manualshive.com logo in svg

Ruijie RG-S2900G-E Series, Configuration Manual

The Ruijie RG-S2900G-E Series Configuration Manual is a comprehensive user guide designed to assist users in setting up and optimizing their Ruijie RG-S2900G-E Series products. This easy-to-follow manual provides step-by-step instructions and can be downloaded for free from manualshive.com, ensuring a seamless and efficient configuration process.

Share
Download
background image

Configuration Guide 

 

                                                                    802.1x Configuration 

 

It is required to configure the IP address of the authentication server before the Radius-server authentication mode 

can operate normally. 

 

You cannot enable 1X authentication on the 802.1Q TUNNEL port. 

 

You cannot enable 1X authentication for Aggregate Port. 

 

If the 1x function is enabled on only one port of a switch, all the port will send the 1x protocol packets to the CPU. 

 

Security  addresses  of  static  ports  can  access  the  Internet  without  authentication.  If  there  is  authorization,  the 

addresses  must  comply  with  authorization  binding  to  access  the  Internet.  When  the  port-based  transferable 

authentication mode and port security are used concurrently, the learned addresses become security addresses and 

cannot be transferred. 

 

When the port-based transferable authentication mode and port security are used concurrently, if an authenticated 

address is aged securely by a port, the port must be re-authenticated to communicate. 

 

After the port-based transferable authentication mode passes the authentication, and port security is enabled, the 

port must be re-authenticated to communicate. 

 

If  there  is  IP  and  MAC  binding,  the  authentication  mode  cannot  be  switched  between  the  port-based  one  and 

user-based one. 

Configuring the communication between the device and Radius server 

The Radius Server maintains the information of all users: user name, password, authorization information and accounting 

information. All users are managed on the Radius Server in a centralized manner, without being distributed over various 

switches, making easier management for the administrator. 

In order for the switch to normally communicate with the RADIUS SERVER, you must set the following parameters: 

Radius Server end: You must register a Radius Client. At registration, you must supply the Radius Server switch’s IP 

address,  authentication  UDP  port  (add  the  accounting  UDP  port,  if  needed),  and  the  agreed  key  for  communication 

between the switch and Radius Server, and select EAP support for the Client. The procedure for registering one Radius 

Client on the Radius Server varies with different software settings. Please refer to the appropriate document. 

Device end: The following settings are necessary at the device end to ensure the communication between the device and 

the server: Configure the IP address of the Radius Server, authentication (accounting) UDP port and the agreed password 

for the communication with the server. 

In the privileged EXEC mode, you can set the communication between the switch and the Radius Server via the following 

steps: 

Command 

Function 

Ruijie(config)#

aaa new-model 

Turn on the AAA switch. 

Ruijie(config)#

radius

-

server

 

host

 

ip-address

  [

auth

-

port

 

port

[

acct

-

port

   

port

]

 

Configure the RADIUS server. 

Ruijie(config)#

radius

-

server

 

key

 string

 

Configure RADIUS key. 

Ruijie#

show radius server

 

Show the RADIUS server. 

You  can  use  the 

no  radius-server  host 

ip-address

  auth-port 

command  to  restore  the  authentication  UDP  port  of  the 

Radius  Server  to  its  default.  You  can  use  the 

no  radius-server  key 

command  to  delete  the  authentication  key  of  the 

Radius Server. The following example sets the Server IP as 192.168.4.12, authentication UDP port as 600, and the key as 

agreed password: 

Summary of Contents for RG-S2900G-E Series

Page 1: ...RG S2900G E Series Switch RGOS Configuration Guide Release 10 4 2b12 p1 ...

Page 2: ... or by any means without the prior written consent of Ruijie Networks is prohibited Exemption Statement This document is provided as is The contents of this document are subject to change without any notice Please obtain the latest information through the Ruijie Networks website Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages cau...

Page 3: ...ng command modes parameter descriptions usage guides and related examples Hardware Installation and Reference Guide Describes the functional and physical features and provides the device installation steps hardware troubleshooting module technical specifications and specifications and usage guidelines for cables and connectors Conventions This manual uses the following conventions Convention Descr...

Page 4: ... Symbols Means reader take note Notes contain helpful suggestions or references Means reader be careful In this situation you might do something that could result in equipment damage or loss of data ...

Page 5: ...nfiguration 5 System Upgrade Configuration 6 File System Configuration 7 System Management Configuration 8 System Memory Display Configuration 9 Syslog Configuration 10 Configuring PoE 11 USB SD Configuration 12 System Upgrade and Maintenance 13 Stack Management 14 Threshold Configuration 15 Configuring EEE 16 Device Management Configuration ...

Page 6: ... a session connection to the network device management interface you enter in the user EXEC mode first In the user EXEC mode only a few commands are usable with limited functions for example command show The command results are also not saved To use all commands enter the privileged EXEC mode with the privileged password Then you can use all privileged commands and enter the global configuration m...

Page 7: ... Ctrl C To access the interface configuration mode enter command interface with an interface specified To access the VLAN configuration mode enter command vlan vlan_id In this mode you can execute command s to configure global parameter s influencing the whole switch Interface configuratio n In the global configuration mode enter command interface Ruijie config i f To return to the privileged EXEC...

Page 8: ...tion mark For example Ruijie di dir disable abbreviated command entry Tab Complete a partial command name For example Ruijie show conf Tab Ruijie show configuration Command List a command s associated keywords Leave a space between the keyword and question mark For example Ruijie show command keyword List a command s associated arguments Leave a space between the keyword and question mark For exam...

Page 9: ...some commands are enabled by default In this case the default and no options serve different purposes where the default option enables the command and restores the arguments to the default settings Understanding CLI Error Messages The following table lists the error prompt messages that may occur when you use the CLI to manage equipments Common CLI error messages Error message Meaning How to obtai...

Page 10: ...ls like VT100 series support arrow keys Using Editing Features This section describes the editing functions that may be used for command line edit including Edit Shortcut Keys Sliding Window of Command Line Editing Shortcut Keys The following table lists the edit shortcut keys Function Shortcut Key Description Move cursor in an editing line Left direction key or Ctrl B Move the cursor to left by o...

Page 11: ...r Left direction key or Ctrl B Move the cursor to the head of a line Ctrl A Move the cursor to the right by one character Right direction key or Ctrl F Move the cursor to the end of a line Ctrl E For example the contents of the mac address table static command may exceed the screen width When the cursor approaches the line end for the first time the whole line move left by 20 characters and the hi...

Page 12: ...s Command Description Ruijie show any command exclude regular expression Filter the content from the information outputted by the show command and output other information excluding the line that includes the specified content Ruijie show any command include regular expression Filter the content from the information outputted by the show command and output the line that includes the specified cont...

Page 13: ...EXEC mode the alias s indicates the show command by default Enter s to obtain the help information on the command and the aliases beginning with s Ruijie s s show show start chat start terminal service If the command that an alias represents has more than one word the command will be included by the quotation marks As shown in the following example configure the alias sv to replace the show versio...

Page 14: ...n the system Accessing CLI Before using CLI you need to use a terminal or PC to connect with the network device Power on the network device After the initialization of hardware and software you can use CLI If the network device is used for the first time you can only connect the network device through the serial port Console which is referred to as out band management In addition you can connect a...

Page 15: ...CLI commands mentioned in this chapter see the Reference Configuration of Switch Management Command Command Authorization based Access Control Overview A simple way to manage the terminals access to a network is to use passwords and assign privileged levels Password restricts access to a network or network devices Privileged levels define the commands users can use after they have logged in to a n...

Page 16: ...static password as the level 15 security password the system will show a warning message Ruijie config enable secret level level encryption type encrypted password Set the security password which has the same function but better password encryption algorithm than the static password For the purpose of security it is recommended to use the security password Ruijie enable level and Ruijie disable le...

Page 17: ...vel level reset command string Set the privileged level for a command mode The CLI command mode at which you are authorizing the command For example config indicates the global configuration mode exec indicates the privileged command mode and interface indicates the interface configuration mode all Change the privileges of all the sub commands of the specified commands into the same level level le...

Page 18: ...ine Password Protection Our products offer password authentication for remote logons such as Telnet A password is required for the protection purpose Execute the following command in the line configuration mode Command Purpose Ruijie config line password password Specify a line password Ruijie config line login Enable the line password protection Note If no logon authentication is configured the p...

Page 19: ...than the minimum length is configured after the minimum length has been configured the configuration failure will be prompted Configuring the Strong Password Check The strong password check is the check of the password strength to restrict the use of weak passwords A strong password must be composed of digits lower case letters upper case letters and special symbols Command Purpose Ruijie configur...

Page 20: ...ured at different privilege levels e g passwords configured through the command enable password or enable secret the passwords used recently are recorded based on the privilege level For passwords configured by local users e g user passwords configured through the command username the passwords used recently are recorded based on a user Configuring the Password Lifecycle The password lifecycle con...

Page 21: ...k the session terminal temporarily using the lock command so as to prevent access To this end enable the terminal locking function in the line configuration mode and lock the terminal using the lock command in the EXEC mode of the terminal Command Purpose Ruijie config line lockable Enable the function of locking the line terminal Ruijie lock Lock the current line terminal Logon Authentication Con...

Page 22: ... to files when no permissions are configured To configure file operation permissions of the local user run the following commands in global configuration mode Command Function Ruijie config username name permission oper mode filename Configure permissions to the specified files Ruijie config no username name permission oper mode filename Delete permissions to the specified files The oper mode para...

Page 23: ...l configuration mode Command Function Ruijie config username name reject rlogin Restrict the local user from remote login Ruijie config no username name reject rlogin Delete restrictions on the local user from remote login When this command is configured you cannot use the local user account to login in to the device Configuring Line Logon Authentication To enable the line logon identity authentic...

Page 24: ...nless you need to modify the time of device it is not necessary to configure the time again However for the network devices that don t provide the hardware clock manually setting time actually configures software clock which only takes effect for this operation When the network devices are powered off the manually set time will not be valid Command Function Ruijie clock set hh mm ss month date day...

Page 25: ...o schedule a restart scheme to restart the system at the specified time This function facilitates user s operation in some circumstance for the purpose of test for example Modifiers is a set of options provided by the reload command making the command more flexible The optional modifiers includes in at and cancel The following are the details 1 reload in mmm hhh mm string This command sets the sys...

Page 26: ...ater than the current system time Besides after you set reload you should not set the system clock Otherwise your setting may fail to take effect such as setting system time after reload time Specifying the System to Restart at the Specified Time In the privileged mode you can configure the system reload at the specified time using the following commands Command Function Ruijie reload at hh mm day...

Page 27: ...ffect Reload scheduled System will reload in 2 hours and 4 minutes7485 seconds Immediate Restart The reload command without any parameters will restart the device immediately In the privileged mode the user can restart the system immediately by typing the reload command Deleting the Configured Restart Scheme In the privileged mode use the following command to delete the configured restart scheme C...

Page 28: ...with the system name You can use the prompt command to configure the command prompt in the global configuration mode and the command prompt is only valid in the EXEC mode Command Function Ruijie prompt string Set the command prompt with printable characters If the name exceeds 32 characters intercept the first 32 characters To restore the prompt to the default value use the no prompt command in th...

Page 29: ...o complete the type Note that if you type additional characters after the end delimiter these characters will be discarded by the system Also note that you cannot use the delimiter in the message and the message length should be no more than 255 bytes To delete the MOTD use the no banner motd command in the global configuration mode The following example describes how to configure a MOTD The symbo...

Page 30: ...nfigure a login banner The pound sign is used as the starting and end delimiters and the text of the login banner is Access for authorized users only Please enter your password Ruijie config banner login Start delimiter Enter TEXT message End with the character Access for authorized users only Please enter your password End delimiter Ruijie config Displaying a Banner A banner is displayed when you...

Page 31: ... description if no module is plugged on the slot number of physical ports of the module on the slot and maximum number of ports possibly supported on the slot number of ports of the module plugged You may use the following commands to show the information of the device and slots in the privileged mode Command Function Ruijie show version devices Show device information Ruijie show version slots Sh...

Page 32: ...eed Overruns 0 CON 57600 0 Line 0 Location Type vt100 Length 25 lines Width 80 columns Special Chars Escape Disconnect Activation x none M Timeouts Idle EXEC Idle Session never never History is enabled history size is 10 Total input 22 bytes Total output 115 bytes Data overflow 0 bytes stop rx interrupt 0 times Modem READY Configuring Telnet Overview Telnet an application layer protocol in the TCP...

Page 33: ...19 Open User Access Verification Enter into the logon interface of the remote device Password Setting Connection Timeout Overview You can control the connections that a device has set up including the accepted connections and the session between the devece and a remote terminal by configuring the connection timeout time for the device When the idle time exceeds the set value and there is no input ...

Page 34: ...with the remote terminal Command Function Ruijie Config line session timeout 20 Configure the timeout for the session set up with the remote terminal over the line If there is no input within the specified time this session will be interrupted The timeout setting for the session set up with the remote terminal over the line can be removed by using the no exec timeout command in the line configurat...

Page 35: ...pecified Once edited users send the batch file to the FLASH of the network device in TFTP The contents of the batch file will simulate the input completely Hence it is necessary to edit the contents of the batch file by the sequence that CIL commands are configured Furthermore for some interactive commands it is necessary to write corresponding response information in the batch file guaranteeing t...

Page 36: ...secret command for authentication where the password must be 15 levels local Use the username and password set by the username command for authentication where the user must be bound with 15 level right In the configuration mode you can use the no form of the command to restore the setting to the default value The following example enables the HTTP Server sets the service port to 8080 and uses the...

Page 37: ...e Internet HTTP 1 0 is the HTTP protocol version in common use As a Web server may be accessed for tens of thousands or millions of times a day HTTP 1 0 adopts the short connection mode to facilitate connection management A TCP connection is created for a request After the request completes the connection will be released The server does not need to record or track previous requests Despite that H...

Page 38: ...l version is used by the switch is determined by the Web browser HTTPS Service HTTPS service adds an SSL layer based on HTTP to enhance safety To make the protocol effective the server must have a Public Key Infrastructure PKI certificate which is unnecessary for clients The SSL protocol provides the following services Authenticating users and servers to ensure that data is sent to the right clien...

Page 39: ...ent and server The default port number of the HTTP service and HTTPS service is 80 and 443 respectively The client sends a request to the server After processing the client s request the server responds to the client After the HTTP service processes a request the TCP connection between the client and server is cancelled the HTTPS can process multiple requests until the client sends a termination r...

Page 40: ...n cannot be monitored or altered by third parties Users only need to enter https and the IP address of the device on the browser to enter the Web management interface after authentication Figure1 4 describes a typical application scenario of Web management The user can access the device remotely over the Internet also log in to the Web server in LAN to configure and manage the device The user can ...

Page 41: ...default the mode is manual upgrade HTTP upgrade auto detect time By default it is random Configuration Preconditions If the authentication mode of the ordinary HTTP service is enable users need to configure the enable secret or enable password password with the authority level of 15 If the authentication mode of ordinary HTTP service is local users need to configure the local database s identity i...

Page 42: ...Function Ruijie configure terminal Enters global configuration mode Ruijie config enable service web server http Required enables the ordinary HTTP service Ruijie config enable service web server https Required enables the HTTPS service Ruijie config enable service web server all Required enables both HTTP and HTTPS services Configuration examples The following example enables the HTTP and HTTPS s...

Page 43: ...ssword ruijie Configuring HTTP Service Port Configuring the port number can reduce illegal users attack on the HTTP service Ruijie s devices support HTTP and HTTPS services Configuring HTTP port number Command Function Ruijie configure terminal Enters global configuration mode Ruijie config ip http port port number Optional configures the HTTP service port number which is 80 by default Configurati...

Page 44: ...atus http server status enabled http server port 80 https server status enabled https server port 443 http s use memory block 768 create task num 0 Configuration Examples HTTP Service Configuration Example Networking Requirements The network administrator wants to manage a switch through Web management to log in to the switch through the Web browser and configure related functions Use the local da...

Page 45: ...The username is admin and the plaintext password is ruijie with an authority level of 15 Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config username admin password ruijie Ruijie config username admin privilege 15 2 Enable the HTTP and HTTPS services Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config enabl...

Page 46: ... https server port 4430 http s use memory block 768 create task num 0 Remote HTTP Upgrade Configuration Example Networking Requirements A company purchases a Ruijie s product and intends to use the HTTP upgrade function to upgrade files The device can acquire information about files that can be upgraded remotely from Ruijie s server at a fixed time everyday The device can show files that can be up...

Page 47: ...ction Ruijie config ip name server 192 168 5 134 Configure the DNS server address 2 Configure the upgrade server address Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config http update server rgos ruijie com cn 3 Enable auto detect mode and configure the remote monitoring time at 2 00 AM everyday Ruijie configure terminal Enter configuration commands o...

Page 48: ...orking Requirements Users can acquire the latest Web package from Ruijie s website and the device can run the latest Web package Networking Topology Figure 1 8 Local HTTP upgrade service topology Configuration Tips The following tips are provided to meet the above mentioned requirements Connect the device to the local PC whose IP address is 10 10 10 13 configure the IP address of the device as 10 ...

Page 49: ... VLAN 1 ip address 10 10 10 131 255 255 255 0 2 Enable the tftp server on PC and use copy tftp command on the device to download the Web package Ruijie copy tftp 10 10 10 13 web_management_pack upd flash web_management_pack upd 3 Update the Web package Ruijie http web file update Showing Authentication Log in to Web management interface again on the PC and detect whether the page is updated ...

Page 50: ...ecified LINE mode Increasing Decreasing LINE VTY By default the number of line vty is 5 You can execute the following commands to increase or decrease line vty up to 36 line vty is supported Command Function Ruijie config line vty line number Increase the number of LINE VTY to the specified value Ruijie config no line vty line number Decrease the number of LINE VTY to the specified value Configuri...

Page 51: ... default value Configuring the Access Control List on the Line To configure the access control list on the line you can use the command By default no access control list is configured on the line That is all incoming and outgoing connections are permitted Command Description configure terminal Enter the configuration mode line vty line number Enter the line configuration mode access class access l...

Page 52: ...d line cards of the switch CTRL This is a boot program provided with network functions This program image is initialized by BOOT and features network communication function and main program booting and upgrading function Bootloader Device initialization network communication and main program booting and upgrading function This is the first image loaded when the device is powered on and can boot th...

Page 53: ...e upgrade file and upgrade the corresponding images on the device Operating Principle The RGOS program image release for Ruijie devices is a self extracting executable program The RGOS program image carries the main program image for the device For box devices the RGOS program image contains main program and boot program for chassis devices the RGOS program image contains the main program and boot...

Page 54: ...ion is easy to operate and no intervention by user is needed once the upgrade process commences Note Version 10 4 2 has well optimized and improved the upgrade function including safer and more reliable upgrade process less times of device reset and service interruption and easy to understand upgrade interface Therefore the upgrade interface is quite different before and after Version 10 4 2 but t...

Page 55: ...ilization rate goes down Preparation Before Upgrade Make the following preparations before implementing device upgrade Confirm the method of file download Confirm the space of file system Backup configuration file Caution The upgrade may fail if implemented when the device is busy or being attacked Please use show cpu command to verify whether the system is busy or not and implement upgrade when t...

Page 56: ...e master management board of the device as it is the safest upgrade method Caution TFTP only supports the transfer of files with size below 32M If the file size is larger than 32M the file will have to be downloaded via FTP or flash disk Download via xmodem Xmodem download is applicable to some exceptional cases such as the failure in network connection Before using xmodem download make sure the d...

Page 57: ... then during the upgrade process the original boot main program will be renamed as original filename bak When the CTRL version is 10 4 or above this file will be used as the backup image of new program image When the new program image fails the system will boot with this back image This can save the rollback operation required in the case of upgrade failure When the system has hardly any residual ...

Page 58: ...ckup of configuration files is needed before the upgrade Since different versions of software may contain different default configurations the newly added default configurations may conflict with the current configurations In order to ensure successful upgrade please backup the original configuration file before the upgrade After successful upgrade verify whether there is any conflict in configura...

Page 59: ... system will display the following prompt of BOOT or CTRL image upgrade Upgrading CTRL DO NOT POWER OFF Erasing device eeeeeeeeeeeeeeeeeeeeeeeee ok Writing flash OK 1 215 488 bytes Apr 1 07 32 44 UPGRADE 5 LOCAL_FIN New software image installed in flash Caution When the system prompts any flash operation such as Erasing device or Writing flash as shown above never turn the device off Any power fai...

Page 60: ...Reset the device Ruijie reload Wait for device installation after device reboot After reboot the device will automatically commence local image installation For example Prepare installation data Load install package file rgos bin OK Installation is in process ATTENTION Do not restart your machine before finish Upgrading main Size of main file rgos bin is 10406464 Bytes Checking file please wait fo...

Page 61: ...or device installation Upgrade to 10 4 2 or higher version Copy the new version software to the device Ruijie copy tftp 192 168 201 97 rgos bin flash rgos bin Accessing tftp 192 168 201 97 rgos bin Checkin g file please wait for a few minutes Check file success Transmission finished file length 22655264 THE PROGRAM VERSION RGOS 10 4 Release 64046 Upgrade file to Module s in slot M2 Please wait Upg...

Page 62: ...e corresponding installation automatically This automatic installation process will generally take place when the current device version is lower than 10 4 2 These images in linecard will be updated Slot image linecard 3 MAIN M8600 24GT 12SFP M2 CTRL M8610 CM II Aug 7 07 46 25 UPGRADE 5 SLOT_BEG Slot 3 Installing MAIN Slot 3 Download image Aug 7 07 47 21 UPGRADE 5 SLOT_SUCC Slot 3 MAIN installed A...

Page 63: ...eeeeeeeeeeeeeeeeeeeeeeeeee ok Writing flash OK 1 088 0 bytes Aug 7 07 48 37 UPGRADE 5 SLOT_SUCC Slot 3 CTRL installed Aug 7 07 48 37 UPGRADE 5 SLOT_FIN Slot 3 All images is installed Aug 7 07 48 37 UPGRADE 5 RESET_CARD Slot 3 Reset Upon completion of installation normal services can start directly without the need to reset the device Degrade to 10 4 1 or older version Copy the new version software...

Page 64: ...K Reset the device Ruijie reload Wait for automatic installation of device The following installation information will prompt after device reboot Prepare installation data Load install package file rgos bin OK Installation is in process ATTENTION Do not restart your machine before finish Upgrading main Size of main file rgos bin is 8914464 Bytes Checking file please wait for a few minutes Check fi...

Page 65: ...6 11 30 7 Card in slot 1 CPU 0 need to do version synchronization Current software version Apr 1 06 11 30 7 BOOT VERSION 10 4 63238 Apr 1 06 11 30 7 CTRL VERSION 10 4 63967 Apr 1 06 11 30 7 MAIN VERSION 10 4 63967 Apr 1 06 11 30 7 Need update to software version Apr 1 06 11 30 7 BOOT VERSION 10 4 59831 Apr 1 06 11 30 7 CTRL VERSION 10 4 59831 Apr 1 06 11 30 7 MAIN VERSION 10 4 61477 Apr 1 06 11 41...

Page 66: ...ent software version during the stacking process subject to the software version of master device or the highest version During the automatic installation process of stacked devices apart from the installation information of master device the interface will also prompt the installation information of slave devices Jan 2 00 01 39 STACK 5 INST Device 2 Install CTRL Jan 2 00 03 39 STACK 5 INST Device...

Page 67: ...agement Board The user may accidentally delete the boot main program of the file system and the system will give the following warning information Warning System boot file rgos bin is missing However if the user doesn t notice such loss of main program and dynamically inserts a new line card during the subsequent use the system will prompt Aug 25 13 21 50 UPGRADE 3 DISPATCH_FAIL Dispatch program t...

Page 68: ...file system space the current boot main program can be deleted as long as the device is powered on and then use copy tftp command to copy the new upgrade file to the device as the new boot main program Boot main Program not Overwritten during Upgrade If the boot main program is not upgraded during the upgrade the new program will not run after system reboot As for the slave board please verify the...

Page 69: ... solutions can be used 1 Ensure whether the boardcards to be upgraded are plugged or reset 2 Ensure whether the boardcards to be upgraded are busy with high CPU utilization rate 3 Ensure whether the boardcards to be upgraded are using large file system space if so remove some useless files and retry the upgrade after freeing the file system space ...

Page 70: ...de fragment the storage device and recycle the trash This is for providing the sufficient space for file operations This is done in a very short period without your perception To make full use of the limited space the file system provides the data compression function and the data node index Configuring File System The following sections describe how to configure the file system Changing Directori...

Page 71: ...he flash storage space excluding the storage space for the extended flash is 512M when the free memory is less than 4M it is recommended to clear the useless outdated files manually to ensure the normal operation to the flash file system For example when the USB mounts the operation system deals with the flash file system Therefore when it fails to mount the USB file system and the free flash memo...

Page 72: ...e to the specified file The following example shows how to copy a file to a directory and another file Ruijie cp dest bak sour config text Ruijie cp dest con_bak txt sour config text Showing Directories This shows the contents of the current working directory or specified directory Command Function Ruijie dir Show the contents in the current directory Ruijie dir directory Show the contents in the ...

Page 73: ...The following example creates a bak directory in the root directory Ruijie mkdir bak Moving Files In the privileged mode move the specified files to the specified directory Command Function Ruijie rename flash old_filename flash new_filename Name the file named as old_filename to new_filename Showing the Current Working Path In the privileged mode show the current working path by performing the fo...

Page 74: ...g Empty Directories In the privileged mode delete an empty directory permanently by performing the following step Command Function Ruijie rmdir directoryname Delete an empty directory The above example deletes an empty directory named MNT Ruijie rmdir mnt ...

Page 75: ... CPU utilization By default the switch name is Ruijie Below is the result of executing this command Ruijie show cpu CPU Using Rate Information CPU utilization in five seconds 25 CPU utilization in one minute 20 CPU utilization in five minutes 10 NO 5Sec 1Min 5Min Process 0 0 0 0 LISR INT 1 7 2 1 HISR INT 2 0 0 0 ktimer 3 0 0 0 atimer 4 0 0 0 printk_task 5 0 0 0 waitqueue_process 6 0 0 0 tasklet_ta...

Page 76: ... tpp_task 30 0 0 0 ip6timer 31 0 0 0 rtadvd 32 0 0 0 tnet6 33 2 0 0 tnet 34 0 0 0 Tarptime 35 0 0 0 gra_arp 36 0 0 0 Ttcptimer 37 8 1 0 ef_res 38 0 0 0 ef_rcv_msg 39 0 0 0 ef_inconsistent_daemon 40 0 0 0 ip6_tunnel_rcv_pkt 41 0 0 0 res6t 42 0 0 0 tunrt6 43 0 0 0 ef6_rcv_msg 44 0 0 0 ef6_inconsistent_daemon 45 0 0 0 imid 46 0 0 0 nsmd 47 0 0 0 ripd 48 0 0 0 ripngd 49 0 0 0 ospfd 50 0 0 0 ospf6d 51 ...

Page 77: ...uart_debug_file_task 79 0 0 0 ssp_init_task 80 0 0 0 rl_listen 81 0 0 0 ikl_msg_operate_thread 82 0 0 0 bcmDPC 83 0 0 0 bcmL2X 0 84 3 3 3 bcmL2X 0 85 0 0 0 bcmCNTR 0 86 0 0 0 bcmTX 87 0 0 0 bcmXGS3AsyncTX 88 0 2 1 bcmLINK 0 89 0 0 0 bcmRX 90 0 0 0 mngpkt_rcv_thread 91 0 0 0 mngpkt_recycle_thread 92 0 0 0 stack_task 93 0 0 0 stack_disc_task 94 0 0 0 redun_sync_task 95 0 0 0 conf_dispatch_task 96 0 ...

Page 78: ...PU utilization of all HISRs respectively All the lines starting the third line indicate the CPU utilization of processes The last line indicates the CPU utilization of idle process As with System Idle Process under Windows it indicates an idle status The above example shows that the CPU utilization of idle processes in the last 5 seconds is 75 meaning that 75 CPU is available Configuring CPU Log L...

Page 79: ...he show memory command to show the usage and status of system memory Command Function Ruijie show memory Show the usage of system memory By default the switch name is Ruijie Below is the result of executing this command Ruijie show memory System Memory Statistic Free pages 13031 watermarks min 378 lower 756 low 1534 high 1912 System Total Memory 128MB Current Free Memory 54892KB Used Rate 58 The a...

Page 80: ...e memory lack exit policy command low The memory resources are insufficient The route protocol will be in OVERFLOW state if the low watermark has been reached In the overflow state the routers do not learn new routes any more The commands are not allowed to be executed when the memory lacks high A plenty of memory resources Each route protocol attempts to restore the state from OVERFLOW to normal ...

Page 81: ...e information includes the following parts 1 Free pages the memory size of one free page is about 4k 2 Watermarks see the following table Parameter Description Free pages Total number of free page watermarks min The memory resources are extremely insufficient It can only keep the kernel running All application modules fails to run if the minimum watermark has been reached lower The memory resource...

Page 82: ...ption high A plenty of memory resources Each route protocol attempts to restore the state from OVERFLOW to normal System Total Memory Total memory of the system System Free Memory Total free memory including the space of free pages and buffer pool Used Rate Usage of memory ...

Page 83: ...ording to the priority of log information Log Message Format The format of the our log message is as follows priority seq no timestamp sysname severity ModuleName severity MNEMONIC description They are priority Sequential number timestamp device name module name severity information type abbre information contents Priority value Device value 8 Severity For example 189 226 Mar 5 02 09 10 Ruijie SYS...

Page 84: ...ended FLASH Logging Buffered will record log information in the memory buffer The memory buffer for log is used in recycled manner That is when it is full the oldest information will be overwritten To show the log information in the memory buffer run show logging at the privileged user level To clear the log information in the memory buffer run clear logging at the privileged user level Terminal M...

Page 85: ...log or debug The log type means the log information with severity levels 0 6 The debug type means that with severity level 7 Caution If the current device has no RTC the configured time is invalid and the device automatically uses the startup time as the timestamp for the log information Enabling Switches in Log System By default the system name is not included in the log information To add or rem...

Page 86: ...een user input and log output in the line configuration mode Command Function Ruijie config line logging synchronous Set synchronization between user input and log output Ruijie config no logging synchronous Delete synchronization between user input and log output Configuring Log Rate Limit By default log rate is not limited Use this command to configure log rate limit in the global configuration ...

Page 87: ...annot run normally Alerts 1 Problems that need immediate remedy Critical 2 Critical conditions Errors 3 Error message Warnings 4 Alarm information Notifications 5 Information that is normal but needs attention Informational 6 Descriptive information Debugging 7 Debugging messages Lower value indicates higher level That is level 0 indicates the information of the highest level When the level of log...

Page 88: ...ogging facility facility type Configure the log information device value Ruijie config no logging facility facility type Restore the default of the log information device value The meanings of various device values are described as below Numerical Code Facility 0 kernel messages 1 user level messages 2 mail system 3 system daemons 4 security authorization messages 5 messages generated internally b...

Page 89: ...ding User Log By default no log is output when a user logs in or out and executes configuration commands To output user login logoff logs or configuration command logs execute the following commands in the global configuration mode Command Function Ruijie config logging userinfo Set user login logoff log Ruijie config logging userinfo command log Send a log when a configuration command is executed...

Page 90: ...nfig if exit Ruijie config service sequence numbers Enable sequence number Ruijie config service timestamps debug datetime Enable debug information timestamp in date format Ruijie config service timestamps log datetime Enable log information timestamp in date format Ruijie config logging 192 168 200 2 Specify the syslog server address logging trap debugging The log information of all levels will b...

Page 91: ...Configuration Guide Configuring PoE Configuration ...

Page 92: ...un and the entire switch will be in mute state If the working environment temperature is above 35 C or the current power consumption of the PoE switch is higher than 50 of the rated power of the PoE switch the cooling fans of the PoE switch will start running with automatic speed control to quicken heat dissipation inside the PoE switch In this document the voltage is expressed in volts V for shor...

Page 93: ...sted pair Category 5 twisted pair According to IEEE 802 3af a PoE switch can supply power over the idle line or signal line of a twisted pair whereas a PD must simultaneously support power supply over the idle line and power supply over the signal line Some Ruijie PoE switches supply power over the idle line and the others supply power over the signal line For details see related product specifica...

Page 94: ...o mode a PoE switch allocates power to PDs according to the classes of PDs detected on ports It allocates power supply to PDs of various power classes as follows 15 4 W for Class 0 4 W for Class 1 7 W for Class 2 15 4 W for Class 3 and 30 W for Class 4 In auto mode the PoE switch allocates 15 4 W to a port if the power class of the PD on the port is Class 3 even if the actual power consumption is ...

Page 95: ...e ports which have been powered normally For example the S2928G 12P device is in energy saving mode Assume that there are six class4 PDs the actual power is 29 W and one class3 PD the actual power is 5 W At first five class4 PDs and one class3 PD are powered up The system has the remaining power of 35 W 185 29 5 5 35 W Now another class 4 PD is connected As the remaining power of the system is gre...

Page 96: ...xample you can run the following commands in turn to enable the PoE function on port 1 of line card 1 Ruijie configure Ruijie config time range poe time Ruijie config time range periodic weekdays 8 30 to 17 30 Ruijie config time range exit Ruijie config interface gigabitEthernet 1 1 Ruijie config if poe power off time range poe time Ruijie config if no poe enable Ruijie config if end In the comman...

Page 97: ...ffect Setting Compatibility with Non Standard PDs Currently IEEE 802 3af and 802 3at are applied as PoE standards in the industry In practical applications however PDs are diversified and may not necessarily conform to the two standards The following commands are available on Ruijie switches to provide compatibility with some non standard PoE devices Command Function Ruijie configure Enters the gl...

Page 98: ...the port For example you can run the following commands in turn to set the maximum power of a port to 17 W and then enable the PoE function on this port Ruijie configure Ruijie config interface FastEthernet 0 1 Ruijie config if poe max power 17 Ruijie config if poe enable Ruijie config if end This command is valid only for a switch in auto or energy saving mode For a switch in auto or energy savin...

Page 99: ... in static mode setting the power to be allocated to a port to 0 will cause the port to be powered off and no longer powered on Setting the Reserved Power of the System The power consumption of a PoE switch working in energy saving mode will be calculated according to the actual power consumption of PDs on its ports If the power consumption of the PDs greatly fluctuates the PoE switch may be overl...

Page 100: ...turns to the global configuration mode Ruijie write Saves the settings to ensure that the settings take effect upon the next startup Ruijie config if no poe uninterruptible power Disables uninterrupted power supply with hot startup For example you can run the following commands in turn to enable and then disable uninterrupted power supply with hot startup Ruijie configure Ruijie config poe uninter...

Page 101: ... available on Ruijie switches to set the trap sending function of the system Command Function Ruijie configure Enters the global configuration mode Ruijie config poe notification control enable Enables PoE trap sending Ruijie config no poe notification control enable Disables PoE trap sending For example you can run the following commands in turn to enable the system to send trap notifications abo...

Page 102: ...n a port by specifying the value of pethPsePortType in the MIB Setting the Link Layer Discovery Protocol LLDP Classification Function According to IEEE 802 3at PDs supporting 802 3at must be able to support both 2 Event Physical Layer classification and LLDP classification which is known as Data Link Layer classification in protocols PDs must be able to exchange LLDP packets with the PSE switch to...

Page 103: ...able LLDP classification Ruijie configure Ruijie config poe class lldp enable Ruijie config no poe class lldp enable Ruijie config end After LLDP classification is enabled the PD on a port is of Type 1 by default Ruijie config show poe interface fastEthernet 0 2 Interface Fa0 2 Power enabled enable Power status on Max power 30 0 W Allocate power N A Current power 14 8 W Average power 14 7 W Peak p...

Page 104: ... show poe interfaces status Interface Power Power Curr Avg Peak Curr Trouble PD Port Control Status Power Power Power Current Cause Class Voltage Fa0 1 enable on 15 1W 13 1W 15 1W 284mA 0 0 53 5V Fa0 2 enable on 14 8W 11 9W 14 8W 277mA 0 4 Type2 53 5V Fa0 3 enable on 15 2W 13 3W 15 2W 285mA 0 0 53 5V Fa0 4 enable on 14 7W 8 0W 14 7W 275mA 0 4 Type2 53 5V Fa0 5 enable on 28 7W 14 8W 28 7W 538mA 0 4...

Page 105: ... 5 V Current 278 mA PD class 4 Trouble cause None Priority critical Legacy off Power off time range N A Power management auto The outputs are described as follows Output Item Description Interface Indicates the number of the port Power enabled Indicates whether the PoE function is enabled on the port Power status Indicates the power supply status of the port Max power Indicates the maximum power o...

Page 106: ...value corresponds to one LED status as defined in the following table ID Port Trouble Cause Description 0 None Indicates that the power supply is normal The LED is green Indicates that the AC DC has detected that the PD is disconnected The LED is off Indicates that the PoE function is disabled on the port The LED is off 1 Overload during start up Indicates that the PD is disconnected because the c...

Page 107: ... Fa0 19 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Fa0 20 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Fa0 21 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Fa0 22 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Fa0 23 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Fa0 24 enable off 0 0W 0 0W 0 0W 0mA 6 N A 0 0V Run the following command to show configuration information about all PoE ports Ruijie show poe interfaces conf...

Page 108: ...the following show command in the privileged mode Command Function Ruijie show poe powersupply Shows the PoE status of the entire PoE system For example you can run the following command to show the PoE status of the entire PoE system Ruijie show poe powersupply Device member 1 Power management auto PSE total power 370 0 W PSE total power consumption 0 0 W PSE available power 0 0 W PSE total remai...

Page 109: ...Indicates the available power of the system which varies according to different power management modes PSE total remain power Indicates the total remaining power of the system PSE peak power value Indicates the peak power of the system which is the current maximum power of the software system PSE average power Indicates the average power of the PSE switch within the sampling period since the devic...

Page 110: ...evice into the USB slot Messages as below are displayed if the system finds the device and loads the driver Jan 1 00 09 42 USB 5 USB_DISK_FOUND USB Disk Mass Storage has been inserted to USB port 0 Jan 1 00 09 42 USB 5 USB_DISK_PARTITION_MOUNT Mount usb0 type FAT32 size 1050673152B 1002MB USB Mass Storage Device is the name of the found device usb0 is the first USB device and size is the partition...

Page 111: ... the later versions allow users to access U disc card by URL For the earlier versions use path to position and access the device Example Access the U disk partition Ruijie cd mnt usb0 Access the SD card partition Ruijie cd mnt Copy a txt under root directory to U disk Ruijie copy flash mnt usb0 a txt flash a txt Copy a txt under root directory to SD card Ruijie copy flash mnt a txt flash a txt Dis...

Page 112: ...ulling out USB Device Card Before pulling out USB device card run the command on the CLI to uninstall the device in case system is using the USB device card to avoid an error Command Function Step 1 Ruijie usb remove Device_ID It is used to uninstall the USB device card with number of Device_ID As shown above IDO indicates a USB device and ID1 indicates SD card The commands below can uninstall the...

