Back

Compare Products

Hide

Clear All

VS

Home> Support> Downloads>

S86E Implementation Cookbook V1.1

2017-02-01 View:
11.x项目配置指南模板

Installation and Device Management

1.1      System Management

1.1.1     Console Management

 

.

l  Cables

consolecable , USB to RS232 cable

l  loginthe device

Openyour software Putty, set baud rate to 9600


After systemprompts "Ruijie>", you can start your configuration

1.1.2     Telnet Management

I. Network Topology

 

 

II. ConfigurationSteps

1.      console connect todevice and set passwords

2.     set ip and gateway

ruijie(config)#interfacevlan 1

ruijie(config-if-VLAN1)#ip address 192.168.1.1 255.255.255.0

ruijie(config)#ip route0.0.0.0 0.0.0.0 192.168.1.2

3.     set telnet password

ruijie(config)#line vty 0 4

ruijie(config-line)#password ruijie

4.     set enable password

Ruijie(config)#enable password ruijie

 

III. Verification

Telnet 192.168.1.1

 

Input telnetpassword

 

Input enablepassword

1.1.3     SSH Management

I. Network Topology

 

II. ConfigurationSteps

1.     enable SSH service

Ruijie#configure terminal    

Ruijie(config)#enable service ssh-server    

 

2.     generate key

Ruijie(config)#crypto key generate dsa        

Choose the size of the key modulus in the range of 360 to2048 for your Signature Keys. Choosing a key modulus greater than 512 may takea few minute

How many bits in the modulus [512]:                 //press enter

% Generating 512 bit DSA keys ...[ok]

 

3.     configure IP address

Ruijie(config)#interface gigabitEthernet 0/0       

Ruijie(config-if-GigabitEthernet 0/0)#ip address 192.168.1.1255.255.255.0      

Ruijie(config-if-GigabitEthernet 0/0)#exit    

 

Solution 1password login

Ruijie(config)#line vty 04                                           

Ruijie(config-line)#login     

Ruijie(config-line)#password ruijie         

Ruijie(config-line)#exit      

Ruijie(config)#enable password  ruijie        

Ruijie(config)#end         

Ruijie#write         

 

Solution 2: username & password login

Ruijie(config)#line vty 0 4            

Ruijie(config-line)#login local           

Ruijie(config-line)#exit   

Ruijie(config)#username admin password ruijie       

Ruijie(config)#enable password ruijie     

Ruijie(config)#end         

Ruijie#write   

 

III. Verification

check SSHservice

 

check SSHservices

 

show users

1.1.4 Creating a ManagementIP Address

Creating aManagement IP Address

The SVI and routerport address can be used as the management address of the layer 3 switch.

Layer 3 Switch:

The address of alayer-3 switch can be configured for management or communication, for example,as the gateway for a user.

ConfigurationMethod 1:

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 192.168.1.1255.255.255.0

Ruijie(config-if-VLAN 10)#end

Ruijie#write

Note: To configure the address for VLANs otherthan VLAN 1 in interface configuration mode, create the corresponding VLANfirst; otherwise, a failure prompt is displayed.

 

Configuration Method2:

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#int GigabitEthernet 1/1

Ruijie(config-if-GigabitEthernet 1/1)#no switchport------>configurethe port as layer 3 port before configuring ip address

Ruijie(config-if-GigabitEthernet 1/1)#ip add 192.168.16.1255.255.255.0

Ruijie(config-if-GigabitEthernet 1/1)#end

Ruijie#write------>save configuration after checking.

 

Verification

Ruijie#show ip int brief

Interface           IP-Address(Pri)          IP-Address(Sec)       Status        Protocol

GigabitEthernet 1/1       192.168.16.1/24        noaddress          up          up

VLAN 10                  192.168.1.1/24         noaddress          up          up

VLAN 100                 192.168.100.1/24     192.168.10.1/24      up          up

1.1.5 Configuring a DefaultGateway

Note: The default gateway of a layer 3 switch is provided bystatic routing. A device can also learn network routing through a dynamicrouting protocol so as to implement remote management. For the configurationspecification of other routing protocols, see IP Route (for theconfiguration method, see Common Function Configuration > IP Route).

Configuring theDefault Gateway of a Switch

Configure thedefault gateway, that is, default route, of a layer 3 switch.

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254------>configuredefault gateway of switch as 192.168.1.254

Ruijie(config)#end

Ruijie#write------>save configuration after checking.

 

Verification

Ruijie#show ip route

Codes:C - Connected, L - Local, S - Static

R - RIP, O - OSPF, B - BGP, I - IS-IS, V - Overflow route

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type2

E1 - OSPF external type 1, E2 - OSPF external type 2

SU - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

IA - Inter area, * - candidate default

Gateway of last resort is 192.168.1.254 to network 0.0.0.0

S*  0.0.0.0/0 [1/0] via 192.168.1.254

 

1.2       Firmware Upgrade

Overview

Two upgradepackages are available to 11.X switches, namely rack package and patch package.

A rack packagecontains main installation packages of the supervisor module and all line cardsand is used to upgrade all line cards on a rack device at one time.

