Copyright Statement
Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification,
transmission, translation or commercial use of this document or any portion of this document, in any form or by any means,
without the prior written consent of Ruijie Networks is prohibited.
Exemption Statement
This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain
the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will
not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
Preface
Thank you for using our products. This manual matches the RGOS Release 11.1(5)B6.
Audience
Network engineers
Technical support and servicing engineers
Network administrators
Related Documents
Documents Description
Hardware Installation and Reference Guide Describes the functional and physical features and provides the device installation steps, hardware troubleshooting, module technical specifications, and specifications and usage guidelines for cables and connectors.
Conventions
Convention Description
italic font Arguments for which you supply values are in italics.
{x|y|z} Alternative keywords are grouped in braces and separated by vertical bars.
Caution symbol Means the reader should be careful. In this situation, you might do something that could result in equipment damage or
loss of data.
RG-WLAN Series Access Point
Release 11.1(5)B6
Configuring AP Management
Overview
A wireless local area network (WLAN) links computers and other devices using wireless communication technology to
form a network system for communication and resource sharing with each other. The essential characteristic of a
WLAN is that computers are connected to the network through wireless means rather than cables, making the
construction of networks and the mobility of terminals more flexible.
1) Access Point (AP): Access points serve as a bridge between wireless terminals and the wired network, allowing wireless
terminals to access the wired network.
2) Access Controller (AC): Access controllers are connected with APs through the wired network for centralized
management of APs.
3) Radio Frequency: A WLAN uses radio frequencies as the transmission medium for the communication between APs
and wireless terminals and between wireless terminals.
4) Frequency band: the range of frequencies used. In a WLAN, wireless devices may support different 802.11
standards, which work at different frequency ranges.
5) Wireless user: the user that accesses the network through a wireless terminal.
1) 802.11b
It works at the frequency band of 2.4GHz at a transmission rate up to 11Mb/s, which can be 11, 5.5, 2 or 1Mb/s based on
actual needs.
2) 802.11a
It works at the frequency band of 5GHz, at a transmission rate up to 54Mb/s, which can be 48, 36, 24, 18, 12, 9 or 6Mb/s
based on actual needs.
3) 802.11g
Configuration Guide Configuring AP Management
It works at the frequency band of 2.4GHz, at a transmission rate up to 54Mb/s. Devices supporting 802.11g also support
802.11b.
4) 802.11n
It can work at the frequency bands of 2.4GHz and 5GHz, at a transmission rate up to 600Mb/s. Devices supporting
802.11n also support 802.11a/b/g.
License
The license function protects the rights of authorized users. With the license activation key, the
user can confirm whether the license is valid and obtain the corresponding authorization. The license function
controls the maximum number of APs supported by the AC. The maximum AP number, the license
type and the detailed format of each license type differ between devices.
The user configures or adds a valid license by executing the command; the license entered must be valid and applicable to
the device. If the authorized AP number has already reached the maximum AP number supported by the device, no new license
can be configured or added.
In this configuration guide, the license activation key configured on the device is also called the license, license
ID, license key, etc., and the serial number of the purchased license CD is called the license serial number.
The following are the attributes and usage restrictions of the license function:
1) A license that the user applied for can only be used on the specified device and is invalid on other devices.
2) Once configured, the license takes effect permanently, that is, the user is authorized to use this license forever.
3) Once configured, the license takes effect immediately, that is, the license can be used without resetting the device.
4) Multiple licenses can be configured on one device, that is, the maximum AP number supported by the device is the
sum of the AP numbers authorized by the individual licenses. However, the maximum AP number authorized by
licenses cannot exceed the maximum AP number supported by the device itself.
AC Redundancy
In order to provide services for wireless users, an AP must maintain a connection with a specific AC. If this AC fails suddenly,
the AP is unable to connect to an AC and service fails. To enhance serviceability, the AC redundancy feature is
introduced.
AC redundancy assigns multiple ACs to the AP. When one AC fails, the AP can use a backup AC. AC redundancy greatly
improves the reliability of the AC cluster and avoids the situation in which the downstream APs cannot provide services because of the
failure of a single AC.
Generally, when the connection between the AP and the AC fails, the AP looks for the backup AC. By default, an AC accepts
APs in the order in which their association requests arrive. Failover priority lets you assign a priority level to each AP,
so that the AC accepts AP access requests according to the priority level of the AP, ensuring that high-priority APs are
given precedence when connecting to the AC.
When the number of APs connected to the AC has reached the threshold and a new AP requests to associate with this AC with
a priority level higher than that of some connected APs, the AC randomly kicks out one AP from among the associated APs
with the lowest priority level, so that the new AP can associate with this AC.
The priority level of AP ranges from 1 to 4. 1 indicates the lowest priority level.
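The admission rule above, as an added Python example (not Ruijie's code): an AC with a fixed AP threshold and priorities 1 (lowest) to 4, plus the AP side trying its configured ACs in order and landing on the first that accepts it. The threshold values, the AP and AC names and the injectable random source are assumptions of this example.

```python
import random
from dataclasses import dataclass, field

LOWEST_PRIORITY, HIGHEST_PRIORITY = 1, 4   # per the guide: 1 is the lowest level


@dataclass
class AccessController:
    """One AC: accepts APs until `threshold` is reached, then lets a higher-priority
    newcomer evict one randomly chosen AP of the lowest priority present."""
    name: str
    threshold: int                       # assumed capacity (in practice license-bound)
    rng: random.Random = field(default_factory=random.Random)  # injectable for tests
    associated: dict = field(default_factory=dict)             # ap name -> priority

    def admit(self, ap: str, priority: int):
        """Return (accepted, evicted_ap). evicted_ap is None unless a kick-out happened."""
        if not LOWEST_PRIORITY <= priority <= HIGHEST_PRIORITY:
            raise ValueError(f"priority {priority} is outside {LOWEST_PRIORITY}..{HIGHEST_PRIORITY}")
        if ap in self.associated:            # re-join of an AP we already hold
            return True, None
        if len(self.associated) < self.threshold:
            self.associated[ap] = priority   # below threshold: first come, first served
            return True, None
        lowest = min(self.associated.values())
        if priority <= lowest:               # full, and newcomer is not strictly higher
            return False, None
        candidates = [n for n, p in self.associated.items() if p == lowest]
        victim = self.rng.choice(candidates) # random pick among the lowest-priority APs
        del self.associated[victim]
        self.associated[ap] = priority
        return True, victim


def connect_with_failover(ap: str, priority: int, acs: list):
    """AP side of AC redundancy: try the configured ACs in order and return the
    name of the first one that accepts the AP, or None if all of them refuse."""
    for ac in acs:
        accepted, _ = ac.admit(ap, priority)
        if accepted:
            return ac.name
    return None


if __name__ == "__main__":
    primary = AccessController("AC-1", threshold=2, rng=random.Random(7))
    backup = AccessController("AC-2", threshold=2)
    for ap_name in ("ap-lobby", "ap-store"):
        connect_with_failover(ap_name, 1, [primary, backup])
    print(primary.admit("ap-ops", 4))                               # evicts one priority-1 AP
    print(connect_with_failover("ap-guest", 1, [primary, backup]))  # lands on AC-2
```

Note that a full AC refuses a newcomer whose priority merely equals the lowest present; only a strictly higher priority triggers the kick-out, so a fleet of equal-priority APs cannot churn each other off a saturated controller.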
Connection of wireless terminals to network is completed in three steps: scanning, authentication and association, as
shown in the figure below.
Scanning
Before a wireless terminal is connected to a network, it searches available networks in its location. The searching is
performed by either active or passive scanning.
Active scanning: The wireless terminal sends a Probe Request frame to request joining the network. After the AP
has received the Probe Request frame, it sends back a Probe Response frame.
Passive scanning: The AP periodically broadcasts Beacon frames (which carry the SSID associated to the AP), and the
wireless terminal listens to Beacon frames to identify networks.
Authentication
If a wireless terminal has received Probe Response frames from APs, it selects one candidate AP for association.
Authentication is required before association; it is either open system authentication or shared key authentication.
Authentication: The wireless terminal sends Authentication Request frame to the selected AP requesting for
authentication. After the AP has received the Authentication Request frame, it sends back Authentication Response
frame.
Association
After the authentication, the wireless terminal is able to establish association with the selected AP. The association
process is as follows: The wireless terminal sends Association Request frame to the selected AP requesting for
association. After the AP has received the Association Request frame, it sends back the Association Response frame.
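The three-step sequence above as an added Python model (example code, not from the guide or the product): the AP side answers probes, authentications and association requests, and the STA side drives the three steps in order. It uses the standard 802.11 values for the fields it models: authentication algorithm 0 is Open System and 1 is Shared Key, status code 0 is success and 13 means the authentication algorithm is not supported, and an association request from a station that has not authenticated is a Class 2 frame, answered with a Deauthentication carrying reason code 6. The Shared Key challenge exchange is not modelled, and the frame dictionaries, the SSID and the station names are constructed for the example.

```python
from dataclasses import dataclass, field

OPEN_SYSTEM, SHARED_KEY = 0, 1                       # Authentication Algorithm Number
STATUS_SUCCESS, STATUS_UNSUPPORTED_AUTH_ALG = 0, 13  # 802.11 status codes
REASON_CLASS2_FROM_NONAUTH_STA = 6                   # 802.11 reason code
BROADCAST_SSID = ""                                  # wildcard SSID in a probe request


@dataclass
class AccessPoint:
    ssid: str
    auth_alg: int = OPEN_SYSTEM            # the only algorithm this AP accepts
    authenticated: set = field(default_factory=set)
    associated: dict = field(default_factory=dict)   # sta -> association ID
    next_aid: int = 1

    def beacon(self) -> dict:
        """Passive scanning: the AP periodically advertises its SSID."""
        return {"type": "Beacon", "ssid": self.ssid}

    def handle(self, sta: str, frame: dict):
        """Process one management frame from `sta`; return the reply frame or None."""
        kind = frame["type"]
        if kind == "ProbeRequest":
            # Active scanning: answer a wildcard probe or one naming our SSID; ignore others.
            if frame.get("ssid") in (BROADCAST_SSID, self.ssid):
                return {"type": "ProbeResponse", "ssid": self.ssid}
            return None
        if kind == "Authentication":
            if frame["alg"] != self.auth_alg:
                return {"type": "Authentication", "status": STATUS_UNSUPPORTED_AUTH_ALG}
            self.authenticated.add(sta)       # Open System: a single request/response pair
            return {"type": "Authentication", "status": STATUS_SUCCESS}
        if kind == "AssociationRequest":
            if sta not in self.authenticated:
                # Class 2 frame from a non-authenticated station: deauthenticate, do not associate.
                return {"type": "Deauthentication", "reason": REASON_CLASS2_FROM_NONAUTH_STA}
            if sta not in self.associated:
                self.associated[sta] = self.next_aid
                self.next_aid += 1
            return {"type": "AssociationResponse", "status": STATUS_SUCCESS,
                    "aid": self.associated[sta]}
        if kind == "Deauthentication":
            # Deauthentication also ends the association; the STA must restart at step 2.
            self.authenticated.discard(sta)
            self.associated.pop(sta, None)
            return None
        raise ValueError(f"unhandled frame type {kind!r}")


def join(ap: AccessPoint, sta: str, alg: int = OPEN_SYSTEM):
    """STA side: scan, authenticate, associate. Returns the AID, or None on failure."""
    if ap.handle(sta, {"type": "ProbeRequest", "ssid": BROADCAST_SSID}) is None:
        return None
    auth = ap.handle(sta, {"type": "Authentication", "alg": alg})
    if auth["status"] != STATUS_SUCCESS:
        return None
    resp = ap.handle(sta, {"type": "AssociationRequest", "ssid": ap.ssid})
    if resp["type"] != "AssociationResponse" or resp["status"] != STATUS_SUCCESS:
        return None
    return resp["aid"]
```

The ordering check in `handle` is the part worth keeping in mind when reading capture files: an AP that accepted association requests from unauthenticated stations would be skipping the state machine that the later 802.1X/4-way handshake builds on, so an association response without a preceding successful authentication exchange is a finding, not noise.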
WLAN Communication
A WLAN is a network combining wired network and wireless communication. The wireless interfaces of APs are
connected to wireless terminals for communication through 802.11 frames; the Ethernet ports of APs are connected with
the wired network for communication through 802.3 frames.
In a network with fat APs, the APs independently complete the conversion between 802.11 frames and 802.3 frames for
communication between the wired and the wireless networks.
In a network with fit APs, control channels and data channels are established between ACs and APs through the
CAPWAP protocol. The control channels are for configuration of APs at the AC and for APs to send event notices to the
AC, and the data channels are for sending data messages between the APs and the AC.
The data communication in a network with fit APs is usually in the Split MAC mode or the Local MAC mode. The Local
MAC mode is further classified into centralized forward mode and local forward mode.
Split MAC mode: After the AP receives an 802.11 frame, it encapsulates the unmodified frame in CAPWAP and forwards it to the AC;
the AC then de-encapsulates the frame and converts the 802.11 frame into an 802.3 frame; and vice versa.
Centralized forward mode: After the AP receives an 802.11 frame, it locally converts the frame into an 802.3 frame
and then forwards the frame to the AC after CAPWAP encapsulation; and vice versa.
Local forward mode: After the AP receives an 802.11 frame, it locally processes and forwards the frame without
sending it to the AC via the CAPWAP tunnel.
Configuration
Command Function
Ruijie# config terminal Enters global configuration mode.
Ruijie(config)# ap-mode fit Switches the AP to fit mode.
Ruijie(config)# ap-mode fat [dhcp] Switches the AP to fat mode. When the dhcp parameter is configured, the AP enables DHCP to obtain an IP address by default; otherwise the AP uses a static IP address by default.
After switching the AP working mode, restart the device to ensure configuration consistency.
For Ruijie Networks' WALL-AP, when working as a fat AP, the default IP address of the rear wired interface (which is
connected to the PoE switching device) is 192.168.110.1/255.255.255.0; the default IP address of the front wired
interface (the Ethernet port on the front panel) is 192.168.111.1/255.255.255.0.
When the command ap-mode fat dhcp is configured, once the AP is switched to fat mode, the fat AP obtains its IP
address through DHCP. After the AP is restarted without further related configuration, it still obtains its IP address through
DHCP.
When the command ap-mode fat dhcp is configured on the WALL-AP, DHCP is enabled only on the rear
wired interface by default; that is to say, by default the front interface still uses a static IP address.
You cannot use the commands ap-mode fat dhcp and ap-mode fat to switch directly between the two fat-mode variants.
You should switch to fit mode first and then perform the switchover.
Configuration Example:
Use the following commands in privileged EXEC mode to display AP management configuration.
Command Function
show ap-mode Displays the AP mode.
Configuration Guide Configuring STA Management
Overview
Station management (STAMG) provides services for controlling STA access and notifying STA-related events.
1. Configuring a dynamic blacklist in a network that requires high security, to prevent STA attacks.
Association Control
Association control is a method of controlling the association behavior of wireless STAs. STAs are grouped; one STA in the group is
defined as the master STA and the others as secondary-STAs, which must follow the master STA: the wireless network that the
secondary-STAs associate with is forced to be the same as that of the master STA. In this way the association
behavior of wireless terminals can be controlled.
1) Association control zone: the wireless network made up of one AP or one group of APs. At any one time, a
STA group can only successfully associate with an AP in a single association control zone.
2) Terminal package: a group of STAs consisting of the master STA and the secondary-STAs.
Secondary-STAs cannot be separated from the master STA and associate alone with an AP in a control zone. They
can only follow the master STA; they can only associate with an AP in the control zone with which the master STA
associates.
Divide the scope of the wireless network into several association control zones, place one or several APs in every
association control zone, then group the wireless terminals to strictly control the control zones that a terminal can
associate with. Take the school e-bag application for instance: a school has many classrooms in which wireless
APs are installed, and the wireless signal travels between them. When two neighboring classrooms are both using the e-bag, the
ideal situation is that the teachers' and students' computers all associate with the local APs, so that every class can proceed
without interruption. This requires each classroom to be an association control zone, with the students' and teachers'
computers all associating with the local wireless APs. Currently, the fit AP framework and the fat AP framework are the two
wireless networking methods. The following is a sketch of how each method uses association control.
The figure below shows the fit AP framework of the association control application.
Premise
The purpose of association control is to prevent terminals from associating at random when there are many
wireless networks. The premise of the network configuration is as follows:
Set each association control zone up as a WLAN subnet and allocate a VLAN to each subnet. In this way, broadcast
and multicast traffic is confined to the local control zone, so that the applications in the association
control zone run smoothly.
Use different SSIDs for all WLAN subnets, for example the association control zone's name as the SSID for easier
differentiation. This makes it easier for the master STA and secondary-STAs in the terminal package to associate with the designated APs in
the association control zone.
Working Principle
The AC sends all information about the master STA in the terminal package to all APs in the association control zone,
according to the pre-configured information of the association control zone and the terminal package.
Because all information about the master STA in the terminal package is on the APs' white list, when association control is applied
the master STA needs to associate with the corresponding SSID in the control zone first.
After the master STA completes the association, the AC sends all secondary-STAs to all APs in the association
control zone according to the configuration of the terminal package the master STA belongs to, and creates the white list;
the secondary-STAs are then allowed to associate within the local control zone.
When the master STA releases the association and logs off, all corresponding secondary-STAs go offline and are
deleted from the white list of the APs in the association control zone.
The above process can be briefly summarized as: secondary-STAs follow the master STA; whichever APs
the master STA associates with, the secondary-STAs must follow and associate with the APs in that association control zone.
The corresponding white list exists only on the APs of that association zone; since the list does not exist on APs in
other association control zones, STAs cannot associate at random.
The figure below shows the fat AP framework of the association control application.
Premise
The purpose of association control is to prevent terminals from associating at random when there are many
wireless networks. The premise of the network configuration is as follows:
Set each association control zone up as a WLAN subnet and allocate a VLAN to each subnet. In this way, broadcast
and multicast traffic is confined to the local control zone, so that the applications in the association
control zone run smoothly.
Use different SSIDs for all WLAN subnets, for example the association control zone's name as the SSID for easier
differentiation. This makes it easier for the master STA and secondary-STAs in the terminal package to associate with the designated
APs in the association control zone.
Working Principle
The AP adds all information about the master STA to its white list according to the pre-configured information of the
association control zone and the terminal package.
Because all information about the master STA in the terminal package is on the AP's white list, when association control is applied
the master STA needs to associate with the corresponding SSID in the control zone first.
After the master STA completes the association, the AP creates a white list of all secondary-STAs according to the
configuration of the terminal package the master STA belongs to; the secondary-STAs are then allowed to associate
within the local control zone.
When the master STA releases the association and logs off, all corresponding secondary-STAs go offline and are
deleted from the fat AP's white list.
The above process can be briefly summarized as: secondary-STAs follow the master STA; whichever fat
AP the master STA associates with, the students' computers must follow and associate with that fat AP. This prevents
misbehaving students from associating at random: the secondary-STAs cannot associate with other
APs.
In the fit AP framework, the master STA and the secondary-STAs may be distributed over several APs in a
control zone. In the fat AP framework, the master STA and the secondary-STAs associate with only one AP.
Unlike the fit AP framework, where the AC performs the management, each fat AP performs the
management on its own; if the master STA associates with one fat AP, the other fat APs cannot know
which fat AP the master STA associated with. Therefore, following the principle that secondary-STAs must
follow the master STA, the secondary-STAs must associate with the same fat AP that the master STA
associates with.
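The white-list logic of both frameworks above, as an added Python model (example code, not the AC's or the AP's implementation). One rule covers both cases: masters are white-listed on every AP up front; when a master associates with an AP, its secondaries are white-listed on every AP of that AP's zone; when the master leaves, they are removed from those white lists and taken offline. A fat AP is modelled as a zone containing exactly one AP, which is why its secondaries can only follow the master onto that AP. Zone, package and AP names are constructed (the package name and MAC addresses echo the guide's package_1 example), and leaving STAs that belong to no package unaffected is this example's assumption.

```python
from dataclasses import dataclass


@dataclass
class Package:
    name: str
    primary: str          # master STA MAC
    secondaries: set      # secondary-STA MACs


@dataclass
class ControlZone:
    name: str
    aps: set              # AP names; a fat AP is a zone containing exactly one AP


class AssociationControl:
    def __init__(self, zones, packages, enabled=True):
        self.enabled = enabled
        self.zone_of_ap = {ap: z for z in zones for ap in z.aps}
        self.package_of_master = {p.primary: p for p in packages}
        self.controlled = {m for p in packages for m in p.secondaries | {p.primary}}
        self.whitelist = {ap: set() for ap in self.zone_of_ap}   # what each AP holds
        self.online = {}                                          # STA MAC -> AP
        for p in packages:                    # masters are pushed to every AP beforehand
            for ap in self.whitelist:
                self.whitelist[ap].add(p.primary)

    def associate(self, mac: str, ap: str) -> bool:
        """AP-side admission decision for one association request."""
        if ap not in self.whitelist:
            raise KeyError(f"unknown AP {ap}")
        if self.enabled and mac in self.controlled and mac not in self.whitelist[ap]:
            return False                      # not on this AP's white list: refused
        self.online[mac] = ap
        pkg = self.package_of_master.get(mac)
        if pkg is not None and self.enabled:  # a master arrived: push its secondaries to the zone
            for zone_ap in self.zone_of_ap[ap].aps:
                self.whitelist[zone_ap] |= pkg.secondaries
        return True

    def disassociate(self, mac: str) -> list:
        """STA leaves; a departing master takes its secondaries offline.
        Returns the sorted list of secondaries that were kicked off."""
        ap = self.online.pop(mac, None)
        pkg = self.package_of_master.get(mac)
        if ap is None or pkg is None or not self.enabled:
            return []
        for zone_ap in self.zone_of_ap[ap].aps:
            self.whitelist[zone_ap] -= pkg.secondaries
        kicked = [s for s in pkg.secondaries if self.online.pop(s, None) is not None]
        return sorted(kicked)
```

With `enabled=False` the model mirrors the guide's note that the commands can still be configured while the function has no effect: every association is admitted and no white lists are pushed.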
Configuration
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# package pkg-name Configure the terminal package named pkg-name and enter terminal package configuration mode. pkg-name is an alphabetic string of 1 to 32 characters.
Ruijie(config-package)# end Quit terminal package configuration mode.
Ruijie# show package View the terminal package configuration.
Use the no package [ pkg-name ] configuration command to delete the terminal package configuration.
Configuration example:
# delete all terminal packages and verify
Ruijie# configure terminal
Ruijie(config)# no package
The operation will clear package(s) configuration, which may cause corresponding STAs offline. Continue? [no]y
Ruijie(config)# end
Ruijie# show package
no package configuration.
When a terminal package is deleted, all configuration relating to the terminal package is deleted, and if
there are STAs online, all those STAs are logged off.
This command exists only on the AC and the fat AP, not on the fit AP.
The AC allows a maximum of 300 terminal packages, and the fat AP 50. An error notice
appears if the number reaches the maximum.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# package pkg-name Enter terminal package configuration mode.
Ruijie(config-package)# primary-sta mac-address Configure the master STA of the terminal package. mac-address is the MAC address of the master STA, in the form xxxx.xxxx.xxxx.
Ruijie(config-package)# end Quit terminal package configuration mode.
Ruijie# show package View the terminal package configuration.
Use the no primary-sta configuration command to delete the master STA configuration.
Configuration Example:
# configure the master STA of the terminal package package_1, MAC address 00d0.f800.0001
Ruijie# configure terminal
Ruijie(config)# package package_1
Ruijie(config-package)# primary-sta 00d0.f800.0001
Ruijie(config-package)# end
Deleting the master STA of a terminal package may take that STA offline, and also takes the other STAs
of the package offline.
One terminal package allows only one master STA. If several master STA configurations
are entered, the last one takes effect.
This command exists only on the AC and the fat AP, not on the fit AP.
Configuring Secondary-STAs
By default, no secondary-STA is configured. Enter privileged EXEC mode and follow the steps below to
configure secondary-STAs:
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# package pkg-name Enter terminal package configuration mode.
Ruijie(config-package)# secondary-sta mac-address Configure a secondary-STA. mac-address is the MAC address of the secondary-STA, in the form xxxx.xxxx.xxxx.
Ruijie(config-package)# end Quit terminal package configuration mode.
Ruijie# show package View the terminal package configuration.
Use the no secondary-sta [ mac-address ] configuration command to delete the secondary-STA configuration.
Configuration Example:
# configure a secondary-STA in the terminal package package_1, MAC address 00d0.f800.0002
Ruijie# configure terminal
Ruijie(config)# package package_1
Ruijie(config-package)# secondary-sta 00d0.f800.0002
Ruijie(config-package)# end
Deleting a secondary-STA from a terminal package may take that STA offline.
A terminal package allows a maximum of 100 secondary-STAs; an error notice appears if the
number reaches the maximum.
This command exists only on the AC and the fat AP, not on the fit AP.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# control-zone czone-name Configure the association control zone and enter association control zone configuration mode. czone-name is the name of the association control zone, 1 to 64 characters long.
Ruijie(config-czone)# end Quit association control zone configuration mode.
Ruijie# show control-zone summary View the summary of the association control zone configuration.
Use the no control-zone [ czone-name ] configuration command to delete the association control zone configuration.
Configuration Example:
Ruijie(config-czone)# end
Ruijie# show control-zone summary
control zone num : 1
Class one Grade one
The names of association control zones cannot be repeated, or an error notice appears. Also,
when an association control zone is deleted, all its associated configuration is deleted, which may
take the corresponding STAs of the terminal package associated with this control zone offline.
This command exists only on the AC and the fat AP, not on the fit AP.
The AC allows a maximum of 300 association control zones, and the fat AP only one. An error notice
appears if the number reaches the maximum.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# control-zone classroom-name Enter association control zone configuration mode.
Ruijie(config-czone)# ap WORD Configure the AP information. WORD is the AP's name, 1 to 64 characters long.
Ruijie# show control-zone View the details of the association control zone configuration.
Configuration Example:
# configure the AP information of AP1(1)-2 in the association control zone named "Class one Grade one"
Deleting the AP information from an association control zone may take the corresponding STAs of the
terminal package on that AP offline.
This command exists only on the AC and the fat AP, not on the fit AP.
An association control zone allows a maximum of 5 APs. An error notice
appears if the number reaches the maximum.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# assoc-control Enable the association control function.
Ruijie(config)# exit Quit global configuration mode.
Ruijie# show assoc-control View whether association control is currently enabled.
Use the no assoc-control configuration command to disable the association control function.
Configuration Example:
Ruijie# configure terminal
Ruijie(config)# assoc-control
Ruijie(config)# exit
Ruijie# show assoc-control
Association control is enabled.
This command exists only on the AC and the fat AP, not on the fit AP.
When the association control function is disabled, the related commands can still be configured, but the
function does not take effect.
Displaying Configuration
Command Function
show assoc-control Display the state of the association control.
show control-zone [ summary | czone-name ] Display the association control-zone configuration.
show package [ pkg-name ] Display the terminal package configuration.
Configuration Guide Configuring Ethernet Management
Overview
Ethernet Management (ETH-MNG) is an AP wired parameter management service used to configure the wired parameters of
APs.
The LAN interface bandwidth restriction function, a fundamental service of ETH-MNG, configures the
maximum bandwidth of the LAN interfaces of APs, so as to avoid slow Internet access for wireless users in a
scenario where wireless and wired users coexist and the wired users occupy a substantial share of the bandwidth.
N/A
Features
Basic Concepts
N/A
Overview
Feature Description
LAN Interface Bandwidth Restriction Configure the maximum bandwidth of the LAN interfaces of APs so as to avoid slow Internet access for wireless users in a scenario where wireless and wired users coexist and the wired users occupy a substantial share of the bandwidth.
Working Principle
The LAN interface bandwidth restriction function is used to configure the maximum bandwidth of various LAN interfaces of
APs so as to avoid the slow Internet access of wireless users caused in a scenario where wireless and wired users coexist
and wired users occupy a substantial bandwidth.
Configuration
Configuring the Maximum Bandwidth of LAN Interfaces Optional configuration, used to configure the maximum bandwidth of the LAN interfaces of APs.
Networking Requirements
Notes
N/A
Configuration Steps
Run the wired-rate command to configure the maximum bandwidth of various LAN interfaces.
Verification
Run the show running-config command to display the configuration about the bandwidth restriction of various LAN
interfaces.
Configuration Example
Configuration Steps
AP120-W On one AP120-W, set the maximum bandwidth of FastEthernet 0/4 to 40 Mbps.
Verification
On the AP, run the show running-config command to display the configuration.
Common Errors
N/A
Monitoring
N/A
Configuration Guide Configuring Data Plane
Overview
The data plane provides broadcast forwarding control functions, including broadcast forwarding weight control and
broadcast wireless forwarding control.
Broadcast forwarding weight control means restricting the weights of packet types for broadcast forwarding, so as to
prevent STAs from being influenced when a certain type of packets occupy all resources.
Broadcast wireless forwarding control means forwarding only necessary packets to the wireless network, so as to prevent
some useless broadcast packets from occupying substantial radio frequency (RF) resources.
Broadcast wireless forwarding control is applicable to all packets to be sent to the radio interface.
N/A
Applications
Application Description
Broadcast Forwarding Control Set up the network with at least one AC and one fit AP.
Scenario
An AC is deployed in the wireless network with the broadcast wireless forwarding control function enabled.
The AC controls the wireless forwarding of broadcast packets, as shown in Figure 0-1.
Figure 0-1
Corresponding Protocols
Features
Basic Concepts
A network switching device may need to flood broadcast packets, multicast packets, and some unicast packets. A weight
can be set for each type of packets to prevent a certain type of broadcast packets from exhausting all broadcast
forwarding capabilities, thereby improving STAs' network experience.
The broadcast wireless forwarding control function is used to forward only necessary broadcast packets to the wireless
network, so as to prevent certain broadcast packets from occupying substantial air interface resources and improve the
network rates of STAs.
Overview
Feature Description
Broadcast Forwarding Weight Control Restricts the weights of packet types for broadcast forwarding, so as to protect RF resources from being occupied by a single type of packets and thereby guarantee normal forwarding of the other packets.
Broadcast Wireless Forwarding Control Controls whether broadcast packets are forwarded to the wireless network, so as to prevent useless broadcast packets from occupying substantial RF resources.
Working Principle
The broadcast forwarding weight control function works as follows:
Classify packets. Packets are roughly classified into the following types: unicast packets, multicast packets,
broadcast packets, unknown multicast packets, and unknown unicast packets.
Allocate a token bucket to each type of packets, recording the number of packets currently permitted to pass.
According to the configured broadcast forwarding weights, calculate the number of packets permitted to pass within
each interval, and adjust the sizes of the token buckets accordingly.
When a packet arrives, determine its type and check whether there is any token in the token bucket
corresponding to that type. If the token bucket contains a token, the packet is permitted to pass; otherwise, the
packet is discarded.
Working Principle
Wireless networks differ from wired networks in performance. In a wireless network, air interface resources are shared by
STAs and APs and often become the bottleneck for STAs. Moreover, broadcast packets are sent at low rates, so they
occupy the air interface for a long time.
In practice, some broadcast packets are useless for STAs. Forwarding these packets to the wireless network wastes
air interface resources and worsens the user experience.
One solution is to classify broadcast packets for forwarding control, so that only packets of specified types are forwarded to
the wireless network.
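Both data-plane controls described above, as one added Python model (example code, not the device's implementation). `WeightedForwarder` keeps one token bucket per packet class in the order the guide lists them (unicast, multicast, broadcast, unknown multicast, unknown unicast) and refills each by its weight every interval; the weights 100 50 50 25 25 mirror the guide's `data-plane queue-weight` example, and reading a weight as tokens per interval is this example's assumption. `wireless_broadcast_filter` sits in front of the radio and, when the control is enabled, keeps only the broadcast types on an allow-list; the default list (ARP, DHCP) is an assumed policy, not the product's. The MAC addresses and frames are constructed.

```python
CLASSES = ("unicast", "multicast", "broadcast", "unknown_multicast", "unknown_unicast")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def classify(frame: dict, known_macs: set) -> str:
    """Sort a frame into the five classes the guide names. A destination whose
    group bit (least significant bit of the first octet) is set is multicast;
    'known' means the forwarding table already has an entry for it."""
    dst = frame["dst"].lower()
    if dst == BROADCAST_MAC:
        return "broadcast"
    if int(dst.split(":")[0], 16) & 1:
        return "multicast" if dst in known_macs else "unknown_multicast"
    return "unicast" if dst in known_macs else "unknown_unicast"


class WeightedForwarder:
    """One token bucket per class. The configured weight is the bucket size and
    the refill per interval (this example's reading of the weight); a class
    that exhausts its bucket is dropped until the next interval, so it cannot
    starve the others."""

    def __init__(self, weights):
        if len(weights) != len(CLASSES):
            raise ValueError(f"expected {len(CLASSES)} weights, got {len(weights)}")
        self.weights = dict(zip(CLASSES, weights))
        self.tokens = dict(self.weights)

    def new_interval(self):
        self.tokens = dict(self.weights)      # refill every bucket to its weight

    def forward(self, frame: dict, known_macs: set):
        """Return (class, forwarded?) for one frame, consuming a token if it passes."""
        cls = classify(frame, known_macs)
        if self.tokens[cls] <= 0:
            return cls, False
        self.tokens[cls] -= 1
        return cls, True


def wireless_broadcast_filter(frames, control_enabled: bool,
                              necessary=frozenset({"arp", "dhcp"})):
    """Broadcast wireless forwarding control in front of the radio: with the
    function disabled every frame goes out; enabled, only broadcasts whose
    protocol is on the `necessary` list are kept (the list is an assumed policy)."""
    kept = []
    for frame in frames:
        is_broadcast = frame["dst"].lower() == BROADCAST_MAC
        if control_enabled and is_broadcast and frame.get("proto") not in necessary:
            continue
        kept.append(frame)
    return kept


if __name__ == "__main__":
    known = {"00:11:22:33:44:55"}
    fw = WeightedForwarder((100, 50, 50, 25, 25))    # the guide's queue-weight example
    storm = [{"dst": BROADCAST_MAC, "proto": "nbns"}] * 80
    passed = sum(fw.forward(f, known)[1] for f in storm)
    print(f"broadcast storm: {passed} of {len(storm)} forwarded this interval")
    print(fw.forward({"dst": "00:11:22:33:44:55", "proto": "tcp"}, known))
```

The two controls compose: the weight control caps how much of each class survives an interval, and the wireless filter then discards the broadcasts that survived but serve no STA, which is why a broadcast storm (the `storm` list above) never consumes the unicast bucket and only its ARP/DHCP fraction reaches the air.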
Configuration
Broadcast Forwarding Weight Control Optional configuration. Set the weights of packet types for broadcast forwarding.
Broadcast Wireless Forwarding Control Optional configuration. Enable the broadcast wireless forwarding function.
Networking Requirements
You can control the forwarding weight of each packet type according to actual network conditions, so as to avoid
network congestion during a sudden traffic spike.
Notes
N/A
Configuration Steps
Optional configuration. Run the data-plane queue-weight command in global configuration mode to configure the
broadcast forwarding weights.
Verification
Configuration Example
Scenario
Figure 0-2
Configuration Steps Configure the forwarding weights of packet types for broadcast forwarding in global configuration mode.
AC/AP
Ruijie#configure terminal
Ruijie(config)#data-plane queue-weight 100 50 50 25 25
Ruijie(config)#exit
Common Errors
N/A
Networking Requirements
Notes
N/A
Configuration Steps
Optional configuration. By default, the broadcast wireless forwarding function is disabled. Run the data-plane
wireless-broadcast command in global configuration mode to enable or disable this function.
Verification
Configuration Example
Scenario
Figure 0-3
Configuration Steps Enable the broadcast wireless forwarding function in global configuration mode.
AC/AP
Ruijie#configure terminal
Ruijie(config)#data-plane wireless-broadcast enable
Verification The running configuration shows the function enabled:
!
cwmp
!
data-plane wireless-broadcast enable
!
Common Errors
N/A
Monitoring
N/A
Configuration Guide Configuring WLAN WLOG
Overview
WLAN-WLOG is used to collect, store, and check information about WLANs and terminals over a period of time. The
latest 24-hour information about WLANs, APs, and STAs provided through the CLI can help users analyze and locate
problems on WLANs.
Currently, WLAN-WLOG cannot automatically analyze the collected information. WLAN-WLOG is designed to provide
information over the past 24 hours for users to analyze and locate problems based on accurate status information about
WLANs and terminals.
Information collected by WLAN-WLOG is stored on ACs and APs. Currently, APs store only STA space information; everything else is stored on ACs.
Basic Concepts
Network Overview
Version information about online APs, including number of APs of each version
AP Overview
Name of an AP
IP address of the AP
1) Input and output rates for the recent five minutes (bits/s)
2) Statistics on input and output unicast, broadcast, and multicast packets, and incorrect frames
Working channel
STA Overview
IP address
Signal strength
Connection rate
STA space information contains statistics on the data frames and management frames of terminals at every rate, including:
Number of frames transmitted at each rate level in non-MIMO (802.11a/b/g) mode:
Level        0     1       2    3      4      5      6         7
Rate (Mbps)  1/2   5.5/11  6/9  12/18  24/36  48/54  Reserved  Reserved
Number of frames transmitted at each rate level in MIMO mode:
Level  0          1          2          3          4          5            6            7
Rate   mcs0/mcs1  mcs2/mcs3  mcs4/mcs5  mcs6/mcs7  mcs8/mcs9  mcs10/mcs11  mcs12/mcs13  mcs14/mcs15
Space information shows whether an STA is running at a low rate, whether the proportion of frames that are not acknowledged is high, and whether excessive management frames are being received. It helps users locate problems caused by low-rate nodes, management frame attacks (for example floods of probe, authentication or deauthentication frames) and poor RF environments. Because STA space information changes all the time, it is currently collected once every five minutes, and because of its volume it is stored only on APs.
AP Actions
AP actions include: getting online, getting offline, and processing CAPWAP connection failures.
STA Actions
STA actions include: associating, disassociating, roaming, getting online through web authentication, getting offline
through web authentication, getting online through 802.1x authentication, and getting offline through 802.1x
authentication.
Working Principle
Information on ACs is collected in the following modes:
Periodic collection
Information about the whole-network overview, AP overview and STA overview is collected and stored at regular intervals, for example hourly. The AP overview and STA overview contain information about all online APs and STAs.
AP actions: information is collected and stored when a related module notifies the WLAN-WLOG module that an AP action has occurred.
STA actions: information is collected and stored when a related module notifies the WLAN-WLOG module that an STA action has occurred.
On APs, only STA space information is collected, and it is collected periodically.
Default Configuration
Configuring WLAN-WLOG
Command Function
Ruijie(config)# wlan diag enable Enables the WLOG function.
When the WLAN-WLOG function is enabled, memory is pre-allocated. If there is not enough free memory, the WLAN-WLOG function cannot be enabled.
When the WLAN-WLOG function is disabled, all memory used by the WLAN-WLOG module, including the pre-allocated memory for storing collected information, is reclaimed.
The command for displaying STA statistics is supported on APs. The displayed statistics vary with the options set in the command.
Command Function
Ruijie#show wlan diag sta [ sta-mac STA_MAC ] [ number NUMBER ]    Displays STA statistics.
    sta-mac STA_MAC specifies the STA whose statistics are displayed. If it is not set, statistics about all STAs are displayed.
    number NUMBER specifies the maximum number of records.
=========================================================================================
2012-05-28 19:31:08
wlan id  state  rssi_rt  rs_rate_mcs  tx_frm_cnts  rx_frm_cnts  tx_frm_flow  rx_frm_flow  tx_cnts_error  tx_flow_error  mgmt_cnts  mgmt_flow
-------  -----  -------  -----------  -----------  -----------  -----------  -----------  -------------  -------------  ---------  ---------
1        3      23       80           18           59           4384         5967         0              0              3          381
tx/rxmcs       mcs0,mcs1  mcs2,mcs3  mcs4,mcs5  mcs6,mcs7  mcs8,mcs9  mcs10,mcs11  mcs12,mcs13  mcs14,mcs15
-------------  ---------  ---------  ---------  ---------  ---------  -----------  -----------  -----------
txmcspercent : 0          0          0          0          0          0            0            0
rxmcspercent : 0          0          0          0          0          0            0            0
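Checks a practitioner would run over this output, as an added example that is not Ruijie code: it parses `show wlan diag sta` records (tolerating rows the CLI wraps onto two lines) and flags the three conditions the section lists, a STA stuck at the lowest MCS rates, a high proportion of unacknowledged frames, and an excess of management frames. The sample text is constructed (the first record is the one above, the second is fabricated to trigger every check); the thresholds and the reading of tx_cnts_error as unacknowledged transmissions are the editor's assumptions.

```python
"""Checks on 'show wlan diag sta' output for the three conditions the section
names: STAs stuck at low rates, a high proportion of unacknowledged frames, and
an excess of management frames.  Added illustration, not Ruijie code.
Assumptions: the column layout shown in the guide; tx_cnts_error counts
transmitted frames that were not acknowledged; the thresholds are the editor's."""
import re

COLUMNS = ("wlan_id", "state", "rssi_rt", "rs_rate_mcs", "tx_frm_cnts",
           "rx_frm_cnts", "tx_frm_flow", "rx_frm_flow", "tx_cnts_error",
           "tx_flow_error", "mgmt_cnts", "mgmt_flow")

# Editor's thresholds (assumptions, tune for the deployment)
LOW_RATE_PCT = 50      # % of frames at mcs0-mcs3 (levels 0 and 1 of the MIMO table)
NO_ACK_RATIO = 0.20    # unacknowledged / transmitted frames
MGMT_RATIO = 0.50      # management frames / all frames

# Constructed sample. The first record is the one on the page (the CLI wraps a
# row at 80 columns, so it spans two lines); the second record is fabricated to
# show a STA with problems.
SAMPLE = """\
2012-05-28 19:31:08
wlan id state rssi_rt rs_rate_mcs tx_frm_cnts rx_frm_cnts tx_frm_flow rx_frm_flow
tx_cnts_error tx_flow_error mgmt_cnts mgmt_flow
-------- -------- -------- ----------- ----------- ----------- ----------- -----------
1 3 23 80 18 59 4384 5967 0 0
3 381
tx/rxmcs mcs0, mcs1 mcs2, mcs3 mcs4, mcs5 mcs6, mcs7 mcs8, mcs9 mcs10, mcs11
txmcspercent : 0 0 0 0 0 0 0
0
rxmcspercent : 0 0 0 0 0 0 0
0
1 3 9 15 120 40 6000 2100 45 1800 900 72000
txmcspercent : 55 30 10 5 0 0 0 0
rxmcspercent : 40 40 15 5 0 0 0 0
"""

INT_LINE = re.compile(r"^[\d\s]+$")
MCS_LINE = re.compile(r"^(tx|rx)mcspercent\s*:\s*(.*)$")


def parse_diag_output(text):
    """Parse STA records from the CLI text; tolerates rows wrapped across lines."""
    records, pending, target = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = MCS_LINE.match(line)
        if m:
            target = m.group(1) + "mcspercent"
            pending = [int(x) for x in m.group(2).split()]
        elif line and INT_LINE.match(line):
            if target is None:             # first numeric line of a new record
                target = "record"
                pending = []
            pending.extend(int(x) for x in line.split())
        else:
            continue                       # timestamps, headers, separators
        need = len(COLUMNS) if target == "record" else 8
        if len(pending) >= need:
            if target == "record":
                records.append(dict(zip(COLUMNS, pending[:need])))
            elif records:
                records[-1][target] = pending[:need]
            pending, target = [], None
    return records


def assess(rec):
    """Return the list of findings for one STA record."""
    findings = []
    tx_pct = rec.get("txmcspercent", [0] * 8)
    low = tx_pct[0] + tx_pct[1]            # share of frames sent at mcs0-mcs3
    if low > LOW_RATE_PCT:
        findings.append(f"low-rate STA: {low}% of frames sent at mcs0-mcs3")
    if rec["tx_frm_cnts"]:
        ratio = rec["tx_cnts_error"] / rec["tx_frm_cnts"]
        if ratio > NO_ACK_RATIO:
            findings.append(f"high no-ACK proportion: {ratio:.0%} of transmitted frames")
    total = rec["tx_frm_cnts"] + rec["rx_frm_cnts"] + rec["mgmt_cnts"]
    if total:
        ratio = rec["mgmt_cnts"] / total
        if ratio > MGMT_RATIO:
            findings.append(f"excessive management frames: {ratio:.0%} of all frames "
                            "(check for a management-frame attack)")
    return findings


def report(text):
    """(wlan_id, findings) for every record in the output."""
    return [(rec["wlan_id"], assess(rec)) for rec in parse_diag_output(text)]


if __name__ == "__main__":
    for wlan_id, findings in report(SAMPLE):
        print(f"wlan {wlan_id}: " + ("; ".join(findings) or "no findings"))
```

The record from the page produces no findings; the fabricated one trips all three checks, which is the pattern to look for when a single STA is suspected of a management-frame flood or is dragging the cell down with low-rate traffic.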
Networking Requirements
The WLAN-WLOG function is used to collect, store, and display information about a local AC or AP. It has no special
requirements on network topology.
Key Points
Configuration Procedure
For details, see the sections "Displaying Network Overview Statistics", "Displaying AP Statistics", and "Displaying STA
Statistics."
WLAN RF Configuration
Overview
As a wireless access device, an AP implements part of the physical layer and the MAC layer and generally has no switching function. In terms of hardware, it has a single wired uplink, which serves as the data channel for all access users, whether the AP is fat or fit.
In the typical WLAN application shown below, the uplink path from an STA to the access server through a fit AP is STA → fit AP → Switch → Router → Switch → AC → Switch → Router → Server, and through a fat AP it is STA → fat AP → Switch → Router → Server. The downlink path is the reverse.
RF resource scheduling suspends the access service of an AP. It disables the RF or a WLAN of the AP during a period specified by the user, to save power, reduce wireless interference and improve network security. RF resource scheduling aims at security and energy conservation.
Configuration Guide Configuring RF Resource Scheduling
Features
The function of RF resource scheduling applies to wireless access in a fixed period. For example, the wireless access in
the teaching building of a university is only provided during the class hours of the day; the WLAN for visitors in an office
building is only enabled during the work hours on weekdays.
Reduce network traffic, save limited network resources and prevent waste and abuse;
Reduce RF interference, save power and protect the environment;
Reduce exposure by disabling the access service during hours when it is not needed: while the RF or WLAN is off there is nothing for an attacker to associate with.
RF resource scheduling can not only disable the RF of an AP but also disable specifically one or more
WLANs to achieve more accurate control.
Working Principles
First, configure a schedule session, including the scheduling cycle and time. For example, configure a schedule session that disables wireless access at 9 pm and re-enables it at 6 am the next morning on weekdays.
In the fit AP mode, apply the schedule session to an AC based on an AP, AP group or WLAN. For example, for the above
schedule session,
If the schedule session is applied to a single AP, the AP will disable RF at 9pm every weekday and enable the RF at
6am in the next morning;
If the schedule session is applied to an AP group, all the APs in this group will disable RF at 9pm every weekday and
enable the RF at 6am in the next morning;
If the schedule session is applied to a WLAN, all the APs in all the AP groups that provide such WLAN access
service will disable the RF at 9pm every weekday and enable the RF at 6am in the next morning.
In the fat AP mode, apply a schedule session globally or based on a WLAN. For example, for the above schedule session,
If the schedule session is applied globally, the AP will disable RF at 9pm every weekday and enable the RF at 6am in
the next morning;
If the schedule session is applied to a WLAN, the AP will disable the WLAN at 9pm every weekday and enable the
WLAN at 6am in the next morning.
If more than one schedule session applies, conflicts are resolved in favour of disabling:
As long as any schedule session requires the RF or WLAN to be disabled, it is disabled;
The RF or WLAN is enabled only when every schedule session allows it to be enabled.
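The conflict rule above, as an added example that is not Ruijie code: a session is modelled as a set of weekdays plus a disable window, a window whose end is earlier than its start runs over midnight and is attributed to the day it started on, and the radio is on only when no applied session disables it. The two sessions are those of the configuration example in this chapter (every night 23:00 to 07:00, and weekend nights 21:00 to 09:00); the guide does not show the session-creation command, so the session model and the `at` helper are the editor's.

```python
"""Resolution of overlapping RF schedule sessions.

Added illustration, not Ruijie code, of the rule in the guide: a radio or WLAN
is disabled as soon as any applied session requires it, and enabled only when
none does.  A session is a set of weekdays plus a disable window given as
"HH:MM" strings; a window whose end is earlier than its start runs over
midnight and belongs to the day on which it started.  The guide does not show
the session-creation command, so this model is the editor's.
"""
from datetime import datetime

WEEKDAYS = frozenset({0, 1, 2, 3, 4})       # Monday..Friday (datetime.weekday numbering)
WEEKEND = frozenset({5, 6})
EVERY_DAY = WEEKDAYS | WEEKEND


def at(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


class ScheduleSession:
    def __init__(self, sid, days, start, end):
        self.sid = sid
        self.days = frozenset(days)
        self.start = datetime.strptime(start, "%H:%M").time()
        self.end = datetime.strptime(end, "%H:%M").time()

    def disables_at(self, when):
        """True if this session requires the RF/WLAN to be off at `when`."""
        t = when.time()
        if self.start <= self.end:                          # window within one day
            return when.weekday() in self.days and self.start <= t < self.end
        if t >= self.start:                                 # evening part: today's session
            return when.weekday() in self.days
        if t < self.end:                                    # morning part: yesterday's session
            return (when.weekday() - 1) % 7 in self.days
        return False


def who_disables(sessions, when):
    """IDs of the sessions requiring the RF/WLAN to be off at `when` (handy when troubleshooting)."""
    return [s.sid for s in sessions if s.disables_at(when)]


def radio_enabled(sessions, when):
    """The conflict rule: on only when no applied session disables."""
    return not who_disables(sessions, when)


# The two sessions of the configuration example in this chapter:
# session 1 (apg1 and WLAN 1): off 23:00-07:00 every night; session 2 (AP3): off 21:00-09:00 at weekends.
SESSION_1 = ScheduleSession(1, EVERY_DAY, "23:00", "07:00")
SESSION_2 = ScheduleSession(2, WEEKEND, "21:00", "09:00")

if __name__ == "__main__":
    sessions = [SESSION_1, SESSION_2]
    for text in ("2012-05-25 23:30", "2012-05-26 08:00", "2012-05-27 02:00",
                 "2012-05-28 08:00", "2012-05-28 10:00"):
        when = at(text)
        state = "enabled " if radio_enabled(sessions, when) else "disabled"
        print(when.strftime("%a %Y-%m-%d %H:%M"), state, "by sessions", who_disables(sessions, when))
```

Note the Monday 08:00 case: a radio that carries both sessions stays off until 09:00 because Sunday night's weekend window is still running, even though the every-night window ended at 07:00. That is exactly the "disable wins" rule, and `who_disables` tells you which session is responsible.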
None
Default Configuration
The default settings of RF resource scheduling are described in the table below.
Configuration
Command Function
Configuration Example:
# Create session 1 and specify the period as from 9:30 pm every weekday to 6:00 am the next morning.
Ruijie(config)# schedule session sid    Creates a schedule session, or applies an existing schedule session to the radio of the AP or to a WLAN.
    sid is the ID of the schedule session to be created or applied. The range is from 1 to 8 for a fat AP.
By default no schedule session is applied to a WLAN. Use the no form of this command to remove the configuration.
Configuration Example:
# Apply schedule session 1, which has already been created, to the specified WLAN.
Configuration Example:
# Apply schedule session 1 to WLAN 2, provided both schedule session 1 and WLAN 2 have been created.
Monitoring
Command Function
Ruijie# show schedule session [ sid ] Displays configuration of the current schedule session.
sid is the specified session ID, which ranges from 1 to 64.
Configuration Example:
Configuration Examples
Networking Requirements
AP1 and AP2 are dual-band APs, each with two radios; AP3 is a single-band AP with only one radio;
AP1 and AP2 belong to the same AP group “apg1” and are required to be disabled at 11pm every night and enabled
at 7am in the next morning.
AP3 is required to be disabled at 9pm every weekend and enabled at 9am in the next morning;
WLAN 1 is configured on the AC, with the same scheduling requirements as for the AP group “apg1”.
Networking Topology
Configuration Steps
Ruijie(config)#ap-config AP3
Ruijie(config-ap)# schedule session 2 radio 1
Ruijie(config-ap)# exit
Ruijie(config)# wlan-config 1
Ruijie(config-wlan)# schedule session 1
Ruijie(config-wlan)# exit
Verification
……
link-check enable
……
wlan-config 1 <NULL> wlan1
……
schedule session 1
……
ap-group apg1
……
schedule session 1 radio 1
schedule session 1 radio 2
……
ap-config AP3
……
schedule session 2 radio
Configuration Guide Configuring Band Select
The band select function is not supported on the following AP products: AP110-W, AP220-I V1.x, AP220-SI V1.x,
AP220-E V2.x, AP220-SH V2.0, AP220-SH(C) V3.0, AP220-E(M) V2.x, AP620-H(C) V2.x, AP220-E(C) V3.0,
AP220-SH(C) V2.99 or AP220-E(C) V2.99.
Overview
As WLANs have become popular, there are more and more wireless users, many with dual-band STAs that support both the 2.4 GHz and 5 GHz bands. However, 802.11b/g is more widespread than 802.11a, so most dual-band STAs end up on the 2.4 GHz band, leaving it crowded while the 5 GHz band goes unused. The 5 GHz band actually has the higher access capacity: the 2.4 GHz band offers at most three non-overlapping channels, whereas the 5 GHz band offers more, five in China and up to 24 in North America.
Band Select uses technical means to guide dual-band STAs onto the 5 GHz band, which has the higher access capacity, so as to relieve the 2.4 GHz band and improve the user experience.
Features
An STA first sends probe request frames (broadcast) on every channel of every band it supports. The probe request carries information such as the rates the STA supports. Each AP providing WLAN access that receives the probe request answers with a probe response describing the WLAN it provides. The STA aggregates the responses it receives and presents the user with a list of accessible WLANs to choose from.
The following figure shows an STA discovering the accessible WLANs provided by a dual-band AP. When the process finishes, the STA has detected two BSSIDs on two bands belonging to the same WLAN, but the user cannot tell them apart because their SSIDs are identical. If the user selects this WLAN, the choice of band depends on the STA's wireless driver and is outside the control of both the user and the AP.
How do you determine whether a network card supports both bands? The description of a wireless network card usually carries letters such as a, b, g and n, indicating the 802.11 protocol types it supports. 802.11a operates in the 5 GHz band; 802.11b/g operate in the 2.4 GHz band; 802.11n can operate in either band. Therefore, if the description contains a together with b or g, the card supports both bands.
Working Principles
The principle of Band Select is to change the AP's behaviour while STAs discover the WLAN, so as to guide them onto the 5 GHz band. As shown in the figure below, compared with Figure 1 "The Process of a Dual-band STA Detecting the WLAN", no probe response is sent on the 2.4 GHz band.
To steer a dual-band STA, the AP must first identify whether the STA is dual-band:
If the STA's probe requests are received on both the 2.4 GHz and 5 GHz bands, it is a dual-band STA;
If the STA's probe requests are received only on the 2.4 GHz band, it is a single-band 2.4 GHz STA;
If the STA's probe requests are received only on the 5 GHz band, it is a single-band 5 GHz STA.
Recognising a single-band STA therefore takes longer, because the AP has to wait long enough to confirm that no probe request arrives on the other band.
The STA information recognised by the AP must be stored, because it is the basis for the subsequent response strategy. Probe requests are broadcast, so an AP generally receives a large number of them, and storing all of them is unnecessary: some STAs are so far away that they could never associate with this AP. Band Select therefore stores information only about STAs that could associate, selected by their RSSI (Received Signal Strength Indication); the threshold is configurable, see "Configuring the acceptable lower limit of STA RSSI".
Single-band 2.4 GHz STA: delayed response. The AP responds only after receiving more than one probe request from the STA, so the STA's access is still guaranteed;
Single-band 5 GHz STA: normal response, normal access;
Dual-band STA: the AP does not respond to its probe requests on the 2.4 GHz band but does respond on the 5 GHz band, guiding the STA to the WLAN on the 5 GHz band.
Once recognised, STAs fall into two categories for Band Select: single-band 2.4 GHz STAs become "suppressed STAs", and dual-band STAs are called "dual-band STAs"; Band Select has no need to distinguish single-band 5 GHz STAs from dual-band STAs, so they are put in the same category.
The information about both categories of recognised STAs must be stored, but a user may switch the STA's band manually, and the stored information then becomes out of date. Therefore all of this information must be aged.
The introduction of distinguishing services of Band Select can guide dual-band users to use the 5 G band with higher
access capacity, thereby, increasing the service quality of the entire WLAN.
The Band Select can only work on dual-band APs; it is meaningless to use it on single-band APs.
Because the AP does not respond to probe requests on the 2.4 GHz band before it has recognised an STA, a single-band 2.4 GHz STA cannot detect the WLAN until recognition completes. Recognition takes 20 seconds, so a single-band 2.4 GHz STA may not detect the accessible WLAN for up to 20 seconds. Assuming that refreshing a WLAN list takes 7 seconds, in the worst case the user of a single-band 2.4 GHz STA does not see the WLAN until the third refresh; usually, a user who does not see it on the first refresh sees it on the second.
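The recognition, steering and aging logic above, together with the acceptable-rssi, probe-count and age-out parameters described in this chapter, as an added example that is not Ruijie code. For each probe request the AP hears it decides whether to send a probe response: always on 5 GHz, never on 2.4 GHz for unrecognised or dual-band STAs, and only after `probe_count` requests on 2.4 GHz for a suppressed STA. STAs below the acceptable RSSI are not tracked and are handled like unrecognised STAs. The 20 second recognition wait and the defaults probe-count 2, dual-band aging 60 s and suppression aging 20 s are the values the guide gives; the -70 dBm RSSI lower limit and the choice to age an entry from the moment it was classified (so that the STA is re-identified afterwards, as the monitoring counters describe) are assumptions.

```python
"""Band Select STA recognition, steering and aging.

Added illustration, not Ruijie code, of the behaviour described in the guide.
For every probe request the AP hears it returns whether a probe response should
be sent.  The 20 s recognition wait and the defaults (probe-count 2, dual-band
aging 60 s, suppression aging 20 s) are the guide's values; the -70 dBm RSSI
lower limit and aging from the time of classification are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

RECOGNITION_WAIT = 20.0    # seconds heard only on 2.4 GHz before a STA is declared single-band


@dataclass
class BandSelectConfig:
    acceptable_rssi: int = -70     # dBm; guide allows -100..-50, value assumed
    probe_count: int = 2           # 2.4 GHz probes ignored before answering a suppressed STA
    age_dual_band: float = 60.0    # seconds a dual-band entry lives before re-identification
    age_suppression: float = 20.0  # seconds a suppressed entry lives


@dataclass
class StaEntry:
    first_seen: float
    bands: set = field(default_factory=set)
    probes_24: int = 0
    category: str = "unknown"            # unknown -> dual-band | suppressed
    classified_at: Optional[float] = None


class BandSelect:
    def __init__(self, cfg=None):
        self.cfg = cfg or BandSelectConfig()
        self.stas = {}

    def age_out(self, now):
        """Expire entries so that a STA whose user switched bands is re-identified."""
        for mac, st in list(self.stas.items()):
            lifetime = (self.cfg.age_suppression if st.category == "suppressed"
                        else self.cfg.age_dual_band)
            since = st.classified_at if st.classified_at is not None else st.first_seen
            if now - since > lifetime:
                del self.stas[mac]

    def on_probe_request(self, mac, band, rssi, now):
        """band is '2.4G' or '5G'.  True if the AP should send a probe response."""
        self.age_out(now)
        if rssi < self.cfg.acceptable_rssi:
            # too weak to associate: not tracked, handled like an unrecognised STA
            return band == "5G"
        st = self.stas.setdefault(mac, StaEntry(first_seen=now))
        st.bands.add(band)
        if "5G" in st.bands:
            if st.category != "dual-band":                # 5 GHz-capable: serve it on 5 GHz
                st.category, st.classified_at = "dual-band", now
        elif st.category == "unknown" and now - st.first_seen >= RECOGNITION_WAIT:
            st.category, st.classified_at = "suppressed", now   # heard only on 2.4 GHz
        if band == "5G":
            return True                                   # normal response on 5 GHz
        if st.category == "suppressed":
            st.probes_24 += 1                             # answer after probe_count requests
            return st.probes_24 >= self.cfg.probe_count
        return False                                      # unknown or dual-band: silent on 2.4 GHz


if __name__ == "__main__":
    bs = BandSelect()
    # constructed probe sequence: (mac, band, rssi dBm, seconds)
    for mac, band, rssi, t in [("aa", "2.4G", -60, 0.0), ("aa", "5G", -60, 0.1), ("aa", "2.4G", -60, 1.0),
                               ("bb", "2.4G", -65, 0.0), ("bb", "2.4G", -65, 20.0), ("bb", "2.4G", -65, 21.0),
                               ("cc", "2.4G", -90, 21.0), ("aa", "2.4G", -60, 61.0)]:
        answered = bs.on_probe_request(mac, band, rssi, t)
        cat = bs.stas[mac].category if mac in bs.stas else "not tracked"
        print(f"t={t:5.1f} {mac} {band:4s} {rssi} dBm -> respond={answered!s:5s} ({cat})")
```

The sequence shows the trade-off the section describes: the dual-band STA "aa" is answ
ered on 5 GHz immediately and never on 2.4 GHz, whereas the single-band STA "bb" gets no answer for 20 seconds and then only on its second 2.4 GHz probe, and at 61 seconds "aa" has aged out and is treated as unknown again until it probes on 5 GHz once more.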
None.
Default Configuration
The default configuration of the Band Select is described in the chart below.
Configuration
Commands Function
This function is disabled by default. Enabling Band Select (spectrum navigation) requires that:
If the scenario cannot meet the above requirements, it is recommended not to enable Band Select.
If a WLAN with Band Select enabled is mapped to a single-band 2.4 GHz AP, the dual-band STAs within that AP's coverage cannot be steered to the 5 GHz band.
Configuration Example:
Ruijie(config)# band-select acceptable-rssi value    Configures the acceptable lower limit of STA RSSI. value is the lower limit in dBm, in the range -100 to -50.
Configuration Example:
The following example sets the acceptable lower limit of STA RSSI to -70 dBm.
Information about STAs whose RSSI is below this threshold is not saved. For how the AP treats these STAs, see "AP behaviours after adding the Band Select function", behaviours before recognising STAs.
Ruijie(config)# band-select probe-count value    Configures the probe count for suppressed STAs. value is in the range 1 to 10.
Ruijie(config)# no band-select probe-count    Restores the default value of 2.
The probe count for suppressed STAs applies only on the 2.4 GHz band. If it is set to n, the AP does not respond until it has received n probe requests from the same STA, which "suppresses" the STA's detection of the WLAN.
Configuration Example:
The following example configures the probe count of the suppression STA as 5.
Commands Function
The value n means that the AP does not respond until it has received n consecutive link authentication requests from a dual-band STA on the 2.4 GHz band.
This parameter can increase the proportion of STAs steered to the higher band, but it may make it difficult for some dual-band STAs to connect.
Ruijie(config)# band-select scan-cycle period    Configures the cycle of the STA information aging scan. period is the cycle in milliseconds, in the range 1 to 1000.
Ruijie(config)# no band-select scan-cycle    Restores the default value of 500.
The cycle of the STA information aging scan specifies how often stored STA information is checked to decide whether it should be aged out. The two aging times below are the criteria for deciding whether the information about an STA should be aged out.
The smaller this value, the more frequently STA information is scanned and the more promptly it is aged, but the more system resources the scan consumes. When the network is busy, configure a larger value to reduce the load on the system.
Configuration Example:
The following example configures the cycle of the STA information aging scan as 400 milliseconds.
Commands Function
Ruijie(config)# band-select age-out { dual-band value | suppression value }    Configures the aging cycle of STA information.
    dual-band value: the aging cycle of dual-band STA information, in seconds, in the range 20 to 120.
    suppression value: the aging cycle of suppressed STA information, in seconds, in the range 10 to 60.
The default aging cycle of dual-band STA information is 60 seconds. The default aging cycle of suppressed STA information is 20 seconds.
The longer dual-band STA information lives, the less sensitive the AP is to STAs switching bands. If users' network cards often switch between the 2.4 GHz and 5 GHz bands, configure a smaller value; otherwise, a larger value can be used.
It is recommended to configure the aging cycle of dual-band STA information at two to three times that of suppressed STAs.
Configuration Example:
The following example sets the aging cycle of dual-band STA information to 120 seconds.
The following example sets the aging cycle of suppressed STA information to 60 seconds.
Monitoring
Commands Function
Configuration Example:
The following example displays the Band Select configuration and the statistics.
dual-band client is the current number of dual-band STAs; dual-band client added is the cumulative number of dual-band STAs recognised since the AP started (an STA that is re-identified after aging is counted again); dual-band client expired is the cumulative number of dual-band STA entries aged out since the AP started (also counted each time).
The suppressed client counters are defined in the same way as the dual-band client counters.
Configuration Examples
Network Requirements
If the AP is a dual-band AP, its two radios work on the 2.4 GHz and 5 GHz bands respectively;
Networking Topology
Configuration Steps
Verification
Configuring Smartant
The smart antenna function is supported only on AP320-I, AP330-I or AP630-H V1.0 & AP520-I at present.
Overview
Antennas are passive devices that fall into the categories of omni-directional antennas and directional antennas according
to the radiation lobe. An omni-directional antenna covers a broad area over a relatively short distance, while a directional
antenna covers limited areas over a long distance. To cover all directions over a long distance, the smartant (SA) is
introduced.
The following section analyzes the disadvantages of omni-directional antennas and directional antennas.
As shown in Figure 1-1, although an omni-directional antenna covers both clients, the AP exchanges packets with only one of them at a time. While the AP is providing effective coverage for Client A, the rest of the radiated signal is ineffective and wasted. If that wasted energy were directed into the effective coverage area, the signal strength and transmission bandwidth would increase.
As shown in Figure 1-2, although a directional antenna focuses the energy so that the signal strength within its coverage area is higher, its coverage angle is small and many areas receive no signal. If the energy could be redirected to other clients while Client A is idle, coverage effectiveness and user access capacity would increase greatly.
When the AP is communicating with a client, smart antennas can automatically modulate as directional antennas and
focus the energy beam on the client. The client will obtain stronger signals and other clients will not be disturbed.
Smartants are invented to achieve this effect.
Technically, an SA directs its coverage to the intended area through beam switching or an adaptive array.
A beam switching antenna consists of multiple narrow-beam antennas. Each has a small beam angle, hence a large gain and long range. Only one narrow-beam antenna serves a given user at a time; when the user changes or moves, the smartant system disables the previous narrow-beam antenna and enables the one pointing in the right direction. The number of selectable directions equals the number of narrow-beam antennas, so the available angles and their precision are limited by the hardware design. The beam switching antenna nevertheless has engineering advantages: a multi-beam SA is relatively easy to configure, and when digital signal processors (DSPs) are not fast enough for adaptive calculation it offers good performance for its cost, so multi-beam SAs are used in some projects.
In an adaptive array, multiple antennas form an array and different combinations of antennas produce different radiation lobes. These virtual antennas of various directions, angles and gains adapt to different working environments and user locations and avoid unnecessary interference. An adaptive array antenna analyses the working environment and senses the location of users; the internal chip calculates the optimal antenna combination to meet the coverage requirement. Through different antenna combinations and radiation lobes, wireless access devices adapt easily to all kinds of indoor environments and enlarge the coverage area, stabilising the network.
Smartant Characteristics
Obstacles in the transmission path attenuate wireless signals. Signals meeting an obstacle are reflected or refracted, which changes the signal phase. Attenuation varies with the type of obstacle, as shown in Table 1-1. The major obstacles in dormitories are concrete walls and wooden walls. The coverage distance of an indoor AP is 50 meters, which falls to 5 meters when the signal passes through a concrete wall and to 15 meters when it passes through a wooden wall.
SA research focuses on how to bypass obstacles or take advantage of reflection off their surfaces. An SA narrows the beam so that the signal is more concentrated; see the following figure. Traditional APs do not analyse direction and cover the surrounding area with equal signal in all directions, so the signal is attenuated by 20-30 dB when it passes through load-bearing walls. Smartant APs instead find the transmission path with the least attenuation, so that at the same transmit power and location their signals are 20-30 dB stronger than those of traditional APs. The performance difference can be several-fold or more.
Working Principle
APs sample downlink packets to find the optimal transmission path, avoiding interference and obstacles.
Protocol Specification
N/A
Default Configuration
Configuration
Enabling Smartant
Command Function
Configuration Examples
Networking Requirements
The RG-AP320 and AP330 support the smartant function.
Networking Topology
Figure 1 Smartant Networking Topology
Configuration Steps
# Enable the smartant function.
Verification
AC5302_7#sh ap-config running
!
ap-config ap320
smartant enable radio 1
long-retries 3 radio 1
long-retries 3 radio 2
short-retries 6 radio 1
short-retries 6 radio 2
rts-retry 2 radio 1
rts-retry 2 radio 2
Configuration Guide Configuring Spectral Analysis
The FSS function is supported only on the following AP products: AP120-W, AP220-E(P), AP220-E(C) V4.0, AP3220
V1.00, AP220-SH V1.0, AP220-SH V1.1, AP330-I V1.00, AP330 V1.1 & AP630-H V1.0 & AP520-I.
Overview
A spectrum analyzer (SA) analyses and studies signals in the frequency domain and is indispensable for signal analysis. SAs are widely used, for example to characterise communication transmitters, measure interference, monitor spectrum occupancy and analyse device characteristics. Different industries and departments focus on different applications. For example, a cable TV signal contains many image and sound signals with a complicated frequency-domain distribution, and satellite monitoring handles many channels, each occupying a frequency range and each frequency point occupying some bandwidth. The required parameters of all these signals are obtained with an SA.
WLANs work mainly in the unlicensed 2.4 GHz and 5 GHz bands, which anyone may use. At present most interference sources, such as Bluetooth devices, microwave ovens, cordless phones and wireless mice, work in the 2.4 GHz band. Dedicated wireless networks need a stable and reliable physical link as the basis for data transmission, but Wi-Fi can hardly guarantee one, since it shares the 2.4 GHz and 5 GHz bands with these potential interferers. When an 802.11 client or AP meets an interference source during transmission, data is lost and Wi-Fi retransmits it, degrading network performance and the experience of every client sharing the same AP. Sometimes a WLAN fault is caused by an RF interference source that does not emit valid 802.11a/b/g signals at all; the most common are microwave ovens, cordless phones and Bluetooth devices. It is therefore important to analyse RF signals, and the spectrum analyzer is an effective tool for detecting them.
Features
Signals are commonly divided into broadband and narrowband. No document or organisation defines the two rigorously; they are generally understood as relative concepts, a signal that does not meet the narrowband condition being broadband. Several definitions of narrowband exist; in general, a narrowband signal is one whose bandwidth is very small compared with its carrier frequency.
Most interference signals, such as those from microwave ovens, Bluetooth devices and cordless phones, are narrowband compared with WLAN signals. Therefore the interference source can be identified through narrowband signal analysis.
Working Principle
Ruijie wireless access points (APs) contain the basic hardware of a mini spectrum analyzer covering the 2.4 GHz and 5 GHz frequency ranges of 802.11a/b/g.
The wireless transceiver in the AP detects RF signals and passes the samples to the spectrum analysis engine. The engine performs a Fast Fourier Transform (FFT) and sends spectral information, including basic data such as the power and pulse-related information of the RF spectrum, to the controller. The controller formats the received data and sends it to the classification engine, which identifies interference signals by analysing specific features and displays them on the terminal.
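The FFT-then-classify step above, as an added example that is not Ruijie code: a sampled window is transformed to a power spectrum with a plain DFT, the occupied bandwidth is estimated as the number of bins within 6 dB of the peak, and the signal is called narrowband if that is three bins or fewer. The two test signals are constructed: a single continuous-wave tone standing in for a cordless-phone-like interferer and a block of 20 adjacent tones standing in for a wideband WLAN transmission. The 128-sample window, the 6 dB criterion and the 3-bin limit are the editor's choices; the product's classification engine also uses pulse-related information, which this example does not model.

```python
"""Narrowband-versus-broadband classification of a sampled RF signal.

Added illustration, not Ruijie code, of the FFT-then-classify pipeline in the
guide.  A pure-Python DFT keeps it dependency-free; the test signals are
constructed.  The 128-sample window, the 6 dB occupied-bandwidth criterion
and the 3-bin narrowband limit are the editor's choices.
"""
import cmath
import math

N = 128               # samples per analysis window (a power of two, as an FFT would use)


def power_spectrum(samples):
    """Power per frequency bin 0..N/2 via a direct DFT (O(N^2), fine for N=128)."""
    n = len(samples)
    spec = []
    for k in range(n // 2 + 1):
        acc = 0j
        for t, x in enumerate(samples):
            acc += x * cmath.exp(-2j * math.pi * k * t / n)
        spec.append(abs(acc) ** 2 / n)
    return spec


def occupied_bandwidth(spec, rel_db=6.0):
    """Number of bins whose power is within rel_db of the peak: a bandwidth estimate."""
    peak = max(spec)
    if peak <= 0.0:
        return 0
    floor = peak / 10 ** (rel_db / 10)
    return sum(1 for p in spec if p >= floor)


def classify(samples, narrow_max_bins=3):
    """Return ('narrowband' | 'broadband' | 'idle', occupied_bins, peak_bin)."""
    spec = power_spectrum(samples)
    bw = occupied_bandwidth(spec)
    peak_bin = max(range(len(spec)), key=spec.__getitem__)
    if bw == 0:
        return "idle", 0, peak_bin
    return ("narrowband" if bw <= narrow_max_bins else "broadband"), bw, peak_bin


# Constructed signals: a CW tone in bin 17, 20 equal-power tones in bins 30..49, and silence.
CW_TONE = [math.cos(2 * math.pi * 17 * t / N) for t in range(N)]
WIDEBAND = [sum(math.cos(2 * math.pi * k * t / N + 0.37 * k) for k in range(30, 50))
            for t in range(N)]
SILENCE = [0.0] * N

if __name__ == "__main__":
    for name, sig in (("cw", CW_TONE), ("wideband", WIDEBAND), ("silence", SILENCE)):
        kind, bins, peak = classify(sig)
        print(f"{name:9s} {kind:11s} occupied_bins={bins:2d} peak_bin={peak}")
```

The CW tone lands in a single bin and is classified narrowband, the 20-tone block occupies 20 bins and is classified broadband, and an empty window reports idle rather than a spurious peak; a real engine would further match the narrowband hits against pulse timing to tell a cordless phone from a microwave oven.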
Protocol Specification
N/A
Default Configuration
SA Configuration
Enabling SA
Use this command to enable the spectral analysis (SA) function on the AP. Use the no form of this command to restore the default setting.
Command Function
Ruijie# config terminal    Enters global configuration mode.
Ruijie(config)# spectral enable    Enables spectral analysis on the AP.
Configuration Example:
Enable SA.
Ruijie(config)# [ no ] spectral stability cwa num    Configures the recognition accuracy for continuous waves, in the range 4 to 10. The default is 8.
Ruijie(config)# [ no ] spectral stability mwo num    Configures the recognition accuracy for microwave ovens, in the range 1 to 5. The default is 1.
Configuration Example:
Command Function
Ruijie# config terminal    Enters global configuration mode.
Ruijie(config)# [ no ] spectral period num    Configures the scanning cycle, in the range 1 to 100. The default value is 5 microseconds.
Configuration Example:
Configuration Examples
Networking Requirements
Networking Topology
Configuration Steps
# Enable SA.
Verification
The WLAN location function is not supported on AP110-W or AP120-W because of memory.
Overview
The WiFi-based standard solution adopts hardware based on the 802.11a/b/g standards. With no need for additional hardware, enterprises can install the system rapidly, reducing initial costs and long-term support costs. A WiFi-based location system also reduces the possibility of Radio Frequency (RF) interference: because the WiFi location system shares the network with other users, no separate wireless network has to be installed for it. Ruijie integrated wireless location is a technology that uses WiFi-based Radio Frequency Identification (RFID) and devices such as the transducer and the mobile unit (MU) to locate, track and monitor the position of the specified target. The AP sends the collected Tag or MU information to the location server for calculation. The location server sends the calculated location information to the graphics software, from which users can view location information visually in many forms such as maps, tables and reports.
Features
The location system is divided into three parts: the device or source to be located, the device receiving location information, and the location system.
The device or source to be located: It can be an AE-produced Tag (a portable RFID tag usually fixed to or pasted on the object to be located) or an MU, that is, any wireless terminal or device compliant with 802.11 technologies. These devices share one feature: they periodically send wireless signals to their surroundings.
The device receiving location information: Ruijie uses an AP with standard 802.11 technology or the AE-produced Tag exciter (a device that triggers the Tag to send specified wireless signals and which does not itself collect location information).
The location system: Includes the location server, the AE calculation software and various graphics software.
Working Principle
TDOA location technology: Suppose the location system has two base stations (BSs) at known positions (known through a built-in GPS module or another specialized system) whose clocks are synchronized (GPS clocks or other high-precision clocks), and let L be the distance between the two BSs. When the BSs receive radio signals from the same MU and are not equally far from it, the radio waves do not arrive at the two BSs at the same time, so the time difference of arrival can be measured. Because the radio wave propagates at a known speed (the speed of light), the time difference gives the distance difference D between the MU and the two BSs. With D known, the MU must lie on the hyperbola that has the two BSs as foci and L/D as its eccentricity. If a third BS can also receive the MU's signal, a second hyperbola is obtained. The intersection of the two hyperbolas in Figure 1-1 is the two-dimensional position of the MU. This technology is hyperbolic location based on time difference.
Configuration Guide Configuring WLAN Location
Figure 1-1
Triangulation location technology using received signal strength indication (RSSI): The basic principle is to estimate d, the distance from the MU to a BS, from the RSSI and the propagation model of the wireless channel between them. For BS (i), the MU must lie on the circle with BS (i) as the center and d as the radius, so the MU position can be determined by using three or more BSs for distance calculation. The multipath effect in wireless signal transmission and the shadow effect produced by signals passing through barriers are the main causes of location error. In open space with no barriers, location precision can be ensured. In most environments, however, location precision is greatly affected by the multipath effect and by uncertain factors caused by various barriers, such as attenuation and scattering.
Figure 1-2
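The two principles above, TDOA hyperbolic location and RSSI trilateration, worked through in Python as an added example (not Ruijie's or AE's software): the base-station positions, the MU position, the path-loss model parameters and all measurements are constructed, and one Gauss-Newton solver serves both methods, including the shadow-effect case the text names as a source of error.

```python
"""TDOA hyperbolic location and RSSI trilateration, solved with one small
Gauss-Newton least-squares iteration.

Added example, not Ruijie's location server: the base-station (BS)
positions, the true MU position, the path-loss parameters and every
measurement below are constructed."""
import math

C_M_PER_US = 299.792458                         # speed of light, m per microsecond
BS = [(0.0, 0.0), (50.0, 0.0), (0.0, 40.0)]     # constructed BS positions (m)
TRUE_MU = (18.0, 12.0)                          # constructed ground truth (m)


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def gauss_newton(residuals, x0, iters=30, h=1e-4):
    """Find the 2-D point minimising sum(r_i(x)^2) for a residual vector r(x).
    The Jacobian is taken by central differences and the 2x2 normal equations
    (J^T J) dx = -J^T r are solved in closed form."""
    x = list(x0)
    for _ in range(iters):
        r = residuals(x)
        cols = []
        for j in range(2):
            xp, xm = list(x), list(x)
            xp[j] += h
            xm[j] -= h
            cols.append([(a - b) / (2 * h)
                         for a, b in zip(residuals(xp), residuals(xm))])
        a = sum(v * v for v in cols[0])
        b = sum(u * v for u, v in zip(cols[0], cols[1]))
        d = sum(v * v for v in cols[1])
        g0 = sum(u * v for u, v in zip(cols[0], r))
        g1 = sum(u * v for u, v in zip(cols[1], r))
        det = a * d - b * b
        if abs(det) < 1e-12:
            break                               # degenerate geometry, stop early
        dx0 = -(d * g0 - b * g1) / det
        dx1 = -(a * g1 - b * g0) / det
        x[0] += dx0
        x[1] += dx1
        if math.hypot(dx0, dx1) < 1e-9:
            break
    return (x[0], x[1])


def tdoa_locate(arrival_us, x0=(25.0, 20.0)):
    """Hyperbolic location: each pair (BS0, BSi) gives a range difference
    D = c * dt, i.e. a hyperbola with the two BSs as foci.  Three BSs give two
    hyperbolas whose intersection is the MU.  The MU's unknown transmit time
    cancels in the differences."""
    def residuals(x):
        return [(dist(x, BS[i]) - dist(x, BS[0]))
                - C_M_PER_US * (arrival_us[i] - arrival_us[0])
                for i in range(1, len(BS))]
    return gauss_newton(residuals, x0)


def rssi_to_distance(rssi_dbm, p0_dbm=-40.0, n=2.0):
    """Log-distance path-loss model RSSI = P0 - 10*n*log10(d / 1 m).
    P0 (power at 1 m) and exponent n are constructed; real sites calibrate them."""
    return 10 ** ((p0_dbm - rssi_dbm) / (10 * n))


def rssi_locate(rssi_dbm, x0=(25.0, 20.0)):
    """Trilateration: the MU lies on the circle of radius d_i around BS i,
    so the residual for BS i is |x - BS_i| - d_i."""
    radii = [rssi_to_distance(r) for r in rssi_dbm]

    def residuals(x):
        return [dist(x, BS[i]) - radii[i] for i in range(len(BS))]
    return gauss_newton(residuals, x0)


def simulate_arrivals(mu, send_time_us=0.0):
    """Constructed TDOA input: time of flight from `mu` to every BS."""
    return [send_time_us + dist(mu, bs) / C_M_PER_US for bs in BS]


def simulate_rssi(mu, p0_dbm=-40.0, n=2.0, shadow_db=()):
    """Constructed RSSI input; shadow_db[i] adds barrier loss on link i
    (the shadow effect the text names as a main source of location error)."""
    return [p0_dbm - 10 * n * math.log10(dist(mu, bs))
            - (shadow_db[i] if i < len(shadow_db) else 0.0)
            for i, bs in enumerate(BS)]


if __name__ == "__main__":
    print("TDOA fix          :", tdoa_locate(simulate_arrivals(TRUE_MU, 3.7)))
    print("RSSI fix          :", rssi_locate(simulate_rssi(TRUE_MU)))
    print("RSSI, 6 dB shadow :",
          rssi_locate(simulate_rssi(TRUE_MU, shadow_db=(0, 6, 0))))
```

With a 6 dB barrier loss on one link the RSSI fix moves metres away from the true position while the TDOA fix is unaffected, which is the error mechanism the paragraph describes.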
Default Specification
Configuration
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation ae-ip ip-address
    Configures the IP address of the AE server connected with the specified AP.
    ip-address: The IP address of the AE server.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation ae-port port
    Configures the port of the AE server connected with the specified AP.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation compound enable
    Enables aggregate transmission of wireless location information on the specified AP.
Configuration Example:
Enabling MU Location
Use this command to enable Mobile Unit (MU) wireless location on the specified AP. Use the no form of this command to
restore the default setting.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation mu enable
    Enables MU location on the specified AP.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation tag enable
    Enables Tag location on the specified AP.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation send-mu-time interval
    Configures the frequency at which MU wireless location information is sent on the specified AP. The default value is 300 ms.
    interval: Packet sending interval in the range from 100 to 5000, in milliseconds.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation send-tag-time interval
    Configures the frequency at which TAG wireless location information is sent on the specified AP. The default value is 300 ms.
    interval: Packet sending interval in the range from 100 to 5000, in milliseconds.
Configuration Example:
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation mu report enable
    Enables the specified AP to send the MU location report directly.
The function is disabled by default. It allows the MU location report to pass through the NAT network without the three-way
handshake.
The following example enables the AP to send the MU location report directly.
The following example disables the AP from sending the MU location report directly.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation tag report enable
    Enables the specified AP to send the TAG location report directly.
This function is disabled by default. It allows the TAG location report to pass through the NAT network without the
three-way handshake.
The following example enables the AP to send the TAG location report directly.
The following example disables the AP from sending the TAG location report directly.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation mu report reduce enable
    Enables the AP to send reduced MU location packets.
This function is disabled by default. If the network is enabled with the wireless location function and the location server is a
Ruijie device, you can use this command to decrease the bandwidth.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlocation
    Enters Wlocation configuration mode on the fat AP.
Ruijie(config-wlocation)# wlocation ignore beacon enable
    Enables the AP to ignore beacon packets.
This function is disabled by default. Use this command to decrease the bandwidth consumed by beacon packets.
Configuration Examples
Networking Requirements
Networking Topology
Configuration Steps
Verification
Configuration Guide Configuring Wireless LAN Security
Wireless LAN (WLAN) security is a broad concept. This document focuses on WLAN security based on 802.11 Wired Equivalent Privacy (WEP) and on the 802.11i standard.
Overview
WLAN security is an important component of a WLAN system. A wireless network uses the open medium of electromagnetic waves as the carrier for data signals, and there is no cable connection between the two ends of the communication. If the transmission link is not properly encrypted, the risk to the transmitted data increases considerably. Therefore, wireless security is especially important in a WLAN.
To enhance the security of a wireless network, at least two security mechanisms shall be provided: authentication and encryption.
Authentication mechanism: The authentication mechanism verifies user identity, so that network resources can only be used by restricted (authorized) users.
Encryption mechanism: The encryption mechanism encrypts the data transmitted on the wireless link, so that such data can only be received and understood by the intended users.
Basic Concepts
802.11i: The new-generation WLAN security standard, an amendment to the original IEEE 802.11 that enhances its weak encryption. 802.11i proposes the concept of the Robust Security Network (RSN), enhances the data encryption and authentication of WLAN, and makes various improvements to the defects of the WEP encryption mechanism. The authentication scheme suggested in the 802.11i standard is based on the 802.1X framework and the Extensible Authentication Protocol (EAP). The AES encryption algorithm is used for encryption.
RC4: In the field of cryptography, RC4 is the most widely applied stream encryption algorithm. It is a symmetric algorithm.
IV: Initialization Vector, the public keying material carried in the encryption header.
EAPOL-KEY (EAP over LAN key): AP and STA carry out the handshake via EAPOL-Key frames.
PMK (Pairwise Master Key): The ultimate source of all cipher key data between the Supplicant and the Authenticator. It can be dynamically generated upon negotiation between the supplicant and the authentication server, or be directly provided by the pre-shared key (PSK).
PTK (Pairwise Transient Key): The key derived from the Pairwise Master Key (PMK), used for encryption and integrity verification.
GMK (Group Master Key): The key used by an authenticator to derive the group transient key (GTK), usually a random value generated by the authenticator.
GTK (Group Transient Key): Derived from the group master key (GMK) through a cryptographic hash algorithm, and used to protect broadcast and multicast data.
MIC (message integrity code): A hash value calculated over a set of protected data to guard against tampering.
Link Authentication
Link authentication refers to 802.11 authentication, a low-level authentication mechanism. It takes place before access authentication, when the STA and AP associate via 802.11. Before attempting to connect to the network, the STA must pass 802.11 authentication, which can be considered the starting point of the handshake process before the STA can be connected to the network, as well as the first step of network connection.
Open System Authentication allows any user to access the wireless network. In this sense, no data protection is actually provided (there is no real authentication): if the authentication type is set to open system authentication, all STAs requesting authentication will pass it.
Step 1: The STA requests authentication by sending an authentication request, which contains the STA ID (typically the MAC address).
Step 2: The AP sends an authentication response containing a success or failure message. If the authentication result indicates "success", then the STA and AP will carry out two-way authentication.
Shared key authentication is the other authentication mechanism besides open system authentication. The STA and AP need to be configured with the same shared key. The process of shared key authentication is detailed below:
Step 2: The AP randomly generates a Challenge packet (a character string) and sends it to the STA;
Step 3: The STA copies the received character string into a new message, encrypts it with the key and sends it to the AP;
Step 4: Upon receipt of this message, the AP decrypts it with the key and compares the decrypted character string with the one it sent to the STA. If they are the same, the STA owns the same shared key as the wireless device and shared key authentication succeeds. Otherwise, shared key authentication fails.
Access Authentication
Access authentication is an enhanced WLAN security solution. When a STA is associated with an AP, the availability of the AP service depends on the result of access authentication. If authentication succeeds, the wireless AP opens the logical port for the STA. Otherwise, the user is not allowed to access the network.
PSK (Pre-shared key) is a kind of 802.11i authentication that uses a preconfigured static key. In PSK authentication, the same pre-shared key must be configured on both the wireless user and the wireless access device. If the keys are the same, PSK access authentication succeeds; if they differ, PSK access authentication fails.
IEEE 802.1X is a port-based network access control protocol. This authentication method implements authentication and control of user devices at the port level of the WLAN access device. If the user device connected to the interface passes authentication, it can access WLAN resources; otherwise, it cannot.
A wireless network with 802.1X authentication must have the following three elements to complete port-based access control, user authentication and authorization:
Supplicant
Generally installed on the user's workstation. When the user needs to connect to the network, this client-side software is activated. After the required user name and password are entered, the client-side software sends out the access request.
Authenticator
The wireless AP, or a communication device acting as the wireless AP, in the wireless network. Its primary function is to relay user authentication information in both directions, and to open or close the port according to the authentication result.
Authentication server
It checks the identification information (user name and password) sent from the client side to verify whether the user is entitled to use the services provided by the network system, and instructs the authentication system to open or close the port according to the authentication result.
Wireless Encryption
Compared with wired network, the wireless network is exposed to greater data security risks. Since all WLAN devices
share the same transmission medium in the area, any device can receive the data sent to all other devices. This feature is
a direct threat to the security of WLAN access data. IEEE 802.11 provides three kinds of encryption algorithms: Wired
Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES-CCMP).
WEP encryption
TKIP encryption
AES-CCMP encryption
WEP Encryption
WEP (Wired Equivalent Privacy) is the designated data encryption method applied in the former IEEE 802.11 standard.
As the basis of WLAN security authentication and encryption, it is used to protect the privacy of data exchanged by
authorized users in WLAN and avoid data interception.
WEP uses the RC4 algorithm to protect data privacy and implements authentication via the shared key. Without specifying a key management scheme, WEP generally configures and maintains the key manually. WEP without key distribution is called manual WEP or static WEP.
A WEP encryption key generally has 64 bits or 128 bits. Since the 24-bit IV (Initialization Vector) is generated by the system, the shared key to be configured on the AP and STA is only 40 bits or 104 bits. In practice, WEP with a 104-bit key has widely replaced WEP with a 40-bit key, and it is also called WEP-104. Although WEP-104 enhances the security of WEP encryption to a certain extent, due to the limitations of the RC4 encryption algorithm and the statically configured key, WEP encryption is exposed to greater security risks and is unable to guarantee data privacy and integrity or to authenticate access users.
TKIP Encryption
TKIP (Temporal Key Integrity Protocol) was an interim solution developed by the IEEE 802.11 association to fix the encryption mechanism of WEP. Like WEP, it uses the RC4 algorithm, but it provides better protection for WLAN service than WEP, as detailed below:
1) The key of static WEP is manually configured, and all users in one service area share the same key. The key of TKIP is dynamically generated, and each transmitted data packet uses a different key.
2) TKIP extends the key length from the 40 bits of WEP to 128 bits and the Initialization Vector (IV) length from 24 bits to 48 bits, greatly enhancing the security of WEP encryption.
3) TKIP supports MIC (Message Integrity Check) authentication and is capable of defending against replay attacks.
AES-CCMP Encryption
AES-CCMP (Counter mode with CBC-MAC Protocol) is by now the most advanced wireless security protocol.
IEEE 802.11i requires the use of CCMP to provide all four security services: authentication, confidentiality, integrity, and
replay protection. CCMP utilizes the 128-bit AES (Advanced Encryption Standard) encryption algorithm for confidentiality
and CBC-MAC (Cipher Block Chaining Message Authentication Code) to guarantee data integrity and authentication.
As a brand-new advanced encryption standard, AES encryption algorithm adopts symmetric block encryption technique to
provide higher encryption performance than the RC4 algorithm applied in WEP/TKIP. Upon the final approval of IEEE
802.11i, it has become a new-generation encryption technique replacing WEP, offering better security protection for the
wireless network.
WPA (Wi-Fi Protected Access) is a WLAN security technique developed by the Wi-Fi Alliance on the basis of the IEEE 802.11i draft, aiming to replace the conventional WEP security technique and provide an interim advanced security solution for WLAN devices while maintaining compatibility with future security protocols. WPA can be considered a subset of IEEE 802.11i, with IEEE 802.1X and TKIP at its core.
During the past years, wireless security protocols have developed substantially. The encryption technique has developed from traditional WEP encryption to the AES-CCMP encryption of IEEE 802.11i, and the authentication method has developed from WEP shared-key authentication to 802.1X security authentication. With the introduction of new protocols and technologies, the entire network architecture has become more complicated. The existing WPA security technique allows diverse authentication and encryption methods to be applied to implement WLAN access control, key management and data encryption. For example, access authentication can use pre-shared key (PSK) authentication or 802.1X authentication, while the encryption method can use TKIP or AES. The combination of WPA with these encryption and authentication methods guarantees the security of the data link layer and ensures that only authorized users can access the WLAN.
RSN (Robust Secure Network) is known as the WPA2 security mode, the second edition of WPA. It was developed by the Wi-Fi Alliance upon the official release of IEEE 802.11i. Since RSN supports the AES-CCMP encryption algorithm, it theoretically provides better security than WPA.
Similar to WPA, the existing RSN security technique can also be combined with multiple authentication and encryption methods to build a safer WLAN. The difference lies in security capability advertisement and negotiation: WPA uses the WPA IE (Information Element) to carry security configuration information, while RSN adopts the standard RSN IE.
WPA operating mechanism is shown below, and can be summarized into the following four phases:
The operating process of RSN (WPA2) is basically the same as that of WPA. For the operating mechanism of
RSN, please refer to the operating mechanism of WPA.
The security capability advertisement takes place when the STA and AP associate via 802.11:
To advertise its support for WPA, the AP sends out a Beacon frame with a WPA IE (Information Element), which contains the security configuration information of the AP (such as the encryption algorithm and authentication method).
The STA sends an Open System Authentication request to the AP, which replies with the authentication result. For details, please refer to the section "Open System Authentication".
The STA selects the corresponding security configuration according to the IE information contained in the AP advertisement, and sends the selected security configuration to the AP. At this phase, if the STA doesn't support any encryption and authentication method supported by the AP, the AP may deny the request to establish a connection; if the AP doesn't support any encryption and authentication method supported by the STA, the STA won't establish a connection with the AP.
This phase mainly involves user authentication, which generates the Pairwise Master Key (PMK).
The PMK is the ultimate source of all cipher key data. It can be dynamically generated upon negotiation between the STA and the authentication server, or be directly provided by the configured pre-shared key (PSK).
For 802.1X authentication: The PMK is generated upon dynamic negotiation between the STA and the authentication server (as specified by the authentication protocol). This process is transparent to the AP, which mainly relays user authentication information in both directions and opens or closes the port according to the authentication result.
For PSK authentication: There is no PMK negotiation between the STA and the authentication server. The AP and STA directly use the configured PSK as the PMK.
The STA and the authentication server (for 802.1X authentication) generate the PMK for both sides only if access authentication succeeds. For 802.1X access authentication, after successful authentication, the server distributes the generated PMK to the AP.
This phase mainly involves communication key negotiation to generate PTK and GTK, which are used to encrypt the
unicast and multicast messages.
The AP and STA carry out the 4-way WPA handshake via EAPOL-KEY frames. During this process, the AP and STA calculate a 512-bit PTK on the basis of the PMK, and divide this PTK into keys for multiple purposes: data encryption key, MIC key (data integrity key), EAPOL-Key encryption key, EAPOL-Key integrity key, etc., which provide encryption and integrity protection for the subsequent unicast data frames and EAPOL-Key frames.
After successful 4-way handshake, AP will use certain fields of PTK to encrypt GTK and send the encrypted GTK to STA,
which will use PTK to decrypt GTK. GTK is a group of global encryption keys. AP uses GTK to encrypt broadcast and
multicast packets. All STAs associated with this AP can use the same GTK to decrypt the encrypted broadcast and
multicast packets sent by AP and check the MIC.
TKIP or AES encryption algorithm doesn't directly use the key generated from PTK/GTK as the key for packet encryption.
Instead, this key is used as the Base Key to generate a new key upon 2-step key mixing. A different key will be generated
during every packet transmission. In the subsequent communication, AP and STA will use this key to carry out encrypted
communication.
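The key hierarchy described in the preceding paragraphs (the PSK used directly as PMK, then the PTK derived during the 4-way handshake and split into per-purpose keys), as an added Python example following the IEEE 802.11i derivation; it is not Ruijie code, and the MAC addresses and nonces it uses are constructed test values.

```python
"""WPA/RSN key hierarchy: PSK -> PMK, then PMK -> 512-bit PTK during the
4-way handshake, split into its per-purpose keys.

Added example that follows the IEEE 802.11i derivation with the Python
standard library only; it is not Ruijie code.  The MAC addresses and nonces
used below are constructed test values."""
import hashlib
import hmac


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """PSK authentication: the configured passphrase is stretched with
    PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt) and used directly as the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for
    i = 0, 1, ... concatenated and truncated to nbits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbits: int = 512) -> bytes:
    """4-way handshake key derivation.  Both sides compute the same PTK because
    the inputs are ordered (min/max) before hashing.  AA, SPA and both nonces
    travel in clear in the EAPOL-Key frames, so the PMK is the only secret
    input; with PSK authentication the passphrase quality is the whole secret."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def split_ptk_tkip(ptk: bytes) -> dict:
    """TKIP layout of the 512-bit PTK: KCK (EAPOL-Key integrity), KEK (EAPOL-Key
    encryption, used to wrap the GTK), TK (data encryption) and the two 64-bit
    Michael MIC keys, one per direction."""
    if len(ptk) != 64:
        raise ValueError("TKIP PTK must be 512 bits")
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC1": ptk[48:56], "MIC2": ptk[56:64]}


if __name__ == "__main__":
    # Constructed values: addresses and nonces as an AP and a STA would exchange.
    pmk = pmk_from_psk("password", "IEEE")      # IEEE 802.11i Annex test vector
    aa = bytes.fromhex("02aabbccdd01")          # AP (authenticator) MAC, constructed
    spa = bytes.fromhex("02aabbccdd02")         # STA (supplicant) MAC, constructed
    anonce = bytes(range(32))                   # constructed ANonce
    snonce = bytes(range(32, 64))               # constructed SNonce
    ptk = derive_ptk(pmk, aa, spa, anonce, snonce)
    print("PMK:", pmk.hex())
    for name, part in split_ptk_tkip(ptk).items():
        print(f"{name:5s} {len(part) * 8:3d} bits {part.hex()}")
```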
Protocol Specification
IEEE Std 802.11-2007, IEEE Standard for Information technology— Telecommunications and information exchange between systems— Local and metropolitan area networks— Specific requirements
Wi-Fi Protected Access – Enhanced Security Implementation Based On IEEE P802.11i Standard, Aug 2004
IEEE Std 802.11i, IEEE Standard for Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements
Default Configurations
Configuration
In practical applications, different levels of wireless security policy shall be implemented according to user needs. The three security levels of the wireless security mechanism are shown below:
Wireless security encryption mainly involves three configuration models, which correspond to different encryption and authentication combinations. According to actual networking needs, the user can refer to the above security levels and select an appropriate security configuration model:
Configure WPA
    Encryption    Authentication
    AES-CCMP      802.1X
    TKIP          802.1X
    AES-CCMP      PSK
    TKIP          PSK
WPA and RSN security modes can be enabled simultaneously. If one WLAN enables WPA and RSN
simultaneously, then both security modes share the same encryption and authentication methods.
The following two configurations must be completed for the static WEP security encryption model:
WEP encryption mode is enabled by configuring the WEP encryption key. Execute the following commands.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id
    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
After the static WEP encryption key is configured, the wireless security mode automatically switches to static WEP mode. WEP supports four keys, but currently only the first key is valid.
Ruijie(config)#wlansec 1
Ruijie(wlansec)# security static-wep-key encryption 40 ascii 1 12345
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP // Security policy: static WEP
WEP auth mode :open
WEP index......... :0 // Key index is 0, and the corresponding value is 1.
WEP key is HEX :false // Whether to use HEX format to configure the key
WEP key length :5
WEP passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345
Ruijie(config)#wlansec 1
Ruijie(wlansec)# security static-wep-key encryption 40 hex 1 3132333435
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP // Security policy: static WEP
WEP auth mode :open
WEP index......... :0 // Key index is 0, and the corresponding value is 1.
WEP key is HEX :true // Whether to use HEX format to configure the key
WEP key length :5
WEP passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345
WEP encryption mode can be used with one of the following two link authentication modes.
Open System Authentication: The WEP key is used only for encryption. Even if the configured keys differ, the user can still access the network, but the data transmitted subsequently is discarded by the receiving end because of the mismatched keys. In short, the STA can connect to the AP but cannot access the Internet.
Shared key authentication: The WEP key is used for both authentication and encryption. If the keys differ, the STA cannot access the network.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id
    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security static-wep-key authentication [ open | share-key ]
    Configures the WEP authentication mode. By default, open system authentication is used, namely there is no authentication.
    open: Open system authentication mode.
    share-key: Shared key authentication mode.
Ruijie(wlansec)# show wlan security wlan-id
    Displays the security configuration of the specified WLAN.
    wlan-id: The ID of the WLAN to be checked, in the range from 1 to 512.
The shared key authentication mode can only be configured during WEP encryption configuration.
When configuring WPA and RSN security modes, AP must operate under the open system authentication
mode.
Example: Configure the link authentication mode of WLAN1 to shared key authentication:
Ruijie (config)#wlansec 1
Ruijie(wlansec)# security static-wep-key authentication share-key
Ruijie(wlansec)#show wlan security 1
Security Policy :static WEP
WEP auth mode : share-key // Link authentication mode: shared key authentication
WEP index......... :0
WEP key is HEX :true
WEP key length :5
WEP passphrase :
31 32 33 34 35
Among the existing WPA security solutions, two encryption methods can be adopted, TKIP and AES-CCMP, and two authentication methods can be applied, PSK authentication and 802.1X authentication. The combination of WPA with these encryption and authentication methods guarantees the security of the data link layer and ensures that only authorized users can access the WLAN.
The following steps indicate how to enable WPA security mode. Encryption and authentication modes can only be configured after the security mode is enabled.
Command Function
Ruijie# configure terminal
    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id
    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa [ enable | disable ]
    (Required) Enables/disables WPA security mode.
Ruijie(wlansec)# show wlan security wlan-id
    Displays the security configuration of the specified WLAN.
For devices like AP220-E V1.x, AP220-SH V1.x, AP220-SE V1.x and AP220-E (M) V1.5, when they are using
WPA security mechanism, the encryption mode and authentication mode shall be configured accordingly. If
only the encryption mode or the authentication mode is configured, or if none of them is configured, then
STA will be unable to connect to the wireless network. For devices like AP220-E V2.x, AP220-SH V2.x,
AP220-1 and AP220-SI, when they are using WPA security mechanism, the encryption mode and
authentication mode shall be configured accordingly. If only the encryption mode or the authentication mode
is configured, or if none of them is configured, then STA will be unable to connect to the wireless network,
but not in the encryption mode.
When using WPA security mechanism, AP must work under the open system authentication mode.
Ruijie (config)#wlansec 1
Ruijie(wlansec)# security wpa enable
Like WPA, RSN also requires both the encryption mode and the authentication mode to be configured to guarantee the
security of the data link layer and ensure that only authorized users can access the WLAN.
The following steps indicate how to enable RSN security mode. Encryption and authentication modes can only be
configured after the security mode is enabled.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security rsn [ enable | disable ]    (Required) Configures RSN authentication for a WLAN.
Ruijie(wlansec)# show wlan security wlan-id    Displays the security configuration of the specified WLAN.
When the RSN security mechanism is used, both the encryption mode and the authentication mode must be configured.
If only one of them is configured, or neither is configured, the STA will be unable to connect to the wireless network.
When the RSN security mechanism is used, the AP must operate in open system authentication mode.
Wireless clients running Windows XP SP1/SP2 need an additional patch to support RSN security mode.
Ruijie (config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Configure the encryption mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following two
encryption modes:
TKIP encryption
AES encryption
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa ciphers [ aes | tkip ] enable    Configures the encryption mode of WPA as AES or TKIP; both can be enabled.
Ruijie(wlansec)# show wlan security wlan-id    Displays the security configuration of the specified WLAN.
WPA key negotiation mode is generally used together with TKIP algorithm or AES algorithm. Likewise, RSN
key negotiation mode is generally used together with AES algorithm or TKIP algorithm.
TKIP supports 802.11a/b/g. It does not support 802.11n.
Ruijie (config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# show wlan security 10
Security Policy: WPA none (no AKM)
WPA version : WPA2(RSN)
AKM type :
pairwise cipher type:AES // Encryption mode: AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen :
wpa_passphrase :
WEP auth mode :open
Configure the authentication mode of WPA/RSN in wireless security mode. WPA and RSN can both adopt the following
two authentication modes:
PSK authentication
802.1x authentication
Command Function
Ruijie# configure terminal Enters global configuration mode.
To support WPA/RSN, the AP must operate in open system authentication mode.
After a STA is associated with the AP in WPA or RSN mode, if there is a RADIUS server in the network acting as the
authentication server, the STA can use 802.1X authentication; if there is no RADIUS server in the network,
the STA and AP can use PSK authentication.
Ruijie (config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA PSK
WPA version : WPA2(RSN)
AKM type : preshare key // Access authentication: PSK
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen :
wpa_passphrase :
WEP auth mode :open
When the authentication mode is set to PSK, the PSK must be configured. The PSK takes effect only after the PSK
authentication mode has been configured.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# security wpa akm psk set-key { ascii ascii-key | hex hex-key }    Configures the PSK. ascii: the ASCII password. ascii-key: the ASCII password, containing 8 to 63 characters. hex: specifies the hexadecimal password. hex-key: the hexadecimal password, containing 64 characters.
Ruijie(wlansec)# show wlan security wlan-id    Displays the security configuration of the specified WLAN.
Ruijie (config)#wlansec 10
Ruijie(wlansec)# security rsn enable
Ruijie(wlansec)# security wpa ciphers aes enable
Ruijie(wlansec)# security wpa akm psk enable
Ruijie(wlansec)# security wpa akm psk set-key ascii 12345
Ruijie(wlansec)# show wlan security 10
Security Policy : WPA none (no AKM)
WPA version : WPA2(RSN)
AKM type : preshare key
pairwise cipher type:AES
group cipher type :AES
WLAN SSID :SSID_wlan10
wpa_passhraselen : 5 // Key length: 5 bytes
wpa_passphrase :
31 32 33 34 35 // Passphrase (displayed in HEX format): the corresponding ASCII key is 12345
WEP auth mode :open
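As an added illustration in Python (not part of the Ruijie guide), the following checks a set-key argument against the length rules in the table above and derives the PMK that the 4-way handshake will use: for an ASCII passphrase via PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256 bits (the IEEE 802.11i mapping); for a 64-character hex key, the key bytes themselves. The five-character key 12345 from the example is shown being rejected by the 8-63 rule, and the passphrase dump matches the show output format.

```python
import hashlib
import re

# Length rules from the set-key command: an ASCII passphrase of 8 to 63
# characters, or a 64-character hexadecimal key (the 256-bit PMK itself).
ASCII_MIN, ASCII_MAX = 8, 63
HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")
PBKDF2_ITERATIONS = 4096   # IEEE 802.11i passphrase-to-PSK mapping
PMK_LEN = 32               # 256-bit PMK


def validate_psk(kind: str, key: str) -> tuple:
    """Check an 'ascii ascii-key' or 'hex hex-key' argument; return (ok, reason)."""
    if kind == "ascii":
        if not ASCII_MIN <= len(key) <= ASCII_MAX:
            return False, f"ascii-key must be {ASCII_MIN}-{ASCII_MAX} characters, got {len(key)}"
        if not all(32 <= ord(c) <= 126 for c in key):
            return False, "ascii-key must contain printable ASCII characters only"
        return True, "ok"
    if kind == "hex":
        if not HEX_RE.match(key):
            return False, "hex-key must be exactly 64 hexadecimal characters"
        return True, "ok"
    return False, f"unknown key type {kind!r}"


def derive_pmk(kind: str, key: str, ssid: str) -> bytes:
    """Return the PMK the AP and STA will share for this WLAN.

    For an ASCII passphrase this is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32),
    so the same passphrase yields a different PMK on a WLAN with a different SSID.
    A hex key is the PMK given directly.
    """
    ok, reason = validate_psk(kind, key)
    if not ok:
        raise ValueError(reason)
    if kind == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PMK_LEN)


def passphrase_dump(key: str) -> str:
    """Render an ASCII passphrase the way 'show wlan security' prints it (hex bytes)."""
    return " ".join(f"{b:02x}" for b in key.encode("ascii"))


if __name__ == "__main__":
    # The guide's example key is below the documented minimum length.
    print(validate_psk("ascii", "12345"))
    print(passphrase_dump("12345"))          # 31 32 33 34 35, as in the show output
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("ascii", "password", "IEEE").hex())
```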
Configuring MAB
In actual applications, some wireless devices cannot have an 802.1X client installed, yet they need to connect to a
wireless network that requires authentication. MAB (MAC Authentication Bypass), a MAC-address-based authentication
mechanism that needs no 802.1X client, can be used in such cases.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id    Enters wireless security configuration mode. wlan-id refers to an existing WLAN ID. A WLAN must be created before this configuration.
Ruijie(wlansec)# dot1x-mab    Enables the MAB feature. Use the no form of this command to remove the configuration.
This command is used to enable MAB authentication. It can be used in combination with PSK access authentication but
not with 802.1X access authentication.
The MAB feature cannot coexist with the other security modes in the same WLAN.
Ruijie(config)#wlansec 1
Ruijie(config-wlansec)# dot1x-mab
Ruijie(config)#wlansec 1
Ruijie(config-wlansec)# no dot1x-mab
To switch over the WLAN security policies, please delete the WLANSEC configuration corresponding to this
WLAN before configuring new security policies.
Use this command in WLAN security configuration mode to configure the forbidcount applied after a four-way handshake
fails to accomplish key exchange. Use the no or default form of this command to restore the default setting.
Command Function
authtimeout forbidcount count    Configures the forbidcount after a four-way handshake fails to accomplish key exchange. count: sets the forbidcount after a four-way handshake fails to accomplish key exchange.
The following example sets the forbidcount to 5 after a four-way handshake fails to accomplish key exchange.
Ruijie(config-wlansec)#authtimeout forbidcount 5
Use this command in WLAN security configuration mode to set the forbidtime applied after a four-way handshake fails to
accomplish key exchange. Use the no or default form of this command to restore the default setting.
Command Function
authtimeout forbidtime time    Sets the forbidtime after a four-way handshake fails to accomplish key exchange. time: sets the forbidtime after a four-way handshake fails to accomplish key exchange, in seconds. The default is 5.
The following example sets the forbidtime to 6 seconds after a four-way handshake fails to accomplish key exchange.
Ruijie(config-wlansec)#authtimeout forbidtime 6
Use this command in WLAN security configuration mode to set the retransmission count for the multicast key negotiation
packet. Use the no or default form of this command to restore the default setting.
Command Function
authtimeout groupcount count    Sets the retransmission count for the multicast key negotiation packet. count: sets the retransmission count for the multicast key negotiation packet. The default is 7.
The following example sets the retransmission count for the multicast key negotiation packet to 5.
Ruijie(config-wlansec)#authtimeout groupcount 5
Use this command to set the retransmission count for the unicast key negotiation packet. Use the no or default form of
this command to restore the default setting.
Command Function
authtimeout paircount count    Sets the retransmission count for the unicast key negotiation packet. count: sets the retransmission count for the unicast key negotiation packet. The default is 7.
The following example sets the retransmission count for the unicast key negotiation packet to 5.
Ruijie(config-wlansec)#authtimeout paircount 5
Use this command in WLAN security configuration mode to set the timeout period for the multicast key negotiation packet.
Use the no or default form of this command to restore the default setting.
Command Function
authtimeout grouptime timeout    Sets the timeout period for the multicast key negotiation packet. timeout: sets the timeout period for the multicast key negotiation packet, in milliseconds.
The following example sets the timeout period for the multicast key negotiation packet to 100 milliseconds.
Use this command in WLAN security configuration mode to set the timeout period for the unicast key negotiation packet.
Use the no or default form of this command to restore the default setting.
Command Function
authtimeout pairtime timeout    Sets the timeout period for the unicast key negotiation packet. timeout: sets the timeout period for the unicast key negotiation packet, in milliseconds.
The following example sets the timeout period for the unicast key negotiation packet to 100 milliseconds.
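The authtimeout parameters above interact: a key negotiation message is retransmitted up to paircount (or groupcount) times with pairtime (or grouptime) between attempts, a handshake that never completes counts as a failure, and forbidcount failures keep the client off the WLAN for forbidtime. The following Python simulation is an added example, not Ruijie code; whether count includes the first transmission and whether a success resets the failure counter are assumptions noted in the comments.

```python
from dataclasses import dataclass


@dataclass
class AuthTimeout:
    """The WLAN security timers from this section (values from its examples and defaults)."""
    paircount: int = 7       # unicast key negotiation retransmissions, default 7
    pairtime_ms: int = 100   # unicast negotiation timeout in ms, as in the example
    groupcount: int = 7      # multicast key negotiation retransmissions, default 7
    grouptime_ms: int = 100  # multicast negotiation timeout in ms, as in the example
    forbidcount: int = 5     # failed handshakes before a client is forbidden (example)
    forbidtime_s: int = 6    # seconds the client stays forbidden (example; default 5)


def run_exchange(replies: list, count: int, timeout_ms: int) -> tuple:
    """Simulate one key negotiation message with retransmission.

    replies[i] says whether the i-th transmission was answered. Assumption:
    count is the number of retransmissions after the first send, so at most
    count + 1 frames go out. Returns (success, transmissions, waited_ms).
    """
    for i in range(count + 1):
        if i < len(replies) and replies[i]:
            return True, i + 1, i * timeout_ms
    return False, count + 1, (count + 1) * timeout_ms


class HandshakeGuard:
    """Tracks consecutive handshake failures per client and applies forbidtime."""

    def __init__(self, cfg: AuthTimeout):
        self.cfg = cfg
        self.failures = {}          # mac -> consecutive failed handshakes
        self.forbidden_until = {}   # mac -> time (s) until which the client is refused

    def is_forbidden(self, mac: str, now: float) -> bool:
        return now < self.forbidden_until.get(mac, 0.0)

    def report(self, mac: str, success: bool, now: float) -> str:
        """Record a handshake outcome; return the resulting client state."""
        if success:
            self.failures.pop(mac, None)   # assumption: a success resets the counter
            return "ok"
        n = self.failures.get(mac, 0) + 1
        if n >= self.cfg.forbidcount:
            self.failures.pop(mac, None)
            self.forbidden_until[mac] = now + self.cfg.forbidtime_s
            return "forbidden"
        self.failures[mac] = n
        return f"failed {n}/{self.cfg.forbidcount}"

    def pairwise_handshake(self, mac: str, replies: list, now: float) -> str:
        """Run the unicast (pairwise) negotiation for a client and record the outcome."""
        if self.is_forbidden(mac, now):
            return "refused"
        ok, _, _ = run_exchange(replies, self.cfg.paircount, self.cfg.pairtime_ms)
        return self.report(mac, ok, now)


if __name__ == "__main__":
    cfg = AuthTimeout()
    guard = HandshakeGuard(cfg)
    sta = "02:00:00:00:00:01"   # constructed client address
    # A client that never answers burns (paircount + 1) * pairtime before the failure is declared.
    print(run_exchange([], cfg.paircount, cfg.pairtime_ms))
    for attempt in range(cfg.forbidcount):
        print(attempt + 1, guard.pairwise_handshake(sta, [], now=float(attempt)))
    print(guard.pairwise_handshake(sta, [True], now=5.0))   # refused until t = 4 + 6 = 10
```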
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# wlansec wlan-id    Enters WLAN security configuration mode. wlan-id specifies an existing WLAN ID, which must be created before this configuration.
Ruijie(wlansec)# webauth prevent-jitter timeout    Sets the timeout for jitter prevention during Web authentication. The range of timeout is from 0 to 86400 seconds. The default is 300 seconds.
Use the no webauth prevent-jitter or default webauth prevent-jitter command to restore the default setting.
Displaying Configurations
After completing the preceding configurations, you can execute the following show commands in any mode to display the
security configuration.
Command Function
show wlan security wlan-id    Displays the security configuration of the specified WLAN.
show wlan stainfo summary    Displays the authentication state of the current users.
Configuration Examples
The following will only explain the configurations related to encryption and authentication.
Network Topology
Networking Requirements
As there is no dedicated authentication server, the wireless clients will use PSK authentication to access the network.
The AES encryption algorithm shall be used to ensure the high security of network data.
Configuration Tips
1) Create WLAN
To configure WPA/RSN security mode, open system authentication must be enabled.
Configuration Steps
Ruijie(config)#vlan 2
Ruijie(config-vlan)#int vlan 2
Ruijie(config-if-VLAN 2)#exit
2. Create a WLAN with ID 1024, configure the mapping between WLAN 1 and CVI 2, and then apply it to radio 1
of all APs in the default AP group.
1. Enable open system authentication. By default, the link authentication mode is open system authentication.
Ruijie(config)#wlansec 100
Ruijie(wlansec)# security static-wep-key authentication open
Verifying Configurations
Step 3: Enter the correct and a wrong passphrase on the wireless client to verify whether the security function is effective.
By entering the correct PSK, the wireless client can successfully associate with the AP and access Internet resources.
By entering a wrong PSK, the wireless client will be unable to associate with the AP or access Internet resources
(due to differences between user terminals, some wireless clients may be able to associate with the AP but unable to
access the network).
Configuration Guide Configuring WIDS
Configuring WIDS
Overview
Compared with a wired network, a WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is
thus applied more and more widely. However, because the WLAN channel is open, wireless networks are
susceptible to a wide array of threats such as unauthorized APs, ad-hoc networks and various protocol attacks.
Security has therefore become an important factor inhibiting the development of WLAN.
WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions and helps the
network administrator proactively discover hidden defects of the network and take the necessary countermeasures.
User isolation
Rogue device: An unauthorized or malicious device on the network. It can be an illegal AP, an illegal bridge or an
unauthorized ad-hoc device.
Rogue AP: An unauthorized or malicious AP on the network, such as an unauthorized AP, a misconfigured AP or an
attacker-operated AP.
Ad-hoc device: A wireless client in ad-hoc mode can communicate directly with other stations without support from any
other device. Since no infrastructure is provided for an ad-hoc network, it poses certain security threats.
IDS attack detection: WIDS can detect malicious or unintentional attacks on the WLAN by wireless users, such as
Flooding attacks, Spoof attacks and Weak IV attacks.
Devices on the network can generally be divided into illegal devices (Rogue devices) and legal devices. Rogue
devices may have security vulnerabilities or be controlled by an attacker, and thus pose severe threats to network
security. The Rogue device detection feature of WIDS helps monitor abnormal devices in the entire WLAN
and assists the network administrator in detecting hidden defects of the network.
Rogue device detection can detect multiple kinds of Rogue devices in the WLAN: Rogue AP, Rogue Client, Rogue wireless
bridge and Ad-hoc network. Currently, only the detection of Rogue AP and Ad-hoc network is supported.
Rogue device detection is performed by APs operating in monitor mode. WIDS deploys some APs in the wireless network
and instructs them to operate in monitor mode in order to capture the wireless packets transmitted over the air.
Besides listening for packets, the AP also sends broadcast detection requests and waits for the replies. Each
device adjacent to this AP receives such a detection request and replies. In this way, the AP operating in monitor
mode can identify the types of surrounding devices from these response frames. Meanwhile, the network
administrator can also monitor abnormal devices in the entire WLAN by configuring detection rules.
Rogue device countermeasure sends spoofed deauthentication frames, using the address of a rogue device in the attack
list, in order to counter that rogue device.
Monitor AP: In this mode, the AP scans all devices in the WLAN and acts only as a monitor AP, not as an access
AP. When the AP operates in Monitor mode, all WLAN services provided by this AP are disabled. As shown in Fig 1,
AP 1 works as an access AP, and AP 2 works as a monitor AP that listens to all 802.11 frames and detects illegal
devices on the wireless network. AP 2 cannot provide wireless access services.
Hybrid AP: In this mode, the AP acts as both access AP and Monitor AP. It scans devices in the WLAN and
provides WLAN data services. As shown in Fig 2, the AP can both detect Rogue devices and provide WLAN access
services for Client1 and Client2.
After a Rogue device is detected, you can enable the countermeasures. The monitor AP downloads an attack list from the
AC according to the countermeasure mode and takes countermeasures against the detected rogue devices. For example,
the address of the Rogue device can be used to send spoofed de-authentication frames against that Rogue device
(this feature is not provided for the moment).
In order to timely detect and defend against malicious or unintentional attacks on the WLAN network, WIDS can detect
multiple kinds of intrusions or attacks. When attack is detected, WIDS will inform the network administrator of such attacks
through recording information or sending logs. The network administrator can timely adjust network configurations and
clear insecurity factors in the WLAN.
Weak IV detection
A flooding attack refers to the case in which WLAN devices receive large volumes of frames of the same kind within a
short span of time and are overwhelmed. As a result, such WLAN devices are unable to respond to requests from
legal users.
WIDS attack detection counters flood attacks by constantly tracking the density of traffic generated by each
device. When the traffic density of a device exceeds the threshold configured by the network administrator, the device is
considered to be flooding the network and is blocked. Flooding attack detection can be used in conjunction with the
dynamic blacklist: when WIDS detects a Flooding attack and the dynamic blacklist feature is enabled, the detected wireless
client is added to the blacklist, so that the WLAN system is no longer subject to attacks from that
device.
Probe requests
Action frames
Spoof attack refers to the case in which a potential attacker sends a frame in the air on behalf of another device. For
instance, a spoofed de-authentication frame can cause a station to get de-authenticated from the network.
WIDS counters spoof attack by detecting broadcast de-authentication and disassociation frames. When such a frame is
received, this is identified as a spoofed frame, and the attack is immediately logged.
Weak IV Detection
Weak IV (Weak Initialization Vector) attack: when a WLAN uses WEP to encrypt each frame, an attacker may intercept
frames with weak IVs to crack the shared key and eventually read the encrypted messages.
When a WLAN uses WEP to encrypt each frame, an IV is generated for each frame. The IV and the shared key are used to
generate a key stream, which is XORed with the plaintext to produce the ciphertext. When a WEP frame
is sent, the IV used to encrypt the frame is also sent in the clear as part of the frame header. If a client generates IVs in an
insecure way, for example by using a fixed IV for all frames, the shared secret key may be exposed to any potential attacker.
Once the shared secret key is compromised, the attacker can access network resources and threaten network security.
WIDS counters this attack by checking the IVs in WEP frames. Whenever a frame with a weak IV is detected, it is
treated as a defect and immediately logged.
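To make the Spoof and Weak IV checks concrete, here is an added Python example (not from the guide) that decodes the fixed 802.11 header of captured frames, raises the spoof alert for a broadcast deauthentication or disassociation frame, and raises the weak-IV alert for a WEP data frame whose IV falls in the classic FMS weak class (B+3, 0xFF, X) or repeats an IV already seen from the same transmitter (the fixed-IV case mentioned above). The frames and addresses are constructed; the alert names are my own.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT, DATA = 0, 2               # 802.11 frame types
DISASSOC, DEAUTH = 0x0A, 0x0C   # management subtypes
PROTECTED = 0x40                # Frame Control byte 1: Protected Frame bit


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_80211(frame: bytes) -> dict:
    """Decode the 24-byte 802.11 MAC header and, for a protected data frame,
    the 3-byte WEP IV that follows it in the clear."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "protected": bool(fc1 & PROTECTED),
        "addr1": _mac(frame[4:10]),    # receiver address
        "addr2": _mac(frame[10:16]),   # transmitter address
        "addr3": _mac(frame[16:22]),
    }
    if info["type"] == DATA and info["protected"]:
        if len(frame) < 28:
            raise ValueError("protected data frame too short for an IV")
        info["iv"] = frame[24:27]      # byte 27 carries the key ID
    return info


def is_weak_iv(iv: bytes) -> bool:
    """FMS weak-IV class (B+3, 0xFF, X): such IVs leak information about key byte B."""
    return iv[1] == 0xFF and 3 <= iv[0] <= 15


class WidsInspector:
    """Spoof and Weak-IV checks as this section describes them."""

    def __init__(self):
        self.seen_ivs = defaultdict(set)   # transmitter -> IVs already observed
        self.log = []                      # everything that would be logged

    def inspect(self, frame: bytes) -> list:
        alerts = []
        f = parse_80211(frame)
        # Spoof: a broadcast deauthentication/disassociation frame is treated as spoofed.
        if f["type"] == MGMT and f["subtype"] in (DISASSOC, DEAUTH) and f["addr1"] == BROADCAST:
            alerts.append(("spoof", f["addr2"], "broadcast deauth/disassoc"))
        if "iv" in f:
            iv = f["iv"]
            if is_weak_iv(iv):
                alerts.append(("weak-iv", f["addr2"], iv.hex()))
            if iv in self.seen_ivs[f["addr2"]]:
                alerts.append(("iv-reuse", f["addr2"], iv.hex()))   # e.g. a fixed IV
            self.seen_ivs[f["addr2"]].add(iv)
        self.log.extend(alerts)
        return alerts


def build_frame(ftype, subtype, addr1, addr2, addr3, protected=False, body=b"") -> bytes:
    """Assemble a minimal 802.11 frame: FC, duration, three addresses, sequence control, body."""
    fc = bytes([(subtype << 4) | (ftype << 2), PROTECTED if protected else 0])
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (addr1, addr2, addr3))
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + body


# Constructed sample capture (all addresses are made up).
AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE_FRAMES = [
    build_frame(MGMT, DEAUTH, BROADCAST, AP, AP, body=b"\x07\x00"),   # broadcast: spoofed
    build_frame(MGMT, DEAUTH, STA, AP, AP, body=b"\x07\x00"),         # unicast: normal
    build_frame(DATA, 0, AP, STA, AP, True, bytes([0x03, 0xFF, 0x10, 0x00]) + b"\xde\xad"),
    build_frame(DATA, 0, AP, STA, AP, True, bytes([0x01, 0x02, 0x03, 0x00]) + b"\xbe\xef"),
    build_frame(DATA, 0, AP, STA, AP, True, bytes([0x01, 0x02, 0x03, 0x00]) + b"\xca\xfe"),
]


def run_sample() -> list:
    """Inspect the constructed capture; returns one alert list per frame."""
    inspector = WidsInspector()
    return [inspector.inspect(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, alerts in zip(SAMPLE_FRAMES, run_sample()):
        print(parse_80211(frame)["subtype"], alerts)
```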
Frame Filtering
In a WLAN, WIDS can apply frame filtering rules to filter frames from wireless clients and thus implement access
control of wireless clients.
The WIDS frame filtering function achieves wireless client access control through the following three types of filtering lists:
White List
The white list contains the MAC addresses of wireless clients whose frames may be processed. If the white list is used, only
wireless clients included in it can access the WLAN, and all frames from other wireless clients are discarded
directly by the AP, which reduces the impact of illegal frames on the wireless network.
Static Blacklist
The static blacklist contains the MAC addresses of wireless clients whose frames should be dropped. If the static blacklist
is used, all frames from wireless clients included in it are discarded directly by the AP.
Dynamic Blacklist
The dynamic blacklist contains the MAC addresses of wireless clients whose frames will be dropped. A client is added to
this list dynamically only when WIDS detects a Flooding attack from it. When the WLAN detects a Flooding attack from
a terminal device, it dynamically adds the MAC address of that device to the blacklist and discards any frame received
from it, protecting the WLAN.
User Isolation
Due to the mobility and uncertainty of wireless clients, the privacy of user information is especially important under certain
circumstances (especially in public places), and direct access between clients should be restricted. User isolation
controls insecure access between wireless terminals in the wireless network (such as access between
wireless clients via the network neighborhood), preventing the interception of personal information by others.
Without affecting the normal network access of clients, user isolation prevents clients from accessing each other and
ensures the security of user services. The user isolation function is divided into:
AP User Isolation
AP user isolation refers to the case where all users associated with the same AP cannot communicate directly with each
other. As shown below, Clients 1-4 access the network via the same AP. Wireless terminals can communicate with each
other while accessing Internet. After the AP user isolation function is enabled, Client 1-Client 4 associated with the same
AP won't be able to ping and communicate with each other, but they can still access Internet.
AC User Isolation
AC user isolation refers to the case where all users associated with the same AC (but not the same AP) cannot
communicate directly with each other.
As shown below, AP1 and AP2 are connected to the same AC via a switch. Client 1 and Client 2 are connected to the
network via AP1, while Client 3 and Client 4 are connected via AP2. The wireless terminals can communicate
with each other while accessing the Internet. After the AC user isolation function is enabled, clients associated with the
same AC but with different APs can no longer communicate with each other: Client 1 cannot ping Client 3 or Client 4,
and Client 2 cannot ping Client 3 or Client 4. However, Client 1 can still ping Client 2, and Client 3 can still ping Client 4.
Client 1 to Client 4 keep their access to the Internet.
Default Configurations
Configuration
Because Rogue devices exist, the network administrator may want some APs in the WLAN to operate in
monitor mode in order to capture the wireless packets transmitted over the air in real time, identify the
surrounding devices by analyzing the message format (including device type, SSID, BSSID and channel), and record this
information in the list of detected devices. An AP can operate in any of three modes: Normal, Monitor and Hybrid.
Normal AP: Access AP. AP will transmit the data of WLAN users without monitoring these data.
Monitor AP: Network device that scans or monitors wireless medium and attempts to detect attacker devices on the
wireless network. In this mode, AP will act only as the monitor AP instead of access AP.
Hybrid AP: Act as both access AP and monitor AP. In this mode, AP can both scan devices in the WLAN and
provide WLAN data services.
Command Function
Ruijie# config terminal    Access global configuration mode.
Ruijie(config)# ap-config ap-name    Enter the configuration mode of the specified AP.
Ruijie(ap-config)# device mode { monitor | normal | hybrid }    Configure the AP operation mode. The operation mode is hybrid by default.
Ruijie(ap-config)# show    Display configurations.
Command Function
Ruijie# config terminal    Access global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# device mode { monitor | normal | hybrid }    Configure the AP operation mode. The operation mode is hybrid by default.
Ruijie(ap-config)# show    Display configurations.
A detection rule is the policy established for identifying Rogue devices. WIDS checks frames against the configured rules
in order to identify legal (Friendly) devices, unclassified devices and eventually illegal (Rogue) devices.
The network administrator can preconfigure the policy for identifying legal devices, such as a permitted MAC address list,
a permitted SSID list and a permitted vendor list. A device that fails to meet the policy is considered an unclassified
device or a Rogue device. As shown above, when a detected device meets the policy it is considered a legal
(Friendly) device; otherwise it is considered an unclassified device.
The Rogue device detection rule is configured on the AC and then applied to all associated monitor APs.
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# device permit mac-address mac-address    (Required) Configure the permitted MAC address list. By default, no entry exists.
Ruijie(config-wids)# device permit ssid ssid    (Optional) Configure the permitted SSID list. By default, no entry exists.
Ruijie(config-wids)# device permit vendor bssid bssid    (Optional) Configure the permitted vendor list. By default, no entry exists.
Ruijie(config-wids)# show wids permitted { mac-address | ssid | vendor }    Display the permitted MAC/SSID/vendor list trusted by WIDS.
An AP operating in monitor mode captures the wireless packets transmitted over the air in real time and
records the scan results in the list of detected devices. The administrator can learn which devices are currently on the
network from this list. When an abnormal device is detected, it can be classified as a Rogue device by adding
its MAC address to the attack list. The administrator can also add the MAC address of a specific
device to the static attack list in advance; when a monitor AP detects a device with that MAC address accessing the
network, it considers that device a Rogue device.
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# device attack mac-address mac-address    (Optional) Configure the static attack list. By default, no entry exists.
Ruijie(config-wids)# show wids attack-list    Display the entries of the statically configured attack (Rogue) list.
The administrator can configure the aging duration of entries in the device detection list. Upon expiration of aging duration,
if the device is not detected again, this device will be removed from the list. If this device is already considered as Rogue
device, it will be transferred to the history record of Rogue devices.
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# device aging duration duration    Configure the device aging duration.
Ruijie(config-wids)# show run    Display configurations.
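Putting the detection rules, the static attack list and aging together, here is an added Python model (not Ruijie code) of how a detected device is classified and later aged out into the rogue history. Assumptions: the permitted vendor list matches the OUI (first three octets) of the BSSID, a device matching any permit entry is Friendly, the static attack list takes precedence, and the 300 s aging default and all addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Detected:
    """One entry of the detected-device list: what a monitor AP reports."""
    mac: str
    bssid: str
    ssid: str
    channel: int
    kind: str          # "ap" or "adhoc", the two types detection currently supports
    last_seen: float   # seconds


@dataclass
class WidsRules:
    """device permit ..., device attack ... and device aging duration, as configured on the AC."""
    permit_mac: set = field(default_factory=set)
    permit_ssid: set = field(default_factory=set)
    permit_vendor: set = field(default_factory=set)   # OUI prefixes such as "00:11:22" (assumption)
    attack_mac: set = field(default_factory=set)      # static attack list
    aging_duration: float = 300.0                     # constructed default, seconds

    def classify(self, d: Detected) -> str:
        """A statically listed attacker is never trusted, whatever it advertises."""
        if d.mac.lower() in self.attack_mac:
            return "rogue"
        if (d.mac.lower() in self.permit_mac or d.ssid in self.permit_ssid
                or d.bssid.lower()[:8] in self.permit_vendor):
            return "friendly"
        return "unclassified"


class DetectionList:
    """The list behind 'show wids detected ...' plus the rogue history."""

    def __init__(self, rules: WidsRules):
        self.rules = rules
        self.devices = {}        # mac -> Detected
        self.rogue_history = []  # rogue entries removed by aging

    def record(self, d: Detected) -> str:
        """Merge a scan result (newer last_seen wins) and return its classification."""
        cur = self.devices.get(d.mac)
        if cur is None or d.last_seen >= cur.last_seen:
            self.devices[d.mac] = d
        return self.rules.classify(self.devices[d.mac])

    def mark_rogue(self, mac: str) -> None:
        """'device attack mac-address': reclassify a listed device by adding it to the attack list."""
        self.rules.attack_mac.add(mac.lower())

    def show(self, category: str = "all") -> list:
        """Entries for show wids detected { all | friendly | unclassified | rogue }."""
        return [d for d in self.devices.values()
                if category == "all" or self.rules.classify(d) == category]

    def age(self, now: float) -> list:
        """Drop entries not seen within aging_duration; rogue ones go to the history."""
        expired = [m for m, d in self.devices.items()
                   if now - d.last_seen > self.rules.aging_duration]
        for mac in expired:
            d = self.devices.pop(mac)
            if self.rules.classify(d) == "rogue":
                self.rogue_history.append(d)
        return expired


def demo() -> DetectionList:
    """Constructed scan results: a permitted-vendor AP, an unknown AP and a listed attacker
    that even advertises the permitted SSID."""
    rules = WidsRules(permit_ssid={"corp-wifi"}, permit_vendor={"00:11:22"},
                      attack_mac={"de:ad:be:ef:00:01"})
    lst = DetectionList(rules)
    lst.record(Detected("00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "corp-wifi", 6, "ap", 100.0))
    lst.record(Detected("aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:02", "guest", 11, "ap", 100.0))
    lst.record(Detected("de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "corp-wifi", 1, "adhoc", 100.0))
    return lst


if __name__ == "__main__":
    lst = demo()
    for d in lst.show():
        print(d.mac, d.kind, lst.rules.classify(d))
    print("aged out:", lst.age(now=401.0), "history:", [d.mac for d in lst.rogue_history])
```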
Display and clear the list of all WLAN devices detected, including legal devices, unclassified devices and illegal devices.
Command Function
show wids detected all    Display the list of all WLAN devices detected.
reset wids detected all    Clear the list of all WLAN devices detected.
Display and clear the list of all illegal and unclassified devices detected.
Command Function
show wids detected friendly Display all legal devices detected.
reset wids detected friendly Clear all legal devices detected.
show wids detected unclassified Display all unclassified devices detected.
reset wids detected unclassified Clear all unclassified devices detected.
Display and clear the record of devices detected and considered as illegal.
Command Function
show wids detected rogue ap Display the record of Rogue AP detected.
reset wids detected rogue ap Clear the record of Rogue AP detected.
show wids detected rogue adhoc Display the record of Rogue adhoc detected.
Display and clear the record of device with specified MAC address.
Command Function
show wids detected mac-address mac-address    Display the record of the detected device with the specified source MAC address.
reset wids detected mac-address mac-address    Clear the record of the detected device with the specified source MAC address.
Display and clear the record of Rogue devices deleted from the detection list as a result of timeout (this command is not
supported for the moment).
Command Function
show wids rogue-history Display the history record of Rogue devices.
reset wids rogue-history Clear the history record of Rogue devices.
Currently, WIDS is capable of detecting three types of intrusions: Flooding attack detection, Spoof attack detection and
Weak-IV detection. The process of detection is shown below.
In WIDS configuration mode, enable the corresponding IDS attack detection function to activate IDS attack detection. The
user can apply the corresponding counter-attack policies according to actual network conditions. The configuration steps
are shown below:
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# attack-detection enable all    (Optional) Enable all IDS attack detection functions, including DDoS, Flooding, Spoof and Weak-IV attack detection. This function is disabled by default.
Ruijie(config-wids)# attack-detection enable ddos    (Required) Enable DDoS attack detection. This function is disabled by default.
Ruijie(config-wids)# attack-detection enable flood    (Required) Enable Flooding attack detection. This function is disabled by default.
Ruijie(config-wids)# attack-detection enable spoof    (Required) Enable Spoof attack detection. This function is disabled by default.
Ruijie(config-wids)# attack-detection enable weak-iv    (Required) Enable Weak-IV detection. This function is disabled by default.
Ruijie(config-wids)# show run    Display the enable/disable state of the IDS intrusion detection functions.
Use these commands in WIDS configuration mode to set the packet threshold and interval of the specified DDoS attack
detection packets. Use the no form of these commands to restore the default setting.
Command Function
attack-detection ddos { arp-threshold num | icmp-threshold num | syn-threshold num | interval time }    Set the threshold and interval for the specified DDoS attack detection packets. interval time: sets the DDoS detection interval in the range from 10 to 60 seconds. arp-threshold num: sets the ARP packet threshold in the range from 1 to 10000 pps. icmp-threshold num: sets the ICMP packet threshold in the range from 1 to 10000 pps. syn-threshold num: sets the SYN packet threshold in the range from 1 to 10000 pps.
The default arp-threshold is 5 pps, icmp-threshold 100 pps, syn-threshold 5 pps, and interval 30 seconds.
The following example restores the ARP packet threshold to the default setting.
Use these commands in WIDS configuration mode to set the packet threshold and interval of the specified Flooding attack
detection packets. Use the no form of these commands to restore the default setting.
Command Function
attack-detection flood multi-mac { assoc | reassoc | disassoc | probe | action | auth | deauth | null-data } threshold num interval time    Set the packet threshold and interval of the specified Flooding attack detection packets for multiple users. total: specifies all types of packets. assoc: specifies the association packet. reassoc: specifies the reassociation packet. disassoc: specifies the disassociation packet. probe: specifies the probe request packet. action: specifies the action packet. auth: specifies the authentication packet. deauth: specifies the deauthentication packet. null-data: specifies the null data packet. threshold num: sets the packet threshold in the range from 1 to 5000. interval time: sets the statistics interval in the range from 10 to 60 seconds.
attack-detection flood single-mac { total | assoc | reassoc | disassoc | probe | action | auth | deauth | null-data } threshold num interval time    Set the threshold and statistics interval of the specified Flooding attack detection packets for one single user.
The default threshold is 500 and the interval 10 seconds for multiple users.
The default threshold is 300 and the interval 10 seconds for one single user.
The following example sets the assoc threshold to 200 and the interval to 20000 milliseconds for assoc packets from multiple users.
The following example restores the assoc threshold and interval to the default setting.
The following example sets the assoc threshold to 200 and the interval to 20000 milliseconds for assoc packets from one single user.
The following example restores the assoc threshold and interval to the default setting.
Use this command to set the threshold and statistics interval for Spoofing attack detection packets in WIDS configuration mode. Use the no form of this command to restore the default setting.
Command Function
attack-detection spoof { threshold num | interval time }    Set the threshold and statistics interval for Spoofing attack detection packets.
    threshold num: Sets the packet threshold in the range from 1 to 1000.
    interval time: Sets the detection interval in the range from 10 to 60 in the unit of seconds.
The following example sets the threshold for Spoofing attack detection packets to 20.
The following example restores the Spoofing attack detection threshold to the default setting.
Weak IV Detection
Use this command to set the threshold and interval for Weak IV attack detection packets in WIDS configuration mode. Use the no form of this command to restore the default setting.
Command Function
attack-detection weak-iv { threshold num | interval time }    Sets the threshold and statistics interval for Weak IV attack detection packets.
    threshold num: Sets the packet threshold in the range from 1 to 1000.
    interval time: Sets the detection interval in the range from 10 to 60 in the unit of seconds.
The following example sets the threshold for Weak IV attack detection packets to 200.
The following example restores the Weak IV attack detection threshold to the default setting.
Use this command to set the maximum number of IDS attack detection list entries on ACs or APs in WIDS configuration mode. Use the no form of this command to restore the default setting.
Command Function
attack-detection statistics ap-max num    Sets the maximum number of IDS attack detection list entries on the APs in the range from 1 to 1024.
The following example sets the maximum number of IDS attack detection list entries on the AP to 1000.
The following example restores the maximum number of IDS attack detection list entries on the AP to the default setting.
After completing the aforementioned configurations, you can use the show command to display IDS attack detection
history in any mode. In the privilege mode, use the reset command to clear IDS attack detection history information and
statistics information.
Display and clear IDS attack detection history (this command is not supported for the moment).
Command Function
show wids history Display IDS attack detection history.
reset history Clear IDS attack detection history.
Display and clear IDS attack detection statistics (this command is not supported for the moment).
Command Function
show wids statistics Display IDS attack detection statistics.
reset statistics Clear IDS attack detection statistics.
Frame filtering involves the configuration of a whitelist, a static blacklist and a dynamic blacklist. When an AP receives a data frame, it checks the MAC address of the frame. The process of frame filtering is shown below:
Configure the whitelist in WIDS configuration mode. When an entry exists in the whitelist, the corresponding client passes frame filtering. The user can add or delete entries by executing the relevant commands.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Configure static blacklist in WIDS configuration mode. When an entry exists in the blacklist, the corresponding client will
be denied to pass. The user can add or delete entries by executing relevant commands.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# [ no ] static-blacklist mac-address mac-address    (Required) Configure the static blacklist. Blank by default.
Ruijie(config-wids)# show wids blacklist static    Display the static blacklist.
Enable the dynamic blacklist in WIDS configuration mode. When a Flooding attack is detected by WIDS, the associated client is dynamically added to the dynamic blacklist. The user can configure the lifetime of entries in the dynamic blacklist. When the lifetime expires, if the device has not been detected again, the corresponding entry is removed from the dynamic blacklist.
The user can configure the dynamic-blacklist entries by executing the relevant commands. Use the no form of these commands to restore the default setting.
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# dynamic-blacklist enable    (Required) Enable the dynamic blacklist function. Disabled by default.
Ruijie(config-wids)# dynamic-blacklist lifetime lifetime    (Optional) Configure the lifetime of dynamic blacklist entries. Default: 300 seconds.
Ruijie(config-wids)# dynamic-blacklist { ac-max | ap-max } num    Set the maximum number of dynamic blacklist entries, in the range from 1 to 4096 on ACs and from 1 to 1024 on APs. The default is 2048 on ACs and 512 on APs.
Ruijie(config-wids)# show wids blacklist dynamic    Display the dynamic blacklist.
After completing the aforementioned configurations, you can use the show command to display the configurations of
static lists.
Command Function
After completing the aforementioned configurations, you can use the show command to display the dynamic blacklist. In
the privilege mode, use the reset command to clear relevant information in the dynamic blacklist.
Command Function
show wids blacklist dynamic    Display the dynamic blacklist.
reset ssid-filter { ssid all | in-ssid string | blacklist all | blacklist all in-ssid string | whitelist all | whitelist all in-ssid string }    Remove one or all blacklists or whitelists based on all SSIDs or a specified SSID.
    ssid all: All SSIDs.
    in-ssid string: A specified SSID.
The following example removes the blacklist and whitelist configuration based on all SSIDs.
The following example removes the blacklist configuration based on all SSIDs
The following example removes the blacklist configuration based on SSID my-wlan.
The following example removes the whitelist configuration based on all SSIDs.
The following example removes the whitelist configuration based on SSID my-wlan.
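As an added example (not Ruijie's code), the following Python model ties together the frame-filtering order and the Flooding-triggered dynamic blacklist described above, using the page's defaults (300 frames per 10 s statistics interval for one user, a 300 s lifetime, 512 entries on an AP) and the two client MAC addresses from the configuration example later in this chapter. The check order (whitelist, then static blacklist, then dynamic blacklist), the sliding statistics window and the flooding client's MAC address are assumptions, not from the page.

```python
# Added example, not Ruijie code: a model of WIDS frame filtering with a
# flood-triggered dynamic blacklist. The check order (whitelist, static
# blacklist, dynamic blacklist) and the sliding window are assumptions.
from collections import defaultdict, deque

# Defaults from the page: single-user flood threshold 300 frames per 10 s
# statistics interval, dynamic blacklist lifetime 300 s, ap-max 512 entries.
SINGLE_MAC_THRESHOLD = 300
STATS_INTERVAL = 10
DYNAMIC_LIFETIME = 300
AP_MAX = 512


class WidsFrameFilter:
    def __init__(self, whitelist=(), static_blacklist=(),
                 threshold=SINGLE_MAC_THRESHOLD, interval=STATS_INTERVAL,
                 lifetime=DYNAMIC_LIFETIME, ap_max=AP_MAX):
        self.whitelist = set(whitelist)
        self.static_blacklist = set(static_blacklist)
        self.threshold, self.interval = threshold, interval
        self.lifetime, self.ap_max = lifetime, ap_max
        self.dynamic = {}                   # client MAC -> entry expiry time
        self.windows = defaultdict(deque)   # (MAC, frame type) -> frame times

    def _expire(self, now):
        # an entry is removed once its lifetime elapses without re-detection
        for mac, expiry in list(self.dynamic.items()):
            if expiry <= now:
                del self.dynamic[mac]

    def _flooding(self, mac, ftype, now):
        """Count one frame; True if the client sent more than `threshold`
        frames of this type within the last `interval` seconds."""
        q = self.windows[(mac, ftype)]
        q.append(now)
        while q and q[0] <= now - self.interval:
            q.popleft()
        return len(q) > self.threshold

    def handle(self, mac, ftype, now):
        """Filter one frame from client `mac` of type `ftype`: 'pass' or 'drop'."""
        self._expire(now)
        if mac in self.whitelist:
            return "pass"
        if mac in self.static_blacklist:
            return "drop"
        if self._flooding(mac, ftype, now):
            # (re)detection refreshes the lifetime; a new entry needs room
            if mac in self.dynamic or len(self.dynamic) < self.ap_max:
                self.dynamic[mac] = now + self.lifetime
        return "drop" if mac in self.dynamic else "pass"


def demo():
    """Constructed scenario: the two clients from the configuration example
    plus a flooding client (constructed MAC); returns the filter decisions."""
    f = WidsFrameFilter(whitelist={"0000.0000.0002"},
                        static_blacklist={"0000.0000.0001"})
    r = {"legal": f.handle("0000.0000.0002", "data", 0.0),
         "illegal": f.handle("0000.0000.0001", "data", 0.0)}
    attacker = "0000.0000.00aa"
    # 301 association frames within 3 s: the 301st crosses the 300 threshold
    decisions = [f.handle(attacker, "assoc", 0.01 * i) for i in range(301)]
    r["flood_first_300"] = decisions[:300].count("pass")
    r["flood_301st"] = decisions[300]
    r["during_lifetime"] = f.handle(attacker, "assoc", 100.0)
    r["after_lifetime"] = f.handle(attacker, "assoc", 3.0 + DYNAMIC_LIFETIME + 1)
    return r


if __name__ == "__main__":
    print(demo())
```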
The countermeasure mode is used to configure the countermeasure applied to detected devices. In hybrid or monitor mode, an AP can be configured in 4 countermeasure modes:
The rogue AP
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# countermeasure enable    Enable the countermeasure function. Disabled by default.
Ruijie(config-wids)# countermeasure { config | all | adhoc | rogue }    Configure the countermeasure mode.
Enable the isolation function on the wireless device (the AP or the AC). When the device receives a report from a user, it judges whether the source port and the destination port in the information it forwards belong to the same device. If the source port and the destination port are on the same device, the report is discarded; otherwise, it is forwarded normally.
The user can also add permitted-communication user entries by configuring the isolation permit list. If the MAC address of either of two users on the same AP or AC is added to the user isolation permit list, these two users can access each other.
The process of enabling the user isolation function is shown in the figure below:
In WIDS configuration mode, enable AP user isolation by executing the following commands:
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation ap enable    (Required) Enable AP user isolation. Disabled by default.
Ruijie(config-wids)# show run    Display configurations.
In WIDS configuration mode, enable the WLAN-based AP user isolation function to isolate users in the same WLAN by executing the commands below:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# wids Enter the WIDS configuration mode.
In WIDS configuration mode, enable the AC user isolation function to isolate users of different APs on the AC by executing the following commands:
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation ac enable    (Required) Enable user isolation on the AC. Disabled by default.
Ruijie(config-wids)# show run    Display configurations.
In WIDS configuration mode, enable the WLAN-based AC user isolation function to isolate users of different APs in the same WLAN on the AC by executing the commands below:
Command Function
Ruijie# configure terminal    Enter global configuration mode.
Ruijie(config)# wids    Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation ac enable    (Required) Enable user isolation on the AC. Disabled by default.
Ruijie(config-wids)# show run    Display the configuration.
The user may also configure isolation permit list to add entries of users which can communicate with each other. If the
MAC address of any one of two users associated with the same device is added into the user isolation permit list, then
these two users can communicate with each other. In WIDS configuration mode, configure user isolation permit list by
executing the following commands:
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# wids Enter WIDS configuration mode.
Ruijie(config-wids)# user-isolation permit-mac mac-address    (Optional) Configure the user isolation permit list. Blank by default. WLAN-based user isolation on the AP identifies the wireless network by its BSSID.
Ruijie(config-wids)# show run    Display configurations.
Configuration Examples
Network Topology
As shown below, the wireless access point AP1 is connected to the wireless AC and the Internet via a switch.
Networking Requirements
AP must be able to provide access service for WLAN users and transmit data of WLAN users while scanning WLAN
devices to detect illegal APs on the network.
Client1 (0000.0000.0001) is an illegal wireless client. All data frames from this client must be filtered and dropped.
Client2 (0000.0000.0002) is a legal wireless client. All data frames from this client must be allowed and forwarded.
AC must enable IDS attack detection function, and all wireless clients initiating Flooding attack must be added to the
dynamic blacklist.
Configuration Tips
AP operating in Hybrid mode can both scan devices in the WLAN and provide WLAN data services. AP operates in
Hybrid mode by default.
Configure Client1 (0000.0000.0001) as an entry of static blacklist, which will include the MAC addresses of wireless
clients whose frames should be dropped.
Configure Client2 (0000.0000.0002) as an entry of the whitelist, which will include the MAC addresses of wireless clients whose frames should be forwarded.
Enable Flooding attack detection and dynamic blacklist on AC. The dynamic blacklist contains MAC addresses of
wireless clients whose frames will be dropped. A client is dynamically added to the list only if Flooding attack from
this client is detected by WIDS.
Configuration Steps
1) Configure the operating mode of AP1 to Hybrid mode (AP operates in Hybrid mode by default)
2) Configure the whitelist
Ruijie(config)# wids
Ruijie(config-wids)# whitelist mac-address 0000.0000.0002
3) Configure the static blacklist
Verification
Overview
Functions
Malicious attacks are frequently detected in network environments. Generally, in these attacks, large numbers of management and protocol packets are fabricated. The switch is kept busy processing these attack packets and has no time to process normal management and protocol packets. This has a destructive impact on switch security and network stability.
Ruijie network switches provide the CPU Protect Policy (CPP) function to effectively protect the network against malicious attacks. By identifying packets and suppressing attack packets, the CPP function:
Weakens the impact of attack packets on the switch (switch processor protection).
Meanwhile, CPP provides flexible packet policies that allow network administrators to implement the optimal configuration for specific network environments, thereby ensuring switch security and network stability.
The CPP function protects switch processor resources and guarantees important packets using the following technologies: packet identification and packet bandwidth control.
Packet identification
All packets to be sent to the switch for protocol processing are classified during packet identification, for example, ARP,
BPDU, and GVRP. (For data classification of each product, see Default Values of CPU Protect.)
An administrator can configure the bandwidth for packets of each type. In this way, high-speed attack packets can be
effectively suppressed on the network.
Configuration
Set the bandwidth for packets of each type using the following steps in global configuration mode. Use the no form of this command to restore the default setting.
Command Function
Configuration Guide Configuring CPU Protection
The default bandwidth for receiving ARP packets is 100 pps (WS5302) or 10000 pps (other).
The default bandwidth for receiving IGMP packets is 200 pps (WS5302) or 500 pps (other).
The following example sets the bandwidth of BPDU packets to 200 pps.
The following table lists the packet types that can be identified by switches of the various series and their factory defaults. The maximum packet bandwidth can be restored to the default values by using the no cpu-protect type command.
Packet Type    Description    Bandwidth (pps)
arp    ARP protocol packet    10000
bpdu    IEEE BPDU packet    128
dhcp-relay-client    DHCP Client packet of the DHCP Relay function    128
dhcp-relay-server    DHCP Server packet of the DHCP Relay function    128
dhcps    DHCP packet of the DHCP Snooping function    128
d1x    802.1X EAPOL packet    128
igmp    IGMP packet    200
isis    ISIS protocol packet    128
dhcp_option82    DHCP Option82 packet    128
ospf    OSPF protocol packet    128
ospf3    OSPF Version3 protocol packet    600
rip    IPv4 RIP protocol packet    128
ripng    IPv6 RIP protocol packet    600
vrrp    VRRP packet    128
capwap_disc    Capwap discover packet    128
lldp    LLDP link layer discover packet    128
pppoe    PPPoE packet    128
AP series switches
Packet Type    Description    Bandwidth (pps)
tp-guard    Topology Protection Protocol (TPP) packet    180
arp    ARP packet    100
bpdu    IEEE BPDU packet    128
dhcp_relay_client    DHCP Relay function, DHCP Client packet    128
dhcp_relay_server    DHCP Relay function, DHCP Server packet    128
dhcps    DHCP Snooping function, DHCP packet    128
d1x    802.1X EAPOL packet    128
igmp    IGMP packet    200
isis    ISIS packet    128
dhcp_option82    DHCP Option82 packet    128
ospf    OSPF packet    128
ospf3    OSPF Version3 packet    600
rip    IPv4 RIP packet    128
ripng    IPv6 RIP packet    600
vrrp    VRRP packet    128
capwap_disc    Capwap discover packet    128
lldp    LLDP packet    128
pppoe    PPPoE packet    128
Monitoring
The CPU Protect information that can be displayed on the switch includes the following:
Use the following command to display the statistics about the received packets of each type in privileged EXEC mode.
Command Function
Ruijie# show cpu-protect type { arp | bpdu | capwap-disc | d1x | dhcp-option82 | dhcp-relay-client | dhcp-relay-server | dhcps | igmp | ipmc | ipv6-nans | isis | lldp | ospf | ospfv3 | pim | pppoe | rip | ripng | vrrp }    Displays statistics about the received packets of each type.
    arp: ARP packets.
    bpdu: IEEE BPDU packets.
    capwap-disc: CAPWAP Discover packets.
    d1x: 802.1x EAPOL packets.
    dhcp-option82: DHCP Option82 packets.
    dhcp-relay-client: DHCP relay client packets.
    dhcp-relay-server: DHCP relay server packets.
    dhcps: DHCP Snooping packets.
    igmp: IGMP packets.
    ipmc: IPv4 multicast packets.
    ipv6-nans: IPv6 neighbor discovery packets.
    isis: ISIS packets.
    lldp: LLDP packets.
    ospf: OSPF packets.
    ospfv3: OSPF version 3 packets.
    pim: PIM packets.
    pppoe: PPPoE packets.
    rip: IPv4 RIP packets.
    ripng: IPv6 RIP packets.
    vrrp: VRRP packets.
The following example uses the show cpu-protect type arp command to display statistics about ARP packets:
Use the following command to display the bandwidth of packets of each type in privileged EXEC mode.
Command Function
Ruijie# show cpu-protect summary Display configuration information of all packet types.
The following example uses the show cpu-protect summary command to display configuration information of all packet
types:
Configuring NFPP
Overview
NFPP Function
In a network, some malicious attacks put too much burden on the switch, so that the CPU of the switch cannot operate normally:
A DoS attack may consume a large amount of the switch's memory, table entries and other resources, resulting in system service failure.
A large amount of packet traffic uses up the CPU bandwidth, so that the CPU fails to handle protocol and management packets, which affects data forwarding, device management by the administrator and normal device and network operation.
A large amount of packet traffic consumes massive CPU resources, keeping the CPU in a high-load state and affecting device management by the administrator and normal device operation.
In an NFPP-enabled environment, NFPP prevents the system from being attacked, relieving the CPU load and ensuring the normal and stable operation of the various system services and the whole network.
NFPP Principle
As shown in Figure-1, NFPP datagram processing consists of hardware filtering, CPU Protect Policy (CPP), packet attack detection and rate limiting, Protocol/Manage/Route flow classification, focused rate limiting and finally application-layer handling.
The CPP classification and rate-limit configuration not only classifies CPU datagrams according to the CPP service classification principle, but also limits the packet rate, preventing different packets from competing for bandwidth and resolving the problem that, when a large flow of one packet type attacks the device, other packets cannot be handled in time. For example, with both OSPF packets and BPDU packets arriving at an NFPP-enabled device, if the OSPF/BPDU packets consume a large amount of the CPU bandwidth, receiving the BPDU/OSPF packets is not affected.
To make full use of the NFPP function, you can modify the rate-limit value of each packet type in CPU Protect Policy according to the specific network environment, or use the recommended values displayed by the show cpu-protect summary command.
NFPP provides host-based and port-based attack and rate-limit thresholds that the administrator can set flexibly for the specific network to control the rate of packets received per host or per port. With the attack threshold configured, after an attack is detected, the anti-attack policy performs the attack-warning or isolation action. For the isolation action, the anti-attack policy uses the hardware filter so that the attack packets are not sent to the CPU, ensuring normal device operation.
After detecting an attack, NFPP sends warning messages to the administrator. To avoid frequent display of warning messages, the same warning is not shown again within 60 s of being sent.
Printing syslogs frequently consumes CPU resources, so NFPP writes the attack-detection syslog to a buffer and limits the print rate. No rate limit is configured for TRAP messages.
As shown in Table-1, packets are divided into Manage, Route and Protocol types. Each packet type owns an independent bandwidth. Bandwidth is not shared between the different types, and packet flow exceeding the bandwidth threshold is discarded. The packet flow classification ensures that the packet type configured on the device takes precedence over other types of packet. The administrator can flexibly allocate the bandwidth of the three packet types according to the actual network environment, making sure that protocol and manage packets are handled with precedence for the purpose of normal protocol operation and administrator management, thereby safeguarding the normal operation of each important function on the device and improving its anti-attack capability.
After the classification rate limit, all classified flows are focused into one queue. If the processing rate of one type of packet is low, the corresponding packets accumulate in the queue and ultimately consume the queue resources. The administrator can configure the packet percent: if the queue length for one type of packet exceeds the total queue length multiplied by the packet percent, packets of that type are discarded.
Configuration
Packet Type    Bandwidth    Packet Percent (%)
Manage    3000 PPS    30
Route    3000 PPS    25
Protocol    3000 PPS    45
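As an added illustration (not Ruijie's code), this Python model implements the classification described above with the table's defaults: each of the three packet types has its own 3000 pps bandwidth that is not shared and packets above it are discarded; survivors enter one shared queue, and a packet is discarded when its type already holds more than total queue length x packet percent entries. Per-second rate counting and the 1000-entry total queue length are assumptions made for the demo.

```python
# Added example, not Ruijie code: NFPP flow classification with per-type
# bandwidth and a shared queue guarded by the packet percent.
# Assumptions: per-second rate counting and a 1000-entry total queue length.
from collections import Counter, deque

# Defaults from the page's table: (bandwidth in pps, packet percent)
CLASSES = {"Manage": (3000, 30), "Route": (3000, 25), "Protocol": (3000, 45)}


class NfppQueue:
    def __init__(self, total_len=1000, classes=CLASSES):
        self.total_len = total_len
        self.classes = classes
        self.queue = deque()           # shared queue of packet types (FIFO)
        self.queued = Counter()        # packets currently queued per type
        self.admitted = Counter()      # (type, second) -> packets within bandwidth
        self.dropped = Counter()       # (type, reason) -> packets discarded

    def enqueue(self, ptype, now):
        """Offer one packet of `ptype` at time `now`; True if it was queued."""
        bandwidth, percent = self.classes[ptype]
        second = int(now)
        # 1. independent bandwidth per type: the excess is discarded and the
        #    overflow of one type cannot borrow bandwidth from another type
        if self.admitted[(ptype, second)] >= bandwidth:
            self.dropped[(ptype, "bandwidth")] += 1
            return False
        self.admitted[(ptype, second)] += 1
        # 2. packet percent: a slowly processed type may not fill more than
        #    its share of the shared queue, so it cannot starve the others
        if self.queued[ptype] >= self.total_len * percent / 100:
            self.dropped[(ptype, "percent")] += 1
            return False
        if len(self.queue) >= self.total_len:
            self.dropped[(ptype, "queue-full")] += 1
            return False
        self.queue.append(ptype)
        self.queued[ptype] += 1
        return True

    def dequeue(self, n):
        """The application layer services up to n packets; counts by type."""
        served = Counter()
        for _ in range(min(n, len(self.queue))):
            ptype = self.queue.popleft()
            self.queued[ptype] -= 1
            served[ptype] += 1
        return served


def demo():
    """Constructed burst: 4000 Route packets in one second while the CPU
    drains nothing, then 100 Manage packets. Returns the resulting counters."""
    q = NfppQueue()
    for i in range(4000):
        q.enqueue("Route", i / 4000)
    for i in range(100):
        q.enqueue("Manage", i / 4000)
    r = {"route_queued": q.queued["Route"],              # capped at 25% of 1000
         "route_bw_dropped": q.dropped[("Route", "bandwidth")],
         "route_pct_dropped": q.dropped[("Route", "percent")],
         "manage_queued": q.queued["Manage"]}            # not starved by Route
    r["served"] = dict(q.dequeue(300))
    return r


if __name__ == "__main__":
    print(demo())
```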
ARP-guard
ARP-guard Overview
In a local area network (LAN), IP addresses are translated into MAC addresses by the ARP protocol, so ARP plays an important role in network security. An ARP DoS attack sends a large number of illegal ARP packets to the gateway, preventing the gateway from providing services. To deal with this attack, you can, on one hand, configure a rate limit for ARP packets and, on the other hand, detect and isolate the attack source.
ARP attack detection can be host-based or port-based. Host-based ARP attack detection is further classified into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each attack detection type, you can configure a rate-limit threshold and a warning threshold. ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, warning messages are prompted and a TRAP message is sent. Host-based attack detection can isolate the attack source.
Besides, ARP-guard is able to detect ARP scans. In an ARP scan, the link-layer source MAC address is fixed while the source IP address changes, or the source MAC address and source IP address are fixed while the destination IP address changes. Ruijie products only support detecting the first kind of ARP scan (the link-layer source MAC address is fixed while the source IP address changes).
It is worth mentioning that ARP-guard only addresses ARP DoS attacks, not ARP spoofing or other ARP attack problems in the network.
Enabling ARP-guard
You can enable arp-guard in the NFPP configuration mode or in the interface configuration mode.
Command Function
With the arp-guard disabled, the monitored hosts and scan hosts are auto-cleared.
The isolated time of the attacker can be configured in global or interface configuration mode. By default, the isolated time is configured in global configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie# show nfpp arp-guard summary    Display the arp-guard parameter settings.
To restore the global isolated time to the default value, use the no arp-guard isolate-period or default arp-guard isolate-period command in NFPP configuration mode. If the isolated time has been configured on a port, you can use the no arp-guard isolate-period command to remove the port-based isolated time configuration in NFPP configuration mode.
If the isolated time is 0 (that is, no isolation), serviceview monitoring is performed to automatically monitor the attacker for the configured monitored period, providing the attacker information in the system. If the isolated time is not 0, arp-guard performs hardware isolation of the hosts under serviceview monitoring.
Command Function
Ruijie(config-nfpp)# arp-guard monitor-period seconds    Configure the monitored time in the range from 180 to 86400 in the unit of seconds. The default value is 600 seconds.
Ruijie# show nfpp arp-guard summary    Display the arp-guard parameter settings.
To restore the monitored time to the default value, use the no or default form of this command in NFPP configuration mode.
If the isolated time is 0, serviceview monitoring is performed on the detected attacker and the timeout is the monitored period. During serviceview monitoring, if the isolated time is not 0, hardware isolation is performed on the attacker and the timeout is the isolated period. The monitored period is valid only when the isolated period is 0.
Modifying the isolated time from non-0 to 0 removes the attackers from the interface rather than putting them under serviceview monitoring.
Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
arp-guard trusted-host ip mac    Set the trusted host.
    ip: set the IP address.
    mac: set the MAC address.
no arp-guard trusted-host { all | ip mac }    Restore the default setting.
    ip: set the IP address.
    mac: set the MAC address.
    all: delete all trusted hosts.
After this function is enabled, ARP packets from the trusted host are sent to the CPU without rate limiting or alarm notification. Up to 500 hosts are supported.
The following example sets the host whose IP address and MAC address are 1.1.1.1 and 0000.0000.1111 respectively as
the trusted host.
Ruijie(config)# nfpp
Ruijie(config-nfpp)#arp-guard trusted-host 1.1.1.1 0000.0000.1111
Use this command to set the maximum number of monitored hosts. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie(config-nfpp)# arp-guard monitored-host-limit num    Configure the monitored host limit in the range from 1 to 4294967295. The default is 1000.
Ruijie# show nfpp arp-guard summary    Display the arp-guard parameter settings.
To restore the monitored host limit to the default value, use the no arp-guard monitored-host-limit command in NFPP configuration mode.
If the number of monitored hosts has reached the default 1000 and the administrator sets the monitored host limit to a value smaller than 1000, the existing monitored hosts are not deleted and the message "%ERROR: The value that you configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts." is prompted to notify the administrator that the configuration is invalid and that some monitored hosts must be removed first.
Host-based attack detection is classified into two types: source IP address/VID/port-based and source MAC address/VID/port-based. For each attack detection type, you can configure the rate-limit threshold and the attack threshold (also called the warning threshold). ARP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate exceeds the warning threshold, warning messages are prompted and a TRAP message is sent.
ARP-guard can also detect ARP scans; by default the scan window is 10 s and the scan threshold is 15 packets. If 15 or more ARP packets are received within 10 s and the link-layer source MAC address is fixed while the source IP address changes, or the source MAC address and source IP address are fixed while the destination IP address changes, an ARP scan is detected and recorded in the syslog, and TRAP messages are sent.
It prompts the following message if the ARP DoS attack was detected:
The following example displays the describing information included in the sent TRAP messages:
If the isolated time is not set as 0 by the administrator, when the hardware isolation succeeds, it prompts:
The following example displays the describing information included in the sent TRAP messages:
When it fails to isolate the hardware due to a lack of memory or hardware resources, it prompts:
The following example displays the describing information included in the sent TRAP messages:
It prompts the following message when the ARP scan was detected:
The following example displays the describing information included in the sent TRAP messages:
It saves the latest 256 pieces of records in the ARP scan table. When the ARP scan table is full, it prompts:
It prompts the following message to remind the administrator that the configured rate-limit threshold is higher than the
attack threshold:
It prompts the following message to remind the administrator that the configured attack threshold is smaller than the
rate-limit threshold:
A policy is set in hardware when isolating attackers. When the hardware resources are exhausted, a message is prompted to inform the administrator.
When memory cannot be allocated for a detected attacker, a message such as "%NFPP_ARP_GUARD-4-NO_MEMORY: Failed to alloc memory." is prompted to inform the administrator.
The ARP scan table holds only the latest 256 records. When the ARP scan table is full, the newest record overwrites the oldest one.
The administrator can configure the host-based rate-limit and attack detection in the NFPP configuration mode and in the
interface configuration mode. Use the no or default form of these commands to restore the default setting.
Command Function
Ruijie# show nfpp arp-guard summary Check the arp-guard parameter settings.
You can configure the arp-guard rate limit and attack threshold on a port. The rate-limit value must be less than the attack threshold value. When the ARP packet rate on a port exceeds the rate limit, ARP packets are dropped. When the ARP packet rate on a port exceeds the attack threshold, the CLI prompts a message and TRAP packets are sent.
It prompts the following message when an ARP DoS attack is detected on a port:
This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode. Use the no or default form of these commands to restore the
default setting.
Command Function
Ruijie(config-nfpp)# arp-guard rate-limit per-port pps    Configure the arp-guard rate limit of ARP packets on the port, ranging from 1 to 9999, 100 by default.
Ruijie(config-nfpp)# arp-guard attack-threshold per-port pps    Configure the arp-guard attack threshold, ranging from 1 to 9999, 200 by default. When the number of ARP packets on a port exceeds the attack threshold, the CLI prompts a message and TRAP packets are sent.
Ruijie(config-if)# nfpp arp-guard policy per-port rate-limit-pps attack-threshold-pps    Configure the rate limit and attack threshold on the specified interface. By default, the rate-limit threshold and the attack threshold are not configured.
    rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999.
    attack-threshold-pps: set the attack threshold. The valid range is 1-9999.
Ruijie# show nfpp arp-guard summary    Display the arp-guard parameter settings.
The MAC address-based rate limit takes precedence over the IP address-based rate limit, and the IP address-based
rate limit takes precedence over the port-based rate limit.
For the best arp-guard results, the administrator should configure the host-based rate limits and attack thresholds
so that:
IP address-based rate-limit threshold < IP address-based attack threshold < source MAC address-based rate-limit
threshold < source MAC address-based attack threshold.
When configuring the rate limit on a port, use the number of users on that port as a reference. For example, if 500
users are connected to a port, the port rate limit can be set to 500.
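The following Python model, added here as an illustration and not Ruijie code, shows how the three rate limits and attack thresholds interact over one second of constructed ARP traffic, and checks a configuration against the ordering recommended above. It assumes a one-second sampling window, that every packet is counted against its source MAC, source IP and ingress port independently, and that when several limits are exceeded at once the drop is attributed in the precedence stated above (MAC, then IP, then port). The host-based threshold values are hypothetical; only the per-port defaults (100/200) come from the guide.

```python
"""Model of NFPP arp-guard rate limiting and attack detection (added example, not Ruijie code)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ArpGuardConfig:
    ip_rate_limit: int = 4            # hypothetical host-based values
    ip_attack_threshold: int = 8
    mac_rate_limit: int = 10
    mac_attack_threshold: int = 20
    port_rate_limit: int = 100        # documented per-port defaults
    port_attack_threshold: int = 200


def validate(cfg: ArpGuardConfig) -> list:
    """Return the ways cfg violates the range and ordering rules in the guide."""
    problems = []
    for name in ("ip_rate_limit", "ip_attack_threshold", "mac_rate_limit",
                 "mac_attack_threshold", "port_rate_limit", "port_attack_threshold"):
        if not 1 <= getattr(cfg, name) <= 9999:
            problems.append(f"{name} out of range 1-9999")
    # Recommended: IP rate-limit < IP attack < MAC rate-limit < MAC attack
    chain = [cfg.ip_rate_limit, cfg.ip_attack_threshold,
             cfg.mac_rate_limit, cfg.mac_attack_threshold]
    if any(a >= b for a, b in zip(chain, chain[1:])):
        problems.append("host thresholds must satisfy ip-rl < ip-at < mac-rl < mac-at")
    if cfg.port_rate_limit >= cfg.port_attack_threshold:
        problems.append("port rate-limit must be less than port attack-threshold")
    return problems


def process_second(cfg: ArpGuardConfig, packets: list) -> dict:
    """Apply the guard to the ARP packets seen in one second.

    packets: list of (port, vid, src_mac, src_ip) tuples in arrival order.
    Returns forwarded count, drop counts by reason, and the alarmed keys.
    """
    seen = Counter()
    result = {"forwarded": 0, "dropped": Counter(), "alarms": set()}
    for port, vid, mac, ip in packets:
        k_mac, k_ip, k_port = ("mac", mac, vid, port), ("ip", ip, vid, port), ("port", port)
        for key in (k_mac, k_ip, k_port):
            seen[key] += 1
        # Alarm (CLI prompt + TRAP) once a counter passes its attack threshold.
        if seen[k_mac] > cfg.mac_attack_threshold:
            result["alarms"].add(k_mac)
        if seen[k_ip] > cfg.ip_attack_threshold:
            result["alarms"].add(k_ip)
        if seen[k_port] > cfg.port_attack_threshold:
            result["alarms"].add(k_port)
        # Drop in precedence order: MAC limit, then IP limit, then port limit.
        if seen[k_mac] > cfg.mac_rate_limit:
            result["dropped"]["mac"] += 1
        elif seen[k_ip] > cfg.ip_rate_limit:
            result["dropped"]["ip"] += 1
        elif seen[k_port] > cfg.port_rate_limit:
            result["dropped"]["port"] += 1
        else:
            result["forwarded"] += 1
    return result


# Constructed traffic: a quiet host and a host flooding ARP on port Gi0/1, VLAN 10.
SAMPLE = ([("Gi0/1", 10, "0000.0000.aaaa", "10.0.0.5")] * 3
          + [("Gi0/1", 10, "0000.0000.bbbb", "10.0.0.6")] * 12)

if __name__ == "__main__":
    cfg = ArpGuardConfig()
    print(validate(cfg))              # empty list: configuration follows the guide
    print(process_second(cfg, SAMPLE))
```

With the sample traffic the flooding host is throttled first by its IP-based limit (packets 5 to 10) and then, once its MAC counter passes 10, by the MAC-based limit; only its IP key raises an alarm, because the MAC attack threshold is set higher, as the ordering above requires.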
The isolated hosts are released automatically after the isolation period expires. The administrator can also clear the
isolated hosts manually with the following command.
Command Function
The administrator can clear the ARP scan table manually with the following command.
Command Function
Ruijie# clear nfpp arp-guard scan
    Clear the ARP scan table.
Use this command to display the trusted host configuration in privileged EXEC mode.
Command Function
In the example output of the host statistics, 120 hosts are isolated in total: 100 isolated successfully and 20 for which
hardware isolation failed.
In the example output of the isolated host list, the fields indicate the VLAN number, interface, IP address, MAC address
and remaining isolation time respectively.
If "*" is displayed in the first column of a line, that host is currently under software monitoring, or its hardware
isolation failed due to insufficient resources.
If the MAC address column shows “-”, the host is identified by its source IP address; if the IP address column shows
“-”, the host is identified by its source MAC address.
Command Function
Ruijie# show nfpp arp-guard scan statistics
    Display the arp-guard scan statistics.
In the example output, “timestamp” is the time at which the ARP scan was detected; for example, “2008-01-23 16:23:10”
means the scan was detected at 16:23:10 on Jan 23, 2008.
IP-guard
IP-guard Overview
Many attacks and worm infections begin with network scanning. Large volumes of scan packets consume network
bandwidth and disrupt normal communication. Ruijie Layer-3 devices provide the IP-guard function to defend against
such attacks and worms (for example “Blaster”), reducing the CPU load of the Layer-3 device.
Scanning across changing destination IP addresses: this not only consumes bandwidth and increases the device load,
but is also typically the prelude to an attack.
Sending IP packets to nonexistent destination IP addresses at a high rate: on a Layer-3 device, packets whose
destination IP address exists are forwarded directly by the switching chip without consuming CPU resources. If the
destination IP address does not exist, the packet is sent to the CPU, which sends an ARP request to resolve the MAC
address of the destination. Many such packets sent to the CPU consume significant CPU resources.
The countermeasures for this attack: on one hand, configure an IP packet rate limit; on the other hand, detect and
isolate the attack source.
IP attack detection can be host-based or port-based. Host-based detection identifies a host by the combination of
source IP address, VID and port. For each detection, you can configure a rate-limit threshold and a warning threshold.
IP packets are dropped when the packet rate exceeds the rate-limit threshold. When the IP packet rate exceeds the
warning threshold, a warning message is displayed and a TRAP message is sent. Host-based detection can isolate the
attack source.
Note that IP-guard applies to IP packets whose destination IP address is not an address of the device itself. For IP
packets destined to the device's own IP addresses, use CPP (CPU Protect Policy) to limit the rate.
With ip-guard enabled on an interface and a non-zero isolation period configured, the hosts detected as attackers are
isolated.
Enabling IP-guard
You can enable ip-guard in the NFPP configuration mode or in the interface configuration mode. By default, the ip-guard is
enabled. Use the no or default form of these commands to restore the default setting.
Command Function
The isolation period for attackers is configured in NFPP configuration mode. Use the no or default form of these
commands to restore the default setting.
Command Function
To restore the global isolation period to the default value, use the no ip-guard isolate-period command in NFPP
configuration mode. If an isolation period has also been configured on a port, remove that port-based configuration
with the no form of the interface-level command in interface configuration mode.
If the isolation period is 0 (no isolation), detected attackers are placed under software monitoring (the serviceview
monitor) for the configured monitoring period, so that attacker information is available in the system. If the isolation
period is not 0, ip-guard isolates the hosts found by the monitor in hardware.
Command Function
Ruijie(config-nfpp)# ip-guard monitor-period seconds
    Configure the monitoring period in seconds, in the range 180 to 86400. The default is 600 seconds.
To restore the monitoring period to the default value, use the no ip-guard monitor-period command in NFPP
configuration mode.
If the isolation period is 0, detected attackers are tracked by the serviceview monitor and time out after the
monitoring period. If the isolation period is changed to a non-zero value while a host is being monitored, the host is
isolated in hardware and times out after the isolation period. The monitoring period takes effect only when the
isolation period is 0.
Changing the isolation period from non-zero to 0 removes the attackers from the interface rather than placing them
under serviceview monitoring.
Command Function
Ruijie(config-nfpp)# ip-guard monitored-host-limit number
    Configure the monitored host limit, in the range 1 to 4294967295. The default is 1000.
To restore the monitored host limit to the default value, use the no ip-guard monitored-host-limit or default ip-guard
monitored-host-limit command in NFPP configuration mode.
If the number of monitored hosts has reached the default of 1000 and the administrator sets the monitored host limit
below 1000, the existing monitored hosts are not deleted; instead the message “%ERROR: The value that you
configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts.” tells the administrator
that the configuration is invalid and that some monitored hosts must be cleared first.
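The following Python model, added here as an illustration and not Ruijie code, walks through the isolation and monitoring lifecycle described above: software monitoring when the isolation period is 0, hardware isolation otherwise, the "*" marker when hardware resources run out, removal of attackers when the isolation period is changed from non-zero to 0, and refusal of a monitored-host-limit below the current count. It assumes a hypothetical fixed hardware isolation capacity (hw_capacity), that the caller supplies the current time in seconds, and that the error text reports the actual monitored host count where the guide's example shows 1000.

```python
"""Model of the NFPP ip-guard isolation / monitoring lifecycle (added example, not Ruijie code)."""
from dataclasses import dataclass


@dataclass
class Entry:
    host: tuple          # (vid, interface, ip)
    expires: float       # absolute time in seconds at which the entry times out
    in_hardware: bool    # False -> listed with "*" (software monitoring only)


class IpGuard:
    def __init__(self, isolate_period=0, monitor_period=600,
                 monitored_host_limit=1000, hw_capacity=2):
        self.isolate_period = isolate_period        # 0 means no isolation
        self.monitor_period = monitor_period        # 180..86400 per the guide
        self.monitored_host_limit = monitored_host_limit
        self.hw_capacity = hw_capacity              # hypothetical hardware slots
        self.entries = {}

    def on_attack(self, host, now):
        """Handle a host whose packet rate exceeded the attack threshold."""
        if host in self.entries:
            return "already-tracked"
        if len(self.entries) >= self.monitored_host_limit:
            return "rejected: monitored-host-limit reached"
        if self.isolate_period == 0:
            # No isolation: serviceview monitor only, times out after monitor-period.
            self.entries[host] = Entry(host, now + self.monitor_period, False)
            return "monitored"
        hw_used = sum(e.in_hardware for e in self.entries.values())
        if hw_used < self.hw_capacity:
            self.entries[host] = Entry(host, now + self.isolate_period, True)
            return "isolated"
        # Hardware resources exhausted: the host stays under software monitoring,
        # is listed with "*", and the administrator is informed.
        self.entries[host] = Entry(host, now + self.isolate_period, False)
        return "isolation-failed"

    def set_isolate_period(self, seconds):
        """Changing a non-zero isolation period to 0 removes the attackers."""
        if self.isolate_period != 0 and seconds == 0:
            self.entries.clear()
        self.isolate_period = seconds

    def set_monitored_host_limit(self, limit):
        """Refuse a limit below the current count; existing hosts are kept."""
        if limit < len(self.entries):
            return (f"%ERROR: The value that you configured is smaller than current "
                    f"monitored hosts {len(self.entries)}, please clear a part of monitored hosts.")
        self.monitored_host_limit = limit
        return ""

    def expire(self, now):
        """Drop entries whose monitoring or isolation period has elapsed."""
        self.entries = {h: e for h, e in self.entries.items() if e.expires > now}

    def show_hosts(self, now):
        """Rows in the spirit of 'show nfpp ip-guard hosts': flag, VLAN, interface, IP, remaining seconds."""
        return [("*" if not e.in_hardware else " ", *h, max(0, int(e.expires - now)))
                for h, e in self.entries.items()]


if __name__ == "__main__":
    g = IpGuard(isolate_period=30, hw_capacity=1)
    print(g.on_attack((10, "Gi0/1", "10.0.0.6"), 0))   # isolated
    print(g.on_attack((10, "Gi0/1", "10.0.0.7"), 0))   # isolation-failed, shown with "*"
    print(g.show_hosts(5))
```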
Host-based attack detection identifies a host by the combination of source IP address, VID and port. For each
detection, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). IP
packets are dropped when the packet rate exceeds the rate-limit threshold. When the IP packet rate exceeds the
warning threshold, a warning message is displayed and a TRAP message is sent; the TRAP description carries the
same information as the message.
If the isolation period is not 0 and hardware isolation succeeds, a message is displayed and a corresponding TRAP is
sent.
When hardware isolation fails because of a lack of memory or hardware resources, a message is displayed and a
corresponding TRAP is sent.
Isolating an attacker installs a policy in hardware. When hardware resources are exhausted, a message informs the
administrator.
When memory cannot be allocated for a detected attacker, a message such as
“%NFPP_IP_GUARD-4-NO_MEMORY: Failed to alloc memory.” informs the administrator.
This section shows how to configure the host-based rate limit and attack detection in NFPP configuration mode. Use
the no or default form of these commands to restore the default setting.
Command Function
You can configure the ip-guard rate limit and attack threshold on a port. The rate limit must be less than the attack
threshold. When the IP packet rate on a port exceeds the rate limit, the excess IP packets are dropped. When the IP
packet rate on a port exceeds the attack threshold, the CLI prompts and TRAP packets are sent.
When an IP DoS attack is detected on a port, the following message is displayed:
This section shows how to configure the port-based rate limit and attack detection in NFPP configuration mode and in
interface configuration mode. Use the no or default form of these commands to restore the default setting.
Command Function
Ruijie(config-if)# nfpp ip-guard policy per-port rate-limit-pps attack-threshold-pps
    Configure the rate limit and attack threshold on the specified interface.
    rate-limit-pps: the rate-limit threshold, in the range 1-9999; by default the global rate-limit threshold applies.
    attack-threshold-pps: the attack threshold, in the range 1-9999; by default the global attack threshold applies.
The source IP address-based rate limit takes precedence over port-based rate limit.
Use the following commands to set trusted hosts, which are exempt from monitoring. IP packets from a trusted host
are allowed to be sent to the CPU.
Command Function
Ruijie# show nfpp ip-guard trusted-host
    Display the trusted host settings.
In NFPP configuration mode, use the no or default form of this command to delete a trusted host entry, and the all
form to delete all trusted hosts.
The message “%ERROR: Attempt to exceed limit of 500 trusted hosts.” informs the administrator that the trusted host
table is full.
If the IP address of a new trusted host entry matches an entry in the untrusted (monitored) host list, the system
automatically deletes that entry by IP address.
The message “%ERROR:Failed to delete trusted host 1.1.1.0 255.255.255.0.” informs the administrator that removal
of the trusted host failed.
The message “%ERROR:Failed to add trusted host 1.1.1.0 255.255.255.0.” informs the administrator that adding the
trusted host failed.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 has already been configured.” informs the administrator
that the trusted host to be added already exists.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” informs the administrator that the trusted
host to be deleted does not exist.
The same “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” message is also displayed when memory cannot
be allocated for the trusted host.
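The following Python model, added here as an illustration and not Ruijie code, shows the trusted-host table behaviour described above: address ranges given as address plus dotted mask (as in the guide's "1.1.1.0 255.255.255.0"), the 500-entry cap, the duplicate-add and not-found errors, and removal of matching hosts from the untrusted (monitored) list when a range is trusted. The error texts are the ones quoted above; the monitored-host dictionary passed to add() and the use of a non-contiguous mask to provoke the "Failed to add" error are assumptions of the example.

```python
"""Model of the NFPP ip-guard trusted-host table (added example, not Ruijie code)."""
import ipaddress

TRUSTED_HOST_LIMIT = 500   # from the guide: "Attempt to exceed limit of 500 trusted hosts."


class TrustedHosts:
    def __init__(self):
        self.ranges = []   # list of (ip, mask) strings in configuration order

    @staticmethod
    def _network(ip, mask):
        # ipaddress accepts a dotted IPv4 netmask; strict=False tolerates host bits.
        return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

    def add(self, ip, mask, monitored):
        """Add a trusted range; returns "" on success or the error message.

        monitored: dict keyed by monitored host IP; matching hosts are removed,
        because a trusted address must not stay in the untrusted host list.
        """
        if (ip, mask) in self.ranges:
            return f"%ERROR:Trusted host {ip} {mask} has already been configured."
        if len(self.ranges) >= TRUSTED_HOST_LIMIT:
            return f"%ERROR: Attempt to exceed limit of {TRUSTED_HOST_LIMIT} trusted hosts."
        try:
            net = self._network(ip, mask)
        except ValueError:
            return f"%ERROR:Failed to add trusted host {ip} {mask}."
        self.ranges.append((ip, mask))
        for host in [h for h in monitored if ipaddress.ip_address(h) in net]:
            del monitored[host]
        return ""

    def delete(self, ip, mask):
        """Delete one trusted range; returns "" on success or the error message."""
        if (ip, mask) not in self.ranges:
            return f"%ERROR:Trusted host {ip} {mask} is not found."
        self.ranges.remove((ip, mask))
        return ""

    def delete_all(self):
        self.ranges.clear()

    def is_trusted(self, ip):
        """True if ip falls inside any configured range (exempt from monitoring)."""
        addr = ipaddress.ip_address(ip)
        return any(addr in self._network(a, m) for a, m in self.ranges)

    def show(self):
        return [f"{a} {m}" for a, m in self.ranges]


if __name__ == "__main__":
    table = TrustedHosts()
    monitored = {"1.1.1.5": "ATTACK", "10.0.0.6": "SCAN"}   # constructed monitored hosts
    print(table.add("1.1.1.0", "255.255.255.0", monitored))  # "" and 1.1.1.5 is dropped
    print(monitored, table.show(), table.is_trusted("1.1.1.200"))
```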
The isolated hosts are released automatically after the isolation period expires. The administrator can also clear the
isolated hosts manually with the following command.
Command Function
In the example output of the host statistics, 120 hosts are isolated in total: 100 isolated successfully and 20 for which
hardware isolation failed.
In the example output of the isolated host list, the fields indicate the VLAN number, interface, IP address, reason for
being monitored and remaining isolation time.
If "*" is displayed in the first column of a line, that host is currently under software monitoring, or its hardware
isolation failed due to insufficient resources.
The fourth field, Reason, describes why the host is monitored: ATTACK indicates that the host sends IP packets faster
than the attack threshold, and SCAN indicates that the host is scanning a network segment.
ICMP-guard
ICMP-guard Overview
ICMP is used to diagnose network problems: a host sends an ICMP echo request, and the router or switch returns an
ICMP echo reply. In an “ICMP flood” attack, the attacker sends a large number of ICMP echo requests to the target
device, consuming its CPU resources and disrupting its operation. The countermeasures for the “ICMP flood” attack:
on one hand, configure an ICMP packet rate limit; on the other hand, detect and isolate the attack source.
ICMP attack detection can be host-based or port-based. Host-based detection identifies a host by the combination of
source IP address, VID and port. For each detection, you can configure a rate-limit threshold and a warning threshold.
ICMP packets are dropped when the packet rate exceeds the rate-limit threshold. When the ICMP packet rate exceeds
the warning threshold, a warning message is displayed and a TRAP message is sent. Host-based detection can isolate
the attack source.
Enabling ICMP-guard
You can enable icmp-guard in NFPP configuration mode or in interface configuration mode. By default, icmp-guard is
enabled.
Command Function
The isolation period for attackers is configured in NFPP configuration mode.
Command Function
To restore the global isolation period to the default value, use the no icmp-guard isolate-period or default icmp-guard
isolate-period command in NFPP configuration mode. If an isolation period has also been configured on a port, remove
that port-based configuration with the no form of the interface-level command in interface configuration mode.
If neither a global nor a port-based isolation period is configured (including an interface isolation period set to 0),
detected attackers are placed under software monitoring (the serviceview monitor) for the configured monitoring
period, so that attacker information is available in the system. If a global or port-based isolation period is configured,
icmp-guard isolates the hosts found by the monitor in hardware.
Command Function
Ruijie(config-nfpp)# icmp-guard monitor-period seconds
    Configure the monitoring period in seconds, in the range 180 to 86400 (one day). The default is 600 seconds.
To restore the monitoring period to the default value, use the no icmp-guard monitor-period command in NFPP
configuration mode.
If the isolation period is 0, detected attackers are tracked by the serviceview monitor and time out after the
monitoring period. If the isolation period is changed to a non-zero value while a host is being monitored, the host is
isolated in hardware and times out after the isolation period. The monitoring period takes effect only when the
isolation period is 0.
Changing the isolation period from non-zero to 0 removes the attackers from the interface rather than placing them
under serviceview monitoring.
Command Function
Ruijie(config-nfpp)# icmp-guard monitored-host-limit number
    Configure the monitored host limit, in the range 1 to 4294967295. The default is 1000.
To restore the monitored host limit to the default value, use the no icmp-guard monitored-host-limit command in
NFPP configuration mode.
If the number of monitored hosts has reached the default of 1000 and the administrator sets the monitored host limit
below 1000, the existing monitored hosts are not deleted; instead the message “%ERROR: The value that you
configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts.” tells the administrator
that the configuration is invalid and that some monitored hosts must be cleared first.
Host-based attack detection identifies a host by the combination of source IP address, VID and port. For each
detection, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). ICMP
packets are dropped when the packet rate exceeds the rate-limit threshold. When the ICMP packet rate exceeds the
warning threshold, a warning message is displayed and a TRAP message is sent.
When an ICMP DoS attack is detected, a message is displayed and a TRAP whose description carries the same
information is sent.
If the isolation period is not 0 and hardware isolation succeeds, a message is displayed and a corresponding TRAP is
sent.
When hardware isolation fails because of a lack of memory or hardware resources, a message is displayed and a
corresponding TRAP is sent.
When memory cannot be allocated for a detected attacker, a message such as
“%NFPP_ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory.” informs the administrator.
This section shows how to configure the host-based rate limit and attack detection in NFPP configuration mode and in
interface configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
You can configure the icmp-guard rate limit and attack threshold on a port. The rate limit must be less than the attack
threshold. When the ICMP packet rate on a port exceeds the rate limit, the excess ICMP packets are dropped. When
the ICMP packet rate on a port exceeds the attack threshold, the CLI prompts and TRAP packets are sent.
When an ICMP DoS attack is detected on a port, the following message is displayed:
This section shows how to configure the port-based rate limit and attack detection in NFPP configuration mode and in
interface configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie(config-if)# nfpp icmp-guard policy per-port rate-limit-pps attack-threshold-pps
    Configure the rate limit and attack threshold on the specified interface.
    rate-limit-pps: the rate-limit threshold, in the range 1-9999; by default the global rate-limit threshold applies.
    attack-threshold-pps: the attack threshold, in the range 1-9999; by default the global attack threshold applies.
The source IP address-based rate limit takes precedence over port-based rate limit.
Use the following commands to set trusted hosts, which are exempt from monitoring. Ping packets from a trusted host
are allowed to be sent to the CPU. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie(config-nfpp)# icmp-guard trusted-host ip mask
    Configure an IP address range as trusted hosts. Up to 500 entries can be configured. No trusted host is configured
    by default.
The following example deletes all trusted hosts:
The message “%ERROR: Attempt to exceed limit of 500 trusted hosts.” informs the administrator that the trusted host
table is full.
If the IP address of a new trusted host entry matches an entry in the untrusted (monitored) host list, the system
automatically deletes that entry by IP address.
The message “%ERROR:Failed to delete trusted host 1.1.1.0 255.255.255.0.” informs the administrator that removal
of the trusted host failed.
The message “%ERROR:Failed to add trusted host 1.1.1.0 255.255.255.0.” informs the administrator that adding the
trusted host failed.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 has already been configured.” informs the administrator
that the trusted host to be added already exists.
The message “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” informs the administrator that the trusted
host to be deleted does not exist.
The same “%ERROR:Trusted host 1.1.1.0 255.255.255.0 is not found.” message is also displayed when memory cannot
be allocated for the trusted host.
The isolated hosts are released automatically after the isolation period expires. The administrator can also clear the
isolated hosts manually with the following command.
Command Function
Use the following command to display the host statistics.
Command Function
Ruijie# show nfpp icmp-guard hosts statistics
    Display the icmp-guard host statistics, including the total host count, the isolated host count and the non-isolated
    host count.
In the example output, 120 hosts are isolated in total: 100 isolated successfully and 20 for which hardware isolation
failed.
In the example output of the isolated host list, the fields indicate the VLAN number, interface, IP address, MAC address
and remaining isolation time.
If "*" is displayed in the first column of a line, that host is currently under software monitoring, or its hardware
isolation failed due to insufficient resources.
Use the show nfpp icmp-guard trusted-host command to display the trusted hosts exempt from monitoring.
Command Function
DHCP-guard
DHCP-guard Overview
The DHCP protocol is widely used to dynamically allocate IP addresses in a LAN and plays an important role in network
security. In a “DHCP exhaustion” attack, the attacker broadcasts DHCP request packets with spoofed source MAC
addresses. With enough requests, the attacker uses up the address pool of the DHCP server, so that legitimate hosts
can no longer obtain an IP address and access the network. The countermeasures for the “DHCP exhaustion” attack: on
one hand, configure a DHCP packet rate limit; on the other hand, detect and isolate the attack source.
DHCP attack detection can be host-based or port-based. Host-based detection identifies a host by the combination of
source MAC address, VID and port. For each detection, you can configure a rate-limit threshold and a warning
threshold. DHCP packets are dropped when the packet rate exceeds the rate-limit threshold. When the DHCP packet
rate exceeds the warning threshold, a warning message is displayed and a TRAP message is sent. Host-based detection
can isolate the attack source.
Enabling DHCP-guard
You can enable dhcp-guard in NFPP configuration mode or in interface configuration mode. By default, dhcp-guard is
enabled. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie(config-if)# nfpp dhcp-guard enable
    Enable dhcp-guard on the interface. By default, dhcp-guard is enabled.
The isolation period for attackers can be configured in NFPP configuration mode or in interface configuration mode. By
default, an interface uses the global isolation period. Use the no or default form of this command to restore the default
setting.
Command Function
To restore the global isolation period to the default value, use the no dhcp-guard isolate-period command in NFPP
configuration mode. If an isolation period has been configured on a port, remove the port-based configuration with the
no form of the command in interface configuration mode.
If the isolation period is 0 (no isolation), detected attackers are placed under software monitoring (the serviceview
monitor) for the configured monitoring period, so that attacker information is available in the system. If the isolation
period is not 0, dhcp-guard isolates the hosts found by the monitor in hardware.
Command Function
Ruijie(config-nfpp)# dhcp-guard monitor-period seconds
    Configure the monitoring period in seconds, in the range 180 to 86400. The default is 600 seconds.
Use the no or default form of this command in NFPP configuration mode to restore the default setting.
If the isolation period is 0, detected attackers are tracked by the serviceview monitor and time out after the
monitoring period. If the isolation period is changed to a non-zero value while a host is being monitored, the host is
isolated in hardware and times out after the isolation period. The monitoring period takes effect only when the
isolation period is 0.
Changing the isolation period from non-zero to 0 removes the attackers from the interface rather than placing them
under serviceview monitoring.
Use this command to set a trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.
Command Function
dhcp-guard trusted-host mac
    Set a trusted host. mac: the MAC address of the host.
no dhcp-guard trusted-host { all | mac }
    Restore the default setting. mac: delete the trusted host with this MAC address. all: delete all trusted hosts.
After a host is trusted, its DHCP packets are sent to the CPU without rate limiting or alarm notification. Up to 500
trusted hosts are supported.
The following example sets the host with MAC address 0000.0000.1111 as a trusted host:
Ruijie(config)# nfpp
Ruijie(config-nfpp)# dhcp-guard trusted-host 0000.0000.1111
Command Function
Ruijie(config-nfpp)# dhcp-guard monitored-host-limit number
    Configure the monitored host limit, in the range 1 to 4294967295. The default is 1000.
Use the no or default form of this command in NFPP configuration mode to restore the default setting.
If the number of monitored hosts has reached the default of 1000 and the administrator sets the monitored host limit
below 1000, the existing monitored hosts are not deleted; instead the message “%ERROR: The value that you
configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts.” tells the administrator
that the configuration is invalid and that some monitored hosts must be cleared first.
Host-based attack detection identifies a host by the combination of source MAC address, VID and port. For each
detection, you can configure a rate-limit threshold and an attack threshold (also called the warning threshold). DHCP
packets are dropped when the packet rate exceeds the rate-limit threshold. When the DHCP packet rate exceeds the
warning threshold, a warning message is displayed and a TRAP message is sent.
When a DHCP DoS attack is detected, a message is displayed and a TRAP whose description carries the same
information is sent.
If the isolation period is not 0 and hardware isolation succeeds, a message is displayed and a corresponding TRAP is
sent.
When hardware isolation fails because of a lack of memory or hardware resources, a message is displayed and a
corresponding TRAP is sent.
This section shows how to configure the host-based rate limit and attack detection in NFPP configuration mode and in
interface configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
You can configure the dhcp-guard rate limit and attack threshold on a port. The rate limit must be less than the attack
threshold. When the DHCP packet rate on a port exceeds the rate limit, the excess DHCP packets are dropped. When
the DHCP packet rate on a port exceeds the attack threshold, the CLI prompts and TRAP packets are sent.
When a DHCP DoS attack is detected on a port, the following message is displayed:
This section shows how to configure the port-based rate limit and attack detection in NFPP configuration mode and in
interface configuration mode. Use the no or default form of this command to restore the default setting.
Command Function
Ruijie# configure terminal
    Enter global configuration mode.
Ruijie(config)# nfpp
    Enter NFPP configuration mode.
Ruijie(config-nfpp)# dhcp-guard rate-limit per-port pps
    Configure the dhcp-guard rate limit for DHCP packets on a port, in the range 1-9999 pps; 150 by default.
Ruijie(config-nfpp)# dhcp-guard attack-threshold per-port pps
    Configure the dhcp-guard attack threshold, in the range 1-9999 pps; 300 by default. When the DHCP packet rate on
    a port exceeds the attack threshold, the CLI prompts and TRAP packets are sent.
Ruijie(config-nfpp)# end
    Return to privileged EXEC mode.
Ruijie# configure terminal
    Enter global configuration mode.
Ruijie(config)# interface interface-name
    Enter interface configuration mode.
Ruijie(config-if)# nfpp dhcp-guard policy per-port rate-limit-pps attack-threshold-pps
    Configure the rate limit and attack threshold on the specified interface.
    rate-limit-pps: the rate-limit threshold, in the range 1-9999; by default the global rate-limit threshold applies.
    attack-threshold-pps: the attack threshold, in the range 1-9999; by default the global attack threshold applies.
The source MAC address-based rate limit takes precedence over port-based rate limit.
The isolated hosts are released automatically after the isolation period expires. The administrator can also clear the
isolated hosts manually with the following command.
Command Function
Use this command to display the trusted host configuration in privileged EXEC mode.
Command Function
Use the following commands to display the host statistics and the isolated hosts.
Command Function
Ruijie# show nfpp dhcp-guard hosts statistics
    Display the dhcp-guard host statistics, including the total host count, the isolated host count and the non-isolated
    host count.
Ruijie# show nfpp dhcp-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]
    Display the isolated host information. If no parameter is specified, all hosts detected as attackers are displayed;
    if a parameter is specified, only the matching hosts are displayed.
In the example output, 120 hosts are isolated in total: 100 isolated successfully and 20 for which hardware isolation
failed.
In the example output of the isolated host list, the fields indicate the VLAN number, interface, IP address, MAC address
and remaining isolation time.
If "*" is displayed in the first column of a line, that host is currently under software monitoring, or its hardware
isolation failed due to insufficient resources.
DHCPv6-guard
DHCPv6-guard Overview
The DHCPv6 protocol is widely used to dynamically allocate IPv6 addresses in a LAN and plays an important role in
network security. Like the DHCP attack, the DHCPv6 attack broadcasts DHCPv6 request packets with spoofed source
MAC addresses. With enough requests, the attacker uses up the address pool of the DHCPv6 server, so that legitimate
hosts can no longer obtain an IPv6 address and access the network. The countermeasures for the DHCPv6 attack: on
one hand, configure a DHCPv6 packet rate limit; on the other hand, detect and isolate the attack source.
DHCPv6 attack detection can be host-based or port-based. Host-based detection identifies a host by the combination
of source IP address, VID and port. For each detection, you can configure a rate-limit threshold and a warning
threshold. DHCPv6 packets are dropped when the packet rate exceeds the rate-limit threshold. When the DHCPv6
packet rate exceeds the warning threshold, a warning message is displayed and a TRAP message is sent. Host-based
detection can isolate the attack source.
Configuration Guide Configuring NFPP
Enabling DHCPv6-guard
You can enable dhcpv6-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
dhcpv6-guard is enabled. Use the no or default form of this command to restore the default setting.
The isolated time of the attacker can be configured in NFPP configuration mode or in interface configuration mode. By default, the isolated time is taken from the global configuration.
Command Function
Ruijie(config-if)# nfpp arp-guard isolate-period Configure the isolated time on the port, ranging 0s,
To restore the global isolated time to the default value, use the no dhcpv6-guard isolate-period command in the NFPP
configuration mode. If the isolated time has been configured on a port, you can use the no dhcpv6-guard isolate-period
command to remove the port-based isolated time configuration in the interface configuration mode.
If the isolated time is 0 seconds (that is, no isolation), the software monitor auto-monitors the attacker for the configured monitored period and keeps the attacker information in the system. If the isolated time is not 0 seconds, DHCPv6-guard performs hardware isolation on the hosts detected by the software monitor.
Command Function
Ruijie(config-nfpp)# dhcpv6-guard monitor-period seconds    Configure the monitored time in the range from 180 to 86400 in the unit of seconds. The default is 600 seconds.
To restore the monitored time to the default value, use the no dhcpv6-guard monitor-period or default dhcpv6-guard
monitor-period command in the NFPP configuration mode.
If the isolated time is 0, the software monitor monitors the detected attacker, and the timeout is the monitored period. If the isolated time is changed to a non-0 value while software monitoring is in progress, hardware isolation is performed on the attacker, and the timeout becomes the isolated period. The monitored period is valid only when the isolated period is 0.
Changing the isolated time from non-0 to 0 removes the attackers from the interface rather than placing them under software monitoring.
Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.
After this function is enabled, the DHCPv6 packets are sent from the trusted host to CPU without rate limit or alarm
notification. Up to 500 trusted hosts are supported.
The following example sets the host whose MAC address is 0000.0000.1111 as the trusted host.
Ruijie(config)# nfpp
Ruijie(config-nfpp)#dhcpv6-guard trusted-host 0000.0000.1111
Command Function
Ruijie(config-nfpp)# dhcpv6-guard monitored-host-limit seconds    Configure the monitored host limit in the range from 1 to 4294967295. The default is 1000.
To restore the monitored host limit to the default value, use the no dhcpv6-guard monitored-host-limit or default
dhcpv6-guard monitored-host-limit command in the NFPP configuration mode.
If the number of monitored hosts has already reached the default of 1000 and the administrator sets the monitored host limit to a value smaller than 1000, the existing monitored hosts are not deleted; instead the message "%ERROR: The value that you configured is smaller than current monitored hosts 1000, please clear a part of monitored hosts." is printed to tell the administrator that the configuration is invalid and that some monitored hosts must be removed first.
Use the source MAC/VID/port-based method to detect the host-based attack. For each attack detection, you can
configure the rate-limit threshold and attack threshold (also called warning threshold). The DHCPv6 packet will be
dropped when the packet rate exceeds the rate-limit threshold. When the DHCPv6 packet rate exceeds the warning
threshold, it will prompt the warning messages and send the TRAP message.
It prompts the following message if the DHCPv6 DoS attack was detected:
The following example displays the describing information included in the sent TRAP messages:
If the isolated time is not set as 0 by the administrator, when the hardware isolation succeeds, it prompts:
The following example displays the describing information included in the sent TRAP messages:
When it fails to isolate the hardware due to a lack of memory or hardware resources, it prompts:
The following example displays the describing information included in the sent TRAP messages:
When it fails to allocate the memory to the detected attackers, it prompts the message like
“%NFPP_DHCPV6_GUARD-4-NO_MEMORY: Failed to alloc memory.” to inform the administrator.
This section shows the administrator how to configure the host-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode:
You can configure the dhcpv6-guard rate limit and attack threshold on the port. The rate limit value must be less than the
attack threshold value. When the DHCPv6 packet rate on a port exceeds the limit, the DHCPv6 packets are dropped.
When the DHCPv6 packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are
sent.
It prompts the following message when the DHCPv6 DoS attack was detected on a port:
This section shows the administrator how to configure the port-based rate-limit and attack detection in the NFPP
configuration mode and in the interface configuration mode:
Command Function
Ruijie(config-if)# nfpp dhcpv6-guard policy per-port rate-limit-pps attack-threshold-pps    Configure the rate-limit and attack threshold on the specified interface.
rate-limit-pps: set the rate-limit threshold. The valid range is 1-9999 and by default, it adopts the global rate-limit threshold value.
attack-threshold-pps: set the attack threshold. The valid range is 1-9999 and by default, it adopts the global attack threshold value.
The source MAC address-based rate limit takes precedence over the port-based rate limit.
Isolated hosts are recovered automatically after a period of time. The administrator can use the following command to clear the isolated hosts manually.
Use this command to display the trusted host configuration in Privileged EXEC mode.
Command Function
Ruijie# show nfpp dhcpv6-guard hosts statistics    Display the dhcpv6-guard hosts statistics, including total host amount, isolated host amount and non-isolated host amount.
Ruijie# show nfpp dhcpv6-guard hosts [ vlan vid ] [ interface interface-id ] [ mac-address ]    Display the isolated hosts information. If no parameter is specified, all hosts detected to be under attack will be displayed. If any parameter is specified, only eligible hosts will be displayed.
For example, the output indicates that 120 hosts in total are isolated, of which 100 were isolated successfully and 20 failed.
ND-guard
ND-guard Overview
ND, short for Neighbor Discovery, is responsible for address resolution, router discovery, prefix discovery and redirection. ND uses the following five types of ND packets: Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation (RS), Router Advertisement (RA) and Redirect.
ND Snooping monitors the ND packets in the network, filters illegal ND packets and binds the monitored IPv6 users to the interface to prevent IPv6 addresses from being stolen. ND Snooping relies on ND-guard to send ND packets to the CPU at the configured rate limit, because ND packets sent at a high rate amount to an attack on the CPU.
ND-guard classifies the ND packets into the following three types:
1) NS-NA: the Neighbor Solicitation and Neighbor Advertisement, used for address resolution;
2) RS: the Router Solicitation, used for gateway discovery by the host;
3) RA and Redirect: the Router Advertisement and Redirect, used to advertise the gateway and prefix, and a better next hop.
At present, only the port-based ND packet attack detection is implemented. You may configure the rate-limit threshold and
the attack threshold for the ND packets. When the ND packet rate on a port exceeds the limit, the ND packets are dropped.
When the ND packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.
Enabling ND-guard
You can enable ND-guard in the NFPP configuration mode or in the interface configuration mode. By default, the
ND-guard is enabled. Use the no or default form of this command to restore the default setting.
Use this command to set the trusted host in NFPP configuration mode. Use the no or default form of this command to
restore the default setting.
After this function is enabled, the ND packets are sent from the trusted host to CPU without rate limit or alarm notification.
The following example sets the host whose MAC address is 0000.0000.1111 as the trusted host.
Ruijie(config)# nfpp
Ruijie(config-nfpp)#nd-guard trusted-host 0000.0000.1111
You can configure the ND-guard rate-limit and attack threshold on the port. The rate-limit value must be less than the
attack threshold value. When the ND packet rate on a port exceeds the limit, the ND packets are dropped. When the ND
packet rate on a port exceeds the attack threshold limit, the CLI prompts and the TRAP packets are sent.
ND Snooping divides ports into untrusted ports and trusted ports, which connect to hosts and to the gateway respectively. The rate-limit threshold for a trusted port should be higher than that for an untrusted port, because the traffic on a trusted port is generally higher. When ND Snooping is enabled, it instructs ND-guard to set the rate-limit threshold and the attack threshold of ND packets on the trusted port to 800pps and 900pps respectively.
ND-guard treats the rate-limit threshold configured by ND Snooping and the one configured by the administrator equally: whichever is configured later overwrites the earlier one. That is, if the administrator configures the rate-limit threshold on the port before ND Snooping does, the threshold configured by ND Snooping overwrites the administrator's; similarly, if ND Snooping configures the rate-limit threshold before the administrator does, the administrator's threshold overwrites the one configured by ND Snooping.
When the administrator saves the settings, the rate-limit threshold configured by ND Snooping is saved into the configuration file.
It prompts the following message when the NS-NA DoS attack was detected on a port:
It prompts the following message when the RS DoS attack was detected on a port:
It prompts the following message when the RA-REDIRECT DoS attack was detected on a port:
This section shows the administrator how to configure the port-based rate-limit and attack detection in NFPP configuration
mode and in the interface configuration mode. Use the no or default form of these commands to restore the default
setting.
Command Function
Ruijie(config)# nd-guard rate-limit per-port [ ns-na | rs | ra-redirect ] pps    Configure the rate-limit of the ND packets on the port in the range from 1 to 9999 in the unit of pps. The default is Lapps.
Ruijie(config)# nd-guard attack-threshold per-port [ ns-na | rs | ra-redirect ] pps    Configure the attack threshold in the range from 1 to 9999 in the unit of seconds. By default, the attack threshold for ns-na, rs and ra-redirect on each port is 30 seconds. When the ND packet number on a port exceeds the attack threshold, the CLI prompts and the TRAP packets are sent.
Ruijie(config-if)# nfpp nd-guard policy per-port [ ns-na | rs | ra-redirect ] rate-limit-pps attack-threshold-pps    Configure the rate-limit and attack threshold on the specified interface. By default, the rate-limit threshold and the attack threshold are not configured. rate-limit-pps: set the rate-limit threshold in the range from 1 to 9999. attack-threshold-pps: set the attack threshold in the range from 1 to 9999.
Use this command to display the trusted host configuration in Privileged EXEC mode.
NFPP Syslog
An NFPP log is written to the NFPP syslog buffer area after an attack is detected. NFPP logs are then turned into syslog messages at the specified rate and removed from the NFPP syslog buffer area.
The administrator can configure the number of NFPP log-buffer entries in NFPP configuration mode.
Command Function
Ruijie(config-nfpp)# log-buffer entries number    Configure the NFPP log buffer in the range from 0 to 1024. The default is 256.
The administrator can configure the rate of generating the NFPP syslog in NFPP configuration mode. Use the no or
default form of this command to restore the default setting.
Command Function
Ruijie(config-nfpp)# log-buffer logs number_of_message interval length_in_seconds    Set the rate of generating the syslog from the NFPP syslog buffer area.
number_of_message / length_in_seconds: the rate of generating the syslog. The corresponding information in the NFPP syslog buffer area is removed while the syslog is generated.
number_of_message: the valid range is from 0 to 1024. The default is 1 second. 0 indicates that all syslogs are recorded in the NFPP syslog buffer area and the syslog is not generated.
length_in_seconds: the valid range is from 0 to 86400 in the unit of seconds. The default value is 30 seconds. 0 indicates to generate the syslog immediately.
Setting both number_of_message and length_in_seconds to 0 indicates to generate the syslog immediately.
The administrator can filter the NFPP syslog and record the syslog in the specific VLAN or on the specific interface. Use
the no or default form of these commands to restore the default setting.
Ruijie# clear nfpp log Clear the NFPP syslog in the log-buffer area.
Command Function
Ruijie# show nfpp log summary Display the NFPP syslog configuration.
The following example displays the NFPP syslog number in the log-buffer area:
If the syslog buffer area is full, subsequent syslogs are discarded and an entry with all attributes set to "-" is shown in the syslog buffer area. The administrator should increase the capacity of the syslog buffer area or raise the rate of generating the syslog.
A syslog generated from the syslog buffer area carries the event timestamp, for example:
%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)
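As an added example that is not part of the guide, a parser for NFPP syslog lines in the format shown above, run over constructed sample lines: it turns the Host<...> tuple and the trailing event timestamp into fields and flags hosts that keep being detected after their isolation expired.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the format the guide shows for syslogs generated
# from the NFPP log buffer: %NFPP_<guard>_GUARD-<severity>-<mnemonic>: ... (timestamp)
SAMPLE_LOGS = [
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:00)",
    "%NFPP_DHCPV6_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0011,port=Gi4/2,VLAN=20> was detected.(2009-07-01 13:00:05)",
    "%NFPP_DHCPV6_GUARD-4-NO_MEMORY: Failed to alloc memory.",
    "%NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0000.0000.0004,port=Gi4/1,VLAN=1> was detected.(2009-07-01 13:00:30)",
    "not an NFPP message at all",
]

LINE_RE = re.compile(
    r"^%NFPP_(?P<guard>[A-Z0-9]+)_GUARD-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*"
    r"(?P<body>.*?)(?:\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\))?$"
)
HOST_RE = re.compile(
    r"Host<IP=(?P<ip>[^,>]+),MAC=(?P<mac>[0-9a-fA-F.]+),port=(?P<port>[^,>]+),VLAN=(?P<vlan>\d+)>"
)


@dataclass
class NfppEvent:
    guard: str                    # ARP, DHCP, DHCPV6, ND, ...
    severity: int
    mnemonic: str                 # DOS_DETECTED, NO_MEMORY, ...
    ip: Optional[str]             # None when the message carries IP=N/A
    mac: Optional[str]
    port: Optional[str]
    vlan: Optional[int]
    timestamp: Optional[datetime]


def parse_nfpp_line(line: str) -> Optional[NfppEvent]:
    """Return a structured event for one NFPP syslog line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = HOST_RE.search(m.group("body"))
    ts = m.group("ts")
    ip = host.group("ip") if host else None
    return NfppEvent(
        guard=m.group("guard"),
        severity=int(m.group("severity")),
        mnemonic=m.group("mnemonic"),
        ip=None if ip in (None, "N/A") else ip,
        mac=host.group("mac") if host else None,
        port=host.group("port") if host else None,
        vlan=int(host.group("vlan")) if host else None,
        timestamp=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") if ts else None,
    )


def repeat_offenders(lines: Iterable[str], min_hits: int = 2) -> Dict[Tuple, int]:
    """Count DOS_DETECTED events per (guard, MAC, port, VLAN) and keep hosts seen min_hits times or more.

    A host that reappears after its isolated period expired deserves a closer look
    than a one-off burst, which is what the isolation itself already handles.
    """
    counts: Dict[Tuple, int] = {}
    for line in lines:
        ev = parse_nfpp_line(line)
        if ev and ev.mnemonic == "DOS_DETECTED" and ev.mac:
            key = (ev.guard, ev.mac, ev.port, ev.vlan)
            counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_hits}


def resource_failures(lines: Iterable[str]) -> List[str]:
    """Mnemonics other than DOS_DETECTED, such as the NO_MEMORY message the guide describes."""
    return [ev.mnemonic for ev in map(parse_nfpp_line, lines) if ev and ev.mnemonic != "DOS_DETECTED"]
```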
Configuration Guide Configuring WAPI
Configuring WAPI
Overview
WLAN Authentication and Privacy Infrastructure (WAPI) is a wireless security standard actively promoted in China. The protocol consists of two parts: WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI is used for user authentication; WPI is used to encrypt transmitted data. WAPI is a necessary supplement to wireless security and an essential function for wireless products entering the market.
Basic Concept
AE (authenticator entity): authenticates ASUEs that expect to access the service. This entity resides in an AP or STA.
ASUE (authentication supplicant entity): applies for authentication before accessing the service. This entity resides in an STA.
ASE (authentication service entity): provides mutual authentication service for the AE and ASUE. This entity resides in an ASU.
Working Principle
To allow an STA to recognize WAPI information and enable the WAPI security mechanism, WAPI information elements must be added to beacon frames, association request frames, re-association request frames and probe request frames. On the AP side, WAPI information elements are added to the beacon frames and probe response frames it sends, according to the WAPI configuration of the AP. An AP negotiates with an STA only when the parsed association request or re-association request frame meets the WAPI configuration conditions of the AP.
The Length field specifies the number of bytes of the WAPI information element except for Element ID and Length.
The Version field specifies the version of WAPI. In this protocol specification, only version 1 is used.
The Authentication and key management (AKM) suite count field specifies the number of AKM mechanisms supported by the STA.
The AKM suite list field contains the AKM mechanisms supported by the STA. "m" is the value of the AKM suite count field.
The Unicast password suite count field specifies the number of unicast password algorithms supported by STAs.
The Unicast password suite field contains unicast password algorithms supported by STAs. "n" is the value of the
Unicast password suite count field.
The Multicast password suite field contains multicast password algorithms supported by STAs.
In the WAPI capability information field, bit 0 is the pre-authentication flag bit. Other bits are reserved.
The BKID count and BKID list fields are used only in association and re-association request frames sent to APs. The
BKID count field specifies the number of BKIDs in the BKID list field.
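As an added example, not code from the guide or from Ruijie, a parser and builder for the WAPI information element laid out above, including the AP-side check that the STA's advertised suites match the AP's configuration. The element ID (68), the WAPI OUI (00-14-72) and the suite type numbers are assumptions taken from the WAPI standard rather than from this page, and the association-request sample is constructed.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Assumptions of this example, taken from the WAPI standard rather than this guide:
# the WAPI element ID (68), the WAPI OUI (00-14-72) and the suite type numbers.
WAPI_ELEMENT_ID = 68
WAPI_OUI = bytes.fromhex("001472")
AKM_TYPES: Dict[int, str] = {1: "WAI-CERT", 2: "WAI-PSK"}
CIPHER_TYPES: Dict[int, str] = {1: "SMS4"}


@dataclass
class WapiIE:
    version: int
    akm_suites: List[str]
    unicast_suites: List[str]
    multicast_suite: str
    preauth: bool                              # bit 0 of the WAPI capability information field
    bkids: List[bytes] = field(default_factory=list)


def _suite_name(selector: bytes, names: Dict[int, str]) -> str:
    oui, typ = selector[:3], selector[3]
    if oui != WAPI_OUI:
        return "vendor-%s-%d" % (oui.hex(), typ)
    return names.get(typ, "reserved-%d" % typ)


def parse_wapi_ie(data: bytes) -> WapiIE:
    """Parse one WAPI information element; every count is checked against the Length field."""
    if len(data) < 2 or data[0] != WAPI_ELEMENT_ID:
        raise ValueError("not a WAPI information element")
    length = data[1]                           # bytes after Element ID and Length
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("information element is truncated")
    pos = 0

    def u16() -> int:
        nonlocal pos
        if pos + 2 > len(body):
            raise ValueError("truncated 16-bit field")
        value = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        return value

    def suites(count: int, names: Dict[int, str]) -> List[str]:
        nonlocal pos
        out: List[str] = []
        for _ in range(count):
            if pos + 4 > len(body):
                raise ValueError("suite count exceeds element length")
            out.append(_suite_name(body[pos:pos + 4], names))
            pos += 4
        return out

    version = u16()
    if version != 1:
        raise ValueError("unsupported WAPI version %d" % version)
    akm = suites(u16(), AKM_TYPES)             # AKM suite count, then m selectors
    unicast = suites(u16(), CIPHER_TYPES)      # unicast suite count, then n selectors
    multicast = suites(1, CIPHER_TYPES)[0]     # exactly one multicast suite
    capability = u16()
    bkids: List[bytes] = []
    if pos < len(body):                        # BKID fields appear only in (re)association requests
        for _ in range(u16()):
            if pos + 16 > len(body):
                raise ValueError("BKID count exceeds element length")
            bkids.append(body[pos:pos + 16])
            pos += 16
    if pos != len(body):
        raise ValueError("trailing bytes in information element")
    return WapiIE(version, akm, unicast, multicast, bool(capability & 1), bkids)


def is_wellformed_wapi_ie(data: bytes) -> bool:
    try:
        parse_wapi_ie(data)
        return True
    except ValueError:
        return False


def build_wapi_ie(akm: Sequence[int], unicast: Sequence[int], multicast: int,
                  preauth: bool = False, bkids: Sequence[bytes] = ()) -> bytes:
    """Inverse of parse_wapi_ie; used here to construct sample elements."""
    def sel(typ: int) -> bytes:
        return WAPI_OUI + bytes([typ])
    body = struct.pack("<HH", 1, len(akm)) + b"".join(sel(t) for t in akm)
    body += struct.pack("<H", len(unicast)) + b"".join(sel(t) for t in unicast)
    body += sel(multicast) + struct.pack("<H", 1 if preauth else 0)
    if bkids:
        body += struct.pack("<H", len(bkids)) + b"".join(bkids)
    return bytes([WAPI_ELEMENT_ID, len(body)]) + body


def ap_accepts(ie: WapiIE, ap_akm: str, ap_cipher: str) -> bool:
    """Negotiation proceeds only if the STA offers the AKM and ciphers the AP is configured for."""
    return ap_akm in ie.akm_suites and ap_cipher in ie.unicast_suites and ie.multicast_suite == ap_cipher


# Constructed sample: a PSK association request advertising SMS4, written out by hand as hex.
SAMPLE_PSK_IE = bytes.fromhex("44140100010000147202010000147201001472010000")
```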
WAI performs authentication and key management based on certificates and pre-shared keys (PSKs). Certificate-based authentication and key management consists of certificate authentication, unicast key negotiation and multicast key advertisement; PSK-based key management consists of unicast key negotiation and multicast key advertisement. The following figure shows how these stages interact with each other. The STA, AP and ASU serve respectively as the ASUE, AE and ASE.
Packets between the STA and AP are carried in Ethernet frames whose Ethernet type field has the value 0x88B4. Packets between the AP and ASU are transmitted over UDP; the ASU uses UDP port 3810. For the formats of the packets exchanged in each stage, refer to the WAPI Deployment Guide-2006.
WPI encrypts and decrypts MPDUs generated at the MAC sublayer but does not process WAI packets. An encrypted MPDU is composed as follows:
If the MAC header contains the fourth address, its length is 30 bytes; otherwise it is 24 bytes. If the MAC header contains a QoS subfield, two bytes are added. Currently, WAPI does not define wireless QoS and therefore does not support QoS.
The KeyIdx field specifies an index of USKID, MSKID, or STAKeyID, that is, a session key index of the packet.
The value of the PN field is an integer, which specifies the number of the data packet. The number is used as the
initialization vector (IV) for data encryption and verification in OFB or CBC-MAC mode. The PN field of the data packet is
coded and sent in little-endian mode.
The PDU field includes MPDU data. The maximum length of this field is computed in the following formula: 2278 = 2312 –
18 (length of the WPI header) – 16 (length of MIC).
The message integrity check (MIC) field is obtained by computing integrity verification data using an integrity verification
key in CBC-MAC mode. The following figure shows the composition of MIC.
First part:
Frame control field: bits 4, 5, 6, 11, 12 and 13 are set to 0, and bit 14 is set to 1.
Address 4 field: if the MAC frame header does not contain the fourth address, all six octets of this field are set to 0.
QoS field: included as it appears in the MAC frame header, or absent if the header has none.
When an MIC is computed, the length of the integrity verification data must be an integral multiple of 16. If the length of a part of the integrity verification data is not an integral multiple of 16, extend that part with the minimum number of 0s needed to reach an integral multiple of 16.
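An added example, not from the guide, that assembles and splits an encrypted MPDU with the sizes given above and applies the MIC input rules (frame control masking and zero padding to a multiple of 16). The split of the 18-byte WPI header into KeyIdx, one reserved byte and a 16-byte PN, and the receiver-side PN replay check, are assumptions of this example; SMS4 and CBC-MAC themselves are not implemented, so the MIC is passed in as 16 opaque bytes.

```python
from dataclasses import dataclass

# Sizes stated in the guide: the WPI header is 18 bytes, the MIC is 16 bytes and the
# maximum PDU is 2312 - 18 - 16 = 2278 bytes. The header split KeyIdx(1) + reserved(1)
# + PN(16) is an assumption of this example; the guide only gives the 18-byte total.
WPI_HEADER_LEN = 18
MIC_LEN = 16
PN_LEN = 16
MAX_PDU_LEN = 2312 - WPI_HEADER_LEN - MIC_LEN   # 2278

# Frame control bits the guide says are masked before the MIC is computed.
_FC_CLEAR_MASK = (1 << 4) | (1 << 5) | (1 << 6) | (1 << 11) | (1 << 12) | (1 << 13)
_FC_SET_MASK = 1 << 14


def mac_header_len(has_addr4: bool, has_qos: bool) -> int:
    """24 bytes, or 30 with a fourth address, plus 2 if a QoS field is present."""
    return (30 if has_addr4 else 24) + (2 if has_qos else 0)


def encode_pn(pn: int) -> bytes:
    """The packet number is an integer sent as a little-endian PN field."""
    if not 0 <= pn < (1 << (8 * PN_LEN)):
        raise ValueError("PN out of range")
    return pn.to_bytes(PN_LEN, "little")


def decode_pn(raw: bytes) -> int:
    if len(raw) != PN_LEN:
        raise ValueError("PN field must be %d bytes" % PN_LEN)
    return int.from_bytes(raw, "little")


def mic_frame_control(fc: int) -> int:
    """Frame control value as it enters the MIC: bits 4,5,6,11,12,13 cleared, bit 14 set."""
    return ((fc & 0xFFFF) & ~_FC_CLEAR_MASK) | _FC_SET_MASK


def pad16(part: bytes) -> bytes:
    """Extend one part of the integrity data with the fewest zero bytes to a multiple of 16."""
    rem = len(part) % 16
    return part if rem == 0 else part + bytes(16 - rem)


def pdu_fits(pdu: bytes) -> bool:
    """True if the (encrypted) MPDU data fits the 2278-byte maximum."""
    return len(pdu) <= MAX_PDU_LEN


@dataclass
class WpiMpdu:
    mac_header: bytes
    key_idx: int      # USKID / MSKID / STAKeyID selecting the session key
    pn: int
    pdu: bytes        # ciphertext of the MPDU data
    mic: bytes


def build_wpi_mpdu(mac_header: bytes, key_idx: int, pn: int, pdu: bytes, mic: bytes) -> bytes:
    """Assemble MAC header | KeyIdx | reserved | PN | PDU | MIC, enforcing the size limits."""
    if not 0 <= key_idx <= 0xFF:
        raise ValueError("KeyIdx must fit in one byte")
    if not pdu_fits(pdu):
        raise ValueError("PDU exceeds %d bytes" % MAX_PDU_LEN)
    if len(mic) != MIC_LEN:
        raise ValueError("MIC must be %d bytes" % MIC_LEN)
    return mac_header + bytes([key_idx, 0]) + encode_pn(pn) + pdu + mic


def parse_wpi_mpdu(frame: bytes, has_addr4: bool, has_qos: bool) -> WpiMpdu:
    """Split an encrypted MPDU back into its fields; rejects frames too short to hold them."""
    hl = mac_header_len(has_addr4, has_qos)
    if len(frame) < hl + WPI_HEADER_LEN + MIC_LEN:
        raise ValueError("frame too short for a WPI MPDU")
    key_idx = frame[hl]
    pn = decode_pn(frame[hl + 2:hl + 2 + PN_LEN])
    pdu = frame[hl + WPI_HEADER_LEN:len(frame) - MIC_LEN]
    return WpiMpdu(frame[:hl], key_idx, pn, pdu, frame[len(frame) - MIC_LEN:])


class PnReplayCheck:
    """Receiver-side guard (an assumption of this example): a PN must exceed the last one
    accepted under the same KeyIdx, otherwise the IV would repeat and the frame is a replay."""

    def __init__(self) -> None:
        self._last = {}

    def accept(self, key_idx: int, pn: int) -> bool:
        if pn <= self._last.get(key_idx, -1):
            return False
        self._last[key_idx] = pn
        return True
```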
Configuration Examples
Networking Topology
As shown in the figure above, the WAPI terminals and the RG-AP all support WAPI. The WAPI terminals, RG-AP and authentication server (AS, hereinafter referred to as ASU) all have a digital certificate file. When a WAPI terminal requests access to the wireless network, the RG-AP authenticates the terminal through either of the two WAPI authentication methods: digital certificate authentication and PSK authentication. If digital certificate authentication is used, the ASU is needed. The following figure shows a typical WAPI application on a fit AP networking topology.
As shown in the figure above, the RG-AC and two RG-APs are basic devices of the fit AP wireless network. The WAPI
terminals, RG-APs, and RG-AC all support WAPI. When a WAPI terminal requests access to the wireless network, the
RG-AC authenticates the terminal through WAPI. When WAPI authentication is completed, the WAPI terminal negotiates
with the RG-AC to generate a session key. Then, the RG-AC delivers the key to the specific RG-AP. When the WAPI
terminal receives or sends data packets, the RG-AP is responsible for encryption or decryption by using the key.
Configuration
IP address of the WAPI ASU    No IP address is configured for the WAPI ASU by default.
WAPI security mode is disabled by default. Only when it is enabled, an authentication mode can be configured.
Use the following commands to enable WAPI security mode in WLAN security configuration mode.
Configuring WAPI security mode and displaying WAPI configuration and state are not supported on AP110-W or
AP120-W.
The WAPI security mode is disabled by default. To disable WAPI security mode, use the security wapi disable
command.
Before configuring WAPI PSK authentication mode, you must enable WAPI security mode.
Use the following commands to configure WAPI PSK authentication in WLAN security configuration mode.
Command Function
Ruijie(wlansec)# security wapi psk enable Enables WAPI PSK authentication mode.
The WAPI PSK authentication mode is disabled by default. To disable WAPI PSK authentication, use the security wapi
psk disable command.
The length of the PSK must be 8 to 32 bits and must be an even number, because the PSK is in hexadecimal format.
If WAPI PSK authentication mode or the PSK is not configured, WLAN users cannot access a WLAN through WAPI PSK authentication mode.
The configuration of WAPI PSK authentication mode and the configuration of the PSK do not have to follow a specific order.
Before configuring WAPI certificate authentication, you must enable WAPI security mode. Currently, devices support
WAPI two-certificate authentication and WAPI three-certificate authentication. The difference between them is that the CA
is isolated from the ASU in three-certificate authentication mode, but not in two-certificate authentication mode.
Before configuring two-certificate authentication mode, you must import a CA certificate and an AE certificate into the AE. Otherwise, the configuration fails. In WAPI two-certificate authentication mode, the configured CA certificate is used as the ASU certificate by default. If WAPI three-certificate authentication is needed, you must also import an ASU certificate.
Use the following command to enable WAPI two-certificate authentication in WLAN security configuration mode.
Command Function
Ruijie(wlansec)# security wapi 2-cert enable Enable WAPI two-certificate authentication mode.
Before configuring WAPI two-certificate authentication mode, ensure that WAPI security mode has been
enabled.
Two-certificate authentication mode and three-certificate authentication mode cannot be used simultaneously.
To disable WAPI two-certificate authentication mode, use the security wapi 2-cert disable command.
Use the following command to enable WAPI three-certificate authentication in WLAN security configuration mode.
Command Function
Ruijie(wlansec)# security wapi 3-cert enable Enable WAPI three-certificate authentication mode.
Before configuring WAPI three-certificate authentication mode, ensure that WAPI security mode has been
enabled.
Two-certificate authentication mode and three-certificate authentication mode cannot be used simultaneously.
To disable WAPI three-certificate authentication mode, use the security wapi 3-cert disable command.
Configuring a CA Certificate
In WAPI two-certificate authentication mode, the CA is also the ASU. Therefore, a CA certificate is an ASU certificate. You
do not need to configure an ASU certificate separately.
In WAPI three-certificate authentication mode, the CA is separated from the ASU. The ASU certificate is issued by a
certificate management system. Therefore, you need to configure an ASU certificate separately. A CA certificate is only
used to verify a CA signature to determine whether the certificate is authorized.
Use the following command to configure a CA certificate in WLAN security configuration mode.
Before configuring a CA certificate, ensure that WAPI security mode has been enabled, and the certificate file
has been imported into the AE.
The ASU runs authentication software and is connected with the AE through wires. During WAPI certificate authentication,
the ASU is used to transmit certificate authentication requests and authentication-related packets through UDP. Therefore,
you must specify an ASU IP address.
Use the following command to configure an IP address for the ASU in WLAN security configuration mode.
Before configuring an address for the ASU, ensure that WAPI security mode has been enabled.
An ASU certificate is needed in WAPI three-certificate authentication mode but not in WAPI two-certificate authentication
mode.
Use the following command to configure an ASU certificate in WLAN security configuration mode.
Before configuring an ASU certificate, ensure that WAPI security mode has been enabled, and the certificate
file has been imported into the AE.
Configuring an AE Certificate
Use the following command to configure an AE certificate in WLAN security configuration mode.
Command Function
Ruijie(wlansec)# security wapi ae cert ae_certfile    Configure an AE certificate. ae_certfile: Specifies the name of the AE certificate file.
Before configuring an AE certificate, ensure that WAPI security mode has been enabled, and the certificate file
has been imported into the AE.
Monitoring
Use the following command in privileged EXEC mode or global configuration mode or WLAN security configuration mode
to display configuration information about users that have been authenticated and are being authenticated through WAPI.
Configuring WAPI security mode and displaying WAPI configuration and state are not supported on AP110-W or
AP120-W.
This command can be used in any configuration mode except user configuration mode.
Configuration Examples
Networking Topology
Networking Requirements
As shown in the figure above, the AP is connected with the AC; the AC is connected with the AS.
CA certificate EccCA.cer and AE certificate EccAE.cer have been imported into the AC.
Configuration Steps
Configure WLAN security configuration mode for WLAN 1 and enable WAPI.
# Configure a CA certificate.
# Configure an AE certificate.
Networking Topology
Networking Requirements
As shown in the figure above, the AP is connected with the AC; the AC is connected with the ASU.
CA certificate EccCA.cer, ASU certificate EccASU.cer, and AE certificate EccAE.cer have been imported into the AC.
WAPI security mode and WAPI three-certificate authentication mode are enabled.
Configuration Steps
Configure WLAN security configuration mode for WLAN 1 and enable WAPI.
# Configure a CA certificate.
# Configure an AE certificate.
Configuring WLAN QoS
Overview
WLANs compliant with 802.11 provide wireless access equally to all users. However, different applications have different requirements of the network, and the original 802.11 networks provide no mechanism for differentiating service priorities, so they cannot offer access of different quality levels to different applications. In this case, when the network is congested, messages requiring prioritized processing (such as voice) and ordinary messages (such as Web browsing) are dropped with the same probability. This does not match the QoS mechanism of wired networks and falls short of the actual needs of applications.
WLAN QoS delivers different quality levels of network service for different needs. Data messages with high requirements for timeliness and reliability get superior quality and are processed first, while ordinary data messages with low timeliness requirements are given a lower processing priority.
Basic Concepts
WMM (Wi-Fi multimedia): WMM is a wireless QoS protocol as a subset of the 802.11e standard. This protocol is used to
ensure that the messages of higher priority will be sent first, and thus applications such as voice and video will have better
quality.
AC (access category): WMM has four priority levels which are voice, video, best-effort and back-ground flows in the
sequence of priority from the highest to the lowest.
CAC (call admission control): CAC limits the number of clients that may use the high-priority queues (voice and video) so that clients already using those queues keep sufficient bandwidth.
U-APSD (unscheduled automatic power-save delivery): U-APSD is a new energy-saving processing method defined by
WMM to improve energy conservation at clients.
SVP (SpectraLink Voice Priority): SVP is a voice priority mechanism defined by SpectraLink for WLANs to ensure voice
flows to enjoy higher priority in transmission.
WMM Services
The scheduling mode of DCF (distributed coordination function) in the IEEE 802.11 standard is based on the CSMA/CA
(carrier sense multiple access with collision avoidance) principle. As a result, all terminal users are equal in taking up the
channels.
IEEE 802.11e adds QoS features to WLANs based on 802.11. It takes quite a long time to standardize the protocol.
During the standardization process, the Wi-Fi Alliance defined WMM to ensure interconnectivity between devices with
QoS from different WLAN vendors. WMM enables WLANs to offer QoS.
WMM divides data messages into four AC queues. ACs of higher priority have a better chance of taking up the channel than ACs of lower priority, so a different quality of service can be provided for each type of message.
Average-data-rate
The allowable average rate of flows, also known as the committed information rate.
Burst-data-rate
The maximum allowable burst traffic, also known as the committed burst size. The configured burst size must be larger than the maximum message length.
Fair Scheduling
Fair scheduling allows STAs in the same RF range that are associated with the same AP to share the wireless network resources provided by the AP, dividing the wireless bandwidth impartially. Fair scheduling prevents low-speed STAs from dragging down the throughput of the entire wireless network and gives STAs a smoother network experience. In addition, fair scheduling intelligently monitors changes in every STA's traffic, automatically adjusts the wireless bandwidth ratio of each STA and improves the wireless experience of clients.
Default Configuration
Function Default
Activate WMM/QoS service: Enabled by default.
Configure WMM service: The CAC admission policy is not configured by default; support for the U-APSD power-saving mode is disabled by default.
Configure WLAN QoS rate limit: Not configured by default.
Configure fair scheduling: Enabled by default.
The WLAN QoS rate limit function has the following options.
Configure the total traffic limit of the current AP in AP configuration mode. Use the no form of these commands to restore the default setting.
Configure the total traffic rate limit based on WLAN in WLAN configuration mode. Use the no form of these commands to restore the default setting.
Command Function
Ruijie(config-wlan)# wlan-qos wlan-based per-ap-limit up-streams intelligent
Configures the intelligent per-ap-limit for uplink traffic of the current WLAN.
per-ap-limit: limits the WLAN total for each AP.
up-streams: total upstream traffic limit of the WLAN.
intelligent: whether to enable the intelligent per-ap-limit.
Ruijie(config-wlan)# wlan-qos wlan-based per-ap-limit down-streams intelligent
Configures the intelligent per-ap-limit for downlink traffic of the current WLAN.
per-ap-limit: limits the WLAN total for each AP.
down-streams: total downstream traffic limit of the WLAN.
intelligent: whether to enable the intelligent per-ap-limit.
On a fat AP, the fair scheduling command is configured in global configuration (config) mode; use the show running-config command to view the configuration.
In fit AP mode, the fair scheduling function can only be configured on the AC.
Command Function
sta-fair mac-address priority priority
Specifies the fair scheduling priority for a specified user.
mac-address: the user's MAC address.
priority: the fair scheduling priority, in the range from 1 to 6.
Configuration Guide Configuring WLAN QoS
The following example sets the fair scheduling priority for user 0000.0000.0001 on the AC to 3.
Ruijie(config)# ac-controller
Ruijie(config-ac)# sta-fair 0000.0000.0001 priority 3
Command Function
wqos fs enable
Enables WQoS traffic statistics. This function is disabled by default. When dot1x authentication and Web authentication are both disabled, use this command to enable WQoS traffic statistics. If either of them is enabled, WQoS traffic statistics is already enabled and this command has no effect.
The following example enables WQoS traffic statistics for all APs associated with the AC.
Ruijie(config-ac)# wqos fs enable
RG-WLAN Series Access Point
Release 11.1(5)B6
Configuring WDS
Overview
A wireless distribution system (WDS) enables interconnection of APs via wireless bridges or repeaters to allow connection
of a distributed network and expansion of wireless signals.
AP Working Mode
In a WDS network, the APs work autonomously. You can configure different working modes for the APs according to the needs of the network. The roles of the working modes are described as follows:
Root AP: The wired interface of the AP is connected to the wired network; the wireless interface serves as a wireless
access point for connection with STAs (wireless terminals).
Root Bridge: The wired interface of the AP is connected to the wired network; the wireless interface serves as a wireless
bridge point for connection with non-root bridges.
Non-root Bridge: The wired interface of the AP is connected to the wired network; the wireless interface serves as a
wireless bridge point for connection with root bridges.
Based on the above AP working modes, WDS allows two network structures: point-to-point and point-to-multipoint.
Point-to-Point Structure
Since two wireless devices are connected directly to each other, this structure is suitable for a network connecting two fixed points.
The network topology is shown below:
The wired interface of the root bridge is connected to the wired network, and its wireless interface is connected to the
non-root bridge;
The wireless interface of the non-root bridge is connected to the root bridge, and its wired interface is connected to the
wired network;
Two separate wired networks are connected in a wireless manner through the wireless bridging between the root bridge
and the non-root bridge.
Point-to-Multipoint Structure
Since one point is connected wirelessly to multiple points, this structure is suitable for a network with a central point and multiple remote points. The network topology is shown below:
The root bridge serves as the root node, with its wireless interfaces connected to multiple non-root bridges.
The non-root bridges serve as leaf nodes, with their wireless interfaces connected to the root bridge and their wired interfaces connected to the designated wired networks.
If a root bridge is associated with multiple non-root bridges, multiple separate wired networks can be connected by wireless means.
Working Principles
Association with AP
Each AP corresponds to a basic service set (BSS), and each BSS is identified by a BSSID (which generally is the MAC address of the AP). The AP periodically broadcasts Beacon frames containing the SSID (name of the wireless LAN) and the BSSID. STAs listen to the Beacon frames; if the SSID in a Beacon frame matches the preset LAN name on the STA, the STA joins the LAN through that AP. If an STA finds that multiple APs are sending Beacons, it selects one of them to join the LAN. The STA connects to the AP by identifying the AP's BSSID and associating with it.
An AP cannot choose another AP to associate with on its own. The BSSID to be associated with must be designated for the AP so that it can establish a wireless connection with the corresponding AP. In a WDS network, the BSSID of the upper-level AP must be designated for APs in every working mode except root bridge, so that the APs associate level by level and finally form the corresponding network topology.
Configuration Guide Configuring WDS
Depending on the transmission type of an 802.11 MAC frame, its address structure has either three or four addresses. MAC frames transmitted between an AP and an STA have a three-address structure, while those transmitted between APs have a four-address structure.
As shown in the figure below, when STA 1 communicates with STA 2, STA 1 sends a three-address MAC frame to AP 2, with the three addresses carrying the MAC addresses of AP 2 (BSSID), STA 1 (source) and STA 2 (destination) respectively (see table STA 1->AP 2); AP 2 forwards the received MAC frame to STA 2 with the three addresses reordered to STA 2 (destination), AP 2 (BSSID) and STA 1 (source) (see table AP 2->STA 2). When STA 1 communicates with STA 3, which is associated with AP 1, AP 2 converts the three-address frame received from STA 1 into a four-address frame carrying the MAC addresses of AP 1 (receiver), AP 2 (transmitter), STA 3 (destination) and STA 1 (source), and forwards it to AP 1 (see table AP 2->AP 1); AP 1 converts the four-address frame back into a three-address frame and forwards it to STA 3.
Each wireless interface of an AP maintains two address tables: one caches information about the STAs associated with the current interface, while the other caches information about other reachable STAs and the next hops toward them.
When the wireless interface of an AP receives a MAC frame, it updates its cache tables based on the source address of the frame and then searches the cached address tables for the destination MAC address. If the destination address belongs to an STA associated with the current interface, the AP rewrites the frame into the three-address structure and forwards it locally. If the destination address belongs to an STA reachable through another AP, the AP rewrites the frame into the four-address structure and forwards it to the next-hop AP. If the destination address is not found, the MAC frame is dropped.
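The address rewriting and table lookups described above can be modelled in a few lines. The following Python example is added here and is not Ruijie code; the MAC addresses are constructed, and AP 2's knowledge that STA 3 is reachable via AP 1 is seeded by hand to stand in for an earlier bridged frame (labelled as such in the code). It follows the STA 1 -> STA 2, STA 1 -> STA 3 and STA 3 -> STA 1 exchanges, including the three-address to four-address conversion at the bridge, the learning of next hops from received four-address frames, and the drop of a frame addressed to an unknown STA.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Dot11Frame:
    """802.11 data-frame header fields that matter for WDS forwarding.

    Address meaning depends on the To DS / From DS flags (IEEE 802.11):
      to_ds=1, from_ds=0 (STA -> AP): addr1=BSSID, addr2=SA,    addr3=DA
      to_ds=0, from_ds=1 (AP -> STA): addr1=DA,    addr2=BSSID, addr3=SA
      to_ds=1, from_ds=1 (AP -> AP):  addr1=RA,    addr2=TA,    addr3=DA, addr4=SA
    """
    to_ds: bool
    from_ds: bool
    addr1: str
    addr2: str
    addr3: str
    addr4: Optional[str] = None

    @property
    def four_address(self) -> bool:
        return self.to_ds and self.from_ds

    def endpoints(self):
        """Return (destination, source) regardless of the address structure."""
        if self.four_address:
            return self.addr3, self.addr4
        if self.to_ds:
            return self.addr3, self.addr2
        if self.from_ds:
            return self.addr1, self.addr3
        return self.addr1, self.addr2          # IBSS frame: DA, SA, BSSID


class WdsAp:
    """One AP radio with the two cache tables described above: STAs associated
    locally, and STAs reachable through a bridge peer, keyed to the next-hop AP."""

    def __init__(self, mac: str):
        self.mac = mac
        self.local: Set[str] = set()
        self.remote: Dict[str, str] = {}

    def associate(self, sta: str) -> None:
        self.local.add(sta)

    def receive(self, frame: Dot11Frame) -> Optional[Dot11Frame]:
        da, sa = frame.endpoints()
        # 1. update the cache tables from the source side of the frame
        if frame.four_address:
            self.remote[sa] = frame.addr2        # sa is reachable via the transmitting AP
        elif frame.to_ds:
            self.local.add(sa)                   # sa is one of our own STAs
            self.remote.pop(sa, None)
        # 2. look the destination up and choose the outgoing address structure
        if da in self.local:
            return Dot11Frame(False, True, da, self.mac, sa)                   # three-address
        if da in self.remote:
            return Dot11Frame(True, True, self.remote[da], self.mac, da, sa)   # four-address
        return None                                                            # unknown: dropped


# Constructed addresses for the figure's topology: STA 3 on AP 1, STA 1 and STA 2 on AP 2.
AP1, AP2 = "00d0.f822.0001", "00d0.f822.0002"
STA1, STA2, STA3, STA9 = "0000.0000.0001", "0000.0000.0002", "0000.0000.0003", "0000.0000.0009"


def build_topology():
    ap1, ap2 = WdsAp(AP1), WdsAp(AP2)
    ap1.associate(STA3)
    ap2.associate(STA1)
    ap2.associate(STA2)
    ap2.remote[STA3] = AP1   # assumption: learned earlier from a frame AP 1 bridged to AP 2
    return ap1, ap2


def scenario():
    ap1, ap2 = build_topology()
    out = {}
    # STA 1 -> STA 2, same AP: three-address in, three-address out
    out["sta1_to_sta2"] = ap2.receive(Dot11Frame(True, False, AP2, STA1, STA2))
    # STA 1 -> STA 3, other AP: three-address in, four-address across the bridge
    bridged = ap2.receive(Dot11Frame(True, False, AP2, STA1, STA3))
    out["ap2_to_ap1"] = bridged
    # AP 1 learns that STA 1 sits behind AP 2 and delivers a three-address frame to STA 3
    out["ap1_to_sta3"] = ap1.receive(bridged)
    # STA 3 replies; AP 1 now knows the next hop for STA 1 without any seeding
    out["sta3_reply"] = ap1.receive(Dot11Frame(True, False, AP1, STA3, STA1))
    # destination known to nobody: dropped
    out["unknown"] = ap2.receive(Dot11Frame(True, False, AP2, STA1, STA9))
    return out


if __name__ == "__main__":
    for name, frame in scenario().items():
        print(f"{name:14s} {frame}")
```

The interesting line is the four-address frame AP 2 hands to AP 1: its receiver and transmitter fields name the two bridge radios, while destination and source still name the end stations, which is what lets AP 1 both learn STA 1's next hop and rebuild a correct three-address frame for STA 3.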
Configuring WDS
The configuration is described below. Use the no form of these commands to restore the default setting.
Command Function
Ruijie# config terminal
Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0
Enters the configuration mode of the designated wireless interface.
radio-id: specifies the radio of the AP. If radio-id is not specified, the configuration applies to all radios of all APs within the AP group.
Ruijie(config-if-Dot11radio X/Y)# station-role { root-ap | root-bridge bridge-wlan wlan-id | non-root-bridge }
Configures the AP working mode.
root-ap: sets the AP working mode to non-bridge (root AP) mode.
non-root-bridge: sets the AP working mode to non-root bridge.
root-bridge: sets the AP working mode to root bridge.
bridge-wlan wlan-id: WLAN ID used by the root bridge.
Ruijie(config-if-Dot11radio X/Y)# show running-config
Views the configuration result.
In fat AP mode, only the main interface can be used for bridging.
1. The WLAN must be bound to the related interfaces before bridging is configured on the non-root end.
2. It is recommended to configure the same channel on the non-root end and the root end so that bridging is established quickly.
By Configuring BSSID
To establish bridging with a specified root, configure the BSSID of the parent node on the non-root bridge.
Command Function
Ruijie# config terminal
Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0
Enters configuration mode of the specified wireless interface.
radio-id: the radio of the specified AP.
Ruijie(config-if-Dot11radio X/Y)# parent mac-address HHHH.HHHH.HHHH
Configures the parent node of the non-root bridge.
HHHH.HHHH.HHHH: BSSID of the specified root end, used as a fixed access point.
Ruijie(config-if-Dot11radio X/Y)# show running-config
Views the configuration.
By Configuring SSID
On the non-root bridge, configure the SSID of the parent node to establish bridging with the specified root.
Command Function
Ruijie# config terminal
Enters global configuration mode.
Ruijie(config)# interface dot11radio radio-id/0
Enters configuration mode of the specified wireless interface.
radio-id: the radio of the specified AP.
Ruijie(config-if-Dot11radio X/Y)# parent ssid ssid
Configures the parent node of the non-root bridge.
ssid: SSID of the specified root end, eligible for roaming.
The wds pre-config create command pre-configures a fat AP that is to work as a non-root bridge in fit mode.
The wds pre-config create command is configured only on fat APs. It saves the current non-root configuration of the fat AP as the pre-configuration for the non-root fit mode, and then restores the fat AP's default settings.
Before a non-root AP can work in the non-root fit mode, it must be pre-configured in this way.
When the WDS bridge mode is disabled, use the wds pre-config delete command to delete the pre-configuration files on the non-root end.
The following example pre-configures ruijie-root as the root end to be accessed on the fat AP.
Command Function
bridge with-client { enable | disable }
Enables or disables bridge coverage.
enable: enables bridge coverage.
disable: disables bridge coverage.
This function is disabled by default. Bridge coverage takes effect in a WDS network only after this function is enabled.
In the non-root bridge working mode, a modified bridge with-client command takes effect only after it is committed.
The following example enables WDS bridge coverage on APs in the root bridge mode.
Showing WDS
Command Function
show dot11 wds-bridge-info interface-name Displays WDS bridge configuration.
interface-name: Dot11radio interface name.
WBI 1/0
NONROOT 00d0.f822.3304
WBI 1/1
NONROOT 00d0.f822.3307
WBI 1/0
ROOT 32d0.f822.3303
Configuring Interface
Interface Overview
Ruijie devices support two types of interfaces: physical interfaces and logical interfaces. A physical interface has a corresponding physical hardware port on the device, for example a Fast Ethernet or Gigabit Ethernet interface.
A logical interface is an interface that has no corresponding physical hardware port on the device. A logical interface can
be associated with a physical interface or independent of physical interfaces. Examples are loopback interface, and tunnel
interface. For network protocols, physical interfaces and logical interfaces are treated in the same way.
Command Function
Ruijie(config)# interface interface-type interface-number
Creates an interface and enters the specified interface configuration mode.
Ruijie(config)# no interface interface-type interface-number
Deletes the specified interface.
For example, to enter port 0 of slot 0 of the Fast Ethernet, perform the following steps:
For the names of the various interface types, see the interface type table above.
For E1/CE1 interfaces, the interface number consists of the slot number, port number and channel number. For example, the first channel group of the third port of the E1/CE1 module in slot 2 is represented as serial 2/3:1.
Both async serial ports and the auxiliary port belong to the Async interface type. The interfaces are numbered so that the auxiliary port comes after the async serial ports. For example, when one 8-port async subcard is inserted into the device, the async ports 1-8 are numbered Async 1 to Async 8 and the auxiliary port is numbered Async 9. If there is no async serial port module on the device, the auxiliary port is numbered Async 1.
Command Function
interface range { port-range | macro macro_name }
Enters interface configuration mode on multiple interfaces, in global configuration mode.
port-range: specifies the interface type and ID range, in the form interface-type slot-number/interface-number. The interface can be either an Ethernet physical
Configuration Guide Configuring Interface
Use the define interface-range command to define a range of interfaces as the macro name and then use the interface
range macro macro_name command to enter interface configuration mode on multiple interfaces.
The following example enters interface configuration mode on multiple interfaces by defining the macro name.
Configuring IP Addresses
Every interface except the NULL interface can be assigned its own IP address, which you must consider when you use the interface. The following commands are available:
Command Function
Ruijie(config-if)# ip address ip-address ip-mask Configure the IP address of the interface.
Ruijie(config-if)# no ip address Delete the IP address of the interface.
For the details about the IP address configuration, see the related chapter in IP Address and Service Configuration Guide.
To configure an interface description, execute the following commands in interface configuration mode:
Command Function
Ruijie(config-if)# description interface-description
Describes the purpose of the specified interface; the description string may be up to 80 characters.
Ruijie(config-if)# no description
Deletes the description of the interface.
Command Function
Ruijie(config-if)# mtu bytes Configure the MTU size.
Ruijie(config-if)# no mtu Restore the default value of the MTU.
Configuring Bandwidth
The bandwidth value is used by some routing protocols (for example, OSPF) to calculate the route metric and by RSVP to calculate the reserved bandwidth. Modifying the interface bandwidth does not affect the actual data transmission rate of the physical interface.
To configure the bandwidth of the interface, execute the following commands in the interface configuration mode:
Command Function
Ruijie(config-if)# bandwidth kilobits Configure the bandwidth
Ruijie(config-if)# no bandwidth Remove the setting of the bandwidth
Command Function
Ruijie(config-if)# snmp-server if-index persist Enable the function of fixing interface index.
Ruijie(config-if)# no snmp-server if-index persist Disable the function of fixing interface index.
Configuration example
Command Function
snmp trap link-status
Sends LinkTrap on an interface, in interface configuration mode.
no snmp trap link-status
Disables this function.
Use this command to decide whether LinkTrap is sent for an interface (for instance, an Ethernet interface, AP interface or SVI). If the function is enabled, SNMP sends a LinkTrap whenever the link status of the interface changes.
The following example disables the sending of LinkTrap on the interface.
The list of the tasks for monitoring and maintaining the interfaces is as below:
You can use the show interface command to display the following information: interface and protocol status, MTU, bandwidth, loopback status, interface queue policy and usage, protocol communication, interface packet input/output and errors, and physical link status. This is the most commonly used command for checking the data-link-layer usage of an interface.
On a high-speed interface using the default FIFO queue policy, the output shows the queue usage, for example: "Queueing strategy: fifo Output queue 0/40, 0 drops; input queue 0/75, 0 drops". This means the output queue currently holds 0 packets out of a maximum of 40 with 0 drops, and the input queue currently holds 0 packets out of a maximum of 75 with 0 drops.
The following example displays the information of the sync serial interface.
Ruijie#
If you do not specify an interface, the link state statistics of all interfaces are displayed.
If you do not specify an interface, the bandwidth usage of all interfaces is displayed. Bandwidth here refers to the actual link bandwidth (the maximum speed of the link) rather than the bandwidth parameter configured on the interface.
If you do not specify an interface, the packet statistics on all interfaces are displayed.
Rxload refers to the receive bandwidth usage and Txload refers to the Tx bandwidth usage. InPkts is the
total number of receive unicast, multicast and broadcast packets. OutPkts is the total number of transmit
unicast, multicast and broadcast packets.
Packet increment in last sampling interval (5 seconds) represents the packet statistics increased during the
last sample interval (5 seconds).
The following example displays the packet statistics on interface GigabitEthernet 0/1 increased during the last sample
interval.
OutMulticastPkts : 100
The following example displays error packet statistics on interface GigabitEthernet 0/1.
Gi0/1 0 0 0 0
The following example displays packet receiving and transmitting rate on interface GigabitEthernet 0/1.
Sampling Time is the time when packets are sampled. Input rate is packet receiving rate and Output rate is
packet transmitting rate.
The following example displays packet statistics summary on interface GigabitEthernet 0/1.
InOctets is the total number of bytes (octets) received on the interface. InUcastPkts is the number of unicast packets received on the interface. InMulticastPkts is the number of multicast packets received on the interface. InBroadcastPkts is the number of broadcast packets received on the interface.
OutOctets is the total number of bytes (octets) transmitted on the interface. OutUcastPkts is the number of unicast packets transmitted on the interface. OutMulticastPkts is the number of multicast packets transmitted on the interface. OutBroadcastPkts is the number of broadcast packets transmitted on the interface.
Command Function
Ruijie# clear counters [ serial | async | FastEthernet | … ]
Clears the communication statistics counters of the interface shown by the show interface command, that is, resets them to 0.
Ruijie# clear interface [ serial | async | FastEthernet | … ]
Clears all state values of an interface.
For example, before you use the clear counters command, use the show interface serial 1/0 command to show the information of the interface:
Then, after clearing, use the show interface command again to show the information of the interface:
Overview
Layer-2 forwarding, a major function of an Ethernet switch, forwards packets based on data link layer information. The switch forwards a packet to the corresponding interface according to the destination MAC address carried in the packet, and stores the relationship between MAC addresses and interfaces in the MAC address table.
Every entry in the MAC address table is associated with a VLAN. Each VLAN logically maintains its own MAC address table, so the same MAC address may appear in more than one VLAN, and a MAC address learned in one VLAN is unknown to other VLANs and must be learned there again.
MAC address entries are updated and maintained in two ways: learned dynamically from received packets, or configured manually (static and filtering addresses).
The switch searches the MAC address table for the outgoing interface according to the destination MAC address and VLAN ID of the packet, and then forwards the packet in unicast, multicast or broadcast form:
Unicast forwarding: if the switch finds an entry for the destination MAC address and VLAN ID in the MAC address table and the entry points to a single outgoing interface, the packet is forwarded through that interface.
Multicast forwarding: if the switch finds an entry for the destination MAC address and VLAN ID in the MAC address table and the entry corresponds to a group of outgoing interfaces, the packet is forwarded through those interfaces directly.
Broadcast forwarding: if the switch receives a packet destined to ffff.ffff.ffff, or finds no entry for the destination in the MAC address table, the packet is flooded within the VLAN it belongs to, through all outgoing interfaces except the incoming interface.
Configuration Guide Configuring MAC Address
This chapter describes the management of dynamic, static and filtering addresses. For the management of multicast addresses, refer to IGMP Snooping Configuration.
A dynamic address is a MAC address learned automatically from the packets received by the switch. Only dynamic addresses are removed by the aging mechanism of the address table.
In general, the MAC address table is maintained by learning dynamic addresses. The operating principle is:
1) The MAC address table in the switch is empty and User A wants to communicate with User B. User A sends a packet into interface GigabitEthernet 0/2, and the MAC address of User A is learned into the MAC address table.
There is no entry for the MAC address of User B in the MAC address table, so the switch broadcasts the packet to all ports except the port of User A. User C therefore also receives the packet sent by User A, although it is not addressed to User C.
2) Upon receiving the packet, User B replies to User A through interface GigabitEthernet 0/3. The MAC address of User A exists in the MAC address table, so the packet is forwarded in unicast form to interface GigabitEthernet 0/2, and at the same time the switch learns the MAC address of User B. The difference from step 1 is that User C cannot receive the packet sent from User B to User A.
After the communication between User A and User B, the switch learns the source MAC addresses for User A and User B.
The mutual packets between User A and User B are forwarded in the unicast form and User C cannot receive them again.
In a stack system, the address tables of the member devices are not synchronized. For example:
Suppose device A and device B form a stack with device A as the master. When broadcast packets from MAC1 are sent to device A, the port on device A that receives the frames learns MAC1 and records it in the address table. Because the packets are also broadcast to device B through the stack port, the stack port on device B learns MAC1 as well, but the entry is not recorded in the address table.
If the MAC1 entry learned on the receiving port of device A is removed, MAC1 is also removed from the address table. The stack port of device B, however, still holds MAC1, so the hardware address tables of the master and slave devices become inconsistent. Packets destined to MAC1 that arrive on other ports of device A are not broadcast to device B, because the stack port of device B has already learned MAC1. Only after this entry ages out are such packets broadcast to the ports of device B.
Because the address tables of the stack members are not synchronized and hash-table conflicts may occur, in some extreme conditions the address table may contain too many entries and some entries may never age out. For example, device A and device B are IRF (stack) member devices and device A is the master. Port Bport of device B connects to a terminal device, such as a PC, which sends broadcast packets. Since the address tables of device A and device B are full and not synchronized, device B may hold an entry mac1+vid1+Bport that device A does not, so the address tables hold more entries than expected. The user then moves the PC with mac1 from Bport of device B to Aport of device A, so device A re-learns mac1+vid1. Because the address table of device A is full and mac1+vid1 is not in it, device A cannot learn the address. The IRF port broadcasts the packet to device B, which finds that mac1+vid1 already exists in its table and overwrites mac1+vid1+Bport with mac1+vid1+Aport. Because mac1+vid1+Bport is not removed from the address table while device B learns mac1+vid1+Aport, the mac1+vid1+Bport entry will not age out even after the aging time expires. To solve this problem, use the clear mac-address-table dynamic command to empty the address table.
Address Aging
The capacity of MAC address is restricted. The switch updates the MAC address list by learning new addresses and aging
out unused addresses.
For an address in the MAC address table, if the switch has not received any packet from the MAC address for a long time
(depending on the aging time), the address will be aged out and removed from the MAC address table.
A switch with multiple line cards learns MAC addresses on each line card independently. The MAC address learning process is as follows:
User A under Line Card 1 sends packets to User B. Because the MAC address of User B does not exist on the switch, the packets are broadcast to all line cards on the switch.
The switch learns the source address after receiving the packets from User A. Both Line Card 1 and Line Card 2 receive the packets from User A, so both learn the MAC address of User A at the same time.
After receiving the packets from User A, User B sends reply packets to Line Card 1. Since Line Card 1 has learned the MAC address of User A, the packets are sent in unicast form to the port of User A and are not sent to Line Card 2.
Because the reply packets from User B are forwarded to the port of User A only through Line Card 1, the switch learns the MAC address of User B only on Line Card 1; Line Card 2 cannot learn it.
When User C under Line Card 2 sends a packet to User A, Line Card 2 has learned the MAC address of User A, so the packet is forwarded to User A in unicast form.
When User C under Line Card 2 sends a packet to User B, Line Card 2 has not learned the MAC address of User B, so the packet is forwarded in broadcast form. User D, who is in the same VLAN as User C, also receives this packet. After the packet reaches Line Card 1, it is forwarded in unicast form to User B.
For a VLAN with a limit on dynamic addresses configured, only the specified number of MAC addresses can be learned. MAC addresses exceeding the upper limit are not learned, and packets destined to those MAC addresses are forwarded in broadcast form.
If the upper limit of dynamic addresses configured for a VLAN is less than the number of dynamic addresses already learned in that VLAN, the switch stops learning addresses in the VLAN and resumes learning only when address aging and deletion bring the number of addresses below the upper limit.
MAC address duplication, which copies a MAC address into the MAC address entry of a specified VLAN, is not restricted by the limit on dynamic MAC addresses learned in that VLAN.
Static Address
A static address is a manually configured MAC address. A static address functions the same way as a dynamic address; however, a static address can only be added and deleted manually and is neither learned nor aged out. A static address is stored in the configuration file and is not lost when the device restarts.
By configuring a static address manually, you bind the MAC address of a network device to an interface in the MAC address table.
Filtering Address
A filtering address is a manually configured MAC address. When the device receives packets whose source is a filtering address, it discards them directly. A filtering address can only be added and deleted manually and is never aged out. A filtering address is stored in the configuration file and is not lost when the device restarts.
If you want the device to filter out certain invalid users, specify their source MAC addresses as filtering addresses. These invalid users then cannot communicate with the outside through the device.
A filtering address does not apply to packets sent to the CPU. For example, if the Layer-2 source MAC address of an ARP packet is a filtering address, the ARP packet can still be sent to the CPU, but it cannot be forwarded.
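The learning walkthrough, the aging mechanism, the per-VLAN dynamic limit and the static and filtering addresses described in this section fit together in one small model. The following Python simulation is an added example, not Ruijie code; the interfaces GigabitEthernet 0/2 and 0/3 for User A and User B and the 300-second aging time follow the text above, while the MAC addresses, User C's port (GigabitEthernet 0/4) and the limit applied to VLAN 2 are constructed assumptions. It reproduces the User A / User B / User C exchange, ages out the address that has fallen silent, drops frames sourced from a filtering address, and shows that a static entry survives aging.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING = 300            # seconds, the default dynamic-address aging time


@dataclass
class Entry:
    port: Optional[str]        # None for filtering addresses (they have no egress port)
    kind: str                  # "dynamic", "static" or "filter"
    last_seen: float           # refreshed on every frame for dynamic entries


class MacTable:
    """Per-VLAN MAC address table of a Layer-2 switch (simplified model)."""

    def __init__(self, ports: List[str], aging_time: int = DEFAULT_AGING):
        self.ports = list(ports)
        self.aging_time = aging_time
        self.tables: Dict[int, Dict[str, Entry]] = {}   # vlan -> {mac: Entry}
        self.limits: Dict[int, int] = {}                # vlan -> max dynamic entries

    def _vlan(self, vlan: int) -> Dict[str, Entry]:
        return self.tables.setdefault(vlan, {})

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self._vlan(vlan)[mac] = Entry(port, "static", 0.0)

    def add_filter(self, vlan: int, mac: str) -> None:
        self._vlan(vlan)[mac] = Entry(None, "filter", 0.0)

    def set_dynamic_limit(self, vlan: int, limit: int) -> None:
        self.limits[vlan] = limit

    def dynamic_count(self, vlan: int) -> int:
        return sum(1 for e in self._vlan(vlan).values() if e.kind == "dynamic")

    def learn(self, vlan: int, mac: str, port: str, now: float) -> bool:
        table = self._vlan(vlan)
        entry = table.get(mac)
        if entry is not None and entry.kind != "dynamic":
            return False        # learning never overwrites static or filtering entries
        if entry is None and self.dynamic_count(vlan) >= self.limits.get(vlan, 1 << 30):
            return False        # per-VLAN dynamic limit reached: address is not learned
        table[mac] = Entry(port, "dynamic", now)      # add, or refresh port and timestamp
        return True

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                now: float) -> Tuple[str, List[str]]:
        """Decide the fate of one frame: ('drop' | 'unicast' | 'flood', egress ports)."""
        table = self._vlan(vlan)
        s = table.get(src)
        if s is not None and s.kind == "filter":
            return "drop", []                    # frames from a filtering address are discarded
        self.learn(vlan, src, in_port, now)      # source learning happens on every frame
        d = table.get(dst)
        if dst == BROADCAST or d is None or d.port is None:
            return "flood", [p for p in self.ports if p != in_port]   # unknown or broadcast
        return "unicast", [d.port]

    def age(self, now: float) -> List[Tuple[int, str]]:
        """Remove dynamic entries idle for aging_time or longer; return what was removed."""
        removed = []
        for vlan, table in self.tables.items():
            for mac, e in list(table.items()):
                if e.kind == "dynamic" and now - e.last_seen >= self.aging_time:
                    del table[mac]
                    removed.append((vlan, mac))
        return removed


# Constructed addresses for User A, User B and User C of the walkthrough above.
A, B, C = "0000.0000.000a", "0000.0000.000b", "0000.0000.000c"


def walkthrough():
    t = MacTable(ports=["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4"])
    steps = {}
    # 1) A -> B: B is unknown, so the frame is flooded to every port except A's; A is learned
    steps["a_to_b"] = t.forward(1, A, B, "Gi0/2", now=0)
    # 2) B -> A: A is known, so the reply is unicast to Gi0/2; B is learned
    steps["b_to_a"] = t.forward(1, B, A, "Gi0/3", now=1)
    # 3) A -> B again: now unicast to Gi0/3, User C on Gi0/4 no longer sees it
    steps["a_to_b_again"] = t.forward(1, A, B, "Gi0/2", now=2)
    # Aging: B has been silent for 300 s and is removed; A was refreshed at t=2 and stays
    steps["aged"] = t.age(now=301)
    # Filtering address: anything sourced from C is dropped (assumed C on Gi0/4)
    t.add_filter(1, C)
    steps["c_filtered"] = t.forward(1, C, A, "Gi0/4", now=302)
    # Per-VLAN dynamic limit of 1 in VLAN 2: the second address is not learned
    t.set_dynamic_limit(2, 1)
    t.forward(2, A, B, "Gi0/1", now=303)
    t.forward(2, B, A, "Gi0/2", now=304)
    steps["vlan2_dynamic"] = t.dynamic_count(2)
    # A static entry for B survives aging, so A -> B stays unicast after everything else aged
    t.add_static(1, B, "Gi0/3")
    t.age(now=10_000)
    steps["static_kept"] = t.forward(1, A, B, "Gi0/2", now=10_000)
    return steps


if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:14s} {result}")
```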
After MAC address change notification is enabled, a MAC address change notification is generated and sent in the form of an SNMP Trap message to the specified NMS whenever the switch learns a new MAC address or ages out a learned MAC address.
The notification about adding a MAC address tells you that a newcomer (identified by the MAC address) is using the device. The notification about deleting a MAC address (because the user did not communicate through the device within the aging time) tells you that a user no longer uses the device.
When many users use the device, many MAC address changes may occur in a short period (for example, when the device is powered on), generating additional network traffic. To relieve the network burden, you can set the interval for sending MAC address notifications. All notifications generated within the interval are bundled into one SNMP Trap message, so one notification message carries multiple MAC address changes, reducing network traffic significantly.
When a MAC address change notification is generated, it is also recorded in the MAC address notification history list. Even if no NMS has been specified to receive the SNMP Trap messages, the administrator can view the address changes by checking the MAC address notification history list.
MAC address change notification is effective only for dynamic addresses, not for static addresses or filtering addresses.
IP address and MAC address binding lets you filter packets. After you bind an IP address to a MAC address, the switch accepts only IP packets whose source IP address and source MAC address match the binding; any other packet is discarded.
IP address and MAC address binding therefore lets you check the legitimacy of the input sources. Note that this function takes precedence over 802.1X, port-based security and ACLs.
There are three address binding modes: compatible, loose and strict. By default, the address binding mode is strict. The following table lists the corresponding forwarding rules:
By default, the IP address and MAC address binding function is effective on all ports. You can configure the exceptional
ports to make this address binding function ineffective on some ports.
Because the binding relationship on the uplink port is uncertain, generally the uplink port is configured as the
exceptional port. It is not necessary to check the IP address and MAC address binding on the uplink port.
Related Protocols
IEEE Std 802.3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer specifications
IEEE Std 802.1Q: Virtual Bridged Local Area Networks
Function Default
Dynamic address aging time 300 seconds
MAC address learning on a port Enabled
Limit of VLAN dynamic address Disabled
MAC address change notification Disabled
The following example shows how to clear all dynamic addresses in VLAN 1 on interface GigabitEthernet 0/1:
Viewing Configurations
Command: Ruijie# show mac-address-table dynamic
Function: Show all dynamic addresses.
Command: Ruijie# show mac-address-table dynamic address mac-address [ vlan vlan-id ]
Function: Show the specified dynamic MAC address. mac-address: the specified MAC address. vlan-id: the specified VLAN to which the MAC address belongs.
Command: Ruijie# show mac-address-table dynamic interface interface-id [ vlan vlan-id ]
Function: Show all dynamic addresses on the specified port or Aggregate Port. interface-id: the specified port or Aggregate Port. vlan-id: the specified VLAN to which the dynamic address belongs.
Command: Ruijie# show mac-address-table dynamic vlan vlan-id
Function: Show all dynamic addresses in the specified VLAN. vlan-id: the specified VLAN to which the dynamic address belongs.
Command: Ruijie# show mac-address-table count [ interface interface-id | vlan vlan-id ]
Function: Show the statistics in the MAC address table. interface-id: show address entry statistics of the specified interface. vlan-id: show address entry statistics of the specified VLAN.
The following example shows all dynamic MAC addresses in VLAN 1 on interface GigabitEthernet 0/1:
The following example shows the statistics in the MAC address table:
Command: Ruijie(config)# mac-address-table aging-time [ 0 | 10-1000000 ]
Function: Set the time for which an address is kept in the dynamic MAC address table after it has been learned, in the range of 10 to 1000000 seconds (300 seconds by default). When the aging time is set to 0, address aging is disabled and learned addresses are never aged out.
Command: Ruijie(config)# no mac-address-table aging-time
Function: Restore the aging time to the default value.
The following example shows how to set the address aging time to 180 seconds:
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#mac-address-table aging-time 180
Viewing Configurations
Command: Ruijie# show mac-address-table aging-time
Function: Show the aging time of all addresses.
The following example shows how to view the address aging time configurations:
The actual aging time of a MAC address table entry may differ from the configured value. However, it will not exceed twice the configured value.
Command: Ruijie(config)# mac-address-table static mac-address vlan vlan-id interface interface-id
Function: mac-addr: specify the destination MAC address to which the entry corresponds. vlan-id: specify the VLAN to which this address belongs. interface-id: specify the interface (physical port or aggregate port) to which the packet is forwarded. Upon receiving packets to the destination MAC address in the VLAN, the switch forwards them to the interface.
Command: Ruijie(config)# no mac-address-table static mac-address vlan vlan-id interface interface-id
Function: Remove the static MAC address entries.
The following example shows how to configure the static address 00d0.f800.073c. When a packet to this address is
received in VLAN 4, it is forwarded to GigabitEthernet 0/3.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Viewing Configurations
Command: Ruijie# show mac-address-table static
Function: Show the information of all the static MAC addresses.
The following example shows how to view the information of all the static MAC addresses:
Command: Ruijie(config)# mac-address-table filtering mac-addr vlan vlan-id
Function: mac-addr: specify the MAC address to be filtered by the device. vlan-id: specify the VLAN to which this address belongs.
Command: Ruijie(config)# no mac-address-table filtering mac-addr vlan vlan-id
Function: Remove the filtering MAC address entries.
The following example shows how to configure the filtering address 00d0.f800.073c. When a packet to or from this
address is received in VLAN 4, it will be discarded.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# mac-address-table filtering 00d0.f800.073c vlan 4
The following example shows how to remove the filtering address 00d0.f800.073c.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#no mac-address-table filtering 00d0.f800.073c vlan 4
Viewing Configurations
Command: Ruijie# show mac-address-table filtering
Function: Show the information of all the filtering MAC addresses.
The following example shows how to view the information of all the filtering MAC addresses:
To configure the MAC address change notification function, execute the following command:
Command: Ruijie(config)# snmp-server host host-addr traps [ version { 1 | 2c | 3 [ auth | noauth | priv ] } ] community-string
Function: Configure the NMS that receives the MAC address change notification. host-addr: IP address of the receiver. version: specify the version of the SNMP Trap message to be sent. community-string: specify the authentication name carried in the SNMP Trap message.
Command: Ruijie(config)# snmp-server enable traps
Function: Allow the switch to send SNMP Trap messages.
Command: Ruijie(config)# mac-address-table notification
Function: Turn on the global switch of the MAC address change notification function.
Command: Ruijie(config)# mac-address-table notification { interval value | history-size value }
Function: interval value: interval for generating MAC address change notifications (optional), in the range of 1 to 3600 seconds, 1 second by default. history-size value: maximum number of records in the MAC notification history list, in the range of 1 to 200, 50 by default.
Command: Ruijie(config-if)# snmp trap mac-notification { added | removed }
Function: Enable MAC address change notification on the interface. added: send a notification when a MAC address is added on this interface. removed: send a notification when an address is deleted.
To disable the MAC address change notification function, use the no snmp-server enable traps command in the global
configuration mode. To turn off the global switch of the MAC address change notification function, use the no
mac-address-table notification command. To disable the MAC address change notification function on a specified
interface, use the no snmp trap mac-notification {added | removed} command in the interface configuration mode.
This example shows how to enable the MAC address change notification function, use public as the authentication name to send a MAC address change notification to the NMS whose IP address is 192.168.12.54 at an interval of 40 seconds, set the size of the MAC address change history list to 100, and enable the MAC address change notification function on gigabitethernet 0/1 when a MAC address is added or removed.
In the privileged EXEC mode, you can view the information on the MAC address table of the device by using the
commands listed in the following table:
Command: Ruijie# show mac-address-table notification
Function: Show the global configuration of the MAC address change notification function.
Command: Ruijie# show mac-address-table notification interface
Function: Show the configuration of MAC address change notification on the interface.
Command: Ruijie# show mac-address-table notification history
Function: Show the history list of MAC address change notifications.
The following examples show how to view the MAC address change notification.
As Figure-1-7 shows, the database server connects to the Ethernet switch through the interface GigabitEthernet 0/11, the
web server connects to the Ethernet switch through the interface GigabitEthernet 0/10, and the server administrator
connects to the switch through the interface GigabitEthernet 0/12. Other users access the web server through the
interface GigabitEthernet 0/5. All data are forwarded in VLAN 10.
Application Requirements
The static MAC address configuration ensures that the data exchanged between the web server and the database server, and between the administrator and the servers, is forwarded as unicast. This prevents the data from being broadcast into the user network and so protects the information exchanged between the web server and the database server, and between the administrator and the servers.
Configuration Tips
The following three key points shall be ensured when configuring the static MAC address entries:
Upon receiving the packets to the destination MAC address in the VLAN, the switch will forward them to the specified
interface.
The following table shows the corresponding relationship among the MAC address, VLAN ID and interface ID in this
configuration example.
Configuration Steps
Ruijie>en
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
! Add the static MAC addresses (Specify the VLAN and interface to which this address belongs).
Verifications
As Figure 1-8 shows, the users connect to the switch through the interface GigabitEthernet 0/2.
Application Requirements
In order to facilitate network access management for an administrator, the following requirements are expected through
the configuration:
Upon receiving a new MAC address or aging a learnt MAC address on the interface connected to the user, the
switch will record the address change information in the MAC address notification history list, so that the
administrator could view the information about address change by checking the MAC address notification history list.
Meanwhile, the MAC address change notification will be sent in SNMP Trap message form to the specified NMS.
When many users use the device, avoid generating lots of MAC address changes in a short period of time to reduce
network burden.
Configuration Tips
Enable the MAC address change notification function globally, and configure the MAC address change notification
on the interface Gi 0/2.
Configure the NMS host address, and enable the switch to actively send the SNMP Trap notification. The route from
the switch to the NMS (Network Management Station) should be reachable.
Set the interval of sending the MAC address change notification to 300 seconds (the default interval is 1 second). All
the notification messages within the interval time will be bundled in one SNMP Trap message. So one notification
message includes multiple MAC address changes, reducing network traffic significantly.
Configuration Steps
Step1: Enable the global MAC address change notification function on the switch.
Ruijie>enable
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#mac-address-table notification
Step2: Set the interval of sending MAC address change notification to 30 seconds.
Step3: Enable the MAC address change notification function on the interface Gi 0/2.
! Enable the device to send notification when an address is added on this interface.
! Enable the device to send notification when an address is deleted on this interface.
Step4: Configure the NMS which receives the MAC address change notification, with IP address being 192.168.1.10,
message format being Version 2c and authentication name being comefrom2.
Verifications
Step2: Display the status of MAC address change notification function on the interface.
Use the clear mac-address-table dynamic address 00d0.3232.0003 command to simulate the address aging.
Configuring VLAN
Overview
A Virtual Local Area Network (VLAN) is a logical network divided from a physical network; it corresponds to the L2 network in the ISO model. The division of VLANs is not restricted by the physical location of network ports. A VLAN has the same attributes as a common physical network, except that it has no restriction on physical location: unicast, broadcast and multicast frames at layer 2 are forwarded and distributed within a VLAN and cannot go directly to other VLANs. Therefore, when a host in one VLAN wants to communicate with a host in another VLAN, a layer 3 device must be used, as shown in the following diagram.
You can define a port as the member of a VLAN. All the terminals connected to the specified port are part of the VLAN. A
network can support multiple VLANs. In this case, when you add, delete, and modify users in the VLANs, you do not need
to modify the network configuration physically.
Like a physical network, a VLAN is usually connected to an IP subnet. A typical example is that all the hosts in the same
IP subnet belong to the same VLAN. A layer 3 device must be used for communication between VLANs. Ruijie L3 devices
can perform IP routing between VLANs through SVI (Switch Virtual Interfaces). For the configuration about SVI, refer to
Interface Management Configuration and IP Unicast Routing Configuration.
Supported VLAN
Complying with the IEEE 802.1Q standard, our products support up to 4094 VLANs (VLAN ID 1-4094), in which VLAN 1 is the default VLAN that cannot be deleted.
Configuration Guide Configuring VLAN
Configuring a VLAN
A VLAN is identified by its VLAN ID. You can add, remove, and modify the VLANs in the range of 2 to 4094 on a device.
VLAN 1 is created by a device automatically and cannot be removed.
You can configure the member type of a port in a VLAN, add a port to a VLAN, and remove a port from a VLAN in the
interface configuration mode.
Creating/Modifying VLAN
In the privileged EXEC mode, you can create or modify a VLAN by executing the following commands.
Command: Ruijie(config)# vlan vlan-id
Function: Enter a VLAN ID. If you enter a new VLAN ID, the device will create it. If you enter an existing VLAN ID, the device modifies the corresponding VLAN.
Command: Ruijie(config)# name vlan-name
Function: (Optional) Name the VLAN. If you skip this step, the device automatically assigns the VLAN a name of VLAN xxxx, where xxxx is a 4-digit VLAN ID starting with 0. For example, VLAN 0004 is the default name of VLAN 4.
To restore the name of a VLAN to its default, simply enter the no name/default name command.
The following example creates VLAN 888, names it test888, and saves its configuration into the configuration file:
Deleting VLAN
You cannot delete the default VLAN (VLAN 1). The default VLAN is a static VLAN.
In the global configuration mode, you can delete a VLAN by executing the following command.
Command: Ruijie(config)# no vlan { vlan-id | range vlan-range }
Function: Enter the VLAN ID that you want to delete.
Command: Ruijie(config)# default vlan { vlan-id | range vlan-range }
Function: Enter the VLAN ID that you want to delete.
Configuration Guide Configuring VLAN Group
Overview
A VLAN group containing multiple VLANs can be associated with a wireless LAN (WLAN) to form a mapping between one WLAN and N VLANs, so that VLANs can be flexibly assigned to STAs that access the WLAN. VLANs can be assigned in one of two modes:
The authentication server assigns VLANs to STAs that pass 802.1x authentication.
VLANs are assigned to STAs based on the availability of addresses in the address pool of the DHCP server.
In the figure above, multiple STAs access the same WLAN. VLANs in the VLAN group associated with the
WLAN are assigned to the STAs. The STAs in the same WLAN can be assigned with the same or different
VLANs.
To better understand the subsequent configuration process, learn about the following concepts:
VLAN Group
VLAN group: You can add multiple VLANs to one VLAN group. When STAs access a WLAN, VLANs in the VLAN group associated with the WLAN are assigned to the STAs.
Working Principle
The process of assigning VLANs through 802.1x is as follows:
Before a user passes authentication, the VLAN that belongs to the user is the default VLAN of the VLAN group associated
with the current WLAN.
After the STA in the default VLAN is authenticated, the authentication server assigns a VLAN to the STA.
If the authentication server assigns a VLAN, packets sent by the STA are transmitted over the VLAN.
If the authentication server does not assign a VLAN to the STA, the packets from the STA are transmitted over the default
VLAN.
The process of assigning VLANs based on the VLAN assignment state of the address pool on the DHCP server is as follows:
The device checks and records the VLAN assignment state of the DHCP server corresponding to each VLAN in a VLAN group. If an STA sends multiple consecutive DHCP requests in a VLAN but receives no response, the device records the VLAN assignment state of that VLAN's DHCP server as not assignable.
When an STA accesses the WLAN, the device checks whether the VLAN assignment state of the DHCP servers corresponding to the VLANs in the VLAN group is assignable.
If such a VLAN exists, the device randomly assigns one of these VLANs to the STA. The STA then applies to the DHCP server corresponding to that VLAN for an IP address. After obtaining the IP address, the STA sends packets over the VLAN.
If there is no such VLAN, the device records the VLAN assignment state of the DHCP servers corresponding to all VLANs in the VLAN group as not assignable.
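The DHCP-based assignment procedure above, as an added simulation that is not Ruijie code: a per-VLAN assignable state driven by unanswered DHCP requests, and a random pick among the VLANs still recorded as assignable. The number of consecutive unanswered requests that marks a VLAN not assignable is an assumed parameter (the page says only "multiple"), and because the page does not say how a VLAN becomes assignable again, re-enabling is an explicit, assumed `mark_assignable` call.

```python
"""Simulation of DHCP-pool-based VLAN assignment in a VLAN group.
Added example; not Ruijie code. Threshold and re-check hook are assumptions."""
import random
from typing import Dict, List, Optional


class VlanGroupAssigner:
    """Tracks, per VLAN in the group, whether its DHCP server is assignable and picks
    a VLAN for each STA that joins the WLAN, following the steps on the page."""

    def __init__(self, vlans: List[int], max_unanswered: int = 3, seed: Optional[int] = None):
        if not 1 <= len(vlans) <= 128:          # a VLAN group holds up to 128 VLANs
            raise ValueError("a VLAN group holds 1 to 128 VLANs")
        if max_unanswered < 1:
            raise ValueError("threshold must be at least 1")
        # Assumed threshold: the page only says "multiple consecutive" unanswered requests.
        self.max_unanswered = max_unanswered
        self.assignable: Dict[int, bool] = {v: True for v in vlans}
        self.unanswered: Dict[int, int] = {v: 0 for v in vlans}
        self.sta_vlan: Dict[str, int] = {}
        self._rng = random.Random(seed)         # seeded only to make runs reproducible

    def assign(self, sta_mac: str) -> Optional[int]:
        """Pick one assignable VLAN at random; None if no VLAN is assignable."""
        candidates = [v for v, ok in self.assignable.items() if ok]
        if not candidates:
            # No assignable DHCP server: record every VLAN in the group as not assignable.
            for v in self.assignable:
                self.assignable[v] = False
            self.sta_vlan.pop(sta_mac, None)
            return None
        vlan = self._rng.choice(candidates)
        self.sta_vlan[sta_mac] = vlan
        return vlan

    def dhcp_request(self, sta_mac: str, answered: bool) -> bool:
        """Account for one DHCP request the STA sent in its VLAN.
        Returns whether that VLAN is still recorded as assignable."""
        vlan = self.sta_vlan[sta_mac]
        if answered:
            self.unanswered[vlan] = 0           # a response breaks the consecutive run
        else:
            self.unanswered[vlan] += 1
            if self.unanswered[vlan] >= self.max_unanswered:
                self.assignable[vlan] = False
        return self.assignable[vlan]

    def mark_assignable(self, vlan: int) -> None:
        """Assumed re-check hook: the page does not say how a VLAN becomes assignable again."""
        self.assignable[vlan] = True
        self.unanswered[vlan] = 0
```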
Protocol Specification
None
Default Configuration
Use the following commands to create a VLAN group and associate it with a WLAN: (For details about these commands,
refer to command reference.)
Command: Ruijie# configure terminal
Function: Enters global configuration mode.
Command: Ruijie(config)# vlan-group group-id
Function: Creates a VLAN group and enters VLAN group configuration mode.
Command: Ruijie(config-vlan-group)# vlan-assign-mode dot1x
Function: Configures the VLAN assignment mode for the VLAN group. dot1x: indicates that the authentication server assigns VLANs to users that pass 802.1x authentication.
Command: Ruijie(config-vlan-group)# vlan-list vlan-list
Function: Configures the list of VLANs in the VLAN group. vlan-list: specifies a VLAN list for the VLAN group. A VLAN group includes up to 128 VLANs.
The example below creates VLAN group 100, specifies the 802.1x-based VLAN assignment mode, adds VLANs 1-10 to
the VLAN group, and configures VLAN 1 as the default VLAN:
On an AP, use the following commands to map a WLAN to a VLAN group: (For details about these commands, refer to
command reference.)
Command: Ruijie# configure terminal
Function: Enters global configuration mode.
Command: Ruijie(config)# dot11 wlan wlan-id
Function: Creates a WLAN and enters WLAN configuration mode.
Command: Ruijie(dot11-wlan-config)# vlan-group group-id
Function: Maps the WLAN to the VLAN group.
Command: Ruijie(dot11-wlan-config)# end
Function: Exits from WLAN configuration mode.
Command: Ruijie(config)# interface interface-name
Function: Enters WLAN sub-interface configuration mode.
Command: Ruijie(config-subif)# encapsulation dot1Q [group] {vlan-id | vlan-group-id}
Function: Configures VLAN group encapsulation for the sub-interface. vlan-id: specifies a VLAN ID. vlan-group-id: VLAN group ID, in the range from 1 to 128.
Command: Ruijie(config-subif)# end
Function: Exits from WLAN configuration mode.
The example below maps WLAN 100 to VLAN group 10 on a fat AP:
Command: Ruijie# configure terminal
Function: Enters global configuration mode.
Command: Ruijie(config)# ap-group group-name
Function: Creates an AP group and enters AP group configuration mode.
Command: Ruijie(config-ap-group)# interface-mapping wlan-id group group-id
Function: Maps the WLAN to the VLAN group.
Command: Ruijie(config-ap-group)# end
Function: Exits from AP group configuration mode.
The example below maps WLAN 100 to VLAN group 100 for the AP group default on an AC:
In privileged EXEC mode, use the following command to display VLAN group configuration.
Command: Ruijie# show vlan-group [ group-id ]
Function: Displays configuration information about a specific VLAN group or all VLAN groups.
The example below displays configuration information about all VLAN groups.
In a WLAN, users are classified into leaders, staff, and visitors. They can access the device through the same WLAN but
with different access rights.
Network Topology
Map WLAN 1 to VLAN group 100. When an STA accesses WLAN 1, the authentication server authenticates the STA
through 802.1x. If the STA passes the authentication, the authentication server assigns VLAN 10 to leaders, VLAN
20 to staff, and VLAN 30 to visitors.
Key Points
Map a WLAN to a VLAN group to form mapping between a WLAN and N VLANs. Assign different VLANs to the
STAs in the same WLAN.
Configure 802.1x-based authentication for WLAN 1. Assign different VLANs to STAs in different WLANs.
Configuration Procedure
APs use the default thin AP plus aggregate forwarding mode. They are uniformly configured by the AC.
Create a VLAN group, and add VLANs 10, 20, and 30 to the VLAN group. Set VLAN 30 as the default VLAN for visitors.
Create WLAN 1 and configure 802.1x-based authentication as the authentication mode and AES as the encryption mode
for the WLAN.
If different types of user accounts are opened on the authentication server, specify the VLAN to be assigned for each type
of users.
Configuring LLDP
LLDP Overview
Defined in IEEE 802.1AB, LLDP (Link Layer Discovery Protocol) can detect network topology changes and identify what changed. With LLDP, a device sends its local device information as TLV (Type, Length, Value) triplets in LLDP Data Units (LLDPDUs) to neighboring devices, and at the same time stores the device information received in LLDPDUs from its LLDP neighbors in a standard management information base (MIB) that the network management system can access.
Through LLDP, the network management system can learn about the state of topological connections, such as which
ports of the device are connected to other devices, the rate of ports on both sides of link, and whether the duplex mode is
matched. The network administrator can quickly locate and eliminate faults according to such information.
Basic Concepts
LLDPDU
An LLDPDU is the data unit encapsulated in an LLDP packet. It comprises a sequence of TLVs: three fixed TLVs, a number of optional TLVs and an End Of LLDPDU TLV. The detailed format of an LLDPDU is shown in Fig 1:
In LLDPDU, Chassis ID TLV, Port ID TLV, Time To Live TLV and End Of LLDPDU TLV are fixed TLVs, while other
TLVs are optional.
LLDP packet supports two encapsulation formats: Ethernet II and SNAP (Subnetwork Access Protocols).
Specifically:
TLV
Basic management TLVs are a group of basic TLVs for network management. Organizationally specific TLVs are TLVs defined by standards organizations and other organizations, such as IEEE 802.1 and IEEE 802.3.
Basic management TLVs include two types of TLVs: fixed TLVs and optional TLVs. Fixed TLVs must be included in
LLDPDU, while optional TLVs can be included or excluded according to need.
Configuration Guide Configuring LLDP
Different organizations (such as IEEE 802.1, IEEE 802.3, IETF or device suppliers) may define specific TLVs to advertise
specific information about the device, and OUI (Organizationally Unique Identifier) is used to identify different
organizations.
Organizationally specific TLVs are optional TLVs advertised in LLDPDU according to user's actual needs. Currently,
commonly found organizationally specific TLVs include:
1) IEEE 802.1 organizationally specific TLVs
Port VLAN ID TLV: VLAN identifier of the sending port
Port And Protocol VLAN ID TLV: Protocol VLAN identifier of the sending port
VLAN Name TLV: Name of a VLAN with which the device is configured
Protocol Identity TLV: Protocols supported by the port
2) IEEE 802.3 organizationally specific TLVs
MAC/PHY Configuration/Status TLV: The bit rate and duplex capabilities of the sending port and support for auto-negotiation
Power Via MDI TLV: Power supply capability of the port
Link Aggregation TLV: Link aggregation capability of the port and the aggregation status
Maximum Frame Size TLV: The maximum frame size supported by the port
3) LLDP-MED TLVs
LLDP-MED is the extension of IEEE 802.1AB LLDP protocol, so that the user can conveniently deploy VoIP (Voice Over
IP) network and fault detection. It provides multiple applications such as network policy configuration, device detection,
PoE management and directory management, providing a cost-effective and easy-to-use solution for deploying voice
devices in Ethernet.
LLDP-MED Capabilities TLV: Whether the device supports LLDP-MED, the types of LLDP-MED TLVs encapsulated in the LLDPDU, and the type of the current device (network connection device or endpoint)
Network Policy TLV: Advertises the VLAN configuration of the specific port, the supported applications (voice and video, for example), and the Layer 2 priorities
Location Identification TLV: Location identifier information for an endpoint, used to accurately locate the endpoint in applications such as network topology collection
Extended Power-via-MDI TLV: Provides more advanced power supply management
Inventory – Hardware Revision TLV: Hardware version of the MED device
Inventory – Firmware Revision TLV: Firmware version of the MED device
Inventory – Software Revision TLV: Software version of the MED device
Inventory – Serial Number TLV: Serial number of the MED device
Inventory – Manufacturer Name TLV: Vendor name of the MED device
Inventory – Model Name TLV: Model name of the MED device
Inventory – Asset ID TLV: Asset ID of the MED device, used for directory management and asset tracking
Working Principles
Operating Modes of LLDP
When the LLDP operating mode of a port changes, the port will initialize the protocol state machine. To prevent LLDP
from being initialized too frequently during times of frequent operating mode change, you can configure a re-initialization
delay.
An LLDP-enabled port operating in TxRx mode or Tx Only mode will send LLDPDUs both periodically and when the local
device information changes. To avoid frequent LLDPDU sending during times of frequent local device information change,
an interval is introduced between two successive LLDPDUs. This interval can be configured manually.
Standard LLDPDUs: carry the management and configuration information of the local device.
Shutdown LLDPDUs: sent when the LLDP sending mode is disabled or when the port is administratively shut down. A shutdown LLDPDU generally comprises a Chassis ID TLV, Port ID TLV, Time To Live TLV and End Of LLDPDU TLV, with the TTL in the Time To Live TLV set to 0. When a device receives a shutdown LLDPDU, it considers the neighbor no longer available and deletes the neighbor information.
When LLDP operating mode changes from shutdown or Rx to TxRx or Tx, or when a new neighbor is detected (namely
new LLDPDUs are received and no such neighbor information is stored locally), to allow the neighbor device to quickly
study the information about this device, the fast sending mechanism will be initiated. The fast sending mechanism adjusts
the LLDPDU sending interval to 1 second and continuously transmits a certain number of LLDPDUs.
An LLDP-enabled port operating in TxRx mode or Rx Only mode can receive LLDPDUs. It checks the validity of each received LLDPDU and determines whether it carries new neighbor information or an update of existing neighbor information; the neighbor information is then stored on the local device. Meanwhile, an aging timer is set according to the value in the TTL TLV carried in the LLDPDU. If the TTL value is zero, the information is aged out immediately.
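The LLDPDU structure, the organizationally specific TLVs and the TTL rule described above, as an added Python example that is not part of this guide and not RGOS code: a parser for Ethernet II encapsulated LLDP frames that checks the fixed TLVs, extracts optional and organizationally specific TLVs by OUI, and flags a TTL of 0 as a shutdown LLDPDU. The sample frame, its MAC address and interface name are constructed; TLV type numbers, subtypes and OUIs are the IEEE 802.1AB values.

```python
"""Parser for Ethernet II encapsulated LLDP frames.
Added example; not Ruijie/RGOS code. The sample frame content is constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

LLDP_ETHERTYPE = 0x88CC
LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge group address

# TLV type numbers from IEEE 802.1AB
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME, TLV_ORG_SPECIFIC = 0, 1, 2, 3, 5, 127
OUI_IEEE_8021 = bytes.fromhex("0080c2")          # Port VLAN ID, VLAN Name, ...
OUI_IEEE_8023 = bytes.fromhex("00120f")          # MAC/PHY, Power Via MDI, Max Frame Size, ...


@dataclass
class Lldpdu:
    chassis_id: Tuple[int, bytes]                 # (subtype, value)
    port_id: Tuple[int, bytes]                    # (subtype, value)
    ttl: int
    optional: List[Tuple[int, bytes]] = field(default_factory=list)
    org_specific: List[Tuple[bytes, int, bytes]] = field(default_factory=list)  # (OUI, subtype, data)

    @property
    def is_shutdown(self) -> bool:
        """TTL 0 marks a shutdown LLDPDU: the receiver deletes the neighbor at once."""
        return self.ttl == 0


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in one 16-bit header, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(payload: bytes):
    """Yield (type, value) pairs up to and including the End Of LLDPDU TLV."""
    off = 0
    while off + 2 <= len(payload):
        hdr = struct.unpack_from("!H", payload, off)[0]
        t, n = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + n > len(payload):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        yield t, payload[off:off + n]
        off += n
        if t == TLV_END:
            return
    raise ValueError("missing End Of LLDPDU TLV")


def parse_lldpdu(payload: bytes) -> Lldpdu:
    tlvs = list(iter_tlvs(payload))
    # The three fixed TLVs must open the LLDPDU in this order (IEEE 802.1AB).
    if [t for t, _ in tlvs[:3]] != [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL]:
        raise ValueError("fixed TLVs missing or out of order")
    if len(tlvs[0][1]) < 2 or len(tlvs[1][1]) < 2 or len(tlvs[2][1]) != 2:
        raise ValueError("malformed fixed TLV")
    if tlvs[-1][1]:
        raise ValueError("End Of LLDPDU TLV must be empty")
    pdu = Lldpdu(chassis_id=(tlvs[0][1][0], tlvs[0][1][1:]),
                 port_id=(tlvs[1][1][0], tlvs[1][1][1:]),
                 ttl=struct.unpack("!H", tlvs[2][1])[0])
    for t, v in tlvs[3:-1]:
        if t == TLV_ORG_SPECIFIC:
            if len(v) < 4:
                raise ValueError("organizationally specific TLV needs OUI and subtype")
            pdu.org_specific.append((v[:3], v[3], v[4:]))
        else:
            pdu.optional.append((t, v))
    return pdu


def parse_frame(frame: bytes) -> Lldpdu:
    """Strip the Ethernet II header (EtherType 0x88CC) and parse the LLDPDU."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != LLDP_ETHERTYPE:
        raise ValueError("not an Ethernet II LLDP frame")
    return parse_lldpdu(frame[14:])


def is_valid_lldpdu(payload: bytes) -> bool:
    """True when the LLDPDU passes the structural checks a receiver applies before storing it."""
    try:
        parse_lldpdu(payload)
        return True
    except ValueError:
        return False


def build_frame(ttl: int, include_optional: bool = True) -> bytes:
    """Constructed sample: chassis ID subtype 4 (MAC), port ID subtype 5 (interface name),
    TTL, then a System Name TLV, an 802.1 Port VLAN ID TLV and an 802.3 Max Frame Size TLV."""
    src = bytes.fromhex("00d0f8000001")                      # constructed MAC address
    pdu = (tlv(TLV_CHASSIS_ID, bytes([4]) + src)
           + tlv(TLV_PORT_ID, bytes([5]) + b"GigabitEthernet 0/1")
           + tlv(TLV_TTL, struct.pack("!H", ttl)))
    if include_optional:
        pdu += tlv(TLV_SYSTEM_NAME, b"Ruijie")
        pdu += tlv(TLV_ORG_SPECIFIC, OUI_IEEE_8021 + bytes([1]) + struct.pack("!H", 10))
        pdu += tlv(TLV_ORG_SPECIFIC, OUI_IEEE_8023 + bytes([4]) + struct.pack("!H", 1518))
    pdu += tlv(TLV_END, b"")
    return LLDP_MULTICAST + src + struct.pack("!H", LLDP_ETHERTYPE) + pdu
```

A shutdown LLDPDU built with `build_frame(0, include_optional=False)` carries exactly the four TLVs the text lists, and `is_shutdown` tells the receiver to drop the neighbor instead of arming the aging timer.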
Protocol Specifications
The protocols and standards related to LLDP include:
IEEE 802.1AB 2005: Station and Media Access Control Connectivity Discovery
Enabling LLDP
By default, LLDP is enabled globally and on each port. To make LLDP take effect on certain ports, you must enable LLDP
both globally and on these ports.
Execute the following steps to disable LLDP globally and on each port.
Command: Ruijie(config)# no lldp enable
Function: Disable LLDP globally.
Command: Ruijie(config)# interface interface-name
Function: Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on stacking ports or VSL ports.
Command: Ruijie(config-if)# no lldp enable
Function: Disable LLDP on the interface.
Command: Ruijie(config-if)# show lldp status
Function: Display LLDP state.
Disabling the LLDP globally will disable LLDP on the device. Meanwhile, the device will send Shutdown
LLDPDUs to neighbor devices in order to delete the corresponding LLDP information.
Configuration example:
Command: Ruijie(config)# interface interface-name
Function: Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on stacking ports or VSL ports.
Command: Ruijie(config-if)# lldp mode { tx | rx | txrx }
Function: Configure the LLDP operating mode. The configurable operating modes are Tx, Rx and TxRx.
Command: Ruijie(config-if)# show lldp status interface interface-name
Function: Display LLDP state on the interface.
Configuration example:
# Configure LLDP operating mode as Tx on the interface and display LLDP state on the interface
Command: Ruijie(config)# interface interface-name
Function: Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on stacking ports or VSL ports.
Command: Ruijie(config-if)# lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot1-tlv { all | port-vlan-id | protocol-vlan-id [ vlan-id ] | vlan-name [ vlan-id ] } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory | location { civic-location | elin } identifier id |
Function: Configure the TLV types that the port is allowed to advertise. By default, all TLVs other than the Location Identification TLV can be advertised on the interface.
When configuring basic management TLVs, IEEE 802.1 organizationally specific TLVs and IEEE 802.3
organizationally specific TLVs, if the "all" parameter is specified, all corresponding optional TLVs will be
advertised.
When configuring LLDP-MED TLVs, if the "all" parameter is specified, all LLDP-MED TLVs other than the Location
Identification TLV will be advertised.
Allow the advertisement of the LLDP-MED MAC/PHY TLV before allowing that of the LLDP-MED Capability TLV.
Cancel the advertisement of the LLDP-MED Capability TLV before cancelling that of the LLDP-MED MAC/PHY TLV.
When configuring LLDP-MED TLVs, the LLDP-MED Capability TLV must be configured as advertisable before any
other LLDP-MED TLV can be configured as advertisable.
To stop advertising the LLDP-MED Capability TLV, first configure the other LLDP-MED TLVs as non-advertisable,
so that no LLDP-MED TLVs are advertised.
For the meaning of the individual keywords of "lldp tlv-enable", refer to the descriptions given in "LLDP-CREF".
When the device is connected to an IP phone that supports LLDP-MED, you can configure the Network Policy TLV
to deliver the policy to the IP phone, which then modifies its voice flow tag and QoS. In this case the voice VLAN
function is not required, but the port connecting to the IP phone must be configured as a QoS trusted port. If the
IP phone does not support LLDP-MED, the voice VLAN must be configured and the phone's MAC address must be
added manually to the voice VLAN OUI list.
Configuration example:
# Configure to disable the advertisement of Port And Protocol VLAN ID TLV specified by IEEE 802.1.
Execute the following steps to configure the management address to be advertised in LLDPDU:
Command Function
Ruijie(config)# interface interface-name
    Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on a stacking port or VSL port.
Ruijie(config-if)#lldp management-address-tlv [ ip-address ]
    Configure the management address advertised in the LLDP packet.
Ruijie(config-if)#show lldp local-information interface interface-name
    Display LLDP local information about a specific interface.
By default, the management address is advertised in the LLDPDU and is the IPv4 address of the lowest-ID VLAN
carried on the port. If no IPv4 address is configured for this VLAN, the next lowest-ID VLAN carried on the port is
tried, until an IPv4 address is obtained.
If no IPv4 address is found, the IPv6 address of the lowest-ID VLAN carried on the port is tried.
If no IPv6 address is found either, the MAC address of the device is advertised as the management address.
Configuration example:
# Configure the management address advertised in LLDPDU as 192.168.1.1 and display the corresponding configuration.
Command Function
Ruijie(config)#lldp fast-count count
    Configure the number of fast-sent LLDPDUs, in the range from 1 to 10. The default is 3.
Ruijie(config-if)#show lldp status
    Display LLDP state.
Configuration example:
Ruijie(config)#lldp fast-count 5
Ruijie(config)#show lldp status
Global status of LLDP : Enable
Neighbor information last changed time :
Transmit interval : 30s
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 5s
Fast start counts : 5
The LLDPDU transmit interval can be adjusted. Execute the following steps to configure TTL multiplier and LLDPDU
transmit interval.
Command Function
Ruijie(config)#lldp hold-multiplier value
    Configure the TTL multiplier, in the range from 2 to 10. The default is 4.
Ruijie(config)#lldp timer tx-interval seconds
    Configure the LLDPDU transmit interval, in the range from 5 to 32768 seconds. The default is 30.
Ruijie(config-if)#show lldp status
    Display LLDP state.
Configuration example:
# Configure TTL multiplier to 3 and LLDPDU transmit interval to 20 seconds. By this time, the TTL of local device
information on the neighbor device is 61 seconds.
Ruijie(config)#lldp hold-multiplier 3
Ruijie(config)#lldp timer tx-interval 20
Ruijie(config)#show lldp status
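The TLV ordering rules given for "lldp tlv-enable" and the TTL example above (hold-multiplier 3 with tx-interval 20 gives 61 seconds), modelled as an added Python example that is not RGOS code. It assumes the MED TLV keywords are only those shown in the command syntax on this page, and reads "LLDP-MED MAC/PHY TLV" as the dot3-tlv mac-physic keyword.

```python
# TLV keywords as listed in the 'lldp tlv-enable' syntax on this page (assumption:
# no other keywords exist beyond those shown).
GROUPS = {
    "basic-tlv": {"port-description", "system-capability", "system-description", "system-name"},
    "dot1-tlv": {"port-vlan-id", "protocol-vlan-id", "vlan-name"},
    "dot3-tlv": {"link-aggregation", "mac-physic", "max-frame-size", "power"},
    "med-tlv": {"capability", "inventory", "location", "network-policy"},
}
MED_CAP = ("med-tlv", "capability")
MAC_PHY = ("dot3-tlv", "mac-physic")   # assumed to be the "LLDP-MED MAC/PHY TLV" of the text


class LldpTlvPolicy:
    """Set of (group, tlv) pairs an interface is allowed to advertise."""

    def __init__(self):
        # Default: every TLV except the Location Identification TLV.
        self.enabled = {(g, t) for g, tlvs in GROUPS.items() for t in tlvs}
        self.enabled.discard(("med-tlv", "location"))

    @staticmethod
    def _targets(group, tlv):
        if group not in GROUPS:
            raise ValueError(f"unknown TLV group {group}")
        if tlv == "all":
            return set(GROUPS[group])
        if tlv not in GROUPS[group]:
            raise ValueError(f"{tlv} is not a {group} TLV")
        return {tlv}

    def enable(self, group, tlv):
        """'lldp tlv-enable <group> <tlv>' with the ordering rules applied."""
        targets = self._targets(group, tlv)
        if group == "med-tlv":
            if tlv == "all":
                targets.discard("location")   # 'all' never adds Location Identification
            # Capability TLV must be advertisable before any other MED TLV, and the
            # MAC/PHY TLV must be advertisable before the Capability TLV.
            if "capability" not in targets and MED_CAP not in self.enabled:
                raise ValueError("enable med-tlv capability first")
            if "capability" in targets and MAC_PHY not in self.enabled:
                raise ValueError("enable dot3-tlv mac-physic first")
        self.enabled |= {(group, t) for t in targets}

    def disable(self, group, tlv):
        """'no lldp tlv-enable <group> <tlv>' with the reverse ordering rules."""
        targets = self._targets(group, tlv)
        if group == "med-tlv" and "capability" in targets:
            others = {t for g, t in self.enabled if g == "med-tlv" and t not in targets}
            if others:
                raise ValueError(f"disable the other MED TLVs first: {sorted(others)}")
        if group == "dot3-tlv" and "mac-physic" in targets and MED_CAP in self.enabled:
            raise ValueError("disable med-tlv capability first")
        self.enabled -= {(group, t) for t in targets}

    def advertised(self, group):
        return sorted(t for g, t in self.enabled if g == group)


def neighbor_ttl(hold_multiplier, tx_interval):
    """Seconds a neighbor holds the local information. The formula reproduces the
    guide's example (hold-multiplier 3 and tx-interval 20 give 61 seconds); the
    ranges are those of the command tables above."""
    if not 2 <= hold_multiplier <= 10:
        raise ValueError("hold-multiplier must be 2..10")
    if not 5 <= tx_interval <= 32768:
        raise ValueError("tx-interval must be 5..32768 seconds")
    return hold_multiplier * tx_interval + 1
```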
Command Function
Ruijie(config)#lldp timer tx-delay seconds
    Configure the LLDPDU transmit delay.
Ruijie(config)#show lldp status
    Display LLDP state.
Configuration example:
Command Function
Ruijie(config)#lldp timer reinit-delay seconds
    Configure the port re-initialization delay.
Ruijie(config)#show lldp status
    Display LLDP state.
Configuration example:
# Configure the port re-initialization delay to 3 seconds and display LLDP state.
To prevent excessive LLDP traps from being sent, you can set an interval for sending LLDP Traps. If LLDP information
change is detected during this interval, traps will be sent to the network management server.
Command Function
Ruijie(config)#lldp timer notification-interval seconds
    Configure the interval for sending LLDP Traps, in the range from 5 to 3600 seconds. The default is 5.
Ruijie(config)# interface interface-name
    Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on a stacking port or VSL port.
Ruijie(config-if)#lldp notification remote-change enable
    Enable LLDP Trap. LLDP Trap is disabled by default.
Ruijie(config-if)#show lldp status
    Display LLDP state.
Configuration example:
# Enable LLDP Trap and configure the interval for sending LLDP Traps to 10 seconds.
Command Function
Ruijie(config)# interface interface-name
    Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on a stacking port or VSL port.
Ruijie(config-if)#lldp error-detect
    Configure LLDP error detection. LLDP error detection is enabled by default.
Ruijie(config-if)#show lldp status interface interface-name
    Display LLDP state on the interface.
Configuration example:
When configured to Ethernet II format, the device can only send and receive Ethernet II-encapsulated LLDP packets.
When configured to SNAP format, the device can only send and receive SNAP-encapsulated LLDP packets.
Command Function
Ruijie(config)# interface interface-name
    Enter interface configuration mode. LLDP runs on the actual physical interface (for an AP port, it runs on the AP's member port). LLDP is not supported on a stacking port or VSL port.
Ruijie(config-if)#lldp encapsulation snap
    Configure the LLDPDU encapsulation format to SNAP.
Ruijie(config-if)#show lldp status interface interface-name
    Display LLDP state on the interface.
To guarantee normal communication between local device and neighbor device, the same LLDPDU
encapsulation format must be used.
Configuration example:
# Configure LLDPDU encapsulation format to SNAP and display the corresponding configuration.
Configuration example:
Ruijie#config
Ruijie(config)#lldp network-policy profile 1
Ruijie(config-lldp-network-policy)# voice vlan 3 cos 4
Ruijie(config-lldp-network-policy)# voice vlan 3 dscp 6
Ruijie(config-lldp-network-policy)#exit
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable med-tlv network-policy profile 1
Command Function
Ruijie(config)# lldp location civic-location identifier id
    Enter the LLDP Civic Address configuration mode.
Ruijie(config-lldp-civic)# device-type device-type
    Configure the device type. The default device type is a switch.
Ruijie(config-lldp-civic)# { country | state | county | city | division | neighborhood | street-group | leading-street-dir | trailing-street-suffix | street-suffix | number | street-number-suffix | landmark | additional-location-information | name | postal-code | building | unit | floor | room | type-of-place | postal-community-name | post-office-box | additional-code } ca-word
    Configure the LLDP civic address information.
Configuration example:
Ruijie#config
Ruijie(config)#lldp location civic-location identifier 1
Ruijie(config-lldp-civic)# country CH
Ruijie(config-lldp-civic)# city Fuzhou
Ruijie(config-lldp-civic)# postal-code 350000
Ruijie(config-lldp-civic)# exit
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable location civic-location identifier 1
Command Function
Ruijie(config)# lldp location elin identifier id elin-location tel-number
    Configure the emergency call number.
Configuration example:
Ruijie#config
Ruijie(config)#lldp location elin identifier 1 elin-location 085283671111
Ruijie(config)# interface gigabitethernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)# lldp tlv-enable location elin identifier 1
Configuration example:
# Show the device information about an adjacent neighbor connecting a specified port.
LLDP-MED capabilities :
Device class :
HardwareRev :
FirmwareRev :
SoftwareRev :
SerialNum :
Manufacturer name :
Asset tracking identifier :
PMD auto-negotiation advertised : 1000BASE-T full duplex mode, 100BASE-TX full duplex mode,
100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode
Operational MAU type : speed(100)/duplex(Full)
PoE support : NO
Link aggregation supported : YES
Link aggregation enabled : NO
Aggregation port ID : 0
Maximum frame Size : 1500
For details about LLDP output information, see the description in LLDP Command Reference.
Devices required
Two Ethernet switches (Switch A and Switch B), one MED device (taking an IP phone as the example) and one NMS
(Network Management System).
Configuration required
Network Topology
Configuration Tips
LLDPDU transmit times will use default values, namely LLDPDU transmit interval is 30 seconds and LLDPDU
transmit delay is 2 seconds.
Configuration Steps
Verification
Display the information about the neighbor device connecting with Switch A.
The above messages show that the MAC address of neighbor device connected to port 2 of switch A is 00d0-f822-33cd
and the port connected is Gi 0/1. The neighbor device allows bridging and routing.
# Display the detailed information about the neighbor device connected to port Gi 0/2 of Switch A.
LLDP-MED capabilities :
Device class :
HardwareRev :
FirmwareRev :
SoftwareRev :
SerialNum :
Manufacturer name :
Asset tracking identifier :
Devices required
Configuration required
Network Topology
Configuration Tips
LLDPDU transmit times will use default values, namely LLDPDU transmit interval is 30 seconds and LLDPDU
transmit delay is 2 seconds.
Configuration Steps
Ruijie#config
Ruijie(config)#interface gigabitethernet 0/1
Configuration Guide Configuring LLDP
Ruijie(config-if)#speed 100
%Warning: the speed/duplex of port GigabitEthernet 0/1 may not match with it's neighbor.
The above message shows that the bit-rate and duplex capabilities of port 1 may not match those of the port on the
neighbor device.
Verification
While the administrator is carrying out VLAN configuration, port bit-rate and duplex configuration, aggregation port
configuration and port MTU configuration, if the information doesn't match with the configurations of neighbor device the
corresponding error messages will be prompted.
Configuration Guide Configuring PPPoE Client
The PPPoE client function is supported only on AP110-W, AP120-W, AP320, AP330, AP530, AP3220, AP3220-P,
AP4210, APD-M, AP5280 and AP630-H.
Overview
Ruijie products support the PPPoE client on Ethernet interfaces, and are therefore able to connect to a host network by
accessing a remote hub through a simple access device. The PPPoE protocol enables the PPPoE server to control each
access client and perform relevant accounting.
Ruijie products support the auto dialing mode: no Dial-on-Demand Routing (DDR) but always online.
The PPPoE client is applicable in scenarios where Internet access is implemented through ADSL.
Applications
Application Description
ADSL Scenario
    In a scenario where Internet access is implemented through the Asymmetric Digital Subscriber Line (ADSL) technology, the device provides dialup and packet forwarding functions.
ADSL Scenario
Scenario
In a scenario where Internet access is implemented through ADSL, the device provides dialup and packet forwarding
functions.
The dialup function is enabled on the device. The device connects to a remote Internet service provider (ISP) over
an ADSL line, and obtains Internet access capability.
Figure 0-1
Corresponding Protocols
Enable the dialup function on the device, and dial up to the Internet over the ADSL line.
Features
Basic Concepts
ISP
A network operator who provides users with Internet access service, information service, and value-added services
(VASs).
ADSL
Data Flow
Interested Flow
A specific type of packets defined by users during configuration, which can trigger the device to start dialup.
Overview
Feature Description
Dialup to the Internet
    In a scenario where Internet access is implemented through the Asymmetric Digital Subscriber Line (ADSL) technology, the device provides dialup and packet forwarding functions.
Working Principle
Dialup corresponds to the negotiation process, whereas Internet access corresponds to the packet forwarding process.
Negotiation can be further divided into three parts: protocol negotiation, protocol keepalive, and protocol termination.
Protocol Negotiation
During PPPoE negotiation, both parties confirm a unique peer, record the peer's MAC address, and establish a unique
session ID.
During PPP negotiation, the server checks the client's authentication information. If the client passes the authentication,
the server allocates an IP address to the client. If the client has already been configured with an IP address and the
configured IP address meets the server's requirements, the server will agree to use this IP address as the IP address of
the client.
After both protocols are up, the device has Internet access capability and prepares a Layer 2 (L2) header that is
necessary for data packet encapsulation.
Protocol Keepalive
After PPP is up, both parties periodically send LCP heartbeat packets to each other. If the party at one end does not
receive any heartbeat response from the other party, it actively terminates the protocol.
Protocol Termination
The initiating party sends a PPP termination packet to end the current PPP session, and then sends a PPPoE termination
packet to end the current PPPoE session.
After receiving the PPP termination packet, the passive party returns an acknowledgement packet to agree to the
termination of the PPP session; and after receiving the PPPoE termination packet, the passive party returns another
acknowledgement packet to agree to the termination of the PPPoE session.
Once either party receives a PPPoE termination packet, the PPP session and the PPPoE session terminate
immediately, even if no PPP termination packet has been received.
Packet Forwarding
Packet sending process: When a data packet is routed to the dialer interface, the device encapsulates the data packet
with the prepared L2 header information and ultimately sends the data packet from a physical port.
Packet receiving process: After a packet arrives at a physical port, the device marks the Layer 3 (L3) header position of
the packet, executes the next service, and ultimately sends the packet to a host in the intranet.
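The negotiation, keepalive, termination and forwarding steps described above, as an added Python model that is not Ruijie's implementation. The MAC addresses and session ID are constructed for illustration; the 22-byte L2 header layout (Ethernet header, PPPoE header, PPP protocol field) and the LCP/PADT codes are the standard PPPoE ones, and the 1488-byte limit is the MTU set in the configuration steps.

```python
import struct

ETH_TYPE_PPPOE_DISCOVERY = 0x8863
ETH_TYPE_PPPOE_SESSION = 0x8864
PPPOE_VER_TYPE = 0x11          # PPPoE version 1, type 1
PPPOE_CODE_SESSION = 0x00
PPPOE_CODE_PADT = 0xA7         # PPPoE Active Discovery Terminate
PPP_PROTO_IP = 0x0021
LCP_ECHO_REQUEST = 9
LCP_TERMINATE_REQUEST = 5
ETH_HDR_LEN, PPPOE_HDR_LEN, PPP_PROTO_LEN = 14, 6, 2
L2_HDR_LEN = ETH_HDR_LEN + PPPOE_HDR_LEN + PPP_PROTO_LEN   # 22 bytes prepared per session
DIALER_MTU = 1488              # the guide's 'mtu 1488' dialer setting


def pppoe_header(code, session_id, payload_len):
    return struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, payload_len)


class PPPoEClient:
    """States: DOWN -> PPPOE_UP (after PADS) -> PPP_UP (after IPCP)."""

    def __init__(self, local_mac, max_missed_echoes=3):
        self.local_mac = local_mac
        self.max_missed_echoes = max_missed_echoes
        self.sent = []             # control packets "transmitted", kept for inspection
        self._down()

    def _down(self):
        self.state, self.peer_mac, self.session_id = "DOWN", None, 0
        self.ip, self.l2_header, self.missed = None, None, 0

    # Protocol negotiation
    def on_pads(self, peer_mac, session_id):
        """PADS from the server: unique peer confirmed, session ID established."""
        if session_id == 0:
            raise ValueError("session ID 0 is reserved for discovery")
        self.peer_mac, self.session_id, self.state = peer_mac, session_id, "PPPOE_UP"

    def on_ipcp_ack(self, ip):
        """IPCP done: the client has an address and prepares the Ethernet part of the L2 header."""
        if self.state != "PPPOE_UP":
            raise RuntimeError("PPP cannot come up before PPPoE")
        self.ip, self.state = ip, "PPP_UP"
        self.l2_header = self.peer_mac + self.local_mac + struct.pack("!H", ETH_TYPE_PPPOE_SESSION)

    # Packet forwarding
    def encapsulate(self, ip_packet):
        """Sending: a packet routed to the dialer gets the prepared L2 header."""
        if self.state != "PPP_UP":
            raise RuntimeError("no Internet access capability until PPP is up")
        if len(ip_packet) > DIALER_MTU:
            raise ValueError("packet exceeds the dialer interface MTU")
        payload_len = PPP_PROTO_LEN + len(ip_packet)
        return (self.l2_header
                + pppoe_header(PPPOE_CODE_SESSION, self.session_id, payload_len)
                + struct.pack("!H", PPP_PROTO_IP) + ip_packet)

    def decapsulate(self, frame):
        """Receiving: return (L3 header offset, IP packet), or None if not our data."""
        eth_type = struct.unpack_from("!H", frame, 12)[0]
        if eth_type not in (ETH_TYPE_PPPOE_DISCOVERY, ETH_TYPE_PPPOE_SESSION):
            return None
        _ver, code, sid, plen = struct.unpack_from("!BBHH", frame, ETH_HDR_LEN)
        if eth_type == ETH_TYPE_PPPOE_DISCOVERY:
            if code == PPPOE_CODE_PADT:
                self.on_padt(sid)
            return None            # discovery frames carry no user data
        if sid != self.session_id or self.state != "PPP_UP":
            return None
        proto = struct.unpack_from("!H", frame, ETH_HDR_LEN + PPPOE_HDR_LEN)[0]
        if proto != PPP_PROTO_IP:
            return None            # LCP/IPCP control frames are not forwarded data
        return L2_HDR_LEN, frame[L2_HDR_LEN:L2_HDR_LEN + plen - PPP_PROTO_LEN]

    # Protocol keepalive
    def tick(self):
        """One keepalive period: send an LCP echo; give up after too many misses."""
        if self.state != "PPP_UP":
            return self.state
        if self.missed >= self.max_missed_echoes:
            self.terminate()
        else:
            self.missed += 1
            self.sent.append(("LCP", LCP_ECHO_REQUEST))
        return self.state

    def on_echo_reply(self):
        self.missed = 0

    # Protocol termination
    def terminate(self):
        """Active side: PPP Terminate-Request first, then the PPPoE PADT."""
        if self.state == "PPP_UP":
            self.sent.append(("LCP", LCP_TERMINATE_REQUEST))
        if self.state != "DOWN":
            self.sent.append(("PPPoE", PPPOE_CODE_PADT))
        self._down()

    def on_padt(self, session_id):
        """A PADT ends PPP and PPPoE at once, even without a PPP Terminate."""
        if session_id == self.session_id:
            self._down()
```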
Related Configuration
By default, the following functions are disabled and there is no corresponding default value.
Run the pppoe enable command to enable the PPPoE client function on the interface.
Run the no pppoe enable command to disable the PPPoE client function on the interface.
Run the pppoe-client dial-pool-number pool-number no-ddr command to bind the Ethernet interface to a specific
logical dialer pool. The logical dialer pool provides automatic dialing and is always online.
Run the no pppoe-client dial-pool-number pool-number command to unbind the Ethernet interface from the specific
logical dialer pool.
Run the pppoe session mac-address H.H.H command to configure the MAC address of the PPPoE session.
Run the interface dialer dialer-number command to add a specific logical interface and enter the configuration mode of
the logical interface.
Run the no interface dialer dialer-number command to delete the specific logical interface.
Run the no ip address negotiate command to remove the configuration of negotiation-based IP address acquisition.
Run the dialer pool number command to associate a dialer pool, which corresponds to the dialer pool configured on the
Ethernet interface.
Run the no dialer pool number command to remove the association with the dialer pool.
Run the encapsulation ppp command to configure the encapsulation protocol PPP. PPPoE is established on the basis of
PPP.
Run the mtu 1488 command to set the Maximum Transmit Unit (MTU) to 1488.
Run the dialer-group dialer-group-number command to associate a dialer triggering rule, which corresponds to the
dialer-list.
Run the no dialer-group command to remove the configuration of the dialer triggering rule.
Run the ppp chap hostname username command to configure the user name for CHAP authentication.
Run the no ppp chap hostname command to remove the user name configuration for CHAP authentication.
Run the ppp chap password password command to configure the password for CHAP authentication.
Run the no ppp chap password command to remove the password configuration for CHAP authentication.
Run the ppp pap sent-username username password password command to configure the user name and password
for PAP authentication.
Run the no ppp pap sent-username command to remove the user name and password configuration for PAP
authentication.
By default, the following functions are disabled and shall be configured according to actual requirements. If other
functional modules need to be used together, you also need to configure other global parameters.
Run the dialer-list number protocol protocol-name ip { permit | deny | list access-list-number } command to define a
dialer triggering rule.
Run the no dialer-list number command to delete the configured dialer triggering rule.
Run the ip route 0.0.0.0 0.0.0.0 dialer dialer-number [ permanent ] command to configure a route. If you specify the
permanent option, the route is always valid, even while the logical interface is within the enable-timeout period,
during which the logical interface is down.
Run the no ip route 0.0.0.0 0.0.0.0 dialer dialer-number command to remove the route.
Configuration
Mandatory configuration.
Networking Requirements
The device initiates PPPoE negotiation, and completes the negotiation process, protocol keepalive, and protocol
termination.
The device obtains Internet access capability after the negotiation is complete, and starts to forward a data flow
which is routed to the dialer interface.
Notes
After the kernel module is uninstalled, users can still perform configuration management but negotiation and data
flow forwarding cannot be performed.
Configuration Steps
Bind the Ethernet interface to a specific logical dialer pool and specify the dialer mode.
Specify the MAC address of the PPPoE session for subinterface dialing.
Adding a Specific Logical Interface and Entering the Configuration Mode of the Logical Interface
Verification
Check whether a correct dialer interface route entry has been established on the device.
Related Commands
Command Syntax: dialer-list number protocol protocol-name ip { permit | deny | list access-list-number }
Parameter Description: protocol-name: protocol name; access-list-number: ACL number
Command Mode: Global configuration mode
Configuration Usage: N/A
Configuration Example
The following configuration example describes configuration related to the PPPoE client only.
In the ADSL scenario, enable the PPPoE client function and access the Internet through an ADSL
line.
Scenario
Figure 0-2
Configuration Steps
Enable the PPPoE client function on the device, and add the interface Gi0/5 to the dialer pool.
A
A# configure terminal
A(config)# interface GigabitEthernet 0/5
A(config-if)# pppoe enable
A(config-if)# pppoe-client dial-pool-number 1 no-ddr
A(config-if)# exit
A(config)# interface dialer 1
A(config-if)# ip address negotiate
A(config-if)# mtu 1488
A(config-if)# encapsulation ppp
A(config-if)# ip nat outside
A(config-if)# dialer pool 1
A(config-if)# dialer-group 1
A(config-if)# ppp chap hostname pppoe
A(config-if)# ppp chap password pppoe
A(config-if)# ppp pap sent-username pppoe password pppoe
A(config-if)# exit
A(config)# access-list 1 permit any
A(config)# dialer-list 1 protocol ip permit
A(config)# ip nat inside source list 1 interface dialer 1
A(config)# ip route 0.0.0.0 0.0.0.0 dialer 1
A(config)# end
A#
Verification
Run the show ip interface brief | in dialer 1 command to check whether the dialer interface has acquired an IP address.
Run the show ip route command to check whether a correct dialer interface route entry has been established.
A# show ip interface brief | in dialer 1
dialer 1 49.1.1.127/32 YES UP
A# show ip route
Common Errors
Intranet hosts cannot access the Internet because NAT configuration is incorrect.
Intranet hosts cannot access the Internet because route configuration is incorrect.
Monitoring
If you run the clear pppoe tunnel command while the device is operating, packet forwarding will be
interrupted due to tunnel clearance.
Function Command
Clears statistics about the DDR dialer interface.
    clear dialer [ interface-type interface-number ]
Clears the tunnel.
    clear pppoe tunnel
Function Command
Displays information about the DDR dialer.
    show dialer [ interface type number ] [ maps ] [ pools ]
Displays PPPoE status information.
    show pppoe { ref | session | tunnel }
System resources are occupied when debugging information is output. Therefore, disable the debugging
switch immediately after use.
Command Function
debug dialer { pkt | mlp | callback | event }
    Enables the DDR debugging switch.
debug ppp [ authentication | error | event | negotiation | packet ]
    Enables the PPP negotiation debugging switch.
debug pppoe [ datas | errors | events | packets ]
    Enables the PPPoE negotiation debugging switch.
RG-WLAN Series Access Point RGOS Configuration Guide,
Release 11.1(5)B6
IP Address & Application Configuration
2. Configuring ARP
3. Configuring IPv6
4. Configuring DHCP
5. Configuring DHCPv6
6. Configuring DNS
8. Configuring TCP
IP Address Configuration
IP Address Overview
An IP address is made up of 32 binary bits and, for convenience of writing and description, is expressed in dotted
decimal format. In dotted decimal format, the 32 binary bits are broken into four octets (1 octet equals 8 bits), each
in the range from 0 to 255 and separated by a period (dot). For example, 192.168.1.1 is an IP address in dotted
decimal format.
An IP address is the address that the IP protocol uses to connect hosts to one another. A 32-bit IP address consists
of two parts: the network address and the local address. According to the first several bits of the network address,
IP addresses are divided into four categories.
Class A: Total of 128 class A IP addresses. The highest bit is 0, followed by seven bits identifying the Network ID; the
remaining 24 bits identify the Host ID.
Class B: Total of 16,384 class B IP addresses. The highest two bits are 10, followed by 14 bits identifying the Network
ID; the remaining 16 bits identify the Host ID.
Class C: Total of 2,097,152 class C IP addresses. The highest three bits are 110, followed by 21 bits identifying the
Network ID; the remaining eight bits identify the Host ID.
Class D: The highest four bits are 1110 and the other bits identify a multicast IP address.
An IP address whose highest four bits are 1111 is prohibited. This type of IP address, also called a Class E IP
address, is reserved.
When you build a network, you should plan IP addressing according to the real network environment. To connect the
network to the Internet, you need to apply for IP addresses from a central authority, for example, the China Internet
Network Information Center (CNNIC) in China. The Internet Corporation for Assigned Names and Numbers (ICANN)
is responsible for IP address allocation. A private network, however, does not require an application for IP addresses;
it is recommended to assign private IP addresses to it.
The following table lists the reserved and available addresses by class.
Class A    0.0.0.0                      Reserved
           1.0.0.0 to 126.0.0.0         Available
           127.0.0.0                    Reserved
Class C    192.0.0.0                    Reserved
           192.0.1.0 to 223.255.254.0   Available
           223.255.255.0                Reserved
There are three blocks of IP addresses reserved for private networks that are not used in the Internet. Address translation
is required for a private network using one of these IP addresses to access the Internet. The following table details these
addresses, which are defined in RFC 1918.
For the information on the assignment of IP address, TCP/UDP port and other codes, please refer to RFC 1166.
The IPv4 functions of Ping and Traceroute are not supported on AP110-W.
Only a host with an IP address configured can receive and send IP packets. If an interface is configured with an IP
address, the interface supports running the IP protocol.
To assign an IP address to an interface, execute the following commands in the interface configuration mode:
Command Function
Ruijie(config-if)# ip address ip-address mask Assign an IP address for the interface.
Ruijie(config-if)# no ip address Remove the IP address configuration for the interface.
A 32-bit mask identifies the network part of an IP address. In a mask, an IP address bit corresponding to 1 represents
the network ID and a bit corresponding to 0 represents the host ID. For example, the mask corresponding to a Class A
IP address is 255.0.0.0. You can partition a network into multiple segments with a mask. The goal of network partition is
to use some bits of the host address of an IP address as network address, reducing hosts and increasing networks. The
mask is then called a subnet mask.
Theoretically, any bit of the host address of an IP address can be used as the subnet mask. Ruijie product
only supports continuous subnet masks from left to right starting from the network ID.
The interface-related IP address configuration task list includes the following tasks, only the first one is required, others
are optional depending on your network requirements.
Ruijie products support assigning multiple IP addresses to an interface, one being the primary IP address and the others
being secondary addresses. In theory, you can configure as many secondary addresses as you wish. A secondary IP
address can reside in the same network as the primary IP address or in a different one. Secondary IP addresses are
used frequently when building a network, for example, in the following cases:
There may not be enough host addresses for a network. For example, a LAN requires a Class C IP address to support
up to 254 hosts. When there are more than 254 hosts in the LAN, another Class C IP address is necessary. A host then
needs to connect to two networks and therefore needs multiple IP addresses.
Many older networks were built based on layer 2 bridges without partition. The use of secondary IP addresses
makes them easy to upgrade to IP-based routing networks. An IP address is assigned for every device in a subnet.
Configuration Guide Configuring IP Address and Service
Two subnets of a network might otherwise be separated by another network. By creating a subnet in each separated
subnets, you can connect the two separated subnets together by assigning secondary IP addresses. One subnet
cannot appear on two or more interfaces in a device.
Before configuring secondary IP addresses, you need to confirm that the primary IP address has been
configured. All the devices in a network should have the same secondary IP address. If you assign a
secondary IP address to a device but do not assign IP addresses for other devices, you can set it to the
primary IP address for them.
To assign a secondary IP address to an interface, execute the following command in the interface configuration mode:
Command Function
Ruijie(config-if)# ip address ip-address mask secondary
    Assign a secondary IP address to the interface.
Ruijie(config-if)# no ip address ip-address mask secondary
    Remove the secondary IP address configuration for the interface.
Ruijie layer-2 switches allow you to configure the management IP address and the gateway in the same command.
Generally, layer-2 switches provide a "gateway" command to configure a default gateway. Sometimes a layer-2 switch is
managed remotely via telnet, and both its management IP address and its default gateway must be modified. In such a
case, configuring either the IP address or the gateway alone would prevent you from entering the other command
(because the configuration has changed and the device can no longer be reached over the network). Therefore, the
gateway keyword of the ip address command is used to modify the management IP address and the default gateway
together.
To configure the management IP address and the gateway at the same time, execute the following commands in
interface configuration mode:
Command Function
Ruijie(config-if)# ip address ip-address mask gateway ip-address
    Configure the management IP address and the gateway.
Ruijie(config-if)# no ip address ip-address mask gateway
    Remove the management IP address and gateway configuration.
Disabling IP Routing
IP routing is enabled by default. Do not execute this command unless you are sure that IP routing is not needed.
Disabling IP routing makes the device lose all its routes and the route forwarding function.
To disable IP routing, execute the following commands in the global configuration mode:
Command Function
Ruijie(config)# no ip routing Disable IP routing.
Ruijie(config)# ip routing Enable IP routing
The switch checks the IP checksum of routed packets. If an IP checksum error occurs, routing of the packet stops:
unicast packets are discarded directly and multicast packets are only forwarded at Layer 2.
A broadcast packet is destined for all hosts in a physical network. Ruijie products support two kinds of broadcast packets:
directed broadcast and flooding. A directed broadcast packet is sent to all hosts in a specific network, and the host ID
bits of its destination address are all set to 1. A flooding broadcast packet is sent to all hosts and its destination address
is all 1s. Broadcast packets are heavily used by some protocols, including the Internet protocol. Therefore, managing
and controlling broadcast packets is a basic responsibility of a network administrator.
Forwarding flooding broadcast packets may overburden the network and affect network operation. This is known as a
broadcast storm. There are some ways to suppress and restrict broadcast storms in the local network. However, layer 2
network devices such as bridges and switches forward and propagate broadcast storms.
The best solution to the broadcast storm problem is to specify a broadcast address for each network, that is, directed
broadcast. This requires the IP protocol to use directed broadcast instead of flooding broadcast where possible.
For detailed description about broadcast, refer to RFC 919 and RFC 922.
To handle broadcast packets, perform the following tasks according to the network requirement.
A directed broadcast IP packet is one destined to the broadcast address of an IP subnet. For instance, a packet destined
to 172.16.16.255 is a directed broadcast packet, while the node that generates it is not a member of the destination
subnet.
On receipt of directed broadcast IP packets, a device not directly connected to the destination subnet forwards them in
the same way as unicast packets. When the directed broadcast IP packets arrive at the device directly connected to the
subnet, the device transforms them into flooding broadcast IP packets (whose destination address is generally all 1s)
and sends them to all hosts within the subnet by means of a link-layer broadcast.
Enabling directed broadcast to physical broadcast translation on an interface allows the interface to forward directed
broadcast IP packets to the directly connected network. This command only affects the transmission of directed
broadcast IP packets to the final destination subnet, not other directed broadcasts.
You can forward directed broadcast IP packets on an interface as required by defining ACLs. Only the IP packets
matching the ACLs are translated from directed broadcasts to physical broadcasts.
To configure the directed broadcast-to-physical broadcast translation, execute the following command in the interface
configuration mode:
Command Function
Ruijie(config-if)# ip directed-broadcast [access-list-number]
    Enable directed broadcast to physical broadcast translation on the interface.
Ruijie(config-if)# no ip directed-broadcast
    Restore the default setting.
Currently, the most common form of IP broadcast address is the all-1s destination address (255.255.255.255). Ruijie
products can be configured to generate any form of IP broadcast address and to receive any form of IP broadcast packet.
To set a broadcast IP address other than 255.255.255.255, execute the following command in interface configuration
mode:
Command: Ruijie(config-if)# ip broadcast-address ip-address
Function: Set the broadcast address of the interface.
Command: Ruijie(config-if)# no ip broadcast-address
Function: Remove the configuration.
Command: ip icmp error-interval DF milliseconds [ bucket-size ]
Function: Set the rate at which ICMP destination unreachable packets triggered by the DF bit in the IP header are sent, in global configuration mode.
  milliseconds: the refresh period of the token bucket, in the range 0 to 2147483647 milliseconds. 0 means the rate at which ICMP error packets are sent is not limited. The default is 100.
  bucket-size: the number of tokens in the bucket, in the range 1 to 200. The default is 10.
Command: no ip icmp error-interval DF milliseconds [ bucket-size ]
Function: Restore the default setting.
To prevent DoS attacks, a token bucket algorithm limits the rate at which ICMP error packets are sent.
If an IP packet needs to be fragmented while its DF bit is set to 1, the device sends an ICMP destination unreachable
packet of type 3, code 4 (fragmentation needed and DF set) to the source IP address so that the source can perform path
MTU discovery. The rate limit on these destination unreachable packets, and on other ICMP error packets, must be high
enough that path MTU discovery does not fail.
It is recommended to set the refresh period to an integral multiple of 10 milliseconds. If it is not, the device adjusts it
automatically while keeping the same average rate: for example, 1 token per 5 milliseconds is adjusted to 2 tokens per
10 milliseconds, and 3 tokens per 15 milliseconds to 2 tokens per 10 milliseconds.
The following example sets the rate at which ICMP destination unreachable packets triggered by the DF bit are sent to
100 per second.
The same command without the DF keyword (see the example below) limits the rate at which the other ICMP error
packets are sent. It uses the same token bucket algorithm and the same automatic adjustment of the refresh period to a
multiple of 10 milliseconds, and the same caution applies: the limit must leave room for the error packets that path MTU
discovery depends on.
The following example sets the rate to send other ICMP error packets to 10 per second.
Ruijie(config)# ip icmp error-interval 1000 10
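The token bucket described above, as an added example written for this page rather than taken from the Ruijie software: a small Python model of the ip icmp error-interval limiter. The exact rounding of the refresh period is inferred from the two data points in the text (rounded down to a multiple of 10 ms, minimum 10 ms, token count scaled to keep the rate) and is an assumption; the packet arrival times are constructed. It shows how the default 100 ms / 10 token bucket and the 1000 / 10 setting from the example above behave under a one-second flood of packets that each need an ICMP error.

```python
"""Token bucket modelled on the ip icmp error-interval command (added example, not Ruijie code)."""
from dataclasses import dataclass, field
from typing import Iterable


def normalize_interval(period_ms: int, bucket_size: int) -> tuple:
    """Round a refresh period to a multiple of 10 ms while keeping the average rate.

    Assumption based on the two data points in the text (1 per 5 ms -> 2 per 10 ms,
    3 per 15 ms -> 2 per 10 ms): the period is rounded down to a multiple of 10 ms
    (minimum 10 ms) and the token count is scaled accordingly. 0 means no limit.
    """
    if period_ms == 0:
        return 0, bucket_size
    rounded = max(10, period_ms - period_ms % 10)
    tokens = max(1, round(bucket_size * rounded / period_ms))
    return rounded, tokens


@dataclass
class TokenBucket:
    """One token is consumed per ICMP error sent; the bucket is refilled to
    `size` tokens at the start of every `period_ms` refresh period."""
    period_ms: int
    size: int
    tokens: int = field(init=False)
    refilled_at_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.period_ms, self.size = normalize_interval(self.period_ms, self.size)
        self.tokens = self.size

    def allow(self, now_ms: int) -> bool:
        """Return True if an ICMP error packet may be sent at time now_ms."""
        if self.period_ms == 0:                 # 0 means the rate is not limited
            return True
        elapsed = now_ms - self.refilled_at_ms
        if elapsed >= self.period_ms:           # a new refresh period has begun
            self.refilled_at_ms += (elapsed // self.period_ms) * self.period_ms
            self.tokens = self.size
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False                            # bucket empty: error packet suppressed


def count_sent(period_ms: int, bucket_size: int, arrivals_ms: Iterable[int]) -> int:
    """Number of ICMP errors actually sent for a sequence of triggering packets."""
    bucket = TokenBucket(period_ms, bucket_size)
    return sum(1 for t in arrivals_ms if bucket.allow(t))


if __name__ == "__main__":
    # Constructed flood: one packet needing an ICMP error every millisecond for one second.
    flood = range(0, 1000)
    print("default 100 ms / 10 tokens     :", count_sent(100, 10, flood), "sent")
    print("ip icmp error-interval 1000 10 :", count_sent(1000, 10, flood), "sent")
    print("ip icmp error-interval 0       :", count_sent(0, 10, flood), "sent")
```

With the default bucket the flood yields 100 error packets in the second (10 per 100 ms window); with the 1000 / 10 setting from the example only 10 are sent, and with a period of 0 nothing is suppressed.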
Command: ip address negotiate
Function: Obtain an IP address for the interface through PPP negotiation, in interface configuration mode.
Command: no ip address negotiate
Function: Restore the configuration.
Only the PPP interfaces of a router support obtaining an IP address through PPP negotiation. After the interface is
configured with the ip address negotiate command, the peer end must be configured with the peer default ip address
command.
The following example obtains an IP address for the interface through PPP negotiation.
Ruijie(config)# interface dialer 1
Ruijie(config-if-dialer 1)# ip address negotiate
Command: peer default ip address { ip-address | pool [ pool-name ] }
Function: Allocate an IP address to the peer end through PPP negotiation, in interface configuration mode.
  ip-address: the IP address allocated to the peer end.
  pool-name: (Optional) the name of the address pool to allocate from. If not specified, the default address pool is used.
Command: no peer default ip address
Function: Restore the default setting.
If the local end has an IP address while the peer end does not, the local end can allocate an address to the peer end:
configure the ip address negotiate command on the peer end and the peer default ip address command on the local
end.
This command is configured on interfaces with PPP or SLIP encapsulation.
The peer default ip address pool command allocates the peer end an address from an address pool created with the
ip local pool command.
The peer default ip address ip-address command assigns a specific IP address to the peer end. This form cannot be
configured on virtual template interfaces or async interfaces.
The following example enables interface dialer 1 to allocate IP address 10.0.0.1 to the peer end.
Ruijie(config)# interface dialer 1
Ruijie(config-if-dialer 1)# peer default ip address 10.0.0.1
Command: ip address-pool local
Function: Enable the IP address pool function, in global configuration mode.
Command: no ip address-pool local
Function: Disable the IP address pool function.
This function is enabled by default; with it enabled, PPP can allocate an IP address to the peer end from a configured IP
address pool. The no ip address-pool local command disables the function and also clears all configured IP address
pools.
Command: ip local pool pool-name low-ip-address [ high-ip-address ]
Function: Create an IP address pool, in global configuration mode.
  pool-name: the address pool name. The default name is default.
  low-ip-address: the first IP address in the pool.
  high-ip-address: (Optional) the last IP address in the pool.
Command: no ip local pool pool-name [ low-ip-address [ high-ip-address ] ]
Function: Restore the default setting.
This command creates one or more IP address pools from which PPP allocates addresses to users.
The following example creates an IP address pool named quark ranging from 172.16.23.0 to 172.16.23.255.
Ruijie(config)# ip local pool quark 172.16.23.0 172.16.23.255
You can display the contents of the IP routing table, cache and database. This information is very helpful in
troubleshooting the network. You can also display information about the reachability of the local network and discover
the path that packets from your device take through the network.
To display system and network status, execute the following commands in privileged EXEC mode:
Command: Ruijie# show ip interface [ interface-type interface-number | brief ]
Function: Display the IP status information of an interface.
Command: Ruijie# show ip route [ network [ mask ] ]
Function: Show the routing table.
Command: Ruijie# show ip route
Function: Show brief information about the routing table.
Command: Ruijie# ping ip-address [ length bytes ] [ ntimes times ] [ timeout seconds ]
Function: Test network reachability.
Command: Ruijie# show ip raw-socket [ num ]
Function: Display IPv4 raw sockets.
Command: Ruijie# show ip sockets
Function: Display all IPv4 sockets.
Command: Ruijie# show ip udp [ local-port num ]
Function: Display IPv4 UDP sockets.
Command: Ruijie# show ip udp statistic
Function: Display IPv4 UDP socket statistics.
Configuration requirements:
Configure RIPv1 so that router C learns the route to 172.16.2.0/24 and router D learns the route to 172.16.1.0/24.
RIPv1 does not support classless routing: subnet masks are not carried in routing advertisements. Here the two subnets
172.16.1.0/24 and 172.16.2.0/24, which belong to the same Class B network 172.16.0.0/16, are separated by the Class C
network 192.168.12.0/24. Normally router C and router D cannot learn each other's subnets, because a RIPv1 router
summarizes the subnets of one network when advertising them over an interface in a different network, and it applies
the receiving interface's mask to a received route only when the route and the interface belong to the same network. By
configuring routers A and B with a secondary network 172.16.3.0/24 on the 192.168.12.0/24 link, the link becomes part
of 172.16.0.0/16 and the two separated subnets are joined. The configuration of routers A and B is described below.
Router A:
Router B:
interface FastEthernet 0/0
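The RIPv1 behaviour the requirement relies on, as an added Python example that is not part of the configuration guide or of Ruijie's software. It models the classful send and receive rules of RFC 1058: a subnet is advertised unchanged only out of an interface in the same major network, otherwise the classful network is sent, and a received maskless destination takes the receiving interface's mask only when both are in the same major network. The interface addresses 192.168.12.1/24, 192.168.12.2/24, 172.16.3.1/24 and 172.16.3.2/24 are constructed to match the topology above.

```python
"""RIPv1 classful advertise/receive rules (added example, not Ruijie code)."""
import ipaddress


def classful_prefixlen(addr) -> int:
    """Natural (classful) prefix length of a unicast IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8        # Class A
    if first_octet < 192:
        return 16       # Class B
    if first_octet < 224:
        return 24       # Class C
    raise ValueError(f"{addr} is not a class A/B/C address")


def major_network(addr) -> ipaddress.IPv4Network:
    """Classful network that contains addr."""
    return ipaddress.ip_network(f"{addr}/{classful_prefixlen(addr)}", strict=False)


def ripv1_advertise(route: str, out_interface: str) -> str:
    """Destination a RIPv1 router puts in an update for `route` sent out of
    `out_interface` (address/mask). RIPv1 carries no mask, so a subnet is sent
    as-is only when the interface lies in the same major network; otherwise the
    whole classful network is advertised (RFC 1058, section 3.7)."""
    net = ipaddress.ip_network(route, strict=False)
    ifc = ipaddress.ip_interface(out_interface)
    if major_network(net.network_address) == major_network(ifc.ip):
        return str(net.network_address)
    return str(major_network(net.network_address).network_address)


def ripv1_receive(destination: str, in_interface: str) -> ipaddress.IPv4Network:
    """Prefix a RIPv1 router derives from a maskless `destination` received on
    `in_interface`: the interface's mask if both are in the same major network,
    otherwise the classful mask."""
    dest = ipaddress.IPv4Address(destination)
    ifc = ipaddress.ip_interface(in_interface)
    if major_network(dest) == major_network(ifc.ip):
        return ipaddress.ip_network(f"{dest}/{ifc.network.prefixlen}", strict=False)
    return major_network(dest)


def learned_on_link(route: str, sender_if: str, receiver_if: str) -> str:
    """What the neighbour across one link ends up with for `route`."""
    return str(ripv1_receive(ripv1_advertise(route, sender_if), receiver_if))


if __name__ == "__main__":
    # Topology from the text: routers A and B share 192.168.12.0/24; A holds
    # 172.16.1.0/24 and B holds 172.16.2.0/24. Interface addresses are constructed.
    print("over 192.168.12.0/24 :", learned_on_link("172.16.1.0/24", "192.168.12.1/24", "192.168.12.2/24"))
    # With the secondary network 172.16.3.0/24 on the link the /24 survives.
    print("over 172.16.3.0/24   :", learned_on_link("172.16.1.0/24", "172.16.3.1/24", "172.16.3.2/24"))
```

Across the plain 192.168.12.0/24 link router B only ever learns 172.16.0.0/16, which conflicts with its own connected 172.16.2.0/24; once the link also carries 172.16.3.0/24 the update is sent and received as 172.16.1.0/24.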
IP Service Configuration
Managing IP Connections
The IP protocol stack offers a number of services to control and manage IP connections, many of them provided by the
Internet Control Message Protocol (ICMP). When a network problem occurs, a router or access server sends an ICMP
message to the host or to other routers. For detailed information on ICMP, see RFC 792.
To manage various aspects of IP connections, perform the optional tasks described in the following sections:
When a router receives a non-broadcast packet addressed to itself that uses an IP protocol it cannot handle, it returns an
ICMP protocol unreachable message to the source address. Similarly, if the router cannot forward a packet because it has
no route to the destination address, it sends an ICMP host unreachable message. This feature is enabled by default.
To enable this service, execute the following command in interface configuration mode:
Command: Ruijie(config-if)# ip unreachables
Function: Enable the ICMP protocol unreachable and host unreachable messages.
Unreachable messages tell a scanner which protocols and hosts exist behind an interface, so operators often suppress
them on interfaces facing untrusted networks. Because the fragmentation needed message that path MTU discovery
relies on is also a destination unreachable message, verify that path MTU discovery still works for traffic through the
interface before suppressing unreachables on it.
Routes are sometimes less than optimal. For example, the device may be forced to resend a packet out of the same
interface on which it was received. When that happens, the device sends an ICMP redirect message to the originator of
the packet, telling it that the gateway to this destination is another device on the same subnet, so that the originator
sends later packets along the better path. This feature is enabled by default.
To enable ICMP redirect messages, execute the following command in interface configuration mode:
Command: Ruijie(config-if)# ip redirects
Function: Enable ICMP redirect messages. Enabled by default.
Command: Ruijie(config-if)# no ip redirects
Function: Disable ICMP redirect messages.
Redirects disclose the device's next hops to every host on the subnet, and a host that accepts redirects can have its
routing altered by a forged one; disabling redirects on interfaces that face untrusted hosts is a common hardening step.
Occasionally a network device needs to know the subnet mask of a network. To obtain it, the device sends an ICMP
mask request message and the receiving device answers with an ICMP mask reply message. Ruijie products can respond
to ICMP mask request messages. This function is enabled by default.
To enable ICMP mask reply messages, execute the following command in interface configuration mode:
Command: Ruijie(config-if)# ip mask-reply
Function: Enable ICMP mask reply messages.
Command: Ruijie(config-if)# no ip mask-reply
Function: Restore the default setting.
Every interface has a default MTU (Maximum Transmission Unit). Packets larger than the MTU must be fragmented
before being sent; otherwise they cannot be forwarded on the interface.
Ruijie products allow you to adjust the MTU of an interface. Changing the interface MTU also changes the IP MTU, which
is adjusted automatically to match the new MTU. Changing the IP MTU, however, has no effect on the interface MTU.
All interfaces of the devices on one physical network should use the same MTU for a given protocol.
To set the IP MTU, execute the following command in interface configuration mode:
Command: Ruijie(config-if)# ip mtu bytes
Function: Set the IP MTU, in the range 68 to 1500 bytes.
Command: Ruijie(config-if)# no ip mtu
Function: Restore the default setting.
Ruijie products support IP source routing. When IP source routing is enabled, the device examines the options in the IP
header of a received packet for the strict source route, loose source route and record route options defined in RFC 791
and processes them accordingly. When IP source routing is disabled, the device sends an ICMP error message to the
source and discards packets that carry these options. IP source routing is enabled by default.
Source routing lets the sender of a packet choose the path it takes, which can be used to steer traffic around a firewall or
ACL and to get replies back to a spoofed source; most hardening guides recommend disabling it on devices that do not
need it.
To enable or disable IP source routing, execute the following command in global configuration mode:
Command: Ruijie(config)# ip source-route
Function: Enable IP source routing.
Command: Ruijie(config)# no ip source-route
Function: Disable IP source routing.
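To see what ip source-route acts on, here is an added Python example (not Ruijie code) that parses the IPv4 option area and flags packets carrying the loose (LSRR, type 131) or strict (SSRR, type 137) source route options defined in RFC 791, the same check a packet filter or IDS rule applies. The sample packets are constructed inside the block: the addresses are from documentation ranges and the header checksum is left zero because the parser does not verify it.

```python
"""Detect IPv4 source-route options in a raw packet (added example, not Ruijie code)."""
import struct

OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137   # RFC 791 option types
OPTION_NAMES = {OPT_RR: "RR", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}
SOURCE_ROUTE_TYPES = {OPT_LSRR, OPT_SSRR}


def parse_ipv4_options(packet: bytes) -> list:
    """Walk the option area between the fixed 20-byte header and IHL*4.

    Returns one dict per option; RR/LSRR/SSRR entries also carry the pointer and
    the list of route addresses. Malformed headers or options raise ValueError.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("IHL does not match packet length")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                      # end of option list
            break
        if kind == OPT_NOP:                      # single-byte padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option {kind}")
        entry = {"type": kind, "name": OPTION_NAMES.get(kind, "other")}
        if kind in OPTION_NAMES:                 # route options: pointer + address list
            body = opts[i + 2:i + length]
            if not body:
                raise ValueError("route option without pointer")
            addrs = body[1:]
            addrs = addrs[:len(addrs) - len(addrs) % 4]
            entry["pointer"] = body[0]
            entry["hops"] = [".".join(str(b) for b in addrs[j:j + 4]) for j in range(0, len(addrs), 4)]
        found.append(entry)
        i += length
    return found


def is_source_routed(packet: bytes) -> bool:
    """True if the packet carries a loose or strict source route option."""
    return any(o["type"] in SOURCE_ROUTE_TYPES for o in parse_ipv4_options(packet))


def build_ipv4(options: bytes = b"", src: str = "10.0.0.1", dst: str = "192.0.2.10") -> bytes:
    """Constructed test packet (TTL 64, protocol TCP); header checksum left 0."""
    options += b"\x00" * (-len(options) % 4)     # pad the option area to a 32-bit boundary
    ihl = 5 + len(options) // 4
    to4 = lambda a: bytes(int(x) for x in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0, to4(src), to4(dst))
    return header + options


# Constructed samples: an LSRR with two hops, a record-route option behind a NOP, and no options.
SAMPLE_LSRR = build_ipv4(bytes([OPT_LSRR, 11, 4]) + bytes([203, 0, 113, 1, 198, 51, 100, 1]))
SAMPLE_RR = build_ipv4(bytes([OPT_NOP, OPT_RR, 7, 4]) + bytes(4))
SAMPLE_PLAIN = build_ipv4()

if __name__ == "__main__":
    for name, pkt in [("LSRR", SAMPLE_LSRR), ("RR", SAMPLE_RR), ("plain", SAMPLE_PLAIN)]:
        print(f"{name:5s} source-routed={is_source_routed(pkt)} options={parse_ipv4_options(pkt)}")
```

The parser rejects options whose length runs past the header, which is the kind of malformed packet an attacker sends to confuse a filter; a real filter should drop such packets rather than pass them as "no source route found".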
Configuring ARP
Every device in a LAN has two addresses: a local address and a network address. The local address is carried in the
header of data link layer frames; strictly, the correct term is data link layer address, but because it is handled in the MAC
sub-layer of the data link layer it is normally called the MAC address and represents an IP network device on a network.
The network address represents the device on the Internet and indicates the network to which it belongs.
To communicate on a LAN, a device must know the 48-bit MAC address of the other device. ARP resolves a MAC
address from an IP address, and Reverse ARP (RARP) resolves an IP address from a MAC address. MAC addresses can
be resolved in two ways: ARP and Proxy ARP. For information on ARP, Proxy ARP and RARP, refer to RFC 826,
RFC 1027 and RFC 903.
ARP binds an IP address to a MAC address: it resolves the MAC address from the IP address and stores the mapping in
the ARP cache. With the MAC address known, a device can encapsulate data link layer frames and send them on the
LAN, using Ethernet II framing by default, although other Ethernet frame types (for example, SNAP) can also be used.
RARP works on the same principle as ARP but resolves an IP address from a MAC address; it is generally used by
diskless workstations.
Normally a device works without any special address resolution configuration. Ruijie products can manage address
resolution as described in the following sections.
To configure static ARP, execute the following command in global configuration mode:
Command: Ruijie(config)# arp ip-address mac-address arp-type
Function: Define a static ARP entry. Only the arpa type is supported for arp-type.
Command: Ruijie(config)# no arp ip-address
Function: Restore the default setting.
Command: arp-learning enable
Function: Enable ARP learning, in interface configuration mode.
Configuration Guide Configuring ARP
It is recommended to enable ARP learning once the device has learned the dynamic ARP entries and they have been
converted to static entries through the Web interface; otherwise, enabling this function is not recommended. If ARP
learning is disabled while dynamic ARP entries still exist, you can convert them to static entries through the Web
interface, or clear them with the clear arp command to deny the corresponding users access to the Internet; otherwise
the dynamic entries age out and are cleared. After this function is disabled, the AnyIP function and trusted ARP
detection are also disabled.
To configure the ARP timeout, execute the following command in interface configuration mode:
Command: Ruijie(config-if)# arp timeout seconds
Function: Set the ARP timeout, in the range 0 to 2147483 seconds; 0 means entries are not aged.
Command: Ruijie(config-if)# no arp timeout
Function: Restore the default setting.
Command: arp trust-monitor enable
Function: Enable egress gateway trusted ARP, in interface configuration mode.
Command: no arp trust-monitor enable
Function: Restore the default setting.
Egress gateway trusted ARP is different from GSN trusted ARP. With this function enabled, the device sends a unicast
ARP request for confirmation before learning an ARP entry and learns the entry only after receiving the response. When
the device receives an ARP packet, it handles the packet only if the corresponding ARP entry is aged or incomplete and
the packet is a response; unsolicited ARP packets therefore cannot overwrite a live entry. After egress gateway trusted
ARP is enabled, the aging time of ARP entries becomes 60 seconds; after it is disabled, the aging time returns to
3600 seconds.
Command: arp cache interface-limit limit
Function: Set the maximum number of ARP entries learned on the interface, in interface configuration mode.
  limit: the maximum number of ARP entries on the interface, including static and dynamic entries, in the range 0 to the number supported on the interface. 0 means the number is not limited.
Command: no arp cache interface-limit
Function: Restore the default setting.
This function prevents ARP attacks from exhausting resources by generating ARP entries. The limit must be no smaller
than the number of ARP entries already learned on the interface; otherwise the configuration does not take effect.
The following example sets the maximum number of ARP entries learned on the interface to 300.
Ruijie(config-if)# arp cache interface-limit 300
Command: arp unresolve number
Function: Set the maximum number of unresolved ARP entries, in global configuration mode.
  number: the maximum number of unresolved ARP entries, in the range 1 to the ARP table size supported by the device.
Command: no arp unresolve
Function: Restore the default setting.
If the ARP cache holds a large number of unresolved entries that do not disappear after some time, this command limits
their number. Unresolved entries are created by requests for addresses that never answer, so a stream of packets to
unused addresses (a scan, or a deliberate attack) can fill the table with them; the limit caps that consumption.
The following example sets the maximum number of unresolved entries to 500.
Ruijie(config)# arp unresolve 500
To monitor and maintain your network, perform the tasks described in the following sections.
Command: Ruijie# clear arp-cache [ vrf vrf_name | trusted ] [ ip [ mask ] | interface interface-name ]
Function: Remove dynamic ARP mapping records from the ARP cache and clear the IP route cache.
  trusted: delete trusted ARP entries. Dynamic ARP entries are deleted by default.
  vrf vrf_name: delete the dynamic ARP entries of the specified VRF instance. The default is the public instance.
  ip: delete the ARP entries of the specified IP address. If trusted is specified, the trusted ARP entries are deleted; otherwise the dynamic ARP entries are deleted, which is the default.
  mask: delete the ARP entries within the subnet mask. If trusted is specified, the trusted ARP entries in the subnet are deleted; otherwise the dynamic ARP entries are deleted. By default only the dynamic entry of the specified IP address is deleted.
  interface interface-name: delete the dynamic ARP entries on the specified interface. By default dynamic ARP entries are deleted on all interfaces.
On a device running NFPP (Network Foundation Protection Policy), by default only one ARP packet per MAC/IP address
per second is accepted. If clear arp-cache is run twice within one second, the second ARP response is filtered and the
address is not resolved again for a short time.
The following example deletes the dynamic ARP entries on interface SVI1.
To display the ARP status, execute the following commands in privileged EXEC mode:
Command: Ruijie# show arp
Function: Show the ARP table.
Command: Ruijie# show ip arp
Function: Show the IP ARP table.
Configuration Guide Configuring IPv6
Configuring IPv6
IPv6 Overview
As the Internet grows rapidly and the IPv4 address space is exhausted, the limitations of IPv4 have become obvious,
and research and deployment of the next generation Internet Protocol have become widespread. The IPng working
group of the IETF defined the protocol specification for IPng, referred to as IPv6; refer to RFC 2460 for details.
The address length is extended from the 32 bits of IPv4 to 128 bits, gi Ruijie ving IPv6 2^128 addresses. IPv6 adopts a
hierarchical addressing model and supports multi-level address assignment, for example from the Internet backbone
down to the internal subnets of an enterprise.
The new IPv6 packet header is designed to minimize overhead: non-critical and optional fields are removed from the
main header and placed in extension headers. Although an IPv6 address is four times as long as an IPv4 address, the
IPv6 header is only twice the size of the IPv4 header. The improved header is more efficient to forward; for instance, it
carries no checksum, and IPv6 routers do not fragment packets during forwarding (fragmentation is performed by the
originator).
IPv6 adopts address aggregation and defines a flexible hierarchical addressing and routing structure, in which several
networks at one level are presented as a single network prefix to routers at the higher level. This clearly reduces the
entries a router must maintain and greatly reduces routing and storage overhead.
A series of auto-discovery and auto-configuration functions simplify the management and maintenance of network
nodes. Neighbor Discovery, MTU Discovery, Router Advertisement, Router Solicitation and auto-configuration together
provide plug-and-play service. IPv6 supports both stateful and stateless address configuration. In IPv4, the Dynamic
Host Configuration Protocol (DHCP) configures the host IP address and related settings automatically; IPv6 inherits this
service and refers to it as stateful auto-configuration. IPv6 additionally provides stateless auto-configuration, in which
the host automatically obtains its link-local address, the address prefix of the local router and other related
configuration.
Security
IPsec is an optional extension to IPv4, whereas it was defined as an integral component of IPv6 for providing security.
IPv6 implements the Authentication Header (AH) and Encapsulating Security Payload (ESP) mechanisms: AH
authenticates the integrity of the data and the origin of the IP packet, ensuring that the packet does come from the node
named by the source address, while ESP provides data encryption for end-to-end confidentiality.
A new field in the IPv6 header defines how data flows are identified and processed. The Flow Label field identifies a
data flow, through which IPv6 lets users state QoS requirements for a communication; a router can identify all packets
of a given flow by this field and give them special processing on demand.
The IPv6 Neighbor Discovery Protocol uses a series of ICMPv6 (Internet Control Message Protocol for IPv6) messages
to manage interaction between neighbor nodes (nodes on the same link). Neighbor Discovery, with its efficient multicast
and unicast messages, replaces the broadcast-based Address Resolution Protocol (ARP) and the ICMPv4 router
discovery messages.
Extensibility
IPv6 is highly extensible: new features can be added in extension headers placed after the IPv6 header. Unlike IPv4,
whose header can carry at most 40 bytes of options, the size of the IPv6 extension headers is limited only by the
maximum size of the whole IPv6 packet.
IPv6 Protocol
IPv6 Address Format
Type of IPv6 Address
ICMPv6
IPv6 Neighbor Discovery
Path MTU Discovery
ICMPv6 Redirection
Address Conflict Detection
IPv6 Stateless Auto-configuration
IPv6 Address Configuration
IPv6 Route Forwarding (supporting static route configuration)
Configuration of various IPv6 parameters
Diagnosis Tool Ping IPv6
2001:ABCD:1234:5678:AAAA:BBBB:1200:2100
800:0:0:0:0:0:0:1
These integers are hexadecimal, with A to F denoting 10 to 15. Every group in the address must be written, but leading
zeros within a group may be omitted. Some IPv6 addresses contain a series of zero groups (such as the second
example above). In that case "::" may be used to denote the series of zeros: the address 800:0:0:0:0:0:0:1 can be
written as 800::1.
The two colons mean that the address is expanded back to the full 128 bits. Only 16-bit groups that are all zero can be
replaced by "::", and "::" may appear only once in an address.
In a mixed IPv4 and IPv6 environment there is a mixed notation: the lowest 32 bits of an IPv6 address can denote an
IPv4 address. The address is written as X:X:X:X:X:X:d.d.d.d, where each X is a 16-bit hexadecimal integer and each d is
an 8-bit decimal integer. For instance, 0:0:0:0:0:0:192.168.20.1 is a legal IPv6 address, and in abbreviated form it is
written ::192.168.20.1. One typical example is the IPv4-compatible IPv6 address, written as ::A.B.C.D, for example
::1.1.1.1; the other is the IPv4-mapped IPv6 address, written as ::FFFF:A.B.C.D and used to represent an IPv4 address
as an IPv6 address, for example mapping the IPv4 address 1.1.1.1 to the IPv6 address ::FFFF:1.1.1.1.
Because an IPv6 address is divided into a subnet prefix and an interface identifier, it can be written with an additional
numeric value in the same way as a CIDR address. This value indicates how many bits form the network part (the
network prefix): the IPv6 node address is followed by a slash and the prefix length. For instance, in
12AB::CD30:0:0:0:0/60 the prefix used for routing is 60 bits long.
Unicast: identifies a single interface. A packet sent to a unicast address is delivered to the interface identified by that
address.
Anycast: identifies a set of interfaces. A packet sent to an anycast address is delivered to one of the interfaces identified
by the address (the nearest one according to the routing protocol).
Multicast: identifies a set of interfaces (in general, on different nodes). A packet sent to a multicast address is delivered
to all interfaces that have joined the multicast address.
Unicast Addresses
Unicast addresses are divided into the unspecified address, the loopback address, link-local addresses, site-local
addresses and global unicast addresses. Site-local addresses have since been deprecated, so all unicast addresses
other than the unspecified address, the loopback address and link-local addresses are global unicast addresses.
1. Unspecified Address
The unspecified address 0:0:0:0:0:0:0:0 (abbreviated ::) is used in two situations:
1. If a host has no unicast address when it boots, it uses the unspecified address as the source address of a router
solicitation and obtains prefix information from the gateway to generate a unicast address automatically.
2. When an IPv6 address is configured on a host, the host checks whether it conflicts with the address of another host
on the same network segment by sending a neighbor solicitation message with the unspecified address as the source
address.
2. Loopback Address
The loopback address is 0:0:0:0:0:0:0:1, abbreviated ::1. It is equivalent to the IPv4 address 127.0.0.1 and is used when
a node sends packets to itself.
A link-local address numbers hosts on a single network link; an address whose first 10 bits form the link-local prefix is
a link-local address. A router never forwards a packet whose source or destination address is link-local. The middle
54 bits of the address are 0, and the last 64 bits are the interface identifier, so a single link can connect up to 2^64-1
hosts.
A site-local address is used to carry data within a site; a router does not forward packets with a site-local source or
destination address to the Internet. Such packets can only be forwarded within the site, never out of it. If the site is a
company LAN, the site-local address is similar to an IPv4 private address such as 192.168.0.0/16. RFC 3879 has
deprecated site-local addresses.
One class of global unicast address is the IPv6 address with an embedded IPv4 address, used to interconnect IPv4
nodes and IPv6 nodes; it is divided into the IPv4-compatible IPv6 address and the IPv4-mapped IPv6 address. The
IPv4-compatible IPv6 address was mainly used for automatic tunneling between nodes supporting both IPv4 and IPv6:
IPv6 packets addressed this way are tunneled through IPv4 routers. The IPv4-compatible IPv6 address has since been
deprecated. The IPv4-mapped IPv6 address lets IPv6 nodes reach nodes that only support IPv4. For example, when an
IPv6 application on an IPv4/IPv6 host requests resolution of the name of a host that supports only IPv4, the name server
internally generates IPv4-mapped IPv6 addresses dynamically and returns them to the IPv6 application.
Multicast Addresses
| 8 | 4| 4| 112 bits |
+----------+----+----+-----------------------------------------------------------------+
|11111111|flgs|scop| group ID |
+----------+----+----+-----------------------------------------------------------------+
The first byte of the address is all 1s, which denotes a multicast address.
Flag field:
Four bits. At present only the fourth (low-order) bit is defined: it indicates whether the address is a well-known
multicast address assigned by the Internet Assigned Numbers Authority (IANA) or a transient multicast address used in
a specific situation. If this flag is 0 the address is a well-known multicast address; if it is 1 the address is transient. The
other three flag bits are reserved for future use.
Scope field:
Four bits denoting the scope of the multicast: whether the multicast group spans only the local node, the local link, the
local site, or nodes anywhere in the IPv6 global address space.
Group ID field:
112 bits identifying a multicast group. Depending on whether the address is transient or well-known and on its scope,
the same group ID can denote different groups.
IPv6 multicast addresses are those with the prefix FF00::/8. A multicast address usually identifies interfaces on a series
of different nodes; when a packet is sent to a multicast address, it is delivered to the interface of every node that has
joined that address. Each node (host or router) must join the following multicast addresses:
The all-nodes multicast address for the local link, FF02::1
The solicited-node multicast addresses derived from its own addresses, with prefix FF02:0:0:0:0:1:FF00:0000/104
A router must additionally join the all-routers multicast address for the local link, FF02::2.
A solicited-node multicast address corresponds to an IPv6 unicast or anycast address, so an IPv6 node must join the
solicited-node multicast address for each of its configured unicast and anycast addresses. The address consists of the
prefix FF02:0:0:0:0:1:FF00:0000/104 followed by the low-order 24 bits of the unicast or anycast address. For instance,
the solicited-node multicast address corresponding to FE80::2AA:FF:FE21:1234 is FF02::1:FF21:1234.
Solicited-node multicast addresses are mainly used by neighbor solicitation (NS) messages. The format of the
solicited-node address is shown as follows:
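The address notation rules above and the solicited-node derivation, carried out in one added Python example that is not part of the guide: a hand-written parser for the textual forms ("::" used at most once, optional leading zeros, the dotted IPv4 tail), an RFC 5952 compressor, the solicited-node multicast address computed from the low-order 24 bits, and a decoder for the flag and scope fields of the multicast address format. The standard library ipaddress module is used only to cross-check the parser; the addresses used are the ones quoted in this section.

```python
"""IPv6 textual notation, solicited-node and multicast helpers (added example, not Ruijie code)."""
import ipaddress   # standard library, used only to cross-check the parser below

HEX = set("0123456789abcdefABCDEF")
SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
          5: "site-local", 8: "organization-local", 0xE: "global"}


def _groups(part: str) -> list:
    """16-bit groups on one side of '::'; a trailing dotted IPv4 yields two groups."""
    if not part:
        return []
    words, items = [], part.split(":")
    for k, item in enumerate(items):
        if "." in item:                            # mixed notation X:X:X:X:X:X:d.d.d.d
            if k != len(items) - 1:
                raise ValueError("the dotted IPv4 part must come last")
            octets = [int(o) for o in item.split(".")]
            if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
                raise ValueError(f"bad IPv4 part {item!r}")
            words += [octets[0] << 8 | octets[1], octets[2] << 8 | octets[3]]
        else:
            if not 1 <= len(item) <= 4 or not set(item) <= HEX:
                raise ValueError(f"bad group {item!r}")
            words.append(int(item, 16))            # leading zeros may be omitted
    return words


def parse_ipv6(text: str) -> bytes:
    """Expand a textual IPv6 address to its 16 bytes."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = text.partition("::")
    h, t = _groups(head), _groups(tail)
    if sep:
        if len(h) + len(t) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        words = h + [0] * (8 - len(h) - len(t)) + t
    else:
        words = h
    if len(words) != 8:
        raise ValueError("an IPv6 address has eight 16-bit groups")
    return b"".join(w.to_bytes(2, "big") for w in words)


def compress_ipv6(raw: bytes) -> str:
    """RFC 5952 form: lowercase hex without leading zeros, and the longest run of
    two or more zero groups (the first one on a tie) written as '::'."""
    words = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]
    best, run = (0, 0), None
    for i, w in enumerate(words + [1]):            # sentinel closes a trailing run
        if w == 0:
            run = i if run is None else run
        elif run is not None:
            if i - run > best[1]:
                best = (run, i - run)
            run = None
    hexs = [f"{w:x}" for w in words]
    start, length = best
    if length < 2:
        return ":".join(hexs)
    return ":".join(hexs[:start]) + "::" + ":".join(hexs[start + length:])


def solicited_node(raw: bytes) -> bytes:
    """FF02:0:0:0:0:1:FF00:0/104 followed by the low-order 24 bits of the address."""
    return parse_ipv6("FF02::1:FF00:0")[:13] + raw[13:]


def multicast_info(raw: bytes) -> dict:
    """Decode the flag and scope nibbles and the 112-bit group ID of an FF00::/8 address."""
    if raw[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = raw[1] >> 4, raw[1] & 0xF
    return {"transient": bool(flags & 1),          # T flag: 0 well-known, 1 transient
            "scope": SCOPES.get(scope, f"reserved({scope})"),
            "group_id": int.from_bytes(raw[2:], "big")}


def matches_stdlib(text: str) -> bool:
    """Cross-check parse_ipv6 and compress_ipv6 against ipaddress (not for IPv4-mapped
    addresses, whose str() form changed in Python 3.13)."""
    std = ipaddress.IPv6Address(text)
    return parse_ipv6(text) == std.packed and compress_ipv6(std.packed) == std.compressed


if __name__ == "__main__":
    for text in ["800:0:0:0:0:0:0:1", "0:0:0:0:0:0:192.168.20.1", "::FFFF:1.1.1.1"]:
        print(f"{text:28s} -> {compress_ipv6(parse_ipv6(text))}")
    node = parse_ipv6("FE80::2AA:FF:FE21:1234")
    print("solicited-node:", compress_ipv6(solicited_node(node)))
    print("FF02::1 decodes to", multicast_info(parse_ipv6("FF02::1")))
```

The parser is deliberately strict about a second "::" and about non-final dotted parts; sloppy address parsers are a recurring source of ACL bypasses, because two components that canonicalize the same string differently end up disagreeing about which rule a packet matches.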
Anycast Addresses
An anycast address is similar to a multicast address in that more than one node shares it. The difference is that only one
node is expected to receive a packet sent to an anycast address, whereas every member of a multicast group expects to
receive all packets sent to that address. Anycast addresses are allocated from the normal IPv6 unicast address space, so
an anycast address cannot be distinguished from a unicast address by its format. For this reason, every member of an
anycast address has to be configured explicitly so that it knows the address is an anycast address.
An anycast address can be assigned only to a router, not to a host. Furthermore, an anycast address cannot
be used as the source address of a packet.
Configuration Guide Configuring IPv6
RFC 2373 predefines one anycast address, the subnet-router anycast address. The following diagram shows the format of
the subnet-router anycast address, which consists of the subnet prefix followed by a series of 0s (as the interface
identifier).
Here the subnet prefix identifies a specified link (subnet); a packet sent to the subnet-router anycast address is delivered
to one router on that subnet. The subnet-router anycast address is typically used by a node that needs to communicate
with any one router on a remote subnet.
The IPv4 packet header is measured in units of 4 bytes; the IPv6 packet header is measured in units of 8 bytes and has a
fixed total length of 40 bytes. The IPv6 packet header defines the following fields:
Version:
The length is 4 bits. The value is 6 for IPv6.
Traffic Class:
The length is 8 bits. It indicates the type of service provided to the packet and is equivalent to the TOS field in IPv4.
Flow Label:
The length is 20 bits; it identifies packets belonging to the same service flow. A node may be the source of several
service flows; the flow label together with the source node IP address identifies a service flow uniquely.
Payload Length:
The length is 16 bits. It gives the length in bytes of the payload, including any IPv6 extension headers; in other words, it
is the length of the IPv6 packet excluding the IPv6 header itself.
Next Header:
This field indicates the protocol type of the header that follows the IPv6 header. Similar to the IPv4 protocol field, the
Next Header field can indicate whether the upper-layer protocol is TCP or UDP. It can also indicate that an IPv6
extension header follows.
Hop Limit:
The length is 8 bits. Each router that forwards the packet decrements this field by 1. When the field reaches 0, the packet
is discarded. It is similar to the TTL (time to live) field in the IPv4 packet header.
Source Address:
The length is 128 bits. It indicates the sender address of an IPv6 packet.
Destination Address:
The length is 128 bits. It indicates the receiver address of an IPv6 packet.
At present, the following extended headers are defined for the IPv6:
Hop-by-Hop Options:
This extension header must directly follow the IPv6 header. It contains option data that must be examined by every node
along the path.
Routing:
This extension header lists the nodes that a packet must pass through before reaching its destination. It contains a list of
the addresses of those nodes. The initial destination address in the IPv6 header is the first address of the list in the
routing header, not the final destination of the packet. On receiving the packet, the node with that address processes the
IPv6 header and the routing header and forwards the packet to the second address in the routing header list. This step is
repeated until the packet reaches the final destination.
Fragment:
This extension header is used to fragment packets longer than the MTU of the path between the source node and the
destination node.
Destination Options:
This extension header replaces the IPv4 option field. At present, the only defined destination option is padding that fills
the option out to an integer multiple of 64 bits (8 bytes) when necessary. This extension header can be used to carry
information that is examined only by the destination node.
Upper-layer header:
It indicates the upper-layer transport protocol, such as TCP (6) or UDP (17).
Furthermore, the Authentication and Encapsulating Security Payload extension headers are described in the IPsec
section. At present, our IPv6 implementation does not support IPsec.
In addition, when a packet to be sent is larger than the MTU of the transmission path, the host fragments the packet itself.
Routers therefore do not need to process fragmentation, which saves resources and improves the efficiency of the IPv6
network.
The minimum link MTU is 68 bytes in IPv4, meaning that every link along the path over which packets are
transmitted must support a link MTU of at least 68 bytes. The minimum link MTU is 1280 bytes in IPv6. A link
MTU of 1500 bytes is strongly recommended for IPv6 links.
Address Resolution
A node must obtain the link-layer address of another node before communicating with it. To do so, it sends a neighbor
solicitation (NS) message to the solicited-node multicast address corresponding to the IPv6 address of the destination
node; the NS message also carries the sender's own link-layer address. On receiving the NS message, the destination
node responds with a neighbor advertisement (NA) message containing its link-layer address. After receiving the
response, the source node can communicate with the destination node.
Neighbor Unreachability Detection is triggered when an IPv6 unicast packet is to be sent to a neighbor whose reachable
time has expired.
Neighbor Unreachability Detection and the sending of IPv6 packets to the neighbor proceed in parallel: during the
detection, IPv6 packets continue to be forwarded to the neighbor.
After an IPv6 address is configured on a host, address conflict detection is run to check whether the IPv6 address is
unique on the link.
The router periodically sends Router Advertisement (RA) messages to all nodes on the local link.
The following figure shows the process of sending the Router Advertisement (RA). The RA carries:
One or more IPv6 address prefixes used for on-link determination or stateless address autoconfiguration.
The valid period of each IPv6 address prefix.
The Router Advertisement (RA) is also sent in response to a Router Solicitation (RS) message from a host. The RS
message lets the host obtain the autoconfiguration information immediately instead of waiting for the next periodic RA. If
the host has no unicast address when it starts up, its RS message uses the unspecified address (0:0:0:0:0:0:0:0) as the
source address; otherwise, an existing unicast address is used as the source address. The RS message is sent to the
all-routers multicast address for the local link (FF02::2). The RA sent in response uses the source address of the RS
message as its destination address; if that source address is the unspecified address, the RA is sent to the all-nodes
multicast address for the local link (FF02::1).
The following parameters can be configured in the Router Advertisement (RA) message:
Ra-lifetime: router lifetime, that is, whether the device acts as the default router of the local link and for how long it
holds that role.
Prefix: an IPv6 address prefix of the local link, which can be used for on-link determination or stateless address
autoconfiguration, together with the other parameters configured for the prefix.
1. By default, no Router Advertisement (RA) message is sent actively on the interface. To send RA messages, use
the no ipv6 nd suppress-ra command in interface configuration mode.
2. For stateless address autoconfiguration of nodes to work, the prefix length advertised in the router
advertisement (RA) message must be 64 bits.
Redirection
When a router receives an IPv6 packet and finds a better next hop for it, it sends an ICMP redirect message to notify the
host of the better next hop. From then on the host sends IPv6 packets to the better next hop directly.
IPv6 Configuration
The following sections introduce the configuration of each IPv6 function module in turn.
Once an interface is created and its link status is UP, the system automatically generates a link-local address
for the interface. At present, IPv6 anycast addresses are not supported.
To configure an IPv6 address, execute the following commands in the global configuration mode:
Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command must be used to change a layer-2
    port into a layer-3 interface.
Ruijie(config-if)#ipv6 enable
    Enable the IPv6 protocol on the interface. If this command is not run, the system automatically enables the IPv6
    protocol when you configure an IPv6 address on the interface.
Ruijie(config-if)#ipv6 address ipv6-address/prefix-length
Ruijie(config-if)#ipv6 address ipv6-prefix/prefix-length [eui-64]
    Configure an IPv6 unicast address for this interface. The keyword eui-64 indicates that the generated IPv6 address
    consists of the configured address prefix and the 64-bit interface ID.
    Note: Whether or not the keyword eui-64 is used, the complete address (prefix + interface ID/prefix length) must be
    entered to delete an IPv6 address. When you configure an IPv6 address on an interface, the IPv6 protocol is
    automatically enabled on the interface and cannot be disabled with no ipv6 enable.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface interface-id
    View the IPv6 interface information.
Ruijie#copy running-config startup-config
    Save the configuration.
Use the no ipv6 address ipv6-prefix/prefix-length [eui-64] command to delete the configured IPv6 address.
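The following is an added example, not code from the Ruijie guide. It shows what the eui-64 keyword above computes from an interface's MAC address, and the solicited-node multicast address (described in the address section earlier) that the node must then join for NS/DAD traffic; the MAC 00-AA-00-21-12-34 is a constructed sample chosen because it yields the guide's own FE80::2AA:FF:FE21:1234 example.

```python
"""Added example (not Ruijie code): derive the modified EUI-64 interface ID
from a MAC, build the address `ipv6 address <prefix>/64 eui-64` would assign,
and compute the solicited-node multicast group for any IPv6 address."""
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def eui64_interface_id(mac):
    """Modified EUI-64: insert FF:FE between the OUI and device halves of the
    48-bit MAC and flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    first = octets[0] ^ 0x02
    eui = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def eui64_address(prefix, mac):
    """Configured /64 prefix followed by the 64-bit interface ID, as the
    eui-64 keyword produces. Other prefix lengths are rejected."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("eui-64 addressing requires a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx where xx:xxxx are the low 24 bits of the unicast or
    anycast address. NS messages for address resolution and DAD go here."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def groups_to_join(addresses, is_router):
    """Multicast groups a node must listen on: all-nodes, one solicited-node
    group per configured address, and all-routers if it is a router."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    if is_router:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    groups.update(solicited_node(a) for a in addresses)
    return groups


if __name__ == "__main__":
    mac = "00-AA-00-21-12-34"          # constructed sample MAC
    link_local = eui64_address("fe80::/64", mac)
    print(link_local, "->", solicited_node(link_local))
    for group in sorted(groups_to_join([str(link_local), "2001:db8::1"], True)):
        print(group)
```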
Only a router, not a host, can generate redirect messages, and a router does not update its routing table
when it receives a redirect message.
To enable redirection on the interface, execute the following commands in the global configuration mode:
Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Use the no ipv6 redirects command to disable the redirection function. The following is an example of configuring the
redirection function:
To configure the static neighbor, execute the following commands in the global configuration mode.
Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Use the no ipv6 neighbor ipv6-address interface-id command to delete the specified neighbor. The following is an
example of configuring a static neighbor on GigabitEthernet 0/1:
Setting the number of neighbor solicitation messages sent for address conflict detection to 0 disables address
conflict detection.
A configured anycast address is not subject to address conflict detection.
Furthermore, if address conflict detection is not disabled on the interface, the system runs address conflict detection for
the configured addresses whenever the interface changes from the Down status to the Up status.
The following is the procedure for configuring the number of neighbor solicitation messages sent for address conflict
detection:
Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command must be used to change a layer-2
    port into a layer-3 interface.
Ruijie(config-if)#ipv6 nd dad attempts attempts
    Set the number of neighbor solicitation messages sent for address conflict detection. When it is configured to 0,
    no neighbor solicitation message is sent for address conflict detection, that is, detection is disabled.
    Enable the address conflict detection function on the interface.
Ruijie(config-if)#end
    Return to the privileged EXEC mode.
Ruijie#show ipv6 interface vlan 1
    View the IPv6 information on the interface.
Ruijie#copy running-config startup-config
    Save the configuration.
Use the no ipv6 nd dad attempts command to restore the default value. The following is an example of configuring the
number of neighbor solicitation (NS) messages sent for address conflict detection on SVI 1:
This command does not clear all the dynamic neighbors on the authentication VLAN.
Command Function
Ruijie#configure terminal
    Enter the global configuration mode.
Ruijie(config)#interface interface-id
    Enter the interface configuration mode. Note that the no switchport command must be used to change a layer-2
    port into a layer-3 interface.
Ruijie(config-if)#ipv6 enable
    Enable the IPv6 function.
Ruijie(config-if)#ipv6 nd ns-interval milliseconds
    (Optional) Define the retransmission interval of neighbor solicitation messages, in ms. The default value is
    1000 ms.
Ruijie(config-if)#ipv6 nd reachable-time milliseconds
    (Optional) Define the time during which a neighbor is considered reachable, in ms. The default value is 30000 ms.
    Note: as specified in RFC 4861, the actual reachable time of a neighbor is randomized around the configured
    time, in the range of 0.5 to 1.5 times the configured time.
Ruijie(config-if)#ipv6 nd prefix { ipv6-prefix/prefix-length | default } [ [ valid-lifetime preferred-lifetime ] |
[ at valid-date preferred-date ] | [ infinite { infinite | preferred-lifetime } ] ] [ no-advertise ] |
[ [ off-link ] [ no-autoconfig ] ]
    (Optional) Set the address prefix to be advertised in router advertisement (RA) messages.
Ruijie(config-if)#ipv6 nd ra-lifetime seconds
    (Optional) Set the router lifetime carried in router advertisement (RA) messages, namely how long the router acts
    as the default router. 0 indicates that the router does not act as the default router of the directly connected
    network. The default value is 1800 s.
Ruijie(config-if)#ipv6 nd ra-interval { seconds | min-max min_value max_value }
    (Optional) Set the interval at which the router sends periodic router advertisement (RA) messages, in seconds.
    The default value is 200 s. With min-max specified, the actual sending interval is a random value between the
    minimum and maximum values. Without min-max, the actual sending interval is approximately 0.8 to 1.2 times
    the configured value.
The no form of each of the above commands restores the default value. For details, refer to the IPv6 Command
Reference.
Command Function
ipv6 icmp error-interval too-big milliseconds [ bucket-size ]
    Set the frequency with which ICMPv6-oversize (Packet Too Big) error packets are sent, in global configuration
    mode.
    milliseconds: Sets the refresh interval of the token bucket, in the range from 0 to 2147483647 in the unit of
    seconds. Setting the value to 0 indicates that the frequency with which ICMPv6 error packets are sent is not
    limited.
    bucket-size: Sets the number of tokens in the token bucket, in the range from 1 to 200.
no ipv6 icmp error-interval too-big milliseconds [ bucket-size ]
    Restore the default setting.
The token bucket algorithm is used to limit the frequency with which ICMPv6 error packets are sent, so as to prevent
Denial of Service (DoS) attacks.
If a forwarded IPv6 packet is larger than the egress IPv6 MTU, the router discards the packet and sends an
ICMPv6-oversize error packet to the source IPv6 address. IPv6 path MTU discovery relies on this ICMPv6 error packet. If
too many ICMPv6 error packets are being generated, the ICMPv6-oversize error packet may not be sent, and IPv6 path
MTU discovery fails. Therefore, it is recommended to set the frequency of ICMPv6-oversize error packets and that of
other ICMPv6 error packets separately. Note that an ICMPv6 redirect packet is not an ICMPv6 error packet, but Ruijie
limits the frequency of ICMPv6 redirect packets in the same way as that of other ICMPv6 error packets.
Because the timer is accurate to 10 milliseconds, it is recommended to set the refresh interval of the token bucket to an
integer multiple of 10 milliseconds. If the refresh interval is not an integer multiple of 10 milliseconds, it is converted
automatically. For example, a frequency of 1 per 5 milliseconds becomes 2 per 10 milliseconds, and a frequency of 3 per
15 milliseconds is converted to 2 per 10 milliseconds.
The following example sets the frequency with which ICMPv6-oversize error packets are sent to 100 per second.
Command Function
ipv6 icmp error-interval milliseconds [ bucket-size ]
    Set the frequency with which other ICMPv6 error packets are sent, in global configuration mode.
    milliseconds: Sets the refresh interval of the token bucket, in the range from 0 to 2147483647 in the unit of
    seconds. Setting the value to 0 indicates that the frequency with which ICMPv6 error packets are sent is not
    limited.
    bucket-size: Sets the number of tokens in the token bucket, in the range from 1 to 200.
no ipv6 icmp error-interval milliseconds [ bucket-size ]
    Restore the default setting.
The following example sets the frequency with which other ICMPv6 error packets are sent to 10 per second.
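The following is an added example, not code from the Ruijie guide, modelling the two token buckets configured by ipv6 icmp error-interval too-big and ipv6 icmp error-interval. The conversion to the 10 ms timer (truncate the interval to a multiple of 10 ms, rescale the bucket to keep the rate) is an assumption that reproduces the guide's two worked conversions, and the default bucket values are constructed to match the 100 per second and 10 per second examples.

```python
"""Added example (not Ruijie code): token-bucket limiting of ICMPv6 error
messages with separate buckets for Packet Too Big and all other errors."""

TIMER_TICK_MS = 10  # the guide states the timer is accurate to 10 ms


def normalize(interval_ms, bucket_size):
    """Assumed conversion to the 10 ms timer: truncate the interval to a
    multiple of 10 ms (at least 10 ms) and rescale the bucket size so the
    average rate is unchanged. Reproduces the guide's examples:
    1 per 5 ms -> 2 per 10 ms and 3 per 15 ms -> 2 per 10 ms.
    An interval of 0 means the frequency is not limited."""
    if interval_ms == 0:
        return 0, bucket_size
    new_interval = max(1, interval_ms // TIMER_TICK_MS) * TIMER_TICK_MS
    new_bucket = max(1, round(bucket_size * new_interval / interval_ms))
    return new_interval, new_bucket


class TokenBucket:
    """The bucket is refilled to bucket_size tokens every interval_ms; each
    error sent consumes one token, so the rate is bucket_size / interval_ms."""

    def __init__(self, interval_ms, bucket_size):
        self.interval_ms, self.bucket_size = normalize(interval_ms, bucket_size)
        self.tokens = self.bucket_size
        self.last_refill_ms = 0

    def allow(self, now_ms):
        """Return True if an error message may be sent at time now_ms."""
        if self.interval_ms == 0:
            return True
        elapsed = now_ms - self.last_refill_ms
        if elapsed >= self.interval_ms:
            # at least one full interval has passed: refill the bucket
            self.tokens = self.bucket_size
            self.last_refill_ms += (elapsed // self.interval_ms) * self.interval_ms
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


class Icmp6ErrorLimiter:
    """Separate buckets so a burst of other errors (or redirects, which the
    guide limits with the same bucket as other errors) cannot starve Packet
    Too Big and thereby break path MTU discovery."""
    PACKET_TOO_BIG = 2    # ICMPv6 type 2
    REDIRECT = 137        # ICMPv6 type 137, limited as an "other" error

    def __init__(self, too_big=(1000, 100), other=(1000, 10)):
        self.too_big = TokenBucket(*too_big)
        self.other = TokenBucket(*other)

    def allow(self, icmp_type, now_ms):
        bucket = self.too_big if icmp_type == self.PACKET_TOO_BIG else self.other
        return bucket.allow(now_ms)


def simulate(limiter, icmp_type, count, spacing_ms):
    """Trigger `count` errors of one type, spacing_ms apart from t=0, and
    return how many the limiter lets through."""
    return sum(1 for i in range(count) if limiter.allow(icmp_type, i * spacing_ms))


if __name__ == "__main__":
    print(normalize(5, 1), normalize(15, 3))
    print(simulate(Icmp6ErrorLimiter(), Icmp6ErrorLimiter.PACKET_TOO_BIG, 1000, 1))
    print(simulate(Icmp6ErrorLimiter(), Icmp6ErrorLimiter.REDIRECT, 1000, 1))
```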
Command Function
ipv6 nd unresolved number
    Set the maximum number of unresolved neighbor table entries, in global configuration mode.
    number: Sets the maximum number of unresolved neighbor table entries, in the range from 1 to the neighbor
    table size supported by the device. 0 indicates the number is not limited.
no ipv6 nd unresolved
    Restore the default setting.
This command prevents unresolved ND table entries generated by malicious scan attacks from consuming table entry
resources.
The following example sets the maximum number of the unresolved neighbor table entries to 200.
Command Function
ipv6 nd cache interface-limit value
    Set the maximum number of neighbors learned on the interface, in interface configuration mode.
    value: Sets the maximum number of neighbors learned on the interface, including static and dynamic
    neighbors, in the range from 0 to the number supported by the device. 0 indicates the number is not limited.
no ipv6 nd cache interface-limit
    Restore the default setting.
This function prevents neighbor entries generated by malicious neighbor attacks from consuming memory. value must be
no smaller than the number of neighbors already learned on the interface; otherwise, the configuration does not take
effect.
The following example sets the maximum number of neighbors learned on the interface to 100.
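The following is an added example, not Ruijie code: a neighbor cache model that applies both limits from the two tables above, the global cap on unresolved entries (ipv6 nd unresolved) and the per-interface cap (ipv6 nd cache interface-limit), including the rule that a per-interface limit smaller than the current neighbor count is rejected. Interface names and addresses are constructed samples.

```python
"""Added example (not Ruijie code): ND cache with a global unresolved-entry
cap and a per-interface neighbor cap, as configured by `ipv6 nd unresolved`
and `ipv6 nd cache interface-limit`. 0 means unlimited for both."""


class NeighborCache:
    def __init__(self, unresolved_limit=0):
        self.unresolved_limit = unresolved_limit  # 0: not limited
        self.interface_limits = {}                # ifname -> limit (0: unlimited)
        self.entries = {}                         # (ifname, addr) -> entry dict

    def count(self, ifname, state=None):
        """Neighbors on ifname, optionally only those in a given state."""
        return sum(1 for (i, _), e in self.entries.items()
                   if i == ifname and (state is None or e["state"] == state))

    def unresolved_total(self):
        return sum(1 for e in self.entries.values() if e["state"] == "INCOMPLETE")

    def set_interface_limit(self, ifname, value):
        """The guide's rule: a limit below the number of neighbors already
        learned on the interface is rejected and does not take effect."""
        if value != 0 and value < self.count(ifname):
            return False
        self.interface_limits[ifname] = value
        return True

    def _interface_full(self, ifname):
        limit = self.interface_limits.get(ifname, 0)
        return limit != 0 and self.count(ifname) >= limit

    def start_resolution(self, ifname, addr):
        """A packet needs a link-layer address we do not have, so an NS would
        be sent and an INCOMPLETE entry created. Refused when either cap is
        reached, which is what keeps a scan of a whole /64 from filling the
        table with entries that never resolve."""
        key = (ifname, addr)
        if key in self.entries:
            return True
        if self.unresolved_limit and self.unresolved_total() >= self.unresolved_limit:
            return False
        if self._interface_full(ifname):
            return False
        self.entries[key] = {"state": "INCOMPLETE", "lladdr": None, "static": False}
        return True

    def learn(self, ifname, addr, lladdr, static=False):
        """An NA arrived (or a static neighbor was configured): record the
        link-layer address. A brand-new entry still counts against the
        per-interface limit; static entries count too, as the guide says."""
        key = (ifname, addr)
        entry = self.entries.get(key)
        if entry is None:
            if self._interface_full(ifname):
                return False
            entry = self.entries[key] = {"state": "INCOMPLETE", "lladdr": None,
                                         "static": False}
        entry["state"] = "REACHABLE"
        entry["lladdr"] = lladdr
        entry["static"] = entry["static"] or static
        return True


if __name__ == "__main__":
    cache = NeighborCache(unresolved_limit=2)
    for host in range(3):   # constructed scan of three unknown addresses
        print(cache.start_resolution("Gi0/1", "2001:db8::%d" % (0x10 + host)))
    print(cache.unresolved_total())
```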
The following commands display internal information of the IPv6 protocol, such as the IPv6 information of an interface,
the neighbor table, and the routing table.
Command Function
show ipv6 interface [ interface-id ] [ ra-info ]
    Display the IPv6 information of the interface.
show ipv6 neighbors [ vrf vrf-name ] [ verbose ] [ interface-id ] [ ipv6-address ]
    Display the neighbor information.
show ipv6 route [ vrf vrf-name ] [ static | local | connected | bgp | rip | ospf | isis ]
    Display the information of the IPv6 routing table.
show ipv6 raw-socket [ num ]
    Display all IPv6 raw sockets.
show ipv6 sockets
    Display all IPv6 sockets.
show ipv6 udp [ local-port num ] [ peer-port num ]
    Display all IPv6 UDP sockets.
show ipv6 udp statistics
    Display IPv6 UDP socket statistics.
2. View the information in the router advertisement (RA) message to be sent on an interface
Configuring DHCP
Introduction to DHCP
The DHCP (Dynamic Host Configuration Protocol), specified in RFC 2131, provides configuration parameters for hosts
on the Internet. DHCP works in client/server mode: the DHCP server assigns IP addresses to hosts dynamically and
provides them with configuration parameters. There are three assignment methods:
1. Assign IP addresses automatically. The DHCP server assigns permanent IP addresses to the clients;
2. Assign IP addresses dynamically. The DHCP server assigns IP addresses that will expire after a period of time to the
clients (or the clients can release the addresses by themselves);
3. Configure IP addresses manually. Network administrators specify IP addresses and send the specified IP addresses to
the clients through the DHCP.
Among the three methods above, only dynamic assignment allows an IP address that a client no longer needs to be
reused.
The DHCP message format is based on that of the BOOTP (Bootstrap Protocol) message. Hence, the device must be able
to act as a BOOTP relay agent and interact with BOOTP clients and DHCP servers. The BOOTP relay agent function
eliminates the need to deploy a DHCP server in every physical network. The DHCP is detailed in RFC 951 and RFC 1542.
As specified in RFC 2131, the Ruijie DHCP server assigns and manages IP addresses for DHCP clients. The DHCP
operation process is shown in the following figure.
1. The host broadcasts a DHCPDISCOVER packet on the network to locate DHCP servers;
2. The DHCP server sends a DHCPOFFER packet in unicast form to the host, including an IP address, MAC address,
domain name and address lease period;
3. The host sends a DHCPREQUEST packet in broadcast form to formally request that the server assign the offered IP
address;
4. The DHCP server sends a DHCPACK packet in unicast form to the host to confirm the request.
The DHCP client may receive DHCPOFFER packets from multiple DHCP servers and may accept any of them;
however, the client usually accepts only the first DHCPOFFER packet received. The address offered in a
DHCPOFFER packet is not necessarily the address finally assigned. Generally, the DHCP server reserves this
address until the client sends a formal request.
The DHCPREQUEST packet is broadcast so that every DHCP server that sent a DHCPOFFER packet receives it and can
release the IP address it offered.
If the DHCPOFFER packet sent to the DHCP client contains invalid parameters, the DHCP client sends a
DHCPDECLINE packet to refuse the assigned configuration.
During negotiation, if the DHCP client does not respond to the DHCPOFFER packet in time, the DHCP server sends a
DHCPNAK packet to the DHCP client, and the client starts the address request process again.
The advantages of using the DHCP server of Ruijie for network construction are:
Decrease network access cost. Generally, dynamic address assignment costs less than static address assignment.
Simplify configuration tasks and reduce network construction cost. Dynamic address assignment significantly
simplifies equipment configuration, and even reduces deployment cost if devices are deployed in the places where
there are no professionals.
Centralized management. During configuration management on several subnets, any configuration parameter can
be changed simply by modifying and updating configurations in the DHCP server.
The DHCP client can obtain IP addresses and other configuration parameters from the DHCP server automatically. The
DHCP client brings the following advantages:
The DHCP client is supported on Ethernet, FR, PPP and HDLC interfaces.
The DHCP relay agent forwards DHCP packets between the DHCP server and DHCP clients. When the DHCP clients and
the server are not on the same subnet, a DHCP relay agent is needed to forward the DHCP request and response
messages. Forwarding by the DHCP relay agent differs from ordinary forwarding: in ordinary forwarding, IP packets are
passed on unaltered and transparently, whereas the DHCP relay agent regenerates a DHCP message it receives before
forwarding it.
From the perspective of the DHCP client, the DHCP relay agent works like a DHCP server. From the perspective of the
DHCP server, the DHCP relay agent works like a DHCP client.
Configuring DHCP
To configure DHCP, perform the following tasks, of which the first three tasks are mandatory.
Enabling the DHCP Server and the DHCP Relay Agent (required)
Configuring DHCP Excluded Addresses (required)
Configuring DHCP Address Pool (required)
Binding Address Manually (optional)
Configuring the Ping Times (optional)
Configuring Ping Packet Timeout (optional)
Ethernet interface DHCP client configuration (optional)
DHCP Client Configuration in PPP Encapsulation link (optional)
DHCP Client Configuration in FR Encapsulation link (optional)
DHCP Client Configuration in HDLC Encapsulation link (optional)
To configure the addresses that must not be assigned to DHCP clients, execute the following commands in the global
configuration mode:
Command Function
Ruijie(config)# ip dhcp excluded-address low-ip-address [ high-ip-address ]
    Define a range of IP addresses that the DHCP server will not assign to DHCP clients.
Ruijie(config)# no ip dhcp excluded-address low-ip-address [ high-ip-address ]
    Remove the configuration.
A good practice in configuring the DHCP server is to prohibit it from assigning any address that has already been
assigned specifically. This provides two advantages: 1) no address conflict will occur; 2) when DHCP assigns addresses,
the time spent on detection is shortened and assignment is therefore more efficient.
You can give the DHCP address pool a meaningful name that is easy to remember. The name of an address pool consists
of characters and digits. Ruijie products allow you to define multiple address pools. The IP address of the DHCP relay
agent in the DHCP request packet determines which address pool is used for address assignment:
If the DHCP request packet does not contain the IP address of a DHCP relay agent, an address from the subnet or
network of the IP address of the interface that received the DHCP request packet is assigned to the DHCP client. If no
address pool is defined for that network segment, address assignment fails.
If the DHCP request packet contains the IP address of a DHCP relay agent, an address from the subnet or network of
that address is assigned to the DHCP client. If no address pool is defined for that network segment, address
assignment fails.
To configure a DHCP address pool, perform the following tasks as appropriate, of which the first three tasks are
mandatory:
Configure an address pool name and enter its configuration mode (required)
Configure a subnet and its mask for the address pool (required)
Configure the default gateway for the DHCP client (required)
Configure the address lease period (optional)
Configure the domain name of the DHCP client (optional)
Configure the domain name server (optional)
Configure the NetBIOS WINS server (optional)
Configure the NetBIOS node type for the DHCP client (optional)
Command Function
pool-status { enable | disable }
    Enable or disable the DHCP address pool, in DHCP address pool configuration mode.
    enable: Enables the address pool.
    disable: Disables the address pool.
To configure an address pool name and enter the address pool configuration mode, execute the following command in the
global configuration mode:
Command Function
Command Function
dynamic-pool
    Enable the fit AP to calculate the network number and mask of the dynamic DHCP address pool according to its
    MAC address, in ap-config/ap-group mode.
no dynamic-pool
    Remove the setting.
The following example enables the fit AP to calculate the network number and mask of the dynamic DHCP address pool
according to its MAC address:
Ruijie(config-group)# dynamic-pool
The boot image file is the file used when the client starts. It is often the operating system image that the DHCP client
downloads.
To configure the boot file for the DHCP client, execute the following command in the address pool configuration mode:
Command Function
Ruijie(dhcp-config)# bootfile filename
    Configure the name of the boot file for the DHCP client.
The IP address of the default gateway must be in the same network as the IP address of the DHCP client.
To configure the default gateway for the DHCP client, execute the following command in the address pool configuration
mode:
Command Function
Ruijie(dhcp-config)# default-router address [ address2…address8 ]
    Configure the default gateway.
By default, the lease of an address that the DHCP server assigns to a client is one day. The client must request a renewal
before the lease expires; otherwise, it can no longer use the address once the lease has expired.
To configure the address lease period, execute the following command in the address pool configuration mode:
Command Function
Ruijie(dhcp-config)# lease { days [ hours ] [ minutes ] | infinite }
    Configure the address lease period.
The domain name of the DHCP client can be specified. The domain name suffix is then automatically appended to an
incomplete host name to form a complete host name when the DHCP client accesses network resources by host name.
To configure the domain name of the DHCP client, execute the following command in the address pool configuration
mode:
Command Function
Ruijie(dhcp-config)# domain-name domain
    Configure the domain name.
A DNS server should be specified for domain name resolution when the DHCP client accesses the network resources
using a host name.
To configure a domain name server for the DHCP client, execute the following command in the address pool configuration
mode:
Command Function
Ruijie(dhcp-config)# dns-server address [ address2…address8 ]
    Configure a DNS server.
WINS is a name resolution service from Microsoft that TCP/IP networks use to resolve a NetBIOS name to an IP
address. The WINS server runs on Windows NT. After starting, the WINS server receives registration requests from
WINS clients. When a WINS client shuts down, it sends a name release message to the WINS server so that the WINS
database stays consistent with the computers actually available on the network.
To configure a NetBIOS WINS server for the DHCP client, execute the following command in the address pool
configuration mode:
Command Function
Ruijie(dhcp-config)# netbios-name-server address [ address2…address8 ]
    Configure a NetBIOS WINS server.
There are four types of NetBIOS nodes for Microsoft DHCP client:
By default, the Windows operation systems support broadcast or hybrid type NetBIOS nodes. If no WINS server is
configured, the node is of broadcast type. If a WINS server is configured, the node is of hybrid type.
To configure the NetBIOS node type for the DHCP client, execute the following command in the address pool
configuration mode:
Command: Ruijie(dhcp-config)# netbios-node-type type
Function: Configure the NetBIOS node type.
Configuring the Network Number and Mask of the DHCP Address Pool
To configure dynamic address binding, you must configure the subnet and its mask for the new address pool. A DHCP
address pool provides the DHCP server with an address space that can be assigned to clients. All the addresses in the
address pool are available for the DHCP clients unless address exclusion is configured. The DHCP server assigns the
addresses in the address pool in sequence. If an address already exists in the binding table or this address is detected to
be already present in this network segment, the DHCP server will check the next address until it assigns a valid address.
To configure the subnet and its mask of the DHCP address pool, execute the following commands in the address pool
configuration mode:
Command: Ruijie(dhcp-config)# network network-number mask
Function: Configure the network number and mask of the DHCP address pool.
For the DHCP dynamic address pool of Ruijie products, addresses are assigned based on the physical address and ID of a DHCP client, so there must not be two leases for the same DHCP client in the dynamic address pool. If path redundancy exists between the DHCP client and the DHCP server (the client can reach the server both directly and through a relay), the DHCP server may fail to assign addresses.
To avoid this problem, administrators should eliminate path redundancy between DHCP clients and the DHCP server by adjusting physical links or network paths.
Generally, the DHCP relay agent inserts Option 82 (relay agent information) while forwarding packets, carrying information about the client such as the VLAN to which the client belongs, the slot number, the port number or the user's 802.1X class. On receipt of such packets, the DHCP server parses the Option 82 information and allocates addresses according to it. For example, Option 82 can be used to allocate a particular range of IP addresses to clients belonging to a certain VLAN or user class. This feature is useful whenever a specific range of IP addresses must be allocated according to the user's network location (VLAN, slot number or port number) or the user's priority.
Each DHCP address pool can allocate addresses using Option 82 information. Option 82 information will be matched and
classified, and we can specify the allocable address range for the corresponding class. One DHCP address pool can be
associated with multiple classes, and different address ranges can be specified for each class.
During address allocation, the server first determines the address pool from the network segment to which the client belongs, then determines the CLASS from the Option 82 information, and allocates an IP address from the address range corresponding to that CLASS. When a request packet matches multiple classes in the address pool, addresses are allocated from the ranges of those classes in the order in which the classes are configured in the pool: if one class has no allocable address left, the address range of the next matching class is used, and so on. Each class corresponds to one address range, and addresses within a range are allocated from low to high. Multiple classes can be configured with the same address range. If a class is associated with the address pool but no address range is configured for it, the default address range of that class is the whole network segment of the address pool.
To configure the CLASS associated with address pool and the address range corresponding to the class, execute the
following commands in address pool configuration mode:
Command: Ruijie(dhcp-config)# class class-name
Function: Configure the name of the associated class and enter the class configuration mode of the address pool.
Command: Ruijie(config-dhcp-pool-class)# address range low-ip-address high-ip-address
Function: Configure the corresponding address range.
1. If the class configured here does not exist as a global class, a global class of that name is created automatically.
2. A class associated with an address pool may conflict with a static manual binding; the two must not be configured in the same pool.
3. Up to 5 classes can be configured for each address pool.
Command: update arp
Function: Enable DHCP to add a trusted ARP entry when allocating an address (DHCP address pool configuration mode).
Command: no update arp
Function: Restore the default setting.
Command: default update arp
Function: Restore the default setting.
A trusted ARP entry has a higher priority than a dynamic ARP entry and cannot be overwritten by one.
The following example enables DHCP to add trusted ARP entries when allocating addresses. This command is configured on the DHCP server and is used together with a supervlan.
Configuring AM Rule
To enter AM rule configuration mode, execute the following command in global configuration mode:
Ruijie(config)#address-manage
Command: match ip ip-address netmask [ interface ] [ add/remove ] vlan vlan-list
Function: Define an AM rule in AM rule configuration mode.
  ip-address: IP address
  netmask: subnet mask
  interface: interface ID
  add/remove: adds or removes the specified VLAN
  vlan-list: VLAN ID
Command: no match ip ip-address netmask [ interface ] [ add/remove ] vlan vlan-list
Function: Restore the default setting.
With this function enabled, all DHCP clients without a VLAN+port or VLAN configuration obtain addresses according to the default rule. If a DHCP client obtains a static address in a subvlan, it gets that static address whichever subvlan it is in. AM rule configuration is based on VLAN and applies only to static addresses.
Configuring Class
The Option 82 matching information for each CLASS is configured after entering CLASS configuration mode from global configuration mode. One CLASS can carry multiple Option 82 patterns, and a packet is considered matched if it matches any one of them. If no matching information is configured for a CLASS, that CLASS matches any request packet that carries Option 82. An address is allocated from the class's range in the corresponding address pool only after the request packet has matched that CLASS.
To configure global CLASS and the Option 82 information corresponding to the CLASS, execute the following commands
in global configuration mode:
Command: Ruijie(config)# ip dhcp class class-name
Function: Configure the CLASS name and enter global CLASS configuration mode.
Command: Ruijie(config-dhcp-class)# relay agent information
Function: Enter Option 82 matching information configuration mode.
Command: Ruijie(config-dhcp-class-relayinfo)# relay-information hex aabb.ccdd.eeff… [*]
Function: Configure specific Option 82 matching information. aabb.ccdd.eeff… is the hexadecimal Option 82 content to match. A trailing * selects prefix matching: the packet is considered matched if the information before the * matches.
To configure remark information to describe the meaning of CLASS, execute the following commands in global
configuration mode:
Command: Ruijie(config)# ip dhcp class class-name
Function: Configure the CLASS name and enter CLASS configuration mode.
Command: Ruijie(config-dhcp-class)# remark used in #1 building
Function: Configure remark information.
To configure address allocation using CLASS, execute the following commands in global configuration mode:
Command: Ruijie(config)# ip dhcp use class
Function: Configure address allocation using CLASS.
This command is enabled by default. Use the no form of the command to disable address allocation using CLASS.
Manual binding: the administrator configures a static IP address to MAC address (or client ID) mapping for a DHCP client on the DHCP server. A manual binding is in effect a special address pool containing a single host.
Dynamic binding: upon receiving a DHCP request from a client, the DHCP server dynamically assigns an IP address from the DHCP address pool and records the mapping between that IP address and the client's MAC address.
To define a manual address binding, first define a host address pool for each binding, then define the IP address and the hardware address (MAC address) or client ID of the DHCP client. Microsoft clients are generally identified by a client ID rather than a MAC address; the client ID consists of the media type code followed by the MAC address. For the media type codes, refer to Address Resolution Protocol Parameters in RFC 1700. The code for Ethernet is "01".
To configure a manual address binding, execute the following commands, the first in global configuration mode and the rest in the address pool configuration mode it enters:
Command: Ruijie(config)# ip dhcp pool name
Function: Define the name of the DHCP address pool and enter DHCP configuration mode.
Command: Ruijie(dhcp-config)# host address
Function: Define the IP address for the DHCP client.
Command: Ruijie(dhcp-config)# hardware-address hardware-address type
Function: Define a hardware address for the DHCP client, such as aabb.bbbb.bb88.
Command: Ruijie(dhcp-config)# client-identifier unique-identifier
Function: Define an ID for the DHCP client, such as 01aa.bbbb.bbbb.88.
Command: Ruijie(dhcp-config)# client-name name
Function: (Optional) Define the client name using standard ASCII characters. Do not include the domain name in the client name: for the host mary, define mary, not mary.rg.com.
To configure the number of Ping packets, execute the following commands in the global configuration mode:
Command: Ruijie(config)# ip dhcp ping packets number
Function: Configure the number of ping packets the DHCP server sends before assigning an address. If set to 0, no ping is performed. The default value is 2.
To configure the Ping packet timeout, execute the following commands in the global configuration mode:
Command: Ruijie(config)# ip dhcp ping timeout milliseconds
Function: Configure the ping timeout for the DHCP server. The default value is 500 ms.
To configure the DHCP client on the Ethernet port, execute the following command in the interface configuration mode:
Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP.
For some products in v10.1, the DHCP client supports obtaining an IP address from the DHCP server over point-to-point links with PPP, HDLC or FR encapsulation.
Clear commands, used to clear such information as DHCP address binding, address conflict and server
statistics;
Debug commands, used to output necessary debugging information. Such commands are mainly used to diagnose
and fix faults;
Show commands, used to show information about DHCP.
Ruijie products provide the following clear commands. To clear information, execute them in the command execution mode:
Command: Ruijie# clear ip dhcp binding { address | * }
Function: Clear the DHCP address binding information.
Command: Ruijie# clear ip dhcp conflict { address | * }
Function: Clear the DHCP address conflict information.
Command: Ruijie# clear ip dhcp server statistics
Function: Clear the DHCP server statistics.
Command: Ruijie# clear ip dhcp history { * | mac-address }
Function: Clear the DHCP history.
Command: Ruijie# clear ip dhcp relay statistics
Function: Clear the DHCP relay statistics.
Command: Ruijie# clear ip dhcp server rate
Function: Clear the statistics on the packet processing rate of every module.
To debug the DHCP server, execute the following command in the command execution mode:
Command: Ruijie# debug ip dhcp server [ events | packet ]
Function: Debug the DHCP server.
To show the working status of the DHCP server, execute the following commands in the command execution mode:
Command: Ruijie# show ip dhcp binding [ address ]
Function: Show the DHCP address binding information.
Command: Ruijie# show ip dhcp conflict
Function: Show the DHCP address conflict information.
Command: Ruijie# show ip dhcp server statistics
Function: Show the DHCP server statistics.
Command: Ruijie# show ip dhcp relay-statistics
Function: Show the DHCP relay statistics.
Command: Ruijie# show ip dhcp socket
Function: Show the socket used by the DHCP server.
To debug the DHCP client, execute the following command in the command execution mode:
Command: Ruijie# debug ip dhcp client
Function: Debug the DHCP client.
To show information about the lease that the DHCP client obtains, execute the following command in the command
execution mode:
Command: Ruijie# show dhcp lease
Function: Show the information about the DHCP lease.
In the following example, an address pool of "net82" is defined; the address pool is in the network segment of
172.16.1.0/24, and the associated classes include class1, class2, class3 and class4. Class1 will allocate addresses from
the range of 172.16.1.1-172.16.1.8; class2 will allocate addresses from the range of 172.16.1.9-172.16.1.18; class3 will
allocate addresses from the range of 172.16.1.19-172.16.1.28; class4 has no defined address range, and will allocate
addresses from the range of entire network segment. Configure class1 to match Option 82 information of 0100002120,
class2 to match 0106020145, class3 to match 06020506*, and class4 to match any information.
!
ip dhcp class class1
relay agent information
relay-information hex 0100002120
!
ip dhcp class class2
relay agent information
relay-information hex 0106020145
!
ip dhcp class class3
relay agent information
relay-information hex 06020506*
!
ip dhcp class class4
!
ip dhcp pool net82
network 172.16.1.0 255.255.255.0
class class1
address range 172.16.1.1 172.16.1.8
class class2
address range 172.16.1.9 172.16.1.18
class class3
address range 172.16.1.19 172.16.1.28
class class4
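The allocation rules described in this chapter (Option 82 CLASS matching with a trailing *, class ranges tried in configuration order, sequential low-to-high allocation that skips excluded and bound addresses, manual bindings keyed by a client-identifier of the form 01 + MAC) can be checked against a small model. The following Python is an added example written for this guide; it is not Ruijie code and does not claim to reproduce RGOS internals. It rebuilds the net82 pool from the example above and the "static" pool from the application case below, but the DhcpClass and DhcpPool names, the sample client MACs and the Option 82 values other than those in the example are invented. One point the model makes explicit: the client-identifier and the Option 82 content are supplied by the client and the relay, so a manual binding or a class range only restricts which address is handed out; it does not authenticate the client.

```python
"""Added example (not Ruijie code): a model of the DHCPv4 pool behaviour
described on this page. Names such as DhcpClass, DhcpPool and the sample
client MACs are invented for the model; the net82 classes and ranges are
the ones from the configuration example above."""
import ipaddress
import re


def client_identifier(mac, hardware_type=0x01):
    """Client-identifier for a manual binding: the hardware type byte
    (0x01 = Ethernet) followed by the MAC, in dotted 16-bit groups as the
    guide writes it, e.g. 0013.2049.9014 -> 0100.1320.4990.14."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    raw = "%02x%s" % (hardware_type, digits)            # 14 hex digits
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def option82_matches(pattern, relay_info):
    """A pattern ending in '*' matches any relay-agent information that
    starts with the hex digits before the '*'; otherwise exact match."""
    pattern, relay_info = pattern.lower(), relay_info.lower()
    if pattern.endswith("*"):
        return relay_info.startswith(pattern[:-1])
    return relay_info == pattern


class DhcpClass:
    """A global CLASS with zero or more Option 82 hex patterns. A class
    with no patterns matches any request that carries Option 82 at all."""

    def __init__(self, name, patterns=()):
        self.name = name
        self.patterns = list(patterns)

    def matches(self, relay_info):
        if relay_info is None:                   # request carried no Option 82
            return False
        return not self.patterns or any(
            option82_matches(p, relay_info) for p in self.patterns)


class DhcpPool:
    """A dynamic pool with excluded addresses, manual bindings and
    associated classes tried in configuration order."""

    def __init__(self, network):
        self.network = ipaddress.ip_network(network)
        hosts = list(self.network.hosts())
        self.first, self.last = hosts[0], hosts[-1]
        self.excluded = set()
        self.classes = []        # (DhcpClass, low, high) in configuration order
        self.manual = {}         # client-identifier -> reserved address
        self.bindings = {}       # client-identifier -> leased address

    def exclude(self, low, high=None):
        """ip dhcp excluded-address LOW [HIGH]"""
        lo, hi = int(ipaddress.ip_address(low)), int(ipaddress.ip_address(high or low))
        self.excluded.update(ipaddress.ip_address(n) for n in range(lo, hi + 1))

    def add_class(self, cls, low=None, high=None):
        """class NAME / address range LOW HIGH; no range means the whole network."""
        lo = ipaddress.ip_address(low) if low else self.first
        hi = ipaddress.ip_address(high) if high else self.last
        self.classes.append((cls, lo, hi))

    def bind_manual(self, client_id, address):
        """host ADDRESS + client-identifier ID: reserved for that client only."""
        self.manual[client_id] = ipaddress.ip_address(address)

    def allocate(self, client_id, relay_info=None):
        """Return the client's address, or None when nothing is free. A client
        that already holds a lease gets the same address back (one lease per
        client, as the guide notes)."""
        if client_id in self.bindings:
            return self.bindings[client_id]
        if client_id in self.manual:
            self.bindings[client_id] = self.manual[client_id]
            return self.bindings[client_id]
        if self.classes:
            # Assumption: a request matching no class of a class-restricted
            # pool gets nothing; the guide does not spell this case out.
            ranges = [(lo, hi) for cls, lo, hi in self.classes if cls.matches(relay_info)]
        else:
            ranges = [(self.first, self.last)]
        in_use = set(self.bindings.values()) | set(self.manual.values()) | self.excluded
        for lo, hi in ranges:                          # classes in configured order
            for n in range(int(lo), int(hi) + 1):      # low to high within a range
                addr = ipaddress.ip_address(n)
                if addr not in in_use:
                    self.bindings[client_id] = addr
                    return addr
        return None


def build_net82_pool():
    """The net82 example above: three classes with ranges, class4 unrestricted."""
    pool = DhcpPool("172.16.1.0/24")
    pool.add_class(DhcpClass("class1", ["0100002120"]), "172.16.1.1", "172.16.1.8")
    pool.add_class(DhcpClass("class2", ["0106020145"]), "172.16.1.9", "172.16.1.18")
    pool.add_class(DhcpClass("class3", ["06020506*"]), "172.16.1.19", "172.16.1.28")
    pool.add_class(DhcpClass("class4"))
    return pool


if __name__ == "__main__":
    pool = build_net82_pool()
    for mac, info in [("0013.2049.9014", "0100002120"), ("0013.2049.9015", "0602050699"),
                      ("0013.2049.9016", "deadbeef")]:       # constructed sample requests
        print(mac, info, "->", pool.allocate(client_identifier(mac), info))
```

Running the model against the example shows the ordering rule at work: a request carrying 0100002120 matches both class1 and class4, so it is served from 172.16.1.1-8 first and only falls through to the whole segment once those eight addresses are gone, while a request whose Option 82 matches nothing but the unrestricted class4 takes the lowest address that is still free anywhere in the /24.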
Topological Diagram
Application Requirements
Switch A serves as a DHCP server that allocates dynamic IP addresses to some clients and fixed IP addresses to others.
The DNS server provides domain name resolution for the addresses the DHCP server allocates, so that clients can reach network resources by host name. The WINS server translates host names into IP addresses for hosts communicating over NetBIOS.
Configuration Tips
1. Enable the DHCP server on Switch A and create an address pool for dynamic IP address allocation. Also create an address pool that binds an IP address manually.
2. Specify the name server addresses (the DNS server and WINS server addresses in this example) and the client domain name in each address pool.
This example only illustrates the configuration of the DHCP server features on Switch A. On Switch B, all access users belong to VLAN 1 by default, and an access PC obtains a dynamically allocated IP address. For other applications, refer to the relevant configuration sections.
Configuration Steps
Step 1: On Switch A, create a new DHCP address pool and configure dynamic IP address allocation.
! Configure the name of the address pool as "dynamic" and enter DHCP configuration mode.
SwitchA(config)#ip dhcp pool dynamic
! In DHCP configuration mode, configure the network allocable to clients and the default gateway of this network segment.
SwitchA(dhcp-config)#network 192.168.1.0 255.255.255.0
SwitchA(dhcp-config)#default-router 192.168.1.1
Step 2: Specify the DNS server for the "dynamic" address pool and configure the client domain name.
! Assuming the DNS server address is 192.168.1.2, configure the domain name server in the address pool and set the client domain name to ruijie.com.
SwitchA(dhcp-config)#dns-server 192.168.1.2
SwitchA(dhcp-config)#domain-name ruijie.com
Step 3: Specify the WINS server for the "dynamic" address pool and configure the client NetBIOS node type.
! Assuming the WINS server address is 192.168.1.3, configure the NetBIOS WINS server in the address pool and set the NetBIOS node type to hybrid.
SwitchA(dhcp-config)#netbios-name-server 192.168.1.3
SwitchA(dhcp-config)#netbios-node-type h-node
Step 4: Exclude the addresses already in use from dynamic allocation.
! As shown above, 192.168.1.1, 192.168.1.2 and 192.168.1.3 are used by the gateway, DNS server and WINS server. Configuring them as excluded addresses ensures they are not allocated to clients.
SwitchA(dhcp-config)#exit
SwitchA(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.3
Step 5: Create another address pool and bind an IP address manually.
! Configure the name of the address pool as "static" and enter DHCP configuration mode.
SwitchA(config)#ip dhcp pool static
! Manually bind the IP address 192.168.1.4/24 to the MAC address 0013.2049.9014, with the client name "admin".
SwitchA(dhcp-config)#host 192.168.1.4 255.255.255.0
SwitchA(dhcp-config)#client-identifier 0100.1320.4990.14
SwitchA(dhcp-config)#client-name admin
Note: The client identifier must start with the network media type ("01" for Ethernet), so the identifier of the client with the manually bound MAC address 0013.2049.9014 is 0100.1320.4990.14.
Step 6: Specify the gateway address for the "static" address pool.
SwitchA(dhcp-config)#default-router 192.168.1.1
Step 7: Specify the DNS server for the "static" address pool and configure the client domain name.
! Assuming the DNS server address is 192.168.1.2, configure the domain name server in the address pool and set the client domain name to ruijie.com.
SwitchA(dhcp-config)#dns-server 192.168.1.2
SwitchA(dhcp-config)#domain-name ruijie.com
Step 8: Specify the WINS server for the "static" address pool and configure the client NetBIOS node type.
! Assuming the WINS server address is 192.168.1.3, configure the NetBIOS WINS server in the address pool and set the NetBIOS node type to hybrid.
SwitchA(dhcp-config)#netbios-name-server 192.168.1.3
SwitchA(dhcp-config)#netbios-node-type h-node
SwitchA(dhcp-config)#exit
Step 9: Configure the SVI of VLAN 1 and enable the DHCP server.
! By default, all access clients belong to VLAN 1; configure the SVI of VLAN 1 as 192.168.1.1/24.
SwitchA(config)#interface vlan 1
SwitchA(config-if)#ip address 192.168.1.1 255.255.255.0
SwitchA(config-if)#exit
SwitchA(config)#service dhcp
Verification
SwitchA#show running-config
!
service dhcp
!
ip dhcp excluded-address 192.168.1.1 192.168.1.3
!
ip dhcp pool dynamic
netbios-node-type h-node
netbios-name-server 192.168.1.3
domain-name ruijie.com
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.2
default-router 192.168.1.1 255.255.255.0
!
ip dhcp pool static
client-name admin
client-identifier 0100.1320.4990.14
host 192.168.1.4 255.255.255.0
netbios-node-type h-node
netbios-name-server 192.168.1.3
domain-name ruijie.com
dns-server 192.168.1.2
default-router 192.168.1.1 255.255.255.0
!
interface VLAN 1
no ip proxy-arp
ip address 192.168.1.1 255.255.255.0
Step 2: Connect two PCs to Switch B, one of them with the MAC address 0013.2049.9014, and view the IP addresses allocated by the DHCP server on Switch A.
Configuring DHCPv6
DHCPv6 Overview
With the growth of IPv6 networks, IPv6-based networking is being applied more and more widely. Automatic configuration of network nodes, part of the framework proposed at the start of IPv6 design, has become a key feature of IPv6 networks. This framework introduced the concepts of stateless and stateful configuration. With stateless auto-configuration, a new node completes all of its configuration from Router Advertisements; with stateful auto-configuration, the node interacts with a configuration server on the network to obtain its network address and other parameters. DHCPv6, the only stateful configuration model developed so far, is fully described in RFC 3315.
RFC 3315 (Dynamic Host Configuration Protocol for IPv6) gives a fairly complete description of the DHCPv6 application model. Like the DHCPv4 framework, it is composed of a DHCP server, DHCP clients and DHCP relays. Configuration parameters are obtained through the interaction between clients and the server, while a relay links clients to a server outside the local link. Message interaction and parameter maintenance basically follow DHCPv4 practice, but DHCPv6 adapts the message structure and process to the new network.
Stateless auto-configuration: Network nodes will acquire configuration parameters from route advertisement.
Stateful auto-configuration: Network nodes will acquire configuration parameters from the DHCPv6 server.
As shown in the figure above, a new network node (host or interface) sends a multicast Solicit message to all DHCPv6 servers and relays on the local link (address FF02::1:2, port 547), and each DHCPv6 server replies with a unicast Advertise message. After selecting a server, the client sends a Request message for configuration information, and the server sends a Reply message once it has allocated the parameters.
This 4-message interaction is very similar to the 4-message interaction in DHCPv4 (Discover - Offer - Request - Ack). DHCPv6 does, however, make further modifications and extensions:
Multicast is used instead of broadcast, because broadcast does not exist in IPv6.
Configuration Guide Configuring DHCPv6
With the Rapid Commit option, the 4-message interaction can be reduced to 2 messages (Solicit - Reply).
New message structure. DHCPv6 has greatly changed the DHCPv4 message format and removed the optional parameters from the message header. Only the few fields used in every interaction are kept; all other optional fields are encapsulated in the option field of the message. When a relay is involved, the message the client sends to the server is encapsulated whole, as an option, inside the relay message.
New address parameters. As noted above, the address field has been removed from the fixed header of the DHCPv6 message; all address parameters and the related time parameters are encapsulated in an option called an IA (Identity Association). Each DHCPv6 client is associated with an IA, and each IA can contain multiple addresses and their time information. IAs are typed by the kind of address they hold, such as IA_NA (identity association for non-temporary addresses) and IA_TA (identity association for temporary addresses).
Stateless DHCPv6 auto-configuration. During node auto-configuration, address configuration is independent of parameter configuration, and each can be obtained through DHCP, so a node can obtain non-address parameters alone from the DHCPv6 server. Compared with the allocation method used in DHCPv4, this is a significant change; details are in RFC 3736.
Prefix delegation. Besides IPv6 addresses, network prefixes can also be delegated via DHCPv6, which is again owed to the IA definition: a prefix can be delegated to the client, with its time parameters, simply by adding a new IA type. This type is called IA_PD (Identity Association for Prefix Delegation) and is detailed in RFC 3633.
A 128-bit IPv6 address is usually written in hexadecimal, which makes manual address allocation difficult. Because the format is inconvenient for people to handle, automatic allocation of IPv6 addresses is a key part of network planning. To allocate addresses with little or no manual intervention, many mechanisms have been developed to handle the addresses and parameters allocated to IPv6 hosts. Several IPv6 address allocation methods are described below:
Manual allocation
An IPv6 address is configured statically by hand. This method suits router interfaces and static network parameters, but it is error-prone.
Stateless address auto-configuration allocates addresses to IPv6 nodes without manual intervention. A node using this method must be connected through the network to at least one IPv6 router, which the administrator configures to send Router Advertisement messages on the link. The node receives these messages and configures its IPv6 address and routing parameters from them.
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) defined by RFC3315 enables DHCP Server to send
configuration parameters such as IPv6 address to IPv6 nodes. The protocol enables adding network addresses flexibly
and using them repeatedly.
DHCPv6-PD method
DHCPv6 Prefix Delegation (DHCPv6-PD), defined by RFC 3633, is built on DHCPv6. In the typical DHCPv6 method, the DHCPv6 server allocates stateful IPv6 addresses to DHCPv6 clients. DHCPv6-PD extends this so that the DHCPv6-PD server allocates a complete subnet, together with other network and interface parameters, to the DHCPv6-PD client by delegating prefix information.
The stateless DHCPv6 method combines stateless address auto-configuration with stateful DHCPv6: the device obtains its IPv6 address through stateless auto-configuration and uses DHCPv6 to obtain the other parameters that stateless auto-configuration cannot supply, then completes its configuration from that information.
In network planning, the above-mentioned IPv6 address and parameter allocation methods can be used
concurrently.
Ruijie DHCPv6 Server supports both IPv6 address allocation and prefix allocation. Address allocation assigns IPv6 addresses to DHCPv6 clients automatically; prefix allocation enables flexible, automatic site-level configuration and control of the site address space. Terminals such as PCs can use stateless or stateful auto-configuration to obtain addresses and other network parameters automatically.
Ruijie DHCPv6 Server also acts as a DHCPv6-PD server. The DHCPv6 server and the DHCPv6-PD server are collectively referred to as the DHCPv6 server.
Application of DHCPv6
The DHCPv6 server allocates IA_PD and IA_NA. IA_NA allocation is the automatic allocation of IPv6 addresses to DHCP clients, similar to DHCPv4. IA_PD allocation allows flexible site-level auto-configuration to control the address range of sites. Terminal devices (such as PCs) obtain their addresses via stateless or stateful auto-configuration.
The above figure illustrates the application of prefix-based DHCPv6 in IPv6 network.
IPv6 multi-service router runs the DHCPv6 client on the interface connecting to the core router, acquiring prefix
space from the core router and storing it in the global prefix pool of IPv6.
IPv6 multi-service router enables auto-configuration on the interface connecting to the desktop computer and runs
interface-based router advertisement or address assignment (NA) based DHCPv6 server.
The desktop computer completes address and parameter configuration via ND or address assignment (NA) based
DHCPv6 client.
The DHCP client (host, node) sends out prefix delegation (PD) based multicast solicit message within the link to look
for DHCPv6 servers.
The DHCP servers will send unicast advertisement message to the DHCP client after receiving such solicitation
message.
The DHCP client will select one server and send a multicast request message.
The DHCP server will then send a unicast reply message to complete address assignment.
In the IPv6 network, DHCPv6 can be applied to enable user terminals to obtain IPv6 addresses and related parameters
automatically.
1) The DHCPv6 client sends a Solicit packet to destination address FF02::1:2 and destination UDP port 547 to request DHCP service. All DHCPv6 servers on the link receive the packet.
2) Each DHCPv6 server that receives the Solicit replies with a unicast Advertise packet stating that it can provide DHCP service.
3) The DHCPv6 client chooses one of the servers that sent an Advertise and sends a Request packet to destination address FF02::1:2 and UDP port 547 announcing which server it has chosen. All DHCPv6 servers on the link receive the packet.
4) The chosen DHCPv6 server receives the Request and sends a unicast Reply packet announcing the IPv6 address allocated to the client and other information.
FF02::1:2 is the multicast address of all DHCPv6 servers and relays on the link. Solicit and Request packets use it as their destination address and are therefore only transmitted within the link.
DUID Overview
DUID stands for DHCP Unique Identifier. RFC 3315 defines that each DHCPv6 device (client, relay and server) must have a DHCPv6 unique identifier that identifies it during the exchange of DHCPv6 messages between devices. A DUID must not be used for any other purpose. For all DHCPv6 devices, the DUID must be globally unique and stable: for example, a device's DUID must remain the same when any part of the device is replaced. A DUID has a maximum length of 128 bytes. The protocol defines three types of DUID: DUID-LLT (type 1, link-layer address plus time), DUID-EN (type 2, enterprise number plus vendor-assigned identifier) and DUID-LL (type 3, link-layer address).
Currently, Ruijie DHCPv6 devices use DUID-LL. The structure of a DUID-LL is as follows:
Figure 1-4
DUID type: the DUID-LL type value, 0x0003. Hardware type: the hardware type supported by the device, Ethernet, value 0x0001. Link-layer address: the device's MAC address.
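The four-message exchange (and its two-message Rapid Commit form) and the DUID-LL layout described above, as an added example that is not part of this guide or of Ruijie's implementation: a minimal client and server built from raw RFC 3315 bytes in Python. The Server class, run_exchange, the MAC addresses, the 2001:db8:1::/64 pool and the lifetimes are constructed for the example, and the toy server reserves a binding as soon as it advertises, which a real server need not do. The server keeps its binding table keyed by (client DUID, IA type, IAID), as the binding description in this chapter states. Note that nothing in this exchange authenticates either side: any node on the link that listens on UDP port 547 can answer a Solicit.

```python
"""Added example (not Ruijie code): the RFC 3315 Solicit/Advertise/Request/
Reply exchange built from raw bytes, with DUID-LL identifiers and an IA_NA
carrying one IAADDR. Server, run_exchange, the MACs, the 2001:db8:1::/64
pool and the lifetimes are constructed for this example."""
import ipaddress
import struct

ALL_DHCP_RELAY_AGENTS_AND_SERVERS = ("ff02::1:2", 547)   # Solicit/Request destination
CLIENT_PORT = 546                                          # Advertise/Reply destination
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RAPID_COMMIT = 1, 2, 3, 5, 14
DUID_LL, HW_ETHERNET = 3, 1


def duid_ll(mac):
    """DUID-LL: 2-byte DUID type (3), 2-byte hardware type (1), link-layer address."""
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + bytes.fromhex(mac.replace(":", "").replace(".", ""))


def option(code, payload):
    """One DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def parse_options(data):
    """TLV options -> {code: payload}; rejects a truncated option."""
    opts, i = {}, 0
    while i < len(data):
        code, length = struct.unpack_from("!HH", data, i)
        payload = data[i + 4:i + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = payload
        i += 4 + length
    return opts


def message(msg_type, xid, options):
    """The fixed header is only msg-type (1 byte) and transaction-id (3 bytes)."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options


def parse_message(data):
    return data[0], int.from_bytes(data[1:4], "big"), parse_options(data[4:])


def ia_na(iaid, t1=0, t2=0, addr=None, preferred=0, valid=0):
    """IA_NA option: IAID, T1, T2, then an IAADDR sub-option once an address is assigned."""
    body = struct.pack("!III", iaid, t1, t2)
    if addr is not None:
        body += option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))
    return option(OPT_IA_NA, body)


class Server:
    """Toy DHCPv6 server; bindings are keyed by (client DUID, IA type, IAID)."""

    def __init__(self, mac, pool):
        self.duid = duid_ll(mac)
        self.free = ipaddress.ip_network(pool).hosts()
        self.bindings = {}

    def lease(self, client_duid, ia_na_payload):
        iaid = struct.unpack_from("!I", ia_na_payload)[0]
        key = (client_duid, OPT_IA_NA, iaid)
        if key not in self.bindings:                 # new IA: take the next free address
            self.bindings[key] = next(self.free)
        return ia_na(iaid, 1800, 2880, self.bindings[key], 3600, 7200)

    def handle(self, data):
        """Advertise for a Solicit; Reply for a Request or a Rapid Commit Solicit."""
        msg_type, xid, opts = parse_message(data)
        if msg_type == REQUEST and opts.get(OPT_SERVERID) != self.duid:
            return b""                               # the client chose another server
        rapid = msg_type == SOLICIT and OPT_RAPID_COMMIT in opts
        body = option(OPT_SERVERID, self.duid) + option(OPT_CLIENTID, opts[OPT_CLIENTID])
        body += self.lease(opts[OPT_CLIENTID], opts[OPT_IA_NA])  # reserves on Advertise too
        if rapid:
            body += option(OPT_RAPID_COMMIT, b"")
        return message(REPLY if (msg_type == REQUEST or rapid) else ADVERTISE, xid, body)


def run_exchange(client_mac, server, iaid=1, rapid_commit=False):
    """Client side: 4 messages, or 2 with Rapid Commit. Returns the leased address."""
    client_duid = duid_ll(client_mac)
    wanted = option(OPT_CLIENTID, client_duid) + ia_na(iaid)
    if rapid_commit:
        wanted += option(OPT_RAPID_COMMIT, b"")
    msg_type, xid, opts = parse_message(server.handle(message(SOLICIT, 0xABCDEF, wanted)))
    if msg_type == ADVERTISE:                        # pick this server and ask it explicitly
        request = message(REQUEST, 0x123456, wanted + option(OPT_SERVERID, opts[OPT_SERVERID]))
        msg_type, xid, opts = parse_message(server.handle(request))
    if msg_type != REPLY or opts[OPT_CLIENTID] != client_duid:
        raise RuntimeError("unexpected message type %d" % msg_type)
    ia = parse_options(opts[OPT_IA_NA][12:])         # skip IAID, T1, T2
    return str(ipaddress.IPv6Address(ia[OPT_IAADDR][:16]))


if __name__ == "__main__":
    server = Server("00:11:22:33:44:55", "2001:db8:1::/64")
    print(run_exchange("00:13:20:49:90:14", server))                      # 2001:db8:1::1
    print(run_exchange("00:13:20:49:90:15", server, rapid_commit=True))   # 2001:db8:1::2
```

Two details worth noticing when reading the bytes: the fixed header really is just four bytes (type plus transaction-id), everything else travelling as options, and because the binding key includes the IAID, the same client DUID asking for a second IA (a second interface, say) gets a second address rather than the first one back.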
Unlike a DHCPv4 server, a DHCPv6 server allocates an identity association (IA) rather than a bare address to each client. The server allocates addresses on a per-IA basis, and each IA has a unique identifier, the IAID, generated by the DHCPv6 client. Each IA belongs to exactly one client and can contain multiple addresses; the client may assign addresses in the IA to other interfaces on the device. According to the type of address they contain, IAs are divided into three types: IA_NA, IA_TA and IA_PD. Ruijie DHCPv6 Server supports IA_NA and IA_PD, but not IA_TA.
DHCPv6 Bindings
The DHCPv6 Bindings is a group of manageable address information structures. The binding is based on the IA and can
be identified by Server and Clients. The binding data on Server records the IA allocated to each Client and other
configuration information. Each Client can apply for several bindings. Binding data on the Server is managed in the
binding table and can be searched by DUID, IA-Type and IAID.
RFC 3315 specifies that DHCPv6 uses UDP ports 546 and 547 to send and receive packets: the DHCPv6 client listens on port 546, while the DHCPv6 server and relay listen on port 547. RFC 3315 defines the following packet types exchanged among DHCPv6 server, client and relay:
Packets sent by the client to the server: Solicit, Request, Confirm, Renew, Rebind, Release, Decline and Information-request;
Packets sent by the server to the client: Advertise, Reply and Reconfigure;
To simplify DHCP communication, not every packet type is used in every exchange. Which packet types are used depends on the DHCPv6 options carried in the packets, and the DHCP data also varies with the options chosen. In terms of packet types and functions, DHCPv6 is similar to DHCPv4: although DHCPv6 packets have been adapted to the new network and handling process, several DHCPv6 packet types correspond directly to DHCPv4 packet types. The following table outlines the correspondence between DHCPv6 and DHCPv4 packet types:
The Reconfigure packet type is not supported by Ruijie DHCPv6 Server. Refer to the DHCP Configuration chapter of this guide for information about DHCPv4.
The application model of DHCPv6 is largely developed from the DHCPv4 framework. It comprises Server, Client and Relay. Configuration parameters are obtained through communication between Client and Server, and a Relay connects Clients with a Server that is not on the local link. In terms of packet exchange and parameter maintenance, DHCPv6 is broadly similar to DHCPv4, but its packet structure and handling process have been adjusted for the new network.
Comparison between DHCPv6 and DHCPv4
DHCPv6 applies a new packet structure. The original DHCPv4 packet has been substantially modified: the optional parameters in the DHCPv4 packet header are removed, leaving only the few fields required by every exchange. All other optional fields are encapsulated as options in the option field of the packet.
DHCPv6 applies new address parameters. As mentioned above, the address fields in the fixed DHCPv4 packet header are removed in DHCPv6. All address parameters and the related lifetime parameters are encapsulated in the IA option. Each DHCPv6 Client is associated with one or more IAs, and each IA may contain several addresses with their lifetime information; the IA type (IA_NA, IA_TA or IA_PD) is chosen according to the address type.
DHCPv6 supports stateless automatic configuration, which means that when a network node is configured automatically, the address and the other parameters can be configured separately, and each can be obtained through DHCP. A node can therefore obtain parameters other than addresses from a DHCPv6 server. This is a substantial difference from the DHCPv4 allocation mode.
DHCPv6 supports prefix-based allocation, so that in addition to IPv6 addresses, network prefixes can also be allocated through DHCPv6.
1) The DHCPv6 Client sends a Solicit packet to the multicast address FF02::1:2, destination UDP port 547, on the local link. All DHCPv6 Servers and Relays on the local link receive the packet.
2) Each DHCPv6 Server that receives the packet replies with a unicast Advertise packet.
3) After the DHCPv6 Client chooses a Server, it sends a Request packet to the multicast address FF02::1:2, destination UDP port 547, on the local link.
4) After the chosen DHCPv6 Server receives the Request packet, it replies with a unicast Reply packet and the configuration process is complete.
The DHCPv6 exchange involves four packets and is similar to the DHCPv4 exchange, which also involves four packets (Discover, Offer, Request and Ack). The special option Rapid Commit can shorten the exchange to two packets (Solicit and Reply): the Client adds this option to the Solicit packet, and the Server answers it directly with a Reply packet. The shortened process is shown as follows:
A Relay can be placed between Server and Client to perform address allocation when Client and Server are on different network segments. The request packet sent by the Client is encapsulated as an option in a Relay-forward packet and sent to the Server. The Server extracts the request from the Relay-forward packet, encapsulates its reply in the Relay Message option of a Relay-reply packet and sends the Relay-reply packet to the Relay. The Relay extracts the reply and forwards it to the Client. The process is shown as follows:
When the Client's network connection changes, the Client sends a Confirm packet to the Server to ask whether the resources previously allocated by the Server are still valid on the new link. After the Server receives the packet, it sends a Reply packet to the Client. The process is shown as follows:
If the Client configures its address statelessly but obtains other parameters through DHCP, the Client sends an Information-request packet to the Server. After the Server receives the packet, it sends a Reply packet to the Client. The process is shown as follows:
Protocol specification
The DHCPv6 client obtains parameters such as the Domain Name Server and SNTP server on a per-interface basis. Whether these parameters are applied depends on the validity of the interface.
The DHCP relay appears as a DHCP server to the DHCP clients and as a DHCP client to the DHCP server.
With the help of a DHCPv6 Relay Agent, the DHCPv6 server can provide services to DHCPv6 clients on other network segments; without a DHCPv6 Relay Agent, the DHCPv6 server can only serve DHCPv6 clients on the same network segment.
The functions of the DHCPv6 Relay Agent are as follows (the numbers correspond to those in the figure):
1) The DHCPv6 relay, that is, the gateway on which the DHCPv6 Relay Agent is enabled, receives the packets sent by the DHCPv6 client to the DHCPv6 server.
2) The DHCPv6 relay encapsulates the received packet (sent by the DHCPv6 client to the DHCPv6 server) in a Relay-Forward packet and unicasts it to the specified DHCPv6 server.
3) After the DHCPv6 server receives the Relay-Forward packet, it encapsulates its reply in a Relay-Reply packet and unicasts it to the DHCPv6 relay.
4) After the DHCPv6 relay receives the Relay-Reply packet, it restores the original packet (sent by the DHCPv6 server to the DHCPv6 client) and unicasts it to the DHCPv6 client.
The DHCPv6 Relay Agent plays the same role in the address lease renewal, rebinding and release processes of a DHCPv6 client and in the configuration refresh process of a server.
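The DUID-LL layout, the four-message Solicit/Advertise/Request/Reply exchange with its Rapid Commit shortcut, and the Relay-forward/Relay-reply encapsulation described above, as an added Python example. It is not Ruijie's code and is not taken from this guide: the message types, option codes and header layouts are the RFC 3315 values, while the lifetimes, MAC addresses, IAID, transaction IDs and the 2001:db8:: addresses are constructed for the demonstration. The option parser refuses any option whose length runs past the end of the message, which is the check a relay or server must make before trusting a client-supplied length.

```python
import struct
# Message types and option codes are the RFC 3315 values; the exchange logic is an added illustration.
SOLICIT, ADVERTISE, REQUEST, REPLY, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 12, 13
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RELAY_MSG, OPT_RAPID_COMMIT = 1, 2, 3, 5, 9, 14
DUID_LL, HW_ETHERNET = 3, 1

def duid_ll(mac):   # DUID-LL as the text describes it: type 0x0003, hardware type 0x0001 (Ethernet), MAC
    return struct.pack("!HH", DUID_LL, HW_ETHERNET) + mac

def option(code, data):
    return struct.pack("!HH", code, len(data)) + data

def ia_na(iaid, t1, t2, suboptions=b""):
    # IA_NA option: IAID chosen by the client, T1/T2 renew and rebind timers, then IA Address sub-options
    return option(OPT_IA_NA, struct.pack("!III", iaid, t1, t2) + suboptions)

def message(msg_type, xid, options):   # client/server message: 1-byte type, 3-byte transaction ID, options
    return struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF)) + b"".join(options)

def parse_options(buf):
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d runs past the end of the message" % code)
        opts.append((code, buf[off:off + length]))
        off += length
    return opts

def parse(buf):
    """Parse a client/server message (4-byte header) or a Relay-forward/Relay-reply (34-byte header)."""
    relay = buf[:1] in (bytes([RELAY_FORW]), bytes([RELAY_REPL]))
    if len(buf) < (34 if relay else 4):
        raise ValueError("short message")
    if relay:
        return {"type": buf[0], "hop": buf[1], "link": buf[2:18], "peer": buf[18:34],
                "options": parse_options(buf[34:])}
    return {"type": buf[0], "xid": int.from_bytes(buf[1:4], "big"), "options": parse_options(buf[4:])}

def client_solicit(client_duid, iaid, xid, rapid_commit=False):
    opts = [option(OPT_CLIENTID, client_duid), ia_na(iaid, 0, 0)]
    if rapid_commit:
        opts.append(option(OPT_RAPID_COMMIT, b""))
    return message(SOLICIT, xid, opts)

def client_request(client_duid, server_duid, iaid, xid):
    return message(REQUEST, xid, [option(OPT_CLIENTID, client_duid), option(OPT_SERVERID, server_duid), ia_na(iaid, 0, 0)])

def server_handle(raw, server_duid, lease_addr):
    """Minimal server: Solicit -> Advertise (or Reply when Rapid Commit is requested); Request -> Reply."""
    msg = parse(raw)
    opts = dict(msg["options"])
    if OPT_CLIENTID not in opts or len(opts.get(OPT_IA_NA, b"")) < 12:
        return None                                   # malformed: drop rather than answer
    iaid = struct.unpack_from("!I", opts[OPT_IA_NA])[0]
    addr = option(OPT_IAADDR, lease_addr + struct.pack("!II", 7200, 10800))   # preferred/valid lifetimes
    out = [option(OPT_SERVERID, server_duid), option(OPT_CLIENTID, opts[OPT_CLIENTID]), ia_na(iaid, 3600, 5400, addr)]
    if msg["type"] == SOLICIT:
        if OPT_RAPID_COMMIT in opts:
            return message(REPLY, msg["xid"], out + [option(OPT_RAPID_COMMIT, b"")])
        return message(ADVERTISE, msg["xid"], out)
    if msg["type"] == REQUEST and opts.get(OPT_SERVERID) == server_duid:
        return message(REPLY, msg["xid"], out)
    return None                                       # Request addressed to another server, or unsupported type

def relay_wrap(inner, link_addr, peer_addr, msg_type=RELAY_FORW, hop=0):
    """Relay-forward/Relay-reply: type, hop count, link-address, peer-address, then a Relay Message option."""
    return struct.pack("!BB", msg_type, hop) + link_addr + peer_addr + option(OPT_RELAY_MSG, inner)

def relay_unwrap(raw):
    inner = dict(parse(raw)["options"]).get(OPT_RELAY_MSG)
    if inner is None:
        raise ValueError("relay message without a Relay Message option")
    return inner

def run_exchange(rapid_commit=False, via_relay=False):
    """Run one allocation and return (message types in order, assigned address). All values are constructed."""
    client_duid = duid_ll(bytes.fromhex("001122334455"))
    server_duid = duid_ll(bytes.fromhex("00aabbccddee"))
    lease = bytes.fromhex("20010db8000000000000000000000010")      # 2001:db8::10
    link = bytes.fromhex("20010db8000000000000000000000001")       # relay's address on the client link
    peer = bytes.fromhex("fe80000000000000021122fffe334455")       # client's link-local address
    def deliver(to_server):                                        # optionally traverse a relay both ways
        if not via_relay:
            return server_handle(to_server, server_duid, lease)
        answer = server_handle(relay_unwrap(relay_wrap(to_server, link, peer)), server_duid, lease)
        return relay_unwrap(relay_wrap(answer, link, peer, RELAY_REPL))
    trace = [SOLICIT]
    resp = deliver(client_solicit(client_duid, 0x1234, 0xABCDEF, rapid_commit))
    trace.append(parse(resp)["type"])
    if trace[-1] == ADVERTISE:
        trace.append(REQUEST)
        resp = deliver(client_request(client_duid, server_duid, 0x1234, 0xABCDF0))
        trace.append(parse(resp)["type"])
    ia = dict(parse(resp)["options"])[OPT_IA_NA]
    return trace, dict(parse_options(ia[12:]))[OPT_IAADDR][:16]
```

run_exchange() returns the message types as integers (1 Solicit, 2 Advertise, 3 Request, 7 Reply); with rapid_commit=True the trace collapses to Solicit and Reply, and with via_relay=True the same messages travel inside Relay-forward and Relay-reply wrappers. A Request that names a different server DUID is ignored, matching the text's statement that the Client chooses one Server.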
Protocol specification
DHCPv6 Configuration
Default configuration
The following table outlines the default configuration of the DHCPv6 Server.
This task describes how to create and configure a DHCPv6 configuration information pool, and how to associate the pool with the DHCPv6 server on an interface.
Command Function
Ruijie(config-if)# ipv6 dhcp server poolname [ rapid-commit ] [ preference value ] Enables the DHCPv6 server on this interface. The preference value is the server preference advertised to clients; the valid range is 1 to 100 and the default value is 0.
For example:
# Configure a configuration information pool named pool1 with a domain name, DNS Server, IA_NA, IA_PD and so on, and enable the DHCPv6 Server function on the FastEthernet 0/1 interface.
The DHCPv6 Server does not allocate gateway addresses to clients; clients learn their default gateway from Router Advertisements (RAs). RA sending must therefore be enabled on the interface with Ruijie(config-if)# no ipv6 nd suppress-ra.
The "managed address configuration" (M) flag in the RA packet must also be set so that hosts receiving the RA use stateful automatic configuration to obtain their addresses. By default, this flag is not set:
Ruijie(config-if)# ipv6 nd managed-config-flag
The "other stateful configuration" (O) flag in the RA packet is set so that hosts receiving the RA use stateful automatic configuration to obtain information other than addresses. By default, this flag is not set:
Ruijie(config-if)# ipv6 nd other-config-flag
Finally, stop advertising the prefix in RAs so that hosts do not also configure addresses from it by stateless autoconfiguration: Ruijie(config-if)# ipv6 nd prefix ipv6-prefix/prefix-length no-advertise
When the prefix or prefix length of an address pool is changed, the lease information of that address pool is deleted. The DHCPv6 Server may then allocate an address or prefix that was already allocated earlier to a new request, causing an address conflict. Therefore, once an address pool has been created and is allocating addresses or prefixes, its prefix or prefix length should not be changed unless necessary.
A stateless DHCPv6 Server does not need a prefix pool. Since the Client has obtained its address through RA, the Server only needs to provide the Client with other configuration information. The configuration process is as follows:
Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# ipv6 dhcp pool poolname Configures the DHCPv6 configuration information pool and enters pool configuration mode.
Ruijie(config-dhcp)# domain-name domain Configures a domain name to be allocated to DHCPv6 Clients.
Ruijie(config-dhcp)# dns-server ipv6-address Configures the DNS Server to be provided to DHCPv6 Clients.
Ruijie(config-dhcp)# exit Exits DHCPv6 pool configuration mode.
Ruijie(config)# interface interface-name Enters interface configuration mode.
Ruijie(config-if)# ipv6 dhcp server poolname [ rapid-commit ] [ preference value ] Enables the DHCPv6 Server on the interface.
Ruijie(config-if)# ipv6 nd other-config-flag Sets the "other stateful configuration" flag in IPv6 RAs.
Example:
# Configure a configuration information pool named pool1 with a domain name, DNS Server and so on, enable the DHCPv6 Server function on the FastEthernet 0/1 interface, and set the flag in IPv6 RAs.
The DHCPv6 Server does not allocate gateway addresses to clients; clients learn the gateway from RAs, so RA sending must be enabled on the device with Ruijie(config-if)# no ipv6 nd suppress-ra.
By default, no option 52 is created after the pool configuration on the DHCPv6 server is complete.
Command Function
option52 ipv6-address Configures the DHCPv6 Server to provide the CAPWAP AC IPv6 address, in DHCPv6 pool configuration mode. ipv6-address: the CAPWAP AC IPv6 address.
no option52 ipv6-address Restores the default setting.
This command can be used to set multiple CAPWAP AC IPv6 addresses; a newly added IPv6 address does not overwrite the existing ones. Because APs use this option to locate the AC they join, the pool carrying it should be served only from DHCPv6 servers that the AP network trusts.
Use the following commands to display DHCPv6 Server configuration and state:
Command Function
show ipv6 dhcp Displays the device's DUID in privileged EXEC mode, interface configuration mode or global configuration mode.
show ipv6 dhcp binding Displays the DHCPv6 server's address binding information in privileged EXEC mode.
show ipv6 dhcp conflict Displays the DHCPv6 server's address conflict information in privileged EXEC mode.
show ipv6 dhcp interface Displays DHCPv6 interface information in privileged EXEC mode.
show ipv6 dhcp pool Displays DHCPv6 pool information in privileged EXEC mode.
show ipv6 dhcp server statistics Displays DHCPv6 server statistics in privileged EXEC mode.
show ipv6 local pool [ poolname ] Displays the local prefix pool configuration and usage in privileged EXEC mode.
# Example:
Packet statistics:
DHCPv6 packets received: 7
Solicit received: 7
Request received: 0
Confirm received: 0
Renew received: 0
Rebind received: 0
Release received: 0
Decline received: 0
Relay-forward received: 0
Information-request received: 0
Unknown message type received: 0
Error message received: 0
Binding statistics:
Bindings generated: 0
IAPD assigned: 0
IANA assigned: 0
Configuration statistics:
DHCPv6 server interface: 1
DHCPv6 pool: 0
DHCPv6 iapd binding: 0
Command Function
Ruijie(config-if)# ipv6 dhcp client pd prefix-name [ rapid-commit ] Enables the DHCPv6 client and prefix solicitation (IA_PD) on the interface.
For example:
Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)# interface type number Enters interface configuration mode.
Ruijie(config-if)# ipv6 enable Enables the IPv6 function on the interface.
Example:
Command Function
Ruijie# clear ipv6 dhcp client interface-type interface-number Restarts the DHCPv6 Client on the interface.
Example:
Command Function
ipv6 dhcp client ia [ rapid-commit ] Enables DHCPv6 client mode and requests an IA_NA (IANA) address from the DHCPv6 server, in interface configuration mode. rapid-commit: allows the two-message exchange.
no ipv6 dhcp client ia Restores the default setting.
This command enables DHCPv6 client mode and requests an IA_NA address from the DHCPv6 server. The rapid-commit keyword allows the two-message exchange between the client and the server: after it is configured, the Solicit message sent by the client carries the Rapid Commit option.
The following example enables the request for an IA_NA address on the interface.
Default configuration
This task enables the DHCPv6 relay function on the interface and configures the address used for relay forwarding.
Command Function
Ruijie(config-if)# ipv6 dhcp relay destination ipv6-address [ interface-type interface-number ] Enables the DHCPv6 relay on the interface and designates the address for relay forwarding.
Use the following command to show the destination address of the DHCPv6 Relay:
Use the following command to delete the destination address of the DHCPv6 Relay:
Example: Enable the DHCPv6 Relay Agent function with the destination address of 3001::2 on the interface VLAN 1.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#interface vlan 1
Ruijie(config-if)#ipv6 dhcp relay destination 3001::2
Ruijie(config-if)#end
The ipv6 dhcp relay destination command can only be used on a layer-3 interface.
One device can be configured with at most 20 relay destinations.
When the destination is a multicast address, the egress interface must be specified after the address.
Command Function
show ipv6 dhcp relay destination { all | interface interface-type interface-number } Shows the DHCPv6 Relay's destination addresses.
show ipv6 dhcp relay statistics Shows the DHCPv6 Relay Agent's packet statistics.
clear ipv6 dhcp relay statistics Clears the DHCPv6 Relay Agent's packet statistics.
REQUEST : 0
CONFIRM : 0
RENEW : 0
REBIND : 0
RELEASE : 0
DECLINE : 0
INFORMATION-REQUEST : 14
RELAY-FORWARD : 0
RELAY-REPLY : 14
Packets sent : 16
ADVERTISE : 0
RECONFIGURE : 0
REPLY : 8
RELAY-FORWARD : 8
RELAY-REPLY : 0
In practice, the most common deployment is to place the DHCPv6 Server at the core or aggregation layer of the network so that it allocates and manages the IP addresses of the whole subnet.
Networking topology
As shown in the following figure, the DHCPv6 Server function is enabled on the aggregation device to allocate IPv6 addresses and other network configuration information to the PCs in the subnet. The range of IA_NA addresses that can be allocated is configured on the Server. When a PC sends a request for address allocation, the Server picks an available address from the IA_NA range and allocates it to the PC. The Server also provides other information, including DNS Server addresses and domain names. For the DHCPv6 Server function to take effect, the layer-3 interface on which it is enabled must have an IPv6 address in the same network segment as the IA_NA range.
Key points
If the core device also serves as the DHCPv6 Server, its CPU and memory usage rise, and the load grows with the number of Clients. A high-performance or dedicated device should therefore be used as the DHCPv6 Server.
Configuration process
# Configure a configuration information pool named pool1 with a domain name, DNS Server, IA_NA and so on, and enable the DHCPv6 Server function on the VLAN 1 interface.
Showing verification
Show the DHCPv6 Server configuration on the aggregation gateway device:
Packet statistics:
DHCPv6 packets received: 7
Solicit received: 7
Request received: 0
Confirm received: 0
Renew received: 0
Rebind received: 0
Release received: 0
Decline received: 0
Relay-forward received: 0
Information-request received: 0
Unknown message type received: 0
Error message received: 0
Binding statistics:
Bindings generated: 0
IAPD assigned: 0
IANA assigned: 0
Configuration statistics:
DHCPv6 server interface: 1
DHCPv6 pool: 0
DHCPv6 iapd binding: 0
Device1 enables the DHCPv6 Relay Agent with the destination address 3001::2; Device2 enables the DHCPv6 Relay Agent with the destination address FF02::1:2 (the multicast address of all DHCPv6 Servers and Relays) to relay the packet on to other servers. Because that destination is a multicast address, its egress layer-3 interface must be specified; here it is gi 0/1.
Networking topology
Enable the DHCPv6 Relay Agent function on the gateway and designate the known server address or the next-level Relay address as the destination.
Configuration process
Enable the DHCPv6 Relay Agent function on the aggregation gateway device Device1 with the destination address 3001::2:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z
Ruijie(config)#interface vlan 1
Ruijie(config-if)# ipv6 dhcp relay destination 3001::2
Enable the DHCPv6 Relay Agent function on the aggregation gateway device Device2 with the destination address FF02::1:2, reached through egress interface gi 0/1:
Ruijie#config
Enter configuration commands, one per line. End with CNTL/Z
Ruijie(config)#interface vlan 1
Ruijie(config-if)#ipv6 dhcp relay destination FF02::1:2 interface gi 0/1
Configuring DNS
DNS Overview
Each IP address can be given a host name consisting of one or more strings separated by dots, so that you only need to remember the host name rather than the IP address. This is the function of the DNS protocol.
There are two ways to map a host name to an IP address: 1) Static mapping: a device maintains its own host-name-to-IP-address mapping table and uses it only by itself. 2) Dynamic mapping: the host-name-to-IP-address mapping table is maintained on a DNS server; to communicate with another host by its host name, a device looks up the corresponding IP address on the DNS server.
Domain name resolution (or host name resolution) is the process by which a device obtains the IP address that corresponds to a host name. Ruijie switches support host name resolution locally and through DNS. During domain name resolution, the static method is tried first; if it fails, the dynamic method is used. Frequently used domain names can be put into the static domain name list, which considerably improves the efficiency of domain name resolution.
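The static-first, then server-by-server resolution order described above, as an added Python example (not Ruijie's implementation). The query and response encoding follows RFC 1035; the transport is a constructed stub (demo_send) in which 192.168.31.1 never answers and 192.168.31.206 answers with 10.1.1.2, so the example runs offline. The response parser checks the transaction ID and the echoed question before accepting an answer, which is the minimum a resolver needs so that it does not accept a reply it never asked for.

```python
import struct
import random

MAX_NAME_SERVERS = 6          # the device accepts at most six DNS servers

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0; then one question of class IN
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(buf, off):
    """Decode a possibly compressed name; returns (name, offset just after it in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        if n & 0xC0 == 0xC0:                          # compression pointer
            hops += 1
            if hops > 32 or off + 1 >= len(buf):
                raise ValueError("bad or looping compression pointer")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_response(buf, expected_id, expected_name):
    """Return the A records for expected_name, rejecting replies that do not match the question we sent."""
    if len(buf) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", buf, 0)
    if txid != expected_id or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        return []                                     # RCODE != 0: no usable answer
    off = 12
    for _ in range(qd):
        qname, off = decode_name(buf, off)
        if qname.lower() != expected_name.rstrip(".").lower():
            raise ValueError("question section does not match our query")
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs

def resolve(name, static_hosts, name_servers, send):
    """Static table first, then each configured server in order until one answers; send() returns None on timeout."""
    if name in static_hosts:
        return static_hosts[name], "static"
    for server in name_servers[:MAX_NAME_SERVERS]:
        txid = random.randrange(1, 0x10000)
        reply = send(server, build_query(name, txid))
        if reply is None:
            continue
        addrs = parse_response(reply, txid, name)
        if addrs:
            return addrs[0], server
    return None, None

def build_response(query, ipv4):
    """Constructed stand-in for a real server: echoes the question and answers with one A record."""
    txid = struct.unpack_from("!H", query, 0)[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(x) for x in ipv4.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

def demo_send(server, query):
    """Constructed transport: 192.168.31.1 never answers, 192.168.31.206 answers every name with 10.1.1.2."""
    if server == "192.168.31.1":
        return None
    return build_response(query, "10.1.1.2")
```

resolve("host.com", {}, ["192.168.31.1", "192.168.31.206"], demo_send) skips the silent first server and returns ("10.1.1.2", "192.168.31.206"), while a name present in the static table is answered without any query being sent.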
Command Function
Ruijie(config)# ip domain-lookup Enables DNS domain name resolution.
The no ip domain-lookup command disables the DNS domain name resolution function.
The following example disables the DNS domain name resolution function.
Ruijie(config)# no ip domain-lookup
Configuration Guide Configuring DNS
The no ip name-server [ ip-address | ipv6-address ] command removes a DNS server. The ip-address or ipv6-address parameter specifies the DNS server to remove; if it is omitted, all DNS servers are removed.
Command Function
Ruijie(config)# ip name-server { ip-address | ipv6-address } Adds the IP address of a DNS Server. Each time this command is executed, the switch adds another DNS Server. If the domain name cannot be resolved by the first DNS Server, the switch sends the DNS request to the subsequent servers in turn until a correct response is received. The system supports at most six DNS servers.
Command Function
Ruijie(config)# ip host host-name ip-address Configures the host name to IP address mapping manually.
Ruijie(config)# ipv6 host host-name ipv6-address Configures the host name to IPv6 address mapping manually.
The no form of this command removes the mapping between the host name and the IP/IPv6 address.
Command Function
Ruijie# clear host [ host-name ] Clears the dynamic host name cache. Statically configured host names are not removed.
Command Function
Ruijie# show hosts [ host-name ] Displays the DNS configuration. host-name: displays the information for the specified domain name only.
Topological Diagram
Application Requirements
Since the network device Ruijie-A will frequently access the host destination.com, static DNS can be used to reach the host with IP address 1.1.1.20 through the domain name destination.com, improving the efficiency of domain name resolution.
Configuration Tips
Configuration Steps
Manually configure the mapping between host name and IP address. In this example, configure the host name "destination.com" with the corresponding IP address 1.1.1.20.
Verifications
Step 1: View DNS information. Key point: the mapping between host name and IP address must be correct.
From the above output, Ruijie-A reaches the host with IP address 1.1.1.20 through the host name destination.com by means of static DNS.
Topological Diagram
Application Requirements
Configuration Tips
The route between DNS client, DNS server and access PC shall be reachable.
DNS shall be enabled. The DNS feature is enabled by default.
The IP address of DNS server has been correctly configured.
Configuration Steps
Different DNS servers are configured differently; configure the DNS server according to the actual product. Configure the mapping between host name and IP address on the DNS server. In this example, configure the host name "host.com" with IP address 10.1.1.2/24.
The route between the DNS client, the DNS server and the access PC must be reachable. The interface IP configurations are shown in the topological diagram.
Ruijie(config)#ip domain-lookup
Verifications
Ruijie#ping host.com
From the above output, the client device can ping the host, and the resolved destination IP is 10.1.1.2. Through dynamic DNS, the host with IP address 10.1.1.2 is reached through the host name host.com.
Step 2: View DNS information. Key point: the host name and IP address.
Ruijie#show host
Name servers are:
192.168.31.206 static
From the above information, we can learn that the mapping between host name and host IP is correct.
Configuration Guide Configuring Network Communication Detection Tools
To test the connectivity of a network, many network devices support the Echo protocol. The protocol sends a special packet to a specified network address and waits for a response, which lets you evaluate the connectivity, delay and reliability of a network. The ping tool provided by RGOS helps users diagnose and locate connectivity problems in a network.
The ping command runs in user EXEC mode and privileged EXEC mode. In user EXEC mode, only the basic ping functions are available; in privileged EXEC mode, the extended ping functions are also available.
Command Function
Ruijie(config-if)# ip address dhcp Obtains an IP address through DHCP.
Ruijie# ping [ oob | vrf vrf-name | ip ] [ address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ] [ df-bit ] [ validate ] [ detail ] ] Tests the network connectivity.
The basic ping function can be performed in either user EXEC mode or privileged EXEC mode. By default, this command sends five 100-byte packets to the specified IP address. If the system receives a response within the specified time (2 seconds by default), it shows "!"; otherwise it shows ".". Finally, the system shows statistics. This is a normal ping example:
The extended ping function can be performed in privileged EXEC mode only. It allows you to specify the number of packets, the packet length and the timeout, among other parameters. As with the basic ping function, the extended ping also shows statistics. The following is an example of the extended ping:
Ruijie# ping 192.168.5.197 length 1500 ntimes 100 data ffff source 192.168.4.190 timeout 3
Sending 100, 1500-byte ICMP Echoes to 192.168.5.197, timeout is 3 seconds:
< press Ctrl+C to break >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/2/3 ms
Ruijie#
The ping ipv6 command runs in user EXEC mode and privileged EXEC mode. In user EXEC mode, only the basic ping IPv6 functions are available; in privileged EXEC mode, the extended ping IPv6 functions are also available.
Command Function
Ruijie# ping [ vrf vrf-name | [ oob ] ipv6 ] [ ipv6-address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ] [ detail ] ] Tests the network connectivity.
The basic ping function can be performed in either user EXEC mode or privileged EXEC mode. By default, this command sends five 100-byte packets to the specified IPv6 address. If the system receives a response within the specified time (2 seconds by default), it shows "!"; otherwise it shows ".". If the response does not match the request, the system shows "C". Finally, the system shows statistics. This is a normal ping example:
The extended ping function can be performed in privileged EXEC mode only. It allows you to specify the number of packets, the packet length and the timeout, among other parameters. As with the basic ping function, the extended ping also shows statistics. The following is an example of the extended ping:
Ruijie# ping ipv6 2000::1 length 1500 ntimes 100 data ffff source 2000::2 timeout 3
Sending 100, 1500-byte ICMP Echoes to 2000::1, timeout is 3 seconds:
< press Ctrl+C to break >
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 2/2/3 ms
The traceroute command is mainly used to check network connectivity. It shows every gateway that a packet passes through from the source to the destination and pinpoints the fault when the network fails.
One of the rules of network forwarding is that the TTL field of a packet is decremented by 1 each time the packet passes through a gateway. When the TTL reaches 0, the gateway discards the packet and sends an ICMP TTL-exceeded (time exceeded) error message back to the source. Traceroute works as follows: the source first sends a packet with TTL 1 to the destination address; the first gateway returns an ICMP error message indicating that the packet cannot be forwarded because its TTL expired. The source then re-sends the packet with the TTL increased by 1; this time the second gateway returns a TTL-exceeded error, and the process continues until the packet reaches the destination address. By recording the address of every gateway that returned an ICMP TTL-exceeded message, you can draw the entire path taken by the IP packet from the source address to the destination address.
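The TTL-expiry mechanism just described, as an added Python simulation rather than RGOS code: a constructed path of gateways decrements the TTL of each probe, answers with a time-exceeded error when it reaches zero, and a gateway listed as silent never answers, which produces the unresponsive hop seen in the second traceroute example below. The gateway and host addresses are constructed; the probe and timeout handling are the example's own and use no raw sockets, so it runs offline.

```python
class SimulatedPath:
    """A constructed path of gateways ending at a destination. Gateways in `silent` never return TTL-exceeded errors."""
    def __init__(self, gateways, destination, silent=()):
        self.gateways, self.destination, self.silent = list(gateways), destination, set(silent)

    def probe(self, ttl):
        """Send one probe with the given TTL; return (responder, kind), or (None, None) when nothing comes back."""
        for gateway in self.gateways:
            ttl -= 1                                  # every gateway decrements the TTL
            if ttl == 0:                              # expired here: ICMP Time Exceeded back to the source
                return (None, None) if gateway in self.silent else (gateway, "time-exceeded")
        return self.destination, "echo-reply"         # TTL survived the whole path: the destination answers

def traceroute(probe, min_ttl=1, max_ttl=255, probes=3):
    """Return [(ttl, responder or None)] from the first gateway to the destination, like the CLI output."""
    hops = []
    for ttl in range(min_ttl, max_ttl + 1):
        replies = [probe(ttl) for _ in range(probes)]
        responders = [r for r, _ in replies if r is not None]
        hops.append((ttl, responders[0] if responders else None))   # None is the hop that prints as "* * *"
        if any(kind == "echo-reply" for _, kind in replies):
            break                                     # the destination itself replied: stop increasing the TTL
    return hops

def format_hops(hops):
    return "\n".join("%3d  %s" % (ttl, who if who is not None else "* * *") for ttl, who in hops)
```

A path whose fourth gateway is silent still completes: hop 4 is reported as "* * *" and later hops answer normally, which is exactly how a filtered or rate-limited gateway shows up in the second example without breaking end-to-end reachability.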
The traceroute command can run in user EXEC mode (basic functions) and privileged EXEC mode (extended functions). The command format is as follows:
Command Function
Ruijie# traceroute [ oob | vrf vrf-name | ip ] [ address [ probe number ] [ source source ] [ timeout seconds ] [ ttl minimum maximum ] ] Traces the path that a packet passes through.
By default, seconds is 3, number is 3, and minimum and maximum are 1 and 255.
The following are two traceroute examples. In the first, network connectivity is good; in the second, some gateways in the network do not respond.
As you can see, to reach the host with IP address 61.154.22.36, the packet passes through gateways 1 to 6 from the source address. You can also see the time the packet takes to reach each gateway, which is very useful for network analysis.
As you can see, to reach the host with IP address 202.108.37.42, the packet passes through gateways 1 to 17 from the source address, and gateway 4 fails to respond.
The traceroute ipv6 command is mainly used to check network connectivity. It shows every gateway that a packet passes through from the source to the destination and pinpoints the fault when the network fails.
The traceroute ipv6 command can run in user EXEC mode (basic functions) and privileged EXEC mode (extended functions). The command format is as follows:
Command Function
Ruijie# traceroute [ vrf vrf-name | [ oob ] ipv6 ] [ address [ probe number ] [ timeout seconds ] [ ttl minimum maximum ] ] Traces the path that a packet passes through.
By default, seconds is 3, number is 3, and minimum and maximum are 1 and 255.
The following are two traceroute ipv6 examples. In the first, network connectivity is good; in the second, some gateways in the network do not respond.
As you can see, to reach the host with IP address 3004::1, the packet passes through gateways 1 to 4 from the source address. You can also see the time the packet takes to reach each gateway, which is very useful for network analysis.
traceroute ipv6 example where some gateways in the network do not respond:
Ruijie# traceroute ipv6 3004::1
< press Ctrl+C to break >
As you can see, to reach the host with IP address 3004::1, the packet passes through gateways 1 to 5 from the source address, and gateway 4 fails to respond.
Command Function
clear rping table [ all | [ ping-object owner test-name ] | [ trace-object owner test-name ] ] Clears Rping entries in privileged EXEC mode. owner: user index. test-name: test index.
Command Function
show rping detail Displays Rping information in privileged EXEC mode, global configuration mode or interface configuration mode.
This command displays Rping information such as the number of test accounts and users.
Configuring TCP
Overview
The TCP module provides a reliable, connection-oriented transport layer protocol on top of IP for the application layer.
The application layer hands the TCP layer a data stream of 8-bit bytes for transmission over the Internet, and TCP splits the stream into segments of suitable size. The maximum segment size (MSS) is generally limited by the maximum transmission unit (MTU) of the data link layer of the network to which the computer is connected. TCP then passes the segments to the IP layer, which transmits them across the network to the TCP layer of the receiving end.
To guard against packet loss, TCP assigns a sequence number to each byte; the sequence number also ensures that data transmitted to the receiving end is delivered in order. The receiving end replies with an ACK to confirm receipt of the bytes. If no ACK is received within a reasonable Round Trip Time (RTT), the sender assumes the corresponding data was lost and retransmits it.
For data integrity, TCP verifies every segment with a checksum, which is calculated when data is sent and checked when it is received. In addition, TCP MD5 authentication can be used to authenticate segments between two peers; note that it authenticates the data but does not encrypt it.
To ensure reliability, TCP applies timeout retransmission and piggybacked acknowledgements.
Flow control is implemented with the sliding window protocol; unacknowledged segments within the window are retransmitted when their timers expire.
Congestion control uses the widely recognized TCP congestion control algorithm (also called the AIMD algorithm), which mainly involves: 1) additive increase, multiplicative decrease; 2) slow start; 3) response to timeouts.
Configuring TCP
After the local end sends a SYN, if the remote end does not respond with SYN+ACK, the local end keeps retransmitting the SYN until the specified number of retransmissions is reached or the timeout timer expires.
After the local end sends a SYN and the remote end responds with SYN+ACK, if the local end never responds with the final ACK, the remote end keeps retransmitting until the specified number of retransmissions is reached or the timeout timer expires (this is what happens in a SYN attack).
Execute the following command to configure the timeout value for the SYN packet (the maximum time from SYN transmission to a successful three-way handshake), that is, the timeout for establishing a TCP session.
Command Function
Configuration Guide Configuring TCP
Command: Ruijie(config)# ip tcp window-size size
Function: Change the size of the receiving buffer and sending buffer for TCP sessions. Range: 128 to 65535 << 14 bytes; default: 65535.
This command does not apply to existing TCP sessions; it applies only to newly established TCP sessions.
This command applies to both the receiving buffer and the sending buffer.
Command Function
The ip tcp not-send-rst command of RGOS 10.x remains compatible in RGOS 11.0. When you run this command, it is automatically converted to the no ip tcp send-reset command.
During the three-way handshake that establishes a TCP session, one important job is MSS negotiation. Each side inserts an MSS option into its SYN packet to indicate the maximum segment size the local end can receive, that is, the maximum segment size the remote end may send. Both sides take the lower of the MSS value sent locally and the one received from the remote end as the maximum segment size of the session. The value of the MSS option in a SYN packet being sent is calculated as follows:
The calculated mss cannot exceed the size of the receiving buffer or the ip tcp mss configured by the user; otherwise, the lower of them is used.
If certain options are supported by the session, the size of each option after 4-byte alignment must be subtracted from the mss. For example, the MD5 option is 18 bytes, which becomes 20 bytes after alignment.
The rmss value obtained here is the value of the MSS option in the SYN packet sent. For example, BGP adjacencies are generally established over directly connected networks, and the mss of such a session is 1500-20-20-20=1440.
The function of ip tcp mss is to limit the MSS of TCP sessions to be established: the negotiated MSS cannot exceed the configured value.
Command Function
According to RFC1191, after discovering the PMTU, TCP can try a greater MSS to discover a new PMTU; the interval between such attempts is specified with the age-timer parameter. When the PMTU discovered by the device is smaller than the negotiated MSS, the device tries to discover a greater PMTU at that interval. The discovery process does not end until the PMTU reaches the MSS value or the user stops the timer. To turn off the timer, use the parameter age-timer infinite.
This command does not apply to existing TCP sessions; it applies only to newly established TCP sessions.
Configuring the MSS Option Value of SYN Packets Sent and Received on the Interface
TCP Path MTU (PMTU) discovery is implemented as per RFC1191. This feature improves network bandwidth utilization, and when the user transmits large amounts of data over TCP it can substantially enhance transmission performance.
When the client initiates a TCP session, it negotiates the maximum payload of TCP packets through the MSS option field of the TCP SYN packet. The MSS value in the client's SYN packet is the maximum payload of TCP packets sent by the server, and vice versa.
As shown in Figure 1-1, the PC may fail to access the server over HTTP: an MSS of 1460 is negotiated between the PC and the server, but segments of that size cannot pass R1 and R2 (R1 and R2 are connected through a tunnel whose MTU is lower than 1500).
Figure 1-1
In such a case, we can configure the following command on port (1) and port (2) of R2 to change the MSS option value of
SYN packet, so as to change the MSS value negotiated for the TCP session going through port (1) and port (2).
Command Function
Use the no form of this command to remove the configuration; the MSS option value is then left unchanged when the interface sends and receives SYN packets.
Configuring this command on an interface changes the MSS option of SYN packets received or sent by that interface to the MSS value configured on it. It is recommended to configure the same value on the ingress interface and the egress interface; otherwise the MSS option of SYN packets going through the device is changed to the lower of the two configured values.
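The MSS rules above (SYN option calculation with 4-byte option alignment, the min() negotiation between both ends, and the per-interface rewrite of the SYN option) as an added Python model; this is not RGOS code, the function names are assumptions, and the interface rewrite is modelled as a clamp, which is what makes "the lower of the two configured values" hold whichever interface the SYN crosses first.

```python
"""Model of the TCP MSS behaviour described in this guide (added example)."""
from typing import Iterable, Optional

IP_HEADER = 20   # IPv4 header without options
TCP_HEADER = 20  # TCP header without options


def aligned_option_size(size: int) -> int:
    """Round a TCP option length up to a 4-byte boundary (18 -> 20)."""
    return (size + 3) // 4 * 4


def syn_mss_option(mtu: int, recv_buffer: int, configured_mss: Optional[int],
                   option_sizes: Iterable[int] = ()) -> int:
    """Value of the MSS option placed in a SYN we send.

    Start from the link MTU minus IP and TCP headers, cap it by the receive
    buffer size and by a user-configured 'ip tcp mss' value, then subtract
    each supported option after 4-byte alignment.  The BGP case in the text
    is 1500 - 20 (IP) - 20 (TCP) - 20 (aligned MD5 option) = 1440.
    """
    mss = mtu - IP_HEADER - TCP_HEADER
    mss = min(mss, recv_buffer)
    if configured_mss is not None:
        mss = min(mss, configured_mss)
    for size in option_sizes:
        mss -= aligned_option_size(size)
    return mss


def negotiated_mss(local_option: int, remote_option: int) -> int:
    """Each side uses the lower of the MSS it sent and the MSS it received."""
    return min(local_option, remote_option)


def rewrite_syn_mss(option_value: int, interface_mss: Optional[int]) -> int:
    """Interface-level MSS rewrite of a SYN passing through (assumed clamp).

    None means the interface has no MSS setting and leaves the option alone.
    """
    if interface_mss is None:
        return option_value
    return min(option_value, interface_mss)


def mss_through_device(option_value: int, ingress_mss: Optional[int],
                       egress_mss: Optional[int]) -> int:
    """A SYN crosses the ingress interface, then the egress interface."""
    return rewrite_syn_mss(rewrite_syn_mss(option_value, ingress_mss), egress_mss)


if __name__ == "__main__":
    # Figure 1-1 scenario with a constructed tunnel-safe value of 1400 on R2.
    pc_syn = syn_mss_option(1500, 65535, None)          # 1460
    seen_by_server = mss_through_device(pc_syn, 1400, 1400)
    print("PC sends MSS", pc_syn, "; server sees", seen_by_server)
```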
Command Function
The keepalive function enables TCP to detect whether the peer end is operating properly.
Suppose the keepalive function is enabled with the default interval, times and idle-period settings. If TCP receives no packet from the peer end for 900 seconds, it begins to send keepalive packets at an interval of 75 seconds. If the device sends the keepalive packet six consecutive times without receiving any TCP packet from the peer end, the TCP connection is considered invalid and is disconnected automatically. This command applies to both IPv4 and IPv6 TCP.
The following example enables the TCP keepalive function on the device and sets the idle-period and interval to 180 and 60 respectively. If the device sends the keepalive packet four consecutive times without receiving any TCP packet from the peer end, the TCP connection is considered invalid.
Command: Ruijie# show tcp connect
Function: Display basic information about the current TCP sessions.
Command: Ruijie# show tcp pmtu
Function: Display information about TCP PMTU.
Command: Ruijie# show tcp port
Function: Display information about the current TCP ports.
Command: Ruijie# show ipv6 tcp connect
Function: Display information about the current IPv6 TCP connections.
Command: Ruijie# show ipv6 tcp connect statistics
Function: Display the current IPv6 TCP connection statistics.
Command: Ruijie# show ipv6 tcp pmtu
Function: Display information about IPv6 TCP PMTU.
Command: Ruijie# show ipv6 tcp port
Function: Display the current IPv6 TCP port status.
Configuration Guide Configuring IPv4/IPv6 REF
Overview
To meet the needs of high-end devices, we currently use a "Prefix Tree + Adjacency" express forwarding model to achieve fast forwarding. If the device caches only part of the core routing table, the central CPU has to add cache entries again whenever a cache lookup fails. Express Forwarding instead maintains a mirror image of the entire core routing table, which relieves the CPU load and keeps routing performance stable.
Express Forwarding uses the following two components to create the mirror image of the routing table:
Prefix Tree
This is an IP prefix tree organized by the longest-match principle to look up adjacent nodes. In practice, the data structure used to build the Prefix Tree is generally different from the Radix Tree of the core routing table: a data structure called an M-Tries tree is used for faster lookup. A Prefix Tree built from an M-Tries tree consumes more memory than a Radix Tree, and updating prefix and node information is comparatively time-consuming, but it achieves higher lookup performance.
Adjacency
An adjacent node holds the output interface information for routed packets, such as the next-hop list, the next processing unit and the link-layer output encapsulation. When a packet matches such an adjacent node, it is encapsulated and forwarded by calling the transmit function of that node. To facilitate lookup and update, adjacent nodes generally form a hash table. To support router load balancing, the next-hop entries of an adjacent node are organized into a load balancing table. An adjacent node may contain no next-hop information, or may contain the index of the next processing unit (such as another line card or a multi-service card).
IP packet forwarding is mainly performed by the switching chip, so this forwarding information has to be downloaded to the chip through the API provided by SSP to achieve hardware-based express forwarding. The IP express forwarding module is responsible for maintaining route forwarding information and configuring the lower layer; it does not forward packets itself.
Express forwarding supports load balancing of packets, and two IP-address-based load balancing policies are currently supported. In the EF model, when a route prefix IP/MASK is associated with multiple next hops (multipath routing), the route is associated with a load balancing table and balances load according to the weights of the paths. When an IP packet matches this load balancing table by longest prefix, Express Forwarding selects one of the paths to forward the packet according to a hash of the packet's IP addresses:
Balance load by the destination IP of IP packets: only the destination address is included in the hash, and the path with the greater weight value is selected. This is the default policy.
Balance load by the destination IP and source IP of IP packets: both the destination IP and the source IP are included in the hash, and the path with the greater weight value is selected.
To configure load balancing policy, execute the following commands in global configuration mode:
Command: Ruijie(config)# ip ref load-sharing algorithm original
Function: Configure the load balancing algorithm to hash on the source IP and destination IP pair.
Command: Ruijie(config)# no ip ref load-sharing algorithm original
Function: Disable source IP + destination IP based load balancing and restore the default destination IP based load balancing algorithm.
The express forwarding module only passively receives and maintains the external routing information, and will not
actively insert or delete any routing information. Therefore, express forwarding mainly provides the statistics of existing
routes.
To monitor and maintain the express forwarding table, the following commands are provided:
Global statistics
Adjacency table
Packet forwarding path
Routes in express forwarding table
Synchronize express forwarding table to hardware forwarding table
Global Statistics
Global statistics refers to the data structure related information in the existing fast forwarding table, including the number
of existing routes, the number of adjacent nodes, the number of load balancing tables and the number of weighted nodes.
Command: Ruijie# show ip ref
Function: Display statistics of the existing express forwarding table.
Adjacency Table
In the express forwarding table, the adjacency table is one of the important data structures. Execute the following command to view existing adjacency information:
Command: Ruijie# show ip ref adjacency [ glean | local | ip-address | interface interface_type interface_number | discard | statistics ]
Function: Display information about the specified adjacent node or all adjacent nodes.
In the event of the following cases, the adjacency table will be used to forward packets.
Packets with destination IP address being 1.1.1.1 will be forwarded according to the information of adjacency 1.1.1.1, as
1.1.1.1/32 is the longest match route.
Command: Ruijie# show ip ref exact-route [ oob | vrf vrf_name ] source_ipaddress dest_ipaddress
Function: Display the IPv4 REF exact route.
Configuring NAT
Overview
Before Network Address Translation (NAT) configuration, it is necessary to understand the allocation of internal local
addresses and internal global addresses. Perform the following configuration tasks according to different requirements.
NAT-capable AP products include AP630 V1.0, AP5280 V1.0, AP4210 V1.0, AP3220-P V1.0, AP3220 V1.0,
AP120-W V1.0, AP530-I V1.5, AP530-I V1.0, AP330-I V2.0, AP330-I V1.X & AP320-I V2.0.
Configuring NAT
Static NAT establishes a permanent one-to-one mapping between internal local addresses and internal global addresses. It is necessary when an external network uses a fixed global address to access hosts on the internal network.
To configure static NAT, run the following commands in global configuration mode:
Command: Ruijie(config)# ip nat inside source static local-address global-address [ permit-inside ] [ vrf vrf_name ]
Function: Defines the static translation relationship of internal source addresses.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enters interface configuration mode.
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
The above configuration is the simplest one. You may configure several inside and outside interfaces.
Dynamic NAT establishes a temporary mapping between internal local addresses and an internal global address pool; the mapping is deleted after a while. To configure dynamic NAT, run the following commands in global configuration mode:
Command: Ruijie(config)# access-list access-list-number permit ip-address wildcard
Function: Defines an ACL. Only the IP addresses that match the ACL are translated.
Command: Ruijie(config)# ip nat inside source list access-list-number pool address-pool [ vrf vrf_name ]
Function: Defines the dynamic translation relationship of internal source addresses.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enters interface configuration mode.
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
Only source addresses that match the ACL are translated. Note that the last rule of the ACL is a deny any statement. The ACL should not permit a wide range of IP addresses to be translated; otherwise, unexpected results will occur.
NAPT is classified into static NAPT and dynamic NAPT. Static NAPT maps the designated port of a designated internal
host to a designated global port, whereas static NAT maps an internal address to a global address.
To configure static NAPT, run the following commands in global configuration mode:
Command: Ruijie(config)# ip nat inside source static { udp | tcp } local-address port global-address port [ permit-inside ] [ vrf vrf_name ]
Function: Defines the static translation relationship of internal source addresses.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enters interface configuration mode.
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
The dynamic internal source address translation described in the previous section already performs dynamic NAPT of internal source addresses; to configure it, run the following command in global configuration mode.
Command Function
Configuration Guide Configuring NAT
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
Command: Ruijie(config-if)# ip nat outside
Function: Defines the external network the interface connects to.
NAPT may use the IP addresses in the address pool or directly use the IP address of the interface. Generally, one address is enough to meet the address translation needs of a network, since it can be translated into up to 64,512 addresses. If addresses are insufficient, you can add IP addresses to the address pool.
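The static NAPT, ACL-filtered dynamic NAPT and port sharing described above, as an added Python model that is not RGOS code: class and method names are assumptions, the sample addresses are constructed from the configuration examples in this guide, and the port range 1024-65535 is what yields the 64,512 translations per address mentioned in the text.

```python
"""Model of inside-source NAPT as described in this guide (added example)."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str, int]          # (proto, ip, port)
Row = Tuple[str, str, str, str, str]  # like 'show ip nat translations'


def acl_permits(acl: List[Tuple[str, str]], ip: str) -> bool:
    """Standard ACL match with wildcard masks; the implicit last rule is deny any."""
    addr = int(IPv4Address(ip))
    for net, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard 1 bits = don't care
        if addr & care == int(IPv4Address(net)) & care:
            return True
    return False


class Napt:
    def __init__(self, acl: List[Tuple[str, str]], inside_global: str,
                 first_port: int = 1024, last_port: int = 65535):
        self.acl = acl                        # 'ip nat inside source list <acl> ...'
        self.inside_global = inside_global    # one shared inside-global address
        self.ports = iter(range(first_port, last_port + 1))   # 64,512 ports
        self.out_map: Dict[Key, Key] = {}     # inside local  -> inside global
        self.in_map: Dict[Key, Key] = {}      # inside global -> inside local
        self.rows: Dict[Row, None] = {}       # ordered, de-duplicated table

    def add_static(self, proto: str, local_ip: str, local_port: int,
                   global_ip: str, global_port: int) -> None:
        """ip nat inside source static {tcp|udp} local port global port"""
        self.out_map[(proto, local_ip, local_port)] = (proto, global_ip, global_port)
        self.in_map[(proto, global_ip, global_port)] = (proto, local_ip, local_port)

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet leaving through the outside interface.

        Returns the new (source ip, source port), or None when the packet is
        not translated (ACL denies it, or the port space is exhausted).
        """
        key = (proto, src_ip, src_port)
        mapped = self.out_map.get(key)
        if mapped is None:
            if not acl_permits(self.acl, src_ip):
                return None
            try:
                port = next(self.ports)
            except StopIteration:
                return None              # all 64,512 ports of the address in use
            mapped = (proto, self.inside_global, port)
            self.out_map[key] = mapped
            self.in_map[mapped] = key
        self.rows[(proto, f"{mapped[1]}:{mapped[2]}", f"{src_ip}:{src_port}",
                   f"{dst_ip}:{dst_port}", f"{dst_ip}:{dst_port}")] = None
        return mapped[1], mapped[2]

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate a packet arriving on the outside interface; None = no entry."""
        hit = self.in_map.get((proto, dst_ip, dst_port))
        return None if hit is None else (hit[1], hit[2])

    def translations(self) -> List[Row]:
        """Rows in the column order of 'show ip nat translations'."""
        return list(self.rows)


if __name__ == "__main__":
    nat = Napt([("192.168.12.0", "0.0.0.255")], "200.168.12.200")
    nat.add_static("tcp", "192.168.12.3", 80, "200.168.12.200", 80)
    nat.outbound("tcp", "192.168.12.65", 2063, "168.168.12.1", 23)
    print("Pro Inside global Inside local Outside local Outside global")
    for row in nat.translations():
        print(" ".join(row))
```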
NAT overlap configuration is divided into two parts: 1) internal source address translation configuration; and 2) external source address translation configuration, which is needed only for an external network whose addresses overlap with the internal network. Static NAT or dynamic NAT may be used for external source address translation.
To configure static NAT for external source addresses, run the following command in global configuration mode:
Command: Ruijie(config)# ip nat outside source static global-address local-address [ vrf vrf_name ]
Function: Defines the static translation relationship of external source addresses.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enters interface configuration mode.
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
Command: Ruijie(config-if)# ip nat outside
Function: Defines the external network the interface connects to.
Command: Ruijie(config)# ip nat pool address-pool start-address end-address { netmask mask | prefix-length prefix-length }
Function: Defines an IP address pool. The IP addresses of all real hosts are included in the pool.
Command: Ruijie(config)# access-list access-list-number permit ip-address wildcard
Function: Defines an ACL to match the IP address of a virtual host. The ACL should be an extended ACL used to match destination IP addresses.
Command: Ruijie(config)# ip nat inside destination list access-list-number pool address-pool [ vrf vrf_name ]
Function: Defines the dynamic translation relationship of internal destination addresses.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enters interface configuration mode.
Command: Ruijie(config-if)# ip nat inside
Function: Defines the internal network the interface connects to.
Configuration Examples
!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.168.12.1 255.255.255.0
ip nat outside
!
ip nat pool net200 200.168.12.2 200.168.12.100 netmask 255.255.255.0
ip nat inside source list 1 pool net200
!
!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.168.12.200 255.255.255.0
ip nat outside
!
ip nat pool net200 200.168.12.200 200.168.12.200 netmask 255.255.255.0
ip nat inside source list 1 pool net200
access-list 1 permit 192.168.12.0 0.0.0.255
Whether correct NAT entries are created can be checked by looking up the NAT mapping table.
Ruijie# show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 200.168.12.200:2063 192.168.12.65:2063 168.168.12.1:23 168.168.12.1:23
The following example describes how to map IP address 192.168.12.3 of an internal web server to port 80 of global IP address 200.198.12.1. The configuration script is as follows:
!
interface FastEthernet 0/0
ip address 192.168.12.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.198.12.1 255.255.255.0
ip nat outside
!
ip nat inside source static tcp 192.168.12.3 80 200.198.12.1 80
!
interface FastEthernet 0/0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 200.198.12.1 255.255.255.0
ip nat outside
!
ip nat pool realhosts 10.10.10.2 10.10.10.3 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool realhosts
!
access-list 100 permit ip any host 10.10.10.100
!
Whether correct NAT entries can be created can be checked by looking up the NAT mapping table.
Figure 1
# Configure a static IP address for WAN port 0 which connects to the telecom network.
# Configure a NAT address pool. NAT provides multiple Outside ports. If GigabitEthernet 0/0 is configured as the Outside
port, the IP address of the port is set to 218.4.53.238; if GigabitEthernet 0/1 is configured as the Outside port, the IP
address of the port is set to 172.16.253.18.
Ruijie> enable
Ruijie(config-if)# no shut
Ruijie(config-if)# end
Ruijie#
# The system prompts that the link to the WAN port is Up.
Ruijie(config-if)# no shut
Ruijie(config-if)# end
Ruijie#
%LINK CHANGED: Interface FastEthernet 0/0, changed state to up
%LINE PROTOCOL CHANGE: Interface FastEthernet 0/0, changed state to UP
Ruijie# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
# Configure a connection sharing rule to allow common internal users to access Internet over a device
RUIJIE# write
Building configuration...
[OK]
RUIJIE#
Current configuration:
!
!
hostname NBR
!
!
!
access-list 1 permit any
!
!
interface FastEthernet 0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface FastEthernet 1/0
ip address 218.5.19.2 255.255.255.0
ip nat outside
!
ip nat inside source list 1 interface FastEthernet 1/0
ip nat inside source static tcp 192.168.0.4 110 218.5.19.2 110
ip nat inside source static tcp 192.168.0.4 25 218.5.19.2 25
ip nat inside source static tcp 192.168.0.3 80 218.5.19.2 80
ip nat inside source static tcp 192.168.0.2 21 218.5.19.2 21
ip nat inside source static tcp 192.168.0.2 20 218.5.19.2 20
!
ip route 0.0.0.0 0.0.0.0 FastEthernet 1/0 218.5.19.1
!
line con 0
line vty 0 4
password remoteuser
login
!
end
RUIJIE#
ip vrf 1
ip vrf 2
Figure 3
Configure MPLS
mpls ip
Configure PBR
Specify an ACL
ip vrf data
rd 200:1
route-target both 200:1
ip vrf v1
rd 100:1
route-target export 100:1
ip vrf v2
rd 100:2
route-target export 100:2
interface Loopback 0
ip ref
ip address 3.3.3.3 255.255.255.255
router bgp 100
bgp router-id 3.3.3.3
bgp log-neighbor-changes
neighbor 4.4.4.4 remote-as 100
neighbor 4.4.4.4 update-source Loopback 0
address-family ipv4
neighbor 4.4.4.4 activate
exit-address-family
address-family vpnv4 unicast
neighbor 4.4.4.4 activate
neighbor 4.4.4.4 send-community both
neighbor 4.4.4.4 route-map hzb out
exit-address-family
address-family ipv4 vrf data
maximum-prefix 10000
network 0.0.0.0
redistribute connected
redistribute static
exit-address-family
address-family ipv4 vrf v1
maximum-prefix 10000
redistribute static
exit-address-family
address-family ipv4 vrf v2
maximum-prefix 10000
exit-address-family
router ospf 1
router-id 3.3.3.3
network 0.0.0.0 255.255.255.255 area 0
mpls router ldp
ldp router-id interface Loopback 0 force
Release 11.1(5)B6
IP Routing Configuration
1. Configuring NSM
2. Configuring FPM
Configuration Guide Configuring NSM
Configuring NSM
IP Routing Configuration
Enabling IP Routing
By default, IPv4/IPv6 routing is enabled.
Command: Ruijie(config)# ip routing
Function: Enable IPv4 routing.
You can configure multiple static routes at the same time, up to the specified upper limit. No more static routes can be added once the upper limit is reached.
To configure static routes, execute the following commands in the global configuration mode:
Command: Ruijie(config)# ip route network net-mask { ip-address | interface [ ip-address ] } [ distance ] [ tag tag ] [ permanent ] [ weight number ] [ disable | enable ]
Function: Configure IPv4 static routes.
Command: Ruijie(config)# ipv6 route ipv6-prefix / prefix-length { ipv6-address | interface [ ipv6-address ] } [ distance ] [ tag tag ] [ weight number ]
Function: Configure IPv6 static routes.
Command: Ruijie(config)# ip static route-limit number
Function: Configure the upper limit of IPv4 static routes.
Command: Ruijie(config)# ipv6 static route-limit number
Function: Configure the upper limit of IPv6 static routes.
To delete static routes or cancel the upper limit of static routes, run the no form of the corresponding command.
Unless they are deleted, the Ruijie product always retains static routes. However, a static route can be replaced by a better route learned by a dynamic routing protocol; a better route is one with a smaller administrative distance. All routes, including static ones, carry an administrative distance. The following table shows the administrative distances of the various route sources on Ruijie products:
The static route redistribution shall be configured if the static routes are advertised by the dynamic routing
protocols such as RIP and OSPF.
When a port is "down", all routes through that port disappear from the routing table. Likewise, when the Ruijie product cannot find a forwarding route to the next-hop address, the static route also disappears from the routing table.
By default, the weight of a static route is 1. To view static routes with a non-default weight, execute the show ip route weight command. When there are load-balanced routes to an IP address, the switch assigns traffic by their weights: the higher the weight of a route, the more traffic it forwards. The router WCMP limit is 32, while the switch WCMP limit depends on the product model because the weights supported by the various chips differ. For the route weight values supported by a specific model, refer to the product specification.
When the sum of the load-balancing route weights exceeds the WCMP limit, the routes that exceed it do not take effect. For example, if the WCMP limit on a device is 8, only one static route configuration is effective:
The maximum number of static routes is 1024 by default. If the number of configured static routes exceeds the specified upper limit, they are not deleted automatically, but adding further routes fails.
To view the IP routing table, execute the show ip route command. For details, refer to Protocol-independent Command Configuration.
Default routes can be generated in two ways: 1) manual configuration. For details, see Configuring Static Routes in the
last section; 2) manually configuring the default network.
Most internal gateway routing protocols have a mechanism that transmits the default route to the entire
routing domain. The device that needs to transmit the default route must have a default route.
The transmission of the default route in this section applies only to the RIP routing protocol. The RIP always
notifies the “0.0.0.0/0” network as the default route to the routing domain.
For general static routes, execute the following commands in the global configuration mode:
Command Function
To generate default routes with the default-network command, the following condition must be met:
The default network is not a directly connected port network, but it is reachable in the routing table.
Under the same condition, RIP can also transmit the default route. Alternatively, this can be achieved by configuring a default static route or by learning the 0.0.0.0/0 route via other routing protocols.
If the router has a default route, whether learned by a dynamic routing protocol or manually configured, the "gateway of last resort" in the output of the show ip route command shows the information of that last gateway. A routing table may have multiple routes as alternative default routes, but only the best default route becomes the "gateway of last resort".
Command: Ruijie(config)# maximum-paths number
Function: Limit the number of equivalent routes.
The upper limit of equivalent routes varies by product series. The upper limit is 32 for routers, while for switches it depends on the specific chip; during configuration, refer to the system prompt.
The no form of this command restores the default number of equivalent routes.
This command is valid for both IPv4 and IPv6. That is, after you configure this command, the maximum number of equivalent route paths to IPv4 and to IPv6 destinations is the same configured value.
Route-Map Configuration
A route-map is a collection of filter policies for routing protocols and policy routing, independent of any particular routing protocol. A route-map is used to filter and modify routing information for a routing protocol, and to control packet forwarding for policy routing.
Command: Ruijie(config)# route-map route-map-name [ [ permit | deny ] sequence ]
Function: Define the routing map.
Command: Ruijie(config)# no route-map route-map-name [ { permit | deny } sequence ]
Function: Remove the routing map.
When you configure the rules of a routing map, you can execute one or more match or set commands. If there is no match command, all routes match. If there is no set command, no action is taken.
Whether a routing map supports a given match command or set command depends on the applications associated with the routing map. The general rules are as follows:
When you configure commands that associate an application with a routing map, the system displays a prompt if a configured match command or set command is inapplicable to the applications associated with the routing map.
When you configure a routing map, a match command, or a set command, the system displays a prompt if any match command or set command is inapplicable to any application associated with the routing map.
These two rules do not apply to associating policy routes with routing maps.
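The match/set semantics just described (entries tried in sequence order, an entry with no match clause matching everything, a matching permit entry applying its set clauses, a matching deny entry or no match at all rejecting the route) as an added Python model that is not RGOS code; the route dictionary keys, the Entry and RouteMap names and the sample routes are assumptions, with the first configuration example of this chapter (RIP routes with hop count 4 redistributed into OSPF as external type-1, metric 40, tag 40) used as the worked case.

```python
"""Route-map evaluation during redistribution (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Route = Dict[str, object]   # e.g. {"prefix": "10.1.0.0/16", "metric": 4, "tag": 0}


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    sequence: int
    match_clauses: Dict[str, object] = field(default_factory=dict)  # attr -> required
    set_clauses: Dict[str, object] = field(default_factory=dict)    # attr -> new value

    def matches(self, route: Route) -> bool:
        # An entry with no match command matches every route (all() of nothing).
        return all(route.get(k) == v for k, v in self.match_clauses.items())


class RouteMap:
    def __init__(self, name: str, entries: List[Entry]):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.sequence)

    def apply(self, route: Route) -> Optional[Route]:
        """Return the (possibly modified) route if permitted, else None."""
        for entry in self.entries:
            if not entry.matches(route):
                continue
            if entry.action == "deny":
                return None
            permitted = dict(route)
            permitted.update(entry.set_clauses)   # no set command: unchanged
            return permitted
        return None   # no entry matched: the route is filtered out


def redistribute(route_map: RouteMap, routes: List[Route]) -> List[Route]:
    """Filter and rewrite routes on their way from one protocol into another."""
    out = []
    for route in routes:
        kept = route_map.apply(route)
        if kept is not None:
            out.append(kept)
    return out


# The chapter's first configuration example, expressed in this model (constructed).
RIP_TO_OSPF = RouteMap("rip-to-ospf", [
    Entry("permit", 10, match_clauses={"metric": 4},
          set_clauses={"metric": 40, "metric-type": "type-1", "tag": 40}),
])


if __name__ == "__main__":
    rip_routes = [
        {"prefix": "10.1.0.0/16", "metric": 4, "tag": 0},   # 4 hops: redistributed
        {"prefix": "10.2.0.0/16", "metric": 2, "tag": 0},   # 2 hops: filtered out
    ]
    for r in redistribute(RIP_TO_OSPF, rip_routes):
        print(r)
```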
Route Redistribution
In route redistribution, the routing maps are often used to enforce conditional control over the mutual route redistribution
between two routers.
To redistribute routes from one routing area to another and control route redistribution, execute the following commands in
the routing process configuration mode:
Command Function
Route redistribution can easily cause routing loops, so use it with great care.
When route redistribution is configured in the OSPF routing process, redistributed routes are given a metric of 20 and the type Type-2 by default; this type is the least credible route type in OSPF.
To distribute the default route, execute the following commands in the routing process configuration mode:
Command: Ruijie(config-router)# default-information originate [ always ] [ metric metric ] [ metric-type type ] [ route-map map-name ]
Function: Introduce the default route into the routing protocol process and advertise it.
always (optional): a default route is always introduced into the process, whether or not a default route exists in the local routing table.
metric (optional): set the metric value of the introduced default route.
metric-type (optional): set the default route type.
route-map (optional): filter and set the default route.
To cancel introducing default route to the routing protocol process and advertise the cancellation, run the no form of the
corresponding command.
To prevent other routers or routing protocols from dynamically learning one or more route message, you can configure the
control over route updating advertising to prevent the specified route update.
To prevent route updating advertising, execute the following commands in the routing process configuration mode:
Command: Ruijie(config-router)# distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name } out [ interface-type interface-number | protocol ]
Function: Permit or deny routes according to the ACL rules. prefix: this keyword specifies the prefix list used to filter routes; the prefix list is configured separately with the ip prefix-list command.
Command: Ruijie(config-router)# no distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name } out [ interface-type interface-number | protocol ]
Function: Remove the configuration.
For OSPF, the interface cannot be specified, and this feature applies only to external routes of the OSPF routing area.
To avoid processing specified routes carried in incoming route update packets, configure this feature. It does not apply to the OSPF routing protocol.
To control route update processing, execute the following commands in the routing process configuration mode:
Command: Ruijie(config-router)# distribute-list { [ access-list-number | access-list-name ] | prefix prefix-list-name [ gateway prefix-list-name ] | gateway prefix-list-name } in [ interface-type interface-number ]
Function: According to ACL rules, permit or deny receiving distributed routes.
prefix: this keyword specifies the prefix list for filtering routes. The prefix list must be configured separately using the ip prefix-list command.
gateway: use the prefix list to filter the distributed routes according to the source of the routes.
Command: Ruijie(config-router)# no distribute-list { [ access-list-number | name ] | prefix prefix-list-name [ gateway prefix-list-name ] | gateway prefix-list-name } in [ interface-type interface-number ]
Function: Remove the configuration.
Configuration Examples
In the following example, the OSPF routing protocol redistributes only the RIP routes whose hop count is 4. In the OSPF routing area, the routes are external Type-1 routes with an initial metric of 40 and a route tag of 40.
# Configure OSPF
In the following configuration example, the RIP routing protocol redistributes only the OSPF routes whose tag is and initial
metric is 10.
# Configure RIP
In the following configuration example, the OSPF routing protocol redistributes the RIP routes. Because a route-map rule that the application does not support has been configured, a message is printed after redistribution indicating that the application does not support the corresponding rule.
# Configure route-map
# Configure OSPF
One router exchanges route information with other routers via RIP. In addition, there are three static routes. RIP is allowed to redistribute only two of them: 172.16.1.0/24 and 192.168.1.0/24.
This is a common distribution-list-based route filtering configuration in practice. Note that no metric is specified for the routes to be redistributed in the following configuration; since static routes are redistributed, RIP assigns the metric automatically. In the RIP configuration, the version must be specified and route aggregation must be disabled, because the access list permits the 172.16.1.0/24 route. To advertise that route, RIP must support classless routes, and the route must not be aggregated into the 172.16.0.0/16 network.
# Configure RIP
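As an added illustration (not configuration from the Ruijie guide), the following Python models the distribution-list filtering in this example: a prefix-list style filter with first-match and implicit-deny semantics applied to a constructed static route table, plus the effect of classful aggregation on the 172.16.1.0/24 route. The third static route, the ge/le handling and the simplification that aggregation is applied before the outbound filter are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# Added example, not Ruijie code: models "distribute-list ... out" filtering
# with ip prefix-list semantics (first match wins, implicit deny at the end).


@dataclass
class PrefixEntry:
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "172.16.1.0/24"
    ge: Optional[int] = None  # minimum prefix length (optional)
    le: Optional[int] = None  # maximum prefix length (optional)

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        net = ipaddress.ip_network(self.prefix)
        if not route.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            # Without ge/le the prefix length must match exactly.
            return route.prefixlen == net.prefixlen
        low = self.ge if self.ge is not None else net.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def prefix_list_permits(entries: List[PrefixEntry],
                        route: Union[str, ipaddress.IPv4Network]) -> bool:
    """True if the first matching entry permits the route; otherwise implicit deny."""
    net = ipaddress.ip_network(route) if isinstance(route, str) else route
    for entry in entries:
        if entry.matches(net):
            return entry.action == "permit"
    return False


def classful_summary(route: ipaddress.IPv4Network) -> ipaddress.IPv4Network:
    """Classful network that RIP aggregation would advertise instead of the subnet."""
    first_octet = int(route.network_address) >> 24
    if first_octet < 128:
        length = 8      # class A
    elif first_octet < 192:
        length = 16     # class B
    else:
        length = 24     # class C
    return ipaddress.ip_network(f"{route.network_address}/{length}", strict=False)


def redistribute_static(static_routes: List[str], out_filter: List[PrefixEntry],
                        auto_summary: bool = False) -> List[str]:
    """Routes RIP would advertise after the outbound distribution list.

    Assumption of this model: with aggregation enabled, the subnet is replaced by
    its classful summary before the filter is evaluated, which reproduces the
    effect the guide warns about for 172.16.1.0/24.
    """
    advertised = []
    for text in static_routes:
        route = ipaddress.ip_network(text)
        candidate = classful_summary(route) if auto_summary else route
        if prefix_list_permits(out_filter, candidate):
            advertised.append(str(candidate))
    return advertised


# Constructed inputs: the two routes named in the guide's example plus a third
# static route that the filter must drop.
STATIC_ROUTES = ["172.16.1.0/24", "192.168.1.0/24", "10.1.1.0/24"]
OUT_FILTER = [
    PrefixEntry("permit", "172.16.1.0/24"),
    PrefixEntry("permit", "192.168.1.0/24"),
    # everything else is dropped by the implicit deny
]

if __name__ == "__main__":
    print("aggregation disabled:", redistribute_static(STATIC_ROUTES, OUT_FILTER))
    print("aggregation enabled: ", redistribute_static(STATIC_ROUTES, OUT_FILTER, auto_summary=True))
```

With aggregation enabled, 172.16.1.0/24 becomes 172.16.0.0/16 and no longer matches the filter, which is why the guide requires aggregation to be disabled.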
The connection among four routers is shown in Figure 1. Router A belongs to the OSPF routing area, Router C belongs to the RIP routing area, Router D belongs to the BGP routing area, and Router B is connected to all three routing areas. Router A advertises the two routes 192.168.10.0/24 and 192.168.100.1/32, Router C advertises the network routes 200.168.3.0/24 and 200.168.30.0/24, and Router D advertises the network routes 192.168.4.0/24 and 192.168.40.0/24.
On Router B, OSPF redistributes the RIP routes as Type-1 routes and redistributes the BGP routes that carry the community attribute 11:11. RIP redistributes the 192.168.10.0/24 route from the OSPF routing area with a metric of 3, and advertises a default route into the RIP routing area.
When routing protocols redistribute routes among themselves, simple route filtering can be controlled by a distribution list. However, a distribution list cannot set different attributes for different routes; a route map must be configured for that. The route map provides more control functions than the distribution list but is more complex to configure. Therefore, for simple router configuration, avoid the route map where possible. The following example does not use the route map.
Router A configuration:
Router B configuration:
# Configure RIP and use the distribution list to filter the redistributed routes
Router C configuration:
Router D configuration:
Configuring FPM
Overview
The flow platform (FPM) is a platform for the acceleration of packet service processing. Because IP packets have the flow
attribute, the FPM provides services with the function to identify the flow attribute of IP packets before service processing,
so as to improve service processing efficiency. The FPM is a fundamental platform. It is loaded upon system startup. The
configuration commands described in this document are provided to implement FPM configuration and management. In
general, the default configuration of the FPM can already meet practical requirements.
N/A
Applications
Application: Configuring the packet receiving threshold. Description: A standalone device serves as the gateway to forward packets.
Application: Configuring loose TCP status check. Description: Perform active/standby switchover in the AS environment.
Scenario
When the device receives a large number of repeated TCP connection requests in a local area network (LAN), no
legitimate connection can be established if the device cannot receive any handshake response packet from the peer. In
this case, attacks probably occur. You can perform FPM configuration to restrict the number of TCP connection requests,
so as to effectively defend against such attacks.
Corresponding Protocols
Enable the strict packet status tracing function on the forwarding device.
Scenario
Loose TCP status check should be configured on the device to prevent flow interruption during active/standby switchover
of the device. Then a connection can be established and packets can be forwarded as long as one end sends an ACK
packet, so that the connection is not interrupted at all during the active/standby switchover.
Corresponding Protocols
Features
Basic Concepts
Flow Entry
A flow entry, as a physical resource for the device to identify and manage all connections of an IP session, records basic
information about the current IP session. The corresponding protocols include ICMP, TCP, UDP, and RAWIP.
Overview
Transparent transmission when the flow table is full: This feature ensures that the existing flows are not interrupted when the flow table is full.
Flow entry aging: This feature reclaims invalid flow entries.
Number of packets permitted in a flow: This feature prevents IP packet flooding attacks.
TCP status tracing: This feature filters out packets on illegitimate TCP connections.
Strict packet status tracing: This feature performs packet threshold check.
Loose TCP status check: This feature allows the establishment of a connection with only ACK packets.
Working Principle
The acceleration of IP service processing relies on a flow table. Flow table resources are configured according to the
current product hardware configuration and generally can meet application requirements in an application environment. In
some extreme environments, however, flow table resources could be exhausted, causing the failure to establish flows.
With this feature, packets are transparently transmitted instead of establishing any flow on wireless products when the
flow table is full, and service processing is not accelerated, thereby ensuring that service flows are not interrupted.
Configuration Guide Configuring FPM
Working Principle
Aging of a flow entry means that the device actively withdraws the flow entry when there has been no data exchange for a certain period of time. If a session attack occurs, the flow table fills up and new sessions cannot be established; flow table aging is designed to solve this problem. For flows of different service data types, the aging time must be set according to actual service requirements, and for flows in different states, different aging times must be set. For example, the aging time of a TCP flow in SYN status differs from that of a TCP flow in ESTABLISH status. As another example, when a port scanning attack occurs on a network, abundant flow table resources of the system are occupied; appropriate aging times can then be configured for the flows established on these connections according to their states, so as to reclaim flow entries effectively and avoid flow interruption. Configuring appropriate aging times helps to reduce "useless" flow entries in the flow table while meeting the requirement for exchanging service data flows.
Working Principle
For each flow in the current status, there is a counter that records the number of packets processed in the flow. An
attacker may send a large number of packets of a certain type to wage a traffic attack, in which case other types of
packets cannot be processed in time. You can configure the number of packets permitted to pass in a flow in a certain
status, so as to solve this problem and meet the requirement for exchanging service data flows.
Working Principle
A complete handshake process is required for the establishment of a TCP connection; otherwise, the connection is
illegitimate or the packets are attack packets. The FPM needs to trace the states of TCP connections, so as to distinguish
flows that are established over TCP session connections in various states and determine whether the connections are
legitimate. In some special scenarios such as asymmetrical routing, however, the states of TCP connections cannot be
traced and then this function should be disabled.
Working Principle
For a flow in a certain status established over a connection, there is an upper limit on the number of packets permitted on
the legitimate connection. If this upper limit is exceeded, a packet flooding attack probably occurs, occupying the
forwarding resources of the system. Therefore, you can configure a packet threshold for flows in various states so as to
effectively defend against such attacks.
Working Principle
A complete handshake process is required to establish a legitimate TCP connection. In some cases such as active/standby switchover, however, a handshake may already have been completed for the current TCP connection while the device holds no corresponding state. In such cases, the system requires only ACK packets. For this purpose, the FPM provides loose TCP status check.
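The following Python simulation is an added illustration, not Ruijie code, and puts the flow table mechanisms from the working principles above side by side: transparent transmission when the table is full, per-state aging, the per-state packet threshold enforced under strict packet status tracing, TCP status tracing, and loose TCP status check. The table capacity, aging times, thresholds and the state names are constructed values for the example, not product defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example, not Ruijie code: a toy model of the FPM flow table.
# All numeric values are constructed for illustration, not product defaults.

FlowKey = Tuple[str, str, int, str, int]   # proto, src ip, src port, dst ip, dst port


@dataclass
class FpmConfig:
    capacity: int = 4
    direct_trans: bool = True           # cleared by "ip session direct-trans-disable"
    tcp_state_inspection: bool = True   # "ip session tcp-state-inspection-enable"
    tcp_loose: bool = False             # "ip session tcp-loose"
    track_state_strictly: bool = False  # "ip session track-state-strictly"
    timeout: Dict[str, int] = field(default_factory=lambda: {   # "ip session timeout ..."
        "tcp-syn": 30, "tcp-established": 1800,
        "udp-established": 300, "icmp-started": 30})
    threshold: Dict[str, int] = field(default_factory=lambda: {  # "ip session threshold ..."
        "icmp-started": 3, "tcp-syn": 5})


@dataclass
class FlowEntry:
    state: str
    last_seen: float
    packets: int = 0


class FlowTable:
    def __init__(self, cfg: FpmConfig) -> None:
        self.cfg = cfg
        self.flows: Dict[FlowKey, FlowEntry] = {}

    def age(self, now: float) -> int:
        """Reclaim entries idle for longer than the aging time of their state."""
        expired = [k for k, f in self.flows.items()
                   if now - f.last_seen > self.cfg.timeout.get(f.state, 60)]
        for k in expired:
            del self.flows[k]
        return len(expired)

    def _initial_state(self, proto: str, flags: str) -> Optional[str]:
        """State of a brand-new flow, or None if this packet may not create one."""
        if proto == "udp":
            return "udp-established"
        if proto == "icmp":
            return "icmp-started"
        if not self.cfg.tcp_state_inspection:
            return "tcp-established"    # no tracing: any TCP packet opens a flow
        if flags == "SYN":
            return "tcp-syn"            # normal start of the handshake
        if flags == "ACK" and self.cfg.tcp_loose:
            return "tcp-established"    # loose check: ACK alone is accepted
        return None                     # handshake not seen: illegitimate

    def handle(self, key: FlowKey, flags: str, now: float) -> str:
        """Process one packet and report what happened to it."""
        self.age(now)
        proto = key[0]
        entry = self.flows.get(key)
        if entry is None:
            state = self._initial_state(proto, flags)
            if state is None:
                return "dropped-illegitimate-tcp"
            if len(self.flows) >= self.cfg.capacity:
                # Table full: forward without a flow (no acceleration) or drop.
                return "direct-trans" if self.cfg.direct_trans else "dropped-table-full"
            entry = FlowEntry(state=state, last_seen=now)
            self.flows[key] = entry
        elif proto == "tcp" and entry.state == "tcp-syn" and flags == "ACK":
            entry.state, entry.packets = "tcp-established", 0   # handshake completed
        entry.last_seen = now
        entry.packets += 1
        limit = self.cfg.threshold.get(entry.state)
        if self.cfg.track_state_strictly and limit is not None and entry.packets > limit:
            return "dropped-threshold"  # packet threshold check for this state
        return "accelerated"


if __name__ == "__main__":
    table = FlowTable(FpmConfig(track_state_strictly=True))
    ping = ("icmp", "10.1.1.5", 0, "10.1.1.1", 0)    # constructed flow key
    print([table.handle(ping, "", float(i)) for i in range(5)])
    print("aged out:", table.age(100.0))
```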
Configuration
Networking Requirements
For some special services such as network address translation (NAT) applied on wireless products, the FPM should
not allow the transparent transmission of packets without flow establishment.
Notes
By default, packets can be transparently transmitted without flow establishment when the flow table is full.
Configuration Steps
Optional configuration.
By default, packets can be transparently transmitted without flow establishment when the flow table is full. You can
use the ip session direct-trans-disable command to disable the function.
Verification
Use the show run command to check whether the configuration includes ip session direct-trans-disable. If no, the
transparent transmission function is enabled.
Configuration Example
Scenario If the NAT service is required on the current wireless device, you need to disable the transparent
transmission function because the NAT service does not allow the transparent transmission of
IP packets without flow establishment.
Configuration Steps Disable transparent transmission of packets without flow establishment when the flow table is
full.
Ruijie# configure terminal
Ruijie(config)# ip session direct-trans-disable
Verification Use the show run command to verify that the configuration includes ip session
direct-trans-disable.
Common Errors
N/A
Networking Requirements
Reasonably make use of system flow table resources so as to reduce "useless" flow entries in the flow table and
meet the requirement for exchanging service data flows.
Notes
There is a default aging time upon system initialization, which can meet practical requirements in most scenarios.
Therefore, the configuration is optional.
Because a certain time is required before the system detects the corresponding flow, the actual aging time is slightly
later than the configured aging time.
Configuration Steps
Optional configuration.
By default, a flow entry ages within the default aging time. If the default aging time does not meet the requirement,
you can use the ip session timeout command to change it. The longer the aging time, the longer the time-to-live
(TTL) of the flow entry.
Verification
Use the show run command to check whether the configuration includes ip session timeout. If no, the default
aging time applies.
Configuration Example
Scenario If there are a large number of UDP-established flows which occupy a great space of the flow table
on the current forwarding device, you can shorten the aging time of the UDP-established flows to
improve aging efficiency.
Configuration Steps The current forwarding device is an FW card located in slot 2 of device 1. Set the aging time of flows in udp-established status to 120 seconds.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 timeout udp-established 120
Verification Check the aging time of flows in udp-established status on the device in slot 2 of device 1. The
aging time should be 120 seconds.
Use the show run command to verify that the configuration contains the following item:
ip session 1 2 timeout udp-established 120
This indicates that the aging time is 120 seconds.
Common Errors
Networking Requirements
An attacker may send a large number of packets of a certain type to wage a traffic attack, in which case other types
of packets cannot be processed in time. You can configure the number of packets permitted in a flow in a certain
status, so as to solve this problem and meet the requirement for exchanging service data flows.
Notes
There is a default packet count upon system initialization, which can meet practical requirements in most scenarios.
Therefore, the configuration is optional.
The check function here is disabled by default. To enable the check function, you need to configure packet threshold
check for flows in various states first.
Configuration Steps
Optional configuration.
By default, a flow is judged according to the default number of packets permitted to pass in the flow. If the default number does not meet the requirement, you can use the ip session threshold command to change the number of packets allowed to pass in the corresponding flow. The greater the value, the more packets permitted to pass in the flow.
Verification
Use the show run command to check whether the configuration includes ip session threshold. If no, the default
values about the number of packets permitted to pass apply.
Configuration Example
Scenario When a large number of ping packets exist on a network, a flooding attack probably occurs. You can
configure the number of packets permitted to pass in each ICMP flow in icmp-started status, so as to
Common Errors
Networking Requirements
The TCP status tracing function needs to be enabled on corresponding wireless products.
Notes
Configuration Steps
Optional configuration.
By default, the TCP status tracing function is disabled on wireless products. You can use the ip session
tcp-state-inspection-enable command to enable the TCP status tracing function.
Verification
Use the show run command to check whether the configuration includes ip session tcp-state-inspection-enable.
If no, the TCP status tracing function is disabled.
Configuration Example
Scenario The TCP status tracing function needs to be enabled on the current wireless forwarding device.
Verification Use the show run command to verify that the configuration includes ip session
tcp-state-inspection-enable.
Common Errors
Networking Requirements
Perform this configuration to enable the packet threshold check function and disable the current flow when packets
are unreachable.
Notes
Configuration Steps
Optional configuration.
You can use the ip session track-state-strictly command to enable the strict packet status tracing function.
The packet threshold check function needs to be enabled in a scenario such as the scenario where attacks are
waged using a certain type of packet.
Verification
Use the show run command to check whether the configuration includes ip session track-state-strictly. If no, the
strict packet status tracing function is disabled.
Configuration Example
Scenario If ICMP flooding attacks occur in the current network environment, packet threshold check is needed.
In this case, perform this configuration to enable the packet threshold check function.
Configuration Steps The current forwarding device is an FW card located in slot 2 of device 1. Enable the strict packet status tracing function on the forwarding device.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 track-state-strictly
Verification Use the show run command to verify that the configuration includes ip session track-state-strictly.
Common Errors
Networking Requirements
Notes
By default, the establishment of a flow with an ACK packet is not allowed on FW products but enabled on EG
products.
Configuration Steps
Optional configuration.
By default, the loose TCP status check function is disabled on FW products. You can use the ip session tcp-loose
command to enable the loose TCP status check function. By default, the loose TCP status check function is enabled
on all wireless and EG products.
The loose TCP status check function is required on the standby device in a scenario such as active/standby
switchover.
Verification
Use the show run command to check whether the configuration includes ip session tcp-loose. If no, the loose TCP
status check function is disabled.
Configuration Example
Scenario The current forwarding device is an FW card located in slot 2 of device 1. Active/standby switchover is required in the current environment. Perform this configuration on the backup device.
Configuration Steps Enable the loose TCP status check function on the device in slot 2 of device 1.
Ruijie# configure terminal
Ruijie(config)# ip session 1 2 tcp-loose
Verification Use the show run command to verify that the configuration includes ip session tcp-loose.
Common Errors
Monitoring
If you run a clear command while the device is operating, services may be interrupted because important information is lost.
Command: clear ip fpm counters
Function: Clears the counters of IPv4 packets.
Command: clear ip v6fpm counters
Function: Clears the counters of IPv6 packets.
Command: show ip fpm counters
Function: Displays the counters of IPv4 packets.
Command: show ip v6fpm counters
Function: Displays the counters of IPv6 packets.
Command: show ip fpm flows
Function: Displays IPv4 packet flow information.
Command: show ip fpm flows filter
Function: Displays IPv4 packet flow information except specific IPv4 packet flows.
Command: show ip v6fpm flows
Function: Displays IPv6 packet flow information.
Configuration Guide Configuring Web Authentication
Overview
WEB authentication is a port-based authentication method that controls the network access authority of users. Users perform access authentication with an ordinary browser rather than installing special client authentication software.
When an unauthenticated user accesses the network, the switch forces the user to log in to a special website, whose services the user can access for free. To access other information on the Internet, the user must be authenticated by the WEB authentication server, and can use Internet resources only after the authentication succeeds.
If the user tries to access other outer networks through HTTP, the user is forced to access the WEB authentication website. This is called forced authentication.
WEB authentication provides convenient management function for users. The portal websites can provide the
advertisement, community service and personalized services.
Basic Concepts
HTTP Intercept
HTTP intercept means that the switch intercepts HTTP packets that it would otherwise forward. These HTTP packets are sent by users connected to the ports of the switch. For example, when a user accesses the network through the IE browser, the switch would normally forward the HTTP requests to the gateway; if the HTTP intercept function is enabled, these packets are not forwarded.
After the HTTP intercept function is enabled, the switch should forward the HTTP connection requests of users to itself. In
this event, a connection session is created between the switch and users. The switch enables the HTTP redirection
function to recommend the redirection page to users. A page is popped on the user's browser. This page can be an
authentication page or a link for software download.
In the WEB authentication function, you can set the information about the HTTP packets that need or need not be
intercepted, including the connected physical port, the users who send the packets and the destination port. Usually the
HTTP request packets sent by the unauthenticated users are intercepted and those sent by the authenticated users are
not intercepted. HTTP intercept is the basis of WEB authentication. The intercept may trigger the WEB authentication.
HTTP Redirection
According to the HTTP protocol, after a user's browser sends the HTTP GET or HEAD request packet, if the receiving end
provides resources, the 200 response packet is used. If no resource is provided, the 302 response packet is used. A new
site path is provided in the 302 response packet. After receiving the response, the user can re-send the HTTP GET or
HEAD request packet to the new site.
HTTP redirection is an important step of WEB authentication and is performed after HTTP intercept. The HTTP redirection function uses the 302 response defined in the HTTP protocol. The HTTP intercept process creates a connection session between the switch and the user. The user sends an HTTP GET or HEAD packet that was meant for another site; the switch receives it and answers with a 302 packet that carries the site path of the redirection page. The user re-sends a request packet to that site path and obtains the redirection page.
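As an added example (not Ruijie code), the following Python models the intercept-then-302 exchange described above on the access device: requests from authenticated users are forwarded, requests to the redirect address are forwarded as a resource free of authentication, and GET/HEAD requests from unauthenticated users are answered with a 302 pointing at the redirection homepage, after which the browser's follow-up request reaches the portal unchanged. The addresses, portal URL, client identification by IP address and the dropping of non-GET/HEAD requests are assumptions of this model.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Added example, not Ruijie code: a toy model of HTTP intercept and 302
# redirection on the access device. Addresses and the portal URL are constructed.

REDIRECT_IP = "192.0.2.10"              # constructed "http redirect" address
HOMEPAGE = "http://192.0.2.10/portal"   # constructed "http redirect homepage" URL


def parse_request(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse the request line and Host header; None if this is not an HTTP request."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "host": headers.get("host", "")}


def build_302(location: str) -> bytes:
    """The 302 response the switch answers with instead of forwarding the request."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("ascii")


def intercept(raw: bytes, client_ip: str, authenticated: Set[str]) -> Dict[str, object]:
    """Decide what the access device does with one HTTP request from client_ip.

    Returns {"action": "forward" | "redirect" | "drop", "response": bytes | None}.
    """
    if client_ip in authenticated:
        # Packets of authenticated users are not intercepted.
        return {"action": "forward", "response": None}
    req = parse_request(raw)
    if req is None:
        return {"action": "drop", "response": None}       # not an HTTP request
    host = req["host"].split(":")[0]
    if host == REDIRECT_IP:
        # The redirect address is a network resource free of authentication.
        return {"action": "forward", "response": None}
    if req["method"] in ("GET", "HEAD"):
        return {"action": "redirect", "response": build_302(HOMEPAGE)}
    # Assumption of this model: other methods are intercepted but not answered.
    return {"action": "drop", "response": None}


def next_request_after_302(response: bytes) -> bytes:
    """The request the browser re-sends to the site path given in the 302."""
    location = ""
    for line in response.decode("ascii").split("\r\n"):
        if line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
    url = urlsplit(location)
    return f"GET {url.path or '/'} HTTP/1.1\r\nHost: {url.netloc}\r\n\r\n".encode("ascii")


if __name__ == "__main__":
    first = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed
    step1 = intercept(first, "10.1.1.5", authenticated=set())
    print(step1["action"], step1["response"])
    step2 = intercept(next_request_after_302(step1["response"]), "10.1.1.5", set())
    print(step2["action"])   # the portal request is forwarded without redirection
```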
Working Principle
The following figure shows the typical networking mode for WEB authentication. The networking is composed of three
basic roles: the authentication client, access switch and WEB authentication server.
Convergence device: usually the convergence layer device in the network topology, such as the L3 switch, connecting to the access layer device. WEB authentication can also be enabled on the convergence device if the downlink access device does not enable WEB authentication.
WEB authentication server: It is the authentication server system that receives the authentication request sent by the
authentication client. It provides portal services for free and the interface based on the WEB authentication. It
interactively authenticates the client authentication information with the access device.
The main steps for WEB authentication:
Before authentication, the access device intercepts all HTTP requests sent by unauthenticated users and redirects them to the WEB authentication server. An authentication page is then displayed in the user's browser.
During the authentication process, the user enters authentication information such as the user name, password and check code on the authentication page, and this information is exchanged with the authentication server to authenticate the user's identity.
After the authentication succeeds, the WEB authentication server informs the access device that the user has passed authentication. The access device then allows the user to access the Internet.
The WEB authentication function can be enabled only on the FastEthernet or GigabitEthernet port.
If an interface is a member of an aggregate port, WEB authentication cannot be set on the interface. If an interface on which WEB authentication is enabled is added to an aggregate port, the WEB authentication function of this interface is automatically disabled and the authenticated users on the interface are cleared. The WEB authentication configuration on the interface is cleared at the same time. The configuration is not automatically restored if the interface leaves the aggregate port; you must re-configure the function.
For users who have passed authentication, WEB authentication on the access device binds IP address + MAC address + PORT. This introduces the following restrictions:
If an ACL is set on the controlled WEB port, the ACL does not take effect after the IP address + MAC address binding passes authentication.
WEB authentication cannot be used with the global IP address and MAC address binding function at the same
time. The globally enabled IP+MAC address binding function may result in the failure of network access,
even though the user authentication succeeds.
WEB authentication cannot be used with the IP address+MAC address binding function of DHCP Snooping at
the same time.
Limited by the hardware capacity of the access device, enabling ARP CHECK or the security channel may reduce the number of available authenticated users (especially the security channel function). If both functions are enabled, the hardware resources may be exhausted and WEB authentication cannot be performed. In addition, if WEB authentication is already enabled, enabling ARP CHECK or the security channel may fail. Hence, enabling WEB authentication and the security channel at the same time is not recommended.
When WEB authentication and 802.1x authentication are used together on the access device, pay attention to the following:
When port-based 802.1x authentication and WEB authentication are enabled on the same port of the access device and a user on the port passes 802.1x authentication, WEB authentication is no longer performed for other users. When MAC-based 802.1x authentication and WEB authentication are enabled on the same port at the same time, the authentication modes of different users do not affect each other.
When 802.1x authentication and WEB authentication are enabled on the same port of the access device, WEB authentication is no longer triggered for a user with the same IP address if 802.1x authentication is performed first.
The dynamic VLAN hop function of 802.1x authentication cannot be used together with WEB authentication on the same port of the access device.
For the functions related to HTTP redirection, refer to the HTTP 1.1 Protocol (RFC1945).
Default Configuration
The following table describes the default configurations for WEB authentication.
Basic Features
The WEB authentication configuration is performed on the access device. In the event of no configuration, the WEB
authentication of the access device is in the default status; this means the WEB authentication is disabled. The WEB
authentication function can work normally after all basic characteristics are configured. The following describes how to
configure the basic characteristics for WEB authentication.
In common cases, the authentication page is provided by the authentication server. Hence the IP address of HTTP
redirection should be the authentication server IP address. The redirection IP address is set as a special network resource
free of authentication. The unauthenticated users can directly perform HTTP communication with the IP address.
The IP address of HTTP redirection is not set by default. Perform the following steps to set the IP address of HTTP
redirection.
Command: Ruijie# configure terminal
Function: Enter the global configuration mode.
Command: Ruijie(config)# http redirect ip-address
Function: Set the IP address of HTTP redirection.
Command: Ruijie(config)# show http redirect
Function: Display the configuration for HTTP redirection.
To clear the IP address of HTTP redirection, perform the no http redirect command in the global configuration mode.
Configuration Examples
The authentication server can be a comprehensive portal server that provides not only WEB authentication but also download of the SU client software. When a user needs 802.1x authentication to access the Internet but the SU client software is not installed, the user can be redirected to the comprehensive portal server when accessing the Internet through a browser. After downloading and installing the SU client software, the user can pass 802.1x authentication to access the Internet. This configuration is required when configuring automatic client acquisition.
HTTP redirection homepage is not set by default. Perform the following steps to set HTTP redirection homepage URL.
Command: Ruijie# configure terminal
Function: Enter the global configuration mode.
Command: Ruijie(config)# http redirect homepage url-string
Function: Set the homepage URL of the authentication page. url-string begins with http:// or https://, is not case sensitive, and has a maximum length of 255 characters.
Command: Ruijie(config)# show http redirect
Function: Display the configuration for HTTP redirection.
To clear the homepage address of the authentication page, use the no http redirect homepage command in the global
configuration mode.
Configuration Examples
The homepage address can be a comprehensive portal server that provides not only WEB authentication but also download of the SU client software. When a user needs to pass 802.1x authentication to access the Internet but the SU client software is not installed, the user can be redirected to the comprehensive portal server when accessing the Internet through a browser. After downloading and installing the SU client software, the user can pass 802.1x authentication to access the Internet.
If a user enters the homepage address of the server in the browser address bar, the user directly accesses the homepage or downloads resources on the page without redirection. Because no redirection is performed, the switch has no information about the user and no security parameters are exchanged between the switch and the authentication server, so the authentication for this user may fail. For authentication to be performed, users should not access the homepage of the server directly.
Setting the Communication Key between the Access Device and Authentication Server
In order to use the WEB authentication function normally, set the communication key between the switch and
authentication server. When the switch detects that the unauthenticated user tries to access the network, the switch
redirects the user's access request to display the authentication page to guide the user to initiate authentication to the
authentication server. During authentication, the key between the access device and the authentication server encrypts
some data to enhance the security.
No key is set by default when the access device communicates with the authentication server. Perform the following steps
to set the key.
Command: Ruijie# configure terminal
Function: Enter the global configuration mode.
Command: Ruijie(config)# WEB-auth portal key key-string
Function: Set the key for communication between the switch and the authentication server. The maximum length of the key is 255 characters.
Command: Ruijie(config)# show WEB-auth
Function: Display the global configuration and statistics information for WEB authentication.
To clear the key used for communication between the access device and the authentication server, use the no
WEB-auth key command in the global configuration mode.
Configuration Examples
# Set the key to communicate between the switch and authentication server to WEB-auth.
Setting the SNMP Parameters between the Access Device and Authentication Server
SNMP/MIB is used between the access device and the authentication server to manage authenticated users. The
authentication user table on the access device is managed through the MIB: the authentication server reads the MIB
to obtain statistics for each user and to bring users online or take them offline. When a user goes offline, the
access device sends an SNMP-Inform message to the authentication server.
In order to use the WEB authentication function normally, set the SNMP parameters between the access device and
the authentication server. Perform the following steps.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# snmp-server community community-string rw Set the SNMP Community that the authentication server uses to manage the online users on the switch.
    community-string: Community character string.
    rw: Set the MIB to RW, which supports read-write operation.
Ruijie(config)# snmp-server enable traps WEB-auth Allow the switch to send WEB authentication messages outward. The message type includes Trap and Inform. WEB-auth denotes the WEB authentication message.
Ruijie(config)# snmp-server host ip-address inform version 2c community-string WEB-auth Set the destination host, message type, version and Community used when sending the WEB authentication message.
    ip-address: The IP address of the destination host, that is, the address of the authentication server.
    inform: Send messages of the SNMP-Inform type. Because the switch sends a message to the authentication server when a user goes offline, use SNMP-Inform rather than SNMP-Trap to prevent message loss.
    version 2c: SNMPv2 and later versions support the SNMP-Inform type, so the version cannot be set to SNMPv1.
    community-string: The Community character string used when the SNMP-Inform is sent.
    WEB-auth: Specify that the preceding parameters are used when the WEB authentication message is sent.
For the SNMP configuration commands and other detailed information, refer to the section of SNMP Configuration.
Configuration Examples:
Configuration Guide Configuring Web Authentication
# Set the SNMP parameters between the access device and the authentication server (IP address: 176.10.0.1). Set
the SNMP Community to WEB-auth and configure the parameters used by the SNMP-Inform message.
The SNMP communication parameters listed above are based on SNMPv2. You can adopt SNMPv3 for higher
security of the SNMP communication between the access device and the authentication server. With SNMPv3, the
SNMP Community is replaced by an SNMP User and the version of the SNMP-Inform is SNMPv3. The other security
parameters related to SNMPv3 must also be set. For details, refer to the related section of the SNMP
Configuration.
Enable the WEB authentication function on a port and make it a controlled port for WEB authentication by
performing the following steps.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# interface interface-name Enter the interface configuration mode.
Ruijie(config-if)# WEB-auth port-control Enable WEB authentication on the port.
Ruijie(config-if)# show WEB-auth port-control Display the WEB authentication configuration on the port.
To disable WEB authentication on the port, use the no WEB-auth port-control command in the interface configuration mode.
Configuration examples:
Setting the Redirection HTTP Ports
When a user accesses network resources, for example by using a browser to access the Internet, the user sends HTTP
packets. The switch intercepts these HTTP packets to determine that the user is accessing network resources. When
the access device detects that an unauthenticated user is accessing network resources, it blocks the user from
accessing them and displays an authentication page to the user instead.
By default, the switch intercepts the HTTP packets that the user sends to port 80 in order to detect whether the
user is accessing network resources.
To make the access device also intercept the HTTP packets that users send to a specific port number, perform the
following steps.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# http redirect port port-num Redirect the HTTP requests that users send to the specified destination port. A maximum of 10 destination port numbers can be configured, including port 80.
Ruijie(config-if)# show http redirect Display the configuration for HTTP redirection.
To remove the redirection of HTTP requests sent by users to a specified destination port, use the no http redirect
port port-num command in the global configuration mode.
Configuration examples:
# Redirect the HTTP requests sent by users to the specified destination port 8080.
# Stop redirecting the HTTP requests sent by users to the specified destination port 80.
When configuring automatic client acquisition, this configuration is required if you want the access device to
intercept the HTTP packets that users send to a specified port number.
The management protocol ports commonly used on the access device (for example, ports 22, 23 and 53) and the
ports reserved inside the system cannot be set as redirection ports. In practice, HTTP seldom uses a port number
below 1000 other than port 80. To avoid conflicts with well-known TCP ports, do not use a low port number as a
redirection port unless necessary.
Setting the Maximum HTTP Session Number for Each Unauthenticated User
When an unauthenticated user accesses network resources, the user PC sends HTTP connection requests. The access
device intercepts these HTTP packets and, through redirection, requires the user to perform WEB authentication. To
prevent an unauthenticated user from initiating an excessive number of HTTP connection requests and to conserve
the resources of the access device, the access device limits the maximum number of HTTP sessions per
unauthenticated user.
Authentication occupies one HTTP session, and other applications on the user PC may also occupy HTTP sessions.
Hence it is not recommended to set the maximum HTTP session number of an unauthenticated user to 1. The value is
3 by default.
Perform the following steps to modify the maximum HTTP session number of an unauthenticated user.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# http redirect session-limit session-num Set the maximum HTTP session number of each unauthenticated user to session-num, ranging from 1 to 10.
Ruijie(config-if)# show http redirect Display the configuration for HTTP redirection.
To restore the maximum HTTP session number of an unauthenticated user to 3, use the no http redirect
session-limit command in the global configuration mode.
Configuration examples:
If the WEB authentication page of a user frequently cannot be displayed, the maximum HTTP session number may be
limiting it. In this case, it is recommended that the user close some applications that occupy HTTP sessions and
then perform WEB authentication again.
Set the timeout for holding a redirection connection. When an unauthenticated user accesses network resources
through HTTP, the TCP connection request is intercepted and the TCP connection is established with the switch.
After the connection is established, the access device waits for the HTTP GET/HEAD packet sent by the user, then
replies with the HTTP redirection packet and closes the connection. This setting prevents users that never send
the GET/HEAD packet from occupying TCP connections for a long time. The timeout for holding a redirection
connection is 3 seconds by default.
Perform the following steps to modify the timeout for holding a redirection connection.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# http redirect timeout seconds Set the timeout for keeping a redirection connection, in seconds; seconds ranges from 1 to 10.
Ruijie(config-if)# show http redirect Display the configuration for HTTP redirection.
To restore the timeout for holding a redirection connection to 3 seconds, use the no http redirect timeout
command in the global configuration mode.
Configuration examples:
When WEB authentication or 802.1x authentication is enabled on a port, unauthenticated users must pass WEB
authentication or 802.1x authentication before accessing network resources. If unauthenticated users are to be
allowed to reach certain network resources without authentication, use the related commands to set those network
resources free for authentication. Once set, all users, including unauthenticated users, can access those
resources. By default, unauthenticated users cannot access any network resource that is not set free for
authentication.
Perform the following steps to set the network resources free for authentication.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# http redirect direct-site ip-address [ ip-mask ] [ arp ] Set the network resources free for authentication; the maximum number is 50. If the ARP Check function is enabled on the switch, perform ARP binding for the network resources free for authentication by adding the arp keyword.
Ruijie(config-if)# show http redirect Display the configuration for HTTP redirection.
To cancel network resources that are set free for authentication, use the no http redirect direct-site ip-address
[ ip-mask ] [ arp ] command in the global configuration mode.
Configuration example:
# Set a free website in the campus network 172.16.x.x as a network resource free for authentication.
The network resources free for authentication and the hardware entries for devices shared by unauthenticated
users together should not exceed 50. The available number may be lower when other security functions occupy
entries. To cover more addresses, use the IP address + mask form.
When ARP CHECK is enabled, set the gateway that connects the L2 switch to the PC as a network resource free for
authentication.
The http redirect direct-site command configures addresses that are reachable without authentication, whereas
the http redirect command configures the address of the WEB authentication server. Both addresses can be
accessed without authentication, but the two commands serve different purposes. Therefore, do not use the http
redirect direct-site command to configure the address of the WEB authentication server, as this may cause
confusion.
Pay attention to the following when configuring automatic client acquisition: setting network resources free for
authentication takes effect on an 802.1x controlled port only after the global client download function is
enabled. This setting is not affected by GSN or ACL, that is, an IP address free for authentication cannot be
blocked by GSN or filtered by an ACL. ARP binding is always performed on the S29 series switch, so the arp
keyword of this command has no separate effect there (the keyword is added automatically even if it is not set).
The access device maintains the online user information and updates it regularly, including the online time, to
monitor the network resources used by online users. For example, when a user's online time reaches or exceeds the
online time limit, the user is blocked from using network resources. By default, the access device updates the
online user information every 60 seconds.
Perform the following steps to modify the update interval of the online user information.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# WEB-auth update-interval seconds Set the update interval of the online user information to seconds, ranging from 30 to 3600 seconds.
Ruijie(config-if)# show WEB-auth Display the global configuration information and statistics information for WEB authentication.
To restore the update interval of the online user information to 60 seconds, use the no WEB-auth update-interval
command in the global configuration mode.
Configuration example:
If the IP address of an unauthenticated user falls within the configured range, the user can access all reachable
network resources without WEB authentication. No such unauthenticated user is set by default, so all users must
pass WEB authentication to access network resources.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# WEB-auth direct-host ip-address [ ip-mask ] [ port interface-name ] [ arp ] Set the unauthenticated users free for authentication; the maximum number is 50. If the port item is set, bind the user IP address to the specified port of the access device. If the ARP Check function is enabled on the switch, perform ARP binding for the user IP address free for authentication by adding the arp keyword.
Ruijie(config-if)# show WEB-auth Display the global configuration information and statistics information for WEB authentication.
To cancel an unauthenticated user, use the no WEB-auth direct-host ip-address [ ip-mask ] command in the global
configuration mode.
Configuration example:
The unauthenticated-user setting takes effect only under the following conditions: it applies only on a controlled
port for WEB authentication and has no effect in other cases; and it is not affected by GSN or ACL, that is, the
IP address of the user cannot be blocked by GSN or filtered by an ACL.
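The following is an added example, not Ruijie code or a description of RGOS internals: it models, offline, how the settings described in the preceding sections (redirect ports, the per-user HTTP session limit, the redirection-connection timeout, direct-site and direct-host exemptions) combine to decide what happens to a pre-authentication TCP connection. The 302 redirect format, the names `WebAuthPolicy`, `on_tcp_syn` and `on_http_request`, and all addresses and ports are constructed assumptions; the limits and defaults are the ones the guide states.

```python
"""Offline model of the pre-authentication HTTP interception the guide describes.

Added example, not Ruijie's code; the HTTP 302 reply format is an assumption and
every address, port and user below is a constructed sample value.
"""
import ipaddress
from collections import defaultdict

MAX_REDIRECT_PORTS = 10          # guide: at most 10 destination ports, port 80 included
MAX_EXEMPT_ENTRIES = 50          # guide: direct-site plus direct-host entries capped at 50
MANAGEMENT_PORTS = {22, 23, 53}  # guide: management ports cannot be redirect ports


class WebAuthPolicy:
    """Pre-authentication HTTP handling as the guide describes it (model only)."""

    def __init__(self, portal_homepage, session_limit=3, redirect_timeout=3):
        # defaults and ranges are the ones stated in the guide
        if not 1 <= session_limit <= 10:
            raise ValueError("http redirect session-limit must be 1..10")
        if not 1 <= redirect_timeout <= 10:
            raise ValueError("http redirect timeout must be 1..10 seconds")
        self.homepage = portal_homepage            # http redirect homepage
        self.session_limit = session_limit         # http redirect session-limit
        self.redirect_timeout = redirect_timeout   # http redirect timeout (seconds)
        self.redirect_ports = {80}                 # port 80 is always intercepted
        self.direct_sites = []                     # http redirect direct-site
        self.direct_hosts = []                     # WEB-auth direct-host
        self.sessions = defaultdict(int)           # open pre-auth HTTP sessions per user IP

    # ---- configuration, enforcing the limits the guide states ----
    def add_redirect_port(self, port):
        if port in MANAGEMENT_PORTS:
            raise ValueError(f"port {port} is a management port and cannot be redirected")
        if port not in self.redirect_ports and len(self.redirect_ports) >= MAX_REDIRECT_PORTS:
            raise ValueError("at most 10 redirect ports, including 80")
        self.redirect_ports.add(port)

    def add_direct_site(self, address, mask="255.255.255.255"):
        self._add_exempt(self.direct_sites, address, mask)

    def add_direct_host(self, address, mask="255.255.255.255"):
        self._add_exempt(self.direct_hosts, address, mask)

    def _add_exempt(self, table, address, mask):
        if len(self.direct_sites) + len(self.direct_hosts) >= MAX_EXEMPT_ENTRIES:
            raise ValueError("direct-site plus direct-host entries would exceed 50")
        table.append(ipaddress.ip_network(f"{address}/{mask}", strict=False))

    # ---- per-connection decisions ----
    def on_tcp_syn(self, src_ip, dst_ip, dst_port, authenticated):
        """Decide a new TCP connection: 'forward', 'intercept' or 'block'."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if authenticated:
            return "forward"
        if any(src in net for net in self.direct_hosts):
            return "forward"      # user is free for authentication
        if any(dst in net for net in self.direct_sites):
            return "forward"      # destination is free for authentication
        if dst_port not in self.redirect_ports:
            return "block"        # not HTTP on a redirect port: nothing to redirect
        if self.sessions[src_ip] >= self.session_limit:
            return "block"        # session limit for this unauthenticated user reached
        self.sessions[src_ip] += 1
        return "intercept"        # switch completes the handshake and waits for GET/HEAD

    def on_http_request(self, src_ip, request_line, elapsed_seconds):
        """Answer an intercepted connection; the connection is closed in every case."""
        self.sessions[src_ip] = max(0, self.sessions[src_ip] - 1)
        if elapsed_seconds > self.redirect_timeout:
            return None           # no GET/HEAD within the hold timeout
        if request_line.split(" ", 1)[0] not in ("GET", "HEAD"):
            return None
        return f"HTTP/1.1 302 Found\r\nLocation: {self.homepage}\r\nConnection: close\r\n\r\n"


def demo():
    """Walk PC1 and PC2 from the guide's example topology through the policy."""
    policy = WebAuthPolicy("http://www.WEB_auth.com/WEBportal/index.jsp")
    policy.add_redirect_port(8080)
    policy.add_direct_site("192.168.5.1")                 # public server (straight-through site)
    policy.add_direct_site("172.16.0.0", "255.255.0.0")   # campus range, IP + mask form
    policy.add_direct_host("192.168.4.12")                # PC2, free for authentication
    return {
        "pc2_https": policy.on_tcp_syn("192.168.4.12", "203.0.113.7", 443, False),
        "pc1_public": policy.on_tcp_syn("192.168.4.11", "192.168.5.1", 80, False),
        "pc1_https": policy.on_tcp_syn("192.168.4.11", "203.0.113.7", 443, False),
        "pc1_http": policy.on_tcp_syn("192.168.4.11", "203.0.113.7", 80, False),
        "pc1_reply": policy.on_http_request("192.168.4.11", "GET / HTTP/1.1", 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", repr(value))
```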
Check whether a user is offline based on traffic: if the user's traffic does not increase within 15 minutes, the
user is considered offline. This command is only a supplementary means of detecting whether a user is offline and
carries some risk of false detection.
Whether a user is offline can be detected in the following three modes.
In the link-based detection mode, when the switch detects that the user port goes LinkDown and does not detect
LinkUp within 1 minute, the user is considered offline.
In the traffic-based detection mode, if the user's traffic does not increase within 15 minutes, the user is
considered offline.
Among the three modes, modes 1 and 2 are mandatory and mode 3 (traffic-based) is optional. Modes 1 and 2 are used
to detect whether a user is offline by default; the traffic-based mode is not enabled by default.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# WEB-auth offline-detect-mode flow Set the traffic-based mode to detect whether the user is offline.
Ruijie(config-if)# show WEB-auth Display the global configuration information and statistics information for WEB authentication.
To disable the traffic-based mode for detecting whether a user is offline, use the no WEB-auth
offline-detect-mode flow command in the global configuration mode.
Configuration example:
# Set the user traffic based mode to detect whether the user is offline.
The convergence-layer device is connected to the access device (a layer-2 device) through a TRUNK port, and the
user PC is connected to the access device. Enable Web authentication on the convergence device and configure the
VLANs that are allowed to pass authentication. If the user's VLAN is in the allowed list, the user can be
authenticated; otherwise the user is rejected. The user's IP address, MAC address and VLAN ID can be bound
together.
To enable VLAN-based Web authentication and configure the list of allowed VLANs, perform the following steps:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# web-auth allow-vlan list Configure the VLANs that support VLAN-based Web authentication.
Ruijie(config)# show web-auth allow-vlan Display the list of VLANs supporting VLAN-based Web authentication.
To disable VLAN-based Web authentication, execute "no web-auth allow-vlan" in global configuration mode.
Configuration example:
Preconditions for VLAN-based Web authentication to take effect: this feature is supported only when Web
authentication is enabled on the convergence-layer device (including S3250E, S3760E, S5750, S5760E, S78 and S86
series switches); Web authentication must be enabled on the port that connects the convergence-layer device to
the downlink access-layer device; and that port must operate in TRUNK mode.
Use these commands to set or remove the URL format of redirect packets in template configuration mode.
Command Function
fmt { ace | ruijie | custom } Sets the URL format of redirect packets.
fmt custom [ encry { md5 | des | des_ecb | des_ecb3 | none } ] [ user-ip userip-str ] [ user-mac usermac-str ] [ user-vid uservid-str ] [ user-id userid-str ] [ nas-ip nasip-str ] [ nas-id nasid-str ] [ nas-id2 nasid2-str ] [ ac-name acname-str ] [ ap-mac apmac-str ] [ url url-str ] [ ssid ssid-str ] [ port port-str ] [ ac-serialno ac-sno-str ] [ ap-serialno ap-sno-str ] [ additional extern-str ] Sets the custom format of redirect packets.
no fmt custom [ user-ip ] [ user-mac ] [ user-vid ] [ user-id ] [ nas-ip ] [ nas-id ] [ nas-id2 ] [ ac-name ] [ ap-mac ] [ url ] [ ssid ] [ port ] [ ac-serialno ] [ ap-serialno ] [ additional ] Removes the configuration.
Use this command to adjust the URL format to match the portal server. The ace parameter is valid only in 1st
generation template configuration mode.
When unauthenticated users access network resources via a browser, they are redirected to the client download
page on the server, from which they can download the client software. This greatly eases client deployment.
The following sections describe in detail how to configure automatic SU client acquisition.
Limited by the hardware capacity of access devices, enabling the ARP CHECK or security channel function may
reduce the number of users that can be authenticated (especially the security channel function). Enabling
automatic client acquisition while both of these functions are enabled may exhaust hardware resources in extreme
cases, causing 802.1x authentication to fail. In addition, these functions may fail when 802.1x authentication is
enabled. Therefore, it is not recommended to enable the automatic client acquisition solution and the security
channel function at the same time.
To use the automatic client acquisition function, set the IP address for HTTP redirection. When the access device
detects that an unauthenticated user tries to access the network through HTTP, it redirects the user's request to
the client download page, which guides the user to download, install and authenticate with the client.
In common cases, the client download page is provided by the download server, so the HTTP redirection IP address
should be the IP address of the download server. The redirection IP address is treated as a special network
resource free of authentication: unauthenticated users can communicate with it directly over HTTP.
The HTTP redirection IP address is not set by default. To set it, refer to the related configuration commands in
the "Setting HTTP Redirection Address" section of Configuring the Basic Characteristics of WEB Authentication.
When a user accesses network resources, for example by using a browser to access the Internet, the user sends
HTTP packets. The access device intercepts these HTTP packets to determine that the user is accessing network
resources. When it detects that an unauthenticated user is accessing network resources, it blocks the user from
accessing them and displays the client download page instead.
By default, the access device intercepts the HTTP packets that the user sends to port 80 in order to detect
whether the user is accessing network resources.
To make the access device also intercept the HTTP packets that users send to a specific port number, refer to the
related configuration commands in the "Setting the Redirection HTTP Ports" section of Configuring the Optional
Characteristics for WEB Authentication.
Before enabling automatic client acquisition, the homepage address of the client download service must be
configured. When an unauthenticated user accesses the network, this page is displayed so that the user can
download the client.
The client download service homepage is not set by default. To set it, refer to the related configuration
commands in the "Setting HTTP Redirection Homepage" section of Basic Characteristics of WEB Authentication
Configuration.
Setting the Maximum HTTP Session Number for Each Unauthenticated User
When an unauthenticated user accesses network resources, the user PC sends HTTP connection requests. The access
device intercepts these HTTP packets and, through redirection, requires the user to perform WEB authentication. To
prevent an unauthenticated user from initiating an excessive number of HTTP connection requests and to conserve
the resources of the access device, the access device limits the maximum number of HTTP sessions per
unauthenticated user.
Authentication occupies one HTTP session, and other applications on the user PC may also occupy HTTP sessions.
Hence it is not recommended to set the maximum HTTP session number of an unauthenticated user to 1. By default,
the global maximum HTTP session number for each unauthenticated user is 255, and the maximum HTTP session number
for each unauthenticated user on each port is 300.
To set the maximum HTTP session number for an unauthenticated user, refer to the "Setting the Maximum HTTP
Session Number for Each Unauthenticated User" section of Configuring the Optional Characteristics for WEB
Authentication.
To set the timeout for holding a redirection connection, refer to the "Setting Timeout of Holding Redirection
Connection" section of Configuring the Optional Characteristics for WEB Authentication.
Command Function
configure terminal Enter the global configuration mode.
http redirect timeout seconds Set the timeout for keeping a redirection connection, in seconds; seconds ranges from 1 to 10.
show http redirect Display the configuration for HTTP redirection.
end Return to the privileged EXEC mode.
write Save the configuration.
To restore the timeout for holding a redirection connection to 3 seconds, use the no http redirect timeout
command in the global configuration mode.
Configuration examples:
To set the range of network resources free for authentication, refer to the "Setting the Range of Network
Resources Free for Authentication" section of Configuring the Optional Characteristics for WEB Authentication.
In the privileged EXEC mode, use the following command to display the HTTP redirection configuration used for
automatic client acquisition.
Command Function
show http redirect Displays the configuration for HTTP redirection.
The following example displays the HTTP redirection configuration acquired automatically by clients.
direct-site
Address Mask ARP Binding
--------------- ---------------- -----------
176.10.0.1 255.255.255.255 On
176.10.5.0 255.255.255.128 Off
Use this command to enable the Ruijie portal server in global configuration mode. Use the no form of this command
to restore the default setting. The Ruijie portal server is enabled by default.
Command Function
no web-auth portal extention Enables the Ruijie portal server.
Use this command to enable portal server check in global configuration mode. Use the no form of this command to restore
the default setting. Portal server check is disabled by default.
Command Function
Use this command to enable portal-escape function in global configuration mode. Use the no form of this command to
restore the default setting. This function is disabled by default.
Command Function
web-auth portal-escape Enables portal-escape function.
Use this command together with the web-auth portal-check command to sustain key services when the portal server
is abnormal. The following example enables the portal-escape function.
Use this command to set the communication key between the access device and the authentication server in global
configuration mode. Use the no form of this command to clear the communication key between the redirected Web
request of a user and the authentication server.
Command Function
web-auth portal key key-string Sets the communication key between the access device and the authentication server.
To use the Web authentication function, the communication key between the access device and the authentication server
must be set. The following example sets the communication key between the access device and the authentication server
to web-auth.
Monitoring
The following describes how to view the configuration and status for WEB authentication.
Command Function
Ruijie# show http redirect Displays the configuration of HTTP redirection.
Direct sites:
Address MASK ARP Binding
---------------- ---------------- -----------
61.233.3.215 255.255.255.255 On
61.233.3.220 255.255.255.255 Off
192.168.5.140 255.255.255.255 Off
218.30.66.101 255.255.0.0 Off
218.30.66.101 255.255.255.255 Off
Direct hosts:
Address Mask Port ARP Binding
---------------- ---------------- ---------- ------------
192.168.1.1 255.255.255.255 Fa0/1 On
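As an added example (not a Ruijie tool), the script below parses output in the layout of the show http redirect display above into structured entries and audits the exemption tables: entries over the 50-entry limit, entries lacking ARP binding while ARP Check is enabled, broad masks that exempt many addresses, and host entries already covered by a wider entry. The sample output is constructed from the guide's example rows; the function names and the /24 review threshold are assumptions of this example.

```python
"""Parse 'show http redirect' exemption tables and audit them.

Added example, not Ruijie code. SAMPLE_OUTPUT is constructed in the layout of the
guide's example; the review threshold widest_prefix is a choice made here.
"""
import ipaddress
import re

SAMPLE_OUTPUT = """\
Direct sites:
Address          MASK             ARP Binding
---------------- ---------------- -----------
61.233.3.215     255.255.255.255  On
218.30.66.101    255.255.0.0      Off
218.30.66.101    255.255.255.255  Off
Direct hosts:
Address          Mask             Port       ARP Binding
---------------- ---------------- ---------- ------------
192.168.1.1      255.255.255.255  Fa0/1      On
"""

# address, mask, optional port column (direct hosts only), ARP binding flag
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(On|Off)$")


def parse_show_http_redirect(text):
    """Turn the direct-site and direct-host tables into a list of dicts."""
    kind, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Direct sites"):
            kind = "direct-site"
            continue
        if line.startswith("Direct hosts"):
            kind = "direct-host"
            continue
        if not line or line.startswith("-") or line.startswith("Address"):
            continue  # blank line, rule line or column header
        m = ROW_RE.match(line)
        if kind is None or not m:
            raise ValueError(f"unexpected line in show http redirect output: {raw!r}")
        address, mask, port, arp = m.groups()
        entries.append({
            "kind": kind,
            "network": ipaddress.ip_network(f"{address}/{mask}", strict=False),
            "port": port,                 # None for direct-site rows
            "arp_binding": arp == "On",
        })
    return entries


def audit_exemptions(entries, arp_check_enabled=True, max_entries=50, widest_prefix=24):
    """Return (code, detail) findings a reviewer of the exemption tables would raise."""
    findings = []
    if len(entries) > max_entries:
        findings.append(("too-many", f"{len(entries)} entries exceed the limit of {max_entries}"))
    for e in entries:
        net = e["network"]
        if net.prefixlen < widest_prefix:
            findings.append(("broad-mask", f"{e['kind']} {net} exempts {net.num_addresses} addresses"))
        if arp_check_enabled and not e["arp_binding"]:
            findings.append(("no-arp-binding", f"{e['kind']} {net} lacks ARP binding while ARP Check is on"))
    # an entry already covered by a wider entry of the same kind wastes one of the 50 slots
    for e in entries:
        for other in entries:
            if (e is not other and e["kind"] == other["kind"]
                    and e["network"] != other["network"]
                    and e["network"].subnet_of(other["network"])):
                findings.append(("redundant", f"{e['kind']} {e['network']} is covered by {other['network']}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_exemptions(parse_show_http_redirect(SAMPLE_OUTPUT)):
        print(f"{code:15} {detail}")
```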
Command Function
Ruijie# show WEB-auth direct-host Displays the user range free for WEB authentication.
The following is an example of displaying the user range free for WEB authentication:
Displaying the Configuration Information for the WEB Authentication on the Port
Use the following command to display the configuration information for WEB authentication in the privileged EXEC mode.
Command Function
The following is an example of displaying the configuration information for WEB authentication on the port:
Command Function
Ruijie# show WEB-auth user [ ip-address ] Displays the online information of all users or of the specified user.
The following is an example of displaying the online information of all users or specified users:
Command Function
Ruijie# show web-auth allow-vlan Displays the list of VLANs supporting VLAN-based Web authentication.
The following example displays the list of VLANs supporting VLAN-based Web authentication.
Command Function
show http redirect Displays the authentication-exempted configuration.
Configuration Examples
The network consists of the WEB authentication server, a DHCP server, a straight-through server (website), a DNS
server, a core device (such as an S86 series switch), a convergence device (such as an S57 series switch), access
switches (S26 series switches) and user PCs.
The access device needs to support the WEB authentication function (only the S26 series switches).
Network Topology
The user PC connects to the access device, which connects to the convergence device. The convergence device
connects to the core device. Users access the Internet through the core switch.
The servers are installed in the server area and connect to the core device through the internal network.
PC1 obtains the IP address 192.168.4.11 from the DHCP server, and PC2 obtains the IP address 192.168.4.12 from
the DHCP server. The gateway address of PC1 and PC2 is 192.168.4.1.
The domain name of the WEB authentication server is www.WEB_auth.com, which is resolved by the internal DNS
server. The URL of the WEB authentication page is http://www.WEB_auth.com/WEBportal/index.jsp. If no internal
DNS server is deployed, set the IP address of the WEB authentication server directly in the URL.
There is a public server in the server area that users can access without authentication.
Configuration Tips
If the WEB authentication function is enabled on a port, the DHCP and DNS packets sent by users, even
unauthenticated users, can pass through, so users can obtain an IP address and resolve domain names.
To prevent TCP attacks, the maximum number of connections a user may open before authentication is limited. The
default is 3 and the maximum is 10. The user PC may initiate multiple HTTP connections from the browser or from
other software such as chat, download or video software, or even Trojan horse malware. Such software may occupy
the connections, so that the browser cannot create a connection and authentication may fail. Pay attention to
this during deployment: if a user who is subject to WEB authentication runs a lot of software that connects
automatically before accessing the Internet, disable that software.
WEB authentication requires the user PC to initiate HTTP connections. Before initiating them, the user PC must
obtain the IP address resolved by the DNS server and the ARP entry of the gateway. The switch therefore allows
ARP request packets sent to the gateway by unauthenticated users, which leaves room for ARP spoofing: if a user
spoofs another user's IP address in the same VLAN and sends ARP packets to the gateway, the gateway may learn an
incorrect ARP entry and other users in the same VLAN may be affected.
Configuration Steps
Set the IP address of the authentication server and the communication key with the authentication server on the
access device.
Ruijie# config
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http redirect 192.168.3.1
Ruijie(config)# WEB-auth portal key WEB_auth_s26_1
Set the homepage address of the authentication page on the access device.
Ruijie(config)# http redirect homepage http://www.WEB_auth.com/WEBportal/index.jsp
Set the SNMP parameters between the access device and authentication server.
Ruijie(config)# snmp-server community WEB_auth_key
Ruijie(config)# snmp-server enable traps WEB-auth
Ruijie(config)# snmp-server host 192.168.3.1 inform version 2c WEB_auth_key WEB-auth
Ruijie(config)# exit
Enable the WEB authentication function on Fa0/2 and Fa0/3 ports on the access device.
Ruijie(config)# interface range fa0/2-3
Ruijie(config-if-range)# WEB-auth port-control
Ruijie(config-if-range)# exit
Set the range of the network resources free for authentication on the access device and set the public server as the
straight through website.
Ruijie(config)# http redirect direct-site 192.168.5.1
If the ARP Check function is enabled, the arp item should be added.
Set the gateway IP address 192.168.4.1 that connects to the PC within the range of network resources free for
authentication on the access device.
If the ARP Check function is enabled, the arp item should be added.
When PC1 tries to access the Internet, it is redirected to the Web authentication server. After authentication succeeds,
PC1 can access the Internet. PC2 can access the Internet directly without authentication.
Verification
Display the network resources free of authentication.
Ruijie# show WEB-auth direct-site
direct-site
Address Mask ARP Binding
--------------- ---------------- -----------
192.168.4.1 255.255.255.255 On
192.168.5.1 255.255.255.255 On
direct-host
Address Mask Port ARP Binding
--------------- ---------------- ---------- ----------
192.168.4.12 255.255.255.255 Fa0/3 On
Display the user range free for authentication.
Ruijie# show WEB-auth direct-host
direct-host
Address Mask Port ARP Binding
--------------- ---------------- ---------- ----------
192.168.4.12 255.255.255.255 Fa0/3 On
Display the authentication configuration and statistic information on the port.
Ruijie# show WEB-auth port-control
Port Control
------------------------- ----------
FastEthernet 0/1 Off
FastEthernet 0/2 On
FastEthernet 0/3 On
......
Configuration Guide Configuring AAA
Configuring AAA
Access control determines who can access the network server and which services the users on the network can use.
Authentication, authorization and accounting (AAA) is a key security mechanism for access control.
Overview
Authentication, Authorization and Accounting (AAA) provides a consistent framework for configuring the authentication,
authorization and accounting functions supported by Ruijie products.
Authentication: Verifies whether a user may access the network; RADIUS or the local database can be used.
Authentication identifies a user before he/she is granted access to the network and network services. AAA
authentication is configured by defining a named list of authentication methods and applying it to each interface. The
method list defines the authentication types and the order in which they are executed. A defined method list must be
applied to a specific interface before its methods are executed. The exception is the default method list: if no other
method list is defined, the default method list is applied to all interfaces automatically, and a list applied explicitly
overrides the default list. All authentication methods other than local, line password and allow authentication must be
defined through AAA.
Authorization: Grants services to the user. AAA authorization is implemented by defining a set of attributes that
describe the operations the user is permitted to perform. These attributes can be stored on the network device or
remotely on the RADIUS security server. All authorization methods must be defined through AAA. When AAA
authorization is enabled, it is applied to all interfaces of the network device automatically.
Accounting: Records the user's use of network resources. When AAA accounting is enabled, the network access server
sends statistics records of the user's network resource usage to the RADIUS security server. Every accounting record is
composed of attribute pairs and is stored on the security server. These records can be read and analyzed by dedicated
software for billing, statistics and tracing of the user's network resource usage. All accounting methods must be defined
through AAA. When AAA accounting is enabled, it is applied to all interfaces of the network device automatically.
The AAA implementation of some products provides only the authentication function. For questions about product
specifications, contact marketing or technical support personnel.
Although AAA is the primary access control method, Ruijie products also provide simple access control outside the scope
of AAA, such as local username authentication and line password authentication. They differ in the degree of network
protection: AAA provides the higher level of security.
Expandability
Standardized authentication
Multiple backup systems
Basic Principles
The AAA can dynamically configure authentication, authorization and accounting for a single user (line) or server. It
defines the authentication, authorization and accounting by means of creating method lists and then applies them on
specific services or interfaces.
Method List
Because user authentication can be implemented in a variety of ways, a method list is used to define the sequence in
which the different methods are tried. A method list can specify one or more security protocols for authentication, so
that backup methods are available if the first method fails. Ruijie products try the first method in the list and move on
to the next method only if the first does not reply. This continues until a listed method allows the communication or all
listed methods are exhausted. If all listed methods are exhausted and the communication is still not allowed,
authentication is declared failed.
Ruijie products attempt the next method only when the current method does not reply. If a method refuses the
user's access during authentication, the authentication process ends and no further method is attempted.
The figure above illustrates a typical AAA network configuration, including two security servers, R1 and R2, which are
both RADIUS servers, and one NAS (Network Access Server) acting as the RADIUS client.
Suppose the system administrator has defined a method list in which R1 is queried first for the identity information,
then R2, and finally the local username database on the NAS. If a remote PC user attempts to access the network via
dial-up, the NAS first queries R1 for authentication. If the user passes authentication on R1, R1 sends a SUCCESS reply
to the NAS and the user is allowed onto the network. If R1 returns a FAIL reply, the user's access is refused and the
connection is dropped. If R1 does not reply, the NAS regards this as an ERROR and queries R2. This process continues
for the remaining methods until the user passes authentication, is refused, or the session is terminated. If every
method returns ERROR, authentication fails and the user is disconnected.
A REJECT response is not the same as a TIMEOUT response. REJECT means the user does not match the
credentials in the available authentication database and fails authentication, so the access request is refused.
TIMEOUT means the security server did not reply to the authentication request; it is handled as an ERROR, and on
ERROR AAA selects the next authentication method in the method list and continues the authentication process.
In this chapter, RADIUS is taken as the example of configuring the AAA security server for authentication, authorization
and accounting. For TACACS+, refer to TACACS+ Configuration.
Configuration
Basic Configuration
First decide which security solution to adopt: evaluate the potential security risks in the specific network and take
proper measures to prevent unauthorized access. For security risk evaluation and possible security solutions, see
“Chapter 2, Security Overview.” We recommend using AAA wherever possible to guarantee network security.
Overview
AAA configuration becomes simple once the basic operation of AAA is understood. On Ruijie network devices, AAA is
configured through the following steps:
When a method list is applied and no named method list is explicitly specified, the default authentication method
list applies. Therefore, if you do not want to use the default authentication method list, you must specify a named
method list.
For complete descriptions of the commands mentioned in this chapter, see the related chapters in the Security
Configuration Command Reference.
Enabling AAA
It is required to enable AAA first to be able to use the AAA security features.
Command: Ruijie(config)# aaa new-model
Function: Enables AAA.
Disabling AAA
Command: Ruijie(config)# no aaa new-model
Function: Disables AAA.
Configuration Steps
Task                                                Step  Section
Configuring Local Login Authentication              3     Configuring Authentication
Defining AAA Authentication Method List             3     Configuring Authentication
Applying Method List on Specific Interface or Line  4     Configuring Authentication
Configuring RADIUS Security Protocol Parameters     2     Configuring RADIUS
Enabling RADIUS Authorization                       5     Configuring Authorization
Configuring Authentication
Authentication verifies the user's identity before the user may use network resources. In most cases, authentication is
implemented with the AAA security features; we recommend using AAA wherever possible.
To configure AAA authentication, first define a named list of authentication methods; applications then use the defined
list for authentication. The method list defines the authentication types and their execution order. The defined
authentication methods must be applied to specific interfaces before they are executed. The exception is the default
method list: when no list is configured, all applications use the default method list.
A method list is simply a list of the authentication methods to be queried in turn to verify the user's identity. It can
specify one or more security protocols for authentication, so that backup methods are available if the first method fails.
Ruijie products try the first method in the list and move on to the next method only if the first does not reply. This
continues until a listed method allows the communication or all listed methods are exhausted. If all listed methods are
exhausted and the communication is still not allowed, authentication is declared failed.
Ruijie products attempt the next method only when the current method does not reply. If a method refuses the
user's access during authentication, the authentication process ends and no further method is attempted.
In a typical AAA network configuration there are two security servers, R1 and R2, both RADIUS servers. Suppose the
network administrator has chosen a security solution in which the NAS authenticates Telnet connections as follows: R1
is used first for user authentication; if it does not reply, R2 is used; if neither R1 nor R2 replies, the local database of
the access server performs the authentication. To configure this authentication list, run the following commands:
Command: configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# aaa authentication login default group radius local
Function: Configure a default authentication method list, where "default" is the name of the method list. The methods
in the list are written after the name in the order in which they will be queried. The default method list is applied to all
applications.
If the system administrator wants to apply this method list to a specific login connection only, he/she must create a
named method list and apply it to that connection. The example below applies the authentication method list to VTY
line 2 only.
Command: configure terminal
Function: Enters global configuration mode.
Command: Ruijie(config)# aaa new-model
Function: Turns on the AAA switch.
Command: Ruijie(config)# aaa authentication login test group radius local
Function: Defines a method list named "test" in global configuration mode.
Command: Ruijie(config)# line vty 2
Function: Enters VTY line 2 configuration mode.
Command: Ruijie(config-line)# login authentication test
Function: In line configuration mode, applies the method list named "test" to the line.
If a remote PC user attempts to Telnet to the network access server (NAS), the NAS first queries R1 for authentication.
If the user passes authentication on R1, R1 sends an ACCEPT reply to the NAS and the user is allowed onto the
network. If R1 returns a REJECT reply, the user's access is refused and the connection is dropped. If R1 does not
respond, the NAS treats this as a TIMEOUT and queries R2. This process continues for the remaining methods until
the user passes authentication, is refused, or the session is terminated. If both servers (R1 and R2) time out, the NAS
local database performs the authentication.
The REJECT response is not the same as the TIMEOUT response. REJECT means the user does not match the
credentials in the available authentication database and fails authentication, so the access request is refused.
TIMEOUT means the security server did not reply to the authentication request. When a TIMEOUT is detected,
AAA selects the next authentication method in the method list and continues the authentication process.
Authentication Types
Login authentication -- authenticates a user terminal logging in to the NAS CLI.
Enable authentication -- authenticates a user terminal raising its CLI privilege level after logging in to the NAS CLI.
PPP authentication -- authenticates a PPP dial-up user.
DOT1X (IEEE 802.1x) authentication -- authenticates an IEEE 802.1x access user.
The following tasks are common to the configuration of AAA authentication.
This section describes how to configure the AAA Login authentication methods supported by Ruijie products.
The AAA security features are available for configuration only after AAA has been enabled with the aaa new-model
command in global configuration mode. For details, see AAA Overview.
In many cases, the user needs to Telnet to the network access server (NAS). Once such a connection is set up, the NAS
can be configured remotely. To prevent unauthorized access to the network, the user's identity must be authenticated.
The AAA security services make it easy for network devices to perform line-based authentication. Whichever line
authentication method you decide to use, you only need to execute the aaa authentication login command to define
one or more authentication method lists and apply them to the specific lines that need line authentication.
To configure AAA login authentication, execute the following commands in global configuration mode:
Command: configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# aaa new-model
Function: Enable AAA.
Command: Ruijie(config)# aaa authentication login { default | list-name } method1 [ method2... ]
Function: Define a login authentication method list, or repeat this command to define more.
Command: Ruijie(config)# line vty line-num
Function: Enter the line that needs to apply the AAA authentication.
Command: Ruijie(config-line)# login authentication { default | list-name }
Function: Apply the method list to the line.
The keyword "list-name" names the created authentication method list and can be any string. The keyword "method"
means the actual authentication algorithm. The next authentication method is attempted only when the current method
returns ERROR (no reply). If the current method returns FAIL, no further method is tried. To have authentication
succeed even if none of the specified methods reply, specify "none" as the last authentication method.
In the example below, the user passes identity authentication even if the RADIUS server returns TIMEOUT:
Ruijie(config)# aaa authentication login default group radius none
Since the keyword "none" lets any dial-up user pass authentication when the security server does not reply, it
should be used only as the backup authentication method. We suggest not using "none" in general. Only in the
special case where all possible dial-up users are trusted and no delay caused by a system fault is acceptable for
the users' work may "none" be used as the last authentication method in case the security server does not
reply. We recommend adding the local authentication method before the "none" method.
Keyword       Description
local         Use the local username database for authentication.
none          Do not perform authentication.
group radius  Use the server group for authentication. At present, only the RADIUS server group is supported.
subs          Use the subs database for authentication.
The table above lists the AAA login authentication methods supported by Ruijie products.
To configure login authentication with the local database, the local database must be configured first. Ruijie products
support authentication based on the local database. To establish username authentication, run the following commands
in global configuration mode:
Command: configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# username name [ password password ] or username name [ access-class number ]
Function: Establish username authentication with a password, or restrict the user with an access list.
Command: username name [ privilege level ]
Function: (Optional) Set the privilege level for the user.
Command: username name [ autocommand command ]
Function: (Optional) Set the command executed automatically after the user logs in.
To define and apply the local login authentication method list, run the following commands:
Command: Ruijie# configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# aaa authentication login { default | list-name } local
Function: Define the local method list.
Command: Ruijie(config)# end
Function: Return to privileged EXEC mode.
Command: Ruijie# show aaa method-list
Function: Confirm the configured method list.
Command: Ruijie# configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# line vty line-num
Function: Enter line configuration mode.
Command: Ruijie(config-line)# login authentication { default | list-name }
Function: Apply the method list.
Command: Ruijie(config-line)# end
Function: Return to privileged EXEC mode.
Command: Ruijie# show running-config
Function: Confirm the configuration.
To configure a RADIUS authentication server for login authentication, the RADIUS server must be configured first. Ruijie
products support authentication based on a RADIUS server. To configure the RADIUS server, run the following
commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# radius-server host ip-address [ auth-port port ] [ acct-port port ]
Function: Configure the RADIUS server.
Command: Ruijie# show radius server
Function: Display the RADIUS server.
After the RADIUS server is configured, make sure that communication with the RADIUS server succeeds before
configuring RADIUS authentication. For details of the RADIUS server configuration, see Configuring RADIUS.
Now the RADIUS server based method list can be configured. Run the following commands:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# aaa authentication login { default | list-name } group radius
Function: Define the RADIUS method list.
Command: Ruijie(config)# end
Function: Return to privileged EXEC mode.
Command: Ruijie# show aaa method-list
Function: Confirm the configured method list.
Command: Ruijie# configure terminal
Function: Enter global configuration mode.
Command: Ruijie(config)# line vty line-num
Function: Enter line configuration mode.
Command: Ruijie(config-line)# login authentication { default | list-name }
Function: Apply the method list.
Command: Ruijie(config-line)# end
Function: Return to privileged EXEC mode.
This section describes how to configure the AAA Enable authentication methods supported by Ruijie products.
In many cases, the user needs to Telnet to the network access server (NAS). After passing authentication, the user
enters the command line interface (CLI) and is assigned an initial command execution privilege level (0-15). Different
commands can be executed at different levels; the show privilege command displays the current level. For details, see
Using the CLI.
After logging in to the CLI, a user whose initial privilege level is too low to execute some commands can use the enable
command to raise the privilege level. To prevent unauthorized access to the network, identity authentication, called
Enable authentication, is required when raising the privilege level.
To configure AAA Enable authentication, execute the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Enable AAA.
Command: Ruijie(config)# aaa authentication enable default method1 [ method2... ]
Function: Define the enable authentication method list, for example using RADIUS.
Only one enable authentication method list can be defined globally, so it has no name. The keyword "method" means
the actual authentication algorithm. The next authentication method is attempted only when the current method returns
ERROR (no reply). If the current method returns FAIL, no further method is tried. To have authentication succeed even
if none of the specified methods reply, specify none as the last authentication method.
Once configured, the enable authentication method takes effect: when the user executes the enable command to
switch to a higher privilege level, the user is prompted to authenticate. No authentication is required if the requested
privilege level is lower than or equal to the current one.
If Login authentication (with any method other than none) was performed when the user entered the CLI, the
username is recorded. If Enable authentication is then performed, the user is not prompted for a username and
the username from Login authentication is reused; note that the password entered must be consistent with it.
If no Login authentication was performed when entering the CLI, or the none method was used, no username is
recorded. In that case Enable authentication prompts the user for a username. This username is not recorded,
so the user must enter it every time Enable authentication is performed.
Some authentication methods can bind a security (privilege) level to the user. With such methods, the response based
on the security protocol is not enough: the bound security level must also be verified during authentication. If the bound
level is higher than or equal to the requested level, enable authentication and the level switch succeed. If the bound
level is lower than the requested level, enable authentication fails, an error message is displayed and the current level
is kept. If the protocol does not bind a security level, the user can switch to the requested level without verification of
a bound level.
At present only RADIUS and Local authentication support binding the security level, so only the security levels
of these two methods are checked.
When processing enable authentication with the local database, you configure the user privilege level when configuring
the local users. By default, the privilege level is 1. To configure enable authentication with the local database, first
configure the local database and the privilege level. To establish username authentication, run the following commands
in global configuration mode:
Command: Ruijie(config)# username name [ password password ]
Function: Establish the local username and set the password.
Command: Ruijie(config)# username name [ privilege level ]
Function: (Optional) Set the user privilege level.
To define the local Enable authentication method list, run the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# aaa authentication enable default local
Function: Define the local method list.
Command: Ruijie# show aaa method-list
Function: Confirm the configured method list.
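The local Enable authentication described above, written out as a complete added example (it is not an example from the original guide). The two accounts, their passwords and the bound privilege levels are arbitrary values chosen for illustration; the enable level syntax used in the expected-behaviour comments is assumed, and the behaviour listed there is the bound-level check described in the text.

```text
! Added example, not from the original guide: Enable authentication against the
! local database, with the privilege level bound to each local user enforced.
! Usernames, passwords and levels are arbitrary illustration values.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
! "operator" may raise its level to 5 at most; "admin" may raise it to 15.
Ruijie(config)# username operator password op_local_pw
Ruijie(config)# username operator privilege 5
Ruijie(config)# username admin password admin_local_pw
Ruijie(config)# username admin privilege 15
! Login through the local database, so the username is recorded at login and
! reused by Enable authentication without a second username prompt.
Ruijie(config)# aaa authentication login default local
Ruijie(config)# aaa authentication enable default local
Ruijie(config)# end
Ruijie# show aaa method-list
! Expected behaviour for a session logged in as "operator" (enable <level> syntax assumed):
!   enable 5   -> password prompt; succeeds, bound level 5 >= requested level 5
!   enable 15  -> password prompt; fails with an error, level unchanged, bound level 5 < 15
!   enable 1   -> no prompt when the requested level is not higher than the current one
Ruijie# show privilege
```

Keep the Login list on a real method (local here) rather than none: with none, no username is recorded at login, and Enable authentication has to ask for the username on every privilege change.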
A standard RADIUS server can pass the bound privilege level through the Service-Type attribute (standard attribute
number 6), which can specify privilege level 1 or 15. An extended RADIUS server (for example, SAM) can configure the
administrator privilege level through the private attribute number 42, which can specify privilege levels 0-15. For details
of the RADIUS server, see Specifying the RADIUS Private Attribute Type in Configuring RADIUS.
To configure a RADIUS authentication server for enable authentication, first configure the RADIUS server, then the
RADIUS server based enable authentication method list. Run the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# aaa authentication enable default group radius
Function: Define the RADIUS authentication method.
Command: Ruijie# show aaa method-list
Function: Confirm the configured method list.
PPP is a link-layer protocol that carries network-layer datagrams over a point-to-point link. In many cases the user
accesses the NAS (Network Access Server) by asynchronous or ISDN dial-up. Once the connection is set up, PPP
negotiation starts. To prevent unauthorized access to the network, the dial-up user must be authenticated during PPP
negotiation.
This section describes how to configure the AAA PPP authentication methods supported by Ruijie products. To
configure AAA PPP authentication, execute the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Enable AAA.
Command: Ruijie(config)# aaa authentication ppp { default | list-name } method1 [ method2... ]
Function: Define a PPP authentication method list. RADIUS and TACACS+ remote authentication and the local
database are the supported authentication methods.
Command: Ruijie(config)# interface interface-type interface-number
Function: Enter the asynchronous or ISDN interface that needs to apply the AAA authentication.
Command: Ruijie(config-if)# ppp authentication { chap | pap } { default | list-name }
Function: Apply the method list to the asynchronous or ISDN interface.
For the detailed configuration method for the PPP, see the related chapter in Configuring PPP, MP.
IEEE 802.1x is a standard for port-based network access control. It provides point-to-point secure access to the LAN
and a means of authenticating users connecting to LAN devices.
This section describes how to configure the 802.1x authentication methods supported by Ruijie products. To configure
AAA 802.1x authentication, execute the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Enable AAA.
Command: Ruijie(config)# aaa authentication dot1x { default | list-name } method1 [ method2... ]
Function: Define an IEEE 802.1x authentication method list. RADIUS remote authentication and local database
authentication are the supported authentication methods.
Command: Ruijie(config)# dot1x authentication list-name
Function: Apply the method list to 802.1x.
For the detailed configuration method for the IEEE802.1x, see the related chapter in Configuring 802.1x.
To configure AAA second-generation Web authentication, run the following commands in global configuration mode:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
Command: Ruijie(config)# aaa authentication web-auth { default | list-name } method1 [ method2... ]
Function: Define a second-generation Web authentication method list.
If the AAA second-generation Web security service is enabled on the device, users must be authenticated through
AAA during second-generation Web authentication negotiation. Use the aaa authentication web-auth command
to configure a default or named method list for Web authentication. The next method is used only when the
current method does not reply.
The following example defines an AAA Web authentication method list named rds_web. The RADIUS security server is
used first for authentication; if the RADIUS security server does not respond, the local user database is used.
Ruijie(config)# aaa new-model
Ruijie(config)# aaa authentication web-auth rds_web group radius local
To prevent a login user from guessing passwords, use the following commands to limit the number of login attempts. A
user who exceeds the limit cannot log in during the lockout period.
In global configuration mode, use the following commands to configure the login parameters:
Command: Ruijie(config)# aaa new-model
Function: Turn on the AAA switch.
By default, the number of login attempts is 3 and the lockout time is 900 minutes.
Enabling the System to Print the Syslog for AAA Authentication Success
By default, the system prints a syslog message for each AAA authentication success, at most 5 entries per second.
Command: Ruijie(config)# aaa log enable
Function: Enable the system to print the syslog informing of AAA authentication success.
Command: Ruijie(config)# aaa log rate-limit num
Function: Set the rate at which the syslog informing of AAA authentication success is printed. num: the number of
syslog entries printed per second, in the range 0 to 655,535; 0 means the printing rate is not limited. The default is 5.
Command: Ruijie(config)# no aaa log enable
Function: Disable the system from printing the syslog informing of AAA authentication success.
Command: Ruijie(config)# no aaa log rate-limit
Function: Restore the default printing rate.
The following example disables printing of the syslog informing of AAA authentication success.
Ruijie(config)# no aaa log enable
The following example sets the printing rate of the syslog informing of AAA authentication success to 10 entries per
second.
Ruijie(config)# aaa log rate-limit 10
The example below illustrates how to configure the network device to use RADIUS first and the local database second
for login authentication.
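The following configuration is an added example written for this page; it is not reproduced from the original guide. The RADIUS server address 192.168.217.64 is the one named in the text. The radius-server key command and the shared secret value are assumptions for illustration (the secret must match the one configured on the RADIUS server), and the local account name and password are arbitrary.

```text
! Added example, not from the original guide: login authentication via RADIUS
! first, with the local database as fallback when RADIUS does not reply.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
! RADIUS server named in the text (standard authentication and accounting ports).
Ruijie(config)# radius-server host 192.168.217.64 auth-port 1812 acct-port 1813
! Shared secret: assumed command and value, must match the server side.
Ruijie(config)# radius-server key ruijie_radius_key
! Local fallback account, used only on RADIUS TIMEOUT; a RADIUS REJECT still
! ends the authentication without consulting the local database.
Ruijie(config)# username admin password admin_local_pw
Ruijie(config)# username admin privilege 15
! Default login method list: query RADIUS, then the local database.
Ruijie(config)# aaa authentication login default group radius local
! Same order for Enable authentication, so privilege escalation is checked too.
Ruijie(config)# aaa authentication enable default group radius local
Ruijie(config)# end
! Verify the method lists and confirm the RADIUS server is reachable before
! closing the session you configured this from.
Ruijie# show aaa method-list
Ruijie# show radius server
```

Test the fallback path before relying on it: with the RADIUS server unreachable a login must succeed with the local account, and with the server reachable a wrong RADIUS password must be refused rather than falling through to the local database.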
In the example above, the access server uses the RADIUS server (IP address 192.168.217.64) to authenticate login
users. If the RADIUS server does not reply, the local database is used for identity authentication.
In a terminal service application, the terminal first connects to the asynchronous console and then uses the service to
access the network server. However, when AAA is enabled, Login authentication is required on all lines. The terminal
must pass Login authentication before it can reach the server, which interferes with the terminal service. The two kinds
of line can be separated by configuration, so that the line used by the terminal service connects to the server directly
without Login authentication, while the security of the device is ensured by Login authentication on the lines used to
connect to the device. That is, the user configures a login authentication list specifically for the terminal service with
the authentication method none, applies it to the lines on which the terminal service is enabled, and leaves the other
lines connecting to the local device unchanged. The terminal can then skip local login authentication.
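The terminal-service configuration described above, written out as an added example that is not taken from the original guide. The tty line range 1-4 and the RADIUS server 192.168.217.64 are the ones named in the text; the list name term_none, the shared secret and its radius-server key command, the local account, and the line range syntax used for the tty and vty lines are assumptions for illustration.

```text
! Added example, not from the original guide: the lines carrying the terminal
! service skip login authentication; every other line authenticates via RADIUS
! and then the local database.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
! Assumed command and secret value; must match the RADIUS server.
Ruijie(config)# radius-server key ruijie_radius_key
Ruijie(config)# username admin password admin_local_pw
! Default list for all lines that are not given a named list.
Ruijie(config)# aaa authentication login default group radius local
! Named list whose only method is none: no authentication at all. Apply it
! ONLY to the terminal-service lines; never to the VTY lines.
Ruijie(config)# aaa authentication login term_none none
Ruijie(config)# line tty 1 4
Ruijie(config-line)# login authentication term_none
Ruijie(config-line)# exit
! VTY lines explicitly keep the default list (RADIUS, then local).
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication default
Ruijie(config-line)# end
Ruijie# show aaa method-list
Ruijie# show running-config
```

The named list is the safety boundary here: because term_none contains only none, anything that reaches a line it is applied to gets a CLI without a password, so confirm in show running-config that it appears under the tty lines only.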
In the example above, the access server uses the RADIUS server (IP address 192.168.217.64) to authenticate login
users. If the RADIUS server does not reply, the local database is used for identity authentication. Login authentication
is not required on tty 1-4, the lines used by the terminal service, while the other tty and vty lines require login
authentication.
Configuring Authorization
AAA authorization enables the administrator to control the user's use of services or rights. After AAA authorization is
enabled, the network device configures the user session using the user profile stored locally or on the server. After
authorization is completed, the user can only use the services or rights allowed in the profile.
Authorization Types
Exec authorization method – the user terminal logs in the NAS CLI and is granted the privilege level (0-15 level).
Command authorization method – after the user terminal logs in the NAS CLI, the specific commands are
authorized.
Network authorization method – grant the available service to the user session on the network.
Configuration Guide Configuring AAA
Only TACACS+ supports the command authorization method. For detailed information, see TACACS+
Configuration.
The following tasks must be completed before configuring AAA authorization:
Enable the AAA service. For details, see AAA Overview.
(Optional) Configure AAA authentication. Authorization is done after the user passes authentication, but
authorization alone can also be done without authentication. For details of AAA authentication, see Configuring
Authentication.
(Optional) Configure the security protocol parameters. If a security protocol is required for authorization, its
parameters must be configured. Network authorization only supports RADIUS; Exec authorization supports RADIUS
and TACACS+. For details of RADIUS, see Configuring RADIUS. For details of TACACS+, see Configuring TACACS+.
(Optional) If local authorization is required, use the username command to define the user rights.
To authorize the commands executed by a user who has logged in to the NAS CLI, use the following command in global
configuration mode.
Command Function
aaa authorization commands level { default | list-name } method1 [ method2..] Authorize the commands executed by a user who has logged in to the NAS CLI.
level: Command level to be authorized, 0-15.
default: When this keyword is used, the method list that follows is used as the default method list for command authorization.
list-name: Name of the user authorization method list, which can be any character string.
method: Must be one of the keywords none and group. One method list can contain up to four methods.
none: Does not perform authorization.
group: Uses the server group for authorization. At present, only the TACACS+ server group is supported.
RGOS supports authorization of the commands executed by users. When a user enters and attempts to execute a
command, AAA sends this command to the security server. The command is executed only if the security server allows
it; otherwise, a command-denied prompt is shown.
The command level must be specified when configuring command authorization, and the specified command level is
the default command level.
The configured command authorization method must be applied to the terminal line that requires command
authorization. Otherwise, the configured command authorization method has no effect.
The following example uses the TACACS+ server to authorize level 15 commands:
To enable AAA authorization, execute the following commands in global configuration mode:
Command Function
configure terminal Enter global configuration mode.
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } method1 [ method2…] Define the AAA Exec authorization method.
Ruijie (config)#aaa authorization network { default | list-name } method1 [ method2…] Define the AAA network authorization method.
Exec authorization grants the privilege level for command execution to the user terminal that logs in to the network
access server (NAS). You can use the show privilege command to display the assigned level after the user logs in to
the NAS CLI successfully (by telnet, for example).
Whichever Exec authorization method you decide to use, you only need to execute the aaa authorization exec
command to define one or more authorization method lists and then apply them to the specific lines that need Exec
authorization.
To configure AAA Exec authorization, run the following commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } method1 [ method2…] Define the AAA Exec authorization method. If you need to define multiple methods, execute this command repeatedly.
Ruijie (config)#line vty line-num Enter the line to which the AAA Exec authorization method is applied.
Ruijie (config-line)#authorization exec { default | list-name } Apply the method to the line.
The keyword "list-name" names the created authorization method list and can be any string. The keyword "method"
is the actual algorithm for authorization. Only when the current method returns ERROR (no reply) is the next
authorization method attempted. If the current method returns FAIL, no further authorization method is used.
To make authorization succeed even if none of the specified methods reply, you can specify "none" as the last
authorization method.
In the example below, it is possible to pass Exec authorization even if the RADIUS server returns TIMEOUT:
Command Function
local Use the local username database for Exec authorization.
none Do not perform Exec authorization.
group radius Use RADIUS for Exec authorization.
group tacacs+ Use TACACS+ for Exec authorization.
The table above lists the AAA Exec authorization methods supported by Ruijie products.
Exec authorization is always used together with login authentication, and both can be applied to the same line at
the same time. Note, however, that authentication and authorization may produce different results for the same
user because they can use different methods and servers. If Exec authorization fails, the user cannot access the
CLI even though login authentication has passed.
To configure Exec authorization with the local database, the local database must be configured first. You can
configure the user privilege level while configuring the local user. By default, the privilege level is 1. Run the following
commands in global configuration mode:
Command Function
Ruijie (config)#username name [ password password ] Establish the local username and set the password.
Ruijie (config)#username name [ privilege level ] Set the user privilege level. (Optional)
To define the local Exec authorization method list, run the following commands:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization exec { default | list-name } local Define the local method list.
Ruijie#show aaa method-list Confirm the configured method list.
Ruijie (config)#line vty line-num Enter line configuration mode.
Ruijie (config-line)#authorization exec { default | list-name } Apply the method list.
To use the RADIUS server for Exec authorization, the RADIUS server must be configured first. For details of the
RADIUS server configuration, see Configuring RADIUS.
After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
The example below illustrates how to configure Exec authorization. Local login authentication and “RADIUS+local”
Exec authorization are used when a user on vty lines 0-4 logs in. The access server uses the RADIUS server with IP
address 192.168.217.64 and shared key test. The local username and password are both Ruijie, and the privilege level
is 6.
Ruijie# configure terminal
Ruijie(config)# aaa new-model
Ruijie(config)# radius-server host 192.168.217.64
Ruijie(config)# radius-server key test
Ruijie(config)# username Ruijie password Ruijie
Ruijie(config)# username Ruijie privilege 6
Ruijie(config)# aaa authentication login mlist1 local
Ruijie(config)# aaa authorization exec mlist2 group radius local
Ruijie(config)# line vty 0 4
Ruijie(config-line)# login authentication mlist1
Ruijie(config-line)# authorization exec mlist2
Ruijie(config-line)# end
Ruijie# show running-config
!
aaa new-model
!
aaa authorization exec mlist2 group radius local
aaa authentication login mlist1 local
!
username Ruijie password Ruijie
username Ruijie privilege 6
!
radius-server host 192.168.217.64
radius-server key 7 093b100133
!
line con 0
line vty 0 4
authorization exec mlist2
login authentication mlist1
!
end
Ruijie products support network authorization over network connections including PPP and SLIP. Network
authorization lets the network connection obtain services such as traffic, bandwidth, timeout and so on. Network
authorization only supports RADIUS. The authorization information assigned by the server is encapsulated in
RADIUS attributes. For different network connection applications, this authorization information may differ.
Currently the configuration does not support 802.1X AAA authorization; 802.1X authorization is implemented by
using other commands. For details of 802.1X authorization, see Configuring 802.1X.
To configure AAA network authorization, run the following commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization network { default | list-name } method1 [ method2…] Define the AAA network authorization method. If you need to define multiple methods, execute this command repeatedly.
The keyword "list-name" names the created authorization method list and can be any string. The keyword "method"
is the actual algorithm for authorization. Only when the current method returns ERROR (no reply) is the next
authorization method attempted. If the current method returns FAIL, no further authorization method is used.
To make authorization succeed even if none of the specified methods reply, you can specify "none" as the last
authorization method.
To use the RADIUS server for network authorization, the RADIUS server must be configured first. For details of the
RADIUS server configuration, see Configuring RADIUS.
After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa authorization network { default | list-name } group radius Define the RADIUS authorization method.
Configuring Accounting
The AAA accounting function enables you to trace the services and network resources used by a user. After the
accounting function is enabled, the network access server or router sends the user's network accesses to the RADIUS
security server in the form of attribute pairs. You may use analysis software to analyze these data and implement
billing, auditing and tracing of the user's activities.
Accounting Types
Exec accounting – records accounting information about the user terminal logged in to the NAS CLI entering and
exiting the CLI.
Command accounting – records information about the specific commands executed after the user terminal logs in to
the NAS CLI.
Network accounting – records information related to the user session on the network.
Only TACACS+ supports the command accounting function. For detailed information, see TACACS+
Configuration.
The following tasks must be completed before AAA accounting is configured:
Enable the AAA service. For details, see AAA Overview.
Define the security protocol parameters. The security protocol parameters must be configured for accounting.
Network accounting only supports RADIUS; Exec accounting supports RADIUS and TACACS+; command accounting
supports TACACS+ only. For details of RADIUS, see Configuring RADIUS. For details of TACACS+, see Configuring
TACACS+.
(Optional) Configure AAA authentication. Accounting is done after the user passes authentication (for example,
Exec accounting). In some circumstances, accounting can also be done without authentication. For details of AAA
authentication, see Configuring Authentication.
Exec accounting records information about the user terminal logged in to the NAS entering and exiting the CLI.
When the user terminal logs in and enters the NAS CLI, the NAS sends accounting start information to the security
server. When the user terminal exits the CLI, the NAS sends accounting stop information to the server.
Exec accounting starts only after the user terminal logged in to the NAS passes login authentication. If no login
authentication is configured, or the authentication method is none, no Exec accounting is performed. For the same
user terminal, if no accounting start information was sent to the security server at login, no accounting stop
information is sent at logout.
To configure AAA Exec accounting, run the following commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting exec { default | list-name } start-stop method1 [ method2…] Define the AAA Exec accounting method list. If you need to define multiple method lists, execute this command repeatedly.
Ruijie (config)#line vty line-num Enter the line to which the AAA Exec accounting is applied.
Ruijie (config-line)#accounting exec { default | list-name } Apply the method list to the line.
The keyword "list-name" names the created accounting method list and can be any string. The keyword "method"
is the actual algorithm for accounting. Only when the current method returns ERROR (no reply) is the next
accounting method attempted. If the current method returns FAIL, no further accounting method is used. To
make accounting succeed even if none of the specified methods reply, you can specify "none" as the last
accounting method.
The keyword "start-stop" makes the network access server send accounting information to the security server at the
start and at the end of the network service.
To use the RADIUS server for Exec accounting, the RADIUS server must be configured first. For details of the RADIUS
server configuration, see Configuring RADIUS.
After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting exec { default | list-name } start-stop group radius Define the RADIUS accounting method.
Ruijie (config)#show aaa method-list Confirm the configured method list.
The example below illustrates how to configure Exec accounting. Local login authentication and RADIUS Exec
authorization are used when a user on vty lines 0-4 logs in. The access server uses the RADIUS server with IP
address 192.168.217.64 and shared key test. The local username and password are both Ruijie.
Network accounting provides accounting information about the user session, including the packet count, bytes, IP
address and username. Currently, network accounting only supports RADIUS.
The format of RADIUS accounting information varies with the RADIUS security server. The contents of the
accounting records may also vary with the Ruijie product version.
To configure AAA network accounting, run the following commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting network { default | list-name } start-stop method1 [ method2…] Define the AAA network accounting method list. If you need to define multiple method lists, execute this command repeatedly.
The keyword "list-name" names the created accounting method list and can be any string. The keyword "method"
is the actual algorithm for accounting. Only when the current method returns ERROR (no reply) is the next
accounting method attempted. If the current method returns FAIL, no further accounting method is used. To
make accounting succeed even if none of the specified methods reply, you can specify "none" as the last
accounting method.
To use the RADIUS server for network accounting, the RADIUS server must be configured first. For details of the
RADIUS server configuration, see Configuring RADIUS.
After configuring the RADIUS server, the RADIUS server-based method list can be configured. Run the following
commands in global configuration mode:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa accounting network { default | list-name } start-stop group radius Define the RADIUS accounting method.
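The ERROR/FAIL fall-through rule stated here, and identically above for Exec authorization, network authorization and Exec accounting, is modelled in the following added Python example. It is not RGOS code; the local user database and the scripted server replies are constructed for the demonstration.

```python
"""Model of how an RGOS AAA method list is walked (added example, not RGOS
code). Each method answers PASS, FAIL or ERROR: only ERROR (no reply) moves
on to the next method, FAIL ends the list at once, and a list whose methods
all ERROR gives no decision unless 'none' closes it."""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"  # server timeout / no reply


# Constructed local database, as created with 'username <name> password ...'
LOCAL_USERS = {"Ruijie": "Ruijie"}


def local_method(user, password):
    """'local': check the local username database."""
    stored = LOCAL_USERS.get(user)
    return Result.PASS if stored is not None and stored == password else Result.FAIL


def none_method(user, password):
    """'none': always succeeds, so a list ending in it never hangs on timeouts."""
    return Result.PASS


def make_group(replies):
    """Simulated 'group radius' / 'group tacacs+': the reply per user is scripted;
    a user the server says nothing about is treated as a timeout (ERROR)."""
    def group(user, password):
        return replies.get(user, Result.ERROR)
    return group


def evaluate(method_list, user, password):
    """Walk an ordered method list [(name, callable), ...].
    Returns (decision, method_name); method_name is None when every method
    returned ERROR, i.e. nothing replied and the request is not granted."""
    for name, method in method_list:
        reply = method(user, password)
        if reply is Result.PASS:
            return Result.PASS, name
        if reply is Result.FAIL:
            return Result.FAIL, name  # a FAIL is final: no further method is tried
        # Result.ERROR: fall through to the next method
    return Result.ERROR, None


def demo():
    """The two RADIUS behaviours the guide contrasts: TIMEOUT versus a refusal."""
    radius_timeout = make_group({})                       # server never replies
    radius_reject = make_group({"Ruijie": Result.FAIL})   # server refuses this user
    return {
        # 'group radius local' with a silent server: local decides
        "radius-timeout,then-local": evaluate(
            [("group radius", radius_timeout), ("local", local_method)], "Ruijie", "Ruijie"),
        # 'group radius none' with a silent server: 'none' grants it, even with a wrong password
        "radius-timeout,then-none": evaluate(
            [("group radius", radius_timeout), ("none", none_method)], "Ruijie", "wrong"),
        # 'group radius' alone with a silent server: no decision at all
        "radius-timeout,only": evaluate(
            [("group radius", radius_timeout)], "Ruijie", "Ruijie"),
        # 'group radius local' with an explicit refusal: local is never consulted
        "radius-reject,then-local": evaluate(
            [("group radius", radius_reject), ("local", local_method)], "Ruijie", "Ruijie"),
    }


if __name__ == "__main__":
    for label, (decision, via) in demo().items():
        print(f"{label:28} -> {decision.name} via {via}")
```

The third scenario is why a list made up only of server groups leaves a user with no service when the servers are unreachable, and the second is why a trailing "none" should be applied only to lines where that is acceptable.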
The example below illustrates how to configure network authorization using RADIUS.
To view the information of the currently logged-in users, run the following command in privileged EXEC mode:
Command Function
show aaa user { all | lockout | by-id session-id | by-name user-name } Display the information of the current AAA users.
This command displays user information by either user name or session ID. To tell a user name from a session ID in
the displayed information, the keywords by-name and by-id are added to this command.
To view the accounting update information, run the following commands in privileged EXEC mode:
Command Function
show aaa accounting update Display the accounting update information.
Virtual Private Networks (VPNs) provide a secure method for sharing bandwidth on the ISP backbone network. One VPN
is a collection of shared routes. The user station is linked to the service provider network via one or more interfaces.
The VPN routing table is also called the VPN routing/forwarding (VRF) table. AAA can specify the VRF for each
self-defined server group.
In global configuration mode, use the following commands to configure the VRF for an AAA group:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa group server radius gs_name Configure the RADIUS server group and enter server group configuration mode.
Ruijie (config)#ip vrf forwarding vrf_name Specify the VRF for the group.
Overview
Domain-name-based AAA service configuration tasks
Domain-name-based AAA service configuration note
Domain-name-based AAA service configuration example
The domain-name-based AAA service is only applied to the IEEE802.1x authentication service. For the
detailed IEEE802.1x protocol configurations, please see the chapter of 802.1x Configuration.
Overview
In a multi-domain environment, one NAS (Network Access Server) can provide the AAA service for users in different
domains. Because the user attributes (such as the username, password, service type, privilege, etc.) differ in each
domain, the domains must be told apart by setting the domain method, and the attribute collection for each domain,
including the AAA service method lists, must be set.
For the type4 username, i.e., a userid without a domain name, the domain name is default.
The following are the basic principles of the domain-name-based AAA service:
If any of the above steps fails, the AAA service cannot be used.
Enabling AAA
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
For the detailed command descriptions, see the chapter Enabling AAA.
Command Function
Ruijie (config)#aaa authentication dot1x { default | list-name } method1 [ method2...] Define the IEEE802.1x authentication method list.
For the detailed command descriptions, see the chapters Configuring Authentication, Configuring Accounting
and Configuring Authorization.
Command Function
Ruijie (config)#aaa domain enable Enable the domain-name-based AAA service switch.
The following rules apply when searching for the domain name that matches a username:
A single character, such as “.”, “\” or “@”, separates the username from the domain name.
With “@”, the domain name is the character string that follows it. If the username contains multiple “@” characters,
the character string following the last “@” is the domain name. For example, if the username is a@b@c@d, a@b@c
is the username and d is the domain name.
With “\”, the domain name is the character string that precedes it. If the username contains multiple “\” characters,
the character string before the first “\” is the domain name. For example, if the username is a\b\c\d, b\c\d is the
username and a is the domain name.
With “.”, the domain name is the character string that follows it. If the username contains multiple “.” characters, by
default the character string following the last “.” is the domain name. For example, if the username is a.b.c.d, a.b.c is
the username and d is the domain name.
If “.”, “\” and “@” all appear in the username, the rules are applied in the order “@”, “\” and then “.” when matching
the domain name.
Command Function
Ruijie (config)#aaa domain domain-name Create the domain and enter domain configuration mode.
The domain-name-based AAA service supports domain names of up to 64 characters, which are not case-sensitive.
Use the following commands to select the AAA service method lists in domain configuration mode:
Command Function
Ruijie (config-aaa-domain)#authentication dot1x { default | list-name } In domain configuration mode, select the authentication method list.
Ruijie (config-aaa-domain)#accounting network { default | list-name } In domain configuration mode, select the accounting method list.
Ruijie (config-aaa-domain)#authorization network { default | list-name } In domain configuration mode, select the authorization method list.
Command Function
Ruijie (config-aaa-domain)#state { block | active } In domain configuration mode, set the domain state.
Use this command to set whether the username carries the domain-name information:
Command Function
Ruijie (config-aaa-domain)#username-format { without-domain | with-domain } In domain configuration mode, set whether the username carries the domain-name information when the NAS interacts with the server.
Use this command to set the maximum number of users supported in the domain:
Command Function
Ruijie (config-aaa-domain)#access-limit num In domain configuration mode, set the maximum user limit in the domain. By default, no user limit is configured (only valid for 802.1x users).
To select an AAA service method list in domain configuration mode, the AAA service method list must be defined
before entering domain configuration mode. Otherwise, the configuration does not exist when the AAA method
list-name is selected.
With the domain-name-based AAA service enabled, if the username carries no domain information, the default
domain is used; if the user's domain is not configured in the system, the user is determined to be illegal and no AAA
service is provided.
In domain configuration mode, if no method list is configured, the default method list in the system is used.
Use the following command to display the domain-name-based AAA service information in privileged EXEC mode,
global configuration mode or interface configuration mode:
Command Function
With the domain-name-based AAA service enabled, the method list in the domain is used. With the service disabled,
the method list selected according to the access protocol (such as 802.1x, etc.) is used for the AAA service. For
example, with the service disabled, the dot1x authentication authen-list-name and dot1x accounting acct-list-name
commands select the authentication and accounting method list names used to provide the AAA service.
With the domain-name-based AAA service enabled, there is no default domain by default, and the user must
manually create the domain named “default”. After that configuration, a user whose name carries no domain
information is provided the AAA service through the default domain. Without the default domain configured, a user
whose name carries no domain information cannot use the AAA service.
If the authenticated user carries domain information but the domain is not configured on the device, the AAA service
cannot be provided for the user.
The AAA service method list selected by the domain must be consistent with one defined by the AAA service.
Otherwise, the AAA service cannot be provided for the users in the domain.
The domain name carried by the user must exactly match the one configured on the device. For example, if
domain.com and domain.com.cn are both configured on the device and the request message carried by the user is
aaa@domain.com, the device determines that the user belongs to domain.com, not domain.com.cn.
After the configuration, with the user a1 in the RADIUS server, use the 802.1x client to log in to the server for
authentication by keying in the username a1@domain.com and the correct password. The related domain-name
information is displayed as follows:
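The username-splitting rules listed earlier in this chapter and the lookup notes above (default domain, case-insensitive exact match, username-format) are implemented together in the following added Python example. It is not RGOS code; the domain table is constructed, and the handling of a domain in the block state is an assumption the guide does not spell out.

```python
"""Username/domain splitting and domain lookup for domain-name-based AAA
(added example modelling the rules in this guide; not RGOS code)."""

DEFAULT_DOMAIN = "default"


def split_domain(username):
    """Split a user-supplied name into (user, domain) with the guide's rules:
    '@' takes precedence over '\\', which takes precedence over '.'.
    A name with no separator belongs to the default domain."""
    if "@" in username:
        # text after the LAST '@' is the domain: a@b@c@d -> (a@b@c, d)
        user, _, domain = username.rpartition("@")
        return user, domain
    if "\\" in username:
        # text before the FIRST '\' is the domain: a\b\c\d -> (b\c\d, a)
        domain, _, user = username.partition("\\")
        return user, domain
    if "." in username:
        # text after the LAST '.' is the domain: a.b.c.d -> (a.b.c, d)
        user, _, domain = username.rpartition(".")
        return user, domain
    return username, DEFAULT_DOMAIN


# Constructed domain table mirroring 'aaa domain <name>' configuration.
# Keys are stored lower-case because domain names are not case-sensitive.
DOMAINS = {
    "default":       {"state": "active", "username_format": "with-domain",
                      "authentication": "default"},
    "domain.com":    {"state": "active", "username_format": "without-domain",
                      "authentication": "renzheng"},
    "domain.com.cn": {"state": "active", "username_format": "with-domain",
                      "authentication": "renzheng"},
    "old.example":   {"state": "block", "username_format": "with-domain",
                      "authentication": "renzheng"},
}


def resolve(username, domains=DOMAINS):
    """Decide which domain serves one login attempt.
    The match is exact after case folding: aaa@domain.com belongs to
    domain.com, not domain.com.cn. An unconfigured domain means no AAA
    service, which the guide treats as an illegal user."""
    user, domain = split_domain(username)
    cfg = domains.get(domain.lower())
    if cfg is None:
        return {"accepted": False, "reason": "domain not configured"}
    if cfg["state"] == "block":
        # Assumption: a blocked domain refuses service (the guide only names the state).
        return {"accepted": False, "reason": "domain blocked"}
    # username-format decides what the NAS sends to the server: the bare user
    # part for without-domain, the full string as typed for with-domain.
    name_to_server = user if cfg["username_format"] == "without-domain" else username
    return {"accepted": True, "domain": domain.lower(), "user": user,
            "name_to_server": name_to_server,
            "authentication_list": cfg["authentication"]}


if __name__ == "__main__":
    for name in ("a1@domain.com", "a1@DOMAIN.COM.CN", "userid", "a\\b\\c\\d", "bob@nowhere.example"):
        print(f"{name:22} -> {resolve(name)}")
```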
=============Domain domain.com=============
State: Active
Username format: Without-domain
Access limit: No limit
Configuration Examples
Network Topology
Network Requirements
For better security management of the Network Access Server device (NAS device for short) in Figure-3, the network
requirements are as follows:
The administrators shall have their own usernames and passwords for convenient account management.
The user authentication methods are divided into local authentication and centralized authentication. Centralized
authentication combined with local authentication shall be adopted, with centralized authentication used primarily and
local authentication as the backup. During centralized authentication, RADIUS server authentication shall be tried
first; if there is no reply, it switches to local authentication.
Different users can be configured to access the specified network device during authentication.
User management privilege: divide the network management users into super users and ordinary users, where
super users have read and write privileges while ordinary users have the read privilege only.
The user authentication information, authorization information and network information are recorded in the server
for later display and audit (this example uses TACACS+ for accounting).
Configuration Tips
From the analysis of “Network Requirements”, deploying the AAA function can address the above requirements, that
is, dynamically configuring the identity authentication, authorization and accounting type for the user (line) or the
server. Define the identity authentication, authorization and accounting type by creating method lists, and apply each
method list to the specified service or interface. For details, see the following “Configuration Steps”.
Configuration Steps
#Enable AAA:
Ruijie#configure terminal
Ruijie(config)#aaa new-model
The network security server is responsible for authentication, authorization and accounting. The user information is
stored in the server, and the server software can record, calculate and analyze the various information via syslog.
! Configure the RADIUS server information (the shared key for communication between the device and the RADIUS
server is Ruijie)
! Configure the TACACS+ server information (the shared key for communication between the device and the TACACS+
server is redgiant)
! Configure password encryption (the key information for the local password and the security server is saved and
shown in simply-encrypted format)
Ruijie(config)#service password-encryption
! Configure the local user database (configure the username and the password, and set the user privilege level)
! Configure the local enable password for local enable authentication
Ruijie(config)#enable secret w
! Configure the line login password (with the AAA function enabled, the login password of the terminal line takes no
effect, so the line login password is configured to prevent login failure when the AAA function is disabled)
Ruijie(config)#line vty 0 15
Ruijie(config-line)#password w
! Configure the line user privilege level (with Exec authorization disabled, or when no Exec authorization method list is
applied to the line and there is no default Exec authorization method list, the configured line user privilege level is used)
Ruijie(config)#line vty 0 15
Ruijie(config-line)#privilege level 10
Login authentication
Login authentication is used to control user access. There are two methods for defining the authentication method
list: 1) RADIUS; 2) Local.
! Configure the login authentication method list and apply it to the corresponding line
To prevent a user from cracking the password by exhaustive guessing during login authentication, AAA is used to
limit the user's login attempts. When the authentication attempts reach the configured limit, the user cannot log in for
the lockout time (by default, the login authentication attempt limit is 3 times and the lockout time is 15 hours).
! Configure the authentication attempt limit of 2 times and the authentication lockout time of 10 hours
Enable authentication is used to switch the user privilege level. An authentication process is needed before the user
switches the privilege level to super user using the enable command. There are two methods for defining the
authentication method list: 1) RADIUS; 2) Local. Enable authentication can only set the default method list, which is
applied automatically after configuration.
Exec authorization
Exec authorization is used to control the user's command privilege level. For example, level 15 is the super user, level
14 is the configuration user, and level 2 is the ordinary user. Remote Exec authorization takes precedence over the
local one.
! Configure the Exec authorization method list and apply it to the line
! Configure Exec authorization for the console (by default, Exec authorization does not apply to the console)
Command authorization is used to grant the execution privilege of key commands only to administrators. Command
authorization authorizes the level of the command, not the current user. The RADIUS protocol is not supported.
! Configure the command authorization method list and apply it to the line
Ruijie(config)#aaa authorization commands 2 abc group tacacs+ local
Ruijie(config)#line vty 0 15
Ruijie(config-line)#authorization commands 2 abc
Exec accounting
Exec accounting is used to send messages about user login and logout to the server for display, statistics and
auditing.
! Configure the Exec accounting method list and apply it to the line
Command accounting is used to send the commands of a specific level executed by the user to the server for
display, statistics and auditing.
! Configure the command accounting method list and apply it to all lines
Verification
Step 1: Use the show running-config command to display the current configurations:
Ruijie#show running-config
......
!
aaa new-model
aaa local authentication attempts 2
aaa local authentication lockout-time 10
aaa authorization exec shouquan group tacacs+ local
aaa authorization commands 2 abc group tacacs+
aaa accounting exec default start-stop group tacacs+
Step 2: In the actual application, use the show aaa user { id | all } command to display the current AAA user information.
Network Topology
Network Requirements
Configure the Network Access Server (NAS, short for the device) to enable the domain-name-based AAA service,
including the authentication, authorization and the accounting:
Use the 802.1x client for the login authentication with the username PC1@ruijie.com, PC2@ruijie.com.cn or
PC3@ruijie.net and the password.
User network management: classify the users into the super users and the ordinary users, wherein the super users
are able to read and write while the ordinary users are able to read only.
The user authentication, authorization and network action messages are saved in the authentication server for the
displaying and the auditing.
Configure the domain-name-based AAA service to address the above network requirements.
This example takes the 802.1x client for example; therefore the network device must support 802.1x client access,
otherwise, this example cannot be applied.
Configuration Steps
#Enable AAA:
Ruijie#configure terminal
Ruijie(config)#aaa new-model
The network security server is responsible for authentication, authorization and accounting. The user information is
stored on the server, and the server software can record, calculate and analyze the various information via syslog.
! Configure the RADIUS server information (The shared key for the communication between the device and the RADIUS
server is Ruijie.)
! Configure the password encryption (The key information for the local password and the security server are saved and
shown in the simply-encrypted format.)
Ruijie(config)#service password-encryption
! Configure the local user database (Configure the username and the password, and set the user privilege level.)
! Configure the local enable password for the local enable authentication
Ruijie(config)#enable secret w
Ruijie(config-aaa-domain)#state active
Ruijie(config-aaa-domain)#username-format without-domain
! Ruijie(config)#aaa authentication dot1x renzheng group g2
Ruijie(config)#aaa authorization network shouquan group g2
!
Ruijie(config)#aaa accounting network jizhang start-stop group g2
!
Verification
Step 1: Use the show running-config command to display the current configurations (Take the domain name ruijie.com
for example.):
Ruijie#show running-config
......
!
aaa new-model
aaa domain enable
!
aaa domain ruijie.com
authentication dot1x renzheng
accounting network jizhang
authorization network shouquan
username-format without-domain
!
!
aaa group server radius g1
server 10.1.1.1
!
aaa group server radius g2
server 10.1.1.2
!
aaa group server radius g3
server 10.1.1.3
!
!
aaa accounting network jizhang start-stop group g2
=============Domain ruijie.com=============
State: Active
Username format: Without-domain
Access limit: No limit
802.1X Access statistic: 0
Configuring RADIUS
Overview
The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that works with AAA to
authenticate users attempting to connect and to prevent unauthorized access. In our implementation, the RADIUS client
runs on the router or network access server (NAS) and sends authentication requests to the central RADIUS server. The
central server holds all user authentication and network service information.
Because RADIUS is a completely open protocol, it has been implemented as a component of systems such as UNIX and
Windows 2000, and it is currently the most widely used security server.
Configuration
To configure Radius on the network device, perform the following tasks first:
Configuration Guide Configuring RADIUS
After the configuration is completed, you may start to configure the RADIUS. The configuration of the RADIUS consists of
the following parts:
Command Function
configure terminal Enter the global configuration mode.
radius-server host [ oob ] { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ] Specify a RADIUS security server host. Use the no form of this command to restore the default setting.
radius-server key string Configure the shared key for the communication between the device and the RADIUS server.
radius-server re-transmit retries Specify the number of times a request is sent before the router considers the RADIUS server invalid (3 by default).
radius-server timeout seconds Specify the waiting time before the router resends a request (2 s by default).
radius-server deadtime minutes Specify the waiting time before the server is considered dead when it does not respond to the requests sent by the device (5 minutes by default).
To configure RADIUS, it is necessary to configure the RADIUS key. The shared key on the network device and the
shared key on the RADIUS server must be the same.
The RADIUS Calling-Station-ID attribute is used to identify the NAS when the NAS is sending the request packets to the
RADIUS server. The contents of the RADIUS Calling-Station-ID are character strings, which can be in multiple formats.
The MAC address for the NAS is usually used as the content of the Calling-Station-ID to solely identify the NAS. The table
below lists the formats of the MAC address:
Format Description
ietf The standard format specified by the IETF (RFC 3580). '-' is used as the separator, for example: 00-D0-F8-33-22-AC.
normal Normal format representing the MAC address. '.' is used as the separator, for example: 00d0.f833.22ac.
unformatted No format and no separator. By default, unformatted is used. For example: 00d0f83322ac.
To configure the RADIUS Calling-Station-ID MAC-based attribute format, run the following commands:
Command Function
configure terminal Enter the global configuration mode.
radius-server attribute 31 mac format { ietf | normal | unformatted } Configure the RADIUS Calling-Station-ID MAC-based attribute format. The default format is unformatted.
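As an added example (not code from this guide or from Ruijie), the following Python parses a Calling-Station-ID value in any of the three MAC formats listed above and renders it in the format selected by radius-server attribute 31 mac format; the correlate_by_mac helper and the sample records are this example's own construction, showing how a log consumer can match records from devices configured with different formats.

```python
import re

# Added example (not Ruijie code). The three accepted spellings are exactly the formats the
# guide lists for attribute 31: ietf (00-D0-F8-33-22-AC), normal (00d0.f833.22ac) and
# unformatted (00d0f83322ac). Anything else (colon-separated, wrong length) is rejected.
_PATTERNS = {
    "ietf": re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$"),
    "normal": re.compile(r"^[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}$"),
    "unformatted": re.compile(r"^[0-9A-Fa-f]{12}$"),
}


def parse_calling_station_id(value: str):
    """Return (mac_bytes, detected_format); raise ValueError for any other spelling."""
    text = value.strip()
    for name, pattern in _PATTERNS.items():
        if pattern.match(text):
            return bytes.fromhex(re.sub(r"[-.]", "", text)), name
    raise ValueError(f"not a MAC in ietf/normal/unformatted form: {value!r}")


def format_calling_station_id(mac: bytes, fmt: str = "unformatted") -> str:
    """Render 6 MAC bytes the way the device sends attribute 31 in the given format."""
    if len(mac) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    hex_lower = mac.hex()
    if fmt == "ietf":
        return "-".join(f"{b:02X}" for b in mac)          # upper case, '-' separated
    if fmt == "normal":
        return ".".join(hex_lower[i:i + 4] for i in (0, 4, 8))
    if fmt == "unformatted":
        return hex_lower
    raise ValueError(f"unknown format {fmt!r}")


def correlate_by_mac(records):
    """Group (calling_station_id, log_line) pairs by canonical MAC, whatever format each NAS used.

    The returned dict is keyed by the unformatted (lower-case hex) MAC, so a monitoring rule
    does not have to know which 'radius-server attribute 31 mac format' each device runs.
    """
    groups = {}
    for csid, line in records:
        mac, _ = parse_calling_station_id(csid)
        groups.setdefault(mac.hex(), []).append(line)
    return groups


# Constructed sample records: the guide's example MAC as sent by three differently configured devices.
SAMPLE_RECORDS = [
    ("00-D0-F8-33-22-AC", "Access-Request from NAS-A (ietf format)"),
    ("00d0.f833.22ac", "Access-Request from NAS-B (normal format)"),
    ("00d0f83322ac", "Accounting-Request from NAS-C (unformatted)"),
]

if __name__ == "__main__":
    for key, lines in correlate_by_mac(SAMPLE_RECORDS).items():
        print(key, len(lines), "record(s)")
```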
Command Function
radius attribute { id | down-rate-limit | dscp | mac-limit | up-rate-limit } vendor-type type Set the private attribute type value.
The commands in this section allow the type of each private attribute to be configured freely. The default configurations
are as follows:
ID Function Type
1 max down-rate 1
2 qos 2
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 16
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 50
ID Function TYPE
1 max down-rate 76
2 qos 77
3 user ip 3
4 vlan id 4
5 version to client 5
6 net ip 6
7 user name 7
8 password 8
9 file-diractory 9
10 file-count 10
11 file-name-0 11
12 file-name-1 12
13 file-name-2 13
14 file-name-3 14
15 file-name-4 15
16 max up-rate 75
17 version to server 17
18 flux-max-high32 18
19 flux-max-low32 19
20 proxy-avoid 20
21 dailup-avoid 21
22 ip privilige 22
23 login privilige 42
24 limit to user number 50
Here is an example on how to configure the private type for network device:
Command Function
radius vendor-specific extend Extend RADIUS so as not to differentiate the IDs of private vendors.
The following example extends RADIUS so as not to differentiate the IDs of private vendors:
Command Function
This command is required if the server pushes the flow control value through the CLASS attribute. The following example
analyzes the flow control value of the CLASS attribute and sets the format to 52 bytes.
The device can carry out active detection of a specified RADIUS server; this feature is disabled by default. When active
detection of a RADIUS server is enabled, the device periodically sends detection requests (authentication requests or
accounting requests) to that server. The detection interval is:
RADIUS server in reachable state: 60 minutes by default.
RADIUS server in unreachable state: fixed to 1 minute.
To enable active detection of a specified RADIUS server, both of the following conditions must be met:
A testing user name for this RADIUS server has been configured on the device.
At least one tested port of this RADIUS server (authentication port or accounting port) has been configured on the device.
For a RADIUS server in reachable state, the device considers it unreachable only when both of the following conditions
are met:
The time configured by "radius-server dead-criteria time seconds" has elapsed since the last correct response was
received from this RADIUS server.
Since the last correct response was received, the number of requests sent to this RADIUS server without a correct
response has exceeded the number set by "radius-server dead-criteria tries number".
For a RADIUS server in unreachable state, the device considers it reachable again when any of the following conditions
is met:
A correct response is received from this RADIUS server.
The server has remained unreachable for longer than the time set by "radius-server deadtime", and active detection of
this RADIUS server is not enabled.
The authentication port or accounting port of this RADIUS server is updated on the device.
RADIUS server reachability detection allows the user to configure the dead-criteria conditions for a RADIUS server and
active detection.
To configure RADIUS dead-server detection, execute the following commands in global configuration mode:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie (config)# radius-server dead-criteria { time seconds [ tries number ] | tries number } Globally configure the dead-criteria conditions for a RADIUS server to be marked as dead. The default value of "seconds" is 60, and the default value of "number" is 10.
Ruijie (config)# radius-server deadtime minutes Configure the duration for which the device stops sending request packets to a RADIUS server in unreachable state (default: 0 minutes).
Ruijie (config)# radius-server host [ oob ] { ipv4-address | ipv6-address } [ auth-port port-number ] [ acct-port port-number ] [ test username name [ idle-time time ] [ ignore-auth-port ] [ ignore-acct-port ] ] [ key [ 0 | 7 ] text-string ] Configure the IP address of the remote RADIUS server, specify the authentication port and accounting port, and specify the parameters of active detection (testing user name, interval for active detection while the server is in reachable state, and whether the authentication port or the accounting port shall be ignored).
The dedicated testing user name shall be used. This user name must not be used by other valid access users,
so as not to affect the authentication, authorization or accounting of other valid users.
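The dead-criteria, deadtime and active-detection rules above, as an added Python model (not device code); the class, its field names and the simulated times are this example's assumptions, and it applies the conditions exactly as the guide lists them, so the effect of each setting can be traced before it is deployed.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not Ruijie code): reachability of one RADIUS server under the rules above.
# Times are seconds on a monotonic clock supplied by the caller; defaults mirror the guide.


@dataclass
class RadiusServerState:
    dead_criteria_time: int = 60             # radius-server dead-criteria time (seconds, default 60)
    dead_criteria_tries: int = 10            # radius-server dead-criteria tries (default 10)
    deadtime_minutes: int = 0                # radius-server deadtime (minutes, default 0)
    test_username: Optional[str] = None      # radius-server host ... test username name
    tested_ports: tuple = ("auth", "acct")   # ports not excluded by ignore-auth-port / ignore-acct-port
    idle_time_minutes: int = 60              # active-detection interval while reachable (idle-time)
    reachable: bool = True
    last_good: float = 0.0                   # time of the last correct response
    unanswered_since_good: int = 0           # requests without a correct response since then
    dead_since: Optional[float] = None

    def active_detection_enabled(self) -> bool:
        # Both conditions from the guide: a testing user name and at least one tested port.
        return self.test_username is not None and len(self.tested_ports) > 0

    def probe_interval_seconds(self) -> Optional[int]:
        """Interval before the next detection request, or None when active detection is off."""
        if not self.active_detection_enabled():
            return None
        return self.idle_time_minutes * 60 if self.reachable else 60   # fixed 1 minute when dead

    def _revive(self) -> None:
        self.reachable, self.dead_since, self.unanswered_since_good = True, None, 0

    def on_no_response(self, now: float) -> bool:
        """A request to the server went unanswered. Returns the reachability afterwards."""
        self.unanswered_since_good += 1
        time_exceeded = (now - self.last_good) > self.dead_criteria_time
        tries_exceeded = self.unanswered_since_good > self.dead_criteria_tries
        if self.reachable and time_exceeded and tries_exceeded:     # both conditions, not either
            self.reachable, self.dead_since = False, now
        return self.reachable

    def on_correct_response(self, now: float) -> bool:
        """A correct response arrived: the server is reachable regardless of its previous state."""
        self.last_good = now
        self._revive()
        return self.reachable

    def on_port_update(self) -> bool:
        """auth-port or acct-port reconfigured on the device: an unreachable server becomes reachable."""
        if not self.reachable:
            self._revive()
        return self.reachable

    def tick(self, now: float) -> bool:
        """Periodic check: deadtime expiry revives the server only when active detection is off."""
        if (not self.reachable and not self.active_detection_enabled()
                and (now - self.dead_since) > self.deadtime_minutes * 60):
            self._revive()
        return self.reachable


def run_timeouts(state: RadiusServerState, times) -> list:
    """Feed a sequence of unanswered requests and return the reachability after each one."""
    return [state.on_no_response(t) for t in times]
```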
Command Function
radius-server account update re-transmit Configure accounting update packet re-transmission.
This command is used to configure accounting update packet re-transmission for the second generation Web
authentication user exclusively.
Command Function
radius-server source-port port Configure the source port used to send RADIUS packets. port: the port number, in the range from 0 to 65535.
The following example configures source port 10000 to send RADIUS packets.
Command Function
show radius acct statistics Display RADIUS accounting statistics.
Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1813
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 1
Retry Requests................................... 1
Accounting Responses............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 1
Command Function
Server Index..................................... 1
Server Address................................... 192.168.1.1
Server Port...................................... 1812
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Pending Requests................................. 0
Timeout Requests................................. 0
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Monitoring
To monitor the RADIUS, execute the following commands in the privileged user mode:
Command Function
debug radius event Turn on the RADIUS debug switch to view the RADIUS debug information.
Configuration Examples
Configuring Radius
In a typical Radius network configuration diagram, the RADIUS server performs authentication for the visiting users,
enables the accounting function for the visiting users and records the network usage of the users.
The RADIUS server can be a component that comes with the Windows 2000/2003 server (IAS) or the UNIX
system, or the special server software of some manufacturers.
RADIUS server shall be running Windows 2008 Server or other dedicated IPv6 server software recognized by
the manufacturer.
The following example shows how to configure RADIUS on the network device:
Configuring 802.1X
Overview
In an IEEE 802 LAN, users can access the network device without authentication and authorization as long as they are
connected to it. Therefore, an unauthorized user can access the network unobstructed simply by connecting to the LAN.
With the wide application of LAN technology, and particularly the appearance of operator networks, the security
authentication needs of the network have to be addressed. How to authenticate the legality of user access to the network
or device on the basis of simple and cheap Ethernet technologies has become the focus of concern in the industry. The
IEEE 802.1X protocol was developed in this context.
As a Port-Based Network Access Control standard, the IEEE802.1X provides LAN access point-to-point security access.
Specially designed by the IEEE Standardization Commission to tackle the safety defects of Ethernet, this standard can
provide a means to authenticate the devices and users connected to the LAN by utilizing the advantages of IEEE 802
LAN.
The IEEE 802.1X defines a mode based on Client-Server to restrict unauthorized users from accessing the network.
Before a client can access the network, it must first pass the authentication of the authentication server.
Before the client passes the authentication, only the EAPOL (Extensible Authentication Protocol over LAN) packets can
be transmitted over the network. After successful authentication, normal data streams can be transmitted over the
network.
By using 802.1X, our switches provide Authentication, Authorization, and Accounting (AAA).
Authentication: It is used to determine whether a user has the access, restricting illegal users.
Authorization: It authorizes the services available to users, controlling the rights of valid users.
Accounting: It records users' use of network resources, providing the supporting data for charging.
Device Roles
Authentication Initiation and Packet Interaction During Authentication
States of Authorized Users and Unauthorized Users
Topology of Typical Applications
Device Roles
In the IEEE802.1X standard, there are three roles: supplicant, authenticator, and authentication server. In practice, they
are the Client, network access server (NAS) and Radius-Server.
Configuration Guide Configuring 802.1X
Supplicant:
The supplicant is the role played by the end user, usually a PC. It requests access to network services and
acknowledges the request packets from the authenticator. The supplicant must run an IEEE 802.1X client. Currently, the
most popular one is the IEEE 802.1X client shipped with Windows XP. In addition, we have also launched the STAR
Supplicant software, which is compliant with this standard.
Authenticator:
The authenticator is usually an access device such as a switch. Its responsibility is to control the connection status
between the client and the network according to the current authentication status of that client. Between the client and
the server, this device plays the role of a mediator: it requests the username from the client, verifies the authentication
information with the server, and forwards the result to the client. The switch therefore acts as both the IEEE 802.1X
authenticator and the RADIUS client, and is referred to as the network access server (NAS). It encapsulates the
acknowledgments received from the client into RADIUS format packets and forwards them to the RADIUS server, while
resolving the information received from the RADIUS server and forwarding it to the client.
The device acting as the authenticator has two types of ports: controlled ports and uncontrolled ports. Users connected
to a controlled port can only access network resources after passing authentication, while those connected to an
uncontrolled port can access network resources directly without authentication. Users can be controlled simply by
connecting them to a controlled port. The uncontrolled port, on the other hand, is used to connect the authentication
server, ensuring normal communication between the server and the switch.
Authentication server:
The authentication server is usually a RADIUS server, which works with the authenticator to provide users with
authentication services. The authentication server stores the user names, passwords and related authorization
information. One server can provide authentication services for multiple authenticators, allowing centralized
management of users. The authentication server also manages the accounting data from the authenticator. Our 802.1X
device is fully compatible with standard RADIUS servers, for example the RADIUS server shipped with Microsoft Windows
2000 Server and the FreeRADIUS server on Linux.
required for an MAC address (01-80-C2-00-00-03) for the protocol for packet exchange during the initial authentication
process.
The following diagram shows a typical authentication process, during which the three role devices exchange packets with
one another.
Figure 1-1
This is a typical authentication process initiated by users (in some special cases, the switch can actively initiate
authentication request, whose process is the same as that shown in the diagram, except that it does not contain the step
where the user actively initiates the request).
If the workstation connected to a controlled port does not support 802.1X, it will not respond when the device requests
the username of the user. The user therefore remains unauthorized and cannot access network resources.
Conversely, if the client supports 802.1X while the connected switch does not, the EAPOL-START frames from the user
receive no response; after sending the specified number of EAPOL-START frames without receiving any response, the
user deems its connected port an uncontrolled port and uses network resources directly.
On an 802.1X-enabled device, all ports are uncontrolled ports by default. You can set a port as a controlled port to
impose authentication on all the users under that port.
When a user has passed authentication (the switch has received success packets from the RADIUS Server), the user is
authorized and therefore can freely use network resources. If the user fails in the authentication and remains in the
unauthenticated status, it is possible to initiate authentication once again. If the communication between the switch and
the RADIUS server is faulty, the user is still unauthorized and therefore still cannot use the network.
When the user sends the EAPOL-LOGOFF packets, its status changes from authorized to unauthorized.
When a port of the switch changes to the LINK-DOWN status, all the users on the port change to be in the unauthorized
status.
When the device restarts, all users on the device turn into the unauthorized status.
To force a user to pass the authentication, you can add a static MAC address.
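The authorized/unauthorized transitions listed above, together with the controlled/uncontrolled port behaviour from the Device Roles section, as an added Python model (not Ruijie code) of how an authenticator tracks users; the class, event names and port names are this example's own.

```python
from collections import defaultdict
from typing import Dict, Set

# Added example (not Ruijie code): which users an authenticator lets through, and which
# events revoke that, following the transitions the guide lists.


class Dot1xAuthenticator:
    def __init__(self):
        self.controlled_ports: Set[str] = set()              # all ports uncontrolled by default
        self.static_macs: Dict[str, Set[str]] = defaultdict(set)
        self.authorized: Dict[str, Set[str]] = defaultdict(set)
        self.link_up: Dict[str, bool] = defaultdict(lambda: True)

    def set_controlled(self, port: str, controlled: bool = True) -> None:
        """User-facing ports are made controlled; uplinks and the server port stay uncontrolled."""
        if controlled:
            self.controlled_ports.add(port)
        else:
            self.controlled_ports.discard(port)

    def add_static_mac(self, port: str, mac: str) -> None:
        """Static MAC entry: the user is treated as having passed authentication."""
        self.static_macs[port].add(mac)

    def on_auth_result(self, port: str, mac: str, result: str) -> bool:
        """result is 'success', 'failure' or 'server-unreachable' (switch-to-RADIUS fault)."""
        if result == "success" and self.link_up[port]:
            self.authorized[port].add(mac)
        else:
            self.authorized[port].discard(mac)   # failed or undecided users stay unauthorized
        return self.is_permitted(port, mac)

    def on_eapol_logoff(self, port: str, mac: str) -> bool:
        """EAPOL-LOGOFF moves the user from authorized back to unauthorized."""
        self.authorized[port].discard(mac)
        return self.is_permitted(port, mac)

    def on_link_down(self, port: str) -> None:
        """Every user on the port becomes unauthorized when the port goes LINK-DOWN."""
        self.link_up[port] = False
        self.authorized[port].clear()

    def on_link_up(self, port: str) -> None:
        self.link_up[port] = True

    def on_restart(self) -> None:
        """A device restart clears all dynamic authorization; static MACs are configuration."""
        self.authorized.clear()

    def is_permitted(self, port: str, mac: str) -> bool:
        if port not in self.controlled_ports:
            return True                                      # uncontrolled port: no authentication
        if mac in self.static_macs[port]:
            return True
        return mac in self.authorized[port]
```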
Figure 1-2
The user supports 802.1X. That is, it is installed with the 802.1X client (Windows XP carried, Star-supplicant or other
IEEE802.1X compliant client software).
The access layer device supports IEEE 802.1X.
One or multiple RADIUS compliant servers are available as the authentication server.
The ports connected to the Radius Server and the uplink ports are configured as uncontrolled ports, so that the
switch can normally communicate with the server and the authorized users can access network resources through
the uplink interface.
The ports connected to the user must be set as controlled ports to control the accessed users, and the users
cannot access network resources unless they first pass the authentication.
Each 802.1X-enabled switch is responsible for a small number of clients, thus offering higher speed. The devices are
mutually independent, and the restart operation of the device does not affect the users connected with other devices.
User management is performed on the Radius Server in a centralized manner. The administrator does not have to
know which switch a user is connected to, making management much easier.
The administrator can manage the device on the access layer through the network.
Figure 1-3
The user supports 802.1X. That is, it is installed with the 802.1X client (Windows XP carried, Star-supplicant or other
IEEE802.1X compliant client software).
The access layer device should be able to transparently transmit IEEE 802.1X frames (EAPOL).
The convergence layer device supports 802.1X (playing the role of the authenticator).
One or multiple RADIUS compliant servers are available as the authentication server.
The ports connected to the Radius Server and the uplink ports are configured as uncontrolled ports, so that the
switch can normally communicate with the server and the authorized users can access network resources through
the uplink interface.
The ports connected to the access layer switches must be set as controlled ports to control the accessed users, and
the users cannot access network resources unless they first pass the authentication.
The convergence layer device must be of high quality since the network is large and numerous users are connected,
since any of its faults may cause the failures of many users to normally access the network.
User management is performed on the Radius Server in a centralized manner. The administrator does not have to
know which switch a user is connected to, making management much easier.
The access layer device can be the less expensive non-NM switches (as long as they support transparent
transmission of EAPOL frames).
The administrator cannot manage the device on the access layer through the network.
Configuration
Item Default
Authentication DISABLE
Accounting DISABLE
Radius Server
*ServerIp: No default
*Authentication UDP port: 1812
*Key: No default
Accounting Server
*ServerIp: No default
*Accounting UDP port: 1813
All port types Uncontrolled port (all ports can communicate directly without authentication)
Timed re-authentication Off
Timed reauth_period 3,600 seconds
Interval between two authentication requests 10 seconds
Re-transmission interval 3 seconds
Maximum intermissions 3
Client timeout period 3 seconds; if no response is received from the client within this period, the communication is deemed a failure
Server timeout period 5 seconds; if no response is received from the server within this period, the communication is deemed a failure
Lists of authenticable hosts under a port No default
In order for the switch to communicate normally with the RADIUS server, you must set the following parameters:
RADIUS server end: You must register a RADIUS client. At registration, you must supply the RADIUS server with the
switch's IP address, the authentication UDP port (and the accounting UDP port, if needed) and the key agreed for
communication between the switch and the RADIUS server, and select EAP support for the client. The procedure for
registering a RADIUS client on the RADIUS server varies with the server software. Please refer to the appropriate
documentation.
Device end: The following settings are necessary at the device end to ensure communication between the device and
the server: configure the IP address of the RADIUS server, the authentication (accounting) UDP port and the password
agreed for communication with the server.
In the global configuration mode, you can set the communication between the switch and the Radius Server via the
following steps:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#radius-server host ip-address [ auth-port port ] [ acct-port port ] Configure the RADIUS server.
Ruijie (config)#radius-server key string Configure the RADIUS key.
Ruijie#show radius server Show the RADIUS server.
You can use the no radius-server host ip-address auth-port command to restore the authentication UDP port of the
Radius Server to its default. You can use the no radius-server key command to delete the authentication key of the
Radius Server. The following example sets the Server IP as 192.168.4.12, authentication UDP port as 600, and the key as
agreed password:
In the global configuration mode, you can enable the 802.1X authentication by performing the following steps:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#radius-server host ip-address [ auth-port port ] [ acct-port port ] Configure the RADIUS server.
Ruijie (config)#radius-server key string Configure the RADIUS key.
Ruijie (config)#aaa authentication dot1x auth group radius Configure the 802.1X authentication method list.
Ruijie (config)#dot1x authentication list-name Apply the authentication method list to 802.1X.
Ruijie#show running-config Display the configuration.
If the domain-name-based AAA service switch is enabled, that is, when the aaa domain enable command is
configured, the authentication method list chosen by the dot1x authentication command will not be used. Instead,
the authentication method list configured for the domain in which the user is located will be used. For detailed
configuration, see Configuring the AAA Service Based on Domain Names.
To apply the RADIUS authentication method in the 802.1X, configure the IP address of the Radius Server and make sure
normal communication between the device and the Radius Server. Without the coordination of the Radius Server, the
switch cannot perform authentication. For setting the communication between the Radius Server and the switch, please
see the previous section.
Command Function
dot1x multi-account enable Enable multi-account authentication for users with a single MAC address.
Use the command to enable the multiple-account authentication if you want to switch the username in the authentication
or re-authentication, especially in the windows domain authentication.
In the global configuration mode, you can enable/disable re-authentication and set the re-authentication interval by
performing the following steps.
Command Function
Ruijie (config)#dot1x re-authentication Enable timed re-authentication.
Ruijie (config)#dot1x timeout re-authperiod time Set the re-authentication interval.
Ruijie#show dot1x Display the 802.1X configuration.
You can use the no dot1x re-authentication command to disable timed re-authentication, and use the no dot1x timeout
re-authperiod command to restore the re-authentication interval to the default. Use show dot1x re-authentication to
display the re-authentication configuration.
The following example enables re-authentication and sets the re-authentication interval as 1000 seconds.
If re-authentication is enabled, please pay attention to the reasonableness of the re-authentication interval, which must be
set according to the specific network size.
In the global configuration mode, you can set the quiet period by performing the following steps:
Command Function
dot1x timeout quiet-period seconds Set the quiet period after authentication failure.
show dot1x Display the 802.1X configuration.
Use show dot1x timeout quiet-period command to display the configuration. In the example below the quiet period
value is set as 500 seconds:
In the global configuration mode, you can set the packet re-transmission interval by performing the following steps:
Command Function
Ruijie(config)#dot1x timeout tx-period seconds Set the packet re-transmission Interval.
Ruijie#show dot1x Display the 802.1X configuration.
The following example sets the packet re-transmission interval as 100 seconds:
In the global configuration mode, you can set the maximum number of intermissions by performing the following steps:
Command Function
Ruijie(config)#dot1x max-req count Set the maximum number of packet re-transmissions.
Ruijie#show dot1x Display the 802.1X configuration.
You can use the no dot1x max-req command to restore the maximum number of packet re-transmissions to its default.
The following example sets the maximum number of packet intermissions to 5:
In the global configuration mode, you can set the maximum re-auth attempts by performing the following steps:
Command Function
Ruijie (config)#dot1x reauth-max count Set the maximum re-auth attempts.
Ruijie#show dot1x Display the 802.1X configuration.
You can use the no dot1x reauth-max command to restore the default setting. Use show dot1x reauth-max command
to display the configuration. The following example sets the maximum re-auth attempts to 3:
In the global configuration mode, you can set the Server-timeout and restore its default by performing the following steps:
Command Function
Ruijie (config)#dot1x timeout server-timeout time Set the maximum response time of the RADIUS server. You can use the no option of the command to restore its default.
Ruijie#show dot1x Display the 802.1X configuration.
After the first successful user authentication, the switch sends an accounting start request to the server. When the user
gets off-line or the switch finds that the user has got off line or when the physical connection of the user is broken, the
switch sends an accounting end request to the server. The server group records this information in the database of the
server group. Based on such information, the NMS can provide the basis for accounting.
Our 802.1X stresses the reliability of accounting, and it specially supports a backup accounting server to avoid failures
of the accounting server. When a server can no longer provide the accounting service for whatever reason, the switch
will automatically forward the accounting information to another backup server. This greatly improves the reliability of
accounting.
When a user exits by itself, the accounting duration is accurate. When the connection of the user is broken by accident,
the accounting accuracy depends on the re-authentication interval (the switch detects the disconnection of a user by using
the re-authentication mechanism).
To enable the accounting function of the device, the following settings are necessary on the device:
On the Radius Server, register the switch as a Radius Client, like the authentication operation.
Set the IP address of the accounting server.
Set the accounting UDP port.
Enable the accounting service on the precondition that the 802.1X has been enabled.
In the privileged EXEC mode, you can set the accounting service by performing the following steps:
Command Function
Ruijie (config)#aaa new-model Enable the AAA function.
Ruijie (config)#aaa group server radius gs Configure the accounting server group.
Ruijie (config-gs-radius)#server address acct-port port-id Add a server to the server group.
Ruijie (config)#aaa accounting network acct start-stop group gs Configure the accounting method list.
Ruijie (config)#dot1x accounting list-name Apply the accounting method list for 802.1X.
Ruijie#show running-config Display the configuration.
The no aaa accounting network command deletes the accounting method list. The no dot1x accounting command
restores the default dot1x accounting method. The following example sets the IP address of the accounting server to
192.1.1.1, that of the backup accounting server to 192.1.1.2, and the UDP port of the accounting server to 1200, and
enables 802.1X accounting:
The agreed accounting key must be the same as that of the Radius Server and authentication.
For the database format of accounting, see the related Radius Server documentation.
If the domain-name-based AAA service switch is enabled, that is, when the aaa domain enable
command is configured, the accounting method list chosen by the dot1x accounting command will not be
used. Instead, the accounting method list configured for the domain where the user is located will be used. For
detailed configuration, see Configuring the AAA Service Based on Domain Names.
The account update function is also supported. After the account update interval is set on the NAS device, the NAS device
sends account update packets to the Radius Server periodically. On the Radius Server, you can define the number of update
periods after which, if no account update packet for a user has been received from the NAS device, the NAS or the user is
regarded as off-line. The Radius Server can then stop accounting for the user and delete the user from the
on-line user table.
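The server-side behaviour described above (start, periodic account update, stop, and aging out a user whose updates stop arriving) as an added Python model. This is example code written for this guide, not Ruijie software or a RADIUS server implementation; the update interval, the number of tolerated missed periods and the accounting records are constructed values, and timestamps are plain integer seconds so the example runs offline.

```python
"""Added example (not from the Ruijie guide): a minimal RADIUS accounting
session table that models account update ("interim update") aging.
The NAS sends Start, Interim-Update and Stop records; the server marks a
session offline when no update has arrived for more than a configurable
number of update periods."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UPDATE_INTERVAL = 900      # assumed NAS account update interval, seconds
MISSED_PERIODS = 3         # assumed server-side tolerance before aging out


@dataclass
class Session:
    user: str
    nas_ip: str
    start: int
    last_update: int
    stop: Optional[int] = None
    stop_cause: str = ""

    def online(self) -> bool:
        return self.stop is None


@dataclass
class AccountingTable:
    interval: int = UPDATE_INTERVAL
    missed_periods: int = MISSED_PERIODS
    sessions: Dict[str, Session] = field(default_factory=dict)
    aged_out: List[Tuple[str, int]] = field(default_factory=list)

    def handle(self, record: dict) -> None:
        """Process one accounting record keyed by Acct-Session-Id."""
        sid = record["Acct-Session-Id"]
        status = record["Acct-Status-Type"]
        now = record["Timestamp"]
        if status == "Start":
            self.sessions[sid] = Session(record["User-Name"], record["NAS-IP-Address"], now, now)
        elif status == "Interim-Update":
            s = self.sessions.get(sid)
            if s is not None and s.online():
                s.last_update = now
        elif status == "Stop":
            s = self.sessions.get(sid)
            if s is not None and s.online():
                s.stop = now
                s.stop_cause = record.get("Acct-Terminate-Cause", "")
        # any other status type is ignored

    def age(self, now: int) -> List[str]:
        """Mark sessions offline that missed more than `missed_periods`
        consecutive updates; return the affected session IDs."""
        expired = []
        deadline = self.interval * self.missed_periods
        for sid, s in self.sessions.items():
            if s.online() and now - s.last_update > deadline:
                s.stop = s.last_update   # best estimate of the disconnect time
                s.stop_cause = "Aged-Out"
                expired.append(sid)
                self.aged_out.append((sid, now))
        return expired

    def online_users(self) -> List[str]:
        return sorted(s.user for s in self.sessions.values() if s.online())

    def duration(self, sid: str) -> Optional[int]:
        s = self.sessions[sid]
        return None if s.stop is None else s.stop - s.start


# Constructed sample records for two sessions on one NAS.
SAMPLE_RECORDS = [
    {"Acct-Session-Id": "0001", "Acct-Status-Type": "Start", "User-Name": "qq",
     "NAS-IP-Address": "192.168.217.81", "Timestamp": 0},
    {"Acct-Session-Id": "0002", "Acct-Status-Type": "Start", "User-Name": "alice",
     "NAS-IP-Address": "192.168.217.81", "Timestamp": 0},
    {"Acct-Session-Id": "0001", "Acct-Status-Type": "Interim-Update", "Timestamp": 900},
    {"Acct-Session-Id": "0002", "Acct-Status-Type": "Interim-Update", "Timestamp": 900},
    {"Acct-Session-Id": "0001", "Acct-Status-Type": "Interim-Update", "Timestamp": 1800},
    # no further updates for alice: cable pulled, no logoff, no Stop record
    {"Acct-Session-Id": "0001", "Acct-Status-Type": "Stop", "Timestamp": 2000,
     "Acct-Terminate-Cause": "User-Request"},
]


def run_sample() -> AccountingTable:
    table = AccountingTable()
    for rec in SAMPLE_RECORDS:
        table.handle(rec)
    table.age(now=4000)   # 4000 - 900 = 3100 > 3 * 900, so alice is aged out
    return table
```

The accounting duration for the aged-out session ends at its last received update, which is the point the guide makes: a user who leaves without logging off is accounted only as precisely as the update (or re-authentication) interval allows.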
In the global configuration mode, you can set the account update function by performing the following steps:
Command Function
Ruijie (config)#aaa new-model Enable the AAA function
Ruijie (config)#aaa accounting update Set the account update function.
Ruijie#show running-config Display the configuration.
You can disable the account update service by using the no aaa accounting update command.
The following chapters introduce the proprietary features of Ruijie network products:
To make it easy for broadband operators and to accommodate use in special environments, our 802.1X has been
extended (the extensions are entirely standards-based and remain fully compatible with IEEE 802.1X).
DISABLE mode (default): The device has no limitation for the user IP, and the user only needs to pass the
authentication to be able to access the network.
DHCP SERVER mode: The user IP is obtained via specified DHCP SERVER, and only the IP allocated by the
specified DHCP SERVER is considered legal. For the DHCP mode, it is possible to use DHCP relay option82 to
implement a more flexible IP allocation policy with the 802.1X. Here is a typical diagram for the plan:
Figure 1-2
The user initiates IP requests via the DHCP Client. The network device with dhcp relay option82 converges the user
authority on the SAM server to construct the option82 field and encapsulate it in the DHCP request message. That
option82 field consists of “vid + permission”. The DHCP Server chooses different allocation policies by using the option82
field.
In this mode, the DHCP Relay and the related option82 settings must be configured. If the DHCP relay function is enabled
and the option82 policy is selected, see the DHCP Relay Configuration Guide and Command References for the
configuration.
RADIUS SERVER mode: The user IP is specified by the RADIUS SERVER. The user can only use the IP specified by the
RADIUS SERVER to be able to access the network.
SUPPLICANT mode: The IP bound to the user is the IP of the PC during the SUPPLICANT’s authentication. After the
authentication, the user can only use that IP to be able to access the network.
DISABLE mode: Suitable for the environment with no limits for the users. The user can access the network once
he/she passes the authentication.
DHCP SERVER mode: The user PC gets the IP address via DHCP. The administrator configures the DHCP RELAY
of the device to limit the DHCP SERVER that the users can access. In this way, only the IPs allocated by the
specified DHCP SERVER are legal.
RADIUS SERVER mode: The user PC uses a fixed IP. The RADIUS SERVER is configured with user-to-IP mapping
relations, which are delivered to the device via the Framed-IP-Address attribute. The user has to use that
IP to be able to access the network.
SUPPLICANT mode: The user PC uses fixed IP. The SUPPLICANT notifies the information to the device. The user
has to use the IP at authentication to be able to access the network.
Switching modes forces all authenticated users offline, so it is recommended to configure the
authentication mode before use.
Releasing Advertisement
Our 802.1X allows you to configure the Reply-Message field on the Radius Server. When authentication succeeds, the
information of the field is shown on our 802.1X client of Star-Supplicant, by which the operators can release some
information.
Such information is shown at the first user authorization, but not at re-authentication. This avoids frequently disturbing the
user.
The window showing the advertisement information supports HTML, which converts any http://XXX.XXX.XX in the
message into clickable links for easier browsing.
The operator configures the Reply Message attribute on the Radius Server end.
Only our Star-supplicant client supports such information (free for the users of our switch), while other clients cannot
see the information, which however does not affect their normal use.
No setting is required at the device end.
Authorization
To make it easier for operators, our products can provide services of different qualities for different types of services, for
example, offering different maximum bandwidths. Such information is all stored on the Radius Server, and the
administrator does not need to configure every switch.
Since RADIUS has no standard attribute to represent the maximum data rate, the authorization
information can only be transferred by a manufacturer-customized attribute.
Figure 0-3
Figure 0-4
For the maximum data rate, you need to fill in the following values:
For users with the maximum data rate of 10M, you need to fill in the following values:
Figure 0-5
For the customized header, follow the values provided above. The maximum data rate is 10M, that is, 10000 kbps, which is
0x00002710 in hexadecimal. You only need to fill in the corresponding field.
This function calls for no settings on the device end, and works as long as the device end supports authorization.
You can set the authentication mode of 802.1X by performing the following steps in
global configuration mode.
Command Function
Ruijie (config)#dot1x auth-mode { eap | chap | pap } Configure the authentication mode.
eap: Enables EAP-MD5 authentication mode.
chap: Enables CHAP authentication mode.
pap: Enables PAP authentication mode.
Ruijie#show dot1x Display the configuration.
The following example configures the authentication mode to the CHAP mode.
In the privileged EXEC mode, you can set the backup authentication server by performing the following steps:
Command Function
Ruijie (config)#aaa new-model Turn on the AAA switch.
Ruijie (config)#aaa group server radius gs-name Configure the server group.
Ruijie (config-gs-radius)#server server Configure the server.
Ruijie (config-gs-radius)#server server-backup Configure the backup server.
Ruijie#show dot1x Display the configuration.
For this function, you do not need to configure the switch. The user needs to use our client and the administrator needs to
configure the Radius Server.
This function calls for no configuration on the device but needs the support of the Radius server.
Use the show dot1x summary command on the access device to view the actual VLAN where the user is.
Use the show dot1x user id command to view the VLAN assigned by the RADIUS server.
The access device can receive the VLAN assigned by the RADIUS server in two ways: through extended RADIUS
attributes and through standard RADIUS attributes.
With extended attributes, the RADIUS server encapsulates the extension attribute in standard RADIUS attribute No.26
(Vendor-Specific). The vendor ID of the extension is 0x00001311 (hexadecimal). By default, the extension attribute type is 4;
you can use the radius attribute 4 vendor-type type command to set the extension attribute type number used to assign
the VLAN. For the configuration command, see RADIUS Configuration.
The access device supports the RADIUS server to use the standard RADIUS attributes to assign the VLAN, including the
following attribute combinations:
The access device processes a received assigned VLAN as follows:
1. Use the assigned VLAN attribute as a VLAN name and check whether a VLAN with that name exists on the access device.
2. If a VLAN with the same name exists, the port where the user is switches to that VLAN automatically; if not, the assigned VLAN attribute is used as a VLAN ID.
3. If the VLAN ID is valid (within the VLAN ID range supported by the system), the port where the user is switches to this VLAN automatically; if the VLAN ID is 0, no VLAN assignment information exists.
4. In all other cases, the user authentication fails.
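The decision procedure above, written out as an added Python function so the order of the checks is explicit. This is example code for this guide, not Ruijie firmware; the device VLAN table, the upper bound of the VLAN ID range (MAX_VLAN_ID = 4094) and the set of VLAN types that cannot be auto-switched (taken from the lists later in this section) are constructed for the example. It also covers the case the text describes a little further on, where a valid VLAN ID that does not yet exist is created by the device.

```python
"""Added example (not Ruijie code): the VLAN assignment decision the guide
describes. The assigned-VLAN attribute string is first tried as a VLAN name
on the device; if no VLAN has that name, it is tried as a VLAN ID; 0 means
"no VLAN assignment"; anything else fails the authentication."""

from typing import Dict, Optional, Tuple

MAX_VLAN_ID = 4094   # assumed upper bound of the supported VLAN ID range

# VLAN types the guide lists as not supporting auto-switching on
# ACCESS/TRUNK/HYBRID ports (Private, Remote, Super incl. Sub VLAN).
NON_SWITCHABLE_TYPES = {"private", "remote", "super", "sub"}

# Constructed device VLAN table: id -> (name, type)
VLAN_TABLE: Dict[int, Tuple[str, str]] = {
    1:   ("VLAN0001", "normal"),
    10:  ("students", "normal"),
    20:  ("staff", "normal"),
    30:  ("guest-pvlan", "private"),
}


def find_by_name(table: Dict[int, Tuple[str, str]], name: str) -> Optional[int]:
    for vid, (vname, _) in table.items():
        if vname == name:
            return vid
    return None


def resolve_assigned_vlan(attr: str, table: Dict[int, Tuple[str, str]]):
    """Return (result, vlan_id). result is one of:
    'switch'  - move the port/user to vlan_id (existing VLAN)
    'create'  - VLAN ID is valid but absent; device creates it, then switches
    'none'    - attribute 0: no VLAN assignment information
    'fail'    - authentication fails
    """
    attr = attr.strip()
    if not attr:
        return "fail", None

    # Steps 1 and 2: try the attribute as a VLAN name first.
    vid = find_by_name(table, attr)
    if vid is not None:
        if table[vid][1] in NON_SWITCHABLE_TYPES:
            return "fail", vid
        return "switch", vid

    # Steps 2 and 3: no such name, so treat the attribute as a VLAN ID.
    if not attr.isdigit():
        return "fail", None          # a name that does not exist on the device
    vid = int(attr)
    if vid == 0:
        return "none", None
    if not 1 <= vid <= MAX_VLAN_ID:
        return "fail", vid           # step 4: outside the supported range
    if vid not in table:
        return "create", vid         # device creates the VLAN, then switches
    if table[vid][1] in NON_SWITCHABLE_TYPES:
        return "fail", vid
    return "switch", vid
```

Note that the name lookup runs before the numeric interpretation, so a VLAN whose name happens to be all digits is matched by name, not by ID.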
Only the ACCESS port and the TRUNK port are supported by the access device for the 802.1X authentication. In other
port modes, it fails to enable the auto-switching function of the dynamic VLAN. The following describes the conditions of
the VLAN auto-switching function on the ACCESS and TRUNK ports:
Without the assigned VLAN configured on the device, if the device identifies the assigned VLAN as a VLAN ID, the
device creates the VLAN with the corresponding VLAN ID and switches the auth-port to the newly-created VLAN; if the
device identifies the assigned VLAN as a VLAN name, the user authentication fails.
With the assigned VLAN configured on the device, if the assigned VLAN is set as the VLAN not supporting the
auto-switching on the ACCESS port, the user authentication will be faulty; while if the assigned VLAN is set as the VLAN
supporting the auto-switching on the ACCESS port, the user authentication and the auto-switching implementation of the
assigned VLAN will be successful.
The following lists the VLANs not supporting the auto-switching on the ACCESS port:
Private VLAN
Remote VLAN
Super VLAN, including Sub VLAN
For the TRUNK port with the authentication enabled, set the assigned VLAN as the Native VLAN for the port to be
authenticated.
Without the assigned VLAN configured on the device, if the assigned VLAN is identified as the VLAN ID by the device, the
Native VLAN for the port to be authenticated will be set as the assigned VLAN; while if the assigned VLAN is identified as
the VLAN name by the device, the user authentication will be faulty.
With the settings of the assigned VLAN configured on the device, if the assigned VLAN is set as the VLAN not supporting
the auto-switching on the TRUNK port, the user authentication will be faulty; while if the assigned VLAN is set as the
VLAN supporting the auto-switching on the TRUNK port, the user authentication will be successful and the Native VLAN
for the port to be authenticated will be set as the assigned VLAN.
The following lists the VLANs not supporting the auto-switching on the TRUNK port:
Private VLAN
Remote VLAN
Super VLAN, including Sub VLAN
For the HYBRID port with the MAC VLAN disabled, the assigned VLAN is handled as follows:
Without the assigned VLAN configured on the device, if the assigned VLAN is identified as a VLAN ID, the device
automatically creates the corresponding VLAN, allows the assigned VLAN to pass the current HYBRID port untagged,
and changes the Native VLAN of the port to the assigned VLAN. In this case, the user authentication succeeds.
If the assigned VLAN is identified as a VLAN name and the device cannot find the corresponding VLAN ID,
the user authentication fails.
With the settings of the assigned VLAN configured on the device, if the assigned VLAN is of a type that does not support
auto-switching on the HYBRID port, or the assigned VLAN is already in the tagged VLAN list carried by the HYBRID
port, the user authentication fails; otherwise, the assigned VLAN passes the current HYBRID port untagged and
the Native VLAN of the port is changed to the assigned VLAN. In this case, the user authentication succeeds.
With the MAC VLAN enabled on the HYBRID port, the assigned VLAN is handled as follows:
If the VLAN assigned by the authentication server does not exist on the device (MAC VLAN requires that the
corresponding VLAN is statically configured and exists), or the assigned VLAN has been added to the HYBRID
port as tagged, or the VLAN type is not supported by MAC VLAN (see the description in MAC-VLAN-SCG.doc), the
user authentication fails; otherwise, the device dynamically creates a MAC VLAN entry from the VLAN assigned by the
authentication server and the user MAC address, and the user authentication succeeds.
When the user goes offline, the MAC VLAN entry is deleted dynamically.
The following lists the VLANs not supporting the auto-switching on the HYBRID port:
Private VLAN
Remote VLAN
Super VLAN, including Sub VLAN
When the MAC VLAN is not enabled on the port, VLAN assignment changes the Native VLAN of this port, but
the Native VLAN configured by commands is not changed. The assigned VLAN has a higher priority than
the VLAN configured by commands. That is, the Native VLAN that takes effect after the authentication is the
assigned VLAN, and the Native VLAN configured by commands takes effect again after the user goes offline.
When the MAC VLAN is enabled on the port and the authentication mode is based on MAC, VLAN assignment
is implemented through dynamically generating MAC VLAN entry without changing the Native VLAN of this
port.
For the HYBRID port with MAC VLAN enabled or disabled, VLAN assignment will fail if the assigned VLAN has
been added to the port with TAG carried.
If the MAC VLAN is enabled on the port, VLAN assignment creates a MAC VLAN entry with a network mask of all Fs.
For example, if the MAC address of the authenticated user is 00d0.f800.0001, an entry with VLAN: VLAN-radius (the VLAN
delivered by the server), MAC address: 00d0.f800.0001 and mask: FFFF.FFFF.FFFF is created. If the MAC address of the
802.1X user is also covered by a statically configured MAC VLAN entry whose network mask is not all Fs, for example a
manually configured entry with VLAN: VLAN-static (manually configured VLAN), MAC address: 00d0.f800.0001 and
mask: FFFF.FFFF.0000, the two entries must assign the same VLAN, that is, VLAN-radius and VLAN-static must be the
same; otherwise, the following abnormalities (the list is not exhaustive) may occur for 802.1X users with VLAN
assignment:
802.1X users can be authenticated successfully, but the legal data packets will be dropped after the
authentication, resulting in network access failure.
After the user sends an EAPOL-LOGOFF message to go offline, the authentication server still shows that the user
is online because the 802.1X authentication entry is still in the device.
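The conflict the note above warns about can be checked before a static MAC VLAN entry is committed. The following added Python example (written for this guide, not Ruijie code) builds the all-Fs dynamic entry the device would create for an authenticated user and reports any static entry whose shorter mask also matches that MAC but assigns a different VLAN. MAC addresses and masks use the guide's dotted-hex notation; the static table is constructed.

```python
"""Added example (not Ruijie code): detect the MAC VLAN conflict the guide
warns about. A dynamic entry created by VLAN assignment has an all-Fs mask;
a static entry with a shorter mask that also matches the user's MAC must
assign the same VLAN, otherwise the user's traffic may be dropped or the
802.1X session may linger after logoff."""

from typing import List, NamedTuple


class MacVlanEntry(NamedTuple):
    mac: str      # dotted hex, e.g. "00d0.f800.0001"
    mask: str     # dotted hex, e.g. "FFFF.FFFF.0000"
    vlan: int
    source: str   # "static" or "radius"


def mac_to_int(dotted: str) -> int:
    """Parse 'hhhh.hhhh.hhhh' into a 48-bit integer."""
    parts = dotted.lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"bad MAC/mask: {dotted!r}")
    return int("".join(parts), 16)


def entry_matches(entry: MacVlanEntry, mac: str) -> bool:
    """Masked compare, as the switch does for MAC VLAN lookups."""
    m = mac_to_int(entry.mask)
    return (mac_to_int(entry.mac) & m) == (mac_to_int(mac) & m)


FULL_MASK = "FFFF.FFFF.FFFF"


def dynamic_entry(user_mac: str, radius_vlan: int) -> MacVlanEntry:
    """Entry the device would create for an authenticated user."""
    return MacVlanEntry(user_mac.lower(), FULL_MASK, radius_vlan, "radius")


def find_conflicts(user_mac: str, radius_vlan: int,
                   static_entries: List[MacVlanEntry]) -> List[MacVlanEntry]:
    """Return static entries that match user_mac but assign a different VLAN."""
    return [e for e in static_entries
            if e.source == "static" and entry_matches(e, user_mac)
            and e.vlan != radius_vlan]


# Constructed static MAC VLAN table.
STATIC_ENTRIES = [
    MacVlanEntry("00d0.f800.0000", "FFFF.FFFF.0000", 100, "static"),  # whole 00d0.f800.* prefix
    MacVlanEntry("0011.2233.4455", "FFFF.FFFF.FFFF", 200, "static"),
]


def check_user(user_mac: str, radius_vlan: int) -> dict:
    """Summarise whether VLAN assignment for this user is safe to apply."""
    dyn = dynamic_entry(user_mac, radius_vlan)
    conflicts = find_conflicts(user_mac, radius_vlan, STATIC_ENTRIES)
    return {"entry": dyn, "ok": not conflicts,
            "conflicting_vlans": sorted(e.vlan for e in conflicts)}
```

Running the check as part of change review (or over a dump of the static MAC VLAN table) flags exactly the case the guide describes: a prefix entry with mask FFFF.FFFF.0000 that overlaps the server-assigned VLAN for a user in that prefix.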
To enable the dynamic VLAN auto-switching function on an interface, run the following commands:
Command Function
Ruijie (config)#aaa new-model Enable the AAA function.
Command Function
Ruijie (config)#radius-server host host-ip Configure the RADIUS server.
Ruijie (config)#radius-server key text Configure the RADIUS server shared key.
Command Function
Ruijie (config)#aaa authentication dot1x list1 group radius Configure the authentication method list1.
Ruijie (config)#aaa accounting network list2 start-stop group radius Configure the accounting method list2.
Command Function
Ruijie (config)#dot1x authentication list1 Select list1 as the authentication method list, which is configured in step 3.
Ruijie (config)#dot1x accounting list2 Select list2 as the accounting method list, which is configured in step 3.
Display the dynamic VLAN auto-switching settings
Command Function
show dot1x user id session_id Display the user information for the session ID, including the dynamic VLAN auto-switching information.
show dot1x summary Display the actual VLAN where the user is.
The VLAN auto-switching function is configured on access devices. For the related precautions, see the chapter of Other
Precautions of 802.1X Configuration.
This function needs no settings on the device end; only the corresponding attributes need to be configured on
the Radius server end. Since RADIUS has no standard attribute to indicate the maximum data rate, the authorization
information can be transferred only through manufacturer custom attributes. For the general format defined, see the
Authorization section.
The proxy server shielding function defines the Vendor type of 0x20, and the dial-up shielding function defines the Vendor
type of 0x21.
The Attribute-Specific field is a 4-byte manufacturer defined attribute, which defines the actions taken against proxy server
access and dial-up access. 0x0000 means normal connection, without shielding detection. 0x0001 means shielding
detection.
To shield the access via the proxy server, you should fill in the following information:
Figure 0-6
To shield the access via the dial-up connection, you should fill in the following information:
Figure 0-7
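The figures referenced above and in the Authorization section are not reproduced here, so the following added Python example shows how the vendor-defined values this chapter discusses are carried on the wire: a RADIUS Vendor-Specific attribute (attribute 26, RFC 2865) encoded and decoded for the maximum data rate (10M = 10000 kbps = 0x00002710), the proxy-server shielding flag (Vendor type 0x20) and the dial-up shielding flag (Vendor type 0x21), each as a 4-byte Attribute-Specific value where 0x0000 means no shielding and 0x0001 means shielding detection. This is example code written for this guide, not Ruijie or RADIUS server software. The vendor ID 0x00001311 is the one the guide gives for the VLAN extension attribute, and it is an assumption that the same vendor ID applies here; the vendor type used for the maximum data rate (MAX_RATE_VENDOR_TYPE) is a placeholder, because the guide shows that value only in a figure.

```python
"""Added example (not from the Ruijie guide): encode and decode RADIUS
Vendor-Specific attributes (attribute 26) carrying the vendor-defined
authorization values discussed in this chapter."""

import struct
from typing import Dict, List, Optional, Tuple

VENDOR_ID = 0x00001311           # vendor ID given in the guide for the VLAN extension; assumed here
ATTR_VENDOR_SPECIFIC = 26
MAX_RATE_VENDOR_TYPE = 0x01      # PLACEHOLDER: the real type is shown only in a figure
PROXY_SHIELD_TYPE = 0x20         # from the guide
DIALUP_SHIELD_TYPE = 0x21        # from the guide
SHIELD_OFF, SHIELD_ON = 0x0000, 0x0001


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = VENDOR_ID) -> bytes:
    """Build one attribute 26 TLV with a single vendor sub-attribute.
    Vendor-length counts the sub-attribute's own type and length bytes."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    length = 2 + len(body)
    if length > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, length) + body


def encode_u32(vendor_type: int, number: int) -> bytes:
    """4-byte big-endian Attribute-Specific value, as the guide describes."""
    return encode_vsa(vendor_type, struct.pack("!I", number))


def decode_vsas(packet_attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute list; return (vendor_id, vendor_type, value)
    for every vendor sub-attribute found. Malformed lengths raise ValueError
    instead of being silently skipped."""
    out = []
    i = 0
    while i < len(packet_attrs):
        if i + 2 > len(packet_attrs):
            raise ValueError("truncated attribute header")
        atype, alen = packet_attrs[i], packet_attrs[i + 1]
        if alen < 2 or i + alen > len(packet_attrs):
            raise ValueError("bad attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 6:
            (vendor_id,) = struct.unpack("!I", packet_attrs[i + 2:i + 6])
            j = i + 6
            while j < i + alen:
                if j + 2 > i + alen:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = packet_attrs[j], packet_attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("bad vendor sub-attribute length")
                out.append((vendor_id, vtype, packet_attrs[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def authorization_from_reply(packet_attrs: bytes) -> Dict[str, Optional[int]]:
    """Interpret the vendor values an Access-Accept carries; other vendors
    and malformed (non 4-byte) values are ignored."""
    result: Dict[str, Optional[int]] = {"max_rate_kbps": None,
                                        "proxy_shield": SHIELD_OFF,
                                        "dialup_shield": SHIELD_OFF}
    for vendor_id, vtype, value in decode_vsas(packet_attrs):
        if vendor_id != VENDOR_ID or len(value) != 4:
            continue
        (number,) = struct.unpack("!I", value)
        if vtype == MAX_RATE_VENDOR_TYPE:
            result["max_rate_kbps"] = number
        elif vtype == PROXY_SHIELD_TYPE:
            result["proxy_shield"] = number
        elif vtype == DIALUP_SHIELD_TYPE:
            result["dialup_shield"] = number
    return result


# Constructed Access-Accept attribute list: 10 Mbps rate limit, proxy shielding on.
SAMPLE_REPLY = (encode_u32(MAX_RATE_VENDOR_TYPE, 10000)
                + encode_u32(PROXY_SHIELD_TYPE, SHIELD_ON)
                + encode_u32(DIALUP_SHIELD_TYPE, SHIELD_OFF))
```

The decoder is strict about lengths on purpose: an attribute list that claims more bytes than are present is rejected rather than partially parsed, which is the behaviour you want from anything that consumes RADIUS replies from a server you do not fully control.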
To implement dynamic acl assignment, you need to set the port as mac-based authentication mode or port-based
single-user authentication mode. For the configuration, please refer to the related command configuration manual.
In single-host authentication mode, the ACL is renewed at re-authentication. That is, a new ACL takes effect
when the authenticated user's ACL is changed on the server and the user re-authenticates.
The MAC-based authentication mode does not support ACL update at re-authentication. That is to say, the ACL
of an authenticated user can only be assigned once. If the ACL changes at re-authentication, the new ACL is ignored
and the original ACL remains.
Supported ACL type: extended ACLs that the ACL function on our switch can interpret.
Run the following commands if dynamic ACL assignment is needed with an authentication server that is not from our
company:
Ruijie#configure terminal
Ruijie(config)# radius vendor-specific extend
However, under certain circumstances, a user may need to move to another port after passing authentication. For example,
a separate switch is deployed between the 802.1X-enabled switch and the user PC to connect them. When the user
directly pulls out the network cable and moves from port 1 to port 2, port 1 does not receive a Down event and is
unaware that the user is disconnected, so the PC connected to port 2 is not able to pass authentication and access the
network.
To enable the user to access the network after being switched to port 2, configure station-move permit in global
configuration mode. When the user appears on port 2, the user on port 1 is forced to disconnect from the network, and
re-authentication is initiated on port 1. The user can move between different ports of the same device or even across
different devices. The user can also move between controlled ports, or move from a controlled port to an uncontrolled
port.
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie (config)# station-move permit Permit authenticated station move.
Ruijie (config)# end Return to privileged EXEC mode.
Ruijie# show dot1x Display 802.1X global configuration.
Configuration example:
You can use this command if you want an online station to move to another physical place (with a different port
number or VLAN) and get re-authenticated while staying online. If there is MAC address spoofing on the
network, after enabling MAC move, authenticated users may be preempted by fake users.
If the user does not move to another port but changes its IP address on the original port or unplugs/replugs the network
cable, the re-authentication process is triggered.
If user's MAC address is configured as a static MAC address, the user won't be able to move.
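The station-move behaviour just described, including the static-MAC restriction and the preemption risk noted above, as an added Python model with a simple detection heuristic for the defender: a MAC that keeps bouncing between ports is flagged for review rather than silently re-authenticated each time. This is example code written for this guide, not Ruijie firmware; the flap window, the flap limit and the event stream are constructed.

```python
"""Added example (not Ruijie code): a model of station-move handling.
When station-move is permitted and an authenticated MAC shows up on another
port, the old session is removed and the MAC must re-authenticate on the
new port; MACs configured as static cannot move. A MAC that moves more
than FLAP_LIMIT times within FLAP_WINDOW seconds is flagged for review."""

from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

FLAP_WINDOW = 60   # assumed detection window, seconds
FLAP_LIMIT = 3     # assumed number of moves within the window that is suspicious


class StationTable:
    def __init__(self, station_move_permit: bool, static_macs: Optional[Set[str]] = None):
        self.permit = station_move_permit
        self.static_macs = static_macs or set()
        self.location: Dict[str, str] = {}            # mac -> port (authenticated)
        self.moves: Dict[str, Deque[int]] = defaultdict(deque)
        self.alerts: List[Tuple[str, int, str]] = []  # (mac, ts, reason)

    def authenticated(self, mac: str, port: str, ts: int) -> None:
        """Record a successful authentication on `port`."""
        self.location[mac] = port

    def seen(self, mac: str, port: str, ts: int) -> str:
        """Handle a frame from `mac` on `port`. Returns the decision:
        'forward'      - known station on its authenticated port
        'reauth'       - station moved; old session dropped, must re-authenticate
        'drop'         - move not allowed (feature off or static MAC)
        'unauthorized' - unknown station, needs authentication
        """
        current = self.location.get(mac)
        if current is None:
            return "unauthorized"
        if current == port:
            return "forward"
        if not self.permit or mac in self.static_macs:
            return "drop"
        # Station move: force the old session offline, require new authentication.
        del self.location[mac]
        self._record_move(mac, ts, f"{current}->{port}")
        return "reauth"

    def _record_move(self, mac: str, ts: int, detail: str) -> None:
        q = self.moves[mac]
        q.append(ts)
        while q and ts - q[0] > FLAP_WINDOW:
            q.popleft()
        if len(q) > FLAP_LIMIT:
            self.alerts.append((mac, ts, f"{len(q)} moves in {FLAP_WINDOW}s, last {detail}"))


# Constructed event stream: (ts, mac, port, event)
SAMPLE_EVENTS = [
    (0,  "00d0.f864.6909", "Fa0/1", "auth"),
    (10, "00d0.f864.6909", "Fa0/1", "frame"),
    (20, "00d0.f864.6909", "Fa0/2", "frame"),   # legitimate move
    (21, "00d0.f864.6909", "Fa0/2", "auth"),
    (30, "00d0.f864.6909", "Fa0/1", "frame"),   # same MAC back on Fa0/1 ...
    (31, "00d0.f864.6909", "Fa0/1", "auth"),
    (40, "00d0.f864.6909", "Fa0/2", "frame"),
    (41, "00d0.f864.6909", "Fa0/2", "auth"),
    (50, "00d0.f864.6909", "Fa0/1", "frame"),   # 4th move within 60 s: flagged
    (60, "0011.2233.4455", "Fa0/3", "auth"),
    (61, "0011.2233.4455", "Fa0/4", "frame"),   # static MAC may not move
]


def run_sample() -> Tuple[List[str], List[Tuple[str, int, str]]]:
    table = StationTable(station_move_permit=True, static_macs={"0011.2233.4455"})
    decisions = []
    for ts, mac, port, event in SAMPLE_EVENTS:
        if event == "auth":
            table.authenticated(mac, port, ts)
        else:
            decisions.append(table.seen(mac, port, ts))
    return decisions, table.alerts
```

The alert does not block anything; it is a signal for the operator that the preemption the guide warns about may be happening and that the 802.1X online/offline traps or logs for that MAC deserve a look.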
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie (config)# aaa new-model Enable AAA.
Ruijie (config)# aaa authentication dot1x mlist local Configure the 802.1X authentication method list mlist to
perform local authentication.
Ruijie (config)# username xxx password xxx Create a local user xxx.
Ruijie (config)# dot1x authentication mlist Apply the method list mlist.
Ruijie (config)# dot1x auth-mode { pap | chap } Configure the authentication method as PAP or CHAP.
Ruijie (config)# end Return to the privileged mode.
Ruijie# show running-config Display all configurations.
After local authentication is configured, the local database is used to authenticate users. This function also
applies to MAC bypass authentication. It only needs to create a local user with the username and password
being the MAC address.
Command Function
dot1x default-user-limit num Set the maximum auth-user number on controlled interfaces.
num: The maximum number allowed by a controlled interface, in the range from 1 to 1000000.
Use the show dot1x dynamic-vlan command to display the 802.1X setting.
The following example sets the maximum auth-user number on a controlled interface.
Command Function
The following example sets the authentication timeout between the device and the supplicant to 10s:
Command Function
dot1x encryption only Enable the 802.1X authentication for encryption purposes only.
The following example enables the 802.1X authentication for only encryption purpose.
Command Function
DHCP-server authorization mode requires the server to enable DHCP snooping or DHCP relay.
Interface IP authorization mode takes precedence over the global configuration. The following example enables supplicant
authorization mode.
Command Function
dot1x event server-invalid action bypass-wlan wlan-id Enable the RADIUS server bypass function and support the bypass WLAN.
wlan-id: The ID of the bypass WLAN
vlan-list: configures the MAB VLANs.
Use this command to enable the RADIUS server bypass function and support the bypass WLAN. The following example
enables the RADIUS server bypass function.
Command Function
dot1x max-req count During interaction between the dot1x and the server, the dot1x will send a request to the server again if it does not receive a response from the server within a certain period of time. Use this command to set the maximum number of authentication requests sent to the server.
count: Maximum auth-request number sent to the server.
Command Function
dot1x logging rate-limit value Set the logging rate-limit.
value: Logging rate
0: logging rate is not limited.
The default setting is recommended. Lower the limit if frequent online/offline events raise CPU usage. The
following example sets the logging rate-limit to 20 logs per second.
Command Function
clear dot1x user name name-str Clear 802.1X authentication users based on usernames.
name-str: The username of the 802.1X authentication user
clear dot1x user id session-id Clear 802.1X authentication users based on session IDs.
session-id: Session ID
clear dot1x user ip ip-addr Clear 802.1X authentication users based on IP addresses.
ip-addr: IP address
clear dot1x user mac mac-addr Clear 802.1X authentication users based on MAC addresses.
mac-addr: MAC address
clear dot1x user all Clear all the 802.1X authentication users on the device.
Command Function
dot1x valid-ip-acct enable Enable IP address-triggered accounting.
Use this command to enable accounting only when users obtain valid IP addresses. The following example enables IP
address-triggered accounting.
Command Function
dot1x valid-ip-acct timeout time Configure IP address-triggered accounting.
The SNMP server will not start accounting until users obtain IP addresses. In this case, use this command to configure the
IP address-triggered accounting timeout. The following example configures IP address-triggered accounting timeout.
Command Function
dot1x valid-ip-acct timeout time Configure user info-triggered accounting.
Command Function
dot1x-mab Enable MAB function.
(Optional) Use this command to enable MAB function for MAC-based security authentication in WLAN.
Ruijie(config-wlansec)# dot1x-mab
Command Function
dot1x user-trap enable Enable users to send online/offline traps.
Use this command to enable users to send online/offline traps to the SNMP server. The following example enables STAs
to send online/offline traps.
Command Function
dot1x offline-detect {[interval val] | [flow num]} Enable traffic detection.
val: Traffic detection interval in the unit of minutes
The default is 15 minutes.
num: Traffic threshold in the unit of KB
The default is 0 KB.
(Optional) Use this command to prevent the device from continuing to account for a STA that has gone offline. The traffic
detection parameters configured in WLAN security configuration mode take precedence over those configured in global
configuration mode.
Command Function
dot1x dbg-filter H.H.H Enable debug information print for a user with a specified
MAC address.
H.H.H: The MAC address of a device
Use this command to print the debug information of a specific user, for example, to locate a fault on a network with
multiple users.
Command Function
dot1x default Restore 802.1X configuration to the default setting.
Monitoring
Our 802.1X provides a full range of state machine information, which is very useful for network management and can be
used by the administrator to monitor user status in real time and simplify troubleshooting.
In the privileged EXEC mode, run the show dot1x command to display the 802.1X configuration, including the current
number of users and authenticated users.
In the interface configuration mode, you can view the user authentication status information by performing the following
steps:
Command Function
show dot1x summary Display the user authentication status information.
It is convenient to display the 802.1X authentication summary according to the MAC address or username.
Ruijie(config)#show dot1x u
Ruijie(config)#show dot1x user i
Ruijie(config)#show dot1x user id 16777226
Students
Trusted students (such as student cadres)
Teaching and administrative staff
Each member of these three user groups can be connected to any port of the access device and join the
corresponding VLAN.
Complete data isolation shall be achieved between VLANs corresponding to three user groups, namely the
members of one group cannot exchange data with members of another group.
The network includes a managed access device at 192.168.197.241, which uses the default authentication and accounting
ports of 1812 and 1813 and the shared key "shared".
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-ID = "students"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-ID = "trusted_students"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-ID = "staff"
Other Precautions
In the non-IP authorization mode, if you enable the 802.1X authentication function of a port and at the same time
associate an ACL with the interface, the ACL takes effect on the basis of the MAC address. In other words, only the
packets from the source MAC addresses of the authenticated users can pass ACL filtering, and the packets from other
source MAC addresses are discarded. The ACL can only work on the basis of the MAC address.
For example, if the authenticated MAC address is 00d0.f800.0001, then all the packets from the source MAC address of
00d0.f800.0001 can be switched. If the port is associated with an ACL, the ACL will further filter these packets that can be
switched, for example, rejecting the ICMP packets from the source MAC address of 00d0.f800.0001.
The following restrictions apply while users on the interface are being authenticated or have been
authenticated:
The port mode cannot be modified, such as the command switchport mode trunk cannot be used.
The port Allowed VLAN and Native VLAN cannot be modified in the TRUNK mode.
The following restrictions apply while users in the VLAN are being authenticated or have been
authenticated:
VLAN type cannot be modified, such as the command private-vlan primary cannot be used.
Configuration Examples
Networking Requirements
To ensure the validity of network access, the following requirements must be met:
It is required that access users on each port must be subject to 1X authentication in order to control Internet access
(unauthenticated users won't be able to access network);
Only our client software (supplicant) can be used as the client for 802.1X authentication;
Accounting shall be based on online time, and accounting update packets will be periodically sent to Radius Server
(real-time accounting packets will be sent to RADIUS server every 15 minutes);
After sending the authentication request to the RADIUS server, the device resends the request if no reply is received
within 5 seconds, and tries a total of 6 times;
Online monitoring of users to prevent an authenticated user from being preempted by other users and to detect whether
the user is disconnected;
To protect the server from hostile attacks, an access user that fails authentication can only initiate re-authentication
after 500 seconds. Meanwhile, after more than 5 failed attempts, this user is considered disconnected and the
authentication process ends.
Configuration Tips
Turn on the AAA switch and configure the communication between the device and the RADIUS server; configure 802.1X
authentication and configure the device port for client access as a controlled port (here we take port F0/1 as the
example); (corresponding to paragraph 1 of "Networking Requirements")
Filter non-Ruijie supplicants (corresponding to paragraph 2 of "Networking Requirements")
Configure 802.1X accounting and accounting update, and configure the interval of accounting update packets
(corresponding to paragraph 3 of "Networking Requirements")
Configure the reply timeout timer of the RADIUS server as 5s, and configure the maximum authentication retries as 6
(corresponding to paragraph 4 of "Networking Requirements")
Configure periodic re-authentication on the device (corresponding to paragraph 5 of "Networking Requirements")
Configure the quiet period for failed authentication as 500s (waiting time) and configure the maximum authentication
retries as 5 (corresponding to paragraph 6 of "Networking Requirements")
Configuration Steps
Log in to the SAM Security Accounting Management System and click "System Management - Device Management" to
insert information about the NAS device. The required configuration includes: "Device IP" - 192.168.217.81, "Device
Group" - haha, "Device Type" - switch, "Specific Model" - S21XX and later, "Device Key" - Ruijie, "Read/Write
Community" - weilin, "Device Aging Duration" - 3s, as shown below:
Figure 0-8
Click "User Management - User Management" to insert user information. The required configuration includes:
"Username" - qq, "Password" - 1234567, "User Group" - ceshi, as shown below:
Figure 0-9
Ruijie(config)#aaa new-model
Ruijie(config)#dot1x max-req 6
Ruijie(config)#dot1x re-authentication
Ruijie(config)#dot1x reauth-max 5
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0
Step 3: Use authentication client (such as supplicant) to carry out authentication; type in the correct username and
password and select the network adapter, and the authentication will succeed after a few seconds.
Verify Configurations
Step 1: Display the authentication state information of current user in order to eliminate faults.
User name: qq
User id: 1
Type: static
Mac address is 00d0.f864.6909
Vlan id is 1
Access from port Fa0/1
Time online: 0days 0h 2m24s
User ip address is 192.168.217.82
Max user number on this port is 6000
Authorization session time is 20736000 seconds
Supplicant is private
Start accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name qq_1_0_0 :
Step 3: Display 1X configuration about the existing number of users and the number of authenticated users;
Ruijie#show dot1x
Networking requirements
A company has three user groups, namely "development" department, "finance" department and "market" department.
The following needs must be met:
Each member of these three user groups can be connected to any port of the access device and join the
corresponding VLAN after successful authentication ("development" department to join VLAN2, "finance"
department to join VLAN3, and "market" department to join VLAN4).
Complete data isolation shall be achieved between VLANs corresponding to three user groups, namely the
members of one group cannot exchange data with members of another group.
Configuration Tips
Turn on AAA switch and configure the communication between device and RADIUS SERVER;
Configure 802.1X authentication and configure the device port for client access as controlled port;
Enable dynamic VLAN assignment on the corresponding interface;
Create VLANs to join after user authentication.
Configuration Steps
Step 1: Configure the relevant attributes of the RADIUS server (only the key configuration is described below; other
unnecessary details are omitted):
Configuration Guide Configuring 802.1X
! Click "User Management - User Group Management" and add the corresponding user group (taking user group
"development" as the example):
Figure 0-10
! Click "User Management - User Management" to insert the basic information about user and corresponding VLAN
information (taking user group "development" as the example; the VLAN to which the user belongs is configured as
Figure 0-11
Figure 0-12
Ruijie(config)#aaa new-model
Ruijie(config)#vlan 2
Ruijie(config-vlan)#name development
Ruijie(config-vlan)#exit
Ruijie(config)#vlan 3
Ruijie(config-vlan)#name finance
Ruijie(config-vlan)#exit
Ruijie(config)#vlan 4
Ruijie(config-vlan)#name market
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0
Step 3: Use client to complete authentication. After successful authentication, the CLI will display:
"%DOT1X-4-TRANS_AUTHOR: Setting interface FastEthernet 0/1 author-VLAN 2 succeeded."
Verify Configurations
Step 1: Display the authentication state information of current user to see the true VLAN to which the user belongs.
User name: st
User id: 5
Type: static
Mac address is 00d0.f864.6909
Vlan id is 2
Access from port Fa0/1
Figure 14 Topology for 802.1X port-based Guest VLAN and VLAN assignment
Networking Requirements
The client accesses the network through 802.1X authentication. The RADIUS server is the authentication server, and the
FTP server is the server used by the client for software downloading and pack upgrade; it belongs to VLAN10. The RADIUS
server is used for authentication, authorization, accounting and dynamic VLAN assignment, and it belongs to VLAN1. The
Internet-connecting port F0/24 of the switch belongs to VLAN2. The following needs must be met:
If the switch receives no reply after sending authentication request packets (EAP-Request/Identity) for the configured
number of tries, F0/1 will join the Guest VLAN (VLAN10). At this point, both the Supplicant and the FTP Server belong to
VLAN10, and the Supplicant can access the FTP Server and download the 802.1X client.
After successful authentication, the RADIUS server will assign VLAN2. At this point, both the Supplicant and F0/24 belong
to VLAN2, and the Supplicant can access the Internet.
Configuration Tips
Turn on AAA switch and configure the communication between device and RADIUS SERVER;
Configure 802.1X authentication and configure the device port for client access as controlled port;
Enable dynamic VLAN assignment on the corresponding interface;
Configure whether to enable the guest VLAN on the corresponding interface.
Configuration Steps
Ruijie(config)#aaa new-model
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0
Verify Configurations
Step 1: If no reply is received after sending authentication request packets (EAP-Request/Identity) for the configured
number of tries, the user connected to the port will automatically join VLAN10. The CLI will prompt:
Step 2: The user downloads 802.1X client. After successful authentication, the CLI will prompt:
User name: st
User id: 8
Type: static
Mac address is 00d0.f864.6909
Vlan id is 2
Access from port Fa0/1
Time online: 0days 0h 4m25s
User ip address is 192.168.201.56
Max user number on this port is 6000
Authorization vlan is 2
Authorization session time is 20736000 seconds
Supplicant is private
Start accounting
Permit proxy user
Permit dial user
IP privilege is 0
user acl-name st_1_0_0 :
Networking Requirements
The client accesses the network through 802.1X authentication. The RADIUS server is the authentication server. The
following application needs must be met:
When the active server fails for some reason, the device can automatically submit the authentication request to the
next server in the method list.
When a user connected to one port of the device passes authentication, all users connected to this port will be able
to access the network freely.
Dynamic users are not allowed to move between multiple authentication ports.
The IP address of an authenticated user must be assigned by the RADIUS server; that is, the authenticated user can only
use the IP address specified by the RADIUS server to access the network.
Configuration Tips
Turn on AAA switch and configure the communication between device and RADIUS SERVER;
Configure 802.1X authentication and configure the device port for client access as controlled port;
Configure the active/standby server group;
Configure the control mode of user authentication under the corresponding port as port-based authentication;
Configure the device to prohibit dynamic users from moving between ports;
Configure the IP authorization mode as RADIUS server mode.
Configuration Steps
Ruijie(config)#aaa new-model
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.217.81 255.255.255.0
Verify Configurations
Step 2: Move this user to another authenticated port. The user will not be able to access the network.
Configuration Guide Configuring ARP Check
Overview
The ARP check function filters all ARP packets on the logical interface and drops all illegal ARP packets, preventing ARP
spoofing in the network and improving network stability.
Ruijie switches support multiple IP security applications (such as IP Source Guard, global IP+MAC binding and port
security), which effectively filter user IP packets and prevent illegal users from using network resources. The ARP check
function generates the corresponding ARP filtering information according to the legal user information (IP or IP+MAC),
implementing illegal ARP packet filtering in the network.
As shown in the above figure, the ARP check function checks whether the Sender IP field or the <Sender IP, Sender MAC>
fields of all ARP packets on the logical interface match the legal user information (IP or IP+MAC), and drops the ARP
packets that do not match the legal user information. The security function modules supported by the ARP check function
include:
Check the IP field only: IP mode of port security and IP Source Guard.
Check the IP+MAC fields: IP+MAC binding mode of port security, global IP+MAC binding, 802.1X IP authorization,
IP Source Guard and GSN binding.
ARP check has two modes: enabled and disabled. By default, the ARP check function is disabled.
The ARP check function is enabled or disabled according to the current running state of the security functions on the switch.
Enabling or disabling the following functions may trigger enabling or disabling of the ARP check function:
Adding the first legal user or removing the last legal user may trigger enabling or disabling of the ARP check
function:
ARP check is enabled regardless of whether there is a security configuration. If there is no legal user on the port, all ARP
packets from this port will be discarded.
Enabling ARP check for port security addresses halves the maximum number of IP-bound security addresses on all
ports.
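The two check modes above (Sender IP only, or the <Sender IP, Sender MAC> pair) can be exercised with a small parser for Ethernet/IPv4 ARP payloads checked against a per-port table of legal users. This is an added example in Python; it is not code from this guide or from RGOS. The ArpCheckPort class, its mode names and the sample addresses are constructed for illustration, and the "no legal user means every ARP packet is dropped" rule follows the note above.

```python
import struct

# ARP payload layout (RFC 826, Ethernet/IPv4): htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_HEADER = struct.Struct("!HHBBH6s4s6s4s")
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in the dotted notation this guide uses, e.g. 00d0.f800.0001."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_arp(payload: bytes):
    """Return (opcode, sender_ip, sender_mac) from a raw ARP payload without the Ethernet header."""
    if len(payload) < ARP_HEADER.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HEADER.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, ".".join(str(b) for b in spa), mac_str(sha)


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a sample ARP payload (test input only; all addresses are made up)."""
    sha = bytes.fromhex(sender_mac.replace(".", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    return ARP_HEADER.pack(1, 0x0800, 6, 4, oper, sha, spa, b"\x00" * 6, tpa)


class ArpCheckPort:
    """Hypothetical ARP check state for one Layer 2 interface.

    mode "ip"     : only the Sender IP field is compared (IP mode of port security / IP Source Guard).
    mode "ip+mac" : the <Sender IP, Sender MAC> pair is compared (the IP+MAC binding modes).
    """

    def __init__(self, mode: str = "ip+mac"):
        if mode not in ("ip", "ip+mac"):
            raise ValueError("mode must be 'ip' or 'ip+mac'")
        self.mode = mode
        self.legal_users = {}  # sender IP -> MAC (the MAC is ignored in "ip" mode)

    def add_legal_user(self, ip: str, mac: str) -> None:
        self.legal_users[ip] = mac

    def remove_legal_user(self, ip: str) -> None:
        self.legal_users.pop(ip, None)

    def check(self, payload: bytes) -> bool:
        """True if the ARP packet may be forwarded, False if ARP check drops it."""
        # With no legal user on the port, every ARP packet from the port is discarded.
        if not self.legal_users:
            return False
        _oper, sender_ip, sender_mac = parse_arp(payload)
        if sender_ip not in self.legal_users:
            return False
        if self.mode == "ip+mac":
            return self.legal_users[sender_ip] == sender_mac
        return True
```

The same packet with a forged Sender MAC passes in "ip" mode and is dropped in "ip+mac" mode, which is exactly the difference between the two groups of security modules listed above.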
Configuration
Use the following commands to configure ARP check in interface configuration mode:
Command Function
Ruijie(config)#interface interface-id Enter interface configuration mode.
Ruijie(config-if)#arp-check Enable ARP check.
Ruijie(config-if)#no arp-check Disable ARP check.
The ARP check function can be configured on the Layer2 interfaces only.
Monitoring
Use the following command to display ARP check entries on the interface:
Command Function
Ruijie#show interface { interface-type interface-number } arp-check list Display the ARP check entries.
In the global mode, to configure IP address and MAC address binding, execute the following commands.
Command Function
Ruijie(config)# address-bind { ip-address | ipv6-address } mac-address Configure IP address and MAC address binding.
Ruijie(config)# address-bind install Enable the address binding function.
To cancel the IP address and MAC address binding, use the no address-bind { ip-address | ipv6-address } mac-address
command in the global configuration mode.
To disable the address binding function, execute the no address-bind install command.
The following example shows how to bind the IP address and MAC address:
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#address-bind 192.168.5.1 00d0.f800.0001
Ruijie(config)#address-bind install
Problem: In a stack environment, if one switch learns a MAC address when receiving IP packets that do not
correspond to the address binding, this MAC address can only be learned by the chip of that switch and
cannot be learned by the chips of the other switches in the stack.
Phenomenon: In a stack environment, if one switch learns a MAC address when receiving IP packets that do not
correspond to the address binding, this address entry is displayed by the show mac command and the IP packets
can still be broadcast to the other stack switches. MAC address learning is normal when receiving non-IP
packets or IP packets that correspond to the address binding.
Workaround: N/A.
If the address-bind install command is executed but no IP+MAC binding is configured, all packets are allowed to be
transmitted on the interface.
In the global mode, to configure the address binding mode, execute the following commands.
Configuration Guide Configuring Global IP-MAC Binding
Command Function
Ruijie(config)# address-bind ipv6-mode { compatible | loose | strict } Configure the address binding mode.
Ruijie(config)# no address-bind ipv6-mode Restore the default address binding mode.
The following example shows how to set the address binding mode to strict:
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#address-bind ipv6-mode strict
In IPv6 mode, the DHCP Snooping address binding and port security MAC+IP address binding functions are
enabled at the same time.
Setting the Exceptional Ports for the IP Address and MAC Address
Binding
To make the IP address and MAC address binding not to take effect on some ports, you can set these ports as
exceptional ports. To configure an exceptional port, execute the following command in the global configuration mode.
Command Function
Ruijie(config)#address-bind uplink interface-id Configure the exceptional port for the IP address and MAC address binding.
interface-id: port or aggregate port
Use the no address-bind uplink interface-id command to cancel the configuration of the specified exceptional port.
The following example shows how to set the interface GigabitEthernet 0/1 as an exceptional port:
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# address-bind uplink GigabitEthernet 0/1
Displaying Configuration
Use the following commands to display the IP-to-MAC address binding on the device.
Command Function
Ruijie# show address-bind Display the IP-to-MAC address binding on the device.
Ruijie# show address-bind uplink Display exceptional interface information on the device.
Ruijie#show address-bind
Total Bind Addresses in System : 1
IP Address Binding MAC Addr
--------------- ----------------
192.168.5.1 00d0.f800.0001
Configuration Guide Configuring DHCP Snooping
Overview
DHCP
The DHCP protocol is widely used to dynamically allocate reusable network resources, for example IP addresses. A
typical IP address acquisition process using DHCP is shown below:
The DHCP Client sends a DHCP DISCOVER broadcast packet to the DHCP Server. The Client sends the DHCP
DISCOVER again if it does not receive a response from the server within a specified time.
After the DHCP Server receives the DHCP DISCOVER packet, it allocates resources to the Client, for example an IP
address, according to the appropriate policy, and sends a DHCP OFFER packet.
After receiving the DHCP OFFER packet, the DHCP Client sends a DHCP REQUEST packet to obtain the server lease
and to notify the other servers that it has accepted the address allocated by the chosen server.
After receiving the DHCP REQUEST packet, the server verifies whether the resources are available. If so, it sends a
DHCP ACK packet; if not, it sends a DHCP NAK packet. Upon receiving the DHCP ACK packet, the DHCP Client starts to
use the resources assigned by the server, provided that ARP verification shows the resources are available. If it receives a
DHCP NAK packet, the DHCP Client sends the DHCP DISCOVER packet again.
DHCP Snooping
DHCP Snooping monitors users by snooping the packets exchanged between the clients and the server. With proper
configuration, DHCP Snooping can filter DHCP packets and illegal servers. Some terms and functions used in DHCP
Snooping are explained below:
DHCP Snooping TRUST port: Because the packets for obtaining IP addresses through DHCP are broadcast, an
illegal server may prevent users from obtaining IP addresses, or even cheat users and steal user
information. To solve this problem, DHCP Snooping classifies ports into two types: TRUST ports and UNTRUST
ports. The device forwards only the DHCP reply packets received through TRUST ports while discarding all the
DHCP reply packets from UNTRUST ports. In this way, an illegal DHCP server can be shielded by setting the
port connected to the legal DHCP server as a TRUST port and the other ports as UNTRUST ports.
DHCP Snooping binding database: By snooping the packets between the DHCP Clients and the DHCP Server,
DHCP Snooping combines the IP address, MAC address, VID, port and lease time into an entry to form a DHCP
Snooping user database. DHCP Snooping checks the validity of DHCP packets that pass through the device,
discards illegal DHCP packets, and records user information to create a DHCP Snooping binding database for ARP
inspection and query. The following DHCP packets are considered illegal:
DHCP reply packets received on UNTRUST ports, including DHCPACK, DHCPNAK, DHCPOFFER, etc.
DHCP packets whose source MAC address differs from the client hardware address carried in the DHCP packet, when
MAC check is enabled.
DHCPRELEASE packets whose port information is inconsistent with that in the DHCP Snooping binding database.
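The three illegal-packet rules and the binding database can be exercised together with a minimal DHCP parser fed constructed messages. This is an added example in Python, not code from this guide or from RGOS. The DhcpSnooping class, the port names (Gi0/1 as the TRUST port), the MAC and IP addresses and the way the client port is remembered from the DHCPREQUEST are all constructed for illustration; the snooping rules themselves follow the text above.

```python
import struct
from dataclasses import dataclass

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128); the DHCP options follow the magic cookie.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7
SERVER_REPLIES = {OFFER, ACK, NAK}


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_dhcp(msg_type: int, chaddr: str, yiaddr: str = "0.0.0.0", lease=None) -> bytes:
    """Construct a minimal DHCP message (sample input only; addresses are made up)."""
    op = 2 if msg_type in SERVER_REPLIES else 1
    mac = bytes.fromhex(chaddr.replace(".", ""))
    yi = bytes(int(x) for x in yiaddr.split("."))
    zero4 = b"\x00" * 4
    header = BOOTP.pack(op, 1, 6, 0, 0x1234, 0, 0, zero4, yi, zero4, zero4,
                        mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = bytes([53, 1, msg_type])                        # option 53: DHCP message type
    if lease is not None:
        options += bytes([51, 4]) + struct.pack("!I", lease)  # option 51: lease time
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(payload: bytes):
    """Return (msg_type, chaddr, yiaddr, lease_seconds_or_None)."""
    fields = BOOTP.unpack_from(payload)
    hlen, yiaddr, chaddr = fields[2], fields[8], fields[11]
    i = BOOTP.size
    if payload[i:i + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i += 4
    options = {}
    while i < len(payload) and payload[i] != 0xFF:   # 0xFF = end option
        if payload[i] == 0:                          # pad option
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    lease = struct.unpack("!I", options[51])[0] if 51 in options else None
    return options[53][0], mac_str(chaddr[:hlen]), ".".join(str(b) for b in yiaddr), lease


@dataclass
class Binding:          # one DHCP Snooping binding database entry: IP, MAC, VID, port, lease
    ip: str
    mac: str
    vlan: int
    port: str
    lease: int


class DhcpSnooping:
    """Hypothetical model of the snooping rules described in this guide."""

    def __init__(self, trusted_ports, verify_mac: bool = True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac     # the "ip dhcp snooping verify mac-address" switch
        self.bindings = {}               # client MAC -> Binding
        self._requesting = {}            # client MAC -> (port, vlan) seen in its DHCPREQUEST
        self.drops = []                  # (port, reason), for logging and auditing

    def _drop(self, port: str, reason: str) -> bool:
        self.drops.append((port, reason))
        return False

    def process(self, port: str, src_mac: str, vlan: int, payload: bytes) -> bool:
        """Return True if the packet is forwarded, False if DHCP Snooping discards it."""
        msg_type, chaddr, yiaddr, lease = parse_dhcp(payload)
        if msg_type in SERVER_REPLIES:
            if port not in self.trusted:
                return self._drop(port, "server reply on UNTRUST port")
        elif self.verify_mac and src_mac != chaddr:
            return self._drop(port, "source MAC differs from chaddr")
        if msg_type == REQUEST:
            self._requesting[chaddr] = (port, vlan)
        elif msg_type == ACK and chaddr in self._requesting:
            cport, cvlan = self._requesting.pop(chaddr)
            self.bindings[chaddr] = Binding(yiaddr, chaddr, cvlan, cport, lease or 0)
        elif msg_type == RELEASE:
            entry = self.bindings.get(chaddr)
            if entry is None or entry.port != port:
                return self._drop(port, "RELEASE port inconsistent with binding database")
            del self.bindings[chaddr]
        return True
```

A DHCPOFFER from a rogue server on an UNTRUST port is dropped before any client sees it, while the legitimate ACK on the TRUST port creates the binding that a later DHCPRELEASE must match by port.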
Agent Circuit ID
Agent Remote ID
For details on the priorities of DHCP Snooping and other security functions, refer to the Port Security White Paper and
the Security Function Deployment White Paper.
By snooping the DHCP process, DHCP Snooping maintains a user IP address database and offers it to the IP Source
Guard function for filtering, so that only users that dynamically obtain IP addresses can access the network.
Furthermore, the DHCP binding filters IP packets rather than ARP messages. To enhance security and prevent ARP
spoofing, check the ARP validity of DHCP-bound users. For more information, refer to DAI Configuration.
DHCP Snooping snoops only the DHCP process of users. ARP Inspection is necessary to restrict users to the IP
address assigned by the DHCP protocol for Internet access. However, ARP Inspection needs to check all ARP messages,
which affects the overall performance of the switch.
When a DHCP client on a Hybrid interface connects to the DHCP Server through an untagged VLAN, the share VLAN
function should be enabled and the untagged VLAN should be set as the share VLAN. For the number of share VLANs
supported, refer to the Share VLAN Configuration section of the Configuration Guide.
Configuration
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# [ no ] ip dhcp snooping Enable or disable DHCP Snooping.
The following example demonstrates how to enable the DHCP Snooping function of the device:
The DHCP Snooping and Private VLAN functions cannot be enabled at the same time.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# interface interface Enter the interface configuration mode.
Ruijie(config-if)# [ no ] ip dhcp snooping suppression Enable or disable filtering of DHCP request messages.
The following example demonstrates how to enable filtering of DHCP request messages:
Command Function
Ruijie# configure terminal Enter global configuration mode.
Ruijie(config)# [ no ] ip dhcp snooping vlan { vlan-rng | { vlan-min [ vlan-max ] } } Enable DHCP Snooping in the VLAN.
To configure the source MAC address check function, execute the following command:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# [ no ] ip dhcp snooping verify mac-address Enable or disable the source MAC address check function.
The following example enables the DHCP source MAC address check function:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# [ no ] ip dhcp snooping information option Enable or disable the DHCP Snooping information option.
After this function is configured, the DHCP relay option82 function configured on the device will be ineffective.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# [ no ] ip dhcp snooping database write-delay [ time ] Specify the interval at which the switch writes the
DHCP database to the flash.
time: 600s to 86400s. The default value is 0.
The following example sets the interval at which the switch writes the DHCP database to the flash to 3600s:
You need to set a proper time for writing to the flash, since erasing and writing the flash frequently shortens
its life. A shorter interval saves the device information more promptly; a longer interval reduces the number
of writes to the flash and extends its service life.
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# ip dhcp snooping database write-to-flash Write the DHCP Snooping binding database to the flash manually.
The following example demonstrates how to write the DHCP Snooping binding database to the flash:
Command Function
Ruijie# configure terminal Enter the global configuration mode.
Ruijie(config)# interface interface-id Enter the interface configuration mode.
Ruijie(config-if)# [ no ] ip dhcp snooping trust Set the port as a trust port.
Command Function
ip dhcp snooping vlan vlan-word max-user user-number Set the maximum number of users bound with the VLAN in
interface configuration mode.
vlan-word: The VLAN range.
user-number: The maximum number of users bound with the VLAN.
This function, combined with the corresponding topology, can prevent illegal DHCP packet attacks.
The following example sets the maximum number of users bound with VLAN 1-10 and VLAN 20 to 30 respectively.
Clearing Dynamic User Information from the DHCP Snooping Binding Database
To clear dynamic user information from the DHCP Snooping binding database, execute the following command.
Command Function
Ruijie# clear ip dhcp snooping binding Clear information from the current database.
The following example clears information from the current database manually:
Monitoring
Command Function
Ruijie# show ip dhcp snooping Display the configuration of DHCP Snooping.
For example:
Command Function
Ruijie# show ip dhcp snooping binding Display the user information in the DHCP Snooping binding database.
For example:
Configuration Examples
Network Topology
Figure 8
Application Requirements
The DHCP client obtains the IP address dynamically through the legal DHCP server.
Configuration Points
Enable the DHCP Snooping function on the access device (Switch B), and set the uplink port (Gi0/1) as the trusted port.
Configuration Steps
Configure the Switch B
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#ip dhcp snooping
Displaying Verifications
Step 1, check the configuration for the Switch B. Key points: whether the DHCP Snooping function is enabled or not,
whether the trusted port configured is the uplink port.
Ruijie#show running-config
!
ip dhcp snooping
!
interface GigabitEthernet 0/1
ip dhcp snooping trust
Step 2, display the DHCP Snooping configuration of Switch B. Key points: whether the trusted port is correct.
Step 3, display the information about the DHCP Snooping binding database.
Overview
In a typical DHCP-enabled network, the DHCP server is responsible for managing and allocating addresses for hosts.
The hosts apply for legal network addresses from the DHCP server. DHCP helps administrators manage
network addresses and avoid address conflicts.
However, the server/client mode cannot guarantee the efficiency and security of network address management. The
traditional DHCP mode requires stronger security characteristics because of the illegal packets or even attack
packets from clients (as shown in Figure 3) and the various feigned servers (as shown in Figure 2) in the network.
DHCP Snooping solves this problem. The security problem of the traditional DHCP mode can be solved by enabling DHCP
Snooping on the device connecting the DHCP server with the DHCP clients. DHCP Snooping divides the network into two
parts: the untrusted network, in which all DHCP server response packets are shielded and the security of requests
from clients is checked; and the trusted network, to which requests received from legal clients are forwarded so that
the server in that trusted network allocates and manages addresses.
Configuration Guide Configuring IP Source Guard
By filtering DHCP packets, DHCP Snooping shields feigned servers and blocks attacks from clients. However, it
cannot control users who assign IP addresses privately. Such users easily cause network address conflicts and
harm the management of network addresses. To prevent clients from assigning addresses privately in a DHCP
network, enable IP Source Guard on the device connecting the DHCP server to the DHCP clients. DHCP Snooping-based
IP Source Guard ensures that DHCP clients access network resources properly and blocks users who assign
addresses privately from accessing the network.
The hardware-based IP packet filtering database is the key for IP Source Guard to enable efficient security control in
DHCP applications. This database is based on the DHCP Snooping database. After IP Source Guard is enabled, the
DHCP Snooping database is synchronized with the hardware-based IP packet filtering database. In this way, IP Source
Guard can strictly filter IP packets from clients on the device with DHCP Snooping enabled.
By default, once IP Source Guard is enabled on a port, all IP packets traveling through the port (except for DHCP
packets) are checked on the port. Only users that obtain IP addresses through DHCP and the configured static
binding users can access the network.
IP Source Guard supports filtering based on source MAC and source IP, or based on source IP only. In the former case, IP
Source Guard checks the source MAC and source IP addresses of all packets and only allows packets matching
the hardware-based IP packet filtering database to pass through. In the latter case, IP Source Guard checks only the
source IP addresses of IP packets.
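The filtering database described above, with both filtering modes, the DHCP exception, static bindings and the VLAN exclusion documented further down in this chapter, can be modelled with an IPv4/UDP parser checked against a table of entries. This is an added example in Python, not code from this guide or from RGOS. The IpSourceGuard class and its method names are constructed; the entries mirror the fields of a binding (IP, MAC, VLAN, port), the sample addresses reuse the values from this chapter's configuration example, and a binding with no port is treated as applying to every IP Source Guard port in the VLAN, as the ip source binding command description states.

```python
import struct

IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst
UDP_HEADER = struct.Struct("!HHHH")            # sport, dport, length, checksum
DHCP_PORTS = {67, 68}


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Construct an IPv4/UDP packet with an empty payload (sample input only; checksums left 0)."""
    src = bytes(int(x) for x in src_ip.split("."))
    dst = bytes(int(x) for x in dst_ip.split("."))
    ip = IPV4_HEADER.pack(0x45, 0, IPV4_HEADER.size + UDP_HEADER.size, 0, 0, 64, 17, 0, src, dst)
    return ip + UDP_HEADER.pack(sport, dport, UDP_HEADER.size, 0)


def parse_ipv4(packet: bytes):
    """Return (src_ip, is_dhcp) for an IPv4 packet; is_dhcp is True for UDP 67/68 traffic."""
    if len(packet) < IPV4_HEADER.size or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src_ip = ".".join(str(b) for b in packet[12:16])
    is_dhcp = False
    if proto == 17 and len(packet) >= ihl + UDP_HEADER.size:
        sport, dport, _, _ = UDP_HEADER.unpack_from(packet, ihl)
        is_dhcp = sport in DHCP_PORTS and dport in DHCP_PORTS
    return src_ip, is_dhcp


class IpSourceGuard:
    """Hypothetical model of the hardware IP packet filtering database described in this guide."""

    def __init__(self):
        self.mode = {}        # port -> "ip-only" or "port-security" (ip verify source [ port-security ])
        self.excluded = {}    # port -> set of VLAN IDs excluded with ip verify source exclude-vlan
        self.entries = []     # (port or None for any port, vlan, ip, mac)

    def enable(self, port: str, port_security: bool = False) -> None:
        self.mode[port] = "port-security" if port_security else "ip-only"

    def disable(self, port: str) -> None:
        # Once IP Source Guard is disabled on the port, its excluded VLANs are cleared.
        self.mode.pop(port, None)
        self.excluded.pop(port, None)

    def exclude_vlan(self, port: str, vlan: int) -> None:
        if port not in self.mode:
            raise ValueError("ip verify source must be enabled on the port first")
        self.excluded.setdefault(port, set()).add(vlan)

    def sync_from_snooping(self, bindings) -> None:
        """Mirror DHCP Snooping binding entries, given as (ip, mac, vlan, port) tuples."""
        for ip, mac, vlan, port in bindings:
            self.entries.append((port, vlan, ip, mac))

    def add_static(self, mac: str, vlan: int, ip: str, port=None) -> None:
        """Static binding; port=None applies to all IP Source Guard ports in the VLAN."""
        self.entries.append((port, vlan, ip, mac))

    def permit(self, port: str, vlan: int, src_mac: str, packet: bytes) -> bool:
        """True if the packet passes the filter, False if IP Source Guard blocks it."""
        mode = self.mode.get(port)
        if mode is None or vlan in self.excluded.get(port, ()):
            return True                       # not enabled on this port, or VLAN excluded: no check
        src_ip, is_dhcp = parse_ipv4(packet)
        if is_dhcp:
            return True                       # DHCP packets are exempt (handled by DHCP Snooping)
        for e_port, e_vlan, e_ip, e_mac in self.entries:
            if e_port not in (None, port) or e_vlan != vlan or e_ip != src_ip:
                continue
            if mode == "ip-only" or e_mac == src_mac:
                return True
        return False
```

With port-security set, a host that keeps its DHCP-assigned address but forges the source MAC is blocked; in ip-only mode the same packet passes, which is why the MAC-based mode is the stronger choice on user ports.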
Configuration
Command Function
Ruijie(config)# interface interface-id Enter the interface configuration mode.
Ruijie(config-if)# [ no ] ip verify source [ port-security ] Enable IP Source Guard on the interface. Use port-security to
set MAC-based filtering.
IP Source Guard is applied in combination with DHCP Snooping. That is to say, port-based IP Source
Guard only takes effect on untrusted ports under the control of DHCP Snooping.
Command Function
Ruijie# configure terminal Enter configuration mode.
Ruijie(config)# [ no ] ip source binding mac-address vlan vlan-id ip-address [ interface interface-id | wlan wlan-id |
ip-mac | ip-only ] Add a static IP source binding user to the database. If the interface is not specified, the binding
entry applies to all binding interfaces on the VLAN.
ip-mac: global IP+MAC binding;
ip-only: global IP binding.
The following example shows how to bind a static user to port 9 of the device:
Command Function
ip verify source exclude-vlan vlan-id Exclude a VLAN from the IP source guard configuration on the port.
vlan-id: The ID of the VLAN excluded from the IP source guard configuration.
no ip verify source exclude-vlan vlan-id Restore the default setting.
This command is used to exclude a VLAN from the IP source guard configuration. IP packets in this VLAN are forwarded
without being checked and filtered.
Once the IP source guard function is disabled, the excluded VLAN is cleared automatically.
This command is supported on the wired L2 switching port, AP port, subinterface and WLAN.
Only when the IP source guard configuration is enabled on the port can a VLAN be excluded.
The following example configures IP source guard on the port and excludes a VLAN.
Monitoring
Command Function
Ruijie# show ip verify source [ interface interface-id ] [ wlan wlan-id ] Display IP Source Guard filtering entries.
For example:
Command Function
Ruijie# show ip source binding [ ip-address ] [ mac-address ] [ dhcp-snooping ] [ static ] [ vlan vlan-id ]
[ interface interface-id ] Display the hardware-based IP packet filtering database.
For example:
Configuration Examples
Network Topology
Deployment
Application Requirements
The user can only use the IP address dynamically allocated by a valid DHCP server or statically allocated by the
administrator to access network. IP packets with source IP different from the IP addresses contained in the hardware
filtering list of switch will be blocked to ensure network security.
Configuration Tips
Configure IP Source Guard and DHCP Snooping on the access device (Switch A) to meet the requirements:
Configure the uplink port (GigabitEthernet 0/1) as trusted port to avoid DHCP server spoofing.
Enable IP Source Guard on PC-connecting ports (GigabitEthernet 0/2 and GigabitEthernet 0/3).
The user with IP address assigned by the administrator can be configured through IP Source Guard static binding (IP
address: 192.168.216.4; MAC address: 0000.0000.0001).
Configuration Steps
Configure Switch A
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#ip dhcp snooping
Step 2: Configure the uplink port as the trusted port of DHCP Snooping.
Verification
Step 1: Check the configurations of Switch A. Key points: whether DHCP Snooping has been enabled, whether the uplink
port has been configured as the trusted port, whether IP Source Guard has been enabled on the user-connecting port,
and whether the static binding entries are correct.
Ruijie#show running-config
ip dhcp snooping
!
ip source binding 0000.0000.0001 vlan 1 192.168.216.1 interface GigabitEthernet 0/2
!
interface GigabitEthernet 0/1
ip dhcp snooping trust
!
interface GigabitEthernet 0/2
ip verify source port-security
!
interface GigabitEthernet 0/3
ip verify source port-security
Step 3: Display the IP hardware filtering list jointly generated through DHCP Snooping user binding database and static
bindings:
Overview
Internet Group Management Protocol (IGMP) Snooping is an IP multicast flow mechanism running in the
VLAN. It is used to manage and control IP multicast flow forwarding in the VLAN and belongs to the Layer 2 multicast
functions. The IGMP Snooping function described below operates in the VLAN, and the related ports are the member
ports of the VLAN.
A device running IGMP Snooping sets up the mapping between ports and multicast addresses by analyzing the received
IGMP packets, and forwards IP multicast packets based on that mapping. As shown in Figure 1, with IGMP
Snooping disabled, IP multicast packets are broadcast in the VLAN; with IGMP Snooping enabled, known
IP multicast packets are not broadcast in the VLAN but are sent only to the specified recipients.
Figure 1 Contrast between VLAN with IGMP Snooping disabled and VLAN with IGMP Snooping enabled
Configuration Guide Configuring IGMP Snooping
Ruijie multicast products support both the Layer 2 multicast (IGMP Snooping) function and the Layer 3
multicast (multicast routing) function. That is to say, to achieve better packet forwarding, a Ruijie device supports not
only Layer 3 multicast route forwarding, but also snooping within the VLAN.
Multicast Router Port: the switch port connected to the multicast router (the Layer 3 multicast device); take the
SwitchA interface Eth0/1 as an example. All router ports on the switch (including dynamic and static ports) are
recorded in the router port list. By default, a router port is a recipient of the multicast data in the
VLAN, and can also be added to the IGMP Snooping forwarding list.
Member Port: short for IP multicast group member port, also named Listener Port, the switch port
connected to an IP multicast group member; take the SwitchA interfaces Eth0/2, Eth0/3 and
Eth0/4 as examples. All member ports on the switch (including dynamic and static ports) are recorded in the IGMP
Snooping forwarding list.
The IGMP querier periodically sends general query packets to all hosts and routers in the local network segment
(destination address 224.0.0.1) to discover the IP multicast group members in the segment. Upon receiving an IGMP
general query packet, the switch forwards it to all ports in the VLAN and processes the receiving port as follows:
If the port is already in the router port list, reset its aging timer.
If the port is not yet in the router port list, add it to the list and start its aging timer.
After receiving an IGMP general query packet, the multicast device starts the aging timer for all member ports, using the
maximum response time of the IGMP query packet as the aging time. When the aging timer expires, the port is considered
to have no receiver of the multicast flow and is removed from the IGMP Snooping forwarding list.
After receiving an IGMP group-specific query packet, the multicast device starts the aging timer for all member ports of
that group, again using the maximum response time of the IGMP query packet as the aging time. When the aging timer
expires, the port is considered to have no receiver of the multicast flow and is removed from the IGMP Snooping forwarding
list. For IGMP group-and-source-specific query packets, the aging timer is not updated.
Membership Report
In the following circumstances, a host sends an IGMP membership report to the IGMP querier:
After receiving an IGMP query (general or group-specific) packet, a host that is a member of the IP multicast group
responds to it.
If the host wants to join an IP multicast group, it sends an IGMP membership report to the IGMP querier on its own
initiative to claim membership of the group.
Upon receiving an IGMP membership report message, the switch forwards the message through all router ports in the
VLAN, extracts from the message the IP multicast group address the host is joining, and processes the receiving port as
follows:
If no forwarding entry exists for the IP multicast group, create one, add the port as a dynamic member port to its
outgoing port list, and start the aging timer.
If a forwarding entry exists for the group but its outgoing port list does not include the port, add the port as a
dynamic member port to the outgoing port list and start the aging timer.
If a forwarding entry exists for the group and its outgoing port list already includes the port, reset the aging
timer.
When leaving an IP multicast group, the host notifies the multicast router of the leave event by sending an IGMP leave
group packet. At present, Ruijie products provide two ways of leaving:
Automatic leave: upon receiving an IGMP leave group packet from a dynamic member port, the switch forwards the packet
to the router ports and starts a timeout timer for the member port. If the switch does not receive the corresponding
response packet before the timer expires, it ages out the member port.
Fast leave: upon receiving an IGMP leave group packet from a dynamic member port, the switch forwards the packet to
the router ports and deletes the member port immediately.
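As an added illustration (not Ruijie's code) of the query, report and leave handling above, the following model keeps one VLAN's router port list and IGMP Snooping forwarding (GDA) table against a simulated clock; it also models the source port check described later in this section. The port names, the router-port aging value and the leave timeout are assumptions; query-max-response-time and host-aging-time use the defaults given later in this section.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

QUERY_MAX_RESPONSE_TIME = 10   # page default for query-max-response-time (seconds)
HOST_AGING_TIME = 260          # page default for host-aging-time (seconds)
ROUTER_PORT_AGING_TIME = 300   # assumption: the page gives no router-port aging default
LEAVE_TIMEOUT = 2              # assumption: wait this long for a report after a leave


@dataclass
class VlanSnooper:
    """IGMP Snooping state of one VLAN (constructed model, not Ruijie code)."""
    vlan_ports: Set[str] = field(default_factory=set)   # all ports in the VLAN
    fast_leave: bool = False
    source_port_check: bool = False   # "Source Port Check" later in this section
    now: float = 0.0                  # simulated clock, seconds
    router_ports: Dict[str, float] = field(default_factory=dict)   # dynamic: port -> expiry
    static_router_ports: Set[str] = field(default_factory=set)
    # forwarding (GDA) table: group -> port -> expiry; None marks a static member port
    gda_table: Dict[str, Dict[str, Optional[float]]] = field(default_factory=dict)
    leave_pending: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def all_router_ports(self) -> Set[str]:
        return set(self.router_ports) | self.static_router_ports

    def add_static_member(self, group: str, port: str) -> None:
        self.gda_table.setdefault(group, {})[port] = None   # static entries never age

    def _remove_member(self, group: str, port: str) -> None:
        ports = self.gda_table.get(group, {})
        ports.pop(port, None)
        if not ports:
            self.gda_table.pop(group, None)

    def _restart_member_timers(self, group: Optional[str]) -> None:
        # Dynamic member ports get the query's max response time as their aging time.
        groups = [group] if group else list(self.gda_table)
        for g in groups:
            for port, expiry in self.gda_table.get(g, {}).items():
                if expiry is not None:
                    self.gda_table[g][port] = self.now + QUERY_MAX_RESPONSE_TIME

    def on_query(self, in_port: str, group: Optional[str] = None) -> Set[str]:
        """General query (group=None) or group-specific query; returns the flood set."""
        # The receiving port joins the router port list, or has its aging timer reset.
        self.router_ports[in_port] = self.now + ROUTER_PORT_AGING_TIME
        self._restart_member_timers(group)
        return self.vlan_ports - {in_port}   # queries go to all other ports in the VLAN

    def on_report(self, in_port: str, group: str) -> Set[str]:
        """Membership report: create/refresh the member port; forward to router ports."""
        ports = self.gda_table.setdefault(group, {})
        if ports.get(in_port, 0) is not None:           # leave static entries alone
            ports[in_port] = self.now + HOST_AGING_TIME  # new entry or timer reset
        self.leave_pending.pop((group, in_port), None)  # the report answers a pending leave
        return self.all_router_ports() - {in_port}

    def on_leave(self, in_port: str, group: str) -> Set[str]:
        """Leave group: fast leave removes the port now, automatic leave starts a timer."""
        ports = self.gda_table.get(group, {})
        if in_port in ports and ports[in_port] is not None:   # dynamic member ports only
            if self.fast_leave:
                self._remove_member(group, in_port)
            else:
                self.leave_pending[(group, in_port)] = self.now + LEAVE_TIMEOUT
        return self.all_router_ports() - {in_port}

    def tick(self, seconds: float) -> None:
        """Advance the clock and age out expired router ports, members and leaves."""
        self.now += seconds
        for port, expiry in list(self.router_ports.items()):
            if expiry <= self.now:
                del self.router_ports[port]
        for (group, port), expiry in list(self.leave_pending.items()):
            if expiry <= self.now:          # no report came back: age the member port
                del self.leave_pending[(group, port)]
                self._remove_member(group, port)
        for group, ports in list(self.gda_table.items()):
            for port, expiry in list(ports.items()):
                if expiry is not None and expiry <= self.now:
                    self._remove_member(group, port)

    def forward_data(self, in_port: str, group: str) -> Set[str]:
        """Egress set for a multicast data packet; an empty set means it is dropped."""
        if self.source_port_check and in_port not in self.all_router_ports():
            return set()                    # data from a non-router port is invalid
        if group not in self.gda_table:     # unknown group: flooded in the VLAN
            return self.vlan_ports - {in_port}
        # Known group: member ports plus the router ports, never back out the ingress.
        return (set(self.gda_table[group]) | self.all_router_ports()) - {in_port}
```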
SVGL mode and IVGL-SVGL mode conflict with the IP multicast function.
PIM Snooping must depend on either IVGL or IVGL-SVGL mode of IGMP Snooping.
IGMP Profiles are used to define ranges of group addresses for other functions to reference.
Multicast VLAN
Multicast VLAN is a typical application realized when IGMP Snooping runs in SVGL or IVGL-SVGL mode. As shown above,
when the switch runs IGMP Snooping in SVGL or IVGL-SVGL mode, it treats the VLAN where the user hosts reside as a sub
VLAN. In this way, when user hosts in several VLANs request the same multicast stream at the same time, the switch can
deliver the packets to each sub VLAN as long as the multicast router sends one copy of the multicast packet to the
shared VLAN.
If the switch runs IGMP Snooping in IVGL mode, the multicast router needs to send a separate copy of the multicast data
into each user VLAN. This not only wastes network bandwidth but also puts additional load on the Layer 3 device.
1st way: create multicast entries in the VLAN to which the IGMP packets belong, and forward the IGMP packets in that VLAN.
For example, assume that IGMP Snooping is enabled on the device, port A is a dot1q-tunnel port, the default VLAN of port A
is VLAN 1, and packets from VLAN 1 and VLAN 10 can pass through port A. When multicast requests of VLAN 10 arrive at
port A, IGMP Snooping creates the multicast entry in VLAN 10 and forwards the multicast requests to the router port of
VLAN 10.
2nd way: create multicast entries in the default VLAN of the dot1q-tunnel port, and forward the multicast packets in the
default VLAN of the dot1q-tunnel port after inserting the VLAN tag of that default VLAN. For example, under the same
assumptions (IGMP Snooping enabled, port A a dot1q-tunnel port with default VLAN 1, packets from VLAN 1 and VLAN 10
allowed through port A), when multicast requests of VLAN 10 arrive at port A, IGMP Snooping creates the multicast entry
in VLAN 1, inserts the VLAN tag of VLAN 1 into the multicast requests, and forwards them to the router port of VLAN 1.
However, in a network without a Layer 3 multicast device, a Layer 2 multicast device does not support IGMP and therefore
cannot provide the functions of an IGMP querier. By enabling IGMP Snooping on a Layer 2 device, the device can establish
and maintain multicast forwarding entries at the data link layer and thus forward multicast traffic correctly at that
layer.
IGMP itself cannot control whether a user may join a specific multicast group. Since multicast traffic is replicated at the
access node, controlling whether a user can obtain a multicast video stream at the access node is important: it protects
the video data and the carrier's revenue and keeps out unauthorized users. Currently, a customized Profile can be
preconfigured on the user port through the device management feature to permit or deny a user's join, control the
multicast service, and prevent unauthorized users from occupying network resources when controlling access to one or
more multicast programs. Similar functions allow precise control of user access to multicast programs at the access
node, such as multicast preview. The number of programs accessible to a specific user can also be limited, effectively
protecting network bandwidth resources.
Ruijie multicast devices can realize diversified control of users:
IGMP Snooping source port check limits the ingress of IGMP multicast traffic. When source port check is disabled, video
streams entering from any port are considered valid, and the multicast device forwards them to the registered member
ports according to the IGMP Snooping forwarding table. When source port check is enabled, only multicast traffic entering
from a router port is considered valid, and the Layer 2 multicast device forwards it to the registered ports. Multicast
traffic entering from a non-router port is considered invalid and discarded.
IGMP Snooping source port check uses masks. The definition of masks is detailed in "Access Control List
Configuration". Masks are shared among address binding, source port check and ACLs, and the total number of
available masks depends on the product. Because masks are limited in number, these three features affect
each other. Enabling address binding occupies two masks, and enabling source port check also occupies two
masks; the number of masks available to ACLs depends on whether these two features are enabled. Assuming
that ACLs can use up to 8 masks by default, enabling either address binding or source port check reduces the
masks available to ACLs to 6, and enabling both reduces them to 4. Conversely, if ACLs already use many masks
and the remaining masks cannot satisfy these two features, the system prompts that mask resources are used
up when address binding or source port check is enabled. When one of these three features cannot run
normally because of the mask restriction, it can be made to work by reducing the masks used by the other two.
For example, when all three features are enabled at the same time and the system prompts that masks are used
up when source port check is enabled, you can disable address binding (remove all address bindings) or delete
the ACEs of the ACL that occupy multiple masks, so that source port check can be enabled normally.
When IGMP Snooping is enabled or a router port is configured while source port check is enabled, source port
check may fail because of inadequate mask resources. The system prompts: Source port check applying failed
for hardware out of resources. In this case, release other resources first and then enable source port check
again.
Source IP Check
Among the multicast devices released by Ruijie, certain products support IGMP Snooping source IP check, further
enhancing network security.
IGMP Snooping source IP check limits the source IP address of IGMP multicast traffic. When source IP check is disabled,
all incoming video streams are considered valid, and the Layer 2 multicast device forwards them to the registered member
ports according to the IGMP Snooping forwarding table. When source IP check is enabled, only multicast traffic with the
configured source IP address is considered valid, and the multicast device forwards it to the registered ports. Multicast
traffic with any other source IP address is considered invalid and discarded.
Configuration
After Layer 2 multicasting is enabled on a Private VLAN or Super VLAN, if the multicast source is in a Sub-VLAN,
another routing entry must be duplicated whose ingress is the Sub-VLAN where the multicast streams enter.
Because multicast forwarding requires an ingress validity check, one more multicast hardware entry is
occupied, reducing the multicast capacity by one. It is recommended to configure the master VLAN as the
ingress for multicast streams on a Private VLAN or Super VLAN, and the other Sub-VLANs as egress VLANs
connected to the hosts that receive the multicast streams.
When Layer 2 multicasting is enabled on a Private VLAN or Super VLAN, it is recommended to use Access ports as
the forwarding egress of multicast streams. If the forwarding egress is a Trunk port, multiple duplicate
multicast streams may be forwarded.
After IGMP Snooping is enabled, multicast protocol packets within the VLAN are broadcast by software instead
of hardware. Software forwarding performs worse than hardware forwarding, so if massive numbers of multicast
protocol packets must be forwarded in the VLAN, you are advised to disable IGMP Snooping to preserve the
forwarding performance for multicast protocol packets.
If a VLAN is configured as a remote VLAN and IGMP Snooping is disabled on that VLAN, you can still enter IGMP
Snooping configuration related to the VLAN, for example the VLAN-based configuration of router ports and
member ports. However, the configuration does not take effect.
By default, with IGMP Snooping globally enabled, the IGMP Snooping function is auto-enabled in all VLANs. Use the no
ip igmp snooping vlan command to disable the IGMP Snooping function for a specified VLAN.
vlan 1
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled
vlan 2
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled
vlan 3
-------------
IGMP Snooping :Disabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled
vlan 4
-------------
IGMP Snooping :Enabled
Multicast router learning mode :pim-dvmrp
IGMPv2 immediate leave :Disabled
With the IGMP Snooping enabled in the VLAN, the MLD Snooping function must also be enabled if the IPv6
multicast is applied in the VLAN.
Command Function
Ruijie(config)# ip igmp snooping vlan vid mrouter interface interface-id
Set the interface as the static router interface.
Ruijie(config)# no ip igmp snooping vlan vid mrouter interface interface-id
Restore the default setting.
In SVGL mode, if Sub VLAN is not configured, only the configuration of the static router port belonging to the
Shared VLAN will take effect. Other ports can be configured but the configuration will not take effect. If Sub
VLAN is configured, the configuration of the static router port belonging to the Shared VLAN or non-sub
VLAN will take effect. Other ports can be configured but the configuration will not take effect.
In IVGL-SVGL mode, if Sub VLAN is not configured, the configuration of the static router ports of all VLANs will
take effect. If Sub VLAN is configured, the configuration of the static router port belonging to the Shared
VLAN or non-sub VLAN will take effect. Other ports can be configured but the configuration will not take
effect.
In IVGL mode, the configuration of the static router ports of all VLANs will take effect.
Command Function
Ruijie(config)# ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
Enable the dynamic learning function for the router port in the VLAN. By default, the function is enabled.
Ruijie(config)# no ip igmp snooping vlan vlan-id mrouter learn pim-dvmrp
Disable the dynamic learning function for the router port in the VLAN and clear all router ports learned dynamically.
If a dynamic router port has not received an IGMP general query packet or a PIM Hello packet before its aging timer
expires, the switch deletes the port from the router port list.
Example: Set Ethernet interface 1/1 as the static router port and enable dynamic learning function of router ports in the
VLAN1:
Command Function
Ruijie(config)# ip igmp snooping vlan vid static ip-addr interface interface-id
Statically configure a port to receive a certain multicast flow.
• vid: VLAN ID of the multicast flow
• ip-addr: multicast group address
• interface-id: interface ID
Ruijie(config)# no ip igmp snooping vlan vid static ip-addr interface interface-id
Restore the default setting. The parameters are the same as above.
If a host connected to a port needs to receive IP multicast data sent to a specific IP multicast group regularly, add the port
statically to this IP multicast group, making it a static member port.
Use no ip igmp snooping vlan vlan-id static ip-addr interface interface-id to delete the static member of IGMP
Snooping.
Command Function
Ruijie(config)# ip igmp snooping host-aging-time time
Configure the survival time for IGMP dynamic member ports, in the range from 1 to 65535 seconds. The default is 260.
Ruijie(config)# no ip igmp snooping host-aging-time
Restore the default host aging time of 260 seconds.
The aging time of a dynamic member port refers to the time set for this port when it receives the IGMP join-in packet sent
by a host to join a specific IP multicast group.
After receiving the IGMP join-in packet, the aging timer of this dynamic member port will be reset to host-aging-time. If the
timer is timed out, it is considered that no user host that receives multicast packets exists under this port. The multicast
device will remove the port from the member ports of IGMP Snooping. After this command is configured, the value of an
aging timer set for dynamic member ports when they receive the IGMP join-in packet is host-aging-time. This
configuration takes effect when the next join-in packet is received and the currently-started timer of member ports will not
be updated.
Command Function
Ruijie(config)# ip igmp snooping query-max-response-time seconds
Set the maximum response time of the IGMP Query message, in the range from 1 to 65535 seconds. The default is 10.
Ruijie(config)# no ip igmp snooping query-max-response-time
Restore the maximum response time to the default value.
After receiving an IGMP general query packet, the multicast device resets the aging timer of all dynamic member ports to
query-max-response-time. If the timer expires, it is assumed that no user host receiving multicast packets exists under
the port, and the multicast device removes the port from the IGMP Snooping member ports.
After receiving an IGMP group-specific query packet, the multicast device resets the aging timer of all dynamic member
ports of that group to query-max-response-time. If the timer expires, it is assumed that no user host receiving multicast
packets exists under the port, and the multicast device removes the port from the IGMP Snooping member ports.
For an IGMPv3 group-and-source-specific query packet, no timer is updated. This configuration takes effect when the next
query packet is received; a timer that is already running is not updated.
The following example configures the maximum response time of the IGMP Query message to 15s:
Configuring Fast-Leave
Command Function
Ruijie(config)# ip igmp snooping fast-leave enable
Enable the fast-leave function. By default, this function is disabled.
Ruijie(config)# no ip igmp snooping fast-leave enable
Restore the default setting.
Port fast-leave means that when a switch receives from a port an IGMP leave group message sent by a host to leave a
certain IP multicast group, it directly removes the port from the member port list of the corresponding forwarding
entry. If only one receiver is connected to the port, you may enable port fast-leave to save bandwidth and resources.
This function applies only when a single requester exists on the port.
Whenever a member port receives an IGMP Report packet, the switch transmits it to the router port. If the member ports
of a VLAN receive multiple identical Report packets within a query interval, the router port receives multiple identical
Report packets. If Report packet suppression is enabled, the router port forwards only the first IGMP Report packet
received for a specific IP multicast group within a query interval; otherwise it forwards all received IGMP Report
packets. IGMP Report suppression thus reduces the number of packets on the network.
Under certain circumstances, you may need to control the reception of multicast traffic at the egress of a specific VLAN.
A VLAN-based filter meets this need.
You can apply an IGMP Profile to a VLAN. When IGMP Report packets are received on a port belonging to this VLAN, the
Layer 2 multicast device verifies whether the multicast address the port wants to join falls within the range permitted
by the IGMP Profile. If so, the port joins and processing continues.
Command Function
Ruijie(config)# ip igmp snooping vlan num querier
Enable the IGMP Snooping querier for a specific VLAN.
Ruijie(config)# no ip igmp snooping vlan num querier
Disable the IGMP Snooping querier for a specific VLAN.
Command Function
Ruijie(config)# no ip igmp snooping querier address
Globally disable the querier source IP address.
Ruijie(config)# ip igmp snooping vlan num querier address a.b.c.d
Configure the source IP address for the querier of a specific VLAN.
Ruijie(config)# no ip igmp snooping vlan num querier address
Cancel the source IP address for the querier of a specific VLAN.
The following example shows how to globally configure the source IP address of IGMP querier:
Example: Configure the source IP address for the querier of a specific VLAN.
Command Function
Ruijie(config)# ip igmp snooping querier max-response-time seconds
Globally configure the maximum response time to queries. The default value is 10 seconds.
Ruijie(config)# no ip igmp snooping querier max-response-time
Globally restore the maximum response time to queries to the default value.
Ruijie(config)# ip igmp snooping vlan vid querier max-response-time seconds
Configure the maximum response time to query packets of a specific VLAN. The default is 10 seconds.
Ruijie(config)# no ip igmp snooping vlan vid querier max-response-time
Restore the default maximum response time to query packets.
The following example shows how to configure the maximum response time to queries:
Example: Configure the maximum response time to query packets of a specific VLAN:
Command Function
Ruijie(config)# ip igmp snooping querier query-interval num
Globally configure the interval for periodically sending IGMP queries. The default value is 60 seconds.
Ruijie(config)# no ip igmp snooping querier query-interval
Globally restore the interval for periodically sending IGMP queries to the default value.
Ruijie(config)# ip igmp snooping vlan num querier query-interval num
Configure the interval for periodically sending IGMP query packets of a specific VLAN. The default value is 60 seconds.
Ruijie(config)# no ip igmp snooping vlan num querier query-interval
Restore the default interval for periodically sending IGMP query packets of a specific VLAN.
The following example shows how to globally configure the query interval:
Command Function
Ruijie(config)# no ip igmp snooping vlan num querier timer expiry
Restore the non-querier timeout period of a specific VLAN to the default.
The following example shows how to globally configure querier expiration timer:
Command Function
The following example shows how to globally configure IGMP version number:
Monitoring
The following example uses the show ip igmp snooping command to view the IGMP Snooping configuration
information:
SVGL vlan-id : 1
SVGL profile number : 0
Source port check : Disabled
Source ip check : Disabled
IGMP Fast-Leave : Disabled
IGMP Report suppress : Disable
vlan 1
-------------
IGMP Snooping state: Enabled
Multicast router learning mode: pim-dvmrp
IGMPv2 fast leave: Disabled
IGMP VLAN querier: Disable
The following example uses the show ip igmp snooping command to view the router interface information of IGMP
Snooping:
Command Function
Ruijie# show ip igmp snooping gda-table
View the forwarding table of IGMP Snooping, namely the Group Destination Address (GDA) table.
Clear the GDA table.
If IGMP Snooping is enabled on a Private-VLAN or Super-VLAN, the entries established in the GDA forwarding table
are all based on the master VLAN of the Private-VLAN or Super-VLAN. A forwarding table entry indicates that all
forwarding egresses can receive multicast streams from the master VLAN. For multicast streams from a Sub VLAN,
the forwarding rules must comply with those of the Private-VLAN or Super-VLAN. In this case, each GDA
forwarding table entry may correspond to multiple hardware forwarding table entries, so the usable forwarding
table capacity may be lower than the nominal value.
This example shows the source port check status of IGMP Snooping:
Ruijie# show ip igmp snooping interface interface-id
View IGMP port filter information.
--------------------------------------------------------
admin state : Disable
admin version : 2
source IP address : 1.1.1.1
query-interval (sec) : 125
max-response-time (sec) : 10
querier-timeout (sec) : 60
operational state : Disable
operational version : 2
Configuration Guide Configuring ACL
Configuring ACL
Overview
As part of the Ruijie security solution, an access control list (ACL) provides a powerful traffic filtering function.
Currently, Ruijie products support many types of access lists.
Depending on network conditions, you can choose different ACLs to control data flows.
ACL is the shortened form of Access Control List, also called Access List. In some documentation it is also popularly
called a firewall or packet filtering. An ACL controls the packets on a device interface by defining rules: permit or
deny. According to their usage, ACLs can be divided into security ACLs and QoS ACLs.
By filtering data streams, you can restrict the types of data exchanged on the network and the users and devices that
may use it. When data streams pass through the switch, ACLs classify and filter them: the data streams entering the
specified interface are checked and permitted or denied according to the matching conditions.
To sum up, the security ACL is used to control which dataflow is allowed to pass through the network device. The QoS
policy performs priority classification and processing for the dataflow.
ACLs consist of a series of entries, known as Access Control Entry (ACE). Each entry specifies its matching condition and
behavior.
Access list rules can be about the source addresses, destination addresses, upper layer protocols, time-ranges or other
information of data flows.
Restrict route updates: control where routing update information is sent and received.
Restrict network access: to ensure network security, define rules that prevent users from accessing certain services
(for example, when a user only needs the WWW and E-mail services, other services such as TELNET are disabled), allow
users to access services only during a given period, or allow only some hosts to access the network.
Figure 1-1 shows a case in which only host A is allowed to access the Finance Network, while host B is not.
An inherent problem of all access lists is address spoofing: providing a spoofed source address to deceive the
switch. Even if you use a dynamic list, spoofing remains possible: during the valid access period of an
authenticated user, an attacker may use a counterfeit user address to access the network. There are two ways
to mitigate the problem. One is to keep the period during which a user may access the network as short as
possible, making it hard for an attacker to exploit it. The other is to use the IPsec encryption protocol to
encrypt network data, ensuring that all data entering the switches is encrypted.
Access lists are usually configured in the following locations of network devices:
Devices between the inside network and outside network (such as the Internet)
Devices at the borders of two parts in a network
Devices on the access control port
The ACL statements are evaluated strictly in the order of the table. Starting from the first statement, once the header
of a packet matches a conditional statement, the remaining statements are ignored.
When detailed filtering rules are formulated, all or some of the above eight items may be used. As soon as a packet
matches an ACE, the ACL processes the packet as that ACE defines (permit or deny). The ACE of an ACL identifies
Ethernet packets by some of their fields, which include the following:
Layer-2 fields:
Layer 3 fields:
Source IP address field (you can specify all 32 bits of the IP address, or specify a class of streams from a defined
subnet)
Destination IP address field (you can specify all 32 bits of the IP address, or specify a class of streams from a
defined subnet)
Protocol type field
Layer-4 fields:
You can specify one TCP source port, destination port, or both
You can specify one UDP source port, destination port, or both
The filtering domain consists of the packet fields by which packets are identified and classified when you create an
ACE. A filtering domain template is the definition formed by these fields. For example, when one ACE is generated, you
want to identify and classify packets by their destination IP field; when another ACE is generated, you want to identify
and classify packets by their source IP address field and their UDP source port field. These two ACEs therefore use
different filtering domain templates.
Rules are the values of the ACE mask. For example, take the ACE permit tcp host 192.168.12.2 any eq telnet:
In this ACE, the filtering domain template is the collection of the following fields: source IP address, IP protocol
and destination TCP port. The corresponding values (rules) are: source IP address = host 192.168.12.2; IP protocol = tcp;
TCP destination port = telnet.
Figure 1-2 Analysis of the ACE: permit tcp host 192.168.12.2 any eq telnet
A filtering domain template can be the collection of L3 fields (Layer 3 Field) and L4 fields (Layer 4 Field), or the
collection of multiple L2 fields (Layer 2 Field). However, the filtering domain template of a standard or extended
ACL cannot combine L2 fields with L3 or L4 fields (L2 and L3, L2 and L4, or L2, L3 and L4). To use the combination
of L2, L3 and L4 fields, apply an Expert ACL.
When associating an ACL with an SVI in the outbound direction, note the following:
Standard IP ACLs, extended IP ACLs, extended MAC ACLs and expert ACLs are supported. There are some limits on
matching the destination IP address and the destination MAC address. If you configure a match on the
destination MAC address in an extended MAC ACL or expert ACL and apply the ACL to the outbound direction of an
SVI, the entry is set but does not take effect. If a standard IP ACL, extended IP ACL or expert ACL matches a
destination IP address that is not within the subnet of the associated SVI, the ACL does not take effect. For
example, VLAN 1's IP address is 192.168.64.1 255.255.255.0. If you create an ACL with the ACE deny udp any
192.168.65.1 0.0.0.255 eq 255 and apply it at the egress of VLAN 1, the ACL does not function because the
destination IP address is not within the subnet of VLAN 1. With the ACE deny udp any 192.168.64.1 0.0.0.255
eq 255, the ACL takes effect.
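Added example, not Ruijie's implementation: it parses ACEs in the CLI form used on this page (the figure's permit tcp host 192.168.12.2 any eq telnet and the deny udp ACEs from the SVI note above), matches constructed packets field by field using wildcard masks, evaluates statements in table order with the first match deciding, and checks the SVI outbound subnet condition described in the note. The port-name table, the packet model and the implicit deny at the end of the list are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names in the form used on this page (constructed mapping; extend as needed).
PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "domain": 53}
ALL_ONES = 0xFFFFFFFF


@dataclass
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    protocol: str                # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]         # (address, wildcard mask) as 32-bit ints
    dst: Tuple[int, int]
    dport: Optional[int] = None  # destination port for "eq", else None


@dataclass
class Packet:
    """Constructed packet header model: only the fields the ACEs here look at."""
    protocol: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_ace(seq: int, text: str) -> Ace:
    """Parse an ACE in the CLI form used on this page,
    e.g. 'permit tcp host 192.168.12.2 any eq telnet'."""
    t = text.split()
    action, protocol = t[0], t[1]
    src, i = _addr_spec(t, 2)
    dst, i = _addr_spec(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(seq, action, protocol, src, dst, dport)


def _addr_matches(spec: Tuple[int, int], addr: str) -> bool:
    base, wild = spec
    # Bits set in the wildcard mask are "don't care"; all other bits must agree.
    return ((int(ipaddress.IPv4Address(addr)) ^ base) & ~wild & ALL_ONES) == 0


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """Apply the ACE's filtering domain template field by field."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Statements are checked strictly in table order; the first match decides and
    later ACEs are ignored. A packet matching no ACE is denied (model assumption)."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def effective_on_svi_egress(ace: Ace, svi_interface: str) -> bool:
    """The note's condition: an IP/expert ACE applied outbound on an SVI only takes
    effect if its destination range overlaps the SVI subnet. svi_interface is the
    SVI address with prefix length, e.g. '192.168.64.1/24'."""
    net = ipaddress.IPv4Network(svi_interface, strict=False)
    base, wild = ace.dst
    # Bits fixed by both the ACE (not wildcarded) and the subnet mask must agree.
    common_fixed = ~wild & int(net.netmask) & ALL_ONES
    return ((base ^ int(net.network_address)) & common_fixed) == 0
```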
When an expert ACL is configured and applied to the outbound direction of an interface, the ACL's permit and
deny rules fail to control the non-IP packets transmitted on that interface if some ACEs in the ACL contain L3
matching information (such as an IP address or L4 port).
When an ACL is applied, matching of tagged MPLS packets is invalid if the ACEs in the ACL (including IP access
lists and expert extended access lists) match non-L2 fields (such as SIP and DIP).
ACL logging
To let you learn the ACL running status on the device, you decide whether to specify the output option for
packet-matching logs on an ACE. If the option is specified, packet-matching log information is exported when the
matching rule is hit. The ACL logging information contains the ACE log information: the device periodically records
the ACE information, including the number of packets that matched the ACE. The following is an example:
*Sep 9 16:23:06: %ACL-6-MATCH: ACL 100 ACE 10 permit icmp any any, match 78 packets.
To properly control the number and frequency of exporting logs, ACL logging supports the configuration of the log output
intervals, involving configuring log output intervals respectively for IPv4 ACL and IPv6 ACL.
Configuration Guide Configuring ACL
An ACE with the ACL logging option uses more hardware resources. If all the configured ACEs carry the ACL
logging option, the ACE capacity on the device decreases by half.
By default, the log output interval is 0 for ACL logging. That is, no log is exported. After you specify the ACE
output option for packet-matching logs, you need to configure the output interval for ACL logging, so that the
required logs can be exported.
For an ACE with the ACL logging option:
No packet-matching log related to the ACE is exported if no packet is matched within the specified interval;
Packet-matching logs related to the ACE are exported after the time interval is due if packets are matched
with the specified interval. Specifically, the packet hit count is the number of packets matched with the ACE
within the interval, counted from the last time the ACE exports logs to the current time the ACE exports logs.
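The interval rules above decide how many %ACL-6-MATCH lines a collector will see and what the count in each line means. The following added example (constructed, not RGOS code) models one ACE's log interval and includes a parser for the exported line so a log pipeline can turn it into a record. Timestamps are plain seconds, and the 0 interval reproduces the default of exporting nothing.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed model, not RGOS code, of the per-ACE log interval described above,
# plus a parser for the %ACL-6-MATCH line shown in the guide.

LOG_RE = re.compile(
    r"%ACL-6-MATCH: ACL (?P<acl>\S+) ACE (?P<ace>\d+) (?P<rule>.+?), match (?P<count>\d+) packets\."
)

def parse_acl_match_log(line: str) -> Optional[dict]:
    """Turn one ACL match log line into a record; None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ace"], rec["count"] = int(rec["ace"]), int(rec["count"])
    return rec

@dataclass
class AceLogger:
    acl: str
    ace: int
    rule: str
    interval: int          # log output interval in seconds; 0 (the default) exports nothing
    hits: int = 0          # packets matched since the last export
    window_start: int = 0  # time the current interval began

    def packet_matched(self) -> None:
        self.hits += 1

    def tick(self, now: int) -> Optional[str]:
        """Call periodically. Returns a log line once the interval is due and at
        least one packet matched since the last export; otherwise None."""
        if self.interval == 0 or now - self.window_start < self.interval:
            return None
        self.window_start = now
        if self.hits == 0:
            return None        # nothing matched in this interval: no log is exported
        count, self.hits = self.hits, 0
        return f"%ACL-6-MATCH: ACL {self.acl} ACE {self.ace} {self.rule}, match {count} packets."

if __name__ == "__main__":
    lg = AceLogger("100", 10, "permit icmp any any", interval=60)
    for _ in range(78):
        lg.packet_matched()
    line = lg.tick(60)
    print(line)
    print(parse_acl_match_log("*Sep 9 16:23:06: " + line))
```

Because the count is the number of matches since the previous export, a collector that sums the count field over time gets the total hit count of the ACE, and an absence of lines for an ACE means no matches in that interval rather than a logging failure.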
Configuration
When you create an access list, the defined rules are applied to all packets on the switch. The switch decides
whether to forward or block a packet by checking whether the packet matches a rule.
Basic Access Lists include standard access lists and extended access lists. The typical rules defined in access lists are
the following:
Source address
Destination address
Upper layer protocol
Time range
Standard IP access lists (1 – 99, 1300 – 1999) forward or block packets according to source addresses. Extended IP
access lists (100 – 199, 2000 – 2699) use combinations of the above four criteria to forward or block packets. Other
types of access lists forward or block packets according to related codes.
A single access list can use multiple separate access list sentences to define multiple rules, all of which use the
same number or name to bind them to the same access list. However, the more sentences are used, the more
difficult the access list is to read and understand.
The ending part of each access list implies a "deny any data flow" rule sentence. Therefore, if a packet matches no
rule, it is denied, as shown in the following example:
This list allows only the message of host 192.168.4.12 and denies any other host. This is because the list contains the
following rule statement at the end: access-list 1 deny any
If the list contains the only statement above, the messages from any host will be denied on the port.
Consider routing update messages when defining an access list. Since the end of the access list "denies all
data flow", it may cause all routing update messages to be blocked.
Each added rule is appended to the access list. If a sentence is created, then you cannot delete it separately and can only
delete the whole access list. Therefore, the order of access list sentences is very important. When deciding whether to
forward or block packets, a switch compares packets and sentences in the order of sentence creation. After finding a
matching sentence, it will not check other rule sentences.
If you have created a sentence and it allows all data flows to pass, then the following sentences will not be checked, as
shown in the following example:
Because the first rule sentence denies all IP packets, telnet packets from hosts on the 192.168.12.0/24 network are
denied. Because the switch finds that the packets match the first rule sentence, it does not check the other rule
sentences.
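The two behaviours described above, first match wins and an implicit deny at the end, are what make ACE order matter. The following added example (constructed, not RGOS code) models them with wildcard-mask matching and replays the two cases from the text: a list that permits only host 192.168.4.12, and a list whose leading "deny ip any any" shadows a later telnet permit. The packet and ACE values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of first-match ACL evaluation, not RGOS code.

def in_wildcard(ip: str, addr: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    i, a, w = (int(ipaddress.IPv4Address(x)) for x in (ip, addr, wildcard))
    return (i & ~w) == (a & ~w)

ANY = ("0.0.0.0", "255.255.255.255")   # "any": every address matches

@dataclass
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" (any IP protocol), "tcp", "udp", "icmp"
    src: str = ANY[0]
    src_wc: str = ANY[1]
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dport: Optional[int] = None         # None: any destination port

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if not in_wildcard(pkt["src"], self.src, self.src_wc):
            return False
        if not in_wildcard(pkt["dst"], self.dst, self.dst_wc):
            return False
        return self.dport is None or pkt.get("dport") == self.dport

def evaluate(acl: List[Ace], pkt: dict) -> str:
    """Walk the ACEs in creation order; the first match decides; otherwise implicit deny."""
    for n, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return f"{ace.action} (ACE {n})"
    return "deny (implicit deny any)"

# A list that permits only host 192.168.4.12, as described above.
ACL_SINGLE_HOST = [Ace("permit", "ip", "192.168.4.12", "0.0.0.0")]

# "deny ip any any" placed first: the telnet permit after it can never be reached.
ACL_MISORDERED = [
    Ace("deny", "ip"),
    Ace("permit", "tcp", "192.168.12.0", "0.0.0.255", dport=23),
]
# The same two ACEs in the intended order.
ACL_ORDERED = list(reversed(ACL_MISORDERED))

# Constructed packet: telnet from a 192.168.12.0/24 host.
TELNET_FROM_12 = {"proto": "tcp", "src": "192.168.12.7", "dst": "10.1.1.1", "dport": 23}

if __name__ == "__main__":
    for name, acl in (("single host", ACL_SINGLE_HOST),
                      ("misordered", ACL_MISORDERED), ("ordered", ACL_ORDERED)):
        print(f"{name:12} -> {evaluate(acl, TELNET_FROM_12)}")
```

Because a sentence cannot be removed individually from a numbered list built this way, the cheap check is to evaluate the intended traffic against the list before applying it, as the script does, rather than after a lockout.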
The configuration of the basic access list includes the following steps:
Method 1:
Command Function
Ruijie(config)# access-list id { deny | permit } { src src-wildcard | host src | any | interface idx } [ time-range tm-rng-name ]
    Defines an access list.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ip access-group id { in | out }
    Applies the access list to the specified interface.
Method 2:
Command Function
Ruijie(config)# ip access-list { standard | extended } { id | name }
    Enters the access list configuration mode.
Ruijie(config-xxx-nacl)# [ sn ] { permit | deny } { src src-wildcard | host src | any } [ time-range tm-rng-name ]
    Adds table entries for the ACL. For details, see the command reference.
Ruijie(config-xxx-nacl)# exit
    Exits from the access control list mode.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ip access-group id { in | out }
    Applies the access list to the specified interface.
Method 1 only configures the numerical value ACL. Method 2 can configure the names and numerical value
ACL, and specify the table entry priorities (in the devices that support ACE priorities).
Displaying IP ACL
To monitor access lists, run the following command in privileged EXEC mode:
Command Function
Ruijie# show access-lists [ id | name ] [ summary ]
    Displays the access list.
Configuration example:
When a MAC access list is created, the defined rules are applied to all packets on the switch. The switch decides
whether to forward or block a packet by checking whether the packet matches a rule.
The typical rules defined in MAC access lists are the following:
The MAC extended access list (number 700 – 799) forwards or blocks the packets based on the source and destination
MAC addresses, and can also match the Ethernet protocol type.
A single MAC access list can use multiple separate access list sentences to define multiple rules, all of which
use the same number or name to bind them to the same access list.
Command Function
Ruijie(config)# access-list id { deny | permit } { any | host src-mac-addr } { any | host dst-mac-addr } [ ethernet-type ] [ cos cos ]
    Defines an access list. For details about commands, see the command reference.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# mac access-group id { in | out }
    Applies the access list to the specified interface.
Command Function
Ruijie(config)# mac access-list extended { id | name }
    Enters the access list configuration mode.
Ruijie(config-mac-nacl)# [ sn ] { permit | deny } { any | host src-mac-addr } { any | host dst-mac-addr } [ ethernet-type ] [ cos cos ]
    Adds table entries for the ACL. For details about commands, see the command reference.
Ruijie(config-mac-nacl)# exit
    Exits from the access control list mode.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# mac access-group { id | name } { in | out }
    Applies the access list to the specified interface.
Method 1 only configures the numerical value ACL. Method 2 can configure the names and numerical value
ACL, and specify the table entry priorities (in the devices that support ACE priorities).
To monitor access lists, run the following command in privileged EXEC mode:
Command Function
Ruijie# show access-lists [ id | name ]
    Displays the basic access list.
When you create an expert extended access list, the defined rules are applied to all packets on the switch. The
switch decides whether to forward or block a packet by checking whether the packet matches a rule.
The typical rules defined in expert access lists are the following:
All information in basic access lists and MAC extended access lists
VLAN ID
Expert extended access lists (2700 – 2899) are the syntheses of basic access lists and MAC extended access lists and
can filter VLAN IDs.
A single expert access list can use multiple separate access list sentences to define multiple rules, all of which
use the same number or name to bind them to the same access list.
Command Function
Ruijie(config)# access-list id { deny | permit } [ prot | { [ ethernet-type ] [ cos cos ] } ] [ vid vid ] { src src-wildcard | host src | interface idx } { host src-mac-addr | any } { dst dst-wildcard | host dst | any } { host dst-mac-addr | any } ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragment ] [ time-range tm-rng-name ]
    Defines an access list. For details about commands, see the command reference.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# expert access-group { id | name } { in | out }
    Applies the access list to the specified interface.
Command Function
Ruijie(config)# expert access-list extended { id | name }
    Enters the access list configuration mode.
Ruijie(config-exp-nacl)# [ sn ] { permit | deny } [ prot | { [ ethernet-type ] [ cos cos ] } ] [ vid vid ] { src src-wildcard | host src | interface idx } { host src-mac-addr | any } { dst dst-wildcard | host dst | any } { host dst-mac-addr | any } ] [ precedence precedence ] [ tos tos ] [ dscp dscp ] [ fragment ] [ time-range tm-rng-name ]
    Adds table entries for the ACL. For details about commands, see the command reference.
Ruijie(config-exp-nacl)# exit
    Exits from the access control list mode.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# expert access-group { id | name } { in | out }
    Applies the access list to the specified interface.
Method 1 only configures the numerical value ACL. Method 2 can configure names and the numerical value
ACL. In a version supporting priority table entries, method 2 can also specify the priorities of table entries
(the [sn] option in a command).
To monitor access lists, run the following command in privileged EXEC mode:
Command Function
Ruijie# show access-lists [ id | name ]
    Displays the expert access list.
Use the following method to configure a basic access list. Run the following commands in the ACL configuration mode:
Command Function
Ruijie(config)# ipv6 access-list name
    Enters the access list configuration mode.
Ruijie(config-ipv6-nacl)# [ sn ] { permit | deny } prot { src-ipv6-prefix/prefix-len | host src-ipv6-addr | any } { dst-ipv6-pfix/pfix-len | any | host dst-ipv6-addr } [ dscp dscp ] [ flow-label flow-label ] [ time-range tm-rng-name ]
    Adds table entries for the ACL. For details about commands, see the command reference.
Ruijie(config-ipv6-nacl)# exit
    Exits from the access control list mode.
Ruijie(config)# interface interface
    Selects the interface to which the access list is to be applied.
Ruijie(config-if)# ipv6 traffic-filter name { in | out }
    Applies the access list to the specified interface.
To monitor access lists, run the following command in privileged EXEC mode:
Command Function
Ruijie# show access-lists [ name ]
    Displays the basic access list.
Configuration example:
An IPv6 ACL supports any one of the following three matching areas:
sip, dip
An ACL cannot match all the above areas. Besides, the IPv6 ACL does not support fragment matching. When an
ACL matches sip and dip at the same time, it cannot also match the ICMP type and code or the source and
destination ports.
The SMAC, DMAC, SIP, DIP and ETYPE of packets are not counted in any of the arbitrary fields. In other words,
you can choose to match these fixed fields or any other 16 bytes.
For any 16-byte field, each bit can either be compared with the configured value or ignored. In other words, any bit
of those 16 bytes can be set to 0 or 1. Filtering arbitrary bytes involves two factors: the filtering rule and the filter
domain template, whose bits correspond one to one. The filtering rule specifies the value of the field to be filtered.
The filter domain template specifies whether each bit of the filtering rule is compared ("1" means the corresponding
bit of the filtering rule is matched, "0" means it is not). Therefore, to match a bit, set the corresponding bit of the
filter domain template to 1. If a filter domain template bit is 0, no match is performed on that bit, regardless of the
corresponding bit in the filtering rule.
Command Function
Ruijie(config)# expert access-list advanced name
    Creates an advanced expert access list and places the device in expert advanced access list configuration mode.
    name: name of the advanced expert access list.
For example,
The user-defined access control list matches any byte of the first 80 bytes of a layer-2 data frame according to the
user definition, and then processes the matched packets accordingly. To use a user-defined access control list
correctly, you need in-depth knowledge of the layer-2 data frame structure. The following illustrates the first 64
bytes of a layer-2 data frame (each letter indicates a hexadecimal digit, and every two letters indicate a byte).
AA AA AA AA AA AA BB BB BB BB BB BB CC CC DD DD
DD DD EE FF GG HH HH HH II II JJ KK LL LL MM MM
NN NN OO PP QQ QQ RR RR RR RR SS SS SS SS TT TT
UU UU VV VV VV VV WW WW WW WW XY ZZ aa aa bb bb
In the figure above, the meaning of each letter and the value of offset are shown below:
As shown in the above table, the offset of each field is its offset in the SNAP+tag 802.3 data frame. In a
user-defined access control list, the user uses two parameters, the rule mask and the offset, to extract any bytes
from the first 80 bytes of the data frame, and compares them with the user-defined rule to filter the matching
frames for corresponding processing. The user-defined rule can be a fixed attribute of the data. For example, to
filter all TCP packets, define the rule as "06", the rule mask as "FF" and the offset as 35. Here the rule mask and
offset together extract the IP protocol field from the received data frame, which is compared with the rule to filter
all TCP packets.
ACL80 supports matching against Ethernet packets, 802.3 SNAP packets, and 802.3 LLC packets. If the value
for matching the DSAP to ctrl field is set to AAAA03, it matches 802.3 SNAP packets. If the value is set to
E0E003, it matches 802.3 LLC packets. This field cannot be set to match Ethernet packets.
Configuration note:
ACL80 has only 16 bytes for matching. Once the 16 bytes are used, no field outside those 16 bytes can be
matched. For example:
The configuration will fail because the 16 bytes are used by the first ACE. To match the second ACE, you must firstly
delete the first ACE.
For example,
Allow the messages with a TCP Flag RST set and 0 in other positions to pass
Allow the packet whose TCP Flag RST or ACK is set to pass, disregarding whether other positions are set.
When the protocol of an ACE in a named or numbered ACL is TCP, you can choose to configure this flag
filtering feature. MAC extended and IP standard ACLs do not have this function.
Command Function
Ruijie(config)# ip access-list extended { id | name }
    Enters the access list configuration mode.
ACEs are sorted in ascending order of sequence number in the linked list.
If no number is specified, the new ACE takes the previous ACE's number plus the step, starting from the start
number.
If a number is specified, the ACE is inserted at its sorted position; the increment leaves room for a new ACE to be
inserted between two adjacent ACEs.
The ACL specifies the start point number and the number increment.
The ip access-list resequence {acl-id| acl-name} sn-start sn-inc command is available, with details in the related
command reference.
Whenever the above command is run, the ACEs will be re-sorted under the ACL list. For example, the ACE numbers
under the ACL named tst_acl is as follows:
In the beginning
ace1: 10
ace2: 20
ace3: 30
The ACE numbers are as follows after “ip access-list resequence tst_acl 100 3” is run:
When adding ace4 without entering sn-num, the numbers are as follows:
Ruijie(config-std-nacl)# permit …
ace1: 100
ace2: 103
ace3: 106
ace4: 109
When adding ace5 by entering seq-num = 105, the numbers are as follows:
Sequence numbers are what make it possible to add an ACE at a chosen position (priority).
Delete ACE
Ruijie(config-std-nacl)# no 106
ace1: 100
ace2: 103
ace5: 105
ace4: 109
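The following added example (constructed, not RGOS code) models the sequence-number behaviour just walked through: default numbering by step, resequencing with a new start and increment, insertion at an explicit number, and deletion by number. The ACE names ace1 to ace5 and the tst_acl values are the ones from the walkthrough.

```python
from typing import Dict, List, Optional, Tuple

# Constructed model of ACE sequence numbers, not RGOS code.

class SequencedAcl:
    def __init__(self, start: int = 10, step: int = 10) -> None:
        self.start, self.step = start, step
        self.aces: List[Tuple[int, str]] = []   # (sequence number, ACE text), ascending

    def add(self, text: str, sn: Optional[int] = None) -> int:
        """Append with the next number (last + step), or insert at an explicit number."""
        if sn is None:
            sn = self.aces[-1][0] + self.step if self.aces else self.start
        if any(s == sn for s, _ in self.aces):
            raise ValueError(f"sequence number {sn} is already in use")
        self.aces.append((sn, text))
        self.aces.sort()                          # keep the list ordered by number
        return sn

    def remove(self, sn: int) -> None:
        """'no <sn>': delete the ACE with that number."""
        remaining = [(s, t) for s, t in self.aces if s != sn]
        if len(remaining) == len(self.aces):
            raise KeyError(sn)
        self.aces = remaining

    def resequence(self, sn_start: int, sn_inc: int) -> None:
        """'ip access-list resequence <acl> sn-start sn-inc': renumber in current order."""
        self.start, self.step = sn_start, sn_inc
        self.aces = [(sn_start + i * sn_inc, t) for i, (_, t) in enumerate(self.aces)]

    def numbers(self) -> Dict[str, int]:
        return {t: s for s, t in self.aces}

    def order(self) -> List[str]:
        return [t for _, t in self.aces]

if __name__ == "__main__":
    tst_acl = SequencedAcl()
    for name in ("ace1", "ace2", "ace3"):
        tst_acl.add(name)
    tst_acl.resequence(100, 3)
    tst_acl.add("ace4")          # 109
    tst_acl.add("ace5", 105)     # inserted between 103 and 106
    tst_acl.remove(106)          # no 106
    for sn, text in tst_acl.aces:
        print(f"{text}: {sn}")
```

Resequencing changes the numbers but never the relative order, which is why it is safe to run before inserting a new ACE into a list whose increment has been exhausted.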
Time-Range implementation depends on the system clock. If you want to use this function, you must assure that the
system has a reliable clock.
In the privileged configuration mode, you can create a time-range by performing the following steps:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# time-range time-range-name
    Identifies a time-range by using a meaningful display character string as its name.
Ruijie(config-time-range)# absolute [ start time date ] end time date
    Sets the absolute time range (optional). For details, see the configuration guide of time-range.
Ruijie(config-time-range)# periodic day-of-the-week time to [ day-of-the-week ] time
    Sets the periodic time range (optional).
Ruijie# show time-range
    Verifies the configurations.
Ruijie# copy running-config startup-config
    Saves the configuration.
Ruijie(config)# ip access-list extended 101
    Enters the ACL configuration mode.
Ruijie(config-ext-nacl)# permit ip any any time-range time-range-name
    Configures the ACE with a time-range.
The length of the name should be 1-32 characters, which should not include any space.
You can set one absolute time range at most. The application based on time-ranges will be valid only in this
time range.
You can set one or more periodic intervals. If you have already set a running time range for the time-range,
the application takes effect at periodic intervals in that time range.
The following example shows how to deny HTTP data streams during the working hours in a week by using the ACLs as
example:
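The following added example (constructed, not RGOS code) models how a time-range decides whether a time-based ACE is active, following the rules above: one optional absolute range, one or more periodic entries, and periodic entries counting only inside the absolute range. It then applies that to the working-hours HTTP deny described here. Assumptions: the optional ending day-of-week of a periodic entry is not modelled (each entry starts and ends on the same day), the end time is exclusive, and a time-range with neither kind of entry is treated as inactive; the dates are constructed.

```python
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed model of time-range evaluation, not RGOS code.

DAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
        "friday": 4, "saturday": 5, "sunday": 6}
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}

def parse_hm(text: str) -> Tuple[int, int]:
    h, m = text.split(":")
    return int(h), int(m)

class TimeRange:
    def __init__(self, name: str) -> None:
        if not 1 <= len(name) <= 32 or " " in name:
            raise ValueError("name must be 1-32 characters and contain no space")
        self.name = name
        self.absolute: Optional[Tuple[Optional[datetime], datetime]] = None   # at most one
        self.periodic: List[Tuple[Set[int], Tuple[int, int], Tuple[int, int]]] = []

    def set_absolute(self, end: datetime, start: Optional[datetime] = None) -> None:
        """'absolute [start time date] end time date'"""
        self.absolute = (start, end)

    def add_periodic(self, days: str, start: str, end: str) -> None:
        """'periodic day-of-the-week time to time' (same-day entries only, assumption)."""
        dayset = DAY_GROUPS.get(days.lower()) or {DAYS[days.lower()]}
        self.periodic.append((dayset, parse_hm(start), parse_hm(end)))

    def active(self, now: datetime) -> bool:
        if self.absolute is not None:
            start, end = self.absolute
            if (start is not None and now < start) or now > end:
                return False              # outside the absolute range: never active
        if not self.periodic:
            return self.absolute is not None   # assumption: no entries at all means inactive
        hm = (now.hour, now.minute)
        return any(now.weekday() in d and s <= hm < e for d, s, e in self.periodic)

def http_permitted(now: datetime, worktime: TimeRange) -> bool:
    """Model of 'deny tcp any any eq www time-range worktime' followed by
    'permit ip any any': HTTP is dropped while the time-range is active."""
    return not worktime.active(now)

# Constructed time-range: working hours, Monday to Friday.
WORKTIME = TimeRange("worktime")
WORKTIME.add_periodic("weekdays", "9:00", "18:00")

if __name__ == "__main__":
    for when in (datetime(2024, 1, 8, 10, 0), datetime(2024, 1, 8, 20, 0),
                 datetime(2024, 1, 13, 10, 0)):
        print(when, "HTTP permitted:", http_permitted(when, WORKTIME))
```

Because the evaluation depends entirely on the device clock, an unsynchronised clock silently turns a working-hours deny into an always-permit or an always-deny; verifying the clock source is part of deploying a time-based ACE.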
Note that the "deny" behavior of an ACL is invalid when applied to a security tunnel. In addition, the ACL ending
part contains no "deny any" rule sentence. If a packet does not meet the matching criteria of the security
tunnel, the packet proceeds to the access control check as required by the process.
You can set a maximum of eight exceptional interfaces for each global security tunnel. Besides, an
exceptional interface of a global security tunnel cannot be used to set an interface-based security tunnel.
Existing access control functions involve 802.1x authentication, port security, global IP+MAC binding, GSN
binding, and IP Source Guard.
A security tunnel is invalid when the interface-based movable authentication mode is enabled.
In the privileged configuration mode, execute the following commands to configure a global security tunnel:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# security global access-group acl-name
    Configures a global security tunnel.
In the privileged configuration mode, execute the following commands to set an exception port:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# interface interface-id
    Enters the interface configuration mode.
Ruijie(config-if)# security uplink enable
    Sets the interface as an exception port.
In the privileged configuration mode, execute the following commands to configure a security tunnel on the interface:
Command Function
The following example shows how to configure a security tunnel on a security port where IP+MAC binding is configured,
so that IPX packets can pass:
Set port 4 as security port and bind IP address and MAC address
Only the packets whose source IP address is 192.168.6.3 and MAC address is 0000.0000.0011 can flow in the device
from port 4. To receive IPX packets, set a security tunnel as follows:
Global security tunnel:
Ruijie#configure
Ruijie(config)#expert access-list extended safe_channel
Ruijie(config-exp-nacl)#permit ipx any any
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group safe_channel
Interface-based security tunnel:
Ruijie#configure
Ruijie(config)#expert access-list extended safe_channel
Ruijie(config-exp-nacl)#permit ipx any any
Ruijie(config-exp-nacl)#exit
Ruijie(config)#interface FastEthernet 0/4
Ruijie(config-if)#security access-group safe_channel
Up to one ACL remark and 2048 ACE remarks can be configured in one ACL.
In the privileged configuration mode, execute the following commands to configure the ACL remark:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# ip access-list standard id
    Enters the ACL configuration mode.
You can also execute the following commands to set the ACL remark:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# access-list id list-remark comment
    Sets the ACL remark. The procedure is similar for other types of ACLs.
In the privileged configuration mode, execute the following commands to configure the ACE remark:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# ip access-list standard id
    Enters the ACL configuration mode.
Ruijie(config-std-nacl)# remark comment
    Configures the ACE remark.
You can also execute the following commands to set the ACE remark:
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# access-list id remark comment
    Sets the ACE remark. The procedure is similar for other types of ACLs.
The following example configures the ACL remark and the ACE remark:
To realize the features of Router ACLs on SVI ACL, SVI Router ACLs enabling command is provided on Ruijie switches.
After enabling this command, the ACL applied to SVI will only apply to the layer 3 packets forwarded between VLANs, and
will not apply to the bridge forwarded packets within the VLAN.
Default Configuration
By default, SVI Router ACLs is disabled. SVI ACL applies to both inter-VLAN layer 3 packets and intra-VLAN
bridge-forwarded packets.
Command Function
Ruijie# configure terminal
    Enters the global configuration mode.
Ruijie(config)# [no] svi router-acls enable
    Enables/disables the SVI Router ACLs.
Configuration Examples
IP ACL Example
Configuration requirements:
It is required to implement the following security functions by configuring access lists on device B.
Hosts at the 192.168.12.0/24 network section can only access the remote UNIX host TELNET service during the normal
working time period and deny the PING service.
On the device B console, access to any of the services of hosts at the 192.168.202.0/24 network section is denied.
The above case simplifies the application in the bank system. Namely, it only allows the hosts on the Local
Area Network of branches or savings agencies to access the central host and disallows accessing the
central host on the device.
Equipment Configuration
Device B configuration:
Ruijie(config)# access-list 101 permit tcp 192.168.12.0 0.0.0.255 any eq telnet time-range check
Ruijie(config)# access-list 101 deny icmp 192.168.12.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip 2.2.2.0 0.0.0.255 any
Ruijie(config)# access-list 101 deny ip any any
For access list 101, the last rule sentence "access-list 101 deny ip any any" is not needed, because the ending
part of an access list implies a "deny any" rule sentence.
Device A configuration:
The 0013.2049.8272 host using the ipx protocol cannot access the giga 0/1 port of a device.
It can access other ports.
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# mac access-list extended mac-list
Ruijie(config-mac-nacl)# deny host 0013.2049.8272 any ipx
Ruijie(config-mac-nacl)# permit any any
Ruijie(config-mac-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# mac access-group mac-list in
Ruijie(config-if)# end
Ruijie# show access-lists
mac access-list extended mac-list
deny host 0013.2049.8272 any ipx
permit any any
For access lists, ”permit any any” cannot be discarded, for the ending part of an access list implicates a “deny
any” rule sentence.
The 0013.2049.8272 host using VLAN 20 cannot access the giga 0/1 port of a device.
It cannot access other ports.
Ruijie> enable
Ruijie# config terminal
Ruijie(config)# expert access-list extended expert-list
Ruijie(config-exp-nacl)# permit ip vid 20 any host 0013.2049.8272 any any
Ruijie(config-exp-nacl)# deny any any any any
Ruijie(config-exp-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# expert access-group expert-list in
Ruijie(config-if)# end
Ruijie# show access-lists
expert access-list extended expert-list
permit ip vid 20 any host 0013.2049.8272 any any
deny any any any any
Ruijie(config-ipv6-nacl)# exit
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)# ipv6 traffic-filter v6-list in
Ruijie(config-if)# end
Ruijie# show access-lists
ipv6 access-list extended v6-list
permit ipv6 ::192.168.4.12 any
deny any any
Configuration Requirements
For the security of network A, the hosts in network A are allowed to originate the TCP connection request to the hosts in
network B. However, the hosts of network B are not allowed to originate the TCP communication requests to network A.
Topology View
As shown in the above figure, two networks are connected through an intermediate device. Network A connects to the
G3/1 port of the device and network B connects to the G3/2 port of the device.
Analysis
By filtering the packets of TCP connection request originated by network B on the G3/2 port of the device, you can block
the TCP connection request from hosts in network B to network A. According to the analysis of a TCP connection,
the initial TCP request packet has the SYN bit of the flag field in the TCP header set to 1 and the ACK bit set to 0.
Therefore, to allow network A to access network B in one direction only, configure the match-all option of the
extended ACL with SYN set to 1 and ACK set to 0 on the inbound direction of the G3/2 port.
Configuration Steps
# Deny the packets whose SYN is 1 and permit other packets whose SYN is 0 (including ACK)
Ruijie(config-ext-nacl)# exit
Ruijie(config)# interface vlan 1
Ruijie(config-if)# ip address 1.1.1.1 255.255.255.0
Ruijie(config)# interface gigabitEthernet 0/1
Ruijie(config-if)#ip access-group ifaddr in
# In the privileged EXEC mode, use the show command to display related configuration of ACL
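The following added example (constructed, not RGOS code) models the TCP flag matching behind this one-way policy and behind the two cases listed in the TCP flag filtering section earlier (RST set with every other flag clear; RST or ACK set, other flags disregarded). The flag bit values are the standard TCP header bits; the policy function reproduces the decision for the inbound direction of the port facing network B.

```python
from functools import reduce
from typing import Iterable

# Constructed model of TCP flag matching, not RGOS code.

TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

def flags_value(names: Iterable[str]) -> int:
    """Combine named flags into the bit pattern found in the TCP header."""
    return reduce(lambda acc, n: acc | TCP_FLAGS[n], names, 0)

def match_all(pkt_flags: int, must_set: Iterable[str], must_clear: Iterable[str] = ()) -> bool:
    """match-all: every flag in must_set is 1 and every flag in must_clear is 0.
    Flags named in neither list are ignored."""
    s, c = flags_value(must_set), flags_value(must_clear)
    return (pkt_flags & s) == s and (pkt_flags & c) == 0

def match_any(pkt_flags: int, names: Iterable[str]) -> bool:
    """match-any: at least one of the named flags is set."""
    return (pkt_flags & flags_value(names)) != 0

OTHERS_THAN_RST = [n for n in TCP_FLAGS if n != "rst"]

def rst_only(pkt_flags: int) -> bool:
    """RST set and 0 in every other position."""
    return match_all(pkt_flags, ["rst"], OTHERS_THAN_RST)

def rst_or_ack(pkt_flags: int) -> bool:
    """RST or ACK set, disregarding whether other positions are set."""
    return match_any(pkt_flags, ["rst", "ack"])

def one_way_tcp_policy(pkt_flags: int) -> str:
    """Inbound on the port facing network B: deny connection requests (SYN=1, ACK=0);
    everything else, including SYN+ACK replies to connections that network A
    opened, is permitted."""
    return "deny" if match_all(pkt_flags, ["syn"], ["ack"]) else "permit"

if __name__ == "__main__":
    for name, flags in (("SYN", 0x02), ("SYN+ACK", 0x12), ("ACK", 0x10), ("RST", 0x04)):
        print(f"{name:8} inbound from B -> {one_way_tcp_policy(flags)}")
```

The policy only blocks the first packet of a B-initiated handshake; data and acknowledgement segments of connections that A opened carry ACK=1 and pass, which is exactly the asymmetry the requirement asks for.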
Figure 1-4
The access switch (Switch C) connecting PCs of respective departments is connected to the convergence switch through
1000M optical fiber cable (trunk mode).
The convergence switch (Switch B) assigns one VLAN for each department and is connected to the core switch through
10G optical fiber cable (trunk mode).
The core switch (Switch A) is connected with multiple servers, such as FTP, HTTP server and etc, and is connected to
Internet through firewall.
Networking Requirements
The above scenario of Intranet ACL application mainly involves the following needs:
Internet viruses are almost everywhere. Various vulnerable ports must be blocked in order to guarantee Intranet security.
Only the internal PCs can access the servers. External PCs are not allowed to access the servers.
PCs other than the finance department cannot access PCs of finance department; PCs other than the development
department cannot access PCs of development department.
QQ, MSN and other IM applications cannot be used by the staff of development department during working hours (namely
9:00-18:00).
Configuration Tips
The viruses can be avoided by configuring extended ACL on the router-connecting port (G2/1) of core switch
(SwitchA) to filter packets destined for relevant ports.
As for the requirement that internal PCs can access the servers while external PCs are not allowed to access these
servers, we can define the IP extended ACL and apply to ports (G2/2, SVI2) of the core switch (SwitchA) that
connect with the convergence switch and server.
As for the requirement that specific departments cannot access each other, we can define the IP extended ACL
(apply IP extended ACL to G0/22 and G0/23 of Switch B).
Configuring a time- and IP-based extended ACL prevents the development department from using QQ/MSN and other IM
applications during a specific period (apply the time- and IP-based extended ACL to SVI2 of Switch B).
Configuration Steps
The worm viruses on the network will create a TFTP server on the local port of "udp/69" in order to transmit the
binary virus program to other infected systems. While selecting the destination IP address, the worms will
generally select the IP of subnet to which the infected system belongs, and then randomly select the attack
target on Internet as per certain algorithm. Once the connection is established, the worms will send attack
data to TCP ports (135, 445, 593, 1025, 5554, 9995, and 9996), UDP ports (136, 445, 593, 1433, and 1434)
and UDP/TCP ports (135, 137, 138, and 139) of targets. If the attack is successful, TCP/4444 port of target
system will be used as the backdoor port. After that, worms will connect to this port and send TFTP
command in order to transmit virus file to the target system and run the file. The infected server will send
substantive invalid data packets to the network, thus wasting network bandwidth and even causing failure of
network devices and the network. In such a case, the extended ACL can be used to filter data packets
destined for these ports.
A#configure terminal
A(config)#ip access-list extended Virus_Defence
! Block packets destined for internal and external TCP ports which may have been used by viruses.
! Block packets destined for internal and external UDP ports which may have been used by viruses.
Step 2: Apply the ACL Virus_Defence to the router-connecting interface of the core device.
! Apply the ACL Virus_Defence in the IN direction of G2/1 to block virus packets from an external network.
Step 3: Define the ACL access_server that permits only Intranet PCs to access the server.
! Permit only specified Intranet PCs to access the server (IP address being 192.168.4.100).
Step 4: Apply the ACL access_server to the interfaces connecting to the convergence device and the server.
! Create a VLAN.
A(config)#vlan 2
A(config-vlan)#exit
A(config)#interface gigabitEthernet 2/48
A(config)#interface vlan 2
A(config-if-VLAN 2)# ip access-group access_server in
A(config-if-VLAN 2)# ip address 192.168.4.2 255.255.255.0
A(config-ext-nacl)#end
Configure the convergence switch: Switch B
B#configure terminal
! Prohibit the finance department and market department from accessing the development department.
! Prohibit the development department and market department from accessing the finance department.
B(config)#interface vlan 2
B(config-if)#ip address 192.168.1.100 255.255.255.0
B(config)#interface vlan 3
B(config-if)#ip address 192.168.2.100 255.255.255.0
B(config)#interface vlan 4
B(config-if)#ip address 192.168.4.1 255.255.255.0
B#configure terminal
B(config)#time-range worktime
B(config-time-range)#periodic weekdays 9:00 to 18:00
B#configure terminal
! Prohibit all hosts of development department from using QQ, MSN and other IM applications during 9:00-18:00 of every
working day.
B(config)#interface vlan 2
B(config-if)#ip access-group yanfa in
Verification
Step 1: Verify whether ACE entries are correct. The key is that whether the precedence order of entries is correct and
whether entries are effective.
SwitchA#show access-lists
ip access-list extended Virus_Defence
10 deny tcp any any eq 135
20 deny tcp any eq 135 any
30 deny tcp any eq 4444 any
40 deny tcp any any eq 5554
50 deny tcp any eq 5554 any
60 deny tcp any any eq 9995
70 deny tcp any eq 9995 any
80 deny tcp any any eq 9996
90 deny tcp any eq 9996 any
100 deny udp any any eq tftp
110 deny udp any eq tftp any
120 deny udp any any eq 135
130 deny udp any eq 135 any
140 deny udp any any eq netbios-ns
150 deny udp any eq netbios-ns any
160 deny udp any any eq netbios-dgm
170 deny udp any eq netbios-dgm any
180 deny udp any any eq netbios-ss
190 deny udp any eq netbios-ss any
200 deny udp any any eq 445
210 deny udp any eq 445 any
220 deny udp any any eq 593
230 deny udp any eq 593 any
240 deny udp any any eq 1433
250 deny udp any eq 1433 any
260 deny udp any any eq 1434
270 deny udp any eq 1434 any
280 deny tcp any any eq 136
290 deny tcp any eq 136 any
120 deny udp 192.168.1.0 0.0.0.255 eq 6004 any time-range worktime (active)
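As an added illustration (not part of the guide), a small Python checker for output in the show access-lists layout above: it parses each ACE, confirms the sequence numbers ascend, reports any-to-any denies that cover a port in only one direction, and flags inactive time-range entries. The embedded ACE list is a constructed subset of the page's Virus_Defence output; on it, TCP 4444 comes out as denied only as a source port, matching entry 30 above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: a subset of the Virus_Defence entries shown on the page,
# plus the time-range entry, in the "show access-lists" layout.
SAMPLE_OUTPUT = """\
ip access-list extended Virus_Defence
10 deny tcp any any eq 135
20 deny tcp any eq 135 any
30 deny tcp any eq 4444 any
40 deny tcp any any eq 5554
50 deny tcp any eq 5554 any
100 deny udp any any eq tftp
110 deny udp any eq tftp any
120 deny udp 192.168.1.0 0.0.0.255 eq 6004 any time-range worktime (active)
"""

# One ACE line: seq, action, protocol, source (any | addr wildcard) [eq sport],
# destination (any | addr wildcard) [eq dport] [time-range NAME (state)]
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|\S+\s+\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"(?P<dst>any|\S+\s+\S+)(?:\s+eq\s+(?P<dport>\S+))?"
    r"(?:\s+time-range\s+(?P<trange>\S+)\s+\((?P<state>\w+)\))?\s*$"
)


@dataclass
class Ace:
    seq: int
    action: str
    proto: str
    src: str
    sport: Optional[str]
    dst: str
    dport: Optional[str]
    trange: Optional[str]
    state: Optional[str]


def parse_access_list(text: str) -> Tuple[str, List[Ace]]:
    """Return (ACL name, ACEs in the order the device lists them)."""
    name, aces = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ip access-list"):
            name = line.split()[-1]
            continue
        m = ACE_RE.match(line)
        if not m:
            continue  # blank lines or unrelated text pasted into the capture
        d = m.groupdict()
        aces.append(Ace(int(d["seq"]), d["action"], d["proto"], d["src"],
                        d["sport"], d["dst"], d["dport"], d["trange"], d["state"]))
    return name, aces


def sequence_in_order(aces: List[Ace]) -> bool:
    """Precedence check: sequence numbers must strictly increase down the list."""
    seqs = [a.seq for a in aces]
    return all(later > earlier for earlier, later in zip(seqs, seqs[1:]))


def one_directional(aces: List[Ace]) -> Set[Tuple[str, str]]:
    """Ports an any-to-any deny blocks as destination but not as source, or vice versa."""
    full = [a for a in aces if a.action == "deny" and a.src == "any" and a.dst == "any"]
    to_port = {(a.proto, a.dport) for a in full if a.dport}
    from_port = {(a.proto, a.sport) for a in full if a.sport}
    return to_port ^ from_port


def inactive_time_ranges(aces: List[Ace]) -> List[int]:
    """Sequence numbers of time-range entries the device does not report as active."""
    return [a.seq for a in aces if a.trange and a.state != "active"]


if __name__ == "__main__":
    acl_name, entries = parse_access_list(SAMPLE_OUTPUT)
    print(acl_name, "entries:", len(entries), "ordered:", sequence_in_order(entries))
    print("blocked in one direction only:", one_directional(entries))
    print("inactive time-range entries:", inactive_time_ranges(entries))
```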
Step 2: Verify whether the ACL configurations are complete. The key is whether the correct ACL has been applied to the specified interface.
Device A configuration:
A#show run
interface GigabitEthernet 2/1
no switchport
no ip proxy-arp
ip access-group Virus_Defence in
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet 2/2
switchport mode trunk
ip access-group access_server in
!
interface VLAN 2
no ip proxy-arp
ip access-group access_server in
ip address 192.168.4.2 255.255.255.0
Device B configuration:
B#show run
!
interface GigabitEthernet 0/22
switchport mode trunk
ip access-group vlan_access1 in
!
interface GigabitEthernet 0/23
switchport mode trunk
ip access-group vlan_access2 in
!
interface VLAN 2
no ip proxy-arp
ip access-group yanfa in
Configuration Guide Configuring SCC
Configuring SCC
Overview
The Security Control Center (SCC) provides common configuration methods and policy integration for various access
control and network security services, so that these access control and network security services can coexist on one
device to meet diversified access and security control requirements in various scenarios.
Typical access control services are dot1x, Web authentication, Address Resolution Protocol (ARP) check, and IP Source
Guard. The network security services include Access Control List (ACL), Network Foundation Protection Policy (NFPP),
and anti-ARP gateway spoofing. When two or more access control or network security services are simultaneously
enabled on the device, or when both access control and network security services are simultaneously enabled on the
device, the SCC coordinates the coexistence of these services according to relevant policies.
For details about the access control and network security services, see the related configuration guide. This
document describes the SCC only.
Protocol Specification
None.
Applications
Application Scenario
Students on a campus network of a university usually need to be authenticated through the dot1x client or Web before
accessing the Internet, so as to facilitate accounting and guarantee the benefits of the university.
The students can access the Internet through dot1x client authentication or Web authentication.
ARP spoofing between the students is prevented, so as to guarantee the stability of the network.
Terminal devices in some departments (such as the headmaster's office) can access the Internet without
authentication.
Figure 0-1
A traditional campus network is hierarchically designed, which consists of an access layer, a convergence layer
and a core layer, where the access layer performs user access control. On an extended Layer 2 campus
network, however, user access control is performed by a core switch, below which access switches exist
without involving any convergence device in between. The ports between the core switch and the access
switches (such as switches B, C, and D in Figure 1-1) are all trunk ports.
The user access switches B, C, and D connect to PCs in various departments via access ports, and VLANs
correspond to sub VLANs configured on the downlink ports of the core switch, so that access users are in
different VLANs to prevent ARP spoofing.
The core switch A connects to various servers, such as the authentication server and the DHCP server. Super VLANs and sub VLANs are configured on the downlink ports. One super VLAN corresponds to multiple sub VLANs, and each sub VLAN represents an access user.
Deployment
On the core switch, different access users are identified by VLAN and port numbers. Each access user (or a group of
access users) corresponds to one VLAN. The ports on each access switch that connect to downstream users are
configured as access ports, and one user VLAN is assigned to each access user according to VLAN planning. The
core switch does not forward ARP requests. The core switch replies to the ARP requests from authenticated users
only, so as to prevent ARP spoofing. On the core switch A, user VLANs are regarded as sub VLANs, super VLANs
are configured, and SVIs corresponding to the super VLANs are configured as user gateways.
On the downlink ports of the core switch (switch A in this example) that connect to the teachers' living area and the
students' living area, both dot1x authentication and Web authentication are enabled, so that users can freely select
either authentication mode for Internet access.
Any special department (such as the headmaster's office in this example) can be allocated to a particular VLAN, and
this VLAN can be configured as an authentication-exemption VLAN so that users in this department can access the
Internet without authentication.
Features
Basic Concepts
Authentication Mode
There are two authentication modes: access authentication and gateway authentication. On a traditional hierarchical
network, access authentication is usually performed by access switches. On an extended Layer 2 network, the access
function moves forward to a core switch while the access devices need only to support basic VLAN and Layer 2
forwarding functions. As the access authentication is performed by access switches on a traditional hierarchical network
while performed by a core switch on a de-layered extended Layer 2 network, some extrinsic functions and behaviors will
differ accordingly with the two different authentication modes. Therefore, the authentication mode falls into gateway
authentication and access authentication. If the access authentication moves to the core switch, the core switch needs to
be enabled with the gateway authentication mode to support a large number of user entries, typically including a
large-capacity MAC address table, ARP table and routing table. Otherwise, the supported user capacity is subject to
hardware ACL entry restrictions. In general, the capacity of hardware ACL entries is limited and cannot support a large
user capacity. The access authentication mode is generally applicable only in scenarios where the access authentication
is deployed on access switches.
Authentication-exemption VLAN
Some special departments may be allocated to authentication-exemption VLANs to simplify network management, so that
users in these departments can access network resources without authentication. For example, the headmaster's office
can be divided into the authentication-exemption VLANs on the campus network, so that users in the headmaster's office
can access the Internet without authentication.
IPv4 User Capacity
The number of IPv4 access users can be restricted to protect the access stability of online users on the Internet and improve the operational stability of the device.
The number of IPv4 access users is not restricted by default; that is, a large number of users can get online after being authenticated, until the maximum hardware capacity of the device is reached.
IPv4 access users include IP users (such as IP authenticated users) based on dot1x authentication, users
based on Web authentication, and IP users manually bound (using IP source guard, ARP check, or other
means).
Authenticated-User Migration
Online-user migration means that an online user can get authenticated again from different physical locations to access
the network. On the campus network, however, for ease of management, students are usually requested to get
authenticated from a specified location before accessing the Internet, but cannot get authenticated on other access ports.
This means that the users cannot migrate. In another case, some users have the mobile office requirement and can get
authenticated from different access locations. Then the users can migrate.
User Online-Status Detection
For a chargeable user, accounting starts immediately after the user passes authentication and gets online. The accounting process does not end until the user actively gets offline. Some users, however, forget to get offline when leaving their PCs, or cannot get offline because of terminal problems. Then the users suffer economic losses as the accounting process continues. To determine more precisely whether a user is really online, a traffic threshold can be preset, so that the user is considered not to be accessing the Internet and is directly brought offline when the user's traffic is lower than the preset value, or there is no traffic from the user at all, in a period of time.
Features
Feature Function
Authentication Mode: This feature determines whether access control is deployed on access switches or core switches depending on network deployment needs.
Authentication-exemption VLAN: Users in a specified VLAN can be configured as authentication-exemption users.
IPv4 User Capacity: The IPv4 user capacity of a specified interface can be restricted to guarantee the access stability of users on the Internet.
Authenticated-User Migration: You can specify whether authenticated users can migrate.
User Online-Status Detection: You can specify whether to detect the traffic of online users, so that a user is forced offline when the traffic of the user is lower than a preset value in a period of time.
Authentication Mode
There are two authentication modes: access authentication and gateway authentication. In access authentication mode,
access control such as dot1x or Web authentication is enabled on access switches. In gateway authentication mode,
access control is enabled on core switches. On a large-scale network such as a campus network, there are hundreds of
access switches. Compared with the access authentication mode, the gateway authentication mode simplifies the routine
maintenance and management on the access switches, because the access switches need only to support basic VLAN
and Layer 2 forwarding functions. Therefore, the gateway authentication mode is recommended.
Working Principle
The authentication mode on a device depends on the network layer where the access control device works. If access
control is deployed on core switches (for example, on an extended Layer 2 network), gateway authentication mode on
core switches is required. If access control is deployed on access switches, the authentication mode should be set to
access authentication on the access switches.
The access authentication mode applies by default. In addition, only the N18000 switches support
authentication mode switching.
Restart the device after the authentication mode is changed, so that the new authentication mode takes effect.
Save the current configuration before restarting the device.
Authentication-Exemption VLAN
Authentication-exemption VLANs are used to accommodate departments with special access requirements, so that users
in these departments can access the Internet without authentication such as dot1x or Web authentication.
Working Principle
Suppose the authentication-exemption VLAN feature is enabled on a device. When the device detects that a packet comes from an authentication-exemption VLAN, access control is not performed. In this way, users in the authentication-exemption VLAN can access the Internet without authentication. The authentication-exemption VLAN feature can be regarded as one application of secure channels.
The authentication-exemption VLANs occupy hardware entries. When access control such as authentication is
disabled, configuring authentication-exemption VLANs has the same effect as the case where no
authentication-exemption VLANs are configured. Therefore, it is recommended that
authentication-exemption VLANs be configured for users who need to access the Internet without
authentication, only when the access control function has been enabled.
Although packets from authentication-exemption VLANs are exempt from access control, they still need to be
checked by a security ACL. If the packets of the users in an authentication-exemption VLAN are denied
according to the security ACL, the users still cannot access the Internet.
In gateway authentication mode, the device does not initiate any ARP request to a user in an
authentication-exemption VLAN, and the ARP proxy will not work. Therefore, in gateway authentication
mode, users in different authentication-exemption VLANs cannot access each other unless the users have
been authenticated.
IPv4 User Capacity
Working Principle
If the total number of IPv4 access users is restricted, new users going beyond the total number cannot access the
Internet.
The number of IPv4 access users is not restricted on the device by default, but depends on the hardware
capacity of the device.
The number of IPv4 access users includes the IPv4 authenticated users based on dot1x authentication, IPv4
users based on Web authentication, and IPv4 users based on various binding functions. Because the
number of IPv4 access users is configured in interface configuration mode, the restriction includes both the
number of IPv4 users generated on the port and IPv4 users globally generated. For example, you can set the
maximum number of IPv4 access users on the Gi 0/1 port to 2, run commands to bind an IPv4 user to the
port, and then run commands to bind a global IPv4 user to the port. Actually there are already two access
users on the port. If you attempt to bind another IPv4 user or another global IPv4 user to the port, the binding
operation fails.
Authenticated-User Migration
On an actual network, users do not necessarily access the Internet from a fixed place. Instead, users may be transferred
to another department or office after getting authenticated at one place. They do not actively get offline but remove
network cables and carry their mobile terminals to the new office to access the network. Then this brings about an issue
about authenticated-user migration. If authenticated-user migration is not configured, a user who gets online at one place
cannot get online at another place without getting offline first.
Working Principle
When authenticated-user migration is enabled, the dot1x or Web authentication module of the device detects that the port
number or VLAN corresponding to a user's MAC address has changed. Then the user is forced offline and needs to be
authenticated again before getting online.
Only the switches or wireless devices support authenticated-user migration. In addition, cross-switch migration
is not supported. For example, authentication and migration are enabled on two N18000, and a user gets
online after being authenticated on one of the two N18000. If the user attempts to migrate to the other
N18000, the migration fails.
The authenticated-user migration function requires a check of users' MAC addresses, and is invalid for users
who have IP addresses only.
The authenticated-user migration function enables a user who gets online at one place to get online at another
place without getting offline first. If the user gets online at one place and then gets offline at that place, or if
the user does not get online before moving to another place, the situation is beyond the control range of
authenticated-user migration.
During migration, the system checks whether the VLAN ID or port number that corresponds to a user's MAC
address has changed, so as to determine whether the user has migrated. If the VLAN ID or port number is
the same, it indicates that the user does not migrate; otherwise, it indicates that the user has migrated.
According to the preceding principle, if another user on the network uses the MAC address of an online user,
the system will wrongly disconnect the online user unless extra judgment is made. To prevent such a
problem, the dot1x or Web authentication will check whether a user has actually migrated. For a user who
gets online through Web authentication or dot1x authentication with IP authorization, the dot1x or Web
authentication sends an ARP request to the original place of the user if detecting that the same MAC
address is online in another VLAN or on another port. If no response is received within the specified time, it
indicates that the user's location has indeed changed and then the migration is allowed. If a response is
received within the specified time, it indicates that the user actually does not migrate and a fraudulent user
may exist on the network. In the latter case, the migration is not performed. The ARP request is sent once
every second by default, and sent for a total of five times. This means that the migration cannot be confirmed
until five seconds later. Timeout-related parameters, including the probe interval and probe times, can be
changed using the arp retry times times and arp retry interval interval commands. For details about the
specific configuration, see ARP-SCG.doc. It should be noted that the migration check requires the
configuration of IP authorization for users based on dot1x authentication. In addition, the ARP probe is
triggered only for user migration in gateway authentication mode but not triggered for user migration in
access authentication mode.
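The migration decision described above, modelled as an added Python example (this is not Ruijie code; the class, scenario, MAC and IP addresses are constructed for illustration). A MAC address seen on a new VLAN or port is probed at its original location up to the default five times; any reply means a duplicate MAC rather than a move, while silence lets the old session be forced offline for re-authentication. In access authentication mode, or for users without an IP, the probe is skipped as the guide states.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Location = Tuple[int, str]  # (VLAN ID, port name): the two values the guide says are compared


@dataclass
class OnlineUser:
    mac: str
    ip: str
    location: Location
    ip_authorized: bool  # Web-authenticated, or dot1x with IP authorization


@dataclass
class MigrationChecker:
    """Hypothetical model of the migration check described in the guide (not device code)."""
    arp_probe: Callable[[str, Location], bool]  # True if the IP answers at that location
    migration_enabled: bool = True
    gateway_mode: bool = True
    retry_times: int = 5  # default probe count from the guide; "arp retry times" changes it
    online: Dict[str, OnlineUser] = field(default_factory=dict)

    def mac_seen(self, mac: str, location: Location) -> str:
        user = self.online.get(mac)
        if user is None:
            return "unknown"        # not an online user, so there is nothing to migrate
        if user.location == location:
            return "no-change"      # same VLAN and port: the user has not moved
        if not self.migration_enabled:
            return "denied"         # must get offline at the old place before getting online here
        if self.gateway_mode and user.ip_authorized:
            # Probe the original location up to retry_times; any reply means the
            # original host is still there and the new MAC is a duplicate, not a move.
            for _ in range(self.retry_times):
                if self.arp_probe(user.ip, user.location):
                    return "rejected-duplicate-mac"
        # Genuine move (or no probe in access mode): force the old session offline,
        # after which the user must authenticate again at the new location.
        del self.online[mac]
        return "migrated"


def run_scenario(original_answers: bool, gateway_mode: bool = True,
                 migration_enabled: bool = True) -> Tuple[str, int]:
    """Constructed scenario: a user online on VLAN 2 / Gi0/1 shows up on Gi0/2.
    Returns the decision and how many ARP probes were sent."""
    probes = 0

    def probe(ip: str, loc: Location) -> bool:
        nonlocal probes
        probes += 1
        return original_answers

    checker = MigrationChecker(arp_probe=probe, gateway_mode=gateway_mode,
                               migration_enabled=migration_enabled)
    mac = "00:11:22:33:44:55"  # constructed sample address
    checker.online[mac] = OnlineUser(mac, "192.168.2.10", (2, "Gi0/1"), ip_authorized=True)
    decision = checker.mac_seen(mac, (2, "Gi0/2"))
    return decision, probes


if __name__ == "__main__":
    print("silent original host:", run_scenario(False))
    print("original host replies:", run_scenario(True))
    print("access mode:", run_scenario(False, gateway_mode=False))
    print("migration disabled:", run_scenario(False, migration_enabled=False))
```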
User Online-Status Detection
Working Principle
A specific detection interval is preset on the device. If a user's traffic is lower than a certain value in this interval, the device
considers that the user is not using the network and therefore directly disconnects the user.
Only the switches and wireless devices support the user online-status detection function.
The user online-status detection function applies to only users who get online through dot1x or Web
authentication.
Currently, due to hardware chip restrictions of the N18000, the time to disconnect a user without any traffic
relates to the configured MAC address aging time. If the traffic detection interval is set to m minutes and the
MAC address aging time is set to n minutes, the interval from the moment when an authenticated user
leaves the network without actively getting offline to the moment when the user is disconnected upon
detection of zero traffic is about [m, m+n] minutes. In other words, if an online user does not incur any
Internet access traffic, the user is disconnected about [m, m+n] minutes later.
Configuration
Configuring Authentication-Exemption VLANs: Optional configuration, which is used to specify the users of which VLANs can access the Internet without authentication.
  [no] direct-vlan: Configures authentication-exemption VLANs.
Configuring the IPv4 User Capacity: Optional configuration, which is used to specify the maximum number of users who are allowed to access a certain interface.
Configuring Authentication-Exemption VLANs
Configure authentication-exemption VLANs, so that users in these VLANs can access the Internet without undergoing dot1x or Web authentication.
Precautions
Authentication-exemption VLANs only mean that users in these VLANs do not need to undergo the checks related to access authentication; they still undergo the check based on a security ACL. If specified users or VLANs are denied according to the security ACL, the corresponding users still cannot access the Internet. Therefore, during ACL configuration, if you want users in the authentication-exemption VLANs to access the Internet without being authenticated, ensure that those VLANs or users are not blocked.
Configuration Steps
Optional configuration. To spare all users in certain VLANs from dot1x or Web authentication, configure these VLANs as authentication-exemption VLANs.
Perform this configuration on access, convergence, or core switches depending on user distribution.
Command Syntax: [no] direct-vlan vlanlist
Parameter Description: no: If the command carries this parameter, the authentication-exemption VLAN configuration is deleted. vlanlist: This parameter indicates the list of authentication-exemption VLANs to be configured or deleted.
Default Configuration: No authentication-exemption VLAN has been configured.
Command Mode: Global configuration mode
Usage Guide: Use this command to configure or delete authentication-exemption VLANs.
Verification
Enable dot1x authentication on downlink ports that connect to user terminals, add the downlink ports that connect to
the user terminals to a specific VLAN, and configure the VLAN as an authentication-exemption VLAN. Then open the
Internet Explorer, and enter a valid extranet address (such as www.baidu.com). If the users can open the
corresponding webpage on the Internet, it indicates that the authentication-exemption VLAN is valid; otherwise, the
authentication-exemption VLAN does not take effect.
Use the show direct-vlan command to check the authentication-exemption VLAN configuration on the device.
Command: show direct-vlan
Parameter Description: N/A
Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode
Usage Guide: Global configuration mode
Usage Example:
Ruijie#show direct-vlan
direct-vlan 100
Configuration Examples
Configuring the IPv4 User Capacity
Configure the IPv4 user capacity, so as to restrict the number of users who are allowed to access an access port.
Precautions
None.
Configuration Steps
Verification
Check the IPv4 user capacity configuration on a port using the following method:
dot1x authentication: When the number of users who get online based on 1x client authentication on the port reaches the specified user capacity, no new user can get online from this port.
Web authentication: When the number of users who get online based on Web authentication on the port reaches the specified user capacity, no new user can get online from this port.
Use the show nac-author-user [ interface interface-name ] command to check the IPv4 user capacity configured on the device.
Command: show nac-author-user [ interface interface-name ]
Parameter Description: interface-name: This parameter indicates the interface name.
Command Mode: Privileged EXEC mode, global configuration mode, or interface configuration mode
Usage Guide: Global configuration mode
Usage Example:
Ruijie#show nac-author-user interface GigabitEthernet 0/1
Port Cur_num Max_num
-------- ------- -------
Gi0/1 0 4
Configuration Examples
Restricting the Number of IPv4 Users on a Port to Prevent Excessive Access Terminals from Impacting the Network
Network Environment: Figure 1-2
Configuration Method: Assume that the dot1x authentication environment has been well configured on the access switch A, and dot1x authentication is enabled on the Gi 0/2 port. Set the maximum number of IPv4 access users on the Gi 0/2 port to 4.
Switch A:
SwitchA(config)#int GigabitEthernet 0/2
SwitchA(config-if-GigabitEthernet 0/2)#nac-author-user maximum 4
Verification: Perform dot1x authentication for all four PCs in the dormitory, so that the PCs get online. Then take an additional terminal to access the network, and attempt to perform dot1x authentication for this terminal. Verify that the terminal cannot be successfully authenticated to get online.
Use the show nac-author-user command to check whether the configuration has taken effect.
Switch A:
SwitchA(config)#show nac-author-user
Port Cur_num Max_num
-------- ------- -------
Gi0/1 0 4
Configuring User Online-Status Detection
After the user online-status detection function is enabled, if a user's traffic is lower than a certain threshold within the specified period of time, the device automatically disconnects the user, so as to avoid the economic loss incurred by continued charging of the user.
Precautions
Note that if disconnecting zero-traffic users is configured, software such as 360 Security Guard generally runs on a user terminal by default. Such software sends packets from time to time, so the device will disconnect the user only when the user's terminal is powered off.
Configuration Steps
Verification
Check the user online-status detection configuration using the following method:
After the user online-status detection function is enabled, power off the specified authenticated terminal after the
corresponding user gets online. Then wait for the specified period of time, and run the online user query command
associated with dot1x or Web authentication on the device to confirm that the user is already offline.
Configuration Examples
Configuring User Online-Status Detection so that a User Is Disconnected if the User Does Not Have Traffic Within Five Minutes
Network Environment: Figure 1-3
Configuration Method: Enable dot1x authentication on the access port Gi 0/2, and configure authentication parameters. The authentication is MAC-based. Configure user online-status detection so that a user is disconnected if the user does not have traffic within five minutes.
Switch A:
sw1(config)# offline-detect interval 5 threshold 0
Verification: Perform dot1x authentication using the dot1x SU client for a PC in the R&D department, so that the PC gets online. Then power off the PC, wait for 6 minutes, and run the online user query command available with dot1x authentication on switch 1 to confirm that the user of the PC is already offline.
Switch A:
sw1(config)#show running-config | include offline-detect
offline-detect interval 5
Monitoring
None.
Command Function
show direct-vlan: Displays the authentication-exemption VLAN configuration.
show nac-author-user [ interface interface-name ]: Displays information about IPv4 user entries on a specific interface.
System resources are occupied when debugging information is output. Therefore, close the debugging switch immediately after use.
Command Function
debug scc event: Displays information about the access list running process.
debug scc user [ mac | author | mac ]: Displays debugging information about user entries of the current SCC.
debug scc acl-show summary: Displays summary debugging information about ACLs stored in the current SCC and delivered by various services.
debug scc acl-show all: Displays debugging information about all ACLs stored in the current SCC.
Configuration Guide Configuring Password Policy
Overview
The Password Policy is a password security function provided for local authentication of the device. It is configured to
control users' login passwords and login states.
N/A
Features
Basic Concepts
Administrators can set a minimum length for user passwords according to system security requirements. If the password
input by a user is shorter than the minimum password length, the system does not allow the user to set this password but
displays a prompt, asking the user to specify another password of an appropriate length.
The less complex a password is, the easier it is to crack. For example, a password that is the same as the corresponding account, or a simple password that contains only letters or only digits, may be easily cracked. For the sake of security, administrators can enable the strong password detection function to ensure that the passwords set by users are highly complex. After the strong password detection function is enabled, a prompt will be displayed for the following types of passwords:
A password dictionary is used in combination with password cracking software. It contains many conventional passwords, and therefore raises the cracking success rate and shortens the time taken to crack a password.
The password dictionary detection function checks the input password against such a dictionary and prevents the user from configuring any password contained in it, thereby improving the security of the password configured by the user and helping to guard against password cracking.
The password dictionary detection function detects a user-input password based on the following aspects:
Detects a system-defaulted password dictionary: If the user-input password exists in the system-defaulted password
dictionary, the user-configured password fails to pass the detection and the system displays a prompt indicating that
the user cannot use this password.
Detects a date dictionary, which is a birthday dictionary in most cases: The system detects a combination of four to
eight digits for the user-input password, because the birthday password format is 4-digit mmdd, 5-digit yymmd or
yymdd, 6-digit yymmdd or yyyymd, 7-digit yyyymdd or yyyymmd, or 8-digit yyyymmdd, where the year yy ranges
from 00 to 99, the year yyyy ranges from 1900 to 2100, the month mm ranges from 1 to 12, and the day dd ranges
from 1 to 31.
Detects a surname spelling dictionary: The system checks the user-input password against the spellings of the latest
100 common surnames.
Detects a combination of the date dictionary and the name spelling dictionary: The system checks the user-input
password against a combination of the date dictionary and the name spelling dictionary, which can be the
combination of a birthday and a surname, the combination of a surname and a birthday, or a birthday or surname
only.
A weak password is one that may be easily guessed by others or one that may be easily cracked by using a password
cracking tool. It contains only simple digits and letters, such as 123 or abc. Since such a password may be easily cracked
to threaten the security of the user's PC, it is not recommended for use.
The weak password detection function detects a user-input password based on the following aspects:
Detects whether the password contains only digits or letters: If yes, the user-input password fails to pass the
detection.
Provides a command for the user to configure a custom password dictionary: The user can configure a custom weak
password using the command. After the weak password is configured, the user cannot use this weak password
during later password configuration.
The password life cycle defines the validity time of a user password. When the service time of a password exceeds the life
cycle, the user needs to change the password.
If a user logs in with a password that has already expired, the system displays a prompt indicating that the password has expired and must be reset. If the new password entered during resetting does not meet system requirements, or the two consecutive entries of the new password do not match, the system asks the user to enter the new password again.
When changing the password, the user will set a new password while the old password will be recorded as the user's
history records. If the new password input by the user has been used previously, the system gives an error prompt and
asks the user to specify another password.
The maximum number of password history records per user can be configured. When the number of password history
records of a user is greater than the maximum number configured for this user, the new password history record will
overwrite the user's oldest password history record.
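An added Python model of the password dictionary detection, weak password detection, minimum length and no-repeat history rules described above (not Ruijie code). The birthday parsing follows the exact formats and ranges the guide lists; the system dictionary and the surname list are constructed stand-ins, since the device's real lists are not reproduced on the page, and the PasswordPolicy class, its reason strings and the sample passwords are hypothetical.

```python
from collections import deque
from typing import Deque, Dict, List, Set

# Constructed stand-ins for the device's built-in lists; the real
# system dictionary and the 100-surname list are not reproduced on the page.
SYSTEM_DICTIONARY: Set[str] = {"password", "admin", "ruijie", "123456", "qwerty"}
COMMON_SURNAMES: Set[str] = {"wang", "li", "zhang", "liu", "chen"}

# (year digits, month digits, day digits) for each total length, exactly the
# birthday formats the guide lists: mmdd, yymmd/yymdd, yymmdd/yyyymd,
# yyyymdd/yyyymmd and yyyymmdd.
DATE_SPLITS = {
    4: [(0, 2, 2)],
    5: [(2, 2, 1), (2, 1, 2)],
    6: [(2, 2, 2), (4, 1, 1)],
    7: [(4, 1, 2), (4, 2, 1)],
    8: [(4, 2, 2)],
}

TOO_SHORT = "shorter than the minimum length"
ONLY_DIGITS_OR_LETTERS = "contains only digits or only letters"
CUSTOM_WEAK = "listed in the custom weak-password dictionary"
SYSTEM_DICT = "listed in the system password dictionary"
DATE_OR_SURNAME = "birthday, surname, or birthday/surname combination"
REUSED = "already present in the password history"


def looks_like_date(s: str) -> bool:
    """True if s is 4 to 8 digits that parse as one of the birthday formats.
    yy is any 00-99, yyyy must be 1900-2100, mm 1-12, dd 1-31."""
    if not s.isdigit() or len(s) not in DATE_SPLITS:
        return False
    for ylen, mlen, dlen in DATE_SPLITS[len(s)]:
        year, month, day = s[:ylen], s[ylen:ylen + mlen], s[ylen + mlen:]
        if ylen == 4 and not 1900 <= int(year) <= 2100:
            continue
        if 1 <= int(month) <= 12 and 1 <= int(day) <= 31:
            return True
    return False


def surname_date_combination(password: str) -> bool:
    """Birthday alone, surname alone, surname+birthday or birthday+surname."""
    low = password.lower()
    if low in COMMON_SURNAMES or looks_like_date(low):
        return True
    for name in COMMON_SURNAMES:
        if low.startswith(name) and looks_like_date(low[len(name):]):
            return True
        if low.endswith(name) and looks_like_date(low[:-len(name)]):
            return True
    return False


class PasswordPolicy:
    """Hypothetical model of the checks the guide describes (not device code)."""

    def __init__(self, min_length: int = 8, history_size: int = 5) -> None:
        self.min_length = min_length
        self.history_size = history_size
        self.custom_weak: Set[str] = set()        # administrator-defined weak passwords
        self.history: Dict[str, Deque[str]] = {}  # per-user recent passwords

    def check(self, username: str, password: str) -> List[str]:
        """Return every reason the password would be refused (empty = accepted)."""
        reasons: List[str] = []
        if len(password) < self.min_length:
            reasons.append(TOO_SHORT)
        # weak password detection
        if password.isdigit() or password.isalpha():
            reasons.append(ONLY_DIGITS_OR_LETTERS)
        if password in self.custom_weak:
            reasons.append(CUSTOM_WEAK)
        # password dictionary detection
        if password.lower() in SYSTEM_DICTIONARY:
            reasons.append(SYSTEM_DICT)
        if surname_date_combination(password):
            reasons.append(DATE_OR_SURNAME)
        # no-repeat check against the stored history
        if password in self.history.get(username, ()):
            reasons.append(REUSED)
        return reasons

    def set_password(self, username: str, password: str) -> bool:
        """Apply the policy; on success record the password, evicting the oldest entry."""
        if self.check(username, password):
            return False
        hist = self.history.setdefault(username, deque(maxlen=self.history_size))
        hist.append(password)
        return True
```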
Administrators can enable the storage of encrypted passwords for security reasons. When administrators run the show running-config command to display the configuration or run the write command to save configuration files, the various user-set passwords are displayed in ciphertext format. If administrators later disable the storage of encrypted passwords, the passwords already stored in ciphertext format are not restored to plaintext.
Configuration
Networking Requirements
Provide a password security policy for local authentication of the device. Users can configure different password
security policies to implement password security management.
Notes
The configured password security policy is valid for global passwords (configured using the commands enable
password and enable secret) and local user passwords (configured using the username name password password
command). It is invalid for passwords in Line mode.
Configuration Steps
Optional
Perform this configuration on each device that requires password dictionary detection unless otherwise stated.
Optional
Perform this configuration on each device that requires the configuration of a password life cycle unless otherwise
stated.
Optional
Configuration Guide Configuring Password Policy
Perform this configuration on each device that requires a limit on the minimum length of user passwords unless
otherwise stated.
Optional
Perform this configuration on each device that requires a limit on the no-repeat times of latest password
configuration unless otherwise stated.
Optional
Perform this configuration on each device that requires weak password detection unless otherwise stated.
Optional
Perform this configuration on each device that requires strong password detection unless otherwise stated.
Optional
Perform this configuration on each device that requires the storage of passwords in encrypted format unless
otherwise stated.
Verification
Configure a local user on the device, and configure a valid password and an invalid password for the user.
When you configure the valid password, the device correctly adds the password.
When you configure the invalid password, the device displays a corresponding error log.
Usage Guide: This command is used to configure the minimum length of passwords. If the minimum length of passwords is
not configured, users can input a password of any length.
displayed and stored in plaintext format, unless the passwords are configured in cipher text format. You can
enable the storage of encrypted passwords for security reasons. When you run the show running-config command
to display the configuration or run the write command to save configuration files, all user-set passwords are
displayed in cipher text format. If you later disable the storage of encrypted passwords, the passwords already in
cipher text format are not restored to plaintext.
Configuration Examples
The following configuration example describes configuration related to a password security policy.
Typical Application: Assume that the following password security requirements arise in a network environment:
The minimum length of passwords is 8 characters;
The password life cycle is 90 days;
Passwords are stored and transmitted in cipher text format;
The number of no-repeat times of password history records is 3;
Passwords shall not be the same as user names, and shall not contain simple characters or digits only.
Verification: When you create a user and the corresponding password after configuring the password security policy, the
system performs the relevant detection according to the password security policy.
Run the show password policy command to display user-configured password security policy information.
Ruijie# show password policy
Common Errors
The time configured for giving a pre-warning notice about password expiry to the user is greater than the password life
cycle.
Monitoring
Command Function
show password policy Displays user-configured password security policy information.
Configuration Guide Configuring SSH
Configuring SSH
Overview
SSH is the shortened form of Secure Shell. An SSH connection functions like a Telnet connection, except that all
transmissions over the connection are encrypted. When the user logs in to the device over a network whose security
cannot be guaranteed, the SSH feature provides confidentiality and strong authentication to protect the devices from
IP address spoofing, plaintext password interception and other kinds of attacks.
Ruijie SSH service supports both the IPv4 and IPv6 protocols.
Configuration
For SSH connection security, login without authentication is forbidden. Therefore, the login authentication mode
used for users must have a password configured (login without authentication is allowed only for Telnet).
The username and password entered each time must have a length greater than zero. If the current authentication
mode does not require a username, any username can be entered, but its length must be greater than zero.
Command Description
configure terminal Enter the global configuration mode.
enable service ssh-server Enable SSH Server.
crypto key generate { rsa|dsa } Generate the key.
To delete the key, use the crypto key zeroize command rather than the [no] crypto key generate command.
The SSH module does not support hot standby. For products supporting management module hot standby,
after the management module is switched over, if no SSH key files are in the new main board, the crypto
key generate command must be used to regenerate the key in order to use the SSH.
Command Description
configure terminal Enter the global configuration mode
no enable service ssh-server Delete the key to disable SSH Server.
Command Description
ssh [ oob ] [ -v { 1 | 2 } ] [ -c { 3des | aes128-cbc | aes192-cbc | aes256-cbc } ] [ -l username ] [ -m { hmac-md5-96 | hmac-md5-128 | hmac-sha1-96 | hmac-sha1-160 } ] [ -p port-num ] { ip-addr | hostname } [ /source { ip A.B.C.D | ipv6 X:X:X:X::X | interface interface-name } ] [ /vrf vrf-name ]
Establish an encrypted session with a remote device.
Use the ssh command to create a secure and encrypted session between the current device (SSH client) and the other
device (SSH server, or the server that supports SSHv1 or SSHv2). This session is similar to the Telnet session except that
the SSH session is encrypted. Therefore, the SSH client can create a secure session on the insecure network based on
authentication and encryption.
SSHv1 supports only DES (56-bit secret key) and 3DES (168-bit secret key).
SSHv2 supports the following AES algorithms: aes128-cbc, aes192-cbc and aes256-cbc.
SSHv1 does not support HMAC algorithms.
If the specified SSH version is incompatible with the specified encryption algorithm or authentication
algorithm, the algorithm configuration does not take effect.
The following example creates a session with the username admin to the SSH server whose IP address is
192.168.23.122 via SSH.
The following example creates a session with the username admin to the SSH server whose IP address is
192.168.23.122 via SSHv2, setting aes128-cbc and hmac-md5-128 as the encryption algorithm and authentication algorithm
respectively.
Ruijie#ssh -v 2 -c aes128-cbc -m hmac-md5-128 -l admin 192.168.23.122
Command Description
configure terminal Enter the configuration mode
ip ssh version { 1|2 } Configure the supported SSH version.
no ip ssh version Restore the SSH default version.
Command Description
configure terminal Enter the configuration mode
Command Description
ip ssh time-out time Configure the SSH timeout period (1-120 seconds).
no ip ssh time-out Restore the default SSH user authentication timeout period of 120 seconds.
Command Description
configure terminal Enter the configuration mode
ip ssh authentication-retries retry times Configure SSH re-authentication times (range 0-5)
no ip ssh authentication-retries Restore the default SSH re-authentication times as 3.
For details of the above commands, see SSH Command Reference Manual.
Command Function
Ruijie# configure terminal Enter the configuration mode.
Ruijie(config)# ip ssh peer username public-key { rsa | dsa } filename Set the RSA public-key file associated with the user test.
Ruijie(config)# ip ssh peer test public-key dsa flash:dsa.pub Set the DSA public-key file associated with the user test.
For details of the above commands, see SSH Command Reference Manual.
Command Function
With advances in cryptanalysis, CBC and other encryption modes have been shown to be vulnerable. Enabling CTR mode
is recommended to raise assurance for organizations and enterprises that demand high security.
The following example enables CTR encryption mode.
Command Function
Ruijie# configure terminal Enter the configuration mode.
Ruijie(config)#ip scp server enable Enable the SCP server function.
Ruijie(config)# no ip scp server enable Disable the SCP server function.
For details of the above commands, see SSH Command Reference Manual.
Command Function
ip ssh hmac-algorithm { md5 | md5-96 | sha1 | sha1-96 } Set the algorithm for message authentication. md5: MD5 algorithm; md5-96: MD5-96 algorithm; sha1: SHA1 algorithm; sha1-96: SHA1-96 algorithm.
Ruijie SSHv1 servers do not support algorithms for message authentication. The following example sets the algorithm for
message authentication to SHA1.
Command Function
ssh-session session-id Restore a suspended SSH client session. session-id: ID of the SSH client session to be restored.
After creating the SSH client session with the ssh command, you can use the hot key (Ctrl+Shift+6 x) to temporarily
suspend the session. To restore the suspended SSH client session, run the ssh-session command. Use the
show ssh-session command to display the established sessions.
Ruijie# ssh-session 1
Command Function
disconnect ssh-session session-id Disconnect a suspended SSH client session. session-id: ID of the suspended SSH client session.
This command is used to disconnect a suspended SSH client session by specifying its session ID. The following
example disconnects an SSH client session by specifying its session ID.
Command Function
show ssh-session Display SSH configuration.
This command is used to display the information about the established SSH client instance, including the VTY number,
SSH version, and server address.
The following example displays the information about the established SSH client instance.
Ruijie#show ssh-session
Connect No. SSH Version Server Address
----------- ----------- ---------------
0 2.0 192.168.23.122
1 1.5 192.168.23.122
Figure 1-1
As shown in Figure 1-1, protocol 2 is used for login, so SSH2 is chosen in "Protocol". "Hostname" is the IP address
of the host to log in to, 192.168.5.245. Port 22 is the default port on which SSH listens. "Username" is the
user name; it does not take effect when the device only requires a password. "Authentication" is the
authentication mode; username/password authentication is supported here. The password used is the same as
the Telnet password.
Ruijie devices support the user-name-password based authentication method and the public-key based authentication
method. For the user-name-password based authentication method, the password used is the same as the Telnet
password. The public-key based authentication method is described in the next section.
Figure 1-2
Click “Connect” to log into the host just configured, as shown below:
Figure 1-3
The client logging in to the host 192.168.5.245 prompts you to confirm whether to accept the key received from the server.
Select "Accept & Save" or "Accept Once" to enter the password confirmation dialog box, as shown below:
Figure 1-4
Enter the Telnet login password to enter the UI that is the same as the Telnet. See the diagram below:
Figure 1-5
To use the public-key based authentication method on a client, you need to generate a key pair (RSA or DSA) on the
client, put the key on the SSH server, and select the PublicKey authentication method. The following uses the client
software SecureCRT as an example for describing how to generate the key pair on the client.
Step 1: In the Authentication option of Session Option, select PublicKey and then Properties. See the following figure.
Figure 1-6
Click Properties.... If the key pair has already been generated, you can choose the private key to use (Use identity or
certificate file). Note that the private key must be paired with the public key on the server; otherwise, authentication fails.
See the following figure.
Figure 1-7
If the key pair has not been generated, generate a new key pair (Create Identity File). During key generation, you can set
a password (the password can be blank) for the private key. If so, you need to enter the password in every authentication.
See the following figure.
Figure 1-8
During key generation, do not move the cursor continuously, or the creation takes a long time.
The key file of the OpenSSH format must be selected, or the key file cannot be used. If Putty serves as the
client, the puttygen.exe tool must be used to transform the private key into the Putty format. The
puttygen.exe tool can generate the key pair of the OpenSSH format, but Putty cannot directly use such a key
pair. The public-key file on the server does not need to be transformed. Its format is still OpenSSH. See the
following figure.
Figure 1-9
Operations on a Server
After keys are generated on the client, the SSH server, namely the network device, needs to copy the client public-key file
to flash, and associate the file with the SSH user name. Each user can associate with an RSA public key and a DSA
public key. See the following contents.
In this way, the client can log in to the network device using the public-key based authentication method.
Secure CoPy (SCP) is used in SSH file transfer. The SCP server function needs to be enabled on the network device, so
that the client can use SCP to transfer files to the network device, or download files from the network device. See the
following contents.
In this way, the client can use SCP to connect to the server and transfer files. The SCP server uses the SSH thread. When
connecting the network device for SCP transfer, the client uses a VTY connection. When you run the show user command,
you can find that the user type is SSH.
Operations on a Client
The SCP command is available on both Unix and Linux platforms. With Ubuntu Linux as an example, the SCP command
usage is described as follows:
File transfer examples (all the following operations are performed on Ubuntu 7.10)
Example 1:
Specify the user name as test. Copy the config.text file from the network device (IP address: 192.168.195.188) to the
local /root directory. See the following contents.
Example 2:
Specify the user name as test. Copy all files in the /tmp directory from the network device (IP address: 192.168.195.188)
to the local /root/ccc/ directory. If the /root/ccc/tmp/ directory does not exist on the local device, the directory will be
automatically created. See the following contents.
Most options are related to the client. A few options require support of both the client and the server. However,
the SCP server on Ruijie network devices does not support the options -d, -p and -q. When these options are
used, the system will prompt that they are not supported.
During file downloading, if the speed is not restricted (option -l is not used), the CPU usage of the network
device increases during downloading, and recovers to normal status after downloading ends. The console
can still be used, but other application tasks will be affected.
Configuration Examples
Networking Requirements
As shown above, to ensure the security of information exchange, PC1 and PC2 serve as SSH clients that log in to the
SSH server through the SSH protocol. The specific requirements are shown below:
Configuration Tips
There are many SSH client programs, such as Putty, Linux, OpenSSH, etc. Here we only take the client software
SecureCRT as the example to introduce how to configure the SSH client. The configuration details are given in
"Configuration Steps".
Configuration Steps
Before configuring relevant SSH features, make sure the route from SSH client to SSH server is reachable. The IP
addresses of respective interfaces are shown in the topological diagram, and the steps of IP and route configuration are
omitted herein.
Step 3: Configure the address of interface Gi 1/1. The client will use this address to connect SSH server.
Ruijie(config)#line vty 0
Ruijie(config-line)#password passzero
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#exit
Ruijie(config)#line vty 1 4
Ruijie(config-line)#password pass
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#exit
Configure SSH Client (PC1/PC2)
Open SecureCRT connection dialog box, as shown below. Use SSH1 for login authentication. Any session name can be
specified (here the session name is configured as PC1-SSH1-10.10.10.10).
Figure 1-11
Configure SSH attributes. The host name is the IP address of SSH server (10.10.10.10 in this example). Since user name
is not required by the currently-used authentication mode, you can type in any user name in the field of "User Name", but
this field cannot be left blank (the user name is "anyname" in this example).
Figure 1-12
Verification
Ruijie#show running-config
Building configuration...
!
enable secret 5 $1$eyy2$xs28FDw4s2q0tx97
enable service ssh-server
!
interface gigabitEthernet 1/1
ip address 10.10.10.10 255.255.255.0
line vty 0
privilege level 15
login
password passzero
line vty 1 4
privilege level 15
login
password pass
!
end
Verify the configurations of SSH Client
Establish connection and type in the correct password in order to enter the operating interface of SSH Server. The login
password for line 0 is "passzero", and the login password for other four lines is "pass".
Figure 1-13
Ruijie#show users
Line User Host(s) Idle Location
0 con 0 idle 00:03:16
1 vty 0 idle 00:02:16 192.168.217.10
* 2 vty 1 idle 00:00:00 192.168.217.20
Networking Requirements
As shown above, to ensure the security of information exchange, the PC serves as an SSH client that logs in to the SSH
server using the SSH protocol.
To better implement security management, SSH client adopts the AAA authentication mode. Meanwhile, for stability
consideration, two authentication methods are configured in the AAA authentication method list: Radius server
authentication and local authentication. Radius server will always be selected first, and the local authentication method
will be selected later if no reply is received from Radius server.
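The method list "group radius local" is walked in order: RADIUS is asked first, and local authentication is consulted only when RADIUS does not answer. The following is an added example, not Ruijie code, that models this walk over constructed stand-ins for the RADIUS server and the local user database; the assumption that an explicit RADIUS reject ends the search (only "no reply" falls through to local) is ours, not a statement from this guide.

```python
# Added example (not Ruijie code): a model of how the login method list
# "group radius local" is walked. The RADIUS server and local user database
# are constructed stand-ins; treating an explicit RADIUS reject as final (only
# "no reply" falls through to the next method) is an assumption.

ACCEPT, REJECT, NO_REPLY = "accept", "reject", "no-reply"

# constructed local user database, mirroring the guide's "username ..." lines
LOCAL_USERS = {"user1": "111", "user2": "222", "user3": "333"}

# constructed RADIUS account, mirroring the SAM server administrator in the guide
RADIUS_USERS = {"user": "pass"}


def parse_method_list(methods):
    """Split 'group radius local' into ['group radius', 'local']."""
    tokens = methods.split()
    result = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            result.append("group " + tokens[i + 1])   # 'group' names a server group
            i += 2
        else:
            result.append(tokens[i])
            i += 1
    return result


def radius_auth(username, password, server_reachable):
    """Stand-in for the RADIUS exchange with the configured server."""
    if not server_reachable:
        return NO_REPLY                      # request timed out, no verdict
    return ACCEPT if RADIUS_USERS.get(username) == password else REJECT


def local_auth(username, password):
    """Stand-in for lookup in the device's local user database."""
    return ACCEPT if LOCAL_USERS.get(username) == password else REJECT


def authenticate(method_list, username, password, radius_reachable=True):
    """Return (granted, method_that_decided). A method that gives no answer
    hands over to the next one; an explicit accept or reject is final."""
    for method in parse_method_list(method_list):
        if method == "group radius":
            verdict = radius_auth(username, password, radius_reachable)
        elif method == "local":
            verdict = local_auth(username, password)
        else:
            raise ValueError("unknown method: " + method)
        if verdict == NO_REPLY:
            continue                          # fall through to the next method
        return verdict == ACCEPT, method
    return False, "none"                      # no method answered: deny
```

The distinction between "no reply" and "reject" is what keeps the local fallback from becoming a way around a central denial.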
Configuration Tips
The route from the SSH client to the SSH server and the route from the SSH server to the Radius client shall be reachable.
Complete the SSH server related configuration on the network device. The configuration tips have been described in
the previous example and are not repeated here.
Complete the AAA authentication related configuration on the network device. AAA defines the authentication type and
method by creating a method list, which is then applied to the specific service or interface. Details are given in the
section "Configuration Steps".
Configuration Steps
The route from SSH client to SSH server and the route from SSH client to Radius server shall be reachable. Route related
configurations won't be further introduced. Please refer to the section of route configuration in this manual.
Step 3: Configure the IP address of device. The client will use this address to connect SSH server.
Ruijie(config-if-gigabitEthernet 1/1)#exit
Configure relevant features of AAA authentication on the network device
Ruijie#configure terminal
Ruijie(config)#aaa new-model
Step 2: Configure information about the Radius server (the shared key used by the device for communicating with the RADIUS server
is "aaaradius").
! Configure login authentication method list (Radius first, followed by Local), and the name of method list shall be
"method".
Ruijie(config)#line vty 0 4
Ruijie(config-line)#login authentication method
Ruijie(config-line)#exit
! Configure local user database (configure user name and password, and bind the privilege level)
Ruijie(config)#enable secret w
Verification
Ruijie#show run
aaa new-model
!
aaa authentication login method group radius local
!
username user1 password 111
username user2 password 222
username user2 privilege 10
username user3 password 333
no service password-encryption
!
radius-server host 192.168.32.120
radius-server key aaaradius
enable secret 5 $1$hbgz$ArCsyqty6yyzzp03
enable service ssh-server
!
interface gigabitEthernet 1/1
no ip proxy-arp
ip address 192.168.217.81 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.217.1
!
line con 0
line vty 0 4
login authentication method
!
end
Step 2: Configure Radius Server. This example configures the SAM server.
In "System Management-Device Management", type in device IP of "192.168.217.81" and device key of "aaaradius";
In "Security Management - Device Management Privilege", configure the privilege level for the login user;
In "Security Management - Device Administrator", type in the user name of "user" and password of "pass".
SSH client configuration and connection establishment: please refer to the previous example.
Type in the correct password: "user" for SSH user name and "pass" for password. The user will login successfully.
Ruijie#show users
Line User Host(s) Idle Location
0 con 0 idle 00:00:31
* 1 vty 0 user idle 00:00:33 192.168.217.60
RG-WLAN Series Access Point RGOS Configuration Guide,
Release 11.1(5)B6
System Configuration
4. Configuring RMON
5. Configuring SNMP
7. Configuring Syslog
8. Configuring RLOG
9. Configuring CWMP
This chapter describes how to use the command line interface (CLI). You can manage network devices through the
command line interface.
Command Mode
Getting Help
Abbreviating Commands
Using no and default Options
Understanding CLI Error Messages
Using History Commands
Using Editing Features
Filtering and Looking Up CLI Output Information
Using Command Alias
Accessing CLI
Command Mode
The management interface of Ruijie network devices falls into multiple modes. The command mode you are working with
determines the commands you can use.
To list the usable commands in each mode, enter a question mark (?) at the command prompt.
After setting up a session connection to the network device management interface, you enter in user EXEC mode first. In
user EXEC mode, only a few commands are usable with limited functions, for example, command show. The command
results are not saved.
To use all commands, enter privileged EXEC mode with the privileged password. Then you can use all privileged
commands and enter global configuration mode.
Using commands in a configuration mode (for instance, global configuration or interface configuration) will influence the
current configuration. If you have saved the configuration information, these commands will be saved and executed when
the system restarts. To enter any of the configuration modes, first enter global configuration mode.
The following table lists the command modes, access methods, prompts, and exit methods. Suppose the equipment is
named "Ruijie" by default.
Getting Help
To obtain a list of commands that are available in each command mode, enter a question mark (?) at the command
prompt. You can also obtain a list of command keywords beginning with the same characters, or the parameters of each
command. See the following table.
Command Function
help Obtain a brief description of the help system in any command mode.
abbreviated-command-entry? Obtain a list of commands that begin with a particular character string. (Do not leave a space between the keyword and the question mark.) For example:
Ruijie# di?
dir disable
abbreviated-command-entry<Tab> Complete a partial command name. For example:
Ruijie# show conf<Tab>
Ruijie# show configuration
? List a command's associated keywords. (Leave a space between the keyword and the question mark.) For example:
Ruijie# show ?
command keyword ? List a command's associated arguments. (Leave a space between the keyword and the question mark.) For example:
Ruijie(config)# snmp-server community ?
WORD SNMP community string
Abbreviating Commands
To abbreviate a command, simply enter the part of the command that uniquely identifies it.
If the entered command cannot be uniquely identified, the system prompts "Ambiguous command:".
Configuration Guide Configuring Command Line Interface
For example, when you want to view the information about access lists, the following command is not complete.
Almost all commands have the no option generally used to disable a feature or function or perform a reversed action of
the command. For example, the no shutdown command turns on the interface, the opposite operation of the shutdown
command. You can use the commands without the no option to enable the features that have been disabled or are
disabled by default.
Most configuration commands have the default option that restores the command setting to its default. Most commands
are disabled by default. In this case, the default and no options generally serve the same purpose. However, some
commands are enabled by default. In this case, the default and no options serve different purposes, where the default
option enables the command and restores the arguments to the default settings.
The following table lists the error prompt messages that may occur when you use the CLI to manage equipment.
The system records the commands you have input recently, which is very useful when you input a long and complex
command again.
To re-execute the commands you have input from the historical records, perform the following operations.
Operation Result
This section describes the editing functions that may be used for command line edit, including:
When editing a command line, you can move the cursor using the shortcut keys in the following table:
For example, the contents of the mac-address-table static command may exceed the screen width. When the cursor
approaches the line end for the first time, the whole line moves left by 20 characters, and the hidden beginning part is
replaced by "$" on the screen. The line moves left by another 20 characters each time the cursor reaches the right border.
Now you can press Ctrl+A to return to the beginning of the command line. In this case, the hidden ending part is replaced
by "$".
Combined with historical commands, the sliding window enables you to invoke complicated commands repeatedly. For
details about shortcut keys, see Edit Shortcut Keys.
Command Function
Ruijie# show any-command | begin regular-expression Look up the specified content in the output of the show command, and output the first line that contains this content together with all subsequent lines.
The information to be looked up is case sensitive, and the following is the same.
To filter the specified content in the information output by the show command, execute the following commands:
Command Description
Ruijie# show any-command | exclude regular-expression Filter the output of the show command, and output all lines except those that contain the specified content.
Ruijie# show any-command | include regular-expression Filter the output of the show command, and output only the lines that contain the specified content. All other lines are filtered out.
To look up and filter the contents output by the show command, it is necessary to input the pipeline sign
( vertical line, “|” ) followed by lookup and filtration rules and contents ( characters or strings ). The contents
to be looked up and filtered are case sensitive.
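The three pipe filters are easy to model precisely, which helps when you script checks against saved running configurations. The following is an added example, not Ruijie code; it re-implements begin, include and exclude with case-sensitive regular-expression matching and runs them over a constructed running-config excerpt.

```python
# Added example (not Ruijie code): a re-implementation of the begin / include /
# exclude output filters described above, run over a constructed running-config
# excerpt so the behaviour can be checked offline.
import re

# constructed sample output, shaped like the guide's show running-config example
SAMPLE_OUTPUT = """\
Building configuration...
!
enable service ssh-server
!
interface gigabitEthernet 1/1
 ip address 10.10.10.10 255.255.255.0
line vty 0
 privilege level 15
 login
 password passzero
line vty 1 4
 privilege level 15
 login
 password pass
!
end"""


def filter_lines(output, mode, pattern):
    """Apply one pipe filter. Matching is a case-sensitive regular-expression
    search, as on the device."""
    regex = re.compile(pattern)
    lines = output.splitlines()
    if mode == "begin":
        # everything from the first matching line to the end of the output
        for index, line in enumerate(lines):
            if regex.search(line):
                return lines[index:]
        return []
    if mode == "include":
        return [line for line in lines if regex.search(line)]
    if mode == "exclude":
        return [line for line in lines if not regex.search(line)]
    raise ValueError("unknown filter: " + mode)


def run_show(command_line, outputs):
    """Resolve 'show x | include regex' against a dict of canned show outputs."""
    if "|" not in command_line:
        return outputs[command_line.strip()].splitlines()
    command, rule = command_line.split("|", 1)
    mode, _, pattern = rule.strip().partition(" ")
    return filter_lines(outputs[command.strip()], mode, pattern)
```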
The system provides the command alias function. Any word can be specified as the alias of a command. For example,
you can define the word “mygateway” as the alias of “ip route 0.0.0.0 0.0.0.0 192.1.1.1”. Inputting this word is equal to
inputting the whole string.
You can use one word to replace one command by configuring an alias for the command. For example, you can define an
alias to represent the front part of one command, and then continue to enter the following part.
The command that an alias represents must run in the mode for which you have defined the alias in the current system. In global
configuration mode, enter alias ? to list all command modes in which aliases can be configured.
Ruijie(config)#alias ?
aaa-gs AAA server group mode
acl acl configure mode
bgp Configure bgp Protocol
config globle configure mode
......
An alias supports help information. An alias appears with an asterisk (*) before it in the following format:
*command-alias=original-command
For example, in EXEC mode, the alias "s" indicates the show command by default. Enter "s?"
to obtain the help information on the command and the aliases beginning with "s".
Ruijie#s?
*s=show show start-chat start-terminal-service
If the command that an alias represents has more than one word, the command will be included by the quotation marks.
As shown in the following example, configure the alias “sv” to replace the show version command in the EXEC mode.
Ruijie#s?
*s=show *sv="show version" show start-chat
start-terminal-service
An alias must begin with the first character of the command line entered without any blank before it. As shown in the
above example, the alias is invalid if you have inputted a blank before the command.
Ruijie# s?
show start-chat start-terminal-service
An alias can also be used to get help information on command parameters. For example, the alias "ia"
represents "ip address" in the interface configuration mode.
Ruijie(config-if)#ia ?
A.B.C.D IP address
dhcp IP Address via DHCP
Ruijie(config-if)#ip address
This lists the parameter information after the command "ip address" and replaces the alias with the actual command.
An alias must be entered in full to be used. Otherwise, it cannot be identified.
Use the show aliases command to view the setting of aliases in the system.
Accessing CLI
Before using the CLI, you need to connect a terminal or PC to the network device and power the device on.
After the hardware and software have initialized, you can use the CLI. If the network device is used for the first time, you can
only connect to it through the serial port (Console), which is referred to as out-of-band management. In
addition, after performing the corresponding configuration, you can connect to and manage the network device through a
Telnet virtual terminal. In either case, you can access the command line interface.
Configuration Guide Configuring Basic Switch Management
For more information about the usage and description of the CLI commands mentioned in this chapter, see
the Reference Configuration of Switch Management Command.
Overview
A simple way to manage terminals' access to a network is to use passwords and assign privilege levels. A password
restricts access to a network or network devices. Privilege levels define the commands users can use after they have
logged in to a network device.
From the security perspective, the password is stored in the configuration file, so it must remain protected when the
configuration file is transmitted across a network, for example over TFTP. The password is therefore encrypted before
being stored in the configuration file, converting the clear text password into a cipher text password. The enable secret
command uses a private encryption algorithm.
Command Function
Ruijie(config)# enable password [ level level ] { password | encryption-type encrypted-password } Set a static password. You can set a level-15 static password only when no level-15 security password is configured. If a non-level-15 password is set, the system shows a prompt and automatically converts it into a security password. If you set a level-15 static password that is the same as the level-15 security password, the system shows a warning message.
Ruijie(config)# enable secret [ level level ] { encryption-type encrypted-password } Set the security password, which has the same function as the static password but a better password encryption algorithm. For security, it is recommended to use the security password.
Ruijie# enable [ level ] and Ruijie# disable [ level ] Switch between user levels. To switch from a lower level to a higher level, you need to input the password for the higher level.
When you set a password, the keyword level defines the password for a specific privilege level. Once set, the
password applies only to users at that level.
When no password is set for a privileged user level, you can enter privileged EXEC mode without password
authentication. For security, it is recommended that you set a password for the privileged user level.
Command Purpose
Ruijie(config-line)# password password
    Specify a line password.
Ruijie(config-line)# login
    Enable line password protection.
If no login authentication is configured, password authentication at the line level is ignored even when a
line password is configured. Login authentication is described in the next section.
Command Purpose
Ruijie(config-line)# lockable
    Enable locking of the line terminal.
Ruijie# lock
    Lock the current line terminal.
Overview
The previous section described how to control access to network devices by configuring a locally stored password. In
addition to line password protection and local authentication, in AAA mode the management privilege of users can be
authenticated against their usernames and passwords on a server when they log on to the switch; a RADIUS server is
used as the example here.
With a RADIUS server, the network device sends the encrypted user information to the RADIUS server for authentication
rather than checking it against locally stored credentials. User information such as user name, password, shared key and
access policy is configured consistently on the RADIUS server, which simplifies the management and control of user
access and improves the security of user information.
To enable the username identity authentication, run the following specific commands in the global configuration mode:
Command Function
username name [login mode {aux | console | ssh | telnet}] [online amount number] [permission oper-mode path] [privilege privilege-level] [reject remote-login] [web-auth] [pwd-modify] [nopassword | password [0 | 7] text-string]
    Enable username identity authentication with an encrypted password.
Command Function
Ruijie(config-line)# login local
    Set local authentication for line login in non-AAA mode.
Ruijie(config-line)# login authentication {default | list-name}
    Set AAA authentication for line login in AAA mode. The methods in the AAA method list are used for
    authentication, including RADIUS authentication, local authentication and no authentication.
For more information on how to set AAA mode, configure Radius service and configure the method list, see
the sections for AAA configuration.
To import user information from a file, use the following command in privileged EXEC mode:
Command Function
username import filename
    Import user information from a file. filename: name of the file.
Command Function
username export filename
    Export user information to a file. filename: name of the file.
Overview
Every switch has a system clock, which provides the date (year, month, day), the time (hour, minute, second) and the
day of the week. When you use a switch for the first time, you must configure the system clock manually; you can also
adjust it whenever necessary. The system clock is used by functions such as system logging that need to record the
time at which an event occurs.
However, on network devices that do not provide a hardware clock, setting the time manually configures only the
software clock, which is valid only until the next power-off: when the network device is powered off, the manually set
time is lost.
Command Function
Ruijie# clock set hh:mm:ss month day year
    Set the system date and time.
Ruijie# clock set 10:10:12 6 20 2003 //Set system time and date.
If the hardware clock and the software clock are out of step, the software clock is the more accurate one. Run the
clock update-calendar command to copy the date and time of the software clock to the hardware clock.
In privileged EXEC mode, run the clock update-calendar command to overwrite the hardware clock with the value of
the software clock.
Command Function
Ruijie# clock update-calendar
    Update the hardware clock from the software clock.
Run the command below to copy the current date and time of the software clock to the hardware clock.
Scheduled Restart
Overview
This section describes how to use the reload [modifiers] command to schedule a restart of the system at a specified
time. This is useful in some circumstances, for example for testing.
Modifiers are a set of options provided by the reload command that make it more flexible. The optional modifiers are
in, at and cancel. The details are as follows:
reload in
This command restarts the system after a fixed interval given in the format mmm or hhh:mm. string is a help prompt:
you can give the scheme a memorable name to indicate its purpose. For example, to reload the system in 10 minutes
for a test, type reload in 10 test.
reload at
This command restarts the system at a specified time in the future, which must not be more than 200 days from the
current system time. string is used as above. For example, if the current system time is 14:31 on January 10, 2005,
and you want the system to reload tomorrow, you can enter reload at 08:30 11 1 2005 newday. If the current system
time is 14:31 on December 10, 2005, and you want the system to reload at 12:00 a.m. on January 1, 2006, you can
enter reload at 12:00 1 1 2006 newyear.
reload cancel
This command deletes the restart scheme specified by the user. If, as above, you have scheduled the system to
reload at 8:30 a.m. tomorrow, that setting is removed when you enter reload cancel.
The at option can be used only if the system supports the clock function. Before using it, configure the system
clock as needed. If a restart scheme has already been set, later settings overwrite the earlier ones. If a restart
scheme has been set and the system is restarted before the scheme takes effect, the scheme is lost.
The time in the restart scheme must be later than the current system time and within 200 days of it. Also, after
you set a reload, do not change the system clock; otherwise the setting may fail to take effect, for example if the
system time is set to a value after the reload time.
Command Function
Ruijie# reload at hh:mm day month year [reload-reason]
    The system will reload at hh:mm, month day, year. reload-reason (if any) indicates the reason for the reload.
The following example schedules a system reload at 12:00 a.m. on January 11, 2005 (assuming the current system
clock reads 8:30 a.m. on January 11, 2005):
Ruijie# reload at 12:00 1 11 2005 midday //Set the reload time and date.
Ruijie# show reload //Confirm the modification takes effect.
Reload scheduled for 2005-01-11 12:00 (in 3 hours 29 minutes)16581 seconds.
At 2005-01-11 12:00
Reload reason: midday
Command Function
Ruijie# reload in mmm [reload-reason]
    Configure the system to reload in mmm minutes, where the reload reason is given by reload-reason (if entered).
Ruijie# reload in hhh:mm [reload-reason]
    Configure the system to reload in hhh hours and mm minutes, where the reload reason is given by reload-reason
    (if entered).
The following example shows how to reload the system in 125 minutes (assuming the current system time is 12:00
a.m. on January 10, 2005):
Or
Immediate Restart
The reload command without any parameters restarts the device immediately. In privileged EXEC mode, type reload to
restart the system immediately.
Command Function
Ruijie# reload cancel
    Delete the configured restart scheme.
If no reload scheme is configured, an error message is shown for this operation.
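The scheduling rules above (a new scheme replaces the previous one, an at time must be later than the current clock and within 200 days of it, cancel fails when no scheme exists) are modelled in the following Python class, an added example written for this guide and not RGOS code. It assumes the system clock is passed in explicitly and takes the date fields as named arguments, since the chapter's examples do not agree on the positional day and month order.

```python
"""Model of the reload scheduling rules from this section (added example,
not RGOS code). The clock is injected so the rules can be checked offline;
the date fields of 'at' are keyword arguments rather than a positional
string, which sidesteps the day/month ordering question."""
from datetime import datetime, timedelta

MAX_AHEAD = timedelta(days=200)   # the 200-day limit stated in the guide


class ReloadScheduler:
    def __init__(self, clock):
        self.clock = clock          # current system time (datetime)
        self.target = None          # scheduled restart time, or None
        self.reason = None          # optional reload-reason string

    def at(self, hour, minute, day, month, year, reason=None):
        """reload at hh:mm day month year [reload-reason]; returns seconds until reload."""
        target = datetime(year, month, day, hour, minute)
        delta = target - self.clock
        if delta <= timedelta(0):
            raise ValueError("reload time must be later than the current system time")
        if delta > MAX_AHEAD:
            raise ValueError("reload time must be within 200 days of the current time")
        self.target, self.reason = target, reason   # a new scheme overwrites the old one
        return int(delta.total_seconds())

    def in_(self, spec, reason=None):
        """reload in {mmm | hhh:mm} [reload-reason]; returns seconds until reload."""
        if ":" in spec:
            hours, minutes = spec.split(":", 1)
            total_minutes = int(hours) * 60 + int(minutes)
        else:
            total_minutes = int(spec)
        if total_minutes <= 0:
            raise ValueError("interval must be positive")
        self.target = self.clock + timedelta(minutes=total_minutes)
        self.reason = reason
        return total_minutes * 60

    def cancel(self):
        """reload cancel: an error when no scheme is configured."""
        if self.target is None:
            raise ValueError("no reload scheme is configured")
        self.target = self.reason = None

    def show(self):
        """Text in the spirit of 'show reload', or None when nothing is scheduled."""
        if self.target is None:
            return None
        secs = int((self.target - self.clock).total_seconds())
        hours, rem = divmod(secs, 3600)
        lines = [f"Reload scheduled for {self.target:%Y-%m-%d %H:%M} "
                 f"(in {hours} hours {rem // 60} minutes) {secs} seconds."]
        if self.reason:
            lines.append(f"Reload reason: {self.reason}")
        return "\n".join(lines)


if __name__ == "__main__":
    # Constructed clock matching the chapter's example: 08:30 on January 11, 2005.
    sched = ReloadScheduler(datetime(2005, 1, 11, 8, 30))
    sched.at(12, 0, 11, 1, 2005, reason="midday")
    print(sched.show())
```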
Overview
For easy management, you can configure a system name for the switch to identify it. If the system name is longer than
32 characters, its first 32 characters are used as the system prompt. The prompt varies with the system name.
By default, the system name and command prompt are device-specific names, for example "S2924G" or "R2692".
Command Function
To restore the name to the default value, use the no hostname command in the global configuration mode. The following
example changes the equipment name to RGOS:
Command Function
Ruijie# prompt string
    Set the command prompt using printable characters. If the name exceeds 32 characters, the first 32 characters
    are used.
To restore the prompt to the default value, use the no prompt command in global configuration mode.
Banner Configuration
Overview
When a user logs in to the switch, you may need to give the user some useful information by configuring a banner. There
are two kinds of banners: message-of-the-day (MOTD) and login banner. The MOTD is meant for all users who connect to
the switch: when a user logs in, the notification message appears on the terminal. The MOTD lets you send urgent
messages (for example, that the system is about to be shut down) to network users. The login banner also appears on
all connected terminals and provides general login messages. By default, neither the MOTD nor the login banner is
configured.
Command Function
The system discards all the characters next to the terminating symbol.
When you log in to the device, the MOTD message is displayed first, then the login banner message. After you have
logged in, the EXEC message or the incoming message is displayed: for a reverse Telnet session the incoming message,
otherwise the EXEC message.
The messages apply to all lines. To disable display of the EXEC message on a specific line, configure the no
exec-banner command on that line.
The system discards all the characters next to the terminating symbol.
When you log in to the device, the MOTD message is displayed first, then the login banner message. After you have
logged in, the welcome message or the prompt message is displayed: for a reverse Telnet session the prompt message,
otherwise the welcome message.
The following example configures a prompt message for a reverse Telnet session.
Configuring a Message-of-the-Day
You can create a notification of single or multi-line messages that appears when a user logs in the switch. To configure
the message of the day, execute the following commands in the global configuration mode:
Command Function
To delete the MOTD, use the no banner motd command in global configuration mode. The following example shows
how to configure an MOTD. The # symbol is used as the delimiter, and the text is "Notice: system will shutdown
on July 6th."
Command Function
Ruijie(config)# banner login c message c
    Specify the text of the login banner, with c being the delimiter, for example a pound sign (#). After entering
    the delimiter, press Enter; you can then type the text. Enter the delimiter again and press Enter to finish.
    Any characters typed after the end delimiter are discarded by the system. The delimiter cannot be used in the
    text of the login banner, and the text must be no more than 255 bytes.
To delete the login banner, use the no banner login command in the global configuration mode.
The following example shows how to configure a login banner. The pound sign (#) is used as the starting and end
delimiters and the text of the login banner is "Access for authorized users only. Please enter your password."
The system discards all the characters next to the terminating symbol.
When the SLIP/PPP session is created, the slip-ppp message is displayed on the corresponding terminal.
The following example configures the banner slip-ppp message for the SLIP/PPP session.
Displaying a Banner
A banner is displayed when you log in the network device. See the following example:
C:\>telnet 192.168.65.236
Notice: system will shutdown on July 6th.
Access for authorized users only. Please enter your password.
User Access Verification
Password:
As you can see, “Notice: system will shutdown on July 6th." is a MOTD banner and "Access for authorized users only.
Please enter your password." is a login banner.
Overview
You can view some system information with the show command on the command-line interface, such as version, device
information, and so on.
Command Function
Ruijie# show version
    Show system information.
For the sequence number, run the show version command on the main program interface to view SYSTEMUPTIME in
the form DD:HH:MM:SS.
During upgrading, the running software version may be different from the version in the file system. In this
case, the main program version shown by running the show version command is the one running in the
memory, but the Boot/Ctrl version is the one saved in Flash.
Command Function
Ruijie# show version devices
    Show device information.
Ruijie# show version slots
    Show information about slots and modules.
Overview
The switch provides a console interface for management. When using the switch for the first time, you must configure it
through the console interface. You can change the console rate on the device if necessary. Note that the rate of the
terminal used to manage the switch must match the rate of the console interface on the switch.
Command Function
Ruijie(config-line)# speed speed
    Set the transmission rate in bps on the console interface. For a serial interface, the rate can only be one of
    9600, 19200, 38400, 57600 and 115200 bps; the default is 9600 bps.
This example shows how to configure the baud rate of the serial interface to 57600 bps:
Configuring Telnet
Overview
Telnet, an application-layer protocol in the TCP/IP protocol suite, specifies remote login and virtual terminal
communication. The Telnet client service lets a local or remote user who has logged on to the local network device use
the Telnet client program to access other remote systems on the network. As shown below, after setting up a connection
with Switch A through a terminal emulation program or Telnet, the user can log on to Switch B for management and
configuration with the telnet command.
Command Function
Ruijie# telnet host [port] [/source {ip A.B.C.D | ipv6 X:X:X::X | interface interface-name}] [/vrf vrf-name] [via mgmt-name]
    Log on to a remote device via Telnet. host may be an IPv4 or IPv6 host name or an IPv4 or IPv6 address. For
    the supported optional parameters, refer to the telnet command section in Basic Configuration Management
    Command.
The following example shows how to establish a Telnet session and manage the remote device with the IP address
192.168.65.119:
Ruijie# telnet 192.168.65.119 //Establish the telnet session to the remote device
Trying 192.168.65.119 ... Open
User Access Verification //Enter into the logon interface of the remote device
Password:
The following example shows how to establish a Telnet session and manage the remote device with the IPv6 address
2AAA:BBBB::CCCC:
Ruijie# telnet 2AAA:BBBB::CCCC //Establish the telnet session to the remote device
Trying 2AAA:BBBB::CCCC ... Open
User Access Verification //Enter into the logon interface of the remote device
Password:
The following example shows how to establish a Telnet session to IPv4 address 192.168.1.1 and specifies the MGMT port
for the oob option used by the Telnet client.
Overview
You can control the connections that a device has set up (including the accepted connections and the session between
the device and a remote terminal) by configuring the connection timeout time for the device. When the idle time exceeds
the set value and there is no input or output, this connection will be interrupted.
Connection Timeout
When there is no information traveling through an accepted connection within a specified time, the server will interrupt this
connection.
Our products provide commands to configure the connection timeout in the line configuration mode.
Command Function
Ruijie(config-line)# exec-timeout 20
    Configure the timeout for an accepted connection. When the configured time expires with no input, the
    connection is interrupted.
The connection timeout setting can be removed by using the no exec-timeout command in the line configuration mode.
Session Timeout
When there is no input for the session established with a remote terminal over the current line within the specified time,
the session will be interrupted and the remote terminal becomes idle.
RGOS provides commands in the line configuration mode to configure the timeout for the session set up with the remote
terminal.
Command Function
Ruijie(config-line)# session-timeout 20
    Configure the timeout for the session set up with the remote terminal over the line. If there is no input within
    the specified time, the session is interrupted.
The timeout setting for the session set up with the remote terminal over the line can be removed by using the no
exec-timeout command in the line configuration mode.
During operation, you can adjust services dynamically, enabling or disabling the specified services (SNMP Server, SSH
Server, Telnet Server, Web Server).
Command Function
Ruijie(config)# enable service snmp-agent
    Enable the SNMP Server.
Ruijie(config)# enable service ssh-server
    Enable the SSH Server.
Ruijie(config)# enable service telnet-server
    Enable the Telnet Server.
Ruijie(config)# enable service web-server
    Enable the HTTP Server.
In global configuration mode, use the no enable service command to disable the corresponding service.
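The settings this chapter recommends (a security password instead of a static one, a line password that is only honoured together with login, an exec-timeout on every line, and the Telnet server left disabled in favour of SSH) can be audited from a saved configuration. The following Python script is an added example written for this guide, not Ruijie code; it assumes the command syntax shown in this chapter, that line-mode commands are indented under their line command, and the two configurations it checks are constructed samples.

```python
"""Audit a Ruijie-style running-config excerpt for the basic management
settings described in this chapter (added example, not Ruijie code).
Assumptions: command syntax as shown in the chapter, line-mode commands
indented by one space under their 'line ...' command; both configs below
are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class LineBlock:
    """One 'line ...' section and its sub-commands."""
    name: str
    commands: list = field(default_factory=list)


def parse_config(text):
    """Split config text into global commands and per-line blocks."""
    global_cmds, blocks, current = [], [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or comment
        if raw.startswith(" "):
            if current is not None:       # sub-command of the open line block
                current.commands.append(raw.strip())
            continue
        cmd = raw.strip()
        current = None
        if cmd.startswith("line "):
            current = LineBlock(cmd)
            blocks.append(current)
        else:
            global_cmds.append(cmd)
    return global_cmds, blocks


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    global_cmds, blocks = parse_config(text)
    findings = []
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_static = any(c.startswith("enable password") for c in global_cmds)
    if has_static and not has_secret:
        findings.append("enable password without enable secret: the static "
                        "password uses the weaker encryption algorithm")
    if not has_static and not has_secret:
        findings.append("no privileged-level password: privileged EXEC mode "
                        "is reachable without authentication")
    if "enable service telnet-server" in global_cmds:
        findings.append("telnet-server enabled: Telnet logons are not "
                        "encrypted, prefer ssh-server")
    for blk in blocks:
        cmds = blk.commands
        has_line_pw = any(c.startswith("password ") for c in cmds)
        has_login = any(c == "login" or c.startswith("login ") for c in cmds)
        if has_line_pw and not has_login:
            findings.append(f"{blk.name}: line password set but no login "
                            "command, so the password is ignored")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{blk.name}: no exec-timeout, idle connections "
                            "are never interrupted")
    return findings


# Constructed weak config: static password only, Telnet on, lines without login.
WEAK_CONFIG = """\
hostname RGOS
enable password level 15 0 plainpass
username admin privilege 15 password 0 admin123
enable service telnet-server
enable service ssh-server
line console 0
 password 0 console123
 exec-timeout 10
line vty 0 4
 password 0 vtypass
 session-timeout 20
"""

# Constructed hardened config following the chapter's recommendations.
HARDENED_CONFIG = """\
hostname RGOS
enable secret level 15 0 strongpass
username admin privilege 15 password 0 admin123
enable service ssh-server
line console 0
 login local
 exec-timeout 10
line vty 0 4
 login authentication default
 exec-timeout 10
 session-timeout 20
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print("WEAK:", finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```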
Command Function
help
    Display help information in global configuration mode, privileged EXEC mode or interface configuration mode.
This command displays brief information about the help system. You can use "?" to display all commands or a
specified command with its parameters.
The following example displays brief information about the help system.
Ruijie#help
Help may be requested at any point in a command by entering
a question mark '?'. If nothing matches, the help list will
be empty and you must backup until entering a '?' shows the
available options.
Two styles of help are provided:
1. Full help is available when you are ready to enter a
command argument (e.g. 'show ?') and describes each possible
argument.
2. Partial help is provided when an abbreviated argument is entered
and you want to know what arguments match the input
(e.g. 'show pr?'.)
The following example displays all available commands in interface configuration mode.
Ruijie(config-if-GigabitEthernet 0/0)#?
Interface configuration commands:
arp ARP interface subcommands
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
dampening Enable event dampening
default Set a command to its defaults
description Interface specific description
dldp Exec data link detection command
duplex Configure duplex operation
efm Config efm for an interface
end Exit from interface configuration mode
exit Exit from interface configuration mode
expert Expert extended ACL
flowcontrol Set the flow-control value for an interface
full-duplex Force full duplex operation
global Global ACL
gvrp GVRP configure command
half-duplex Force half duplex operation
Overview
After entering the specific LINE mode, you can configure the specified line. Execute the following command to enter the
specified LINE mode:
Command Function
Ruijie(config)# line [aux | console | tty | vty] first-line [last-line]
    Enter the specified LINE mode.
Command Function
Ruijie(config)# line vty line-number
    Increase the number of VTY lines to the specified value.
Ruijie(config)# no line vty line-number
    Decrease the number of VTY lines to the specified value.
Command Description
configure terminal
    Enter the configuration mode.
line vty first-line [last-line]
    Enter line configuration mode.
transport input {all | ssh | telnet | none}
    Configure the protocol used to communicate on the line.
Configuration Guide Configuring LINE Mode
Command Description
configure terminal
    Enter the configuration mode.
line vty first-line [last-line]
    Enter line configuration mode.
access-class {access-list-number | access-list-name} {in | out}
    Control login to the terminal through an IPv4 ACL.
no access-class {access-list-number | access-list-name} {in | out}
    Remove the configuration.
Command Description
accounting commands level {default | list-name}
    Enable command accounting in LINE configuration mode. level: command level, in the range from 0 to 15;
    commands of this level are accounted when executed. default: default authorization list name. list-name:
    optional list name.
no accounting commands level
    Restore the default setting.
This function is used together with AAA authorization. Configure AAA command accounting first, and then apply it on the
line.
The following example enables command accounting in line VTY 1 and sets the command level to 15.
Command Description
This function is used together with AAA authorization. Configure AAA EXEC accounting first, and then apply it on the line.
Command Description
authorization commands level {default | list-name}
    Enable authorization of commands in LINE configuration mode. level: command level, in the range from 0 to 15;
    commands of this level are executed after authorization is performed. default: default authorization list
    name. list-name: optional list name.
no authorization commands level
    Restore the default setting.
This function is used together with AAA authorization. Configure AAA authorization first, and then apply it on the line.
Command Description
authorization {default | list-name}
    Enable EXEC authorization in line configuration mode. default: default authorization list name. list-name:
    optional list name.
no authorization exec
    Restore the default setting.
This function is used together with AAA authorization. Configure AAA EXEC authorization first, and then apply it on the
line.
This command is used to clear connection status of the line and restore the line to the unoccupied status to create new
connections.
The following example clears connection status of line VTY 13. The connected session on the client (such as Telnet and
SSH) in the line is disconnected immediately.
Command Description
disconnect-character ascii-value
    Set the hot key that disconnects the terminal service connection, in line configuration mode. ascii-value:
    ASCII decimal value of the hot key, in the range from 0 to 255.
no disconnect-character
    Restore the default setting.
This command sets the hot key that disconnects the terminal service connection. The hot key must not be a commonly
used ASCII code such as the characters a to z, A to Z or the digits 0 to 9; otherwise the terminal service cannot
operate properly.
The following example sets the hot key that disconnects the terminal service connection on line VTY 0 5 to Ctrl+E (0x05).
Command Description
escape-character escape-value
    Set the escape character in LINE configuration mode. escape-value: ASCII value of the escape character for
    the line, in the range from 0 to 255.
no escape-character
    Restore the default setting.
After this command is configured, pressing the escape character key combination followed by x disconnects the current
session and returns to the original session.
The following example sets the escape character for the line to 23 (Ctrl+w).
Command Description
exec
    Allow the line to enter the command-line interface, in LINE configuration mode.
no exec
    Disable the default setting.
The following example bans line VTY 1 from entering the command line interface.
The following example sets the number of commands in the command history to 20 for line VTY 0 5.
The following example disables the command history for line VTY 0 5.
The following example uses the ACL named “test” to filter the outgoing IPv6 connections in line VTY 0 4.
The following example describes the line location as Switch's Line VTY 0.
The following example enables log display on the terminal in VTY line 0 5.
Command Description
privilege level level
    Set the privilege level in LINE configuration mode. level: privilege level, in the range from 0 to 15.
no privilege level
    Restore the default setting.
The following example sets the privilege level for the line VTY 0 4 to 14.
The following example sets the login refusal message for the line to “Unauthorized user cannot login to the ruijie device”.
The following example displays the information about users logged in to the line.
Command Description
speed baudrate
    Configure the baud rate in LINE configuration mode. baudrate: the baud rate, in the range from 9600 to 115200.
no speed
    Restore the default setting.
The following example sets the baud rate to 115200.
Ruijie(config-line)# speed 115200
Command Description
After this command is configured, pressing the escape character key combination followed by x disconnects the current
session and returns to the original session.
The following example sets the escape character for the current terminal to 23 (Ctrl+w).
Command Description
terminal history [size size]
    Enable command history for the line or set the number of commands kept in the command history, in privileged
    EXEC mode. size size: the maximum number of commands, in the range from 0 to 256.
terminal no history
    Disable command history.
terminal no history size
    Restore the default setting.
The following example sets the number of commands in the command history to 20 for the current terminal.
The following example disables the command history for the current terminal.
Command Description
terminal length screen-length
    Set the screen length for the current terminal in privileged EXEC mode. screen-length: the screen length, in
    the range from 0 to 512.
terminal no length
    Restore the default setting.
The following example sets the screen length for the current terminal to 10.
The following example configures the location description of the current device as "Switch's Line Vty 0".
Command Description
terminal speed baudrate
    Configure the baud rate for the current terminal in privileged EXEC mode.
terminal no speed
    Restore the default setting.
The following example sets the baud rate for the current terminal to 115200.
Command Description
terminal width screen-width
    Set the screen width for the terminal in privileged EXEC mode. screen-width: the screen width, in the range
    from 0 to 256.
terminal no width
    Restore the default setting.
The following example sets the screen width for the terminal to 10.
Command Description
The following example sets the login authentication timeout to 300 seconds for line VTY 0 5.
This command sets the logout message for the line. Characters entered after the ending delimiter are discarded. The
logout message is displayed when the user logs out.
The following example sets the logout message to “Logout from the ruijie device”.
Command Description
width screen-width
    Set the screen width for the line in LINE configuration mode. screen-width: the screen width for the line, in
    the range from 0 to 256.
no width
    Restore the default setting.
Ruijie(config-line)# width 10
Configuration Guide Configuring RMON
Configuring RMON
Overview
Remote Monitoring (RMON) is a standard monitoring specification of the IETF (Internet Engineering Task Force). It is
used to exchange network monitoring data among network monitors and console systems. In RMON, probes are placed on
network nodes, and the NMS determines which information these probes report, for example the monitored statistics
and the time buckets for collecting history. A network device such as a switch or router acts as a node on the
network, and the information of the current node can be monitored by means of RMON.
There are three stages in the development of RMON. The first stage is remote monitoring of Ethernet. The second
stage adds token ring, referred to as the token ring remote monitoring module. The third stage, known as RMON2,
extends RMON to higher-layer protocol monitoring.
The first stage of RMON (known as RMON1) contains nine groups. All of them are optional (not mandatory), but some
groups depend on other groups being supported.
The switch implements Groups 1, 2, 3 and 9: statistics, history, alarm and event.
Statistics
Statistics is the first group in RMON. It measures basic statistics for each monitored subnet. At present, only the
Ethernet interfaces of network devices can be monitored and measured. This group contains Ethernet statistics,
including discarded packets, broadcast packets, CRC errors, packet size distribution, collisions and so on.
History
History is the second group in RMON. It collects network statistics at regular intervals and keeps them for later
processing. This group contains two subgroups:
1) The History Control subgroup sets control information such as the sampling interval and the sampled data source.
2) The Ethernet History subgroup provides the administrator with historical data on network segment traffic, errors,
broadcast packets, utilization, number of collisions and other statistics.
Alarm
Alarm is the third group in RMON. It monitors a specific management information base (MIB) object at the specified
interval. When the value of this MIB object is higher than the predefined upper limit or lower than the predefined lower limit,
an alarm will be triggered. The alarm is handled as an event by means of recording the log or sending the SNMP Trap
message.
Event
Event is the ninth group in RMON. It determines whether to generate a log entry or an SNMP Trap message when an
event is generated by an alarm.
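The following Python simulation of the alarm and event groups is an added example for this guide, not Ruijie code: it samples a variable in absolute or delta mode as the rmon alarm command's sampling types do, compares the result with the rising and falling thresholds, and runs the log and trap actions of the event entry bound by number. The re-arming rule it assumes (no second rising event until the value has crossed the falling threshold, and vice versa) is the RFC 2819 RMON behaviour, which this overview does not spell out; the samples and event definitions are constructed.

```python
"""Simulation of RMON alarm and event entries (added example, not Ruijie
code). The hysteresis between rising and falling events follows RFC 2819
and is an assumption beyond what the guide states."""


class RmonEvent:
    """An entry of the Event group: what happens when an alarm fires."""

    def __init__(self, number, log=False, trap_community=None, description=""):
        self.number = number
        self.log = log                        # write a log entry
        self.trap_community = trap_community  # send an SNMP trap if set
        self.description = description

    def fire(self, alarm_number, direction, value):
        """Return the actions taken: ('log', text) and/or ('trap', community, text)."""
        actions = []
        text = f"alarm {alarm_number} {direction} value={value} {self.description}".strip()
        if self.log:
            actions.append(("log", text))
        if self.trap_community is not None:
            actions.append(("trap", self.trap_community, text))
        return actions


class RmonAlarm:
    """An entry of the Alarm group, bound to event entries by their numbers."""

    def __init__(self, number, sample_type, rising, falling,
                 rising_event=None, falling_event=None):
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample type must be absolute or delta")
        if rising <= falling:
            raise ValueError("rising threshold must exceed falling threshold")
        self.number = number
        self.sample_type = sample_type
        self.rising, self.falling = rising, falling
        self.rising_event, self.falling_event = rising_event, falling_event
        self.prev = None      # previous raw sample, used in delta mode
        self.armed = None     # direction of the last event fired; blocks repeats

    def sample(self, raw, events):
        """Feed one sample taken at the sampling interval; return fired actions."""
        if self.sample_type == "delta":
            if self.prev is None:
                self.prev = raw
                return []                     # a delta needs two samples
            value, self.prev = raw - self.prev, raw
        else:
            value = raw
        direction = ev_num = None
        if value >= self.rising and self.armed != "rising":
            direction, ev_num = "rising", self.rising_event
        elif value <= self.falling and self.armed != "falling":
            direction, ev_num = "falling", self.falling_event
        if direction is None:
            return []                         # within limits, or already fired
        self.armed = direction
        event = events.get(ev_num)
        if event is None:
            return []                         # threshold crossed, no event bound
        return event.fire(self.number, direction, value)


def run_alarm(alarm, events, samples):
    """Feed all samples in order and collect every action produced."""
    actions = []
    for raw in samples:
        actions.extend(alarm.sample(raw, events))
    return actions


if __name__ == "__main__":
    # Constructed event table: 1 logs and traps, 2 only logs.
    events = {1: RmonEvent(1, log=True, trap_community="public", description="util-high"),
              2: RmonEvent(2, log=True, description="util-normal")}
    # Constructed utilization samples for an absolute alarm (rising 80, falling 60).
    alarm = RmonAlarm(1, "absolute", 80, 60, rising_event=1, falling_event=2)
    for action in run_alarm(alarm, events, [70, 85, 90, 70, 55, 85]):
        print(action)
```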
Configuring RMON
Configuring Statistics
One of these commands can be used to add or remove a statistics entry.
Command Function
Ruijie(config-if)# rmon collection stats index [owner ownername]
    Add a statistics entry.
Ruijie(config-if)# no rmon collection stats index
    Remove a statistics entry.
The current version of the Ruijie product supports only statistics on Ethernet interfaces. The index value must be
an integer between 1 and 65535. At present, at most 100 statistics entries can be configured at the same time.
Configuring History
One of these commands can be used to add or remove a history entry.
Command Function
Ruijie(config-if)# rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]    Add a history entry.
Ruijie(config-if)# no rmon collection history index    Remove a history entry.
The current version of the Ruijie product supports only history records of Ethernet. The index value must be within
1 to 65535. At most 10 history entries can be configured.
Bucket-number: The history entry samples the specified data source once per sampling interval and saves each result.
Bucket-number is the maximum number of samples kept; when that maximum is reached, each new sample overwrites the
earliest one. The value range of Bucket-number is 1 to 65535, and its default value is 10.
Interval: Sampling interval in the range of 1 to 3600 seconds, 1800 seconds by default.
Configuration Guide Configuring RMON
Command Function
Ruijie(config)# rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [owner ownername]    Add an alarm entry.
Ruijie(config)# rmon event number [log] [trap community] [description description-string] [owner ownername]    Add an event entry.
Ruijie(config)# no rmon alarm number    Remove an alarm.
Ruijie(config)# no rmon event number    Remove an event.
Absolute: each sampled value is compared with the upper and lower limits.
Delta: the difference between the current and the previous sampled value is compared with the upper and lower limits.
Event-number: when the value rises above the upper limit or falls below the lower limit, the event with the index
Event-number is triggered.
Trap: Send a Trap message to the NMS when the event is triggered.
Community: Community string used when sending the SNMP Trap message.
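The alarm semantics above (absolute versus delta sampling, rising and falling thresholds, an event number fired on each crossing) are easy to misjudge when setting thresholds, so the following simulation is added here as an example; it is not code from the Ruijie guide, the hysteresis rule it applies is the one from the RMON standard (RFC 2819), and all counter and gauge readings are constructed.

```python
"""RMON alarm-group evaluation, simulated (added example, not from the Ruijie guide).

Models what an "rmon alarm" entry does: sample a MIB variable once per interval,
compare either the absolute value or the delta from the previous sample with the
rising and falling thresholds, and trigger the configured event number on a
crossing.  The hysteresis follows the RMON standard (RFC 2819): after a rising
event no further rising event fires until the value has reached the falling
threshold, and vice versa.  All sample readings below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str, int, Optional[int]]  # (time s, "rising"/"falling", value, event-number)


@dataclass
class RmonAlarm:
    sample_type: str                        # "absolute" or "delta", the CLI keyword
    rising_threshold: int
    falling_threshold: int
    rising_event: Optional[int] = None      # event-number for a rising crossing
    falling_event: Optional[int] = None     # event-number for a falling crossing
    last_raw: Optional[int] = field(default=None, init=False)    # previous raw sample
    last_alarm: Optional[str] = field(default=None, init=False)  # last crossing type fired
    events: List[Event] = field(default_factory=list, init=False)

    def sample(self, raw_value: int, t: int) -> Optional[str]:
        """Feed one raw sample taken at time t (seconds).  Returns "rising",
        "falling", or None when this sample triggers no event."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw_value
                return None                # a delta needs a previous sample
            value = raw_value - self.last_raw
            self.last_raw = raw_value
        elif self.sample_type == "absolute":
            value = raw_value
        else:
            raise ValueError("sample_type must be 'absolute' or 'delta'")

        # A fresh alarm (last_alarm None) may fire either way on its first
        # comparison; afterwards each direction is re-armed only by a crossing
        # of the opposite threshold.
        fired = None
        if value >= self.rising_threshold and self.last_alarm != "rising":
            fired = "rising"
        elif value <= self.falling_threshold and self.last_alarm != "falling":
            fired = "falling"
        if fired:
            self.last_alarm = fired
            ev = self.rising_event if fired == "rising" else self.falling_event
            self.events.append((t, fired, value, ev))
        return fired


def run_delta_scenario() -> List[Event]:
    """Delta alarm on a cumulative error counter sampled every 30 s, as an entry
    like 'rmon alarm 1 <errors-oid> 30 delta rising-threshold 100 1
    falling-threshold 10 2' would behave (<errors-oid> is a placeholder)."""
    alarm = RmonAlarm("delta", rising_threshold=100, falling_threshold=10,
                      rising_event=1, falling_event=2)
    counter = [0, 50, 200, 360, 380, 385, 387, 600]    # constructed readings
    for i, raw in enumerate(counter):
        alarm.sample(raw, t=i * 30)
    return alarm.events


def run_absolute_scenario() -> List[Event]:
    """Absolute alarm on a utilization gauge (percent) sampled every 30 s:
    rising-threshold 80 -> event 1, falling-threshold 40 -> event 2."""
    alarm = RmonAlarm("absolute", rising_threshold=80, falling_threshold=40,
                      rising_event=1, falling_event=2)
    gauge = [50, 85, 90, 60, 85, 35, 70]               # constructed readings
    for i, raw in enumerate(gauge):
        alarm.sample(raw, t=i * 30)
    return alarm.events


if __name__ == "__main__":
    for name, events in (("delta", run_delta_scenario()),
                         ("absolute", run_absolute_scenario())):
        for t, kind, value, ev in events:
            print(f"{name}: t={t}s {kind} crossing, sampled value {value}, event {ev}")
```

Note that in the delta run the second burst of 160 errors at t=90 s fires nothing: the rising event stays disarmed until the rate has dropped to the falling threshold.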
Configuring Statistics
If you want to get the statistics of Ethernet Port 3, use the following commands:
Configuring History
Use the following commands if you want to get the statistics of Ethernet Port 3 every 10 minutes:
owner: zhangesan,
stats: 1,
index = 1
interface = FastEthernet 0/1
owner = zhangsan
status = 0
dropEvents = 0
octets = 1884085
pkts = 3096
broadcastPkts = 161
multiPkts = 97
crcAllignErrors = 0
underSizePkts = 0
overSizePkts = 1200
fragments = 0
jabbers = 0
collisions = 0
packets64Octets = 128
packets65To127Octets = 336
packets128To255Octets = 229
packets256To511Octets = 3
packets512To1023Octets = 0
packets1024To1518Octets = 1200
Configuration Guide Configuring SNMP
Configuring SNMP
Overview
Simple Network Management Protocol (SNMP) has been a network management standard (RFC1157) since August 1988. With
support from many manufacturers, SNMP has since become the de facto network management standard, and it is suited to
interconnecting multiple systems from different manufacturers. Administrators can use SNMP to query information,
configure the network, locate failures and plan capacity for the nodes on the network. Network supervision and
administration are the basic functions of SNMP.
As an application-layer protocol, SNMP works in the client/server mode and involves the following three parts:
The SNMP network manager, also referred to as the NMS (Network Management System), is a system that controls and
monitors the network using SNMP. HP OpenView, CiscoView and CiscoWorks 2000 are typical network management platforms
running on an NMS. Ruijie has developed its own network management suite (Star View) for its network devices. Such
network management software makes it convenient to monitor and manage network devices.
The SNMP Agent is the software running on the managed devices. It receives, processes and responds to the monitoring
and control messages from the NMS, and also sends some messages to the NMS on its own initiative.
The relationship between the NMS and the SNMP Agent can be indicated as follows:
The MIB (Management Information Base) is a virtual information base for network management. A managed network device
holds a large volume of information. To uniquely identify a specific management unit in an SNMP message, the MIB uses a
tree hierarchy to describe the management units in the managed equipment; each node in the tree represents one
management unit. Take the following MIB figure as an example of how the objects in the tree are named. A specific
management unit in the network equipment is uniquely identified by a series of numbers; for instance, the number string
{1.3.6.1.2.1.1} is the object identifier of the system management unit. The MIB is thus the set of object identifiers
in the network equipment.
SNMP Versions
This software supports these SNMP versions:
SNMPv1: The first formal version of the Simple Network Management Protocol, defined in RFC1157.
SNMPv2C: The Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in
RFC1901.
SNMPv3: Offers the following security features by authenticating and encrypting packets:
1) Ensures that data is not tampered with during transmission.
2) Ensures that data comes from a valid data source.
3) Encrypts packets to ensure data confidentiality.
Both SNMPv1 and SNMPv2C use a community-based security framework: they restrict the administrator's operations on the
MIB by defining host IP addresses and community strings.
SNMPv2C adds the GetBulk retrieval mechanism and returns more detailed error information to the management station.
GetBulk allows all or a large volume of the data in a table to be retrieved in one request, reducing the number of
request and response exchanges. SNMPv2C also improves error handling by expanding the error codes, so that different
kinds of errors, which SNMPv1 represents with a single error code, can now be distinguished. Since management
workstations supporting SNMPv1 and SNMPv2C may coexist on a network, the SNMP agent must be able to recognize both
SNMPv1 and SNMPv2C messages and return the corresponding version of message.
SNMP provides the following operations:
1) Get-request: The NMS obtains one or more parameter values from the SNMP Agent.
2) Get-next-request: The NMS obtains the value of the parameter following one or more given parameters from the SNMP Agent.
3) Get-bulk: The NMS obtains a bulk of parameter values from the SNMP Agent.
4) Set-request: The NMS sets one or more parameter values on the SNMP Agent.
5) Get-response: The SNMP Agent returns one or more parameter values; this is the SNMP Agent's response to any of
the above 3 operations of the NMS.
6) Trap: The SNMP Agent proactively sends a message to notify the NMS that an event has occurred.
The first four messages are sent from the NMS to the SNMP Agent, and the last two from the SNMP Agent to the NMS
(Note: SNMPv1 does not support the Get-bulk operation). These operations are shown in the following figure:
In the first three operations the NMS sends a message to the SNMP Agent, which responds through UDP port 161. In the
Trap operation, however, the SNMP Agent sends its message to UDP port 162.
When the R2700 switching card (NM2-24ESW/NM2-16ESW) is managed via SNMP, the NM2-24ESW returns a nonexistent-port
error for ports 17-26, and the NM2-16ESW returns one for ports 25-26.
SNMP Security
Both SNMPv1 and SNMPv2 use the community string to check whether a management workstation is entitled to use MIB
objects. To manage devices, the community string of the NMS must be identical to a community string defined on the
devices. A community string carries one of two rights:
Read-only: Authorized management workstations can read all the variables in the MIB.
Read-write: Authorized management workstations can read and write all the variables in the MIB.
Based on SNMPv2, SNMPv3 determines the security mechanism used to process data from a security model and a security
level. There are three types of security models: SNMPv1, SNMPv2C and SNMPv3.
The table below describes the supported security models and security levels.
SNMP Engine ID
The engine ID uniquely identifies an SNMP engine. Every SNMP entity contains one SNMP engine, and the SNMP engine ID
identifies that entity within a management domain, so every SNMPv3 entity has a unique identifier called the SNMP
Engine ID.
The first four bytes hold the private enterprise number of the vendor (assigned by IANA), in hexadecimal.
The fifth byte indicates how the remaining bytes are to be interpreted:
0: Reserved
6-127: Reserved
Configuring SNMP traps with private fields, NE information and SNMPv3-related functions are not supported on the
AP110-W or AP120-W.
Configuring SNMP
A community string is configured with the following attributes:
Configure an ACL rule to allow the NMS with the specified IP address to manage devices.
Set the community's operation right: ReadOnly or ReadWrite.
Specify a view for view-based management. By default, no view is configured, that is, the management workstation is
allowed to access all MIB objects.
Indicate the IP address of the NMS that can use this community string. If none is indicated, any NMS can use this
community string (the default).
To configure the SNMP community string, run the following command in global configuration mode:
Command Function
Ruijie(config)# snmp-server community string [view view-name] [ro | rw] [host host-ip] [ipv6 ipv6-aclname] [aclnum | aclname]    Set the community string and its right.
One or more community strings can be specified for NMSs with different rights. To remove a community name and its
right, run the no snmp-server community string command in global configuration mode.
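As an added example (not Ruijie's code), the following Python checks the community and trap-host lines of a running-config for the permissive settings described above: a community with no host or ACL restriction, rw right with no view, a well-known community name, and trap hosts still on v1/v2c. The parser follows the command syntax given in this guide; the sample config combines lines from the guide's verification output with constructed weak entries.

```python
"""Audit the SNMP community and trap-host lines of a running-config.

Added example, not Ruijie's code.  Parses "snmp-server community" and
"snmp-server host" lines using the syntax from this guide and reports the
settings the guide itself describes as permissive.  SAMPLE_CONFIG mixes the
guide's verification output with constructed weak lines.
"""
from typing import Dict, List, Optional, Tuple

WELL_KNOWN_COMMUNITIES = {"public", "private"}

# Lines from the guide's "show running-config" example plus two constructed
# weak entries (the "public" community and the v1 trap host 192.168.3.9).
SAMPLE_CONFIG = """\
ip access-list standard a1
 10 permit host 192.168.3.2
!
snmp-server view v1 1.3.6.1.2.1.1 include
snmp-server host 192.168.3.2 traps version 2c user1
snmp-server host 192.168.3.9 traps version 1 public
snmp-server host 192.168.3.2 traps version 3 priv user1
snmp-server enable traps
snmp-server community user1 view v1 rw a1
snmp-server community public rw
"""


def parse_community(line: str) -> Dict[str, Optional[str]]:
    """snmp-server community string [view view-name] [ro | rw] [host host-ip]
    [ipv6 ipv6-aclname] [aclnum | aclname]  ->  dict of the options present.
    'right' stays None when neither ro nor rw is given (device default)."""
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "community"] or len(tokens) < 3:
        raise ValueError(f"not a community line: {line!r}")
    entry: Dict[str, Optional[str]] = {"community": tokens[2], "view": None, "right": None,
                                       "host": None, "ipv6_acl": None, "acl": None}
    keyed = {"view": "view", "host": "host", "ipv6": "ipv6_acl"}
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok in keyed:
            if i + 1 >= len(tokens):
                raise ValueError(f"missing argument after {tok!r}")
            entry[keyed[tok]] = tokens[i + 1]
            i += 2
        elif tok in ("ro", "rw"):
            entry["right"] = tok
            i += 1
        else:
            entry["acl"] = tok          # trailing aclnum | aclname
            i += 1
    return entry


def parse_host(line: str) -> Tuple[str, Optional[str]]:
    """Return (host address, version) from an snmp-server host line; version is
    None when the keyword is absent (the device default applies)."""
    tokens = line.split()
    host = tokens[3] if tokens[2] == "ipv6" else tokens[2]
    version = None
    if "version" in tokens:
        idx = tokens.index("version")
        if idx + 1 < len(tokens):
            version = tokens[idx + 1]
    return host, version


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for the permissive settings found."""
    findings: List[Tuple[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("snmp-server community "):
            e = parse_community(line)
            name = e["community"]
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append((name, "well-known community string"))
            if e["host"] is None and e["acl"] is None and e["ipv6_acl"] is None:
                findings.append((name, "no host or ACL restriction: any NMS can use it"))
            if e["right"] == "rw" and e["view"] is None:
                findings.append((name, "rw right with no view: write access to all MIB objects"))
        elif line.startswith("snmp-server host "):
            host, version = parse_host(line)
            if version in ("1", "2c"):
                findings.append((host, f"trap host uses SNMPv{version}: community string travels in cleartext"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```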
To configure the MIB views and groups, run the following commands in global configuration mode:
Command Function
Ruijie(config)# snmp-server view view-name oid-tree {include | exclude}    Create a MIB view that includes or excludes the associated MIB objects.
Ruijie(config)# snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [access {[ipv6 ipv6_aclname] [aclnum | aclname]}]    Create a group and associate it with the view.
You can delete a view by using the no snmp-server view view-name command, or delete a subtree from the view by using
the no snmp-server view view-name oid-tree command. You can also delete a group by using the no snmp-server
group groupname {v1 | v2c | v3} command.
For SNMPv3 users, you can specify the security level, authentication algorithm (MD5 or SHA), authentication password,
encryption algorithm (only DES at present) and encryption password.
To configure an SNMP user, run the following command in global configuration mode:
Command Function
Ruijie(config)# snmp-server user username groupname {v1 | v2c | v3 [encrypted] [auth { md5 | sha } auth-password] [priv des56 priv-password]} [access {[ipv6 ipv6_aclname] [aclnum | aclname]}]    Configure the user information.
To remove the specified user, execute the no snmp-server user username groupname {v1 | v2c | v3} command in global
configuration mode.
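The engine ID described earlier and the SNMPv3 user keys configured here are tied together: the auth and priv passwords are never stored as given, but as keys localized to the device's engine ID. The following Python, added here as an example and not Ruijie's code, decodes an engine ID according to RFC 3411 and derives the localized key with the RFC 3414 algorithm; the enterprise numbers and addresses in the samples are constructed, and whether Ruijie's `encrypted` form equals this localized key is not stated by the guide.

```python
"""SNMPv3 engine ID decoding and user-key localization.

Added example, not Ruijie's code.  parse_engine_id() splits an engine ID into
the IANA enterprise number in its first four bytes and the format selected by
the fifth byte, following RFC 3411.  password_to_key() is the RFC 3414
algorithm that turns a user's auth or priv password into the key one engine
stores: the engine ID is hashed into the key, so the same password yields a
different localized key on every device, and two devices sharing an engine ID
would share keys.  Enterprise numbers and addresses in the samples are
constructed.
"""
import hashlib
import ipaddress

# Fifth-octet format codes from RFC 3411; 0 and 6-127 are reserved,
# 128-255 are enterprise-specific.  These three carry fixed-length bodies.
FIXED_LENGTHS = {1: 4, 2: 16, 3: 6}


def _clean(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(":", "").replace(" ", ""))


def parse_engine_id(hexstr: str) -> dict:
    """Decode an engine ID given in hex (colons or spaces between bytes allowed)."""
    raw = _clean(hexstr)
    if not 5 <= len(raw) <= 32:
        raise ValueError("engine ID must be 5 to 32 octets")
    enterprise = int.from_bytes(raw[:4], "big")
    if not raw[0] & 0x80:
        # Bit 7 clear: the older 12-octet layout with a vendor-defined tail.
        return {"layout": "legacy", "enterprise": enterprise, "value": raw[4:].hex()}
    fmt, body = raw[4], raw[5:]
    if fmt in FIXED_LENGTHS and len(body) != FIXED_LENGTHS[fmt]:
        raise ValueError(f"format {fmt} needs {FIXED_LENGTHS[fmt]} octets, got {len(body)}")
    info = {"layout": "rfc3411", "enterprise": enterprise & 0x7FFFFFFF, "format_code": fmt}
    if fmt == 1:
        info["format"], info["value"] = "ipv4", str(ipaddress.IPv4Address(body))
    elif fmt == 2:
        info["format"], info["value"] = "ipv6", str(ipaddress.IPv6Address(body))
    elif fmt == 3:
        info["format"], info["value"] = "mac", body.hex(":")
    elif fmt == 4:
        info["format"], info["value"] = "text", body.decode("ascii", "replace")
    elif fmt == 5:
        info["format"], info["value"] = "octets", body.hex()
    elif fmt >= 128:
        info["format"], info["value"] = "enterprise-specific", body.hex()
    else:
        info["format"], info["value"] = "reserved", body.hex()
    return info


def password_to_key(password: str, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 A.2: hash 1 MiB of the repeated password to get Ku, then
    localize it to one engine as Kul = H(Ku || engineID || Ku).  'md5' and
    'sha' match the keywords of the snmp-server user command."""
    algo = {"sha": "sha1"}.get(algo, algo)
    if algo not in ("md5", "sha1"):
        raise ValueError("authentication algorithm must be md5 or sha")
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    repeats, remainder = divmod(1_048_576, len(pw))
    ku = hashlib.new(algo, pw * repeats + pw[:remainder]).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_key(password: str, engine_hex: str, algo: str = "md5") -> str:
    """Hex of the key an engine with the given ID would store for this password."""
    return password_to_key(password, _clean(engine_hex), algo).hex()


if __name__ == "__main__":
    # Two constructed engine IDs for the same constructed enterprise number 63,
    # one IPv4-based and one MAC-based; the guide's sample password "123"
    # localizes to a different key on each.
    for eid in ("80 00 00 3f 01 c0 a8 03 01", "80 00 00 3f 03 00 11 22 33 44 55"):
        print(parse_engine_id(eid), localized_key("123", eid, "md5"))
```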
To configure the NMS host address that the SNMP Agent proactively sends messages to, execute the following
commands in the global configuration mode:
Command Function
Ruijie(config)# snmp-server host { host-addr | ipv6 ipv6-addr } [ vrf vrfname ] [ traps ] [ version { 1 | 2c | 3 { auth | noauth | priv } } ] community-string [ udp-port port-num ] [ via mgmt-name ] [ notification-type ]    Set the SNMP host address, vrf, community string, message type (or security level in SNMPv3).
The via parameter can take effect only when the oob parameter is configured. The vrf parameter cannot be
used together with the oob parameter.
To configure the SNMP agent parameters, run the following commands in global configuration mode:
Command Function
Ruijie(config)# snmp-server contact text    Configure the contact.
Ruijie(config)# snmp-server location text    Configure the location.
Ruijie(config)# snmp-server chassis-id number    Configure the sequence number.
Ruijie(config)# snmp-server packetsize byte-count    Set the maximum packet size of the SNMP Agent.
Ruijie(config)# no snmp-server    Shield the SNMP agent service.
Ruijie(config)# no enable service snmp-agent    Disable the SNMP agent service.
Configuring the SNMP Agent to Send the Trap Message to the NMS Initiatively
A TRAP message is sent by the SNMP Agent to the NMS unsolicited, to report critical and important events. By default,
the SNMP Agent is not allowed to send TRAP messages. To enable it, run the following command in global configuration
mode:
Command Function
Ruijie(config)# snmp-server enable traps [type] [option]    Allow the SNMP Agent to send TRAP messages proactively.
Ruijie(config)# no snmp-server enable traps [type] [option]    Forbid the SNMP Agent to send TRAP messages proactively.
Command Function
Ruijie(config)# interface interface-id    Enter interface configuration mode.
Ruijie(config-if)# [no] snmp trap link-status    Enable or disable sending the LinkTrap message of the interface.
Command Function
Ruijie(config)# snmp-server trap-source interface    Specify the source port sending Trap messages.
Ruijie(config)# snmp-server queue-length length    Specify the queue length of each Trap message.
Ruijie(config)# snmp-server trap-timeout seconds    Specify the interval of sending Trap messages.
To configure the network element coding information of the device, execute the following command:
Command Function
Ruijie(config)# snmp-server trap-source interface    Configure the network element coding information of the device. text: The text length ranges from 1 to 255. The text is case-sensitive and may contain spaces.
Ruijie(config)# no snmp-server trap-source    Remove the network element coding information.
The following example configures the network element coding text to FZ_CDMA_MSC1.
To configure the SNMP traps with private fields, execute the following command:
Command Function
Ruijie(config)# snmp-server trap-format private    Configure the SNMP traps with private fields.
Ruijie(config)# no snmp-server trap-format private    Restore the default trap format.
The following example configures the SNMP trap format with the private field.
Ruijie(config)# snmp-server trap-format private
To specify the UDP port on which SNMP packets are received, execute the following command:
Command Function
Ruijie(config)# snmp-server udp port port-number    Specify a port to receive SNMP packets.
Ruijie(config)# no snmp-server udp port    Restore the default port number.
The following example specifies port 15000 to receive the SNMP packets.
To configure the resend times for inform requests and the inform request timeout, execute the following command:
Command Function
Ruijie(config)# snmp-server inform [ retries retry-time | timeout time ]    Configure the resend times for inform requests and the inform request timeout.
Ruijie(config)# no snmp-server inform    Restore the default resend times.
Monitoring
snmpOutGetResponses
snmpOutTraps
snmpEnableAuthenTraps
snmpSilentDrops
snmpProxyDrops
entPhysicalEntry
entPhysicalEntry.entPhysicalIndex
entPhysicalEntry.entPhysicalDescr
entPhysicalEntry.entPhysicalVendorType
entPhysicalEntry.entPhysicalContainedIn
entPhysicalEntry.entPhysicalClass
entPhysicalEntry.entPhysicalParentRelPos
entPhysicalEntry.entPhysicalName
entPhysicalEntry.entPhysicalHardwareRev
entPhysicalEntry.entPhysicalFirmwareRev
entPhysicalEntry.entPhysicalSoftwareRev
entPhysicalEntry.entPhysicalSerialNum
entPhysicalEntry.entPhysicalMfgName
entPhysicalEntry.entPhysicalModelName
entPhysicalEntry.entPhysicalAlias
entPhysicalEntry.entPhysicalAssetID
entPhysicalEntry.entPhysicalIsFRU
entPhysicalContainsEntry
entPhysicalContainsEntry.entPhysicalChildIndex
entLastChangeTime
securityModel: v3
securityLevel:authPriv
readview: default
writeview: default
notifyview:
groupname: public
securityModel: v1
securityLevel:noAuthNoPriv
readview: default
writeview: default
notifyview:
groupname: public
securityModel: v2c
securityLevel:noAuthNoPriv
readview: default
writeview: default
notifyview:
To view the view configured on the current SNMP agent, run the show snmp view command in the privileged EXEC
mode:
Networking Topology
Networking Requirements
1) The Network Management Station (NMS) manages the network device (Agent) using the community-based
authentication model, and the network device controls the operation permission (read or write) of the community
on the specified MIB objects. For example, community "user1" can only read and write objects under the System
(1.3.6.1.2.1.1) node.
2) The network device can only be managed by the NMS with a specific IP address (i.e., 192.168.3.2/24).
3) The network device can actively send messages to the NMS.
4) The NMS can acquire the basic system information of the device, such as contact, location and ID.
Configuration Tips
1) Creating a MIB view and associating it with an authentication name (Community) and access permission (Read or
Write) meets the first requirement.
2) While configuring the authentication name and access permission, associate an ACL or specify the IP address of the
administrator using this authentication name to meet the second requirement (this example associates an ACL).
3) Configure the address of the SNMP host and enable the Agent to actively send Traps.
4) Configure the parameters of the SNMP agent.
Configuration Steps
! Create a MIB view named "v1", which contains the associated MIB object (1.3.6.1.2.1.1).
! Configure the community "user1", associate it with read and write permission for the MIB view "v1", and associate
the ACL "a1".
! Configure the SNMP host address 192.168.3.2, message format Version 2c and authentication name "user1".
Verification
Ruijie#show running-config
!
ip access-list standard a1
10 permit host 192.168.3.2
!
interface GigabitEthernet 0/1
no ip proxy-arp
ip address 192.168.3.1 255.255.255.0
!
snmp-server view v1 1.3.6.1.2.1.1 include
snmp-server location fuzhou
snmp-server host 192.168.3.2 traps version 2c user1
snmp-server enable traps
snmp-server contact ruijie.com.cn
snmp-server community user1 view v1 rw a1
snmp-server chassis-id 1234567890
Step 3: Install MIB-Browser. Type in device IP of "192.168.3.1" in the field of IP Address; type in "user1" in the field of
Community Name; click "Add Item" button and select the specific management unit for querying MIB, such as the System
shown below. Click Start button to implement MIB query of network device. The query result is shown in the bottommost
box:
Networking Requirements
1) The Network Management Station manages the network device (Agent) using the user-based security model. For
example, the user name is "user1", the authentication mode is MD5, the authentication key is "123", the encryption
algorithm is DES56, and the encryption key is "321".
2) The network device controls the user's permission to access MIB objects. For example, "user1" can read the MIB
objects under the System (1.3.6.1.2.1.1) node, and can only write the MIB object under the SysContact (1.3.6.1.2.1.1.4.0) node.
3) The network device can actively send authenticated and encrypted messages to the network management station.
Configuration Tips
1) Create a MIB view and specify the included or excluded MIB objects.
2) Create an SNMP group with version "v3"; specify the security level of this group, and configure the read and write
permission of the views associated with this group.
3) Create a user name and associate it with the corresponding SNMP group name in order to further configure the user's
permission to access MIB objects; meanwhile, configure the version number "v3" and the corresponding authentication
mode, authentication key, encryption algorithm and encryption key.
4) Configure the address of the SNMP host, set the version number to "3" and configure the security level to be
adopted.
Configuration Steps
! Create a MIB view of "view1" and include the MIB object of 1.3.6.1.2.1.1; further create a MIB view of "view2" and include
the MIB object of 1.3.6.1.2.1.1.4.0.
! Create a group named "g1" and select the version number of "v3"; configure security level to "priv" to read "view1" and
write "view2".
! Create a user named "user1", which belongs to group "g1"; select version number of "v3" and configure authentication
mode to "md5", authentication key to "123", encryption mode to "DES56" and encryption key to "321".
! Configure the host address as 192.168.3.2 and select version number of "3"; configure security level to "priv" and
associate the corresponding user name of "user1".
Verification
Ruijie#show running-config
!
interface GigabitEthernet 0/1
no ip proxy-arp
ip address 192.168.3.1 255.255.255.0
!
snmp-server view view1 1.3.6.1.2.1.1 include
snmp-server view view2 1.3.6.1.2.1.1.4.0 include
snmp-server user user1 g1 v3 encrypted auth md5 7EBD6A1287D3548E4E52CF8349CBC93D priv des56 D5CEC4884360373ABBF30AB170E42D03
snmp-server group g1 v3 priv read view1 write view2
snmp-server host 192.168.3.2 traps version 3 priv user1
snmp-server enable traps
default(include) 1.3.6.1
Step 6: Install MIB-Browser. Type in device IP of "192.168.3.1" in the field of IP Address; type in "user1" in the field of
UserName; select "AuthPriv" from Security Level; type in "123" in the field of AuthPassWord; select "MD5" from
AuthProtocol; type in "321" in the field of PrivPassWord. Click "Add Item" button and select the specific management unit
for querying MIB, such as the System shown below. Click Start button to implement MIB query of network device. The
query result is shown in the bottommost box:
Configuration Guide Configuring HTTP Service
Understanding HTTP
Overview
The Hypertext Transfer Protocol (HTTP) is used to transmit Web page information over the Internet. HTTP resides at the
application layer of the TCP/IP protocol stack and uses connection-oriented TCP at the transport layer.
Hypertext Transfer Protocol Secure (HTTPS) is HTTP running over the Secure Sockets Layer (SSL). HTTPS sets up a
secure channel over an insecure network so that information is hard to intercept and, to some extent, to defend against
man-in-the-middle attacks. HTTPS is now widely used by security-sensitive communication services, such as electronic
payment.
Basic Concept
HTTP Service
The HTTP service uses HTTP to transmit Web page information over the Internet. HTTP/1.0 is the most popular HTTP
version in the industry. HTTP/1.0 uses the short connection mode to simplify connection management, because a Web
server may be accessed tens of thousands or even a million times each day. When it receives a connection request, the
server sets up a TCP connection and releases it after the request is completed. The server does not record or trace
previous requests. Although HTTP/1.0 simplifies connection management, it introduces certain performance defects.
For example, a Web page may contain the URLs of multiple images, so the browser sends multiple requests during the
access. For each request the server sets up an independent connection, completely isolated from the other connections.
Setting up and releasing a connection consumes plenty of resources and therefore has a severe impact on the
performance of the client and the server, as shown in Figure 0-1.
HTTP/1.1, however, has solved this defect. HTTP/1.1 supports a persistent connection, through which multiple requests
and responses can be transmitted. The client can send the next request before the previous request is completed, thereby
reducing network delay and enhancing performance, as shown in Figure 0-2.
The protocol version used by a device depends on the specific Web browser.
HTTPS Service
HTTPS adds the security layer of SSL to HTTP. For HTTPS to run, the server must hold a Public Key Infrastructure (PKI)
certificate; the client does not need one. SSL provides the following services:
Authenticating users and servers to ensure that data is sent to the correct clients and servers
Keeping data integrity to ensure that data is not changed during transmission
The HTTP upgrade service includes local and remote HTTP upgrade services.
During local upgrade, the device works as an HTTP server. Users log in to the device through the Web browser and
upload the upgrade files to the device so as to upgrade files on the device.
During remote upgrade, the device works as a client connected to a remote HTTP server. It obtains the upgrade files
from the server so as to upgrade local files.
Working Principle
HTTP Working Process
HTTP is used for Web management: users log in to the device through the Web interface for configuration and
management. Web management involves a Web client and a Web server, so the HTTP service adopts the client/server
mode. The HTTP client is embedded in the Web browser of the Web management client; it sends HTTP request packets
and receives and handles HTTP response packets. The Web server (HTTP server) is embedded in the device. The client
and the server exchange information according to the following process:
The client sets up a TCP connection with the server. The default HTTP port number is 80, and the default HTTPS
port number is 443.
After processing the request, the server sends a response to the client.
After processing a request, the HTTP service directly closes the TCP connection between the client and the server;
while HTTPS can handle multiple requests until the client sends a TCP connection closure request or until the
connection is closed due to server timeout.
The device connects to the server. In this process, the user-configured server address is preferentially used. If the
connection fails, the server address in the local upgrade record file is used to establish the connection.
The device sends the version numbers of local programs to the server.
The device connects to file servers according to the list and downloads the upgrade files as necessary.
The device can connect to different file servers according to the different files to be downloaded.
Protocol Specification
RFC1945 - Hypertext Transfer Protocol -- HTTP/1.0
Typical Application
HTTP Application Service
Currently, the Web NMS is still a major method for users to maintain and manage devices. Ruijie network devices also
provide the Web management function. When HTTP is enabled, users can log in to the Web management interface after
entering "http://+device IP address" on the PC browser and passing the authentication. Through the Web interface, users
can perform various operations, such as monitoring device states, configuring devices, uploading files, and downloading
files.
The common HTTP-based service is insecure, since it carries information in cleartext. For security-sensitive
communications, Ruijie devices also provide the more secure HTTPS service, which encrypts the information transmitted
between users and the device so that third parties cannot intercept or modify it. Users can perform Web management
after entering "https://+device IP address" on the Web browser and passing the authentication.
Figure 0-4 illustrates a typical Web management scenario. Users can remotely access and manage the device through
the Internet or log in to the Web server through a LAN to perform configuration management for the device. Users can
enable either HTTPS or HTTP, or both as necessary on the device. Users can also specify HTTP/1.0 or HTTP/1.1 on the
Web browser for accessing the HTTP service of the device.
The HTTP Remote Upgrade Service means that the device, acting as a client, connects to a remote HTTP server and
obtains files from it to upgrade local files. The default domain name of the Ruijie Web server is "rgos.ruijie.com.cn".
Figure 0-5 shows a typical application scenario.
Configuring HTTP
Default Configuration
Prerequisites
Before configuring the domain name of the HTTP upgrade server, enable the DNS function on the device and configure
the address of the DNS server.
Configuration Steps
Use the following commands to enable the HTTP service in configuration mode.
Command Function
Ruijie# configure terminal Enters global configuration mode.
Ruijie(config)#enable service web-server http (Mandatory) Enables the HTTP service.
Ruijie(config)#enable service web-server https (Mandatory) Enables the HTTPS service.
Ruijie(config)#enable service web-server [all] (Mandatory) Enables both HTTP and HTTPS services.
Configuration example:
The following example enables both HTTP and HTTPS services on a Ruijie device.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# webmaster level privilege-level username name password { password | [ 0 | 7 ] encrypted-password }    (Mandatory) Configures the login authentication mode, which is not configured by default.
Usernames and passwords come with three permission levels, each of which includes at most 10
usernames and passwords.
Configuration example:
The following example uses the username admin and plain-text password ruijie at level 0 to perform Web authentication
on a Ruijie device.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# http port port-number    (Optional) Configures the HTTP port number, which is 80 by default.
Configuration example:
The following example configures the HTTP port number as 8080 on a Ruijie device.
Command Function
Ruijie# configure terminal    Enters global configuration mode.
Ruijie(config)# http secure-port port-number    (Optional) Configures the HTTPS port number, which is 443 by default.
Configuration example:
The following example configures the HTTPS port number as 4430 on a Ruijie device.
Command Function
Ruijie# upgrade web uri Upgrades the Web package in local file system.
Please use the copy command to copy the Web package into the file system before you use this command
to upgrade the Web package.
Configuration example:
The following example copies a Web package into the file system and upgrades the package.
Command Function
Configuration example:
The following example downloads a Web package from the TFTP server and upgrades the package automatically.
Configuration example:
The following example displays the HTTP configuration information of a Ruijie device.
Configuration Examples
Network administrators want to manage a device through the Web, and therefore log in to the switch through the Web
browser to configure it.
Ensure that the device can be accessed from the Web browser through HTTP or HTTPS so as to enhance security.
Change the HTTP port to reduce attacks on the HTTP service from unauthorized users.
Networking Topology
Configuration Tips
The old version Web management system adopts ip http authentication to configure authentication mode. When be
upgraded to the new version Smart Web management system, the configuration ip http authentication, will be
automatically removed, for the Smart Web management system adopts webmaster level to configure authentication
mode.
Enable HTTP and HTTPS at the same time to meet the customer's security requirements.
Configure the HTTP port number as 8080 and the HTTPS port number as 4430.
When the device is upgraded from the old Web management system to the new Smart Web management system, the accounts of the old Web system become invalid. Smart Web provides two default accounts (admin/admin and guest/guest). Use the webmaster level command to change the default accounts or add other accounts; change the default passwords before the Web service is reachable from the network, since these credentials are published and are the first thing tried against an exposed interface. After the upgrade to Smart Web, the ip http authentication configuration is removed automatically.
Configuration Steps
Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# webmaster level 0 username admin password ruijie
Ruijie(config)# enable service web-server
Ruijie(config)# http port 8080
Ruijie(config)# http secure-port 4430
Verification
An enterprise that has purchased a Ruijie device wants to use the HTTP upgrade function to upgrade files.
Ensure that the device can periodically and remotely obtain information about the files available for upgrade from a Ruijie server, download the latest files from the Ruijie server, and upgrade itself.
Networking Topology
Configuration Tips
Configure the device to remotely obtain information about the latest files at 2:00 am each day.
Configuration Steps
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# ip domain-lookup    // Enable the DNS function on the device.
Ruijie(config)# ip name-server 192.168.5.134    // Configure the IP address of the DNS server.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# http update server rgos.ruijie.com.cn
34) Obtain information about the files available for upgrade from the remote server.
Ruijie# http check-version
app name:web
sn version filename
-- ------------------- -------------------------
0 1.2.1(82381) web1.2.1(145680).upd
1 1.2.1(82380) web1.2.1(145680).upd
2 1.2.1(82379) web1.2.1(145680).upd
3 1.2.1(82378) web1.2.1(145680).upd
Verification
Users hope to run the latest Web package, which is obtained from an official Website, on a device.
Networking Topology
Configuration Tips
Connect the device to a local PC whose IP address is 10.10.10.13, and configure the device with the IP address 10.10.10.131 in the same network segment.
Configuration Steps
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vlan 1
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 1
Ruijie(config-VLAN 1)#ip address 10.10.10.131 255.255.255.0
36) Enable the TFTP server function on the PC and run the copy tftp command on the device to download the Web package.
Verification
On the PC, log in to the Web management interface again to check whether the latest Web interface is displayed.
Configuration Guide Configuring Syslog
Configuring Syslog
Overview
During the operation of a device, various state changes occur (such as a link going up or down) and various events happen (such as receiving abnormal messages and handling exceptions). The product provides a mechanism that generates messages of a fixed format (log messages) when a state change or event occurs. These messages can be displayed in the relevant windows (console, VTY), recorded on the relevant media (memory buffer, flash), or sent to a group of log servers on the network so that administrators can analyze and locate problems. To make log messages easier to read and manage, they can be labeled with timestamps and sequence numbers, and they are graded according to priority.
Command Function
Ruijie(config-if)# ip address dhcp Obtain an IP address through DHCP
Field    Description
<priority>    Priority, where priority value = device value * 8 + severity. The device value is the syslog facility set with logging facility; a receiving server recovers both parts as facility = priority / 8 and severity = priority % 8.
seq no    Sequence number of the system, a 6-digit integer. You can disable the output of this field with the no service sequence-numbers command.
timestamp    Timestamp, the local time by default. Format: Mmm dd hh:mm:ss, where Mmm is the English abbreviation of the month: Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
sysname    System name. You can disable the output of the system name with the no service sysname command.
ModuleName    Abbreviation of the module name.
severity    Severity level of the log.
MNEMONIC    Short identifier of the event.
description    Message content.
For example:
The priority field is not attached to log messages printed in the user window; it appears only in log messages sent to the syslog server.
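The following Python script is an added example, not Ruijie code, that parses messages laid out as in the field table above, recovers the facility (device value) and severity from the priority field, and flags lines whose embedded severity disagrees with the PRI value. The delimiters between fields (a colon after the sequence number and after the timestamp, a leading "*" on terminal copies) and the sample lines are assumptions constructed for the example; adjust LINE_RE to what your devices actually emit.

```python
"""Parse syslog lines in the field layout above and sanity-check them.

Added example (not Ruijie code). Field order follows the table: priority,
sequence number, timestamp, system name, %Module-severity-MNEMONIC, description.
The delimiters (a colon after the sequence number and after the timestamp, a
leading '*' on terminal output) and the sample lines are assumptions; change
LINE_RE to match what your devices actually emit.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"          # <priority>: present only on server-bound copies
    r"\*?"                               # terminal output may carry a leading '*'
    r"(?:(?P<seq>\d{5,6}):\s*)?"         # optional sequence number (5 or 6 digits)
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s*"  # Mmm dd hh:mm:ss[.msec]
    r"(?:(?P<sysname>[^\s%]+)\s+)?"      # optional system name (service sysname)
    r"%(?P<module>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<desc>.*)$"
)

MAX_PRI = 23 * 8 + 7  # highest legal value: facility local7, severity debug


@dataclass
class LogRecord:
    facility: Optional[int]   # priority // 8 (the "device value"), None when PRI is absent
    severity: Optional[int]   # priority % 8, None when PRI is absent
    seq: Optional[int]
    timestamp: str
    sysname: Optional[str]
    module: str
    sev_field: int            # severity as written in %MODULE-sev-MNEMONIC
    mnemonic: str
    description: str


def parse_line(line: str) -> LogRecord:
    """Split one line into its fields and decode PRI into facility and severity."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised log line: %r" % line)
    facility = severity = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > MAX_PRI:
            raise ValueError("PRI %d out of range (max %d)" % (pri, MAX_PRI))
        facility, severity = divmod(pri, 8)   # inverse of priority = facility*8 + severity
    return LogRecord(
        facility=facility,
        severity=severity,
        seq=int(m.group("seq")) if m.group("seq") else None,
        timestamp=m.group("ts"),
        sysname=m.group("sysname"),
        module=m.group("module"),
        sev_field=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        description=m.group("desc"),
    )


def pri_consistent(rec: LogRecord) -> bool:
    """A server-bound line should carry the same severity in PRI and in the body.

    A mismatch usually means a relay rewrote PRI or the line was injected by
    something other than the device; treat such lines with suspicion."""
    return rec.severity is None or rec.severity == rec.sev_field


def parse_all(lines: List[str]) -> List[LogRecord]:
    return [parse_line(line) for line in lines]


# Constructed sample input, not captured from a real device. The first two lines
# imitate what a syslog server would receive (facility local7 = 23, so
# 23*8+5 = 189); the third imitates the terminal copy shown later on this page.
SAMPLE_LINES = [
    "<189>000123: Aug 20 10:05:19: core-sw %LINK-5-CHANGED: Interface GigabitEthernet 0/1, changed state to up",
    "<190>000124: Aug 20 10:05:19: core-sw %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/1, changed state to up",
    "*Aug 20 10:05:19: %LINK-5-CHANGED: Interface GigabitEthernet 0/1, changed state to up",
]

if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        flag = "" if pri_consistent(rec) else "  <-- PRI severity disagrees with body"
        print(rec.facility, rec.severity, rec.module, rec.mnemonic, rec.description[:40], flag)
```

The second constructed line carries PRI 190 (severity 6) while its body says level 5; a collector that only trusts PRI would file it under the wrong severity, which is why the check compares both.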
Log Configuration
Log Switch
The log switch is on by default. If it is turned off, the device neither prints log information in the user window, nor sends it to the syslog server, nor records it on the relevant media (memory buffer, flash).
To turn on or off the log switch, run the following command in the global configuration mode:
Command Function
Ruijie(config)# logging on    Turn on the log switch
Ruijie(config)# no logging on    Turn off the log switch
Do not turn off the log switch in the general case: a device that logs nothing leaves no trail for an incident investigation. If too much information is printed, reduce it by setting different display levels for the log destinations.
To configure the destinations that receive logs, run the following commands in global configuration mode or privileged mode:
Command    Function
Ruijie(config)# logging buffered [ buffer-size ] [ level ]    Record logs in the memory buffer
Ruijie# terminal monitor    Allow logs to be displayed on the VTY window
Ruijie(config)# logging server host    Send log information to the syslog server on the network
Ruijie(config)# logging file { flash:filename | sata0:filename | usb0:filename | usb1:filename | sd0:filename } [ max-file-size ] [ level ]    Save log messages in a log file, which can be on flash, expanded flash, a USB device or an SD card. A file is created with the specified name for saving logs. The file grows with the log volume, but not beyond max-file-size.
logging buffered records log information in the memory buffer. The buffer is used as a ring: when it is full, the oldest information is overwritten. To show the log information in the memory buffer, run show logging in privileged mode; to clear it, run clear logging in privileged mode.
terminal monitor allows log information to be displayed on the current VTY (such as a Telnet window).
logging server specifies the address of the syslog server that receives the log information. Up to 5 syslog servers can be configured, and log information is sent to all of them at the same time. The logging host form of the command achieves the same purpose.
To send log information to a syslog server, the timestamp switch or the sequence number switch must be turned on. Otherwise, log information is not sent to the syslog server.
logging file flash: records log information in flash. The file name must not carry an extension indicating the file type: the extension of the log file is fixed as txt, and any file name with an extension is refused. The more flash:filename command shows the contents of the log file in flash.
Some devices have expanded flash. If the device has expanded flash, the log information is recorded there; otherwise it is recorded in the serial flash.
Command    Function
Ruijie(config)# service timestamps [ message-type [ uptime | datetime [ msec ] [ year ] ] ]    Enable the timestamp in log information
Ruijie(config)# no service timestamps [ message-type ]    Disable the timestamp in log information
Timestamps are available in two formats: device uptime and device datetime. Choose the type appropriately; to correlate events across devices on a syslog server, use datetime from a synchronized clock.
Message type: log or debug. The log type covers log information with severity levels 0-6; the debug type covers severity level 7.
If the device has no RTC, the configured time is invalid and the device automatically uses the startup time as the timestamp for log information. If the device has an RTC, the device time is used as the timestamp by default.
Command    Function
Ruijie(config)# no service sysname    Remove the system name from log messages
Ruijie(config)# service sysname    Add the system name to log messages
Command    Function
Ruijie(config)# no logging count    Disable the log statistics function and delete the statistics
Ruijie(config)# logging count    Enable the log statistics function
Command    Function
Ruijie(config)# no service sequence-numbers    Remove the sequence number from log messages
Ruijie(config)# service sequence-numbers    Add the sequence number to log messages
The log sequence number is a long integer that increases each time a log is generated. Because it is printed as a fixed-width decimal field, the printed value returns to 00000 after 10000 is reached, and the internal counter wraps when it reaches 2^32. A gap in the sequence numbers received by the syslog server therefore indicates lost messages only within one such cycle.
With input synchronization configured, if a log is printed while the user is typing, the user's input is displayed again after the log so that the input remains intact and can be continued. In the example below, the state of interface 0/1 changes after the user types "vlan" and the log is printed; after printing, the log module displays the "vlan" typed by the user again:
Ruijie(config)#vlan
*Aug 20 10:05:19: %LINK-5-CHANGED: Interface GigabitEthernet 0/1, changed state to up
*Aug 20 10:05:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/1, changed state to up
Ruijie(config)#vlan
Use the following commands in line configuration mode to configure synchronization between user input and log output:
Command    Function
Ruijie(config-line)# logging synchronous    Set synchronization between user input and log output
Ruijie(config-line)# no logging synchronous    Remove synchronization between user input and log output
Command    Function
Ruijie(config)# no logging rate-limit    Remove the log rate limit setting
To configure the display level of log information, run the following commands in global configuration mode:
Command    Function
Ruijie(config)# logging console [ level ]    Set the level of log information allowed to be displayed on the console
Ruijie(config)# logging monitor [ level ]    Set the level of log information allowed to be displayed on the VTY window (such as a Telnet window)
Ruijie(config)# logging buffered [ buffer-size ] [ level ]    Set the level of log information allowed to be recorded in the memory buffer
Ruijie(config)# logging trap [ level ]    Set the level of log information allowed to be sent to the syslog server
The log information of our products is classified into 8 levels (the standard syslog severities, 0 to 7).
A lower value indicates a higher level; that is, level 0 is the highest level.
When a display level is set for a destination, log information whose level value is less than or equal to the set value is delivered to it. For example, after logging console 6 is executed, all log information at level 6 or lower is displayed on the console.
By default, log information displayed on the console is at level 7.
By default, log information displayed on the VTY window is at level 7.
By default, log information sent to the syslog server is at level 6.
By default, log information recorded in the memory buffer is at level 7.
By default, log information recorded in the expanded flash is at level 6.
The privileged command show logging config shows the level of log information allowed for each destination.
This command sends logs to different destinations based on module and severity.
The following example sends logs of the SYS module whose level is not less than 5 to the console, and logs of the SYS module below level 3 to the buffer:
Ruijie(config)# logging policy module SYS not-lesser-than 5 direction console
Ruijie(config)# logging policy module SYS 3 direction buffer
Command Function
logging server [ oob ] { ip-address | ipv6 ipv6-address } [ via mgmt-name ] [ udp-port port ] [ vrf vrf-name ]    Send the logs to the specified syslog server, in global configuration mode.
    oob: Specifies out-of-band communication with the logging server (logs are sent through the MGMT port).
    ip-address: Specifies the IPv4 address of the host that receives log information.
    ipv6-address: Specifies the IPv6 address of the host that receives the logs.
    via mgmt-name: Specifies the MGMT port for the oob option.
    udp-port port: Specifies the UDP port number of the specified host (514 by default).
    vrf vrf-name: Specifies the VRF instance (virtual routing and forwarding table) through which the log host is reached.
no logging server [ oob ] { ip-address [ vrf vrf-name ] | ipv6 ipv6-address } [ via mgmt-name ]    Remove the setting. The parameters have the same meaning as above.
no logging server { ip-address [ vrf vrf-name ] | ipv6 ipv6-address } [ via mgmt-name ] udp-port    Restore the default port number. The parameters have the same meaning as above.
This command specifies a syslog server to receive the logs of the device. Up to 5 syslog servers can be configured, and log information is sent to all of them at the same time.
The via parameter can be specified only when the oob option is used; in that case the vrf parameter cannot be set.
Syslog over UDP is neither authenticated nor encrypted: anyone on the path can read or spoof messages. Send logs through the management port or a dedicated VRF where possible, and configure the server to accept messages only from the device source addresses set with logging source.
To configure the log information device value (the syslog facility), run the following command in global configuration mode:
Command    Function
Ruijie(config)# logging facility facility-type    Configure the log information device value (facility)
Ruijie(config)# no logging facility    Restore the default device value
The source IP address or the source interface of log messages can also be set directly.
To configure the source address of log messages, run the following commands in global configuration mode:
Command    Function
Ruijie(config)# logging source interface interface-type interface-number    Configure the source interface of log information
Ruijie(config)# logging source { ip ip-address | ipv6 ipv6-address }    Configure the source IP address of log messages
If a source IP address is configured for log packets but that address is not configured on any interface of the device, log packets are sent with a nonexistent source address. Avoid this configuration in practice: the server cannot attribute such packets to the device, and a source filter on the server drops them. A fixed source address (for example, a loopback interface) is what lets the server identify the device reliably.
Command    Function
logging statistic enable    Enable periodic logging, in global configuration mode
no logging statistic enable    Restore the default setting
This command sends performance statistics at a fixed interval so that the server can monitor system performance.
Command    Function
logging statistic mnemonic mnemonic interval minutes    Configure the interval at which the logs are sent, in global configuration mode.
    mnemonic: Sets the mnemonic that identifies the object.
    minutes: Sets the interval, in minutes, at which logs are sent.
no logging statistic mnemonic mnemonic    Restore the default setting
The available interval settings are 0, 15, 30, 60 and 120; 0 disables the function.
The following example sets the interval at which logs are sent to 30 minutes.
Command    Function
logging statistic terminal    Enable periodic logs to be sent to the console and the remote terminal, in global configuration mode
no logging statistic terminal    Restore the default setting
The following example enables periodic logs to be sent to the console and the remote terminal.
Command    Function
service log-format rfc5424    Enable the RFC 5424 format, in global configuration mode
no service log-format rfc5424    Restore the default setting (RFC 3164 format)
After the RFC 5424 format is enabled, the service sequence-numbers, service sysname, service timestamps, service private-syslog and service standard-syslog commands become invalid and hidden.
After switching back to the RFC 3164 format, the logging delay-send, logging policy and logging statistic commands become invalid and hidden.
After the log format is switched, the output of the show logging and show logging config commands changes accordingly, and any parser on the collecting server must be updated with it.
Command    Function
Ruijie(config)# logging userinfo    Log user login and logoff events
Ruijie(config)# logging userinfo command-log    Send a log when a configuration command is executed
Enable both on devices that forward logs to a server: together they give an investigator a record of who logged in and what was changed.
Log Monitoring
To monitor log information, run the following commands in privileged mode:
Command    Function
Ruijie# show logging    Display the log messages in the memory buffer and the log statistics
Ruijie# show logging count    Display the log statistics of every module
Ruijie# show logging config    Display the log configuration and statistics
Ruijie# show logging reverse    Display the log configuration, the statistics and the log messages in the memory buffer, in reverse order
Ruijie# clear logging    Clear the log messages in the memory buffer
The timestamp format in the output of show logging count is the format of the most recent log output.
Command    Function
Ruijie(config)# logging filter direction { all | buffer | file | server | terminal }    Filter the log messages destined to a certain direction. Use the no form of this command to restore the default; by default, log messages destined to all directions are filtered.
    all: Log messages destined to all directions are filtered, including console, VTY terminal, log buffer, log file and log server.
    buffer: Log messages destined to the log buffer are filtered, including the log messages displayed by the show logging config command.
    file: Log messages destined to the log file are filtered.
    server: Log messages destined to the log server are filtered.
    terminal: Log messages destined to the console and the VTY terminal (including Telnet and SSH) are filtered.
Ruijie(config)# logging filter type { contains-only | filter-only }    Configure the filter type of log messages. Use the no form of this command to restore the default; the default filter type is filter-only.
    contains-only: Only log messages containing the key word of the filter rule are printed.
    filter-only: Log messages containing the key word of the filter rule are dropped.
Ruijie(config)# logging filter rule { exact-match module module-name mnemonic mnemonic-name level level | single-match { level level | mnemonic mnemonic-name | module module-name } }    Configure the filter rule of log messages. No filter rule is configured by default.
    exact-match: Exact-match filter rule; all three of the following parameters must be given.
    single-match: Single-match filter rule; one of the following three parameters is given.
    module module-name: Module name.
    mnemonic mnemonic-name: Mnemonic name.
    level level: Log level.
By default, log messages destined to all directions are filtered, including console, VTY terminal, log buffer, log file and log server. To filter only the log messages destined to a single direction, the terminal for instance, configure the terminal parameter.
When too many log messages are printed, the terminal screen keeps refreshing. If you are not interested in these log messages, use the filter-only filter type to drop them.
If you are interested in certain log messages, use the contains-only filter type to print only the log messages containing the key word of the filter rule, so as to monitor whether certain events happen.
The contains-only and filter-only filter types cannot be configured at the same time.
If you configure the filter direction and the filter type without configuring a filter rule, log messages are not filtered.
To filter one specific log message, use the exact-match filter rule and fill in all three parameters: module name, mnemonic name and log level.
To filter a whole class of log messages, use the single-match filter rule and fill in one of the three parameters: module name, mnemonic name or log level.
When configured with the same module name, mnemonic name or log level, the single-match filter rule has higher priority than the exact-match filter rule.
Filtering with filter-only in the server or buffer direction discards evidence permanently. If the goal is only a quieter terminal, restrict the direction to terminal and leave the server, file and buffer directions complete.
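To make the interaction between the filter settings and the per-destination display levels concrete, the following Python model is an added example, not Ruijie code. It reproduces the rules stated above (filter direction, filter type, exact-match versus single-match, no rule means no filtering, single-match evaluated before exact-match, and "at or below the set level" meaning a numerically smaller or equal severity). The destination names, the Rule and FilterConfig classes and the sample messages are inventions of this example.

```python
"""Model the logging filter and per-destination level logic described above.

Added example, not Ruijie code. Destination names, the Rule/FilterConfig
classes and the sample messages are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

DESTINATIONS = {"console", "vty", "buffer", "file", "server"}

# Meaning of the 'logging filter direction' keywords in terms of destinations.
DIRECTION_KEYWORDS = {
    "all": DESTINATIONS,
    "terminal": {"console", "vty"},     # console plus VTY (Telnet/SSH)
    "buffer": {"buffer"},
    "file": {"file"},
    "server": {"server"},
}

# Default display levels from the text: console 7, VTY 7, server 6, buffer 7,
# expanded flash (file) 6.
DEFAULT_LEVELS = {"console": 7, "vty": 7, "server": 6, "buffer": 7, "file": 6}


@dataclass(frozen=True)
class Rule:
    kind: str                       # "exact-match" or "single-match"
    module: Optional[str] = None
    mnemonic: Optional[str] = None
    level: Optional[int] = None

    def matches(self, module: str, level: int, mnemonic: str) -> bool:
        if self.kind == "exact-match":   # all three parameters must agree
            return (self.module, self.mnemonic, self.level) == (module, mnemonic, level)
        # single-match: exactly one parameter is set; compare only that one
        if self.module is not None:
            return self.module == module
        if self.mnemonic is not None:
            return self.mnemonic == mnemonic
        return self.level == level


@dataclass
class FilterConfig:
    direction: str = "all"              # logging filter direction ...
    filter_type: str = "filter-only"    # logging filter type ...
    rules: List[Rule] = field(default_factory=list)


def passes_level(level: int, dest: str, thresholds=DEFAULT_LEVELS) -> bool:
    """'At or below the set level': numerically <= threshold (0 is most severe)."""
    return level <= thresholds[dest]


def passes_filter(module: str, level: int, mnemonic: str, dest: str, cfg: FilterConfig) -> bool:
    if not cfg.rules:
        return True        # direction/type without a rule filters nothing
    if dest not in DIRECTION_KEYWORDS[cfg.direction]:
        return True        # the filter applies only to the selected direction(s)
    # single-match rules take priority over exact-match rules, so test them first;
    # with one global filter type the verdict is the same whichever rule matched.
    ordered = sorted(cfg.rules, key=lambda r: r.kind != "single-match")
    matched = any(r.matches(module, level, mnemonic) for r in ordered)
    if cfg.filter_type == "filter-only":
        return not matched     # matching messages are dropped
    return matched             # contains-only: only matching messages are printed


def delivered_to(module: str, level: int, mnemonic: str, cfg: FilterConfig,
                 thresholds=DEFAULT_LEVELS) -> Set[str]:
    """Destinations that would actually receive the message."""
    return {
        d for d in DESTINATIONS
        if passes_level(level, d, thresholds) and passes_filter(module, level, mnemonic, d, cfg)
    }


if __name__ == "__main__":
    # Quiet the terminal about LINK events without touching the server or buffer.
    quiet_terminal = FilterConfig(direction="terminal", filter_type="filter-only",
                                  rules=[Rule("single-match", module="LINK")])
    print(sorted(delivered_to("LINK", 5, "CHANGED", quiet_terminal)))
    # Watch one specific event everywhere and suppress everything else.
    watch_one = FilterConfig(direction="all", filter_type="contains-only",
                             rules=[Rule("exact-match", module="LINK", mnemonic="CHANGED", level=5)])
    print(sorted(delivered_to("LINK", 5, "UPDOWN", watch_one)))
```

The two configurations in the usage part show the trade-off discussed above: the first keeps the server and buffer copies of the LINK events while silencing the terminal, whereas the second, applied to all directions, drops every message except the one watched, including from the server.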
Command    Function
Ruijie# logging flash flush    Write the log messages in the system buffer into the flash file immediately
In general, log messages are cached in the log buffer and written into the flash file only when the buffer is full or the timer expires. This command writes the cached log messages into the flash file immediately.
The logging flash flush command takes effect once each time it is run: the log messages cached in the buffer are written into the flash file immediately. Run it before a planned reboot or before collecting the file for an investigation, so that the most recent messages are not lost with the buffer.
The following example writes log messages in the system buffer into the flash file immediately.
Command    Function
logging delay-send file flash:filename    Set the name of the log file saved locally for delayed sending, in global configuration mode.
    flash:filename: Sets the name of the log file saved locally for delayed sending.
no logging delay-send file    Restore the default setting
The file name cannot contain the special symbols . \ / : * " < > and |.
For example, with file name log_server, file index 5, file size 1000 B and device IP address 10.2.3.5, the log file sent to the remote server is named log_server_1000_10.2.3.5_5.txt and the log file saved locally is named log_server_5.txt.
If the device has an IPv6 address, the colon (:) in the IPv6 address is replaced by a hyphen (-).
For example, with file name log_server, file index 6, file size 1000 B and device IPv6 address 2001::1, the log file sent to the remote server is named log_server_1000_2001-1_6.txt and the log file saved locally is named log_server_6.txt.
The following example sets the name of the log file saved locally to log_server.
Command    Function
logging delay-send interval seconds    Set the interval at which log sending is delayed, in global configuration mode.
    seconds: Sets the delay interval, in the range from 600 to 65535 seconds.
no logging delay-send interval    Restore the default setting
The following example sets the interval at which log sending is delayed to 600 seconds.
Command    Function
logging delay-send server { [ oob ] ip-address | ipv6 ipv6-address } [ vrf vrf-name ] mode { ftp user username password [ 0 | 7 ] password | tftp }    Configure the server address and the log sending mode, in global configuration mode.
    oob: Indicates that logs are sent to the server through the MGMT port. The device must have an MGMT port.
    ip-address: Specifies the IPv4 address of the server.
    ipv6 ipv6-address: Specifies the IPv6 address of the server.
    vrf vrf-name: Specifies the VRF instance connected to the server.
    username: Sets the FTP server username.
    password: Sets the FTP server password.
    0: (Optional) The password is entered and displayed in plaintext.
    7: The password is entered in its encrypted form.
no logging delay-send server { [ oob ] ip-address | ipv6 ipv6-address } [ vrf vrf-name ]    Restore the default setting
This command specifies an FTP/TFTP server to receive the logs. Up to five FTP/TFTP servers can be configured; logs are sent to all configured servers simultaneously.
FTP and TFTP transfer the log files, and FTP also the credentials, in cleartext, so use delayed sending only over a management network and give the FTP account write-only access to its log directory. Treat the device configuration as sensitive as well: the device must present the stored password to the server, so even the encrypted form is recoverable from the configuration by design.
The following example specifies an FTP server with IP address 192.168.23.12, username admin and password admin:
Ruijie(config)# logging delay-send server 192.168.23.12 mode ftp user admin password admin
The following example specifies a TFTP server whose IPv6 address is 2000::1.
Command    Function
logging delay-send terminal    Enable delayed sending of logs to the console and the remote terminal, in global configuration mode
no logging delay-send terminal    Restore the default setting
The following example enables delayed sending of logs to the console and the remote terminal.
The device is connected to a log server whose IP address is 192.168.200.2. To have all logs carry a timestamp and logs of all levels sent to the log server, perform the following configuration:
Ruijie(config)# service timestamps debug datetime    // enable the DEBUG timestamp, date format
Ruijie(config)# service timestamps log datetime    // enable the LOG timestamp, date format
Ruijie(config)# logging 192.168.200.2    // specify the address of the syslog server
Ruijie(config)# logging trap debugging    // logs of all levels are sent to the syslog server
Ruijie(config)# end
Sending level 7 to the server is appropriate while troubleshooting; for routine operation, keep the default of level 6 so that debug output does not flood the server and bury security-relevant messages.
Configuration Guide Configuring RLOG
Configuring RLOG
Overview
RLOG (Remote Log) exports logs to remote servers (such as ELOG and SNC).
With RLOG enabled, devices collect logs and send them to the servers, which analyze the logs and write them into their databases, so that specific logs can be looked up conveniently on the servers. RLOG supports multiple types of logs concerning device operation, user behavior and system security.
Protocols and Standards
N/A
Applications
Application Description
Log Export With RLOG enabled, remote logs are exported to RLOG servers for reference.
Log Export
Scenario
With RLOG and URL audit logging configured, the AP/AC outputs URL audit logs when users access the network through
the AP. Once users go offline, the logs are sent to the ELOG server.
Figure 0-1
Deployment
Enable log modules and RLOG on the AC/AP. Configure the RLOG server.
The RLOG server receives and analyzes logs for reference and statistics.
Features
Basic Concepts
N/A
Overview
Function Description
RLOG Export Exports remote logs on AC/AP to RLOG servers.
RLOG-specific Server Configures remote log-differentiated servers for different types of logs.
Working Principle
Different log modules on AC/AP, such as flow logging, device audit logging, flow audit logging and content audit logging,
generate various logs. RLOG servers receive, analyze and display these logs.
Related Configuration
For instance, use the flow-audit enable command to enable the flow audit log module.
Enabling RLOG
Working Principle
According to RLOG types, export requests from log modules are handled differently.
Related Configuration
For instance, use the flow-audit enable command to enable the flow audit log module.
Configure server for flow logs: rlog type 16 server 192.168.1.100 priority 1
Configure server for interface flow logs: rlog type 25 server 192.168.1.101 priority 1
Configuration
Enabling RLOG
Networking Requirements
Notes
N/A
Configuration Steps
Mandatory
Mandatory
Verification
If RLOG export is functional, check whether the RLOG server receives every log.
Related Commands
relevant commands. For instance, use the ip session log-on command to enable the flow log module. Use the no rlog server ip-address command to remove the RLOG server configuration.
Configuration Example
Scenario
Figure 0-2
[26]RLOG_TYPE_IP_OFFLINE : 0
[27]RLOG_TYPE_MAIL_AUDIT : 0
[28]RLOG_TYPE_TELNET_AUDIT : 0
[29]RLOG_TYPE_WEB_SEARCH_AUDIT : 0
[30]RLOG_TYPE_WEB_BBS_AUDIT : 0
[31]RLOG_TYPE_IM_AUDIT : 0
[32]RLOG_TYPE_FTP_AUDIT : 0
[33]RLOG_TYPE_WEB_AUDIT : 0
[34]RLOG_TYPE_APP_AUDIT : 0
[35]RLOG_TYPE_FLOOD : 0
[36]RLOG_TYPE_FLOOD_CEASEm : 0
[37]RLOG_TYPE_SCAN : 0
[38]RLOG_TYPE_SCAN_CEASE : 0
[39]RLOG_TYPE_ATTACK_FRAG : 0
If logs are produced, the value of RLOG_TYPE_FLOW increases.
A# show rlog
rlog server is enable
port 20000 server 192.168.1.100
port 20000 server 10.10.10.10
rlog dev-ip 0.0.0.0
rlog export-rate 10000 rlog queue remain 10000
A
send log count : 0 error count : 0 errorno : 0
recv buf: 0 poll buf err: 0 push buf: 0 local buf: 0
recv err cnt: 0 depatch err cnt: 0
Common Errors
The RLOG server is configured, but the RLOG type is not specified.
The RLOG server and type are configured, but the log module is not enabled.
Notes
In case of RLOG malfunction, make sure you fully understand each command parameter before configuring it.
Configuration Steps
Optional
Verification
Check whether RLOG exports normally and whether the servers receive the logs.
Related Commands
Configuration Example
Configuration Steps
Ruijie# configure terminal
Ruijie(config)# rlog dev-ip 10.10.10.1
Ruijie(config)# rlog export-rate 10000
Ruijie(config)# end
Common Errors
Monitoring
Clearing Configuration
N/A
Displaying Running Status
Command Function
show rlog Displays the RLOG configuration.
show rlog-type Displays the RLOG type.
show rlog-status [server ip] Displays the RLOG server status.
show rlog-status client Displays the RLOG module status.
show rlog-status log Displays the RLOG count.
Displaying Debugging Information
Outputting debugging information consumes system resources. Therefore, disable debugging immediately after use.
Command Function
debug rlog info Enables RLOG debugging function.
Configuring CWMP
Overview
The CPE WAN Management Protocol (CWMP) provides a general framework for unified device management, together with the related message specifications, management methods and data models, so as to solve the difficulties of managing and maintaining scattered CPEs centrally, improve troubleshooting efficiency and save O&M costs.
Auto configuration and dynamic service provisioning. When a CPE first accesses the network after starting, it automatically obtains its configuration from a management server. The management server can dynamically change the configuration and status of the CPE while it is running.
Main program and configuration file management. CWMP manages the main programs and configuration files of CPEs and upgrades them.
Software module management. CWMP manages software modules according to the data models implemented for them.
Status monitoring. CWMP notifies the management server of the running status of a CPE and of configuration changes to it, so that the CPE can be monitored through real-time change notifications.
Fault diagnosis. The management server diagnoses or resolves connectivity and other service problems according to information from the CPEs, and can also run pre-defined diagnosis operations.
Protocol Specification
For details about TR069 protocol specifications, visit the official forum at
http://www.broadband-forum.org/technical/trlist.php. Listed below are some major specifications:
Typical Applications
Scenario auto-configuration server (ACS), so as to upgrade the main program of the CPE,
upload the configuration file of the CPE, restore the configuration of the CPE, or
attain other purposes.
The major components of a CWMP network are CPEs, an ACS, a management center, a DHCP server, and a domain
name system (DNS) server. A large number of CPEs are managed by the ACS. The management center controls the ACS, so
as to manage and control the CPEs. In general, a web browser is used in the management center to control the ACS.
Figure 1-1
Note The DHCP server dynamically obtains the URL of the ACS. If the URL of the ACS is statically
configured, the DHCP server is optional.
The DNS server parses the domain name of the ACS or the domain names of the CPEs. If the URLs of
the ACS and CPEs are IP addresses instead of domain names, the DNS server is optional.
Functional Deployment
The CWMP function is supported only on AP320, AP330, AP120, AP530, AP630.
Functions
Basic Concept
Common Terminologies
Protocol Structure
Figure 1-2
As shown in Figure 1-2, CWMP consists of six layers. These layers have respective functions as follows:
This layer is actually not within the scope of CWMP. It is the development performed for various functional modules of the
CPEs/ACS to support the management function of CWMP, just like the Simple Network Management Protocol (SNMP),
which does not cover the MIB management of functional modules.
RPC Methods
This layer provides various RPC methods for interactions between the ACS and the CPEs, and implements operations for
these RPC methods.
SOAP
The Simple Object Access Protocol (SOAP) layer provides CWMP protocol encapsulation and decapsulation in XML
format. The format of a CWMP message must comply with the encapsulation syntax of SOAP.
HTTP
All CWMP messages are ultimately transmitted through the Hypertext Transfer Protocol (HTTP). Both the ACS and the
CPEs support HTTP client and server functions. The server function is used to monitor reverse connections from the peer.
SSL/TLS
This layer provides CWMP security guarantees, including data integrity, confidentiality, and authentication.
TCP/IP
The ACS manages and monitors a CPE mainly using the following RPC methods:
The ACS uses these methods to remotely obtain information about RPC methods supported by the CPE, names of data
model parameters supported by the CPE, values of the data model parameters, and attributes of the data model
parameters.
The ACS uses these methods to remotely set the values and attributes of the data model parameters supported by the
CPE.
INFORM method
The CPE uses the INFORM method to inform the ACS of its own device identifier, parameter information, or events. The
INFORM method is the first method used to establish a session between the ACS and the CPE.
DownLoad method
The DownLoad method enables the ACS to remotely control the file downloading of the CPE, including controlling the
upgrade of the CPE's main program, controlling configuration file update, and controlling web package upgrade.
UpLoad method
The UpLoad method enables the ACS to remotely control the file uploading of the CPE, including controlling the upload of
the configuration file of the CPE and controlling the upload of the log file of the CPE.
Reboot method
The ACS uses the Reboot method to remotely control the reboot behavior of the CPE.
Session Management
CWMP sessions are the basis for CWMP to operate normally, and CWMP interactions are CWMP session interactions.
All CWMP interactions between the ACS and the CPE are based on the session between the two. Interactions between
the ACS and the CPE are effectively performed through session transfer, management, and maintenance, so that the
ACS can manage and monitor the CPE. A TCP connection is established between the ACS and the CPE in a session
process between the two. The process from the beginning of Inform negotiation to the teardown of the TCP connection
upon completion of all current interactions is called a session process. Sessions are classified into CPE-initiated sessions
and ACS-solicited sessions, depending on the specific role of the session initiator. The following sections will describe the
two application scenarios.
CWMP operates based on CWMP data models, and CWMP's management of all functional modules is a set of operations
performed on the CWMP data models. Each functional module registers and implements a respective data model, just like
the MIBs implemented by various functional modules of SNMP.
Configuration Guide Configuring CWMP
A CWMP data model is represented in the form of a character string. For a clear hierarchy of the data model, a dot (.) is
used as a delimiter to distinguish an upper-level data model node from a lower-level data model node. For instance, in the
data model InternetGatewayDevice.LANDevice, InternetGatewayDevice is the parent data model node of LANDevice,
and LANDevice is the child data model node of InternetGatewayDevice.
Data model nodes are classified into two types: object nodes and parameter nodes. The parameter nodes are also known
as leaf nodes. An object node is a node under which there are child nodes, and a parameter node is a leaf node under
which there is no child node. Object nodes are further classified into single-instance object nodes and multi-instance
object nodes. A single-instance object node is an object node for which there is only one instance, whereas a
multi-instance object node is an object node for which there are multiple instances.
Data model nodes can also be classified into readable nodes and readable-and-writable nodes. A readable node is a
node whose parameter values can be read but cannot be modified, and a readable-and-writable node is a node whose
parameter values can be both read and modified.
A data model node has two attributes. One attribute relates to a notification function; that is, whether to inform the ACS of
changes (other than changes caused by CWMP) to parameter values of the data model. The other attribute is an identifier
indicating that the parameters of the data model node can be written using other management modes (than the ACS); that
is, whether the values of the parameters can be modified using other management modes such as Telnet. The ACS can
modify the attributes of the data models using RPC methods.
Event Management
When events of interest to the ACS occur on the CPE, the CPE needs to inform the ACS of these events. The ACS
monitors these events so as to monitor the working status of the CPE. The events of CWMP are just like trap messages of
SNMP or logs involved in the product log function. The ACS can control and adjust the events it is concerned with using
RPC methods, so as to filter out the types of events that the ACS does not care about. Events in CWMP are classified into
two types: singular events and incremental events. For a singular event, a second occurrence of the same event does not
change its count: the old occurrence is discarded and the new one kept. For an incremental event, the old occurrence is
not discarded, and each later occurrence of the same event is kept as a complete event; that is, the count of this event is
incremented by 1.
All events that occur on the CPE are notified to the ACS using the INFORM method.
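As an added illustration (not Ruijie's code and not the CWMP implementation), the following Python models the rules described above: dotted data-model paths with object and parameter nodes, the two node attributes the ACS can set, and singular versus incremental event queuing for the next INFORM. Parameter names and event names are constructed for the example.

```python
from collections import OrderedDict


class Node:
    """A data-model node. Object nodes have children; parameter nodes (leaves)
    carry a value. 'writable' is the readable-and-writable flag; 'notify' and
    'other_write' are the two attributes the ACS can change with RPC methods."""

    def __init__(self, name):
        self.name = name
        self.children = {}
        self.value = None
        self.writable = False
        self.notify = False       # report non-CWMP value changes to the ACS
        self.other_write = True   # may Telnet or other modes write this parameter

    def is_parameter(self):
        return not self.children

    def is_multi_instance(self):
        # An object whose children are instance numbers (LANDevice.1, LANDevice.2, ...)
        return bool(self.children) and all(k.isdigit() for k in self.children)


class DataModel:
    """Dotted paths such as InternetGatewayDevice.LANDevice.1.Name (constructed
    names; the real TR-069 data model is not reproduced here)."""

    def __init__(self):
        self.root = Node("")

    def _walk(self, path, create):
        node = self.root
        for part in [p for p in path.split(".") if p]:
            if part not in node.children:
                if not create:
                    raise KeyError(path)
                node.children[part] = Node(part)
            node = node.children[part]
        return node

    def define(self, path, value, writable=False, notify=False, other_write=True):
        """Register a parameter node, creating its parent object nodes."""
        node = self._walk(path, create=True)
        node.value, node.writable = value, writable
        node.notify, node.other_write = notify, other_write
        return node

    def get(self, path):
        return self._walk(path, create=False)

    @staticmethod
    def parent_of(path):
        return ".".join(path.rstrip(".").split(".")[:-1])


class EventQueue:
    """Events waiting for the next INFORM. A singular event keeps only its latest
    occurrence; an incremental event keeps a count of occurrences."""
    SINGULAR, INCREMENTAL = "singular", "incremental"

    def __init__(self):
        self._events = OrderedDict()

    def add(self, name, kind):
        if kind == self.SINGULAR:
            self._events[name] = 1                       # old discarded, new kept
        else:
            self._events[name] = self._events.get(name, 0) + 1

    def pending(self):
        return dict(self._events)

    def acknowledged(self):
        """Called once the ACS has answered the INFORM that carried the events."""
        self._events.clear()


def set_value(model, events, path, value, via):
    """Apply a parameter write coming from the ACS ('acs') or from another
    management mode such as Telnet. Returns True if the stored value changed."""
    node = model.get(path)
    if not node.is_parameter():
        raise ValueError(f"{path} is an object node, not a parameter")
    if not node.writable:
        raise PermissionError(f"{path} is read-only")
    if via != "acs" and not node.other_write:
        raise PermissionError(f"{path} may only be written through the ACS")
    changed = node.value != value
    node.value = value
    # Only changes made outside CWMP are reported, and only if notify is set.
    if changed and via != "acs" and node.notify:
        events.add("VALUE CHANGE", EventQueue.SINGULAR)   # illustrative event name
    return changed
```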
Features
Feature Description
Upgrading the Main Program: The ACS controls the upgrade of the main program of a CPE using the DownLoad method.
Updating the Configuration File: The ACS controls the upgrade of the configuration file of a CPE using the DownLoad method.
Uploading the Configuration File: The ACS controls the upload of the configuration file of a CPE using the UpLoad method.
Backing up and Restoring a CPE: When a CPE breaks away from the NMS, this feature can remotely restore the CPE to the previous status.
Working Principle
Figure 1-3
A user selects to upgrade the main program of the CPE, and the ACS delivers the DownLoad method to the CPE for the
CPE to upgrade its main program. The CPE downloads the latest main program from a file server specified in the
DownLoad method, upgrades its own main program, and restarts after the main program is updated. After restarting, the
CPE informs the ACS that its main program has been upgraded.
The ACS may simultaneously serve as the file server; or the file server may be separately deployed.
Related Configuration
Run the cwmp command in global configuration mode to enable the CWMP function.
Run the acs url command in CWMP configuration mode to configure the URL of the ACS.
Run the acs username command in CWMP configuration mode to configure the username of the ACS.
Run the acs password command in CWMP configuration mode to configure the user password of the ACS.
Run the cpe url command in CWMP configuration mode to configure the URL of the CPE.
Run the cpe username command in CWMP configuration mode to configure the username of the CPE.
Run the cpe password command in CWMP configuration mode to configure the user password of the CPE.
Run the cpe inform command in CWMP configuration mode to enable the periodical notification function on the
CPE.
Run the timer cpe-timeout command in CWMP configuration mode to configure the session timeout period of the
CPE.
Run the no disable download command in CWMP configuration mode to enable the file download function on
the CPE, so that the CPE can download main program and configuration files from the ACS.
Working Principle
Figure 1-4
A user selects to upgrade the configuration file of the CPE, and the ACS delivers the DownLoad method to the CPE for
the CPE to upgrade its configuration file. The CPE downloads the latest configuration file from a file server specified in the
DownLoad method, upgrades its own configuration file, and restarts after the configuration file is updated. After restarting,
the CPE informs the ACS that its configuration file has been upgraded.
The ACS may simultaneously serve as the file server; or the file server may be deployed as another
separate server.
Related Configuration
Same as enabling the CWMP function in the "Upgrading the Main Program" section.
Same as configuring the URL of the ACS in the "Upgrading the Main Program" section.
Same as configuring the username of the ACS in the "Upgrading the Main Program" section.
Same as configuring the user password of the ACS in the "Upgrading the Main Program" section.
Same as configuring the URL of the CPE in the "Upgrading the Main Program" section.
Same as configuring the username of the CPE in the "Upgrading the Main Program" section.
Same as configuring the user password of the CPE in the "Upgrading the Main Program" section.
Same as enabling the periodical notification function on the CPE in the "Upgrading the Main Program" section.
Same as configuring the session timeout period of the CPE in the "Upgrading the Main Program" section.
Same as configuring the file download function of the CPE in the "Upgrading the Main Program" section.
Working Principle
Figure 1-5
When the CPE initially accesses the ACS, the ACS needs to learn the configuration file of the CPE in the following
learning process:
The ACS initially receives an INFORM message from the CPE, and finds or establishes corresponding CPE database
information according to device information carried in the INFORM message.
The ACS database does not contain the configuration file of the CPE. Therefore, the ACS delivers the Upload method
to the CPE for the CPE to upload the configuration file.
The CPE informs the ACS that the configuration file has been uploaded.
Related Configuration
Same as enabling the CWMP function in the "Upgrading the Main Program" section.
Same as configuring the URL of the ACS in the "Upgrading the Main Program" section.
Same as configuring the username of the ACS in the "Upgrading the Main Program" section.
Same as configuring the user password of the ACS in the "Upgrading the Main Program" section.
Same as configuring the URL of the CPE in the "Upgrading the Main Program" section.
Same as configuring the username of the CPE in the "Upgrading the Main Program" section.
Same as configuring the user password of the CPE in the "Upgrading the Main Program" section.
Same as enabling the periodical notification function on the CPE in the "Upgrading the Main Program" section.
Same as configuring the session timeout period of the CPE in the "Upgrading the Main Program" section.
Run the no disable upload command in CWMP configuration mode to enable the CPE to upload configuration
files and log files to the ACS.
Working Principle
You can configure the restoration function on a CPE, so that the CPE can restore itself from exceptions of its main
program or configuration file. Then when the CPE fails to connect to the ACS and breaks away from the NMS after its
main program or configuration file is upgraded, the previous main program or configuration file of the CPE can be restored
in time for the ACS to manage the CPE. This kind of exception is generally caused by delivery of a wrong main program or
configuration file.
Before the CPE receives a new main program or configuration file to upgrade its main program or configuration file, the
CPE will back up its current main program and configuration file. In addition, there is a mechanism for determining
whether the problem described in the preceding scenario has occurred. If the problem has occurred, the CPE is restored
to the previous manageable status.
Related Configuration
The CPE backup and restoration function is enabled by default, and the default restoration time is 60 seconds.
Run the cpe back-up command in CWMP configuration mode to enable the CPE backup and restoration function.
The greater the restoration time, the longer the CPE waits before starting the restoration.
Configuration Details
This configuration is mandatory. You need to configure the ACS username and
password to be authenticated for the CPE to connect to the ACS, as well as the
CPE username and password to be authenticated for the ACS to connect to the
CPE.
This configuration is optional. You can configure the URLs of the CPE and the ACS
or not.
This configuration is optional. You can configure the basic functions of the CPE,
such as backing up and restoring the main program or configuration file of the
CPE, and disabling the CPE's function of uploading configuration and log files
to the ACS.
Precautions
None.
Configuration Method
Configuring the ACS Username to Be Authenticated for the CPE to Connect to the ACS
Only one username can be configured for the ACS. If you configure the username of the ACS multiple times, the
latest configuration applies.
Configuring the ACS User Password to Be Authenticated for the CPE to Connect to the ACS
The user password of the ACS can be in plaintext or encrypted form. Only one user password can be configured for
the ACS. If you configure the user password of the ACS multiple times, the latest configuration applies.
Configuring the CPE Username to Be Authenticated for the ACS to Connect to the CPE
Only one username can be configured for the CPE. If you configure the username of the CPE multiple times, the
latest configuration applies.
Configuring the CPE User Password to Be Authenticated for the ACS to Connect to the CPE
The user password of the CPE can be in plaintext or encrypted form. Only one user password can be configured for
the CPE. If you configure the user password of the CPE multiple times, the latest configuration applies.
Configuring the URL of the ACS to Which the CPE Will Connect
Only one ACS URL can be configured. If you configure the URL of the ACS multiple times, the latest configuration
applies. The URL of the ACS must be in HTTP format.
Configuring the URL of the CPE to Which the ACS Will Connect
Only one CPE URL can be configured. If you configure the URL of the CPE multiple times, the latest configuration
applies. The URL of the CPE must be in HTTP format, and cannot be in domain name format.
Verification
Related Commands
Command Syntax: cwmp
Parameter Description: None.
Command Mode: Global configuration mode
Usage Guide: None.
Configuring the ACS Username to Be Authenticated for the CPE to Connect to the ACS
Configuring the ACS User Password to Be Authenticated for the CPE to Connect to the ACS
Configuring the CPE Username to Be Authenticated for the ACS to Connect to the CPE
Configuring the CPE User Password to Be Authenticated for the ACS to Connect to the CPE
Parameter Description:
Password: Specifies the CPE user password to be authenticated for the ACS to connect to the CPE.
encryption-type: Specifies the encryption type, which can be set to 0 (indicating that no encryption is
used) or 7 (indicating that simple encryption is used).
encrypted-password: Specifies the password in encrypted form.
Command Mode: CWMP configuration mode
Usage Guide: Use this command to configure the CPE user password to be authenticated for the ACS to connect to
the CPE. In general, the encryption type does not need to be specified. The encryption type needs to be
specified only when copying and pasting the encrypted password of this command. A valid password
should meet the following format requirements:
The password contains only English letters in upper or lower case and numeric characters.
Blanks are allowed at the beginning of the password but will be ignored. Intermediate and ending
blanks, however, are regarded as a part of the password.
When the encryption-type is set to 7, the legitimate characters include only 0~9, a~f and A~F.
Configuring the URL of the ACS to Which the CPE Will Connect
Configuring the URL of the CPE to Which the ACS Will Connect
Configuration Examples
Network Environment
Figure 1-6
On the CPE, configure the CPE username and password to be authenticated for the ACS to
connect to the CPE.
CPE Ruijie# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)# cwmp
Ruijie(config-cwmp)# acs username USERB
Ruijie(config-cwmp)# acs password PASSWORDB
Ruijie(config-cwmp)# cpe username USERB
Ruijie(config-cwmp)# cpe password PASSWORDB
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie # show cwmp configuration
CWMP Status : enable
ACS URL : http://10.10.10.1:7547/acs
ACS username : USERA
ACS password : ******
CPE URL : http://10.10.10.2:7547/
CPE username : USERB
CPE password : ******
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie #show cwmp configuration
CWMP Status : enable
ACS URL : http://10.10.10.1:7547/acs
ACS username : USERA
ACS password : ******
CPE URL : http://10.10.10.2:7547/
Common Errors
The user-input encrypted password is longer than 254 characters, or the length of the password is not an even
number.
The user-input encrypted password contains illegal characters (the legitimate characters include only 0~9, a~f and
A~F).
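Added example, not Ruijie's code: a checker for the password format rules this guide states for cpe password and acs password, covering the plaintext form and the type 7 form, and reproducing the two Common Errors above as checks so a command line can be validated before it is pasted into the CLI. Treat a type 7 string as no less sensitive than the plaintext: the guide calls it simple encryption, and the device has to recover the password from it to authenticate, so a running configuration that contains it needs the same protection as one holding the plaintext.

```python
import re

MAX_ENCRYPTED_LEN = 254   # limit stated in the Common Errors section


def check_password(encryption_type, password):
    """Return (ok, reason) for a password value as typed after
    'cpe password' or 'acs password'. encryption_type 0 = plaintext,
    7 = the 'simple encryption' form copied from a running configuration."""
    if encryption_type == 0:
        # Leading blanks are ignored; intermediate and ending blanks count as
        # part of the password and so violate the letters-and-digits-only rule.
        candidate = password.lstrip(" ")
        if not candidate:
            return False, "empty password"
        if not re.fullmatch(r"[A-Za-z0-9]+", candidate):
            return False, "plaintext password must contain only letters and digits"
        return True, "ok"
    if encryption_type == 7:
        if len(password) > MAX_ENCRYPTED_LEN:
            return False, f"encrypted password longer than {MAX_ENCRYPTED_LEN} characters"
        if len(password) % 2 != 0:
            return False, "encrypted password length is not an even number"
        if not re.fullmatch(r"[0-9a-fA-F]+", password):
            return False, "encrypted password contains characters outside 0-9, a-f, A-F"
        return True, "ok"
    return False, f"unknown encryption type {encryption_type}"


def check_cli_line(line):
    """Validate a full 'cpe password [type] value' or 'acs password [type] value'
    line as typed in CWMP configuration mode."""
    stripped = line.strip()
    parts = stripped.split(None, 3)
    if len(parts) < 3 or parts[0] not in ("cpe", "acs") or parts[1] != "password":
        return False, "not a cpe/acs password command"
    if len(parts) == 4 and parts[2] in ("0", "7"):
        return check_password(int(parts[2]), parts[3])
    # No encryption type given: everything after 'password' is a plaintext password.
    return check_password(0, stripped.split(None, 2)[2])
```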
You can configure common functions of the CPE, such as the backup and restoration of its main program or
configuration file, whether to enable the CPE to download main program and configuration files from the ACS, and
whether to enable the CPE to upload its configuration and log files to the ACS.
Configuration Method
This configuration is optional. The value range is from 30 to 3600 in seconds. The default value is 600.
Perform this configuration to reset the periodical notification interval of the CPE.
Disabling the Function of Downloading Main Program and Configuration Files from the ACS
This configuration is optional. The CPE can download main program and configuration files from the ACS by default.
Perform this configuration if the CPE does not need to download main program and configuration files from the ACS.
Disabling the Function of Uploading Configuration and Log Files to the ACS
This configuration is optional. The CPE can upload configuration and log files to the ACS by default.
Perform this configuration if the CPE does not need to upload configuration and log files to the ACS.
This configuration is performed on the CPE, so that the CPE does not upload configuration and log files to the ACS.
Configuring the Backup and Restoration of the Main Program and Configuration File of the CPE
This configuration is optional. The backup and restoration of the main program and configuration file of the CPE is
enabled by default. The value range is from 30 to 10000 in seconds. The default value is 60.
Perform this configuration to modify the function of backing up and restoring the main program and configuration file
of the CPE.
Configuring the Session Timeout Period of the CPE in Which the ACS Does Not Return Any Response
The configuration is optional. The value range is from 10 to 600 in seconds. The default value is 30.
Perform this configuration to modify the session timeout period of the CPE in which the ACS does not return any
response.
Verification
Related Commands
Disabling the Function of Downloading Main Program and Configuration Files from the ACS
Disabling the CPE's Function of Uploading Configuration and Log Files to the ACS
Configuring the Backup and Restoration of the Main Program and Configuration File of the CPE
Configuring the Session Timeout Period of the CPE in Which the ACS Does Not Return Any Response
Configuration Examples
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie #show cwmp configuration
CWMP Status : enable
……
CPE inform interval : 60s
Disabling the Function of Downloading Main Program and Configuration Files from the ACS
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie #show cwmp configuration
CWMP Status : enable
……
CPE download status : disable
Disabling the CPE's Function of Uploading Configuration and Log Files to the ACS
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie #show cwmp configuration
CWMP Status : enable
……
CPE upload status : disable
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie #show cwmp configuration
CWMP Status : enable
……
CPE back up delay time : 30s
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE Ruijie#show cwmp configuration
CWMP Status : enable
……
CPE wait timeout : 100s
Common Configuration Errors
None
Command Function
show cwmp configuration Shows the current configuration of CWMP.
show cwmp status Shows the running status of CWMP.
Configuration Guide Configuring LED
Configuring LED
Overview
Light Emitting Diode (LED) is a solid luminous semiconductor. It serves as an indicator light to show AP's working status in
different colors.
Protocols and Standards
N/A
Typical Application
N/A
Function Details
Ruijie products support one or multiple LEDs to display the AP's working status. For example, the LED on an Ethernet
interface blinks when data flows through it. LEDs are controlled through GPIO or CPLD ports with different lighting
patterns, such as solid green, blinking green, blinking red and so on. By observing the LED, you can easily tell the AP's
working status and faults.
Configuration Details
Notes
You must configure the effective time for the quiet mode at first.
Configuration Method
Configuring session
Optional configuration.
Command Syntax: schedule session sid time-range n period day1 [ to day2 ] time hh1:mm1 to hh2:mm2
Parameter Description:
sid: scheduled session ID.
n: scheduled session period number.
day1: scheduled session period; day1 indicates the start date, in the range of { sun | mon | tue | wed | thu
| fri | sat }.
to day2: the end date; by default the interval covers only one day.
time hh1:mm1 to hh2:mm2: scheduled session time. hh1:mm1 is the start time and hh2:mm2 the end
time, in the range from 0 to 23 hours and 0 to 59 minutes.
Defaults: N/A
Command Mode: Global configuration mode
Usage Guide: Configure a session first.
Optional configuration.
Check Method
All LEDs are off when the system time is within the session interval.
Configuration Examples
Configuring LED Quiet Mode from Monday 11pm to Tuesday 7am Every Week
Verification When the system time is within the session interval, all LEDs on the AP are off.
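Added example, not Ruijie's code: a check of whether a given system time lies inside a schedule session window, which is what the verification step above observes through the LEDs. It assumes the window runs continuously from day1 hh1:mm1 to day2 hh2:mm2 (as in the Monday 11pm to Tuesday 7am example above), wraps correctly across midnight and across the end of the week, and treats an end time before the start time on a single day as a configuration error.

```python
from datetime import datetime

# Day keywords in the order datetime.weekday() uses (Monday = 0).
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]


def _minute_of_week(day, hhmm):
    """Minutes since Monday 00:00 for a day keyword and an hh:mm string."""
    hh, mm = (int(x) for x in hhmm.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"time {hhmm} out of range")
    return DAYS.index(day) * 1440 + hh * 60 + mm   # ValueError on a bad day keyword


def parse_period(day1, day2, start, end):
    """Translate 'period day1 [to day2] time start to end' into a half-open
    window [s, e) of week minutes. e < s means the window wraps past Sunday."""
    s = _minute_of_week(day1, start)
    e = _minute_of_week(day2 or day1, end)
    if day2 is None and e <= s:
        raise ValueError("on a single day the end time must be after the start time")
    return s, e


def in_session(period, when):
    """True when 'when' lies inside the window, i.e. when the LEDs are off."""
    s, e = period
    now = when.weekday() * 1440 + when.hour * 60 + when.minute
    if s <= e:
        return s <= now < e
    return now >= s or now < e   # window wraps around the end of the week


def leds_off(day1, day2, start, end, when=None):
    """Convenience wrapper: is quiet mode active at 'when' (default: now)?"""
    return in_session(parse_period(day1, day2, start, end), when or datetime.now())
```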
Common Mistakes
Clear Configuration
N/A
Display Operation
N/A
Display Debugging
N/A
Configuration Guide Configuring USB
Configuring USB
Overview
This document describes USB storage devices (mainly USB disks). The system recognizes only USB disks partitioned
with FAT. Other file systems cannot be identified.
After inserting a USB disk, the system prompts that USB disk is found. The files in this USB disk can be positioned and
accessed through URL, such as usb0:/abc/1.txt.
Just insert a USB device into the USB slot. Messages as below are displayed if the system finds the device and loads the
driver.
*Jan 1 00:09:42: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been inserted to USB port
0!
*Jan 1 00:09:42: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb0 (type: FAT32), size: 1050673152B
(1002MB)
<USB Mass Storage Device> is the name of the found device; usb0 is the first USB device, and size is the partition size.
This U-disk has 1002 MB space.
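Added example, not Ruijie's code: a parser for the USB_DISK_FOUND and USB_DISK_PARTITION_MOUNT messages shown above that turns each insertion into a record a log pipeline can alert on, since removable storage appearing on an AP is a physical-access event worth recording. The sample log is constructed in the same format; its timestamps, the second insertion and the unrelated line are made up.

```python
import re

# Constructed sample lines in the format the guide shows (timestamps, the second
# insertion and the unrelated message are made up for the example).
SAMPLE_LOG = """\
*Jan 1 00:09:42: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been inserted to USB port 0!
*Jan 1 00:09:42: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb0 (type: FAT32), size: 1050673152B (1002MB)
*Jan 1 00:12:03: %EXAMPLE-6-UNRELATED: some other message (constructed)
*Jan 2 13:40:10: %USB-5-USB_DISK_FOUND: USB Disk <Mass Storage> has been inserted to USB port 1!
*Jan 2 13:40:10: %USB-5-USB_DISK_PARTITION_MOUNT: Mount usb1 (type: FAT32), size: 2097152000B (2000MB)
"""

LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): "
    r"%(?P<facility>\w+)-(?P<severity>\d)-(?P<mnemonic>\w+): (?P<text>.*)$"
)
FOUND_RE = re.compile(r"inserted to USB port (?P<port>\d+)")
MOUNT_RE = re.compile(r"Mount (?P<dev>usb\d+) \(type: (?P<fs>\w+)\), size: (?P<bytes>\d+)B")


def parse_line(line):
    """Split one RGOS syslog line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def usb_insertions(log_text):
    """One record per removable-storage insertion: the USB_DISK_FOUND line,
    enriched with the USB_DISK_PARTITION_MOUNT line that follows it."""
    records, pending = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["facility"] != "USB":
            continue
        if rec["mnemonic"] == "USB_DISK_FOUND":
            port = FOUND_RE.search(rec["text"])
            pending = {"time": rec["ts"], "port": int(port["port"]) if port else None,
                       "device": None, "fs": None, "size_mb": None}
            records.append(pending)
        elif rec["mnemonic"] == "USB_DISK_PARTITION_MOUNT" and pending is not None:
            m = MOUNT_RE.search(rec["text"])
            if m:
                pending.update(device=m["dev"], fs=m["fs"],
                               size_mb=int(m["bytes"]) // (1024 * 1024))
            pending = None   # a mount belongs to at most one preceding FOUND
    return records


def alert_lines(records):
    """Human-readable alert per insertion, e.g. for forwarding to a SIEM."""
    return [f"{r['time']}: removable storage on USB port {r['port']} "
            f"({r['device']}, {r['fs']}, {r['size_mb']} MB)" for r in records]
```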
Enter the USB disk partition.
Ruijie# cd usb0:/
Enter the SD card partition.
Ruijie# cd sd0:/
Run the dir command. The result shows that the b.txt file has been added to the USB disk.
For other operation commands, see the “File System Management” section.
The RGOS system uses devices that support standard SCSI instructions (the USB disks that are generally used).
Other devices (such as USB disks attached to USB network access cards and USB disks attached to a
virtual USB optical drive) cannot be used in the RGOS system.
USB disks only support the FAT file system. Other file systems can be used only after being transformed into
the FAT file system.
When there are multiple partitions on a USB disk, only the first FAT partition can be accessed.
Upper-layer directories do not function in USB disks. After entering a USB disk through cd usbX:\, you can
return to the flash file system via cd flash:\.
For the description of the usage scenarios of USB disks, see the command configuration guide of each
application. Copy examples are given in the command configuration guide of copy or FS. Redirection of syslog is
described in the command configuration guide of the SYSLOG module. "Designating a file on the USB to
start the system" is described in the command configuration guide of multi-boot.
In CRTL, a USB disk serves only for the multi-boot function, which is described in the command configuration guide of
multi-boot.
Device information is displayed if there is a USB device. Otherwise, there is no output. If the USB disk is connected to the
USB port on the device, the ID displayed by running the show usb command is X, the USB port number. If the USB disk
is connected to the USB port on the device via a HUB, the ID displayed by running the show usb command is X-Y, in
which X stands for the USB port number and Y for the HUB slot number.
In the CLI command mode, use the show usb command to view the USB information of the system. The displayed
information is as follows:
usb0(type:FAT32)
Size : 131,072,000B(125MB)
Available size: 1,260,020B(1.2MB)
Size means the space on the USB disk that can be accessed.
Command Function
Ruijie# usb remove device_id Uninstall the USB device with Device_id
As shown above, ID 0 indicates a USB device. The command above uninstalls the corresponding USB device.
Sometimes uninstalling fails because the device is in use. Wait a while, and then run the uninstall command again
before pulling out the device.
Be sure to uninstall the device first and then unplug it to prevent system errors.
USB Faults
Assume that the system prints the following message:
USB 1.0 controller is not available, while 2.0 USB card is still available. In this case, reset the whole system to use
corresponding version USB disk.
USB 2.0 controller is not available, while 1.0 USB disk is still available. In this case, reset the whole system to use
corresponding version USB disk.
Configuration Guide Configuring PKG_MGMT
Configuring PKG_MGMT
Overview
Package management (pkg_mgmt) is a package management and upgrade module. This module is responsible for
installing, upgrading/degrading, querying and maintaining various components of the device, among which upgrade is the
main function. Through upgrade, users can install new version of software that is more stable or powerful. Adopting a
modular structure, the RGOS system not only supports overall upgrade and subsystem upgrade but also supports
separate upgrade of a feature package. In addition, the RGOS system supports upgrade through hot patches.
Component upgrade described in this document applies to both the box device and rack device. In addition, this
document is for only version 11.0 and later, excluding those upgraded from earlier versions.
Protocol Specification
None
Typical Application
After the upgrade of a subsystem package is complete, all system software on the device is updated, and the overall
software is enhanced. Generally, the subsystem package of the box device is called main package, and the subsystem
package of the rack-mount device is called rack package.
The main features of this upgrade mode are as follows: The upgrade lasts for a long time; all software on the device is
updated after the upgrade is completed; all known software bugs are fixed.
Function Deployment
You can store the main package in the root directory of the TFTP server, download the package to the device, and then
run an upgrade command to upgrade the package locally. You can also store the main package in a USB flash drive or
SD card, connect the USB flash drive or SD card to the device, and then run an upgrade command to upgrade the
package.
You must store the rack package in a USB flash drive or SD card before performing the upgrade because the rack
package is too large to be stored in the memory space of the device.
Device software consists of several components, and each component is an independent feature module. After an
independent feature package is upgraded, only the feature bug corresponding to this package is fixed. Besides, this
feature is enhanced with the other features unchanged.
The features of this upgrade mode are as follows: Generally, a feature package is small and the upgrade speed is high.
After the upgrade is completed, only the corresponding functional module is improved, and other functional modules
remain unchanged.
Function Deployment
You can store this package in the root directory of the TFTP server, download the package to the local device, and then
complete the upgrade. You can also store the package in a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then complete the upgrade.
To fix software bugs without restarting the device, you can install hot patch packages. Hot patch packages are only
applicable to fixing a specific software version. Generally, hot patch packages are released to fix the software of a certain
version only when the device cannot be started in the user's environment.
The most significant feature of hot patch upgrade is that all bugs can be fixed without device restart after the upgrade is
completed.
Function Deployment
You can store this package in the root directory of the TFTP server, download the package to the local device, and then
complete the upgrade. You can also store the package in a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then complete the upgrade.
Function Details
Basic Concepts
Subsystem
A subsystem exists on a device in the form of images. The subsystems of the RGOS include:
boot: After being powered on, the device loads and runs the boot subsystem first. This subsystem is responsible for
initializing the device, and loading and running system images.
kernel: The kernel is the core of the OS. This subsystem shields the hardware composition of the system from applications
and provides them with an abstract running environment.
Main package is often used to upgrade/degrade a subsystem of the box device. The main package may be a combination
package of the kernel and rootfs subsystems or a combination package of the boot, kernel, and rootfs subsystems. The
main package can be used for overall system upgrade/degradation.
A rack package is used to upgrade a subsystem component of the rack device. This type of package contains the main
packages of the supervisor module and all line cards. Therefore, a rack package can be used to upgrade all line cards on
a rack device at once.
The feature package of RGOS refers to a collection which enables a certain feature. When the device is delivered, all
supported functions are contained in the rootfs subsystem. You can upgrade only a specific feature by upgrading a single
feature package.
A hot patch package contains the hot patches of several features. You can upgrade a hot patch package to install patches
for various features. New features are provided immediately without device restart after the upgrade.
"Installation package" in this document refers to an installation file that contains a subsystem or feature module.
Functions and Features
Working Principle
Upgrade/Degradation
Various subsystems exist on the device in different forms. Therefore, upgrade/degradation varies with different
subsystems.
boot: Generally, this subsystem exists on the norflash device in the form of images. Therefore, upgrading/degrading
this subsystem is to write the image into the norflash device.
kernel: This subsystem exists in a specific partition in the form of files. Therefore, upgrading/degrading this
subsystem is to write the file.
rootfs: Generally, this subsystem exists on the nandflash device in the form of images. Therefore,
upgrading/degrading this subsystem is to write the image into the nandflash device.
Management
Query the subsystem components that are available currently and then load subsystem components as required.
boot: The boot subsystem always contains a master boot subsystem and a slave boot subsystem. Only the master
boot subsystem is involved in the upgrade, and the slave boot subsystem serves as the redundancy backup all
along.
kernel: The kernel subsystem contains at least one redundancy backup. More redundancy backups are allowed if
there is enough space.
rootfs: The rootfs subsystem always contains a redundancy backup.
The boot component is not included in the scope of subsystem management due to its particularity. During upgrade of the
kernel or rootfs subsystem component, the upgrade/degradation module always records the subsystem component in use,
the redundant subsystem component, and various information in the configuration file. This design enables the functions
of querying, selecting, and loading subsystem components.
Relevant Configuration
Upgrade
Store the upgrade file on the local device, and then run the upgrade command for upgrade.
In fact, upgrading a feature is replacing feature files on the device with the feature files in the package.
Managing feature components and hot patches is aimed at recording the information of feature components and hot
patches by using a database. In fact, installing, displaying and uninstalling a component is the result of performing the Add,
Query and Delete operation on the database.
Relevant Configuration
Upgrade
Store the upgrade file on the local device, and then run the upgrade command for upgrade.
Upgrading/degrading feature components and installing hot patches are based on the same technology.
In fact, upgrading a feature component is replacing feature files on the device with the feature files in the package.
Upgrading hot patch packages is similar to upgrading features. The difference is that only files to be revised are replaced
during hot patch package upgrade. In addition, after the files are replaced, the new files take effect automatically.
Management
Similar to feature component management, hot patch management also includes the query, installation, and uninstallation
operation, which is the result of adding, querying and deleting data respectively.
Hot patches and feature components are managed based on the same technology. The difference is that the hot patches
involve three different states, that is, Not installed, Installed, and Activated. These states are described as follows:
The hot patch in Installed state only indicates that this hot patch exists on the device, but it has not taken effect yet.
Relevant Configuration
Upgrade
Store the upgrade file on the local device, and then run the upgrade command for upgrade.
You can run the patch active command to activate a patch temporarily. The patch becomes invalid after device
restart. To use this patch after device restart, you need to activate it again.
You can also run the patch running command to activate a patch permanently. The patch is still valid after
device restart.
The patch not activated will never become valid.
You can run the patch delete command to uninstall a hot patch.
Configuration Details
Available installation packages include the main package, rack package, various feature packages and hot patch
packages.
After the upgrade of the main package is complete, all system software on the line card is updated, and the overall
software is enhanced.
After the upgrade of the rack package is complete, all system software on the rack device is updated, and the overall
software is enhanced.
After an independent feature package is upgraded, only the feature bug corresponding to this package is fixed.
Besides, this feature is enhanced, with other features remaining unchanged.
Upgrading hot patch packages is aimed at fixing software bugs without restarting the device. Hot patch packages are
only applicable to fixing bugs for a specific version of software.
Notes
-
Configuration Method
Optional configuration. This configuration is required when all system software on the device needs to be upgraded.
Download the installation package to the local device and run the upgrade command.
Optional configuration. This configuration is required when all system software on the device needs to be upgraded.
When using a rack package to upgrade subsystem components, you must store the rack package in a USB flash
drive or SD card and then run the upgrade command because the rack package is very large.
Optional configuration. The configuration is used to fix bugs of a certain feature and enhance the function of this
feature.
Download the installation package to the local device and run the upgrade command.
Optional configuration. The configuration is used to fix software bugs without restarting the device.
Download the installation package to the local device and run the upgrade command.
After a hot patch package is upgraded, the hot patch can be used only after it is activated. The configuration in this
step is mandatory. Two activation modes are available: Run the patch active command to activate a patch temporarily,
or run the patch running command to activate a patch permanently.
Generally, the patch running command must be used to activate a patch permanently in the user scenario. The
patch active command can be used to activate a patch only when a user intends to verify the patch.
Subsystem Rollback
Optional configuration. Select this configuration item to roll a subsystem back to the state before the upgrade.
This configuration takes effect after you run the upgrade command to upgrade the subsystem component (for
example, the main package or the rack package).
After you run the upgrade command to upgrade a subsystem component in the user scenario, you can run the
rollback command only once; that is, consecutive rollback is not supported.
Check Method
After upgrading a subsystem component, you can run the show version detail or show subsys command to check
whether the upgrade is successful.
After upgrading a feature component, you can run the show component command to check whether the upgrade is
successful.
After upgrading a hot patch package, you can run the show patch command to check whether the upgrade is
successful.
Relevant Commands
Command Syntax: upgrade rollback [ slot { num | M1 | M2 | all } ]
Parameter Description: slot indicates that this command is executed on the device in the specified slot; num indicates
the slot number of the specified line card; M1 and M2 indicate the supervisor modules; all indicates all devices.
Command Mode: Privileged EXEC mode
Usage Guide: This command is used to undo the last subsystem upgrade operation and restore the subsystem to the
state before the upgrade. You can perform the rollback operation only if the last upgrade is a subsystem upgrade and
the upgrade is successful. The rollback command cannot be executed in succession.
Usage Guide: This operation can be performed only on a device on which a patch is already installed. This command
can be used to activate a patch permanently.
Configuration Examples
Network Environment: Before the upgrade, you must copy the installation package to the device. The upgrade module
provides the following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Run the upgrade download tftp://path command directly to upgrade the installation package file
stored on the tftp server.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Check Method: Check the system version on the current device. If the version information changes, the upgrade is
successful.
Network Environment: Before the upgrade, you must copy the installation package to the device. The upgrade module
provides the following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Run the upgrade download tftp://path command directly to upgrade the installation package file
stored on the tftp server.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Configuration Method: Run the upgrade command. Check whether the device needs to be restarted based on the prompt
displayed after the upgrade.
Ruijie#upgrade sata0://bridge_eg1000m_2.3.1.1252ea-1.mips.rpm
*May 21 03:32:28: %7: Upgrade processing is 10%
*May 21 03:32:28: %7: Upgrade processing is 60%
*May 21 03:32:28: %7: Upgrade processing is 90%
*May 21 03:32:28: %7:
*May 21 03:32:28: %7: Upgrade info [OK]
*May 21 03:32:28: %7: bridge version[2.0.1.37cd5cda ->2.3.1.1252ea] [OK]
*May 21 03:32:28: %7: Upgrade processing is 100%
*May 21 03:32:28: %7: Restart to take effect !
Reload system?(Y/N)y
[ 1586.114348] Restarting system.
Check Method: Check the version of the feature component on the current device. If the version information changes,
the upgrade is successful.
Ruijie# show component
*May 21 03:32:28: %7: Package :sysmonit
*May 21 03:32:28: %7: Version:1.0.1.23cd34aa Build time: Wed Dec 7 00:58:56 2011
*May 21 03:32:28: %7: Size:12877 Install time :Wed Mar 5 14:23:12 2012
*May 21 03:32:28: %7: Description:this is a system monit package
*May 21 03:32:28: %7: Required packages: None
-------------------------------------------------------------------
*May 21 03:32:28: %7: package:bridge
*May 21 03:32:28: %7: Version: 2.3.1.1252ea Build time: Wed Dec 7
00:54:56 2011
*May 21 03:32:28: %7: Size:26945 Install time : Wed Mar 19:23:15 2012
*May 21 03:32:28: %7: Description:this is a bridge package
*May 21 03:32:28: %7: Required packages: None
Network Environment: Before the upgrade, you must copy the installation package to the device. The upgrade module
provides the following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Run the upgrade download tftp://path command directly to upgrade the installation package file
stored on the tftp server.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
You can perform the rollback operation only if the last upgrade is subsystem upgrade and the upgrade is successful.
The rollback command cannot be executed in succession.
Network Environment: Before the upgrade, you must copy the installation package to the device. The upgrade module
provides the following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Run the upgrade download tftp://path command directly to upgrade the installation package file
stored on the tftp server.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Check Method: Check the system version on the current device. If it is restored to the version before the upgrade,
the rollback is successful.
Ruijie#show version detail
System description : EG1000m
Network Environment: Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack
package, you need to store the rack package into the USB flash drive or SD card. The upgrade module provides the
following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Check the system version on the current device. If the version information changes, the upgrade is
successful.
N18000#sho version detail
System description : N18010
System start time : 2010-08-12 00:41:23
System uptime : 0:01:22:46
System hardware version : 1.00
System software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131030)
System boot version : 1.0.0-00222-gafcc010
System core version : 2.6.32.abb2b415749f40
System main version : 1.0.0.660e0085
System boot build : unknown
System core build : 2013/10/30 15:43:52
System main build : 2013/10/30 16:38:19
System isolcpus : 1-3
Module information:
Slot M1 : M18010-CM
Hardware version : 1.00
System start time : 2010-08-12 00:41:23
Boot version : 1.0.0-00222-gafcc010
Software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131030)
Slot 1 : M18000-40XS-CB
Hardware version : 1.00
System start time : 1970-01-01 00:00:04
Boot version : 1.0.1.1fab7eb
Software version : ca-octeon-lc_RGOS11.0(1B2) Release(20131030)
Network Environment: Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack
package, you need to store the rack package into the USB flash drive or SD card. The upgrade module provides the
following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Check Method: Check the version of the feature component on the current device. If the version information changes,
the upgrade is successful.
Ruijie# show component slot M1
*May 21 16:47:10: %7: [Slot M1]:
*May 21 16:54:58: %7: Package : bridge
*May 21 16:54:58: %7: Version: 1.0.0.05151504 Build time: Wed May 15
07:05:06 2013
*May 21 16:54:58: %7: size: 11 Install time: Thu Jan 1 00:48:09 1970
*May 21 16:54:58: %7: Description: bridge component
*May 21 16:54:58: %7: Required packages: None
*May 21 16:54:58: %7: -----------------------------------
…………………………………………………
Network Environment: Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack
package, you need to store the rack package into the USB flash drive or SD card. The upgrade module provides the
following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
device_name: ca-octeon-lc
status: NOT SUPPORT
Ruijie#patch running slot M1
*May 21 17:05:41: %7: The patch on the system now is in running status
You can perform the rollback operation only if the last upgrade is subsystem upgrade and the upgrade is successful.
The rollback command cannot be executed in succession.
The rack device allows you to perform the rollback operation on a specified line card.
Network Environment: Generally, a rack device is supplied with a USB flash drive or SD card. Before installing a rack
package, you need to store the rack package into the USB flash drive or SD card. The upgrade module provides the
following solutions.
Run some file system commands like copy tftp and copy xmodem to copy the installation
package on the server to the device file system, and then run the upgrade url command to
upgrade the installation package in the local file system.
Copy the installation package to a USB flash drive or SD card, connect the USB flash drive or SD
card to the device, and then run the upgrade url command to upgrade the installation package in
the USB flash drive or SD card.
Check Method: Check the system version on the current device. If it is restored to the version before the upgrade,
the rollback is successful.
N18000#sho version detail
System description : N18010
System start time : 2010-08-12 00:41:23
System uptime : 0:01:22:46
System hardware version : 1.00
System software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131029)
System boot version : 1.0.0-00222-gafcc010
System core version : 2.6.32.abb2b41f170c81
System main version : 1.0.0.d5f0de03
System boot build : unknown
System core build : 2013/10/29 13:27:42
System main build : 2013/10/29 14:11:10
System isolcpus : 1-3
Module information:
Slot M1 : M18010-CM
Hardware version : 1.00
System start time : 2010-10-30 09:41:23
Boot version : 1.0.0-00222-gafcc010
Software version : ca-octeon-cm_RGOS11.0(1B2) Release(20131029)
Common Errors
If an error occurs during the upgrade, the upgrade module displays an error message. The following are examples:
Invalid installation package: The cause is that the installation package may be damaged or incorrect. It is
recommended to obtain the installation package again and perform the upgrade operation.
Installation package not supported by the device: The cause is that you may use the installation package of other
devices by mistake. It is recommended to obtain the installation package again, verify the package, and perform the
upgrade operation.
Insufficient device space: Generally, this error occurs on a rack device. It is recommended to check whether the
device is supplied with a USB flash drive or SD card. Generally, this device has a USB flash drive.
Notes
A hot patch that is not activated does not take effect; therefore, you cannot deactivate it.
Configuration Method
Optional configuration. To deactivate an activated patch, run the patch deactive command.
Optional configuration. To uninstall a hot patch already installed, run the patch delete command.
Check Method
You can run the show patch command to check whether a patch is activated or uninstalled.
Relevant Commands
Configuration Examples
Common Configuration Errors
Run the patch deactive command when the patch is not activated. It is recommended to check the patch status.
You can run the patch deactive command only when the patch is in the status:running state.
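The rules scattered through this chapter (a rollback is possible only directly after a successful subsystem upgrade and only once; a hot patch that is installed but not activated has no effect; patch active is lost at reload while patch running survives it; patch deactive works only on an activated patch, which show patch reports as status:running) fit a small state machine. The following Python model is an added illustration and is not Ruijie code; the Device class, its method names and the sample version strings are assumptions made for this example, and it mirrors only the behaviour the guide describes.

```python
"""Toy model of the package-management rules in this guide: the single
rollback after a subsystem upgrade, the hot patch states, and the difference
between "patch active" (temporary) and "patch running" (permanent).
Added example; class and method names are assumptions, not RGOS APIs."""


class PkgMgmtError(RuntimeError):
    """Raised where the real device would print an error message."""


class Device:
    # Hot patch states as tracked in the component database
    NOT_INSTALLED, INSTALLED, ACTIVE, RUNNING = "not installed", "installed", "active", "running"

    def __init__(self, main_version):
        self.main_version = main_version      # kernel/rootfs subsystem in use
        self.backup_version = None            # redundant subsystem kept for rollback
        self.features = {}                    # feature component -> version
        self.patches = {}                     # hot patch -> state
        self.last_upgrade = None              # "subsystem", "feature" or "patch"

    # --- subsystem upgrade and rollback -----------------------------------
    def upgrade_main(self, new_version):
        """upgrade <main package>: the previous image becomes the redundant backup."""
        self.backup_version, self.main_version = self.main_version, new_version
        self.last_upgrade = "subsystem"
        return "Restart to take effect !"

    def upgrade_feature(self, name, version):
        """upgrade <feature package>: only that component changes."""
        self.features[name] = version
        self.last_upgrade = "feature"

    def upgrade_rollback(self):
        """Allowed only right after a successful subsystem upgrade, and only once."""
        if self.last_upgrade != "subsystem" or self.backup_version is None:
            raise PkgMgmtError("rollback requires that the last upgrade was a subsystem upgrade")
        self.main_version, self.backup_version = self.backup_version, None
        self.last_upgrade = None              # consecutive rollback is not supported

    # --- hot patch management ---------------------------------------------
    def upgrade_patch(self, name):
        """upgrade <hot patch package>: installed, but not yet in effect."""
        self.patches[name] = self.INSTALLED
        self.last_upgrade = "patch"

    def patch_status(self, name):
        return self.patches.get(name, self.NOT_INSTALLED)

    def _require_installed(self, name):
        if name not in self.patches:
            raise PkgMgmtError(f"patch {name} is not installed")

    def patch_active(self, name):
        """Temporary activation: lost at the next reload."""
        self._require_installed(name)
        self.patches[name] = self.ACTIVE

    def patch_running(self, name):
        """Permanent activation: survives a reload."""
        self._require_installed(name)
        self.patches[name] = self.RUNNING

    def patch_deactive(self, name):
        """Only an activated patch (shown as status:running) can be deactivated."""
        if self.patch_status(name) not in (self.ACTIVE, self.RUNNING):
            raise PkgMgmtError(f"patch {name} is not activated; check its status with show patch")
        self.patches[name] = self.INSTALLED

    def patch_delete(self, name):
        self._require_installed(name)
        del self.patches[name]

    def reload(self):
        """Device restart: temporarily activated patches fall back to installed."""
        for name, state in self.patches.items():
            if state == self.ACTIVE:
                self.patches[name] = self.INSTALLED


def fails(action, *args):
    """True when the action raises PkgMgmtError, i.e. the device would print an error."""
    try:
        action(*args)
    except PkgMgmtError:
        return True
    return False
```

Running the sequence upgrade_main, upgrade_rollback, upgrade_rollback shows the second rollback being refused, and a patch_active followed by reload shows the patch dropping back to the installed state, which is why the guide recommends patch running outside of verification.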
Clearing Various Information
Function: Deletes a hot patch package already installed.
Command: patch delete [ slot { num | M1 | M2 | all } ]
Function: Displays all components already installed on the current device and their information.
Command: show component [ slot { num | M1 | M2 | all } ] [ component_name ]
Function: Displays the information about the hot patch packages already installed on the device.
Command: show patch [ slot { num | M1 | M2 | all } ] [ patch_name ]
Function: Displays the available kernel and rootfs subsystem components stored on the device, and specifies which
components will be loaded by the device.
Command: show subsys [ slot { num | M1 | M2 | all } ]
Function: Displays the upgrade status of the various line cards on a rack device.
Command: show upgrade status
Function: Displays the upgrade history.
Command: show upgrade history
Configuration Guide Configuring NTP
Configuring NTP
Overview
Network Time Protocol (NTP) is designed for time synchronization on network devices. A device can synchronize its clock
with a time source or server. Moreover, NTP provides precise time correction (an error of less than one millisecond on a
LAN and of dozens of milliseconds on a WAN, compared with the standard time) and protects against attacks by means
of encryption and authentication.
To provide precise time, NTP needs a precise time source, Coordinated Universal Time (UTC). NTP may obtain UTC
from an atomic clock, an observatory, a satellite or the Internet, so an accurate and reliable time source is available.
To protect the time server from malicious tampering, NTP uses an authentication mechanism to check whether a
time-correction request really comes from the declared server, and to check the path over which the data is returned.
This mechanism provides protection against interference.
Ruijie switches support the NTP client and server. That is, the switch can not only synchronize its time from a server,
but also act as a time server to synchronize the time of other switches. However, when the switch works as a time
server, it supports only the unicast server mode.
Configuring NTP
There are two steps to configure the NTP client to communicate with the NTP server by means of encryption:
Step 1: Enable authentication on the NTP client and configure the key globally;
Step 2: To initiate encrypted communication with the NTP server, set an authentication key for the NTP server in
addition to performing Step 1.
By default, the NTP client does not use the global security authentication mechanism. Without this mechanism, the
communication is not encrypted. However, enabling global security authentication does not by itself mean that the
communication between the NTP server and the NTP client is encrypted. You also need to configure the keys globally
and an encryption key for the NTP server.
To configure the global security authentication mechanism, run the following commands in global configuration mode:
Command Function
The message is verified by the trusted key specified by the ntp authentication-key or ntp trusted-key command.
Each key is identified by a unique key-id globally. The customer can use the command ntp trusted-key to set the key
corresponding to the key-id as a global trusted key.
To specify a global authentication key, run the following commands in global configuration mode:
Command Function
ntp authentication-key key-id md5 key-string [enc-type] Specify a global authentication key. key-id: in the range
of 1 to 4294967295; key-string: any string; enc-type: one of two types, 0 and 7.
no ntp authentication-key key-id Remove a global authentication key.
The configuration of global authentication key does not mean the key is effective; therefore, the key must be configured as
a global trusted key before using it.
The current NTP version can support up to 1024 authentication keys and only one key can be set for each
server for secure communication.
To specify a global trusted key, run the following commands in global configuration mode:
Command Function
ntp trusted-key key-id Specify a global trusted key ID.
no ntp trusted-key key-id Remove a global trusted key ID.
The above-mentioned three steps of settings are the first procedure to implement security authentication mechanism. To
initiate real encrypted communication between the NTP client and the NTP server, a trusted key must be set for the
corresponding server.
When a global authentication key is removed, all of its trusted-key information is removed as well.
NTP version 3 is the default version of communication with the NTP server. Meanwhile, the source interface can be
configured to send the NTP message, and the NTP message from the relevant server can only be received on the
sending interface.
To configure the NTP server, run the following commands in global configuration mode:
Command Function
Configure the NTP server.
oob: (Optional) Access the NTP server from the MGMT
interface. By default, this option is disabled.
Only when the global security authentication and key setting mechanisms are completed, and the trusted key for
communicating with server is set, can the NTP client initiate the encrypted communication with the NTP server. To this end,
the NTP server should have the same trusted key configured.
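To make the key setup concrete, the following Python example (added here; not Ruijie code and not the RGOS implementation) models both ends of an authenticated NTP v3 exchange: each side keeps a global key table, a key is accepted only if it is both configured and marked trusted, and every request and reply carries the key-id followed by the MD5 digest of the key concatenated with the 48-byte NTP header, the MAC layout defined in RFC 1305/RFC 5905. The NtpKeyring class, the function names and the sample key strings are assumptions for this example; enc-type is ignored because it only governs how the key is stored in the configuration.

```python
"""Authenticated NTP v3 request/reply using the global authentication key,
trusted key and per-server key concept from this chapter.
Added example; class and function names are assumptions, not RGOS APIs."""
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48            # fixed NTP header; the MAC follows it
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4


class NtpKeyring:
    """Global key table of one device.

    authentication_key() mirrors "ntp authentication-key key-id md5 key-string",
    trusted_key() mirrors "ntp trusted-key key-id".  enc-type (0/7) only affects
    how the key is stored in the configuration, so it is ignored here.
    """
    MAX_KEYS = 1024  # limit stated in the guide

    def __init__(self):
        self.keys = {}         # key-id -> key bytes
        self.trusted = set()   # key-ids marked with ntp trusted-key

    def authentication_key(self, key_id, key_string):
        if not 1 <= key_id <= 4294967295:
            raise ValueError("key-id must be in 1..4294967295")
        if key_id not in self.keys and len(self.keys) >= self.MAX_KEYS:
            raise ValueError("at most 1024 authentication keys")
        self.keys[key_id] = key_string.encode()

    def trusted_key(self, key_id):
        if key_id not in self.keys:
            raise KeyError(f"authentication key {key_id} not configured")
        self.trusted.add(key_id)

    def no_authentication_key(self, key_id):
        """Removing a key also removes its trusted status."""
        self.keys.pop(key_id, None)
        self.trusted.discard(key_id)


def build_header(mode, version=3, tx_time=None):
    """48-byte NTP header; only the fields this example needs are filled in."""
    tx_time = time.time() if tx_time is None else tx_time
    seconds = int(tx_time) + NTP_EPOCH_OFFSET
    fraction = int((tx_time - int(tx_time)) * (1 << 32))
    li_vn_mode = (0 << 6) | (version << 3) | mode
    # LI/VN/mode, stratum, poll, precision, then 11 32-bit words: root delay,
    # root dispersion, reference id and four 64-bit timestamps (transmit last).
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, 0, 0, 0, seconds, fraction)


def authenticate(header, keyring, key_id):
    """Append key-id and MD5(key || header): the classic NTP MAC."""
    digest = hashlib.md5(keyring.keys[key_id] + header[:NTP_HEADER_LEN]).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(message, keyring):
    """True only if the MAC was made with a key that is configured AND trusted."""
    if len(message) != NTP_HEADER_LEN + 20:
        return False
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in keyring.trusted:       # configured but untrusted keys are not effective
        return False
    expected = hashlib.md5(keyring.keys[key_id] + header).digest()
    return hmac.compare_digest(expected, mac[4:])


def server_reply(request, server_keyring):
    """Server side: answer only an authenticated request, signing with the same key-id."""
    if not verify(request, server_keyring):
        return None
    key_id = struct.unpack("!I", request[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    return authenticate(build_header(MODE_SERVER), server_keyring, key_id)
```

The check in verify is the point of the three-command sequence: a key that exists in the table but was never passed to ntp trusted-key is rejected exactly like an unknown key, and deleting the authentication key silently drops its trusted status, so the next request from that server fails verification.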
By default, the NTP messages received on any interface are available to the NTP client for clock synchronization. This
function can shield the NTP messages received on the relevant interface.
This command takes effect only for the interface whose IP address can be configured to receive and send
packets.
To disable the interface to receive the NTP message, run the following commands in interface configuration mode:
Command Function
interface interface-type number Enter interface configuration mode.
ntp disable Disable the function of receiving NTP messages on the interface.
To enable the function of receiving NTP messages on the interface, use the command no ntp disable in interface
configuration mode.
The NTP function is disabled by default, but may be enabled as long as the NTP server is configured.
To disable the NTP, run the following commands in global configuration mode:
Command Function
no ntp Disable the NTP function.
ntp authenticate or ntp server ip-addr [version version] [source if-name number] [key keyid] [prefer] Enable the NTP
function.
To configure the NTP update-calendar, run the following commands in global configuration mode:
Command Function
ntp update-calendar Configure the update calendar.
no ntp update-calendar Disable the function of NTP update calendar.
By default, the NTP update-calendar is not configured. After configuration, the NTP client updates the calendar at the
same time when the time synchronization of external time source is successful. It is recommended to enable this function
for keeping the accurate calendar.
In general, the local system synchronizes its time from an external time source, directly or indirectly. However, if time
synchronization of the local system fails because of network connection trouble, etc., use this command to set a reliable
reference source for the local time, which then provides synchronized time to other devices.
Once set, the system time cannot be synchronized to a time source with a higher stratum.
The stratum indicates the level of the current clock, reference indicates the address of the server used for
synchronization, freq indicates the clock frequency of the current system, precision indicates the precision of the
current system clock, reference time indicates the UTC time of the reference clock on the synchronization server,
clock offset indicates the offset of the current clock, root delay indicates the delay of the current clock, root
dispersion indicates the precision of the top server, and peer dispersion indicates the precision of the
synchronization server.
To configure the NTP master, run the following commands in global configuration mode:
Command Function
ntp master [stratum] Set the local time as the NTP master and specify the corresponding stratum. The time stratum
ranges from 1 to 15, 8 by default.
no ntp master Cancel the NTP master settings.
The following example shows how to set the reliable reference source of the local time and set the time stratum as 12:
Using this command to set the local time as the master (in particular, specifying a lower stratum value) is likely
to be overridden by a valid clock source. If multiple devices in the same network use this command, time
synchronization may become unstable due to the time differences between the devices.
In addition, if the system has never been synchronized with an external clock source before this command is used,
it is necessary to manually calibrate the system clock to prevent too much bias. (For how to manually calibrate
the system clock, refer to the section on system time configuration in the "Basic Switch Management
Configuration Guide".)
This command is not restricted by ntp access control (even if the NTP access control function has
corresponding matching limit, this command is still in force).
To set the NTP services access control privilege, run the following command in global configuration mode.
Command Function
ntp access-group { peer | serve | serve-only | query-only } access-list-number | access-list-name Set the access
control privilege of the local service.
no ntp access-group { peer | serve | serve-only | query-only } access-list-number | access-list-name Cancel the
settings of the access control privilege of the local service.
peer: allows time requests and control queries for the local NTP service, and also allows time synchronization between the local device and the remote system (full access privilege).
serve: allows time requests and control queries for the local NTP service, but does not allow time synchronization between the local device and the remote system.
serve-only: allows only time requests for the local NTP service.
query-only: allows only control queries for the local NTP service.
access-list-number: IP access control list number; the ranges are 1 to 99 and 1300 to 1999. For how to create an IP access control list, refer to the relevant description in "Access Control List Configuration Guide".
access-list-name: IP access control list name. For how to create an IP access control list, refer to the relevant description in "Access Control List Configuration Guide".
When an access request arrives, the NTP service matches the rules in order from the smallest access restriction to the largest, and the first matched rule prevails. The matching order is peer, serve, serve-only, query-only.
The control query function (through which a network management device controls the NTP server, for example to set the leap second flag or monitor its working state) is not supported in the current system. Although control and query requests are matched in the order given above, they are not served.
If no access control rule is configured, all access is allowed. However, once access control rules are configured, only access that a rule permits is allowed.
The following example shows how to allow the peer devices in acl1 to perform control queries, request time and synchronize time with the local device, and to limit the peer devices in acl2 to requesting time from the local device:
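The matching rule described above (peer, serve, serve-only, query-only; first match wins; no rules means everything is allowed), as an added example that is not part of the guide. The ACL contents, addresses and request kinds are constructed, and the implicit deny at the end of an ACL is an assumption.

```python
# Added example (not from the Ruijie guide): a model of the ntp access-group
# decision. ACLs, addresses and the implicit deny at the end of an ACL are
# assumptions; request kinds follow the guide's description of each privilege.
from ipaddress import ip_address, ip_network

# Request kinds each privilege permits, as the guide describes them.
PRIVILEGES = {
    "peer":       {"time_request", "control_query", "sync"},
    "serve":      {"time_request", "control_query"},
    "serve-only": {"time_request"},
    "query-only": {"control_query"},
}
# Least to most restrictive: the order in which the rules are tried.
MATCH_ORDER = ("peer", "serve", "serve-only", "query-only")


def acl_permits(acl, source):
    """acl: list of (action, network) entries evaluated top-down.
    A source matching no entry is denied (assumed implicit deny)."""
    src = ip_address(source)
    for action, network in acl:
        if src in ip_network(network):
            return action == "permit"
    return False


def ntp_access_allowed(access_groups, source, request):
    """access_groups: {privilege: acl} as set with ntp access-group.
    Returns True if `request` from `source` would be allowed by the rules.
    (The guide notes control queries are not actually served on this
    system; they are still matched here so the ordering can be checked.)"""
    if not access_groups:          # no rules configured: all access allowed
        return True
    for privilege in MATCH_ORDER:  # first matching ACL decides
        acl = access_groups.get(privilege)
        if acl is not None and acl_permits(acl, source):
            return request in PRIVILEGES[privilege]
    return False                   # rules exist but none permits this source


# Constructed configuration mirroring the guide's acl1/acl2 scenario:
# acl1 gets full peer privilege, acl2 may only request time.
ACL1 = [("permit", "10.0.0.0/24")]
ACL2 = [("permit", "10.0.1.0/24")]
ACCESS_GROUPS = {"peer": ACL1, "serve-only": ACL2}

if __name__ == "__main__":
    for src, req in (("10.0.0.5", "sync"), ("10.0.1.5", "sync"),
                     ("10.0.1.5", "time_request"), ("10.0.2.5", "time_request")):
        print(src, req, ntp_access_allowed(ACCESS_GROUPS, src, req))
```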
To display the NTP function, run the following command in privileged EXEC mode:
Command            Function
show ntp status    Show the current NTP information.
Only when the relevant communication server is configured can this command be used to print the display information.
The fields are as follows:
stratum: the level of the current clock;
reference: the address of the server used for synchronization;
freq: the clock frequency of the current system;
precision: the precision of the current system clock;
reference time: the UTC time of the reference clock on the synchronization server;
clock offset: the offset of the current clock;
root delay: the delay of the current clock;
root dispersion: the precision of the top server;
peer dispersion: the precision of the synchronization server.
Application Requirements
On Host A, configure local clock as the NTP master clock, with clock stratum being 12;
Configure the Host B as the NTP client and specify the Host A as the NTP server;
The hardware clock of Host B shall be synchronized as well.
Configuration Tips
NTP server
Configuration Guide Configuring NTP
Generally, the local system synchronizes directly or indirectly with external clock sources. However, the local system may be unable to synchronize with the external clock sources because of a network connection failure. In such a case, you can run the "ntp master" command to configure the local clock as the NTP master clock and provide time to other devices.
NTP client
Configuration Steps
! Configure NTP master clock. Configure local clock as the trusted reference clock source, with clock stratum being 12;
HostA(config)#ntp master 12
Configuration of NTP client
Verify Configurations
*Sep 8 18:10:37: %SYS-6-CLOCKUPDATE: System clock has been updated to 18:10:37 UTC Tue Sep 8 2009.
HostB#show ntp status
Clock is synchronized, stratum 13, reference is 1.1.1.1
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is CE511CC9.37EB5B2D (18:11:21.000 UTC Tue, Sep 8, 2009)
clock offset is -0.00107 sec, root delay is 0.00000 sec
root dispersion is 0.00002 msec, peer dispersion is 0.00002 msec
The above information shows that the NTP client has connected to the server and the time of Host B has been
synchronized with the time of Host A, with stratum level being higher than that of Host A by 1 level (i.e., 13).
Application Requirements
On Host A, configure local clock as the NTP master clock, with clock stratum being 12;
Configure Host B as the NTP client and specify Host A as the NTP server;
Enable the authentication mechanism to prevent illegal users from maliciously attacking the clock server.
Configuration Tips
The authentication key that the NTP client uses to communicate with the NTP server must be identical to the server's key with the corresponding key ID.
Configuration Steps
Step 1: Configure NTP master clock. Configure local clock as the trusted reference clock source, with clock stratum being
12;
HostA(config)#ntp master 12
! Configure NTP global authentication key as "helloworld" and the corresponding key ID as "6"
! Configure NTP global authentication key as "helloworld" and the corresponding key ID as "6"
! Configure Host A as the NTP server and set the key ID for communicating with this server as "6"
Verify Configurations
Display the configurations of NTP server. Key points: NTP master clock configuration, NTP server's IP address, and
authentication related configurations.
HostA#show run
!
After proper configuration, the following log will be printed on the CLI interface:
*Sep 9 11:31:29: %SYS-6-CLOCKUPDATE: System clock has been updated to 11:31:29 UTC Wed Sep 9 2009.
The above log indicates that the clock of HostB (NTP client) has been updated.
The above information shows that the NTP client has successfully connected to the server and the time of Host B has
been synchronized with the time of Host A, with stratum level being higher than that of Host A by 1 level (i.e., 13).
Configuration Guide Configuring SNTP
Configuring SNTP
Overview
Network Time Protocol (NTP) is designed for time synchronization on network devices. Another protocol, Simple Network Time Protocol (SNTP), can also be used to synchronize network time.
NTP can be used across various platforms and operating systems, provides precise time calculation (1-50 ms precision) and compensates for latency and jitter in the network. NTP also provides an authentication mechanism with a high security level. However, the NTP algorithm is complex and demands more of the system.
As a simplified version of NTP, SNTP simplifies the time calculation algorithm while still performing well, with a precision of about 1 s.
An SNTP client is fully compatible with NTP servers because SNTP and NTP messages have the same format.
SNTP Fundamentals
SNTP works in client/server mode. The server's standard system time is set from a GPS signal or an atomic clock. The client accesses the server at regular intervals to obtain accurate time and adjusts its system clock to stay synchronized.
Figure-1
T1: time at which the client sends the request (client time), marked "Originate Timestamp";
T2: time at which the server receives the request (server time), marked "Receive Timestamp";
T3: time at which the server sends the reply (server time), marked "Transmit Timestamp";
T4: time at which the client receives the reply (client time), marked "Destination Timestamp".
Let t be the offset of the server clock relative to the client clock and d the round-trip delay, with each one-way trip taking d / 2:
∵ T2 = T1 + t + d / 2;
∴ T2 - T1 = t + d / 2;
∵ T4 = T3 - t + d / 2;
∴ T3 - T4 = t - d / 2;
∴ d = (T4 - T1) - (T3 - T2);
t = ((T2 - T1) + (T3 - T4)) / 2;
Then, from the values of t and d, the SNTP client obtains the current time: T4 + t.
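The derivation above carried out in code, together with conversion of the 64-bit NTP timestamp format ("seconds.fraction" in hex since 1900-01-01) that the show ntp status output earlier on this page prints. This is an added example, not code from the guide; the four timestamps of the exchange are constructed values.

```python
# Added example (not from the Ruijie guide): SNTP offset/delay arithmetic
# and NTP timestamp conversion. The exchange timestamps are constructed.
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_hex_to_seconds(ts: str) -> float:
    """'CE511CC9.37EB5B2D' -> seconds since 1900 (32-bit seconds plus a
    32-bit fraction). The seconds field wraps in 2036; era 0 is assumed."""
    sec_hex, frac_hex = ts.split(".")
    return int(sec_hex, 16) + int(frac_hex, 16) / 2**32


def ntp_seconds_to_utc(seconds: float) -> datetime:
    """Convert NTP seconds to a UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=seconds)


def sntp_offset_delay(t1, t2, t3, t4):
    """Return (t, d): clock offset t (server minus client) and round-trip
    delay d, using the guide's formulas
        d = (T4 - T1) - (T3 - T2)
        t = ((T2 - T1) + (T3 - T4)) / 2"""
    d = (t4 - t1) - (t3 - t2)
    t = ((t2 - t1) + (t3 - t4)) / 2
    return t, d


def synchronized_client_time(t1, t2, t3, t4):
    """Time the client adopts after the exchange: T4 + t."""
    t, _ = sntp_offset_delay(t1, t2, t3, t4)
    return t4 + t


if __name__ == "__main__":
    # Constructed exchange: the server clock is 4 s ahead of the client,
    # each one-way trip takes 1 s (d = 2) and the server takes 1 s to reply.
    T1, T2, T3, T4 = 100.0, 105.0, 106.0, 103.0
    t, d = sntp_offset_delay(T1, T2, T3, T4)
    print(f"t={t:+.3f}s d={d:.3f}s client time={synchronized_client_time(T1, T2, T3, T4)}")
    # The reference time shown in the guide's show ntp status output.
    secs = ntp_hex_to_seconds("CE511CC9.37EB5B2D")
    print(ntp_seconds_to_utc(secs).strftime("%H:%M:%S UTC %a %b %d %Y"))
```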
Configuring SNTP
Default Configuration
By default, the SNTP configurations are as follows:
Enabling SNTP
To enable the SNTP, run the following command in global configuration mode:
Command                        Function
Ruijie(config)# sntp enable    Enable SNTP and synchronize the time once immediately. (In order to prevent frequent time synchronization, the sync interval must not be less than 5 s.)
For NTP server IP addresses, see http://www.time.edu.cn/ or http://www.ntp.org/; for example, 192.43.244.18 (time.nist.gov).
To set the IP address for the SNTP server, run the following commands in global configuration mode:
Command Function
To configure the SNTP sync interval, run the following commands in the global configuration mode:
Command                                  Function
Ruijie(config)# sntp interval seconds    Configure the SNTP sync interval, in seconds. Interval range: 60-65535 s; default value: 1800 s.
The sync interval configuration does not take effect immediately. Run the sntp enable command right after configuring the SNTP sync interval.
To configure the local time zone, run the following command in interface configuration mode:
Command Function
To restore the local time-zone to the default, use the command no clock time-zone.
Execute the show sntp command in privileged EXEC mode to display the current SNTP configuration.
Overview
Time Range is a time-based control service that provides some applications with time control. For example, you can
configure a time range and associate it with an access control list (ACL) so that the ACL takes effect within certain time
periods of a week.
Typical Application
An organization allows users to access the Telnet service on a remote Unix host during working hours only, as shown in
Figure 1-7.
Figure 1-7
Note
Configure an ACL on device B to implement the following security function:
Hosts in network segment 192.168.12.0/24 can access the Telnet service on a remote Unix host during
normal working hours only.
Configuration Guide Configuring Time Range
Functional Deployment
On device B, apply an ACL to control Telnet service access of users in network segment 192.168.12.0/24. Associate
the ACL with a time range, so that the users' access to the Unix host is allowed only during working hours.
Function Details
Basic Concepts
The absolute time range is a time period between a start time and an end time. For example, [12:00 January 1 2000,
12:00 January 1 2001] is a typical absolute time range. When an application based on a time range is associated with the
time range, a certain function can be effective within this time range.
Periodic Time
Periodic time refers to a periodical interval in the time range. For example, “from 8:00 every Monday to 17:00 every
Friday” is a typical periodic time interval. When a time-based application is associated with the time range, a certain
function can be effective periodically from every Monday to Friday.
Features
Feature                      Function
Using Absolute Time Range    Sets an absolute time range for a time-based application, so that a certain function takes effect within the absolute time range.
Using Periodic Time          Sets periodic time for a time-based application, so that a certain function takes effect within the periodic time.
When a time-based application enables a certain function, it determines whether current time is within the absolute time
range. If yes, the function is effective or ineffective at the current time depending on specific configuration.
Related Configuration
The absolute time range is [00:00 January 1, 0, 23:59 December 31, 9999] by default.
Use the absolute { [start time date] | [end time date] } command to configure the absolute time range.
Working Principle
When a time-based application enables a certain function, it determines whether the current time is within the periodic time. If yes, the function is effective or ineffective at the current time depending on the specific configuration.
Related Configuration
Use the periodic day-of-the-week time to [day-of-the-week] time command to configure periodic time.
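An evaluator for the two time-range forms described above, as an added example that is not part of the guide. It assumes the default absolute range is open on both ends, that the periodic window "day-of-week time to day-of-week time" repeats weekly as one continuous window (as in the guide's "8:00 every Monday to 17:00 every Friday"), and that a time range is active only when the current time lies within both forms; the sample times are constructed.

```python
# Added example (not from the Ruijie guide): evaluates absolute and periodic
# time ranges. Combining the two forms with AND is an assumption.
from datetime import datetime

WEEKDAYS = {"monday": 0, "tuesday": 1, "wednesday": 2, "thursday": 3,
            "friday": 4, "saturday": 5, "sunday": 6}


def parse_time(text):
    """'2009-09-08 18:10' -> datetime (constructed input format)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def in_absolute_range(now, start=None, end=None):
    """True if start <= now <= end; None means unbounded on that side,
    which stands in for the guide's default [0000-01-01 00:00, 9999-12-31 23:59]."""
    return (start is None or start <= now) and (end is None or now <= end)


def _minutes_into_week(day, hhmm):
    hours, minutes = (int(x) for x in hhmm.split(":"))
    return WEEKDAYS[day.lower()] * 1440 + hours * 60 + minutes


def in_periodic_range(now, start_day, start_time, end_day, end_time):
    """True if now lies in the weekly window [start_day start_time,
    end_day end_time]. A window whose end precedes its start (for example
    Friday 17:00 to Monday 8:00) wraps across the end of the week."""
    cur = now.weekday() * 1440 + now.hour * 60 + now.minute
    start = _minutes_into_week(start_day, start_time)
    end = _minutes_into_week(end_day, end_time)
    if start <= end:
        return start <= cur <= end
    return cur >= start or cur <= end


def time_range_active(now, absolute=(None, None), periodic=None):
    """Inside the absolute range and, if a periodic window is configured,
    inside that window as well (assumed combination of the two forms)."""
    if not in_absolute_range(now, *absolute):
        return False
    return periodic is None or in_periodic_range(now, *periodic)


WORKING_HOURS = ("monday", "8:00", "friday", "17:00")  # the guide's example

if __name__ == "__main__":
    for text in ("2009-09-08 18:10", "2009-09-12 10:00"):  # a Tuesday, a Saturday
        print(text, time_range_active(parse_time(text), periodic=WORKING_HOURS))
```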
Configuration Details
Configure a time range, which may be an absolute time range or a periodic time interval, so that a time-range-based
application can enable a certain function within the time range.
Configuration Method
Mandatory configuration.
Perform the configuration on a device to which a time range applies.
Optional configuration.
Optional configuration.
Verification
Use the show time-range [time-range-name] command to check time range configuration information.
Related Commands
Function                             Command
Displays time range configuration.   show time-range [time-range-name]