Page 113: ...t out to avoid any error USB Failure Assume that the system prints the following message Jan 2 00 00 39 USB 3 OHCI_ERR USB1 0 controller is not available now USB 1 0 controller is not available while 2 0 USB card is still available In this case reset the whole system to use corresponding version U disk card Assume that the system prints the following message Jan 2 00 00 39 USB 3 EHCI_ERR USB2 0 co...

Page 114: ...the files by using the following commands If no location is specified you need to separately input the IP address of the TFTP server Command Function Ruijie copy tftp location filename flash filename vrf vrfname Download the specified file from the URL on the host to the equipment In the CLI command mode upload the files by performing the following steps Before upload first run the TFTP server sof...

Page 115: ...ng commands in the privileged EXEC mode Command Function Ruijie copy flash filename tftp location filename Upload the specified file from the equipment to the directory specified by the URL on the host You can also rename the file Caution If location is the local link address use the following command to specify the egress Ruijie copy tftp flash Address of remote host fe80 5efe 192 168 195 90 Outp...

Page 116: ...he following steps Prior to upload first log in to the out band management interface of the switch by using the Windows HyperTerminal Then upload the files by using the following command in the privileged EXEC mode Finally select the Receive File from the Transfer menu on the Windows HyperTerminal on the local host It s shown in the following figure In the pop up dialog box select the storage loca...

Page 117: ... mount equipment the upgrading file upgrades only its single supervisor engine After upgrading the system automatically resets The equipment works normally after restart 2 The chassis mount equipment includes supervisor engines line cards and multi service cards To upgrade the whole system with a upgrading file first upgrade the supervisor engine The system resets When the equipment restarts the a...

Page 118: ...rade CM MAIN successful 4 Reset the equipment 5 After reset the upgrade file will run automatically The system prompts Installing is in process Do not restart your machine before finish 6 After the upgrade operation is completed the system prompts Installing process finished Restart machine operation is permitted now 7 After the operation of the upgrade file is completed the system resets automati...

Page 119: ...tter indicates the version of the line card and it is necessary to upgrade the line card The system will carry out above operation for the slave supervisor engine and each module in turn After checking the version consistency on all modules and upgrading the system will work normally Caution During the upgrade or automatic upgrade the system may prompt that the reboot is not allowed In this case n...

Page 120: ...cost stack solution To use this solution you need the special stack cables The length of such cable influences the distances between stack member devices Common module A common module can provide a high bandwidth and long distance stack solution To adopt this solution you do not need special stack cables However its disadvantage is high cost Fixed port A fixed port can provide a low cost and long ...

Page 121: ...er stack In a stably working stack environment if any switch is powered off and is re powered on all other switches in the stack will be automatically reset and another election will be made to create a new stack Caution When the stack is running if you insert remove or replace the member devices the stack will be reset and another election will be made to create a new stack Configuring a Stack De...

Page 122: ...iority Run the following commands to configure the device priority in the global mode Command Description Ruijie config device priority member priority member 1 MAX configuring the member device priority 1 10 specifying the priority of the device Device 1 is configured as a member device by default For example Specify the priority of member device 2 to 8 Ruijie config device priority 2 8 Caution A...

Page 123: ...ernet 0 49 to GigabitEthernet 0 52 can be set to stack ports Saving Parameters The stack information configured by using the following commands can be saved into the member device device priority member priority device description member member description stack on Such configuration information is moved as the member device is moved Other system configuration information is only saved in the host...

Page 124: ... For the detailed displaying see the actual device information For example Show all kinds of information of the stack system Ruijie show version devices Device Slots Description 1 3 RG S5750 24GT 12SFP 2 3 RG S5750 48GT 4SFP 3 3 RG S5750 24GT 12SFP 4 3 RG S5750 24GT 12SFP 5 3 RG S5750 24GT 12SFP 6 3 RG S5750 24GT 12SFP 7 3 RG S5750 24GT 12SFP 8 3 RG S5750 48GT 4SFP Ruijie show version slots Device...

Page 125: ...0002 Device information Device 1 Hardware version 1 0 Software version RGOS 10 1 00 2 Release 12889 BOOT version 10 1 11330 CTRL version 10 1 11330 Serial Number 1234942570002 Device 2 Hardware version 1 0 Software version RGOS 10 1 00 2 Release 12889 BOOT version 10 1 11330 CTRL version 10 1 11330 Serial Number 1234942570001 Device 3 Hardware version 1 0 Software version RGOS 10 1 00 2 Release 12...

Page 126: ...erial Number 1234942570008 Ruijie show member Member Mac Address Priority Software Version Hardware Version Description 1 00d0 f810 3323 1 RGOS 10 1 00 2 Release 12889 1 0 SWITCH 2 00d0 f822 33aa 1 RGOS 10 1 00 2 Release 12889 1 0 SWITCH 3 00d0 f822 33ae 1 RGOS 10 1 00 2 Release 12889 1 0 SWITCH 4 00d0 f822 33b0 1 RGOS 10 1 00 2 Release 12889 1 0 SWITCH 5 00d0 f822 33b2 1 RGOS 10 1 00 2 Release 12...

Page 127: ...used to show the temperature condition of the current device When the device temperature is lower than the warning threshold the system temperature is in the normal condition When the device temperature is higher than the warning threshold but lower than the critical threshold the system temperature is in the warning condition When the device temperature is higher than the critical threshold the s...

Page 128: ...hreshold and critical threshold of the CPU utilization for the specific device in the range of 1 100 Use the no threshold set cpu command to return to the default configuration Configuring the Memory Utilization Threshold Command Purpose Ruijie configure terminal Enter the global configuration mode Ruijie config threshold set memory M1 M2 slot n member n warning_value critical_value Specify the wa...

Page 129: ...CPU utilization and temperature to 80 and 90 50 and 80 respectively Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config threshold set cpu member 1 80 90 Ruijie config threshold set temperature member 1 60 80 Configuration Verification Use the show threshold command to view the threshold of each category Ruijie show threshold cpu Device Warning Critical...

Page 130: ...amount of power is wasted EEE puts switch ports to LPI mode to save energy In LPI mode low link usage needs low power consumption EEE also enables fast transition from LPI mode to normal operation which ensures high performance data transmission If an EEE enabled port is always up and does not transmit data within tens of microseconds it will enter LPI mode automatically When the port needs to tra...

Page 131: ...n Ruijie show eee interface gigabitEthernet interface id Displays the EEE status on a specific port Ruijie show eee interfaces status Displays EEE statuses on all ports The following example displays the EEE status of GigabitEthernet 0 1 Ruijie show eee interface gigabitEthernet 0 1 Interface Gi0 1 EEE Support Yes Admin Status Enable Oper Status Disable Remote Status Disable Trouble Cause Remote D...

Page 132: ...nknown 1 Gi0 2 Yes Enable Disable Unknown 1 Gi0 3 Yes Enable Enable Enable 0 Gi0 4 Yes Enable Enable Enable 0 Gi0 5 Yes Enable Enable Enable 0 Gi0 6 Yes Enable Enable Enable 0 Gi0 7 Yes Enable Enable Enable 0 Gi0 8 Yes Enable Enable Enable 0 Gi0 9 Yes Enable Enable Enable 0 Gi0 10 Yes Enable Enable Enable 0 Gi0 11 Yes Enable Enable Enable 0 Gi0 12 Yes Enable Enable Enable 0 Gi0 13 Yes Enable Enabl...

Page 133: ...Configuration Guide EEE Configuration ...

Page 134: ...tive and efficient management of assets Basic Concepts Intelligent Temperature Control The intelligent temperature control system consists of intelligent fans and over temperature protection By default intelligent temperature control is enabled Disabling this feature is not supported The default value of different temperature threshed is shown in the following table note the temperature value refe...

Page 135: ...ure When the temperature in the device chassis is restored to normal all ports are enabled and the PoE is started Asset Management Asset management displays asset information such as software version hardware version and serial number Working Principles An intelligent fan uses independent software to adjust rotation speed based on the real time temperature to lower the device working temperature I...

Page 136: ...ple Set the working mode of a fan on Device 1 to the force enable mode Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config fan force enable device 1 Monitoring and Maintenance Displaying Fans Command Function Ruijie show fans Displays the working state mode and rotation speed of a fan Example Display the working mode of a fan Ruijie show fans Device Fa...

Page 137: ...re Status and Value Command Function Ruijie show temperature Displays the temperature status and value of the current device Example Display the temperature status and value of the current device Ruijie show temperature Device Temperature Slot State Current C 1 0 normal 46 Ruijie ...

Page 138: ...3 Aggregate Port Configuration 4 VLAN Configuration 5 Protocol VLAN Configuration 6 Private VLAN Configuration 7 Share VLAN Configuration 8 Voice VLAN Configuration 9 MSTP Configuration 10 Configuring Transparent Transmission of Protocol Frames 11 GVRP Configuration 12 QinQ Configuration ...

Page 139: ...h Port command in the interface configuration mode Switch port is used to manage a physical interface and relevant layer 2 protocols rather than handling routing or bridging Access Port An access port belongs to only one VLAN that transports only the frames belonging to the same VLAN Typically it is used to connect computers Default VLAN An access port belongs to only one VLAN Therefore its defaul...

Page 140: ...t is recommended to set the native VLAN of the trunk port on the local device to be consistent with that of the trunk port on the remote device Otherwise the trunk port cannot forward packets properly Receiving and sending frames The trunk port can receive untagged frames and the tagged frames of the VLANs permitted by the port All the frames of non native VLANs sent by the trunk port are tagged a...

Page 141: ...le ports together In addition the frames that pass through the L2 aggregate port will undergo traffic balancing on the member ports of the L2 aggregate port If one member link of AP fails the L2 aggregate port automatically transfers the traffic on this link to other working member links making the connection more reliable Caution The member port of the L2 aggregate port can be either access port ...

Page 142: ... Note that using the no switchport command in the interface configuration mode will close and restart this port and delete all the layer 2 features of this port Caution However when a port is a member port of an L2 aggregate port or an unauthenticated DOT1x authentication port the switchport no switchport command will not work L3 Aggregate Port Just like a L2 aggregate port a L3 aggregate port is ...

Page 143: ...lot For the devices which have a choice of optical or electrical interfaces in either case they use the same port number You can view information on a slot and ports on it by using the show command in CLI Aggregate ports are numbered from 1 to the number of aggregate ports supported on the device A SVI is numbered by the VID of its corresponding VLAN Caution The number of the static slot on a devi...

Page 144: ...face range command you should pay attention to the format of range A valid range format vlan vlan ID vlan ID with VLAN ID in the range of 1 4094 Fastethernet slot the first port the last port Gigabitethernet slot the first port the last port TenGigabitethernet slot the first port the last port Aggregate Port Aggregate port number with Aggregate port number in the range of 1 to MAX The interfaces i...

Page 145: ... string To delete a macro use the no define interface range macro_name command in the global configuration mode When defining an interface range using the define interface range command you should pay attention to the range format A valid range format is vlan vlan ID vlan ID with VLAN ID in the range of 1 to 4094 fastethernet slot the first port the last port gigabitethernet slot the first port th...

Page 146: ...ly the ports that supports media selection The ports configured to be the members of an aggregate port must have the same media type Otherwise they cannot be added to the AP The port type of the members of the aggregate port cannot be changed Command Function Ruijie config if medium type fiber copper Set the media type of a port This example sets the media type of gigabitethernet 1 1 Ruijie config...

Page 147: ...wn Ruijie config if end Setting Speed Duplexing Flow Control and Auto negotiation for an Interface The section deals with the setting of speed duplexing flow control and auto negotiation for interfaces The auto negotiation status on an interface depends on the speed duplex flow control and auto negotiation mode of the interface By sending and receiving fast link pulses on a copper port or coded ne...

Page 148: ...is set to auto or the auto negotiation mode is on for the interface the state of auto negotiation is on that is the auto negotiation feature is enabled on the interface Otherwise if all of them are set to non auto and the auto negotiation mode is off for the interface the state of auto negotiation is off that is the auto negotiation feature is disabled As for 100M fiber ports the auto negotiation ...

Page 149: ...l Enter configuration commands one per line End with CNTL Z Ruijie config interface gigabitethernet 1 1 Ruijie config if mtu 64 Ruijie config if end Configuring L2 Interfaces The following table shows the default settings of L2 interfaces For the configurations of VLAN and ports please refer to Configuring VLAN and Configuring Port based Flow Control Attribute Default Configuration Working mode L2...

Page 150: ...Ruijie config if switchport access vlan vlan id Set the VLAN to which the access port belongs The following example shows how to configure the VLAN to which the access port gigabitethernet 2 1 to be 100 Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config interface gigabitethernet 2 1 Ruijie config if switchport access vlan 100 Ruijie config if end Set ...

Page 151: ...ijie config interface gigabitethernet 2 1 Ruijie config if switchport access vlan 100 Ruijie config if speed auto Ruijie config if duplex auto Ruijie config if flowcontrol auto Ruijie config if switchport port security Ruijie config if end Configuring Hybrid Port You can configure the hybrid port by performing the following steps Command Description configure terminal Enter configuration mode inte...

Page 152: ...y interface statistics or use the clear counters command to clear the counters If no interface is specified the counters of all layer 2 interfaces will be cleared The following example shows how to clear the counter of gigabitethernet 1 1 Ruijie clear counters gigabitethernet 1 1 Configuring L3 Interfaces To configure a layer 3 interface execute the following steps Command Function Ruijie config i...

Page 153: ...example shows how to enter the interface configuration mode and assign an IP address to SVI 100 Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config interface vlan 100 Ruijie config if ip address 192 168 1 1 255 255 255 0 Ruijie config if end Configuring Routed Ports This section deals with how to create and configure a routed port You may create a rout...

Page 154: ...55 255 255 0 Ruijie config if no shutdown Ruijie config if end Showing Interface Configuration and Status This section covers interface status display and gives examples You may view interface status by using the show command in the privileged EXEC mode To show interface status use the following commands Command Function Ruijie show interfaces interface id Show the status and configuration of the ...

Page 155: ...ddress 192 168 65 230 24 Broadcast address 192 168 65 255 PhysAddress 00d0 f800 0001 LastChange 0 0h 0m 5s The following example shows the status of aggregate port 3 Ruijie show interfaces aggregateport 3 Interface AggreatePort 3 Description AdminStatus up OperStatus down Hardware Mtu 1500 LastChange 0d 0h 0m 0s AdminDuplex Auto OperDuplex Unknown AdminSpeed Auto OperSpeed Unknown FlowControlAdmin...

Page 156: ...vents due to lack of resources 0 packets received of length in octets 64 46264 65 127 47427 128 255 3478 256 511 658 512 1023 18016 1024 1518 125 Showing the Optical Module Information This section describes display commands and examples of optical modules You can view the optical module information by the show command in the privileged EXEC mode Use the following commands to show the optical modu...

Page 157: ...terfaces gigabitEthernet 5 4 transceiver alarm gigabitEthernet 5 4 transceiver current alarm information RX loss of signal The following table shows the alarm information for the SFP optical modules Field Description SFP RX loss of signal Loss of the receiving signal RX power high Alarm of the high receiving power of the optical module RX power low Alarm of the low receiving power of the optical m...

Page 158: ...X CDR loss of lock RX power high Alarm of the high receiving power of the optical module RX power low Alarm of the low receiving power of the optical module TX fault Sending fault TX CDR loss of lock TX CDR loss of lock TX bias high Alarm of the bias high current TX bias low Alarm of the bias low current TX power high Alarm of the high sending power of the optical module TX power low Alarm of the ...

Page 159: ... OK 6 13 OK 35 64 warning 5 19 alarm The following table shows the optical module transceiver diagnosis parameter Field Description diagnostic information The diagnostic information for the optical module on the interface Current diagnostic parameters Current diagnostic parameters Temp C The diagnostic parameter temperature in C correct to 1 C Voltage V The diagnostic parameter voltage in V correc...

Page 160: ...iguration mode execute command line detect Command Function Ruijie config interface interface Enter the Interface configuration mode Ruijie config if line detect detail Detect lines Caution Only L2 exchange ports can support line detection Optical and AP port can not support line detection The following gives an example to execute the command to detect line Ruijie config interface gigabitEthernet ...

Page 161: ... Open states refers to the length from the port to the defective line point LinkTrap Policy Configuration You can determine whether to send the LinkTrap of an interface according to the interface configuration on a device With this funciton enabled when the interface s link status changes the SNMP protocol will send a LinkTrap message Otherwise it will not send a LinkTrap message By default this f...

Page 162: ...ring IP address and MAC address binding Configuring the Bridge Protocol Frame Forwarding Control Configuration Examples Understanding the MAC Address Table Overview Layer 2 forwarding a major function of the Ethernet Switch is to forward the messages by identifying the data link layer information The switch forwards the messages to the corresponding interface through the destination MAC addresses ...

Page 163: ...witch searches for the corresponding entry of the packet destination MAC address and VLAN ID in the MAC address table and the outgoing forward interface is sole the packets are forwarded through this interface Multicast forwarding if the switch searches for the corresponding entry of the packet destination MAC address and VLAN ID in the MAC address table and this entry is correspondent with a grou...

Page 164: ... the MAC address for User A is learnt in the MAC address table There is no source MAC address for User B in MAC address table Therefore the switch sends the packets to all ports except for the ports of User A in broadcast form User C can receive the packets sent from User A and don t belong to User A Figure2 Dynamic Address Learn Step 1 Status VLAN MAC address Interface Dynamic 1 00d0 f8a6 5af7 Gi...

Page 165: ...nd UserB The mutual packets between UserA and UserB are forwarded in the unicast form and UserC can not receive them again Address Aging The capacity of MAC address is restricted The switch updates the MAC address list by learning new addresses and aging out unused addresses For an address in the MAC address table if the switch has not received any packet from the MAC address for a long time depen...

Page 166: ...dress Forward Process 1 The UserA under the Line Card1 sends the packets to the UserB For the MAC address for the UserB does not exist on the switch the packets will be sent to all line cards on the switch in broadcast form The switch learns the address after receiving the packets from the UserA At this time Line Card 1 and Line Card 2 both receive the packets from the UserA so they learn the MAC ...

Page 167: ...ets sent by the UserB are forwarded to the port of UserA through the Line Card 1 the switch only learn the Mac addresses on the Line Card 1 and the MAC addres for UserB can not be learned on the Line Card 2 MAC address table Line card 1 Status VLAN MAC address Interface Dynamic 1 00d0 f8a6 5af7 GigabitEthernet 1 1 Dynamic 1 00d0 f864 c9b6 GigabitEthernet 1 2 MAC address table Line card 2 Status VL...

Page 168: ...erA the packet will be forwarded to the UserA in the unicast form When the UserC under the Line Card 2 sends a packet to the UserB since the Line Card 2 has learned the MAC address for the UserB the packet will be forwarded in the broadcast form At this time the UserD that is in the same VLAN of UserC also receives the packet The packet will be forwarded in the unicast form to the UserB after bein...

Page 169: ...d disabling other VLANs to learn the dynamic addresses which leads the packets in other VLANs to be forwarded in the broadcast way the switch provides the limit of dynamic addresses for a VLAN The user can specify the number of dynamic addresses learned in each VLAN and configure the upper limit of dynamic addresses for each VLAN For the VLAN with the limit of dynamic addresses configured only the...

Page 170: ... outside through the device Caution A filtering address is invalid for the packets sent to the CPU For example the L2 source MAC address for an ARP packet is a filtering address this ARP packet can still be sent to the CPU but can not be forwarded MAC Address Change Notification The MAC address notification function is an effective way to let you know user changes for the devices in a network Figu...

Page 171: ...hange by checking the MAC address notification history list Caution MAC address change notification is effective only for dynamic addresses not for static addresses and filtering addresses IP address and MAC address Binding Overview IP address and MAC address binding lets you filter pakcets After you bind an IP address and a MAC address the switch will only receive the IP packets whose source IP a...

Page 172: ...al bridge protocol destination multicast addreses and agrees that the corresponding frames are not forwarded on the switch with bridge protocol disabled but the frames are transparently forwarded in the actual application You can use the command to specify the frame forwarding action when the bridge protocol is disabled The supported protocols and multicast addresses are as follows Protocol Descri...

Page 173: ...red vlan id the specified VLAN to which the MAC address to be cleared belongs Ruijie clear mac address table dynamic interface interface id vlan vlan id Clear all dynamic addresses on the specified port or Aggregate Port or clear all dynamic addresses on all interfaces Interface id the specified port or Aggregate Port vlan id the specified VLAN to which the dynamic address to be cleared belongs Ru...

Page 174: ...dresses in the specified VLAN vlan id the specified VLAN to which the dynamic address belongs Ruijie show mac address table count interface interface id vlan vlan id Show the statistics in the MAC address table interface id show the statistic in the MAC address table on the specified interface vlan id show the statistic in the MAC address table in the specified VLAN The following example shows all...

Page 175: ...t 0 Total Mac Addresses 10 Setting the Address Aging Time Setting the Aging Time The following table shows how to set the aging time of address Command Function Ruijie config mac address table aging time 0 10 1000000 Set the time for an address to be stored in the dynamic MAC address table after it has been learned It is in the range of 10 to 1000000 seconds 300 seconds by default When you set the...

Page 176: ... table below sets the limit of the dynamic addresses for a VLAN Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config vlan 1 4094 Enter the VLAN configuration mode Ruijie config vlan max dynamic mac count 1 32768 Set the maximum number of dynamic MAC addresses that the VLAN can learn To disable the limit of the dynamic addresses for a VLAN use the no max dyna...

Page 177: ... id mac addr Specify the destination MAC address to which the entry corresponds vlan id Specify the VLAN to which this address belongs interface id specify the interface physical port or aggregate port to which the packet is forwarded Upon receiving the packets to the destination MAC address in the VLAN the switch will forward them to the interface Ruijie config no mac address table static mac add...

Page 178: ... directly discard the packets from the MAC address in the VLAN To add a filtering address execute the following command Command Function Ruijie config mac address table filtering mac addr vlan vlan id mac addr Specify the MAC address to be filtered by the device vlan id Specify the VLAN to which this address belongs Ruijie config no mac address table filtering mac addr vlan vlan id Remove the filt...

Page 179: ...s turned off so the MAC address change notification function is disabled on all interfaces To configure the MAC address change notification function execute the following command Command Function Ruijie config snmp server host host addr traps version 1 2c 3 auth noauth priv community string Configure the NMS to receive the MAC address change notification host add IP address of the receiver version...

Page 180: ...ress change notification funciton on a specified interface use the no snmp trap mac notification added removed command in the interface configuration mode This example shows how to enable the MAC address change notification funciton use public as the authentication name to send a MAC address change notification to the NMS whose IP address is 192 168 12 54 at the interval of 40 seconds set the size...

Page 181: ...he MAC address change notification Ruijie show mac address table notification MAC Notification Feature Enabled Interval Sec 2 Maximum History Size 154 Current History Size 2 Ruijie show mac address table notification interface Interface MAC Added Trap MAC Removed Trap Gi0 1 Disabled Enabled Gi0 2 Disabled Disabled Gi0 3 Enabled Enabled Gi0 4 Disabled Disabled Gi0 5 Disabled Disabled Gi0 6 Disabled...

Page 182: ... the no address bind install command The following example shows how to bind the IP address and MAC address Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config address bind 192 168 5 1 00d0 f800 0001 Ruijie config address bind install Setting the Address Binding Mode In the global mode to configure the address binding mode execute the following command...

Page 183: ...arded Setting the Exceptional Ports for the IP Address and MAC Address Binding To make the IP address and MAC address binding not to take effect on some ports you can set these ports as exceptional ports To configure an exceptional port execute the following command in the global configuration mode Command Function Ruijie config address bind uplink interface id Configure the exceptional port for t...

Page 184: ...he database server connects to the switch through the interface GigabitEthernet 0 1 the web server connects to the switch through the interface GigabitEthernet 0 2 and the server administrator connects to the switch through the interface GigabitEthernet 0 3 Other users access the web server through the interface GigabitEthernet 0 10 All data are forwarded in VLAN 1 The static MAC address configura...

Page 185: ...0 f800 0001 vlan 1 interface GigabitEthernet 0 1 Ruijie config mac address table static 00d0 f800 0002 vlan 1 interface GigabitEthernet 0 2 Ruijie config mac address table static 00d0 f800 0003 vlan 1 interface GigabitEthernet 0 3 The following example shows the switch configurations Ruijie show mac address table static Vlan MAC Address Type Interface 1 00d0 f800 0001 STATIC GigabitEthernet 0 1 1 ...

Page 186: ...er link AP function also supports link backup When a link member in an AP is disconnected the system will automatically allocate the traffic of the member link to other active member links in the AP except for the broadcast or multicast packets it received Typical AP configurations Each AP includes up to 8 member ports Understanding Traffic Balancing Traffic can be evenly distributed on the member...

Page 187: ...affic balancing refers to distribute the traffic on the member links of an AP according to the source IP addresses or destination IP addresses of packets Those packets with different source IP addresses or destination IP addresses are evenly distributed on the member links of an AP according to different source or destination IP addresses Those packets with the same source IP address or destinatio...

Page 188: ...ever traffic balancing should be performed based on the source MAC address on the switch Note When the traffic balancing mode is source IP address based destination IP address based or source IP address and destination IP address based traffic balancing mode Layer 2 packets are distributed under the default device mode You can execute show aggregateport load balance command to get the default devi...

Page 189: ...config if range port group port group number Add the interface to an AP the system will create the AP if it does not exist In the interface configuration mode use the no port group command to remove a physical port from the AP The example below shows how to configure the layer2 Ethernet interface 1 0 to a member of layer2 AP 5 Ruijie configure terminal Ruijie config interface range gigabitEthernet...

Page 190: ...e terminal Ruijie config interface range gigabitEthernet 0 1 3 Ruijie config if no switchport Ruijie config if port group 2 Configuring Traffic Balancing on an Aggregate Port In the configuration mode configure traffic balancing on the AP by performing the following steps Command Function Ruijie config aggregateport load balance dst mac src mac src dst mac dst ip src ip src dst ip Set the AP traff...

Page 191: ...ation of an AP to the default value execute the no aggregateport loag balance command in the global configuration mode Showing an Aggregate Port In the privileged mode show the AP configuration by performing the following steps Command Function Ruijie show aggregateport port number load balance summary Show the AP settings Ruijie show aggregateport load balance Load balance Source MAC address Ruij...

Page 192: ... wants to communicate with another host in another VLAN a layer 3 device must be used as shown in the following diagram You can define a port as the member of a VLAN All the terminals connected to the specified port are part of the VLAN A network can support multiple VLANs In this case when you add delete and modify users in the VLANs you do not need to modify the network configuration physically ...

Page 193: ...he VLANs However you can impose restriction by setting a list of allowed VLANs Configuring a VLAN A VLAN is identified by its VLAN ID You can add remove and modify the VLANs in the range of 2 to 4094 on a device VLAN 1 is created by a device automatically and cannot be removed You can configure the member type of a port in a VLAN add a port to a VLAN and remove a port from a VLAN in the interface ...

Page 194: ... name of VLAN 4 To restore the name of a VLAN to its default simply enter the no name command The following example creates VLAN 888 names it test888 and saves its configuration into the configuration file Ruijie configure terminal Ruijie config vlan 888 Ruijie config vlan name test888 Ruijie config vlan end Deleting a VLAN You cannot delete the default VLAN VLAN 1 In the privileged mode you can d...

Page 195: ... vlan can also be configured on the trunk port the access port configuration does not take effect and the port remains in the trunk port Only the configuration of native vlan and allowed vlan list takes effect Configuring Access Permission of the MIB node dot1qVlanIndex in the Dot1qVlanCurrentEntry Table In global configuration mode you can change the maximum access permission of the MIB node dot1...

Page 196: ...Configuring Aggregate Port In order to switch an interface between the access mode and the trunk mode use the switchport mode command Command Function Ruijie config if switchport mode access Set an interface to the access mode Ruijie config if switchport mode trunk Set an interface to the Trunk mode A native VLAN must be defined for a trunk port The untagged packets received and sent through the p...

Page 197: ...nk port However you can restrict the traffic of some VLANs from passing the trunk port by setting its allowed VLAN list In the priviledged mode you can modify the allowed VLAN list of a trunk port by executing the following command Command Function Ruijie config if switchport trunk allowed vlan all add remove except vlan list Optional Configure the allowed VLAN list of the trunk port The vlan list...

Page 198: ... trunk native vlan vlan id Configure a native VLAN To restore the native VLAN of a trunk port to its default execute the no switchport trunk native vlan command in the interface configuration command If a frame carries the VLAN ID of the native VLAN it will be automatically untagged when being forwarded through the trunk port When you set the native VLAN of a trunk port to an inexistent VLAN the s...

Page 199: ...Gi0 6 Gi0 7 Gi0 8 Gi0 9 Gi0 10 Gi0 11 Gi0 12 Gi0 13 Gi0 14 Gi0 15 Gi0 16 Gi0 17 Gi0 18 Gi0 19 Gi0 20 Gi0 21 Gi0 22 Gi0 23 Gi0 24 10 VLAN0010 STATIC Gi0 2 Gi0 3 20 VLAN0020 STATIC Gi0 2 Gi0 3 Gi0 4 30 VLAN0030 STATIC Gi0 3 Gi0 4 Ruijie show vlan id 20 VLAN Name Status Ports 20 VLAN0020 STATIC Gi0 2 Gi0 3 Gi0 4 ...

Page 200: ...o VLAN ID and be of the same protocol type to the same VLAN The protocol VLAN configuration takes effect for Trunk port and Hybrid port not for the Access port Ruijie products support both global IP address based VLAN classification and packet type and Ethernet type based VLAN classification on a port Because IP address based VLAN classification is a global configuration once configured it will ap...

Page 201: ...dress subnet mask and VLAN classification no protocol vlan ipv4 IP address mask mask address Remove the IP address configuration no protocol vlan ipv4 Remove all IP address configuration end Exit the VLAN mode show protocol vlan ipv4 Show the configured IP address Note Specify the IP address and subnet mask in the x x x x format The following command configures the IP address of 192 168 100 3 and ...

Page 202: ...9b Ruijie config vlan end Ruijie show protocol vlan profile profile frame type ether type Interfaces vid 1 ETHERII EHTER_AARP NULL NULL 2 SNAP ETHER_APPLETALK NULL NULL Note 1 The configuration will not become effective until the profile is applied to a port 2 Before updating a profile you must delete the profile and then reconfigure it 3 The number of profiles varies with different products Apply...

Page 203: ...type ether type Interfaces vid 1 ETHERII EHTER_AARP gi3 1 101 2 SNAP ETHER_APPLETALK gi3 1 102 Note 1 All profiles can be applied to each interface 2 Different VIDs can be specified for the same profile on different interfaces 3 The number of VIDs vary with different series of products Showing a Protocol VLAN To show a protocol VLAN execute the following command Command Description show protocol v...

Page 204: ...er 2 communication is not possible for the ports in the same isolated VLAN There is only one isolated VLAN in a private VLAN domain Community VLAN The ports in the same community VLAN can perform layer 2 communication but not with the ports in other community VLANs There can be multiple community VLANs in a private VLAN domains Promiscuous port a port in the primary VLAN can communicate with any p...

Page 205: ... other community VLANs and isolated ports in the isolated VLANs The following list shows the packet forwarding relationship between various port types Output Port Input Port Promiscuous Port Isolated Port Community Port Isolated Trunk Port In the same VLAN Trunk Port In the same VLAN Promiscuous port Isolated Port X X X Community Port X Isolated Trunk Port In the same VLAN X X Trunk Port In the sa...

Page 206: ...g conditions must be met in order to make a private VLAN become active 1 The primary VLAN is available 2 The secondary VLANs are available 3 The secondary VLANs are associated with the primary VLAN The following example configures 802 1Q VLAN as a private VLAN Ruijie configure terminal Ruijie config vlan 303 Ruijie config vlan private vlan community Ruijie config vlan end Ruijie show vlan private ...

Page 207: ... 202 prim inactive Disabled 303 307 309 440 303 comm inactive Disabled 202 304 comm inactive Disabled 202 305 comm inactive Disabled 202 306 comm inactive Disabled 202 307 comm inactive Disabled 202 309 comm inactive Disabled 202 440 comm inactive Disabled 202 Note This operation is performed in the configuration mode of the VLAN declared as the primary VLAN Mapping Secondary VLANs to the Layer 3 ...

Page 208: ... interface interface Enter the interface configuration mode Three kinds of interfaces are available fastethernet GE and 10GE switchport mode private vlan host Configure the interface as the host interface of the private VLAN no switchport mode Remove the configuration End Exit the interface mode switchport private vlan host association p_vid s_vid Associate the layer 2 interface with the private V...

Page 209: ...he configuration Ruijie config if switchport trunk allowed vlan all add remove except vlan list Optional Configure the allowed VLAN list on the Trunk port all all supported VLANs in the allowed VLAN list add add the specified VLAN list to the allowed VLAN list remove remove the specified VLAN from the allowed VLAN list except add all VLANs beyond the VLAN list to the allowed VLAN list vlan list ca...

Page 210: ...witchport mode private vlan promiscuous Configure the interface as the promiscuous port of the private VLAN no switchport mode Remove the configuration switchport private vlan mapping p_vid svlist add svlist remove svlist Map the secondary VLANs to the promiscuous port no switchport private vlan mapping Remove the mapping For example Ruijie configure terminal Ruijie config interface gigabitEtherne...

Page 211: ...on Examples Private VLAN configuration on multiple switches Configuration Purpose Create a Primary VLAN a Community VLAN and an Isolated VLAN and realize Private VLAN configuration on two devices The hosts in the same Community VLAN can communicate in L2 network The hosts in Isolated VLAN can not communicate with other hosts But all the hosts in Private VLAN can communicate with routers Topology C...

Page 212: ... VLAN 101 interface gigabitEthernet 0 4 as Promiscuous Port Ruijie config interface gigabitEthernet 0 1 Ruijie config if switchport mode private vlan host Ruijie config if switchport private vlan host association 99 100 Ruijie config if exit Ruijie config interface gigabitEthernet 0 2 Ruijie config if switchport mode private vlan host Ruijie config if switchport private vlan host association 99 10...

Page 213: ... 4 Gi0 5 100 101 100 community active Disabled Gi0 1 Gi0 2 Gi0 4 99 101 isolated active Disabled Gi0 3 Gi0 4 99 Private VLAN configuration on single L3 switch Configuration Purpose On L3 switch supporting Private VLAN you can set a SVI for Private VLAN Because all VLANs including Primary VLAN and Secondary VLANs in the same Private VLAN can be in the same SVI you just set an IP address for the Pri...

Page 214: ...fig vlan exit Set interface gigabitEthernet 0 1 0 2 in Community VLAN 100 interface gigabitEthernet 0 3 in Isolated VLAN 101 interface gigabitEthernet 0 4 as Promiscuous Port Ruijie config interface gigabitEthernet 0 1 Ruijie config if switchport mode private vlan host Ruijie config if switchport private vlan host association 99 100 Ruijie config if exit Ruijie config interface gigabitEthernet 0 2...

Page 215: ...w vlan private vlan VLAN Type Status Routed Ports Associated VLANs 99 primary active Enabled Gi0 4 100 101 100 community active Enabled Gi0 1 Gi0 2 99 101 isolated active Enabled Gi0 3 99 Private VLAN supported Switch and Protected Port supported Switch Configuration Configuration Requirement Connect multiple switches supporting Protected Port to the switch supporting Private VLAN and it is requir...

Page 216: ...ne End with CNTL Z Ruijie config vlan 101 Ruijie config vlan private vlan isolated Ruijie config vlan exit Ruijie config vlan 99 Ruijie config vlan private vlan primary Ruijie config vlan private vlan association 101 Ruijie config vlan exit On the SwitchA and SwitchB set interface gigabitEthernet 0 1 as the Trunk Port interface gigabitEthernet 0 2 0 3 as the Isolated Trunk Port interface gigabitEt...

Page 217: ...gabitEthernet 0 4 Ruijie config if switchport mode private vlan host Ruijie config if switchport private vlan host association 99 101 Ruijie config if exit Create VLAN101 on the SwitchC and the SwitchD set the interface gigabitEthernet 0 1 as the Protected Port the interface gigabitEthernet 0 2 0 3 as the Trunk Port Ruijie config vlan 101 Ruijie config vlan exit Ruijie config interface gigabitEthe...

Page 218: ... VLAN The address triggering this address application procedure is called home address and the replicated addresses are called sub addresses The sub addresses will not trigger replication anymore When the home address is deleted or aged out the sub addresses are deleted or aged out at the same time However deleting sub addresses will not bring any influence on the home address Application Model Pa...

Page 219: ...Note A switch supports only one Share VLAN Only replicating dynamic MAC address and static MAC address is allowed The protocol VLAN private VLAN remote VLAN or interface address table replication function is mutually exclusive with the Share VLAN and vice versa The super VLAN cannot be set to be the Share VLAN and vice versa The sub VLAN cannot be set to be the Share VLAN and vice versa The MAC ad...

Page 220: ...tus of MAC address Ruijie show vlan Show the Share VLAN For example Show the Share VLAN Ruijie show vlan VLAN Name Status Ports 1 VLAN0001 STATIC Gi0 1 Gi0 2 Gi0 3 Gi0 4 Gi0 5 Gi0 6 Gi0 7 Gi0 8 Gi0 9 Gi0 10 Gi0 11 Gi0 12 Gi0 13 Gi0 14 Gi0 15 Gi0 16 Gi0 17 Gi0 18 Gi0 19 Gi0 20 Gi0 21 Gi0 22 Gi0 23 Gi0 24 2 VLAN0002 STATIC Gi0 1 4 VLAN0004 STATIC Gi0 2 10 VLAN0010 Share Gi0 1 Show the status of the ...

Page 221: ... all VLANs are untagged port 3 and port 4 are trunk ports all VLANs are allowed VLANs the native VLAN is VLAN 1 Aggregate switch 1 Port 2 and port 3 are trunk ports all VLANs are allowed VLANs the native VLAN is VLAN 1 Aggregate switch 2 Port 2 and port 4 are trunk ports all VLANs are allowed VLANs the native VLAN is VLAN 1 Access switch 1 ...

Page 222: ...C DYNAMIC Port 3 Upon receiving the data with VLAN 2 tag from the aggregate switches the core switch will check if port 1 connecting the core switches allows receiving the data If so it removes the tag Sending packets to the server through a port Upon receiving the data request the server will return packets When the packets arrive the core switch it adds VLAN 10 tag to the packets according to it...

Page 223: ...ss Type Interface 2 PC1 MAC DYNAMIC Port 1 10 PC1 MAC DYNAMIC Port 1 The response packets will be sent to TV set 1 through port 1 not other users For example configure and show the Share VLAN on the core switch Ruijie config vlan 10 Ruijie config vlan Share Ruijie config vlan show vlan VLAN Name Status Ports 1 VLAN0001 STATIC Gi0 1 Gi0 2 Gi0 3 Gi0 4 Gi0 5 Gi0 6 Gi0 7 Gi0 8 Gi0 9 Gi0 10 Gi0 11 Gi0 ...