A hot patch packagecontains hot patches for several functional components and is generally used tofix minor bugs. The functional component package can be patched by upgradingthe hot patch package. After the upgrade, the device can immediately have newfeatures without being restarted.

Both the rackpackage and the hot patch package are upgraded with their configurations saved.

 

 

Notes(Must-Read)

The difference between an 11.X box-type switch and arack-type switch lies in that the former restarts after the upgrade command isrun while the latter restarts after the reload command is run.

Ruijie#upgrade flash:S2910_RGOS11.4(1)B1_02162700_install.bin

Upgrade the device must be auto-reset after finish, are yousure upgrading now?[Y/N]y

 

Upgrade in theRunning Mode

Rack PackageUpgrade Using a USB Flash Disk

Notes

1. To fix softwarebugs or get new features, upgrade the switch software version in the runningmode.

2. A USB flash diskis recommended for 11.X switch upgrade because the installation package is bigand upgrade using other methods is slow. Upgrade with a USB flash disk is easyand quick.

3. The CMsupervisor module only has a capacity of 512 MB. Therefore, the rack packagecan be directly upgraded only with a USB flash disk.

4. If the CMsupervisor module has a capacity of 1 GB, upgrade the device by copying theinstallation package from TFTP to the installation partition as well as byusing a USB flash disk. Run the dir install: command to view thecorresponding drive.

5. If the CMIIsupervisor module has a large capacity, upgrade the device by copying theinstallation package from TFTP to the data partition as well as using a USBflash disk. Run the dir flash: command to view the corresponding drive.

 

Patch PackageUpgrade Using a USB Flash Disk

Notes

1. To fix softwarebugs or get new features, upgrade the switch software version in the runningmode.

2. A hot patchpackage contains hot patches for several functional components and is generallyused to fix minor bugs. The functional component package can be patched byupgrading the hot patch package. After the upgrade, the device can immediatelyhave new features without being started.

3. There is abaseline version for the patch package upgrade. Upgrade the device to thecorresponding baseline version before upgrading the patch package. The devicemay be upgraded compulsively to the corresponding baseline version but it maycause version incompatibility. Therefore, compulsive upgrade is not advised.

4. To permanentlyactivate patches, run the patch active command to temporarily activatethe patch before running the patch running command.

 

1.2.2 Upgrade with USB Drive

I. Configuration Tips

Run the show version detail commandto display the current version, that is, system software number.

Verify the upgrade file used by checking Release Notes.

Copy the upgrade file from the PC to the root directoryof the USB flash drive.

Insert the USB flash drive to the USB port of thesupervisor engine. The USB flash drive is automatically identified.

Note: Before removing the USB flash drivefrom the switch, run the show usb command to check the USB ID, and then run theusb remove xx command to remove the USB flash drive.

II. ConfigurationSteps

1.     On CLI, run the upgradecommand.

Ruijie#dir usb0:  Checks whether the upgrade file exists onthe USB flash drive.

Ruijie#upgrade usb0: /xxxxx_install.bin  (xxxx_install.bin isthe upgrade file copied to the USB flash drive)

 

2.      Wait until the upgradeprogress reaches 100%, or run the show upgrade status command to check theupgrade progress.

Ruijie#show upgrade status

 

3.     Wait until the upgradeprocess of all the line cards, FE cards, and supervisor engines reaches 100%and the result is success, run the reload command to restart the device. (Theentire upgrade process generally takes four to five minutes and does not affectservices. In this operation, the Flash file on the line card is upgraded, butthe earlier version still runs on the memory.) After the device is restarted,the new version runs.

 

4.     Wait three to fiveminutes until the device is restarted.

 

III. Verification

Ruijie#show version detail

1.2.3      Upgrade with FTP

 

Run the showversion detail command to display the current version, that is, system softwarenumber.

 

Verify the upgradefile used by checking Release Notes.

II. ConfigurationSteps

1.     Start the FTP server onthe device, and designate the root directory as the USB0 root directory. (Thespace on the built-in Flash of CMI is small, and may be insufficient forstoring the upgrade file. The CMII can be specified as the Flash root directory.),the reference commands are as follows:

Ruijie(config)#ftp-server username admin

Ruijie(config)#ftp-server password ruijie

Ruijie(config)#ftp-server topdir usb0: /                 //The USBflash drive must be installed in advance on the main engine.

Ruijie(config)#ftp-server timeout 300

Ruijie(config)#ftp-server enable

 

2.     The local PC serves asthe FTP client. Start the client software (such as FLASHFTP) and connect to theFTP server (N18K). Ensure that the PC can communicate properly with the S86E.

 

3.     Use the FTP client onthe PC to load the upgrade file to the FTP server.

 

4.     Run the upgrade command.(The subsequent procedures and methods are the same as those in the USB upgrademode.)

The only differencebetween the FTP and USB onsite upgrade modes lies in the file transfer mode. InFTP upgrade mode, the upgrade file is transferred to the remote device throughFTP to meet the remote upgrade requirement. In USB onsite upgrade mode, theupgrade file is directly copied from a PC to the USB flash drive.

