch(including the dynamic and static ports) are recorded in the IGMP
Snooping forwarding list.

The Aging Timer of Dynamic Port

Type Description Events triggering timer Activity after timeout

Type: Aging timer for the dynamic router port
Description: Enable a timer for each dynamic router port. The timeout time is the aging time of the dynamic router port.
Events triggering timer: Receive the IGMP general query packet or the IP PIM Hello packet.
Activity after timeout: Remove the port from the router port list.

Type: Aging timer for the dynamic member port
Description: Enable a timer for each dynamic member port. The timeout time is the aging time of the dynamic member port.
Events triggering timer: Receive the IGMP query packet.
Activity after timeout: Remove the port from the IGMP Snooping multicast group forwarding list.

Operation Mechanism of IGMP Snooping

General Group Query and Specific Group Query

IGMP querier sends the general query packets to all hosts and routers(with the address: 224.0.0.1) in the local network
segment periodically to query for the IP multicast group member in the network segment. Upon receiving the IGMP
general query packets, the switch forwards those query packets to all ports in this VLAN, and processes the
packet-receiving port as follows:

 If this port has already been in the router port list, reset the aging timer.
 If this port has not been in the router port list, add the port to the list and enable the aging timer.

After receiving IGMP general query packets, the multicast device enables the aging timer for all member ports. The aging
time is set to the maximum response time carried in the IGMP query packet. When the aging time reaches 0, the member
port no longer receives the multicast flow and is removed from the IGMP Snooping forwarding list.

After receiving IGMP group-specific query packets, the multicast device enables the aging timer for all member ports of
that specific group. The aging time is set to the maximum response time carried in the IGMP query packet. When the aging
time reaches 0, the member port no longer receives the multicast flow and is removed from the IGMP Snooping forwarding
list. For IGMP group-and-source-specific query packets, the aging timer does not need to be updated.

Membership Report

In the following circumstances, the host sends the IGMP membership report to the IGMP querier:

 After receiving the IGMP query(general or specific-group query) packets, the IP multicast group member host
responds to the received packets.
 If the host wants to join in an IP multicast group, it will take the initiative to send the IGMP membership report to the
IGMP querier and claim to join in the IP multicast group.

Upon receiving an IGMP membership report message, the switch forwards the message through all router ports in the
VLAN, extracts from the message the IP multicast group address the host wants to join, and processes the
packet-receiving port as follows:

 If no forwarding entry exists for the IP multicast group, create a forwarding entry, add the port to the outgoing port
list as a dynamic member port, and enable the aging timer.
 If a forwarding entry for the IP multicast group exists but its outgoing port list does not include the port, add the port
to the outgoing port list as a dynamic member port, and enable the aging timer.
 If a forwarding entry for the IP multicast group exists and its outgoing port list already includes the port, reset the
aging timer.

Leaving the Multicast Group

When leaving the IP multicast group, the host notifies the multicast router of the leave event by sending the IGMP leave
group packets. At present, Ruijie products provide two ways of leaving:

 Automatic leave: Upon receiving the IGMP leave group packets from a dynamic member port, the switch forwards
those packets to the router ports, and enables a timeout timer for the member port. If the switch fails to receive the
corresponding response packets before the timeout, it will age relevant member ports.
 Fast leave: Upon receiving the IGMP leave group packets from a dynamic member port, the switch forwards those
packets to the router ports, and deletes relevant member ports.

Working Modes of IGMP Snooping


 DISABLE: The IGMP Snooping does not work in this mode. That is, the switch does not snoop the IGMP messages
between the host and the router. Multicast frames are forwarded in the VLAN in the broadcast form.
 IVGL(Independent VLAN Group Learning): In this mode, the multicast flows in different VLANs are independent. A
host can only request multicast flows to the router interface in the same VLAN. Upon receiving the multicast flow in
any VLAN, the switch forwards the flow to the member port in the same VLAN.
 SVGL(Shared VLAN Group Learning): In this mode, the hosts in different VLANs share the same multicast flow. A
host can request multicast flows across VLANs. By designating a Shared VLAN, you can only forward the multicast
flows received in this Shared VLAN to other member ports in different VLANs. In the SVGL mode, IGMP Profile
must be used to divide the multicast address range, within which the multicast flow can be forwarded across VLANs.
By default, all group range is not within the SVGL range and all multicast flows are dropped. As shown in Figure-3:
 IVGL-SVGL mode: also known as promiscuous mode. In this mode, the IVGL mode and the SVGL mode can
co-exist. Use IGMP Profile to divide a set of multicast address range to the SVGL, within which the member port of
the multicast forwarding entry can be forwarded across VLANs and without which the member ports are forwarded in
the same VLAN.

SVGL mode and IVGL-SVGL mode conflict with the IP multicast function.

PIM Snooping must depend on either IVGL or IVGL-SVGL mode of IGMP Snooping.

IGMP Profiles are used to define the range of group addresses for other functions' reference.

Multicast VLAN

Figure 3 Multicast Flow in the Shared VLAN forwarding across VLANs



Multicast VLAN is a typical application that can be realized when IGMP Snooping runs in SVGL or IVGL-SVGL mode. As
shown above, when the switch runs IGMP Snooping in SVGL or IVGL-SVGL mode, it sets the VLANs where the user hosts
reside as sub VLANs. In this way, when several user hosts request the same multicast stream, the switch can deliver the
packets to each sub VLAN as long as the multicast router sends a single copy of the multicast packet into the shared
VLAN.

If the switch runs IGMP Snooping in IVGL mode, the multicast router has to send a separate copy of the multicast data
into each user VLAN. This wastes network bandwidth and puts additional load on the Layer 3 device.

Relationship between IGMP Snooping and QinQ


After IGMP Snooping is enabled and dot1q-tunnel port is configured on the device, IGMP packets received from
dot1q-tunnel port will be handled in two ways through IGMP Snooping:

1st way: Create multicast entries on the VLAN to which the IGMP packets belong, and forward the IGMP packets on that
VLAN. For example: assume that IGMP Snooping has been enabled on the device; port A is a dot1q-tunnel port; the default
VLAN of port A is VLAN 1, and packets from VLAN 1 and VLAN 10 can pass through port A. When multicast requests of
VLAN 10 are sent to port A, IGMP Snooping will create the multicast entry of VLAN 10 and forward the multicast requests
to the router port of VLAN 10.

2nd way: Create multicast entries on the default VLAN to which dot1q-tunnel belong, and forward multicast packets on the
default VLAN of dot1q-tunnel port after inserting the VLAN Tag of the default VLAN of dot1q-tunnel port. For example: It is
assumed that IGMP Snooping has been enabled on the device; port A is a dot1q-tunnel port; the default VLAN of port A is
VLAN 1, and packets from VLAN 1 and VLAN 10 can pass through port A. When multicast requests of VLAN 10 are sent
to port A, IGMP Snooping will create the multicast entry of VLAN 1 and insert the VLAN Tag of VLAN 1 into multicast
requests before forwarding the multicast requests to the router port of VLAN 1.

IGMP Snooping Querier


In a multicast network running IGMP, a Layer-3 multicast device acting as the IGMP querier is responsible for sending
IGMP general queries, so that all Layer-3 multicast devices can establish and maintain multicast forwarding entries, thus
to forward multicast traffic correctly at the network layer.

However, in a network without a Layer-3 multicast device, a Layer-2 multicast device does not support IGMP and therefore
cannot provide the functions of the IGMP querier. By enabling IGMP Snooping on a Layer-2 device, the device can
establish and maintain multicast forwarding entries at the data link layer and thus forward multicast traffic correctly at
the data link layer.

Multicast Security Control

Multicast Access Control

IGMP itself cannot control whether a user may join a specific multicast group. Since multicast traffic is replicated at the
access node, controlling whether a user can obtain a multicast video stream at the access node is important: it protects
the video data and the carrier's revenue, and keeps out illegal users. Currently, a customized Profile can be preconfigured
on the user port through the device management feature, so that user joins are permitted or denied, the multicast service
is controlled, and illegal users are prevented from occupying network resources when access to one or more multicast
programs is controlled. Similar functions allow precise control of user access to multicast programs at the access node,
such as multicast preview. The number of programs accessible to a specific user can also be limited, which effectively
protects network bandwidth resources.

The multicast devices released by Ruijie can realize diversified control of users:

 Port-based control of user access to multicast traffic


Under certain circumstances, you may need to control a user's access to multicast traffic on a port. In this case, you
can configure the port-based multicast filter. Detailed configurations are described in the section "Configure port
filter".
 VLAN-based control of user access to multicast traffic
Under certain circumstances, you may need to control a VLAN's access to multicast traffic. In this case, you can
configure the VLAN-based multicast filter. Detailed configurations are described in the section "Configure VLAN
filter".
 Port-based control of the amount of multicast traffic accessible to a user
If a user requests multiple multicast programs on the same port, this puts great pressure on network bandwidth. By
configuring the number of multicast programs allowed on the port, you can effectively limit the multicast programs
a user can request. Detailed configurations are given in the section "Configure IGMP Filtering".
 Multicast preview
For certain multicast video streams, if the user has no access to the stream but the service provider wants the user
to preview it within a preview interval, the device must support user-based multicast preview.

Source Port Check

IGMP SNOOPING source port check enhances network security.

IGMP Snooping source port check limits the ingress ports of IGMP multicast traffic. When IGMP Snooping source port
check is disabled, video streams entering from any port are considered valid, and the multicast device forwards them to
the registered member ports according to the IGMP Snooping forwarding table. When IGMP Snooping source port check is
enabled, only multicast traffic entering from a router port is considered valid, and the Layer-2 multicast device forwards
it to the registered ports. Multicast traffic entering from a non-router port is considered invalid and discarded.
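The port learning, aging, leave handling and source port check described in "Operation Mechanism of IGMP Snooping" and "Source Port Check" fit into a small state machine; the following Python simulation is an added example, not RGOS code. Timers run on an integer clock advanced by the caller, the aging values and port names are assumptions, and the class and method names are the example's own.

```python
"""IGMP Snooping port learning and forwarding (constructed simulation, not RGOS code)."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class IgmpSnooper:
    ports: Set[str]                           # member ports of the snooped VLAN
    router_age: int = 300                     # assumed aging time of a dynamic router port
    member_age: int = 260                     # assumed aging time of a dynamic member port
    fast_leave: bool = False                  # fast leave instead of automatic leave
    source_port_check: bool = False           # accept multicast data only from router ports
    router_ports: Dict[str, int] = field(default_factory=dict)       # port -> expiry time
    groups: Dict[str, Dict[str, int]] = field(default_factory=dict)  # group -> port -> expiry

    def _learn_router_port(self, port: str, now: int) -> None:
        # Port already in the router port list: reset its timer; otherwise add it.
        self.router_ports[port] = now + self.router_age

    def general_query(self, port: str, now: int, max_resp: int) -> Set[str]:
        """Query to 224.0.0.1: learn the router port and re-arm every member port."""
        self._learn_router_port(port, now)
        for members in self.groups.values():
            for m in members:
                members[m] = now + max_resp   # aging time = maximum response time
        return self.ports - {port}            # the query is flooded to all other ports

    def group_query(self, group: str, port: str, now: int, max_resp: int) -> Set[str]:
        """Group-specific query: only members of that group are re-armed."""
        for m in self.groups.get(group, {}):
            self.groups[group][m] = now + max_resp
        return self.ports - {port}

    def pim_hello(self, port: str, now: int) -> None:
        self._learn_router_port(port, now)    # PIM Hello also marks a router port

    def report(self, group: str, port: str, now: int) -> Set[str]:
        """Membership report: create or refresh the entry, relay via router ports."""
        self.groups.setdefault(group, {})[port] = now + self.member_age
        return set(self.router_ports) - {port}

    def leave(self, group: str, port: str, now: int, leave_timeout: int) -> Set[str]:
        """Leave group: fast leave deletes the port, automatic leave starts a timeout."""
        members = self.groups.get(group, {})
        if port in members:
            if self.fast_leave:
                del members[port]
            else:
                members[port] = now + leave_timeout   # aged out unless a report arrives
        if group in self.groups and not self.groups[group]:
            del self.groups[group]
        return set(self.router_ports) - {port}

    def tick(self, now: int) -> None:
        """Age out dynamic router ports and member ports whose timers have expired."""
        self.router_ports = {p: t for p, t in self.router_ports.items() if t > now}
        for group in list(self.groups):
            live = {p: t for p, t in self.groups[group].items() if t > now}
            if live:
                self.groups[group] = live
            else:
                del self.groups[group]

    def forward(self, group: str, ingress: str) -> Set[str]:
        """Egress ports for a multicast frame of `group` that arrived on `ingress`."""
        if self.source_port_check and ingress not in self.router_ports:
            return set()                      # invalid source port: discarded
        if group not in self.groups:
            return self.ports - {ingress}     # unknown group: broadcast in the VLAN
        # Known group: member ports plus router ports (routers receive by default).
        return (set(self.groups[group]) | set(self.router_ports)) - {ingress}


def demo() -> dict:
    """Join, automatic leave and aging on a four-port VLAN (constructed scenario)."""
    s = IgmpSnooper(ports={"Eth0/1", "Eth0/2", "Eth0/3", "Eth0/4"})
    s.general_query("Eth0/1", now=0, max_resp=10)   # router learnt on Eth0/1
    s.report("239.1.1.1", "Eth0/2", now=1)          # host on Eth0/2 joins
    known = s.forward("239.1.1.1", "Eth0/1")
    s.leave("239.1.1.1", "Eth0/2", now=2, leave_timeout=3)
    still = s.forward("239.1.1.1", "Eth0/1")        # automatic leave: still a member
    s.tick(now=6)                                   # no report arrived: aged out
    flooded = s.forward("239.1.1.1", "Eth0/1")
    return {"known": known, "still": still, "flooded": flooded}


if __name__ == "__main__":
    print(demo())
```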

IGMP Snooping source port check uses masks. The definition of masks is detailed in "Access Control List
Configuration". Masks are shared among address binding, source port check and ACL, and the total number of
available masks depends on the product. Since masks are limited in number, these three features affect each
other. Enabling address binding occupies two masks, and enabling source port check also occupies two masks;
the masks available to ACL depend on whether these two features have been enabled. Assuming that ACL can by
default use up to 8 masks, if address binding or source port check is enabled, the number of masks available
to ACL drops to 6. If address binding and source port check are both enabled, the masks available to ACL drop
to 4. Conversely, if ACL uses multiple masks and the remaining masks cannot meet the needs of these two
features, the system prompts that mask resources are used up when address binding or source port check is
enabled. When one of these three features cannot run normally because of the mask limit, it can be made to
work by reducing the masks used by the other two features. For example, when the three features are enabled
at the same time and the system prompts that masks are used up when enabling source port check, you can
disable address binding (remove all address bindings) or delete the ACEs of the ACL that occupy multiple
masks, so that source port check can be enabled normally.

When enabling IGMP Snooping or configuring a router port while source port check is enabled, source port check
may fail because of inadequate mask resources. The system prompts: Source port check applying failed for
hardware out of resources. In this case, release other resources first and then enable source port check
again.

Source IP Check
Among the multicast devices released by Ruijie, certain products support IGMP SNOOPING source IP check, further
enhancing network security.

IGMP SNOOPING source IP check is intended to limit the source IP address of IGMP multicast traffic. When IGMP
Snooping source IP check is disabled, all incoming video streams are considered valid, the layer-2 multicast device will
forward them to registered member ports as per IGMP Snooping forwarding table. When IGMP Snooping source IP check
is enabled, only the multicast traffic with the configured source IP address will be considered valid, and the multicast
device will then forward them to the registered ports. Multicast traffic with other source IP addresses will be considered
invalid and discarded.

Configuration

After layer-2 multicasting is enabled on the Private VLAN or Super VLAN, if the multicast source exists in the
Sub-VLAN, another route entry needs to be duplicated and the ingress is the Sub-VLAN in which the
multicast streams enter. As the ingress validity check is required for multicast forwarding, one more multicast
hardware entry will be occupied with one less multicast capacity. It is recommended to configure the master
VLAN as the ingress for multicast streams on the Private VLAN and Super VLAN, the other Sub-VLAN as
egress VLAN connected to the host to receive multicast streams.

When the layer-2 multicasting is enabled on the Private VLAN or Super VLAN, it is recommended to configure
the port Access as the forwarding egress of multicast streams. If the forwarding egress of multicast streams
is configured as port Trunk, it may forward multiple duplicate multicast streams.

After the IGMP Snooping function is enabled, multicast protocol packets within the VLAN are broadcast by
software instead of hardware. Software forwarding performance is lower than hardware forwarding performance.
Therefore, if massive numbers of multicast protocol packets must be forwarded in the VLAN, you are advised to
disable the IGMP Snooping function to ensure the forwarding performance of multicast protocol packets.

If a VLAN is configured as a remote VLAN and the IGMP Snooping function on the VLAN is disabled, you can
still configure IGMP Snooping related to the VLAN, for example, the VLAN-based configuration of router
ports and member ports. However, the configuration does not take effect.

Disabling IGMP Snooping


Command Function
Ruijie(config)# no ip igmp snooping Disable IGMP Snooping for all VLANs.
Ruijie(config)# no ip igmp snooping vlan vid Disable IGMP Snooping for a specified VLAN.
Ruijie(config)# ip igmp snooping vlan vid Enable IGMP Snooping for a specified VLAN.

By default, with IGMP Snooping globally enabled, the IGMP Snooping function is auto-enabled in all VLANs. Use the no
ip igmp snooping vlan command to disable the IGMP Snooping function for a specified VLAN.

This example disables the IGMP Snooping:

Ruijie# configure terminal
Ruijie(config)# no ip igmp snooping
Ruijie(config)# show ip igmp snooping
IGMP Snooping running mode: DISABLE
Source port check: Disable
Source ip check: Disable
IGMP Fast-Leave: Disable
IGMP Report suppress: Disable

This example disables the IGMP Snooping for VLAN 3:

Ruijie# configure terminal
Ruijie(config)# no ip igmp snooping vlan 3
Ruijie(config)# show ip igmp snooping
IGMP Snooping running mode: IVGL
Source port check: Disable
Source ip check: Disable
IGMP Fast-Leave: Disable
IGMP Report suppress: Disable

vlan 1
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled

vlan 2
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled

vlan 3
-------------
IGMP Snooping :Disabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled

vlan 4
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled

With the IGMP Snooping enabled in the VLAN, the MLD Snooping function must also be enabled if the IPv6
multicast is applied in the VLAN.

Configuring the Router Port

Static Router Ports

Command Function
Ruijie(config)# ip igmp snooping vlan vid mrouter interface interface-id
    Set the interface as the static router interface.
Ruijie(config)# no ip igmp snooping vlan vid mrouter interface interface-id
    Restore the default setting.

No static router interface is configured by default.

In SVGL mode, if Sub VLAN is not configured, only the configuration of the static router port belonging to the
Shared VLAN will take effect. Other ports can be configured but the configuration will not take effect. If Sub
VLAN is configured, the configuration of the static router port belonging to the Shared VLAN or non-sub
VLAN will take effect. Other ports can be configured but the configuration will not take effect.

In IVGL-SVGL mode, if Sub VLAN is not configured, the configuration of the static router ports of all VLANs will
take effect. If Sub VLAN is configured, the configuration of the static router port belonging to the Shared
VLAN or non-sub VLAN will take effect. Other ports can be configured but the configuration will not take
effect.

In IVGL mode, the configuration of the static router ports of all VLANs will take effect.

Dynamic Router Ports

Command Function
Ruijie(config)# ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
    Enable the dynamic learning function for the router port in the VLAN. By default, the function is enabled.
Ruijie(config)# no ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
    Disable the dynamic learning function for the router port in the VLAN and clear all router ports learned dynamically.

If a dynamic router port receives neither an IGMP general query packet nor a PIM Hello packet before its aging timer
expires, the switch deletes the port from the list of router ports.

Example: Set Ethernet interface 1/1 as the static router port and enable the dynamic learning function of router ports
in VLAN 1:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 1 mrouter interface gigabitEthernet 1/1
Ruijie(config)# ip igmp snooping vlan 1 mrouter learn pim-dvmrp
Ruijie(config)# end
Ruijie# show ip igmp snooping mrouter
Vlan Interface State
---- ------------------- ------
1 GigabitEthernet 1/1 static
1 GigabitEthernet 0/2 dynamic

Ruijie# show ip igmp snooping mrouter learn
Vlan learn method
---- ------------------
1 pim-dvmrp

Configuring Member Port


Configuring Static Member Port

Command Function
Ruijie(config)# ip igmp snooping vlan vid static ip-addr interface interface-id
    Statically configure a port to receive a certain multicast flow.
    • vid: VLAN ID of the multicast flow
    • ip-addr: multicast group address
    • interface-id: interface ID
Ruijie(config)# no ip igmp snooping vlan vid static ip-addr interface interface-id
    Restore the default setting.
    • vid: VLAN ID of the multicast flow
    • ip-addr: multicast group address
    • interface-id: interface ID

If a host connected to a port needs to receive IP multicast data sent to a specific IP multicast group regularly, add the port
statically to this IP multicast group, making it a static member port.

Use no ip igmp snooping vlan vlan-id static ip-addr interface interface-id to delete the static member of IGMP
Snooping.

This example configures a static member port of IGMP snooping:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 1 static 233.3.3.4 interface GigabitEthernet 0/7
Ruijie(config)# end
Ruijie# show ip igmp snooping gda
Abbr: M - mrouter
D - dynamic
S - static
VLAN Address Member ports
---- -------------- -----------------------------
1 233.3.3.4 GigabitEthernet 0/7(S)

Configuring the Aging Time for the Dynamic Member Port

Command Function
Ruijie(config)# ip igmp snooping host-aging-time time
    Configure the aging time of IGMP dynamic member ports, in the range from 1 to 65535 seconds. The default is 260.
Ruijie(config)# no ip igmp snooping host-aging-time
    Restore the default of 260 seconds.

The aging time of a dynamic member port refers to the time set for this port when it receives the IGMP join-in packet sent
by a host to join a specific IP multicast group.

After receiving an IGMP join-in packet, the aging timer of this dynamic member port is reset to host-aging-time. If the
timer expires, the device assumes that no host receiving multicast packets is attached to this port, and the multicast
device removes the port from the member ports of IGMP Snooping. After this command is configured, the aging timer of a
dynamic member port is set to host-aging-time when it receives an IGMP join-in packet. The configuration takes effect
when the next join-in packet is received; the timers of member ports that are already running are not updated.

Example: Configure the aging time of IGMP dynamic ports to 30s:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping host-aging-time 30

Configuring the Maximum Response Time of the IGMP Query Message

Command Function
Ruijie(config)# ip igmp snooping query-max-response-time seconds
    Set the maximum response time of the IGMP Query message, in the range from 1 to 65535 seconds. The default is 10.
Ruijie(config)# no ip igmp snooping query-max-response-time
    Restore the maximum response time to the default value.

After receiving an IGMP general group query packet, the multicast device resets the aging timer of all dynamic member
ports to query-max-response-time. If the timer expires, the device assumes that no host receiving multicast packets is
attached to the port, and removes the port from the member ports of IGMP Snooping.

After receiving an IGMP group-specific query packet, the multicast device resets the aging timer of all dynamic member
ports of that group to query-max-response-time. If the timer expires, the device assumes that no host receiving
multicast packets is attached to the port, and removes the port from the member ports of IGMP Snooping.

For the IGMPv3 group-and-source-specific query packet, no timer is updated. This configuration takes effect when the
next query packet is received; timers that are already running are not updated.

The following example configures the maximum response time of the IGMP Query message to 15s:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping query-max-response-time 15

Configuring Fast-Leave

Command Function
Ruijie(config)# ip igmp snooping fast-leave enable
    Enable the fast-leave function. By default, this function is disabled.
Ruijie(config)# no ip igmp snooping fast-leave enable
    Restore the default setting.

Port fast-leave means that when a switch receives from a port an IGMP leave group message sent by a host to leave a
certain IP multicast group, the switch directly removes the port from the list of member ports in the corresponding
forwarding entry. If there is only one receiver connected to the port on the switch, you may enable the port fast-leave
function to save bandwidth and resources. This function applies only when a single requester exists on the relevant port.

The following example enables the fast-leave function:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping fast-leave enable

Configuring IGMP Snooping Suppression


Command Function
Ruijie(config)# ip igmp snooping suppression enable
    Enable IGMP Snooping suppression. By default, this function is enabled.
Ruijie(config)# no ip igmp snooping suppression enable
    Disable IGMP Snooping suppression.

Whenever a member port receives an IGMP Report packet, it will transmit this packet to the router port. If the member port
of a VLAN receives multiple identical Report packets within a query interval, the router port will receive multiple identical
Report packets. If the Report packet suppression function is enabled, the router port only forwards the first received IGMP
Report packet of a specific IP multicast group within a query interval. Otherwise, the router port will forward out all
received IGMP Report packets. The IGMP Report packet suppression function can reduce the number of packets on the
network.
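The member-port timers (host-aging-time and query-max-response-time), Report suppression and fast-leave behaviour
described in the preceding sections, traced in a small Python model. This is an added illustration, not RGOS code and
not part of the original guide; the class and method names, the port names (Gi0/1, Gi0/2, Gi0/3, Gi0/7) and the event
timeline are constructed for the example.

```python
from typing import Dict, List, Optional, Set, Tuple

# group -> port -> expiry time in seconds; None marks a static member port that never ages out
Table = Dict[str, Dict[str, Optional[float]]]


class SnoopingVlan:
    """Toy model of one VLAN's IGMP Snooping state (constructed for illustration)."""

    def __init__(self, host_aging_time: float = 260, query_max_response_time: float = 10,
                 fast_leave: bool = False, report_suppression: bool = True):
        self.host_aging_time = host_aging_time
        self.query_max_response_time = query_max_response_time
        self.fast_leave = fast_leave
        self.report_suppression = report_suppression
        self.router_ports: Set[str] = set()              # static or learned from PIM Hello / queries
        self.groups: Table = {}
        self.reported_this_interval: Set[str] = set()    # groups whose Report was already relayed

    def add_static_member(self, group: str, port: str) -> None:
        """Counterpart of 'ip igmp snooping vlan ... static <group> interface <port>'."""
        self.groups.setdefault(group, {})[port] = None

    def receive_report(self, port: str, group: str, now: float) -> bool:
        """Learn or refresh a dynamic member port; return whether the Report is relayed
        to the router ports (False when suppressed as a duplicate in this query interval)."""
        members = self.groups.setdefault(group, {})
        if members.get(port, "new") is not None:         # new or dynamic port; static stays static
            # Armed with the host-aging-time in force now; changing the setting later
            # does not touch timers that are already running.
            members[port] = now + self.host_aging_time
        if self.report_suppression and group in self.reported_this_interval:
            return False
        self.reported_this_interval.add(group)
        return True

    def receive_query(self, now: float, group: Optional[str] = None) -> None:
        """General query (group=None) or group-specific query: shorten every affected
        dynamic timer to query-max-response-time and open a new query interval."""
        targets = [group] if group else list(self.groups)
        for g in targets:
            self.reported_this_interval.discard(g)
            for port, expiry in list(self.groups.get(g, {}).items()):
                if expiry is not None:
                    self.groups[g][port] = now + self.query_max_response_time

    def receive_leave(self, port: str, group: str) -> bool:
        """With fast-leave the port is dropped at once (meant for a single receiver per
        port); without it, the leave is left to the query/aging cycle."""
        members = self.groups.get(group, {})
        if not self.fast_leave or members.get(port) is None:   # off, unknown port, or static
            return False
        del members[port]
        if not members:
            del self.groups[group]
        return True

    def age(self, now: float) -> List[Tuple[str, str]]:
        """Remove dynamic member ports whose timer has run out; static ports are kept."""
        removed = []
        for group, members in list(self.groups.items()):
            for port, expiry in list(members.items()):
                if expiry is not None and expiry <= now:
                    del members[port]
                    removed.append((group, port))
            if not members:
                del self.groups[group]
        return removed

    def oports(self, group: str) -> List[str]:
        """Egress ports as the GDA table shows them: (S)tatic, (D)ynamic, (M)router."""
        tags = {p: "S" if e is None else "D" for p, e in self.groups.get(group, {}).items()}
        for p in self.router_ports:
            tags.setdefault(p, "M")
        return sorted(f"{p}({t})" for p, t in tags.items())


def demo() -> dict:
    """Replay constructed events (not captured traffic) through the model."""
    vlan = SnoopingVlan(host_aging_time=30, query_max_response_time=10)
    vlan.router_ports.add("Gi0/2")
    vlan.add_static_member("233.3.3.4", "Gi0/7")
    relayed = [vlan.receive_report("Gi0/1", "233.3.6.29", now=0),
               vlan.receive_report("Gi0/3", "233.3.6.29", now=1)]   # duplicate: suppressed
    before = vlan.oports("233.3.6.29")
    vlan.receive_query(now=20)                            # both dynamic timers now end at 30
    relayed.append(vlan.receive_report("Gi0/1", "233.3.6.29", now=21))  # new interval: relayed
    aged = vlan.age(now=31)                               # Gi0/3 stayed silent -> removed
    slow = vlan.receive_leave("Gi0/1", "233.3.6.29")     # fast-leave off: nothing happens
    vlan.fast_leave = True
    fast = vlan.receive_leave("Gi0/1", "233.3.6.29")
    after = vlan.oports("233.3.6.29")                     # only the router port is left
    vlan.age(now=10_000)
    return {"relayed": relayed, "before": before, "aged": aged, "slow_leave": slow,
            "fast_leave": fast, "after": after, "static_kept": vlan.oports("233.3.3.4")}
```

Running demo() shows the second Report for the same group being suppressed within a query interval, the general query
shortening both dynamic timers to query-max-response-time so that the silent host on Gi0/3 ages out while the host
on Gi0/1 that answered is kept, a leave being ignored until fast-leave is enabled, and the static member on Gi0/7
surviving aging. Note that a suppressed duplicate Report still refreshes the sending port's membership; suppression
only limits what is relayed towards the router ports.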

The following example enables the IGMP Snooping suppression function:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping suppression enable

Configuring Source Port Check


Command Function
Ruijie(config)# ip igmp snooping source-check port
    Enable source port check.
Ruijie(config)# no ip igmp snooping source-check port
    Disable source port check.

Configuring VLAN Filter


Command Function
Ruijie(config)# ip igmp snooping vlan num filter profile-number
    Apply the profile to this VLAN. The profile number ranges from 1 to 1024. By default, a VLAN is not associated
    with any profile.
Ruijie(config-if)# no ip igmp snooping vlan num filter
    Delete the profile associated with the VLAN, which will then permit all groups.

Under certain circumstances, you may need to control the reception of multicast traffic on the egress of a specific
VLAN. A VLAN-based filter meets this need.

You can apply an IGMP Profile to a VLAN. When IGMP Report packets are received on a port belonging to this VLAN, the
layer-2 multicast device verifies whether the multicast address that the port wants to join falls within the range
permitted by the IGMP Profile. If so, the port joins the group and processing continues.

The following example shows how to configure the VLAN filter:

Ruijie# configure terminal
Ruijie(config)# interface fastEthernet 0/1
Ruijie(config-if)# ip igmp snooping vlan 2 filter 1

Configuring IGMP Snooping Querier


Enabling IGMP Snooping Querier

Command Function
Ruijie(config)# ip igmp snooping querier
    Globally enable IGMP querier.
Ruijie(config)# no ip igmp snooping querier
    Globally disable IGMP querier.
Ruijie(config)# ip igmp snooping vlan num querier
    Enable IGMP Snooping querier for a specific VLAN.
Ruijie(config)# no ip igmp snooping vlan num querier
    Disable IGMP Snooping querier for a specific VLAN.

Configuring the Source IP for the IGMP Snooping Querier

Command Function
Ruijie(config)# ip igmp snooping querier address a.b.c.d
    Globally configure the querier source IP address.
Ruijie(config)# no ip igmp snooping querier address
    Globally disable the querier source IP address.
Ruijie(config)# ip igmp snooping vlan num querier address a.b.c.d
    Configure the source IP address for the querier of a specific VLAN.
Ruijie(config)# no ip igmp snooping vlan num querier address
    Cancel the source IP address for the querier of a specific VLAN.

The following example shows how to globally configure the source IP address of IGMP querier:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping querier address 192.168.2.2

Example: Configure the source IP address for the querier of a specific VLAN.

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 2 querier address 192.168.2.2

Configuring the Maximum Response Time to Queries

Command Function
Ruijie(config)# ip igmp snooping querier max-response-time seconds
    Globally configure the maximum response time to queries. The default value is 10 seconds.
Ruijie(config)# no ip igmp snooping querier max-response-time
    Globally restore the maximum response time to queries to the default value.
Ruijie(config)# ip igmp snooping vlan vid querier max-response-time seconds
    Configure the maximum response time to query packets of a specific VLAN. The default is 10 seconds.
Ruijie(config)# no ip igmp snooping vlan vid querier max-response-time
    Restore the default maximum response time to query packets.

The following example shows how to configure the maximum response time to queries:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping querier max-response-time 20

Example: Configure the maximum response time to query packets of a specific VLAN:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 2 querier max-response-time 20

Configuring the Query Interval

Command Function
Ruijie(config)# ip igmp snooping querier query-interval num
    Globally configure the interval for periodically sending IGMP queries. The default value is 60 seconds.
Ruijie(config)# no ip igmp snooping querier query-interval
    Globally restore the interval for periodically sending IGMP queries to the default value.
Ruijie(config)# ip igmp snooping vlan num querier query-interval num
    Configure the interval for periodically sending IGMP query packets of a specific VLAN. The default value is
    60 seconds.
Ruijie(config)# no ip igmp snooping vlan num querier query-interval
    Restore the default interval for periodically sending IGMP query packets of a specific VLAN.

The following example shows how to globally configure the query interval:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping querier query-interval 300

Example: Configure the query interval of a specific VLAN:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 2 querier query-interval 300

Configuring Non-Querier Expiration Timer

Command Function
Ruijie(config)# ip igmp snooping querier timer expiry num
    Globally configure the querier expiration timer.
Ruijie(config)# no ip igmp snooping querier timer expiry
    Globally restore the querier expiration timer to the default value.
Ruijie(config)# ip igmp snooping vlan num querier timer expiry num
    Configure the non-querier timeout period of a specific VLAN.
Ruijie(config)# no ip igmp snooping vlan num querier timer expiry
    Restore the non-querier timeout period of a specific VLAN to the default.

The following example shows how to globally configure querier expiration timer:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping querier timer expiry 70

Example: Configure the non-querier timeout period of a specific VLAN.

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 2 querier timer expiry 70

Configuring IGMP Version Number

Command Function
Ruijie(config)# ip igmp snooping querier version num
    Globally configure the IGMP version number (1-2). Default value: 2.
Ruijie(config)# no ip igmp snooping querier version
    Globally restore the IGMP version number to the default value.
Ruijie(config)# ip igmp snooping vlan num querier version num
    Configure the IGMP version of the querier on a VLAN, which ranges from 1 to 2; the default is 2.
Ruijie(config)# no ip igmp snooping vlan num querier version
    Restore the default IGMP version of the querier on a VLAN.

The following example shows how to globally configure IGMP version number:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping querier version 1

Example: Configure the IGMP version of the querier on a VLAN:

Ruijie# configure terminal
Ruijie(config)# ip igmp snooping vlan 2 querier version 1

Monitoring

Showing IGMP Snooping Information


Command Function
Ruijie# show ip igmp snooping
    View the current operation mode and global configuration of IGMP Snooping.

The following example uses the show ip igmp snooping command to view the IGMP Snooping configuration
information:

Ruijie# show ip igmp snooping
IGMP-snooping mode : IVGL
SVGL vlan-id : 1
SVGL profile number : 0
Source port check : Disabled
Source ip check : Disabled
IGMP Fast-Leave : Disabled
IGMP Report suppress : Disable

vlan 1
-------------
IGMP Snooping state: Enabled
Multicast router learning mode: pim-dvmrp
IGMPv2 fast leave: Disabled
IGMP VLAN querier: Disable

Showing the Router Interface

Command Function
Ruijie# show ip igmp snooping mrouter
    Show the router interface information of IGMP Snooping.

The following example uses the show ip igmp snooping mrouter command to view the router interface information of
IGMP Snooping:

Ruijie# show ip igmp snooping mrouter
Multicast Switching Mroute Port
D: DYNAMIC
S: STATIC
(*, *, 1):
VLAN(1) 1 MROUTES:
GigabitEthernet 0/2(S)

Showing and Clearing the Forwarding Table of IGMP Snooping


To view the forwarding rule of each port in the multicast group, that is, the GDA (Group Destination Address) table,
execute the following commands in the privileged EXEC mode:

Command Function
Ruijie# show ip igmp snooping gda-table
    View the forwarding table of IGMP Snooping, namely the Group Destination Address (GDA) table.
Ruijie# clear ip igmp snooping gda-table
    Clear the GDA table. This command cannot be used to delete static member ports. Use the no or default form of
    this command to restore the default setting.

Example: View the GDA table:

Ruijie# show ip igmp snooping gda-table
Multicast Switching Cache Table
D: DYNAMIC
S: STATIC
M: MROUTE
(*, 233.3.6.29, 1):
VLAN(1) 3 OPORTS:
GigabitEthernet 0/3(S)
GigabitEthernet 0/2(M)
GigabitEthernet 0/1(D)

(*, 233.3.6.30, 1):
VLAN(1) 2 OPORTS:
GigabitEthernet 0/2(M)
GigabitEthernet 0/1(D)

If IGMP Snooping is enabled on a Private-VLAN or Super-VLAN, the entries established in the GDA forwarding table
are all based on the master VLAN of the Private-VLAN or Super-VLAN. A forwarding table entry indicates that all
forwarding egresses can receive multicast streams from the master VLAN. For multicast streams from a Sub VLAN, the
forwarding rules must comply with those of the Private-VLAN or Super-VLAN. In this case, each GDA forwarding table
entry may correspond to multiple hardware forwarding table entries. As a result, the capacity of the forwarding table
may be lower than the expected value.

Showing Source Port Check Status


Command Function
Ruijie# show ip igmp snooping
    View the current operation mode and global configuration of IGMP Snooping.

This example shows the source port check status of IGMP Snooping:

Ruijie# show ip igmp snooping
IGMP Snooping running mode: IVGL
Source port check: Enable
Source ip check: Disable
IGMP Fast-Leave: Disable
IGMP Report suppress: Disable
IGMP Globle Querier: Disable
IGMP Preview: Disable
IGMP Preveiw group aging time : 300(Seconds)
Dynamic Mroute Aging Time : 300(Seconds)
Tunnel IGMP Packet: Disable

Showing IGMP Port Filter


Command Function
Ruijie# show ip igmp snooping interface interface-id
    View IGMP port filter information.

The following example views the IGMP Filtering information.

Ruijie# show ip igmp snooping interface GigabitEthernet 0/7
Interface Filter Profile number max-groups
------------------- --------------------- -----------
GigabitEthernet 0/7 1 4294967294

Showing IGMP Snooping Querier


Command Function
Ruijie# show ip igmp snooping querier View IGMP Querier information.
Ruijie# show ip igmp snooping querier detail View the details of IGMP Querier.

The following example views the IGMP Querier information.

Ruijie# show ip igmp snooping querier detail
Vlan IP Address IGMP Version Port
-----------------------------------------------------------

Global IGMP switch querier status
--------------------------------------------------------
admin state : Enable
admin version : 2
source IP address : 1.1.1.1
query-interval (sec) : 125
max-response-time (sec) : 10
querier-timeout (sec) : 60

Vlan 1: IGMP switch querier status
--------------------------------------------------------
admin state : Enable
admin version : 2
source IP address : 1.1.2.2
query-interval (sec) : 125
max-response-time (sec) : 10
querier-timeout (sec) : 60
operational state : Disable
operational version : 2

Vlan 2: IGMP switch querier status
--------------------------------------------------------
admin state : Disable
admin version : 2
source IP address : 1.1.1.1
query-interval (sec) : 125
max-response-time (sec) : 10
querier-timeout (sec) : 60
operational state : Disable
operational version : 2
Configuration Guide Configuring ACL

Configuring ACL

Overview

As part of the Ruijie security solution, an access control list (ACL) provides a powerful traffic filtering function.
Currently, Ruijie products support many types of access lists.

Depending on network conditions, you can choose different ACLs to control data flows.

ACL is the shortened form of Access Control List, also called Access List. It is also commonly called a firewall or
packet filtering in some documentation. An ACL controls the packets on a device interface by defining rules: Permit or
Deny. According to their usage, ACLs are divided into security ACLs and QoS ACLs.

By filtering the data streams, you can restrict the communication data types in the network and restrict the users of the
network and the device they can use. When data streams pass the switch, ACLs classify and filter them, that is, check the
data streams input from the specified interface and determine whether to permit or deny them according to the matching
conditions.

To sum up, the security ACL is used to control which dataflow is allowed to pass through the network device. The QoS
policy performs priority classification and processing for the dataflow.

ACLs consist of a series of entries, known as Access Control Entry (ACE). Each entry specifies its matching condition and
behavior.

Access list rules can be about the source addresses, destination addresses, upper layer protocols, time-ranges or other
information of data flows.

Why to Configure ACL


There are many reasons to configure access lists. Some of them are as follows:

 Restrict route updating: Control where route update information is sent and received.
 Restrict network access: To ensure network security, define rules that prevent users from accessing some services
(for example, when a user only needs the WWW and E-mail services, other services such as TELNET are disabled), allow
users to access services only during a given period, or allow only some hosts to access the network.

Figure 1-1 is a case. In the case, only host A is allowed to access Finance Network, while Host B is disallowed to do so.
See Figure 1-1.

Figure 1-1 Using Access List to Control Network Access



When to Configure ACL


Depending on your requirements, you can select the basic access list or the dynamic access list. In general, the basic
access list meets the security requirement. However, experienced hackers may use software to spoof source addresses
and deceive the devices in order to gain access. The dynamic access list requires a user to pass authentication before
accessing the network, which makes it difficult for hackers to break into the network. So, in some sensitive areas the
dynamic access list can be used to ensure network security.

An inherent problem of all access lists is source address spoofing, that is, presenting forged source addresses to
deceive switches. Even if you use the dynamic list, spoofing remains possible: during the valid access period of an
authenticated user, a hacker may use a counterfeit copy of that user's address to access the network. There are two
methods to reduce the problem. One is to keep the period during which a user may access the network as short as
possible, making it hard for a hacker to attack the network. The other is to use the IPSEC encryption protocol to
encrypt network data, ensuring that all the data entering switches is encrypted.

Access lists are usually configured in the following locations of network devices:

 Devices between the inside network and outside network (such as the Internet)
 Devices at the borders of two parts in a network
 Devices on the access control port

ACL statements are executed strictly in the order in which they appear in the list. Starting from the first statement,
once a packet header matches a statement's condition, the remaining statements are ignored.

Input/output ACL, Filtering Domain Template and Rule


When a device interface receives a packet, the input ACL checks whether the packet matches an ACE of the ACL applied
to the interface in the input direction. When a device interface is ready to output a packet, the output ACL checks
whether the packet matches an ACE of the ACL applied to the interface in the output direction.

When detailed filtering rules are formulated, all or some of the following eight items may be used. As long as a
packet matches one ACE, the ACL processes the packet as the ACE defines (permit or deny). The ACE of an ACL identifies
Ethernet packets according to some fields of the packets. The fields include the following:

Layer-2 fields:

 48-bit source MAC address (all the 48 bits must be declared)
 48-bit destination MAC address (all the 48 bits must be declared)
 16-bit layer-2 type field

Layer-3 fields:

 Source IP address field (you can specify all the 32 bits of the IP address, or specify a type of streams of the defined
subnet)
 Destination IP address field (you can specify all the 32 bits of the IP address, or specify a type of streams of the
defined subnet)
 Protocol type field

Layer-4 fields:

 You can specify one TCP source port, destination port, or both
 You can specify one UDP source port, destination port, or both

The filtering domain consists of the fields in the packets based on which the packets are identified and classified when you
create an ACE. A filtering domain template is the definition formed by these fields. For example, when one ACE is
generated, you want to identify and classify messages according to the destination IP field of a message. When another
ACE is generated, you want to identify and classify messages according to the source IP address field of a message and
the source port field of UDP. In this way, these two ACEs use different filtering domain templates.

Rules refer to the values of the ACE mask. For example, one ACE is:

permit tcp host 192.168.12.2 any eq telnet

In this ACE, the filtering domain template is a collection of the following fields: Source IP Address Fields, IP Protocol
Fields and Destination TCP Port Fields. Corresponding values (rules) are respectively as follows: Source IP Address=host
192.168.12.2; IP Protocol=tcp; TCP Destination Port=telnet.

Figure 1-2 Analysis of the ACE: permit tcp host 192.168.12.2 any eq telnet

A filtering domain template can be the collection of L3 fields (Layer 3 Field) and L4 fields (Layer 4 Field), or the
collection of multiple L2 fields (Layer 2 Field). However, the filtering domain template of a standard or extended
ACL cannot combine L2 fields with L3 fields, L2 fields with L4 fields, or L2 fields with L3 and L4 fields. To use the
combination of L2, L3 and L4 fields, apply an Expert ACL.

When associating an SVI with an ACL in the outbound direction, note the following:
Standard IP ACLs, extended IP ACLs, extended MAC ACLs and expert ACLs are supported. There are some limits on
matching the destination IP address and the destination MAC address in an ACL. If you configure an extended MAC ACL
or expert ACL to match the destination MAC address and then apply this ACL to the outbound direction of an SVI, the
entry is set but does not take effect. If a standard IP ACL, extended IP ACL or expert ACL matches a destination IP
address that is not in the subnet of the associated SVI, this ACL does not take effect. For example, VLAN 1's IP
address is 192.168.64.1 255.255.255.0. If you create an ACL with the ACE deny udp any 192.168.65.1 0.0.0.255 eq 255
and apply it at the egress of VLAN 1, the ACL does not function, because the destination IP address is not in the
subnet of VLAN 1. If the ACE is deny udp any 192.168.64.1 0.0.0.255 eq 255, the ACL takes effect.

When an expert ACL is applied to the outbound direction of an interface, its permit and deny rules cannot control the
non-IP packets transmitted on the interface if any ACE in the ACL contains L3 matching information (such as an IP
address or L4 port).
When an ACL is applied, matching of tagged MPLS packets is invalid if the ACEs in the ACL (including IP access lists
and expert extended access lists) match non-L2 fields (such as SIP and DIP).

ACL logging
To enable you to learn of the ACL running status on the device, you need to determine whether to specify the output
option for packet-matching logs. If you specify the option, the packet-matching log information is exported when the
matching rule is satisfied. The ACL logging information contains the ACE log information. That is, the device periodically
records the ACE information in packets, including the number of packets matching the ACE. The following is an example:

*Sep 9 16:23:06: %ACL-6-MATCH: ACL 100 ACE 10 permit icmp any any, match 78 packets.

To properly control the number and frequency of exporting logs, ACL logging supports the configuration of the log output
intervals, involving configuring log output intervals respectively for IPv4 ACL and IPv6 ACL.

An ACE with the ACL logging option uses more hardware resources. If all the configured ACEs carry the ACL
logging option, the ACE capacity on the device decreases by a half.

By default, the log output interval is 0 for ACL logging, that is, no log is exported. After you specify the log
output option for an ACE, you need to configure the output interval for ACL logging so that the required logs can be
exported.
For an ACE with the ACL logging option:
No packet-matching log related to the ACE is exported if no packet is matched within the specified interval;
Packet-matching logs related to the ACE are exported when the interval elapses if packets were matched within the
interval. The packet hit count is the number of packets matched with the ACE during the interval, that is, from the
last time the ACE exported logs to the current export.

ACL-Matching Packet Count


To facilitate network management, you may need to know whether an ACE matches packets and the number of matched
packets. Therefore, the ACL provides the ACE-based matching-packet count function. You can enable or disable this
function for all ACEs in an ACL at a time. The following types of ACLs support this function:

 IP access lists
 MAC access lists
 Expert access lists
 IPv6 access lists

In addition, you can use the ACL statistic clearing command to reset the matching-packet count to zero for recounting.

Configuration

Configuring IP Access List


To configure access lists on a device, you must specify a unique name or number for each access list of a protocol so
that the list is uniquely identified within that protocol. The following table lists the protocols that can use numbers to
identify access lists and the number range available to each protocol.

Protocol          Number Range
Standard IP       1-99, 1300-1999
Extended IP       100-199, 2000-2699

Guide to configure IP Access List

When you create an access list, the defined rules are applied to all packets on the switch. The switch decides
whether to forward or block a packet by checking whether the packet matches a rule.

Basic access lists include standard access lists and extended access lists. The typical rules defined in access lists are
the following:

 Source address
 Destination address
 Upper layer protocol
 Time range

Standard IP access lists (1-99, 1300-1999) forward or block packets according to the source address. Extended IP
access lists (100-199, 2000-2699) use combinations of the four criteria above to forward or block packets. Other types
of access lists forward or block packets according to the fields specific to those types.

A single access list can use multiple separate access list statements to define multiple rules; all statements share the
same number or name, which binds them to the same access list. However, the more statements are used, the harder
the access list is to read and understand.

Implicit "Deny Any Data Flow" Rule Statement

Every access list ends with an implicit "deny any data flow" rule statement. Therefore, if a packet matches no
rule, it is denied, as shown in the following example:

access-list 1 permit host 192.168.4.12

This list allows only packets from host 192.168.4.12 and denies every other host, because the list ends with the
following implicit rule statement: access-list 1 deny any

Here is another example:

access-list 1 deny host 192.168.4.12

If the list contains only the statement above, packets from every host are denied on the port: host 192.168.4.12 is
denied explicitly and every other host is denied by the implicit rule at the end.

Consider routing update packets when defining an access list. Because the end of the access list "denies all
data flow", an access list applied to an interface blocks all routing update packets unless they are explicitly
permitted.

Order of Rule Statements

Each added rule is appended to the end of the access list. A statement created with the global access-list command
cannot be deleted separately; only the whole access list can be deleted (in ACL configuration mode, an entry can be
removed by its sequence number, as described under Configuring ACL Entries by Priority). The order of the access
list statements is therefore very important. When deciding whether to forward or block a packet, the switch compares
the packet with the statements in the order in which they were created. After finding a matching statement, it does
not check the remaining statements.

If you create a statement that matches all data flows (for example, one that permits or denies all IP packets), the
statements that follow it are never checked, as shown in the following example:

access-list 101 deny ip any any
access-list 101 permit tcp 192.168.12.0 0.0.0.255 any eq telnet

Because the first statement denies all IP packets, telnet packets from hosts on the 192.168.12.0/24 network are
denied. The switch finds that these packets match the first statement and does not check the other statements.
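To make the first-match rule and the implicit deny concrete, the following Python model is an added example; it is not
RGOS code and not taken from this guide. It evaluates a small subset of extended IP ACL syntax (wildcard masks, host,
any, and eq on the destination port) in the order the entries were created and falls through to the implicit deny. The
port keywords it understands and the packet fields it checks are assumptions of the example; the standard-list examples
above are expressed in the extended form "permit ip host ... any" so that one parser serves both.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Port keywords accepted by the parser below: a small subset assumed for the example.
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: str
    src_wild: str               # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str
    dst_port: Optional[int] = None   # "eq <port>" on the destination, if present


def wild_match(addr: str, base: str, wild: str) -> bool:
    """Compare addr with base on the bits the wildcard leaves as 0."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (b & care)


def _take_addr(toks: List[str]):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    return toks[0], toks[1], toks[2:]


def parse_ace(text: str) -> Ace:
    """Parse 'permit|deny <proto> <src spec> <dst spec> [eq <port>]' (extended IP ACL subset)."""
    toks = text.split()
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src, src_wild, rest = _take_addr(rest)
    dst, dst_wild, rest = _take_addr(rest)
    port = None
    if len(rest) >= 2 and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return Ace(action, proto, src, src_wild, dst, dst_wild, port)


def build(lines: List[str]) -> List[Ace]:
    """Entries are kept in creation order, which is the order they are evaluated in."""
    return [parse_ace(line) for line in lines]


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """The first matching ACE decides; a packet that matches nothing hits the implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not wild_match(src, ace.src, ace.src_wild):
            continue
        if not wild_match(dst, ace.dst, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "deny"   # the implicit "deny any" at the end of every list


if __name__ == "__main__":
    wrong_order = build(["deny ip any any",
                         "permit tcp 192.168.12.0 0.0.0.255 any eq telnet"])
    right_order = list(reversed(wrong_order))
    print("deny first :", evaluate(wrong_order, "tcp", "192.168.12.7", "10.0.0.1", 23))
    print("permit first:", evaluate(right_order, "tcp", "192.168.12.7", "10.0.0.1", 23))
```

Running the two orderings of the access-list 101 example side by side shows the shadowing directly: with the deny
first, telnet from 192.168.12.7 is denied; with the permit first it is permitted, while telnet from any other network and
any other port from the permitted network still fall through to the implicit deny.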

Configuring IP Access List

The configuration of a basic access list includes the following steps:

 Define a basic access list
 Apply the access list to a specific interface

There are two methods to configure a basic access list.

Method 1: Run the following commands in global configuration mode:

Command                                                                  Function
Ruijie(config)# access-list id { deny | permit } { src src-wildcard |    Defines an access list.
  host src | any | interface idx } [ time-range tm-rng-name ]
Ruijie(config)# interface interface                                      Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ip access-group id { in | out }                       Applies the access list to the specified interface.

Method 2: Run the following commands in ACL configuration mode:

Command                                                                  Function
Ruijie(config)# ip access-list { standard | extended } { id | name }     Enters access list configuration mode.
Ruijie(config-xxx-nacl)# [ sn ] { permit | deny } { src src-wildcard |   Adds entries to the ACL. For details, see the command reference.
  host src | any } [ time-range tm-rng-name ]
Ruijie(config-xxx-nacl)# exit                                            Exits access list configuration mode.
Ruijie(config)# interface interface                                      Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ip access-group { id | name } { in | out }            Applies the access list to the specified interface.

Method 1 configures only numbered ACLs. Method 2 configures numbered or named ACLs and can also specify the
entry sequence numbers, that is, the entry priorities (on devices that support ACE priorities).

Displaying IP ACL

To monitor access lists, run the following command in privileged EXEC mode:

Command                                                 Function
Ruijie# show access-lists [ id | name ] [ summary ]     Displays the access list.

Configuration example:

Ruijie# show access-lists
Extended IP access list 101
10 deny ip any host 11.1.1.2 log (3 matches)
20 permit ip any any log (10690 matches)
30 deny ip host 192.168.21.59 any log (101 matches)
40 permit tcp host 192.168.21.59 any eq ftp log
50 permit ip host 192.168.21.59 any log

Because entry 20 permits all IP packets, entries 30, 40 and 50 after it can no longer be reached; when the match
counts of later entries stay unchanged, check the entry order.

Configuring Extended MAC Address-based Access Control List


To configure MAC address-based access control lists on a device, you must specify a unique name or number for each
access list of a protocol so that the list is uniquely identified within that protocol. The following table lists the number
range that can be used for MAC access lists.

Protocol                       Number Range
Extended MAC Access List       700-799

Configuration Guide of Extended MAC Address-based Access Control List

When a MAC access list is created, the defined rules are applied to all packets on the switch. The switch decides
whether to forward or block a packet by checking whether the packet matches a rule.

The typical rules defined in MAC access lists are the following:

 Source MAC address
 Destination MAC address
 Ethernet protocol type
 Time-range

A MAC extended access list (700-799) forwards or blocks packets based on the source and destination MAC
addresses, and can also match the Ethernet protocol type.

A single MAC access list can use multiple separate access list statements to define multiple rules; all statements share
the same number or name, which binds them to the same access list.

Configuring Extended MAC Address-based Access Control List

The configuration of a MAC access list includes the following steps:

 Define a MAC access list
 Apply the access list to a specific interface

There are two methods to configure a MAC access list.

Method 1: Run the following commands in global configuration mode:

Command                                                                      Function
Ruijie(config)# access-list id { deny | permit } { any | host src-mac-addr } Defines an access list. For details about the command,
  { any | host dst-mac-addr } [ ethernet-type ] [ cos cos ]                  see the command reference.
Ruijie(config)# interface interface                                          Selects the interface to which the access list is to be applied.
Ruijie(config-if)# mac access-group id { in | out }                          Applies the access list to the specified interface.

Method 2: Run the following commands in ACL configuration mode:

Command                                                                      Function
Ruijie(config)# mac access-list extended { id | name }                       Enters access list configuration mode.
Ruijie(config-mac-nacl)# [ sn ] { permit | deny } { any | host src-mac-addr } Adds entries to the ACL. For details about the command,
  { any | host dst-mac-addr } [ ethernet-type ] [ cos cos ]                  see the command reference.
Ruijie(config-mac-nacl)# exit                                                Exits access list configuration mode.
Ruijie(config)# interface interface                                          Selects the interface to which the access list is to be applied.
Ruijie(config-if)# mac access-group { id | name } { in | out }               Applies the access list to the specified interface.

Method 1 configures only numbered ACLs. Method 2 configures numbered or named ACLs and can also specify the
entry sequence numbers, that is, the entry priorities (on devices that support ACE priorities).

Displaying the MAC Extended Access List Configuration

To monitor access lists, run the following command in privileged EXEC mode:

Command                                     Function
Ruijie# show access-lists [ id | name ]     Displays the MAC extended access list.

Configuring Expert Extended Access List


To configure expert extended access lists on a device, you must specify a unique name or number for each access list
of a protocol so that the list is uniquely identified within that protocol. The table below lists the number range of expert
access lists.

Protocol                          Number Range
Expert extended access list       2700-2899

Configuration Guide of Expert Extended Access List

When you create an expert extended access list, the defined rules are applied to all packets on the switch. The switch
decides whether to forward or block a packet by checking whether the packet matches a rule.

The typical rules defined in expert access lists are the following:

 All the fields available in basic access lists and MAC extended access lists
 VLAN ID

Expert extended access lists (2700-2899) combine basic access lists and MAC extended access lists and can also
filter on the VLAN ID.

A single expert access list can use multiple separate access list statements to define multiple rules; all statements
share the same number or name, which binds them to the same access list.

Configuring Expert Extended ACL

The configuration of an expert access list includes the following steps:

 Define an expert access list
 Apply the access list to a specific interface (where the application requires it)

There are two methods to configure an expert access list.

Method 1: Run the following commands in global configuration mode:

Command                                                                        Function
Ruijie(config)# access-list id { deny | permit } [ prot |                      Defines an access list. For details about the command,
  { [ ethernet-type ] [ cos cos ] } ] [ vid vid ] { src src-wildcard | host    see the command reference.
  src | interface idx } { host src-mac-addr | any } { dst dst-wildcard |
  host dst | any } { host dst-mac-addr | any } [ precedence precedence ]
  [ tos tos ] [ dscp dscp ] [ fragment ] [ time-range tm-rng-name ]
Ruijie(config)# interface interface                                            Selects the interface to which the access list is to be applied.
Ruijie(config-if)# expert access-group { id | name } { in | out }              Applies the access list to the specified interface.

Method 2: Run the following commands in ACL configuration mode:

Command                                                                        Function
Ruijie(config)# expert access-list extended { id | name }                      Enters access list configuration mode.
Ruijie(config-exp-nacl)# [ sn ] { permit | deny } [ prot |                     Adds entries to the ACL. For details about the command,
  { [ ethernet-type ] [ cos cos ] } ] [ vid vid ] { src src-wildcard | host    see the command reference.
  src | interface idx } { host src-mac-addr | any } { dst dst-wildcard |
  host dst | any } { host dst-mac-addr | any } [ precedence precedence ]
  [ tos tos ] [ dscp dscp ] [ fragment ] [ time-range tm-rng-name ]
Ruijie(config-exp-nacl)# exit                                                  Exits access list configuration mode.
Ruijie(config)# interface interface                                            Selects the interface to which the access list is to be applied.
Ruijie(config-if)# expert access-group { id | name } { in | out }              Applies the access list to the specified interface.

Method 1 configures only numbered ACLs. Method 2 configures numbered or named ACLs. In a version that supports
entry priorities, method 2 can also specify the priority of each entry (the [ sn ] option of the command).

Displaying the Expert Extended ACL Configuration

To monitor access lists, run the following command in privileged EXEC mode:

Command                                     Function
Ruijie# show access-lists [ id | name ]     Displays the expert access list.

Configuring IPv6-based Extended Access List

Configuring IPv6 Extended Access List

The configuration of an IPv6 access list includes the following steps:

 Define an IPv6 access list
 Apply the access list to a specific interface (where the application requires it)

An IPv6 access list is configured in ACL configuration mode only. Run the following commands:

Command                                                                 Function
Ruijie(config)# ipv6 access-list name                                   Enters access list configuration mode.
Ruijie(config-ipv6-nacl)# [ sn ] { permit | deny } prot                 Adds entries to the ACL. For details about the command,
  { src-ipv6-prefix/prefix-len | host src-ipv6-addr | any }             see the command reference.
  { dst-ipv6-prefix/prefix-len | any | host dst-ipv6-addr } [ dscp dscp ]
  [ flow-label flow-label ] [ time-range tm-rng-name ]
Ruijie(config-ipv6-nacl)# exit                                          Exits access list configuration mode.
Ruijie(config)# interface interface                                     Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ipv6 traffic-filter name { in | out }                Applies the access list to the specified interface.

Displaying the IPv6 Extended Access List Configuration

To monitor access lists, run the following command in privileged EXEC mode:

Command                                 Function
Ruijie# show access-lists [ name ]      Displays the IPv6 access list.

Configuration example:

Ruijie# show access-lists
ipv6 access-list extended v6-list
permit ipv6 ::192.168.4.11 any (203 matches)
deny any any (1 matches)

An IPv6 ACL supports any one of the following three sets of matching fields:

sip, dip

protocol, sip, l4_src, l4_dst, dscp, flow_label, range

protocol, dip, l4_src, l4_dst, dscp, flow_label, range

An ACL cannot match all of the above fields at once. In addition, an IPv6 ACL does not support fragment matching,
and an ACL that matches sip and dip at the same time cannot also match the ICMP type and code or the source and
destination ports.

Other Related Configurations

Configuring the ACL80


ACL80 is also called the custom access list; it filters packets by matching the first 80 bytes of the packet. A packet
is a sequence of bytes, and ACL80 lets the user match, bit by bit, any 16 bytes chosen from the first 80 bytes of the
packet.

The SMAC, DMAC, SIP, DIP and ETYPE fields of a packet are not reserved as predefined fields in ACL80. In other
words, you can choose to match those fields or any other 16 bytes.

For any of the 16 bytes, each bit can be compared with the configured value or ignored; in other words, any bit of
those 16 bytes can be required to be 0 or 1. Filtering any byte involves two factors: the filtering rule and the filter
domain template (the mask). Their bits correspond one to one. The filtering rule specifies the value of the field to be
filtered. The filter domain template specifies whether each bit of the filtering rule is compared ("1" means the
corresponding bit of the filtering rule is matched, "0" means it is not). Therefore, to match a bit, set the corresponding
bit of the filter domain template to 1. If a filter domain template bit is 0, the corresponding bit of the filtering rule is
ignored no matter what its value is.

Creating an Advanced Expert Access List

Command                                                Function
Ruijie(config)# expert access-list advanced name       Creates an advanced expert access list and places the device in
                                                       expert advanced access list configuration mode.
                                                       name: Name of the advanced expert access list

For example:

Ruijie(config)# expert access-list advanced name
Ruijie(config-exp-dacl)# permit 00d0f8123456 ffffffffffff 0
Ruijie(config-exp-dacl)# deny 00d0f8654321 ffffffffffff 6

Each entry takes a filtering rule, a filter domain template (mask) and a byte offset. With the frame layout shown below,
the first entry permits frames whose destination MAC address (offset 0) is 00d0.f812.3456, and the second denies
frames whose source MAC address (offset 6) is 00d0.f865.4321; the all-ones mask compares every bit of the six bytes.

The user custom access control list matches any bytes of the first 80 bytes of a layer-2 data frame according to the
user definition and then processes the frame accordingly. To use the user custom access control list correctly, you need
in-depth knowledge of the structure of the layer-2 data frame. The following illustrates the first 64 bytes of a layer-2
data frame (each letter stands for a hexadecimal digit, and each pair of letters for one byte).

AA AA AA AA AA AA BB BB BB BB BB BB CC CC DD DD

DD DD EE FF GG HH HH HH II II JJ KK LL LL MM MM

NN NN OO PP QQ QQ RR RR RR RR SS SS SS SS TT TT

UU UU VV VV VV VV WW WW WW WW XY ZZ aa aa bb bb

In the figure above, the meaning of each letter and the offset of the field are as follows:

Letter   Meaning                                   Offset
A        Destination MAC                           0
B        Source MAC                                6
C        VLAN tag field                            12
D        Data frame length field                   14
E        DSAP field                                18
F        SSAP field                                19
G        Ctrl field                                20
H        Org Code field                            21
I        Encapsulated data type                    24
J        IP version number                         26
K        TOS field                                 27
L        IP packet length                          28
M        ID                                        30
N        Flags field                               32
O        TTL field                                 34
P        Protocol ID                               35
Q        IP checksum                               36
R        Source IP address                         38
S        Destination IP address                    42
T        TCP source port                           46
U        TCP destination port                      48
V        Sequence number                           50
W        Acknowledgment number                     54
XY       TCP header length and reserved bits       58
Z        Reserved bit and flag bits                59
a        Window size field                         60
b        Others                                    62

As shown in the table above, the offset of each field is its offset in a SNAP-encapsulated, tagged 802.3 data frame.
In the user custom access control list, the user uses two parameters, the rule mask and the offset, to extract any bytes
from the first 80 bytes of the data frame, and then compares them with the user-defined rule to filter the matched data
frames for the corresponding processing. The user-defined rule can be any fixed attribute of the data. For example, to
filter all TCP packets, define the rule as "06", the rule mask as "FF" and the offset as 35. Here the rule mask and
offset together extract the protocol ID field of the received data frame, which is compared with the rule so that all TCP
packets are matched.

ACL80 supports matching Ethernet II packets, 802.3 SNAP packets, and 802.3 LLC packets. If the value matched
against the DSAP through Ctrl fields (offsets 18 to 20) is set to AAAA03, 802.3 SNAP packets are matched. If the
value is set to E0E003, 802.3 LLC packets are matched. This field cannot be set to match Ethernet II packets.
Configuration note:
ACL80 has only 16 bytes available for matching. Once the 16 bytes are used, no field outside those 16 bytes can
be matched. For example:

Ruijie(config)# expert access-list advanced name
Ruijie(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 50

If you then use the following command to add another ACE:

Ruijie(config-exp-dacl)# permit 11223344556677889900aabbccddeeff ffffffffffffffffffffffffffffffff 54

the configuration fails because the 16 bytes are already used by the first ACE. To match the second ACE, you must
first delete the first ACE.
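The following Python model is an added example; it is not RGOS code and not taken from this guide. It implements the
rule/mask/offset matching described above and runs it against a constructed 64-byte SNAP frame laid out exactly as in
the offset table, so the "06 / FF / 35" TCP example and the AAAA03 SNAP check can be tried directly. It also models
the 16-byte limit by counting the distinct byte offsets that any configured mask covers, which reproduces the failing
second ACE above; that accounting, and the implicit deny at the end, are assumptions of the example.

```python
from typing import List, Tuple

# Constructed 64-byte SNAP-encapsulated 802.3 frame with the layout of the
# offset table above (offset 35 = IP protocol, 38 = source IP, 48 = TCP
# destination port, ...). Values are made up for the example, not captured.
FRAME = bytes.fromhex(
    "00d0f8123456"    # 0  destination MAC
    "00d0f8654321"    # 6  source MAC
    "8100"            # 12 VLAN tag field
    "00010032"        # 14 data frame length field (4 bytes in the table)
    "aaaa03"          # 18 DSAP, SSAP, Ctrl: AA AA 03 marks a SNAP frame
    "000000"          # 21 Org Code
    "0800"            # 24 encapsulated type: IPv4
    "45"              # 26 IP version / header length
    "00"              # 27 TOS
    "0028"            # 28 IP packet length
    "1234"            # 30 ID
    "4000"            # 32 flags / fragment offset
    "40"              # 34 TTL
    "06"              # 35 protocol: TCP
    "0000"            # 36 IP checksum (not computed)
    "c0a80c07"        # 38 source IP 192.168.12.7
    "0a000001"        # 42 destination IP 10.0.0.1
    "c000"            # 46 TCP source port 49152
    "0017"            # 48 TCP destination port 23
    "00000001"        # 50 sequence number
    "00000000"        # 54 acknowledgment number
    "5002"            # 58 header length, 59 flags (SYN)
    "ffff"            # 60 window size
    "0000"            # 62 others
)
assert len(FRAME) == 64


def acl80_match(frame: bytes, rule: str, mask: str, offset: int) -> bool:
    """Compare the bytes at frame[offset:] with rule, bit by bit, wherever the
    corresponding mask bit is 1. rule and mask are hex strings of equal length."""
    r, m = bytes.fromhex(rule), bytes.fromhex(mask)
    if len(r) != len(m) or not 0 < len(r) <= 16:
        raise ValueError("rule and mask must be the same length, 1 to 16 bytes")
    window = frame[offset:offset + len(r)]
    if len(window) < len(r):
        return False          # rule runs past the end of the frame: no match
    return all((w & mm) == (rr & mm) for w, rr, mm in zip(window, r, m))


def bytes_in_use(aces: List[Tuple[str, str, str, int]]) -> set:
    """Offsets covered by a non-zero mask byte of any ACE. Assumption of this
    example: this is what the 16-byte budget is charged against."""
    used = set()
    for _, _, mask, offset in aces:
        for i, mb in enumerate(bytes.fromhex(mask)):
            if mb:
                used.add(offset + i)
    return used


def can_add(aces: List[Tuple[str, str, str, int]], new: Tuple[str, str, str, int]) -> bool:
    return len(bytes_in_use(aces + [new])) <= 16


def first_match(frame: bytes, aces: List[Tuple[str, str, str, int]]) -> str:
    """(action, rule, mask, offset) tuples in configured order; the implicit
    deny at the end is assumed to apply as for the other ACL types on this page."""
    for action, rule, mask, offset in aces:
        if acl80_match(frame, rule, mask, offset):
            return action
    return "deny"


if __name__ == "__main__":
    print("TCP frame?", acl80_match(FRAME, "06", "ff", 35))
    first = ("permit", "11223344556677889900aabbccddeeff", "ff" * 16, 50)
    second = ("permit", "11223344556677889900aabbccddeeff", "ff" * 16, 54)
    print("second ACE fits in the 16-byte budget?", can_add([first], second))
```

Because ACL80 compares raw bytes at fixed offsets, a rule written for this tagged SNAP layout will silently miss the
same field in an untagged or Ethernet II frame, where every header field sits at a different offset; the frame format
must be pinned down (for example by also matching AAAA03 at offset 18) before the offsets in the table can be trusted.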

Configuring TCP Flag Filtering Control


The TCP Flag filtering feature provides a flexible mechanism. At present, TCP Flag filtering control supports the match-all
option: when the TCP flags of a received packet exactly match those defined in the ACL entry, the packet is handled by
that ACL rule. A user can define any combination of TCP flags to filter packets with specific TCP flags.

For example,

permit tcp any any match-all rst

allows packets whose TCP RST flag is set and whose other flags are all 0 to pass;

permit tcp any any established

allows packets whose TCP RST or ACK flag is set to pass, regardless of whether other flags are set.

This filtering feature can be configured when the protocol of a named or numbered ACL entry is TCP. MAC extended
and standard IP access lists do not have this function.

Configure a TCP Flag entry as follows:

Command                                                                Function
Ruijie(config)# ip access-list extended { id | name }                  Enters access list configuration mode.
Ruijie(config-ext-nacl)# [ sn ] { permit | deny } tcp source           Adds entries to the ACL. For details about the command,
  source-wildcard [ operator port ] destination destination-wildcard   see the command reference.
  [ operator port ] [ match-all flag-name ] [ precedence precedence ]
Ruijie(config-ext-nacl)# exit                                          Exits access list configuration mode.
Ruijie(config)# interface interface                                    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ip access-group { id | name } { in | out }          Applies the access list to the specified interface.

The following example shows how to configure a TCP Flag ACL:

 Enter privileged EXEC mode
Ruijie> enable
Ruijie#
 Enter global configuration mode
Ruijie# configure terminal
Ruijie(config)#
 Enter ACL configuration mode
Ruijie(config)# ip access-list extended test-tcp-flag
Ruijie(config-ext-nacl)#
 Add ACL entries
Ruijie(config-ext-nacl)# permit tcp any any match-all rst
Ruijie(config-ext-nacl)# permit tcp host 1.1.1.1 any established
 Add a deny entry
Ruijie(config-ext-nacl)# deny tcp any any match-all fin
 End
Ruijie(config-ext-nacl)# end
 Show
Ruijie# show access-lists test-tcp-flag
ip access-list extended test-tcp-flag
10 permit tcp any any match-all rst
20 permit tcp host 1.1.1.1 any established
30 deny tcp any any match-all fin
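The following Python model is an added example; it is not RGOS code and not taken from this guide. It implements the
match-all and established semantics described above and replays the test-tcp-flag list, without its host 1.1.1.1
restriction so that only the flag logic is in play. Its treatment of the ECN bits and the assumption that entries are
evaluated first-match with an implicit deny are assumptions of the example. It exists to show an ordering effect worth
checking on a real device: a FIN segment that also carries ACK, which is the normal case, is permitted by the
established entry before the deny entry is ever consulted, so the deny only catches a bare FIN.

```python
from typing import Iterable, List, Optional, Tuple

# Flag bits of the TCP flags byte. CWR and ECE (0x80, 0x40) are left out: the
# guide names only these six, and how the device treats the ECN bits under
# match-all is not stated, so this model ignores them (an assumption).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}
KNOWN = sum(TCP_FLAGS.values())


def flags_byte(names: Iterable[str]) -> int:
    """Build a flags byte from flag names, e.g. ["fin", "ack"] -> 0x11."""
    return sum(TCP_FLAGS[n.lower()] for n in names)


def match_all(flags: int, required: Iterable[str]) -> bool:
    """match-all: every listed flag set and every other known flag clear."""
    return (flags & KNOWN) == flags_byte(required)


def established(flags: int) -> bool:
    """established: RST or ACK set; the other bits do not matter."""
    return bool(flags & (TCP_FLAGS["rst"] | TCP_FLAGS["ack"]))


# An ACE here is (action, qualifier); qualifier is None (no flag check),
# ("match-all", [flag names]) or ("established",). Address matching is left
# out so the flag logic stays in focus.
Ace = Tuple[str, Optional[tuple]]


def evaluate(acl: List[Ace], flags: int) -> str:
    """First matching ACE wins; a packet matching no ACE hits the implicit deny."""
    for action, qual in acl:
        if qual is None:
            return action
        if qual[0] == "match-all" and match_all(flags, qual[1]):
            return action
        if qual[0] == "established" and established(flags):
            return action
    return "deny"


# The test-tcp-flag list from the example above, minus the host 1.1.1.1 restriction.
TEST_TCP_FLAG: List[Ace] = [
    ("permit", ("match-all", ["rst"])),
    ("permit", ("established",)),
    ("deny", ("match-all", ["fin"])),
]

if __name__ == "__main__":
    for names in (["rst"], ["rst", "ack"], ["fin"], ["fin", "ack"], ["syn"]):
        print(names, "->", evaluate(TEST_TCP_FLAG, flags_byte(names)))
```

If the intent is to drop every FIN segment, the deny entry has to come before the established entry, and match-all
fin still only matches a segment whose other flags are all clear; a FIN/ACK needs its own entry with match-all fin ack.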

Configuring ACL Entries by Priority


To express ACE priority, each ACL numbers its ACEs using a start point and an increment, as follows:

 ACEs are sorted in ascending order of sequence number.
 If no number is specified for a new ACE, it receives the number of the previous ACE plus the increment (or the
start point if the list is empty).
 If a number is specified, the ACE is inserted at the sorted position; the increment leaves room so that a new ACE
can be inserted between two adjacent ACEs.
 The ACL specifies the start point and the increment.

The ip access-list resequence { acl-id | acl-name } sn-start sn-inc command renumbers the ACEs; see the command
reference for details.

Whenever the above command is run, the ACEs under the ACL are renumbered. For example, the ACE numbers under
the ACL named tst_acl are as follows:

In the beginning

ace1: 10
ace2: 20
ace3: 30

The ACE numbers are as follows after “ip access-list resequence tst_acl 100 3” is run:

Ruijie(config)# ip access-list resequence tst_acl 100 3


ace1: 100
ace2: 103
ace3: 106

When adding ace4 without entering sn-num, the numbers are as follows:

Ruijie(config-std-nacl)# permit …
ace1: 100
ace2: 103
ace3: 106
ace4: 109

When adding ace5 by entering seq-num = 105, the numbers are as follows:

Ruijie(config-std-nacl)# 105 permit …


ace1: 100
ace2: 103
ace5: 105
ace3: 106
ace4: 109

Sequence numbers make it possible to insert a new ACE at a chosen position, that is, to add ACEs by priority.

Delete ACE

Ruijie(config-std-nacl)# no 106
ace1: 100
ace2: 103
ace5: 105
ace4: 109

The sequence numbers also make it straightforward to delete a specific ACE.
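The following Python class is an added example; it is not RGOS code and not taken from this guide. It replays the
sequence-number behaviour described above: appending without a number, inserting with a number, deleting by number,
and resequencing with a new start point and increment. Its rejection of a reused sequence number and its gap check are
assumptions of the example; the guide does not say what the device does in those cases.

```python
from typing import List, Optional, Tuple


class SequencedAcl:
    """ACEs kept in ascending sequence-number order, following the start/increment
    rules described above."""

    def __init__(self, start: int = 10, inc: int = 10) -> None:
        self.start, self.inc = start, inc
        self.entries: List[Tuple[int, str]] = []   # (sn, rule text)

    def numbers(self) -> List[int]:
        return [sn for sn, _ in self.entries]

    def rules(self) -> List[str]:
        return [rule for _, rule in self.entries]

    def add(self, rule: str, sn: Optional[int] = None) -> int:
        """No sn: append at last sn + increment (or at the start point if empty).
        With sn: insert at the sorted position. Reusing an existing sn is rejected
        here; what the device does in that case is not stated in the guide."""
        if sn is None:
            sn = self.entries[-1][0] + self.inc if self.entries else self.start
        if sn in self.numbers():
            raise ValueError(f"sequence number {sn} is already used")
        self.entries.append((sn, rule))
        self.entries.sort(key=lambda e: e[0])
        return sn

    def delete(self, sn: int) -> None:
        """'no <sn>' removes the one ACE with that number."""
        kept = [e for e in self.entries if e[0] != sn]
        if len(kept) == len(self.entries):
            raise KeyError(f"no ACE with sequence number {sn}")
        self.entries = kept

    def resequence(self, start: int, inc: int) -> None:
        """ip access-list resequence <acl> start inc: renumber, keeping the order."""
        self.start, self.inc = start, inc
        self.entries = [(start + i * inc, rule)
                        for i, (_, rule) in enumerate(self.entries)]

    def has_gap_before(self, sn: int) -> bool:
        """True if a new ACE can still be inserted immediately before the ACE numbered sn.
        When this is False, resequence with a larger increment first."""
        nums = self.numbers()
        idx = nums.index(sn)
        prev = nums[idx - 1] if idx > 0 else 0
        return sn - prev > 1


def replay_page_example() -> SequencedAcl:
    """Walk through the tst_acl example from the text above."""
    acl = SequencedAcl()
    for name in ("ace1", "ace2", "ace3"):
        acl.add(name)                 # 10, 20, 30
    acl.resequence(100, 3)            # 100, 103, 106
    acl.add("ace4")                   # 109
    acl.add("ace5", sn=105)           # inserted between 103 and 106
    acl.delete(106)                   # no 106
    return acl


if __name__ == "__main__":
    for sn, rule in replay_page_example().entries:
        print(sn, rule)
```

Because evaluation follows sequence-number order, inserting ace5 at 105 places it ahead of ace3 at 106, and any
packet that both would match is now decided by ace5; re-check the neighbours of an inserted entry, not only the
entry itself.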



Configuring ACL Based on Time-range


You can make an ACL take effect only at certain times, for example during certain periods of the week. For this
purpose, you must first define a time-range.

The time-range implementation depends on the system clock. To use this function, make sure the system clock is
reliable; if the clock is wrong, a time-based ACE is enforced at the wrong times.

Starting from privileged EXEC mode, create a time-range by performing the following steps:

Command                                                          Function
Ruijie# configure terminal                                       Enters global configuration mode.
Ruijie(config)# time-range time-range-name                       Identifies the time-range with a meaningful name.
Ruijie(config-time-range)# absolute [ start time date ] end      Sets the absolute time range (optional). For details, see the
  time date                                                      time-range configuration guide.
Ruijie(config-time-range)# periodic day-of-the-week time to      Sets the periodic time range (optional).
  [ day-of-the-week ] time
Ruijie# show time-range                                          Verifies the configuration.
Ruijie# copy running-config startup-config                       Saves the configuration.
Ruijie(config)# ip access-list extended 101                      Enters ACL configuration mode.
Ruijie(config-ext-nacl)# permit ip any any time-range            Configures an ACE that references the time-range.
  time-range-name

The name is 1 to 32 characters long and must not contain spaces.
At most one absolute time range can be set. Applications based on the time-range are valid only within this
absolute range.
One or more periodic intervals can be set. If an absolute range is also set, the application takes effect at the
periodic intervals within that absolute range.

The following example uses an ACL to deny HTTP traffic during working hours on weekdays while leaving other
traffic unaffected:

Ruijie(config)# time-range no-http
Ruijie(config-time-range)# periodic weekdays 8:00 to 18:00
Ruijie(config-time-range)# exit
Ruijie(config)# ip access-list extended limit-http
Ruijie(config-ext-nacl)# deny tcp any any eq www time-range no-http
Ruijie(config-ext-nacl)# permit ip any any
Ruijie(config-ext-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ip access-group limit-http in
Ruijie(config-if)# end

The final permit entry is required: without it, the implicit deny at the end of the list blocks all traffic at all times,
not only HTTP during working hours.

Example of displaying time range:

Ruijie# show time-range


time-range entry: no-http(inactive)
periodic Weekdays 8:00 to 18:00
time-range entry: no-udp
periodic Tuesday 15:30 to 16:30

Configuring Security Tunnel


For application reasons, you may need to let packets with certain characteristics bypass access control. For
example, DHCP packets may need to bypass the dot1x entry check before dot1x authentication, or a PC may need
to obtain an IP address before authentication. A security tunnel achieves this. If you run the security tunnel
configuration command to apply a security ACL globally or to an interface, that ACL acts as a security tunnel. The
security tunnel is itself an ACL; it can be configured globally or on an interface, whereas a common ACL is configured
on an interface or VLAN. When a packet arrives at an interface, the system first checks whether the packet meets the
matching criteria of the security tunnel. If it does, the packet bypasses the access control checks, such as the port
security check, the dot1x check, and the IP+MAC binding check, and enters the switch directly. A security tunnel
applied globally takes effect on all non-exception interfaces. However, a global security tunnel is ineffective on an
interface that also has an interface-based security tunnel.

Note that the "deny" action of an ACL has no effect when the ACL is used as a security tunnel, and such an ACL
has no implicit "deny any" at its end: a packet that does not meet the matching criteria of the security tunnel
simply proceeds to the normal access control checks. Every packet the tunnel does permit skips those checks
entirely, so keep the tunnel ACL as narrow as the application allows.
You can set a maximum of eight exception interfaces for each global security tunnel. An exception interface of
a global security tunnel cannot also be configured with an interface-based security tunnel.
The access control functions involved are 802.1x authentication, port security, global IP+MAC binding, GSN
binding, and IP Source Guard.
A security tunnel is ineffective when the interface-based movable authentication mode is enabled.

Starting from privileged EXE<ctrl62>C mode, execute the following commands to configure a global security tunnel:

Command                                                   Function
Ruijie# configure terminal                                Enters global configuration mode.
Ruijie(config)# security global access-group acl-name     Configures a global security tunnel.

Starting from privileged EXEC mode, execute the following commands to set an exception port:

Command                                                   Function
Ruijie# configure terminal                                Enters global configuration mode.
Ruijie(config)# interface interface-id                    Enters interface configuration mode.
Ruijie(config-if)# security uplink enable                 Sets the interface as an exception port.

Starting from privileged EXEC mode, execute the following commands to configure a security tunnel on an interface:

Command                                                   Function
Ruijie# configure terminal                                Enters global configuration mode.
Ruijie(config)# interface interface-id                    Enters interface configuration mode.
Ruijie(config-if)# security access-group acl-name         Configures a security tunnel on the interface.

The following example shows how to configure a security tunnel on a secure port where IP+MAC binding is
configured, so that IPX packets can pass:

Set port FastEthernet 0/4 as a secure port and bind an IP address and a MAC address:

Ruijie(config)#interface FastEthernet 0/4
Ruijie(config-if)#switchport port-security
Ruijie(config-if)#switchport port-security mac-address 0000.0000.0011 ip-address 192.168.6.3

Now only packets whose source IP address is 192.168.6.3 and whose source MAC address is 0000.0000.0011 can
enter the device through port FastEthernet 0/4. To also receive IPX packets, set up a security tunnel as follows:

Ruijie#configure
Ruijie(config)#expert access-list extended safe_channel
Ruijie(config-exp-nacl)#permit ipx any any
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group safe_channel

Or configure a security tunnel on the interface:

Ruijie#configure
Ruijie(config)#expert access-list extended safe_channel
Ruijie(config-exp-nacl)#permit ipx any any
Ruijie(config-exp-nacl)#exit
Ruijie(config)#interface FastEthernet 0/4
Ruijie(config-if)#security access-group safe_channel

Configuring the List Remark


The ACL remark and ACE remark functions annotate the ACL configuration and its display.

Up to one ACL remark and 2048 ACE remarks can be configured in one ACL.

Each remark is at most 100 bytes long.

Starting from privileged EXEC mode, execute the following commands to configure the ACL remark:

Command                                               Function
Ruijie# configure terminal                            Enters global configuration mode.
Ruijie(config)# ip access-list standard id            Enters ACL configuration mode.
Ruijie(config-std-nacl)# list-remark comment          Configures the list remark.

You can also execute the following commands to set the ACL remark:

Command                                               Function
Ruijie# configure terminal                            Enters global configuration mode.
Ruijie(config)# access-list id list-remark comment    Sets the ACL remark. The procedure is similar for other types of ACLs.

Starting from privileged EXEC mode, execute the following commands to configure the ACE remark:

Command                                               Function
Ruijie# configure terminal                            Enters global configuration mode.
Ruijie(config)# ip access-list standard id            Enters ACL configuration mode.
Ruijie(config-std-nacl)# remark comment               Configures the ACE remark.

You can also execute the following commands to set the ACE remark:

Command                                               Function
Ruijie# configure terminal                            Enters global configuration mode.
Ruijie(config)# access-list id remark comment         Sets the ACE remark. The procedure is similar for other types of ACLs.

The following example configures the ACL remark and the ACE remark:

Ruijie(config)#ip access-list standard 1


Ruijie(config-std-nacl)#remark ace_remark_permit_62_start
Ruijie(config-std-nacl)#permit 192.168.197.62 0.0.0.0
Ruijie(config-std-nacl)#remark ace_remark_permit_62_end
Ruijie(config-std-nacl)#list-remark acl_remark_foo
Ruijie(config-std-nacl)#end
Ruijie#write
Ruijie#show access-lists 1
ip access-list standard 1
remark ace_remark_permit_62_start
10 permit host 192.168.197.62
remark ace_remark_permit_62_end
list-remark acl_remark_foo
Ruijie#

Configuring SVI Router ACLs


An ACL applied to a Layer 3 interface is called a router ACL; it applies only to packets that are routed (forwarded at Layer 3) through that interface.

To give an ACL applied to an SVI the behaviour of a router ACL, Ruijie switches provide the SVI Router ACLs enabling command.
After this command is enabled, an ACL applied to an SVI applies only to Layer 3 packets routed between VLANs and no longer
applies to packets bridged within the VLAN.

Default Configuration

By default, SVI Router ACLs is disabled: an SVI ACL applies to both inter-VLAN Layer 3 packets and intra-VLAN
bridge-forwarded packets.

Configuring SVI Router ACLs

Command Function
Ruijie# configure terminal Enters the global configuration mode.
Ruijie(config)# [no] svi router-acls enable Enables/disables the SVI Router ACLs feature.

Configuration Examples

IP ACL Example
Configuration requirements:

There are two network devices A and B, as shown in Figure 1-3:

Figure 1-3 Basic Access List Example

The following security functions must be implemented by configuring access lists on device B:

Hosts on the 192.168.12.0/24 network segment can access only the TELNET service of the remote UNIX host, and only
during the normal working period; the PING service is denied.

On the console of device B, access to any service of the hosts on the 192.168.202.0/24 network segment is denied.

This case is a simplified form of a bank application: only hosts on the local area network of branches or
savings agencies may access the central host, and access to the central host from the device itself is
not allowed.

Equipment Configuration

Device B configuration:

Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.12.1 255.255.255.0
Ruijie(config-if)# exit
Ruijie(config)# interface GigabitEthernet 0/2
Ruijie(config-if)# ip address 2.2.2.2 255.255.255.0
Ruijie(config-if)# ip access-group 101 in
Ruijie(config-if)# ip access-group 101 out

According to the requirements, configure an extended access list numbered 101:

Ruijie(config)# access-list 101 permit tcp 192.168.12.0 0.0.0.255 any eq telnet time-range check
Ruijie(config)# access-list 101 deny icmp 192.168.12.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip 2.2.2.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip any any

Configure the time range:

Ruijie(config)# time-range check
Ruijie(config-time-range)# periodic weekdays 8:30 to 17:30

In access list 101, the last rule "access-list 101 deny ip any any" is not needed, because every access list ends with
an implicit "deny any" rule.

Device A configuration:

Ruijie(config)# hostname Ruijie
Ruijie(config)# interface GigabitEthernet 0/1
Ruijie(config-if)# ip address 192.168.202.1 255.255.255.0
Ruijie(config)# interface GigabitEthernet 0/2
Ruijie(config-if)# ip address 2.2.2.1 255.255.255.0

MAC Extended Access List Example
The following security functions must be implemented by configuring MAC access lists:

 The host 0013.2049.8272 using the IPX protocol cannot access port GigabitEthernet 0/1 of the device.
 It can access other ports.

Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# mac access-list extended mac-list
Ruijie(config-mac-nacl)# deny host 0013.2049.8272 any ipx
Ruijie(config-mac-nacl)# permit any any

Ruijie(config-mac-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# mac access-group mac-list in
Ruijie(config-if)# end
Ruijie# show access-lists
mac access-list extended mac-list
deny host 0013.2049.8272 any ipx
permit any any

In this access list, "permit any any" must not be omitted, because every access list ends with an implicit "deny
any" rule.

Expert Extended Access List Example
It is required to implement the following security functions by configuring expert access lists:

 The 0013.2049.8272 host using VLAN 20 cannot access the giga 0/1 port of a device.
 It cannot access other ports.

Ruijie> enable
Ruijie# config terminal
Ruijie(config)# expert access-list extended expert-list
Ruijie(config-exp-nacl)# permit ip vid 20 any host 0013.2049.8272 any any
Ruijie(config-exp-nacl)# deny any any any any
Ruijie(config-exp-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# expert access-group expert-list in
Ruijie(config-if)# end
Ruijie# show access-lists
expert access-list extended expert-list
permit ip vid 20 any host 0013.2049.8272 any any
deny any any any any

IPv6 Extended Access List Example
It is required to implement the following security functions by configuring access lists:

 The 192.168.4.12 host can access the gi 0/1 port of a device.
 It cannot access other ports.

Ruijie> enable
Ruijie# config terminal
Ruijie(config)# ipv6 access-list v6-list
Ruijie(config-ipv6-nacl)# permit ipv6 host ::192.168.4.12 any
Ruijie(config-ipv6-nacl)# deny ipv6 any any
Ruijie(config-ipv6-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ipv6 traffic-filter v6-list in
Ruijie(config-if)# end
Ruijie# show access-lists
ipv6 access-list extended v6-list
permit ipv6 host ::192.168.4.12 any
deny ipv6 any any

Configuring Unidirectional TCP Connection

Configure TCP flag filtering to implement a unidirectional ACL.

Configuration Requirements

For the security of network A, hosts in network A are allowed to originate TCP connection requests to hosts in
network B, whereas hosts in network B are not allowed to originate TCP connection requests to network A.

Topology View

As shown in the above figure, two networks are connected through an intermediate device. Network A connects to the
G3/1 port of the device and network B connects to the G3/2 port of the device.

Analysis

By filtering, on port G3/2 of the device, the TCP connection request packets originated by network B, you can block
TCP connection requests from hosts in network B to network A. In a TCP connection, the initial request packet (the first
segment of the three-way handshake) has the SYN flag set to 1 and the ACK flag set to 0 in the TCP header. Therefore, to
allow network A to access network B in one direction only, configure the match-all option of the extended ACL to match
packets whose TCP header has SYN set to 1 and ACK set to 0, in the inbound direction of port G3/2.

Configuration Steps

 Define an Access Control List (ACL)

# Enter global configuration mode

Ruijie# configure terminal

# Create the extended ACL 101 in global configuration mode

Ruijie(config)# ip access-list extended 101

# Deny packets whose SYN flag is 1; packets whose SYN is 0 (including ACK packets) are handled by the next rule

Ruijie(config-ext-nacl)# deny tcp any any match-all SYN

# Permit other IP packets

Ruijie(config-ext-nacl)# permit ip any any


 Apply the ACL at the interface

# Exit ACL mode

Ruijie(config-ext-nacl)# exit

# Enter the G3/2 port on which the ACL is applied

Ruijie(config)# interface gigabitEthernet 3/2

# Apply ACL 101 to filter packets in the inbound direction of G3/2

Ruijie(config-if)# ip access-group 101 in


 Show the configuration of ACL

# In the privileged EXEC mode, use the show command to display related configuration of ACL

Ruijie# show access-lists 101
ip access-list extended 101
10 deny tcp any any match-all syn
20 permit ip any any
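Both the bank example's ACL 101 (with its time range and implicit deny) and the one-way TCP rule above can be exercised offline with a small first-match evaluator. The following Python is an added example written for this section, not Ruijie code: it models wildcard masks, protocol and port matching, one periodic time range, TCP flag conditions and the implicit "deny any" at the end of every list. The "+syn -ack" notation it uses for the SYN=1, ACK=0 condition from the analysis is the example's own, not necessarily the RGOS match-all syntax, and the Packet, Ace and decide_bank names are this example's inventions.

```python
"""First-match IPv4 extended ACL evaluator (added example; not RGOS code)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

PORT_NAMES = {"telnet": 23, "tftp": 69}  # named ports that appear in the page's examples

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags that are set, e.g. {"syn"}

@dataclass
class Ace:
    action: str
    proto: str                      # "ip" matches any IP protocol
    src: tuple                      # (network, wildcard) as integers
    dst: tuple
    sport: int = None               # None = any port
    dport: int = None
    set_flags: frozenset = frozenset()    # TCP flags that must be 1
    clear_flags: frozenset = frozenset()  # TCP flags that must be 0
    time_range: str = None

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tok, i):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def _parse_port(tok, i):  # consume an optional 'eq <port|name>' at tok[i]
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]) if tok[i + 1].isdigit() else PORT_NAMES[tok[i + 1]]), i + 2
    return None, i

def parse_ace(line):
    """Parse one ACE as typed in ACL configuration mode: permit|deny proto src [eq p] dst [eq p] ..."""
    tok = line.split()
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    ace = Ace(tok[0], tok[1], src, dst, sport, dport)
    while i < len(tok):
        if tok[i] == "match-all":  # example's own notation: +flag/bare = must be 1, -flag = must be 0
            i += 1
            while i < len(tok) and tok[i] != "time-range":
                flag = tok[i].lower()
                if flag.startswith("-"):
                    ace.clear_flags |= {flag[1:]}
                else:
                    ace.set_flags |= {flag.lstrip("+")}
                i += 1
        elif tok[i] == "time-range":
            ace.time_range, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported token {tok[i]!r}")
    return ace

def _addr_match(spec, addr):  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) | spec[1]) == (spec[0] | spec[1])

def time_range_active(name, now, ranges):  # ranges: {name: (weekday set, (h, m) start, (h, m) end)}
    days, (sh, sm), (eh, em) = ranges.get(name, (set(), (0, 0), (0, 0)))  # undefined = inactive
    minute = now.hour * 60 + now.minute
    return now.weekday() in days and sh * 60 + sm <= minute < eh * 60 + em

def evaluate(aces, pkt, now=None, ranges=None):  # first match decides, else implicit deny
    now, ranges = now or datetime.now(), ranges or {}
    for ace in aces:
        if ((not ace.time_range or time_range_active(ace.time_range, now, ranges))
                and ace.proto in ("ip", pkt.proto)
                and _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)
                and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport)
                and ace.set_flags <= pkt.flags and not (ace.clear_flags & pkt.flags)):
            return ace.action
    return "deny"

# ACL 101 of the bank example; its final "deny ip any any" is left to the implicit deny.
BANK_ACL = [parse_ace(l) for l in (
    "permit tcp 192.168.12.0 0.0.0.255 any eq telnet time-range check",
    "deny icmp 192.168.12.0 0.0.0.255 any",
    "deny ip 2.2.2.0 0.0.0.255 any")]
TIME_RANGES = {"check": ({0, 1, 2, 3, 4}, (8, 30), (17, 30))}  # periodic weekdays 8:30 to 17:30

def decide_bank(src, dst, proto, dport=0, when=(2015, 6, 2, 10, 0)):  # default: Tue 10:00
    return evaluate(BANK_ACL, Packet(src, dst, proto, dport=dport), datetime(*when), TIME_RANGES)

# Inbound on G3/2: drop B's connection requests (SYN=1, ACK=0) but pass B's SYN-ACK replies.
ONE_WAY_ACL = [parse_ace("deny tcp any any match-all +syn -ack"), parse_ace("permit ip any any")]
# Matching SYN alone would also deny SYN-ACK and break the connections A itself opens.
SYN_ONLY_ACL = [parse_ace("deny tcp any any match-all syn"), parse_ace("permit ip any any")]
```

Running decide_bank for a TELNET packet from 192.168.12.0/24 returns "permit" inside the weekday 8:30-17:30 window and "deny" outside it, because an ACE whose time range is inactive matches nothing and the packet falls through to the implicit deny. The two one-way lists show why the analysis insists on ACK=0: ONE_WAY_ACL denies a bare SYN from network B but passes B's SYN-ACK replies, whereas SYN_ONLY_ACL also denies the SYN-ACK, which would break every connection network A opens.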

Typical Application of Intranet ACL
Networking Diagram

Figure 1-4

The above diagram shows a typical Intranet topology:

The access switch (Switch C), which connects the PCs of the respective departments, is connected to the convergence
switch through a 1000M optical fiber link (trunk mode).

The convergence switch (Switch B) assigns one VLAN to each department and is connected to the core switch through a
10G optical fiber link (trunk mode).

The core switch (Switch A) is connected to multiple servers, such as FTP and HTTP servers, and to the Internet
through a firewall.

Networking Requirements

The Intranet ACL application in this scenario mainly involves the following needs:

Internet viruses are almost everywhere. The vulnerable ports they commonly use must be blocked in order to guarantee
Intranet security.

Only internal PCs can access the servers. External PCs are not allowed to access the servers.

PCs outside the finance department cannot access PCs of the finance department, and PCs outside the development
department cannot access PCs of the development department.

QQ, MSN and other IM applications cannot be used by the staff of the development department during working hours
(namely 9:00-18:00).

Configuration Tips

 Viruses can be blocked by configuring an extended ACL on the router-connecting port (G2/1) of the core switch
(Switch A) to filter packets destined for the relevant ports.
 For the requirement that internal PCs can access the servers while external PCs are not allowed to access these
servers, define an IP extended ACL and apply it to the ports (G2/2, SVI2) of the core switch (Switch A) that
connect to the convergence switch and the server.
 For the requirement that specific departments cannot access each other, define IP extended ACLs and apply
them to G0/22 and G0/23 of Switch B.
 Configuring a time- and IP-based extended ACL prevents the development department from using QQ/MSN and other IM
applications during a specific period (apply the time- and IP-based extended ACL to SVI2 of Switch B).

Configuration Steps

 Configure the core switch: SwitchA

Step 1: Define the virus-blocking ACL "Virus_Defence"

Worm viruses on the network create a TFTP server on local port udp/69 in order to transmit the
binary virus program to newly infected systems. When selecting destination IP addresses, the worms
generally select addresses in the subnet to which the infected system belongs, and then randomly select attack
targets on the Internet according to a certain algorithm. Once a connection is established, the worms send attack
data to TCP ports (135, 445, 593, 1025, 5554, 9995, and 9996), UDP ports (136, 445, 593, 1433, and 1434)
and UDP/TCP ports (135, 137, 138, and 139) of the targets. If the attack succeeds, TCP port 4444 of the target
system is used as the backdoor port. After that, the worms connect to this port and send a TFTP
command in order to transmit the virus file to the target system and run it. The infected server sends
large volumes of invalid data packets to the network, wasting network bandwidth and even causing failure of
network devices and the network. In such a case, an extended ACL can be used to filter data packets
destined for these ports.

A#configure terminal
A(config)#ip access-list extended Virus_Defence

! Block packets destined for internal and external TCP ports which may have been used by viruses.

A(config-ext-nacl)#deny tcp any any eq 135
A(config-ext-nacl)#deny tcp any eq 135 any
A(config-ext-nacl)#deny tcp any any eq 136
A(config-ext-nacl)#deny tcp any eq 136 any
A(config-ext-nacl)#deny tcp any any eq 137
A(config-ext-nacl)#deny tcp any eq 137 any

! The configuration is the same for other ports.

A(config-ext-nacl)#deny tcp any any eq 9996
A(config-ext-nacl)#deny tcp any eq 9996 any

! Block packets destined for internal and external UDP ports which may have been used by viruses.

A(config-ext-nacl)#deny udp any any eq 69
A(config-ext-nacl)#deny udp any eq 69 any
A(config-ext-nacl)#deny udp any any eq 135
A(config-ext-nacl)#deny udp any eq 135 any
A(config-ext-nacl)#deny udp any any eq 137
A(config-ext-nacl)#deny udp any eq 137 any

! The configuration is the same for other ports.

A(config-ext-nacl)#deny udp any any eq 1434
A(config-ext-nacl)#deny udp any eq 1434 any

! Block ICMP packets.

A(config-ext-nacl)#deny icmp any any

! Permit all other IP packets.

A(config-ext-nacl)#permit ip any any
A(config-ext-nacl)#exit

Step 2: Apply the ACL Virus_Defence to the router-connecting interface of the core device.

A(config)#interface gigabitEthernet 2/1
A(config-if)#no switchport
A(config-if)#ip address 192.168.5.1 255.255.255.0

! Apply the ACL Virus_Defence in the IN direction of G2/1 to block virus packets from the external network.

A(config-if)#ip access-group Virus_Defence in
A(config-if)#exit

Step 3: Define the ACL access_server that permits only Intranet PCs to access the server.

A(config)#ip access-list extended access_server

! Permit only the specified Intranet PCs to access the server (IP address 192.168.4.100).

A(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 host 192.168.4.100
A(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 host 192.168.4.100
A(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 host 192.168.4.100
A(config-ext-nacl)#deny ip any any

Step 4: Apply the ACL access_server to the interfaces connecting to the convergence device and the server.

A(config)#interface gigabitEthernet 2/2
A(config-if)#switchport mode trunk

! Apply in the IN direction on the interface facing the convergence switch.

A(config-if)#ip access-group access_server in
A(config-if)#exit

! Create a VLAN.

A(config)#vlan 2
A(config-vlan)#exit
A(config)#interface gigabitEthernet 2/48

! The server-connecting interface G2/48 belongs to VLAN 2.

A(config-if)#switchport access vlan 2
A(config-if)#exit

! Apply in the IN direction of the server-connecting SVI.

A(config)#interface vlan 2
A(config-if-VLAN 2)# ip access-group access_server in
A(config-if-VLAN 2)# ip address 192.168.4.2 255.255.255.0
A(config-if-VLAN 2)#end

 Configure the convergence switch: Switch B

Step 1: Create vlan2, vlan3, and vlan4.

B#configure terminal

! Create vlan2, vlan3, and vlan4.

B(config)#vlan range 2-4
B(config-vlan-range)#exit

Step 2: Define ACLs.

! Define the extended IP ACLs vlan_access1 and vlan_access2.

B(config)#ip access-list extended vlan_access1

! Prohibit the finance department and market department from accessing the development department.

B(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
B(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
B(config-ext-nacl)#permit ip any any
B(config)#ip access-list extended vlan_access2

! Prohibit the development department and market department from accessing the finance department.

B(config-ext-nacl)#deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
B(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
B(config-ext-nacl)#permit ip any any
B(config-ext-nacl)#exit

Step 3: Apply ACLs vlan_access1 and vlan_access2 to the corresponding interfaces.

! Configure G0/22 as a trunk port and apply vlan_access1.

B(config)#interface GigabitEthernet 0/22
B(config-if)#switchport mode trunk
B(config-if)#ip access-group vlan_access1 in

! Configure G0/23 as a trunk port and apply vlan_access2.

B(config)# interface GigabitEthernet 0/23
B(config-if)# switchport mode trunk
B(config-if)# ip access-group vlan_access2 in

! Configure G0/24 as a trunk port.

B(config)#interface GigabitEthernet 0/24
B(config-if)#switchport mode trunk

! Configure the IP address of SVI2.

B(config)#interface vlan 2
B(config-if)#ip address 192.168.1.100 255.255.255.0

! Configure the IP address of SVI3.

B(config)#interface vlan 3
B(config-if)#ip address 192.168.2.100 255.255.255.0

! Configure the IP address of SVI4.

B(config)#interface vlan 4
B(config-if)#ip address 192.168.4.1 255.255.255.0

Step 4: Define time range.

! Define the time range of 9:00-18:00 from Monday to Friday.

B#configure terminal
B(config)#time-range worktime
B(config-time-range)#periodic weekdays 9:00 to 18:00

Step 5: Define the traffic rule of development department.

B#configure terminal

! Create the extended ACL yanfa in the configuration mode.

B(config)#ip access-list extended yanfa

! Prohibit all hosts of development department from using QQ, MSN and other IM applications during 9:00-18:00 of every
working day.

B(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 eq 8000 any time-range worktime
B(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 eq 8001 any time-range worktime
B(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 eq 443 any time-range worktime
B(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 eq 1863 any time-range worktime
B(config-ext-nacl)#deny tcp 192.168.1.0 0.0.0.255 eq 4000 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 8000 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 1429 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 6000 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 6001 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 6002 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 6003 any time-range worktime
B(config-ext-nacl)#deny udp 192.168.1.0 0.0.0.255 eq 6004 any time-range worktime

! Permit all other IP traffic.

B(config-ext-nacl)#permit ip any any

! Apply the ACL to the IN direction of SVI2.

B(config)#interface vlan 2
B(config-if)#ip access-group yanfa in

Verification

Step 1: Verify that the ACE entries are correct. The key points are whether the precedence order of the entries is
correct and whether the entries are in effect.

SwitchA#show access-lists
ip access-list extended Virus_Defence
10 deny tcp any any eq 135
20 deny tcp any eq 135 any
30 deny tcp any eq 4444 any
40 deny tcp any any eq 5554
50 deny tcp any eq 5554 any
60 deny tcp any any eq 9995
70 deny tcp any eq 9995 any
80 deny tcp any any eq 9996
90 deny tcp any eq 9996 any
100 deny udp any any eq tftp
110 deny udp any eq tftp any
120 deny udp any any eq 135
130 deny udp any eq 135 any
140 deny udp any any eq netbios-ns
150 deny udp any eq netbios-ns any
160 deny udp any any eq netbios-dgm
170 deny udp any eq netbios-dgm any
180 deny udp any any eq netbios-ss
190 deny udp any eq netbios-ss any
200 deny udp any any eq 445
210 deny udp any eq 445 any
220 deny udp any any eq 593
230 deny udp any eq 593 any
240 deny udp any any eq 1433
250 deny udp any eq 1433 any
260 deny udp any any eq 1434
270 deny udp any eq 1434 any
280 deny tcp any any eq 136
290 deny tcp any eq 136 any
300 deny tcp any any eq 137
310 deny tcp any eq 137 any
320 deny tcp any any eq 138
330 deny tcp any eq 138 any
340 deny tcp any any eq 139
350 deny tcp any eq 139 any
360 deny tcp any any eq 445
370 deny tcp any eq 445 any
380 deny tcp any any eq 593
390 deny tcp any eq 593 any
400 deny tcp any eq 1025 any
410 deny tcp any any eq 4444
420 deny icmp any any
430 permit tcp any any
440 permit udp any any
450 permit ip any any

ip access-list extended access_server
10 permit ip 192.168.2.0 0.0.0.255 host 192.168.4.100
20 permit ip 192.168.1.0 0.0.0.255 host 192.168.4.100
30 permit ip 192.168.3.0 0.0.0.255 host 192.168.4.100
40 deny ip any any
SwitchB#show access-lists
ip access-list extended vlan_access1
10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
30 permit ip any any

ip access-list extended vlan_access2
10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
20 deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
30 permit ip any any

ip access-list extended yanfa
10 deny tcp 192.168.1.0 0.0.0.255 eq 8000 any time-range worktime (active)
20 deny tcp 192.168.1.0 0.0.0.255 eq 8001 any time-range worktime (active)
30 deny tcp 192.168.1.0 0.0.0.255 eq 443 any time-range worktime (active)
40 deny tcp 192.168.1.0 0.0.0.255 eq 1863 any time-range worktime (active)
50 deny tcp 192.168.1.0 0.0.0.255 eq 4000 any time-range worktime (active)
60 deny udp 192.168.1.0 0.0.0.255 eq 8000 any time-range worktime (active)
70 deny udp 192.168.1.0 0.0.0.255 eq 1429 any time-range worktime (active)
80 deny udp 192.168.1.0 0.0.0.255 eq 6000 any time-range worktime (active)
90 deny udp 192.168.1.0 0.0.0.255 eq 6001 any time-range worktime (active)
100 deny udp 192.168.1.0 0.0.0.255 eq 6002 any time-range worktime (active)
110 deny udp 192.168.1.0 0.0.0.255 eq 6003 any time-range worktime (active)
120 deny udp 192.168.1.0 0.0.0.255 eq 6004 any time-range worktime (active)

Step 2: Verify that the ACL configuration is complete. The key point is whether the correct ACL has been applied to the
specified interface.

Device A configuration:

A#show run
interface GigabitEthernet 2/1
no switchport
no ip proxy-arp
ip access-group Virus_Defence in
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet 2/2
switchport mode trunk
ip access-group access_server in
!
interface VLAN 2
no ip proxy-arp
ip access-group access_server in
ip address 192.168.4.2 255.255.255.0

Device B configuration:

B#show run
!
interface GigabitEthernet 0/22
switchport mode trunk
ip access-group vlan_access1 in
!
interface GigabitEthernet 0/23
switchport mode trunk
ip access-group vlan_access2 in
!
interface VLAN 2
no ip proxy-arp
ip access-group yanfa in
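Both verification steps (checking the ACE order within each list, then checking that each ACL is bound to the planned interface and direction) can be scripted against captured show output. The following Python is an added example, not Ruijie code: SHOW_RUN_A is constructed from the Device A output above, EXPECTED_A is the binding plan from "Configuration Tips", and the "misordered" list in SHOW_ACLS is a constructed case with a catch-all permit placed first, added only to exercise the ordering check. The function names parse_bindings, check_bindings, parse_acls and unreachable_aces are this example's own.

```python
"""Check ACL bindings and ACE ordering from captured 'show' output (added example; not RGOS code)."""
import re

# Constructed from the Device A verification output on this page.
SHOW_RUN_A = """\
interface GigabitEthernet 2/1
 no switchport
 no ip proxy-arp
 ip access-group Virus_Defence in
 ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet 2/2
 switchport mode trunk
 ip access-group access_server in
!
interface VLAN 2
 no ip proxy-arp
 ip access-group access_server in
 ip address 192.168.4.2 255.255.255.0
"""

# The binding plan for Switch A from "Configuration Tips": (interface, direction) -> ACL.
EXPECTED_A = {
    ("GigabitEthernet 2/1", "in"): "Virus_Defence",
    ("GigabitEthernet 2/2", "in"): "access_server",
    ("VLAN 2", "in"): "access_server",
}

# Constructed 'show access-lists' excerpt: two lists from the page plus a deliberately
# misordered list (catch-all permit first) to exercise the ordering check.
SHOW_ACLS = """\
ip access-list extended Virus_Defence
 10 deny tcp any any eq 135
 20 deny tcp any eq 135 any
 420 deny icmp any any
 450 permit ip any any
ip access-list extended access_server
 10 permit ip 192.168.2.0 0.0.0.255 host 192.168.4.100
 40 deny ip any any
ip access-list extended misordered
 10 permit ip any any
 20 deny udp any any eq 69
"""

ACE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")

def parse_bindings(show_run):
    """Return {interface: {direction: acl}} from every 'ip access-group' line in show run."""
    bindings, current = {}, None
    for raw in show_run.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            bindings.setdefault(current, {})
        elif line == "!":
            current = None
        elif current and line.startswith("ip access-group "):
            _, _, acl, direction = line.split()
            bindings[current][direction] = acl
    return bindings

def check_bindings(show_run, expected):
    """List every discrepancy between the planned bindings and the running config ([] = OK)."""
    actual, problems = parse_bindings(show_run), []
    for (intf, direction), acl in expected.items():
        found = actual.get(intf, {}).get(direction)
        if found != acl:
            problems.append(f"{intf} {direction}: expected {acl}, found {found}")
    for intf, dirs in actual.items():  # bindings nobody planned (stale or mistyped)
        for direction, acl in dirs.items():
            if (intf, direction) not in expected:
                problems.append(f"{intf} {direction}: unexpected {acl}")
    return problems

def parse_acls(show_acls):
    """Return {acl: [(seq, action, proto, rest), ...]} in the order the device lists them."""
    acls, name = {}, None
    for raw in show_acls.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list"):
            name = line.split()[-1]
            acls[name] = []
        elif name and (m := ACE_RE.match(line)):
            acls[name].append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return acls

def unreachable_aces(show_acls):
    """Sequence numbers placed after a catch-all 'ip any any' ACE; they can never match."""
    result = {}
    for name, aces in parse_acls(show_acls).items():
        dead, catch_all_seen = [], False
        for seq, _action, proto, rest in aces:
            if catch_all_seen:
                dead.append(seq)
            elif proto == "ip" and rest == "any any":
                catch_all_seen = True
        if dead:
            result[name] = dead
    return result
```

check_bindings reports both directions of drift: an ACL missing from an interface where the plan requires it, and an ACL bound where the plan has none, which is how a stale or mistyped access-group line is caught. unreachable_aces flags the ordering mistake the verification step warns about: any ACE listed after a "permit ip any any" or "deny ip any any" is shadowed and never evaluated, so a virus-blocking deny placed there provides no protection.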
Configuration Guide Configuring SCC

Configuring SCC

Overview

The Security Control Center (SCC) provides common configuration methods and policy integration for various access
control and network security services, so that these access control and network security services can coexist on one
device to meet diversified access and security control requirements in various scenarios.

Typical access control services are dot1x, Web authentication, Address Resolution Protocol (ARP) check, and IP Source
Guard. The network security services include Access Control List (ACL), Network Foundation Protection Policy (NFPP),
and anti-ARP gateway spoofing. When two or more access control or network security services are simultaneously
enabled on the device, or when both access control and network security services are simultaneously enabled on the
device, the SCC coordinates the coexistence of these services according to relevant policies.

For details about the access control and network security services, see the related configuration guide. This
document describes the SCC only.

Protocol Specification

None.

Applications

Typical Application Scenario

Access Control of Extended Layer 2 Campus Networks: Students on a campus network can access the Internet based on dot1x client authentication or Web authentication. ARP spoofing between the students should be prevented. In addition, terminal devices in some departments (such as the headmaster's office) can access the Internet without authentication.

Access Control of Extended Layer 2 Campus Networks

Application Scenario

Students on a campus network of a university usually need to be authenticated through the dot1x client or Web before
accessing the Internet, so as to facilitate accounting and guarantee the benefits of the university.

 The students can access the Internet through dot1x client authentication or Web authentication.
 ARP spoofing between the students is prevented, so as to guarantee the stability of the network.
 Terminal devices in some departments (such as the headmaster's office) can access the Internet without
authentication.

Figure 0-1

A traditional campus network is hierarchically designed and consists of an access layer, a convergence layer
and a core layer, where the access layer performs user access control. On an extended Layer 2 campus
network, however, user access control is performed by a core switch, below which the access switches sit
without any convergence device in between. The ports between the core switch and the access
switches (such as switches B, C, and D in Figure 1-1) are all trunk ports.

The user access switches B, C, and D connect to PCs in various departments via access ports, and their VLANs
correspond to the sub VLANs configured on the downlink ports of the core switch, so that access users are in
different VLANs to prevent ARP spoofing.

Core switch A connects to various servers, such as the authentication server and the DHCP server. Super
VLANs and sub VLANs are configured on the downlink ports. One super VLAN corresponds to multiple sub
VLANs, and each sub VLAN represents an access user.

Deployment

 On the core switch, different access users are identified by VLAN and port numbers. Each access user (or a group of
access users) corresponds to one VLAN. The ports on each access switch that connect to downstream users are
configured as access ports, and one user VLAN is assigned to each access user according to the VLAN plan. The
core switch does not forward ARP requests; it replies only to ARP requests from authenticated users, so as to
prevent ARP spoofing. On core switch A, user VLANs are configured as sub VLANs, super VLANs are configured, and
SVIs corresponding to the super VLANs are configured as user gateways.
 On the downlink ports of the core switch (switch A in this example) that connect to the teachers' living area and the
students' living area, both dot1x authentication and Web authentication are enabled, so that users can freely select
either authentication mode for Internet access.
 Any special department (such as the headmaster's office in this example) can be allocated to a particular VLAN, and
this VLAN can be configured as an authentication-exemption VLAN so that users in this department can access the
Internet without authentication.

Features

Basic Concepts

 Authentication Mode

There are two authentication modes: access authentication and gateway authentication. On a traditional hierarchical
network, access authentication is usually performed by access switches. On an extended Layer 2 network, the access
function moves to a core switch, while the access devices need only support basic VLAN and Layer 2
forwarding functions. Because access authentication is performed by access switches on a traditional hierarchical network
but by a core switch on a de-layered extended Layer 2 network, some related functions and behaviors
differ between the two cases; the authentication mode is therefore divided into gateway
authentication and access authentication. If access authentication moves to the core switch, the core switch needs to
be enabled with the gateway authentication mode to support a large number of user entries, typically including a
large-capacity MAC address table, ARP table and routing table. Otherwise, the supported user capacity is subject to
hardware ACL entry restrictions; the capacity of hardware ACL entries is generally limited and cannot support a large
number of users. The access authentication mode is generally applicable only in scenarios where access authentication
is deployed on access switches.

 Authentication-exemption VLAN

Some special departments may be allocated to authentication-exemption VLANs to simplify network management, so that
users in these departments can access network resources without authentication. For example, the headmaster's office
can be divided into the authentication-exemption VLANs on the campus network, so that users in the headmaster's office
can access the Internet without authentication.

 IPv4 User Capacity

The number of IPv4 access users can be restricted to protect the access stability of online users on the Internet and
improve the operational stability of the device.

The number of IPv4 access users is not restricted by default; that is, a large number of users can get online
after being authenticated, until the maximum hardware capacity of the device is reached.

IPv4 access users include IP users (such as IP authenticated users) based on dot1x authentication, users
based on Web authentication, and IP users bound manually (using IP Source Guard, ARP check, or other
means).

 Authenticated-User Migration

Online-user migration means that an online user can get authenticated again from different physical locations to access
the network. On the campus network, however, for ease of management, students are usually requested to get
authenticated from a specified location before accessing the Internet, but cannot get authenticated on other access ports.
This means that the users cannot migrate. In another case, some users have the mobile office requirement and can get
authenticated from different access locations. Then the users can migrate.

 User Online-Status Detection

For a chargeable user, accounting starts immediately after the user passes authentication and gets online. The
accounting process does not end until the user actively gets offline. Some users, however, forget to get offline when
leaving their PCs, or cannot get offline because of terminal problems; such users then suffer economic losses as
the accounting process continues. To determine more precisely whether a user is really online, you can preset a traffic
threshold, so that a user is considered not to be accessing the Internet and is directly brought offline when the user's
traffic is lower than the preset value for a period of time or there is no traffic from the user at all for a period of time.

Features

Feature Function
Authentication Mode Determines whether access control is deployed on access switches or core switches, depending on network deployment needs.
Authentication-exemption VLAN Users in a specified VLAN can be configured as authentication-exemption users.
IPv4 User Capacity The IPv4 user capacity of a specified interface can be restricted to guarantee the access stability of users on the Internet.
Authenticated-User Migration You can specify whether authenticated users can migrate.
User Online-Status Detection You can specify whether to detect the traffic of online users, so that a user is forced offline when the traffic of the user is lower than a preset value in a period of time.

Authentication Mode
There are two authentication modes: access authentication and gateway authentication. In access authentication mode,
access control such as dot1x or Web authentication is enabled on access switches. In gateway authentication mode,
access control is enabled on core switches. On a large-scale network such as a campus network, there are hundreds of
access switches. Compared with the access authentication mode, the gateway authentication mode simplifies the routine
maintenance and management on the access switches, because the access switches need only to support basic VLAN
and Layer 2 forwarding functions. Therefore, the gateway authentication mode is recommended.

Working Principle

The authentication mode on a device depends on the network layer where the access control device works. If access
control is deployed on core switches (for example, on an extended Layer 2 network), gateway authentication mode on
core switches is required. If access control is deployed on access switches, the authentication mode should be set to
access authentication on the access switches.

The access authentication mode applies by default. In addition, only the N18000 switches support
authentication mode switching.

Restart the device after the authentication mode is changed, so that the new authentication mode takes effect.
Save the current configuration before restarting the device.

Authentication-Exemption VLAN
Authentication-exemption VLANs are used to accommodate departments with special access requirements, so that users
in these departments can access the Internet without authentication such as dot1x or Web authentication.

Working Principle

Suppose the authentication-exemption VLAN feature is enabled on a device. When the device detects that a packet
comes from an authentication-exemption VLAN, access control is not performed. In this way, users in the
authentication-exemption VLAN can access the Internet without authentication. The authentication-exemption VLAN
feature can be regarded as one application of secure channels.

Only switches support the authentication-exemption VLAN feature.

A maximum of 100 authentication-exemption VLANs can be configured.

The authentication-exemption VLANs occupy hardware entries. When access control such as authentication is
disabled, configuring authentication-exemption VLANs has the same effect as the case where no
authentication-exemption VLANs are configured. Therefore, it is recommended that
authentication-exemption VLANs be configured for users who need to access the Internet without
authentication, only when the access control function has been enabled.

Although packets from authentication-exemption VLANs are exempt from access control, they still need to be
checked by a security ACL. If the packets of the users in an authentication-exemption VLAN are denied
according to the security ACL, the users still cannot access the Internet.

In gateway authentication mode, the device does not initiate any ARP request to a user in an
authentication-exemption VLAN, and the ARP proxy will not work. Therefore, in gateway authentication
mode, users in different authentication-exemption VLANs cannot access each other unless the users have
been authenticated.

IPv4 User Capacity


To improve the operational stability of the device and guard against brute-force impacts from unauthorized users, you can
restrict the total number of IPv4 access users on a certain port of the device.

Working Principle

If the total number of IPv4 access users is restricted, new users going beyond the total number cannot access the
Internet.

The number of IPv4 access users is not restricted on the device by default, but depends on the hardware
capacity of the device.

The number of IPv4 access users includes the IPv4 authenticated users based on dot1x authentication, IPv4
users based on Web authentication, and IPv4 users based on various binding functions. Because the
number of IPv4 access users is configured in interface configuration mode, the restriction includes both the
number of IPv4 users generated on the port and IPv4 users globally generated. For example, you can set the
maximum number of IPv4 access users on the Gi 0/1 port to 2, run commands to bind an IPv4 user to the
port, and then run commands to bind a global IPv4 user to the port. Actually there are already two access
users on the port. If you attempt to bind another IPv4 user or another global IPv4 user to the port, the binding
operation fails.

Authenticated-User Migration
On an actual network, users do not necessarily access the Internet from a fixed place. Instead, users may be transferred
to another department or office after getting authenticated at one place. They do not actively get offline but unplug their
network cables and carry their mobile terminals to the new office to access the network. This raises the issue of
authenticated-user migration. If authenticated-user migration is not configured, a user who gets online at one place
cannot get online at another place without getting offline first.

Working Principle

When authenticated-user migration is enabled and the dot1x or Web authentication module of the device detects that the
port number or VLAN corresponding to a user's MAC address has changed, the user is forced offline and must be
authenticated again before getting online.

Only switches and wireless devices support authenticated-user migration. In addition, cross-switch migration
is not supported. For example, authentication and migration are enabled on two N18000 switches, and a user gets
online after being authenticated on one of the two. If the user attempts to migrate to the other
N18000, the migration fails.

The authenticated-user migration function requires a check of users' MAC addresses, and is invalid for users
who have IP addresses only.

The authenticated-user migration function enables a user who gets online at one place to get online at another
place without getting offline first. If the user gets online at one place and then gets offline at that place, or if
the user does not get online before moving to another place, the situation is beyond the control range of
authenticated-user migration.

During migration, the system checks whether the VLAN ID or port number that corresponds to a user's MAC
address has changed, so as to determine whether the user has migrated. If the VLAN ID or port number is
the same, it indicates that the user does not migrate; otherwise, it indicates that the user has migrated.
According to the preceding principle, if another user on the network uses the MAC address of an online user,
the system will wrongly disconnect the online user unless extra judgment is made. To prevent such a
problem, the dot1x or Web authentication will check whether a user has actually migrated. For a user who
gets online through Web authentication or dot1x authentication with IP authorization, the dot1x or Web
authentication sends an ARP request to the original place of the user if detecting that the same MAC
address is online in another VLAN or on another port. If no response is received within the specified time, it
indicates that the user's location has indeed changed and then the migration is allowed. If a response is
received within the specified time, it indicates that the user actually does not migrate and a fraudulent user
may exist on the network. In the latter case, the migration is not performed. The ARP request is sent once
every second by default, and sent for a total of five times. This means that the migration cannot be confirmed
until five seconds later. Timeout-related parameters, including the probe interval and probe times, can be
changed using the arp retry times times and arp retry interval interval commands. For details about the
specific configuration, see ARP-SCG.doc. It should be noted that the migration check requires the
configuration of IP authorization for users based on dot1x authentication. In addition, the ARP probe is
triggered only for user migration in gateway authentication mode but not triggered for user migration in
access authentication mode.
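The migration decision described above, modelled as an added example (not code from the guide or from RGOS): a user table keyed by MAC, a location change check, and the gateway-mode ARP probe to the original location with the default five probes at one-second intervals. The `MigrationChecker` class, the result names and the `arp_responder` callback are constructed for this example; handling of a gateway-mode user whose IP is unknown is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class AuthMode(Enum):
    ACCESS = "access"
    GATEWAY = "gateway"


@dataclass
class OnlineUser:
    mac: str
    vlan: int
    port: str
    ip: Optional[str] = None  # known for Web auth and dot1x with IP authorization


@dataclass
class MigrationResult:
    decision: str        # see observe() for the possible values
    probes_sent: int     # ARP requests sent to the user's original location
    seconds_waited: int  # probes_sent * arp retry interval


# Hypothetical responder signature: given the user's IP and original
# VLAN/port, return True if something there answers the ARP request.
ArpResponder = Callable[[str, int, str], bool]


class MigrationChecker:
    """Constructed model of the migration check described in the guide."""

    def __init__(self, auth_mode: AuthMode, migration_enabled: bool = True,
                 arp_retry_times: int = 5, arp_retry_interval: int = 1,
                 arp_responder: Optional[ArpResponder] = None) -> None:
        self.auth_mode = auth_mode
        self.migration_enabled = migration_enabled
        self.arp_retry_times = arp_retry_times        # guide default: 5 probes
        self.arp_retry_interval = arp_retry_interval  # guide default: 1 second
        # Default responder models an empty original location: no reply.
        self.arp_responder = arp_responder or (lambda ip, vlan, port: False)
        self.users: Dict[str, OnlineUser] = {}

    def user_online(self, user: OnlineUser) -> None:
        """Record a user that has just passed dot1x or Web authentication."""
        self.users[user.mac.lower()] = user

    def observe(self, mac: str, vlan: int, port: str) -> MigrationResult:
        """Handle a packet from `mac` seen on (vlan, port) and decide:
        no-migration          same VLAN and port as the online entry
        unknown-user          MAC is not online, nothing to migrate
        denied-disabled       migration is off: user must go offline first
        denied-duplicate-mac  original location still answers ARP, so a
                              second host is using the MAC (no migration)
        force-offline         user moved; entry removed, re-auth required
        """
        current = self.users.get(mac.lower())
        if current is None:
            return MigrationResult("unknown-user", 0, 0)
        if (current.vlan, current.port) == (vlan, port):
            return MigrationResult("no-migration", 0, 0)
        if not self.migration_enabled:
            return MigrationResult("denied-disabled", 0, 0)

        probes = 0
        # The ARP probe runs only in gateway authentication mode and only
        # for users whose IP address the device knows (Web auth, or dot1x
        # with IP authorization). A gateway-mode user without a known IP is
        # treated here as a plain location change (assumption).
        if self.auth_mode is AuthMode.GATEWAY and current.ip is not None:
            for probes in range(1, self.arp_retry_times + 1):
                # One request per interval; time is accounted, not slept.
                if self.arp_responder(current.ip, current.vlan, current.port):
                    return MigrationResult("denied-duplicate-mac", probes,
                                           probes * self.arp_retry_interval)
        # No reply within retry_times * interval: the location really changed.
        del self.users[mac.lower()]
        return MigrationResult("force-offline", probes,
                               probes * self.arp_retry_interval)


def demo() -> MigrationResult:
    """Constructed scenario: a Web-authenticated user moves from VLAN 10/Gi0/1
    to VLAN 20/Gi0/5 while the original location stays silent."""
    checker = MigrationChecker(AuthMode.GATEWAY)
    checker.user_online(OnlineUser("00:11:22:33:44:55", 10, "Gi0/1", "10.1.10.23"))
    return checker.observe("00:11:22:33:44:55", 20, "Gi0/5")


if __name__ == "__main__":
    print(demo())  # force-offline after 5 probes, about 5 seconds
```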

User Online-Status Detection


After a user accesses the Internet, the user may forget to get offline or cannot actively get offline due to terminal faults. In
this case, the user keeps being charged and therefore suffers an economic loss. To protect the interests of
users on the Internet, the device provides a function to detect whether the users are really online. If the device considers
that a user is not online, the device actively disconnects the user.

Working Principle

A specific detection interval is preset on the device. If a user's traffic is lower than a certain value in this interval, the device
considers that the user is not using the network and therefore directly disconnects the user.

Only the switches and wireless devices support the user online-status detection function.

The user online-status detection function applies to only users who get online through dot1x or Web
authentication.

Currently, the N18000 supports zero-traffic detection only.

Currently, due to hardware chip restrictions of the N18000, the time to disconnect a user without any traffic
relates to the configured MAC address aging time. If the traffic detection interval is set to m minutes and the
MAC address aging time is set to n minutes, the interval from the moment when an authenticated user
leaves the network without actively getting offline to the moment when the user is disconnected upon
detection of zero traffic is about [m, m+n] minutes. In other words, if an online user does not incur any
Internet access traffic, the user is disconnected about [m, m+n] minutes later.

Configuration

Configuration Item | Suggestions and Related Commands

Configuring Authentication-Exemption VLANs
  Optional configuration, which is used to specify the users of which VLANs can access the Internet without
  authentication.
  [no] direct-vlan: Configures authentication-exemption VLANs.

Configuring the IPv4 User Capacity
  Optional configuration, which is used to specify the maximum number of users who are allowed to access a certain
  interface.
  [no] nac-author-user maximum: Configures the number of IPv4 users who are allowed to access a certain interface.

Configuring User Online-Status Detection
  Optional configuration, which is used to specify whether to enable the user online-status detection function.
  offline-detect interval threshold: Configures the parameters of the user online-status detection function.
  no offline-detect: Disables the user online-status detection function.
  default offline-detect: Restores the default user online-status detection mode.

Configuring Authentication-Exemption VLANs


Configuration Effect

Configure authentication-exemption VLANs, so that users in these VLANs can access the Internet without experiencing
dot1x or Web authentication.

Precautions

Authentication-exemption VLANs only mean that users in these VLANs do not need to experience a check related to
access authentication, but still need to experience a check based on a security ACL. If specified users or VLANs are
denied according to the security ACL, corresponding users still cannot access the Internet. Therefore, during ACL
configuration, you need to ensure that specified VLANs or specified users in the authentication-exemption VLANs are not
blocked if you hope that users in the authentication-exemption VLANs can access the Internet without being
authenticated.

Configuration Steps

 Configuring Authentication-Exemption VLANs

 Optional configuration. To spare all users in certain VLANs from dot1x or Web authentication, configure these
VLANs as authentication-exemption VLANs.
 Perform this configuration on access, convergence, or core switches depending on user distribution.

Command Syntax: [no] direct-vlan vlanlist
Parameter Description:
  no: If the command carries this parameter, the authentication-exemption VLAN configuration is deleted.
  vlanlist: The list of authentication-exemption VLANs to be configured or deleted.
Default Configuration: No authentication-exemption VLAN has been configured.
Command Mode: Global configuration mode
Usage Guide: Use this command to configure or delete authentication-exemption VLANs.

Verification

Check the authentication-exemption VLAN configuration using the following method:

 Enable dot1x authentication on downlink ports that connect to user terminals, add the downlink ports that connect to
the user terminals to a specific VLAN, and configure the VLAN as an authentication-exemption VLAN. Then open
Internet Explorer and enter a valid extranet address (such as www.baidu.com). If the users can open the
corresponding webpage on the Internet, the authentication-exemption VLAN is valid; otherwise, the
authentication-exemption VLAN does not take effect.
 Use the show direct-vlan command to check the authentication-exemption VLAN configuration on the device.

Command: show direct-vlan
Parameter Description: N/A
Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode
Usage Guide: Global configuration mode
Usage Example:
Ruijie#show direct-vlan
direct-vlan 100

Configuration Examples

The following configuration example describes SCC-related configuration only.

Configuring the IPv4 User Capacity


Configuration Effect

Configure the IPv4 user capacity, so as to restrict the number of users who are allowed to access an access port.

Precautions

None.

Configuration Steps

 Configuring the IPv4 User Capacity


 Optional configuration. To limit the maximum number of users who are allowed to access an access port, configure the IPv4
user capacity. The access user capacity is not limited on an access port by default. Suppose the user capacity limit is
configured on a specific interface. When the number of authenticated users on the interface reaches the maximum,
new users cannot be authenticated on this interface and cannot get online until existing authenticated users get
offline on the interface.
 Perform this configuration on access switches, which may be access switches on the network edge or core gateway
devices.

Command Syntax:
nac-author-user maximum max-user-num
no nac-author-user maximum
Parameter Description:
  no: If the command carries this parameter, the limit on the IPv4 access user capacity is removed from the port.
  max-user-num: The maximum number of IPv4 users who are allowed to access the port. The value range is from 1 to 1024.
Default Configuration: The number of IPv4 access users is not limited.
Command Mode: Interface configuration mode
Usage Guide: Use this command to limit the number of IPv4 access users on a specific access port.

Verification

Check the IPv4 user capacity configuration on a port using the following method:

 dot1x authentication: When the number of users who get online based on 1x client authentication on the port
reaches the specified user capacity, no new user can get online from this port.
 Web authentication: When the number of users who get online based on Web authentication on the port reaches the
specified user capacity, no new user can get online from this port.
 Use the show nac-author-user [ interface interface-name ] command to check the IPv4 user capacity configured
on the device.

Command: show nac-author-user [ interface interface-name ]
Parameter Description: interface-name: The interface name.
Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode
Usage Guide: Global configuration mode
Usage Example:
Ruijie#show nac-author-user interface GigabitEthernet 0/1
Port Cur_num Max_num
-------- ------- -------
Gi0/1 0 4

Configuration Examples

The following configuration example describes SCC-related configuration only.

Restricting the Number of IPv4 Users on a Port to Prevent Excessive Access Terminals from Impacting the
Network

Network Environment: Figure 1-2

Configuration Method:
 Assume that the dot1x authentication environment has been well configured on access switch A, and dot1x
authentication is enabled on the Gi 0/2 port.
 Set the maximum number of IPv4 access users on the Gi 0/2 port to 4.
Switch A:
SwitchA(config)#int GigabitEthernet 0/2
SwitchA(config-if-GigabitEthernet 0/2)#nac-author-user maximum 4

Verification:
 Perform dot1x authentication for all four PCs in the dormitory, so that the PCs get online.
Then take an additional terminal to access the network, and attempt to perform dot1x
authentication for this terminal. Verify that the terminal cannot be successfully authenticated to
get online.
 Use the show nac-author-user command to check whether the configuration has taken effect.
Switch A:
SwitchA(config)#show nac-author-user
Port Cur_num Max_num
-------- ------- -------
Gi0/1 0 4

Configuring User Online-Status Detection


Configuration Effect

After the user online-status detection function is enabled, if a user's traffic is lower than a certain threshold within the
specified period of time, the device automatically disconnects the user, so as to avoid the economic loss incurred by
constant charging to the user.

Precautions

Note that when disconnecting zero-traffic users is configured, software such as 360 Security Guard generally runs on
a user terminal by default. Such software sends packets from time to time, so the device will disconnect the
user only when the user's terminal is powered off.

Configuration Steps

 Configuring User Online-Status Detection


 Optional configuration. By default, a user is disconnected if the user does not generate any traffic within eight hours.
 Perform this configuration on access, convergence, or core switches depending on user distribution. The
configuration acts only on the configured device, not on other devices on the network.
 If the traffic threshold parameter threshold is set to 0, zero-traffic detection is performed.

Command Syntax:
offline-detect interval interval threshold threshold
no offline-detect
default offline-detect
Parameter Description:
  interval: The offline-detection interval. The value range is from 6 to 65535 in minutes on a switch or from 1 to
  65535 in minutes on a non-switch device. The default value is 8 hours, that is, 480 minutes.
  threshold: The traffic threshold. The value range is from 0 to 4294967294 in bytes. The default value is 0,
  indicating that the user is disconnected when no traffic of the user is detected.
  no offline-detect: Disables the user online-status detection function.
  default offline-detect: Restores the default value. In other words, an online user is disconnected when the device
  detects that the user does not have any traffic within eight hours.
Defaults: 8 hours
Command Mode: Global configuration mode
Usage Guide: Use this command to configure user online-status detection, so that a user is disconnected when its
traffic is lower than a specific threshold within a specific period of time. Use the no offline-detect
command to disable the user online-status detection function, or use the default offline-detect
command to restore the default detection mode.

Verification

Check the user online-status detection configuration using the following method:
 After the user online-status detection function is enabled, power off the specified authenticated terminal after the
corresponding user gets online. Then wait for the specified period of time, and run the online user query command
associated with dot1x or Web authentication on the device to confirm that the user is already offline.

Configuration Examples

The following configuration example describes SCC-related configuration only.

Configuring User Online-Status Detection so that a User Is Disconnected if the User Does Not Have Traffic Within
Five Minutes

Network Environment: Figure 1-3

Configuration Method:
 Enable dot1x authentication on the access port Gi 0/2, and configure authentication parameters. The
authentication is MAC-based.
 Configure user online-status detection so that a user is disconnected if the user does not have
traffic within five minutes.
Switch A:
sw1(config)# offline-detect interval 5 threshold 0

Verification:
 Perform dot1x authentication using the dot1x SU client for a PC in the R&D department, so that the
PC gets online. Then power off the PC, wait for 6 minutes, and run the online user query
command available with dot1x authentication on switch 1 to confirm that the user of the PC is
already offline.
Switch A:
sw1(config)#show running-config | include offline-detect
offline-detect interval 5

Monitoring

Clearing Various Information

None.

Checking the Running Status



Command | Function
show direct-vlan: Displays the authentication-exemption VLAN configuration.
show nac-author-user [ interface interface-name ]: Displays information about IPv4 user entries on a specific
interface.

Checking Debugging Information

System resources are occupied when debugging information is output. Therefore, close the debugging switch
immediately after use.

Command | Function
debug scc event: Displays information about the access list running process.
debug scc user [ mac | author | mac ]: Displays debugging information about user entries of the current SCC.
debug scc acl-show summary: Displays summary debugging information about ACLs stored in the current SCC and
delivered by various services.
debug scc acl-show all: Displays debugging information about all ACLs stored in the current SCC.
Configuration Guide Configuring Password Policy

Configuring Password Policy

Overview

The Password Policy is a password security function provided for local authentication of the device. It is configured to
control users' login passwords and login states.

The following sections introduce password policy only.

Protocols and Standards

N/A

Features

Basic Concepts

Minimum Password Length

Administrators can set a minimum length for user passwords according to system security requirements. If the password
input by a user is shorter than the minimum password length, the system does not allow the user to set this password but
displays a prompt, asking the user to specify another password of an appropriate length.

Strong Password Detection

The less complex a password is, the easier it is to crack. For example, a password that is the same as
the corresponding account, or a simple password that contains only letters or only digits, may be easily cracked. For the
sake of security, administrators can enable the strong password detection function to ensure that the passwords set by
users are sufficiently complex. After the strong password detection function is enabled, a prompt is displayed for the
following types of passwords:

 Passwords that are the same as the corresponding accounts;
 Simple passwords that contain letters only or digits only.

Password Dictionary Detection

A password dictionary is used in combination with password cracking software. It contains many common
passwords, and therefore improves the cracking success rate and shortens the time taken to crack a password.

Password dictionary detection checks the input password and prevents the user from configuring any password contained
in the dictionary, thereby improving the security of the password configured by the user and helping to guard against
password cracking.

The password dictionary detection function checks a user-input password in the following ways:

 System default password dictionary: If the user-input password exists in the system default password
dictionary, the password fails the detection and the system displays a prompt indicating that
the user cannot use this password.
 Date dictionary, which is a birthday dictionary in most cases: The system checks any combination of four to
eight digits in the user-input password, because the birthday password format is 4-digit mmdd, 5-digit yymmd or
yymdd, 6-digit yymmdd or yyyymd, 7-digit yyyymdd or yyyymmd, or 8-digit yyyymmdd, where the year yy ranges
from 00 to 99, the year yyyy ranges from 1900 to 2100, the month mm ranges from 1 to 12, and the day dd ranges
from 1 to 31.
 Surname spelling dictionary: The system checks the user-input password against the spellings of the 100
most common surnames.
 Combination of the date dictionary and the surname spelling dictionary: The system checks the user-input
password against combinations of the two dictionaries, which can be a birthday followed by a surname, a surname
followed by a birthday, or a birthday or surname only.

Weak Password Detection

A weak password is one that may be easily guessed by others or one that may be easily cracked by using a password
cracking tool. It contains only simple digits and letters, such as 123 or abc. Since such a password may be easily cracked
to threaten the security of the user's PC, it is not recommended for use.

The weak password detection function detects a user-input password based on the following aspects:

 Detects whether the password contains only digits or letters: If yes, the user-input password fails to pass the
detection.
 Provides a command for the user to configure a custom password dictionary: The user can configure a custom weak
password using the command. After the weak password is configured, the user cannot use this weak password
during later password configuration.

Password Life Cycle

The password life cycle defines the validity time of a user password. When the service time of a password exceeds the life
cycle, the user needs to change the password.

If the user inputs a password that has already expired during login, the system will give a prompt, indicating that the
password has expired and the user needs to reset the password. If the new password input during password resetting
does not meet system requirements or the new passwords consecutively input twice are not the same, the system will ask
the user to input the new password once again.

Guard Against Repeated Use of Passwords

When changing the password, the user will set a new password while the old password will be recorded as the user's
history records. If the new password input by the user has been used previously, the system gives an error prompt and
asks the user to specify another password.

The maximum number of password history records per user can be configured. When the number of password history
records of a user is greater than the maximum number configured for this user, the new password history record will
overwrite the user's oldest password history record.
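The checks described in the preceding sections (minimum length, strong password detection, the user-defined weak list, the date and surname dictionaries, and the no-repeat history), implemented as an added example that is not code from the guide or from RGOS. The default dictionary entries and the three-surname list are constructed stand-ins for the device's built-in lists, which the guide does not publish; the function and class names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Sequence, Set

# Constructed stand-ins for the device's built-in lists (the guide does not
# publish them): a few default-dictionary entries and three surnames.
DEFAULT_DICTIONARY = {"password", "admin", "123456", "ruijie"}
SURNAMES = ("zhang", "wang", "li")

# Date-dictionary layouts from the guide, keyed by digit count, as
# (year width, month width, day width): mmdd; yymmd, yymdd; yymmdd, yyyymd;
# yyyymdd, yyyymmd; yyyymmdd.
DATE_LAYOUTS = {
    4: [(0, 2, 2)],
    5: [(2, 2, 1), (2, 1, 2)],
    6: [(2, 2, 2), (4, 1, 1)],
    7: [(4, 1, 2), (4, 2, 1)],
    8: [(4, 2, 2)],
}


def looks_like_birthday(digits: str) -> bool:
    """True if a 4-8 digit string parses as a date in one of the layouts:
    yy 00-99, yyyy 1900-2100, mm 1-12, dd 1-31."""
    if not digits.isdigit():
        return False
    for yw, mw, dw in DATE_LAYOUTS.get(len(digits), []):
        year, month, day = digits[:yw], digits[yw:yw + mw], digits[yw + mw:]
        if yw == 4 and not 1900 <= int(year) <= 2100:
            continue
        if 1 <= int(month) <= 12 and 1 <= int(day) <= 31:
            return True
    return False


def in_dictionary(password: str) -> bool:
    """Default dictionary, birthday only, surname only, and the
    surname+birthday / birthday+surname combinations."""
    p = password.lower()
    if p in DEFAULT_DICTIONARY or looks_like_birthday(p):
        return True
    for name in SURNAMES:
        if p == name:
            return True
        if p.startswith(name) and looks_like_birthday(p[len(name):]):
            return True
        if p.endswith(name) and looks_like_birthday(p[:-len(name)]):
            return True
    return False


@dataclass
class PasswordPolicy:
    """Mirrors the password policy knobs: min-size, strong, no-repeat-times
    and the user-defined weak list (secret-dictionary weak)."""
    min_size: int = 1
    strong: bool = False
    no_repeat_times: int = 0
    weak_passwords: Set[str] = field(default_factory=set)
    dictionary_check: bool = True


def check_password(username: str, password: str, policy: PasswordPolicy,
                   history: Sequence[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < policy.min_size:
        problems.append(f"shorter than min-size {policy.min_size}")
    if policy.strong:
        if password == username:
            problems.append("same as the account name")
        if password.isalpha() or password.isdigit():
            problems.append("letters only or digits only")
    if password in policy.weak_passwords:
        problems.append("listed in the user-defined weak dictionary")
    if policy.dictionary_check and in_dictionary(password):
        problems.append("matches the password or date/surname dictionary")
    # Only no-repeat-times history records are kept (the oldest are
    # overwritten), so only the newest records are compared.
    if policy.no_repeat_times and password in history[-policy.no_repeat_times:]:
        problems.append(f"used within the last {policy.no_repeat_times} passwords")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy(min_size=8, strong=True, no_repeat_times=3)
    print(check_password("admin", "zhang19900101", policy))  # dictionary hit
    print(check_password("admin", "Tr0ub4dor&3", policy))    # []
```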

Storage of Encrypted Passwords



Administrators can enable the storage of encrypted passwords for security reasons. When administrators run the
show running-config command to display the configuration or run the write command to save configuration files, the
various user-set passwords are displayed in cipher text format. If administrators later disable the storage of encrypted
passwords, the passwords already in cipher text format are not restored to plaintext.

Configuration

Configuration | Description and Command

password policy life-cycle: Configures the password life cycle.
password policy min-size: Configures the minimum length of user passwords.
password policy no-repeat-times: Sets the no-repeat times of latest password configuration, so that the passwords
specified in these latest password configurations can no longer be used in future password configuration.
password policy secret-dictionary weak password: Configures a user-defined weak password.
password policy strong: Enables the strong password detection function.
service password-encryption: Sets the storage of encrypted passwords.

Networking Requirements

 Provide a password security policy for local authentication of the device. Users can configure different password
security policies to implement password security management.

Notes

 The configured password security policy is valid for global passwords (configured using the commands enable
password and enable secret) and local user passwords (configured using the username name password password
command). It is invalid for passwords in Line mode.

Configuration Steps

Configuring the Password Dictionary Detection Function

 Optional
 Perform this configuration on each device that requires password dictionary detection unless otherwise stated.

Configuring the Password Life Cycle

 Optional
 Perform this configuration on each device that requires the configuration of a password life cycle unless otherwise
stated.

Configuring the Minimum Length of User Passwords

 Optional
 Perform this configuration on each device that requires a limit on the minimum length of user passwords unless
otherwise stated.

Setting the No-Repeat Times of Latest Password Configuration

 Optional
 Perform this configuration on each device that requires a limit on the no-repeat times of latest password
configuration unless otherwise stated.

Configuring a User-Defined Weak Password

 Optional
 Perform this configuration on each device that requires weak password detection unless otherwise stated.

Enabling the Strong Password Detection Function

 Optional
 Perform this configuration on each device that requires strong password detection unless otherwise stated.

Setting the Storage of Encrypted Passwords

 Optional
 Perform this configuration on each device that requires the storage of passwords in encrypted format unless
otherwise stated.

Verification

Configure a local user on the device, and configure a valid password and an invalid password for the user.

 When you configure the valid password, the device correctly adds the password.
 When you configure the invalid password, the device displays a corresponding error log.

Corresponding

Configuring the Password Life Cycle

Command: password policy life-cycle days
Parameter Description: life-cycle days: Indicates the password life cycle in days. The value range is from 1 to 65535.
Command Mode: Global configuration mode
Usage Guide: The password life cycle defines the validity period of user passwords. If the user logs in with a
password whose service time already exceeds the life cycle, a prompt is given, asking the user to change
the password.

Configuring the Minimum Length of User Passwords

Command: password policy min-size length
Parameter Description: min-size length: Indicates the minimum length of passwords. The value range is from 1 to 31.
Command Mode: Global configuration mode
Usage Guide: This command configures the minimum length of passwords. If the minimum length of passwords is
not configured, users can input a password of any length.

Setting the No-Repeat Times of Latest Password Configuration

Command: password policy no-repeat-times times
Parameter Description: no-repeat-times times: Indicates the no-repeat times of latest password configuration. The
value range is from 1 to 31.
Command Mode: Global configuration mode
Usage Guide: After this function is enabled, all old passwords used in the latest several password configurations
are recorded as the user's password history records. If the new password input by the user has been
used previously, the system gives an error prompt and the password modification fails.
You can configure the maximum number of password history records per user. When the number of
password history records of a user is greater than the maximum number configured for the user, the new
password history record overwrites the user's oldest password history record.

Configuring a User-Defined Weak Password

Command: password policy secret-dictionary weak password
Parameter Description: password: Indicates the manually set weak password.
Command Mode: Global configuration mode
Usage Guide: After a custom weak password list is configured, a user-input password that is the same as a weak
password in the list is invalid. The password setting then fails and a prompt is given.

Enabling the Strong Password Detection Function

Command: password policy strong
Parameter Description: N/A
Command Mode: Global configuration mode
Usage Guide: After the strong password detection function is enabled, a prompt is displayed for the following types of
passwords:
 Passwords that are the same as the corresponding accounts;
 Simple passwords that contain letters only or digits only.

Setting the Storage of Encrypted Passwords

Command: service password-encryption
Parameter Description: N/A
Command Mode: Global configuration mode
Usage Guide: Before the storage of encrypted passwords is set, all passwords used in the configuration process are
displayed and stored in plaintext format, unless the passwords are configured in cipher text format. You can
enable the storage of encrypted passwords for security reasons. When you run the show
running-config command to display the configuration or run the write command to save configuration files,
the various user-set passwords are displayed in cipher text format. If you later disable the storage of encrypted
passwords, the passwords already in cipher text format are not restored to plaintext.

Checking User-Configured Password Security Policy Information

Command: show password policy

Parameter Description: N/A
Command Mode: Privileged EXEC mode / Global configuration mode / Interface configuration mode
Usage Guide: Use this command to display the password security policy configured on the device.

Configuration Examples

The following configuration example describes configuration related to a password security policy.

Configuring Password Security Check on the Device

Typical Application: Assume that the following password security requirements arise in a network environment:
 The minimum length of passwords is 8 characters;
 The password life cycle is 90 days;
 Passwords are stored and transmitted in cipher-text format;
 The number of no-repeat times of password history records is 3;
 Passwords shall not be the same as user names, and shall not consist of letters only or digits only.

Configuration Steps:
 Set the minimum length of passwords to 8.
 Set the password life cycle to 90 days.
 Enable the storage of encrypted passwords.
 Set the no-repeat times of password history records to 3.
 Enable the strong password detection function.
Ruijie# configure terminal
Ruijie(config)# password policy min-size 8
Ruijie(config)# password policy life-cycle 90
Ruijie(config)# service password-encryption
Ruijie(config)# password policy no-repeat-times 3
Ruijie(config)# password policy strong

Verification: When you create a user and the corresponding password after configuring the password security
policy, the system checks the password against the policy.
 Run the show password policy command to display the configured password security policy.
Ruijie# show password policy
Global password policy configurations:
Password encryption: Enabled
Password strong-check: Enabled
Password secret-dictionary-check: Enabled
Password min-size: Enabled (8 characters)
Password life-cycle: Enabled (90 days)
Password no-repeat-times: Enabled (max history record: 3)
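The checks this chapter describes (min-size, life-cycle, the user-defined weak-password dictionary, the no-repeat history bound and the strong check) combined into one routine, as an added example written for this page. It is not RGOS code: the class and function names, the salted-digest history and the way the checks are ordered are the example's own assumptions, chosen so that the rules can be exercised against sample input.

```python
"""Password-policy checks modelled on the RGOS rules described above.
Added example written for this page; it is not RGOS code and the names
below (PasswordPolicy, UserRecord, check_new_password, ...) are its own."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PasswordPolicy:
    min_size: int = 8              # password policy min-size 8
    life_cycle_days: int = 90      # password policy life-cycle 90
    no_repeat_times: int = 3       # password policy no-repeat-times 3
    strong: bool = True            # password policy strong
    # password policy secret-dictionary weak <password>, one entry per command
    secret_dictionary: Set[str] = field(default_factory=set)


@dataclass
class UserRecord:
    username: str
    history: List[str] = field(default_factory=list)   # salted digests, oldest first
    changed_at: Optional[float] = None                 # epoch seconds of the last change


def _digest(user: UserRecord, password: str) -> str:
    """The history keeps a per-user salted digest, never the clear text."""
    return hashlib.sha256(f"{user.username}:{password}".encode()).hexdigest()


def check_new_password(policy: PasswordPolicy, user: UserRecord, new_password: str) -> List[str]:
    """Return the violated rules in check order; an empty list means accepted."""
    errors = []
    if len(new_password) < policy.min_size:
        errors.append(f"shorter than min-size {policy.min_size}")
    if new_password in policy.secret_dictionary:
        errors.append("matches an entry in the weak-password dictionary")
    recent = user.history[-policy.no_repeat_times:] if policy.no_repeat_times else []
    if _digest(user, new_password) in recent:
        errors.append(f"reused one of the last {policy.no_repeat_times} passwords")
    if policy.strong:
        if new_password == user.username:
            errors.append("identical to the account name")
        if new_password.isalpha() or new_password.isdigit():
            errors.append("consists of letters only or digits only")
    return errors


def commit_password(policy, user, new_password, now=None):
    """Apply the password if it passes; keep at most no-repeat-times history records."""
    errors = check_new_password(policy, user, new_password)
    if errors:
        return False, errors
    user.history.append(_digest(user, new_password))
    if policy.no_repeat_times:
        # The newest record overwrites the oldest once the bound is exceeded.
        del user.history[:-policy.no_repeat_times]
    user.changed_at = time.time() if now is None else now
    return True, []


def is_expired(policy, user, now=None):
    """True once the password is older than the life cycle (90 days here)."""
    if user.changed_at is None:
        return True
    now = time.time() if now is None else now
    return now - user.changed_at > policy.life_cycle_days * 86400
```

The history bound behaves as the usage guide describes: with no-repeat-times 3, a password becomes acceptable again only after three different passwords have replaced it, because the fourth commit overwrites the oldest record.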

Common Errors

The pre-warning time configured for notifying the user of password expiry is greater than the password life
cycle.

Monitoring

Command Function
show password policy Displays user-configured password security policy information.
Configuration Guide Configuring SSH

Configuring SSH

 The SSH function is not supported on AP110-W or AP120-W.

Overview

SSH is short for Secure Shell. An SSH connection functions like a Telnet connection, except that all traffic on
the connection is encrypted. When a user logs on to the device over a network whose security cannot be
guaranteed, SSH provides confidentiality and strong authentication, protecting the device from IP address
spoofing, plaintext password interception and similar attacks.

Ruijie SSH service supports both IPv4 and IPv6.

Ruijie SSH Supported Algorithms

Algorithm                      SSH1                                SSH2
Signature authentication       RSA                                 RSA, DSA
Key exchange                   RSA public-key based key exchange   KEX_DH_GEX_SHA1, KEX_DH_GRP1_SHA1, KEX_DH_GRP14_SHA1
Encryption                     DES, 3DES, Blowfish, RC4            DES, 3DES, Blowfish, RC4, AES-128, AES-192, AES-256
User authentication            Password                            Password, user public key
Message authentication (MAC)   Not supported                       MD5, SHA1, SHA1-96, MD5-96
Compression                    NONE (uncompressed), zlib           NONE (uncompressed), zlib

SSHv1, DES, RC4 and the CBC cipher modes are retained for compatibility with old clients only; SSHv1 offers no
message authentication at all. Restrict the server to SSHv2 (ip ssh version 2) and to the CTR cipher mode (see
"Configuring SSH server Encryption Mode" below) unless a legacy client requires otherwise.

Configuration

Default SSH Configurations


Item                                       Default Value
SSH server status                          Off
SSH version                                Compatible mode (supporting versions 1 and 2)
SSH user authentication timeout period     120s
SSH user re-authentication times           3
SCP server                                 Off

 For the sake of SSH connection security, login without authentication is forbidden. The login authentication
mode of each line must therefore have a password configured (Telnet, by contrast, allows login without
authentication).
 The username and password entered must each have a length greater than zero. If the current authentication
mode does not use the username, any username can be entered, but the field cannot be left empty.

Enabling SSH Server


The SSH Server is disabled by default. To enable it, run the enable service ssh-server command in global
configuration mode and generate the SSH key:

Command Description
configure terminal Enter the global configuration mode.
enable service ssh-server Enable SSH Server.
crypto key generate { rsa|dsa } Generate the key.

To delete the key, use the crypto key zeroize command rather than the [no] crypto key generate command.

The SSH module does not support hot standby. For products supporting management module hot standby,
after the management module is switched over, if no SSH key files are in the new main board, the crypto
key generate command must be used to regenerate the key in order to use the SSH.

Disabling SSH Server


When the SSH Server is enabled, deleting the server key (crypto key zeroize) also closes the SSH Server. To
disable the SSH Server explicitly, run no enable service ssh-server in global configuration mode.

Command Description
configure terminal Enter the global configuration mode
no enable service ssh-server Disable SSH Server.

Enabling Encrypted Session with Remote Device


Use this command to establish an encrypted session with a remote device in user EXEC mode.

Command Description
ssh [ oob ] [ -v { 1 | 2 } ] [ -c { 3des | aes128-cbc | aes192-cbc | aes256-cbc } ] [ -l username ] [ -m { hmac-md5-96 | hmac-md5-128 | hmac-sha1-96 | hmac-sha1-160 } ] [ -p port-num ] { ip-addr | hostname } [ /source { ip A.B.C.D | ipv6 X:X:X:X::X | interface interface-name } ] [ /vrf vrf-name ]   Establish an encrypted session with a remote device.

Use the ssh command to create a secure, encrypted session between the current device (SSH client) and another
device (an SSH server supporting SSHv1 or SSHv2). The session is similar to a Telnet session except that it is
encrypted, so the SSH client can create a secure session over an insecure network based on authentication and
encryption.

SSHv1 supports only DES (56-bit key) and 3DES (168-bit key).
SSHv2 supports the AES algorithms aes128-cbc, aes192-cbc and aes256-cbc.
SSHv1 does not support HMAC algorithms.
If the specified SSH version is incompatible with the specified encryption or authentication algorithm, the
algorithm setting does not take effect.

The following example creates a session with the username admin to the SSH server whose IP address is
192.168.23.122 via SSH.

Ruijie#ssh -l admin 192.168.23.122

The following example creates a session with the username admin to the SSH server whose IP address is
192.168.23.122 via SSHv2, using aes128-cbc as the encryption algorithm and hmac-md5-128 as the message
authentication algorithm.

Ruijie#ssh -v 2 -c aes128-cbc -m hmac-md5-128 -l admin 192.168.23.122

Configuring the Supported SSH Server Version


By default, the server runs in compatible mode and accepts both SSHv1 and SSHv2. Run the following commands to
restrict the SSH version; ip ssh version 2 is recommended, since SSHv1 provides no message authentication.

Command Description
configure terminal Enter the configuration mode
ip ssh version { 1|2 } Configure the supported SSH version.
no ip ssh version Restore the SSH default version.

Configuring SSH User Authentication Timeout


By default, the user authentication timeout period of the SSH SERVER is 120 seconds. Run the following commands to
configure the SSH user authentication timeout period.

Command Description
configure terminal Enter the configuration mode
ip ssh time-out time Configure the SSH user authentication timeout period (1-120 seconds)
no ip ssh time-out Restore the default SSH user authentication timeout period of 120 seconds.

Configuring SSH Re-authentication Times


This command sets the number of authentication attempts allowed to an SSH user requesting a connection, to limit
attacks such as password guessing. By default the SSH Server allows 3 attempts, that is, the user may enter the
username and password three times. Run the following commands to configure the SSH re-authentication times:

Command Description
configure terminal Enter the configuration mode
ip ssh authentication-retries retry times Configure SSH re-authentication times (range 0-5)
no ip ssh authentication-retries Restore the default SSH re-authentication times as 3.

For details of the above commands, see SSH Command Reference Manual.

Configuring SSH Public-Key Based Authentication


According to the SSH protocol, only SSHv2 supports public-key based authentication. Run the following commands
on the device (the SSH server) to associate a public-key file with a user name. During login, the server looks up
the public key to verify by the user name the client presents.

Command Function
Ruijie# configure terminal Enter the configuration mode.
Ruijie(config)# ip ssh peer username public-key { rsa | dsa } filename Associate an RSA or DSA public-key file with the user username.
Ruijie(config)# ip ssh peer test public-key dsa flash:dsa.pub Associate the DSA public-key file flash:dsa.pub with the user test.

For details of the above commands, see SSH Command Reference Manual.

Configuring SSH server Encryption Mode


Use this command to set the SSH server encryption mode in global configuration mode. All encryption modes are
supported by default.

Command Function
ip ssh cipher-mode { cbc | ctr | others } Set the SSH server encryption mode.
  cbc: Encryption mode CBC (Cipher Block Chaining); algorithms DES-CBC, 3DES-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC, Blowfish-CBC
  ctr: Encryption mode CTR (Counter); algorithms AES128-CTR, AES192-CTR, AES256-CTR
  others: Other encryption modes; algorithm RC4

CBC-mode ciphers and RC4 have known cryptographic weaknesses (plaintext-recovery attacks against SSH CBC modes,
keystream biases in RC4), so the CTR mode is recommended for organizations and enterprises demanding high
security. The following example enables the CTR encryption mode.

Ruijie# configure terminal


Ruijie(config)# ip ssh cipher-mode ctr

Configuring the SCP Server Function


With the SCP server enabled on a network device, users can download files from the device and upload local files
to it directly. All interactive data is transferred over the authenticated, encrypted SSH channel.

Command Function
Ruijie# configure terminal Enter the configuration mode.
Ruijie(config)#ip scp server enable Enable the SCP server function.
Ruijie(config)# no ip scp server enable Disable the SCP server function.

For details of the above commands, see SSH Command Reference Manual.

Configuring Algorithm for Message Authentication


Use this command to set the algorithm for message authentication in global configuration mode. Use the no form of this
command to restore the default setting. By default, SSHv2 supports all the algorithms.

Command Function
ip ssh hmac-algorithm { md5 | md5-96 | sha1 | sha1-96 } Set the algorithm for message authentication.
  md5: MD5 algorithm
  md5-96: MD5-96 algorithm
  sha1: SHA1 algorithm
  sha1-96: SHA1-96 algorithm

Ruijie SSHv1 servers do not support algorithms for message authentication. Of the four SSHv2 options, sha1 is
the only one that is neither MD5-based nor truncated to 96 bits, so it is the preferred choice in this release.
The following example sets the algorithm for message authentication to SHA1.

Ruijie# configure terminal


Ruijie(config)# ip ssh hmac-algorithm sha1
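To confirm that a device really stops offering the CBC and RC4 ciphers and the MD5 or truncated MACs after ip ssh cipher-mode ctr and ip ssh hmac-algorithm sha1 (the two preceding sections), inspect the SSH_MSG_KEXINIT the server sends at the start of every connection. The following script, an added example written for this page and not RGOS code, parses a KEXINIT payload (RFC 4253, section 7.1) and lists the legacy offers. The two payloads it contains are constructed to mirror the all-modes default and the hardened setting; they are not captures from a device, and the algorithm names are the standard IANA identifiers rather than RGOS display strings.

```python
"""Parse an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and list the
legacy algorithm offers. Added example for this page, not RGOS code; the
two payloads at the bottom are constructed, not captured from a device."""
import struct

SSH_MSG_KEXINIT = 20
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _name_list(buf, off):
    raw, off = _string(buf, off)
    return [s for s in raw.decode("ascii").split(",") if s], off


def parse_kexinit(payload):
    """Return the ten name-lists plus the first_kex_packet_follows flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                       # message type byte, then the 16-byte cookie
    fields = {}
    for name in NAME_LISTS:
        fields[name], off = _name_list(payload, off)
    fields["first_kex_follows"] = bool(payload[off])
    return fields


def weak_offers(fields):
    """Names that fall in this chapter's cbc/others cipher modes, the MD5 or
    96-bit truncated MACs, or the 1024-bit group1 key exchange."""
    weak = set()
    for c in fields["enc_c2s"] + fields["enc_s2c"]:
        if c.endswith("-cbc") or c.startswith("arcfour") or c == "none":
            weak.add(c)
    for m in fields["mac_c2s"] + fields["mac_s2c"]:
        if "md5" in m or m.endswith("-96"):
            weak.add(m)
    for k in fields["kex"]:
        if k == "diffie-hellman-group1-sha1":
            weak.add(k)
    return sorted(weak)


def build_kexinit(kex, host_key, enc, mac, comp=("none", "zlib")):
    """Assemble a KEXINIT payload for testing (same lists in both directions)."""
    def nl(items):
        raw = ",".join(items).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # all-zero cookie is fine for a sample
    for lst in (kex, host_key, enc, enc, mac, mac, comp, comp, (), ()):
        out += nl(lst)
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


# Constructed offer matching the defaults of the algorithm table (every mode on).
DEFAULT_OFFER = build_kexinit(
    kex=("diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1",
         "diffie-hellman-group14-sha1"),
    host_key=("ssh-rsa", "ssh-dss"),
    enc=("aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc",
         "blowfish-cbc", "arcfour"),
    mac=("hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"),
)

# Constructed offer after 'ip ssh cipher-mode ctr' and 'ip ssh hmac-algorithm sha1'.
HARDENED_OFFER = build_kexinit(
    kex=("diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"),
    host_key=("ssh-rsa",),
    enc=("aes128-ctr", "aes192-ctr", "aes256-ctr"),
    mac=("hmac-sha1",),
)

if __name__ == "__main__":
    for label, offer in (("default", DEFAULT_OFFER), ("hardened", HARDENED_OFFER)):
        print(f"{label}: weak offers = {weak_offers(parse_kexinit(offer))}")
```

To audit a real device, take the payload of the server's first binary packet after the version-string exchange from a packet capture (strip the 4-byte packet length and the 1-byte padding length) and pass it to parse_kexinit; an OpenSSH client run with ssh -vv prints the same lists as the peer's KEXINIT proposal. hmac-sha1 is deliberately not flagged, since it is the strongest MAC this release offers.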

Restoring Suspended SSH Client Session


Use this command to restore the suspended SSH client session in user EXEC mode.

Command Function
ssh-session session-id Restore the suspended SSH client session; session-id is the ID of the session to restore.

After creating an SSH client session with the ssh command, you can press the hot key (Ctrl+Shift+6, then x) to
suspend the session temporarily. To restore a suspended session, run the ssh-session command. Use the show
ssh-session command to list the established sessions.

The following example restores the suspended SSH client session:

Ruijie# ssh-session 1

Disconnecting Suspended SSH Client Session


Use this command to disconnect the suspended SSH client session in User EXEC mode.

Command Function
disconnect ssh-session session-id Disconnect the suspended SSH client session; session-id is the ID of the suspended session.

This command is used to disconnect the suspended SSH client session by specifying its session ID. The following
example disconnects a SSH client session by specifying its session ID.

Ruijie# disconnect ssh-session 1

Displaying SSH Configuration


Use this command to display the information about the established SSH client instance in user EXEC mode.

Command Function
show ssh-session Display SSH configuration.

This command is used to display the information about the established SSH client instance, including the VTY number,
SSH version, and server address.

The following example displays the information about the established SSH client instance.

Ruijie#show ssh-session
Connect No. SSH Version Server Address
----------- ----------- ---------------
0 2.0 192.168.23.122
1 1.5 192.168.23.122

Using SSH for Device Management


To use SSH for device management, first enable the SSH Server function, which is disabled by default. Because the
Telnet client that comes with Windows does not support SSH, third-party client software is required; PuTTY,
OpenSSH (on Linux) and SecureCRT are well supported. SecureCRT is used as the example client below (see the UI
below):

Figure 1-1

As shown in Figure 1-1, SSH2 is chosen under "Protocol" because protocol version 2 is used for login. "Hostname"
is the IP address of the host to log in to, 192.168.5.245. Port 22 is the default port on which the SSH server
listens. "Username" is the login user name; it is ignored when the device requires only a password.
"Authentication" is the authentication mode; username/password authentication is used here, and the password is
the same as the Telnet password.

Ruijie devices support the user-name-password based authentication method and the public-key based authentication
method. For the user-name-password based authentication method, the password used is the same as the Telnet
password. The public-key based authentication method is described in the next section.

Click “OK” to pop up the following dialog:

Figure 1-2

Click “Connect” to log into the host just configured, as shown below:

Figure 1-3

The client first asks whether the host key received from 192.168.5.245 should be trusted. Compare the fingerprint
shown with the one obtained out of band from the device administrator before choosing "Accept & Save" or "Accept
Once"; accepting an unknown key blindly gives up SSH's protection against a man-in-the-middle. The password dialog
then appears, as shown below:

Figure 1-4

Enter the Telnet login password to enter the UI that is the same as the Telnet. See the diagram below:

Figure 1-5

Using SSH Public-Key Based Authentication


Operations on a Client

To use the public-key based authentication method on a client, you need to generate a key pair (RSA or DSA) on the
client, put the key on the SSH server, and select the PublicKey authentication method. The following uses the client
software SecureCRT as an example for describing how to generate the key pair on the client.

Step 1: In the Authentication option of Session Option, select PublicKey and then Properties. See the following figure.

Figure 1-6

Click Properties... If the key pair has already been generated, choose the private key to use (Use identity or
certificate file). The private key must be the one paired with the public key on the server; otherwise
authentication fails. See the following figure.

Figure 1-7

If the key pair has not been generated, create a new one (Create Identity File). During key generation you can set
a passphrase (it may be blank) on the private key; if you set one, you must enter it at every authentication. A
passphrase is recommended, since anyone holding the unencrypted private key file can log in as that user. See the
following figure.

Figure 1-8

During key generation, do not move the cursor continuously, or the creation takes a long time.

The key file must be in the OpenSSH format, or it cannot be used. If PuTTY is the client, the puttygen.exe tool
must be used to convert the private key into PuTTY's own format: puttygen.exe can generate an OpenSSH-format
key pair, but PuTTY cannot use such a pair directly. The public-key file placed on the server needs no
conversion; it stays in OpenSSH format. See the following figure.

Figure1-9

Operations on a Server

After keys are generated on the client, the SSH server, namely the network device, needs to copy the client public-key file
to flash, and associate the file with the SSH user name. Each user can associate with an RSA public key and a DSA
public key. See the following contents.

Ruijie# configure terminal


Ruijie(config)# ip ssh peer test public-key rsa flash:rsa.pub
Ruijie(config)# ip ssh peer test public-key dsa flash:dsa.pub

In this way, the client can log in to the network device using the public-key based authentication method.
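Before a client's public key is copied to flash and bound with ip ssh peer, it is worth checking that the file really is the one-line OpenSSH format the server expects (the note on PuTTY and puttygen above) and reading off whether it is RSA or DSA, which decides the rsa | dsa keyword. The script below is an added example for this page, not RGOS code: describe_pubkey_file and the bind_with field are the example's own names, and the sample keys are built from made-up numbers, so they are correctly framed but are not usable key pairs.

```python
"""Check a client public-key file before it is copied to flash and bound with
'ip ssh peer <user> public-key { rsa | dsa } <file>'. Added example for this
page, not RGOS code; describe_pubkey_file and the bind_with field are the
example's own names, and the sample keys are built from made-up numbers."""
import base64
import struct

RGOS_KEY_TYPES = {"ssh-rsa": "rsa", "ssh-dss": "dsa"}   # keyword for ip ssh peer


def _string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) from the decoded blob."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _mpint(value):
    """Encode a non-negative int as an SSH mpint (leading zero if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_openssh_pubkey(key_type, numbers, comment=""):
    """Serialize the one-line OpenSSH public-key format (used here for samples)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    blob += b"".join(_mpint(v) for v in numbers)
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def _parse(line):
    if line.startswith("PuTTY-User-Key-File-"):
        raise ValueError("PuTTY .ppk file: export the OpenSSH public key with puttygen")
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("RFC 4716 file: convert it to OpenSSH format first")
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in RGOS_KEY_TYPES:
        raise ValueError("expected 'ssh-rsa' or 'ssh-dss' followed by a base64 blob")
    key_type = parts[0]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)   # binascii.Error is a ValueError
    inner_type, off = _string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the leading type")
    if key_type == "ssh-rsa":
        _, off = _string(blob, off)        # public exponent e
        modulus, off = _string(blob, off)  # modulus n
    else:                                  # ssh-dss: p, q, g, y
        modulus, off = _string(blob, off)
        for _ in range(3):
            _, off = _string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the key fields")
    bits = int.from_bytes(modulus, "big").bit_length()
    return {"ok": True, "type": key_type, "bits": bits, "comment": comment,
            "bind_with": RGOS_KEY_TYPES[key_type]}


def describe_pubkey_file(line):
    """Return the parsed fields, or {'ok': False, 'error': reason}."""
    try:
        return _parse(line)
    except (ValueError, struct.error, IndexError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed samples: not real key pairs, just correctly framed numbers.
SAMPLE_RSA_PUB = build_openssh_pubkey("ssh-rsa", [65537, (1 << 2047) | 0x1001], "test@client")
SAMPLE_DSA_PUB = build_openssh_pubkey("ssh-dss", [(1 << 1023) | 1, (1 << 159) | 1, 2, 3])
```

A file that passes with bind_with "rsa" is the one to copy to flash:rsa.pub and bind with ip ssh peer test public-key rsa flash:rsa.pub; a PuTTY .ppk or RFC 4716 file is reported with the conversion needed instead of being copied as-is.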

Using SSH to Transfer Files

Operations on a Server

Secure CoPy (SCP) is used in SSH file transfer. The SCP server function needs to be enabled on the network device, so
that the client can use SCP to transfer files to the network device, or download files from the network device. See the
following contents.

Ruijie# configure terminal


Ruijie(config)# ip scp server enable

In this way, the client can use SCP to connect to the server and transfer files. The SCP server uses the SSH thread. When
connecting the network device for SCP transfer, the client uses a VTY connection. When you run the show user command,
you can find that the user type is SSH.

Operations on a Client

The scp command is available on Unix and Linux platforms. Using Ubuntu Linux as the example, the usage of the scp
command is as follows:

SCP command syntax:


scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
[-l limit] [-o ssh_option] [-P port] [-S program]
[[user@]host1:]file1 [...] [[user@]host2:]file2

Description about some options:


-1: use SSH protocol version 1. If neither -1 nor -2 is given, SSH2 is used by default.
-2: force SSH protocol version 2.
-C: enable compression.
-c: select the encryption algorithm (cipher).
-r: copy an entire directory recursively.
-i: select the identity (private key) file.
-l: limit the transfer bandwidth, in Kbit/s.
For the other options, see the scp(1) manual page.

File transfer examples (all the following operations are performed on Ubuntu 7.10)

Example 1:

Specify the user name as test. Copy the config.text file from the network device (IP address: 192.168.195.188) to the
local /root directory. See the following contents.

root@dhcpd:~# scp test@192.168.195.188:/config.text /root/config.text


test@192.168.195.188's password:
config.text 100% 1506 1.5KB/s 00:00
Read from remote host 192.168.195.188: Connection reset by peer

Example 2:

Specify the user name as test. Copy all files in the /tmp directory from the network device (IP address: 192.168.195.188)
to the local /root/ccc/ directory. If the /root/ccc/tmp/ directory does not exist on the local machine, it is
created automatically. See the following contents.

root@dhcpd:~# scp -r test@192.168.195.188:/tmp/ /root/ccc/


test@192.168.195.188's password:
aaa.txt 100% 2576 2.5KB/s 00:00
bbb.txt 100% 2576 2.5KB/s 00:00
ccc.txt 100% 2576 2.5KB/s 00:00
Read from remote host 192.168.195.188: Connection reset by peer

Most options are client-side. A few require support on both client and server; the SCP server on Ruijie network
devices does not support the options -d, -p and -q, and prompts that they are unsupported when they are used.

During files downloading, if the speed is not restricted (option –l is not used), the CPU usage of the network
device increases during downloading, and recovers to normal status after downloading ends. The console
can still be used, but other application tasks will be affected.

Configuration Examples

Example of SSH Local Authentication Configurations


Figure 0-10 Networking diagram for SSH local password protection

Networking Requirements

As shown above, to secure the information exchange, PC1 and PC2 act as SSH clients that log in to the SSH Server
over the SSH protocol. The specific requirements are:

 SSH users are authenticated with line passwords.
 VTY lines 0-4 are enabled at the same time. The login password for line 0 is "passzero", and the login password
for the other four lines is "pass". Any user name can be used.

Configuration Tips

 SSH Server configuration tips are shown below:


 Globally enable SSH Server. By default, SSH Server supports SSH1 and SSH2.
 Configure the key. The key pair identifies the server to the client and is used in the key exchange that sets up
the encrypted channel; the client's password travels inside that channel and is compared on the server with the
configured line password before the authentication result is returned. SSH1 uses an RSA key, while SSH2 uses an
RSA or DSA key.
 Configure the IP address of interface Gi 1/1 of the SSH server. The SSH client uses this address to connect to
the server, so the route from the client to the server must be reachable.
 Configurations on SSH Client:

There are many SSH client programs, such as PuTTY and OpenSSH. This example uses SecureCRT to show how to
configure the SSH client; the details are given in "Configuration Steps".

Configuration Steps

 Configure SSH Server

Before configuring relevant SSH features, make sure the route from SSH client to SSH server is reachable. The IP
addresses of respective interfaces are shown in the topological diagram, and the steps of IP and route configuration are
omitted herein.

Step 1: Enable SSH Server



Ruijie(config)# enable service ssh-server

Step 2: Generate RSA key

Ruijie(config)#crypto key generate rsa


% You already have RSA keys.
% Do you really want to replace them? [yes/no]:
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:


% Generating 512 bit RSA1 keys ...[ok]
% Generating 512 bit RSA keys ...[ok]

Accept the 512-bit default only in a lab. 512-bit RSA keys can be factored with modest resources; choose a
2048-bit modulus (the top of the supported range) for production devices.

Step 3: Configure the address of interface Gi 1/1. The client will use this address to connect SSH server.

Ruijie(config)#interface gigabitEthernet 1/1


Ruijie(config-if-gigabitEthernet 1/1)#ip address 10.10.10.10 255.255.255.0
Ruijie(config-if-gigabitEthernet 1/1)#exit

Step 4: Configure login password for lines

! Configure the login password for line 0 as "passzero"

Ruijie(config)#line vty 0
Ruijie(config-line)#password passzero
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#exit

! Configure the login password for line 1-4 as "pass"

Ruijie(config)#line vty 1 4
Ruijie(config-line)#password pass
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#exit

Line passwords set this way appear in plaintext in the running configuration (see the show running-config output
under Verification). Enable service password-encryption, described in the password policy chapter, so that they
are stored in cipher text.
 Configure SSH Client (PC1/PC2)

Open the SecureCRT connection dialog box, as shown below. SSH1 is used for login authentication in this example;
SSH2 is preferable wherever the client supports it. Any session name can be used (here the session name is
PC1-SSH1-10.10.10.10).

Figure 1-11

Configure SSH attributes. The host name is the IP address of SSH server (10.10.10.10 in this example). Since user name
is not required by the currently-used authentication mode, you can type in any user name in the field of "User Name", but
this field cannot be left blank (the user name is "anyname" in this example).

Figure 1-12

Verification

 Verify the configurations of SSH Server

Step 1: Execute "show running-config" command to verify the current configurations:

Ruijie#show running-config

Building configuration...
!
enable secret 5 $1$eyy2$xs28FDw4s2q0tx97
enable service ssh-server
!
interface gigabitEthernet 1/1
ip address 10.10.10.10 255.255.255.0
line vty 0
privilege level 15
login
password passzero
line vty 1 4
privilege level 15
login
password pass
!
end
 Verify the configurations of SSH Client

Step 1: Establish remote connection.

Establish connection and type in the correct password in order to enter the operating interface of SSH Server. The login
password for line 0 is "passzero", and the login password for other four lines is "pass".

Figure 1-13

Step 2: Display login user.

Ruijie#show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:16
1 vty 0 idle 00:02:16 192.168.217.10
* 2 vty 1 idle 00:00:00 192.168.217.20

Example of Configuring AAA Authentication for SSH


Figure 0-14 Networking diagram for AAA authentication for SSH

Networking Requirements

As shown above, to secure the information exchange, the PC acts as an SSH client that logs in to the SSH Server
over the SSH protocol.

For better security management, the SSH login uses AAA authentication. For resilience, two authentication methods
are configured in the AAA method list: RADIUS server authentication and local authentication. The RADIUS server is
always tried first; local authentication is used only when no reply is received from the RADIUS server, not when
the RADIUS server rejects the credentials.

Configuration Tips

 The route from the SSH client to the SSH server and the route from the SSH server to the RADIUS server must be
reachable.
 Complete the SSH Server configuration on the network device. The configuration tips were given in the previous
example and are not repeated here.
 Complete the AAA authentication configuration on the network device. AAA defines the authentication type by
creating a method list, which is then applied to the specific service or line. Details are given in
"Configuration Steps".

Configuration Steps

The route from the SSH client to the SSH server and the route from the SSH server to the RADIUS server must be
reachable. Route configuration is not covered here; see the route configuration section of this manual.

 Configure relevant SSH features on the network device

Step 1: Enable SSH Server

Ruijie(config)# enable service ssh-server

Step 2: Generate the key

! Generate RSA key

Ruijie(config)#crypto key generate rsa


% You already have RSA keys.
% Do you really want to replace them? [yes/no]:
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA1 keys ...[ok]
% Generating 512 bit RSA keys ...[ok]

! Generate DSA key

Ruijie(config)#crypto key generate dsa


Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit DSA keys ...[ok]

Step 3: Configure the IP address of device. The client will use this address to connect SSH server.

Ruijie(config)#interface gigabitEthernet 1/1


Ruijie(config-if-gigabitEthernet 1/1)#ip address 192.168.217.81 255.255.255.0
Ruijie(config-if-gigabitEthernet 1/1)#exit
 Configure relevant features of AAA authentication on the network device

Step 1: Enable AAA on the device

Ruijie#configure terminal
Ruijie(config)#aaa new-model

Step 2: Configure the RADIUS server information (the shared key the device uses to communicate with the RADIUS
server is "aaaradius").

Ruijie(config)#radius-server host 192.168.32.120


Ruijie(config)#radius-server key aaaradius

Step 3: Configure AAA authentication method list

! Configure login authentication method list (Radius first, followed by Local), and the name of method list shall be
"method".

Ruijie(config)#aaa authentication login method group radius local

Step 4: Apply this method list to the line

Ruijie(config)#line vty 0 4
Ruijie(config-line)#login authentication method
Ruijie(config-line)#exit

Step 5: Configure local user database

! Configure local user database (configure user name and password, and bind the privilege level)

Ruijie(config)#username user1 privilege 1 password 111


Ruijie(config)#username user2 privilege 10 password 222
Ruijie(config)#username user3 privilege 15 password 333

! Configure local enable command for local enable authentication

Ruijie(config)#enable secret w

Verification

Step 1: Execute "show running-config" command to verify the current configurations:

Ruijie#show run

aaa new-model
!
aaa authentication login method group radius local
!
username user1 password 111
username user2 password 222
username user2 privilege 10
username user3 password 333
username user3 privilege 15

no service password-encryption
!
radius-server host 192.168.32.120
radius-server key aaaradius
enable secret 5 $1$hbgz$ArCsyqty6yyzzp03
enable service ssh-server
!
interface gigabitEthernet 1/1
no ip proxy-arp
ip address 192.168.217.81 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.217.1
!
line con 0
line vty 0 4
login authentication method
!
end

Step 2: Configure Radius Server. This example configures the SAM server.

In "System Management-Device Management", type in device IP of "192.168.217.81" and device key of "aaaradius";

In "Security Management - Device Management Privilege", configure the privilege level for the login user;

In "Security Management - Device Administrator", type in the user name of "user" and password of "pass".

Step 3: Establish remote SSH connection on the PC.

SSH client configuration and connection establishment: please refer to the previous example.

Type in the correct password: "user" for SSH user name and "pass" for password. The user will login successfully.

Step 4: Display login user.

Ruijie#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:31
* 1 vty 0 user idle 00:00:33 192.168.217.60
RG-WLAN Series Access Point RGOS Configuration Guide,
Release 11.1(5)B6
System Configuration

1. Configuring Command Line Interface

2. Configuring Basic Configuration Management

3. Configuring LINE Mode

4. Configuring RMON

5. Configuring SNMP

6. Configuring HTTP Service

7. Configuring Syslog

8. Configuring RLOG

9. Configuring CWMP

10. Configuring LED

11. Configuring USB

12. Configuring PKG_MGMT

13. Configuring NTP

14. Configuring SNTP

15. Configuring Time Range


Configuration Guide Configuring Command Line Interface

Configuring Command Line Interface

This chapter describes how to use the command line interface (CLI). You can manage network devices through the
CLI.

This chapter covers the following topics:

 Command Mode
 Getting Help
 Abbreviating Commands
 Using no and default Options
 Understanding CLI Error Messages
 Using History Commands
 Using Editing Features
 Filtering and Looking Up CLI Output Information
 Using Command Alias
 Accessing CLI

Command Mode

The management interface of Ruijie network devices has multiple modes. The command mode you are in determines the
commands you can use.

To list the commands available in a mode, enter a question mark (?) at the command prompt.

After you set up a session to the management interface of the network device, you enter user EXEC mode first. Only a
few commands with limited functions are available in user EXEC mode, for example the show command, and nothing
entered there changes the saved configuration.

To use all commands, enter privileged EXEC mode with the privileged password. You can then use all privileged
commands and enter global configuration mode.

Commands executed in a configuration mode (global configuration or interface configuration, for instance) change the
running configuration. If you save the configuration, these commands are stored and executed again when the system
restarts. To enter any of the configuration modes, first enter global configuration mode.

The following table lists the command modes, access methods, prompts, and exit methods. The device is assumed to have
the default name "Ruijie".

Summary of main command modes:

User EXEC
  Access method: Log in.
  Prompt: Ruijie>
  Exit or enter the next mode: Enter exit to quit this mode. Enter enable to enter privileged EXEC mode.
  Remark: Used for basic tests and for showing system information.

Privileged EXEC
  Access method: In user EXEC mode, enter enable.
  Prompt: Ruijie#
  Exit or enter the next mode: To return to user EXEC mode, enter disable. To enter global configuration mode, enter configure.
  Remark: Verify settings. This mode is password-protected.

Global configuration
  Access method: In privileged EXEC mode, enter configure terminal.
  Prompt: Ruijie(config)#
  Exit or enter the next mode: To return to privileged EXEC mode, enter end or exit, or press Ctrl+C. To enter interface configuration mode, enter interface with an interface specified. To enter VLAN configuration mode, enter vlan vlan-id.
  Remark: Configure global parameters that affect the whole device.

Interface configuration
  Access method: In global configuration mode, enter interface with an interface specified.
  Prompt: Ruijie(config-if)#
  Exit or enter the next mode: To return to privileged EXEC mode, enter end or press Ctrl+C. To return to global configuration mode, enter exit.
  Remark: Configure the individual interfaces of the device.

Config-vlan (VLAN mode)
  Access method: In global configuration mode, enter vlan vlan-id.
  Prompt: Ruijie(config-vlan)#
  Exit or enter the next mode: To return to privileged EXEC mode, enter end or press Ctrl+C. To return to global configuration mode, enter exit.
  Remark: Configure VLAN parameters.

Getting Help

To obtain a list of the commands available in a command mode, enter a question mark (?) at the command prompt. You
can also list the keywords that begin with a given string, or the parameters of a command. See the following table.

Command: help
Function: Obtain a brief description of the help system in any command mode.

Command: abbreviated-command-entry?
Function: Obtain a list of commands that begin with a particular character string. (Do not leave a space between the keyword and the question mark.)
For example:
Ruijie# di?
dir disable

Command: abbreviated-command-entry<Tab>
Function: Complete a partial command name.
For example:
Ruijie# show conf<Tab>
Ruijie# show configuration

Command: ?
Function: List a command's associated keywords. (Leave a space between the keyword and the question mark.)
For example:
Ruijie# show ?

Command: command keyword ?
Function: List a command's associated arguments. (Leave a space between the keyword and the question mark.)
For example:
Ruijie(config)# snmp-server community ?
WORD SNMP community string

Abbreviating Commands

To abbreviate a command, enter enough of the command to identify it uniquely.

For example, show configuration can be abbreviated as:

Ruijie# show config

If the entered text does not identify a command uniquely, the system prompts "Ambiguous command:". For example, when
you want to view access-list information, the following command is not complete:

Ruijie# show access
% Ambiguous command: "show access"

Using No and Default Options

Almost all commands have a no form, which disables a feature or function or reverses the action of the command. For
example, no shutdown brings an interface up, the opposite of shutdown. Use the command without no to enable a
feature that has been disabled or is disabled by default.

Most configuration commands also have a default form that restores the setting to its default. Most commands are
disabled by default, so default and no usually have the same effect. For commands that are enabled by default,
however, the two differ: the default form keeps the command enabled and restores its arguments to their default
values, while the no form disables it.

Understanding CLI Error Messages

The following table lists the error messages that may appear when you use the CLI to manage the device.

Common CLI error messages:

Message: % Ambiguous command: "show c"
Meaning: You did not enter enough characters for the device to identify a unique command.
Action: Re-enter the command with a question mark directly after the ambiguous word. The possible keywords are listed.

Message: % Incomplete command.
Meaning: You did not enter the required keywords or arguments.
Action: Re-enter the command followed by a space and a question mark. The possible keywords or arguments are displayed.

Message: % Invalid input detected at '^' marker.
Meaning: You entered an incorrect command; the "^" marks the position of the error.
Action: Enter a question mark at the command prompt to show the allowed keywords of the command.

Using Historical Commands

The system records the commands you have entered recently, which is useful when you need to enter a long or complex
command again.

To re-execute a command from the history, perform the following operations:

Operation: Ctrl-P or Up arrow
Result: Browse back to the previous command in the history.

Operation: Ctrl-N or Down arrow
Result: Return to a more recent command in the history.

Standards-based terminals such as the VT100 series support the arrow keys.

Using Editing Features

This section describes the editing functions available on the command line:

 Editing Shortcut Keys
 Sliding Window of Command Line

Editing Shortcut Keys


The following table lists the editing shortcut keys.

Function: Move the cursor within the line being edited
Left arrow or Ctrl+B: move the cursor left by one character.
Right arrow or Ctrl+F: move the cursor right by one character.
Ctrl+A: move the cursor to the beginning of the command line.
Ctrl+E: move the cursor to the end of the command line.

Function: Delete entered characters
Backspace: delete the character to the left of the cursor.
Delete: delete the character under the cursor.

Function: Scroll the output by one line or one page
Return: scroll the displayed content up by one line and show the next line. Used only before the end of the output.
Space: scroll the displayed content up by one page and show the next page. Used only before the end of the output.

Sliding Window of Command Line


The sliding window lets you edit commands that exceed the width of one line. When the cursor approaches the right
border, the whole command line moves left by 20 characters. The cursor can still be moved back to the previous
character or to the beginning of the command line.

When editing a command line, you can move the cursor using the shortcut keys in the following table:

Function Shortcut Key


Move the cursor to the left by one character Left direction key or Ctrl+B
Move the cursor to the head of a line Ctrl+A
Move the cursor to the right by one character Right direction key or Ctrl+F
Move the cursor to the end of a line Ctrl+E

For example, the mac-address-table static command may exceed the screen width. When the cursor approaches the end of
the line for the first time, the whole line moves left by 20 characters and the hidden beginning is replaced by "$" on
the screen. Each time the cursor reaches the right border, the line moves left by another 20 characters.

mac-address-table static 00d0.f800.0c0c vlan 1 interface


$tatic 00d0.f800.0c0c vlan 1 interface fastEthernet
$tatic 00d0.f800.0c0c vlan 1 interface fastEthernet 0/1

Now you can press Ctrl+A to return to the beginning of the command line. In this case, the hidden ending part is replaced
by "$".

-address-table static 00d0.f800.0c0c vlan 1 interface $

The default line width on the terminal is 80 characters.

Combined with historical commands, the sliding window enables you to invoke complicated commands repeatedly. For
details about shortcut keys, see Edit Shortcut Keys.

Filtering and Looking Up CLI Output Information

Filtering and Looking Up the Information Output by the show Command

To look up a specified string in the output of a show command, execute the following command:

Command: Ruijie# show any-command | begin regular-expression
Function: Search the output of the show command for the specified content and output everything from the first matching line onward.

You can execute show commands in any mode.

The string to look up is case sensitive; the same applies to the filtering commands below.

To filter the output of a show command, execute the following commands:

Command: Ruijie# show any-command | exclude regular-expression
Function: Output the show command's information without the lines that contain the specified content.

Command: Ruijie# show any-command | include regular-expression
Function: Output only the lines of the show command's information that contain the specified content; everything else is filtered out.

To look up or filter show command output, enter the pipe character (vertical bar, "|") after the command, followed by
the lookup or filtering rule and the content (a character or string). The content to look up or filter is case sensitive.

Using Command Alias

The system provides a command alias function. Any word can be defined as the alias of a command. For example, you
can define the word "mygateway" as the alias of "ip route 0.0.0.0 0.0.0.0 192.1.1.1"; entering the word is then
equivalent to entering the whole string.

An alias can also stand for the first part of a command, after which you type the rest of the command.

The command that an alias represents must be valid in the mode for which the alias is defined. In global
configuration mode, enter alias ? to list all command modes in which aliases can be configured.

Ruijie(config)#alias ?
aaa-gs AAA server group mode
acl acl configure mode
bgp Configure bgp Protocol
config globle configure mode
......

Aliases are integrated with the help system. An alias appears with an asterisk (*) in front of it, in the following format:

*command-alias=original-command

For example, in EXEC mode the alias "s" stands for the show command by default. Enter "s?" to obtain the help
information for the command and for the aliases beginning with "s".

Ruijie#s?
*s=show show start-chat start-terminal-service

If the command that an alias represents consists of more than one word, the command is shown in quotation marks. In
the following example, the alias "sv" has been configured to replace the show version command in EXEC mode.

Ruijie#s?
*s=show *sv="show version" show start-chat
start-terminal-service

An alias must be the first word on the command line, with no space before it. As the following example shows, the
alias is not recognized if you enter a space before it.

Ruijie# s?
show start-chat start-terminal-service

An alias can also be used to obtain help on the parameters of the command it stands for. For example, the alias "ia"
represents "ip address" in interface configuration mode.

Ruijie(config-if)#ia ?
A.B.C.D IP address
dhcp IP Address via DHCP
Ruijie(config-if)#ip address

The parameters that follow the command "ip address" are listed, and the alias on the command line is replaced with
the actual command.

An alias must be entered in full; otherwise it is not recognized.

Use the show aliases command to view the aliases configured in the system.

Accessing CLI

Before using the CLI, connect a terminal or PC to the network device and power the device on. After the hardware and
software have initialized, you can use the CLI. When a network device is used for the first time, it can only be
reached through the serial (Console) port, which is referred to as out-of-band management. After the corresponding
configuration, you can also connect to and manage the network device through a Telnet virtual terminal (the SSH
service described in the Configuring SSH chapter is the encrypted alternative for remote management). In either case,
you reach the command line interface.
Configuration Guide Configuring Basic Switch Management

Configuring Basic Switch Management

Overview

This chapter describes how to manage our switches:

 Command Authorization-based Access Control


 Logon Authentication Control
 System Time Configuration
 Scheduled Restart
 System Name and Command Prompt Configuration
 Banner Configuration
 System Information Displaying
 Console Rate Configuration
 Telnet Configuration
 Connection Timeout Configuration
 Commands Execution in Batch in the Executable File
 Service Switch Configuration

For more information about the usage and description of the CLI commands mentioned in this chapter, see
the Switch Management Command Reference.

 The Telnet function is not supported on AP110-W or AP120-W.

Command Authorization-based Access Control

Overview
A simple way to control terminal access to a network is to use passwords and assign privilege levels. A password
restricts access to the network or network device. Privilege levels define which commands a user can run after logging
in to a network device.

From a security perspective, note that passwords are stored in the configuration file, and the configuration file may
be transmitted across the network, for example over TFTP, so a password must not be recoverable from it. Passwords are
therefore transformed before being stored: the clear text is replaced by an encrypted or hashed form. The enable
secret command uses a one-way algorithm (the type-5 form shown in the SSH example above), so the clear-text password
cannot be recovered from the configuration file.

Configuring Default Password and Privileged Level


No password at any level is configured by default. The default privileged level is 15.

Configuring/Changing the Passwords at Different Levels


Our products provide the following commands for configuring or changing the passwords at different levels.

Command: Ruijie(config)# enable password [ level level ] { password | encryption-type encrypted-password }
Function: Set a static password. A level-15 static password can be set only when no level-15 security password is configured. If a non-level-15 password is set, the system shows a prompt and automatically converts it into a security password. If you set a level-15 static password identical to the level-15 security password, the system shows a warning message.

Command: Ruijie(config)# enable secret [ level level ] { encryption-type encrypted-password }
Function: Set the security password, which has the same function as the static password but uses a stronger password encryption algorithm. For security, use the security password.

Command: Ruijie# enable [ level ] and Ruijie# disable [ level ]
Function: Switch between user levels. To switch from a lower level to a higher level, you must enter the password of the higher level.

When you set a password, the level keyword defines the password for the specified privilege level. Once set, it
applies only to users at that level.

Configuring Multiple Privileged Levels


By default, the system has only two password-protected levels: normal user (level 1) and privileged user (level 15).
You can configure up to 16 hierarchical levels of commands for each mode. By configuring different passwords for
different levels, you give users at different levels different sets of commands.

When no password is set for the privileged user level, privileged EXEC mode can be entered without password
authentication. For security, set a password for the privileged user level.

Configuring Line Password Protection


Our products offer password authentication for remote logins (such as Telnet). Execute the following commands in
line configuration mode to require a password:

Command: Ruijie(config-line)# password password
Purpose: Specify a line password.

Command: Ruijie(config-line)# login
Purpose: Enable line password protection.

If no login authentication is configured on the line, the line password is ignored even if one has been set. Login
authentication is described in the next section.

Supporting Session Locking


Our products allow you to lock the session terminal temporarily using the lock command, so as to prevent access. To this
end, enable the terminal locking function in the line configuration mode, and lock the terminal using the lock command in
the EXEC mode of the terminal:

Command Purpose
Ruijie ( config-line )# lockable Enable the function of locking the line terminal
Ruijie# lock Lock the current line terminal

Logon Authentication Control

Overview
The previous section described how to control access to network devices with locally stored passwords. In addition
to line password protection and local authentication, AAA mode allows a user's management privilege to be
authenticated against the user name and password held on a server, for example a RADIUS server, when the user logs
in to the device.

With a RADIUS server, the network device sends the user's credentials (protected with the shared key) to the RADIUS
server for authentication instead of checking them against locally stored credentials. User information such as user
name, password, shared key, and access policy is kept consistently on the RADIUS server, which simplifies the
management and control of user access and improves the security of the user information.
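The exchange this paragraph describes, worked through as an added example (this is not code from the guide or from Ruijie): a Python model of the RADIUS Access-Request that a device such as the one in the SSH example above would send to its RADIUS server with the shared key aaaradius, and of the server's Access-Accept or Access-Reject. It follows RFC 2865: only the User-Password attribute is hidden, by XORing it with MD5(shared key + Request Authenticator), and the device checks the Response Authenticator of the reply under the same key before trusting it. The user name "user", password "pass", key and NAS address 192.168.217.81 are taken from the example; the packet bytes are constructed here, the Request Authenticator is fixed so the run is reproducible (a real NAS uses 16 random bytes per request), and only the standard library (hashlib, hmac, struct, socket) is used.

```python
# Added example (not from the guide): RFC 2865 Access-Request / Access-Accept exchange.
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared key can do this."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")  # drops the padding (and any trailing NUL of the real password)


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    """Type-Length-Value list; rejects truncated or zero-length attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident, username, password, secret, request_auth, nas_ip) -> bytes:
    """What the device (NAS) sends: User-Name and NAS-IP-Address are clear, User-Password is hidden."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Minimal RADIUS server: unhide the password, compare it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    expected = users.get(attrs.get(USER_NAME, b""))
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = expected is not None and hmac.compare_digest(supplied, expected)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = _attr(REPLY_MESSAGE, b"Welcome" if ok else b"Access denied")
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return _packet(reply_code, ident, auth, reply_attrs)


def nas_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Device side: return the reply code only if the Response Authenticator verifies under
    the shared key. A forged or tampered reply yields None and must be ignored."""
    if len(response) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return None
    attrs = response[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


if __name__ == "__main__":
    secret = b"aaaradius"            # radius-server key from the example above
    request_auth = bytes(range(16))  # constructed; a real NAS draws 16 random bytes
    req = build_access_request(7, b"user", b"pass", secret, request_auth, "192.168.217.81")
    resp = server_handle(req, secret, {b"user": b"pass"})
    print("reply code:", nas_verify_response(resp, request_auth, secret))  # 2 = Access-Accept
```

Two consequences for the deployment are visible in the code. First, the password is hidden, not signed: anyone who captures the request and knows or guesses the shared key recovers it with reveal_password, so the key should be long and random and the path between device and server kept on a management network. Second, the device must discard any reply whose Response Authenticator does not verify under the key; otherwise an attacker on the path could answer with a forged Access-Accept.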

Configuring Local Users


Our products support a local user database for identity authentication. It is used by the local method in an AAA
method list and for local authentication of line logins in non-AAA mode.

To enable user-name identity authentication, run the following command in global configuration mode:

Command: username name [ login mode { aux | console | ssh | telnet } ] [ online amount number ] [ permission oper-mode path ] [ privilege privilege-level ] [ reject remote-login ] [ web-auth ] [ pwd-modify ] [ nopassword | password [ 0 | 7 ] text-string ]
Function: Create a local user for identity authentication, with the password stored in encrypted form.

Configuring Line Logon Authentication


To enable identity authentication for line logins, run one of the following commands in line configuration mode:

Command: Ruijie(config-line)# login local
Function: Use local authentication for line login in non-AAA mode.

Command: Ruijie(config-line)# login authentication { default | list-name }
Function: Use AAA authentication for line login in AAA mode. The methods in the AAA method list are used for authentication; they can include RADIUS authentication, local authentication, and no authentication.

For information on enabling AAA mode, configuring the RADIUS service, and configuring the method list, see the AAA
configuration sections.
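The checks from this section and the two before it (password storage, line password protection, local users and line login), collected into a small audit script as an added example; it is not a tool from the guide or from Ruijie. It reads a running configuration as text and flags the settings the guide warns about: a clear-text enable password or no enable secret at all, no service password-encryption, local users with a clear-text password or no password, the Telnet service enabled where SSH is available, and vty lines with no login method (a line password alone is ignored, as noted above). The sample configuration is the excerpt from the SSH example at the top of this section; the finding codes, the list of line sub-commands that are recognized, and the regular expressions are this script's own assumptions about the command syntax shown in the guide.

```python
# Added example (not from the guide): audit an RGOS running configuration for weak
# credential and login settings. Only the command forms shown in the guide are parsed.
import re
from typing import Dict, List, Tuple

# Constructed from the SSH + RADIUS example earlier in this chapter.
SAMPLE_CONFIG = """\
username user3 password 333
username user3 privilege 15
no service password-encryption
!
radius-server host 192.168.32.120
radius-server key aaaradius
enable secret 5 $1$hbgz$ArCsyqty6yyzzp03
enable service ssh-server
!
line con 0
line vty 0 4
 login authentication method
!
end
"""

# Sub-commands that belong to a preceding "line ..." block (assumed list).
LINE_SUBCOMMANDS = ("login", "password", "lockable", "exec-timeout", "transport")


def audit_config(text: str) -> List[Tuple[str, str]]:
    """Return (finding-code, detail) pairs; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    have_enable_secret = False
    lines: Dict[str, dict] = {}   # e.g. "vty 0 4" -> {"login": <command or None>, "password": bool}
    current = None                # the line block we are inside, if any

    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            current = None
            continue
        if cmd.startswith("line "):
            current = cmd[5:]
            lines[current] = {"login": None, "password": False}
            continue
        if current and cmd.split()[0] in LINE_SUBCOMMANDS:
            if cmd.startswith("login"):
                lines[current]["login"] = cmd
            elif cmd.startswith("password"):
                lines[current]["password"] = True
            continue
        current = None  # any other top-level command ends the line block

        if cmd.startswith("enable secret"):
            have_enable_secret = True
        elif cmd.startswith("enable password"):
            # enable password [level N] {password | encryption-type encrypted-password}
            m = re.match(r"enable password(?: level \d+)? (?:(\d) )?\S+", cmd)
            if m and m.group(1) != "7":
                findings.append(("CLEARTEXT_ENABLE_PASSWORD", cmd))
        elif cmd == "no service password-encryption":
            findings.append(("NO_PASSWORD_ENCRYPTION", cmd))
        elif cmd == "enable service telnet-server":
            findings.append(("TELNET_ENABLED", cmd))
        elif cmd.startswith("username "):
            name = cmd.split()[1]
            if re.search(r"\bnopassword\b", cmd):
                findings.append(("USER_WITHOUT_PASSWORD", name))
            else:
                # username ... password [0 | 7] text-string; only type 7 counts as protected
                m = re.search(r"\bpassword(?: (\d))? (\S+)", cmd)
                if m and m.group(1) != "7":
                    findings.append(("CLEARTEXT_USER_PASSWORD", name))
            if re.search(r"\bprivilege 15\b", cmd):
                findings.append(("LEVEL15_LOCAL_USER", name))  # informational: full admin account

    if not have_enable_secret:
        findings.append(("NO_ENABLE_SECRET", "privileged EXEC is not protected by an enable secret"))
    for name, state in lines.items():
        if not name.startswith("vty"):
            continue
        if state["login"] is None:
            findings.append(("VTY_NO_LOGIN", name))
        elif state["login"] == "login" and not state["password"]:
            findings.append(("VTY_LOGIN_WITHOUT_PASSWORD", name))
    return findings


if __name__ == "__main__":
    for code, detail in audit_config(SAMPLE_CONFIG):
        print(f"{code:28} {detail}")
```

Run against the sample, the script reports the clear-text password of user3, the disabled password encryption, and the level-15 local account, while the enable secret and the AAA-authenticated vty lines pass. The script reads configuration text only, so the output of show running-config saved to a file is all it needs; extend LINE_SUBCOMMANDS if other line-mode commands appear in your configurations, otherwise those lines will be treated as the end of the line block.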

Importing User Information


User information describes an authenticated account: the user name, password, class, available authentication
methods, and so on.

To import user information from a file, use the following command in privileged EXEC mode:

Command: username import filename
Function: Import user information from a file. filename: name of the file.

The following example imports user information.

Ruijie# username import user.csv

Exporting User Information


To export user information to a file, use the following command in privileged EXEC mode:

Command: username export filename
Function: Export user information to a file. filename: name of the file.

The following example exports user information.

Ruijie# username export user.csv

System Time Configuration

Overview
Every switch has a system clock that provides the date (year, month, day), the time (hour, minute, second) and the
day of the week. When you use a switch for the first time, you must set the system clock manually; you can adjust it
later whenever necessary. The system clock is used by functions such as system logging that record the time at which
an event occurs.

Setting System Time and Date


You can set the system time on the network device manually. On a device with a hardware clock, the clock keeps
running even while the device is powered off, so once set it does not need to be set again unless you want to change
it.

On network devices without a hardware clock, however, setting the time manually only sets the software clock, and the
setting is lost when the device is powered off.

Command: Ruijie# clock set hh:mm:ss month day year
Function: Set the system date and time.

For example, to set the system time to 10:10:12 on June 20, 2003:

Ruijie# clock set 10:10:12 6 20 2003 //Set the system time and date.

Updating Hardware Clock


Some platforms have a hardware clock (calendar) backing the software clock. Because it is battery-powered, the
hardware clock keeps running even when the device is powered off or restarts.

If the hardware clock and the software clock disagree, the software clock is taken to be the more accurate one. In
privileged EXEC mode, execute the clock update-calendar command to copy the date and time of the software clock to
the hardware clock, overwriting the hardware clock's value.

Command: Ruijie# clock update-calendar
Function: Update the hardware clock from the software clock.

The following command copies the current date and time of the software clock to the hardware clock:

Ruijie# clock update-calendar

Scheduled Restart

Overview
This section describes how to use the reload [modifiers] command to schedule a restart of the system at a specified
time, which is convenient in some circumstances (for testing, for example). The modifiers are the options of the
reload command; they are in, at and cancel. The details are as follows:

reload in mmm | hhh:mm [string]

This command restarts the system after the given delay, in the format mmm (minutes) or hhh:mm (hours:minutes). string
is an optional reminder text; use it to give the scheme a memorable name that indicates its purpose. For example, to
reload the system in 10 minutes for a test, enter reload in 10 test.

reload at hh:mm day month year [string]

This command restarts the system at the specified future time, which must be no more than 200 days after the current
system time. string is used as above. For example, if the current system time is 14:31 on January 10, 2005 and you
want the system to reload tomorrow morning, enter reload at 08:30 11 1 2005 newday. If the current system time is
14:31 on December 10, 2005 and you want the system to reload at 12:00 on January 1, 2006, enter reload at 12:00 1 1
2006 newyear.

reload cancel

This command deletes the restart scheme. If, as above, you have scheduled the system to reload at 8:30 a.m. tomorrow,
the setting is removed when you enter reload cancel.

The at option is available only if the system supports the clock function. Before using it, set the system clock as
needed. If a restart scheme has already been set, a new setting overwrites it. If you set a restart scheme and then
restart the system before the scheme takes effect, the scheme is lost.

The scheduled time must be later than the current system time and no more than 200 days after it. Do not change the
system clock after scheduling a reload; otherwise the scheme may not take effect as intended, for example if the
clock is set to a time after the scheduled reload time.

Specifying the System to Restart at the Specified Time


In privileged EXEC mode, schedule a reload at a specified time with the following command:

Command: Ruijie# reload at hh:mm day month year [ reload-reason ]
Function: The system reloads at hh:mm on the given day, month and year. reload-reason (if given) describes why the system reloads.

The following example schedules a reload at 12:00 on January 11, 2005 (assuming the current system clock reads
8:30 a.m. on January 11, 2005):

Ruijie# reload at 12:00 1 11 2005 midday //Set the reload time and date.
Ruijie# show reload //Confirm that the setting has taken effect.
Reload scheduled for 2005-01-11 12:00 (in 3 hours 29 minutes) 16581 seconds.
At 2005-01-11 12:00
Reload reason: midday

Specifying the System to Restart after a Period of Time


In privileged EXEC mode, schedule a reload after a delay with the following commands:

Command: Ruijie# reload in mmm [ reload-reason ]
Function: Reload the system in mmm minutes; reload-reason (if entered) describes the reason for the reload.

Command: Ruijie# reload in hhh:mm [ reload-reason ]
Function: Reload the system in hhh hours and mm minutes; reload-reason (if entered) describes the reason for the reload.

The following example reloads the system in 125 minutes (assuming the current system time is 12:00 on January 10,
2005):

Ruijie# reload in 125 test //Set the reload delay

Or

Ruijie# reload in 2:5 test //Set the reload delay

Ruijie# show reload //Confirm that the change has taken effect
Reload scheduled System will reload in 2 hours and 4 minutes 7485 seconds.

Immediate Restart
The reload command without any parameters will restart the device immediately. In the privileged EXEC mode, the user
can restart the system immediately by typing the reload command.

Deleting the Configured Restart Scheme


In the privileged EXEC mode, use the following command to delete the configured restart scheme:

Command Function
Ruijie# reload cancel Delete the configured restart scheme.

If no reload scheme is configured, you will see an error message for the operation.

Configuring a System Name and Prompt

Overview
For easy management, you can configure a system name that identifies the switch. If the system name is longer than
32 characters, its first 32 characters are used as the system prompt, so the prompt changes with the system name. By
default, the system name and command prompt are the device's model name, for example "S2924G" or "R2692".

Configuring a System Name


Our products provide the following command to configure a system name in global configuration mode:

Command: Ruijie(config)# hostname name
Function: Configure a system name of printable characters, fewer than 255 bytes.

To restore the default name, use the no hostname command in global configuration mode. The following example changes
the device name to RGOS:

Ruijie# configure terminal //Enter global configuration mode.
Ruijie(config)# hostname RGOS //Set the device name to RGOS.
RGOS(config)# //The name has been changed.

Configuring a Command Prompt


If you have not configured a command prompt, the system name is used as the prompt (if the system name exceeds 32
characters, its first 32 characters are used), so the prompt changes with the system name. Use the prompt command in
global configuration mode to configure the command prompt; the configured prompt applies only in EXEC mode.

Command: Ruijie(config)# prompt string
Function: Set the command prompt to a string of printable characters. If the string exceeds 32 characters, its first 32 characters are used.

To restore the default prompt, use the no prompt command in global configuration mode.

Banner Configuration

Overview
When a user logs in to the switch, you may want to show some useful information by configuring a banner. There are
two kinds of banner: the message-of-the-day (MOTD) and the login banner. The MOTD is shown to all users who connect
to the switch; it appears on the terminal when the user logs in, and it lets you send urgent messages (for example,
that the system is about to be shut down) to network users. The login banner also appears on all connected terminals
and provides general login information. By default, neither the MOTD nor the login banner is configured.

Configuring a Welcome Message

Command: banner exec c message c
Function: Configure, in global configuration mode, a message that welcomes the user entering user EXEC mode through a line. c: delimiter of the message; the delimiter must not appear in the message. message: contents of the message.

Command: no banner exec
Function: Remove the setting.

The system discards all characters after the terminating delimiter.

When you log in to the device, the MOTD message is displayed first and then the login banner. After you have logged
in, the EXEC message or the incoming message is displayed: the incoming message for a reverse Telnet session, the
EXEC message otherwise.

The messages apply to all lines. To disable the EXEC message on a specific line, configure the no exec-banner
command on that line.

The following example configures a welcome message:

Ruijie(config)# banner exec $ Welcome $

Configuring a Prompt Message for Reverse Telnet Session


Command Function
banner incoming c message c
    Configure a prompt message for reverse Telnet sessions, in global configuration mode.
    c: Separator of the message. Delimiters are not allowed in the message.
    message: Contents of the message.
no banner incoming
    Remove the setting.

The system discards all characters after the terminating delimiter.

When you are logging in to the device, the MOTD message is displayed first, and then the login banner message. After
you have logged in, the welcome message or the prompt message is displayed: on a reverse Telnet session the prompt
message is displayed, otherwise the welcome message is displayed.

The following example configures a prompt message for reverse Telnet session.

Ruijie(config)# banner incoming $ Welcome $

Configuring a Message-of-the-Day
You can create a single-line or multi-line notification that appears when a user logs in to the switch. To configure
the message of the day, execute the following command in the global configuration mode:

Command Function
Ruijie(config)# banner motd c message c
    Specify the message of the day, with c being the delimiter, for example, a pound sign (#). After entering the
    delimiter, press Enter; you can then type the text. Enter the delimiter again and press Enter to finish. Any
    characters typed after the end delimiter are discarded by the system. The delimiter cannot be used within the
    message, and the message length must not exceed 255 bytes.

To delete the MOTD, use the no banner motd command in the global configuration mode. The following example
describes how to configure a MOTD. The # symbol is used as the delimiter, and the text is “Notice: system will shutdown
on July 6th.”

Ruijie(config)# banner motd # //Start delimiter.
Enter TEXT message. End with the character '#'.
Notice: system will shutdown on July 6th.# //End delimiter.
Ruijie(config)#

Configuring a Login Banner


To configure a login banner, execute the following command in the global configuration mode:

Command Function
Ruijie(config)# banner login c message c
    Specify the text of the login banner, with c being the delimiter, for example, a pound sign (#). After entering
    the delimiter, press Enter; you can then type the text. Enter the delimiter again and press Enter to finish. Any
    characters typed after the end delimiter are discarded by the system. The delimiter cannot be used within the
    text of the login banner, and the text length must not exceed 255 bytes.

To delete the login banner, use the no banner login command in the global configuration mode.

The following example shows how to configure a login banner. The pound sign (#) is used as the starting and end
delimiters and the text of the login banner is "Access for authorized users only. Please enter your password."

Ruijie(config)# banner login # //Start delimiter
Enter TEXT message. End with the character '#'.
Access for authorized users only. Please enter your password.
# //End delimiter
Ruijie(config)#

Configuring a Timeout Message


Command Function
banner prompt-timeout c message c
    Configure the prompt-timeout message that notifies the user of an authentication timeout, in global configuration mode.
    c: Separator of the message. Delimiters are not allowed in the message.
    message: Contents of the message.
no banner prompt-timeout
    Remove the setting.

The system discards all characters after the terminating delimiter.

When authentication times out, the banner prompt-timeout message is displayed.

The following example configures the prompt-timeout message to notify timeout.

Ruijie(config)# banner prompt-timeout $ authentication timeout $

Configuring a SLIP-PPP Message


Command Function
banner slip-ppp c message c
    Configure the slip-ppp message for SLIP/PPP sessions, in global configuration mode.
    c: Separator of the message. Delimiters are not allowed in the message.
    message: Contents of the message.
no banner slip-ppp
    Remove the setting.

The system discards all characters after the terminating delimiter.

When the SLIP/PPP session is created, the slip-ppp message is displayed on the corresponding terminal.

The following example configures the banner slip-ppp message for the SLIP/PPP session.

Ruijie(config)# banner slip-ppp $ Welcome $

Displaying a Banner
A banner is displayed when you log in to the network device. See the following example:

C:\>telnet 192.168.65.236
Notice: system will shutdown on July 6th.
Access for authorized users only. Please enter your password.
User Access Verification
Password:

As you can see, "Notice: system will shutdown on July 6th." is the MOTD banner and "Access for authorized users only.
Please enter your password." is the login banner.
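The delimiter rules stated above for banner motd, banner login and banner exec (the first character is the delimiter, the message ends at the next occurrence of it, anything typed after the end delimiter is discarded, 255-byte limit) and the display order described under Displaying a Banner, modelled in Python as an added example. This is not code from the RGOS guide; the function names (parse_banner, check_banner, display_order), the ParsedBanner type and the sample input are this example's own.

```python
"""Model of the RGOS banner delimiter rules (added example, not guide code)."""
from dataclasses import dataclass
from typing import List, Optional

MAX_BANNER_BYTES = 255  # limit the guide states for the motd and login banners


class BannerError(ValueError):
    """Banner text violates the delimiter or length rules."""


@dataclass
class ParsedBanner:
    delimiter: str
    message: str    # text between the two delimiters
    discarded: str  # anything typed after the end delimiter (ignored by the device)


def parse_banner(text: str, max_bytes: int = MAX_BANNER_BYTES) -> ParsedBanner:
    """Parse what the operator typed after `banner <kind> ` (may span lines).

    Rules modelled from the guide: the first non-blank character is the
    delimiter c; the message runs to the next c; characters after the end
    delimiter are discarded; the message may not exceed 255 bytes.
    A single newline directly after the start delimiter (the Enter pressed in
    interactive entry) is not counted as part of the message; that is this
    example's convention, not a rule taken from the guide.
    """
    stripped = text.lstrip(" \t")
    if not stripped:
        raise BannerError("missing delimiter")
    delimiter = stripped[0]
    if delimiter.isspace() or not delimiter.isprintable():
        raise BannerError("delimiter must be a printable, non-blank character")
    body = stripped[1:]
    end = body.find(delimiter)
    if end < 0:
        raise BannerError("terminating delimiter %r not found" % delimiter)
    message = body[:end]
    if message.startswith("\n"):
        message = message[1:]
    if len(message.encode("utf-8")) > max_bytes:
        raise BannerError("message exceeds %d bytes" % max_bytes)
    return ParsedBanner(delimiter, message, body[end + 1:])


def check_banner(text: str) -> Optional[str]:
    """Return None if `text` is a valid banner, otherwise the reason it is not."""
    try:
        parse_banner(text)
    except BannerError as exc:
        return str(exc)
    return None


def display_order(motd: Optional[str], login: Optional[str],
                  exec_banner: Optional[str], incoming: Optional[str],
                  reverse_telnet: bool = False) -> List[str]:
    """Banners in the order the guide says a session sees them.

    MOTD first, then the login banner (both before authentication); after
    login, the incoming banner on a reverse Telnet session, otherwise the
    EXEC banner. Unconfigured banners (None) are skipped.
    """
    after_login = incoming if reverse_telnet else exec_banner
    return [b for b in (motd, login, after_login) if b]


if __name__ == "__main__":
    # Constructed input mirroring the guide's banner motd example.
    typed = "#\nNotice: system will shutdown on July 6th.# these words are dropped"
    parsed = parse_banner(typed)
    print(repr(parsed.message), "| discarded:", repr(parsed.discarded))
    print(display_order(parsed.message,
                        "Access for authorized users only. Please enter your password.",
                        " Welcome ", None))
```

The parser keeps the discarded tail so a reviewer can see what an operator typed past the end delimiter; the device itself silently drops it.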

Viewing System Information

Overview
You can view some system information with the show command on the command-line interface, such as version, device
information, and so on.

Viewing System Information and Version


System information consists of the description, power-on time, hardware version, software version, BOOT-layer software
version, CTRL-layer software version, and so on. System information helps you understand the state of the system. You can
display the system information with the following command in the privileged EXEC mode.

Command Function
Ruijie# show version Show system information.

For the sequence number, run the show version command on the main program interface to view
SYSTEMUPTIME in the form DD:HH:MM:SS.

During upgrading, the running software version may be different from the version in the file system. In this
case, the main program version shown by running the show version command is the one running in the
memory, but the Boot/Ctrl version is the one saved in Flash.

Viewing Hardware Entity Information


Hardware information refers to the information on physical devices as well as slots and modules assembled in a device.
The information on a device itself includes description, number of slots, slot information, slot number, description of the
module on the slot (empty description if no module is plugged on the slot), number of physical ports of the module on the
slot, and maximum number of ports possibly supported on the slot (number of ports of the module plugged). You may use
the following commands to show the information of the device and slots in the privileged EXEC mode:

Command Function
Ruijie# show version devices Show device information.
Ruijie# show version slots Show the information about slots and modules.

Setting Console Rate

Overview
The switch comes with a console interface for management. When using the switch for the first time, you need to perform
the configuration through the console interface. You can change the console rate on the equipment if necessary. Note that the
rate of the terminal used to manage the switch must be the same as that of the console interface on the switch.

Setting Console Rate


In the line configuration mode, execute the following command to set the console rate:

Command Function
Ruijie(config-line)# speed speed
    Set the transmission rate in bps on the console interface. For a serial interface, the transmission rate can only be
    set to one of 9600, 19200, 38400, 57600 and 115200 bps; the default is 9600 bps.

This example shows how to configure the baud rate of the serial interface to 57600 bps:

Ruijie# configure terminal //Enter the global configuration mode.
Ruijie(config)# line console 0 //Enter the console line configuration mode
Ruijie(config-line)# speed 57600 //Set the console rate to 57600bps
Ruijie(config-line)# end //Return to the privileged EXEC mode
Ruijie# show line console 0 //View the console configuration
CON Type speed Overruns
* 0 CON 57600 0
Line 0, Location: "", Type: "vt100"
Length: 25 lines, Width: 80 columns
Special Chars: Escape Disconnect Activation
^^x none ^M
Timeouts: Idle EXEC Idle Session
never never
History is enabled, history size is 10.
Total input: 22 bytes
Total output: 115 bytes
Data overflow: 0 bytes
stop rx interrupt: 0 times
Modem: READY

Configuring Telnet

Overview
Telnet, an application layer protocol in the TCP/IP protocol suite, provides the specifications for remote login and virtual
terminal communication. The Telnet client service lets a local or remote user who has logged on to the local network device
use the Telnet client program to access other remote systems on the network. For example, after setting up a connection
with Switch A through a terminal emulation program or Telnet, a user can log on to Switch B for management and
configuration with the telnet command.

Using Telnet Client


You can log in to a remote device by using the telnet command on the switch.

Command Function
Ruijie# telnet host [ port ] [ /source { ip A.B.C.D | ipv6 X:X:X::X | interface interface-name } ] [ /vrf vrf-name ] [ via mgmt-name ]
    Log on to a remote device via Telnet. host may be an IPv4 or IPv6 host name or an IPv4 or IPv6 address.
    For the supported optional parameters, refer to the telnet command section in Basic Configuration Management Command.

The following example shows how to establish a Telnet session and manage the remote device with the IP address
192.168.65.119:

Ruijie# telnet 192.168.65.119 //Establish the telnet session to the remote device
Trying 192.168.65.119 ... Open
User Access Verification //Enter into the logon interface of the remote device
Password:

The following example shows how to establish a Telnet session and manage the remote device with the IPv6 address
2AAA:BBBB::CCCC:

Ruijie# telnet 2AAA:BBBB::CCCC //Establish the telnet session to the remote device
Trying 2AAA:BBBB::CCCC ... Open
User Access Verification //Enter into the logon interface of the remote device
Password:

The following example shows how to establish a Telnet session to the IPv4 address 192.168.1.1 and specify the MGMT port
for the oob option used by the Telnet client.

Ruijie# telnet oob 192.168.1.1 via mgmt 0

Setting Connection Timeout

Overview
You can control the connections that a device has set up (including the accepted connections and the session between
the device and a remote terminal) by configuring the connection timeout time for the device. When the idle time exceeds
the set value and there is no input or output, this connection will be interrupted.

Connection Timeout
When there is no information traveling through an accepted connection within a specified time, the server will interrupt this
connection.

Our products provide commands to configure the connection timeout in the line configuration mode.

Command Function
Ruijie(config-line)# exec-timeout 20
    Configure the timeout for the accepted connection. When the configured time expires and there has been no input,
    the connection is interrupted.

The connection timeout setting can be removed by using the no exec-timeout command in the line configuration mode.

Ruijie# configure terminal //Enter the global configuration mode.
Ruijie(config)# line vty 0 //Enter the line configuration mode
Ruijie(config-line)# exec-timeout 20 //Set the timeout to 20min

Session Timeout
When there is no input for the session established with a remote terminal over the current line within the specified time,
the session will be interrupted and the remote terminal becomes idle.

RGOS provides commands in the line configuration mode to configure the timeout for the session set up with the remote
terminal.

Command Function
Ruijie(config-line)# session-timeout 20
    Configure the timeout for the session set up with the remote terminal over the line. If there is no input within
    the specified time, the session is interrupted.

The timeout setting for the session set up with the remote terminal over the line can be removed by using the no
session-timeout command in the line configuration mode.

Ruijie# configure terminal //Enter the global configuration mode.
Ruijie(config)# line vty 0 //Enter the line configuration mode
Ruijie(config-line)# session-timeout 20 //Set the session timeout to 20min

Setting Service Switch

During operation, you can adjust services dynamically, enabling or disabling the specified services (SNMP Server, SSH
Server, Telnet Server and Web Server).

Command Function
Ruijie(config)# enable service snmp-agent
    Enable SNMP Server.
Ruijie(config)# enable service ssh-server
    Enable SSH Server.
Ruijie(config)# enable service telnet-server
    Enable Telnet Server.
Ruijie(config)# enable service web-server
    Enable HTTP (Web) Server.

In the configuration mode, you can use the no enable service command to disable corresponding services.

Ruijie# configure terminal //Enter the global configuration mode.
Ruijie(config)# enable service ssh-server //Enable SSH Server

Displaying Help Information

Command Function
help
    Display help information in global configuration mode, privileged EXEC mode, or interface configuration mode.

This command displays brief information about the help system. You can use "?" to display all commands or a
specified command with its parameters.

The following example displays brief information about the help system.
Ruijie#help
Help may be requested at any point in a command by entering
a question mark '?'. If nothing matches, the help list will
be empty and you must backup until entering a '?' shows the
available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered
and you want to know what arguments match the input
(e.g. 'show pr?'.)
The following example displays all available commands in interface configuration mode.
Ruijie(config-if-GigabitEthernet 0/0)#?
Interface configuration commands:
arp ARP interface subcommands
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
dampening Enable event dampening
default Set a command to its defaults
description Interface specific description
dldp Exec data link detection command
duplex Configure duplex operation
efm Config efm for an interface
end Exit from interface configuration mode
exit Exit from interface configuration mode
expert Expert extended ACL
flowcontrol Set the flow-control value for an interface
full-duplex Force full duplex operation
global Global ACL
gvrp GVRP configure command
half-duplex Force half duplex operation
help Description of the interactive help system
ip Interface Internet Protocol config commands
ipv6 Internet Protocol Version 6
isis Intermediate System - Intermediate System (IS-IS)
l2 Config L2 attribute
label-switching Enable interface process mpls packet
lacp LACP interface subcommands
lldp Link Layer Discovery Protocol
load-interval Specify interval for load calculation for an interface
mac Mac extended ACL
mac-address Set mac-address
mpls Multi-Protocol Label Switching
mtu Set the interface Maximum Transmission Unit (MTU)
no Negate a command or set its defaults
ntp Configure NTP
port-group Aggregateport/port bundling configuration
redirect Redirect packets
rmon Rmon command
security Configure the Security
show Show running system information
shutdown Shutdown the selected interface
snmp Modify SNMP interface parameters
speed Configure speed operation
switchport Set switching mode characteristics
vrf Multi-af VPN Routing/Forwarding parameters on the interface
vrrp VRRP interface subcommands
xconnect Xconnect commands
The following example displays the parameters of a specified command.
Ruijie(config)#access-list 1 permit ?
A.B.C.D Source address
any Any source host
host A single source host


Configuration Guide Configuring LINE Mode

Configuring LINE Mode

Overview

This chapter describes some operations in LINE mode:

 Enter the LINE mode
 Increase/decrease LINE VTY
 Configure the protocols to communicate on the line
 Configure the ACLs on the line

Configuring LINE Mode

Entering LINE Mode

After entering the specific LINE mode, you can configure the specified line. Execute the following command to enter the
specified LINE mode:

Command Function
Ruijie(config)# line { aux | console | tty | vty } first-line [ last-line ]
    Enter the specified LINE mode.

Increasing/Decreasing LINE VTY


By default, the number of VTY lines is 5. You can execute the following commands to increase or decrease the number of VTY
lines; up to 36 VTY lines are supported.

Command Function
Ruijie ( config )# line vty line-number Increase the number of LINE VTY to the specified value.
Ruijie ( config )# no line vty line-number Decrease the number of LINE VTY to the specified value.

Configuring the Protocols to Communicate on the Line


To restrict the communication protocol types supported on the line, use the following commands. By default, all protocols
(ssh and telnet) are allowed.

Command Description
configure terminal
    Enter the configuration mode.
line vty first-line [ last-line ]
    Enter line configuration mode.
transport input { all | ssh | telnet | none }
    Configure the protocol to communicate on the line.
no transport input
    Disable the communication of any protocol on the line.

Configuring the Access Control List on the Line


To control login into the terminal through IPv4 ACL, you can use these commands.

Command Description
configure terminal
    Enter the configuration mode.
line vty first-line [ last-line ]
    Enter line configuration mode.
access-class { access-list-number | access-list-name } { in | out }
    Control login to the terminal through an IPv4 ACL.
no access-class { access-list-number | access-list-name } { in | out }
    Remove the configuration.
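Putting the LINE mode controls together: the transport input and access-class commands above (and ipv6 access-class, described later in this chapter), the exec-timeout and session-timeout commands under Setting Connection Timeout, and the enable service switches can all be audited from a saved running configuration. The Python below is an added example, not code from the RGOS guide. The configuration text it parses is constructed, and the policy it encodes (SSH only on VTY lines, an inbound access-class, an exec-timeout in every VTY block, Telnet server disabled) and the names parse_config, audit and LineBlock are this example's own.

```python
"""Audit LINE VTY hardening in an RGOS-style running configuration.

Added example, not code from the Ruijie guide. It reads configuration text in
the syntax the guide documents (line vty, transport input, access-class,
ipv6 access-class, exec-timeout, session-timeout, enable service) and reports
settings a reviewer would question. The policy is this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
enable service ssh-server
enable service telnet-server
!
line console 0
 exec-timeout 20
!
line vty 0 4
 transport input all
!
line vty 5 35
 transport input ssh
 access-class 10 in
 ipv6 access-class mgmt6 in
 exec-timeout 10
 session-timeout 20
"""


@dataclass
class LineBlock:
    header: str                                   # e.g. "line vty 0 4"
    commands: List[str] = field(default_factory=list)

    def find(self, prefix: str) -> Optional[str]:
        """Return the first command in the block equal to or starting with `prefix`."""
        for cmd in self.commands:
            if cmd == prefix or cmd.startswith(prefix + " "):
                return cmd
        return None


def parse_config(text: str) -> Tuple[List[str], List[LineBlock]]:
    """Split config text into global commands and indented `line ...` blocks."""
    globals_: List[str] = []
    blocks: List[LineBlock] = []
    current: Optional[LineBlock] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                  # blank or comment separator
        if raw.startswith(" ") and current is not None:
            current.commands.append(raw.strip())      # indented: belongs to the open block
            continue
        current = None                                # any unindented line closes the block
        if raw.startswith("line "):
            current = LineBlock(raw.strip())
            blocks.append(current)
        else:
            globals_.append(raw.strip())
    return globals_, blocks


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; an empty list means the policy is met."""
    findings: List[Tuple[str, str]] = []
    globals_, blocks = parse_config(text)

    if "enable service telnet-server" in globals_:
        findings.append(("global", "Telnet server enabled: plaintext management protocol"))

    for blk in blocks:
        if not blk.header.startswith("line vty"):
            continue                                  # console/aux lines are out of scope here
        scope = blk.header
        transport = blk.find("transport input")
        # Guide: the default is all (ssh and telnet), so a missing command still allows Telnet.
        if transport is None:
            findings.append((scope, "transport input not set: default allows telnet and ssh"))
        elif transport.split()[-1] != "ssh":
            findings.append((scope, "transport input %s allows more than ssh" % transport.split()[-1]))
        has_v4 = any(c.startswith("access-class ") and c.endswith(" in") for c in blk.commands)
        has_v6 = any(c.startswith("ipv6 access-class ") and c.endswith(" in") for c in blk.commands)
        if not (has_v4 or has_v6):
            findings.append((scope, "no inbound access-class: login attempts accepted from any source"))
        if blk.find("exec-timeout") is None:
            findings.append((scope, "no exec-timeout configured in this block"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print("%-14s %s" % (scope, finding))
```

On the constructed sample, `line vty 0 4` produces three findings and `line vty 5 35` none, which is the contrast the checks are meant to surface: the first block relies on the default transport and has no ACL or timeout, the second restricts transport to SSH, applies both an IPv4 and an IPv6 access-class inbound, and sets both timeouts.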

Enabling Command Accounting


This function is disabled by default.

Command Description
accounting commands level { default | list-name }
    Enable command accounting in LINE configuration mode.
    level: Command level ranging from 0 to 15. A command of this level is accounted when it is executed.
    default: Default authorization list name.
    list-name: Optional list name.
no accounting commands level
    Restore the default setting.

This function is used together with AAA authorization. Configure AAA command accounting first, and then apply it on the
line.

The following example enables command accounting in line VTY 1 and sets the command level to 15.

Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting commands 15 default start-stop group tacacs+
Ruijie(config)# line vty 1
Ruijie(config-line)# accounting commands 15 default

Enabling User Access Accounting


This function is disabled by default.

Command Description
accounting exec { default | list-name }
    Enable user access accounting in LINE configuration mode.
    default: Default list name.
    list-name: Optional list name.
no accounting exec
    Restore the default setting.

This function is used together with AAA authorization. Configure AAA EXEC accounting first, and then apply it on the line.

The following example enables user access accounting in line VTY 1.

Ruijie(config)# aaa new-model
Ruijie(config)# aaa accounting exec default start-stop group radius
Ruijie(config)# line vty 1
Ruijie(config-line)# accounting exec default

Enabling Command Authorization


This function is disabled by default.

Command Description
authorization commands level { default | list-name }
    Enable authorization on commands in LINE configuration mode.
    level: Command level ranging from 0 to 15. A command of this level is executed only after authorization is performed.
    default: Default authorization list name.
    list-name: Optional list name.
no authorization commands level
    Restore the default setting.

This function is used together with AAA authorization. Configure AAA authorization first, and then apply it on the line.

The following example enables authorization on commands of level 15 in line VTY 1.

Ruijie(config)# aaa new-model
Ruijie(config)# aaa authorization commands 15 default group tacacs+
Ruijie(config)# line vty 1
Ruijie(config-line)# authorization commands 15 default

Enabling EXEC Authorization


This function is disabled by default.

Command Description
authorization exec { default | list-name }
    Enable EXEC authorization in line configuration mode.
    default: Default authorization list name.
    list-name: Optional list name.
no authorization exec
    Restore the default setting.

This function is used together with AAA authorization. Configure AAA EXEC authorization first, and then apply it on the
line.

The following example performs EXEC authorization to line VTY 1.

Ruijie(config)# aaa new-model
Ruijie(config)# aaa authorization exec default group radius
Ruijie(config)# line vty 1
Ruijie(config-line)# authorization exec default

Clearing Connection Status of Line


Command Description
clear line { aux line-num | console line-num | tty line-num | vty line-num | line-num }
    Clear the connection status of the line in privileged EXEC mode.
    aux: Clears the connection status of the auxiliary port line. This parameter generally exists on routers.
    console: Clears the connection status of the console line.
    tty: Clears the connection status of the asynchronous port line. This parameter generally exists on routers.
    vty: Clears the connection status of the virtual terminal line.
    line-num: Specifies the line to be cleared.

This command is used to clear connection status of the line and restore the line to the unoccupied status to create new
connections.

The following example clears connection status of line VTY 13. The connected session on the client (such as Telnet and
SSH) in the line is disconnected immediately.

Ruijie# clear line vty 13

Configuring Hot Key for Disconnection


The default hot key is Ctrl+D, whose ASCII decimal value is 4 (0x04).

Command Description
disconnect-character ascii-value
    Set the hot key that disconnects the terminal service connection, in line configuration mode.
    ascii-value: ASCII decimal value of the hot key that disconnects the terminal service connection, in the range from 0 to 255.
no disconnect-character
    Restore the default setting.

This command sets the hot key that disconnects the terminal service connection. The hot key cannot be a commonly used
ASCII character such as a letter from a to z or A to Z or a digit from 0 to 9; otherwise, the terminal service cannot
operate properly.

The following example sets the hot key that disconnects the terminal service connection on line VTY 0 5 to Ctrl+E (0x05).

Ruijie(config)# line vty 0 5
Ruijie(config-line)# disconnect-character 5

Configuring Escape Character For Line


The default escape character is Ctrl+^ (Ctrl+Shift+6) and the ASCII decimal value is 30.

Command Description
escape-character escape-value
    Set the escape character in LINE configuration mode.
    escape-value: Sets the ASCII value corresponding to the escape character for the line, in the range from 0 to 255.
no escape-character
    Restore the default setting.

After configuring this command, pressing the escape key combination followed by x disconnects the current session and
returns to the original session.

The following example sets the escape character for the line to 23 (Ctrl+w).

Ruijie(config)# line vty 0
Ruijie(config-line)# escape-character 23

Entering Command Line Interface


This function is enabled by default.

Command Description
exec
    Enable the line to enter the command line interface, in LINE configuration mode.
no exec
    Disable this function.

The following example bans line VTY 1 from entering the command line interface.

Ruijie(config)# line vty 1
Ruijie(config-line)# no exec
Ruijie# show users
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
* 0 con 0 --- idle 00:00:00 ---
1 vty 0 --- idle 00:01:03 20.1.1.2
3 vty 2 --- idle 00:00:13 20.1.1.2

Enabling Command History/Configuring Command Limit for Line


Command Description
history [ size size ]
    Enable command history for the line or set the number of commands kept in the command history, in LINE configuration mode.
    size size: The maximum number of commands, in the range from 0 to 256.
no history
    Disable command history.
no history size
    Restore the default setting.

This function is enabled by default. The default size is 10.

The following example sets the number of commands in the command history to 20 for line VTY 0 5.

Ruijie(config)# line vty 0 5
Ruijie(config-line)# history size 20

The following example disables the command history for line VTY 0 5.

Ruijie(config)# line vty 0 5
Ruijie(config-line)# no history

Configuring Access to Terminal Through IPv6 ACL


Command Description
ipv6 access-class access-list-name { in | out }
    Configure access to the terminal through an IPv6 ACL, in LINE configuration mode.
    access-list-name: Specifies the ACL name.
    in: Filters the incoming connections.
    out: Filters the outgoing connections.
no ipv6 access-class access-list-name { in | out }
    Disable this function.

The following example uses the ACL named “test” to filter the outgoing IPv6 connections in line VTY 0 4.

Ruijie(config)# line vty 0 4
Ruijie(config-line)# ipv6 access-class test out

Configuring Screen Length for Line


Command Description
length screen-length
    Set the screen length in LINE configuration mode.
    screen-length: Sets the screen length, in the range from 0 to 512.
no length
    Restore the default setting.

The following example sets the screen length to 10.

Ruijie(config-line)# length 10

Configuring Line Location Description for Line


Command Description
location location
    Configure the line location description in LINE configuration mode.
    location: Line location description.
no location
    Disable this function.

The following example describes the line location as Switch's Line VTY 0.

Ruijie(config)# line vty 0
Ruijie(config-line)# location Switch's Line Vty 0

Enabling Log Display on Terminal


Command Description
monitor
    Enable log display on the terminal in LINE configuration mode.
no monitor
    Disable this function.

The following example enables log display on the terminal in VTY line 0 5.

Ruijie(config)# line vty 0 5
Ruijie(config-line)# monitor

Configuring Privilege Level


The default is 1.

Command Description
privilege level level
    Set the privilege level in LINE configuration mode.
    level: Privilege level, in the range from 0 to 15.
no privilege level
    Restore the default setting.

The following example sets the privilege level for the line VTY 0 4 to 14.

Ruijie(config)# line vty 0 4
Ruijie(config-line)# privilege level 14

Configuring Login Refusal Message


Command Description
refuse-message [ c message c ]
    Set the login refusal message in LINE configuration mode.
    c: Delimiter of the login refusal message, which is not allowed within the message.
    message: Login refusal message.
no refuse-message
    Disable this function.

The following example sets the login refusal message for the line to “Unauthorized user cannot login to the ruijie device”.

Ruijie(config-line)# refuse-message @ Unauthorized user cannot login to the ruijie device @

Displaying Command History


Command Description
show history
    Display the command history of the line in privileged EXEC mode.

The following example displays the command history of the line.

Ruijie# show history
exec:
sh privilege
sh run
show user
sh user all
show history

Displaying Line Configuration


Command Description
show line { aux line-num | console line-num | tty line-num | vty line-num | line-num }
    Display the line configuration in privileged EXEC mode.

The following example displays configuration for the console port.

Ruijie# show line console 0
CON Type speed Overruns
* 0 CON 9600 45927
Line 0, Location: "", Type: "vt100"
Length: 24 lines, Width: 79 columns
Special Chars: Escape Disconnect Activation
^^x none ^M
Timeouts: Idle EXEC Idle Session
never never
History is enabled, history size is 10.
Total input: 53564 bytes
Total output: 395756 bytes
Data overflow: 27697 bytes
stop rx interrupt: 0 times

Displaying Privilege Level


Command Description
show privilege
    Display the privilege level of the line in privileged EXEC mode.

The following example displays the privilege level of the line.

Ruijie# show privilege
Current privilege level is 10

Displaying Login User Information


Command Description
show users [ all ]
    Display the login user information in privileged EXEC mode.
    all: Displays line user information for all lines, including lines with a logged-in user and lines without one.

The following example displays the information about users logged in to the line.

Ruijie# show users
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
0 con 0 --- idle 00:00:46 ---
1 vty 0 --- idle 00:00:29 20.1.1.2
* 2 vty 1 --- idle 00:00:00 20.1.1.2

The following example displays all line user information.

Ruijie# show users all
Line User Host(s) Idle Location
---------------- ------------ -------------------- ---------- ------------------
0 con 0 --- idle 00:00:49 ---
1 vty 0 --- idle 00:00:32 20.1.1.2
* 2 vty 1 --- idle 00:00:00 20.1.1.2
3 vty 2 --- 00:00:00 ---
4 vty 3 --- 00:00:00 ---
5 vty 4 --- 00:00:00 ---
6 vty 5 --- 00:00:00 ---

Configuring Baud Rate for Line


The default is 9600.

Command Description
speed baudrate
    Configure the baud rate in LINE configuration mode.
    baudrate: Sets the baud rate, in the range from 9600 to 115200.
no speed
    Restore the default setting.

The following example sets the baud rate to 115200.

Ruijie(config-line)# speed 115200

Configuring Escape Character for Terminal


The default escape character is Ctrl+^ (Ctrl+Shift+6) and the ASCII decimal value is 30.

Command Description
terminal escape-character escape-value
    Set the escape character for the current terminal in privileged EXEC mode.
    escape-value: Sets the ASCII value corresponding to the escape character for the current terminal, in the range from 0 to 255.
terminal no escape-character
    Restore the default setting.

After configuring this command, pressing the escape key combination followed by x disconnects the current session and
returns to the original session.

The following example sets the escape character for the current terminal to 23 (Ctrl+w).

Ruijie# terminal escape-character 23

Enabling Command History/Configuring Command Limit for Terminal


This function is enabled by default. The default size is 10.

Command Description
terminal history [ size size ]
    Enable command history for the current terminal or set the number of commands kept in the command history, in privileged EXEC mode.
    size size: The maximum number of commands, in the range from 0 to 256.
terminal no history
    Disable command history.
terminal no history size
    Restore the default setting.

The following example sets the number of commands in the command history to 20 for the current terminal.

Ruijie# terminal history size 20

The following example disables the command history for the current terminal.

Ruijie# terminal no history

Configuring Screen Length for Terminal

The default is 24.

Command                                  Description
terminal length screen-length            Set the screen length for the current terminal in privileged EXEC mode.
                                         screen-length: Sets the screen length, in the range from 0 to 512.
terminal no length                       Restore the default setting.

The following example sets the screen length for the current terminal to 10.

Ruijie# terminal length 10


Configuring Location Description for Terminal

Command                                  Description
terminal location location               Configure the location description for the current device in privileged
                                         EXEC mode.
                                         location: Location description of the current device.
terminal no location                     Restore the default setting.

The following example configures the location description of the current device as “Switch's Line Vty 0”.

Ruijie# terminal location Switch's Line Vty 0

Configuring Baud Rate for Terminal

The default is 9600.

Command                                  Description
terminal speed baudrate                  Configure the baud rate for the current terminal in privileged EXEC mode.
terminal no speed                        Restore the default setting.

The following example sets the baud rate for the current terminal to 115200:

Ruijie# terminal speed 115200

Configuring Screen Width for Terminal

The default is 79.

Command                                  Description
terminal width screen-width              Set the screen width for the terminal in privileged EXEC mode.
                                         screen-width: Sets the screen width, in the range from 0 to 256.
terminal no width                        Restore the default setting.

The following example sets the screen width for the terminal to 10.

Ruijie# terminal width 10

Configuring Authentication Timeout for Line

The default is 30.

Command                                  Description
timeout login response seconds           Set the login authentication timeout for the line in LINE configuration mode.
                                         response: The time period during which the line waits for the user to enter
                                         any message.
                                         seconds: Timeout value, in the range from 1 to 300, in seconds.
no timeout login response                Restore the default setting.

The following example sets the login authentication timeout to 300 seconds for lines VTY 0 to 5.

Ruijie(config)# line vty 0 5
Ruijie(config-line)# timeout login response 300

Configuring Logout Message

Command                                  Description
vacant-message [ c message c ]           Set the logout message in LINE configuration mode.
                                         c: Delimiter of the logout message, which must not appear within the message.
                                         message: Logout message.
no vacant-message                        Restore the default setting.

This command is used to set the logout message for the line. The characters entered after the ending delimiter are
discarded. The logout message is displayed when the user logs out.

The following example sets the logout message to “Logout from the ruijie device”.

Ruijie(config-line)# vacant-message @ Logout from the ruijie device @

Configuring Screen Width for Line

The default is 79.

Command                                  Description
width screen-width                       Set the screen width for the line in LINE configuration mode.
                                         screen-width: Sets the screen width for the line, in the range from 0 to 256.
no width                                 Restore the default setting.

The following example sets the screen width to 10.

Ruijie(config-line)# width 10
Configuration Guide Configuring RMON

Configuring RMON

Overview

Remote Monitoring (RMON) is a standard monitoring specification of the IETF (Internet Engineering Task Force). It is used
to exchange network monitoring data among network monitors and console systems. In RMON, probes can be placed on
network nodes, and the NMS determines which information these probes report, for example the statistics to monitor and
the time buckets for collecting history. A network device such as a switch or router acts as a node on the network, and the
information of the current node can be monitored by means of RMON.

There are three stages in the development of RMON. The first stage is remote monitoring of Ethernet. The second stage
introduces the token ring, which is referred to as the token ring remote monitoring module. The third stage is known as
RMON2, which extends RMON to the monitoring of higher-layer protocols.

The first stage of RMON (known as RMON1) contains nine groups. All of them are optional (not mandatory), but some
groups require the support of other groups.

The switch implements the contents of Groups 1, 2, 3 and 9: statistics, history, alarm and event.

Statistics

Statistics is the first group in RMON. It measures basic statistics for each monitored subnet. At present, only the Ethernet
interfaces of network devices can be monitored and measured. This group contains Ethernet statistics, including discarded
packets, broadcast packets, CRC errors, packet size distribution, collisions and so on.

History

History is the second group in RMON. It collects network statistics regularly and keeps them for later processing. This
group contains two subgroups:

1) The subgroup History Control is used to set control information such as the sampling interval and the sampling data source.
2) The subgroup Ethernet History provides the administrator with history data about segment traffic, error packets,
broadcast packets, utilization, number of collisions and other statistics.

Alarm

Alarm is the third group in RMON. It monitors a specific management information base (MIB) object at the specified
interval. When the value of this MIB object is higher than the predefined upper limit or lower than the predefined lower limit,
an alarm is triggered. The alarm is handled as an event, by recording a log entry or sending an SNMP Trap message.

Event

Event is the ninth group in RMON. It determines whether to generate a log entry or an SNMP Trap message when an event
is generated by an alarm.

Note: The RMON function is not supported on AP110-W or AP120-W.



Configuring RMON

Configuring Statistics
One of these commands can be used to add or remove a statistics entry.

Command                                                              Function
Ruijie(config-if)# rmon collection stats index [owner ownername]     Add a statistics entry.
Ruijie(config-if)# no rmon collection stats index                    Remove a statistics entry.

    The current version of the Ruijie product supports only the statistics of Ethernet interfaces. The index value
    should be an integer from 1 to 65535. At present, at most 100 statistics entries can be configured at the
    same time.

Configuring History
One of these commands can be used to add or remove a history entry.

Command                                                                                                          Function
Ruijie(config-if)# rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]    Add a history entry.
Ruijie(config-if)# no rmon collection history index                                                              Remove a history entry.

    The current version of the Ruijie product supports only the records of Ethernet interfaces. The index value
    should be within 1 to 65535. At most 10 history entries can be configured.

bucket-number: Specifies the number of samples kept for the data source and time interval. One sample is taken per
sampling interval and the result is saved. When the maximum number of sampling records is reached, the new record
overwrites the earliest one. The value range of bucket-number is 1 to 65535. Its default value is 10.

interval: Sampling interval in the range of 1 to 3600 seconds, 1800 seconds by default.

Configuring Alarm and Event

One of these commands can be used to configure the alarm and event:

Command                                                                                                        Function
Ruijie(config)# rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number]   Add an alarm entry.
falling-threshold value [event-number] [owner ownername]
Ruijie(config)# rmon event number [log] [trap community] [description description-string] [owner ownername]    Add an event entry.
Ruijie(config)# no rmon alarm number                                                                           Remove an alarm.
Ruijie(config)# no rmon event number                                                                           Remove an event.

number: Alarm index in the range of 1 to 65535.

variable: Variable to be monitored by the alarm (an integer-valued MIB object).

interval: Sampling interval in the range of 1 to 4294967295.

absolute: Each sampled value is compared with the upper and lower limits.

delta: The difference from the previous sampled value is compared with the upper and lower limits.

value: Upper and lower limits.

event-number: When the value exceeds the upper or lower limit, the event with the index event-number is triggered.

log: Record the event in the log.

trap: Send a Trap message to the NMS when the event is triggered.

community: Community string used for sending the SNMP Trap message.

description-string: Description of the event.

ownername: Owner of the alarm or the event.

Showing RMON Status

Command                                     Function
Ruijie(config)# show rmon                   Show RMON configuration.
Ruijie(config)# show rmon alarms            Show alarms.
Ruijie(config)# show rmon events            Show events.
Ruijie(config)# show rmon history           Show history.
Ruijie(config)# show rmon statistics        Show statistics.

RMON Configuration Examples

Configuring Statistics
If you want to get the statistics of Ethernet port 3, use the following commands:

Ruijie(config)# interface gigabitEthernet 0/3
Ruijie(config-if)# rmon collection stats 1 owner aaa1

Configuring History
Use the following commands if you want to get the statistics of Ethernet port 3 every 10 minutes:

Ruijie(config)# interface gigabitEthernet 0/3
Ruijie(config-if)# rmon collection history 1 owner aaa1 interval 600

Configuring Alarm and Event

The following example shows how to configure the alarm function for a statistical MIB variable, here the instance
ifInNUcastPkts.6 (number of non-unicast frames received on port 6; the ID of the instance is 1.3.6.1.2.1.2.2.1.12.6) in the
IfEntry table of MIB-II. The switch checks the change in the number of non-unicast frames received on port 6 every 30
seconds. If 20 or more non-unicast frames have been added since the last check (30 seconds earlier), or only 10 or fewer
have been added, the alarm is triggered, and event 1 is triggered to perform the corresponding operations (record it in the
log and send a Trap with the community name “rmon”). The description of the event is “ifInNUcastPkts is too much”. The
owner of the alarm and the event entry is “aaa1”.

Ruijie(config)# rmon alarm 10 1.3.6.1.2.1.2.2.1.12.6 30 delta rising-threshold 20 1 falling-threshold 10 1 owner aaa1
Ruijie(config)# rmon event 1 log trap rmon description "ifInNUcastPkts is too much" owner aaa1
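To make the alarm and event parameters concrete, the following Python is an added example (not Ruijie code and not part of this guide) that replays a sequence of counter readings through an alarm entry with the settings of the example above (delta sampling, rising threshold 20, falling threshold 10, event 1 for both directions) and shows which readings trigger the event. It follows the RMON alarm-group semantics defined in RFC 2819: an event fires only when the sampled value crosses a threshold, and a second rising event is not generated until the value has come back down to the falling threshold (and vice versa), so a counter that stays high does not flood the log or the NMS with traps. The readings in READINGS are constructed for illustration, not device data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# alarmSampleType: 1 = absoluteValue, 2 = deltaValue ("sampleType: 2" in show rmon alarms)
ABSOLUTE, DELTA = 1, 2
# alarmStartupAlarm: 1 = rising, 2 = falling, 3 = risingOrFalling ("startupAlarm: 3")
RISING, FALLING, RISING_OR_FALLING = 1, 2, 3


@dataclass
class RmonEvent:
    """One 'rmon event' entry: the actions taken when an alarm fires."""
    index: int
    description: str
    log: bool = False
    trap_community: Optional[str] = None

    def fire(self, alarm_index: int, direction: str, value: int) -> List[str]:
        actions = []
        if self.log:
            actions.append(f"LOG alarm {alarm_index} {direction}: {self.description} (value={value})")
        if self.trap_community is not None:
            actions.append(f"TRAP community={self.trap_community} alarm={alarm_index} {direction}")
        return actions


@dataclass
class RmonAlarm:
    """One 'rmon alarm' entry together with its threshold-crossing state."""
    index: int
    sample_type: int
    rising_threshold: int
    falling_threshold: int
    rising_event: int
    falling_event: int
    startup_alarm: int = RISING_OR_FALLING
    _last_raw: Optional[int] = field(default=None, repr=False)
    _last_value: Optional[int] = field(default=None, repr=False)
    _rising_armed: bool = field(default=True, repr=False)
    _falling_armed: bool = field(default=True, repr=False)

    def sample(self, raw: int) -> Optional[Tuple[str, int, int]]:
        """Feed one reading of the monitored variable (one per sampling interval).

        Returns (direction, event_index, sampled_value) when a crossing triggers
        an event, otherwise None.
        """
        if self.sample_type == DELTA:
            if self._last_raw is None:          # a delta needs two readings
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        first, last = self._last_value is None, self._last_value
        self._last_value = value
        fired = None
        if value >= self.rising_threshold:
            crossed = (first and self.startup_alarm in (RISING, RISING_OR_FALLING)) or (
                not first and last < self.rising_threshold)
            if crossed and self._rising_armed:
                fired = ("rising", self.rising_event, value)
                self._rising_armed = False      # no second rising event until the value reaches the falling threshold
            self._falling_armed = True          # reaching the rising threshold re-arms the falling event
        elif value <= self.falling_threshold:
            crossed = (first and self.startup_alarm in (FALLING, RISING_OR_FALLING)) or (
                not first and last > self.falling_threshold)
            if crossed and self._falling_armed:
                fired = ("falling", self.falling_event, value)
                self._falling_armed = False
            self._rising_armed = True
        return fired


def run_alarm(alarm: RmonAlarm, events: Dict[int, RmonEvent],
              readings: List[int]) -> List[Tuple[int, str, int]]:
    """Replay counter readings; return (sample_no, direction, event_index) for every trigger."""
    triggered = []
    for i, raw in enumerate(readings):
        hit = alarm.sample(raw)
        if hit:
            direction, ev_index, value = hit
            triggered.append((i, direction, ev_index))
            for line in events[ev_index].fire(alarm.index, direction, value):
                print(line)
    return triggered


def example_alarm() -> RmonAlarm:
    """Alarm 10 from the configuration example: delta, rising 20, falling 10, event 1 both ways."""
    return RmonAlarm(10, DELTA, 20, 10, 1, 1)


EVENTS = {1: RmonEvent(1, "ifInNUcastPkts is too much", log=True, trap_community="rmon")}
# Constructed ifInNUcastPkts.6 readings, one per 30-second interval (not device data)
READINGS = [100, 125, 150, 158, 190, 195]

if __name__ == "__main__":
    print(run_alarm(example_alarm(), EVENTS, READINGS))
```

With the constructed readings the deltas are 25, 25, 8, 32 and 5: the first 25 fires the rising event, the second 25 does not (the alarm is not re-armed until a reading of 10 or less arrives), 8 fires the falling event, 32 fires rising again, and 5 fires falling. The same class handles absolute sampling, which is what the startupAlarm setting matters for: with risingOrFalling, the very first sample can already trigger an event.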

Showing RMON Status


show rmon alarm

Ruijie# show rmon alarms


rmon alarm table:
index: 10,
interval: 30,
oid = 1.3.6.1.2.1.2.2.1.12.6
sampleType: 2,
alarmValue: 0,
startupAlarm: 3,
risingThreshold: 20,
fallingThreshold: 10,
risingEventIndex: 1,
fallingEventIndex: 1,

owner: zhangesan,
stats: 1,

show rmon event

Ruijie# show rmon events


rmon event table:
index = 1
description = ifInNUcastPkts
type = 4
community = rmon
lastTimeSent = 0 d:0 h:0 m:0 s
owner = zhangsan
status = 1

show rmon history

Ruijie# show rmon history


rmon history control table:
index = 1
interface = FastEthernet 0/1
bucketsRequested = 10
bucketsGranted = 10
interval = 1800
owner = zhangsan
stats = 1

rmon history table:


index = 1
sampleIndex = 198
intervalStart = 0d:14h:0m:47s
dropEvents = 0
octets = 67988
pkts = 726
broadcastPkts = 502
multiPkts = 189
crcAllignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0

show rmon statistics

Ruijie# show rmon statistics


ether statistic table:

index = 1
interface = FastEthernet 0/1
owner = zhangsan
status = 0
dropEvents = 0
octets = 1884085
pkts = 3096
broadcastPkts = 161
multiPkts = 97
crcAllignErrors = 0
underSizePkts = 0
overSizePkts = 1200
fragments = 0
jabbers = 0
collisions = 0
packets64Octets = 128
packets65To127Octets = 336
packets128To255Octets = 229
packets256To511Octets = 3
packets512To1023Octets = 0
packets1024To1518Octets = 1200
Configuration Guide Configuring SNMP

Configuring SNMP

Overview

SNMP, the Simple Network Management Protocol, has been a network management standard (RFC 1157) since August 1988.
SNMP has since become the de facto network management standard thanks to support from many manufacturers, and it is
applicable to interconnecting multiple systems from different manufacturers. Administrators can use SNMP to query
information, configure the network, locate failures and plan capacity for the nodes on the network. Network supervision and
administration are the basic functions of SNMP.

As an application layer protocol, SNMP works in the client/server mode and includes three parts:

- SNMP network manager
- SNMP agent
- MIB (management information base)

The SNMP network manager, also referred to as the NMS (Network Management System), is a system that controls and
monitors the network using SNMP. HP OpenView, CiscoView and CiscoWorks 2000 are typical network management
platforms running on the NMS. Ruijie has developed a suite of software (Star View) for managing its own network devices.
Such network management software makes it convenient to monitor and manage network devices.

The SNMP Agent is the software running on the managed devices. It receives, processes and responds to the monitoring
and controlling messages from the NMS, and also sends some messages to the NMS.

The relationship between the NMS and the SNMP Agent is shown in the following figure:

[Figure: Relationship between the NMS and the SNMP Agent]

The MIB (Management Information Base) is a virtual information base for network management. There are large volumes
of information for the managed network equipment. In order to uniquely identify a specific management unit in an SNMP
message, the MIB uses a tree-type hierarchy to describe the management units in the network management equipment. A
node in the tree indicates a specific management unit. Take the following figure of the MIB as an example of naming the
objects in the tree. To uniquely identify a specific management unit system in the network equipment, a series of numbers
can be used. For instance, the number string {1.3.6.1.2.1.1} is the object identifier of the management unit, so the MIB is
the set of object identifiers in the network equipment.

[Figure: Tree-type MIB hierarchy]

SNMP Versions
This software supports these SNMP versions:

- SNMPv1: The first formal version of the Simple Network Management Protocol, defined in RFC 1157.
- SNMPv2C: Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in
RFC 1901.
- SNMPv3: Offers the following security features by authenticating and encrypting packets:
1) Ensures that the data are not tampered with during transmission.
2) Ensures that the data come from a valid data source.
3) Encrypts packets to ensure data confidentiality.

Both SNMPv1 and SNMPv2C use a community-based security framework. They restrict the administrator's operations on
the MIB by defining host IP addresses and community strings.

With the GetBulk retrieval mechanism, SNMPv2C sends more detailed error information to the management station.
GetBulk allows you to obtain all the information or a large volume of data from a table at a time, thus reducing the number
of requests and responses. Moreover, SNMPv2C improves error handling by expanding the error codes to distinguish
different kinds of errors, which are represented by a single error code in SNMPv1. Since there may be management
workstations supporting SNMPv1 and SNMPv2C in a network, the SNMP agent must be able to recognize both SNMPv1
and SNMPv2C messages, and return the corresponding version of messages.

SNMP Management Operations

For the information exchange between the NMS and the SNMP Agent, six types of operations are defined:

1) Get-request: The NMS gets one or more parameter values from the SNMP Agent.
2) Get-next-request: The NMS gets the next parameter value of one or more parameters from the SNMP Agent.
3) Get-bulk: The NMS gets a bulk of parameter values from the SNMP Agent.
4) Set-request: The NMS sets one or more parameter values on the SNMP Agent.
5) Get-response: The SNMP Agent returns one or more parameter values; this is the response of the SNMP Agent to any
of the above 3 operations of the NMS.
6) Trap: The SNMP Agent proactively sends messages to notify the NMS that some event has occurred.

The first four messages are sent from the NMS to the SNMP Agent, and the last two messages are sent from the SNMP
Agent to the NMS (Note: SNMPv1 does not support the Get-bulk operation). These operations are shown in the following
figure:

[Figure: Message types in SNMP]

The NMS sends messages to the SNMP Agent in the first three operations and the SNMP Agent responds with a message
through UDP port 161. However, the SNMP Agent sends the message of the Trap operation through UDP port 162.

    Note: When managing the R2700 switching card (NM2-24ESW/NM2-16ESW) via SNMP, NM2-24ESW returns a
    "port does not exist" error for ports 17-26, while NM2-16ESW returns a "port does not exist" error for
    ports 25-26.

SNMP Security
Both SNMPv1 and SNMPv2 use the community string to check whether the management workstation is entitled to use
MIB objects. In order to manage devices, the community string of the NMS must be identical to a community string defined
on the devices.

A community string has the following access attributes:

- Read-only: Authorized management workstations are entitled to read all the variables in the MIB.
- Read-write: Authorized management workstations are entitled to read and write all the variables in the MIB.
Based on SNMPv2, SNMPv3 determines the security mechanism for processing data by security model and security level.
There are three types of security models: SNMPv1, SNMPv2C and SNMPv3.

The table below describes the supported security models and security levels.

Model      Level          Authentication     Encryption   Description
SNMPv1     noAuthNoPriv   Community string   None         Ensures the data validity through the community string.
SNMPv2c    noAuthNoPriv   Community string   None         Ensures the data validity through the community string.
SNMPv3     noAuthNoPriv   User name          None         Ensures the data validity through the user name.
SNMPv3     authNoPriv     MD5 or SHA         None         Provides an HMAC-MD5 or HMAC-SHA-based authentication
                                                          mechanism.
SNMPv3     authPriv       MD5 or SHA         DES          Provides an HMAC-MD5 or HMAC-SHA-based authentication
                                                          mechanism and a CBC-DES-based encryption mechanism.

SNMP Engine ID
The engine ID is designed to uniquely identify an SNMP engine. Every SNMP entity contains an SNMP engine, and the
SNMP engine ID identifies the SNMP entity within a management domain. So every SNMPv3 entity has a unique identifier
named the SNMP Engine ID.

The SNMP Engine ID is an octet string of 5 to 32 bytes, as defined in RFC 3411:

- The first four bytes indicate the private enterprise number of an enterprise (assigned by IANA) in hexadecimal.
- The fifth byte indicates how to interpret the remaining bytes:

0: Reserved

1: The following 4 bytes indicate an IPv4 address.

2: The following 16 bytes indicate an IPv6 address.

3: The following 6 bytes indicate a MAC address.

4: Text of up to 27 bytes defined by the manufacturer.

5: A hexadecimal value of up to 27 bytes defined by the manufacturer.

6-127: Reserved

128-255: In the format specified by the manufacturer.

Note: Configuring SNMP traps with private fields, NE information and SNMPv3-related functions are not supported on
AP110-W or AP120-W.
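The following Python is an added example (not Ruijie code and not part of this guide) that decodes an engine ID into the fields described above: the enterprise number in the first four bytes, the format byte, and the payload whose length and meaning the format byte determines. The engine ID 8000131103000000000000 is the one displayed by show snmp user later in this chapter; its enterprise number decodes to 4881, which is the IANA enterprise number registered to Ruijie Networks. The IPv4 and text engine IDs used alongside it are constructed for illustration.

```python
import ipaddress
from typing import Any, Dict


def parse_engine_id(hex_id: str) -> Dict[str, Any]:
    """Decode an SNMPv3 engine ID given as a hex string (as printed by 'show snmp user')."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= 32:
        raise ValueError(f"engine ID must be 5 to 32 bytes, got {len(raw)}")
    enterprise = int.from_bytes(raw[:4], "big")
    if not enterprise & 0x80000000:
        # High bit clear: the older fixed-length form, where the remaining bytes
        # (RFC 3411 expects eight of them) are defined by the enterprise itself.
        return {"scheme": "legacy", "enterprise": enterprise, "payload": raw[4:].hex()}
    fmt, payload = raw[4], raw[5:]
    result: Dict[str, Any] = {"scheme": "rfc3411", "enterprise": enterprise & 0x7FFFFFFF, "format": fmt}
    if fmt == 1:                                   # IPv4 address, exactly 4 bytes
        if len(payload) != 4:
            raise ValueError("format 1 requires a 4-byte IPv4 address")
        result["ipv4"] = str(ipaddress.IPv4Address(payload))
    elif fmt == 2:                                 # IPv6 address, exactly 16 bytes
        if len(payload) != 16:
            raise ValueError("format 2 requires a 16-byte IPv6 address")
        result["ipv6"] = str(ipaddress.IPv6Address(payload))
    elif fmt == 3:                                 # MAC address, exactly 6 bytes
        if len(payload) != 6:
            raise ValueError("format 3 requires a 6-byte MAC address")
        result["mac"] = ":".join(f"{b:02x}" for b in payload)
    elif fmt == 4:                                 # manufacturer-defined text, up to 27 bytes
        if len(payload) > 27:
            raise ValueError("format 4 text may not exceed 27 bytes")
        result["text"] = payload.decode("utf-8", errors="replace")
    elif fmt == 5:                                 # manufacturer-defined octets, up to 27 bytes
        if len(payload) > 27:
            raise ValueError("format 5 octets may not exceed 27 bytes")
        result["octets"] = payload.hex()
    elif fmt >= 128:                               # 128-255: enterprise-specific layout
        result["enterprise_specific"] = payload.hex()
    else:                                          # 0 and 6-127 are reserved
        result["reserved"] = payload.hex()
    return result


# Engine ID from the 'show snmp user' output in this chapter
RUIJIE_ENGINE_ID = "8000131103000000000000"
# Constructed engine IDs (assumptions for illustration): IPv4 form and text form
CONSTRUCTED_IPV4_ENGINE_ID = "80001311010a000001"
CONSTRUCTED_TEXT_ENGINE_ID = "8000131104" + b"ap-1".hex()

if __name__ == "__main__":
    for eid in (RUIJIE_ENGINE_ID, CONSTRUCTED_IPV4_ENGINE_ID, CONSTRUCTED_TEXT_ENGINE_ID):
        print(eid, "->", parse_engine_id(eid))
```

The length checks matter in practice: a MAC-format engine ID whose payload is not exactly six bytes, or a text payload longer than 27 bytes, is malformed, and an NMS that silently accepts such values can end up keying SNMPv3 users against the wrong engine.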

Configuring SNMP

To configure SNMP, enter global configuration mode.

Setting the Community String and Access Authority

SNMPv1 and SNMPv2C adopt a community string-based security scheme. The SNMP Agent supports only management
operations from management workstations with the same community string. SNMP messages that do not match the
community string are discarded. The community string serves as the password between the NMS and the SNMP Agent.

- Configure an ACL rule to allow only the NMS with the specified IP address to manage devices.
- Set the community's operation right: ReadOnly or ReadWrite.
- Specify a view for view-based management. By default, no view is configured, that is, the management workstation
is allowed to access all MIB objects.
- Indicate the IP address of the NMS that can use this community string. If it is not indicated, any NMS can use this
community string. By default, any NMS can use this community string.

To configure the SNMP community string, run the following command in global configuration mode:

Command                                                                          Function
Ruijie(config)# snmp-server community string [view view-name] [ro | rw]          Set the community string and its right.
[host host-ip] [ipv6 ipv6-aclname] [aclnum | aclname]

One or more community strings can be specified for NMSs with different rights. To remove the community name and its
right, run the no snmp-server community string command in global configuration mode.

Configuring MIB Views and Groups

With the view-based access control model, you can determine whether the object of a management operation is in a view
or not. For access control, generally some users are associated with a group and then the group is associated with a view.
The users in a group have the same access right.

- Set an inclusion view and an exclusion view.
- Set a read-only view and a read-write view for a group.
- Set security levels, whether to authenticate, and whether to encrypt for SNMPv3 users.

To configure the MIB views and groups, run the following commands in global configuration mode:

Command                                                                          Function
Ruijie(config)# snmp-server view view-name oid-tree {include | exclude}          Create a MIB view to include or exclude the
                                                                                 associated MIB objects.
Ruijie(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth |      Create a group and associate it with the view.
priv}} [read readview] [write writeview] [access {[ipv6 ipv6_aclname]
[aclnum | aclname]}]

You can delete a view by using the no snmp-server view view-name command, or delete a tree from the view by using
the no snmp-server view view-name oid-tree command. You can also delete a group by using the no snmp-server
group groupname {v1 | v2c | v3} command.

Configuring SNMP Users

The user-based security model can be used for security management. In this mode, you should configure the user
information first. The NMS can then communicate with the SNMP Agent by using a valid user account.

For SNMPv3 users, you can specify the security level, authentication algorithm (MD5 or SHA), authentication password,
encryption algorithm (only DES now) and encryption password.

To configure an SNMP user, run the following command in global configuration mode:

Command                                                                          Function
Ruijie(config)# snmp-server user username groupname {v1 | v2c | v3               Configure the user information.
[encrypted] [auth {md5 | sha} auth-password] [priv des56 priv-password]}
[access {[ipv6 ipv6_aclname] [aclnum | aclname]}]

To remove the specified user, execute the no snmp-server user username groupname {v1 | v2c | v3} command in
global configuration mode.

Configuring Host Address

In special cases, the SNMP Agent may also proactively send messages to the NMS.

To configure the NMS host address that the SNMP Agent proactively sends messages to, execute the following command
in global configuration mode:

Command                                                                          Function
Ruijie(config)# snmp-server host { host-addr | ipv6 ipv6-addr } [ vrf vrfname ]  Set the SNMP host address, VRF, community
[ traps ] [ version { 1 | 2c | 3 { auth | noauth | priv } } ] community-string   string and message type (or security level in
[ udp-port port-num ] [ via mgmt-name ] [ notification-type ]                    SNMPv3).

    Note: The via parameter can take effect only when the oob parameter is configured. The vrf parameter cannot be
    used together with the oob parameter.

Configuring SNMP Agent Parameters


You can configure the basic parameters of the SNMP Agent, including contact, device location and sequence number.
With these parameters, the NMS knows the contact, location and other information of the device.

To configure the SNMP agent parameters, run the following commands in global configuration mode:

Command                                             Function
Ruijie(config)# snmp-server contact text            Configure the contact.
Ruijie(config)# snmp-server location text           Configure the location.
Ruijie(config)# snmp-server chassis-id number       Configure the sequence number.

Defining the Maximum Message Size of the SNMP Agent


In order to enhance network performance, you can configure the maximum packet size of the SNMP Agent. To configure
the maximum packet size of the SNMP Agent, run the following command in global configuration mode:

Command Function
Ruijie(config)# snmp-server packetsize byte-count Set the maximum packet size of the SNMP Agent.

Shielding the SNMP Agent


The SNMP Agent service is a service provided by Ruijie product and enabled by default. When you do not need it, you
can shield the SNMP agent service and related configuration by executing the following command in global configuration
mode:

Command Function
Ruijie(config)# no snmp-server Shield the SNMP agent service.

Disabling the SNMP Agent


Ruijie products provide a different command from the shield command to disable the SNMP Agent. This command will act
on all of the SNMP services instead of shielding the configuration information of the SNMP Agent. To disable the SNMP
agent service, run the following command in global configuration mode:

Command Function
Ruijie(config)# no enable service snmp-agent Disable the SNMP agent service.

Configuring the SNMP Agent to Send the Trap Message to the NMS Proactively
The Trap message is a message sent unsolicited by the SNMP Agent to the NMS, and is used to report some critical and
important events. By default the SNMP Agent is not allowed to send the Trap message. To enable it, run the following
command in global configuration mode:

Command                                                             Function
Ruijie(config)# snmp-server enable traps [type] [option]            Allow the SNMP Agent to send the Trap message proactively.
Ruijie(config)# no snmp-server enable traps [type] [option]         Forbid the SNMP Agent to send the Trap message proactively.

Configuring LinkTrap Policy

You can configure whether to send the LinkTrap message of an interface. When this function is enabled and the link
status of the interface changes, SNMP sends the LinkTrap message; otherwise, it does not. By default, this function is
enabled.

Command                                                   Function
Ruijie(config)# interface interface-id                    Enter the interface configuration mode.
Ruijie(config-if)# [no] snmp trap link-status             Enable or disable sending the LinkTrap message of the interface.

The following example disables sending the LinkTrap message on the interface:

Ruijie(config)# interface gigabitEthernet 1/1
Ruijie(config-if)# no snmp trap link-status

Configuring the Parameters for Sending the Trap Message

To set the parameters for the SNMP Agent to send the Trap message, execute the following commands:

Command                                                   Function
Ruijie(config)# snmp-server trap-source interface         Specify the source interface for sending the Trap message.
Ruijie(config)# snmp-server queue-length length           Specify the queue length for Trap messages.
Ruijie(config)# snmp-server trap-timeout seconds          Specify the interval for sending Trap messages.

Configuring Network Element Coding

No network element coding information is configured by default.

To configure the network element coding information of the device, execute the following command:

Command                                                   Function
Ruijie(config)# snmp-server net-id text                   Configure the network element coding information of the device.
                                                          text: The text length ranges from 1 to 255. The text is
                                                          case-sensitive, and may contain spaces.
Ruijie(config)# no snmp-server net-id                     Remove the network element coding information.

The following example configures the network element coding text to FZ_CDMA_MSC1.

Ruijie(config)# snmp-server net-id FZ_CDMA_MSC1

Configuring the SNMP Traps with Private Fields

The private field is not carried in the SNMP trap by default.

To configure the SNMP traps with private fields, execute the following command:

Command                                                   Function
Ruijie(config)# snmp-server trap-format private           Configure the SNMP traps with private fields.
Ruijie(config)# no snmp-server trap-format private        Restore the default trap format.

The following example configures the SNMP trap format with the private field.

Ruijie(config)# snmp-server trap-format private

Specifying a Port to Receive SNMP Packets

The default port number is 161.

To specify a port to receive SNMP packets, execute the following command:

Command                                                   Function
Ruijie(config)# snmp-server udp-port port-number          Specify a port to receive SNMP packets.
Ruijie(config)# no snmp-server udp-port                   Restore the default port number.

The following example specifies port 15000 to receive SNMP packets.

Ruijie(config)# snmp-server udp-port 15000

Configuring the Resend Times for Inform Requests

The default number of retries is 3, and the default timeout is 15 seconds.

To configure the resend times for inform requests and the inform request timeout, execute the following command:

Command                                                                      Function
Ruijie(config)# snmp-server inform [ retries retry-time | timeout time ]     Configure the resend times for inform requests and
                                                                             the inform request timeout.
Ruijie(config)# no snmp-server inform                                        Restore the default resend times.

The following example configures the resend times of inform requests to 5.

Ruijie(config)# snmp-server inform retries 5

The following example configures the inform request timeout to 20 seconds.

Ruijie(config)# snmp-server inform timeout 20

Monitoring

Showing the Current SNMP Status


To monitor the SNMP status and troubleshoot SNMP configurations, Ruijie products provide monitoring commands for
SNMP, with which you can easily check the SNMP status of the current network device. In privileged EXEC mode, execute
show snmp to check the current SNMP status.

Ruijie# show snmp


Chassis: 1234567890 0987654321
Contact: wugb@i-net.com.cn
Location: fuzhou
2381 SNMP packets input
5 Bad SNMP version errors
6 Unknown community name
0 Illegal operation for community name supplied
0 Encoding errors
9325 Number of requested variables
0 Number of altered variables
31 Get-request PDUs
2339 Get-next PDUs
0 Set-request PDUs
2406 SNMP packets output
0 Too big errors (Maximum packet size 1500)
4 No such name errors
0 Bad values errors
0 General errors
2370 Get-response PDUs
36 SNMP trap PDUs
SNMP global trap: disabled
SNMP logging: enabled
SNMP agent: enabled

The above statistics are explained as follows:

Information shown                                       Description
Bad SNMP version errors                                 SNMP version is incorrect.
Unknown community name                                  The community name is not known.
Illegal operation for community name supplied           Illegal operation for the supplied community name.
Encoding errors                                         Encoding error.
Get-request PDUs                                        Get-request messages.
Get-next PDUs                                           Get-next messages.
Set-request PDUs                                        Set-request messages.
Too big errors (Maximum packet size 1500)               Response message too large.
No such name errors                                     Not in the specified management unit.
Bad values errors                                       Specified value type error.
General errors                                          General error.
Get-response PDUs                                       Get-response messages.
SNMP trap PDUs                                          SNMP trap messages.

Showing the MIB Objects Supported by the Current SNMP Agent


To check the MIB objects supported by the current SNMP Agent, run the show snmp mib command in the privileged
EXEC mode:

Ruijie# show snmp mib


sysDescr
sysObjectID
sysUpTime
sysContact
sysName
sysLocation
sysServices
sysORLastChange
snmpInPkts
snmpOutPkts
snmpInBadVersions
snmpInBadCommunityNames
snmpInBadCommunityUses
snmpInASNParseErrs
snmpInTooBigs
snmpInNoSuchNames
snmpInBadValues
snmpInReadOnlys
snmpInGenErrs
snmpInTotalReqVars
snmpInTotalSetVars
snmpInGetRequests
snmpInGetNexts
snmpInSetRequests
snmpInGetResponses
snmpInTraps
snmpOutTooBigs
snmpOutNoSuchNames
snmpOutBadValues
snmpOutGenErrs
snmpOutGetRequests
snmpOutGetNexts
snmpOutSetRequests
snmpOutGetResponses
snmpOutTraps
snmpEnableAuthenTraps
snmpSilentDrops
snmpProxyDrops
entPhysicalEntry
entPhysicalEntry.entPhysicalIndex
entPhysicalEntry.entPhysicalDescr
entPhysicalEntry.entPhysicalVendorType
entPhysicalEntry.entPhysicalContainedIn
entPhysicalEntry.entPhysicalClass
entPhysicalEntry.entPhysicalParentRelPos
entPhysicalEntry.entPhysicalName
entPhysicalEntry.entPhysicalHardwareRev
entPhysicalEntry.entPhysicalFirmwareRev
entPhysicalEntry.entPhysicalSoftwareRev
entPhysicalEntry.entPhysicalSerialNum
entPhysicalEntry.entPhysicalMfgName
entPhysicalEntry.entPhysicalModelName
entPhysicalEntry.entPhysicalAlias
entPhysicalEntry.entPhysicalAssetID
entPhysicalEntry.entPhysicalIsFRU
entPhysicalContainsEntry
entPhysicalContainsEntry.entPhysicalChildIndex
entLastChangeTime

Showing SNMP Users


To view the SNMP users configured on the current SNMP agent, run the show snmp user command in the privileged
EXEC mode:

Ruijie# show snmp user


User name: test
Engine ID: 8000131103000000000000
storage-type: permanent active
Security level: auth priv
Auth protocol: SHA
Priv protocol: DES
Group-name: g1

Showing SNMP Views and Groups


To view the groups configured on the current SNMP agent, run the show snmp group command in privileged EXEC
mode:

Ruijie# show snmp group


groupname: g1
securityModel: v3
securityLevel:authPriv
readview: default
writeview: default
notifyview:

groupname: public
securityModel: v1
securityLevel:noAuthNoPriv
readview: default
writeview: default
notifyview:

groupname: public
securityModel: v2c
securityLevel:noAuthNoPriv
readview: default
writeview: default
notifyview:

To view the views configured on the current SNMP agent, run the show snmp view command in privileged EXEC
mode:

Ruijie# show snmp view


default(include) 1.3.6.1
test-view(include) 1.3.6.1.2.1

Showing Host Information


To view the host information configured on the SNMP agent, run the show snmp host command in privileged EXEC
mode:

Ruijie# show snmp host


Notification host: 192.168.64.221
udp-port: 162 type: trap
user: public security model: v1
Notification host: 2000:1234::64
udp-port: 162 type: trap
user: public security model: v1

SNMP Configuration Examples

SNMP v1/v2 Configuration Example


Networking Topology

SNMP v1/2 Networking Topology

Networking Requirements

12) The Network Management Station (NMS) manages the network device (Agent) by applying the community-based
authentication model, and the network device can control the operation permission (read or write) of the community
to access the specified MIB objects. For example, community "user1" can only read and write objects under System
(1.3.6.1.2.1.1) node.
13) The network device can only be managed by NMS with a specific IP (i.e., 192.168.3.2/24).
14) The network device can actively send messages to NMS.
15) The NMS can acquire basic system information of the device, such as contact, location, and ID.

Configuration Tips

16) By creating MIB view and associating authentication name (Community) and access permission (Read or Write), the
first application need can be met.
17) While configuring the authentication name and access permission, associate ACL or specify the IP of administrator
using this authentication name to meet the second application need (this example associates the ACL).
18) Configure the address of SNMP host and enable the Agent to actively send Traps.
19) Configure the parameters of the SNMP agent.

Configuration Steps

Step 1: Configure MIB view and ACL.

! Create a MIB view named "v1", which contains the associated MIB object (1.3.6.1.2.1.1).

Ruijie(config)#snmp-server view v1 1.3.6.1.2.1.1 include

! Create an ACL named "a1" to permit the IP address of 192.168.3.2/24.

Ruijie(config)#ip access-list standard a1


Ruijie(config-std-nacl)#permit host 192.168.3.2
Ruijie(config-std-nacl)#exit

Step 2: Configure authentication name and access permission.

! Configure Community of "user1", associate read and write permission for MIB view of "v1", and associate the ACL of
"a1".

Ruijie(config)#snmp-server community user1 view v1 rw a1

Step 3: Configure the Agent to actively send messages to NMS.


! Configure the address of SNMP host to 192.168.3.2, message format to Version 2c and authentication name to "user1".

Ruijie(config)#snmp-server host 192.168.3.2 traps version 2c user1

! Enable the Agent to actively send traps.

Ruijie(config)#snmp-server enable traps

Step 4: Configure parameters of the SNMP agent.

! Configure system location.

Ruijie(config)#snmp-server location fuzhou

! Configure system contact.

Ruijie(config)#snmp-server contact ruijie.com.cn

! Configure system ID.

Ruijie(config)#snmp-server chassis-id 1234567890

Step 5: Configure the IP address of Agent.

! Configure the IP address of Gi 0/1 as 192.168.3.1/24.

Ruijie(config)#interface GigabitEthernet 0/1


Ruijie(config-if-GigabitEthernet 0/1)#ip address 192.168.3.1 255.255.255.0
Ruijie(config-if-GigabitEthernet 0/1)#exit

Verification

Step 1: Display configurations of the device.

Ruijie#show running-config
!
ip access-list standard a1
10 permit host 192.168.3.2
!
interface GigabitEthernet 0/1
no ip proxy-arp
ip address 192.168.3.1 255.255.255.0
!
snmp-server view v1 1.3.6.1.2.1.1 include
snmp-server location fuzhou
snmp-server host 192.168.3.2 traps version 2c user1
snmp-server enable traps
snmp-server contact ruijie.com.cn
snmp-server community user1 view v1 rw a1
snmp-server chassis-id 1234567890

Step 2: Display information about SNMP view and group.

Ruijie#show snmp view


v1(include) 1.3.6.1.2.1.1 //define MIB object of “v1”


default(include) 1.3.6.1 //default MIB object
Ruijie#show snmp group
groupname: user1 //Configure Community as SNMP group
securityModel: v1
securityLevel:noAuthNoPriv
readview: v1
writeview: v1
notifyview:
groupname: user1
securityModel: v2c
securityLevel:noAuthNoPriv
readview: v1
writeview: v1
notifyview:

Step 3: Install MIB-Browser. Type in device IP of "192.168.3.1" in the field of IP Address; type in "user1" in the field of
Community Name; click "Add Item" button and select the specific management unit for querying MIB, such as the System
shown below. Click Start button to implement MIB query of network device. The query result is shown in the bottommost
box:

SNMP v3 Configuration Example


Networking Topology

SNMPv3 Networking Topology


Networking Requirements

20) Network Management Station manages the network device (Agent) by applying user-based security model. For
example: the user name is "user1", authentication mode is MD5, authentication key is "123", encryption algorithm is
DES56, and the encryption key is "321".
21) The network device can control user's permission to access MIB objects. For example: "User1" can read the MIB
objects under System (1.3.6.1.2.1.1) node, and can only write MIB objects under SysContact (1.3.6.1.2.1.1.4.0) node.
22) The network device can actively send authentication and encryption messages to the network management station.

Configuration Tips

23) Create MIB view and specify the included or excluded MIB objects.
24) Create SNMP group and configure the version to "v3"; specify the security level of this group, and configure the
read-write permission of the view corresponding to this group.
25) Create user name and associate the corresponding SNMP group name in order to further configure the user's
permission to access MIB objects; meanwhile, configure the version number to "v3" and the corresponding authentication
mode, authentication key, encryption algorithm and encryption key.
26) Configure the address of SNMP host, configure the version number to "3" and configure the security level to be
adopted.

Configuration Steps

Step 1: Configure MIB view and group.

! Create a MIB view of "view1" and include the MIB object of 1.3.6.1.2.1.1; further create a MIB view of "view2" and include
the MIB object of 1.3.6.1.2.1.1.4.0.

Ruijie(config)#snmp-server view view1 1.3.6.1.2.1.1 include


Ruijie(config)#snmp-server view view2 1.3.6.1.2.1.1.4.0 include

! Create a group named "g1" and select the version number of "v3"; configure security level to "priv" to read "view1" and
write "view2".

Ruijie(config)#snmp-server group g1 v3 priv read view1 write view2

Step 2: Configure SNMP user.

! Create a user named "user1", which belongs to group "g1"; select version number of "v3" and configure authentication
mode to "md5", authentication key to "123", encryption mode to "DES56" and encryption key to "321".

Ruijie(config)#snmp-server user user1 g1 v3 auth md5 123 priv des56 321

Step 3: Configure the address of SNMP host.


! Configure the host address as 192.168.3.2 and select version number of "3"; configure security level to "priv" and
associate the corresponding user name of "user1".

Ruijie(config)#snmp-server host 192.168.3.2 traps version 3 priv user1

! Enable the Agent to actively send traps to NMS.

Ruijie(config)#snmp-server enable traps

Step 4: Configure the IP address of Agent.

! Configure the IP address of Gi 0/1 as 192.168.3.1/24.

Ruijie(config)#interface GigabitEthernet 0/1


Ruijie(config-if-GigabitEthernet 0/1)#ip address 192.168.3.1 255.255.255.0
Ruijie(config-if-GigabitEthernet 0/1)#exit

Verification

Step 1: Display configurations of device.

Ruijie#show running-config
!
interface GigabitEthernet 0/1
no ip proxy-arp
ip address 192.168.3.1 255.255.255.0
!
snmp-server view view1 1.3.6.1.2.1.1 include
snmp-server view view2 1.3.6.1.2.1.1.4.0 include
snmp-server user user1 g1 v3 encrypted auth md5 7EBD6A1287D3548E4E52CF8349CBC93D priv des56 D5CEC4884360373ABBF30AB170E42D03
snmp-server group g1 v3 priv read view1 write view2
snmp-server host 192.168.3.2 traps version 3 priv user1
snmp-server enable traps

Step 2: Display SNMP user.

Ruijie#show snmp user


User name: user1
Engine ID: 800013110300d0f8221120
storage-type: permanent active
Security level: auth priv
Auth protocol: MD5
Priv protocol: DES
Group-name: g1
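The keys the agent and the NMS actually use are not the passwords "123" and "321" from Step 2: each side derives a key from the password and binds it to the agent's engine ID shown above, so the same password gives a different key on every engine. The following Python is an added example, not Ruijie code; it implements the RFC 3414 password-to-key and key-localization steps for MD5 (and SHA-1) using the engine ID from this output, and is checked against the RFC 3414 Appendix A test vector. The encrypted values in the running configuration above are Ruijie's own stored form and are not reproduced here.

```python
"""RFC 3414 (SNMPv3 USM) key derivation: password -> Ku -> localized key Kul."""
import hashlib

# RFC 3414 A.2: the password is repeated to fill exactly 1,048,576 octets.
ONE_MEGABYTE = 1024 * 1024


def password_to_key(password, hash_name="md5"):
    """Ku = H(password repeated to 1 MB). hash_name: "md5" (page's example) or "sha1"."""
    pw = password.encode("utf-8")
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(ONE_MEGABYTE, len(pw))
    h = hashlib.new(hash_name)
    h.update(pw * reps + pw[:rem])
    return h.digest()


def localize_key(ku, engine_id, hash_name="md5"):
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one agent."""
    h = hashlib.new(hash_name)
    h.update(ku + engine_id + ku)
    return h.digest()


def localized_key(password, engine_id_hex, hash_name="md5"):
    """Localized key for a password and an engine ID given in hex, as lowercase hex."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, hash_name), engine_id, hash_name).hex()


# Engine ID printed by "show snmp user" in the SNMPv3 example on this page.
PAGE_ENGINE_ID = "800013110300d0f8221120"

if __name__ == "__main__":
    # user1 from the example: auth key from "123", priv key from "321".
    # For des56 the 16-octet localized key supplies the 8-byte DES key and the 8-byte pre-IV.
    print("auth key (MD5, localized):", localized_key("123", PAGE_ENGINE_ID))
    print("priv key (MD5, localized):", localized_key("321", PAGE_ENGINE_ID))
    # Same password, different engine ID -> different key.
    print("same password, other engine:", localized_key("123", "8000131103000000000000"))
```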

Step 3: Display SNMP view.

Ruijie#show snmp view


view1(include) 1.3.6.1.2.1.1
view2(include) 1.3.6.1.2.1.1.4.0
default(include) 1.3.6.1

Step 4: Display SNMP group.

Ruijie#show snmp group


groupname: g1
securityModel: v3
securityLevel:authPriv
readview: view1
writeview: view2
notifyview:

Step 5: Display host information configured by the user.

Ruijie#show snmp host


Notification host: 192.168.3.2
udp-port: 162
type: trap
user: user1
security model: v3 authPriv

Step 6: Install MIB-Browser. Type in device IP of "192.168.3.1" in the field of IP Address; type in "user1" in the field of
UserName; select "AuthPriv" from Security Level; type in "123" in the field of AuthPassWord; select "MD5" from
AuthProtocol; type in "321" in the field of PrivPassWord. Click "Add Item" button and select the specific management unit
for querying MIB, such as the System shown below. Click Start button to implement MIB query of network device. The
query result is shown in the bottommost box:
Configuration Guide Configuring HTTP Service

Configuring HTTP Service

Understanding HTTP

Overview
The Hypertext Transfer Protocol (HTTP) is used to transmit Web page information over the Internet. HTTP resides at the
application layer of the TCP/IP protocol stack and uses connection-oriented TCP at the transport layer.

Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over the Secure Sockets Layer (SSL). HTTPS sets up a
secure channel over an insecure network so that information is protected from interception and, to some extent, from
man-in-the-middle attacks. HTTPS is now widely used for security-sensitive communication services, such as electronic
payment.

Basic Concept
HTTP Service

The HTTP service facilitates HTTP to transmit Web page information over the Internet. HTTP/1.0 is the most popular
HTTP version in the industry. HTTP/1.0 uses the short connection mode to simplify connection management, as a Web
server may be accessed for tens of thousands or even a million times each day. When receiving a connection request, the
server sets up a TCP connection and releases it after the request is completed. The server does not record or trace
previous requests. Although HTTP/1.0 simplifies connection management, it introduces certain performance defects.

For example, a Web page may contain the URLs of multiple images, so the browser sends multiple requests during one
access. For each request, the server sets up an independent connection that is completely isolated from the others.
Setting up and releasing a connection consumes plenty of resources and therefore has a serious impact on the
performance of both the client and the server, as shown in Figure 0-1.

Figure 0-1 HTTP/1.0 Protocol Packet Exchange

HTTP/1.1, however, has solved this defect. HTTP/1.1 supports a persistent connection, through which multiple requests
and responses can be transmitted. The client can send the next request before the previous request is completed, thereby
reducing network delay and enhancing performance, as shown in Figure 0-2.

Figure 0-2 HTTP/1.1 Protocol Packet Exchange

Currently, Ruijie devices support HTTP/1.0 and HTTP/1.1.

The protocol version used by a device depends on the specific Web browser.

HTTPS Service

HTTPS adds the security of SSL to HTTP. For HTTPS to work, the server must have a Public Key Infrastructure (PKI)
certificate; the client does not need one. SSL provides the following services:

 Authenticating users and servers to ensure that data is sent to correct clients and servers

 Encrypting data to prevent data interception during transmission

 Keeping data integrity to ensure that data is not changed during transmission

Figure 0-3 HTTPS Service

HTTP Upgrade Service

The HTTP upgrade service includes local and remote HTTP upgrade services.

 During local upgrade, the device works as an HTTP server. Users can log in to the device through the Web browser
and upload the upgrade files to the device so as to upgrade files on the device.

 During remote upgrade, the device works as a client connected to a remote HTTP server. It obtains the upgrade files
from the server so as to upgrade local files.

Working Principle
HTTP Working Process

HTTP is used for Web management. Users log in to the device through the Web interface for configuration and
management. Web management involves a Web client and a Web server, so the HTTP service adopts the client/server
mode accordingly. The HTTP client is embedded in the Web browser of the Web management client and can send HTTP
request packets and receive and handle HTTP response packets. The Web server (HTTP server) is embedded in the
device. The client and the server exchange information according to the following process:

 The client sets up a TCP connection with the server. The default HTTP port number is 80, and the default HTTPS
port number is 443.

 The client sends a request to the server.

 After processing the request, the server sends a response to the client.

 After processing a request, the HTTP service directly closes the TCP connection between the client and the server,
while HTTPS can handle multiple requests until the client sends a TCP connection closure request or the connection is
closed because of a server timeout.

The HTTP remote upgrade process is summarized as follows:


 The device connects to the server. In this process, the user-configured server address is preferentially used. If the
connection fails, the server address in the local upgrade record file is used to establish the connection.

 The device sends the version numbers of local programs to the server.

 After resolution, the server returns a download file list.

 The device connects to file servers according to the list and downloads the upgrade files as necessary.

 The device can connect to different file servers according to the different files to be downloaded.

 The device upgrades its local files.

Protocol Specification
RFC1945 - Hypertext Transfer Protocol -- HTTP/1.0

RFC2616 - Hypertext Transfer Protocol -- HTTP/1.1

RFC2818 - Hypertext Transfer Protocol Over TLS -- HTTPS

Typical Application
HTTP Application Service

Currently, the Web NMS is still a major method for users to maintain and manage devices. Ruijie network devices also
provide the Web management function. When HTTP is enabled, users can log in to the Web management interface after
entering "http://+device IP address" on the PC browser and passing the authentication. Through the Web interface, users
can perform various operations, such as monitoring device states, configuring devices, uploading files, and downloading
files.

The common HTTP-based service is actually insecure. For security-sensitive communications, Ruijie devices also provide
the more secure HTTPS service, which encrypts the information transmitted between users and the device, so that
third-party devices cannot intercept or modify the information. Users can perform Web management simply after entering
"https://+device IP address" on the Web browser and passing the authentication.

Figure 0-4 illustrates a typical Web management scenario. Users can remotely access and manage the device through
the Internet or log in to the Web server through a LAN to perform configuration management for the device. Users can
enable either HTTPS or HTTP, or both as necessary on the device. Users can also specify HTTP/1.0 or HTTP/1.1 on the
Web browser for accessing the HTTP service of the device.

Figure 0-4 HTTP Application Scenario

HTTP Remote Upgrade Service

The HTTP Remote Upgrade Service means that a device serving as a client connects to the remote HTTP server and
obtains files from the server to upgrade local files. The default domain name of the Ruijie Web server is
"rgos.ruijie.com.cn". Figure 0-5 shows a typical application scenario.

Figure 0-5 HTTP Remote Upgrade

Configuring HTTP

Default Configuration

The following table describes the default configuration of HTTP.


Feature                              Default Setting
Enabling the HTTP service            The HTTP service is disabled by default.
HTTP authentication method           By default, two users are configured.
                                     1. User1 is configured with privilege level 1, username admin and plaintext password admin.
                                     2. User2 is configured with privilege level 2, username guest and plaintext password guest.
HTTP service port                    Common HTTP port number: 80
                                     HTTPS port number: 443
HTTP upgrade server                  Server address: 0.0.0.0
                                     Port number: 80
HTTP upgrade mode                    Auto
HTTP upgrade auto-detection time     Random

Prerequisites

Before configuring the domain name of the HTTP upgrade server, enable the DNS function on the device and configure
the address of the DNS server.

Configuration Steps

Step  Configuration Task                            Description
1     Enable the HTTP service.                      Mandatory
2     Configure HTTP authentication information.    (Optional) This step is performed when authentication information needs to be modified.
3     Configure the HTTP port.                      (Optional) This step is performed when the HTTP port needs to be changed.
4     Configure the HTTP upgrade server.            (Optional) This step is performed when the server address needs to be specified.
5     Configure the HTTP upgrade mode.              (Optional) This step is performed when the upgrade mode needs to be changed.
6     Configure HTTP upgrade auto-detection time.   (Optional) This step is performed when the HTTP upgrade auto-detection time needs to be changed.
7     Manually upgrade files with HTTP.             Mandatory

Enabling the HTTP Service


The HTTP service includes the commonly used HTTP service and the HTTPS service. HTTPS adds SSL on the basis of
HTTP to enhance information security.

Use the following commands to enable the HTTP service in configuration mode.

Command                                             Function
Ruijie# configure terminal                          Enters global configuration mode.
Ruijie(config)# enable service web-server http      (Mandatory) Enables the HTTP service.
Ruijie(config)# enable service web-server https     (Mandatory) Enables the HTTPS service.
Ruijie(config)# enable service web-server [all]     (Mandatory) Enables both the HTTP and HTTPS services.

Configuration example:

The following example enables both HTTP and HTTPS services on a Ruijie device.

Ruijie# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# enable service web-server

Configuring HTTP Authentication Information


When HTTP is enabled, users can log in to the Web interface only after being authenticated. Use the webmaster level
command to configure HTTP authentication information.

Command                                                            Function
Ruijie# configure terminal                                         Enters global configuration mode.
Ruijie(config)# webmaster level privilege-level username name      (Mandatory) Configures the login authentication mode,
  password { password | [ 0 | 7 ] encrypted-password }             which is not configured by default.

Usernames and passwords come with three permission levels, each of which includes at most 10
usernames and passwords.

Configuration example:

The following example uses the username admin and plain-text password ruijie at level 0 to perform Web authentication
on a Ruijie device.

Ruijie# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# webmaster level 0 username admin password ruijie

Configuring the HTTP Port


Configuring a non-default HTTP port can reduce attacks on the HTTP service from unauthorized users. Ruijie devices
support the HTTP and HTTPS service modes.

 Use the following commands to configure the HTTP port number.

Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# http port port-number (Optional) Configures the HTTP port number, which is 80
by default.

Configuration example:

The following example configures the HTTP port number as 8080 on a Ruijie device.

Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http port 8080

 Use the following commands to configure the HTTPS port.

Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# http secure-port port-number (Optional) Configures the HTTPS port number, which is
443 by default.

Configuration example:

The following example configures the HTTPS port number as 4430 on a Ruijie device.

Ruijie# configure terminal


Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http secure-port 4430

Upgrading Web Package in Local System


Use the following commands to upgrade the Web package in local file system in privileged EXEC mode.

Command Function
Ruijie# upgrade web uri Upgrades the Web package in local file system.

Please use the copy command to copy the Web package into the file system before you use this command
to upgrade the Web package.

Configuration example:

The following example copies a Web package into the file system and upgrades the package.

Ruijie#copy tftp://192.168.23.24/web.upd flash:/web.upd


Ruijie#upgrade web flash:/web.upd

Downloading Web Package from TFTP Server


Use the following commands to download the Web package from the TFTP server and upgrade the package
automatically.

Command                                                          Function
Ruijie# upgrade web download { oob_tftp: path | tftp: path }     Downloads the Web package from the TFTP server and upgrades the package automatically.
                                                                 oob_tftp: path: path indicates the storage path of the Web package on the TFTP server.
                                                                 oob_tftp indicates that the system downloads the Web package from the TFTP server
                                                                 through the MGMT port and upgrades the Web package automatically. This parameter is
                                                                 supported only on devices that have a MGMT port.
                                                                 tftp: path: path indicates the storage path of the Web package on the TFTP server.
                                                                 tftp indicates that the system downloads the Web package from the TFTP server through
                                                                 a physical port and upgrades the Web package automatically.

Configuration example:

The following example downloads a Web package from the TFTP server and upgrades the package automatically.

Ruijie#upgrade web download tftp://192.168.23.24/web.upd

Monitoring and Maintaining HTTP

Displaying HTTP Configuration Information


Command Function
show web-server status Displays the configuration information and status of the
Web service.

Configuration example:

The following example displays the HTTP configuration information of a Ruijie device.

Ruijie# show web-server status


http server status : enabled
http server port : 80
https server status: enabled
https server port: 443
http(s) use memory block: 768, create task num: 0

Configuration Examples

HTTP Configuration Example


Networking Requirements

Network administrators want to manage the device through the Web, and therefore log in to the switch through a Web
browser to configure it.

 Log in with the user-configured authentication information.

 Make the Web interface reachable through HTTP or HTTPS, with HTTPS available to enhance security.

 Change the HTTP port to reduce attacks on the HTTP service from unauthorized users.

Networking Topology

Figure 0-6 HTTP Application Topology

Configuration Tips

The old version of the Web management system used ip http authentication to configure the authentication mode. When
the device is upgraded to the new Smart Web management system, the ip http authentication configuration is
automatically removed, because the Smart Web management system uses webmaster level to configure the
authentication mode.

To meet the networking requirements, focus on the following points:

 Use the webmaster level command to configure authentication information.

 Enable HTTP and HTTPS at the same time to meet the customer's security requirements.

 Configure the HTTP port number as 8080 and the HTTPS port number as 4430.

When the device is upgraded from the old version of the Web management system to the new Smart Web
management system, the accounts of the old Web management system become invalid in the Smart Web
management system. However, the Smart Web management system provides two default accounts (admin/admin
and guest/guest). Users can run the webmaster level command to modify the default accounts or add other
accounts. The ip http authentication configuration is automatically removed during the upgrade to the Smart Web
management system.

Configuration Steps

27) Configure the username as admin and the password as ruijie.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# webmaster level 0 username admin password ruijie

28) Enable the HTTP and HTTPS services.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#enable service web-server

29) Configure the HTTP port number as 8080.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http port 8080

30) Configure the HTTPS port number as 4430.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http secure-port 4430

Verification

31) Check HTTP configuration information.

Ruijie#show web-server status


http server status : enabled
http server port : 8080
https server status: enabled
https server port: 4430
http(s) use memory block: 768, create task num: 0

Configuration Example of HTTP Remote Upgrade


Networking Requirements

An enterprise purchasing a Ruijie device hopes to use the HTTP upgrade function to upgrade files.

 Ensure that the device can periodically and remotely obtain information about the files available for upgrade from a
Ruijie server.

 Check the files currently available for upgrade.


 Download the latest files from the Ruijie server and update the device to be upgraded.

Networking Topology

Figure 0-7 Networking Topology of HTTP Remote Upgrade

Configuration Tips

To meet the customer's requirements, focus on the following point:

 Configure the device to remotely obtain information about the latest files at 2:00 am each day.

Configuration Steps

32) Configure DNS information.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#ip domain-lookup                 //Enable the DNS function on the device.
Ruijie(config)#ip name-server 192.168.5.134     //Configure the IP address of the DNS server.

33) Configure the address of the upgrade server.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http update server rgos.ruijie.com.cn

34) Obtain information about the files available for upgrade from the remote server.

Ruijie#http check-version
app name:web
sn version filename
-- ------------------- -------------------------
0 1.2.1(82381) web1.2.1(145680).upd
1 1.2.1(82380) web1.2.1(145680).upd
2 1.2.1(82379) web1.2.1(145680).upd
3 1.2.1(82378) web1.2.1(145680).upd

Verification

Check server version information on the online upgrade interface of Web.

Configuration Example of HTTP Local Upgrade


Networking Requirements

 Users hope to run the latest Web package, which is obtained from an official Website, on a device.

Networking Topology

Figure 0-8 Networking Topology of HTTP Local Upgrade

Configuration Tips

To meet the customer's requirements, focus on the following points:

 Connect the device to a local PC whose IP address is 10.10.10.13, and configure the device with an IP address
10.10.10.131 in the same network segment.

 Download the latest Web package to the device.

 Update the Web package on the device.

Configuration Steps

35) Create VLAN 1 and configure an IP address for the device.

Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vlan 1
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 1
Ruijie(config-VLAN 1)#ip address 10.10.10.131 255.255.255.0

36) Enable the TFTP server function on the PC and run the copy tftp command on the device to download the Web
package.

Ruijie#copy tftp://10.10.10.13/web_management_pack.upd flash:web_management_pack.upd

Verification

On the PC, log in with Web authentication once again to check whether the latest Web interface is displayed.
Configuration Guide Configuring Syslog

Configuring Syslog

Overview

During the operation of a device, various state changes (such as a link going up or down) and events (such as receiving
abnormal messages and handling exceptions) occur. Our product provides a mechanism to generate messages of a fixed
format (log messages) when a state change or event occurs. These messages can be displayed in related windows
(console, VTY, etc.), recorded in related media (memory buffer, flash), or sent to a group of log servers in the network for
administrators to analyze and locate problems. To make log messages easy for administrators to read and manage, they
can be labeled with timestamps and sequence numbers, and they are graded according to the priority of the log
information.

The format of a log message is as follows:

<priority> seq no: timestamp sysname %ModuleName-severity-MNEMONIC: description

The fields have the following meanings:


Field Meaning
<priority> Priority, calculated as priority value = facility value * 8 + severity. The facility (called the
device value in this guide) is set with the logging facility command.
seq no Sequence number of the system, a 6-digit integer. Its output can be disabled with the
no service sequence-numbers command.
timestamp Timestamp, which is the local time by default. Format: Mmm dd hh:mm:ss, where Mmm is the
English abbreviation of the month: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
sysname System name. Its output can be disabled with the no service sysname command.
ModuleName Abbreviation of the module name.
severity Severity level of the log (0-7).
MNEMONIC Short identifier of the event.
description Message content.

For example:

<189> 226:Mar 5 02:09:10 S3250 %SYS-5-CONFIG_I: Configured from console by console



The priority field is not attached to the log messages that are printed in the user window. It only appears in
the log messages that are sent to the syslog server.
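As an added example that is not part of the Ruijie guide, the following Python parses lines in the format above, decodes the priority field into facility and severity (priority = facility * 8 + severity), and checks that the decoded severity agrees with the severity digit carried in the %ModuleName-severity-MNEMONIC header. The sample lines are constructed: the first is the guide's own example, the next two follow the guide's console samples, and the last has a deliberately mismatched priority. The regular expressions, the RgosLog field names and the delivered_at helper are this example's own assumptions about the format, not anything exposed by the device.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 facility and severity names, matching the guide's device-value and level tables.
FACILITY_NAMES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
                  "audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITY_NAMES = ("emergencies alerts critical errors warnings "
                  "notifications informational debugging").split()

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
PRI_RE = re.compile(r"^<(\d{1,3})>")            # <PRI>, only on server-bound messages
SEQ_RE = re.compile(r"^\s*(\d+):")              # sequence number, if service sequence-numbers is on
# Optional leading '*' and trailing ':' appear in the guide's own console samples; the
# optional msec and year parts correspond to 'service timestamps ... datetime [msec] [year]'.
TS_RE = re.compile(r"^\s*\*?((?:" + MONTHS + r") +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?(?: \d{4})?):?")
BODY_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")


@dataclass
class RgosLog:
    priority: Optional[int]      # raw <PRI> value, None when the field is absent
    facility: Optional[int]      # PRI // 8
    pri_severity: Optional[int]  # PRI % 8
    seq: Optional[int]
    timestamp: Optional[str]
    sysname: Optional[str]
    module: str
    severity: int                # severity digit from %MODULE-sev-MNEMONIC
    mnemonic: str
    description: str

    @property
    def consistent(self) -> bool:
        """The PRI-derived severity must agree with the severity in the message header."""
        return self.pri_severity is None or self.pri_severity == self.severity


def parse_rgos_log(line: str) -> RgosLog:
    """Split one RGOS-format line into its fields; raises ValueError on malformed input."""
    m = BODY_RE.search(line)
    if m is None:
        raise ValueError(f"no %MODULE-severity-MNEMONIC header in {line!r}")
    module, severity, mnemonic, desc = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    header = line[:m.start()]

    priority = facility = pri_severity = None
    pm = PRI_RE.match(header)
    if pm:
        priority = int(pm.group(1))
        if priority > 23 * 8 + 7:
            raise ValueError(f"PRI {priority} exceeds the maximum of 191")
        facility, pri_severity = divmod(priority, 8)   # priority = facility * 8 + severity
        header = header[pm.end():]

    seq = None
    sm = SEQ_RE.match(header)
    if sm:
        seq = int(sm.group(1))
        header = header[sm.end():]

    timestamp = None
    tm = TS_RE.match(header)
    if tm:
        timestamp = tm.group(1)
        header = header[tm.end():]

    sysname = header.strip() or None   # whatever remains before '%' is the system name
    return RgosLog(priority, facility, pri_severity, seq, timestamp, sysname,
                   module, severity, mnemonic, desc)


def delivered_at(log: RgosLog, level: int) -> bool:
    """Device rule for a destination configured with 'level': messages at or below it are delivered."""
    return log.severity <= level


def facility_name(code: int) -> str:
    return FACILITY_NAMES[code]


def severity_name(code: int) -> str:
    return SEVERITY_NAMES[code]


# Constructed samples: the guide's example, two console-style lines, and a line whose
# PRI (190 -> severity 6) disagrees with the severity digit 5 in its header.
SAMPLES = [
    "<189> 226:Mar 5 02:09:10 S3250 %SYS-5-CONFIG_I: Configured from console by console",
    "*Aug 20 10:05:19: %LINK-5-CHANGED: Interface GigabitEthernet 0/1, changed state to up",
    "Aug 20 16:46:49 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/12, changed state to DOWN",
    "<190>227:Mar 5 02:09:11 S3250 %SYS-5-CONFIG_I: Configured from vty by admin",
]

if __name__ == "__main__":
    for line in SAMPLES:
        log = parse_rgos_log(line)
        fac = facility_name(log.facility) if log.facility is not None else "-"
        flag = "" if log.consistent else "  <-- PRI/severity mismatch"
        print(f"{fac:7} {severity_name(log.severity):13} {log.module}-{log.mnemonic} "
              f"seq={log.seq} host={log.sysname} trap6={delivered_at(log, 6)}{flag}")
```

A collector routes messages by exactly this PRI arithmetic, so a mismatch between the PRI and the header severity is worth flagging: it means the message was re-encoded somewhere between the device and the server.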

Log Configuration

Log Switch
The log switch is turned on by default. If it is turned off, the device neither prints log information in the user window,
nor sends it to the syslog server, nor records it in the related media (memory buffer, flash).

To turn on or off the log switch, run the following command in the global configuration mode:

Command Function
Ruijie(config)# logging on Turn on the log switch
Ruijie(config)# no logging on Turn off the log switch

Do not turn off the log switch under normal circumstances. If too much information is printed, reduce it by setting a
different display level for each log destination.

Configuring the Device Displaying the Log Information


When the log switch is on, log information is displayed on the console and can also be sent to other destinations.

To configure the destinations that receive logs, run the following commands in global configuration mode or at the
privileged level:

Command Function
Ruijie(config)# logging buffered [ buffer-size ] [ level ] Record logs in the memory buffer
Ruijie# terminal monitor Allow logs to be displayed on the current VTY window
Ruijie(config)# logging server host Send log information to the syslog server in the network
Ruijie(config)# logging file { flash:filename | sata0:filename | usb0:filename | usb1:filename | sd0:filename }
[ max-file-size ] [ level ] Save log messages to a log file on the built-in flash, expanded flash, SATA disk, USB disk
or SD card. A file with the specified name is created for saving logs; it grows with the log volume but never
exceeds max-file-size.

logging buffered records log information in the memory buffer. The buffer is used in a circular manner: when it is full,
the oldest information is overwritten. To show the log information in the memory buffer, run show logging at the
privileged user level. To clear it, run clear logging at the privileged user level.

terminal monitor allows log information to be displayed on the current VTY (such as a Telnet window).

logging server specifies the address of a syslog server that will receive the log information. The product allows at
most 5 syslog servers to be configured, and the log information is sent to all of them at the same time. The logging host
form of the command achieves the same purpose.

To send log information to the syslog server, the timestamp switch or the sequence number switch must be turned on.
Otherwise, log information is not sent to the syslog server.

logging file flash: records log information in flash. The log file name must not carry an extension indicating the file
type: the extension is fixed as txt, and a file name that includes an extension is refused.

The more flash:filename command shows the contents of the log file in flash.

Some devices support expanded FLASH. If the device has expanded FLASH, the log information will be
recorded there. If the device has no expanded FLASH, the log information will be recorded in the serial
FLASH.

Enabling the Log Timestamp Switch of Log Information


To add or delete timestamp in log information, run the following command in the global configuration mode:

Command Function
Ruijie(config)# service timestamps [ message-type [ uptime | datetime [ msec ] [ year ] ] ] Enable the timestamp in the log information
Ruijie(config)# no service timestamps [ message-type ] Disable the timestamp in the log information

Timestamps are available in two formats: device uptime and device datetime. Select the appropriate format.

message-type is log or debug. The log type covers log information with severity levels 0-6; the debug type covers
severity level 7.

If the current device has no RTC, the configured time is invalid, and the device automatically uses the startup
time as the timestamp for the log information. If the current device has a RTC, the device time is used as the
timestamp for the log information by default.

Enabling the Log System Name Switch


No system name is attached to logs by default. To add or remove the system name in the log information, perform the
following commands in the global configuration mode.

Command Function
Ruijie(config)# no service sysname Remove the system name from log messages.
Ruijie(config)# service sysname Add the system name to log messages.

Enabling Log Statistics


By default, the log statistics function is disabled. To enable or disable the log statistics function, perform the following
commands in the global configuration mode.

Command Function
Ruijie(config)# no logging count Disable the log statistics function and delete the statistics information
Ruijie(config)# logging count Enable the log statistics function

Ruijie# show logging count


Module Name Message Name Sev Occur Last Time
================================================================
LINEPROTO UPDOWN 5 2 Aug 20 01:41:19
-------------------------------------------------------------
LINEPROTO TOTAL 2
LINK CHANGED 5 1 Aug 20 01:41:19
-------------------------------------------------------------
LINK TOTAL 1
SYS CONFIG_I 5 1 Aug 20 01:40:55
-------------------------------------------------------------
SYS TOTAL 1
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#no logging count
Ruijie(config)#end
Ruijie#show logging count
Module Name Message Name Sev Occur Last Time
===========================================================

Enabling the Sequential Number Switch of Log Information


By default, the log information has no sequential number. To add or delete sequential number in log information, run the
following commands in the global configuration mode:

Command Function
Ruijie(config)# no service sequence-numbers Remove the sequence number from log messages
Ruijie(config)# service sequence-numbers Add the sequence number to log messages

The log sequence number is a counter that increases by one each time a log is generated. It starts again from 0
when it wraps around at its maximum value (2^32).

Configuring Synchronization Between User Input and Log Output


By default, user input is asynchronous with log output: if a log is printed while the user is typing, the input is
interrupted. In the example below, the status of interface 0/12 changes after the user has typed "vlan" and the log is
printed, so the characters already typed are no longer visible and the command entry is broken off.

Ruijie(config)#vlan Aug 20 16:46:49 %LINK-5-CHANGED: Interface FastEthernet 0/12, changed state to down
Aug 20 16:46:49 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet 0/12, changed state to DOWN
% Incomplete command.

With input synchronization configured, even if logs are printed while the user is typing, the characters already
entered are redisplayed after the log output, so that the input stays complete and continuous. In the example below, the
status of interface 0/1 changes after the user has typed "vlan" and the log is printed; afterwards the log module reprints
the "vlan" entered by the user so that the user can continue typing.

Ruijie(config)#vlan
*Aug 20 10:05:19: %LINK-5-CHANGED: Interface GigabitEthernet 0/1, changed state to up
*Aug 20 10:05:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/1, changed
state to up
Ruijie(config)#vlan

Use the following commands in line configuration mode to configure synchronization between user input and log output:

Command Function
Ruijie(config-line)# logging synchronous Enable synchronization between user input and log output.
Ruijie(config-line)# no logging synchronous Disable synchronization between user input and log output.

Configuring Log Rate Limit


By default, the log rate is not limited. When a large number of logs are generated, the system is burdened unless the
log rate is controlled. Use the following commands in global configuration mode to configure the log rate limit:

Command Function
Ruijie(config)# logging rate-limit number Set the log rate limit.
Ruijie(config)# no logging rate-limit Remove the log rate limit.

Configuring the Log Information Displaying Level


To limit the number of log messages delivered to each destination, set the severity level of log information allowed
for that destination.

To configure the display level, run the following commands in global configuration mode:

Command Function
Ruijie(config)# logging console [ level ] Set the level of log information allowed on the console
Ruijie(config)# logging monitor [ level ] Set the level of log information allowed on the VTY window (such as a Telnet window)
Ruijie(config)# logging buffered [ buffer-size ] [ level ] Set the level of log information allowed in the memory buffer
Ruijie(config)# logging trap [ level ] Set the level of log information allowed to be sent to the syslog server

The log information of our products is classified into the following 8 levels:

Keyword Level Description
Emergencies 0 Emergency: the system cannot run normally
Alerts 1 Problems that need immediate remedy
Critical 2 Critical conditions
Errors 3 Error messages
Warnings 4 Warning information
Notifications 5 Normal but significant information
Informational 6 Informational messages
Debugging 7 Debugging messages

A lower value indicates a higher severity; level 0 is the most severe.

When a display level is set for a destination, log information at or below that level value is delivered to it. For
example, after logging console 6 is executed, all log information at levels 0 through 6 is displayed on the console and
level-7 debugging messages are suppressed.

By default, log information at level 7 and below is displayed on the console.

By default, log information at level 7 and below is displayed on the VTY window.

By default, log information at level 6 and below is sent to the syslog server.

By default, log information at level 7 and below is recorded in the memory buffer.

By default, log information at level 6 and below is recorded in the expanded flash.

The privileged command show logging config shows the level of log information allowed for each destination.

Configuring Log Severity Ranking Policy


This function is disabled by default.

Command Function
logging policy module module-name [ not-lesser-than ] level direction { all | server | file | console | monitor |
buffer } Configure the severity ranking policy in global configuration mode.
module-name: Name of the module to which the ranking policy applies.
not-lesser-than: If this parameter is specified, a log is sent only when its level value is not lower than the configured
level; otherwise the log is filtered. If the parameter is not specified, a log is sent only when its level value is not
higher than the configured level; otherwise the log is filtered.
level: Severity level (0-7).
all: Applies the ranking policy in all directions.
server: Applies the ranking policy to logs sent to the syslog server.
file: Applies the ranking policy to logs written to the log file.
console: Applies the ranking policy to logs displayed on the console.
monitor: Applies the ranking policy to logs displayed on the VTY terminal.
buffer: Applies the ranking policy to logs recorded in the buffer.
no logging policy module module-name [ not-lesser-than ] level direction { all | server | file | console | monitor |
buffer } Remove one policy.
no logging policy Remove all policies.

This command sends logs to different destinations based on module and severity.

The following example sends SYS module logs whose level value is 5 or higher (levels 5-7) to the console, and SYS
module logs whose level value is 3 or lower (levels 0-3) to the buffer:

Ruijie(config)# logging policy module SYS not-lesser-than 5 direction console
Ruijie(config)# logging policy module SYS 3 direction buffer

Configuring Logging Server


No log is sent to any syslog server by default.

Command Function
logging server [ oob ] { ip-address | ipv6 ipv6-address } [ via mgmt-name ] [ udp-port port ] [ vrf vrf-name ]
Send the logs to the specified syslog server, in global configuration mode.
oob: Specifies out-of-band communication for the logging server (logs are sent through the MGMT port).
ip-address: IP address of the host that receives the logs.
ipv6 ipv6-address: IPv6 address of the host that receives the logs.
via mgmt-name: MGMT port used for the oob option.
udp-port port: UDP port of the specified host (the default port number is 514).
vrf vrf-name: VRF instance (VPN forwarding table) through which the log host is reached.
no logging server [ oob ] { ip-address [ vrf vrf-name ] | ipv6 ipv6-address } [ via mgmt-name ] Remove the server.
no logging server { ip-address [ vrf vrf-name ] | ipv6 ipv6-address } [ via mgmt-name ] udp-port Restore the default
port number.

This command specifies a syslog server to receive the logs of the device. Up to 5 syslog servers can be configured, and
the log information is sent to all of them at the same time.

The via parameter can be specified only when the oob option is used, and the vrf parameter cannot be combined with oob.

Syslog over UDP is neither authenticated nor encrypted, so the log server should be reachable only across a trusted
management network, for example through the MGMT port with the oob option.

The following example specifies a syslog server with the address 202.101.11.1:

Ruijie(config)# logging server 202.101.11.1

The following example specifies a syslog server with the IPv6 address AAAA:BBBB::FFFF:

Ruijie(config)# logging server ipv6 AAAA:BBBB::FFFF



Configuring the log information device value


The facility value (called the device value in this guide) is one of the two parts that form the priority field in the
messages sent to the syslog server; it indicates the type of device or process that generated the message.

To configure the facility value, run the following commands in global configuration mode:

Command Function
Ruijie(config)# logging facility facility-type Configure the log facility value
Ruijie(config)# no logging facility Restore the default facility value

The meanings of various device values are described as below:

Numerical Code Facility


0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages
5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon
10 security/authorization messages
11 FTP daemon
12 NTP subsystem
13 log audit
14 log alert
15 clock daemon
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)

The default device value of our products is 23 (local7, local use).

Configuring the Source Address of Log Messages


No source interface is configured by default. The source address of all log messages can be fixed with the following
commands: either the source IP address or the source interface of the log messages can be set directly.

To configure the source address of log messages, run the following commands in global configuration mode:

Command Function
Ruijie(config)# logging source interface interface-type interface-number Configure the source interface of log messages
Ruijie(config)# logging source { ip ip-address | ipv6 ipv6-address } Configure the source IP address of log messages

If a source IP address is configured for log packets but that address is not configured on any interface of the
device, the log packets are sent with a non-existent source IP address. Avoid such a configuration in practice.

Enable Logging Periodically


This function is disabled by default.

Command Function
logging statistic enable Enable periodic logging in global configuration mode.
no logging statistic enable Restore the default setting.

This command is used to send performance statistics at a certain interval for the server to monitor the system
performance.

The following example enables logging periodically.

Ruijie(config)# logging statistic enable

Configuring Logging Interval


The default interval is 15 minutes.

Command Function
logging statistic mnemonic mnemonic interval minutes Configure the interval at which statistics logs are sent, in
global configuration mode.
mnemonic: Mnemonic identifying the statistics object.
minutes: Interval at which logs are sent, in minutes.
no logging statistic mnemonic mnemonic Restore the default setting.

The available settings include 0, 15, 30, 60 and 120. 0 indicates this function is disabled.

The following example sets the interval at which logs are sent to 30 minutes.

Ruijie(config)# logging statistic mnemonic TUNNEL_STAT interval 30

Enabling Logs to be Sent to Console and Remote Terminal Periodically


This function is disabled by default.

Command Function
logging statistic terminal Enable logs to be sent to the console and the remote
terminal in global configuration mode.
no logging statistic terminal Restore the default setting.

The following example enables logs to be sent to the console and the remote terminal periodically.

Ruijie(config)# logging statistic terminal

Enabling RFC5424 Format


The RFC 3164 format is used by default.

Command Function
service log-format rfc5424 Enable the RFC 5424 format in global configuration mode.
no service log-format rfc5424 Restore the default setting.

After the RFC 5424 format is enabled, the service sequence-numbers, service sysname, service timestamps, service
private-syslog and service standard-syslog commands become invalid and are hidden.

After switching back to the RFC 3164 format, the logging delay-send, logging policy and logging statistic commands
become invalid and are hidden.

After the log format is switched, the output of the show logging and show logging config commands changes accordingly.

The following example enables the RFC5424 format.

Ruijie(config)# service log-format rfc5424

Sending the User Log

Command Function
Ruijie(config)# logging userinfo Send a log when a user logs in or logs off.
Ruijie(config)# logging userinfo command-log Send a log when a configuration command is executed.

Log Monitoring
To monitor log information, run the following commands in the privileged user mode:

Command Function
Ruijie# show logging Display the log messages in the memory buffer together with the log statistics
Ruijie# show logging count Display the log statistics of every module
Ruijie# show logging config Display the log configuration and statistics
Ruijie# show logging reverse Display the log configuration and statistics, and the log messages in the memory buffer
listed in reverse order
Ruijie# clear logging Clear the log messages in the memory buffer

The format of the timestamp in the output result of show logging count is the format in the latest log output.

Configuring logging filtering


To filter log messages by direction, type or rule, run the following commands in global configuration mode:

Command Function
Ruijie(config)# logging filter direction { all | buffer | file | server | terminal } Filter the log messages destined
for a certain direction. Use the no form of this command to restore the default setting. By default, log messages
destined for all directions are filtered.
all: Log messages destined for all directions are filtered, including the console, VTY terminal, log buffer, log file
and log server.
buffer: Log messages destined for the log buffer are filtered, including the messages displayed by show logging.
file: Log messages destined for the log file are filtered.
server: Log messages destined for the log server are filtered.
terminal: Log messages destined for the console and the VTY terminal (including Telnet and SSH) are filtered.
Ruijie(config)# logging filter type { contains-only | filter-only } Configure the filter type. Use the no form of this
command to restore the default setting. The default filter type is filter-only.
contains-only: Only log messages matching the filter rule are printed.
filter-only: Log messages matching the filter rule are dropped.
Ruijie(config)# logging filter rule { exact-match module module-name mnemonic mnemonic-name level level |
single-match { level level | mnemonic mnemonic-name | module module-name } } Configure the filter rule. No filter
rule is configured by default.
exact-match: Exact-match rule; all three parameters must be given.
single-match: Single-match rule; exactly one of the three parameters is given.
module module-name: Module name.
mnemonic mnemonic-name: Mnemonic name.
level level: Log level.

By default, log messages destined for all directions (console, VTY terminal, log buffer, log file and log server) are
filtered. To filter log messages destined for one direction only, the terminal for instance, configure the terminal
parameter.

When too many log messages are printed, the terminal screen keeps refreshing. If you are not interested in these
messages, use the filter-only type to drop them.

If you are interested in certain log messages, use the contains-only type to print only the messages that match the
filter rule, so as to monitor whether specific events happen.

The contains-only and filter-only filter types cannot be configured at the same time.

If you configure the filter direction and the filter type without configuring a filter rule, no log message is
filtered.

To filter one specific log message, use the exact-match rule and supply all three parameters: module name, mnemonic
name and log level.

To filter a whole class of log messages, use the single-match rule and supply one of the three parameters: module name,
mnemonic name or log level.

When a single-match rule and an exact-match rule are configured with the same module name, mnemonic name or log
level, the single-match rule takes priority.

The following example filters all syslogs with SYS module.

Ruijie# configure terminal


Ruijie(config)# logging filter direction server
Ruijie(config)# logging filter direction terminal
Ruijie(config)# logging filter type filter-only
Ruijie(config)# logging filter rule single-match module SYS
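The following Python is an added example, not part of the Ruijie guide, that models the filter semantics described in this section so they can be checked against sample messages: a direction set, a single filter type (never both), single-match and exact-match rules, and the rule that a direction and type without any rule filter nothing. The destination-to-direction mapping, the assumption that each logging filter direction command adds one direction to a set, the (module, mnemonic, level) message tuples and the helper names are this example's own constructions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

Message = Tuple[str, str, int]   # (module, mnemonic, level), constructed for this example

# Each destination maps to a keyword of 'logging filter direction'; 'terminal'
# covers both the console and VTY sessions (Telnet/SSH), as the guide states.
DESTINATION_DIRECTION = {"console": "terminal", "vty": "terminal",
                         "buffer": "buffer", "file": "file", "server": "server"}


@dataclass(frozen=True)
class FilterRule:
    """single-match sets exactly one field; exact-match sets all three."""
    module: Optional[str] = None
    mnemonic: Optional[str] = None
    level: Optional[int] = None

    def __post_init__(self) -> None:
        given = sum(v is not None for v in (self.module, self.mnemonic, self.level))
        if given not in (1, 3):
            raise ValueError("use single-match (one field) or exact-match (all three)")

    @property
    def kind(self) -> str:
        exact = self.level is not None and self.module is not None and self.mnemonic is not None
        return "exact-match" if exact else "single-match"

    def matches(self, module: str, mnemonic: str, level: int) -> bool:
        return all(want is None or want == got for want, got in
                   ((self.module, module), (self.mnemonic, mnemonic), (self.level, level)))


class LoggingFilter:
    def __init__(self, filter_type: str = "filter-only", directions: Iterable[str] = ("all",)):
        if filter_type not in ("filter-only", "contains-only"):
            raise ValueError("filter type is filter-only or contains-only, never both")
        self.filter_type = filter_type
        self.directions = set(directions)   # assumption: each direction command adds one entry
        self.rules: List[FilterRule] = []

    def add_rule(self, rule: FilterRule) -> None:
        self.rules.append(rule)

    def applies_to(self, destination: str) -> bool:
        return "all" in self.directions or DESTINATION_DIRECTION[destination] in self.directions

    def passes(self, destination: str, module: str, mnemonic: str, level: int) -> bool:
        """True if the message is delivered to 'destination', False if it is filtered out."""
        if not self.applies_to(destination) or not self.rules:
            return True   # no rule configured: direction and type alone filter nothing
        # A single-match rule matches a superset of any exact-match rule on the same field,
        # so evaluating every rule together gives single-match the priority the guide describes.
        hit = any(r.matches(module, mnemonic, level) for r in self.rules)
        return hit if self.filter_type == "contains-only" else not hit


def route(flt: LoggingFilter, messages: Sequence[Message], destination: str) -> List[Message]:
    """Messages that still reach 'destination' once the filter is applied."""
    return [m for m in messages if flt.passes(destination, *m)]


def page_example() -> LoggingFilter:
    """The guide's example: drop every SYS message headed for the server and the terminals."""
    flt = LoggingFilter("filter-only", directions=("server", "terminal"))
    flt.add_rule(FilterRule(module="SYS"))
    return flt


MESSAGES: List[Message] = [   # constructed sample messages
    ("SYS", "CONFIG_I", 5), ("LINK", "CHANGED", 5), ("LINEPROTO", "UPDOWN", 5), ("SYS", "RESTART", 6),
]

if __name__ == "__main__":
    flt = page_example()
    for dest in ("server", "console", "buffer"):
        print(dest, route(flt, MESSAGES, dest))
```

The buffer keeps the SYS messages in this configuration because buffer is not one of the configured directions; that is the property to check before relying on the buffer as the record of what the filter dropped from the server feed.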

Writing Log in System Buffer into Flash File


To write the log messages in the system buffer to the flash file immediately, run the following command in global
configuration mode:

Command Function
Ruijie(config)# logging flash flush Write the log messages in the system buffer to the flash file immediately.

Normally log messages are cached in the log buffer and written to the flash file only when the buffer is full or the
timer expires. This command forces the cached messages to be written to the flash file immediately.

logging flash flush is a one-time action rather than a persistent setting: each time it is entered, the messages
cached in the buffer are written to the flash file at once.

The following example writes log messages in the system buffer into the flash file immediately.

Ruijie(config)# logging flash flush

Configuring Name of File for Delay Sending


The default file name format is file size_device IP address_index.txt. If a prefix is configured, the file sent to the
remote server is named prefix_file size_device IP address_index.txt and the file saved locally is named
prefix_index.txt. The default prefix is syslog_ftp_server.

Command Function
logging delay-send file flash:filename Set the name of the log file saved locally for delayed sending, in global
configuration mode.
flash:filename: Name of the log file saved locally for delayed sending.
no logging delay-send file Restore the default setting.

The file name cannot contain the special characters . \ / : * " < > and |.

For example, with the prefix log_server, file index 5, file size 1000 bytes and device IP address 10.2.3.5, the log
file sent to the remote server is named log_server_1000_10.2.3.5_5.txt and the log file saved locally is named
log_server_5.txt.

If the device has an IPv6 address, the colons (:) in the address are replaced by hyphens (-). For example, with the
prefix log_server, file index 6, file size 1000 bytes and device IPv6 address 2001::1, the log file sent to the remote
server is named log_server_1000_2001-1_6.txt and the log file saved locally is named log_server_6.txt.

The following example sets the name of the log file saved locally to log_server.

Ruijie(config)# logging delay-send file flash:log_server

Configuring Delay Interval


The default delay interval is 3600 seconds.

Command Function
logging delay-send interval seconds Set the interval at which log sending is delayed, in global configuration mode.
seconds: Interval at which log sending is delayed, in the range from 600 to 65535 seconds.
no logging delay-send interval Restore the default setting.

The following example sets the interval at which log sending is delayed to 600 seconds.

Ruijie(config)# logging delay-send interval 600

Configuring Server Address and Log Sending Mode


This function is disabled by default.

Command Function
logging delay-send server { [ oob ] ip-address | ipv6 ipv6-address } [ vrf vrf-name ] mode { ftp user username
password [ 0 | 7 ] password | tftp } Configure the server address and log sending mode in global configuration mode.
oob: Logs are sent to the server through the MGMT port; the device must have an MGMT port.
ip-address: IP address of the server.
ipv6 ipv6-address: IPv6 address of the server.
vrf vrf-name: VRF instance connected to the server.
username: FTP server username.
password: FTP server password.
0: (Optional) The password is entered in plaintext.
7: The password is entered in encrypted form.
no logging delay-send server { [ oob ] ip-address | ipv6 ipv6-address } [ vrf vrf-name ] Restore the default setting.

This command specifies an FTP or TFTP server to receive the logs. Up to five FTP/TFTP servers can be configured, and
the logs are sent to all configured servers simultaneously. Neither FTP nor TFTP protects the transfer: the FTP
credentials and the log files themselves travel in cleartext, so the server should be reachable only over a trusted
management network, for example through the MGMT port with the oob option.

The following example specifies an FTP server with the IP address 192.168.23.12, username admin and password admin.

Ruijie(config)# logging delay-send server 192.168.23.12 mode ftp user admin password admin

The following example specifies a TFTP server whose IPv6 address is 2000::1.

Ruijie(config)# logging delay-send server ipv6 2000::1 mode tftp

Enabling Delay in Sending Logs to Console and Remote Terminal


This function is disabled by default.

Command Function
logging delay-send terminal Enable delay in sending logs to console and remote terminal
in global configuration mode.
no logging delay-send terminal Restore the default setting

The following example enables delay in sending logs to console and remote terminal.

Ruijie(config)# logging delay-send terminal

Examples of Log Configurations

Here is a typical example to enable the logging function:

The device is connected to a log server with the IP address 192.168.200.2. To have every log carry a datetime timestamp
and logs at all levels sent to the log server, perform the following configuration:

Ruijie(config)# service timestamps debug datetime // enable timestamps for debug messages, datetime format
Ruijie(config)# service timestamps log datetime // enable timestamps for log messages, datetime format
Ruijie(config)# logging server 192.168.200.2 // specify the address of the syslog server
Ruijie(config)# logging trap debugging // send logs at all levels (0-7) to the syslog server
Ruijie(config)# end
Configuration Guide Configuring RLOG

Configuring RLOG

Overview

RLOG (Remote Log) is developed to export log files to remote servers (like ELOG and SNC).

With RLOG enabled, devices collect and send logs to the servers. Then, servers analyze and write logs into their libraries.
Thus, it is convenient to refer to specific logs from the servers. RLOG is available to multiple types of logs concerning
device running, user behavior, and system security.

The following sections describe RLOG only.

Protocols and Standards

 N/A

Applications

Application Description
Log Export With RLOG enabled, remote logs are exported to RLOG servers for reference.

Log Export
Scenario

With RLOG and URL audit logging configured, the AP/AC outputs URL audit logs when users access the network through
the AP. Once users go offline, the logs are sent to the ELOG server.

Figure 0-1

Note AP: access point
AC: access controller

Deployment

 Enable log modules and RLOG on the AC/AP. Configure the RLOG server.

 The RLOG server receives and analyzes logs for reference and statistics.

Features

Basic Concepts

N/A

Overview

Function Description
RLOG Export Exports remote logs on AC/AP to RLOG servers.
RLOG-specific Server Configures remote log-differentiated servers for different types of logs.

Configuring RLOG Export


With this function enabled, AC/AP exports logs to RLOG servers.

Working Principle

Different log modules on AC/AP, such as flow logging, device audit logging, flow audit logging and content audit logging,
generate various logs. RLOG servers receive, analyze and display these logs.

Related Configuration
 Enabling log modules

By default, log modules are disabled. Enable these modules at first.

For instance, use the flow-audit enable command to enable the flow audit log module.

 Enabling RLOG

By default, RLOG servers and export are not configured.

Configure an RLOG server: rlog server 192.168.1.100 port 20000

Configure the RLOG export: rlog type 25 server 192.168.1.100 priority 1

The parameter type 25 means interface flow logs.

Configuring RLOG-specific Export


With this function enabled, RLOG sends different sorts of logs to corresponding RLOG servers as configured.

Working Principle

According to RLOG types, export requests from log modules are handled differently.

Related Configuration

 Enabling log modules

By default, log modules are disabled. Enable these modules at first.

For instance, use the flow-audit enable command to enable the flow audit log module.

 Enabling RLOG-specific export

By default, RLOG servers and export are not configured.

Configure 2 RLOG servers: rlog server 192.168.1.100 port 20000

rlog server 192.168.1.101 port 20000

Configure server for flow logs: rlog type 16 server 192.168.1.100 priority 1

Configure server for interface flow logs: rlog type 25 server 192.168.1.101 priority 1

The parameter type 16 means flow logs.

Configuration

Function    Description and Command

Enable RLOG export
(Mandatory) It is used to configure the server address and port.
rlog server ip-address [ vrf vrf-name | oob ] [ port port-num ]    Specifies the RLOG server and the VRF/MGMT port to enable RLOG export. The default port number is 20000.
rlog type n server server-ip priority prio    Specifies the RLOG type and priority for a specific server.

Configure RLOG parameters
(Optional) It is used to configure the RLOG export rate.
rlog export-rate val    Sets the RLOG export rate (export counts per second).
rlog set log-com    Enables RLOG combination export.
rlog dev-ip ip    Specifies the RLOG device.
rlog filter acl_id    Enables RLOG filtering (not supported currently).

Enabling RLOG
Networking Requirements

 Configure the RLOG server.

 Configure RLOG-specific export.

Notes

 N/A

Configuration Steps

 Configuring RLOG servers

 Mandatory

 At least one RLOG server should be configured.

 Configure RLOG-specific export

 Mandatory

 At least one RLOG type should be configured.

Verification

 If RLOG export is functional, check whether the RLOG server receives every log.

Related Commands

 Configuring the RLOG server

Command    rlog server ip-address [ vrf vrf-name | oob ] [ port port-num ]
Parameter Description    ip-address: IP address of the RLOG server
    port-num: Port number of the RLOG server
    oob: OOB port
    vrf vrf-name: VRF name
Command Mode    Global configuration mode
Usage Guide    Configuring the RLOG server enables the RLOG service. However, logs are not output without configuring the relevant commands. For instance, use the ip session log-on command to enable the flow log module. Use the no rlog server ip-address command to remove the RLOG server configuration.

 Configuring the RLOG-specific type

Command    rlog type n server server-ip priority prio
Parameter Description    n: RLOG type
    server-ip: IP address of the RLOG server
    prio: RLOG priority (0-7). The lower the value is, the higher the priority is.
Command Mode    Global configuration mode
Usage Guide    Use the no rlog type n server server-ip command to remove the configuration.
Currently supported RLOG types are as follows:
[16] RLOG_TYPE_FLOW, /* flow log */
[17] RLOG_TYPE_CPU_MEM, /* CPU & memory usage log */
[18] RLOG_TYPE_DISC, /* hard disk log */
[19] RLOG_TYPE_DEV_LOG, /* device audit log */
[20] RLOG_TYPE_URL_AUDIT, /* URL audit log */
[21] RLOG_TYPE_SESSION, /* Online IP & session count log */
[22] RLOG_TYPE_IP_APP, /* IP-specific APP flow log */
[23] RLOG_TYPE_IP, /* IP-specific session count log */
[24] RLOG_TYPE_CHANNEL, /* channel-specific flow log */
[25] RLOG_TYPE_INTERFACE, /* interface-specific flow log */
[26] RLOG_TYPE_IP_OFFLINE, /* offline log */
[27] RLOG_TYPE_MAIL_AUDIT, /* E-mail audit log */
[28] RLOG_TYPE_TELNET_AUDIT, /* Telnet audit log */
[29] RLOG_TYPE_WEB_SEARCH_AUDIT, /* search audit log */
[30] RLOG_TYPE_WEB_BBS_AUDIT, /* web_bbs audit log */
[31] RLOG_TYPE_IM_AUDIT, /* IM audit log */
[32] RLOG_TYPE_FTP_AUDIT, /* FTP audit log */
[33] RLOG_TYPE_WEB_AUDIT, /* Web audit log */
[34] RLOG_TYPE_APP_AUDIT, /* App audit log */
[35] RLOG_TYPE_FLOOD, /* Flood attack detection log */
[36] RLOG_TYPE_FLOOD_CEASEm, /* Flood attack cease log */
[37] RLOG_TYPE_SCAN, /* Scan detection log */
[38] RLOG_TYPE_SCAN_CEASE, /* Scan cease log */
[39] RLOG_TYPE_ATTACK_FRAG, /* IP fragmentation attack detection log */

Configuration Example

The following configuration example describes RLOG-related configuration only.

 Configuring RLOG export for flow logs


Scenario
Figure 0-2

Configuration Steps
 Configure the RLOG server on the AC/AP.
 Enable RLOG-specific export on the AC/AP.
 Enable the flow log module.

A
A# configure terminal
A(config)# rlog server 10.10.10.10 port 20000
A(config)# rlog type 16 server 10.10.10.10 priority 1
A(config)# ip session log-on

Verification
 Check whether there are fresh log outputs.
 Check whether there are fresh RLOG exports.

A
A# show rlog-status log
local rlog message:

remote rlog message:

[16]RLOG_TYPE_FLOW : 0
[17]RLOG_TYPE_CPU_MEM : 0
[18]RLOG_TYPE_DISC : 0
[19]RLOG_TYPE_DEV_LOG : 0
[20]RLOG_TYPE_URL_AUDIT : 0
[21]RLOG_TYPE_SESSION : 0
[22]RLOG_TYPE_IP_APP : 0
[23]RLOG_TYPE_IP : 0
[24]RLOG_TYPE_CHANNEL : 0
[25]RLOG_TYPE_INTERFACE : 0
[26]RLOG_TYPE_IP_OFFLINE : 0
[27]RLOG_TYPE_MAIL_AUDIT : 0
[28]RLOG_TYPE_TELNET_AUDIT : 0
[29]RLOG_TYPE_WEB_SEARCH_AUDIT : 0
[30]RLOG_TYPE_WEB_BBS_AUDIT : 0
[31]RLOG_TYPE_IM_AUDIT : 0
[32]RLOG_TYPE_FTP_AUDIT : 0
[33]RLOG_TYPE_WEB_AUDIT : 0
[34]RLOG_TYPE_APP_AUDIT : 0
[35]RLOG_TYPE_FLOOD : 0
[36]RLOG_TYPE_FLOOD_CEASEm : 0
[37]RLOG_TYPE_SCAN : 0
[38]RLOG_TYPE_SCAN_CEASE : 0
[39]RLOG_TYPE_ATTACK_FRAG : 0
If logs are produced, the value of RLOG_TYPE_FLOW will rise.
A# show rlog
rlog server is enable
port 20000 server 192.168.1.100
port 20000 server 10.10.10.10
rlog dev-ip 0.0.0.0
rlog export-rate 10000 rlog queue remain 10000
send log count : 0 error count : 0 errorno : 0
recv buf: 0 poll buf err: 0 push buf: 0 local buf: 0
recv err cnt: 0 depatch err cnt: 0

enable log combination: 0

If export succeeds, the value of send log count will rise.
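The two checks above (a type counter rising, then send log count rising) can be automated when RLOG health is watched over time. The following Python script is an added example, not part of this guide or of RGOS: it parses show rlog-status log and show rlog output as printed above, compares two snapshots, and maps the result onto the Common Errors listed below. The sample output embedded in the script is constructed from the output shown above, with the counters edited by hand so that a change is visible.

```python
# Added example (not part of the Ruijie RGOS guide): parse the output of
# "show rlog-status log" and "show rlog" as printed in this chapter, take two
# snapshots, and apply the guide's two verification rules. The sample output
# below is constructed from the command output shown above, with the counters
# edited by hand so that a change is visible.
import re
from dataclasses import dataclass

TYPE_LINE = re.compile(r"^\[(\d+)\](\w+)\s*:\s*(\d+)$")
SEND_LINE = re.compile(r"send log count\s*:\s*(\d+)\s+error count\s*:\s*(\d+)")


@dataclass
class RlogSnapshot:
    type_counts: dict   # RLOG type number -> logs produced by that module
    send_count: int     # "send log count" from show rlog
    error_count: int    # "error count" from show rlog


def parse_status_log(text):
    """Return {type_number: count} from 'show rlog-status log' output."""
    counts = {}
    for line in text.splitlines():
        m = TYPE_LINE.match(line.strip())
        if m:
            counts[int(m.group(1))] = int(m.group(3))
    return counts


def parse_show_rlog(text):
    """Return (send_count, error_count) from 'show rlog' output."""
    m = SEND_LINE.search(text)
    if not m:
        raise ValueError("'send log count' line not found in show rlog output")
    return int(m.group(1)), int(m.group(2))


def snapshot(status_text, show_rlog_text):
    send, err = parse_show_rlog(show_rlog_text)
    return RlogSnapshot(parse_status_log(status_text), send, err)


def diagnose(before, after):
    """Compare two snapshots using the guide's rules: a log module is working
    if its type counter rises; export is working if 'send log count' rises.
    The findings map onto the chapter's 'Common Errors'."""
    produced = {}
    for t, n in after.type_counts.items():
        delta = n - before.type_counts.get(t, 0)
        if delta > 0:
            produced[t] = delta
    exported = after.send_count - before.send_count
    new_errors = after.error_count - before.error_count
    findings = []
    if not produced:
        findings.append("no log module produced logs: check that the module is enabled (e.g. ip session log-on)")
    elif exported == 0:
        findings.append("logs were produced but send log count did not rise: check rlog server and rlog type")
    if new_errors > 0:
        findings.append(f"{new_errors} new export errors")
    return {"produced": produced, "exported": exported, "new_errors": new_errors, "findings": findings}


# Constructed sample output. STATUS_T0/SHOW_T0 are the all-zero output from the
# chapter; in STATUS_T1/SHOW_T1 the flow log counter and send count were raised by hand.
STATUS_T0 = """local rlog message:

remote rlog message:

[16]RLOG_TYPE_FLOW : 0
[17]RLOG_TYPE_CPU_MEM : 0
[20]RLOG_TYPE_URL_AUDIT : 0
"""
STATUS_T1 = STATUS_T0.replace("[16]RLOG_TYPE_FLOW : 0", "[16]RLOG_TYPE_FLOW : 42")
SHOW_T0 = """rlog server is enable
port 20000 server 10.10.10.10
rlog dev-ip 0.0.0.0
rlog export-rate 10000 rlog queue remain 10000
send log count : 0 error count : 0 errorno : 0
recv buf: 0 poll buf err: 0 push buf: 0 local buf: 0
"""
SHOW_T1 = SHOW_T0.replace("send log count : 0", "send log count : 42")


def run_example():
    healthy = diagnose(snapshot(STATUS_T0, SHOW_T0), snapshot(STATUS_T1, SHOW_T1))
    # Same logs produced, but export never advanced: the "type not specified" error case
    stuck = diagnose(snapshot(STATUS_T0, SHOW_T0), snapshot(STATUS_T1, SHOW_T0))
    return healthy, stuck


if __name__ == "__main__":
    for name, result in zip(("healthy", "stuck"), run_example()):
        print(name, result)
```

In practice the two snapshots would be collected from the device a minute or so apart; the script deliberately keys on the counter deltas rather than absolute values, because a non-zero send log count left over from an earlier session says nothing about whether export is working now.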

Common Errors

 Though the RLOG server is configured, the RLOG type is not specified.

 Though the RLOG server and type are configured, the log module is not enabled.

Configuring RLOG Parameters


Configuration Effect

 RLOG operates with better performance.

Notes

 Make sure you fully understand each command parameter before configuring it; otherwise RLOG may malfunction.

Configuration Steps

 Optional

Verification

 Check whether RLOG exports normally and the servers receive the logs.

Related Commands

 Setting the RLOG export rate

Command    rlog export-rate val
Parameter Description    val: RLOG export rate (the maximum number of exports per second)
Command Mode    Global configuration mode
Configuration Usage    The RLOG export rate is determined by device and server performance as well as log output. Too low a rate causes log loss; too high a rate raises CPU consumption.

 Enabling RLOG-combination export

Command    rlog set log-com
Parameter Description    N/A
Configuration Mode    AP configuration mode/AP group configuration mode
Configuration Usage    With this function enabled, multiple logs are packed in one packet. Check whether the RLOG server supports this function before configuration.

 Configuring the IP address of the RLOG device

Command    rlog dev-ip ip
Parameter Description    ip: IP address of the RLOG device
Configuration Mode    Global configuration mode
Configuration Usage    (Optional) Specific types of logs require the IP address of the RLOG device.

 Configuring the RLOG filtering

Command    rlog filter acl_id
Parameter Description    acl_id: Access list ID
Configuration Mode    Global configuration mode
Configuration Usage    This command is not supported currently.

Configuration Example

 Configuring the device IP address and the export rate

Configuration Steps
Ruijie# configure terminal
Ruijie(config)# rlog dev-ip 10.10.10.1
Ruijie(config)# rlog export-rate 10000
Ruijie(config)# end

Verification The following example displays the configuration.


Ruijie# show rlog
rlog server is enable
port 20000 server 192.168.1.100
port 20000 server 10.10.10.10
rlog dev-ip 10.10.10.1
rlog export-rate 10000 rlog queue remain 10000
send log count : 0 error count : 0 errorno : 0
recv buf: 0 poll buf err: 0 push buf: 0 local buf: 0
recv err cnt: 0 depatch err cnt: 0

Common Errors

 Too low rate causes log loss.

Monitoring

Clearing Configuration

N/A

Displaying Running Status

Command Function
show rlog Displays the RLOG configuration.
show rlog-type Displays the RLOG type.
show rlog-status [server ip] Displays the RLOG server status.
show rlog-status client Displays the RLOG module status.
show rlog-status log Displays the RLOG count.

Displaying Debugging Information

Outputting debugging information consumes system resources. Therefore, disable debugging immediately after use.

Command    Function
debug rlog info    Enables the RLOG debugging function.
debug rlog lib    Enables RLOG library debugging.


Configuration Guide Configuring CWMP

Configuring CWMP

Overview

The CPE WAN Management Protocol (CWMP) provides a general framework for unified device management, as well as
related message specifications, management methods, and data models, so as to solve difficulties in unified management
and maintenance of scattered CPEs, improve troubleshooting efficiency, and save O&M costs.

CWMP provides the following functions:

 Auto configuration and dynamic service provisioning. When a CPE initially accesses the network after being started,
it automatically obtains configuration from a management server. The management server can dynamically change
the configuration and status of the CPE while the CPE is running.

 Main program and configuration file management. CWMP manages the main programs and configuration files of
CPEs, and upgrades the configuration files of the CPEs.

 Software module management. CWMP manages software modules according to data models implemented for these
software modules.

 Status monitoring. CWMP notifies the management server of the running status of a CPE or configuration changes
to the CPE, so as to monitor the CPE according to the real-time change notifications.

 Fault diagnosis. The management server diagnoses or solves connectivity problems and other service problems
according to information from CPEs, and can also perform pre-defined diagnosis operations.

The following sections describe CWMP only.

Protocol Specification

For details about the TR-069 protocol specifications, visit the official forum at
http://www.broadband-forum.org/technical/trlist.php. Listed below are some major specifications:

 TR-069_Amendment-4.pdf: CWMP standard

 TR-098_Amendment-2.pdf: CWMP standard for gateway device data models

 TR-106_Amendment-6.pdf: CWMP standard for CPE data models

 TR-181_Issue-2_Amendment-5.pdf: specification for CPE data model 2

 tr-098-1-4-full.xml: CWMP gateway device data model definitions

 tr-181-2-4-full.xml: CWMP CPE data model 2 definitions

Typical Applications

Typical Application    Scenario
CWMP Network Application Scenario    Perform configuration for a CPE to establish a connection with an auto-configuration server (ACS), so as to upgrade the main program of the CPE, upload the configuration file of the CPE, restore the configuration of the CPE, or attain other purposes.

CWMP Network Application Scenario


Application Scenario

The major components of a CWMP network are CPEs, an ACS, a management center, a DHCP server, and a domain
name system (DNS) server. The CPEs, which may be many, are managed by the ACS. The management center controls the ACS
so as to manage and control the CPEs. In general, a web browser is used in the management center to control the ACS.

Figure 1-1

Note  The DHCP server dynamically obtains the URL of the ACS. If the URL of the ACS is statically
configured, the DHCP server is optional.
 The DNS server parses the domain name of the ACS or the domain names of the CPEs. If the URLs of
the ACS and CPEs are IP addresses instead of domain names, the DNS server is optional.

Functional Deployment

 HTTP runs on both the CPEs and the ACS.

 The CWMP function is supported only on AP320, AP330, AP120, AP530, AP630.

Functions

Basic Concept

 Common Terminologies

 CPE: Customer Premises Equipment


 ACS: Auto-Configuration Server

 RPC: Remote Procedure Call

 DM: Data Model

 Protocol Structure

Figure 1-2 shows the structure of CWMP.

Figure 1-2

As shown in Figure 1-2, CWMP consists of six layers. These layers have the following respective functions:

 ACS/CPE Management Application

This layer is not actually within the scope of CWMP. It consists of the development work done in the various functional
modules of the CPEs/ACS to support the management function of CWMP, in the same way that the Simple Network
Management Protocol (SNMP) does not cover the MIB implementation of the functional modules.

 RPC Methods

This layer provides various RPC methods for interactions between the ACS and the CPEs, and implements operations for
these RPC methods.

 SOAP

The Simple Object Access Protocol (SOAP) layer provides CWMP protocol encapsulation and decapsulation in XML
format. The format of a CWMP message must comply with the encapsulation syntax of SOAP.

 HTTP

All CWMP messages are ultimately transmitted through the Hypertext Transfer Protocol (HTTP). Both the ACS and the
CPEs support HTTP client and server functions. The server function is used to monitor reverse connections from the peer.

 SSL/TLS

This layer provides CWMP security guarantees, including data integrity, confidentiality, and authentication.

 TCP/IP

This layer is the TCP/IP protocol stack.


 RPC Method Management

The ACS manages and monitors a CPE using mostly the following RPC methods:

 GET series of methods

The ACS uses these methods to remotely obtain information about RPC methods supported by the CPE, names of data
model parameters supported by the CPE, values of the data model parameters, and attributes of the data model
parameters.

 SET series of methods

The ACS uses these methods to remotely set the values and attributes of the data model parameters supported by the
CPE.

 INFORM method

The CPE uses the INFORM method to inform the ACS of its own device identifier, parameter information, or events. The
INFORM method is the first method involved for establishing a session between the ACS and the CPE.

 DownLoad method

The DownLoad method enables the ACS to remotely control the file downloading of the CPE, including controlling the
upgrade of the CPE's main program, controlling configuration file update, and controlling web package upgrade.

 UpLoad method

The UpLoad method enables the ACS to remotely control the file uploading of the CPE, including controlling the upload of
the configuration file of the CPE and controlling the upload of the log file of the CPE.

 Reboot method

The ACS uses the Reboot method to remotely control the reboot behavior of the CPE.

 Session Management

CWMP sessions are the basis for CWMP to operate normally, and CWMP interactions are CWMP session interactions.
All CWMP interactions between the ACS and the CPE are based on the session between the two. Interactions between
the ACS and the CPE are effectively performed through session transfer, management, and maintenance, so that the
ACS can manage and monitor the CPE. A TCP connection is established between the ACS and the CPE in a session
process between the two. The process from the beginning of Inform negotiation to the teardown of the TCP connection
upon completion of all current interactions is called a session process. Sessions are classified into CPE-initiated sessions
and ACS-solicited sessions, depending on the specific role of the session initiator. The following sections will describe the
two application scenarios.

 Data Model Management

CWMP operates based on CWMP data models, and CWMP's management of all functional modules is a set of operations
performed on the CWMP data models. Each functional module registers and implements a respective data model, just like
the MIBs implemented by various functional modules of SNMP.

A CWMP data model is represented in the form of a character string. For a clear hierarchy of the data model, a dot (.) is
used as a delimiter to distinguish an upper-level data model node from a lower-level data model node. For instance, in the
data model InternetGatewayDevice.LANDevice, InternetGatewayDevice is the parent data model node of LANDevice,
and LANDevice is the child data model node of InternetGatewayDevice.

Data model nodes are classified into two types: object nodes and parameter nodes. The parameter nodes are also known
as leaf nodes. An object node is a node under which there are child nodes, and a parameter node is a leaf node under
which there is no child node. Object nodes are further classified into single-instance object nodes and multi-instance
object nodes. A single-instance object node is an object node for which there is only one instance, whereas a
multi-instance object node is an object node for which there are multiple instances.

Data model nodes can also be classified into readable nodes and readable-and-writable nodes. A readable node is a
node whose parameter values can be read but cannot be modified, and a readable-and-writable node is a node whose
parameter values can be both read and modified.

A data model node has two attributes. One attribute relates to a notification function; that is, whether to inform the ACS of
changes (other than changes caused by CWMP) to parameter values of the data model. The other attribute is an identifier
indicating that the parameters of the data model node can be written using other management modes (than the ACS); that
is, whether the values of the parameters can be modified using other management modes such as Telnet. The ACS can
modify the attributes of the data models using RPC methods.

CWMP manages the data models using corresponding RPC methods.
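The node classification above (object vs. parameter, single- vs. multi-instance, readable vs. readable-and-writable, the two attributes) can be made concrete with a small tree. The following Python code is an added example, not code from this guide or from any CWMP implementation. InternetGatewayDevice.LANDevice is the path named in the text; the leaf names and attribute values are constructed for illustration (they follow TR-098 naming, but this is not the device's real data model).

```python
# Added example (not part of the Ruijie RGOS guide or of any CWMP
# implementation): a small data model tree that applies the node
# classification described above. InternetGatewayDevice.LANDevice is the path
# named in the text; the leaf names and attribute values below are constructed
# for illustration (they follow TR-098 naming, but this is not the device's
# real data model).
from dataclasses import dataclass


@dataclass
class Parameter:
    writable: bool                    # readable-and-writable vs readable-only
    notification: bool = False        # attribute 1: report non-CWMP changes to the ACS
    other_mgmt_writable: bool = True  # attribute 2: may be changed via Telnet etc.


class DataModel:
    def __init__(self):
        self.params = {}  # full dotted path of a leaf -> Parameter

    def add(self, path, writable=False, notification=False, other_mgmt_writable=True):
        if not path or path.endswith("."):
            raise ValueError("a parameter (leaf) path is non-empty and has no trailing dot")
        self.params[path] = Parameter(writable, notification, other_mgmt_writable)

    def children(self, path):
        """Direct child names under an object node (path given without trailing dot)."""
        prefix = path + "." if path else ""
        names = {p[len(prefix):].split(".", 1)[0] for p in self.params if p.startswith(prefix)}
        return sorted(names)

    def node_type(self, path):
        """'parameter' (leaf), 'object', or 'multi-instance object' (children are instance numbers)."""
        if path in self.params:
            return "parameter"
        kids = self.children(path)
        if not kids:
            raise KeyError(f"unknown node {path}")
        return "multi-instance object" if all(k.isdigit() for k in kids) else "object"

    def parent(self, path):
        """Parent object node, or None for a top-level node."""
        return path.rsplit(".", 1)[0] if "." in path else None

    def parameter_names(self, path):
        """All leaf paths below an object node, as a GET of names on that node would list them."""
        prefix = path + "."
        return sorted(p for p in self.params if p.startswith(prefix))

    def set_allowed(self, path, via_acs=True):
        """Whether a SET on this leaf is permitted: the node must be writable, and
        for management modes other than the ACS the second attribute must also allow it."""
        p = self.params[path]
        if not p.writable:
            return False
        return True if via_acs else p.other_mgmt_writable

    def must_notify(self, path):
        """True if a change made outside CWMP has to be reported to the ACS."""
        return self.params[path].notification


def build_sample_model():
    dm = DataModel()
    dm.add("InternetGatewayDevice.DeviceInfo.SoftwareVersion", writable=False, notification=True)
    dm.add("InternetGatewayDevice.ManagementServer.PeriodicInformInterval", writable=True)
    # credential: writable by the ACS but not via other management modes (constructed policy)
    dm.add("InternetGatewayDevice.ManagementServer.Password", writable=True, other_mgmt_writable=False)
    dm.add("InternetGatewayDevice.LANDevice.1.Hosts.HostNumberOfEntries")
    dm.add("InternetGatewayDevice.LANDevice.2.Hosts.HostNumberOfEntries")
    return dm


if __name__ == "__main__":
    dm = build_sample_model()
    for node in ("InternetGatewayDevice", "InternetGatewayDevice.LANDevice",
                 "InternetGatewayDevice.LANDevice.1", "InternetGatewayDevice.DeviceInfo.SoftwareVersion"):
        print(node, "->", dm.node_type(node))
```

The multi-instance test relies on the convention the text describes: instances appear as numeric path components directly under the object node, so LANDevice is multi-instance while LANDevice.1 is an ordinary object.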

 Event Management

When events that the ACS is concerned with occur on the CPE, the CPE needs to inform the ACS of them. The ACS
monitors these events so as to monitor the working status of the CPE. CWMP events are like SNMP trap messages or the
logs produced by the product log function. The ACS can control and adjust the events it is concerned with using RPC
methods, so as to filter out the types of events it does not care about. Events in CWMP are classified into two types:
singular events and incremental events. For a singular event, a second occurrence of the same event does not change its
quantity: the old occurrence is discarded and the new one kept. For an incremental event, the old occurrence is not
discarded and each later occurrence of the same event is kept as a complete event; that is, the count of this event is
incremented by 1.

All events that occur on the CPE are notified to the ACS using the INFORM method.
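The two event kinds and the ACS-side filtering above amount to a small piece of bookkeeping on the CPE. The following Python code is an added example, not code from this guide or from RGOS: singular events keep only the latest occurrence, incremental events keep a count, suppressed codes are dropped, and whatever is pending is handed to the next INFORM. The event codes are TR-069's; which code is treated as singular and which as incremental is a constructed table for illustration only.

```python
# Added example (not part of the Ruijie RGOS guide): pending-event bookkeeping
# for a CPE following the two event kinds described above. Singular events keep
# only the latest occurrence; incremental events keep a count. An ACS-controlled
# filter drops event types the ACS does not care about, and everything pending
# is handed to the next INFORM. The event codes are TR-069's; which code is
# singular and which incremental is a constructed table for illustration only.
SINGULAR, INCREMENTAL = "singular", "incremental"

EVENT_KINDS = {                 # constructed classification
    "1 BOOT": SINGULAR,
    "2 PERIODIC": SINGULAR,
    "4 VALUE CHANGE": SINGULAR,
    "M Download": INCREMENTAL,
    "M Upload": INCREMENTAL,
}


class EventQueue:
    def __init__(self, kinds=EVENT_KINDS):
        self.kinds = kinds
        self.suppressed = set()   # event codes the ACS asked the CPE not to report
        self.pending = {}         # code -> {"count": n, "detail": most recent payload}

    def set_filter(self, codes):
        """ACS-side control (done over RPC in CWMP): stop reporting these codes."""
        self.suppressed = set(codes)

    def record(self, code, detail=None):
        """Register an occurrence; returns False if the ACS filtered the code out."""
        if code in self.suppressed:
            return False
        entry = self.pending.get(code)
        if entry is None:
            self.pending[code] = {"count": 1, "detail": detail}
        elif self.kinds.get(code, SINGULAR) == SINGULAR:
            entry["detail"] = detail       # old occurrence discarded, new kept, no count change
        else:
            entry["count"] += 1            # every occurrence is a complete event
            entry["detail"] = detail
        return True

    def drain_for_inform(self):
        """Event list for the next INFORM as (code, count, detail); clears the queue."""
        events = [(c, e["count"], e["detail"]) for c, e in sorted(self.pending.items())]
        self.pending.clear()
        return events


def run_example():
    q = EventQueue()
    q.set_filter({"2 PERIODIC"})
    q.record("1 BOOT")
    q.record("4 VALUE CHANGE", "PeriodicInformInterval")
    q.record("4 VALUE CHANGE", "ConnectionRequestURL")   # singular: replaces the previous one
    q.record("M Download", "main program")
    q.record("M Download", "configuration file")         # incremental: counted, not replaced
    q.record("2 PERIODIC")                               # filtered by the ACS
    return q, q.drain_for_inform()


if __name__ == "__main__":
    _, events = run_example()
    for code, count, detail in events:
        print(f"{code!r} x{count} ({detail})")
```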

Features

Feature    Description
Upgrading the Main Program    The ACS controls the upgrade of the main program of a CPE using the DownLoad method.
Updating the Configuration File    The ACS controls the upgrade of the configuration file of a CPE using the DownLoad method.
Uploading the Configuration File    The ACS controls the upload of the configuration file of a CPE using the UpLoad method.
Backing up and Restoring a CPE    When a CPE breaks away from the NMS, this feature can remotely restore the CPE to the previous status.

Upgrading the Main Program


This feature is used to update the main program of a network element (NE), so as to implement device version upgrade or
replacement.

Working Principle

 Main Program Upgrading Sequence Chart

Figure 1-3

A user chooses to upgrade the main program of the CPE, and the ACS delivers the DownLoad method to the CPE for the
CPE to upgrade its main program. The CPE downloads the latest main program from a file server specified in the
DownLoad method, upgrades its own main program, and restarts after the main program is updated. After restarting, the
CPE informs the ACS that its main program has been upgraded.

The ACS may simultaneously serve as the file server; or the file server may be separately deployed.

Related Configuration
 Enabling the CWMP Function

 The CWMP function is enabled by default.

 Run the cwmp command in global configuration mode to enable the CWMP function.

 Configuring the URL of the ACS

 There is no URL for the ACS by default.

 Run the acs url command in CWMP configuration mode to configure the URL of the ACS.

 Configuring the Username of the ACS

 There is no username for the ACS by default.

 Run the acs username command in CWMP configuration mode to configure the username of the ACS.

 Configuring the User Password of the ACS

 There is no user password for the ACS by default.

 Run the acs password command in CWMP configuration mode to configure the user password of the ACS.

 Configuring the URL of the CPE

 There is no URL for the CPE by default.

 Run the cpe url command in CWMP configuration mode to configure the URL of the CPE.

 Configuring the Username of the CPE

 There is no username for the CPE by default.

 Run the cpe username command in CWMP configuration mode to configure the username of the CPE.

 Configuring the User Password of the CPE

 There is no user password for the CPE by default.

 Run the cpe password command in CWMP configuration mode to configure the user password of the CPE.

 Enabling the Periodical Notification Function on the CPE

 The notification interval of the CPE is 600 seconds by default.

 Run the cpe inform command in CWMP configuration mode to enable the periodical notification function on the
CPE.

 Configuring the Session Timeout Period of the CPE

 The session timeout period of the CPE is 30 seconds by default.

 Run the timer cpe-timeout command in CWMP configuration mode to configure the session timeout period of the
CPE.

 Configuring the File Download Function of the CPE

 The file download function is enabled on the CPE by default.


 Run the no disable download command in CWMP configuration mode to enable the file download function on
the CPE, so that the CPE can download main program and configuration files from the ACS.

Upgrading the Configuration File


This feature is used to replace the current configuration file of a CPE with a new configuration file, so that the new
configuration file acts on the CPE after the CPE is reset.

Working Principle

Figure 1-4

A user chooses to upgrade the configuration file of the CPE, and the ACS delivers the DownLoad method to the CPE for
the CPE to upgrade its configuration file. The CPE downloads the latest configuration file from a file server specified in the
DownLoad method, upgrades its own configuration file, and restarts after the configuration file is updated. After restarting,
the CPE informs the ACS that its configuration file has been upgraded.

The ACS may simultaneously serve as the file server; or the file server may be deployed as another
separate server.

Related Configuration
 Enabling the CWMP Function

Same as enabling the CWMP function in the "Upgrading the Main Program" section.

 Configuring the URL of the ACS

Same as configuring the URL of the ACS in the "Upgrading the Main Program" section.

 Configuring the Username of the ACS

Same as configuring the username of the ACS in the "Upgrading the Main Program" section.

 Configuring the User Password of the ACS

Same as configuring the user password of the ACS in the "Upgrading the Main Program" section.

 Configuring the URL of the CPE

Same as configuring the URL of the CPE in the "Upgrading the Main Program" section.

 Configuring the Username of the CPE

Same as configuring the username of the CPE in the "Upgrading the Main Program" section.

 Configuring the User Password of the CPE

Same as configuring the user password of the CPE in the "Upgrading the Main Program" section.

 Enabling the Periodical Notification Function on the CPE

Same as enabling the periodical notification function on the CPE in the "Upgrading the Main Program" section.

 Configuring the Session Timeout Period of the CPE

Same as configuring the session timeout period of the CPE in the "Upgrading the Main Program" section.

 Configuring the File Download Function of the CPE

Same as configuring the file download function of the CPE in the "Upgrading the Main Program" section.

Uploading the Configuration File


The ACS controls the configuration file of the CPE. The configuration file of the CPE is uploaded using the UpLoad
method.

Working Principle

Figure 1-5

When the CPE initially accesses the ACS, the ACS needs to learn the configuration file of the CPE in the following
learning process:

 The ACS initially receives an INFORM message from the CPE, and finds or establishes corresponding CPE database
information according to device information carried in the INFORM message.

 The ACS database does not contain the configuration file of the CPE. Therefore, the ACS delivers the Upload method
to the CPE for the CPE to upload the configuration file.

 The CPE uploads its current configuration file to the ACS.

 The CPE informs the ACS that the configuration file has been uploaded.

Related Configuration

 Enabling the CWMP Function


Same as enabling the CWMP function in the "Upgrading the Main Program" section.

 Configuring the URL of the ACS

Same as configuring the URL of the ACS in the "Upgrading the Main Program" section.

 Configuring the Username of the ACS

Same as configuring the username of the ACS in the "Upgrading the Main Program" section.

 Configuring the User Password of the ACS

Same as configuring the user password of the ACS in the "Upgrading the Main Program" section.

 Configuring the URL of the CPE

Same as configuring the URL of the CPE in the "Upgrading the Main Program" section.

 Configuring the Username of the CPE

Same as configuring the username of the CPE in the "Upgrading the Main Program" section.

 Configuring the User Password of the CPE

Same as configuring the user password of the CPE in the "Upgrading the Main Program" section.

 Enabling the Periodical Notification Function on the CPE

Same as enabling the periodical notification function on the CPE in the "Upgrading the Main Program" section.

 Configuring the Session Timeout Period of the CPE

Same as configuring the session timeout period of the CPE in the "Upgrading the Main Program" section.

 Configuring the File Upload Function of the CPE

 The file upload function of the CPE is enabled by default.

 Run the no disable upload command in CWMP configuration mode to enable the CPE to upload configuration
files and log files to the ACS.

Backing Up and Restoring a CPE


When a remote CPE breaks away from the NMS due to abnormal management operations, the CPE backup and
restoration feature can help to restore the CPE to the previous status, so that the NMS can continue to operate and
manage the CPE as necessary.

Working Principle

You can configure the restoration function on a CPE, so that the CPE can restore itself from exceptions of its main
program or configuration file. Then when the CPE fails to connect to the ACS and breaks away from the NMS after its
main program or configuration file is upgraded, the previous main program or configuration file of the CPE can be restored
in time for the ACS to manage the CPE. This kind of exception is generally caused by delivery of a wrong main program or
configuration file.

Before the CPE receives a new main program or configuration file to upgrade its main program or configuration file, the
CPE will back up its current main program and configuration file. In addition, there is a mechanism for determining
whether the problem described in the preceding scenario has occurred. If the problem has occurred, the CPE is restored
to the previous manageable status.

Related Configuration

 Configuring the CPE Backup and Restoration Function

 The CPE backup and restoration function is enabled by default, and the default restoration time is 60 seconds.

 Run the cpe back-up command in CWMP configuration mode to enable the CPE backup and restoration function.

 The greater the restoration time, the longer the CPE waits before starting the restoration.
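The decision the text describes (back up before the upgrade, wait for an ACS session, roll back when the restoration time expires without one) is easiest to reason about as a small state machine. The following Python code is an added example, not code from this guide or from RGOS: it models that decision with an injected clock so the two outcomes can be replayed deterministically. The 60-second default comes from the text; the image and configuration file names are constructed placeholders.

```python
# Added example (not part of the Ruijie RGOS guide): a deterministic model of the
# backup-and-restore decision described above. Before an upgrade the CPE backs
# up its running main program and configuration; after the upgrade it must get
# a session with the ACS within the restoration time (60 seconds by default per
# the guide), otherwise the backup is put back. The clock is injected as a plain
# number so the sequence can be replayed; image names are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class CpeImage:
    main_program: str
    config_file: str


class CpeRestoreGuard:
    def __init__(self, running, restore_time=60):
        self.running = running            # image currently in use
        self.restore_time = restore_time  # seconds the CPE waits for the ACS after an upgrade
        self.backup = None                # copy kept while an upgrade is unconfirmed
        self.upgrade_at = None            # time the new image was applied
        self.restored = False             # set when a rollback happened

    def begin_upgrade(self, now, new_image):
        """DownLoad delivered a new image: back up the running one and switch."""
        self.backup = self.running
        self.running = new_image
        self.upgrade_at = now
        self.restored = False

    def acs_session_established(self, now):
        """The post-restart INFORM was answered inside the window: commit the new image."""
        if self.upgrade_at is None or now - self.upgrade_at > self.restore_time:
            return False
        self.backup = None
        self.upgrade_at = None
        return True

    def tick(self, now):
        """Periodic check: roll back if the window expired with no ACS session."""
        if self.upgrade_at is None:
            return False
        if now - self.upgrade_at > self.restore_time:
            self.running, self.backup = self.backup, None
            self.upgrade_at = None
            self.restored = True
            return True
        return False


OLD = CpeImage("main_v1.bin", "config_v1.text")   # constructed names
NEW = CpeImage("main_v2.bin", "config_v2.text")


def good_upgrade():
    """ACS reachable after the upgrade: the new image stays."""
    g = CpeRestoreGuard(OLD)
    g.begin_upgrade(now=0, new_image=NEW)
    g.tick(now=30)
    g.acs_session_established(now=45)
    g.tick(now=120)   # window long gone, but the upgrade was already committed
    return g


def bad_upgrade():
    """Wrong image delivered, ACS never reached: rolled back after 60 s."""
    g = CpeRestoreGuard(OLD)
    g.begin_upgrade(now=0, new_image=NEW)
    g.tick(now=30)
    g.tick(now=61)
    g.acs_session_established(now=90)  # too late; the old image is already running again
    return g


if __name__ == "__main__":
    print("good:", good_upgrade().running, "restored:", good_upgrade().restored)
    print("bad: ", bad_upgrade().running, "restored:", bad_upgrade().restored)
```

A longer restore_time gives a slow-booting CPE more time to reach the ACS but, as the text notes, also delays the rollback when the delivered image really is broken.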

Configuration Details

Action    Suggestions and Related Commands

Establishing a Basic CWMP Connection
This configuration is mandatory. You need to configure the ACS username and password to be authenticated for the CPE to connect to the ACS, as well as the CPE username and password to be authenticated for the ACS to connect to the CPE.
cwmp    Enables the CWMP function and enters CWMP configuration mode.
acs username    Configures the ACS username to be authenticated for the CPE to connect to the ACS.
acs password    Configures the ACS user password to be authenticated for the CPE to connect to the ACS.
cpe username    Configures the CPE username to be authenticated for the ACS to connect to the CPE.
cpe password    Configures the CPE user password to be authenticated for the ACS to connect to the CPE.

This configuration is optional. You can configure the URLs of the CPE and the ACS or not.
acs url    Configures the URL of the ACS to which the CPE will connect.
cpe url    Configures the URL of the CPE to which the ACS will connect.

Configuring CWMP-Related Attributes
This configuration is optional. You can configure the basic functions of the CPE, such as backing up and restoring the main program or configuration file of the CPE, and disabling the CPE's function of uploading configuration and log files to the ACS.
cpe inform    Configures the periodic notification function of the CPE.
cpe back-up    Configures the backup and restoration of the main program and configuration file of the CPE.
disable download    Disables the function of downloading main program and configuration files from the ACS.
disable upload    Disables the function of uploading configuration and log files to the ACS.
timer cpe-timeout    Configures the session timeout period of the CPE in which the ACS does not return any response.

Establishing a Basic CWMP Connection


Configuration Effect

 A session connection is established between the ACS and the CPE.

Precautions

 None.

Configuration Method

 Enabling the CWMP Function and Entering CWMP Configuration Mode

 The CWMP function is enabled by default.

 This configuration is mandatory.

 This configuration is performed on the CPE.

 Configuring the ACS Username to Be Authenticated for the CPE to Connect to the ACS

 This configuration is mandatory.

 This configuration is performed on the ACS.

 Only one username can be configured for the ACS. If you configure the username of the ACS multiple times, the
latest configuration applies.

 Configuring the ACS User Password to Be Authenticated for the CPE to Connect to the ACS

 This configuration is mandatory.


 This configuration is performed on the ACS.

 The user password of the ACS can be in plaintext or encrypted form. Only one user password can be configured for
the ACS. If you configure the user password of the ACS multiple times, the latest configuration applies.

 Configuring the CPE Username to Be Authenticated for the ACS to Connect to the CPE

 This configuration is mandatory.

 This configuration is performed on the CPE.

 Only one username can be configured for the CPE. If you configure the username of the CPE multiple times, the
latest configuration applies.

 Configuring the CPE User Password to Be Authenticated for the ACS to Connect to the CPE

 This configuration is mandatory.

 This configuration is performed on the CPE.

 The user password of the CPE can be in plaintext or encrypted form. Only one user password can be configured for
the CPE. If you configure the user password of the CPE multiple times, the latest configuration applies.

 Configuring the URL of the ACS to Which the CPE Will Connect

 The default value is NULL. This configuration is optional.

 This configuration is performed on the CPE.

 Only one ACS URL can be configured. If you configure the URL of the ACS multiple times, the latest configuration
applies. The URL of the ACS must be in HTTP format.

 Configuring the URL of the CPE to Which the ACS Will Connect

 The default value is NULL. This configuration is optional.

 This configuration is performed on the CPE.

 Only one CPE URL can be configured. If you configure the URL of the CPE multiple times, the latest configuration
applies. The URL of the CPE must be in HTTP format, and cannot be in domain name format.

Verification

 Run the show cwmp configuration command.

Related Commands

 Enabling the CWMP Function

Command Syntax: cwmp
Parameter Description: None.
Command Mode: Global configuration mode
Usage Guide: None.

 Configuring the ACS Username to Be Authenticated for the CPE to Connect to the ACS

Command Syntax: acs username username
Parameter Description: username: Specifies the ACS username to be authenticated for the CPE to connect to the ACS.
Command Mode: CWMP configuration mode
Usage Guide: None.

 Configuring the ACS User Password to Be Authenticated for the CPE to Connect to the ACS

Command Syntax: acs password {password | encryption-type encrypted-password}
Parameter Description:
password: Specifies the ACS user password to be authenticated for the CPE to connect to the ACS.
encryption-type: Specifies the encryption type, which can be set to 0 (indicating that no encryption is used) or 7 (indicating that simple encryption is used).
encrypted-password: Specifies the password in encrypted form.
Command Mode: CWMP configuration mode
Usage Guide: None.

 Configuring the CPE Username to Be Authenticated for the ACS to Connect to the CPE

Command Syntax: cpe username username
Parameter Description: username: Specifies the CPE username to be authenticated for the ACS to connect to the CPE.
Command Mode: CWMP configuration mode
Usage Guide: None.

 Configuring the CPE User Password to Be Authenticated for the ACS to Connect to the CPE

Command Syntax: cpe password {password | encryption-type encrypted-password}
Parameter Description:
password: Specifies the CPE user password to be authenticated for the ACS to connect to the CPE.
encryption-type: Specifies the encryption type, which can be set to 0 (indicating that no encryption is used) or 7 (indicating that simple encryption is used).
encrypted-password: Specifies the password in encrypted form.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to configure the CPE user password to be authenticated for the ACS to connect to the CPE. In general, the encryption type does not need to be specified. The encryption type needs to be specified only when copying and pasting the encrypted password of this command. A valid password should meet the following format requirements:
 The password contains only English letters in upper or lower case and numeric characters.
 Blanks are allowed at the beginning of the password but will be ignored. Intermediate and ending blanks, however, are regarded as a part of the password.
 When the encryption-type is set to 7, the legitimate characters include only 0~9, a~f and A~F.

 Configuring the URL of the ACS to Which the CPE Will Connect

Command Syntax: acs url url
Parameter Description: url: Specifies the URL of the ACS.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to configure the URL of the ACS to which the CPE will connect. If no ACS URL is manually specified but a dynamic ACS URL is obtained through DHCP, the CPE initiates a connection to the ACS using the dynamically obtained ACS URL. The URL of the ACS should meet the following format requirements:
 The URL of the ACS is in "http://ip[:port]/path" format.
 The URL of the ACS consists of at most 256 characters.

 Configuring the URL of the CPE to Which the ACS Will Connect

Command Syntax: cpe url url
Parameter Description: url: Specifies the URL of the CPE.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to configure the URL of the CPE to which the ACS will connect. If the URL of the CPE is not manually specified, the CPE automatically selects a URL according to the URL of the ACS. The URL of the CPE should meet the following format requirements:
 The URL of the CPE is in "http://ip[:port]/" format.
 The URL of the CPE consists of at most 256 characters.

Configuration Examples

The following configuration examples describe CWMP-related configuration only.

 Configuring Usernames and Passwords on the CPE

Network Environment: Figure 1-6
Configuration Method:
 Enable the CWMP function.
 On the CPE, configure the ACS username and password to be authenticated for the CPE to connect to the ACS.
 On the CPE, configure the CPE username and password to be authenticated for the ACS to connect to the CPE.
CPE:
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# cwmp
Ruijie(config-cwmp)# acs username USERB
Ruijie(config-cwmp)# acs password PASSWORDB
Ruijie(config-cwmp)# cpe username USERB
Ruijie(config-cwmp)# cpe password PASSWORDB
Verification:
 Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie# show cwmp configuration
CWMP Status : enable
ACS URL : http://10.10.10.1:7547/acs
ACS username : USERA
ACS password : ******
CPE URL : http://10.10.10.2:7547/
CPE username : USERB
CPE password : ******

 Configuring the URLs of the ACS and the CPE


Network Environment: See Figure 1-6.
Configuration Method:
 Configure the URL of the ACS.
 Configure the URL of the CPE.
CPE:
Ruijie# configure terminal
Ruijie(config)# cwmp
Ruijie(config-cwmp)# acs url http://10.10.10.1:7547/acs
Ruijie(config-cwmp)# cpe url http://10.10.10.1:7547/
Verification:
 Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie# show cwmp configuration
CWMP Status : enable
ACS URL : http://10.10.10.1:7547/acs
ACS username : USERA
ACS password : ******
CPE URL : http://10.10.10.2:7547/

Common Errors

 The user-input encrypted password is longer than 254 characters, or the length of the password is not an even
number.

 The user-input plaintext password is longer than 100 characters.

 The user-input plaintext password contains illegal characters.

 The user-input encrypted password contains illegal characters (the legitimate characters include only 0~9, a~f and
A~F).

 The URL of the ACS is set to NULL.

 The URL of the CPE is set to NULL.
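The password and URL rules above (from the Usage Guides and this Common Errors list) as an added, constructed checker; it is not part of this guide or of RGOS. It lets a generated CWMP credential or URL be checked against the documented constraints before it is pasted into the CPE, and assumes the reading that, once leading blanks are dropped, every remaining character of a plaintext password must be a letter or digit.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed checker (not RGOS code) for the CWMP rules this guide documents:
#   plaintext password : letters and digits only, at most 100 characters,
#                        leading blanks ignored
#   encrypted password : hex digits only (0-9, a-f, A-F), at most 254
#                        characters, even length
#   ACS URL            : http://ip[:port]/path, at most 256 characters, not NULL
#   CPE URL            : http://ip[:port]/, IP address (no domain name),
#                        at most 256 characters, not NULL
PLAINTEXT_MAX = 100
ENCRYPTED_MAX = 254
URL_MAX = 256

_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def check_password(password: str, encryption_type: int = 0) -> list[str]:
    """Return the documented errors for an acs/cpe password (empty if valid).

    encryption_type 0 is plaintext, 7 is the "simple encryption" form that is
    only used when pasting an already-encrypted password back into the CLI.
    """
    errors: list[str] = []
    if encryption_type == 0:
        # Leading blanks are ignored; everything after them is part of the
        # password and must satisfy the letters-and-digits rule (assumed reading).
        candidate = password.lstrip(" ")
        if len(candidate) > PLAINTEXT_MAX:
            errors.append("plaintext password is longer than 100 characters")
        if not re.fullmatch(r"[A-Za-z0-9]+", candidate):
            errors.append("plaintext password contains illegal characters")
    elif encryption_type == 7:
        if len(password) > ENCRYPTED_MAX or len(password) % 2 != 0:
            errors.append("encrypted password is longer than 254 characters "
                          "or has an odd length")
        if not re.fullmatch(r"[0-9a-fA-F]+", password):
            errors.append("encrypted password contains illegal characters")
    else:
        errors.append("encryption type must be 0 or 7")
    return errors


def check_url(url: str | None, role: str) -> list[str]:
    """Return the documented errors for the ACS ('acs') or CPE ('cpe') URL."""
    label = role.upper()
    if not url:
        return [f"{label} URL is NULL"]
    errors: list[str] = []
    if len(url) > URL_MAX:
        errors.append(f"{label} URL is longer than 256 characters")
    parts = urlsplit(url)
    if parts.scheme != "http":
        errors.append(f"{label} URL must be in HTTP format")
    host = parts.hostname or ""
    try:
        parts.port  # raises ValueError when the port is not a number
    except ValueError:
        errors.append(f"{label} URL has a malformed port")
    if role == "cpe":
        # The CPE URL is the address the ACS connects back to: IP only, path "/".
        if not _IPV4.match(host):
            errors.append("CPE URL must use an IP address, not a domain name")
        if parts.path != "/":
            errors.append("CPE URL must be in http://ip[:port]/ format")
    else:
        if not host:
            errors.append("ACS URL has no host")
        if not parts.path.startswith("/"):
            errors.append("ACS URL must be in http://ip[:port]/path format")
    return errors


def check_cwmp_example() -> dict[str, list[str]]:
    """Run the checks over the values used in this guide's configuration
    examples; every entry is expected to come back empty."""
    return {
        "acs password": check_password("PASSWORDB"),
        "cpe password": check_password("PASSWORDB"),
        "acs url": check_url("http://10.10.10.1:7547/acs", "acs"),
        "cpe url": check_url("http://10.10.10.2:7547/", "cpe"),
    }


if __name__ == "__main__":
    for name, problems in check_cwmp_example().items():
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```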

Configuring CWMP-Related Attributes


Configuration Effect

 You can configure common functions of the CPE, such as the backup and restoration of its main program or
configuration file, whether to enable the CPE to download main program and configuration files from the ACS, and
whether to enable the CPE to upload its configuration and log files to the ACS.

Configuration Method

 Configuring the Periodic Notification Function of the CPE

 This configuration is optional. The value range is from 30 to 3600 in seconds. The default value is 600.

 Perform this configuration to reset the periodical notification interval of the CPE.

 This configuration is performed on the CPE.

 Disabling the Function of Downloading Main Program and Configuration Files from the ACS

 This configuration is optional. The CPE can download main program and configuration files from the ACS by default.

 Perform this configuration if the CPE does not need to download main program and configuration files from the ACS.

 This configuration is performed on the CPE.

 Disabling the Function of Uploading Configuration and Log Files to the ACS

 This configuration is optional. The CPE can upload configuration and log files to the ACS by default.

 Perform this configuration if the CPE does not need to upload configuration and log files to the ACS.

 This configuration is performed on the CPE, so that the CPE does not upload configuration and log files to the ACS.

 Configuring the Backup and Restoration of the Main Program and Configuration File of the CPE

 This configuration is optional. The backup and restoration of the main program and configuration file of the CPE is
enabled by default. The value range is from 30 to 10000 in seconds. The default value is 60.

 Perform this configuration to modify the function of backing up and restoring the main program and configuration file
of the CPE.

 This configuration is performed on the CPE.

 Configuring the Session Timeout Period of the CPE in Which the ACS Does Not Return Any Response

 The configuration is optional. The value range is from 10 to 600 in seconds. The default value is 30.

 Perform this configuration to modify the session timeout period of the CPE in which the ACS does not return any
response.

 This configuration is performed on the CPE.

Verification

 Run the show cwmp configuration command.


Related Commands

 Configuring the Periodic Notification Function of the CPE

Command Syntax: cpe inform [interval seconds] [starttime time]
Parameter Description:
seconds: Specifies the periodical notification interval of the CPE. The value range is from 30 to 3600 in seconds. The default value is 600.
time: Specifies the date and time for starting periodical notification in yyyy-mm-ddThh:mm:ss format.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to configure the periodic notification function of the CPE.
 If the time for starting periodical notification is not specified, periodical notification starts after the periodical notification function is enabled. The notification is performed once within every notification interval.
 If the time for starting periodical notification is specified, periodical notification starts at the specified start time. For instance, if the periodical notification interval is set to 60 seconds and the start time is 12:00 am next day, periodical notification will start at 12:00 am next day and once every 60 seconds.

 Disabling the Function of Downloading Main Program and Configuration Files from the ACS

Command Syntax: disable download
Parameter Description: None.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to disable the function of downloading main program and configuration files from the ACS.
 This command does not act on configuration script files. The configuration scripts can still be executed even if this function is disabled.

 Disabling the CPE's Function of Uploading Configuration and Log Files to the ACS

Command Syntax: disable upload
Parameter Description: None.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to disable the function of uploading configuration and log files to the ACS.

 Configuring the Backup and Restoration of the Main Program and Configuration File of the CPE

Command Syntax: cpe back-up [delay-time seconds]
Parameter Description: seconds: Specifies the delay for backup and restoration of the main program and configuration file of the CPE.
Command Mode: CWMP configuration mode
Usage Guide: None.

 Configuring the Session Timeout Period of the CPE in Which the ACS Does Not Return Any Response

Command Syntax: timer cpe-timeout seconds
Parameter Description: seconds: Specifies the timeout period in seconds. The value range is from 10 to 600.
Command Mode: CWMP configuration mode
Usage Guide: None.

Configuration Examples

 Configuring the Periodical Notification Interval of the CPE

Network Environment: See Figure 1-6.
Configuration Method:
 Enable the CWMP function and enter CWMP configuration mode.
 Set the periodical notification interval of the CPE to 60 seconds.
CPE:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#cwmp
Ruijie(config-cwmp)#cpe inform interval 60
Verification: Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE inform interval : 60s

 Disabling the Function of Downloading Main Program and Configuration Files from the ACS

Network Environment: See Figure 1-6.
Configuration Method:
 Enable the CWMP function and enter CWMP configuration mode.
 Disable the function of downloading main program and configuration files from the ACS.
CPE:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#cwmp
Ruijie(config-cwmp)#disable download
Verification: Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE download status : disable

 Disabling the CPE's Function of Uploading Configuration and Log Files to the ACS

Network Environment: See Figure 1-6.
Configuration Method:
 Enable the CWMP function and enter CWMP configuration mode.
 Disable the CPE's function of uploading configuration and log files to the ACS.
CPE:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#cwmp
Ruijie(config-cwmp)# disable upload
Verification: Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE upload status : disable

 Configuring the Backup and Restoration Delay

Network Environment: See Figure 1-6.
Configuration Method:
 Enable the CWMP function and enter CWMP configuration mode.
 Set the backup and restoration delay to 100 seconds.
CPE:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#cwmp
Ruijie(config-cwmp)# cpe back-up delay-time 30
Verification:
 Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE back up delay time : 30s

 Configuring the Session Timeout Period of the CPE

Network Environment: See Figure 1-6.
Configuration Method:
 Enable the CWMP function and enter CWMP configuration mode.
 Set the session timeout period of the CPE to 100 seconds.
CPE:
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# cwmp
Ruijie(config-cwmp)# timer cpe-timeout 100
Verification:
 Run the show command on the CPE to check whether the configuration commands have been successfully applied.
CPE:
Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE wait timeout : 100s

Common Configuration Errors

None

Monitoring and Maintaining CWMP

Checking the Running Status

show cwmp configuration: Shows the current configuration of CWMP.
show cwmp status: Shows the running status of CWMP.
Configuration Guide Configuring LED

Configuring LED

Overview

A light-emitting diode (LED) is a solid-state semiconductor light source. It serves as an indicator that shows the AP's
working status in different colors.

This section introduces only the LED.

Protocols and Standards

N/A

Typical Application

N/A

Function Details

Ruijie products support one or more LEDs to display the AP's working status. For example, the LED on an Ethernet
interface blinks when traffic flows through it. LEDs are controlled through GPIO or CPLD ports and show different states,
such as solid green, blinking green, and blinking red. By observing the LEDs, you can easily tell the AP's working status
and faults.

Configuration Details

Configuration Item: Configuring Quiet Mode
Configuration Suggestion & Relevant Command: (Optional) Used to enable LED quiet mode.
quiet-mode session: Enables LED quiet mode.

Configuring Quiet Mode


Configuration Effect

 All LEDs on an AP are off when this command takes effect.

Notes

 You must configure the effective time for the quiet mode at first.

Configuration Method

 Configuring session

 Optional configuration.

 Create a session before the configuration of the quiet mode.

 Configure the effective time for the session.

Command Syntax: schedule session sid time-range n period day1 [ to day2 ] time hh1:mm1 to hh2:mm2
Parameter Description:
sid: scheduled session ID.
n: scheduled session period No.
day1: scheduled session period; day1 indicates the start date, in the range of { sun | mon | tue | wed | thu | fri | sat }.
to day2: the end date; by default the interval covers only one day.
time hh1:mm1 to hh2:mm2: scheduled session time. hh1:mm1 is the start time and hh2:mm2 the end time, in the range from 0 to 23 hours and 0 to 59 minutes.
Defaults: N/A
Command Mode: Global configuration mode
Usage Guide: Configure a session at first.

 Configuring Quiet Mode

 Optional configuration.

 Configuring LED quiet mode.

Command Syntax: quiet-mode session session-num
Parameter Description: session-num: specifies the session ID.
Default Configuration: This function is disabled by default.
Configuration Mode: AP configuration mode
Usage Guide: Configure a session at first.

Check Method

 All LEDs are off when the system time is within the session interval.

Configuration Examples

 Configuring LED Quiet Mode from Monday 11pm to Tuesday 7am Every Week

Configuration Steps:
 Configure a session.
 The following example configures the session ID for the quiet mode.
Ruijie# configure terminal
Ruijie(config)#schedule session 1
Ruijie(config)#schedule session 1 time-range 1 period Mon time 23:00 to 7:00
Ruijie(config)#ap-config 00d0.f822.33bc
Ruijie(config-ap)#quiet-mode session 1
Verification: When the system time is within the session interval, all LEDs on the AP are off.
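An added, constructed evaluator for the session window that quiet-mode session follows; it is not part of this guide or of RGOS. It parses a schedule session ... time-range line in the syntax documented above and reports whether a given clock time falls inside the window (LEDs off). It assumes, following the example heading "Monday 11pm to Tuesday 7am", that an end time not later than the start time runs the window past midnight into the next day, and that period day1 to day2 wraps over the end of the week.

```python
from __future__ import annotations

import re
from datetime import datetime

# Weekday keywords in datetime.weekday() order (Monday == 0).
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

# schedule session sid time-range n period day1 [to day2] time hh1:mm1 to hh2:mm2
_TIME_RANGE = re.compile(
    r"^schedule session (\d+) time-range (\d+) period ([a-z]{3})(?: to ([a-z]{3}))?"
    r" time (\d{1,2}):(\d{2}) to (\d{1,2}):(\d{2})$",
    re.IGNORECASE,
)


def parse_time_range(line: str) -> dict:
    """Parse one 'schedule session ... time-range ...' line into a window rule."""
    m = _TIME_RANGE.match(line.strip())
    if not m:
        raise ValueError(f"not a schedule session time-range line: {line!r}")
    sid, n, day1, day2, h1, m1, h2, m2 = m.groups()
    hours = (int(h1), int(h2))
    minutes = (int(m1), int(m2))
    if any(h > 23 for h in hours) or any(mi > 59 for mi in minutes):
        raise ValueError("hours must be 0-23 and minutes 0-59")
    return {
        "session": int(sid),
        "range": int(n),
        "day1": DAYS.index(day1.lower()),
        "day2": DAYS.index((day2 or day1).lower()),  # one day unless 'to' is given
        "start": hours[0] * 60 + minutes[0],          # minutes since midnight
        "end": hours[1] * 60 + minutes[1],
    }


def period_days(rule: dict) -> list[int]:
    """Expand day1..day2 (inclusive) into weekday indices, wrapping over the week."""
    days = [rule["day1"]]
    while days[-1] != rule["day2"]:
        days.append((days[-1] + 1) % 7)
    return days


def leds_quiet(rule: dict, when: datetime) -> bool:
    """True when `when` lies inside the window, i.e. the AP's LEDs are off.

    The window is [start, end) on each day of the period. When end <= start the
    window is assumed to run past midnight into the next day, which is how the
    guide's 'period Mon time 23:00 to 7:00' example reaches Tuesday 07:00.
    """
    now = when.hour * 60 + when.minute
    weekday = when.weekday()
    start, end = rule["start"], rule["end"]
    for day in period_days(rule):
        if start < end:
            if weekday == day and start <= now < end:
                return True
        else:
            if weekday == day and now >= start:
                return True
            if weekday == (day + 1) % 7 and now < end:
                return True
    return False


if __name__ == "__main__":
    rule = parse_time_range(
        "schedule session 1 time-range 1 period Mon time 23:00 to 7:00")
    # Constructed probe times; 2015-06-01 is a Monday.
    for probe in (datetime(2015, 6, 1, 22, 59), datetime(2015, 6, 1, 23, 30),
                  datetime(2015, 6, 2, 6, 59), datetime(2015, 6, 2, 7, 0)):
        state = "LEDs off" if leds_quiet(rule, probe) else "LEDs on"
        print(probe.strftime("%a %H:%M"), state)
```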

Common Mistakes

 Configured session ID does not exist.

Monitoring and Maintenance

Clear Configuration

N/A

Display Operation

N/A

Display Debugging

N/A
Configuration Guide Configuring USB

Configuring USB

Overview

This document describes USB storage devices (mainly USB disk). The system only recognizes the USB disk partitioned
by FAT. Other file systems cannot be identified.

After inserting a USB disk, the system prompts that USB disk is found. The files in this USB disk can be positioned and
accessed through URL, such as usb0:/abc/1.txt.

Configuring Device Usage

Just insert a USB device into the USB slot. Messages as below are displayed if the system finds the device and loads the
driver.

*Jan 1 00:09:42: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been inserted to USB port
0!
*Jan 1 00:09:42: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb0 (type: FAT32), size: 1050673152B
(1002MB)

<USB Mass Storage Device> is the name of the found device; usb0 is the first USB device, and size is the partition size.
This U-disk has 1002 MB space.

Using the Device


After loading USB disk to the system, directly run file system commands (dir, copy, del, and others) to operate USB disk.
Operations below show how to copy the file of USB disk to flash.

Enter the USB disk partition:

Ruijie# cd usb0:/

Enter the SD card partition:

Ruijie# cd sd0:/

Copy the a.txt file in the USB disk to the device's root directory.

Ruijie# copy a.txt usb0:/b.txt

Run the dir command. The result shows that the b.txt file has been added to the USB disk.

For other operation commands, see the “File System Management” section.

The RGOS system supports devices that follow standard SCSI commands (the USB disks in general use).
Other devices (such as USB disks attached to USB network access cards and USB disks that present a
virtual USB optical drive) cannot be used in the RGOS system.

USB disks only support the FAT file system. Other file systems can be used only after being transformed into
the FAT file system.

When there are multiple partitions on a USB disk, only the first FAT partition can be accessed.

RGOS does not support USB movable disks (USB-HDD).

Upper-layer (parent) directories do not work inside USB disks. After entering a USB disk through cd usbX:\, you
return to the flash file system via cd flash:\.

For the description about usage scenarios of USB disks, see the command configuration guide of each
application. Copied cases exist in the command configuration guide of copy or FS. Redirection of syslog is
described in the command configuration guide of the SYSLOG module. "Designating a file on the USB to
start the system" is described in the command configuration guide of multi-boot.

In CRTL, a USB disk serves only for the multi-boot function, which is described in the command configuration guide of
multi-boot.

Showing USB Device Information


show usb: Shows the USB device information of the system.

Device information is displayed if there is a USB device. Otherwise, there is no output. If the USB disk is connected to the
USB port on the device, the ID displayed by running the show usb command is X, the USB port number. If the USB disk
is connected to the USB port on the device via a HUB, the ID displayed by running the show usb command is X-Y, in
which X stands for the USB port number and Y for the HUB slot number.

In the CLI command mode, use the show usb command to view the USB information of the system. The displayed
information is as follows:

Ruijie# show usb
Device: Mass Storage:
ID: 0
URL prefix: usb0
Disk Partitions:
usb0(type:FAT32)
Size : 131,072,000B(125MB)
Available size: 1,260,020B(1.2MB)

Ruijie# show usb
Device: Mass Storage:
ID: 1
URL prefix: sd0
Disk Partitions:
SD (type: FAT32)
Size: 131,072,000B (125MB)
Available size: 1,260,020B(1.2MB)

USB Mass Storage Device is the name of the device.

URL prefix is the prefix used to access the USB disk.

Size is the total size of the accessible partition on the USB disk.

Available size is the remaining free space on the USB disk or SD card.

Unplugging USB Device


Before pulling out a USB device, run the uninstall command on the CLI so that the device is not removed while the
system is still using it, which would cause an error.

usb remove device_id: Uninstalls the USB device with the given device_id.

As shown above, ID0 indicates a USB device. The commands below can uninstall the corresponding USB device.

Ruijie# usb remove 0

After the uninstall command is used, the system will print:

OK, now you can pull out the device 0.

Sometimes the uninstall fails because the device is still in use. Wait a while, and then run the uninstall command
again before pulling out the device.

Be sure to uninstall the device first and then unplug it, to prevent system errors.

USB Faults

Assume that the system prints the following message:

*Jan 2 00:00:39: %USB-3-OHCI_ERR: USB1.0 controller is not available now.

The USB 1.0 controller is not available, while the USB 2.0 controller is still available. In this case, reset the whole
system to use a USB disk of the corresponding version.

Assume that the system prints the following message:

*Jan 2 00:00:39: %USB-3-EHCI_ERR: USB2.0 controller is not available now.

The USB 2.0 controller is not available, while the USB 1.0 controller is still available. In this case, reset the whole
system to use a USB disk of the corresponding version.
Configuration Guide Configuring PKG_MGMT

Configuring PKG_MGMT

Overview

Package management (pkg_mgmt) is a package management and upgrade module. This module is responsible for
installing, upgrading/degrading, querying and maintaining the various components of the device, among which upgrade is
the main function. Through upgrade, users can install a new software version that is more stable or more powerful.
Adopting a modular structure, the RGOS system not only supports overall upgrade and subsystem upgrade but also
supports separate upgrade of a feature package. In addition, the RGOS system supports upgrade through hot patches.

Component upgrade described in this document applies to both the box device and rack device. In addition, this
document is for only version 11.0 and later, excluding those upgraded from earlier versions.

Protocol Specification

None

Typical Application

Typical Application Scenario


Upgrading/Degrading a Subsystem Package: Upgrade subsystem packages like boot, kernel, and rootfs on the box device and rack device.
Upgrading/Degrading a Single Feature Package: Upgrade a single feature package on the box device and rack-mount device.
Installing a Hot Patch Package: Install a hot patch, and repair a certain part of the feature component.

Upgrading/Degrading Subsystem Package


Application Scenario

After the upgrade of a subsystem package is complete, all system software on the device is updated, and the overall
software is enhanced. Generally, the subsystem package of the box device is called main package, and the subsystem
package of the rack-mount device is called rack package.

The main features of this upgrade mode are as follows: The upgrade lasts for a long time; all software on the device is
updated after the upgrade is completed; all known software bugs are fixed.

Function Deployment

You can store the main package in the root directory of the TFTP server, download the package to the device, and then
run an upgrade command to upgrade the package locally. You can also store the main package in a USB flash drive or
SD card, connect the USB flash drive or SD card to the device, and then run an upgrade command to upgrade the
package.

You must store the rack package in a USB flash drive or SD card before performing the upgrade because the rack
package is too large to be stored in the memory space of the device.

Upgrading/Degrading a Single Feature Package


Application Scenario

Device software consists of several components, and each component is an independent feature module. After an
independent feature package is upgraded, only the feature bug corresponding to this package is fixed. Besides, this
feature is enhanced with the other features unchanged.

The features of this upgrade mode are as follows: Generally, a feature package is small and the upgrade speed is high.
After the upgrade is completed, only the corresponding functional module is improved, and other functional modules
remain unchanged.

Function Deployment

You can store this package in the root directory of the TFTP server, download the package to the local device, and then
complete the upgrade. You can also store the package in a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then complete the upgrade.

Installing a Hot Patch Package


Application Scenario

To fix software bugs without restarting the device, you can install hot patch packages. Hot patch packages are only
applicable to fixing a specific software version. Generally, hot patch packages are released to fix the software of a certain
version only when the device cannot be started in the user's environment.

The most significant feature of hot patch upgrade is that all bugs can be fixed without device restart after the upgrade is
completed.

Function Deployment

You can store this package in the root directory of the TFTP server, download the package to the local device, and then
complete the upgrade. You can also store the package in a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then complete the upgrade.

Function Details

Basic Concepts

 Subsystem

A subsystem exists on a device in the form of images. The subsystems of the RGOS include:

 boot: After being powered on, the device loads and runs the boot subsystem first. This subsystem is responsible for
initializing the device, and loading and running system images.
 kernel: kernel is the OS core part of the system. This subsystem shields hardware composition of the system and
provides applications with abstract running environment.
 rootfs: rootfs is the collection of applications in the system.

 Main Package and Rack Package

Main package is often used to upgrade/degrade a subsystem of the box device. The main package may be a combination
package of the kernel and rootfs subsystems or a combination package of the boot, kernel, and rootfs subsystems. The
main package can be used for overall system upgrade/degradation.

A rack package is used to upgrade a subsystem component of the rack device. This type of package contains the main
packages of the supervisor module and all line cards. Therefore, a rack package can be used to upgrade all line cards on
a rack device once for all.

 Feature Package of RGOS

The feature package of RGOS refers to a collection which enables a certain feature. When the device is delivered, all
supported functions are contained in the rootfs subsystem. You can upgrade only a specific feature by upgrading a single
feature package.

 Hot Patch Package

A hot patch package contains the hot patches of several features. You can upgrade a hot patch package to install patches
for various features. New features are provided immediately without device restart after the upgrade.

"Installation package" in this document refers to an installation file that contains a subsystem or feature module.

Functions and Features

Upgrading/Degrading Subsystem Components: Upgrade/degrade a subsystem.
Upgrading/Degrading Features and Installing Hot Patch Packages: Upgrade/degrade a feature or install a hot patch package.
Managing Subsystem Components: Enable a user to query available subsystem components on the device and activate selected subsystems.
Managing Features and Hot Patches: Enable a user to query the feature packages on the device and their version and installation information. In addition, users can monitor the integrity and validity of components.

Upgrading/Degrading and Managing Subsystem Components


Subsystem upgrade/degradation upgrades the software by replacing the subsystem components of the device with the
subsystem components in the installation package. Because each subsystem component has a redundancy design, the
subsystems on the device are in most cases not overwritten by those in the package. Instead, the new subsystem is added
to the device and then activated, while the previous one is kept as the redundant backup.

Working Principle

 Upgrade/Degradation

The subsystems exist on the device in different forms, so the upgrade/degradation procedure differs per subsystem:

 boot: Generally, this subsystem exists on the NOR flash device in the form of an image, so upgrading/degrading it
means writing the image to the NOR flash device.
 kernel: This subsystem exists in a dedicated partition in the form of a file, so upgrading/degrading it means
writing the file to that partition.
 rootfs: Generally, this subsystem exists on the NAND flash device in the form of an image, so upgrading/degrading
it means writing the image to the NAND flash device.

 Management

Query the subsystem components that are currently available and then load the subsystem components as required.

Each subsystem component has a redundancy design. During upgrade/degradation:

 boot: The boot subsystem always consists of a master boot subsystem and a slave boot subsystem. Only the master
boot subsystem is upgraded; the slave boot subsystem serves as the redundancy backup at all times.
 kernel: The kernel subsystem keeps at least one redundancy backup. More backups are kept if there is enough
space.
 rootfs: The rootfs subsystem always keeps one redundancy backup.

Because of its particularity, the boot component is not included in the scope of subsystem management. When the
kernel or rootfs subsystem component is upgraded/degraded, the upgrade/degradation module always records the
subsystem component in use, the redundant subsystem component, and related information in its configuration file. This
record is what enables subsystem components to be queried, selected, and loaded, and what makes a later rollback to the
previous component possible.
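The redundancy and rollback rules above, exercised as an added Python model. This is not Ruijie code and not how the RGOS upgrade module is implemented: it only reproduces the behaviour the guide states (a new kernel or rootfs image is added beside the running one and then activated, the previous image stays as the backup, and upgrade rollback is accepted once and only directly after a successful subsystem upgrade). The slot counts, the Device record and the method names are assumptions; the version strings are the ones that appear in the example logs of this guide.

```python
"""Model of the subsystem redundancy and rollback rules described above.

Added example, not Ruijie code: it reproduces the behaviour the guide states
(a new kernel/rootfs image is added beside the running one and activated, the
previous image is kept as the redundancy backup, and `upgrade rollback` undoes
one successful subsystem upgrade and nothing else). Slot counts, the Device
record and the method names are assumptions; the version strings are taken
from the example logs in this guide.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class UpgradeError(Exception):
    """Raised when an operation would break a rule stated in the guide."""


@dataclass
class Subsystem:
    name: str
    slots: int                      # kernel: active + >= 1 backup; rootfs: active + 1 backup (assumed counts)
    active: str                     # version id of the image currently in use
    backups: List[str] = field(default_factory=list)   # newest first

    def activate(self, version: str) -> str:
        """Put the new image in a spare slot and switch to it.

        The image that was running becomes the newest backup; when every slot
        is in use the oldest backup is dropped (assumed policy). Returns the
        transition in the 'old->new' form the upgrade log prints.
        """
        if version == self.active:
            raise UpgradeError(f"{self.name}: {version} is already active")
        self.backups.insert(0, self.active)
        del self.backups[self.slots - 1:]        # keep at most slots-1 backups
        old, self.active = self.active, version
        return f"{old}->{version}"

    def revert(self) -> str:
        """Swap the active image with the most recent backup."""
        if not self.backups:
            raise UpgradeError(f"{self.name}: no redundancy backup available")
        old = self.active
        self.active, self.backups[0] = self.backups[0], self.active
        return f"{old}->{self.active}"


@dataclass
class Device:
    kernel: Subsystem
    rootfs: Subsystem
    features: Dict[str, str] = field(default_factory=dict)   # feature name -> version
    last_op: Optional[str] = None   # what the upgrade module recorded last

    def upgrade_main(self, kernel_ver: str, rootfs_ver: str) -> Dict[str, str]:
        """Main package: kernel and rootfs are replaced together; a restart is still needed."""
        result = {
            "Kernel": self.kernel.activate(kernel_ver),
            "Rootfs": self.rootfs.activate(rootfs_ver),
        }
        self.last_op = "subsystem"
        return result

    def upgrade_feature(self, name: str, version: str) -> str:
        """Feature package: only that feature's files change, no subsystem slot moves."""
        old = self.features.get(name, "none")
        self.features[name] = version
        self.last_op = "feature"
        return f"{name} version[{old}->{version}]"

    def rollback_allowed(self) -> bool:
        """Rollback is accepted only directly after a successful subsystem upgrade."""
        return self.last_op == "subsystem"

    def rollback(self) -> Dict[str, str]:
        if not self.rollback_allowed():
            raise UpgradeError("rollback is only possible directly after a successful subsystem upgrade")
        result = {"kernel": self.kernel.revert(), "rootfs": self.rootfs.revert()}
        self.last_op = "rollback"       # a second, consecutive rollback is refused
        return result


def demo_device() -> Device:
    """Box device with the versions that the example log in this guide shows as 'old'."""
    return Device(
        kernel=Subsystem("kernel", slots=3, active="2.6.32.91f9d21"),
        rootfs=Subsystem("rootfs", slots=2, active="1.0.0.2ad02537"),
        features={"bridge": "2.0.1.37cd5cda"},
    )


if __name__ == "__main__":
    dev = demo_device()
    print(dev.upgrade_main("2.6.32.9f8b56f", "1.0.0.1bcc12e8"))   # same transitions as the guide's log
    print(dev.rollback())                                            # allowed once
    print("second rollback allowed:", dev.rollback_allowed())        # False
```

Running the module prints the transitions in the same old->new form as the device log. The rollback_allowed check is the rule the guide states in words: a rollback is refused after a feature or hot patch upgrade and cannot be executed twice in succession, because the upgrade module only records one previous component to return to.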

Relevant Configuration

 Upgrade

 Store the upgrade file on the local device, and then run the upgrade command to perform the upgrade.

Upgrading/Degrading and Managing Functional Components


Working Principle

Upgrading a feature replaces the feature files on the device with the feature files in the package.

Feature components and hot patches are managed by recording their information in a database: installing, displaying,
and uninstalling a component correspond to the Add, Query, and Delete operations on that database.

Relevant Configuration

 Upgrade

 Store the upgrade file on the local device, and then run the upgrade command to perform the upgrade.

Upgrading/Degrading and Managing Hot Patch Packages


Working Principle

Upgrading/degrading feature components and installing hot patches are based on the same technology.

Upgrading a feature component replaces the feature files on the device with the feature files in the package.

Upgrading a hot patch package is similar to upgrading a feature. The difference is that only the files to be revised are
replaced during the hot patch package upgrade, and the replaced files take effect without a device restart once the patch
is activated.

 Management

Like feature component management, hot patch management covers the query, installation, and uninstallation
operations, which correspond to querying, adding, and deleting data in the database.

Hot patches and feature components are managed with the same technology. The difference is that a hot patch has three
states: Not installed, Installed, and Activated.

A hot patch in the Installed state only exists on the device; it has not taken effect yet.

Only a hot patch in the Activated state is in effect.

Relevant Configuration

 Upgrade

 Store the upgrade file on the local device, and then run the upgrade command to perform the upgrade.

 Activating a Hot Patch

 Run the patch active command to activate a patch temporarily. The patch becomes invalid after a device restart; to
use it after the restart, you must activate it again.
 Run the patch running command to activate a patch permanently. The patch remains valid after a device restart.
 A patch that is not activated never takes effect.

 Deactivating a Hot Patch

 To deactivate an activated patch, run the patch deactive command.

 Uninstalling a Hot Patch

 Run the patch delete command to uninstall a hot patch.

Configuration Details

Configuration Item                              Configuration Suggestion & Relevant Command

Upgrading/Degrading an Installation Package     The basic function of the configuration is installing and
                                                upgrading/degrading a subsystem package, feature package, or hot patch
                                                package. The commands are valid on both box devices and rack devices.

                                                upgrade url
                                                url is the local path where the installation package is stored. This
                                                command upgrades an installation package stored on the device.

                                                upgrade download tftp://path
                                                path is the path of the installation package on the server. This
                                                command downloads the installation package from the server and
                                                upgrades it automatically.

                                                upgrade download oob_tftp://path [ via mgmt { number } ]
                                                path is the path of the installation package on the server. via mgmt
                                                number selects a specific MGMT port when the transfer mode is oob_tftp
                                                and the device has multiple MGMT ports. This command downloads the
                                                installation package from the server and upgrades it automatically.

Upgrading/Degrading an Installation Package


Configuration Effect

Available installation packages include the main package, the rack package, the various feature packages, and hot patch
packages.

 After the main package is upgraded, all system software on the device (or on the line card the package is for) is
updated, and the overall software is enhanced.
 After the rack package is upgraded, all system software on the rack device is updated, and the overall software is
enhanced.
 After an independent feature package is upgraded, only the bugs of the corresponding feature are fixed and that
feature is enhanced; other features remain unchanged.
 Upgrading a hot patch package fixes software bugs without restarting the device. A hot patch package only fixes
bugs of one specific software version.

Generally a main package is released to upgrade a box device.

Generally a rack package is released to upgrade a rack device.

Notes

-
Configuration Method

 Upgrading the Main Package Corresponding to the Line Card

 Optional configuration. Required when all system software on the device needs to be upgraded.
 Download the installation package to the local device and run the upgrade command.

Generally a main package is released to upgrade a box device.

 Upgrading a Rack Package

 Optional configuration. Required when all system software on the rack device needs to be upgraded.
 Because a rack package is very large, store it on a USB flash drive or SD card and then run the upgrade command
from there.

Generally a rack package is released to upgrade a rack device.

 Upgrading Each Feature Package

 Optional configuration. Used to fix the bugs of a certain feature and enhance that feature.
 Download the installation package to the local device and run the upgrade command.

 Upgrading a Hot Patch Package

 Optional configuration. Used to fix software bugs without restarting the device.
 Download the installation package to the local device and run the upgrade command.
 After the upgrade, the hot patch must be activated before it can be used; this step is mandatory. Two activation
modes are available: run the patch active command to activate the patch temporarily, or run the patch running
command to activate it permanently.

In production, use the patch running command so that the patch stays active after a restart. Use the patch active
command only when you intend to verify a patch first; a patch activated this way is lost on restart.

 Subsystem Rollback

 Optional configuration. Select this item to roll a subsystem back to the state before the upgrade.
 This configuration is available only after you have run the upgrade command to upgrade a subsystem component
(for example, with the main package or the rack package).

After you upgrade a subsystem component with the upgrade command, you can run the rollback command only once;
consecutive rollbacks are not supported.

Check Method

 After upgrading a subsystem component, you can run the show version detail or show subsys command to check
whether the upgrade is successful.
 After upgrading a feature component, you can run the show component command to check whether the upgrade is
successful.
 After upgrading a hot patch package, you can run the show patch command to check whether the upgrade is
successful.

Relevant Commands

 Displaying the Installation Package Stored on the Device

Command Syntax: show upgrade file url
Parameter Description: url indicates the path of the installation package in the device file system.
Command Mode: Privileged EXEC mode
Usage Guide: -

 Displaying Subsystem Components Running in the Current System

Command Syntax: show version detail
Parameter Description: N/A
Command Mode: Privileged EXEC mode
Usage Guide: -

 Displaying Available Subsystem Components on the Device

Command Syntax: show subsys [ slot { num | M1 | M2 | all } ]
Parameter Description: slot indicates that this command is executed on the device in the specified slot; num indicates the
slot number of the specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: The slot parameter is applicable only to the rack device.

 Subsystem Component Rollback

Command Syntax: upgrade rollback [ slot { num | M1 | M2 | all } ]
Parameter Description: slot indicates that this command is executed on the device in the specified slot; num indicates the
slot number of the specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: This command undoes the last subsystem upgrade operation and restores the subsystem to the state before
the upgrade. You can perform the rollback only if the last upgrade was a subsystem upgrade and it succeeded. The
rollback command cannot be executed in succession.
The slot parameter is applicable only to the rack device.

 Displaying the Feature Components Already Installed

Command Syntax: show component [ slot { num | M1 | M2 | all } ] [ component_name ]
Parameter Description: component_name: component name. When this parameter is omitted, the command displays all
components already installed on the device and their basic information. When it is specified, the command displays
detailed information about that component, checks whether the component is intact, and checks whether it works
properly.
slot indicates that this command is executed on the device in the specified slot; num indicates the slot number of the
specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: The slot parameter is applicable only to the rack device.

 Displaying the Patch Packages Already Installed

Command Syntax: show patch [ slot { num | M1 | M2 | all } ] [ package_name ]
Parameter Description: package_name: name of the patch package. slot indicates that this command is executed on the
device in the specified slot; num indicates the slot number of the specified line card; M1 and M2 indicate the supervisor
modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: The slot parameter is applicable only to the rack device.

 Activating the Patches Temporarily

Command Syntax: patch active [ slot { num | M1 | M2 | all } ]
Parameter Description: slot indicates that this command is executed on the device in the specified slot; num indicates the
slot number of the specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: This operation can be performed only on a device on which a patch is already installed. The command
activates the patch temporarily; the activated patch becomes invalid after a device restart.
The slot parameter is applicable only to the rack device.

 Activating the Patches Permanently

Command Syntax: patch running [ slot { num | M1 | M2 | all } ]
Parameter Description: slot indicates that this command is executed on the device in the specified slot; num indicates the
slot number of the specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: This operation can be performed only on a device on which a patch is already installed. The command
activates the patch permanently.
The slot parameter is applicable only to the rack device.

Configuration Examples

 Example of Upgrading a Subsystem Installation Package on the Box Device

Network Environment
Before the upgrade, you must copy the installation package to the device. The upgrade module provides the following
solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Run the upgrade download tftp://path command to upgrade directly from the installation package stored on the
TFTP server.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 After upgrading the subsystem, restart the device.
Ruijie# upgrade download tftp://192.168.201.98/eg1000m_main_1.0.0.0f328e91.bin
Accessing tftp://192.168.201.98/eg1000m_main_1.0.0.0f328e91.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!
Transmission finished, file length 21525888 bytes.
*May 21 03:32:28: %7: Upgrade processing is 10%
*May 21 03:32:28: %7: Upgrade processing is 60%
*May 21 03:32:28: %7: Upgrade processing is 90%
*May 21 03:32:28: %7:
*May 21 03:32:28: %7: Upgrade info [OK]
*May 21 03:32:28: %7: Kernel version[2.6.32.91f9d21->2.6.32.9f8b56f]
*May 21 03:32:28: %7: Rootfs version[1.0.0.2ad02537->1.0.0.1bcc12e8]
*May 21 03:32:28: %7: Upgrade processing is 100%
*May 21 03:32:28: %7: Restart to take effect !
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the system version on the current device. If the version information has changed, the upgrade is
successful.
Ruijie#show version detail
System description : EG1000m
System start time : 1913-10-19 02:25:28
System uptime : 0:00:00:50
System hardware version : 1.00
System software version : eg1000m_RGOS11.0(1C2) Release(20131022)
System boot version : 1.0.0.e7a1451
System core version : 2.6.32.9f8b56f
System main version : 1.0.0.1bcc12e8
System boot build : unknown
System core build : 2013/10/22 04:54:03
System main build : 2013/10/22 05:33:38

 Example of Upgrading a Feature Package on the Box Device

Network Environment
Before the upgrade, you must copy the installation package to the device. The upgrade module provides the following
solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Run the upgrade download tftp://path command to upgrade directly from the installation package stored on the
TFTP server.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 Check whether the device needs to be restarted based on the prompt displayed after the upgrade.
Ruijie#upgrade sata0://bridge_eg1000m_2.3.1.1252ea-1.mips.rpm
*May 21 03:32:28: %7: Upgrade processing is 10%
*May 21 03:32:28: %7: Upgrade processing is 60%
*May 21 03:32:28: %7: Upgrade processing is 90%
*May 21 03:32:28: %7:
*May 21 03:32:28: %7: Upgrade info [OK]
*May 21 03:32:28: %7: bridge version[2.0.1.37cd5cda ->2.3.1.1252ea] [OK]
*May 21 03:32:28: %7: Upgrade processing is 100%
*May 21 03:32:28: %7: Restart to take effect !
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the version of the feature component on the current device. If the version information has changed, the
upgrade is successful.
Ruijie# show component
*May 21 03:32:28: %7: Package :sysmonit
*May 21 03:32:28: %7: Version:1.0.1.23cd34aa Build time: Wed Dec 7 00:58:56 2011
*May 21 03:32:28: %7: Size:12877 Install time :Wed Mar 5 14:23:12 2012
*May 21 03:32:28: %7: Description:this is a system monit package
*May 21 03:32:28: %7: Required packages: None
-------------------------------------------------------------------
*May 21 03:32:28: %7: package:bridge
*May 21 03:32:28: %7: Version: 2.3.1.1252ea Build time: Wed Dec 7 00:54:56 2011
*May 21 03:32:28: %7: Size:26945 Install time : Wed Mar 19:23:15 2012
*May 21 03:32:28: %7: Description:this is a bridge package
*May 21 03:32:28: %7: Required packages: None

 Example of Installing a Patch Package on the Box Device

Network Environment
Before the upgrade, you must copy the installation package to the device. The upgrade module provides the following
solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Run the upgrade download tftp://path command to upgrade directly from the installation package stored on the
TFTP server.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 Activate the hot patch.
Ruijie#upgrade download tftp://192.168.201.98/eg1000m_RGOS11.0(1C2)_20131008_patch.bin
Accessing tftp://192.168.201.98/eg1000m_RGOS11.0(1C2)_20131008_patch.bin...
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!
Transmission finished, file length 9868 bytes.
Ruijie#*Jan 1 02:52:00: %7: Upgrade processing is 10%
*Jan 1 02:52:00: %7: Upgrade processing is 60%
*Jan 1 02:52:01: %7:
*Jan 1 02:52:01: %7: Upgrade info [OK]
*Jan 1 02:52:01: %7: patch_bridge version[1.0.0.1952]
*Jan 1 02:52:02: %7: Upgrade processing is 90%
*Jan 1 02:52:02: %7:
*Jan 1 02:52:02: %7: Upgrade info [OK]
*Jan 1 02:52:02: %7: patch_install version[1.0.0.192e35a]
Ruijie#patch running
*May 21 17:05:41: %7: The patch on the system now is in running status

Check Method
 Check the hot patches installed on the current device.
Ruijie# show patch
*May 21 03:32:28: %7:patch package patch_install installed in the system, version:pa1
*May 21 03:32:28: %7: Package : patch_bridge
*May 21 03:32:28: %7: status:running
*May 21 03:32:28: %7: Version: pa1 Build time: Mon May 13 09:03:07 2013
*May 21 03:32:28: %7: size: 277 Install time: Tue May 21 03:07:17 2013
*May 21 03:32:28: %7: Description: a patch for bridge
*May 21 03:32:28: %7: Required packages: None

 Example of Subsystem Rollback on the Box Device

You can perform the rollback operation only if the last upgrade was a subsystem upgrade and it succeeded. The rollback
command cannot be executed in succession.

Network Environment
Before the upgrade, you must copy the installation package to the device. The upgrade module provides the following
solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Run the upgrade download tftp://path command to upgrade directly from the installation package stored on the
TFTP server.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the subsystem rollback command.
 Restart the device for the rollback to take effect.
Ruijie#upgrade rollback
*May 21 03:32:28: %7: kernel rollback version[2.6.32.9f8b56f->2.6.32.91f9d21][OK]
*May 21 03:32:28: %7: rootfs rollback version[1.0.0.1bcc12e8->1.0.0.2ad02537][OK]
*May 21 03:32:28: %7: Rollback success!
*May 21 03:32:28: %7: Restart to take effect !
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the system version on the current device. If it has been restored to the version before the upgrade, the
rollback is successful.
Ruijie#show version detail
System description : EG1000m
System start time : 1913-10-19 02:25:28
System uptime : 0:00:00:50
System hardware version : 1.00
System software version : eg1000m_RGOS11.0(1C2) Release(20131022)
System boot version : 1.0.0.e7a1451
System core version : 2.6.32.91f9d21
System main version : 1.0.0.2ad02537
System boot build : unknown
System core build : 2013/10/22 04:54:03
System main build : 2013/10/22 05:33:38

 Example of Upgrading a Subsystem Installation Package on the Rack Device

Network Environment
Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack package, store it on the
USB flash drive or SD card. The upgrade module provides the following solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 During the upgrade you can run the show upgrade status command to view the status of each slot, as shown at the
end of the output below.
 After upgrading the subsystem, restart the device for the upgrade to take effect.
Ruijie# upgrade usb0:/ca-octeon_11.0(1B2)_20131106_main_install.bin
*Aug 12 01:54:43: %7: [Slot M1]:Upgrade processing is 10%
*Aug 12 01:54:44: %7:
*Aug 12 01:54:44: %7: [Slot 1]:Upgrade processing is 10%
*Aug 12 01:55:03: %7:
*Aug 12 01:55:03: %7: [Slot M1]:Upgrade processing is 60%
*Aug 12 01:55:19: %7:
*Aug 12 01:55:19: %7: [Slot 1]:Upgrade processing is 60%
*Aug 12 01:55:43: %7:
*Aug 12 01:55:43: %7: [Slot M1]:Upgrade processing is 90%
*Aug 12 01:55:43: %7:
*Aug 12 01:55:43: %7: [Slot M1]:
*Aug 12 01:55:43: %7: Upgrade info [OK]
*Aug 12 01:55:43: %7: Kernel version[2.6.32.abb2b41f170c81->2.6.32.abb2b415749f40]
*Aug 12 01:55:43: %7: Rootfs version[1.0.0.d5f0de03->1.0.0.660e0085]
*Aug 12 01:55:43: %7:
*Aug 12 01:55:43: %7: [Slot M1]:Restart to take effect !
*Aug 12 01:55:45: %7:
*Aug 12 01:55:45: %7: [Slot M1]:Upgrade processing is 100%
*Aug 12 01:56:27: %7: [Slot 1]:Upgrade processing is 90%
*Aug 12 01:56:27: %7:
*Aug 12 01:56:27: %7: [Slot 1]:
*Aug 12 01:56:27: %7: Upgrade info [OK]
*Aug 12 01:56:27: %7: Kernel version[2.6.32.9f8b56f1d45ab2->2.6.32.0f48cb9f170c81]
*Aug 12 01:56:27: %7: Rootfs version[1.0.0.2ad02537->1.0.0.1bcc12e8]
*Aug 12 01:56:27: %7:
*Aug 12 01:56:27: %7: [Slot 1]:Restart to take effect !
*Aug 12 01:56:31: %7:
*Aug 12 01:56:31: %7: [Slot 1]:Upgrade processing is 100%
*Aug 12 02:07:30: %7: [slot: M1]
*Aug 12 02:07:30: %7: device_name: ca-octeon-cm
*Aug 12 02:07:30: %7: status: SUCCESS
*Aug 12 02:07:30: %7: [slot: 1]
*Aug 12 02:07:30: %7: device_name: ca-octeon-lc
*Aug 12 02:07:30: %7: status: SUCCESS
N18000#sho upgrade status
[slot: M1]
dev_type: ca-octeon-cm
status : upgrading
[slot: 1]
dev_type: ca-octeon-lc
status : transmission
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the system version on the current device. If the version information has changed, the upgrade is
successful.
N18000#sho version detail
System description : N18010
System start time : 2010-08-12 00:41:23
System uptime : 0:01:22:46
System hardware version : 1.00
System software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131030)
System boot version : 1.0.0-00222-gafcc010
System core version : 2.6.32.abb2b415749f40
System main version : 1.0.0.660e0085
System boot build : unknown
System core build : 2013/10/30 15:43:52
System main build : 2013/10/30 16:38:19
System isolcpus : 1-3
Module information:
Slot M1 : M18010-CM
Hardware version : 1.00
System start time : 2010-08-12 00:41:23
Boot version : 1.0.0-00222-gafcc010
Software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131030)
Slot 1 : M18000-40XS-CB
Hardware version : 1.00
System start time : 1970-01-01 00:00:04
Boot version : 1.0.1.1fab7eb
Software version : ca-octeon-lc_RGOS11.0(1B2) Release(20131030)

 Example of Upgrading a Feature Package on the Rack Device

Network Environment
Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a package, store it on the USB
flash drive or SD card. The upgrade module provides the following solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 Check whether the device needs to be restarted based on the prompt displayed after the upgrade.
Ruijie#upgrade sata0://ca-octeon-cm_bridge-1.0.0.05151504-1311060616.mips.rpm
Ruijie#*May 21 16:54:03: %7:
*May 21 16:54:03: %7: [Slot M1]:Upgrade processing is 10%
*May 21 16:54:03: %7:
*May 21 16:54:03: %7: [Slot M1]:Upgrade processing is 60%
*May 21 16:54:05: %7:
*May 21 16:54:05: %7: [Slot M1]:
*May 21 16:54:05: %7: Upgrade info [OK]
*May 21 16:54:05: %7: bridge version[1.0.0.97521231->1.0.0.05151504]
*May 21 16:54:05: %7:
*May 21 16:54:05: %7: [Slot M1]:Restart to take effect !
*May 21 16:54:05: %7:
*May 21 16:54:05: %7: [Slot M1]:Upgrade processing is 100%
[slot: M1]
device_name: ca-octeon-cm
status: SUCCESS
[slot: 2]
device_name: ca-octeon-lc
status: NOT SUPPORT
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the version of the feature component on the current device. If the version information has changed, the
upgrade is successful.
Ruijie# show component slot M1
*May 21 16:47:10: %7: [Slot M1]:
*May 21 16:54:58: %7: Package : bridge
*May 21 16:54:58: %7: Version: 1.0.0.05151504 Build time: Wed May 15 07:05:06 2013
*May 21 16:54:58: %7: size: 11 Install time: Thu Jan 1 00:48:09 1970
*May 21 16:54:58: %7: Description: bridge component
*May 21 16:54:58: %7: Required packages: None
*May 21 16:54:58: %7: -----------------------------------
…………………………………………………

 Example of Installing a Patch Package on the Rack Device

Network Environment
Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a package, store it on the USB
flash drive or SD card. The upgrade module provides the following solutions.
 Run a file system command such as copy tftp or copy xmodem to copy the installation package from the server to
the device file system, and then run the upgrade url command to upgrade from the installation package in the local
file system.
 Copy the installation package to a USB flash drive or SD card, connect the drive or card to the device, and then run
the upgrade url command to upgrade from the installation package on the USB flash drive or SD card.

Configuration Method
 Run the upgrade command.
 Activate the hot patch on the slot where it was installed.
Ruijie#upgrade usb0:/ca-octeon-cm_RGOS11.0(1C2)_20131008_patch.bin
Ruijie#*Jan 1 02:52:00: %7: [Slot M1]: Upgrade processing is 10%
*Jan 1 02:52:00: %7: [Slot M1]: Upgrade processing is 60%
*Jan 1 02:52:01: %7:
*Jan 1 02:52:01: %7: [Slot M1]:
*Jan 1 02:52:01: %7: Upgrade info [OK]
*Jan 1 02:52:01: %7: patch_bridge version[1.0.0.1952]
*Jan 1 02:52:02: %7: Upgrade processing is 90%
*Jan 1 02:52:02: %7:
*Jan 1 02:52:02: %7: [Slot M1]:
*Jan 1 02:52:02: %7: Upgrade info [OK]
*Jan 1 02:52:02: %7: patch_install version[1.0.0.192e35a]
[slot: M1]
device_name: ca-octeon-cm
status: SUCCESS
[slot: 2]
device_name: ca-octeon-lc
status: NOT SUPPORT
Ruijie#patch running slot M1
*May 21 17:05:41: %7: The patch on the system now is in running status

Check Method
 Check the hot patches installed on the current device.
Ruijie# show patch slot M1
*May 21 03:32:28: %7:[Slot M1]:
*May 21 03:32:28: %7:patch package patch_install installed in the system, version:pa1
*May 21 03:32:28: %7: Package : patch_bridge
*May 21 03:32:28: %7: status:running
*May 21 03:32:28: %7: Version: pa1 Build time: Mon May 13 09:03:07 2013
*May 21 03:32:28: %7: size: 277 Install time: Tue May 21 03:07:17 2013
*May 21 03:32:28: %7: Description: a patch for bridge
*May 21 03:32:28: %7: Required packages: None

 Example of Subsystem Rollback on the Rack Device

You can perform the rollback operation only if the last upgrade is subsystem upgrade and the upgrade is successful.
The rollback command cannot be executed in succession.

The rack device allows you to perform the rollback operation on a specified line card.

Network Environment
Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack package, you need to
store the rack package in the USB flash drive or SD card. The upgrade module provides the following solutions.
 Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
 Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.

Configuration Method
 Run the subsystem rollback command.
 Restart the device for the rollback to take effect.
Ruijie#upgrade rollback slot M1
*May 21 03:32:28: %7: kernel rollback
version[2.6.32.abb2b415749f40->2.6.32.abb2b41f170c81][OK]
*May 21 03:32:28: %7: rootfs rollback
version[1.0.0.660e0085->1.0.0.d5f0de03][OK]
*May 21 03:32:28: %7: Rollback success!
*May 21 03:32:28: %7: Restart to take effect !
Reload system?(Y/N)y
[ 1586.114348] Restarting system.

Check Method
 Check the system version on the current device. If it is restored to the version before the upgrade, the rollback is
successful.
N18000#sho version detail
System description : N18010
System start time : 2010-08-12 00:41:23
System uptime : 0:01:22:46
System hardware version : 1.00
System software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131029)
System boot version : 1.0.0-00222-gafcc010
System core version : 2.6.32.abb2b41f170c81
System main version : 1.0.0.d5f0de03
System boot build : unknown
System core build : 2013/10/29 13:27:42
System main build : 2013/10/29 14:11:10
System isolcpus : 1-3
Module information:
Slot M1 : M18010-CM
Hardware version : 1.00
System start time : 2010-10-30 09:41:23
Boot version : 1.0.0-00222-gafcc010
Software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131029)

Common Errors

If an error occurs during the upgrade, the upgrade module displays an error message. The following provides an example:

Upgrade info [ERR]
Reason:creat config file err(217)

The following describes several types of common error messages:

 Invalid installation package: The installation package may be damaged or incorrect. It is recommended to obtain the
installation package again and perform the upgrade operation.

 Installation package not supported by the device: You may have used the installation package of another device by
mistake. It is recommended to obtain the installation package again, verify the package, and perform the upgrade
operation.

 Insufficient device space: Generally, this error occurs on a rack device. It is recommended to check whether the
device is supplied with a USB flash drive or SD card. Generally, this device has a USB flash drive.

Deactivating and Uninstalling a Hot Patch


Configuration Effect

An activated hot patch is deactivated or uninstalled.

Notes
A hot patch that is not activated does not take effect; therefore, you cannot deactivate it.

Configuration Method

 Deactivating an Activated Patch

 Optional configuration. To deactivate an activated patch, run the patch deactive command.

 Uninstalling a Hot Patch

 Optional configuration. To uninstall a hot patch already installed, run the patch delete command.

Check Method

 You can run the show patch command to check whether a patch is activated or uninstalled.

Relevant Commands

 Deactivating an Activated Patch

Command Syntax patch deactive [ slot { num | M1 | M2 | all } ]
Parameter Description slot: indicates that this command is executed on the device in the specified slot.
num: indicates the slot number of the specified line card.
M1 and M2: indicate the supervisor modules.
all: indicates all devices.
Command Mode Privileged EXEC mode
Usage Guide You can perform this operation only on an activated patch.

All parameters are applicable only to the rack device.

 Deleting a Hot Patch

Command Syntax patch delete [ slot { num | M1 | M2 | all } ]
Parameter Description slot num: This parameter is used on a rack device. It indicates the line card in the given slot
number.
slot all: This parameter is used on a rack device. It indicates all devices.
slot M1: This parameter is used on a rack device. It specifies that the operation is performed on supervisor module M1.
slot M2: This parameter is used on a rack device. It specifies that the operation is performed on supervisor module M2.
Command Mode Privileged EXEC mode
Usage Guide This command removes the hot patch package from the device.

All parameters are applicable only to the rack device.


Configuration Examples

 Deactivating and Uninstalling a Patch on the Box Device

Configuration Method
 Run the patch deactivation command.
 Run the patch deletion command.
Ruijie#patch deactive
*May 21 17:05:41: %7: Deactive the patch package success
Ruijie# patch delete
*May 20 16:49:57: %7: clear the patch patch_bridge success
*May 20 16:49:57: %7: clear the patch success

Check Method
 Display the patch status.
Ruijie#show patch
Ruijie#*May 20 16:51:18: %7:
*May 20 16:51:18: %7: No patch package installed in the system

 Deactivating and Uninstalling a Patch on the Rack Device

Configuration Method
 Run the patch deactivation command.
 Run the patch deletion command.
Ruijie#patch deactive slot M1
*May 21 17:05:41: %7: [Slot M1]:
*May 21 17:05:41: %7: Deactive the patch package success
Ruijie# patch delete slot M1
16:49:19:*May 20 16:49:57: %7: [Slot M1]:
16:49:19:*May 20 16:49:57: %7: clear the patch patch_bridge success
16:49:19:*May 20 16:49:57: %7: clear the patch success

Check Method
 Display the patch status.
Ruijie#show patch slot M1
Ruijie#*May 20 16:51:18: %7:
*May 20 16:51:18: %7: [Slot M1]:
*May 20 16:51:18: %7: No patch package installed in the system

Common Configuration Errors

 Running the patch deactive command when the patch is not activated. Check the patch status first: you can run the
patch deactive command only when the patch is in the status:running state.
Monitoring and Maintenance

Clearing Various Information

Function Command
Deletes a hot patch package already installed. patch delete [ slot { num | M1 | M2 | all } ]

Viewing the Running Conditions

Function Command
Displays all components already installed on the current device and their information. show component [ slot { num | M1 | M2 | all } ] [ component_name ]
Displays the information about the hot patch packages already installed on the device. show patch [ slot { num | M1 | M2 | all } ] [ patch_name ]
Displays the available kernel and rootfs subsystem components stored on the device, and specifies which components the device will load. show subsys [ slot { num | M1 | M2 | all } ]
Displays the upgrade status of the line cards on a rack device. show upgrade status
Displays the upgrade history. show upgrade history
Configuration Guide Configuring NTP

Configuring NTP

Overview

Network Time Protocol (NTP) is designed for time synchronization on network devices. A device can synchronize its clock
with a clock source or an NTP server. Moreover, NTP provides precise time correction (less than one millisecond on the
LAN and dozens of milliseconds on the WAN, compared with the standard time) and resists attacks by means of
encryption and authentication.

To provide precise time, NTP needs a precise time source, Coordinated Universal Time (UTC). NTP may obtain UTC from
an atomic clock, an observatory, a satellite, or the Internet, so an accurate and reliable time source is available.

To protect the time server from malicious tampering, NTP uses an authentication mechanism to check whether a time
correction request really comes from the declared server and to check the path of the returned data. This mechanism
provides protection against interference.

Ruijie switches support both the NTP client and the NTP server. That is, a switch can not only synchronize its time from a
server but also act as a time server to synchronize the time of other switches. When the switch works as a time server,
it supports only the unicast server mode.

 The NTP function is not supported on AP110-W or AP120-W.

Configuring NTP

Configuring the Global NTP Authentication Mechanism


The NTP client of Ruijie supports encrypted communication with the NTP server by means of key encryption.

There are two steps to configure the NTP client to communicate with the NTP server by means of encryption:

Step 1: Enable authentication on the NTP client and configure the key globally;

Step 2: Configure the trusted key for the NTP server.

To initiate encrypted communication with the NTP server, you need to set an authentication key for the NTP server in
addition to performing Step 1.

By default, the NTP client does not use the global security authentication mechanism, so the communication is not
encrypted. However, enabling global security authentication alone does not mean that communication between the NTP
server and the NTP client is encrypted: you also need to configure the keys globally and an encryption key for the NTP
server.

To configure the global security authentication mechanism, run the following commands in global configuration mode:

Command Function
ntp authenticate Configure the global NTP security authentication mechanism.
no ntp authenticate Disable the global NTP security authentication mechanism.

The message is verified by the trusted key specified by the ntp authentication-key or ntp trusted-key command.

Configuring the Global NTP Authentication Key


The next step to configure the global security authentication for the NTP is to set the global authentication key.

Each key is identified by a globally unique key-id. The user can run the ntp trusted-key command to set the key
corresponding to a key-id as a global trusted key.

To specify a global authentication key, run the following commands in global configuration mode:

Command Function
ntp authentication-key key-id md5 key-string [enc-type] Specify a global authentication key.
key-id: in the range of 1 to 4294967295
key-string: Any
enc-type: Two types: 0 and 7
no ntp authentication-key key-id Remove a global authentication key.

Configuring a global authentication key does not by itself make the key effective; the key must be configured as a global
trusted key before it is used.

The current NTP version supports up to 1024 authentication keys, and only one key can be set for each server for secure
communication.

Configure the Global NTP Trusted key ID


The last step is to set a global authentication key as a global trusted key. Only with this trusted key can the user send
encrypted data and check the validity of messages.

To specify a global trusted key, run the following commands in global configuration mode:

Command Function
ntp trusted-key key-id Specify a global trusted key ID.
no ntp trusted-key key-id Remove a global trusted key ID.

The three settings above are the first procedure for implementing the security authentication mechanism. To initiate real
encrypted communication between the NTP client and the NTP server, a trusted key must also be set for the
corresponding server.

When a global authentication key is removed, all of its trusted information is removed as well.
Configuring the NTP Server


No NTP server is configured by default. Ruijie's client system supports simultaneous interaction with up to 20 NTP servers,
and one authentication key can be set for each server to initiate encrypted communication with that server after the
relevant global authentication and key settings are completed.

NTP version 3 is the default version for communication with the NTP server. The source interface used to send NTP
messages can also be configured, in which case NTP messages from the corresponding server are accepted only on that
sending interface.

To configure the NTP server, run the following commands in global configuration mode:

Command Function
ntp server [ oob | vrf vrf-name ] { ip-addr | domain | ip domain | ipv6 domain } [ version version ] [ source if-name ] [ key keyid ] [ prefer ] [ via mgmt-name ] Configure the NTP server.
oob: (Optional) Access the NTP server from the MGMT interface. By default, this option is disabled.
vrf vrf-name: Specify the virtual routing and forwarding (VRF) name. By default, this parameter is disabled.
ip-addr: Set the IP address of the NTP server. The address can be in IPv4 or IPv6 format.
domain: Set the domain name of the NTP server, supporting IPv4 and IPv6.
version: (Optional) Specify the NTP version (1-3). The default is NTPv3.
if-name: (Optional) Specify the source interface from which the NTP message is sent (L3 interface).
keyid: (Optional) Specify the encryption key used when communicating with the corresponding server. The key ID range is from 1 to 4,294,967,295.
prefer: (Optional) Specify the given NTP server as the preferred one.
mgmt-name: (Optional) Specify the egress MGMT interface for the packets in oob mode.
no ntp server ip-addr Remove the NTP server.

Only when the global security authentication and key settings are complete, and the trusted key for communicating with the
server is set, can the NTP client initiate encrypted communication with the NTP server. The NTP server must have the same
trusted key configured.
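The following is an added example, not code from the Ruijie guide, that models what the ntp authentication-key, ntp trusted-key and ntp server ... key settings above control on the wire: the NTP symmetric-key authenticator (4-byte key ID followed by MD5 over the key and the 48-byte header, as in RFC 1305 / RFC 5905), and the receiver-side check that rejects packets whose key ID is not trusted, whose key does not match, or whose header was altered. The key table, trusted-key set and timestamps are constructed for the example.

```python
# Added example; not code from the Ruijie guide. Models the NTP symmetric-key
# authenticator configured with "ntp authentication-key <id> md5 <key>" and
# "ntp trusted-key <id>": authenticator = key ID (4 bytes) + MD5(key || header).
# Key table, trusted-key set and timestamps below are constructed.
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
HEADER_LEN = 48                # NTP header without the authenticator
KEY_ID_LEN, DIGEST_LEN = 4, 16


def to_ntp_timestamp(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def build_client_request(transmit_unix: float, version: int = 3) -> bytes:
    """Unauthenticated NTP client request (mode 3); NTPv3 is the guide's default."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    # LI/VN/mode, stratum, poll, precision, root delay, root dispersion, ref ID
    header = struct.pack("!BBBbIII", li_vn_mode, 0, 6, -20, 0, 0, 0)
    # reference, originate, receive and transmit timestamps
    header += struct.pack("!QQQQ", 0, 0, 0, to_ntp_timestamp(transmit_unix))
    return header


def authenticate(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator a sender builds with its configured key."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet: bytes, key_table: dict, trusted_keys: set) -> bool:
    """Receiver-side check: the key ID must be both configured and trusted and
    the digest must equal MD5(key || header). A packet with no authenticator
    is rejected once authentication is required."""
    if len(packet) != HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + KEY_ID_LEN])
    digest = packet[HEADER_LEN + KEY_ID_LEN:]
    if key_id not in trusted_keys or key_id not in key_table:
        return False
    expected = hashlib.md5(key_table[key_id] + header).digest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    """Mirror the guide's example: key ID 6, MD5 key "helloworld", trusted."""
    key_table = {6: b"helloworld"}   # ntp authentication-key 6 md5 helloworld
    trusted = {6}                    # ntp trusted-key 6
    header = build_client_request(1252433481.0)  # 2009-09-08 18:11:21 UTC
    good = authenticate(header, 6, key_table[6])
    tampered = bytearray(good)
    tampered[1] ^= 0x01              # flip one bit in the stratum field
    return {
        "valid": verify(good, key_table, trusted),
        "untrusted_id": verify(good, key_table, set()),   # no ntp trusted-key
        "wrong_key": verify(authenticate(header, 6, b"other"), key_table, trusted),
        "tampered": verify(bytes(tampered), key_table, trusted),
        "unauthenticated": verify(header, key_table, trusted),
    }
```

Note that MD5 here is a keyed integrity check, not encryption: the header travels in clear and only its origin is verified.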
Disabling the Interface from Receiving NTP Messages


This command disables the interface from receiving NTP messages.

By default, NTP messages received on any interface are available to the NTP client for clock synchronization. This
function discards the NTP messages received on the specified interface.

This command takes effect only on an interface that can be configured with an IP address to receive and send
packets.

To disable the interface from receiving NTP messages, run the following commands in interface configuration mode:

Command Function
interface interface-type number Enter interface configuration mode.
ntp disable Disable the function of receiving NTP messages on the interface.

To enable the function of receiving NTP messages on the interface, use the command no ntp disable in interface
configuration mode.

Enabling or Disabling NTP


The no ntp command disables the NTP synchronization service, stops time synchronization, and clears the relevant NTP
configuration.

The NTP function is disabled by default and is enabled as soon as an NTP server is configured.

To disable the NTP, run the following commands in global configuration mode:

Command Function
no ntp Disable the NTP function.
ntp authenticate or ntp server ip-addr [ version version ] [ source if-name number ] [ key keyid ] [ prefer ] Enable the NTP function.

Configuring the NTP Update-Calendar


This command configures the NTP client to update the hardware calendar (hardware clock) whenever it synchronizes with
the external time source.

To configure the NTP update-calendar, run the following commands in global configuration mode:

Command Function
ntp update-calendar Configure the update calendar.
no ntp update-calendar Disable the function of NTP update calendar.

By default, the NTP update-calendar is not configured. After it is configured, the NTP client updates the calendar each
time synchronization with the external time source succeeds. It is recommended to enable this function to keep the
calendar accurate.
Configuring the NTP Master


This command sets the local clock as the NTP master (that is, the reference source of the local time is treated as reliable),
providing synchronized time for other devices.

In general, the local system synchronizes its time from an external time source, directly or indirectly. However, if time
synchronization of the local system fails because of network connection trouble or similar causes, use this command to
set the reliable reference source of the local time and provide synchronized time for other devices.

Once set, the system time cannot be synchronized to a time source with a higher stratum.


To configure the NTP master, run the following commands in global configuration mode:

Command Function
ntp master [stratum] Set the local time as the NTP master and specify the corresponding stratum. The stratum ranges from 1 to 15, 8 by default.
no ntp master Cancel the NTP master settings.

The following example shows how to set the reliable reference source of the local time and set the stratum to 12:

Ruijie(config)# ntp master 12

Using this command to set the local time as the master (in particular, with a low stratum value) may override the
effective clock source. If multiple devices in the same network use this command, time synchronization instability
may occur because of the time differences between the devices.

In addition, if the system has never been synchronized with an external clock source, manually calibrate the system
clock before using this command to prevent excessive bias. (For how to manually calibrate the system clock, refer to
the system time configuration section of the "Basic Switch Management Configuration Guide".)
This command is not restricted by NTP access control (even if the NTP access control function has a matching
restriction, this command still takes effect).

Configuring the Access Control Privilege of NTP Service


The NTP service access control function provides a minimal security measure (a more secure approach is to use the NTP
authentication mechanism). By default, no NTP access control rules are configured in the system.
To set the NTP services access control privilege, run the following command in global configuration mode.

Command Function
ntp access-group { peer | serve | serve-only | query-only } access-list-number | access-list-name Set the access control privilege of the local service.
no ntp access-group { peer | serve | serve-only | query-only } access-list-number | access-list-name Cancel the access control privilege settings of the local service.

peer: Allow time requests and control queries for the local NTP service, and also allow time synchronization between the
local device and the remote system (full access privilege).

serve: Allow only time requests and control queries for the local NTP service; do not allow time synchronization
between the local device and the remote system.

serve-only: Allow only time requests for the local NTP service.

query-only: Allow only control queries for the local NTP service.

access-list-number: IP access control list number, in the range of 1 to 99 and 1300 to 1999. For how to create an IP access
control list, refer to the relevant description in "Access Control List Configuration Guide".

access-list-name: IP access control list name. For how to create an IP access control list, refer to the relevant description
in "Access Control List Configuration Guide".

When an access request arrives, the NTP service matches the rules in order from the least restrictive to the most
restrictive, and the first matched rule prevails. The matching order is peer, serve, serve-only, query-only.

The control query function (a network management device controlling the NTP server, such as setting the leap second
flag or monitoring the working state) is not supported in the current system. Although such requests are matched in the
order above, control and query requests are not served.

If no access control rules are configured, all access is allowed. However, once access control rules are configured, only
access permitted by a rule is allowed.

The following example allows the peer devices in ACL 1 to perform control queries, request time from, and synchronize
time with the local device, and restricts the peer devices in ACL 2 to requesting time from the local device:

Ruijie(config)# ntp access-group peer 1
Ruijie(config)# ntp access-group serve-only 2
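As an added illustration (not code from the Ruijie guide) of the matching rules described above, the following model evaluates a source address against configured ntp access-group lines in the order peer, serve, serve-only, query-only, lets the first permitting group decide, and allows everything when no group is configured. The ACL contents and addresses are constructed, and the treatment of a deny entry (the source simply falls through to the next group) is an assumption of this model.

```python
# Added example; not code from the Ruijie guide. Models ntp access-group
# evaluation: groups in the order peer, serve, serve-only, query-only; the first
# group whose ACL permits the source prevails; no groups configured = allow all.
# ACL bodies, addresses and the fall-through on "deny" are assumptions.
from ipaddress import ip_address, ip_network

GROUP_ORDER = ("peer", "serve", "serve-only", "query-only")

# Operations each access type grants, as listed in the parameter description.
PRIVILEGES = {
    "peer": {"time-request", "control-query", "synchronize"},
    "serve": {"time-request", "control-query"},
    "serve-only": {"time-request"},
    "query-only": {"control-query"},
}


def acl_permits(acl: list, source) -> bool:
    """Standard-ACL style first-match evaluation with an implicit deny at the end."""
    for action, network in acl:
        if source in ip_network(network):
            return action == "permit"
    return False


def ntp_access_allowed(access_groups: dict, acls: dict, source_ip: str, operation: str) -> bool:
    """access_groups maps access type -> ACL name (one entry per configured
    ntp access-group line); acls maps ACL name -> list of (action, network)."""
    if not access_groups:
        return True  # no access control rules configured: all access allowed
    source = ip_address(source_ip)
    for group in GROUP_ORDER:
        acl_name = access_groups.get(group)
        if acl_name is not None and acl_permits(acls.get(acl_name, []), source):
            return operation in PRIVILEGES[group]  # first matching group prevails
    return False  # rules exist but none permits this source


def demo() -> dict:
    # The guide's example: peer -> ACL 1, serve-only -> ACL 2 (ACL bodies constructed).
    access_groups = {"peer": "1", "serve-only": "2"}
    acls = {
        "1": [("permit", "192.168.10.0/24")],
        "2": [("deny", "192.168.20.99/32"), ("permit", "192.168.20.0/24")],
    }
    return {
        "peer_sync": ntp_access_allowed(access_groups, acls, "192.168.10.7", "synchronize"),
        "serve_only_request": ntp_access_allowed(access_groups, acls, "192.168.20.7", "time-request"),
        "serve_only_sync": ntp_access_allowed(access_groups, acls, "192.168.20.7", "synchronize"),
        "denied_host": ntp_access_allowed(access_groups, acls, "192.168.20.99", "time-request"),
        "unlisted_host": ntp_access_allowed(access_groups, acls, "10.0.0.1", "time-request"),
        "no_rules": ntp_access_allowed({}, acls, "10.0.0.1", "synchronize"),
    }
```

Control queries are modelled only so the ordering is complete; as the guide notes, the current system does not serve them.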

Showing NTP Information


Execute the show ntp status command in privileged EXEC mode to show the current NTP information.
To display the NTP function, run the following command in privileged EXEC mode:

Command Function
show ntp status Show the current NTP information.

This command prints information only when a communication server has been configured.

Ruijie# show ntp status
Clock is synchronized, stratum 9, reference is 192.168.217.100
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**18
reference time is AF3CF6AE.3BF8CB56 (20:55:10.000 UTC Mon Mar 1 1993)
clock offset is 32.97540 sec, root delay is 0.00000 sec
root dispersion is 0.00003 msec, peer dispersion is 0.00003 msec

stratum indicates the level of the current clock; reference indicates the address of the server used for
synchronization; freq indicates the clock frequency of the current system; precision indicates the precision of the
current system clock; reference time indicates the UTC time of the reference clock on the synchronization server;
clock offset indicates the offset of the current clock; root delay indicates the delay of the current clock; root
dispersion indicates the precision of the top server; peer dispersion indicates the precision of the synchronization
server.

Typical NTP Configuration Examples

Configuring NTP client/server Mode


Topological Diagram

NTP client/server model

Application Requirements

 On Host A, configure local clock as the NTP master clock, with clock stratum being 12;
 Configure the Host B as the NTP client and specify the Host A as the NTP server;
 The hardware clock of Host B shall be synchronized as well.

Configuration Tips

NTP server
Generally, the local system directly or indirectly synchronizes with external clock sources. However, the local system may
not be able to synchronize with external clock sources because of network connection failures. In such a case, you can
execute the ntp master command to configure the local clock as the NTP master clock and provide time to other
devices.

NTP client

 Configure the NTP server


 By configuring the NTP hardware clock update, the NTP client uses the clock value synchronized from the external
clock source to update its hardware clock, so that the hardware clock also remains accurate.

Configuration Steps

 Configuration of NTP server

! Configure NTP master clock. Configure local clock as the trusted reference clock source, with clock stratum being 12;

HostA(config)#ntp master 12

 Configuration of NTP client

! Configure Host A as the NTP server

HostB(config)#ntp server 1.1.1.1

! Configure NTP hardware clock update

HostB(config)# ntp update-calendar

Verify Configurations

 Check the NTP status of client before synchronization


HostB(config)#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**0
reference time is 0.0 (00:00:00.000 UTC Thu, Jan 1, 1970)
clock offset is 0.00000 sec, root delay is 0.00000 sec
root dispersion is 0.00000 msec, peer dispersion is 0.00000 msec
The above information shows that the time has not been synchronized yet.

 After configuring NTP synchronization, display the NTP configuration. Key points: NTP server address and stratum.

The following log will be printed on CLI interface:

*Sep 8 18:10:37: %SYS-6-CLOCKUPDATE: System clock has been updated to 18:10:37 UTC Tue Sep
8 2009.
HostB#show ntp status
Clock is synchronized, stratum 13, reference is 1.1.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CE511CC9.37EB5B2D (18:11:21.000 UTC Tue, Sep 8, 2009)
clock offset is -0.00107 sec, root delay is 0.00000 sec
root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec
The above information shows that the NTP client has connected to the server and the time of Host B has been
synchronized with the time of Host A, with stratum level being higher than that of Host A by 1 level (i.e., 13).

Configure NTP client/server Mode with authentication


Topological Diagram

NTP client/server model

Application Requirements

 On Host A, configure local clock as the NTP master clock, with clock stratum being 12;
 Configure Host B as the NTP client and specify Host A as the NTP server;
 Enable the authentication mechanism to prevent illegal users from maliciously attacking the clock server.

Configuration Tips

Configuring NTP server/client authentication will involve the following steps:

 Enable NTP global authentication


 Configure the key for NTP global authentication and the corresponding key ID
 Specify NTP global trusted key ID

The authentication key used by the NTP client to communicate with the NTP server must be identical to the server's key
with the corresponding key ID.

Configuration Steps

 Configuration of NTP server

Step 1: Configure NTP master clock. Configure local clock as the trusted reference clock source, with clock stratum being
12;

HostA(config)#ntp master 12

Step 2: Configure NTP authentication;

! Enable NTP global authentication

HostA(config)# ntp authenticate

! Configure NTP global authentication key as "helloworld" and the corresponding key ID as "6"

HostA(config)# ntp authentication-key 6 md5 helloworld

! Specify "6" as the NTP global trusted key ID

HostA(config)# ntp trusted-key 6


 Configuration of NTP client

Step 1: Configure NTP authentication;

! Enable NTP global authentication

HostB(config)# ntp authenticate

! Configure NTP global authentication key as "helloworld" and the corresponding key ID as "6"

HostB(config)# ntp authentication-key 6 md5 helloworld

! Specify "6" as the NTP global trusted key ID

HostB(config)# ntp trusted-key 6

! Configure Host A as the NTP server and set the key ID for communicating with this server as "6"

HostB(config)# ntp server 1.1.1.1 key 6

Verify Configurations

 Display the configurations of NTP server. Key points: NTP master clock configuration, NTP server's IP address, and
authentication related configurations.
HostA#show run
!
interface fastEthernet 0/1
ip address 1.1.1.1 255.255.255.0
!
ntp authentication-key 6 md5 07360623191d300a004609 7
ntp authenticate
ntp trusted-key 6
ntp master 12
!
 Display the configurations of NTP client. Key points: IP address and key ID of NTP server, and authentication related
configurations.
HostB #show run
!
interface fastEthernet 0/2
ip address 1.1.1.20 255.255.255.0
!
ntp authentication-key 6 md5 141a4f012d1d3c23174905 7
ntp authenticate
ntp trusted-key 6
ntp server 1.1.1.1 key 6
!

After proper configuration, the following log will be printed on the CLI interface:

*Sep 9 11:31:29: %SYS-6-CLOCKUPDATE: System clock has been updated to 11:31:29 UTC Wed Sep
9 2009.
The above log indicates that the clock of HostB (NTP client) has been updated.

 Display NTP status of NTP server


HostA #show ntp status
Clock is synchronized, stratum 12, reference is 127.127.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CE521261.E52DECA2 (11:39:13.000 UTC Wed, Sep 9, 2009)
clock offset is 0.00000 sec, root delay is 0.00000 sec
root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec
 Display NTP status of NTP client. Key points: NTP server address and stratum.
HostB#show ntp status
Clock is synchronized, stratum 13, reference is 1.1.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CE5212A1.E5D712A0 (11:40:17.000 UTC Wed, Sep 9, 2009)
clock offset is -0.00005 sec, root delay is 0.00000 sec
root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec

The above information shows that the NTP client has successfully connected to the server and the time of Host B has
been synchronized with the time of Host A, with stratum level being higher than that of Host A by 1 level (i.e., 13).
Configuration Guide Configuring SNTP

Configuring SNTP

Overview

Network Time Protocol (NTP) is designed for time synchronization on network devices. Another protocol, Simple Network
Time Protocol (SNTP), can also be used to synchronize network time.

NTP can be used across various platforms and operating systems, provides precise time calculation (1-50 ms precision),
and compensates for latency and jitter in the network. NTP also provides an authentication mechanism with a high
security level. However, the NTP algorithm is complicated and demands a more capable system.

As a simplified version of NTP, SNTP simplifies the time calculation algorithm while still performing well, with a
precision of about 1 s.

The SNTP client is fully compatible with the NTP server because SNTP and NTP messages have the same format.

SNTP Fundamentals

SNTP works in client/server mode. The server sets its standard system time by receiving a GPS signal or from an atomic
clock. The client obtains accurate time by accessing the server regularly and adjusts its system clock to synchronize the
time.

Figure-1 SNTP timestamp exchange between client and server

T1: time request sent by client (client time), marked "Originate Timestamp";

T2: time request received at server (server time), marked "Receive Timestamp";

T3: time reply sent by server (server time), marked "Transmit Timestamp";

T4: time reply received at client (client time), marked "Destination Timestamp".
t: clock offset between the server and the client

d: round-trip delay between the server and the client

The following formula calculates the time:

∵ T2 = T1 + t + d / 2;
∴ T2 - T1 = t + d / 2;
∵ T4 = T3 - t + d / 2;
∴ T3 - T4 = t - d / 2;
∴ d = (T4 - T1) - (T3 - T2);
t = ((T2 - T1) + (T3 - T4)) / 2;

Then, according to the value of t and d, SNTP Client gets the current time: T4+t.
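The following added example (not code from the Ruijie guide) serves two passages: it decodes the 64-bit reference time that show ntp status prints in the NTP chapter (for instance CE511CC9.37EB5B2D, shown there as 18:11:21 UTC Sep 8 2009) and it carries the SNTP offset and delay formula above through a constructed four-timestamp exchange, returning the corrected client time T4 + t. The timestamps of the exchange are constructed values.

```python
# Added example; not code from the Ruijie guide. Decodes the NTP 64-bit
# "reference time" printed by show ntp status and applies the SNTP formula
# t = ((T2 - T1) + (T3 - T4)) / 2, d = (T4 - T1) - (T3 - T2) to constructed
# timestamps. The exchange values in demo() are constructed for this example.
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01


def ntp_hex_to_unix(text: str) -> float:
    """'SSSSSSSS.FFFFFFFF' (hex seconds since 1900, hex 32-bit fraction) -> Unix seconds."""
    secs_hex, frac_hex = text.strip().split(".")
    seconds = int(secs_hex, 16) - NTP_EPOCH_OFFSET
    fraction = int(frac_hex, 16) / (1 << 32)
    return seconds + fraction


def ntp_hex_to_datetime(text: str) -> datetime:
    """Same value as a UTC datetime, i.e. the text the CLI prints in parentheses."""
    return datetime.fromtimestamp(ntp_hex_to_unix(text), tz=timezone.utc)


def sntp_offset_delay(t1: float, t2: float, t3: float, t4: float):
    """Return (t, d): t is the server-minus-client clock offset and d the
    round-trip delay. The formula assumes both one-way delays equal d / 2;
    an asymmetric path shows up as an error in t, not in d."""
    d = (t4 - t1) - (t3 - t2)
    t = ((t2 - t1) + (t3 - t4)) / 2
    return t, d


def corrected_client_time(t1: float, t2: float, t3: float, t4: float) -> float:
    """The time the SNTP client adopts once the reply arrives: T4 + t."""
    t, _ = sntp_offset_delay(t1, t2, t3, t4)
    return t4 + t


def demo() -> dict:
    # Constructed exchange: client clock 100 s slow, 20 ms each way,
    # 10 ms of server processing between receive and transmit.
    t1 = 1000.000  # Originate Timestamp: client clock when the request is sent
    t2 = 1100.020  # Receive Timestamp: server clock when the request arrives
    t3 = 1100.030  # Transmit Timestamp: server clock when the reply is sent
    t4 = 1000.050  # Destination Timestamp: client clock when the reply arrives
    return {
        "offset_delay": sntp_offset_delay(t1, t2, t3, t4),
        "client_time": corrected_client_time(t1, t2, t3, t4),
        "ref_time": ntp_hex_to_datetime("CE511CC9.37EB5B2D"),
    }
```

The CLI prints the reference time with a .000 fraction, while the hex fraction field (here 0x37EB5B2D, about 0.22 s) still carries the sub-second part.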

Configuring SNTP

Default Configuration
By default, the SNTP configurations are as follows:

Features Default Settings

SNTP status Disabled.

IP address for the NTP server None

SNTP Sync Interval 1,800 seconds

Local Time-zone GMT+8

Enabling SNTP
To enable the SNTP, run the following command in global configuration mode:

Command Function

Ruijie(config)# sntp enable Enable SNTP and synchronize the time once immediately. (To prevent frequent time synchronization, the sync interval must not be less than 5 s.)

To disable the SNTP, use the no sntp enable command.

Configuring the IP Address for the NTP Server


The SNTP client is fully compatible with the NTP server because SNTP and NTP messages have the same format. There
are many NTP servers in the network; choose one with lower latency as the NTP server.

For the detailed NTP server IP addresses, please login to http://www.time.edu.cn/ or http://www.ntp.org/. For example,
192.43.244.18(time.nist.gov).

To set the IP address for the SNTP server, run the following commands in global configuration mode:

Command                                                            Function
Ruijie(config)# sntp server [ oob ] ip-address [ via mgmt-name ]   Specifies the IP address of the SNTP server.

Configuring the SNTP Sync Interval


To keep the time adjusted, set the sync interval at which the SNTP client polls the NTP server.

To configure the SNTP sync interval, run the following commands in the global configuration mode:

Command                               Function
Ruijie(config)# sntp interval seconds Configures the SNTP sync interval, in seconds. Interval range: 60-65535s; default value: 1800s.

A changed sync interval does not take effect on its own: run the sntp enable command again immediately after
configuring the SNTP sync interval.

Configuring the Local Time-zone


The time obtained through SNTP is Greenwich Mean Time (GMT). To obtain the correct local time, you need to set the
local time-zone, which is applied as an offset to GMT.

To configure the local time-zone, run the following command in global configuration mode:

Command                                     Function
Ruijie(config)# clock time-zone time-zone   Configures the time-zone, ranging from GMT-23 to GMT+23, where "-" indicates a western zone, "+" indicates an eastern zone and "0" indicates Greenwich Mean Time. The default time-zone is GMT+8, Beijing time.

To restore the local time-zone to the default, use the command no clock time-zone.

Displaying SNTP Configuration

Execute the show sntp command in privileged EXEC mode to display the current SNTP configuration.

Ruijie# show sntp
SNTP state : ENABLE //to view whether SNTP is enabled or not
SNTP server : 192.168.4.12 //NTP Server
SNTP sync interval : 60 //SNTP sync interval
Time zone : +8 //Local Time-zone
Configuration Guide Configuring Time Range

Configuring Time Range

Overview

Time Range is a time-based control service that provides some applications with time control. For example, you can
configure a time range and associate it with an access control list (ACL) so that the ACL takes effect within certain time
periods of a week.

Typical Application              Scenario
Applying Time Range to an ACL    Apply a time range to an ACL module so that the time-based ACL takes effect only within the time range.

Applying Time Range to an ACL


Application Scenario

An organization allows users to access the Telnet service on a remote Unix host during working hours only, as shown in
Figure 1-7.

Figure 1-7

Note
Configure an ACL on device B to implement the following security function:

Hosts in network segment 192.168.12.0/24 can access the Telnet service on a remote Unix host during
normal working hours only.

Functional Deployment

 On device B, apply an ACL to control Telnet service access of users in network segment 192.168.12.0/24. Associate
the ACL with a time range, so that the users' access to the Unix host is allowed only during working hours.

Function Details

Basic Concepts

 Absolute Time Range

The absolute time range is a time period between a start time and an end time. For example, [12:00 January 1 2000,
12:00 January 1 2001] is a typical absolute time range. When an application based on a time range is associated with the
time range, a certain function can be effective within this time range.

 Periodic Time

Periodic time refers to a periodical interval in the time range. For example, “from 8:00 every Monday to 17:00 every
Friday” is a typical periodic time interval. When a time-based application is associated with the time range, a certain
function can be effective periodically from every Monday to Friday.

Features

Feature                      Function
Using Absolute Time Range    Sets an absolute time range for a time-based application, so that a certain function takes effect within the absolute time range.
Using Periodic Time          Sets periodic time for a time-based application, so that a certain function takes effect within the periodic time.

Using Absolute Time Range


Working Principle

When a time-based application enables a certain function, it determines whether current time is within the absolute time
range. If yes, the function is effective or ineffective at the current time depending on specific configuration.

Related Configuration

 Configuring Time Range

No time range is configured by default.

Use the time-range time-range-name command to configure a time range.

 Configuring Absolute Time Range

The absolute time range is [00:00 January 1, 0, 23:59 December 31, 9999] by default.

Use the absolute { [start time date] | [end time date] } command to configure the absolute time range.

Using Periodic Time

Working Principle

When a time-based application enables a certain function, it determines whether the current time is within the periodic
time. If yes, the function is effective or ineffective at the current time depending on the specific configuration.

Related Configuration

 Configuring Time Range

No time range is configured by default.

Use the time-range time-range-name command to configure a time range.

 Configuring Periodic Time

No periodic time is configured by default.

Use the periodic day-of-the-week time to [day-of-the-week] time command to configure periodic time.
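An added example (not Ruijie code) of the semantics described under Using Absolute Time Range and Using Periodic Time: a small evaluator that decides whether a given moment falls inside an absolute range and a periodic interval such as "Monday 8:00 to Friday 17:00", including an interval that wraps past Sunday. The combination rule (absolute range must hold, then any periodic entry may match) and the exclusive end minute are assumptions, not taken from the guide.

```python
from datetime import datetime

# Added example, not Ruijie code. Models absolute {start|end} plus
# periodic day time to [day] time. Assumptions: the range is active when the absolute
# range holds AND any periodic entry matches; the periodic end minute is exclusive.
DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
MINUTES_PER_DAY = 1440


def week_minute(day, hhmm):
    """Minute of the week for a periodic endpoint such as ('monday', '8:00')."""
    hours, minutes = (int(x) for x in hhmm.split(":"))
    return DAYS[day.lower()] * MINUTES_PER_DAY + hours * 60 + minutes


def periodic_contains(start_day, start_hhmm, end_day, end_hhmm, now):
    """True if now lies in the periodic interval. An interval whose end comes earlier
    in the week than its start (e.g. friday 17:00 to monday 8:00) wraps across Sunday."""
    start = week_minute(start_day, start_hhmm)
    end = week_minute(end_day, end_hhmm)
    cur = now.weekday() * MINUTES_PER_DAY + now.hour * 60 + now.minute
    if start <= end:
        return start <= cur < end
    return cur >= start or cur < end


def time_range_active(now, absolute=None, periodic=()):
    """absolute: (start_datetime, end_datetime) or None for the default unbounded range;
    periodic: iterable of (start_day, start_hhmm, end_day, end_hhmm) tuples."""
    if absolute is not None:
        start, end = absolute
        if not start <= now <= end:
            return False
    if not periodic:
        return True
    return any(periodic_contains(*entry, now) for entry in periodic)


# Constructed inputs matching the working-hours scenario in the text.
WORKING_HOURS = [("monday", "8:00", "friday", "17:00")]
YEAR_2024 = (datetime(2024, 1, 1, 0, 0), datetime(2024, 12, 31, 23, 59))

if __name__ == "__main__":
    for when in (datetime(2024, 1, 3, 10, 0), datetime(2024, 1, 6, 10, 0)):
        print(when, time_range_active(when, YEAR_2024, WORKING_HOURS))
```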

Configuration Details

Configuration Item        Suggestions and Related Commands
Configuring Time Range    Mandatory configuration. Time range configuration is required so as to use the time range function.
                          time-range time-range-name                                  Configures a time range.
                          Optional configuration. You can configure various parameters as necessary.
                          absolute { [start time date] | [end time date] }            Configures an absolute time range.
                          periodic day-of-the-week time to [day-of-the-week] time     Configures periodic time.

Configuring Time Range


Configuration Effect

 Configure a time range, which may be an absolute time range or a periodic time interval, so that a time-range-based
application can enable a certain function within the time range.

Configuration Method

 Configuring Time Range

 Mandatory configuration.
 Perform the configuration on a device to which a time range applies.

 Configuring Absolute Time Range



 Optional configuration.

 Configuring Periodic Time

 Optional configuration.

Verification

 Use the show time-range [time-range-name] command to check time range configuration information.

Related Commands

 Configuring Time Range

Command Syntax          time-range time-range-name
Parameter Description   time-range-name: name of the time range to be created.
Command Mode            Global configuration mode
Usage Guide             Some applications (such as ACL) may run based on time. For example, an ACL can be effective within certain time ranges of a week. To this end, first configure a time range, then configure the relevant time control in time range configuration mode.

 Configuring Absolute Time Range

Command Syntax          absolute { [start time date] | [end time date] }
Parameter Description   start time date: start time of the range.
                        end time date: end time of the range.
Command Mode            Time range configuration mode
Usage Guide             Use the absolute command to configure an absolute time range between a start time and an end time, so that a certain function takes effect within the absolute time range.

 Configuring Periodic Time

Command Syntax          periodic day-of-the-week time to [day-of-the-week] time
Parameter Description   day-of-the-week: the week day when the periodic time starts or ends
                        time: the exact time when the periodic time starts or ends
Command Mode            Time range configuration mode
Usage Guide             Use the periodic command to configure a periodic time interval, so that a certain function takes effect within the periodic time.

Monitoring and Maintaining Time Range

Displaying the Running Status

Function                             Command
Displays time range configuration.   show time-range [time-range-name]