Page 224: ...specially designed for voice streams By creating a voice VLAN and adding the ports connecting voice devices to the voice VLAN users can centrally transmit voice streams in the voice VLAN and configure QoS specific for voice streams to improve the priority of voice stream transmission and ensure voice quality Following figure illustrates the basic networking of Voice VLAN Figure 1 Basic Voice VLAN ...

Page 225: ...n User terminal equipment IP phones and users PCs Voice VLAN enabled device determines whether the packet is the voice stream to the specific voice device by matching the source MAC address of incoming packet with the OUI Organizationally Unique Identifier of the voice device If so the packet is partitioned into the voice VLAN for transmission Note QUI is the first 24 bits of the MAC address that ...

Page 226: ...y to modify the priority of voice message as the one of voice stream of voice VLAN configured on the equipment In manual mode adding or deleting a port to or from voice VLAN is done by administrators manually No matter which mode is adopted the tagged packets from IP phone are forwarding by label in the same way as forwarding rule of VLAN Generally speaking there are two kinds of IP phones by the ...

Page 227: ...while the port allows native VLAN passing Uplink interface Yes native VLAN of the access port must exist and must not be Voice VLAN Meanwhile the port allows native VLAN message passing Untagged voice stream Access Port No Private VLAN host port interface No Private VLAN hybrid port interface No Trunk Port No Hybrid Port No Uplink interface No Manual mode Tagged voice stream Access Port No Private...

Page 228: ...ve VLAN passing and the Voice VLAN should be in the list of tagged VLANs whose passing is allowed by the port Uplink interface Yes Native VLAN of the access port must exist and must not be Voice VLAN Meanwhile the access port allows native VLAN and Voice VLAN messages passing Untagged voice stream Access Port Yes Voice VLAN must be consistent with the VLAN which the access port belongs to Private ...

Page 229: ...authentication and Guest VLAN are enabled on the input port you need to allocate different VLAN IDs for the voice VLAN the default VLAN of the input port and the Guest VLAN of 802 1x in order to ensure the normal use of various functions 3 Since Protocol VLAN takes effect only for untagged packets from Trunk Port Hybrid Port and only tagged voice streams are processed on the Trunk Hybrid Port unde...

Page 230: ...nt one VLAN dedicated to transmitting voice packets i e Voice VLAN and enables Voice VLAN function on the port that connects with IP phone Step 2 As a key step the port that connects with IP phone joins Voice VLAN in different ways by the working mode of Voice VLAN Under auto mode after receiving untagged message from the port the equipment will match its source MAC address with legal OUI address ...

Page 231: ...ons will describe how to configure basic Voice VLAN features Mandatory Enabling Voice VLAN Mandatory Enabling Voice VLAN on a port Optional Configuring Voice VLAN working mode on a port Optional Configuring Voice VLAN aging time Mandatory Configuring Voice VLAN OUI address Optional Configuring Voice VLAN safe mode Optional Configuring voice stream priority of Voice VLAN Showing Voice VLAN configur...

Page 232: ...nabled on the port 802 1x authentication is necessary for PCs not IP phones Caution 1 It is necessary to create corresponding VLAN before configuring Voice VLAN 2 VLAN 1 is default VLAN and does not need creating However VLAN 1 must not be set as Voice VLAN 3 A VLAN is not allowed to set as both Voice VLAN and Super VLAN 4 If 802 1x VLAN automatic skip function is enabled on the access port please...

Page 233: ...ort Trunk Port Hybrid Port Uplink Port Private VLAN port not AP port or Routed Port 2 After voice VLAN is enabled on a port do not switch over the Layer2 mode of the port Access Port Trunk Port Hybrid Port for normal operation To switch over Layer 2 mode disable voice VLAN on the port in advance Configuring Voice VLAN Working Mode on a Port There are two kinds of Voice VLAN working modes auto mode...

Page 234: ...ative VLAN of a port as Voice VLAN for normal operation 3 For Ruijie products all VLAN packets can be transmitted on Trunk Port Hybrid Port by default Remove voice VLAN from the allowable VLAN list of the port and then enable voice VLAN ensuring that the port not connecting voice device will not join Voice VLAN or the port unused for a long time always locates in Voice VLAN Configuring Voice VLAN ...

Page 235: ...ion text Configure the OUI address of voice VLAN Ruijie config show voice vlan oui Show the OUI address of voice VLAN To delete the OUI address run the no form of this command For example Set 0012 3400 0000 as the legal OUI address of voice VLAN Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config voice vlan mac address 0012 3400 0000 mask ffff ff00 000...

Page 236: ...an be improved by modifying CoS and DSCP values For details on CoS and DSCP refer to Section QoS Configuration To configure the priority of voice stream run the following commands Command Function Ruijie configure terminal Enter global configuration mode Ruijie config voice vlan cos cos value Set CoS value for voice stream 6 by default Ruijie config voice vlan dscp dscp value Set DSCP value for vo...

Page 237: ...e display command of general VLAN 1 4 Voice VLAN Configuration Example Voice VLAN Auto Mode Networking requirements Suppose the configuration under Voice VLAN auto mode has following requirements Create VLAN 2 as Voice VLAN Voice VLAN aging time is 1 000 minutes IP phones send tagged voice stream and the input port is Trunk type port Fa0 1 It is an example here and when using Voice VLAN function p...

Page 238: ...e auto mode properly and prevent the port not connecting voice device from joining voice VLAN remove VLAN 5 from the VLAN allowable list of Fa0 1 Since 802 1x authentication should be enabled on Fa0 1 you need to set security tunnel and permit voice streams with OUI address of 0012 3400 0000 and mask code of ffff ff00 0000 Configuring procedure 1 Create VLAN 2 as Voice VLAN create VLAN 2 and enabl...

Page 239: ...onfig interface fastEthernet 0 1 Ruijie config if voice vlan enable 5 Enable 802 1x function on the port simultaneously Configure expert ACL and permit the streams matching OUI address Ruijie config expert access list extended safe_channel Ruijie config exp nacl permit ip any 0012 3400 0000 ffff ff00 0000 any any configure security tunnel Ruijie config security global access group safe_channel Set...

Page 240: ...untagged voice stream and the access port is Hybrid type port Fa0 1 3 Fa0 1 works in manual mode The equipment allows voice messages with OUI address of 0012 3400 0000 and mask code of ffff ff00 0000 being transmitted through Voice VLAN And the descriptor is Company A Networking topology Figure 3 Networking topology for configuring Voice VLAN manual mode Points for configuration According to netwo...

Page 241: ...quipment allows voice messages with OUI address of 0012 3400 0000 and mask code of ffff ff00 0000 being transmitted through Voice VLAN And the descriptor is Ruijie Configure Voice VLAN OUI address Ruijie config voice vlan mac address 0012 3400 0000 mask ffff ff00 0000 description Company A 4 The access port is Hybrid type port Fa 0 1 and native VLAN of the port is VLAN 2 set Fa 0 1 as Hybrid Port ...

Page 242: ...e Security Enable global safe mode Voice Vlan aging time 1440minutes Voice Vlan cos 6 Voice Vlan dscp 46 Current voice vlan enabled port mode PORT MODE Fa0 1 MANUAL Fa 0 1 enables Voice VLAN as manual mode Viewing Voice VLAN OUI address of the equipment Ruijie config show voice vlan oui Oui Address Mask Description 0012 3400 0000 ffff ff00 0000 Company A ...

Page 243: ...he network topology to offer the possible optimal tree type structure at any time The LAN topology is automatically calculated by a set of bridge parameters set by the administrator The proper configuration of these parameters is helpful to offer an optimal solution The RSTP protocol is completely compatible with the 802 1D STP protocol downward As with traditional protocol the RSTP protocol can p...

Page 244: ...e is elected to be the root bridge in the network Each bridge other than the root bridge has a root port that offers a shortest path to the root bridge Each bridge will calculate the shortest path to the root bridge Each LAN has a designated bridge that lies in the shortest path between this LAN and the root bridge The port for connecting the designated bridge and the LAN is referred to as the des...

Page 245: ...network topology Root port The port that provides the shortest path to the root bridge Designated port The port through which each LAN is connected to the root bridge Alternate port The alternate port of the root port that will take up its work when the root port fails Backup port The backup port of the designated port If two ports of a bridge are connected to a LAN the port with higher priority i...

Page 246: ...d port can be the forwarding status while other ports are only in the discarding status Generating a Network Topology Tree Typical Application Solution We now describe how the STP and RSTP protocols span a tree type structure by the mixed network topology As shown in Figure 4 the bridge IDs of Switches A B and C are assumed in the ascending order Namely Switch A presents the highest priority There...

Page 247: ...gh Switch B or directly However Switch C discovers that the cost of the path from Switch B to Switch A is lower than that directly For the costs corresponding to various paths refer to table so Switch C selects the port connected with Switch B as the root port while the one that connected with Switch A as the alternate port Various ports enter the corresponding status after their roles are determi...

Page 248: ...ard packets after 30s since the port roles are selected which is twice as the Forward Delay Time you can set the Forward Delay Time which is 15s by default Furthermore the root port and designated port of each bridge will carry out the forwarding again after 30s so it will take about 50s to stabilize the tree type structure of the whole network topology The forwarding procedure of the RSTP protoco...

Page 249: ... designated port to extend the spanning tree in turn In theory the RSTP protocol can immediately restore the tree type network structure to implement rapid convergence when the network topology changes Figure 8 Caution Point to point Connection between ports is required for the above handshaking process In order to make full use of you device do not use non point to point connection between device...

Page 250: ...Configuration Guide MSTP Configuration Figure 9 Figure 10 In addition the following figure is a point to point connection and should be differentiated by users carefully Figure 11 ...

Page 251: ...er if Switch A is connected with the RSTP enabled Switch C Switch A still sends the STP BPDU message and thus causing that Switch C considers Switch A a STP enabled bridge As a result two RSTP supported switches run the STP protocol reducing their efficiency greatly For this reason the RSTP protocol provides the protocol migration function to send the RSTP BPDU message forcibly in case that the pe...

Page 252: ...artitions one or more vlans of the switch into an instance so the switches with the same instance configuration form a region MST region to run a separated spanning tree this internal spanning tree is referred to as the IST The MST region is equivalent to a large device which executes the spanning tree algorithm with other MST regions to obtain a whole spanning tree referred to as the common spann...

Page 253: ...n number of 16 bits identifying the MSTP region MST instance vlan table Each device can create up to 64 instances with IDs ranging from 1 to 64 Instance 0 always exists so the system totally supports 65 instances You can allocate 1 to 4094 VLANs for different instances 0 to 64 as needed and the unallocated VLANs belong to instance 0 by default In this way each MSTI MST instance is a VLAN group and...

Page 254: ... formed by exchanging the MSTP BPDU message and various instances have their own spanning trees MSTI The spanning tree corresponding to the instance 0 is referred to as the CIST Common Instance Spanning Tree in conjunection with CST That is to say each instance provides each VLAN group with a single network topology without loop As shown in the following figure Switches A B and C form a loop withi...

Page 255: ...between switch B and switch C is discarded according to other parameters Hence for the VLAN group of instance 2 only the path from switch A to switch B and switch B to switch C are available which break the loop of the VLAN group Figure 19 It should note that the MSTP protocol is not concerned on which VLAN a port belongs to so users should configure corresponding path costs and priorities for por...

Page 256: ...ith the smallest bridge ID in that region It is the device in the region that has the lowest root path cost to the CST root At the same time the root port of the CIST regional root takes a new port role for the MSTI namely the Master port as the outlet of all instances which is forwarded to all instances In order to make the topology more stable it is recommended to configure the outlet of the reg...

Page 257: ...and STP section For the RSTP protocol it will process the CIST part of the MSTP BPDU so it is not necessary for the MSTP to send the RSTP BPDU to be compatible with it Each device that runs the STP or RSTP protocol is an independent region and does not form the same region with any other device Overview of Optional Features of MSTP Understanding Port Fast If a port of a device is connected with th...

Page 258: ...the STP protocol doesn t support AutoEdge If the designated port is in the forwarding status Autoedge does not take effect on the port It will take effect during repaid renegotiation such as pluging unpluging network cables 3 If a port enables the BPUD Filter it forwards the BPDU message directly but not be identified as the edge port automatically 4 AutoEdge function is only applicable for the de...

Page 259: ...e port receives the BPDU message You can also use the spanning tree bpdufilter enable command to enable the BPDU filter on individual interface in the interface configuration mode it is not related to whether it is AutoEdge port or not In this situation this interface will not receive or transmit the BPDU message but execute the forwarding directly Understanding TC protection TC BPDU messages are ...

Page 260: ...u use tc guard function incorrectly You are recommended to enable this function when you ensure that there is illegal tc message attack in the network If you enable global tc guard then all the ports will not spread tc message It is applicable for those devices that are accessed on the desk to enable this function If you enable interface tc guard then the topology change and tc message received on...

Page 261: ... messages it receives when topology changes This function resolves the problems of clearing addresse s and interruptin g core routing when a port is not configure d with Portfast and changes between UP and Down frequently It also ensures timely update of core route table when topology changes Caution TC filter is disabled by default ...

Page 262: ... this BPDU message is discarded in order to avoid receiving invalid BPDU messages Understanding ROOT Guard In network design root bridge and backup root bridge are always divided in the same region Due to error configuration of accendant and malicious attack in the network it is possible that root bridge receives configuration message of higher priority and loses the current root bridge position l...

Page 263: ... port being ready to forward because they can not receive BPDU causing the loop in the network which Loop Guard function can prevent For the ports configured loop guard if they can not receive BPDU the port roles will be migrated However the port state is always set as discarding till the port receive BPDU again and recalculate spanning tree Caution You can enable LOOP Guard based on global or int...

Page 264: ...arameters to its default configuration except for disabling STP by using the spanning tree reset command Enabling and Disabling the Spanning Tree Protocol The spanning tree protocol is disabled on the device by default To enable the spanning tree protocol execute the following command in the privileged mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie confi...

Page 265: ...figure terminal Enter the global configuration mode Ruijie config spanning tree mode mstp rstp stp Switch the spanning tree version Ruijie config end Return to the privileged EXEC mode Ruijie show spanning tree Verify the configuration Ruijie copy running config startup config Save the configuration To restore the spanning tree mode to the default value use the no spanning tree mode command in the...

Page 266: ...t instance id priority command in the global configuration mode Configuring Port Priority When two ports are connected to the shared media the device will set the one of the higher priority or smaller value to be the forwarding status and the one of the lower priority or larger value to be the discarding status If the two ports are of the same priority the device will set the one with the smaller ...

Page 267: ...d in the interface configuration mode Configuring Path Cost of a Port The switch determines a root port upon the total of the path costs along the path from a port to the boot bridge The port the total of paths costs from the port to the root brdige is the smallest is elected the root port Its default value is calculated by the media speed of the port automatically The higher the media speed the s...

Page 268: ...d in the interface configuration mode Configuring the Default Calculation Method of Path Cost path cost method If the path cost of a port is the default value the device will calculate the path cost of this port by port rate However IEEE 802 1d and IEEE 802 1t specify different path cost values for a port rate respectively The value range of the 802 1d is short 1 to 65535 while the value range of ...

Page 269: ...ng commands in the privileged mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config spanning tree hello time seconds Configure the hello time ranging from 1 to 10s 2s by default Ruijie config end Return to the privileged EXEC mode Ruijie show running config Verify the configuration Ruijie copy running config startup config Save the configuration To resto...

Page 270: ...spanning tree max age seconds Configure the max age time ranging from 6 to 40s 20s by default Ruijie config end Return to the privileged EXEC mode Ruijie show running config Verify the configuration Ruijie copy running config startup config Save the configuration To restore the max age time to the default value execute the no spanning tree max age command in the global configuration mode Caution H...

Page 271: ...he full duplex port and shared for the half duplex port To configure the link type of a port execute the following commands in the interface configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config interface interface id Enter the interface configuration mode Ruijie config if spanning tree link type point to point shared Configure the link typ...

Page 272: ...tocol is disabled After configuration you should enable the MSTP protocol again to ensure the stability and convergence of the network topology To configure a MSTP region execute the following commands in the global configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config spanning tree mst configuration Enter the MST configuration mode Ruijie ...

Page 273: ... name and MST revision number settings to the default value respectively The following is the example of configuration Ruijie config spanning tree mst configuration Ruijie config mst instance 1 vlan 10 20 Ruijie config mst name region1 Ruijie config mst revision 1 Ruijie config mst show Multi spanning tree protocol Enable Name region1 Revision 1 Instance Vlans Mapped 0 1 9 21 4094 1 10 20 Ruijie c...

Page 274: ...de In interface compatibility mode when a port sends BPDU it will carry different MSTI information according to the current port attribute to realize interconnection with other vendors To configure the interface compatibility mode execute the following commands in the privileged mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config interface interface id...

Page 275: ... disabled by default except for AutoEdge function Enabling Port Fast Enabling Port Fast lets a port directly forward the BPDU message When Port Fast is disabled due to the receipt of the BPDU message the port will participate in the STP algorithm and forward the BPDU message normally To enable Port Fast execute the following commands in the global configuraiton mode Command Function Ruijie configu...

Page 276: ...ijie config interface interface id Enter the interface configuration mode A legal interface contains a physical port and an Aggregate Link Ruijie config if spanning tree autoedge Enable AutoEdge on the interface Ruijie config if end Return to the privileged EXEC mode Ruijie show spanning tree interface interface id portfast Verify the configuration Ruijie copy running config startup config Save th...

Page 277: ...uard enable command or the spanning tree bpduguard disable command on the interface respectively Enabling BPDU Filter A port neither transmit nor receive the BPDU message after the BPDU filter is enabled To configure the BPDU Filter execute the following commands in the global configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config spanning t...

Page 278: ...d Return to the privileged EXEC mode Ruijie show running config Verify the configuration Ruijie copy running config startup config Save the configuration To disable Tc_Protection execute the no spanning tree tc protection command in the global configuration mode Enabling TC Guard To enable TC Guard globally execute the following commands in the global configuration mode Command Function Ruijie con...

Page 279: ...Enter global configuration mode Ruijie config interface Interface id Enter configuration mode of the specified interface Legal interfaces include physical ports and Aggregate Link Ruijie config if spanning tree ignore tc Enable TC filter on the interface Ruijie config if end Return to privileged EXEC mode Ruijie show running config Verify the configuration Ruijie copy running config startup config...

Page 280: ...e BPDU source MAC check execute the no bpdu src mac check command in the interface mode Enabing Root Guard To configure interface ROOT Guard execute the following commands in the privileged mode Command Fun ctio n Ruijie configure terminal Enter the global configuration mode Ruijie config interface Interface id Enter the interface configuration mode Valid interface includes physical port and Aggre...

Page 281: ...ie copy running config startup config Save the configuration To configure interface LOOP Guard execute the following commands in the privileged mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config interface Interface id Enter the interface configuration mode Valid interface includes physical port and Aggregate Link Ruijie config if spanning tree guard l...

Page 282: ... startup config Save the configuration Showing MSTP Configuration and Status You can use the following show commands to view the configuration of MSTP Command Meaning Ruijie show spanning tree Show the information on the parameters and topology of MSTP Ruijie show spanning tree summary Show the information on various instances and port forwarding status of MSTP Ruijie show spanning tree inconsiste...

Page 283: ...ie show spanning tree pathcost Method Show pathcost method Ruijie show spanning tree counters interface interface id Show the statistics of the receive transmit packets of the STP MSTP Configuration Example Configuration Purpose 1 Interconnect three switches to construct a triangle ring network and MSTP configuration mode 2 Set the corresponding VLAN INSTANCE mapping MST configuration name MST Rev...

Page 284: ... trunk Ruijie config if exit Ruijie config interface gigabitEthernet 0 2 Ruijie config if switchport mode trunk Ruijie config if exit Ruijie config vlan 2 Ruijie config vlan exit Ruijie config vlan 3 Ruijie config vlan exit Set the spanning tree to MSTP mode VLAN 2 Instance 1 and VLAN 3 Instance 2 mapping and set the MST configuration name to Ruijie MST Revision Number to 1 View the MST configurat...

Page 285: ...protocol Enable Name Ruijie Revision 1 Instance Vlans Mapped 0 1 4 4094 1 2 2 3 Ruijie config mst exit Ruijie config spanning tree Enable spanning tree Set the priority for Instance 0 to 4096 Ruijie config spanning tree mst 0 priority 4096 2 Configuring Switch B Set interface Gi0 1 and Gi 0 2 as Trunk port and create VLAN 2 and VLAN 3 Ruijie config interface gigabitEthernet 0 1 Ruijie config if sw...

Page 286: ... relationship Ruijie config mst instance 2 vlan 3 Warning you must create vlans before configuring instance vlan relationship Ruijie config mst name Ruijie Ruijie config mst revision 1 Ruijie config mst exit Ruijie config spanning tree Enable spanning tree Set the priority for Instance 0 to 4096 Ruijie config spanning tree mst 1 priority 4096 3 Configuring Switch C Set interface Gi0 1 and Gi 0 2 a...

Page 287: ...vlan relationship Ruijie config mst name Ruijie Ruijie config mst revision 1 Ruijie config mst exit Ruijie config spanning tree Enable spanning tree Set the highest priority for Instance 2 Ruijie config spanning tree mst 2 priority 4096 Enable BPDU Guard function globally and set the interface Fa 0 3 to Port Fast enabled port Ruijie config spanning tree portfast bpduguard default Ruijie config int...

Page 288: ... mst 0 vlans map 1 4 4094 BridgeAddr 00d0 f82a aa8e Priority 32768 TimeSinceTopologyChange 0d 0h 19m 44s TopologyChanges 1 DesignatedRoot 1000 00d0 f822 33aa RootCost 0 RootPort 1 CistRegionRoot 1000 00d0 f822 33aa CistPathCost 200000 mst 1 vlans map 2 BridgeAddr 00d0 f82a aa8e Priority 32768 TimeSinceTopologyChange 0d 0h 1m 46s TopologyChanges 7 DesignatedRoot 1001 00d0 f834 56f0 RootCost 200000 ...

Page 289: ...ast Disabled PortOperPortFast Disabled PortAdminAutoEdge Enabled PortOperAutoEdge Disabled PortAdminLinkType auto PortOperLinkType point to point PortBPDUGuard Disabled PortBPDUFilter Disabled PortGuardmode None MST 0 vlans mapped 1 4 4094 PortState forwarding PortPriority 128 PortDesignatedRoot 1000 00d0 f822 33aa PortDesignatedCost 0 PortDesignatedBridge 1000 00d0 f822 33aa PortDesignatedPort 80...

Page 290: ...ForwardTransitions 5 PortAdminPathCost 200000 PortOperPathCost 200000 Inconsistent states normal PortRole alternatePort MST 2 vlans mapped 3 PortState forwarding PortPriority 128 PortDesignatedRoot 1002 00d0 f82a aa8e PortDesignatedCost 0 PortDesignatedBridge 1002 00d0 f82a aa8e PortDesignatedPort 8001 PortForwardTransitions 1 PortAdminPathCost 200000 PortOperPathCost 200000 Inconsistent states no...

Page 291: ...d frames developed by the IEEE for authentication of users accessing the network including frames stipulated by the IEEE standards and private protocol frames of Ruijie The frames are identified by the Layer 2 destination MAC address which is 0180 C200 0003 for standard protocol frames and 01D0 F800 0003 for Ruijie 802 1X frames Reserved multicast protocol frames Reserved multicast addresses stipu...

Page 292: ...ansparent transmission of GVRP frames Ruijie config end Returns to the privileged mode Configuring Transparent Transmission of 802 1X Frames Execute the following commands globally to enable transparent transmission of 802 1X frames Command Function Ruijie configure terminal Enters the global configuration mode Ruijie config bridge frame forwarding protocol 802 1x Enables transparent transmission ...

Page 293: ... Configuration Example Networking topology Figure 1 1 Simple configuration of transparent transmission of PVST frames Configuration requirements In this network topology Ruijie switch is working with Cisco devices Enable Cisco PVST on the Cisco switches and the multicast function on the Ruijie switch Make sure that Cisco PVST works properly Configuration procedure Configure transparent transmissio...

Page 294: ... create VLAN and maintain the consistency of VLAN configurations in a real time manner Through automatic declaration of VLAN ID within the network GVRP well reduces the possibility of faults caused by inconsistent configurations In case of any change in the VLAN configurations on a device GVRP can automatically change the VLAN configurations on the connected devices thus reducing manual configurat...

Page 295: ...ll be lost after the device resets The user cannot save such dynamically learned VLAN information The user cannot change the parameters of dynamic VLANs created by GVRP All devices requiring exchanging GVRP information must have consistent GVRP Timers Join Leave Leaveall Enable GVRP You must enable GVRP globally before running GVRP When GVRP is not enabled globally you can configure other GVRP par...

Page 296: ...le Spanning tree GVRP can run in the Spanning tree Context which VLAN 1 is affiliated with and the user cannot specify other Spanning tree Contexts Configure Port Registration Mode There are two port registration modes GVRP Registration Normal GVRP Registration Disabled Configuring a port in normal registration mode allows dynamic creation if dynamic VLAN creation is enabled registration and dereg...

Page 297: ... one per line End with CNTL Z Ruijie config interface gigabitethernet 1 1 Ruijie config if gvrp applicant state normal Ruijie config if end Configure GVRP Timers GVRP uses three timers 1 Join Timer Join timer controls the maximum latency before the port sends declaration and the actual sending interval will range between 0 and this maximum latency The default value is 200ms 2 Leave Timer Leave Tim...

Page 298: ...n 1050ms The effective size for timer configuration is 10ms Make sure all interconnected GVRP devices use the same GVRP Timer configurations or else the GVRP may not function well Adjust the value of GVRP Timer Command Function Ruijie config no gvrp timer join leave leaveall timer value Set the timer value of port Example of setting GVRP Join Timer Ruijie configure Enter configuration commands one...

Page 299: ...istics so that it will restart calculation Command Function Ruijie clear gvrp statistics interface id all Clear all statistics for the port Example of clearing GVRP statistics for port 1 Ruijie clear gvrp statistics gigabitethernet 1 1 Display GVRP status Execute show gvrp status command to display the current GVRP status This command can be used to display the dynamic ports of dynamically created...

Page 300: ...in Timers ms 10000 Port based GVRP Configuration Port GigabitEthernet 3 1 app mode normal reg mode normal Port GigabitEthernet 3 2 app mode normal reg mode normal Port GigabitEthernet 3 3 app mode normal reg mode normal Port GigabitEthernet 3 4 app mode normal reg mode normal Port GigabitEthernet 3 5 app mode normal reg mode normal Port GigabitEthernet 3 6 app mode normal reg mode normal Port Giga...

Page 301: ... the packet travels the network with two tags The packet is propagated in the ISP s network by outer VLAN tag or the VLAN tag of ISP s network which is stripped when the packet leaves Then the packet is propagated in the private network by the VLAN tag of the private network As shown in Figure 1 the packets from Network A s VLAN 1001 are added with the outer VLAN tag 1005 before entering the ISP s...

Page 302: ... packet is already of a VLAN tag this means it has two tags Basic QinQ is simple but the encapsulation of outer VLAN tag is not flexible enough Flexible QinQ Flexible QinQ can flexibly encapsulate different outer VLAN tags for different flows by flow classification method like user VLAN tag MAC address IP protocol source address destination address priority or port number of application program Yo...

Page 303: ...lues To compatible with these devices QinQ offers the function to configure the TPID of packets based on port In the course of packet transmission the TPID of the outer VLAN tag of packets are replaced with the set value Priority duplication refers to duplicating the priority of inner tag user tag to outer tag ISP tag when adding outer tag Priority mapping refers to setting the priority of outer t...

Page 304: ... VLAN 5 has not learned MAC A and the packet is flooded To solve the problem on flooding the packets back from the public network duplicate the MAC address of native VLAN to the VLAN whether outer tag locates Similarly you can execute reverse MAC address duplication to solve the problem on flooding the packets to the public network Layer 2 protocol transparent transmission Layer 2 packet transpare...

Page 305: ...c QinQ flexible QinQ and other QinQ functions are disabled Restriction of QinQ Configuration The following restrictions apply to QinQ configuration The routed ports cannot be configured as tunnel ports The 802 1x function cannot be enabled on the port configured as a tunnel port Port security cannot be enabled on the port configured as a tunnel port For the ACL applied on the tunnel port the inner...

Page 306: ...not when outputting the packets of allowed VLAN switchport dot1q tunnel allowed vlan remove v_list Delete the allowed VLAN on the dot1q tunnel port switchport dot1q tunnel native vlan VID Set the default VLAN for the dot1q tunnel port End Exit the interface mode show running config Show the configuration Note It is not recommended to set the native VLAN of trunk port in the ISP network as the defa...

Page 307: ...e interface configuration mode switchport mode dot1q tunnel Set the port as a dot1q tunnel port dot1q outer vid VID register inner vid v_list Configure the protocol based policy to add the VID of outer tag no dot1q outer vid VID register inner vid v_list Remove the configuration end Exit the interface mode show running config Show the configuration The following example adds the VID 3 of outer tag...

Page 308: ...switchport mode trunk Ruijie config if dot1q relay vid 100 translate local vid 10 20 Ruijie config if end Configuring flow based VID change policy table Configuring VID add policy table Configuring outer VID change policy table Configuring inner VID change policy table Configuring VID add policy table For an incoming packet on dot1q tunnel port in some case it is necessary to specify the VID of ou...

Page 309: ...g by flow based match rule If a packet matches two or more flow policies without priority specified simultaneously the early configured policy takes effect The following example adds the VID 9 to the packets from 1 1 1 3 Ruijie configure Ruijie config ip access list standard 20 Ruijie config acl std permit host 1 1 1 3 Ruijie config acl std exit Ruijie config interface gigabitEthernet 0 1 Ruijie c...

Page 310: ...on AP the configured VID add policy or VID change policy will be deleted Reconfiguration of VID add policy or VID change policy is necessary It is recommended to configure VID policy on AP after configuring member port Once ACL is deleted the ACL related policies will be deleted as well If a packet matches two or more flow policies without priority specified simultaneously the early configured pol...

Page 311: ...pping in the ingress direction vlan mapping out vlan svlan remark cvlan Configure one to one VLAN mapping in the egress direction This command changes the Server VLAN ID of the egress packet back to the specified Customer VLAN ID no vlan mapping out vlan svlan remark cvlan Cancel one to one VLAN mapping in the egress direction end Exit interface configuration mode show interface intf id vlan mappi...

Page 312: ...how to change the VIDs of 3 to 7 in the tag of the ingress packet back to 8 before forwarding it Ruijie config interface gigabitEthernet 0 1 Ruijie config if switchport mode trunk Ruijie config if vlan mapping in vlan 3 7 remark 8 Ruijie config if end Caution After VLAN mapping is configured the VLAN ID of the packet delivered to CPU is the changed VLAN ID It is recommended that you do not configu...

Page 313: ...and Description configure terminal Enter the global configuration mode interface interface Enter the interface configuration mode frame tag tpid tpid Set the TPID value of ISP tag If you want to set it as 0x9100 directly enter frame tag tpid 9100 Note that the hexadecimal system is used by default This function takes effect on egress end Exit the interface mode show frame tag tpid View the TPID va...

Page 314: ...y duplication of the user tag only on the dot1q tunnel port whose priority is higher than QoS in the trusted mode but lower than flow based QOS Priority duplication and priority mapping cannot be enabled on one interface at the same time The following example shows how to configure the priority duplication of the user tag Ruijie config interface gigabitethernet 0 1 Ruijie config if mls qos trust c...

Page 315: ...ng example shows how to configure the priority mapping of the user tag Ruijie config interface gigabitethernet 0 1 Ruijie config if dot1q Tunnel cos 3 remark cos 5 Ruijie config end Ruijie show interface gigabitethernet 0 1 remark Ports Type From value To value Gi0 1 Cos To Cos 3 5 Configuring Address Duplication Follow these steps to duplicate the learned dynamic address form one VLAN to another ...

Page 316: ...but lower than other types of address When the source MAC address is aging the duplicated address is aging as well This also applies to deleting MAC address Hot backup is not supported When master slave handover occurs it is recommended users to disable and then enable address duplication The MAC address entries obtained by inter VLAN MAC address duplication cannot be deleted by hand To delete the...

Page 317: ...e configuration An example below shows how to enable transparent transmission of STP protocol packets Ruijie configure Ruijie config l2protocol tunnel stp Ruijie config interface fa 0 1 Ruijie config if l2protocol tunnel stp enable Configuring Transparent Transmission Address In the privileged mode you can configure transparent transmission address by the following steps Command Description config...

Page 318: ...t1q tunnel port Ruijie show registration table interface intf id Show the protocol based VID change policy table on the dot1q tunnle port Ruijie show translation table interface intf id Show the protocol based VID change policy table on the Access Trunk and Hybird ports Ruijie show traffic redirect interface intf id Show the flow based VID change policy table Ruijie show frame tag tpid interface i...

Page 319: ...Configuration Guide QinQ Configuration ...

Page 320: ...2 IPv6 Configuration 3 DHCP Configuration 4 DHCP Relay Configuration 5 DHCPv6 Configuration 6 DHCPv6 Relay Agent Configuration 7 DNS Configuration 8 FTP Server Configuration 9 FTP Client Configuration 10 Network Communication Detection Tools 11 IPv4 Express Forwarding Configuration ...

Page 321: ... According to the first several bits of the network address of an IP address an IP address is divided into four categories Class A Total of 128 class A IP addresses The highest bit is 0 followed by seven bits identifying Network ID and the remaining 24 bits identify Host ID 8 16 24 32 Class A IP address 0 Network ID Host ID Class B Total of 16 384 class B IP addresses The highest two bits are 10 f...

Page 322: ...ssign private IP addresses for them The following table lists those reserved and available addresses by class Class Address Range Status Class A 0 0 0 0 Reserved 1 0 0 0 to 126 0 0 0 Available 127 0 0 0 Reserved Class B 128 0 0 0 to191 254 0 0 Available 191 255 0 0 Reserved Class C 192 0 0 0 Reserved 192 0 1 0 to 223 255 254 0 Available 223 255 255 0 Reserved Class D 224 0 0 0 to 239 255 255 255 A...

Page 323: ...mands in the interface configuration mode Command Function Ruijie config if ip address ip address mask Assign an IP address for the interface Ruijie config if no ip address Remove the IP address configuration for the interface A 32 bit mask identifies the network part of an IP address In a mask the IP address bit corresponding to 1 represetns network ID and the IP address bit corresponding to 0 re...

Page 324: ...etically you can configure secondary addresses up your mind A secondary IP address can reside in the same or different network with the primary IP address The secondary IP address will be used frequently during the building of a network for example in the following cases There may not enough host addresses for a network For example a LAN requires a Class C IP address to support up to 254 hosts How...

Page 325: ...nk layer it is normally called MAC address representing an IP network device in a network Network address represents a device in the Internet and indicates the network to which the device belongs For inter communication a device in a LAN must know the 48 bit MAC address of another device The ARP can resolve the MAC address upon an IP address and the reversed ARP RARP can resolve the IP address upo...

Page 326: ...g ARP timeout takes effect for only the dynamically learned IP address to MAC address mapping The shorter the timeout the truer the mapping table saved in the ARP cache is but the more network bandwidth the ARP occupies Hence the advantages and disadvantages should be weighted Generally it is not necessary to configure the ARP timeout time unless there is a special requirement To configure ARP tim...

Page 327: ...responsibility for a network administrator to manage and control broadcast packets Forwarding flooding broadcast packets may make the network overburden and thus influencing network operation This is known as broadcast storm There are some ways to supress and restrict broadcast storm in the local network However layer 2 network devices like bridges and switches will forward and propagate broadcast...

Page 328: ...atching the ACLs are translated from directed broadcasts to physical broadcasts To configure the directed broadcast to physical broadcast translation execute the following command in the interface configuration mode Command Function Ruijie config if ip directed broadcast access list number Enable directed broadcast to physical broadcast translation on the interface Ruijie config if no ip directed ...

Page 329: ...g path that the packets of your device are taking through the network To display system and network status execute the following commands in the privileged mode Command Function Ruijie show arp Show the ARP table Ruijie show ip arp Show the IP ARP table Ruijie show ip interface interface type interface number Show the interface information Ruijie show ip route network mask Show the routing table R...

Page 330: ...d should be set to the same value as that of the interface network if the route and the interface network belong to the same network By configuring routers A and B you can build a secondary netowrk 172 16 3 0 24 on the network 192 168 12 0 24 to link the two separated subnets The following presents a configuraiton description of routers A and B Router A interface FastEthernet 0 0 ip address 172 16...

Page 331: ...sks described in the following sections Enabling ICMP Protocol Unreachable Messages Enabling ICMP Redirect Messages Enabling ICMP Mask Reply Messages Setting the IP MTU Configuring IP Source Routing Enabling the ICMP Protocol Unreachable Message When a router receives a non broadcast packet destined to it and this packet uses an IP protocol that it cannot handle it will return an ICMP protocol unr...

Page 332: ...essage Occasionally a network device needs to know the mask of a subnetwork in the Internet To obtain this information the device can send the ICMP mask request message The receiving device will send the ICMP mask reply message Ruijie product can respond the ICMP mask request message This function is enabled by default To enable the ICMP mask reply message execute the following command in the inte...

Page 333: ...ing an IP packet the device will check its IP header like strict source route loose source route and recorded route which are defined in RFC 791 If one of these options is enabled the device performs appropriate action Otherwise it sends an ICMP error message to the source and then discards the packet Our product supports IP source routing by default To enable IP source routing execute the followi...

Page 334: ...mproved IPv6 packet header is more efficient for forwarding for instance there is no checksum in the IPv6 packet header and it is not necessary for the IPv6 router to process the fragment during forwarding the fragment is completed by the originator High efficient hierarchical Addressing and Routing Structure The IPv6 adopts the aggregation mechanism and defines flexible hierarchical addressing an...

Page 335: ...v6 packet header is used to identify the data flow ID by which the IPv6 allows users to put forward the requirement for the QoS of communication The router can identify all packets of some specified data flow by this field and provide special processing for these packet on demand Neighbor Nodes Interaction specific New Protocol The Neighbor Discovery Protocol of the IPv6 uses a series of IPv6 cont...

Page 336: ...t address In this way the 16 bit group can be replaced with two colons only when they are all 0s and the two colons can only present for one time In the mixture environment of IPv4 and IPv6 there is a mixture denotation method The lowest 32 bits in an IPv6 address can be used to denote an IPv4 address The address can be expressed in a mixture mode i e X X X X X X d d d d Where the X denotes a 16 b...

Page 337: ... introduce these types of addresses one by one Unicast Addresses IPv6 unicast addresses include the following types Aggregateable Global Addresses Link level Local Addresses Site level Local Addresses IPv6 of IPv4 Addresses 1 Aggregateable Global Addresses The format of the aggregateable global unicast addresses is shown as follows 3 13 8 24 16 64 bits FP TLA RES NLA SLA Interface ID ID ID ID Abov...

Page 338: ...some institutions Each institution can use the same way as that in the IPv4 to create the hierarchical network structure themselves If the 16 bits are taken as the plane address space there are up to 65535 different subnets If the former 8 bits are taken as the higher level of routes within this organization 255 large scale subnets are allowed Furthermore each large scale subnet can be subdivided ...