 

The subsequentupgrade method is the same. That is, run the upgrade command to update the fileand then restart the device to finish the upgrade.

1.2.4      Upgrade with TFTP

Run the show versiondetail command to display the current version, that is, system software number.

 

Verify the upgrade fileused by checking Release Notes.

 

I. ConfigurationSteps

1. Start the TFTPserver on the PC and specify the directory of the upgrade file. Ensure that thePC communicates properly with the S86E.

 

2. The S86E servesas the TFTP client. The upgrade method is the same as that in the common TFTPupgrade mode. Copy the upgrade file to the USB flash drive on the CMI, or tothe built-in Flash on the CMII.

Ruijie#copy tftp://192.168.1.1/S86e_install.bin usb0://S86e_install.bin

 

4.     Run the upgrade command.(The subsequent procedures and methods are the same as those in the USB upgrademode.)

The only differencebetween the TFTP and USB onsite upgrade modes lies in the file transfer mode.In TFTP upgrade mode, the upgrade file is transferred to the remote devicethrough TFTP to meet the remote upgrade requirement. In USB onsite upgrademode, the upgrade file is directly copied from a PC to the USB flash drive.

 

The subsequentupgrade method is the same. That is, run the upgrade command to update the fileand then restart the device to finish the upgrade.

 

The TFTPtransmission rate is lower than the FTP transmission rate. Data is transmittedusing TCP in FTP mode, and using UDP in TFTP mode. TFTP is simple and easy touse.

1.2.5      Install Patch

1. 11.X is amodular OS and the bug of a software function can be fixed by using a patch.After the patch is installed, the device can fix the bug and can run normallywithout being restarted. This OS is applicable to the scenario that imposesrigid requirements on the network interruption time during maintenance.

 

2. A patch is inthe uninstalled, installed, or activated state, where:

 

The installed stateindicates that the patch is installed on the memory of the device but the pathfunction does not take effect yet.

 

Only a patch in theactivated state takes effect.

 

I. ConfigurationSteps

1. Install a patch.

Copy the path fileto a USB flash drive, and run the upgrade command to install the path.Thereference command is as follows:

Ruijie#upgrade usb0: /N18K-octeon-cm_RGOS11.0(1b2)_20140708_patch.bin

 

2. Activate apatch.

The referencecommand is as follows:

Ruijie#patch active slot all

Ruijie#patch running slot all

Note: active meansthat the patch is currently effective and is ineffective after the device isrestarted. running indicates that the patch is effective permanently.

 

3.     Display the patchstatus.

The referencecommand is as follows:

Ruijie#show patch slot all

1.3       Restore Password

I. Configuration Tips

1.Prepare console cable before recovering

2.Password recovery require system rebooting and network downtime

3.Improper operation may cause config file lost.

 

II. ConfigurationSteps

1.     connect console cable tothe switch

 

2.     Refer to chapter systemmanagement>console management

1)     manually reboot the switch

 

2)     Press Ctrl+C when systemrebooting

 

3)      Press CTRL + to enter uboot CLI mode

 

4)     then system will rebootautomatically

 

5)     At this moment, nopassword is required to enter CLI

Note: The passwordis reset just temporarily .Once you quit privilege mode, password is requiredagain. You have to reset the password quickly.

 

6)     Reset new password

 

7)     Verify new password

Login with the newpassword

11.x项目配置指南模板

Configuration Guide

2.1      Initialization

2.1.1      Overview (Must Read)

For Standardizationreason, we strongly suggest you to initialize every new switch following thesteps below:

1. Hostnamemandatory)

2. Access a devicemandatory , see Chapter Installation and DeviceManagement --->System Management) 

2.1. Assignmanagement IP addressmandatory)

2.2. Set defaultgatewayoptional for layer 3 switchbut mandatory for layer 2 switch)

2.3. Telnetoptional)

2.4. SSHrecommended)

2.5. Web Userinterfaceoptional)

3. Logmandatory , and choose one)

3.1. Record log toFLASHrecommended)

3.2. Send log toserverrecommended)

4. Clockmandatory , and choose one)

4.1. Local clockrecommended)

4.2. NTPrecommended)

5. Configuring aportmandatory)

5.1. Portdescriptionmandatory)

5.2. Speed, duplexand flowcontrol (optional)

5.3. Combo portoptional)

5.4. ACCESS orTRUNK port (mandatory)

5.5. Storm controlrecommended)

6. SNMPrecommended)

6.1. SNMPV1/V2recommended)

6.2. SNMPV3recommended)

7. SPANoptional)

7.1. Many to onemirrorOptional)

7.2. One to manymirrorOptional)

7.3. Flow-basedmirrorOptional)

2.1.2      Hostname

Configuring Hostname

By default, system name is "Ruijie mostly, theexample shows how to configure the system name:

Ruijie>en

Ruijie#configure terminal

Ruijie(config)#hostname Switch           ------>changename to "Switch"

Switch(config)#end

Switch#write                                        ------>saveconfiguration

NoteWe suggest you to name a switch with these information physicallocation(AA), network location(BB) ,model(CC),serial number(DD), and the formatis (AA_BB_CC_DD) , for example:

Ruijie(config)#hostname WLZX_Core_S8610_1

WLZX_Core_S8610_1(config)#

 

Verifying

Switch#show run

Building configuration...