Page 339: ...er of the site level local address is 16 bits while the latter 64 bits also indicate the interface identifier usually for the EUI 64 address of IEEE 4 IPv6 of IPv4 Addresses The RFC2373 also defines 2 types of special IPv6 addresses embedded with IPv4 addresses IPv4 compatible IPv6 address 80 bits 16 32 bits 0000 0000 0000 IPv4 address IPv4 mapped IPv6 address 80 bits 16 32 bits 0000 0000 ffff IPv...

Page 340: ... local link and the local site or any position nodes in the IPv6 global address space Group Identifier field 112 bits long and used to identify a multicast group Depending on whether a multicast address is temporary or known and the range of the address a multicast identifier can denote different groups The multicast address of the IPv6 is this type of address taking FF00 8 as the prefix One multi...

Page 341: ... all packets sending to this address The anycast address is assigned to normal IPv6 unicast address space so the anycast address cannot be differentiated from the unicast address from the style For this reason each member of all anycast addresses has to be configured explicitly to identify the anycast address Caution The anycast address can only be assigned to the router but cannot be assigned to ...

Page 342: ...s In the IPv6 packet header the following fields are defined Version The length is 4 bits For IPv6 the field must be 6 Traffic Class The length is 8 bits It indicates a type of service provided to the packey and is equal to the TOS in the IPv4 Flow Label The length is 20 bits used to identify the packets of the same service flow One node can be taken as the sending source of several service flows ...

Page 343: ...ing extended headers are defined for the IPv6 Hop by Hop Options This extended header must directly follow an IPv6 header It contains the option data that must be checked by each node along the path Routing Header Routing Type 0 This extended header indicates the nodes that a packet will go through before reaching the destination It contains the address table of various nodes that the packet goes ...

Page 344: ...8 bytes The minimum link MTU is 1280 bytes in the IPv6 It is strongly recommended to use the link MTU of 1500 bytes for the link in the IPv6 IPv6 Neighbor Discovery The main functions of the IPv6 Neighbor discovery protocol include Router Discovery Prefix Discovery Parameter Discovery Address Auto configuration Address Resolution ARP Next hop Confirmation Neighbor Unreachability Check Address Conf...

Page 345: ...packet to the neighbor can be co processed During the detection it continues to forward the IPv6 packet to the neighbor Address Conflict Detection After configuring the IPv6 address to the host enabling the address conflict detection function to check whether the IPv6 address in the link is sole or not Router Prefix and Parameter Advertisement The router sends the Router Advertisement RA to all th...

Page 346: ...host is activated the Router Solicitation RS message sent by the host will use the unassigned address 0 0 0 0 0 0 0 0 as the source address of the solicitation message Otherwise the existing unicast address is taken as the source address while the Router Solicitation RS message uses the multicast address FF02 2 of all routers for the local link as the destination address As the response router sol...

Page 347: ... IPv6 packets to the better next hop directly IPv6 Configuration The following will introduce the configuration of various function modules of the IPv6 respectively Configuring IPv6 Address This section describes how to configure an IPv6 address on an interface By default no IPv6 address is configured Caution Once an interface is created and its link status is UP the system will automatically gene...

Page 348: ... the no ipv6 address ipv6 prefix prefix length eui 64 command to delete the configured IPv6 address The following is an example of the configuration of the IPv6 address Ruijie config interface vlan 1 Ruijie config if ipv6 enable Ruijie config if ipv6 address fec0 0 0 1 1 64 Ruijie config if end Ruijie config if show ipv6 interface vlan 1 Interface vlan 1 is Up ifindex 2001 address es Mac Address 0...

Page 349: ...ress of the packet is a neighbor of the local router Namely this node exists in the router s neighbor table Caution The router other than the host can generate the redirection message and the router will not update its routing table when it receives the redirection message To enable redirection on the interface execute the following commands in the global configuration mode Command Meaning configu...

Page 350: ...tic neighbor is not configured In general a neighbor learns and maintains its status by the Neighbor Discovery Protocol NDP dynamically Moreover you can configure the static neighbor manually To configure the static neighbor execute the following commands in the global configuration mode Command Meaning configure terminal Enter the global configuration mode ipv6 neighbor ipv6 address interface id ...

Page 351: ...ll enable the address conflict detection process for the configured address when the interface changes to the Up status from the Down status The following is the configuration procedure of the quantity of the neighbor solicitation message sent for the address conflict detection Command Meaning configure terminal Enter the global configuration mode interface vlan 1 Enter the SVI 1 configuration mod...

Page 352: ...smit interval is 1000 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 200 seconds 240 160 ND router advertisements live for 1800 seconds Configuring Other Interface Parameters The IPv6 parameters on an interface fall into 2 parts one is used to control the behavior of the router itself the other is used to control the contents of the router ...

Page 353: ...the direct connected network ipv6 nd ra interval seconds Optional Set the time interval for the router to send the router advertisement RA message periodically ipv6 nd managed config flag Optional Set the managed address configuration flag bit of the router advertisement RA message and determine whether the host will use the stateful auto configuration to obtain the address when it receives this r...

Page 354: ...or information Show ipv6 route static local connected Show the information of the IPv6 routing table 1 View the IPv6 information of an interface Ruijie show ipv6 interface interface vlan 1 is Down ifindex 2001 address es Mac Address 00 d0 f8 00 00 01 INET6 fe80 2d0 f8ff fe00 1 subnet is fe80 64 INET6 fec0 1 1 1 1 subnet is fec0 1 1 1 64 Joined group address es ff01 1 1 ff02 1 1 ff02 1 2 ff02 1 1 f...

Page 355: ...ve for 1800 seconds ND router advertisements are sent every 200 seconds 240 160 Flags M O Adv MTU 1500 ND advertised reachable time is 0 milliseconds ND advertised retransmit time is 0 milliseconds ND advertised CurHopLimit is 64 Prefixes total 1 fec0 1 1 1 64 Def Auto vltime 2592000 pltime 604800 flags LA 3 View the neighbor table information of the IPv6 Ruijie show ipv6 neighbors IPv6 Address Li...

Page 356: ...selves 3 Configure IP addresses manually Network administrators specify IP addresses and send the specified IP addresses to the clients through the DHCP Among the above mentioned three methods only dynamic assignment allows reuse of the IP address that the client does not need any more The format of DHCP message is based on that of BOOTP Bootstrap Protocol message Hence it is necessary for the dev...

Page 357: ...he first received DHCPOFFER packet only The address specified in the DHCPOFFER packet from the DHCP server is not necessarily the finally assigned address Generally the DHCP server reserves this address until the client sends a formal request The goal of broadcasting the DHCPREQUEST packet is to let all the DHCP servers that send the DHCPOFFER packet receive this packet and then release the IP add...

Page 358: ...figuration errors Centrally manage IP address assignment Caution The DHCP Client are supported on the Ethernet interface FR PPP HDLC interfaces Introduction to the DHCP Relay Agent The DHCP relay agent forwards DHCP packets between the DHCP server and the DHCP clients When the DHCP clients and the server are not located in the same subnet a DHCP relay agent must be available for forwarding the DHC...

Page 359: ...CP may conflict with some functions For the details see the prompting message of specific product Configuring Ping Packet Timeout By default the DHCP server considers the IP address inexistent if it has not received a response within 500 milliseconds after pinging an IP address You can adjust the Ping packet timeout To configure the Ping packet timeout execute the following commands in the global ...

Page 360: ...interface configuration mode Command Function Ruijie config if ip address dhcp Obtain an IP address through DHCP Configuring the DHCP Client in the HDLCEncapsulation Link Ruijie products support obtaining the IP address dynamicaly assigned by the DHCP server on an HDLC encapsulation interface To configure the DHCP client execute the following command in the interface configuration mode Command Fun...

Page 361: ...events packet Debug the DHCP server Monitoring and Maintaining the DHCP Client There are two types of commands for monitoring and maintaining the DHCP client The following operations can be performed on the DHCP client Debug commands used to output necessary debugging information Such commands are mainly used to diagnose and clear faults Show commands used to show information about DHCP To debug t...

Page 362: ...s the DHCP NAK packet When the DHCP Client receives the DHCP ACK packet it starts to use the resources allocated by the DHCP server If it receives the DHCP NAK packet it may re send the DHCP DISCOVER packet to request another IP address Understanding the DHCP Relay Agent The destination IP address of DHCP REQUEST packet is 255 255 255 255 This type of packets is only forwarded inside the subnet an...

Page 363: ...his option can be divided into several sub options Currently the sub options in frequent use are Circuit ID and Remote ID Ruijie provides two types of relay agent information One is the relay agent information option dot1x that is combined with the 802 1x SAM application scheme the other is relay agent information option82 that is combined with the port VID slot port and MAC address Depicted below...

Page 364: ...ion according to the port that receives the DHCP request message and the physical IP address of the device itself and uploads the option82 information to the DHCP server The option is in the following format Agent Circuit ID Agent Remote ID Understanding DHCP relay Check Server id Function When the DHCP is used generally multiple DHCP servers are configured for a network for the purpose of backup ...

Page 365: ...the DHCP request message received by the device will be forwarded to it At the same time the DHCP response message received from the DHCP server will also be forwarded to the DHCP Client The IP address of the DHCP server can either be configured globally or on the layer 3 interface Up to 20 IP addresses can be configured for the DHCP server in every mode When the DHCP request message is received f...

Page 366: ...e such as S29 users are more likely use it as layer 2 device So normally users only configures a manage vlan address which is configured on the designated SVI interface in a certain VLAN Here we can designae all source interfaces of the DHCP RELAY downlink interfaces as the manage vlan and the packet can be successfully sent to the DHCP RELAY application module and implement the DHCP managemeng fu...

Page 367: ...HCP option dot1x access group In the option dot1x application scheme the device needs to restrict the unauthorized IP address or the IP address with low privilege to access certain IP addresses and restrict the access between users with low privileges To do so configure the command ip dhcp relay information option dot1x access group acl name Here the ACL defined by acl name must be configured in a...

Page 368: ...nfig ext nacl deny ip 192 168 4 0 0 0 0 255 192 168 5 0 0 0 0 255 Ruijie config ext nacl deny ip 192 168 5 0 0 0 0 255 192 168 5 0 0 0 0 255 Ruijie config ext nacl deny ip 192 168 5 0 0 0 0 255 192 168 3 0 0 0 0 255 Ruijie config ext nacl deny ip 192 168 5 0 0 0 0 255 192 168 4 0 0 0 0 255 Ruijie config ext nacl exit Then apply the command to the global interfaces using the ip dhcp relay informati...

Page 369: ... mode Command Function Ruijie config ip dhcp relay check server id Enable the DHCP relay check server di function Ruijie config no ip dhcp relay check server id Disable the DHCP relay check server id function Configuring DHCP Relay Suppression After the ip dhcp relay suppression command is configured the port will not relay the DHCP request broadcast packet by transforming it into the unicast form...

Page 370: ...led for the layer 2 device Precautions on DHCP option dot1x Configuration 1 This command works only when the configuration related to AAA 802 1x is correct 2 When this scheme is adopted the IP authorization of the DHCP mode of 802 1x should be enabled 3 This command cannot be used together with command dhcp option82 because they are conflicted 4 When the IP authorization of the DHCP mode of 802 1x...

Page 371: ...192 168 200 2 interface VLAN 1 ip address 192 168 193 91 255 255 255 0 line con 0 exec timeout 0 0 line vty 0 exec timeout 0 0 login password 7 0137 line vty 1 2 login password 7 0137 line vty 3 4 login end Typical Configuration Example Applying for IP address to surf the Internet by the user in different network segments Configuration Requirement 1 Obtaning the IP address and surfing the Internet...

Page 372: ...nfiguration Steps Set up the configuration environment based on the above topology figure and configurate according to the following steps DHCP Snooping Configuration Enable DHCP Snooping Ruijie config ip dhcp snooping Set Gi0 2 connecting the server as the Trust Port Ruijie config interface gigabitEthernet 0 2 Ruijie config if ip dhcp snooping trust Set Gi0 2 as the Trust Port of ARP detection Ru...

Page 373: ...fig if no switchport Ruijie config if ip address 10 1 0 1 255 255 0 0 DHCP Server Configuration Set the IP address for the port connecting the DHCP Relay device Ruijie config interface gigabitEthernet 4 1 Ruijie config if no switchport Ruijie config if ip address 10 1 1 1 255 255 0 0 Enable the DHCP Server Ruijie config service dhcp Configure the default gateway for the DHCP Client Ruijie dhcp con...

Page 374: ...Pv6 Similar to the framework of sDHCPv4 the application model of DHCPv6 is composed of the DHCP server DHCP clients and DHCP relay The configuration parameters can be obtained through the interaction between DHCP clients and DHCP server while the DHCP relay can link the DHCP clients with the DHCP server outside the local link The message interaction and parameter maintenance basically follow the p...

Page 375: ...entity Association Each DHCPv6 client is associated with one IA and each IA can contain multiple addresses and relevant time information The corresponding IA can be generated in accordance with the type of address such as IA_NA Identity association for non temporary addresses and IA_TA Identity association for temporary addresses New DHCP client server identifier namely DUID DHCP Unique Identifier...

Page 376: ...he desktop computer completes address and parameter configuration via ND or address assignment NA based DHCPv6 client In the above model DHCPv6 fulfils the following functions The DHCP client host node sends out prefix delegation PD based multicast solicit message within the link to look for DHCPv6 servers The DHCP servers will send unicast advertisement message to the DHCP client after receiving ...

Page 377: ...the DHCP message the DHCP relay will regenerate and forward another one The DHCP relay is just like a DHCP server for the DHCP clients and a DHCP client for the DHCP server DHCPv6 Configuration Task List The DHCPv6 configuration tasks include 错误 未找到引用源 错误 未找到引用源 错误 未找到引用源 错误 未找到引用源 错误 未找到引用源 Configure the DHCPv6 Client This task involves how to enable DHCPv6 client function and prefix solicitation...

Page 378: ...nfig if ipv6 dhcp relay destination ipv6 address interface type interface number Enable the DHCPv6 relay on the interface and designate the address for relay forwarding For example Ruijie configure terminal Ruijie config interface fastethernet 0 1 Ruijie config if ipv6 dhcp relay destination 2008 1 1 Restart the DHCPv6 Client on the Interface To restart DHCPv6 Client on the interface run the follo...

Page 379: ... server receives the Solicit packet it responses the Advertise packet in the unicast form declaring that it can provide the DHCP service for the client 3 After the DHCPv6 client selects the DHCPv6 server the client sends the Request packet in the multicast form destined to the address FF02 1 2 and the UDP port 547 within the local network segment 4 After the DHCPv6 server receives the Request pack...

Page 380: ...he Relay Reply packet and sends the Relay reply packet to the DHCPv6 Relay Agent in unicast form 8 The DHCPv6 Relay Agent resolutes the Relay Reply packet from the DHCPv6 Server and sends it to the DHCPv6 client in unicast form Protocol and Standard The related protocol and standard is RFC3315 Dynamic Host Configuration Protocol for IPv6 DHCPv6 Default Configuration Function Default value DHCPv6 R...

Page 381: ...with the destination address of 3001 2 Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config interface vlan 1 Ruijie config if ipv6 dhcp relay destination 3001 2 Ruijie config if end Caution 1 The IPv6 DHCP Relay Destination command can only be used on the layer 3 interface 2 Up to 20 Relay Agent Destination addresses can be configured on one device 3 If...

Page 382: ...ate limit 0 Packets received 28 SOLICIT 0 REQUEST 0 CONFIRM 0 RENEW 0 REBIND 0 RELEASE 0 DECLINE 0 INFORMATION REQUEST 14 RELAY FORWARD 0 RELAY REPLY 14 Packets sent 16 ADVERTISE 0 RECONFIGURE 0 REPLY 8 RELAY FORWARD 8 RELAY REPLY 0 Typical Configuration Example of DHCPv6 Relay Agent Network Requirements 1 Enable DHCPv6 Relay Agent on the Device1 and configure the destination address 3001 2 2 Enab...

Page 383: ...ess 3001 2 Ruijie config Enter configuration commands one per line End with CNTL Z Ruijie config interface vlan 1 Ruijie config if ipv6 dhcp relay destination 3001 2 2 Enable the DHCPv6 Relay Agent function on the Device2 and specify the destination address FF02 1 2 Ruijie config Enter configuration commands one per line End with CNTL Z Ruijie config interface vlan 1 Ruijie config if ipv6 dhcp rel...

Page 384: ...nt Configuration Server address es Output Interface 3001 2 2 Show the DHCPv6 Relay Agent configurations on the Device2 Ruijie show ipv6 dhcp relay destination all Interface Interface vlan 1 Server address es Output Interface FF02 1 2 gi0 ...

Page 385: ...rocess that the device obtains IP address which corresponds to the host name by the host name The Ruijie switches support the host name resolution locally or by the DNS During the resolution of domain name you can firstly adopt the static method If it fails use the dynamic method instead Some frequently used domain names can be put into the resolution list of static domain names In this way the ef...

Page 386: ... six DNS servers at most Configuring the Host Name to IP Address Mapping Statically This section describes how to configure the host name to IP address mapping The switch maintains a host name to IP address corresponding table which is also referred to as the host name to IP address mapping table You can obtain the mapping table in two ways manual configuration and dynamic learning Command Functio...

Page 387: ...n Ruijie show hosts DNS name server 192 168 5 134 static host type address www 163 com static 192 168 5 243 www Ruijie com dynamic 192 168 5 123 Application examples Ping the host with specified domain name Ruijie ping www ietf org Resolving host www ietf org Sending 5 100 byte ICMP Echos to 192 168 5 123 timeout is 2000 milliseconds Success rate is 100 percent 5 5 Minimum 1ms Maximum 1ms Average ...

Page 388: ...P client commands are supported at present The following table shows the FTP client commands supported ascii delete mdelete mput quit send bin dir mdir nlist recv size bye disconnection mget open rename system cd get mkdir passive rhelp type cdup image mls put rmdir user close ls modtime pwd rstatus For the method to use above mentioned FTP client commands refer to FTP client software document In ...

Page 389: ...e FTP client can access For the details on how to view and manage the directories on the device refer to File System Configuration Guide For instance you can set the top directory to the syslog directory After logging in the FTP Server the FTP client can access only the files and folders under the syslog directory To configure the top directory run the ftp server topdir command in the global confi...

Page 390: ...ction Ruijie config ftp server timeout time Sets the session idle timeout time idle timeout in the range of 1 3600 minutes Ruijie config no ftp server timeout Restores the idle timeout to the default value 30 minutes The following example sets the session idle timeout to 5 minutes Ruijie config ftp server timeout 5 If the FTP client has not executed any operation within five minutes the FTP Server...

Page 391: ... in plain text mode ranges from 1 to 25 characters and a password in cipher text mode ranges from 4 to 52 characters The following example sets the user name to admin and password to letmein Ruijie config ftp server username admin Ruijie config ftp server password letmein View Status and Debugging Information To view status and debugging information run the show ftp server and debug ftpserver comm...

Page 392: ...RV_DEBUG REPLY 200 PORT Command okay The following example turns off the debugging of the FTP Server Ruijie no debug ftpserver Configuration Example Below shows how to configure the FTP Server Step 1 Set the user name to admin and the password to letmein Ruijie config ftp server username admin Ruijie config ftp server password letmein Step 2 Set the session idle timeout to 5 minutes Ruijie config ...

Page 393: ...the local files to the remote computer FTP protocol is detailed in RFC 959 FTP Connection Mode FTP maintains two TCP connections Control link also referred to command link for transferring command between FTP client and server Data link for uploading or downloading data Control connection For certain simple connections only the control connection is needed The client sends commands to the server w...

Page 394: ...ith the port 21 of server The client requests to establish connection and notify the server that it is using the port 5151 Upon receipt of the request the server responds with OK ACK message The client and server then exchange control signals through the control port The server opens the port 20 as the source port for sending data to the port 5151 of client The client replies and the transfer proc...

Page 395: ... is only established when needed The application of PASV mode or PORT mode is determined only by FTP client which will send relevant commands to use different modes of data connection By default Ruijie FTP client uses passive mode FTP Transfer Mode There are two FTP transfer modes text ASCII transfer mode and binary BINARY data transfer mode Currently Ruijie FTP Client supports both modes and the ...

Page 396: ...al configuration mode Command Function configure terminal Enter global configuration mode ftp client vrf vrfname port Configure FTP to use active connection mode To configure the device to use passive mode execute the following command in global configuration mode Command Function configure terminal Enter global configuration mode no ftp client vrf vrfname port Configure FTP to use passive connect...

Page 397: ...moved Downloading File In CLI command mode execute the following steps to complete file download Before downloading launch FTP Server program on the host and then log into the device In privileged EXEC mode execute the following command to download file Command Function Ruijie copy ftp username password dest address remote directory remote file flash local directory local file vrf vrfname Download...

Page 398: ... to complete file upload Before uploading launch FTP Server program on the host and then log into the device In privileged EXEC mode execute the following command to upload file The key word dest address specifies the IP address of FTP Server Command Function Ruijie copy flash local directory local file ftp username password dest address remote directory re mote file vrf vrfname Upload the file sp...

Page 399: ...he basic ping function can be performed in either the user EXEC mode or the privileged EXEC mode By default this command sends five 100 byte packets to the specified IP address If the system receives a response within the specified time 2 seconds by default it shows Otherwise it shows Finally the system shows statistics This is a normal ping example Ruijie ping 192 168 5 1 Sending 5 100 byte ICMP ...

Page 400: ... specified IP address If the system receives a response within the specified time 2 seconds by default it shows Otherwise it shows If the response does not match the request the system shows C and outputs statistics This is a normal ping example Ruijie ping ipv6 2000 1 Sending 5 100 byte ICMP Echoes to 2000 1 timeout is 2 seconds press Ctrl C to break Success rate is 100 percent 5 5 round trip min...

Page 401: ...EXEC mode The command format is as follows Command Function Ruijie traceroute protocol address probe probe ttl minimum maximum source source timeout seconds Trace the path that a packet passes through The following are two examples that apply traceroute In one example network connectivity is good In another example some gateways in a network are not connected 1 traceroute example where network con...

Page 402: ...re is failure in gateway 4 Traceroute IPv6 Connectivity Test The Traceroute ipv6 command is mainly used to check the network connectivity It shows all the gateways that a packet passes through from the source to the destination and exactly locates the fault when the network fails For network transmission refer to the previous section The traceroute ipv6 command can run in the user EXEC mode and th...

Page 403: ...s very useful for network analysis 2 traceroute ipv6 example where some gateways in a network are not connected Ruijie traceroute ipv6 3004 1 press Ctrl C to break Tracing the route to 3004 1 1 3000 1 0 msec 0 msec 0 msec 2 3001 1 4 msec 4 msec 4 msec 3 3002 1 8 msec 8 msec 4 msec 4 5 3004 1 4 msec 28 msec 12 msec As you can see to access the host with an IP address of 3004 1 the network packet pa...

Page 404: ...be realized Adjacency Adjacent node including the output interface information of routed packets such as next hop list next processing unit link layer output encapsulation and etc When packets matches with such adjacent node the packets will be encapsulated and forwarded by calling the transmit function of this node To facilitate lookup and update the adjacent nodes will generally form a hash tabl...

Page 405: ... existing adjacency information Command Function Ruijie show ip ref adjacency glean local ip interface interface_type interface_number Display the glean adjacency local adjacency IP specific adjacency interface specific adjacency and all adjacent nodes In the event of the following cases the adjacency table will be used to forward packets 1 Direct route such as 1 1 0 0 16 vlan1 2 A route with long...

Page 406: ...nd hardware forwarding table are inconsistent execute this command to synchronize In case the capacity of hardware forwarding table is insufficient or there is a conflict between hardware and hash bucket such event will be printed in logs in the format of EFHW 4 TBL_NO_RESOURCE DESCRIPTION Configuring ECMP WCMP Policy for Express Forwarding When there are ECMP WCMP routes on the switch there will ...

Page 407: ...emove KEY components represented by the keywords carried in no command For example the combination of SIP DIP Port has been saved by the system After executing no ip ref ecmp route dip port command SIP will be the only component of KEY If the components specified in no command are not included in the configurations saved by the system no fault will arise by executing this command ...

Page 408: ......

Page 409: ...IP Routing Configuration 1 Static Route Configuration ...

Page 410: ... number of static routes If they are not deleted Ruijie product will always retain the static routes However you can replace the static routes with the better routes learned by the dynamic routing protocols Better routes mean that they have smaller distances All routes including the static ones carry the parameters of the management distance The following table shows the management distances of va...

Page 411: ...e weight distance metric weight S 10 0 0 0 8 1 0 6 via 172 0 1 2 The maximum number of static routes is 32 by default If the number of static routes configured exceeds the specified upper limit they will not be automatically deleted but the addition will fail To view the configuration of IP route execute the show ip route command to view the IP routing table For details refer to Static Route Confi...

Page 412: ......

Page 413: ...Multicast Configuration 1 IGMP Snooping Configuration 2 MLD Snooping Configuration ...

Page 414: ...MP Snooping function described below is in the VLAN and the related ports are the member ports in the VLAN The device running IGMP Snooping sets up the mapping for the port and the multicast address by analyzing the received IGMP packets and forwards the IP multicast packets based on the mapping As shown in the Figure 1 with IGMP Snooping enabled the IP multicast packets are broadcasted in the VLA...

Page 415: ...ticast router the Layer3 multicast device take the SwitchA interface Eth0 1 for example All router ports on the switch including the dynamic and static ports are recorded in the router port list By default the router port corresponds to the recipient of the multicast data in the VLAN and can also be added to the IGMP Snooping forwarding list Member Port the abbreviation of the IP multicast group m...

Page 416: ...s in this VLAN and processes the packet receiving port as follows If this port has already been in the router port list reset the aging timer If this port has not been in the router port list add the port to the list and enable the aging timer After receiving the IGMP general query packets the multicast device enable the aging timer for all member ports Set the aging time as the maximum respond ti...

Page 417: ...e outgoing port list includes the port reset the aging timer Leaving the Multicast Group When leaving the IP multicast group the host notifies the multicast router of the leave event by sending the IGMP leave group packets Upon receiving the IGMP leave group packets on a dynamic member port the switch forwards those packets to the router ports IGMP Profiles IGMP Profiles is the group filterings ac...

Page 418: ...MP Snooping the IGMP Snooping working mode IVGL SVGL and IVGL SVGL must be specified Caution The Layer2 multicast device does not support IGMP Snooping if the device works in the private VLAN mode If VLAN is configured as Remote VLAN and the IGMP Snooing function is disabled on the VLAN the related IGMP Snooping function for example VLAN configuration route connector or configuration member port b...

Page 419: ... auto enabled in all VLANs To disable the IGMP Snooping in the specified VLAN run the following command In the global configuration mode run the following command to disable IGMP Snooping Command Function Ruijie config no ip igmp snooping vlan num Disable the IGMP Snooping in the specified VLAN By default the IGMP Snooping in the VLAN is enabled Ruijie config ip igmp snooping vlan num Enable the I...

Page 420: ...r learning mode pim dvmrp IGMPv2 immediate leave Disabled vlan 4 IGMP Snooping Enabled Multicast router learning mode pim dvmrp IGMPv2 immediate leave Disabled Configuring the Aging Time for the Dynamic Router Port If no IGMP general query packets or PIM Hello packets are received on the dynamic router port within the aging time the router port will be deleted To configure the aging time for the d...

Page 421: ...rt from the multicast forwarding table The default time is 10 seconds To configure the maximum response time of the IGMP Query message execute the following commands in the global configuration mode Command Function Ruijie config ip igmp Snooping query max respone time seconds Set the maximum response time of the IGMP Query message in the range of 1 to 65535 seconds The default time is 10 seconds ...

Page 422: ...ijie configure terminal Ruijie config ip igmp snooping vlan 1 mrouter interface gigabitEthernet 0 7 Ruijie config ip igmp snooping vlan 1 mrouter learn pim dvmrp Ruijie config end Ruijie show ip igmp snooping mrouter Vlan Interface State IGMP profile 1 GigabitEthernet 0 7 static 0 1 GigabitEthernet 0 12 dynamic 0 Ruijie show ip igmp snooping mrouter learn Vlan learn method 1 pim dvmrp Configuring ...

Page 423: ... the multicast router should first send an IGMP Query packet and lets a port leave the group only when the host does not respond However in specific environments for example one port is connected to only one multicast user the port can immediately leave the multicast group after the multicast router receives the IGMP Leave message a mechanism known as Fast Leave To enable fast leave execute the fo...

Page 424: ...albe Ruijie config end Configuring IGMP Profiles An IGMP Profile entry defines a set of multicast address range and permit deny activity for the funcitons like multicast address range for SVGL mode multicast data range filtered on the router interface and IGMP Filtering range Note that modifying an IGMP Profile after associating it with a function will influence the multicast forwarding table gene...

Page 425: ...rofile If so the switch allows it to join the multicast group You can also configure the maximum number of multicast groups that the port is allowed to join If the number of the multicast groups that the port joins exceeds the threshold the switch will no longer receive or handle the IGMP Report message To enable IGMP Filtering execute the following commands in the global configuration mode Comman...

Page 426: ...ration mode and global configuration of IGMP Snooping The following example uses the show ip igmp snooping command to view the IGMP Snooping configuration information Ruijie show ip igmp snooping IGMP snooping mode IVGL SVGL vlan id 1 SVGL profile number 0 IGMP Fast Leave Disabled IGMP Report suppress Disable Viewing and Clearing IGMP Snooping Statistics To view and clear the IGMP Snooping statist...

Page 427: ...mp snooping mrouter Show the router interface information of IGMP Snooping The following example uses the show ip igmp snooping command to view the router interface information of IGMP Snooping Ruijie show ip igmp snooping mrouter Vlan Interface State IGMP profile number 1 GigabitEthernet 0 7 static 1 1 GigabitEthernet 0 12 dynamic 0 Viewing Dynamic Forwarding Table To view the forwarding rule of ...

Page 428: ...Clearing IGMP Snooping Statistics To clear the forwarding rule of each port in the multicast group that is the GDA Group Destination Address table execute the following commands in the privileged mode Command Function Ruijie clear ip igmp snooping statistics Clear the dynamic statistics of the entry node in the forwarding table This example clears the multicast group statistics in the GDA table Ru...

Page 429: ...ing command in the privileged mode Command Function Ruijie show ip igmp snooping interface interface id View IGMP Filtering information The following example views the IGMP Filtering information Ruijie show ip igmp snooping interface GigabitEthernet 0 7 Interface Filter Profile number max groups GigabitEthernet 0 7 1 4294967294 ...

Page 430: ... address and such relationship provides a basis for the transmission of IPv6 multicast data on layer 2 When the MLD Snooping is not running IPv6 multicast data message is broadcast on layer 2 while after the switch places MLD Snooping into operation the known multicast data message of IPv6 multicast group will not be broadcast on layer 2 but be exchanged to specified receiver s on layer 2 Basic Co...

Page 431: ...icast stream among all VLANs is inter independent A host can only request multicast stream from the router port in the same VLAN where the host is located switch can only transmit the multicast data flow being received from any VLAN to listener ports in the same VLAN Working Principle The switch that runs MLD Snooping processes different MLD messages in the following ways 1 MLD QUERY Layer 3 multi...

Page 432: ...oining certain IPv6 multicast group a host will actively send MLD membership report message to MLD queriers to announce its joining in this IPv 6 multicast group A switch transmits through all routers in VLAN the MLD membership report message being received resolve the IPv6 multicast group addresses which hosts will join and process the receive port in the following ways If the forwarding table co...

Page 433: ...f router ports 300s Max response time for MLD query 10s Function as a dynamic learn router port Disabled The function of fast leave from multicast listener ports Disabled The function of restraining MLD report Disabled The function of source port check Disabled Port based filtration of unicast group of specific multicast Disabled Number of port based max restriction multicast group 1024 Configurat...

Page 434: ...ld snooping MLD snooping mode IVGL SVGL VLAN ID 1 SVGL profile number 0 Source check port Disable Query Max Response Time 10 Seconds Disabling Global MLD Snooping To disable the MLD Snooping function run the following commands in the global configuration mode Command Function Ruijie config no ipv6 mld snooping Disable the MLD Snooping function By default the MLD Snooping is disabled Ruijie config ...

Page 435: ...an no ipv6 mld snooping Disable the VLAN based MLD Snooping function By default with the global MLD Snooping enabled the MLD Snooping function in all VLANs are enabled Ruijie config vlan end Return to the privilege mode Ruijie show ipv6 mld snooping Verify the configurations The following example shows how to disable the MLD Snooping in vlan 2 Ruijie configure terminal Ruijie config vlan 2 Ruijie ...

Page 436: ...timer for dynamic route port time the valid range is 1 3600 and the default value is 300s Use the no IPv6 MLD Snooping dyn mr aging time command to restore the aging time for the dynamic route port to the default value The following example shows how to set the aging time for the dynamic route port as 100s Ruijie configure terminal Ruijie config ipv6 mld snooping dyn mr aging time 100 Product supp...

Page 437: ...jie configure terminal Ruijie config ipv6 mld snooping query max response time 15 Product support As for Version 10 4 all products support this configuration Configuring Router port By default you may enable the dynamic router port learning in a VLAN for the layer 2 multicast device Use the no form of this command to disable dynamic learning and clear all dynamically learned router port You may al...

Page 438: ...configuration Configuring Static Listener Port Use this command to set a port joins to the IPv6 multicast group statically to become a static listener port if the host that connects to the port needs to receive the IPv6 multicast data sent to an IPv6 multicast group in a fixed manner To configure the MLD Snooping static listener port run the following commands Command Function Ruijie config ipv6 m...

Page 439: ...Fast leave Port Fast leave means that when receiving from a port the MLD leave message sent from a host for leaving certain IPv 6 multicast group a switch will directly delete the port from the list of outgoing ports in the corresponding forwarding table If there is only one receiver connecting underneath the port on the switch you may enable Port Fast leave to save band width and resource To conf...

Page 440: ...uipment will only forward to layer 3 equipment the first MLD membership report message of one IPv 6 multicast group it receives within one query interval instead of keeping on forwarding to layer 3 equipment other MLD membership report message from the same multicast group In this way message quantity will be reduced in the network Run the following command to enable the response suppression for t...

Page 441: ... that the range of multicast address and other multicast address will be permitted or denied By default all groups are denied Ruijie config profile range low address high_address Add the multicast address range which can be both a single IPv6 group address low IPv6 group address and a group address zone high IPv6 group address Meanwhile multiple ranges may be configured Ruijie config end Return to...

Page 442: ...cast address for this port to join is permitted by MLD Profile If so joining is permitted before later processing You may also configure the max group number that are permitted to join one port When the max group number is exceeded layer 2 multicast equipment will no longer receive and process MLD report message To configure the MLD Filtering run the following commands Command Function Ruijie conf...

Page 443: ...w the current working mode and global configuration of MLD Snooping run the following command Command Function Ruijie show ipv6 mld snooping View the current working mode and global configuration of MLD Snooping The following example shows the MLD Snooping configurations Ruijie show ipv6 mld snooping MLD snooping mode IVGL SVGL VLAN ID 1 SVGL profile number 0 Source check port Disabled Query max R...

Page 444: ...2003 1111 Report pkts 1 Leave pkts 0 Product support As for Version 10 4 all products support this configuration Viewing Router port Information To view and clear the MLD Snooping router port information run the following command Command Function Ruijie show ipv6 mld snooping mrouter View the MLD Snooping router port information The following example shows the MLD Snooping router port information ...

Page 445: ...e show ipv6 mld snooping gda table Abbr M mrouter D dynamic S static VLAN Address Listener ports 1 FF88 1 GigabitEthernet 0 7 S Product support As for Version 10 4 all products support this configuration Clearing Dynamic Forwarding table Information To clear GDA Group Destination Address information from dynamic forwarding table run the following command Command Function Ruijie clear ipv6 mld snoo...

Page 446: ...ile information run the following command Command Function Ruijie show ipv6 mld profile profile number View the MLD Snooping Profile information The following example shows the MLD Snooping Profile information Ruijie show ipv6 mld profile 1 MLD Profile 1 permit range FF77 1 FF77 100 range FF88 123 ...

Page 447: ...Configuration 8 GSN Configuraiton 9 CPU Protection Configuration 10 Port based Flow Control Configuration 11 DoS Protection Configuration 12 DHCP Snooping Configuration 13 Dynamic ARP Inspection Configuration 14 IP Source Guard Configuration 15 ND Snooping Configuration 16 DHCPv6 Snooping Configuration 17 Gateway Anti Arp spoofing Configuration 18 NFPP Configuration 19 Ruijie Swithches Security Co...

Page 448: ...aces The defined method list overwrites the default method list All authentication methods other than the local line password and allowing authentication must be defined with AAA Authorization This means authorizing the user with services The AAA authorization is implemented through the definition of series attributes that describe the operations on the user by the authorization These attributes c...

Page 449: ...on for users can be implemented in a variety of ways you need to use the method list to define the sequence of using different method to perform authentication for the users The method list can define one or more security protocols for authentication so that there are backup systems available for the authentication in case of the failure of the first method Our product works with the first method ...

Page 450: ... not pass the authentication thus the access request will be refused TIMEOUT means there is no reply from the security server to the authentication When an ERROR is detected the AAA selects the next authentication method in the method list to continue the authentication process Note In this chapter take RADIUS for example of the configuration of the related authentication authorization and accouti...

Page 451: ...abling AAA To disable AAA execute the following command in the global configuration mode Command Function Ruijie config no aaa new model Disable AAA Sequential Configuration Steps After the AAA is enabled it is time to configure the other parts related with the selected security solutions Following table lists the possible configuration tasks and their description chapters Methods of AAA access co...

Page 452: ... of no reply from that method This process goes on till an authentication method listed successfully allows communication or all methods listed are used up If all methods listed are used up but the communication is not allowed it declares failure of authentication Caution Only when there is no reply from a method our product will attempt the next method During the authentication if the user access...

Page 453: ...ion to R2 This process continues for the remaining methods till the user passes the authentication is refused or the session is terminated If all servers R1 and R2 returns TIMEOUT the authentication will be performed by the NAS local database Caution The REJECT response is not the same as the TIMEOUT response REJECT means the user fails to comply with the standard in the available authentication d...

Page 454: ...orm line based authentication No matter which line authentication method you decide to use you just need to execute the aaa authentication login command to define one or more authentication method list and apply it on the specific line that need the line authentication To configure the AAA PPP authentication execute the following command in the global configuration mode Command Function configure ...

Page 455: ...ion group radius Use Radius for authentication The table above lists the AAA login authentication methods supported by our product Using the local database for Login authentication To configure the login authentication with local database it is required to configure the local database first Our product supports authentication based on the local database To establish the username authentication run...

Page 456: ...n the RADIUS server To configure the RADIUS server run the following commands in the global configuration mode Command Function configure terminal Enter the global configuration mode aaa new model Turn on the AAA switch radius server host ip address auth port port acct port port Configure the RADIUS server end Return to the privileged mode show radius server Show the RADIUS server After the RADIUS...

Page 457: ...mprove the privilege level if you fail to execute some commands due to low initial privilege level To prevent the unauthorized access to the network the identity authentication named Enable authentication is necessary when improving the privilege level To configure the AAA Enable authentication execute the following command in the global configuration mode Command Function configure terminal Enter...