Current configuration : 34129 bytes

 

version NOS_11.0_4_21

hostname hostname Switch

 

 

2.2       Log

2.2.1      Copying log to FLASH

I. Requirements

1. Copy logs with a severity higher thandebugging in the flash ,then set size of each log file to 128Kbytes.

2. Set size of log buffer to 128Kbytes.

3. Record action when user logs in andoperates.

4. Add system name , sequence number andtime stamps to each log entry.

 

II. Network Topology

 

III. Configuration Tips

System doesn't copy logs from buffer to flashonce finishing configuration, andit costs about half an hour to copy logs from buffer to flash , or the log bufferexceeds.

 

IV. ConfigurationSteps

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#logging file flash:syslog 6            ------>setlog file name to "syslog" and system copies all logs with severityfrom 0 to 6 to flash

Ruijie(config)#logging file flash:syslog 131072 ------>setsize of each log file in flash to 128K

Ruijie(config)#logging buffered 131072            ------>setlog buffer size to 128K

Ruijie(config)#logging userinfo                          ------>recordactions when user logs in

Ruijie(config)#logging userinfo command-log   ------>recordactions when user operates commands

Ruijie(config)#service sysname                          ------>addsystem name to each log entry

Ruijie(config)#service sequence-numbers          ------>addsequence number to each log entry

Ruijie(config)#service timestamps                     ------>addtime stamps to each log entry

Ruijie#wr

NoteWe suggest you to set log buffer sizeto 128K because the buffer size is too small by defaut.

If the 1st log file is full , system copieslogs to 2nd log file , then the 3th log file ……there're 16 log files at most inthe same time , and if all 16 log files are full ,the new log entry overwritesthe old one , so Log file never takes up the whole flash room.

Enter "more flash:xxx" privilegeEXEC command to display log entries and "delete flash:xxx" privilegeEXEC command to delete log file in flash.

 

v. Verification

1. This example shows how to display logs inbuffer

 

2. Enter "dir" privilege EXECcommand to check log files in flash

 

3. This example shows how to display logs inflash

 

4. Enter "clear logging" privilegeEXEC command to clear logs in buffer

 

 

2.2.2      Copying log to Server

I. Requirements

Copy logs with severity from 0 to 7 tosyslog server.

 

II. Network Topology

 

III. Configuration Tips

Timestamps and sequence number features must be enabledbefore system copys logs to log server

 

IV. ConfigurationSteps

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#service sequence-numbers          ------>enablesequence number

Ruijie(config)#service timestamps                     ------>enabletimestamps

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

Ruijie(config-if-VLAN 1)#exit

Ruijie(config)#logging server 192.168.1.2          ------>specifylog server IP address

Ruijie(config)#logging source ip 192.168.1.1     ------>specifyIP address on switch to communicate with log server

Ruijie(config)#logging trap 7        ------>copyall logs(severity from  0 to 7) to log server

Ruijie(config)#end

Ruijie#wr

 

V. Verification

This example shows how to verify the logs ina syslog server using "Kiwisyslog"

 

2.2.3     Log Filtering

Scenario

By default, the log information generated onthe system can be output to various destinations. You can use the log filteringfunction to display required log information.

Features

1        The administrator can choose to hide some typesof log information as required.

2        Generally, log information of all modules isdisplayed on the console or terminal. You can set log filter rules to enablelog information printing on designated terminals or print only certain types oflog information on designated terminals.

3        Two types of log information filtering aresupported, including "contain only..." and "filteronly...". Only one type of filtering is supported.

Working Principles & ConfigurationDetails

Log filtering configuration mainly covers thefilter rules, filter direction, and filter mode. During the configurationprocess:

1        If only the filter direction and filter mode areconfigured, the configuration does not take effect and log information is notfiltered.

2        If only the filter rule is configured, theconfiguration takes effect. Log information in all directions is filtered andthe filter mode is filter only.

1) Filter rule: sets the rule for filteringlog information in global mode. Exact match and singular match are supported.

Filter rule in exact match mode: loggingfilter rule exact-match [ module module-name mnemonic mnemonic-name level level]

Filter rule in singular match mode: loggingfilter rule single-match [ level level | mnemonic mnemonic-name | modulemodule-name ]

Parameter description

exact-match      Indicatesan exact-match filter based on all three filter options. In exact match mode,all three filter options, including log module name (module module-name), loglevel (level level), and mnemonic character (mnemonic mnemonic-name), must beselected.

single-match      Indicatesa single-match filter based on all three filter options. In exact match mode,all three filter options, including log module name (module module-name), loglevel (level level), and mnemonic character (mnemonic mnemonic-name), must beselected.

module module-name        Indicatesthe name of the module about which the log information is to be filtered.

mnemonic mnemonic-name       Indicates the name of the mnemonic character for which thelog information is to be filtered.

level level  Indicatesthe log level to be filtered.

 

Tips

1.      In some scenarios, you may want to filter out certain types of loginformation. You can use the exact match mode and specify the module name,mnemonic character name, and log level in configuring the filter rule.

2.      In some scenarios, you may want to filter out some types of loginformation. You can use the single match mode and specify the module name,mnemonic character name, or log level in configuring the filter rule.

3.      If the configuration of the module name, mnemonic character name, orlog level in a single-match filter rule is the same as that in an exact-matchfilter rule, the single-match filter rule is assigned with higher priority thanthe exact-match filter rule.

Configuration example

1. Set the filter rule to exact match, modulename to LOGIN, log level to 5, and mnemonic character to LOGOUT.

Ruijie(config)# logging filter ruleexact-match module LOGIN mnemonic LOGOUT level 5

2. Set the filter rule to single-matchand module name to SYS.

Ruijie(config)# logging filter rulesingle-match module SYS

 

FAQs

1. To filter logs 046188: *Aug 13 08:36:16: 401-C1&D1-RG-N18010%SPANTREE-6-RCVDTCBPDU: (*2/M1) Received tc bpdu on port AggregatePort 256 onMST0

Command: ruijie(conifg)#logging filter ruleexact-match module SPANTREE mnemonic RCVDTCBPDU level 6

2. To filter logs *Jul 30 12:35:51: %SNMP-3-AUTHFAIL:Authentication failure for SNMP req from host 185.94.111.1

Command: ruijie(conifg)#logging filter ruleexact-match module SNMP mnemonic AUTHFAIL level 3

3. To filter logs %PARAM-6-CONFIG_SYNC: Sync'ingthe startup configuration to the standby supervisor

Command: ruijie(config)#logging filter ruleexact-match module PARAM mnemonic CONFIG_SYNC level 6

 

2) Filter direction: sets the direction forfiltering log information in global mode.

logging filter direction { all | buffer |file | server | terminal }  //By default, the filter direction is set to all,that is, to filter log information in all directions.

default logging filterdirection                      // The filter direction for the log informationrestoration command is all.

 

Parameter description

         all          Indicates to filter loginformation in all directions, including the console, virtual type terminal(VTY), log buffer area, log file, and log server.

         buffer        Indicates to filterlogs sent to the log buffer area, that is the logs configured in the showlogging command.

         file    Indicates to filter the logssent to the log files.

         server       Indicates to filter thelogs sent to the log server.

         terminal     Indicates to filterlogs sent to the console and VTY (including via Telnet and SSH).

Tips

1.Generally, you may filter the logs meetingthe filter rule in all directions (including to the console, VTY terminal, logbuffer area, log file, and log server) after the log filter function isconfigured. In some cases, you may want to filter logs only for certaindestinations. For example, you may need the logs filtered out for the terminalon the log file or log server. In these cases, you need to set log filter rulesfor the terminal direction.

2. You can set the filter direction tomultiple destinations by separating each other with a vertical line"|" or only one destination.

 

3) Filter type: sets the log informationfilter type.  The configuration takes effect globally.

logging filter type { contains-only |filter-only }  //The default value is filter-only, indicating that onlyfilter is used.

 

Parameter description

         contains-only     Indicates thatonly logs containing keywords specified in the filter rule are output.

         filter-only  Indicates that logscontaining keywords specified in the filter rule are filtered out and notoutput.

 

Tips 

1. In some scenarios, a module may output toomuch log information that it may causes screen downpour on the terminal withfew valuable information being displayed. In this case, you can use thefilter-only mode to filter out undesired log information.

2. In some scenarios, you may want to checkwhether a certain type of log information is generated only. In this case, youcan use the contain-only mode to output logs matching the filter rule to theterminal for observation.

3. In actual application, the two filtermodes are mutually exclusive. Choose one filter mode only.

 

Configuration example

[Example 1]

[Requirement]

Assume there are following log informationfiltering requirements on the live network:

1. Set the filter direction to terminaland server.

2. Set the filter mode to filter-only.

3. Set the filter rule to single-matchand module name to SYS.

2. Set the filter mode to filter-only.

3. Set the filter rule to single-matchand module name to SYS.

3. Set the filter rule to single-matchand module name to SYS.

[Configuration method]

Configure log information filter on the system.

Ruijie# configure terminal

Ruijie(config)# logging filter direction server

Ruijie(config)# logging filter direction terminal

Ruijie(config)# logging filter type filter-only

Ruijie(config)# logging filter rule single-match module SYS

 

[Verification method]

1. Run the show running-config | includelogging command to check the parameter configuration.

2. Check the output log information on thesystem by entering and quitting the global configuration mode

Ruijie#configure

Enter configuration commands, one per line. End with CNTL/Z.

Ruijie(config)#exit

.

2.3       Clock

2.3.1      Local Clock

I. Requirements

System time plays a very important role fortroubleshooting and logs .We suggest you to deploy local clock to a scenario inwhich there're only a few nodes with a small maintenance.