Page 458: ...rocess of authentication except for the returned response according to the security protocol it is necessary to verify the binded security level If the service protocol can bind the security level the level shall be verified while authenticating If the binded level is more than or equal to the level to be configured the enable authentication and level switchover succeed But if the binded level is ...

Page 459: ...can pass the privilege level binded with the Service Type attribute the standard attribute number is 6 can specify the privilege with 1 or 15 level The extened RADIUS server for example SAM can configure the privilege level of the administrator the private attribute number is 42 can specify 0 15 privilege level For the details of the RADIUS server see Specifying the RADIUS Private Attribute Type i...

Page 460: ...using the local database are the supported authentication methods interface interface type interface number Enter the asynchronous or ISDN interface that needs to apply the AAA authentication ppp authentication chap pap default list name Apply the method list on the asynchronous or ISDN interface For the detailed configuration method for the PPP see the related chapter in Configuring PPP MP Config...

Page 461: ...ication test line vty 1 4 In the example above the access server uses the Radius server IP 192 168 217 64 to perform authentication for the login users If the Radius server has no reply the local database will be used for the identity authentication Example of Terminal Service Application Configuration In the environment of the terminal service application the terminal first connects to the asynch...

Page 462: ...ne login authentication test Ruijie config line exit Ruijie config line vty 0 4 Ruijie config line login authentication test Ruijie config line end Ruijie config show running config aaa new model aaa authentication login test group radius local aaa authentication login terms none username Ruijie password 0 starnet radius server host 192 168 217 64 radius server key 7 093b100133 line con 0 line aux...

Page 463: ...refer to TACACS Configuration Preparations for Authorization The following tasks must be completed before the AAA authorization is configured Enable the AAA server For the details see AAA Overview Optional Configure the AAA authentication The authorization is done after the user passes the authentication But sole authorization can also be done without authentication For details of the AAA authenti...

Page 464: ...iguration mode Command Function configure terminal Enter the global configuration mode aaa new model Turn on the AAA switch aaa authorization exec network default list name method1 method2 Define the AAA Exec authorization method If you need to define multiple methods execute this command repeatedly line vty line num Enter the line to which the AAA Exec authorization method is applied authorizatio...

Page 465: ...e the Exec authorization with local database it is required to configure the local database first You can configure the user privilege level while configuring the local user By default the privilege level is 1 Run the following commands in the global configuration mode Command Function configure terminal Enter the global configuration mode username name password password Establish the local userna...

Page 466: ...configured method list configure terminal Enter the global configuration mode line vty line num Enter the line configuration mode authorization exec default list name Apply the method list end Return to the privileged mode show running config Confirm the configuration Example of Configuring Exec Authorization The example below illustrates how to configure exec authorization The local login authent...

Page 467: ...ed from the server are encapsulated in the RADIUS attribute For different network connection application it is possible that these authorization information are different Caution Now the configuration does not support the 802 1X AAA authorization while the 802 1X is implemented by using other commands For the details of the 802 1X authorization see Configuring 802 1X To configure the AAA network a...

Page 468: ...st name group radius Define RADIUS authentication method Example of Configuring Network Authorization The example below illustrates how to configure network authorization Ruijie configure terminal Ruijie config aaa new model Ruijie config radius server host 192 168 217 64 Ruijie config radius server key test Ruijie config aaa authorization network test group radius local Ruijie config line end Rui...

Page 469: ... Configuring RADIUS For details of the TACACS see Configuring TACACS Optional Configure the AAA authentication The accounting is done after the user passes the authentication for example Exec accounting In some circumstances the accouting can also be done without authentication For details of the AAA authentication see Configuring Authentication Configuring AAA Exec Accounting The exec accounting ...

Page 470: ...pecific none as the last accounting method Note The keyword start stop is used for the network access server to send the accounting information at the start and end of the network service to the security server Using the Radius for exec accounting To configure the use of RADIUS server for Exec acounting it is required to first configure the RADIUS server For the details of the RADIUS server config...

Page 471: ... line vty 0 4 Ruijie config line login authentication auth Ruijie config line accounting exec acct Ruijie config line end Ruijie config show running config aaa new model aaa accounting exec acct start stop group radius aaa authentication login auth local username Ruijie password Ruijie radius server host 192 168 217 64 radius server key 7 093b100133 line con 0 line vty 0 4 accounting exec acct log...

Page 472: ...nfigure the use of RADIUS server for network acounting it is required to first configure the RADIUS server For the details of the RADIUS server configuration see Configuring RADIUS After configuring the RADIUS server the RADIUS server based method list can be configured Run the following commands in the global configuration mode Command Function configure terminal Enter the global configuration mo...

Page 473: ...and Function configure terminal Enter the global configuration mode aaa new model Turn on the AAA switch aaa local authentication attempts 1 2147483647 Configure attempt times of login user aaa local authentication lockout time 1 2147483647 Configure lockout time hour when the user has attempted more than the limited times show aaa user lockout all user name word Display current lockout user list ...

Page 474: ... for each domain including the AAA service method list Note Ruijie product supports the following types of username 1 userid domain name 2 domain name userid 3 userid domain name 4 userid For the type4 username i e userid without the domain name its domain name is default The followings are the basic principles for the domain name based AAA service Resoluting the domain name carried by the user Se...

Page 475: ... AAA Defining the AAA Service Method list Command Function configure terminal Enter the global configuration mode aaa authentication dot1x default list name method1 method2 Define the IEEE802 1x authentication method list aaa accounting network default list name start stop method1 method2 Define the Network accounting method list aaa authorization network default list name method1 method2 Define t...

Page 476: ... string domain name With multiple characters in the username use the character string followed by the first characeter as the domain name For example if the username is a b c d use the b c d as the username and use the a as the domain name 4 The single character is followed by the character string domain name With multiple characters in the username according to the pre settings use the character ...

Page 477: ...zation method list Use this command to configure the domain state Command Function state block active In the domain configuration mode set the domain state Use this command to check whether the username carries with the domain name information Command Function username format without domain with domain In the domain configuration mode check whether the username carries with the domain name informa...

Page 478: ...vice enabled use the method list selected according to the access protocol such as 802 1x ect for the AAA service For example without the service enabled use the dot1x authentication authen list name dot1x accounting acct list name authen list name and dot1x accounting acct list name acct list name command to provide the AAA service for the authentication and accouting method list name 2 With the ...

Page 479: ...Ruijie config aaa authentication dot1x default group radius Ruijie config aaa domain domain com Ruijie config aaa domain authentication dot1x default Ruijie config aaa domain username format without domain After the configuration with the user a1 in the radius server use the 802 1x client to login the server for authentication by keying in the username a1 domain com and the correct password The fo...

Page 480: ...vices Since the RADIUS is a completely open protocol it has become a component and been installed in such systems as UNIX and WINDOWS 2000 so it is the security server most widely used for the time being The running process of the RADIUS is as follows Prompt the user to enter username and password The username and the encrypted password are sent to the RADIUS server via the network The RADIUS retu...

Page 481: ...on Configuring Radius Protocol Parameters Before configuring the Radius on the network device the network communication shall operate perfectly on the Radius server To configure RADIUS protocol parameters run the following commands Command Function configure terminal Enter the global configuration mode radius server host ip address auth port port acct port port Configure the IP address or hostname...

Page 482: ...ling Station ID Format RADIUS Calling Station ID attribute is used to identify the NAS when the NAS is sending the request packets to the RADIUS server The contents of the RADIUS Calling Station ID are character strings which can be in multiple formats The MAC address for the NAS is usually used as the content of the Calling Station ID to solely identify the NAS The table blow lists the formats of...

Page 483: ...2 qos 2 3 user ip 3 4 vlan id 4 5 version to client 5 6 net ip 6 7 user name 7 8 password 8 9 file diractory 9 10 file count 10 11 file name 0 11 12 file name 1 12 13 file name 2 13 14 file name 3 14 15 file name 4 15 16 max up rate 16 17 version to server 17 18 flux max high32 18 19 flux max low32 19 20 proxy avoid 20 21 dailup avoid 21 22 ip privilige 22 23 login privilige 42 24 limit to user nu...

Page 484: ...ion to server 17 18 flux max high32 18 19 flux max low32 19 20 proxy avoid 20 21 dailup avoid 21 22 ip privilige 22 23 login privilige 42 24 limit to user number 50 Note Two functions cannot be configured with the same type number Here is an example on how to configure the private type for network device Ruijie show radius vendor specific id vendor specific type value 1 max down rate 76 2 qos 77 3...

Page 485: ... config show radius vendor specific id vendor specific type value 1 max down rate 76 2 qos 77 3 user ip 3 4 vlan id 4 5 version to client 5 6 net ip 6 7 user name 7 8 password 8 9 file diractory 9 10 file count 10 11 file name 0 11 12 file name 1 12 13 file name 2 13 14 file name 3 14 15 file name 4 15 16 max up rate 75 17 version to server 17 18 flux max high32 18 19 flux max low32 19 20 proxy av...

Page 486: ... on how to configure the Radius for network device Ruijie configure terminal Ruijie config aaa new model Ruijie config radius server host 192 168 12 219 auth port 1645 acct port 1646 Ruijie config radius server key aaa Ruijie config aaa authentication login test group radius Ruijie config end Ruijie show radius server Server IP 192 168 12 219 Accounting Port 1646 Authen Port 1645 Server State Read...

Page 487: ...ession IDs in the request packets and sends response packets that contain processing results to the server This mechanism allows the RADIUS server to manage user logout Working Principle Figure 1 DM exchange for RADIUS dynamic authorization extension The above figure shows the DM exchange between the RADIUS server and device When the RADIUS server sends a Disconnect Request packet to the UDP port ...

Page 488: ...ne End with CNTL Z Ruijie config radius dynamic authorization extension enable Ruijie config show run By default RADIUS dynamic authorization extension is disabled Whether to enable DM depends on whether the servers such as Portal Radius support the offline mechanism A DM message carries attributes used to inform a device of which user is to be logged out The common attribute carried is calling st...

Page 489: ...ge a UDP port to intercept the packets Command Function Step 1 Ruijie configure terminal Enter global configuration mode Step 2 Ruijie config radius dynamic authorization extension port num Set the number of a UDP port for intercepting the packets about RADIUS dynamic authorization extension The value ranges from 1024 to 65535 The default value is 3799 Step 3 Ruijie config show running config View...

Page 490: ... running config Examples for Configuring RADIUS Dynamic Authorization Extension Networking Requirements 1 RADIUS dynamic authorization extension must work with the authentication mechanism The network comprises SAM servers RADIUS servers Ruijie access devices and PCs of users 2 Ruijie access devices must support RADIUS dynamic authorization extension Network Topology Figure 2 Network topology of R...

Page 491: ...etwork default start stop group radius Ruijie config dot1x authentication default Ruijie config dot1x accounting default Ruijie config radius server host 192 168 181 66 key radius key Ruijie config interface range fa0 2 3 Ruijie config if range dot1x port control auto Ruijie config if range exit 2 Enable RADIUS dynamic authorization extension Ruijie config radius dynamic authorization extension en...

Page 492: ...nformation being antagonistic to authenticate authorize and account The table below shows TACACS packet format Figure 1 Major Version Major TACACS Version number Minor Version Minor TACACS Version number Packet Type the value may include TAC_PLUS_AUTHEN 0x01 Authentication TAC_PLUS_AUTHOR 0x02 Authorization TAC_PLUS_ACCT 0x03 Accounting Sequence Number packet sequence number in current session The...

Page 493: ...cation The typical application of TACACS is the login management control of terminal users TACACS client sends user name and password to TACACS server for authentication After authentication and authorization you can login to the switch for operation which is shown as figure 2 Figure 2 Figure 3 describes the interaction of the packets running in TACACS by login AAA ...

Page 494: ...figuration Guide TACACS Configuration Figure 3 The whole process of basic information interaction is divided into three parts 1 Authentication process includes a User requests for logging in to the switch ...

Page 495: ...CACS server sends authentication reply message indicating that user has been authenticated 2 Authorization process includes a TACACS Client sends authorization request message to TACACS server b TACACS server sends authorization reply message indicating that user has been authenticated c TACACS Client receives successful authorization reply message outputting the configuration interface of switch ...

Page 496: ...authorization method list For the detailed information please refer to authorization configuration If you need to account use aaa accounting to define using TACACS accounting method list For the detailed information please refer to accounting configuration You shall use the defined authentication list in the specified line or you use the list by default Configuring TACACS Protocol Parameter You ne...

Page 497: ...ice and TACACS server If the corresponding host does not set key by itself you should set it globally tacacs server timeout seconds Specify the waiting time before the device resends request By default it is 5s if the specified host does not set the specified timeout time you should set the time globally Ip tacacs source interface interface Specify to send tacacs request to the source IP used by t...

Page 498: ...ijie config aaa authentication login test group tacacs Applies the authentication method on the interface Ruijie config line vty 0 4 Ruijie config line login authentication test Through the above configuration you implement to configure login tacacs authentication The configuration is shown as follows Ruijie show running config aaa new model aaa authentication login test group tacacs tacacs server...

Page 499: ...servers in the server list Ruijie config aaa group server tacacs tacgroup1 Ruijie config gs tacacs server 192 168 12 219 Ruijie config gs tacacs server 192 168 12 218 3 Configures authentication method of using tacgroup1 Ruijie config aaa authentication enable default group tacgroup1 Through the above configuration you implement to configure enable authentication of some tacacs servers The configu...

Page 500: ...cs server host 192 168 12 219 Ruijie config tacacs server key aaa 3 Configures the authorization method of using tacacs Ruijie config aaa authorization exex test group tacacs 4 Applies the authorization on the interface Ruijie config line vty 0 4 Ruijie config line authorization exec test Through the above configuration you implement to configure to use tacacs by login authorization The configurat...

Page 501: ... host 192 168 12 219 Ruijie config tacacs server key aaa Configures command audit method of using tacacs Ruijie config aaa accounting commands 15 default group start stop tacacs Applies the authorization on the interface Ruijie config line vty 0 4 Ruijie config line accounting commands 15 default Through the above configuration you implement to configure enable authentication of some tacacs server...

Page 502: ...Configuration Guide TACACS Configuration tacacs server host 192 168 12 219 tacacs server key aaa line con 0 line vty 0 accounting commands 15 default line vty 1 4 accounting commands 15 default ...

Page 503: ...tages of IEEE 802 LAN The IEEE 802 1x defines a mode based on Client Server to restrict unauthorized users from accessing the network Before a client can access the network it must first pass the authentication of the authentication server Before the client passes the authentication only the EAPOL Extensible Authentication Protocol over LAN packets can be transmitted over the network After success...

Page 504: ... controlled Port and uncontrolled Port The users connected to a controlled port can only access network resources after passing the authentication while those connected to an uncontrolled port can directly access network resources without authentication We can control users by simply connecting them to a controlled port On the other hand the uncontrolled port is used to connect the authentication ...

Page 505: ...led port can use network resources while those under a controlled port can access network resources only if they are authorized When a user just initiates an authentication request its status is unauthorized in which case it cannot access the network When it passes the authentication its status changes to be authorized in which case it can use the network resources If the workstation does not supp...

Page 506: ...hen a port of the switch changes to the LINK DOWN status all the users on the port change to be in the unauthorized status When the device restarts all users on the device turn into the unauthorized status To force a user to pass the authentication you can add a static MAC address Topologies of Typical Applications Scheme 1 The 802 1x enabled device is used as the access layer device Figure 0 3 Th...

Page 507: ...or does not have to know which switch a user is connected to making management much easier The administrator can manage the device on the access layer through the network Scheme 2 The 802 1x enabled device is used as the convergence layer device Figure 0 4 This solution is described as below Requirements of this solution The user supports 802 1x That is it is installed with the 802 1x client Windo...

Page 508: ...network Configuration Default Configuration of 802 1x The following table lists some defaults of the 802 1x Item Default Authentication DISABLE Accounting DISABLE Radius Server ServerIp Authentication UDP port Key No default 1812 No default Accounting Server ServerIp Accounting UDP port No default 1813 All port types Uncontrolled port all ports can perform communication directly without authentica...

Page 509: ...zed manner without being distributed over various switches making easier management for the administrator In order for the switch to normally communicate with the RADIUS SERVER you must set the following parameters Radius Server end You must register a Radius Client At registration you must supply the Radius Server switch s IP address authentication UDP port add the accounting UDP port if needed a...

Page 510: ...the AAA switch Ruijie config radius server host ip address auth port port acct port port Configure the RADIUS server Ruijie config radius server key string Configure RADIUS Key Ruijie config aaa authentication dot1x auth group radius Configure the dot1x authentication method list Ruijie config dot1x authentication auth dot1x applies authentication method list Ruijie show running config Show the co...

Page 511: ...or a port when the 802 1x is enabled the port becomes a controlled port and the users under the port must first pass authentication before they can access the network However the users under the uncontrolled port can directly access the network In the privileged EXEC mode you can set authentication for a port by performing the following steps Command Function Ruijie config interface interface Ente...

Page 512: ...eged EXEC mode you can enable disable re authentication and set the re authentication interval by performing the following steps Command Function Ruijie config dot1x re authentication Enable timed re authentication Ruijie config dot1x timeout re authperiod seconds Set the re authentication interval Ruijie show dot1x Show the dot1x configurations You can use the no dot1x re authentication command t...

Page 513: ...ult In the privileged EXEC mode you can enable disable the filtering by performing the following steps Command Function Ruijie config dot1x private supplicant only Enable the filtering function Ruijie show dot1x Show the dot1x configurations Following example is the configuration to enable the supplicant function provided by us Ruijie configure terminal Ruijie config dot1x private supplicant only ...

Page 514: ... should modify this value to suit the specific network size In the privileged EXEC mode you can set the packet retransmission interval by performing the following steps Command Function Ruijie config dot1x timeout tx period seconds Setting the Packet Retransmission Interval Ruijie show dot1x Show the dot1x configurations You can use the no dot1x timeout tx period to restore the packet re transmiss...

Page 515: ...ndicates the maximum response time of the Radius Server If the switch does not receive the response from the Radius Server within this period it deems the authentication as a failure In the privileged EXEC mode you can set the Server timeout and restore its default by performing the following steps Command Function Ruijie config dot1x timeout server timeout seconds Set the maximum response time of...

Page 516: ...nding requests when the users pass the authentication In the privileged EXEC mode you can enable automatic authentication by performing the following steps Command Function Ruijie config dot1x auto req Enable automatic authentication It is enabled by default Ruijie show dot1x Show the dot1x configurations The no option of the command turns off the function Only when the function is enabled the fol...

Page 517: ...ng the following steps Command Function Ruijie config dot1x auto req user detect Stop sending the messages when there is some authentication user under the port This function is enabled by default Ruijie show dot1x auto req Show the configuration The no option of the command disables the function Before setting this function take careful considerations on the current network application environmen...

Page 518: ...ication mechanism To enable the accounting function of the device the following settings are necessary on the device On the Radius Server register the switch as a Radius Client like the authentication operation Set the IP address of the accounting server Set the accounting UDP port Enable the accounting service on the precondition that the 802 1x has been enabled In the privileged EXEC mode you ca...

Page 519: ...n see Configuring the AAA Service Based on Domain Names Also the account update is supported After the account update interval is set on the NAS device the NAS device will send account update packets to the Radius Server at periodical intervals On the Radius Server you can define the number of periods before which the account update packet of a user is not received from the NAS device the NAS or u...

Page 520: ...d the user only needs to pass the authentication to be able to access the network DHCP SERVER mode The user IP is obtained via specified DHCP SERVER and only the IP allocated by the specified DHCP SERVER is considered legal For the DHCP mode it is possible to use DHCP relay option82 to implement a more flexible IP allocation policy with the 802 1X Here is a typical diagram for the plan Figure 0 2 ...

Page 521: ...th user IP mapping relations that are notified to the device via the Framed IP Address attributes of the device The user has to use that IP to be able to access the network SUPPLICANT mode The user PC uses fixed IP The SUPPLICANT notifies the information to the device The user has to use the IP at authentication to be able to access the network When the user switches modes it will cause all authen...

Page 522: ...2 1x allowing the NM to restrict the list of hosts authenticated of a port If the list of hosts authenticated of a port is empty any user can be authenticated If the list is not empty only the hosts in the list can be authenticated The hosts that can be authenticated are identified by using the MAC addresses The following example adds deletes the hosts that can be authenticated under a port Comman...

Page 523: ...or no settings on the device end and works as long as the device end supports authorization Configuring the Authentication Mode In the standard the 802 1x implements authentication through the EAP MD5 The 802 1X designed by Ruijie can perform authentication through both the EAP MD5 default mode and the CHAP and PAP mode The advantage of the CHAP is that it reduces the communication between the swi...

Page 524: ...pplicant Timeout 3 sec Server Timeout 5 sec Re authen Max 3 times Maximum Request 3 times Filter Non RG Supp Disabled Client Oline Probe Disabled Eapol Tag Enable Disabled Authorization Mode Group Server Configuring the backup authentication server Our 802 1x based authentication system can support the backup server When the master server is down due to various reasons the device automatically iss...

Page 525: ...o configuration on the device but need the support of the Radius server Implementing Automatic Switching and Control of VLAN To implement the auto switching of the dynamic VLAN the user VLAN shall be assigned and configured by the remote RADIUS server The remote RADIUS server encapsulates the VLAN assignment information through the defined RADIUS attributes After receiving those information and th...

Page 526: ...CCESS and TRUNK ports VLAN auto switching function on the ACCESS port Without the assigned VLAN configured on the device if the assigned VLAN is identified as the VLAN ID by the device the device will create the VLAN with the corresponding VLAN ID and switch the auth port to the newly created VLAN while if the assigned VLAN is identified as the VLAN name by the device the user authentication will ...

Page 527: ...ntication will be faulty or else the assigned VLAN can pass the current HYBRID port without TAG and the Native VLAN of the port is changed to the assigned VLAN In such case the user authentication will be successful With the MAC VLAN enabled on the HYBRID port handling methods for the assigned VLAN are as blow If the VLAN assigned by the authentication server is not existent in the device MAC VLAN...

Page 528: ...he following listed do not cover all abnormities 802 1x users can be authenticated successfully but the legal data packets will be dropped after the authentication resulting in network access failure After the user sends EAPOL LOGOFF message to goes offline the authentication server still shows that user is online as the 802 1x authentication entry is still in the device To enable the dynamic VLAN...

Page 529: ... control auto Enable the 802 1x authentication on the interface enable the VLAN auto switching on the interface Command Function Ruijie config interface interface_id Enter interface configuration mode Ruijie config if type ID dot1x dynamic vlan enable Enable the VLAN auto switching on the interface For the VLAN auto switching function the dynamic switching must be enabled on the interface That is ...

Page 530: ...eceived within 90 seconds Failed MAC address authentication in MAC mode Use show runninng config to view the configuration and show vlan to check whether the port jumps to guest vlan or not Follow these steps to configure a port whether to be allowed to jump to GUEST VLAN or not Command Function Ruijie config if type ID interface interface Enter interface configuration mode Ruijie config if type I...

Page 531: ...er end Since the Radius has no standard attributes to indicate the maximum data rate we can transfer the authorization information only through the manufacturer custom attributes For the general format defined see the Authorization section The proxy server shielding function defines the Vendor type of 0x20 and the dial up shielding function defines the Vendor type of 0x21 The Attribute Specific fi...

Page 532: ...rtisement Alive Interval Client online interval If the device has not received the client advertisement during this interval it actively disconnects the client and notifies the billing server The interval must be greater than the Hello Interval In the privileged EXEC mode you can configure the on line probe function of the client by performing the following steps Command Function Ruijie config dot...

Page 533: ...and Function Ruijie config interface interface id Enter the interface mode Ruijie config if type ID dot1x port control auto Enable the function being controlled Ruijie config if type ID dot1x port control mode mac based port based Select the controlled mode Ruijie show dot1x port control Show the configuration of port 802 1X You can run no dot1x port control mode to restore the settings to the def...

Page 534: ... port based single host Port based single user control mode Ruijie show dot1x port control Show 802 1x configuration You can run no dot1x port control mode to restore the settings to the default control mode Following example shows how to configure the authentication mode of a port Ruijie config interface interface idRuijie config interface interface id Ruijie config if dot1x port control mode por...

Page 535: ...y Ruijie configure terminal Ruijie config radius vendor specific extend Configuring Dot1x MAC Authentication Bypass GUEST VLAN provides a method of network accessing without the 802 1x authentication client but this technology is unable to determine whether the access device is secure or insecure In some conditions for the network management and security although there is no 802 1x authentication ...

Page 536: ...thentication in the MAB mode With MAB port configured an authentication request packet is sent at the interval of tx period After sending the packets for reauth max times if there is no client response the port enters to the MAB mode The port in the MAB mode can learn the MAC address and use the learned MAC address as the username for the authentication MAB supports the PAP CHAP EAP MD5 authentica...

Page 537: ...annot access the network Configuring Dot1x MAC Authentication Bypass Timeout After a MAC address authentication in the MAB mode is online this MAC address will always be online unless the re auth fails the port is Down or it is forcibly offline due to the administration policy The user can configure the allowed online time of those authentication MAC address 0 is the default value indicating that ...

Page 538: ... MAB violation Ruijie show running config Show all configurations Following example shows how to configure the MAB violation Ruijie configure terminal Ruijie config interface fa 0 1 Ruijie config if dot1x mac auth bypass violation Use the erridisable recover command to restore the MAB violation port The same MAC address for the port in the private vlan appears in the primary and the secondary VLAN...

Page 539: ...nnot access the network Configuring Dot1x Auth Fail Max Attempt Fail VLAN is entered only after the client fails to pass authentication for certain times To configure the auth fail max attempt times run the following commands Command Function Ruijie config dot1x auth fail max attempt value Set the auth fail max attempt times the default value is 3 and the valid range is 1 3 Ruijie show running con...

Page 540: ...directly allow the user to pass authentication without the need to enter username after the RADIUS servers in 802 1x authentication method list have all failed AAA multi domain authentication will fail on this port IAB authenticated users won t send accounting request to the accounting server Normally authenticated users won t be affected and can still access network With 802 1x IP authorization e...

Page 541: ...r the port are disconnected the port will automatically exit from the inaccessible VLAN If the inaccessible VLAN configured doesn t exist the inaccessible VLAN will be created automatically when entered by the port and be removed automatically when exited by the port The inaccessible VLAN doesn t support private VLAN remote VLAN and super VLAN including SUB VLAN Configuring IAB Authentication with...

Page 542: ...pond the authentication request of which the username is changed but the user is still online You need to enable the multiple accounts switching function to support this type of application Use the following commands to configure the multiple accounts switching function Command Function Ruijie configure terminal Enters global configuration mode Ruijie config dot1x multi account enable Configures t...

Page 543: ...sers with multiple MAB support the server to deliver the value of the session_timeout parameter When the users log out depends on which of the two time values runs out first The multiple MAB authentication only supports mac based authentication If the authentication mode of the port is set to port based the multiple MAB authentication mode cannot be configured and take effect Conversely if the mul...

Page 544: ...enticate immediately after the authentication fails Use the following commands to configure the silence period for unauthorized multiple MAB users Command Function Ruijie configure terminal Enters global configuration mode Ruijie config dot1x multi mab quiet period value Configures the silence period for unauthorized multiple MAB users Ruijie config show running config Shows all configurations Thi...

Page 545: ... users and authenticated users 1x configuration including the current number of users and authenticated users The following example shows the 802 1x configuration Ruijie show dot1x 802 1X Status Disabled Authentication Mode EAP MD5 Authed User Number 0 Re authen Enabled Disabled Re authen Period 3600 sec Quiet Timer Period 10 sec Tx Timer Period 3 sec Supplicant Timeout 3 sec Server Timeout 5 sec ...

Page 546: ...uthentication Status Information The following example shows the user authentication status information Ruijie show dot1x summary ID MAC Interface VLAN Auth State Backend State Port Status 1 00d0f8000001 Gi3 1 1 Authenticated IDLE Authed Showing the 1x Client Probe Timer Configuration In the privileged EXEC mode you can view the 1x timer setting by performing the following steps Command Function s...

Page 547: ... below 5 Configure RADIUS server Include a managerial access device of 192 168 197 241 which uses the default authentication and accounting ports of 1812 and 1813 and the shared key of shared Configure the vlan for users of user group students Tunnel Type VLAN Tunnel Medium Type IEEE 802 Tunnel Private Group ID students Configure the vlan for users of user group trusted_students Tunnel Type VLAN T...

Page 548: ...1X to select the authentication method list configure terminal dot1x authentication default dot1x accounting default Enable 802 1X authentication on the interface configure terminal interface range fastEthernet 0 1 48 dot1x port control auto Enable dynamic VLAN assignment on the interface configure terminal interface interface_id dot1x dynamic vlan enable Create VLANs to join after user authentica...

Page 549: ...d VLAN and Native VLAN can not be modified in the TRUNK mode The port can not exit from or be added to the AP port The restrictions for the condition that the users in the VLAN have being authenticated or the users have been authenticated VLAN can not be deleted VLAN type cannot be modified such as the command private vlan primary cannot be used GVRP cannot be co used with the dynamic VLAN auto sw...

Page 550: ...ected and the authentication process will end Configuration Tips Turn on AAA switch and configure the communication between device and RADIUS SERVER configure 802 1X authentication and configure the device port for client access as controlled port here we take port F0 1 as the example corresponding to paragraph 1 of Application Needs Filter non Ruijie supplicant corresponding to paragraph 2 of Net...

Page 551: ...up ceshi as shown below Figure 0 9 Step 2 Configure access switch SwitchA Turn on AAA switch Ruijie config aaa new model Configure RADIUS server Ruijie config radius server host 192 168 32 120 Configure RADIUS Key Ruijie config radius server key ruijie Configure dot1x authentication method list Ruijie config aaa authentication dot1x hello group radius Apply dot1x authentication method list Ruijie ...

Page 552: ...onfigure maximum transmission retries as 6 times Ruijie config dot1x max req 6 Enable periodic re authentication Ruijie config dot1x re authentication Configure the re authentication interval as 1000s Ruijie config dot1x timeout re authperiod 1000 Configure the Quiet Period of device as 500s Ruijie config dot1x timeout quiet period 500 Configure the maximum authentication retries of device as 5 ti...

Page 553: ...0days 0h 2m24s User ip address is 192 168 217 82 Max user number on this port is 6000 Authorization session time is 20736000 seconds Supplicant is private Start accounting Permit proxy user Permit dial user IP privilege is 0 user acl name qq_1_0_0 Step 3 Display 1X configurations about the existing number of users and the number of authenticated users Ruijie show dot1x 802 1X Status enable Authent...

Page 554: ...2 1X port based dynamic VLAN assignment Networking requirements A company has three user groups namely development department finance department and market department The following needs must be met 1 Each member of these three user groups can be connected to any port of the access device and join the corresponding VLAN after successful authentication development department to join VLAN2 finance d...

Page 555: ...described below and we will not give other unnecessary details 1 Click User Management User Group Management and add the corresponding user group taking user group development as the example Figure 0 10 2 Click User Management User Management to insert the basic information about user and corresponding VLAN information taking user group development as the example the VLAN to which the user belongs...

Page 556: ...able Create VLANs to join after user authentication Ruijie config vlan 2 Ruijie config vlan name development Ruijie config vlan exit Ruijie config vlan 3 Ruijie config vlan name finance Ruijie config vlan exit Ruijie config vlan 4 Ruijie config vlan name market Ruijie config vlan exit Configure uplink port F0 24 as the trunk port Ruijie config interface fastEthernet 0 24 Ruijie config if FastEther...

Page 557: ...henticated Idle Authed static Step 2 Display detailed information about authenticated user Ruijie show dot1x user id 5 User name st User id 5 Type static Mac address is 00d0 f864 6909 Vlan id is 2 Access from port Fa0 1 Time online 0days 0h 4m35s User ip address is 192 168 217 82 Max user number on this port is 6000 Authorization vlan is 2 Authorization session time is 20731685 seconds Supplicant ...

Page 558: ...onfigured number of tries F0 1 will join the Guest VLAN VLAN10 By this time both Supplicant and FTP Sever belong to VLAN10 and Supplicant can access FTP Server and download 802 1x client 2 After successful authentication RADIUS server will assign VLAN2 By this time both Supplicant and F0 24 belong to VLAN2 and Supplicant can access Internet Configuration Tips Turn on AAA switch and configure the c...

Page 559: ...accounting jizhang Configure the port as controlled port enable port based authentication Ruijie config interface fastEthernet 0 1 Ruijie config if FastEthernet 0 1 dot1x port control auto Enable dynamic VLAN assignment on the corresponding interface Ruijie config if FastEthernet 0 1 dot1x dynamic vlan enable Enable GUEST VLAN assignment on the interface Ruijie config if FastEthernet 0 1 dot1x gue...

Page 560: ...ummary ID MAC Interface VLAN Auth State Backend State Port Status User Type 8 00d0 f864 6909 Fa0 1 2 Authenticated Idle Authed static Step 2 Display detailed information about authenticated user Ruijie show dot1x user id 8 User name st User id 8 Type static Mac address is 00d0 f864 6909 Vlan id is 2 Access from port Fa0 1 Time online 0days 0h 4m25s User ip address is 192 168 201 56 Max user number...

Page 561: ...e to access network freely 3 Dynamic user is not allowed to move between multiple authentication ports 4 The IP of an authenticated user must be assigned by the RADIUS Server namely the authenticated user can only use the IP specified by RADIUS Server to access network Configuration Tips Turn on AAA switch and configure the communication between device and RADIUS SERVER Configure 802 1X authentica...

Page 562: ...up radius Apply 802 1X accounting method list Ruijie config dot1x accounting jizhang Configure the port as controlled port enable port based authentication Ruijie config interface range fastEthernet 0 1 22 Ruijie config if range dot1x port control auto Configure the control mode of user authentication under the corresponding port as port based authentication Ruijie config if range dot1x port contr...

Page 563: ...te information of current user Ruijie show dot1x summary ID MAC Interface VLAN Auth State Backend State Port Status User Type none 00d0 f864 6909 Fa0 1 1 Authenticated Idle Authed Dynamic Step 2 Move this user to another authenticated port It can be found that the user won t be able to access network ...

Page 564: ...terlinks on the portal server page therefore it has a promising prospect Ruijie Web Authentication There are two versions of Ruijie Portal server They are called Ruijie first generation web authentication and Ruijie second generation web authentication because different version has different authentication process A simple version of the Portal server is designed on devices which is called the bui...

Page 565: ...ackets the receiver responds with a 200 packet if it is able to provide the required resources or the receiver responds with a 302 packet if it is unable to do so A new site path is provided in the 302 message After the user has received the response it may re send the HTTP GET or HEAD request packets to the new site for requesting resources which is called redirection HTTP redirection is an impor...

Page 566: ...nd sends it to the authentication server and then notifies the user and the access device about the results of the authentication 8 Radius Server It provides radius protocol based authentication for remote users The Portal server collects authentication account information of the user and sends authentication request to the RADIUS server based on radius protocol The RADIUS server replies the authe...

Page 567: ...s User logout procedures There are two types of user logout one is the logout detected by the access device because the user s time is out and the flow is used up or the link is interrupted The other one is that the logout detected by Portal Server because the user triggers the logout application through a logout page or the keep alive page is invalid 12 Scenario 1 The access device detects the us...

Page 568: ...equests when the user uses the browser to access the network 16 Access device generally refers to an access layer device for example a wireless AP in a WLAN in the network topology It is generally directly connected to the user s terminal device and web authentication must be enabled on the access device The access device receives the authentication information of the user from the Portal server a...

Page 569: ...ser with a page to indicate the result success or failure Figure 3 Ruijie second generation web authentication procedures User logout procedures There are two types of user logout one is the user logout detected by the access device because user s time is out the flow is used up or the link is interrupted The other is that the user logout detected by the Portal Server because the user triggers the...

Page 570: ... authentication Portal Server In Ruijie first generation web authentication mechanism the Portal Server is only responsible for the webpage interaction with client user authentication and the notification of access device about whether the user can access network In Ruijie second generation web authentication mechanism the Portal Server is responsible for the webpage interaction with the client no...

Page 571: ...ling web authentication on port By default web authentication is not enabled Configuring the IP address of the server to be redirected for web authentication First generation Web authentication By default the IP address of server is not configured on the device Configuring the redirected URL for web authentication first generation Web authentication By default the URL of the authentication page of...

Page 572: ...ctly without authentication required for the first and second generation web authentication By default except the IP address of Portal Server all other IP addresses can only be accessed upon successful authentication Configuring the interval to update the information about authenticated users By default the information about online users is updated every 180 seconds on the device Configuring the I...

Page 573: ...tions for detailed configurations Configuring Relevant Parameters of Ruijie First Generation Web Authentication Configuring Relevant Parameters of Ruijie Second Generation Web Authentication Configuring the Version of Web Authentication Configuring the version of web authentication By default the first generation web authentication mechanism is used To configure global web authentication version p...

Page 574: ...de optional by default after the user passes the web authentication its IP address and MAC address are bound with the port When the physical interface is downlinked with layer 3 device you need to use this parameter to bind user s IP address with the port after passing the authentication in case that a MAC address is associated with multiple IP addresses In switchover mode all online users under t...

Page 575: ...ure relevant parameters of the first generation web authentication Configuring the IP Address of Portal Server Configuring the URL of the Authentication Page of Portal Server Optional Configuring the Communication Key Used Between Device and Portal Server Configuring the SNMP Parameters Used Between Device and Portal Server Configuring the IP Address of Portal Server To successfully deploy Ruijie ...

Page 576: ...ing steps to configure the URL of the authentication page of Portal Server Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config http redirect homepage url string Set the homepage URL of authentication page as url string which must start with http or https and is not case sensitive with maximum length of 255 characters You are allowed to specify the HTTP list...

Page 577: ...rypted to enhance security Therefore to successfully apply the first generation web authentication you have to configure the communication key used between the device and the authentication server By default the communication key used between the device and authentication server is not configured The configuration steps are shown below Command Function Ruijie configure terminal Enter the global co...

Page 578: ...ms version 2c community string web auth Configure the destination host sending web authentication messages type version community and other parameters Ip address IP address of destination host namely the IP address of the first generation Portal Server Inform Configure sending SNMP Inform messages Since the device will send messages to the first generation Portal Server while the user is offline t...

Page 579: ...cond Generation Web Authentication By default the second generation web authentication is disabled Likewise to use the second generation web authentication you have to configure relevant parameters The following sections describe how to configure parameters of the second generation web authentication Creating Portal Server Configuring AAA Authentication Method List of Web authentication Configurin...

Page 580: ...rly created Configuration example The following example shows how to create a Portal Server named edu server with IP address being 172 20 1 10 and authentication page URL being http 172 20 1 10 7080 index php Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config portal server edu server ip 172 20 1 10 url http 172 20 1 10 7080 index php Ruijie config sho...

Page 581: ...evice needs to send accounting messages to the Radius Server If the second generation web authentication mechanism is selected you need to configure AAA accounting method list on the device By default AAA accounting method list is not configured The configuration steps are shown below Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config aaa new model Enable ...

Page 582: ...he communication key used between the device and Portal Server with the maximum length of 255 characters Ruijie config show web auth View global configuration and statistics of web authentication To remove the communication key used between the device and Portal Server execute the no web auth portal key command in the global configuration mode Configuration example Set the communication key used b...

Page 583: ...entication method list is removed the authentication method list named default will be used by default Configuring Global Accounting Method List The accounting method list and the authentication method list are subject to the same restrictions to configuration Please refer to the previous sections for details By default the global accounting method list is named default Perform the following steps...

Page 584: ...2 ip ip address port port num url url string Creating a Portal Server Ruijie config web auth portal eportalv2 Specify the global Portal Server Ruijie config show running config View the configuration of the device To restore to the default Portal Server execute the web auth portal eportalv2 command in the global configuration mode Configuration example Create a portal server named centre portal an...

Page 585: ...global configuration mode Configuration example Set the accounting update interval to 3 minutes Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config web auth acct update interval 3 Ruijie config show web auth portal parameters If the Access Accept message from the Radius Server carries the attribute of the accounting update interval and the attribute va...

Page 586: ...ortal Display relevant configuration and statistics of the second generation web authentication Configuring the Optional Features of Web Authentication The preceding description provides the required configurations for web authentication In addition to these configurations web authentication also provides some optional features which apply to both the first generation and the second generation web...

Page 587: ...the redirection port Actually except for port 80 HTTP protocol hardly uses port whose port number is less than 1000 To avoid confliction with well known TCP ports it is not recommended to set port with small port number as the redirection port unless it is necessary 2 Although port 80 is the default port it can be deleted by the user However as port 80 is a standard HTTP communication port you are...

Page 588: ...ie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config http redirect session limit 10 Ruijie config show http redirect If you see no authentication page during authentication it is very likely that the HTTP sessions imitated by the user has reached maximum number In this case you are recommended to temporarily quit some applications which may take up HTTP ses...

Page 589: ...ding security patches visiting bulletins this command may be used to define the scope of network resources requiring no authentication If a site falls within the scope network resources requiring no authentication after the scope has been set all users including unauthenticated users can access the site By default no network resources requiring no authentication is set so authenticated users are n...

Page 590: ...raffic generated of authenticated users every 180 seconds To change the interval for updating information of online users perform the following steps Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config web auth update interval seconds Set seconds to be the information updating interval of online users with the value scope being 30 3600 seconds Ruijie config...

Page 591: ... 4 Set the maximum number of entries of authentication free IP addresses and authentication free accessible network resources to 50 Ruijie config show http redirect View the global configuration information and the statistics of Web authentication To cancel the authentication free IP in the global configuration mode use no web auth direct host ip address ip mask Configuration Example Configure the...

Page 592: ...re terminal Enter configuration commands one per line End with CNTL Z Ruijie config web auth offline detect flow idle timeout 3 threshold 1024 Ruijie config show running config The Web authentication supports the following three methods of logout detection 1 Link based detection Assume that the user logs out when user s physical signal is disconnected 2 Traffic based detection This functionality i...

Page 593: ...Figure 2 Networking topology for web authentication solution The user PCs are connected to the access devices whose upstream ports are connected to the convergence device The convergence device is connected to the core device which allows the user PCs to access the Internet The servers are deployed in the server area and they are connected to the core device through an internal network PC1 and PC2...

Page 594: ...e maximum number of connections for each IP address must be set to a large value if possible If users with web authentication enable too much software that features automatic connection the software must be disabled before users access the Internet When a user PC needs to perform web authentication the user PC must initiate an HTTP connection which requires the user PC to obtain an IP address reso...

Page 595: ... If the ARP function is enabled configure the IP address of the gateway as the network resource range of free authentication and add the arp option This ensures that PCs can complete the DNS and ARP query process before authentication On the access devices configure the IP address of the gateway that is connected to PCs downstream as the network resource range of free authentication Ruijie config ...

Page 596: ...92 168 4 12 255 255 255 255 Fa0 3 On 38 Query the authentication configuration and statistics on interfaces Ruijie show web auth port control Port Control FastEthernet 0 1 Off FastEthernet 0 2 On FastEthernet 0 3 On Typical Configuration Examples of Second generation Web Authentication Networking Requirements The network is deployed with a Radius server a Portal server which may integrate the func...

Page 597: ...gateway serving PC1 and PC2 is 192 168 4 1 The domain name of the Portal server is www web_auth com which can be resolved by the internal DNS server The URL of the web authentication page is http www web_auth com webportal index jsp If no internal DNS server is deployed go to the preceding URL to configure the IP address of the web authentication server The SAM server works as the Radius server wh...

Page 598: ...d an ARP reply packet sent by the gateway In this case the access device allows the user PC to send an ARP request packet to the gateway before authentication This situation may create chance for ARP spoofing If a user sends ARP packets to the gateway by forging the IP addresses of other users on the same VLAN the gateway will learn incorrect ARP entries affecting other users on the same VLAN The ...

Page 599: ...WEB Authentication Configuration Verification Query the authentication configuration and statistics on interfaces Ruijie show web auth port control Port Control FastEthernet 0 1 Off FastEthernet 0 2 On FastEthernet 0 3 On ...

Page 600: ...upport Algorithms Support algorithm SSH1 SSH2 Signature authentication algorithm RSA RSA DSA Key exchanging algorithm RSA public key encryption based key exchanging algorithm KEX_DH_GEX_SHA1 KEX_DH_GRP1_SHA1 KEX_DH_GRP14_SHA1 Encryption algorithm DES 3DES Blowfish DES 3DES AES 128 AES 192 AES 256 User authentication algorithm User password based authentication method User password based authentica...

Page 601: ...SH Server is disabled by default To enable the SSH Server run the enable service ssh server command in the global configuration mode while generating SSH key Command Description configure terminal Enter the global configuration mode enable service ssh server Enable SSH Server crypto key generate rsa dsa Generate the key Caution To delete the key use the crypto key zeroize command rather than the n...

Page 602: ...meout period Command Description configure terminal Enter the configuration mode ip ssh time out time Configure the SSH timeout period 1 120sec no ip ssh time out Restore the SSH default user authentication timeout period 120 seconds Configuring SSH Re authentication Times This command is used to set the authentication attempts for SSH user requesting connections to prevent illegal actions such as...

Page 603: ...CP Server Function With the SCP server enabled on a network device the user can directly download files from the network device and upload local files to the network device Meanwhile the user can transfer all interactive data in encrypted text manner featuring authentication and security Command Description Ruijie configure terminal Enter the configuration mode Ruijie config ip scp server enable E...

Page 604: ...e default number of the port for SSH listening Username indicates the username and does not take effect when the device only requires password Authentication indicates the authentication mode and the username password authentication is supported here The used password is the same as the Telnet password Click OK to pop up the following dialog Figure 2 Click Connect to log into the host just configu...

Page 605: ...e host 192 168 5 245 to see whether the key from the server end is received or not Select Accept Save or Accept Once to enter the password confirmation dialog box as shown below Figure 4 Enter the Telnet login password to enter the UI that is the same as the Telnet See the diagram below Figure 5 ...

Page 606: ...wing uses the client software SecureCRT as an example for describing how to generate the key pair on the client Step 1 In the Authentication option of Session Option select PublicKey and then Properties See the following figure Figure 6 Figure Click Properties If the key pair has been generated you can choose the used private key Use identity or certificate file Note that the private key must be p...

Page 607: ...tion During key generation do not move the cursor continuously or the creation takes a long time The key file of the OpenSSH format must be selected or the key file cannot be used If Putty serves as the client the puttygen exe tool must be used to transform the private key into the Putty format The puttygen exe tool can generate the key pair of the OpenSSH format but Putty cannot directly use such...

Page 608: ...ic key and a DSA public key See the following contents Ruijie configure terminal Ruijie config ip ssh peer test public key rsa flash rsa pub Ruijie config ip ssh peer test public key dsa flash dsa pub In this way the client can log in to the network device using the public key based authentication method Using SSH to Transfer Files Operations on a Server Secure CoPy SCP is used in SSH file transfe...

Page 609: ...out some options 1 uses the SSH1 version If the value is not specified SSH2 is used by default 2 uses SSH2 by default C specifies that compression transfer is used c specifies the encryption algorithm that is used r specifies that an entire directory is transferred i specifies the key file that is used l restricts the transfer speed in Kbits For the description about other parameters see the scp 0...

Page 610: ...network devices does not support the options d p q r When these options are used the system will prompt that they are not supported During files downloading if the speed is not restricted option l is not used the CPU usage of the network device increases during downloading and recovers to normal status after downloading ends The console can still be used but other application tasks will be affecte...

Page 611: ... to make the corresponding secure policy Meanwhile RG Security Agent automatically downloads new secure policy from the SMP and implement the specified secure policy at the local end RG Restore System RG Restore System performs the following operations for the abnormal actions For the users not correspond to the enterprise secure policy the administrator shall pre set the corresponding policies in...

Page 612: ...Switch is responsible for receiving the policy from RG SMP installing the policy and controlling the users according to the installed policy Configuring GSN Security Switch Enabling the GSN Security Switch By default the GSN security solution switch is enabled Command Function configure terminal Enter the global configuration mode no security gsn enable Enable the global GSN security switch The fo...

Page 613: ...e Minimum Security Event Interval To prevent the illegal users from faking the security event and frequently sending the security events to attck the security switch and SMP you can set the minimum interval to notify the security event Run the following commands to set the minimum security event interval Command Function configure terminal Enter the global configuration mode no security event inte...

Page 614: ... function shall be disabled Viewing GSN Configuration show smp server In the privileged mode show the smp server information by using the following commands Command Function Ruijie show smp server Show the smp server information For example Ruijie show smp server SMP Server IP 192 168 217 220 showing security event interval In the privileged mode show the minimum security event interval by using t...

Page 615: ...onflicted with GSN Due to the GSN application features GSN conflicts with the following functions 1 GSN can not be co used with 802 1x IP authorization 2 GSN can not be co used with port security 3 GSN does not support the policy installation on the AP port and the port with policy installed can not join in the AP port The installed policy on the corresponding port shall be removed before adding a...

Page 616: ...PU of the supervisor engine are classified according to their L2 L3 and L4 information The types of packets are different for L2 and L3 switches The CPU ports have eight priority queues You can configure the queue for each type of packet and the hardware can automatically send the packets of the type to the specified queue according to your configuration To ensure that the protocol packets with di...

Page 617: ...et In the configuration mode configure the priority value of each type of packet by performing the following steps Command Function Ruijie config cpu protec type arp bpdu dhcp ipv6mc igmp rip ospf vrrp pim err ttl unknown ipmc pri pri_vaule Set the priority value for the packets pri_value is an integer Ruijie end Return to the privileged mode This example shows the priority value configuration pro...

Page 618: ...00 24 0 dhcp 0 0 0 gvrp 0 0 0 ipv6 mc 0 0 0 igmp 0 0 0 ospf 0 0 0 pim 0 0 0 rip 0 0 0 vrrp 0 0 0 unknow ipmc 0 0 0 err ttl 0 0 0 Showing the Statistics of the Packets Received by the CPU of the Line Card In the privileged mode show the statistics of the packets received by the CPU of a specific line card by using the following commands Command Function Ruijie show cpu protect slot slot_id Show the...

Page 619: ...config show cpu protect type arp Slot Type Pps Total Drop MainBoard arp 200 15 0 Slot 2 arp 200 15 0 Caution 1 Packet speed restriction is measured by the software so a slight number deviation of packets is normal 2 The actual information printed may be different from the example Showing the Summary of CPP Priority Queue and Bandwidth In the privileged mode show the summary of CPP priority queue a...

Page 620: ...6 tunnel bpdu 180 6 ipv4 icmp local 180 0 dhcps 180 4 gvrp 180 4 tunnel gvrp 180 4 dvmrp 180 3 igmp 180 3 ospf 180 5 pim 180 3 rip 180 5 vrrp 180 5 stargv 180 0 unknown ipmc 180 2 err ttl0 180 0 err ttl1 180 0 isis es 180 0 isis is 180 0 isis l1is 180 0 isis l2is 180 0 ipv6mc 600 0 dhcp relay c 180 4 dhcp relay s 180 4 option82 180 4 ...

Page 621: ...Configuration Guide CPU Protection Configuration udp helper 180 4 dhcp client 180 4 lacp 180 4 ...

Page 622: ...ets from entering the LAN to form a storm Configuring Storm Control In the interface configuration mode use the following command to configure storm control Command Function Ruijie config if storm control broadcast multicast unicast level percent pps packets rate bps broadcast Enable the broadcast storm control function multicast Enable the unknown multicast storm control function unicast Enable t...

Page 623: ...0 1 Disabled Disabled Disabled none GigabitEthernet 0 2 Disabled Disabled Disabled none GigabitEthernet 0 3 Disabled Disabled Disabled none GigabitEthernet 0 4 Disabled Disabled Disabled none GigabitEthernet 0 5 Disabled Disabled Disabled none GigabitEthernet 0 6 Disabled Disabled Disabled none GigabitEthernet 0 7 Disabled Disabled Disabled none GigabitEthernet 0 8 Disabled Disabled Disabled none ...

Page 624: ...ing to the SPAN setting Therefore it is not recommended to set the destination port of SPAN as the protected port and you can also save system resources by doing so The device supports setting the Aggregated Port as the protected port Once you do that all the member ports of the Aggregated Port will be set as the protected port Configuring the Protected Port Set one port as the protected port Comm...

Page 625: ...e maximum value Note that however the automatically learned secure addresses will not be bound with the IP address On the same port if you have configured a secure address bound with the IP address the port cannot be added with any secure address by automatic learning Manually configure some secure addresses and let the device to learn the rest The port security also supports the Sticky MAC addres...

Page 626: ...ty can ensure the validity of the network users You can enable either of them to control port access At the same time the secure addresses of the IP MAC addresses and IP addresses share with the ACLs the hardware resources of the system Therefore when you apply the ACLs on one secure port the IP MAC addresses and IP addresses on the port can be configured with less secure addresses The secure addr...

Page 627: ...ess sticky Enable the Sticky MAC address learning In the interface configuration mode you can disable the port security function of an interface with the command no switchport port security Use the command no switchport port security maximum to recover to the default maximum value Use the command no switchport port security violation to set violation handling to the default mode Use the command no...

Page 628: ...terface id mac address mac address vlan vlan_id In the global configuration mode manually configure the secure addresss on the port In the interface configuration mode add secure addresses for secure ports by using the following commands Command Function Ruijie config if switchportport security mac address mac address vlan vlan_id In the interface configuration mode manually configure the secure a...

Page 629: ...an 1 Ruijie config if end Configuration of Secure Address Binding on the Secure Port In the global configuration mode add secure address binding for secure ports by using the following commands Command Function Ruijie config switchport port security interface interface id binding mac address vlan vlan_id ipv4 address ipv6 address In the global configuration mode manually configure the secure addre...

Page 630: ...espond to the secure addrss binding or IP binding can not be forwarded Configuration of Aging Time for Secure Addresses You can configure the aging time for all the secure addresses on an interface To enable this function you need to set the maximum number of secure addresses In this way you can make the device automatically add remove the secure addresses to from the interface In the interface co...

Page 631: ...commands Command Function Ruijie show port security interface interface id View the port security configuration of an interface Ruijie show port security address View the secure address information Ruijie show port security address interface id Show the secure address information on an interface Ruijie show port security Show the statistics of all the security ports including the maximum number of...

Page 632: ...P Check function filters all ARP packets on the logic interface and dropps all illegal ARP packets avoiding the ARP fraud in the network and improving the network stability Ruijie switches support multiple IP security application such as IP Source Guard globle IP MAC binding port security ect which effectively filter the user IP packets and avoid the illegal user to use the network resources The A...

Page 633: ...disable the ARP Check function 1 Global IP MAC binding 2 802 1X IP authorizaiton 3 IP Source Guard 4 GSN binding Adding the legal user for the first time or removing the last legal user may trigger to enable disable the ARP Check function 1 IP MAC binding mode for the port security 2 IP only mode for the port security ARP check is enabled no matter whether there is security configuration If there ...

Page 634: ...on the interface Command Actio n Ruijie show interface interface type interface number arp check list Show the ARP check entry information The example below shows the ARP check entry information Ruijie show interfaces arp check list Interface Sender MAC Sender IP Policy Source Gi 0 1 00D0 F800 0003 192 168 1 3 address bind Gi 0 1 00D0 F800 0001 192 168 1 1 port security Gi 0 4 192 168 1 3 port sec...

Page 635: ...receives a TCP message with nonexistent target port it will reply a message with RST flag 5 PSH notifies the protocol stack to push up TCP data to the upper layer program as soon as possible Invalid TCP message attack consumes host resources and leads to system crash by setting invalid flag fields The followings are some frequently found invalid TCP messages 1 TCP message with both SYN bit and FIN...

Page 636: ... no ACK flag to the target host leading to the crash of target host DoS Protection Configuration Default DoS Protection Configuration The default DoS protection configuration is given below Function Default setting land attack Off against invalid tcp attack Off Defend against Land attack To enable Land attack protection function run the following commands Command Function Ruijie configure terminal...

Page 637: ...ip deny invalid tcp DoS Protection Mode State protect against invalid tcp attack On Ingress Filtering for DoS Attack Protection Overview In recent years the spread of various DoS Denial of Service attack messages over Internet has brought about considerable troubles to Internet users There are many kinds of DoS attacks while the basic form of DoS attack utilizes valid service requests to occupy ex...

Page 638: ...DoS attacks The filtering is achieved through the automatic generation of specific ACLs by the switch itself and will not pile any pressure on network forwarding Of course you can also use the address binding or Dot1x function of Ruijie network switch to achieve filtering effect or by setting up ACLs Typical applications A ISP deploys ingress filtering on the access router to prevent messages with...

Page 639: ...ltering on the designated layer 3 interface the system will automatically establish the corresponding ACL for the network interface to restrict the access of disguised source IP and apply the ACL to the ingress of layer 3 interface For example The network address on SVI 1 is 192 168 5 1 24 If ip deny spoofing source is configured in the interface configuration mode the following ACL will be genera...

Page 640: ...t DoS Attack To set up ingress filtering run the following commands Command Function Ruijie configure terminal Enter global configuration mode Ruijie config interface interface id Enter layer 3 interface Ruijie config if ip deny spoofing source Ingress filtering function to defend against disguised source IP based DoS attacks Drop all incoming messages without consistent prefix with this network i...

Page 641: ...ds the DHCP OFFER packet After receiving the DHCP OFFER packet the DHCP Client sends a DHCP REQUEST packet to obtain the server lease After receiving the DHCP REQUEST packet the server verifies whether the resources are available If so it sends a DHCP ACK packet If not it sends a DHCP NAK packet Upon receiving the DHCP ACK packet the DHCP Client starts to use the resources assigned by the server i...

Page 642: ...tion to create a DHCP Snooping binding database for ARP inspection and query The following DHCP packets are considered illegal The DHCP reply packets received on the UNTRUST ports including DHCPACK DHCPNACK DHCPOFFER etc DHCP Client values in the source MAC and DHCP packets are in different packets when MAC check is enabled DHCPRELEASE packets whose port information is inconsistent with that in th...

Page 643: ...database to the IP packet hardware filtering entry DHCP Snooping only allows those legal users to send the IP packets preventing the illegal users from setting the private IP addresses DHCP Snooping Related Security Functions DHCP Snooping address binding only filters the IP packets rather than the ARP packets To enhance the security and prevent ARP spoof it is necessary to filter the illegal ARP ...

Page 644: ...inal Enter the global configuration mode Ruijie config no ip dhcp snooping Enable or disable DHCP snooping The following example demonstrates how to enable the DHCP snooping function of the device Ruijie configure terminal Ruijie config ip dhcp snooping Ruijie config end Caution DHCP Snooping and Private VLAN function can not be co used Configuring DHCP Snooping VLAN This command enables DHCP Snoo...

Page 645: ... all DHCP request packets and removed from all reply packets Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config no ip dhcp snooping Information option standard format dot1x format Set DHCP snooping information option including extension standard and DOT1X formats Ruijie config no ip dhcp snooping information option format remote id string ASCII string host...

Page 646: ...Enter the global configuration mode Ruijie config no ip dhcp snooping database write delay time Specify the interval at which the switch writes the DHCP database to the flash time 600s to 86400s The default value is 0 The following example sets the interval at which the switch writes the DHCP databse to the flash to 3600s Ruijie configure terminal Ruijie config ip dhcp snooping database write dela...

Page 647: ...ow to set GigabitEthernet 4 1 as a TRUST port Ruijie configure terminal Ruijie config interface GigabitEthernet 4 1 Ruijie config if ip dhcp snooping trust Ruijie config if end Configuring Rate of Receiving DHCP Packet This command configures rate of receiving DHCP in the corresponding interface Command Description Ruijie configure terminal Enter the global configuration mode Ruijie config interfa...

Page 648: ...CP Snooping execute the following command Command Description Ruijie show ip dhcp snooping Show the configuration of DHCP snooping For example Ruijie show ip dhcp snooping Switch DHCP snooping status ENABLE DHCP snooping Verification of hwaddr fieled status DISABLE DHCP snooping database wirte delay time 0 seconds DHCP snooping option 82 status ENABLE DHCP snooping Support Bootp bind status ENABLE...

Page 649: ...from setting up DHCP Server without permission Configuration Tips Enable DHCP Snooping on the access device Switch B and configure the uplink port Gi0 1 as the trusted port Configuration Steps Configure Switch B Step 1 Enable DHCP Snooping Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config ip dhcp snooping Step 2 Configure the uplink port as the trust...

Page 650: ...04204204204204204 Ruijie show ip dhcp snooping Switch DHCP snooping status ENABLE DHCP snooping Verification of hwaddr status DISABLE DHCP snooping database write delay time 0 seconds DHCP snooping option 82 status DISABLE DHCP snooping Support bootp bind status DISABLE Interface Trusted Rate limit pps GigabitEthernet 0 1 YES unlimited S tep 3 Verify the database bound with DHCP Snooping address U...

Page 651: ...protocol The most typical one is the man in the middle attack which is described as follows As shown in the diagram devices A B and C are connected to Ruijie device and located in the same subnet Their IP and MAC addresses are respectively represented by IPA MACA IPB MACB and IPC MACC When device A needs to communicate with device B in the network layer device A broadcasts an ARP request in the su...

Page 652: ...nction enabled Check the validity of the intercepted ARP packets according to the setting of DHCP database before further processing Release the packets that do not pass the inspection Appropriately process the packets that pass the inspection and send them to the destinations According to the DHCP snooping binding database whether ARP packets is valid or not can be checked For details refer to DH...

Page 653: ...th vlan id vid ARP packet rate restriction is not skipped Use the show ip arp inspection vlan command to check whether the DAI packet check function has been enabled for all VLANs To configure the DAI packet check function for VLAN execute the following commands in the interface configuration mode Command Function Ruijie config ip arp inspection vlan vlan id Turn on the DAI packet check function s...

Page 654: ...g Whether DAI Function Is Enabled for VLAN To show the enabling status of VLAN execute the following command in the global configuration mode Command Function Ruijie config show ip arp inspection vlan Show the enabling status of each VLAN Showing DAI Configuration Status of Each Layer 2 Interface To show the DAI configuration status of each layer 2 interface execute the following command in the gl...

Page 655: ...d to have higher security characters because of the illegal packets or even attack packets from the clients as shown in Figure 3 and various feigned servers as shown in Figure 2 in the network DHCP Snooping solves the problem The security problem of traditional DHCP mode can be solved by enabling DHCP Snooping on the device connecting the DHCP server with the DHCP clients DHCP Snooping divides the...

Page 656: ... Snooping By filtering DHCP packets DHCP Snooping shields feigned servers and block the attacks from the clients However it cannot control the users assign IP addresses privately Those users easily lead to conflict of network addresses and be harm to the management of network addresses To prevent the clients from assigning addresses ...

Page 657: ...pt for DHCP packets will be checked on the port Only the users attaining IP addresses through DHCP and the configured static binding users can access the network IP Source Guard supports source MAC and source IP based filtering or source IP based filtering In the former case IP Source Guard will check the source MAC and source IP addresses of all packets and only allow those packets matching the h...

Page 658: ...ss Binding User By default static binding user is not existent In some application environment you may need to use static IP address to access networks which can be implemented by configuring static binding users Command Description Ruijie configure terminal Enter the global configuration mode Ruijie config no ip source binding mac addrees vlan vlan_id ip address interface interface id Configure s...

Page 659: ...t 0 4 ip mac active deny all Showing Hardware based IP Packet Filtering Database Use this command to show the related information of hardware based IP packet filtering database Command Description Ruijie show ip source binding ip address mac address dhcp snooping static vlan vlan id interface interface id Show the hardware based IP packet filtering database For example Ruijie show ip source bindin...

Page 660: ...ify the next hop information of relevant route in the host routing table Therefore the attacker may send invalid RA message and redirect message to modify the routing table of the host being attacked such as gateway IP address so as to implement DoS attack and man in the middle attack Such forms of attacks are called routing information attack In order to defend against the aforementioned attacks ...

Page 661: ...device flow limiting ND Snooping and IPv6 Compatibility Mode In order to control IPv6 messages some IPv4 security policies provide the configuration option of IPv6 compatibility mode ND Snooping function can only work under the strict mode of IPv6 compatibility mode For details about IPv6 compatibility mode please refer to the section of IPv4 MAC binding Protocol Specification RFC 2464 Transmissio...

Page 662: ...Ethernet 0 1 to Trust interface Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config interface fastethernet 0 1 Ruijie config if ipv6 nd snooping trust Displaying ND Snooping Displaying ND Snooping Configurations Command Function Ruijie show ipv6 nd snooping interface Display the ND snooping configurations Interface only display interface information Fo...

Page 663: ...guration to assign IPv6 addresses and now intends to deploy IPv6 ND Snooping to realize the following objectives ND routing information attack protection Network Topology The network adopts stateless address auto configuration to configure the IPv6 address of interface The FA 0 1 interface of Switch is linked to router Host A is linked to FA 0 2 interface of Switch VLAN1 Host B is linked to FA 0 3...

Page 664: ...uration commands one per line End with CNTL Z Ruijie config ipv6 nd snooping Configure trust attribute of the interface Ruijie config interface fastethernet 0 1 Ruijie config if ipv6 nd snooping trust Ruijie config if exit Verification Ruijie show ipv6 nd snooping Global switch enabled ND Snooping is disabled in following VLANs ...

Page 665: ...oping Configuration None Address resolution check disabled software Route information check enabled software Stateless user monitor disabled Stateless user bind disabled loose IP only Interface Trusted Combine security Gi0 1 Y N ...

Page 666: ...low illustrates a typical DHCPv6 interaction process Solicit Advertise Request Reply DHCPv6 Client DHCPv6 Server Figure 1 Typical DHCPv6 interaction process 1 The DHCPv6 client sends a multicast solicitation message with the destination IP address of FF02 1 2 and the destination UDP port of 547 through a local link All the DHCPv6 server and the DHCPv6 relays along this link will receive this messa...

Page 667: ...e user belongs to and lease period and thus the DHCPv6 Snooping prefix database is generated If the DHCPv6 server allocates IPv6 address a user entry is formed based on the information like the allocated IPv6 address user MAC address port where the user is located in ID of the VLAN the user belongs to and lease period and thus the DHCPv6 Snooping binding database is generated Basic Concepts Truste...

Page 668: ...do IPv6 communication through this address Caution Once IPv6 source guard is enabled all IPv6 packets will not be forwarded by default To enable communication through local link address configure security channel and associate with corresponding ACL For details refer to ACL Configuration Guide Protocol Standards Related protocol standards RFC3315 Dynamic Host Configuration Protocol For Ipv6 RFC500...

Page 669: ...Disabled Filter DHCPv6 request packet on the port Disabled Port address binding Disabled Ignore the failure to look up the destination port Disabled Clear the dynamically bound entry when the port is down Disabled Add dynamically bound entry delay to the hardware filtering table Disabled Enabling Disabling DHCPv6 Snooping Globally By default DHCPv6 Snooping is disabled To enable DHCPv6 Snooping gl...

Page 670: ...g commands in the privileged EXEC mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config ipv6 dhcp snooping vlan vlan list vlan min vlan max Enable DHCPv6 Snooping for the specific VLAN Ruijie config show ipv6 dhcp snooping Show the DHCP Snooping configuration To restore the setting to the default value run the default ipv6 dhcp snooping vlan vlan list vl...

Page 671: ...lash file at the interval of 10 minutes or 600 seconds Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config ipv6 dhcp snooping database write delay 600 Writing the Bound Database to Flash File in Real Time Administrator can manually write the bound database to Flash file before rebooting the device to guarantee the normal operation of the bound user in ...

Page 672: ...ed by DHCPv6 Snooping To delete the statically bound entries run the no ipv6 source binding mac address vlan vlan id ipv6 address interface interface name command in the global configuration mode Configuration example Add a statically bound user Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config ipv6 source binding 00d0 f866 4777 vlan 10 2001 2002 200...

Page 673: ... DISABLE DHCPv6 snooping link detection DISABLE Interface Trusted Filter DHCP FastEthernet0 10 yes DISABLE Caution When DHCPv6 Snooping is enabled globally and enabled on the specific VLAN the port in the VLAN connecting to the DHCPv6 server should be set to be trusted for normal DHCPv6 interaction for the users in the VLAN Filtering DHCPv6 Request Message on the Port To limit the users under a po...

Page 674: ...s should be allowed to pass through this port Configuring security channel or enable ND Snooping can realize this end to detect IPv6 address conflict For details refer to the configuration sections of related functions When a user applies IPv6 address through DHCPv6 interaction DHCPv6 Snooping will add the corresponding user bound information to the hardware filtering table so that his IPv6 packet...

Page 675: ...e ports of the specific VLAN in broadcast form or directly forwarded to the source port the DHCP request message recorded in the DHCPv6 Snooping database To ignore the failure to look up the destination port run the following commands in the privileged EXEC mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config ipv6 dhcp snooping ignore dest not found Ign...

Page 676: ...added to the hardware filtering table in real time When the DHCPv6 client detects IPv6 address conflict it responds with the DHCPv6 decline message based on which DHCPv6 Snooping deletes the dynamically bound entry With this function enabled the dynamically bound entries will be added to the hardware filtering table only when IPv6 address conflict is not detected in the specific period of time In ...

Page 677: ...6 dhcp snooping Show DHCPv6 Snooping configuration show ipv6 dhcp snooping statistics Show DHCPv6 Snooping statistics show ipv6 dhcp snooping binding Show all dynamically bound entries of DHCPv6 Snooping binding database show ipv6 dhcp snooping prefix Show all entries of the DHCPv6 Snooping prefix database show ipv6 source binding Show all manually added statically bound entries and all dynamicall...

Page 678: ...intercepted and results in ARP spoofing Thus we may configure gateway anti arp spoofing on the Layer 2 switches to prevent the gateway anti ARP spoofing After gateway anti arp spoofing has been configured we may check at the port whether the source IP address of an ARP packet is the IP address of the gateway we have configured If it is this packet will be discarded to prevent an user to receive a ...

Page 679: ...oofing at an upper link port After gateway anti arp spoofing or arp check has been configured ipv6 acl cannot be used any longer Vice versa Monitoring View the gateway anti arp spoofing of a switch Command Function Ruijie show anti arp spoofing Show the gateway anti arp spoofing information of all interfaces ...

Page 680: ...revents the system from being attacked releasing the CPU load and ensuring the normal and stable operation of various system services and the whole network NFPP Principle As shown in the Figure 1 the processes of the NFPP datagram processing include hardware filtering CPU Protect Policy CPP packet attack detection rate limit Protocol Manage Route flow classification focus rate limit and ultimately...

Page 681: ... executing the show cpu protect summary command 2 Packet attack detection Rate limit NFPP provides the host based port based attack and rate limit threshold configuration for the administrator to set in the specific network flexibly to control the rate of receiving the packets based on the host port With the attack threshold configured after detecting the attack the anti attack policy implements t...

Page 682: ...low classification ensures that the set packet type on the device takes the precedence over other types of packet The administrator can flexibly allocate the bandwidth of the three types of the packet according to the actual network environment and make sure that the protocol and manage packets takes the precendence of being handled for the purpose of normal protocol running and the administrator ...

Page 683: ...default configurations of NFPP are as follows Packet type Default traffic bandwidth Default packet percent Manage 3000PPS 30 Route 3000PPS 25 Protocol 3000PPS 45 Configuring the packet traffic bandwidth This section describes how to configure the packet traffic bandwidth Command Function Ruijie config cpu protect sub interface manage protocol route pps pps_vaule Configure the traffic bandwidth thr...

Page 684: ...ted into the MAC address by ARP protocol in the local area network LAN ARP protocol plays an important role in the network security ARP DoS attack sends a large amount of illegal ARP packets to the gateway preventing the gateway from providing the services To deal with this attack on one hand you can configure the rate limit of the ARP packet on the other hand you can detect and isolate the attack...

Page 685: ...h the ARP attack problems in the network ARP guard configuration commands include Enabling arp guard Configuring the isolated time Configuring the monitored time Configuring the monitored host limit Host based rate limit and attack detection Port based rate limit and attack detection Clearing the monitored hosts Clearing the ARP scanning list Showing related arp guard information Enabling ARP guar...

Page 686: ... of the attacker it can be configured in the global or interface configuration mode By default the isolated time is configured in the global configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp arp guard isolate period seconds permanent Configure the global isolated time ranging 0s ...

Page 687: ...d command to remove the port based isolated time configuration in the interface configuration mode Configuring the monitored time If the isolated time is 0 that is no isolation the serviceview monitor will be performed to auto monitor the attacker according to the configured monitored period providing the attacker information in the system If the isolated time is but not 0 the arp guard will perfo...

Page 688: ...uration mode Ruijie config nfpp arp guard monitored host limit seconds Configure the monitored host limit ranging 1 4294967295 The default value is1000 Ruijie config nfpp end Return to the privileged EXEC mode Ruijie show nfpp arp guard summary Show the arp guard parameter settings Ruijie copy running config startup config Save the configurations To restore the monitored host limit to the default ...

Page 689: ...s is changing ARP scan is detected and recorded in the syslog and the TRAP messages are sent It prompts the following message if the ARP DoS attack was detected NFPP_ARP_GUARD 4 DOS_DETECTED Host IP N A MAC 0000 0000 0004 port Gi4 1 VLAN 1 was detected 2009 07 01 13 00 00 The content in brackets is the attack detection time The following example shows the describing information included in the sen...

Page 690: ...e is full It prompts the following message to remind the administrator that the configured rate limit threshold is higher than the attack threshold ERROR rate limit is higher than attack threshold 500pps It prompts the following message to remind the administrator that the configured attack threshold is smaller than the rate limit threshold ERROR attack threshold is smaller than rate limit 300pps ...

Page 691: ...e arp guard attack threshold ranging from 1 to 9999 8 by default When the ARP packet number sent from a host exceeds the attack threshold the attack is detected and ARP guard isolates the host records the message and sends the TRAP packet per src ip detect the hosts based on the source IP address VID port per src mac detect the hosts based on the source MAC address VID port Ruijie config nfpp arp ...

Page 692: ...P VID port per src mac to detect the hosts based on the source MAC VID port on the link layer Ruijie config if nfpp arp guard scan th reshold pkt cnt Configure the arp guard scan threshold value on each interface the valid range is 1 9999 in 10s By default it adopts the global arp guard scan threshold value Ruijie config if end Return to the privileged EXEC mode Ruijie show nfpp arp guard summary ...

Page 693: ...om 1 to 9999 100 by default Ruijie config nfpp arp guard attack threshold per port pps Configure the arp guard attack threshold ranging from 1 to 9999 200 by default When the ARP packet number on a port exceeds the attack threshold the CLI prompts and the TRAP packets are sent Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ru...

Page 694: ...hreshold When configuring the rate limit on the port you can refer to the user count on this port For example if 500 users exist on a port you can set the rate limit on this port to 500 Clearing the monitored hosts The isolated hosts can be recovered automatically after a period of the time The administrator can use the following command to clear the isolated hosts manually Command Function Ruijie...

Page 695: ...le Showing arp guard configuration Use this command to show the arp guard configurations Command Function Ruijie show nfpp arp guard summary Show the arp guard configurations For example Ruijie show nfpp arp guard summary Format of column Rate limit and Attack threshold is per src ip per src mac per port Interface Status Isolate period Rate limit Attack threshold Scan thresh old Global Enable 300 ...

Page 696: ...ics Show the arp guard hosts statistics including total host amount isolated host amount and non isolated host amount Ruijie show nfpp arp guard hosts vlan vid interface interface id ip address mac address Show the isolated hosts information show nfpp arp guard hosts vlan vid Show the isolated hosts in a VLAN show nfpp arp guard hosts vlan vid interface interface id Show the isolated hosts on a in...

Page 697: ...the host is identified by the source IP address If the IP address columm shows it means the host is identified by the source MAC address Showing the ARP scan table Command Function Ruijie show nfpp arp guard scan statistics Show the arp guard scan statistics Ruijie show nfpp arp guard scan vlan vid interface interface id ip address mac address Show the arp guard scan information show nfpp arp guar...

Page 698: ...rp guard scan vlan 1 interface G 0 1 0000 0000 0001 VLAN interface IP address MAC address timestamp 1 Gi0 1 N A 0000 0000 0001 2008 01 23 16 23 10 Total 1 record s IP guard IP guard Overview As is known to all many hacker attacks and the network virus invasions begin with the network scanning To this end a large amount of the scanning packets take up the network bandwidth leading to the abnormal n...

Page 699: ...P packet will be dropped when the packet rate exceeds the rate limit threshold When the ARP packet rate exceeds the warning threshold it will prompt the warning messages and send the TRAP message The host based attack detection can isolate the attack source Caution It is worth mentioning that the IP guard is for the attack of the IP packets with the destination IP address not the host IP address F...

Page 700: ...end Return to the privileged EXEC mode Ruijie show nfpp ip guard summary Show the configurations Ruijie copy running config startup config Save the configurations Caution With the ip guard disabled the monitored hosts are auto cleared Configuring the isolated time For the isolated time of the attacker it can be configured in the global or interface configuration mode By default the isolated time i...

Page 701: ... command in the nfpp configuration mode If the isolated time has been configured on a port you can use the no ip guard isolate period command to remove the port based isolated time configuration in the interface configuration mode Configuring the monitored time If the isolated time is 0 that is no isolation the serviceview monitor will be performed to auto monitor the attacker according to the con...

Page 702: ...mit Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp ip guard monitored host limit seconds Configure the monitored host limit ranging 1 4294967295 The default value is1000 Ruijie config nfpp end Return to the privileged EXEC mode Ruijie show nfpp ip guard summary Show the parameter settings Ruijie...

Page 703: ...1 1 1 1 MAC N A port Gi4 1 VLAN 1 was detected 2009 07 01 13 00 00 The following example shows the describing information included in the sent TRAP messages IP DoS attack from host IP 1 1 1 1 MAC N A port Gi4 1 VLAN 1 was dete cted If the isolated time is not set as 0 by the administrator when the hardware isolation succeeds it prompts NFPP_IP_GUARD 4 ISOLATED Host IP 1 1 1 1 MAC N A port Gi4 1 VL...