 

II. ConfigurationSteps

Ruijie>enable 

Ruijie#configure terminal                       ------>enterglobal configuration mode

Ruijie(config)#clock timezone beijing 8  ------>settimezone to UTC +8

Ruijie(config)#exit

Ruijie#clock set 18:00:00 12 3 2013     ------>setclock in format "hh:mm:ss month day year"

Ruijie(config)#end

Ruijie#write                                           ------>doubleconfirm and save configuration

 

III. Verification

Ruijie#show clock                                                  

18:01:03 beijing Tue, Dec 3, 2013

2.3.2      NTP

Overview

 

Network Time Protocol (NTP) is designed for timesynchronization on network devices. A device can synchronize its clock sourceand the server. Moreover, the NTP protocol can provide precise time correction(less than one millisecond on the LAN and dozens of milliseconds on the WAN,compared with the standard time) and prevent from attacks by means ofencryption and confirmation.

To provide precise time, NTP needs precise time source,the Coordinated Universal Time (UTC). The NTP may obtain UTC from the atomclock, observatory, satellite or Internet. Thus, accurate and reliable timesource is available.

To prevent the time server from malicious destroying,an authentication mechanism is used by the NTP to check whether the request oftime correction really comes from the declared server, and check the path ofreturning data. This mechanism provides protection of anti-interference.

Ruijie switches support the NTP client and server. Thatis, the switch can not only synchronize the time of server, but also be thetime server to synchronize the time of other switches. But when the switchworks as the time server, it only support the unicast server mode.

 

I. Requirements

Switch synchronizes system clock to NTPServer in order to keep system clock more accurate.

 

II. Network Topology

 

III. Configuration Tips

1. Basic network routes setting

2. (Optional)Configuring a switch as NTPServer

3. Configuring a switch as NTP client

4. (Optional)Specifying a interface onswitch to communicate with NTP Server

 

IV. ConfigurationSteps

NTP configuration without authentication

1. Basic network routes setting

Ensure that NTP client can communicate withthe NTP server

 

2. (Optional) Configuring a switch as NTPServer

Note

Mostly NTP server is a particular serverrather than a switch in production network. This example shows how to configurea switch as a NTP server:

Ruijie(config)#ntp master   

 

3. Configuring a switch as NTP client

Ruijie(config)#ntp server 192.168.2.1   ------>setNTP server IP address

Ruijie(config)#ntp update-calendar     ------>allowsystem to save clock in hardware even power interruption

 

4. (Optional) Specifying a interface onswitch to communicate with NTP Server

Ruijie(config)#ntp server 192.168.1.2 source loopback 0   ------>specify interface loopback 0 to communicate with NTP Server

 

NTP configuration with authentication

1. Basic network routes setting

Ensure that NTP client can communicate withthe NTP server

 

2. (Optional) Configuring a switch as NTPServer

Note

Mostly NTP server is a particular serverrather than a switch in production network. This example shows how to configurea switch as a NTP server and how to configure NTP authentication on a switchNTP Server

 

Ruijie(config)#ntp master   

Ruijie(config)#ntp authenticate    ------>enable NTPauthentication

Ruijie(config)#ntp authentication-key 6 md5 ruijie     ------>NTPkey id is "6" , and password is "ruijie"

Ruijie(config)#ntp trusted-key 6    

 

3. Configuring a switch as NTP client

Ruijie(config)#ntp update-calendar      ------>allowsystem to save clock in hardware even power interruption

Ruijie(config)#ntp authenticate    ------>enableNTP authentication

Ruijie(config)#ntp authentication-key 6 md5 ruijie     ------>NTPkey id is "6" , and password is "ruijie"

Ruijie(config)#ntp trusted-key 6  

Ruijie(config)#ntp server 192.168.2.1 key 6    ------>applykey id 6 to corresponding NTP server 192.168.2.1

 

4. (Optional) Specifying a interface onswitch to communicate with NTP Server

Ruijie(config)#ntp server 192.168.1.2 source loopback 0       ------>specifyinterface loopback 0 to communicate with NTP Server

 

V. Verification

1. This example displays the clock on NTPserver

 

2. This example displays the clock on NTPclient before synchronization

 

3. This example displays NTP status on NTPclient before synchronization

 

4. System returns a message aftersynchronizing successfully:

*Mar 12 10:55:04: %SYS-6-CLOCKUPDATE: Systemclock has been updated to 10:55:04 UTC Tue Mar 12 2013.

This example displays NTP status on NTPclient before synchronization

 

 

2.4       Configuring a Layer 2 Port

2.4.1 Port Description

Function Overview

Port description is very important for dailymaintenance and trouble shooting. We suggest you to use the format "Link-peername-peer port" to define port description. For example:

Ruijie(config-if-GigabitEthernet 0/1)#description Link-to-WLZX_Core_S8610_1-G1/2

 

I. ConfigurationSteps

Configuring port description on G0/1

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#descriptionLink-to-Core-S8610_1-G2/3

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

II. Verification

Ruijie#show interfaces description

Interface                Status   Administrative Description

------------------------ -------- -------------- -----------

GigabitEthernet 0/1      down     up            Link-to-Core-S8610_1-G2/3

GigabitEthernet 0/2      down     up            

GigabitEthernet 0/3      down     up    

  

2.4.2 Speed, Duplex and Flowcontrol

Overview

By default, speed and duplex negotiateautomatically. You can also set speed and duplex manually to ensure that bothends of a link have the same speed and duplex .Usually we keep the defaultsetting for flow control.

 

I. ConfigurationSteps

In the following example, the"speed" config-interface command with the keyword 100 is used tomanually set speed on Giga0/24 to 100M

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#int gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#speed 100

Ruijie(config-if-GigabitEthernet 0/24)#end

Ruijie#write   

 

In the following example, the"duplex" command config-interface with the keyword full is used tomanually set duplex on Giga0/24 to full duplex

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#int gigabitEthernet 0/24

Ruijie(config-if-GigabitEthernet 0/24)#duplex full   

Ruijie(config-if-GigabitEthernet 0/24)#end

Ruijie#write

 

This example shows how to disable flowcontrol feature on Giga0/1

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#flowcontrol off

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#write

 

NoteBydefault flow control feature is enabled, but different switches vary,and you can enter "show interface" privilege EXEC command toverify.

 

II. Verification

This example shows how to display interfacestatus including duplex and speed.

2.4.3 Combo Port

I. ConfigurationSteps

Following example shows how to convert combo mode onGiga0/23 to fiber

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/23

Ruijie(config-if-GigabitEthernet 0/23)#medium-type fiber   ------>convertcombo mode to fiber

Ruijie(config-if-GigabitEthernet 0/23)#end

Ruijie#write    ------>confirm and save

 

Following example shows how to convert combo mode onGiga0/23 to copper

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/23

Ruijie(config-if-GigabitEthernet 0/23)#medium-type copper     ------>convertcombo mode to copper

Ruijie(config-if-GigabitEthernet 0/23)#end

Ruijie#write   

 

II. Verification

1. To display combo mode status , enter"show interface status" privilege EXEC command

Ruijie#show interfaces status

Interface                        Status    Vlan    Duplex  Speed     Type 

-------------------------------- --------  ------  ------- --------- ------

GigabitEthernet 0/22             down      1       Unknown Unknown   copper

GigabitEthernet 0/23             up        1       Full    1000M     fiber

GigabitEthernet 0/24             down      1       Unknown Unknown   copper

 

2. This example shows how to display thetransceiver information of Giga0/23

Ruijie#show interfaces g0/23 transceiver

Transceiver Type    :  1000BASE-LX-SFP  

Connector Type      :  LC                          

Wavelength(nm)      :  1310                     

Transfer Distance   :                                

    SMF fiber

        -- 10km                         

    50/125 um OM2 fiber

        -- 550m

    62.5/125 um OM1 fiber

        -- 550m

Digital Diagnostic Monitoring  : NO        ------>Thistransceiver doesn't support DDM . DDM provides you the light intensity ofreceiving and sending direction.

Vendor Serial Number           : LP201093226676  

 

3. This example shows how to display thelight intensity of a 10G transceiver which supports DDM

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiverdiagnosis

Current diagnostic parameters[AP:Average Power]:

Temp(Celsius)   Voltage(V)      Bias(mA)            RXpower(dBm)       TX power(dBm)

26(OK)          3.26(OK)        5.22(OK)           -3.65(OK)[AP]       -2.09(OK)

 

4. This example shows how to display thetransceiver alarm

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiveralarm   ------> if the transceivers is plugged in , but the portdoesn't come up , system returns the following warning message

RX power low

RX loss of signal

Module not ready

RX not ready

RX CDR loss of lock

 

Ruijie#show interfaces tenGigabitEthernet 1/25 transceiveralarm  ------>if the transceivers is plugged in and the port comesup , system returens no warning message

 

Ruijie transceivers specification

1. MINI-GBIC transceiver

 

MINI-GBIC cabling specification

 

2. 10G  XFP

 

3. 10G SFP+

 

2.4.4 Access orTrunk Port

NoteBydefault , trunk port carries traffic for all vlans that is created , and westrongly recommend you to prune every trunk port to allow only the traffic ofuseful vlan pass through in case that unknown unicast ,broadcast and multicastpackets floods through the overall network ,leading to a heavier CPU burden anduseless consumption of system resource.

 

I. ConfigurationSteps

1.  Configuring access port

The following example shows how to configureinterface F0/1 as an access port and assign interface F0/1 to VLAN 100

Ruijie>en

Ruijie#conf t

Ruijie(config)#interface fastEthernet 0/1

Ruijie(config-if)#switchport mode access

Ruijie(config-if)#switchport access vlan 100

Ruijie(config-if)#end

Ruijie#wr

 

NoteBydefault, all ports are access mode and belongs to VLAN 1

Enter "show vlan" privilege EXECcommand to verify that interface F0/1 belongs to VLAN 100

Ruijie# show vlan

VLAN Name                             Status    Ports    

---- -------------------------------- --------- -----------------------------------