Page 704: ...dministrator This section shows the administrator how to configure the host based rate limit and attack detection in the nfpp configuration mode and in the interface configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp ip guard rate limit per src ip pps Configure the ip guard rate l...

Page 705: ...alid range is 1 9999 and by default it adopts the global attack threshold value per src ip to detect the hosts based on the source IP VID port Ruijie config if nfpp ip guard scan thr eshold pkt cnt Configure the ip guard scan threshold value on each interface the valid range is 1 9999 in 10s By default it adopts the global arp guard scan threshold value Ruijie config nfpp end Return to the privile...

Page 706: ...1 to 9999 100 by default Ruijie config ip guard attack threshold per port pps Configure the ip guard attack threshold ranging from 1 to 9999 200 by default When the IP packet number on a port exceeds the attack threshold the CLI prompts and the TRAP packets are sent Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruijie config...

Page 707: ... configuration mode Ruijie config nfpp ip guard trusted host ip mask Configure the IP address range for the trusted hosts Up to 500 pieces of IP addresses can be configured Ruijie config nfpp end Return to the privileged EXEC mode Ruijie config if show nfpp ip guard trusted host Show the trusted host settings Ruijie copy running config startup config Save the configurations In the nfpp configurati...

Page 708: ...55 0 to inform the administrator of the failure of adding the trusted host It prompts that ERROR Failed to add trusted host 1 1 1 0 255 255 255 0 to inform the administrator of the failure of adding the trusted host It prompts that ERROR Trusted host 1 1 1 0 255 255 255 0 has already been configured to inform the administrator of the exisitence of the trusted host to be added It prompts that ERROR...

Page 709: ...e IP address to identify the hosts Showing ip guard Showing ip guard configuration Showing monitored host configuration Showing trusted host configuration Showing ip guard configuration Use this command to show the ip guard configurations Command Function Ruijie show nfpp ip guard summary Show the ip guard configurations For example Ruijie show nfpp ip guard summary Format of column Rate limit and...

Page 710: ...solated host amount and non isolated host amount Ruijie show nfpp ip guard hosts vlan vid interface interface id ip address mac address Show the isolated hosts information show nfpp ip guard hosts vlan vid Show the isolated hosts in a VLAN show nfpp ip guard hosts vlan vid interface interface id Show the isolated hosts on a interface in a VLAN show nfpp ip guard hosts vlan vid interface interface ...

Page 711: ...tion Ruijie show nfpp ip guard trusted host Show the trusted hosts For example Ruijie show nfpp ip guard trusted host IP address mask 1 1 1 0 255 255 255 0 1 1 2 0 255 255 255 0 Total 2 record s ICMP guard ICMP guard Overview The ICMP attack detection could be host based or port based Host based ICMP protocol is used to diagnose the network trouble Its basic principle is that the host sends an ICM...

Page 712: ...Enabling icmp guard Configuring the isolated time Configuring the monitored time Configuring the monitored host limit Host based rate limit and attack detection Port based rate limit and attack detection Configuring trusted host Clearing monitored host Showing related icmp guard information Enabling ICMP guard You can enable icmp guard in the nfpp configuration mode or in the interface configurati...

Page 713: ...he attacker it can be configured in the global or interface configuration mode By default the isolated time is configured in the global configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp icmp guard isolate period seconds permanent Configure the global isolated time ranging 0s 30 8...

Page 714: ...guring the monitored time Without the global and port based isolated period configured including set the interface isolated time 0 the serviceview monitor will be performed to auto monitor the attacker according to the configured monitored period providing the attacker information in the system With the global or port based isolated period configured the ICMP guard will perform hardware isolation ...

Page 715: ...mit seconds Configure the monitored host limit ranging 1 4294967295 The default value is1000 Ruijie config nfpp end Return to the privileged EXEC mode Ruijie show nfpp icmp guard summary Show the parameter settings Ruijie copy running config startup config Save the configurations To restore the monitored host limit to the default value use the no icmp guard monitored host limit command in the nfpp...

Page 716: ...oS attack from host IP 1 1 1 1 MAC N A port Gi4 1 VLAN 1 was de tected If the isolated time is not set as 0 by the administrator when the hardware isolation succeeds it prompts NFPP_ICMP_GUARD 4 ISOLATED Host IP 1 1 1 1 MAC N A port Gi4 1 VLAN 1 was isolated 2009 07 01 13 00 00 The following example shows the describing information included in the sent TRAP messages Host IP 1 1 1 1 MAC N A port Gi...

Page 717: ... address based rate limit When the ICMP packet number sent from a host exceeds the attack threshold the attack is detected and ICMP guard isolates the host records the message and sends the TRAP packet per src ip detect the hosts based on the source IP address VID port Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruijie con...

Page 718: ...FPP_ICMP_GUARD 4 PORT_ATTACKED ICMP DoS attack was detected on port Gi4 1 2009 07 01 13 00 00 The following is additional information of the sent TRAP packet ICMP DoS attack was detected on port Gi4 1 This section shows the administrator how to configure the port based rate limit and attack detection in the nfpp configuration mode and in the interface configuration mode Command Function Ruijie con...

Page 719: ... by default it adopts the global attack threshold value Ruijie config nfpp end Return to the privileged EXEC mode Ruijie config if show nfpp icmp guard summary Show the parameter settings Ruijie copy running config startup config Save the configurations Caution The source IP address based rate limit takes precedence over port based rate limit Configuring the trusted hosts Use the following command...

Page 720: ... Save the configurations In the nfpp configuration mode use the no form of this command to delete a trusted host entry and use the all form of this command to delete all trusted hosts For example The following example shows how to delete all trusted hosts Ruijie config nfpp no icmp guard trusted host all The following example shows how to delete a trusted host entry Ruijie config nfpp no icmp guar...

Page 721: ...55 0 to inform the administrator of the failure of adding the trusted host It prompts that ERROR Failed to add trusted host 1 1 1 0 255 255 255 0 to inform the administrator of the failure of adding the trusted host It prompts that ERROR Trusted host 1 1 1 0 255 255 255 0 has already been configured to inform the administrator of the exisitence of the trusted host to be added It prompts that ERROR...

Page 722: ...ed Use the IP address to identify the hosts Showing icmp guard Showing icmp guard configuration Showing monitored host configuration Showing trusted host configuration Showing icmp guard configuration Use this command to show the icmp guard configurations Command Function Ruijie show nfpp icmp guard summary Show the icmp guard configurations For example Ruijie show nfpp icmp guard summary Format o...

Page 723: ...ding total host amount isolated host amount and non isolated host amount Ruijie show nfpp icmp guard hosts vlan vid interface interface id ip address Show the isolated hosts information show nfpp icmp guard hosts vlan vid Show the isolated hosts in a VLAN show nfpp icmp guard hosts vlan vid interface interface id Show the isolated hosts on a interface in a VLAN show nfpp icmp guard hosts vlan vid ...

Page 724: ...ortant role in the network security The DHCP exhaustion attack occurs in the way of broadcasting the DHCP request packets through faking the MAC address If there are too many DHCP request packets the attacker may use up the addresses provided in the DHCP server To this end a legal host fails to request for a DHCP IP address and access to the network The workaround for the DHCP exhaustion attack on...

Page 725: ...interface configuration mode By default the dhcp guard is enabled Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp dhcp guard enable Enable the dhcp guard By default dhcp guard is enabled Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configura...

Page 726: ...ged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruijie config interface interface name Enter the interface configuration mode Ruijie config if nfpp arp guard isolate period seconds permanent Configure the isolated time on the port ranging 0s 180 86400s one day By default the isolated time is configured globally 0s represents no isolation Permanent represents permanent i...

Page 727: ...onfig startup config Save the configurations To restore the monitored time to the default value use the no dhcp guard monitor period command in the nfpp configuration mode Caution If the isolated time is 0 the serviceview monitor will be perform to monitor the detected attacker and the timeout time will be the monitored period In the process of the serviceview monitor if the isolated time is but n...

Page 728: ...e message that NFPP_DHCP_GUARD 4 SESSION_LIMIT Attempt to exceed limit of 1000 monitored hosts if the monitored host table is full Host based rate limit and attack detection Use the source MAC VID port based method to detect the host based attack For each attack detection you can configure the rate limit threshold and attack threshold also called warning threshold The DHCP packet will be dropped w...

Page 729: ...ded in the sent TRAP messages Failed to isolate host IP N A MAC 0000 0000 0001 port Gi4 1 VLAN 1 Caution When it fails to allocate the memory to the detected attackers it prompts the message like NFPP_DHCP_GUARD 4 NO_MEMORY Failed to alloc memory to inform the administrator This section shows the administrator how to configure the host based rate limit and attack detection in the nfpp configuratio...

Page 730: ...attack threshold on the specified interface rate limit pps set the rate limit threshold The valid range is 1 9999 and by default it adopts the global rate limit threshold value attack threshold pps set the attack threshold The valid range is 1 9999 and by default it adopts the global attack threshold value per src mac to detect the hosts based on the source MAC VID port Ruijie config nfpp end Retu...

Page 731: ...om 1 to 9999 150 by default Ruijie config dhcp guard attack threshold per port pps Configure the dhcp guard attack threshold ranging from 1 to 9999 300 by default When the DHCP packet number on a port exceeds the attack threshold the CLI prompts and the TRAP packets are sent Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruij...

Page 732: ...cp guard hosts vlan vid interface interface id mac address clear nfpp dhcp guard hosts Clear all isolated hosts clear nfpp dhcp guard hosts vlan vid Clear all isolated hosts in a VLAN clear nfpp dhcp guard hosts vlan vid interface interface id Clear all isolated hosts on a interface in a VLAN clear nfpp dhcp guard hosts vlan vid interface interface id mac address An isolated host has been cleared ...

Page 733: ... rate limit threshold port based rate limit threshold Attack threshold In the same format of the Rate limit No configuration Showing monitored host configuration Command Function Ruijie show nfpp dhcp guard hosts statistics Show the dhcp guard hosts statistics including total host amount isolated host amount and non isolated host amount Ruijie show nfpp dhcp guard hosts vlan vid interface interfac...

Page 734: ...w The DHCPv6 protocol is widely used to dynamically allocate the IPv6 address in the LAN and plays an important role in the network security Being similar to the DHCP attack the DHCPv6 attack occurs in the way of broadcasting the DHCPv6 request packets through faking the MAC address If there are too many DHCPv6 request packets the attacker may use up the addresses provided in the DHCPv6 server To ...

Page 735: ...tored host Showing related dhcpv6 guard information Enabling DHCPv6 guard You can enable dhcpv6 guard in the nfpp configuration mode or in the interface configuration mode By default the dhcpv6 guard is enabled Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp dhcpv6 guard enable Enable the dhcpv6 ...

Page 736: ...guard isolate period seconds permanent Configure the global isolated time ranging 0s 30 86400s one day The default value is 0s representing no isolation Permanent represents permanent isolation Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruijie config interface interface name Enter the interface configuration mode Ruijie c...

Page 737: ...ding to the configured monitored period providing the attacker information in the system If the isolated time is but not 0 the DHCPv6 guard will perform hardware isolation towards the hosts using the serviceview monitor Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config nfpp dhcpv6 guard monitor period s...

Page 738: ...t seconds Configure the monitored host limit ranging 1 4294967295 The default value is1000 Ruijie config nfpp end Return to the privileged EXEC mode Ruijie show nfpp dhcpv6 guard summary Show the parameter settings Ruijie copy running config startup config Save the configurations To restore the monitored host limit to the default value use the no dhcpv6 guard monitored host limit command in the nf...

Page 739: ...ost IP N A MAC 0000 0000 0001 port Gi4 1 VLAN 1 was detected If the isolated time is not set as 0 by the administrator when the hardware isolation succeeds it prompts NFPP_DHCPV6_GUARD 4 ISOLATED Host IP N A MAC 0000 0000 0001 port Gi4 1 VLAN 1 was isolated 2009 07 01 13 00 00 The following example shows the describing information included in the sent TRAP messages Host IP N A MAC 0000 0000 0001 p...

Page 740: ...ected and DHCPv6 guard isolates the host records the message and sends the TRAP packet per src mac detect the hosts based on the source MAC address VID port Ruijie config nfpp end Return to the privileged EXEC mode Ruijie configure terminal Enter the global configuration mode Ruijie config interface interface name Enter the interface configuration mode Ruijie config if nfpp dhcpv6 guard policy per...

Page 741: ... DHCPV6 DoS attack was detected on port Gi4 1 This section shows the administrator how to configure the port based rate limit and attack detection in the nfpp configuration mode and in the interface configuration mode Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config nfpp Enter the nfpp configuration mode Ruijie config dhcpv6 guard rate limit per port pps...

Page 742: ... running config startup config Save the configurations Caution The source MAC address based rate limit takes precedence over port based rate limit Clearing the monitored hosts The isolated hosts can be recovered automatically after a period of the time The administrator can use the following command to clear the isolated hosts manually Command Function Ruijie clear nfpp dhcpv6 guard hosts vlan vid...

Page 743: ... threshold Global Enable 300 5 150 10 300 G 0 1 Enable 180 6 8 G 0 2 Disable 200 5 30 10 50 Maximum count of monitored hosts 1000 Monitor period 300s Note Field Description Interface Global refers to the global configuration Status Enable disable the arp guard Rate limit In the format of source IP address based rate limit threshold source MAC address based rate limit threshold port based rate limi...

Page 744: ...ace interface id mac address Show the isolated hosts Use the MAC address to identify the hosts For example Ruijie show nfpp dhcpv6 guard hosts statistics success fail total 100 20 120 Ruijie show nfpp dhcpv6 guard hosts If column 1 shows it means hardware do not isolate user VLAN interface MAC address remain time s 1 Gi0 1 0000 0000 0001 110 2 Gi0 2 0000 0000 2222 61 Total 2 host s Ruijie show nfp...

Page 745: ...ement used for the address resolution 2 RS the Router Solicitation used for the gateway discovery by the host 3 RA and Redirect the Router Advertisement and Redirect used to advertise the gateway and prefix and the better next hop At present only the port based ND packet attack detection is implemented You may configure the rate limit threshold and the attack threshold for the ND packets When the ...

Page 746: ... the ND packet rate on a port exceeds the limit the ND packets are dropped When the ND packet rate on a port exceeds the attack threshold limit the CLI prompts and the TRAP packets are sent ND Snooping divides the port into the untrusted port and the trusted port which connect to the host and the gateway respectively The rate limit threshold for the trusted port shall be higher than the one for th...

Page 747: ...ATTACKED RA REDIRECT DoS attack was detected on port Gi4 1 2009 07 01 13 00 00 The following is additional information of the sent TRAP packet RA REDIRECT DoS attack was detected on port Gi4 1 This section shows the administrator how to configure the port based rate limit and attack detection in the nfpp configuration mode and in the interface configuration mode Command Function Ruijie configure t...

Page 748: ...ps set the attack threshold The valid range is 1 9999 Ruijie config nfpp end Return to the privileged EXEC mode Ruijie config if show nfpp nd guard summary Show the parameter settings Ruijie copy running config startup config Save the configurations Showing dhcpv6 guard Showing ND guard configuration Showing ND guard configuration Use this command to show the ND guard configurations Command Functi...

Page 749: ... and delete the NFPP log from the NFPP syslog buffer area NFPP syslog configuration commands include Configuring NFPP log buffer entry number Configuring the rate of generating NFPP syslog Configuring NFPP log filtering Clearing NFPP syslog Showing NFPP syslog Configuring NFPP log buffer entry number The administrator can configure the NFPP log buffer entry number in the nfpp configuration mode Co...

Page 750: ... information in the NFPP syslog buffer area will be removed while generating the syslog number_of_message The valid range is 0 1024 the default value is 1 0 indicates that all syslogs are recorded in the NFPP syslog buffer area and the syslog is not generated length_in_seconds The valid range is 0 86400s one day the default value is 30s 0 indicates to generate the syslog immediately Setting the nu...

Page 751: ...p log summary Show the configurations Clearing NFPP syslog Command Function Ruijie clear nfpp log Clear the NFPP syslog in the log buffer area Showing NFPP syslog Command Function Ruijie show nfpp log summary Show the NFPP syslog configuration Ruijie show nfpp log buffer statistics Show the NFPP syslog in the log buffer area The parameter statistics shows the log number in the log buffer area The ...

Page 752: ...RP 1 Gi0 1 0000 0000 0001 SCAN 2009 05 30 16 30 10 ARP Gi0 2 PORT_ATTACKED 2009 05 30 16 30 10 Field Description Protocol Includes ARP IP ICMP DHCP DHCPv6 NS NA RS RA REDIRECT Reason Includes DoS ISOLATED ISOLATED_FAILED SCAN PORT_ATTACKED Caution If the syslog buffer area is full the subsequent syslog will be discarded and an entry with all attributes will be shown in the syslog buffer area The a...

Page 753: ... come with a rich of security functions to address various requirements Logically the security functions are divided into two parts access control components and network security components which check the incoming packets in order Figure 4 Forwarding sketch map of security functions Basic Concepts Access control components Access control components include Security channel Also known as escape ch...

Page 754: ...work Security Components Network security components include Anti gateway ARP spoofing The packets matching the anti gateway ARP spoofing setting are directly dropped NFPP Network Foundation Protection Policy The packets matching the NFPP setting are directly dropped GSN isolation and blocking The packets matching the GSN blocking setting are dropped and the ones matching the GSN isolation setting...

Page 755: ...n the rgos security compatible command save configuration and then restart Protocol Specifications None Default Configuration of Security Compatible Mode Below is the default configuration of security compatible mode Function Default value Coexistence in RGOS compatible mode Enabled Configure the Security Compatible Mode Command By default Ruijie Switches security functions coexist in RGOS compati...

Page 756: ...rity compatible mode configuration into effect View Security Compatible Mode Configuration No specific show command is available to view the configuration of the security compatible mode You can view the details of compatible mode by running the show running config command Command Function Ruijie config show running config View the configuration of the security compatible mode ...

Page 757: ......

Page 758: ...ACL QoS Configuration 1 Access Control List Configuration 2 QoS Configuration ...

Page 759: ...ication data types in the network and restrict the users of the network and the device they can use When data streams pass the switch ACLs classify and filter them that is check the data streams input from the specified interface and determine whether to permit or deny them according to the matching conditions To sum up the security ACL is used to control which dataflow is allowed to pass through ...

Page 760: ...twork security Note A inherent problem of all access lists is electric spoofing the behavior of providing spoof source addresses to deceive switches Even you use the dynamic list a spoofing problem occurs During the valid access period of an authenticated user a hacker may use a counterfeit user address and accesses the network There are two methods to resolve the problem One method is to set free...

Page 761: ... field you can specify all the 32 bits of the IP address or specify a type of streams of the defined subnet Protocol type fields Layer 4 fields You can specify one UDP source port destination port or both You can specify one UDP source port destination port or both The filtering domain consists of the fields in the packets based on which the packets are identified and classified when you create an...

Page 762: ...Configuration Guide Access Control List Configuration Figure 2 Analysis of the ACE permit tcp host 192 168 12 2 any eq telnet ...

Page 763: ...tch the destination IP address not in the subnet IP range of the associated SVI in the standard IP ACL extended IP ACL or expert ACL this ACL will not take effect For example VLAN 1 s IP address is 192 168 64 1 255 255 255 0 Now you create an ACL with the ACE of deny udp any 192 168 65 1 0 0 0 255 eq 255 and apply this ACL at the egress of VLAN 1 This ACL will not function for the destination IP a...

Page 764: ...Flow Rule Sentence The ending part of each access list implicates a Deny any data flow rule sentence Therefore if a packet matches no rule then it is denied as shown in the following example access list 1 permit host 192 168 4 12 This list allows only the message of host 192 168 4 12 and denies any other host This is because the list contains the following rule statement at the end access list 1 d...

Page 765: ... the following command in the global configuration mode Command Function Ruijie config access list id deny permit src src wildcard host src any interface idx time range tm rng name Define an access list Ruijie config interface interface Select the interface to which the access list is to be applied Ruijie config if ip access group id in out Apply the access list to the specific interface Method 2 ...

Page 766: ...and Switch B as shown in Figure 3 Figure 3 Basic Access List Example It is required to implement the following security functions by configuring access lists on Switch B 1 Hosts at the 192 168 12 0 24 network section can only access the remote UNIX host TELNET service during the normal working time period and deny the PING service 2 On the Switch B console access to any of the services of hosts at...

Page 767: ...is not needed for the ending part of the access list implicates a deny any rule sentence Switch A configuration Ruijie config hostname Ruijie Ruijie config interface GigabitEthernet 0 1 Ruijie config if ip address 192 168 202 1 255 255 255 0 Ruijie config interface GigabitEthernet 0 2 Ruijie config if ip address 2 2 2 1 255 255 255 0 Configuring Extended MAC Address based Access Control List To co...

Page 768: ...ode Command Function Ruijie config access list id deny permit any host src mac addr any host dst mac addr ethernet type cos cos Define an access list For details about commands please see command reference Ruijie config interface interface Select the interface to which the access list is to be applied Ruijie config if mac access group id in out Apply the access list to the specific interface Metho...

Page 769: ...ll the messages passing in and out on the port Ruijie enable Ruijie configure terminal Ruijie config mac access list extended mac list Ruijie config mac nacl deny host 0013 2049 8272 any ipx Ruijie config mac nacl permit any any Ruijie config mac nacl exit Ruijie config interface gigabitEthernet 0 1 Ruijie config if mac access group mac list in Ruijie config if end Ruijie show access lists mac acc...

Page 770: ...L The configuration of an expert access list includes the following steps 1 Define an expert access list 2 Apply the access list to a specific interface application particular case There are two methods to configure an expert access list Method 1 Run the following command in the global configuration mode Command Function Ruijie config access list id deny permit prot ethernet type cos cos VID vid s...

Page 771: ...rity table entries method 2 can also specify the priorities of table entries the sn option in a command Showing Configuration of Extended Expert ACL To monitor access lists please run the following command the in privileged user mode Ruijie show access lists id name You can view expert access lists Expert Extended Access List Example It is required to implement the following security functions by ...

Page 772: ... rng name Add table entries for ACL For details about commands please see command reference Ruijie config exp nacl exit Ruijie config interface interface Exit from the access control list mode and select the interface to which the access list is to be applied Ruijie config if ipv6 traffic filter name in Apply the access list to the specific interface Showing Configuration of IPv6Extended Access Li...

Page 773: ...onding The filtering rule specifies the value of the field to be filtered The filter domain template specifies whether to filter the related fields in the filtering rule 1 indicates matching the bit in the corresponding filtering rule 0 for not Therefore when it is time to match a bit it is required to set 1 for the corresponding bit in the filter domain template If the filter domain template bit ...

Page 774: ...servation bit and flags bit 59 L IP packet length 28 a Windows size field 60 M ID 30 b Others 62 N Flags field 32 As shown in the above table the offset of each field is it offset in the SNAP tag 802 3 data frame In the user custom access control list the user can use two parameters the rule mask and offset to abstract any byte from the first 80 bytes of the data frame and then compare it with the...

Page 775: ...e first ACE Configuring TCP Flag Filtering Control The TCP Flag filtering feature provides a flexible mechanism At present TCP Flag filtering control supports the match all option Namely when the TCP Flags in a received message exactly match those defined in the ACL table entry the message will be checked by the ACL rule A user can define any combination of TCP Flags to filter some messages with s...

Page 776: ... Ruijie config ext nacl deny tcp any any match all fin Adding delete entries repeatedly end Ruijie config ext nacl end Show Ruijie show access list test tcp flag ip access lists extended test tcp flag 10 permit tcp any any match all rst 20 deny tcp any any match all fin Configuring ACL Entries by Priority To embody the ACE priority there are standards for each ACL to normalize the ACE arranging me...

Page 777: ...ce1 100 ace2 103 ace3 106 ace4 109 When adding ace5 by entering seq num 105 the numbers are as follows Ruijie config std nacl 105 permit ace1 100 ace2 103 ace5 105 ace3 106 ace4 109 The reference of the numbers is to implement the priority adding ace mode in step 4 Delete ACE Ruijie config std nacl no 106 ace1 100 ace2 103 ace5 105 ace4 109 The above numbers can also facilitate deleting ACE Config...

Page 778: ...of a time range Note The length of the name should be 1 32 characters which should not include any space You can set one absolute time range at most The application based on time ranges will be valid only in this time range You can set one or more periodic intervals If you have already set a running time range for the time range the application takes effect at periodic intervals in that time range...

Page 779: ...entication so as to avoid the case that resource exhaustion causes the authenticated users cannot access the Interface due to the configuration of security tunnel midway You can use an exist ACL to configure a security tunnel In the privileged configuration mode execute the following commands to configure a global security tunnel Command Function Ruijie configure terminal Enter the global configur...

Page 780: ...itch from port 4 To receive IPX packets set a security tunnel as follows Ruijie configure Ruijie config expert access list extended safe_channel Ruijie config exp nacl permit ipx any any Ruijie config exp nacl exit Ruijie config security global access group safe_channel Or configure a security tunnel on the interface Ruijie configure Ruijie config expert access list extended safe_channel Ruijie co...

Page 781: ... ace_remark_permit_62_start Ruijie config std nacl permit 192 168 197 62 0 0 0 0 Ruijie config std nacl remark ace_remark_permit_62_end Ruijie config std nacl list remark acl_remark_foo Ruijie config std nacl end Ruijie write Ruijie show access lists 1 ip access list standard 1 remark ace_remark_permit_62_start 10 permit host 192 168 197 62 remark ace_remark_permit_62_end list remark acl_remark_fo...

Page 782: ...e TCP header to 1 and ACK to 0 on the inbounding direction of theG3 2 port Configuration Procedure 1 Define an Access Control List ACL Enter the configuration mode of the switch Ruijie configure terminal Create the extended ACL101 in the configuration mode Ruijie config ip access list extended 101 Deny the packets whose SYN is 1 and permit other packets whose SYN is 0 including ACK Ruijie config e...

Page 783: ...Configuration 3 Show the configuration of ACL In the privileged mode use the Show command to display related configuration of ACL Ruijie show access lists 101 ip access list extended 101 10 deny tcp any any match all syn 20 permit ip any any ...

Page 784: ...e use of its switching bandwidth is maximized The device of this module features the QoS function to provide transmission quality service This makes it possible to select specific network traffic prioritize it according to its relative importance and use congestion management and congestion avoidance techniques to provide preferential treatment The network environment with QoS configured is added ...

Page 785: ... the dataflow indicated with CoS value according to the trust policy or the analysis of the message contents As a result the core task of classifying is to determine the CoS value of a message It happens when the port is receiving the inbound messages When a port is associated with a policy map that represents a QoS policy the classification will take effect and be applied on all the messages inpu...

Page 786: ... bits and now the CoS value is got from the default CoS value of the message input port Case 2 is that the layer 2 packet header contains User Priority bits and now the CoS is got directly from the packet header If the Policy map associated with the port is using the ACLs classifying based on the ip access list extended the associated ACLs will be matched by getting the source IP address destinati...

Page 787: ...P to CoS Map and Cos to Queue Map configured on the switch convert the DSCP value of the message into output queue number so as to determine which output queue to transfer the messages into Scheduling The Scheduling action is the last cycle in the QoS process After the messages are transferring into different output queues of the port the switch works with WRR or another algorithm to transmit the ...

Page 788: ...ues 8 Queue Scheduling WRR Queue Weight 1 1 1 1 1 1 1 1 WRR Weight Range 1 15 DRR Weight Range 1 15 Trust mode No Trust Default mapping table from CoS value to queue CoS Value 0 1 2 3 4 5 6 7 Queue 1 2 3 4 5 6 7 8 Default mapping table from CoS to DSCP CoS Value 0 1 2 3 4 5 6 7 DSCP value 0 8 16 24 32 40 48 56 Default mapping table from IP Precedence to DSC IP Prec edence 0 1 2 3 4 5 6 7 DSCP 0 8 ...

Page 789: ...for every interface through the following steps By default the CoS value of an interface 0 Command Description Ruijie configure terminal Enter the configuration mode Ruijie config interface interface Enter the interface configuration mode Ruijie config if mls qos cos default cos Configure the default CoS value of the interface where default cos is the desired default CoS value ranging 0 7 Ruijie c...

Page 790: ...e no option will delete an existing class map Ruijie config cmap no match access group acl num acl name Set the matching ACL where acl name is the name of the created ACL acl num is the ID of the created ACL the no option delete that match For example the following steps creates a class map named class1 which is associated with a ACL acl_1 This class map will classify all TCP messages with port 80...

Page 791: ... specify the action for the excessive bandwidth part where rate bps is the limited bandwidth per second kbps burst byte is the limited burst bandwidth Kbyte drop means dropping the message of the excessive bandwidth part dscp dscp value means changing the DSCP value of the message in excessive bandwidth part and dscp value value range varies with specific products The effective range of the burst ...

Page 792: ...hod through the following steps For details of the algorithm see the overview of QoS Command Description Ruijie configure terminal Enter the configuration mode Ruijie config mls qos scheduler sp wrr drr Set the port priority queue scheduling method where sp is absolute priority scheduling wrr is weighted round robin with frame quantity and drr weighted round robin with frame length Ruijie config n...

Page 793: ...2 3 4 5 6 7 8 Ruijie config end Ruijie show mls qos queueing Cos queue map cos qid 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 wrr bandwidth weights qid weights 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 Ruijie config Configuring Cos Map You may set cos map to change which queue to select for the messages in output The default value of cos map is provided in the default QoS configuration section Command Description Ruij...

Page 794: ... You may follow these steps to set CoS to DSCP Map The default value of CoS to DSCP is provided in the default QoS configuration section Command Description Ruijie configure terminal Enter the configuration mode Ruijie config mls qos map cos dscp dscp1 dscp8 Ruijie config no mls qos map cos dscp Change the CoS to DSCP Map settings where dscp1 dscp8 are the DSCP values corresponding to CoS values 0...

Page 795: ...s to be set DSCP values delimited by spaces value range varying with specific products cos means the CoS values corresponding to the DSCP values ranging 0 7 Ruijie config no mls qos map dscp cos Restore default For example the following steps set the DSCP values 0 32 and 56 to map 6 Ruijie configure terminal Ruijie config mls qos map dscp cos 0 32 56 to 6 Ruijie config show mls qos maps dscp cos d...

Page 796: ...6 Ruijie config if end Ruijie Configuring IPpre to DSCP Map IPpre to Dscp is used to map the IPpre values of message to internal DSCP values The default settings of IPpre to DSCP Map are provided in the default QoS configuration section you may follow these steps to configure IPpre to Dscp Map Command Description Ruijie configure terminal Enter the configuration mode Ruijie config mls qos map ip p...

Page 797: ...name of policy map specified as class Show the class map bound with the policy map in case of class name For example Ruijie show policy map Policy Map pp Class cc Ruijie Showing mls qos interface You may show the QoS information of all ports through the following steps Command Description show mls qos interface interface policers Show the QoS information of the interface The Policers option shows ...

Page 798: ...p cos qid 0 1 1 2 2 1 3 4 4 1 5 1 6 1 7 1 wrr bandwidth weights qid weights 0 1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 Showing mls qos scheduler You may show the QoS scheduling method through the following steps Command Description Show mls qos scheduler Show the port priority queue scheduling method For example Ruijie show mls qos scheduler Global Multi Layer Switching scheduling Strict Priority Ruijie Show...

Page 799: ...0 3 0 4 0 5 0 6 0 7 0 8 1 9 1 10 1 11 1 12 1 13 1 14 1 15 1 16 2 17 2 18 2 19 2 20 2 21 2 22 2 23 2 24 3 25 3 26 3 27 3 28 3 29 3 30 3 31 3 32 6 33 4 34 4 35 4 36 4 37 4 38 4 39 4 40 5 41 5 42 5 43 5 44 5 45 5 46 5 47 5 48 6 49 6 50 6 51 6 52 6 53 6 54 6 55 6 56 6 57 7 58 7 59 7 60 7 61 7 62 7 63 7 Ruijie show mls qos maps ip prec dscp ip precedence dscp 0 56 1 48 2 46 3 40 4 34 5 32 6 26 7 24 Sho...

Page 800: ...face GigabitEthernet 0 4 rate limit input bps 100 burst 100 Showing the policy map interface You can show the configuration of port policy map by performing following steps Command Function show policy map interface interface Showing the configuration of port policy map Ruijie show policy map interface f0 1 FastEthernet 0 1 input tc policy pp Class cc set ip dscp 22 ...

Page 801: ...Reliability Configuration 1 RLDP Configuration 2 TPP Configuration 3 SEM Configuration ...

Page 802: ...ications Here is another example There is an intermediate network between two Ethernet devices Due to the existence of the network transmission relay devices the same problem may occur if those relay devices are faulty The RLDP enables easy detection of Ethernet device link fault including the one way link fault two way link fault and loop link fault The RLDP implements the detection by exchanging...

Page 803: ...ions of every neighbor link Typical Application Loop detection Figure 2 Loop detection The so called loop fault means that a loop appears on the links connected with the port A shown above on a port the RLDP receives the RLDP message sent from its machine so the port is considered as loop fault So the RLDP deals with the fault according to the user configurations including alarming setting port vi...

Page 804: ...ith the fault accordingly according to the user configurations In addition if the port cannot receive any RLDP detection message it is also considered one way link fault Two way link detection Figure 4 Two way link detection This means that fault occurs at the frame transmission receiving at both ends of the link As shown above the port of the device sends the RLDP probe message but has never rece...

Page 805: ...e configured on the port is block it is recommended to disable STP otherwise since the STP cannot recognize one way link possibly the STP allows port forwarding but the RLDP is configured with port blocking Configuring RLDP Globally The RLDP works on the port only when the global RLDP is enabled In the global configuration mode follow these steps to enable RLDP Command Function Ruijie config rldp ...

Page 806: ...rt bidirection detect warning Ruijie config if rldp port loop detect block Ruijie config if end Ruijie show rldp interface gigabitEthernet 0 5 port state normal local bridge 00d0 f822 33ac neighbor bridge 0000 0000 0000 neighbor port unidirection detect information action shutdown svi state normal bidirection detect information action warnning state normal loop detect information action block stat...

Page 807: ...he privileged mode The no option of the command restores the value to its default Configuring the Maximum RLDP Detection Times If the port with RLDP enabled cannot receive messages from neighbors in the maximum detection period maximum detection times X detection interval that port will be diagnosed as faulty See the Overview for details of the fault types In the global configuration mode follow t...

Page 808: ...disable recover interval that is the value of detect interval detect max total time is greater than that of errdisable recover interval to prevent error judgment Viewing RLDP Information Viewing the RLDP Status of All Ports In the privileged mode run the following commands to view the RLDP global configuration and the port detection information with RLDP detection configured Command Function Ruiji...

Page 809: ...on information of interface id In the example below the show rldp interface GigabitEthernet 0 1 command is used to view the RLDP detection information of port fas0 1 Ruijie show rldp int GigabitEthernet 0 1 port state error local bridge 00d0 f8a6 0134 neighbor bridge 00d0 f822 57b0 neighbor port GigabitEthernet 0 1 unidirection detect information action shutdown svi state normal bidirection detect...

Page 810: ...nt network topology turbulence TPP Application The topology protection is generated to address the network topology turbulence that my be caused in the MSTP or VRRP and other distributed network protocol The MSTP VRRP and other protocols work with the message notification mechanism to automatically maintain the network topological structure and automatically adapt to the topological change in the ...

Page 811: ...ology protection function is enabled Here it will detect the running conditions of the local and neighbor devices and perform treatment for the abnormities that occur However it does not notify the local running conditions to neighbor devices The port function configuration is used to enable the topology protection function of the port When the topology protection function is enabled on the port i...

Page 812: ...face configuration mode Ruijie config if tp guard port enable Enable the port topology protection function Ruijie config if end Exit to the privileged mode The no tp guard port enable command disables the topology protection on the port This command is suitable only on layer 2 switching ports and routing ports It is inapplicable to AP member ports Note The global topology protection is the global ...

Page 813: ...ry vibration of the network topology The global topology protection function is enabled on A B C D and E and the topology protection function is enabled on all the ports View TPP information Viewing the TPP configuration and status of the device In the privileged mode run the following command to view the TPP configuration and status of the device Command Function Ruijie show tpp View the TPP conf...

Page 814: ...rt syslog key trap and time point or user inputs operations such as CLI commands inputted and user s SNMP operations They can also be the thresholds related to interface statistics count snmp object value system resources statistics and etc SEM also supports multiple actions all CLI commands log sending device reload and etc Basic concepts Event The event concerned and configured by the user and i...

Page 815: ...e policy the word and symbol between and the subsequent first character which is not a letter number or underline will be substituted as the name of variable The global variable can be used in all policies while system local variable and user local variable are both local variables which can only be used in a specific policy System local variable is read only and cannot be changed User local varia...

Page 816: ...fferent kinds of event detectors which are embedded in different services to monitor service operation in a real time manner These detectors will compare the conditions generated through user configuration with the service operation events Once matched the event detector will notify the intelligent management server of event occurrence The intelligent management server will determine whether the e...

Page 817: ...EM When the named counter exceeds the specified threshold the counter event will be triggered after which the counter event detection will be disabled temporarily until the counter restores to the threshold The value of named counter will be changed by the counter action being executed Therefore other policies may accumulate the value of the counter and when the value reaches the threshold the cou...

Page 818: ...MIB object value exceeds the threshold configured SNMP MIB event will be triggered after which this SNMP MIB event detector will be temporarily disabled until the SNMP MIB object value reaches the recovery threshold or the out of service time has exceeded its recovery cycle SNMP Trap detector By detecting SNMP traps it will trigger SNMP event when any SNMP Trap complies with event configurations S...

Page 819: ...itch to a standby engine switching between main device and standby device 5 Reload device reload the device 6 Trigger an application specific event publish an application specific event in SEM 7 Respond to SNMP operation respond to the operations detected by SNMP Object 8 Suspend policy execution suspend policy execution for a while Environment variables supported by SEM SEM allows environment var...

Page 820: ...events Display the counter defined currently Display the SEM global variable defined currently The user can manage the policies being executed during the operation of SEM intelligent management server Suspend and resume the scheduler of SEM policy Hold and release a specific policy or policies in the specified class Adjust the scheduling priority of a specific class Force to end a specific policy ...

Page 821: ...y execute no smart manager applet applet name command in the global configuration mode Configuration example Configure a policy named policy_A on the device and then enter SEM configuration mode Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config smart manager applet policy_a Ruijie SEM applet Caution A newly created policy or a policy being modified w...

Page 822: ...olicy execute no event tag event name command in the SEM configuration mode Configuration example Configure a syslog event named event_a for a policy named policy_a to detect logs containing shutdown content Ruijie configure terminal Enter configuration commands one per line End with CNTL Z Ruijie config smart manager applet policy_a Ruijie SEM applet event tag event_a syslog pattern shutdown Caut...

Page 823: ...ubmitted without configuring action the policy can still be registered but it will do nothing when triggered You can configure multiple actions for one policy When the policy is triggered the actions will be executed according to the alphabetical order of action s label parameter Configure description Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global ...

Page 824: ...lue correlate start period start value correlate period correlate period value delay delay value maxrun maxruntime number Configure policy trigger parameters To restore policy trigger parameters to default settings execute no trigger command in the SEM configuration mode Configuration example Configure trigger parameters for a policy named policy_a so that it will be executed 5 seconds after being...

Page 825: ...s one per line End with CNTL Z Ruijie config smart manager applet policy_a Ruijie sem applet action action_1 cli command enable Ruijie sem applet action action_2 cli command show arp Ruijie sem applet policy record per instance 500 per policy 2000 Display current policy configurations Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global configuration mod...

Page 826: ...the policy submitted will be displayed including commit command Submit configurations Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global configuration mode Ruijie config smart manager applet applet name class class options Enter SEM configuration mode applet name is the specified policy name class parameter specifies the policy class Ruijie SEM applet ...

Page 827: ... to discard the changes made to policy configurations the user can execute rollback command to roll back policy configurations Display policy registered Command Function Ruijie enable Enter privileged EXEC mode Ruijie show smart manager policy registered policy policy name event type event name class class options time ordered name ordered Display the information of policy registered Configuration...

Page 828: ...not been submitted In the aforementioned two cases the user can execute rollback command to roll back policy configurations which haven t been submitted yet Configure multiple events Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global configuration mode Ruijie config smart manager applet applet name class class options Enter SEM configuration mode apple...

Page 829: ...e first event is triggered All events other than the first event shall be configured with parallel relation and by default The parallel relation configured for the first event will be neglected Configure and use variables Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global configuration mode Ruijie smart manager environment variable name string Configur...

Page 830: ... due to the error The priority level of local variable is higher than global variable When a local variable having the same name as the global variable is configured the local variable will be used when such name is referred Suspend resume scheduler Command Function Ruijie enable Enter privileged EXEC mode Ruijie configure terminal Enter global configuration mode Ruijie config smart manager schedu...

Page 831: ...ass or all classes and the subsequent threads in the class will be held as well Parameter policy will only hold a specified class and other policies in the class will remain unaffected Force to end policy execution Command Function Ruijie enable Enter privileged EXEC mode Ruijie smart manager scheduler clear all policy job id class class options Force to end policy execution Configuration example ...

Page 832: ...occurs num occurrences period period value priority priority level Applet Built in Environment Variables _event_id _event_type _event_type_string _event_pub_time _event_pub_sec _event_pub_msec _syslog_msg _syslog_priority Ruijie show smart manager detector syslog statistics Syslog Detecotr Statistics Policy Event Detect NoPri PriPass PriDeny PatternPass trigge policy_a event_a 1000 100 400 500 10 ...

Page 833: ...nmp notification 1 0 sysmon 1 0 timer 1 0 Typical SEM configuration example SEM timer event Networking requirements Device A is connected with Tftp Server Device A will automatically send log file to Tftp Server at 0 00 everyday and delete the original log file Network topology Fig 5 Topology of timer detection Configuration tips 1 Create policy 2 Configure timer event 3 Configure action ...

Page 834: ... timer cron cron entry 0 0 Ruijie SEM applet action action_1 cli command enable Ruijie SEM applet action action_2 cli command copy flash logfile txt tftp 172 16 0 2 device_a log_ _event_pub_time Ruijie SEM applet action action_3 cli command delete flash logfile txt Ruijie SEM applet commit Ruijie SEM applet exit Ruijie config exit Verification Ruijie show smart manager policy registered No Class E...

Page 835: ...the policy configured for Device A as policy_a b Configure a CLI event named event_1 for policy_a to detect commands containing the content of copy running config startup config execute the policy to use synchronization mode by using parameter sync yes c Configure multiple actions for policy_a as shown below Enter privileged EXEC mode Execute copy command to backup configuration file d Submit the ...

Page 836: ...startup config sync yes maxrun 20 000 action action_1 cli command enable action action_2 cli command copy startup config tftp 172 16 0 2 device_a conf_ _event_pub_time action action_3 exit 1 SEM detection of SNMP event Networking requirements NetManager is connected with Device A over Ethernet SNMP service is enabled on Device A so that NetManager can manage Device A through network The SNMP opera...

Page 837: ...uijie configure terminal Ruijie config smart manager applet policy_a Ruijie sem applet event tag event_1 snmp object oid 1 3 6 1 2 1 2 1 istable no type int skip yes Ruijie sem applet action action_1 syslog msg cancel snmp operate priority 5 Ruijie sem applet commit Ruijie sem applet exit Ruijie config Verification Ruijie show smart manager policy registered No Class Event Type Time Registered Sec...

Page 838: ...xecute clear ip route to refresh IPv4 routing table Execute clear ipv6 route to refresh IPv6 routing table d Submit the policy e End policy editing Ruijie configure terminal Ruijie config smart manager applet policy_a Ruijie SEM applet event tag event_1 none Ruijie SEM applet action action_1 cli command enable Ruijie SEM applet action action_2 cli command clear arp cache Ruijie SEM applet action a...

Page 839: ...pology NA Configuration tips 1 Create policy 2 Configure Syslog event 3 Configure action 4 Configure policy trigger parameters 5 Submit policy configurations Configuration steps 1 Configure Device A a Name the policy configured for Device A as policy_a b Configure a Syslog event named event_1 for policy_a to detect logs of level 2 containing No memory content c Configure a switchover action for po...

Page 840: ...Ruijie config Verification Ruijie show smart manager policy registered No Class Event Type Time Registered Secu Name 1 applet syslog Tue Mar 9 18 38 23 2010 none policy_a event_1 syslog pattern No memory priority critical maxrun 20 000 action action_1 switchover ...

Page 841: ...Network Management Monitoring Configuration 1 SNMP Configuration 2 RMON Configuration 3 NTP Configuration 4 SNTP Configuration 5 SPAN Configuration 6 RSPAN Configuration 7 ERSPAN Configuration ...

Page 842: ...ation layer the SNMP protocol works in the client server mode including three parts as follows SNMP network manager SNMP agent MIB management information base The SNMP network manager also referred to as NMS Network Management System is a system to control and monitor the network using the SNMP protocol HP OpenView CiscoView and CiscoWorks 2000 are the typical network management platforms running ...

Page 843: ...ype hierarchy is used to by the MIB to describe the management units in the network management equipment The node in the tree indicates a specific management unit Take the following figure of MIB as an example to name the objectives in the tree To identify a specific management unit system in the network equipment uniquely a series of numbers can be used For instance the number string 1 3 6 1 2 1 ...

Page 844: ... data from the table at a time and thus reducing the times of request and response Moverover SNMPv2C improves the capability of handing errors including expanding error codes to distinguish different kinds of errors which are represented by one error code in SNMPv1 Now error types can be distinguished by error codes Since there may be the management workstations supporting SNMPv1 and SNMPv2C in a ...

Page 845: ...port 162 SNMP Security Both SNMPv1 and SNMPv2 use the community string to check whether the management workstation is entitled to use MIB objects In order to manage devices the community string of NMS must be identical to a community string defined in the devices A community string Features Read only Authorized management workstations are entitled to read all the variables in the MIB Read write Au...

Page 846: ... mechanism SNMPv3 authPriv MD5 or SHA DES Provides HMAC MD5 or HMAC SHA bas ed authentication mechanism and CBC DES base d encryption mechanism SNMP Engine ID The engine ID is designed to identify an SNMP engine uniquely Every SNMP entity contains a SNMP engine a SNMP engine ID identifies a SNMP entity in a management domain So every SNMPV3 entity has a unique identifier named SNMP Engine ID The S...

Page 847: ...g serves as the password between the NMS and the SNMP Agent Configure an ACL rule to allow the NMS of the specified IP address to manage devices Set the community s operation right ReadOnly or ReadWrite Specify a view for view based management By default no view is configured That is the management workstation is allowed to access to all MIB objects Indicate the IP address of the NMS who can use t...

Page 848: ... num Specify a UDP port for SNMP to receive messages Use the no snmp server udp port command to restore the default port Configuring MIB Views and Groups With view based access control model you can determine whether the object of a management operation is in a view or not For access control generally some users are associated with a group and then the group is associated with a view The users in ...

Page 849: ...ypted auth md5 sha auth password priv des56 priv password access num name Configure the user information To remove the specified user execute the no snmp server user username groupname command in the global configuration mode Configuring SNMP Host Address In special cases the SNMP Agent may also proactively send messages to the NMS To configure the NMS host address that the SNMP Agent proactively ...

Page 850: ...he following command in the global configuration mode Command Function Ruijie config snmp server packetsize byte count Set the maximum packet size of the SNMP Agent Shielding the SNMP Agent The SNMP Agent service is a service provided by Ruijieproduct and enabled by default When you do not need it you can shield the SNMP agent service and related configuration by executing the following command in...

Page 851: ...end the LinkTrap message Otherwise it will not By default this function is enabled Command Function Ruijie config interface interface id Enter the interface configuration mode Ruijie config if no snmp trap link status Enable or disable sending the LinkTrap message of the interface The following configures the intereface not to send LinkTrap Message Ruijie config interface gigabitEthernet 1 1 Ruiji...

Page 852: ...ote This configuration does not take effects when SNMP v1 is used to send Trap messages Configuring the Parameters for Sending the Trap Message To set the parameters for the SNMP Agent to send the Trap message execute the following commands Command Function Ruijie config snmp server trap source interface Specify the source port sending the Trap message Ruijie config snmp server queue length length...

Page 853: ... 0 Bad values errors 0 General errors 2370 Get response PDUs 36 SNMP trap PDUs SNMP global trap disabled SNMP logging enabled SNMP agent enabled The above statistics is explained as follows Showing Information Description Bad SNMP version errors SNMP version is incorrect Unknown community name The community name is not known Illegal operation for community name supplied Illegal operation Encoding ...

Page 854: ...Values snmpInReadOnlys snmpInGenErrs snmpInTotalReqVars snmpInTotalSetVars snmpInGetRequests snmpInGetNexts snmpInSetRequests snmpInGetResponses snmpInTraps snmpOutTooBigs snmpOutNoSuchNames snmpOutBadValues snmpOutGenErrs snmpOutGetRequests snmpOutGetNexts snmpOutSetRequests snmpOutGetResponses snmpOutTraps snmpEnableAuthenTraps snmpSilentDrops snmpProxyDrops entPhysicalEntry entPhysicalEntry ent...

Page 855: ...run the show snmp user command in the privileged mode Ruijie show snmp user User name test Engine ID 8000131103000000000000 storage type permanent active Security level auth priv Auth protocol SHA Priv protocol DES Group name g1 Viewing SNMP Views and Groups To view the group configured on the current SNMP agent run the show snmp group command in the privileged mode Ruijie show snmp group groupnam...

Page 856: ...n example is running on the NMS Typical SNMP networking Detailed router configuration Enable the SNMP agent service Ruijie config snmp server community public RO As long as the above command is configured in the global configuration mode the SNMP agent service is enabled on the router and then the NMS can monitor the router However just read only right is configured the NMS can not modify the rout...

Page 857: ...ve configuration Then the NMS can monitor and manage the router Take HP OpenView as an example and a network topology is coming into being as follows Network topology diagram Now it is possible to query or set the management units in the network device Click the TOOL SNMP MIB Brower menu on the HP OpenView to display the following dialog box Enter the IP address 192 168 12 1 in the Name field and ...

Page 858: ... graph For the other functions of SNMP see the document of network management software Statistics graph of interface traffic Example of SNMP Access Control List Association Ruijie product allows the setting of access list association mode Only the NMS allowed in the access list can monitor and manage the SNMP Agent through SNMP This may limit NMS s accesses to the network devices and improve the S...

Page 859: ... and the MD5 Auth is used as the authentication password The DES is used for encryption and the encryption key is Des Priv Meanwhile it is allowed to send the Trap message to 192 168 65 199 in the format of SNMPv3 Use v3user as the user name to send the Trap message in the authentication and encryption mode The authentication method is MD5 and the authentication password is MD5 Auth The DES is use...

Page 860: ...high level of protocol monitor The first stage of RMON known as RMON1 contains nine groups All of them are optional not mandatory but some groups should be supported by the other groups The switch implements the contents of Group 1 2 3 and 9 the statistics history alarm and event Statistics Statistics is the first group in RMON It measures the basic statistics information of each monitored subnet ...

Page 861: ...st Configuring Statistics One of these commands can be used to add a statistic entry Command Function Ruijie config if rmon collection stats index owner ownername Add a statistic entry Ruijie config if no rmon collection stats index Remove a statistic entry Caution The current version of Ruijie product supports only the statistics of Ethernet interface The index value should be an integer between ...

Page 862: ...ommand can be used to configure the alarm Command Function Ruijie config rmon alarm number variable interval absolute delta rising threshold value event number falling threshold value event number owner ownername Add an alarm entry Ruijie config rmon event number log trap community description description string Add an event entry Ruijie config no rmon alarm number Remove an alarm Ruijie config no...

Page 863: ...t Port 3 every 10 minutes Ruijie config interface gigabitEthernet 0 3 Ruijie config if rmon collection history 1 owner aaa1 interval 600 Example of Configuring Alarm and Event If you want to configure the alarm function for a statistical MIB variable the following example shows you how to set the alarm function to the instance ifInNUcastPkts 6 number of non unicast frames received on port 6 the ID...

Page 864: ...st value 64 Startup alarm 3 Rising threshold 10 Falling threshold 22 Rising event 0 Falling event 0 Owner aaa1 show rmon event Ruijie show rmon events Event 1 Description firstevent Event type log and trap Community public Last time sent 0d 0h 0m 0s Owner aaa1 Log 1 Log time 0d 0h 37m 47s Log description ipttl Log 2 Log time 0d 0h 38m 56s Log description ipttl show rmon history Ruijie show rmon hi...

Page 865: ...istics Ruijie show rmon statistics Statistics 1 Data source Gi1 1 DropEvents 0 Octets 1884085 Pkts 3096 BroadcastPkts 161 MulticastPkts 97 CRCAlignErrors 0 UndersizePkts 0 OversizePkts 1200 Fragments 0 Jabbers 0 Collisions 0 Pkts64Octets 128 Pkts65to127Octets 336 Pkts128to255Octets 229 Pkts256to511Octets 3 Pkts512to1023Octets 0 Pkts1024to1518Octets 1200 Owner Zhangsan ...

Page 866: ...data This mechanism provides protection of anti interference Ruijie switches support the NTP client and server That is the switch can not only synchronize the time of server but also be the time server to synchronize the time of other switches But when the switch works as the time server it only support the unicast server mode Configuring NTP This chapter describes how to configure the NTP client ...

Page 867: ...to configure the global security authentication for the NTP is to set the global authentication key Each key is identified by a unique key id globally The customer can use the command ntp trusted key to set the key corresponding to the key id as a global trusted key To specify a global authentication key run the following commands in the global configuration mode Command Function ntp authenticatio...

Page 868: ...removed Configuring the NTP Server No NTP server is configured by default Ruijie s client system supports simultaneous interaction with up to 20 NTP servers and one authentication key can be set for each server to initiate encrypted communication with the NTP server after relevant settings of global authentication and key are completed NTP version 3 is the default version of communication with the...

Page 869: ...ceive and send packets To disable the interface to receive the NTP message run the following commands in the interface configuration model Command Function interface interface type number Enter the interface configuration mode ntp disable Disable the function of receiving NTP messages on the interface To enable the function of receiving NTP messages on the interface use the command no ntp disable ...

Page 870: ...ng commands in the global configuration model Command Function ntp update calendar Configure the update calendar no ntp update calendar Disable the function of NTP update calendar By default the NTP update calendar is not configured After configuration the NTP client updates the calendar at the same time when the time synchronization of external time source is successful It is recommended to enabl...

Page 871: ...um The time starum ranges from 1 15 8 by default no ntp master Cancel the NTP master settings The following example shows how to set the reliable reference source of the local time and set the time starum as 12 Ruijie config ntp master 12 Caution Using this command to set the local time as the master in particular specify a lower starum value is likely to be covered by the effective clock source I...

Page 872: ...also allow the time synchronization between the local device and the remote system full access privilege serve only allow the time requests and control queries for the local NTP service not allow the time synchronization between the local device and the remote system serve only only allow the time requests for the local NTP service query only only allow the control queries for the local NTP servic...

Page 873: ...ntp access group serve only 2 Showing NTP Information NTP Debugging If you want to debug the NTP function this command may be used to output necessary debugging information for troubleshooting To debug the NTP function run the following commands in the privilege mode Command Function debug ntp Enable the debugging function no debug ntp Disable the debugging function Showing NTP Information Execute...

Page 874: ...n Examples In the following configuration there is an NTP server specified as the master in the network relevant authentication mechanism is enabled a key with the key id of 6 and the key string of wooooop is configured as the trusted key for the server To configure the Ruijie client to synchronize the time with the NTP server on the network configure the NTP client as follows enable security auth...

Page 875: ...system As a simplified version of NTP SNTP simplifies the algorithm of time calculation but also has great performance with precision of about 1s SNTP Client is totally compatible with the NTP Server due to the consistency of the SNTP and NTP messages Working Principles SNTP works in the way of Client Server The standard Server system time is set by receiving the GPS signal or the atomic clock The...

Page 876: ...e Server and the Client d time between the Server and the Client The following formula calculates the time T2 T1 t d 2 T2 T1 t d 2 T4 T3 t d 2 T3 T4 t d 2 d T4 T1 T3 T2 t T2 T1 T3 T4 2 Then according to the value of t and d SNTP Client gets the current time T4 t Configuring SNTP This chapter describes how to configure the SNTP Default Configuration By default the SNTP configurations are as follows...

Page 877: ...or http www ntp org For example 192 43 244 18 time nist gov To set the IP address for the SNTP server run the following commands in the global configuration mode Command Function Ruijie config sntp server ip address Specify the IP address for the SNTP server Configuring the SNTP Sync Interval To adjust the time regularly you need to set the sync interval for SNTP Client to access the NTP server SN...

Page 878: ...me zone time zone Configure the time zone ranging from GMT 23 to GMT 23 wherein indicates western area indicates eastern area and 0 indicates Greenwich mean time The default time zone is GMT 8 Beijing time To restore the local time zone to the default use the command no clock time zone Showing SNTP Information Execute the show sntp command in the privileged mode to show the current SNTP informatio...

Page 879: ... allows you to monitor all the frames incoming outgoing the source port including the route input frames The SPAN does not affect the normal packet switching of the switch Instead it copies the frames incoming outgoing the source port to the destination port However the frames may be discarded on an overflowed destination port for example when an 100Mbps port monitors an 1000Mbps port SPAN Concept...

Page 880: ...is does not affect the function of the SPAN Transmitted frames All the frames sent from the source port are copied to the destination port In one SPAN session you can monitor the frames input from one or multiple source ports If a frame from a port to the source port is dropped due to some reasons the frame will not be sent to the destination port as well Moreover the format of the frames destined...

Page 881: ...Interaction between the SPAN and Other Functions The SPAN interacts with the following functions Spanning Tree Protocol STP the destination port of SPAN participates in the STP Configuring SPAN This section describes how to configure the SPAN on your switch Default SPAN Configuration Function Default Configuration SPAN status Disabled SPAN Configuration Guide To configure the SPAN do the following...

Page 882: ...and Function Ruijie config monitor session session_number source interface interface id both rx tx Specify the source port interface id Specify corresponding interface id Ruijie config monitor session session_number destination interface interface id switch Specify the destination port interface id Specify corresponding interface id The switch parameter supports exchange on the mirrored destinatio...

Page 883: ...ace id command to delete the source port from a SPAN session in the global configuration mode The following example shows how to delete port 1 from session 1 and verify your configuration Ruijie config no monitor session 1 source interface gigabitethernet 1 1 both Ruijie config end Ruijie show monitor session 1 sess num 1 dest intf GigabitEthernet 3 8 Configuring VSPAN VSPAN is short for VLAN SPAN...

Page 884: ...ACL name for the mirrored flow and the mirrored source and destination ports Only the incoming port mirror is supported For the ACL configuration commands see the related configuration guide Showing the SPAN Status The show monitor command shows the current SPAN status The following example illustrates how to show the current status of SPAN session 1 Ruijie show monitor session 1 sess num 1 src in...

Page 885: ...shown as below Figure 1 Typical RSPAN application topology Figure 1 illustrates three roles Source switch Where the mirrored port is The source switch copies the packets of source port and forwards them through the Remote VLAN to the middle swithc or the destination swithc Middle switch The one between the source switch and the destination switch It transmmits the mirrored pakcets to the next midd...

Page 886: ...r port and disable any configuration on it Output port Send mirrored packets to the middle switch or the destination switch Middle switch Common port Send mirrored packets to the destination switch It is recommended to configure two Trunk ports on the middle switch to connect the devices on both sides Destination switch Source port Receive remote mirrored packets Destination port Monitoring port o...

Page 887: ...emote VLAN Guarentee L2 interoperability between the source switch and the destination switch in Remote VLAN Determine the direction of monitored packets Enable Remote VLAN Configuring the Source Switch Configuring RSPAN Session RSPAN session has the same features as local SPAN session For details refer to SPAN Configuration Guide Configuring Source Port Source port is also known as monitored port...

Page 888: ...one RSPAN session Configuring Remote VLAN RSPAN mirrored streams are broadcasted via the Remote VLAN The Remote VLAN transmits only mirrored packets rather than bearing normal services All mirrored packets are transmitted from the source swithc through the Remote VLAN to the designated port of the destination switch Hence you can monitor the packets of the source switch on the destination switch R...

Page 889: ...ort should join the remote VLAN switch indicates the destination port joins switching Ruijie config monitor session session_number source interface interface id rx acl name Set theACL for the streams to be mirrored Caution It is not recommended to add common ports to Remote VLAN Do not set the port that is connected to the middle switch or the destination switch to be the mirrored source port or o...

Page 890: ... ports nor the packets from CPU are forwarded Configuration Steps Command Function Ruijie configure terminal Enter the global configuration mode Ruijie config vlan vlan id Enter the VLAN configuration mode Ruijie config Vlan remote span Set the VLAN as remote span Vlan Ruijie config Vlan exit Return to the global configuration mode Ruijie config monitor session session_num remote destination Confi...

Page 891: ...ce on communications Users can set ACL at the inbounding direction of the source port of the source RSPAN switch Standard ACL extended ACL MAC ACL and user defined ACL are supported Users can set port ACL at the inbounding direction of the source port of the source RSPAN switch and set port ACL at the outbounding direction of the destination port of the destination RSPAN switch Users can apply ACL...

Page 892: ...unk Ruijie config if switchport trunk allowed vlan add 7 Ruijie config if exit Ruijie config monitor session 2 remote source Ruijie config monitor session 2 source interface gigabitEthernet1 2 Ruijie config monitor session 2 destination remote vlan 7 interface gigabitEthernet 1 3 switch Configure the middle switch Ruijie configure Ruijie config vlan 7 Ruijie config Vlan remote span Ruijie config V...

Page 893: ...estination switch Ruijie configure Ruijie config vlan 7 Ruijie config Vlan remote span Ruijie config Vlan exit Ruijie config interface gigabitEthernet 1 4 Ruijie config if switchport mode trunk Ruijie config if switchport trunk allowed vlan add 7 Ruijie config if exit Ruijie config monitor session 2 remote destination Ruijie config monitor session 2 destination remote vlan 7 interface gigabitEther...

Page 894: ...oute the IP packets to the destination port of the remote mirroring device The typical application topology is shown below Figure 1 Typical ERPSAN application topology Figure 1 illustrates two roles Source switch where the encapsulated remote mirroring source ports are The source swith copies the packets of source ports and forwards the packets using the GRE encapsulated IP packets to the destinat...

Page 895: ...tion Ruijie config monitor session session_num erspan source Configure the ERSPAN session on the source switch Configuring the Source Ports The source port is also known as the monitored port In a ERSPAN session the data flow on the source port is monitored for the network analysis or troubleshooting In a single ERSPAN session users can monitor the incoming outgoing and bidirectional data flow and...

Page 896: ...gle_interface rx tx both Show the mirrored source port Enabling the ERSPAN Session By default the ERSPAN mirroring is enanled To enable the ERSPAN session run the following commands Command Function Ruijie config mon erspan src shutdown Ruijie config mon erspan src no shutdown Disable the ERSPAN mirroring Enable the ERSPAN mirroring Configuring the Encapsulated Source IP Address The encapsulated s...

Page 897: ...uijie config mon erspan src ip ttl ttl_value Configure the TTL value of encapsulated IP packets The default value is 64 Ruijie config mon erspan src ip dscp dscp_value Configure the DSCP value of encapsulated IP packets The default value is 0 This function takes effect only when the trust DSCP is configured on the mirrored source port Configuration Steps To configure the source switch run the foll...

Page 898: ...jie config mon erspan src original ip address ip_address Configure the ERSPAN encapsulated source IP address Ruijie config mon erspan src ip ttl ttl_value Optional Configure the TTL value of the encapsulated IP packet s header Ruijie config mon erspan src ip dscp dscp_value Optional Configure the DSCP field value of the encapsulated IP packet s header Displaying ERSPAN Sessions Command Function Ru...

Page 899: ...rmediate device the ports Gi 0 1 and Gi 0 2 respectively connected with the source and destination devices should be the member ports of SVI port in two network segments and the two IP network segments must be able to communicate with each other Configuration Steps Configure the ERSPAN source device On the switch A create the ERSPAN Session 1 configure this switch as the source device and configur...

Page 900: ...rigin ip address 10 1 1 2 destination ip address 12 1 1 2 Step2 Display the ERSPAN information of the device Display the Switch A SwitchA show monitor sess num 1 ERSPAN Session span type ERSPAN_SOURCE ERSPAN Source device src intf ERSPAN Source port information GigabitEthernet 0 1 frame type Both status Active dest intf ERPSAN Output port information GigabitEthernet 0 2 orgin ip address 10 1 1 2 d...

Page 901: ...Configuration Guide ERSPAN Configuration ...

Page 902: ...Web based Configuration 1 Web based Configuration ...

Page 903: ...isabled Note To enable the Web services refer to the following section of The Typical Example of Web Management In order to authenticate the Web configuration by using the Enable method directly input the Enable password and no need to enter the user name for the authentication Enter the management IP address of the device in the address bar of the browser such as http 192 168 1 200 Press Enter to...

Page 904: ...elect a type of the languages and click Login to display the authentication dialog box Enter the user name and password in this dialog box Figure 1 2 Logon the authentication dialogue box If the authentication succeeds enter the main page of the Web management as follows ...

Page 905: ...ment platform Note If Web management is authenticated by using Enable directly enter Enable password and no need to enter the user name System Management Switch IP address Configuration Use the function through the menu Switch IP Setting The page of the switch IP address setting ...

Page 906: ...ication If you want to modify the IP address of a switch select the checkbox and click Modify to display the following configuration page Figure 1 5 Switch IP Address Modification Users can modify the IP address and subnet mask After modifying the corresponding parameters click Save to validate the configuration ...

Page 907: ...AN Management 1 VLAN management page Figure 1 6 VLAN management Configuration Description Enter this page to display the VLAN information of the current system Users can create delete and modify the VLAN but the default VLAN cannot be deleted Create Click New to display the following configuration page ...

Page 908: ...fied VLAN select the corresponding checkbox and then click Delete to validate the configuration Modify To modify the configured VLAN select the corresponding checkbox and then click Modify to display the following configuration page Figure 1 8 Modifying VLAN The VLAN information to be modified is displayed in the textbook After modifying the VLAN information click Save to validate the configuratio...

Page 909: ...e Figure 1 9 Specify the VLAN Configuration Description Specify the port mode and VLAN ID to be configured After all the ports are set click Save to validate the configuration Gateway Setting Use the function through the menu item Gateway Setting Gateway setting page ...

Page 910: ...ay when you open the page the IP address of the configured gateway is displayed in the textbox If you want to set a new gateway IP address enter the new one in the textbox and then click Save to validate the configuration Port Mirroring Use the function through the menu item Port Mirroring Port mirroring setting page Figure 1 11 Port mirroring setting ...

Page 911: ...ave to validate the configuration The monitoring port and the port to be monitored should not be the same one Click Delete Port Monitor to delete the configuration of port monitoring Rate Limiting on the Port Use the function through the menu item Rate Limiting on the Port Main page of setting rate limiting on the port Figure 1 12 Setting rate limiting on the port ...

Page 912: ...n multiple ports After the rate limiting value is set click Save to validate the setting The textbox should be null for the port without limiting the rate In order to cancel the rate limiting setting on all the ports click Cancel all Rate Limiting to validate the setting Aggregation Port Use the function through the menu item Aggregation Port Aggregation port setting page ...

Page 913: ...Description 1 Configuring the traffic balancing algorithm To configure the traffic balancing algorithm select the corresponding algorithm item and click Save to validate the configuration 2 Configuring the aggregation port To create an aggregation port click New to display the following interface ...

Page 914: ...guration If a member port belongs to other aggregation port then the check box in front of the member port can not be selected 3 Deleting the Aggregation port To delete an aggregation port tick the check box in front of the corresponding aggregation port and click Delete to validate the configuration Port Setting Use the function through the menu item Port Setting Port setting page ...

Page 915: ...he port to be configured and configure related parameters then click Save to validate the configuration If the selected parameter is not be supported by the device the corresponding paramter setting does not take effect DHCP Relay Use the function menu item through the DHCP Relay DHCP relay setting page ...

Page 916: ...ve to validate the configuration 2 Setting DHCP server Set the IP address for the DHCP server and then click Save to validate the configuration The configuration result is displayed in the following figure To delete the DHCP server tick the check box and click Delete to validate the configuration IGMP Snooping Use the function through the menu item IGMP Snooping IGMP Snooping setting page ...

Page 917: ...m this list If you select the mode svgl or ivgl svgl then you can set the parameters such as identification and the range of the IP addresses After the parameters are configured click Save to validate the configuration To disable the IGMP Snooping function Click the Disable option button and click Save to validate the configuration STP Setting Use the function through the menu item STP Setting The...

Page 918: ...anagement function select the Enable SNMP option button and configure the parameters such as the group name read write attribute Click Save to validate the configuration To disable the SNMP management function select the Disable SNMP option button and click Save to validate the configuration To delete the configured group name tick the check box of the entry to be deleted and click Delete to valid...

Page 919: ...and click Save to validate the configuration A port can be configured with multiple IP addresses of the gateway In order to delete the configured gateway tick the check box of the IP address of the gateway to be deleted and click Delete to validate the configuration Anti ARP Spoofing Use the Anti ARP Spoofing menu item to enable the function The anti ARP spoofing setting page ...

Page 920: ...ddress IP address binding select the port to be configured and configure the IP address and MAC address Click Save to validate the configuration If the selected port learns MAC address automatically the MAC address is displayed in the address textbox as shown in the figure above When you select the GigabitEthernet 0 15 port the textbox lists the MAC address learned by the port ...

Page 921: ...odifying the information of the security port In order to modify the information of the security port tick the check box of the port to be modified and click Modify to display the Modify security port page as shown below Figure 1 22 Security port modification After modifying related parameters click Save to validate the configuration If the port type is dynamic the type of the modified port change...

Page 922: ... ACL information interface is shown as the figure In order to view the detailed information of the specified ACL select the ACL from the ACL drop down list to display all ACEs of the ACL In order to delete an ACE tick the check box and then click Delete to validate the configuration In order to delete the whole ACL click Select All to select all ACEs and click Delete to validate the configuration ...

Page 923: ... standard access list ID or name IP address If you select the Specify IP address range option button enter the correct IP address The wildcard mask textbox is optional After the configuration is complete click Save to validate the configuration In order to configure the extended IP address access list click Configure extended IP address access list option button The following figure is the interfa...

Page 924: ... You can select the TCP UDP IP or ICMP protocol Source IP address You can select the Any source IP address or Specify IP address range option button The wildcard is optional Source port This parameter is optional Destination IP address You can select the Any source IP address or Specify IP address range option button The wildcard is optional Destination port This parameter is optional After the pa...

Page 925: ...e the configuration In order to delete the configuration of the port select the entry to be deleted and then click Delete to validate the configuration Note To configure the port connecting to the PC make sure that the ACL does not affect the interaction between the PC and device If the configuration is incorrect you cannot use Web to manage the device DHCP Snooping Use the function through the me...

Page 926: ...Configuration Guide Web based Configuration Figure 1 28 DHCP Snooping setting Configuration Description 1 DHCP Snooping setting ...

Page 927: ...owing figure To delete the trusted port tick the check box and click Delete to validate the configuration QoS Classification Setting Use the Classification Setting menu item to enable the function The following is the main page of classification setting Figure 1 29 Classification setting Configuration description After setting the classification name and ACL click Save to validate the configuratio...

Page 928: ...on name that is already set If the list is null no classification is set Go to the classification setting page to set the classification Bandwidth Enter the bandwidth value in the specified range Burst traffic Enter a value in the specified range depending on the prompt in the page When the bandwidth is beyond the specified range if the DSCP priority is specified enter a number in the specified ra...

Page 929: ...Delete to validate the configuration In order to delete the policy name while deleting the policy select all and click Delete to validate the configuration Traffic Setting Use the Traffic Setting menu item to enable the function Traffic setting page Figure 1 31 Traffic setting Configuration description Port Select the port to be configured Policy list Select the policy applied in the port If the l...

Page 930: ...delete the configuration of the port tick the check box of the entry to be deleted and then click Delete to validate the configuration System Status System Information Use the System Information menu item to enable the function System information page Figure 1 32 System information Current Configuration Use the Current Configuration menu item to enable the function Current configuration page ...

Page 931: ...Configuration Guide Web based Configuration Figure 1 33 Current configuration Port Status Use the Port Status menu item to enable the function Port status page ...

Page 932: ...figuration Guide Web based Configuration Figure 1 34 Port status Port Status Use the Port Running Status menu item to enable the function Port running status page Figure 1 35 Figure 35 Port running status ...

Page 933: ...ics Use the Port Statistics Information menu item to enable the function Port statistics information page Figure 1 36 Port statistics information Showing the Log information Use the Log Information menu item to enable the function System log information page ...

Page 934: ...iguration Guide Web based Configuration Figure 1 37 Showing system log information System Maintenance Ping Use the Ping menu item to enable the function Ping page Figure 1 38 Ping Configuration description ...

Page 935: ...onse after Ping times out Telnet Use the Telnet menu item to enable the function Telnet page Figure 1 39 Telnet Configuration Description Click the Telnet menu item to enable the Telnet function directly If the PC does not enable the Telnet service enable it first User Management Use the User Management menu item to enable the function User management page ...

Page 936: ... 1 41 Adding the users Enter the user name and password and then click Save to validate the configuration After the configuration succeeds the new user is displayed in the User management page Delete Tick the check box of the user to be deleted and click Delete The selected user is deleted Modify Tick the check box of the user to be modified and click Modify to display the following configuration ...

Page 937: ...odified user is displayed in the User management page Note If the deleted or modified user name is the login user name an authentication dialog box is displayed Use other user name or the modified user name to re authenticate If the current system has only one user name the user name cannot be deleted Password Setting Use the Password Setting menu item to enable the function Password setting page ...

Page 938: ...1 Modifying the password of Enable In order to modify the password of Enable enter the new password and then click Save to validate the configuration The following dialog box is displayed Figure 1 44 Login authentication dialog box Use the new password to log in 2 Modifying the Telnet login password ...

Page 939: ...o enable the function Import Export configuration page Figure 1 45 Import Export configuration Configuration description In order to import or export the config text file in the switch enter the IP address and file name of the TFTP server and click Save to validate the configuration Web Port Setting Use the Web Port Setting menu item to enable the function Web port setting page Figure 1 46 Web Por...

Page 940: ...168 1 1 System Upgrade Use the System Upgrade menu item to enable the function System upgrade page Figure 1 47 Upgrade system Configuration description In order to upgrade the system make sure that the TFTP server is enabled The source file name is the name of the file to be upgraded on the TFTP server and the target file name is the name of the file after the upgrade Enter the IP address of the T...

Page 941: ...ig mode Ruijie configure Enter configuration commands one per line End with CNTL Z b Enable the Web service Ruijie config enable service WEB server c Configure the login authentication method for Web management to Local Ruijie config ip http authentication local d Configure the local user name class 15 users and password Ruijie config user name admin password admin Ruijie config user name admin pr...

Page 942: ...fication 1 Perform login authentication in the Local method Ruijie config show running config Building configuration Current configuration 2014 bytes version RGOS 10 2 4 Release 55435 Wed May 13 11 50 07 CST 2009 ngcf32 vlan 1 user name admin password admin User name and password of authentication for WEB management user name admin privilege 15 The Web management users must be in class 15 no servi...

Page 943: ...figuration 2014 bytes version RGOS 10 2 4 Release 55435 Wed May 13 11 50 07 CST 2009 ngcf32 vlan 1 no service password encryption enable password admin The password authentication for Web management adopts Enable enable service Web server Enable the Web service interface VLAN 1 ip address 192 168 100 1 255 255 255 0 IP address for management of the device no shutdown line con 0 line vty 0 4 login ...

Reviews:

No comments

Related manuals for RG-S2900G-E Series

TAMS 1800 Series Installation & Operation Manual preview
1800 Series
Brand: TAMS Pages: 28
D-Link DUB-H4 - Hub - USB Installation Manual preview
DUB-H4 - Hub - USB
Brand: D-Link Pages: 4
D-Link DSS-16+ Quick Install Manual preview
DSS-16+
Brand: D-Link Pages: 2
NEC 2400 Integration Manual preview
2400
Brand: NEC Pages: 168
A SYSTEMS AV50 User Manual preview
AV50
Brand: A SYSTEMS Pages: 16
Patton electronics 6511RC User Manual preview
6511RC
Brand: Patton electronics Pages: 104
CoolGear USBBG-12U2ML Installation Manual preview
USBBG-12U2ML
Brand: CoolGear Pages: 2
NETGEAR ProSafe GS104 Installation Manual preview
ProSafe GS104
Brand: NETGEAR Pages: 8
AdLuminis 324002 Quick Start Manual preview
324002
Brand: AdLuminis Pages: 8
Dahua PFS3005-5ET-V2 Quick Start Manual preview
PFS3005-5ET-V2
Brand: Dahua Pages: 17
Enterasys SecureStack C3K-2XFP IOM Hardware Installation Manual preview
SecureStack C3K-2XFP IOM
Brand: Enterasys Pages: 72
Vega VEGAWAVE S 61 Operating Instructions Manual preview
VEGAWAVE S 61
Brand: Vega Pages: 44
Extreme Networks ExtremeSwitching SLX 9540 Hardware Installation Manual preview
ExtremeSwitching SLX 9540
Brand: Extreme Networks Pages: 108
TP-Link Tapo S210 User Manual preview
Tapo S210
Brand: TP-Link Pages: 28
Digitronic CamCon DC30 User Manual preview
CamCon DC30
Brand: Digitronic Pages: 24
EtherWAN EX17162A Installation Manual preview
EX17162A
Brand: EtherWAN Pages: 2
EtherWAN EX19164A Installation Manual preview
EX19164A
Brand: EtherWAN Pages: 2
Allen-Bradley 105-C09 Series Installation Instruction preview
105-C09 Series
Brand: Allen-Bradley Pages: 2

Brands by name

Popular brands

Load more brands