   1 VLAN0001                         STATIC   Fa0/3, Fa0/4,Fa0/5           

                                                Fa0/6, Fa0/7,Fa0/8, Fa0/9           

                                                Fa0/10,Fa0/11, Fa0/12, Fa0/13       

                                                Fa0/14,Fa0/15, Fa0/16, Fa0/17       

                                                Fa0/18,Fa0/19, Fa0/20, Fa0/21       

                                                Fa0/22,Fa0/23, Fa0/24, Fa0/25       

                                                Fa0/26,Fa0/27, Fa0/28, Fa0/29       

                                                Fa0/30,Fa0/31, Fa0/32, Fa0/33       

                                                Fa0/34,Fa0/35, Fa0/36, Fa0/37       

                                                Fa0/38,Fa0/39, Fa0/40, Fa0/41       

                                                Fa0/42,Fa0/43, Fa0/44, Fa0/45       

                                                Fa0/46,Fa0/47, Fa0/48, Gi0/49       

                                               Gi0/50                               

 100 VLAN0100                       STATIC    Fa0/1,Fa0/2

 

2.  Configuring trunk port

The following example shows how to configure interfaceG0/49 as a trunk port

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/49

Ruijie(config-if)#switchport mode trunk

Ruijie(config-if)#end

 

 In the following example, "show interfacetrunk" privilege EXEC command is used to verify all trunk port status

Ruijie# show interfaces trunk

Interface                      Mode   Native VLAN VLAN lists

------------------------ ------ ----------- ----------

FastEthernet 0/48            Off    1           ALL

GigabitEthernet 0/49     On     1           ALL     

GigabitEthernet 0/50       Off    1           ALL

 

3. Pruning a Trunk port (Mandatory)

This example shows how to prune a trunk port to carrytraffic only for vlan 5, 10 and 20-30

Ruijie#configure terminal

Ruijie(config)#interface gigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet 0/1)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 0/1)#switchport trunkallowed vlan remove 1-4,6-9,11-19,31-4094  

Ruijie(config-if-GigabitEthernet 0/1)#end

Ruijie#wr

 

2.4.5 Storm Control

Overview

1. We suggest you to apply storm-control on edge porton access switch and Don't apply storm-control on uplink port.

2. If access switch doesn't support storm-control , wesuggest you to apply storm-control on distribution switch.

3. The limitation of 100 pps to 300 pps for unknownunicast/broadcast/multicast packets is proper.

 

I. ConfigurationSteps

To configure storm control on a port with keywordlevel, perform this task:

Ruijie>enable

Ruijie#configure termina

Ruijie(config)#interface gigabitEthernet 0/1  

Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcastlevel 1    ------>storm-control limits the number of broadcast packetsto 1% of the bandwidth that is 1G*1%=10M

Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicast level1         ------>storm-control limites the number of unknown unicastpackets to 1% of the bandwidth that is 1G*1% =10M

Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicastlevel 1    

 

To configure storm control on a port with keyword pps, performthis task:

Ruijie>enable

Ruijie#configure termina

Ruijie(config)#interface gigabitEthernet 0/1  

Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcastpps 200    ------>storm-control limits the number of broadcast packetsto 200 packets per seconds

Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicastpps 200      ------>storm-control limits the number of unknown unicastpackets to 200 packets per seconds

Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicast200

Ruijie(config-if-GigabitEthernet 0/1)#end

 

II. Verification

Ruijie#show storm-control

Interface                 Broadcast Control Multicast ControlUnicast Control Action

------------------------- ----------------- -------------------------------- --------

      GigabitEthernet 0/1           1     %           1    %         1     %     none

      GigabitEthernet 0/2          Disabled         Disabled        Disabled     none

      GigabitEthernet 0/3          Disabled         Disabled        Disabled     none

 

2.5       SNMP

2.5.1      SNMPV1/V2

Overview

SNMPAs theabbreviation of Simple Network Management Protocol, SNMP has been a networkmanagement standard (RFC1157) since the August, 1988. So far, the SNMP becomesthe actual network management standard for the support from many manufacturers.It is applicable to the situation of interconnecting multiple systems fromdifferent manufacturers. Administrators can use the SNMP protocol to queryinformation, configure network, locate failure and plan capacity for the nodeson the network. Network supervision and administration are the basic functionof the SNMP protocol.

SNMP versions:

SNMPv1 The first formal versionof the Simple Network Management Protocol, which is defined in RFC1157

SNMPv2C Community-basedAdministrative Framework for SNMPv2, an experimental Internet protocol definedin RFC1901.

SNMPv3 Offers the followingsecurity features by authenticating and encrypting packets:

1. Ensure that the data are not tampered duringtransmission

2. Ensure that the data come from a valid data source

3. Encrypt packets to ensure the data confidentiality

 

Both the SNMPv1 and SNMPv2C use acommunity-based security framework. They restrict administrator’s operations onthe MIB by defining the host IP addresses and community string. With the GetBulk retrieval mechanism, SNMPv2C sends more detailed error information type tothe management station. Get Bulk allows you to obtain all the information or agreat volume of data from the table at a time, and thus reducing the times ofrequest and response. Moreover, SNMPv2C improves the capability of handingerrors, including expanding error codes to distinguish different kinds oferrors, which are represented by one error code in SNMPv1. Now, error types canbe distinguished by error codes. Since there may be the management workstationssupporting SNMPv1 and SNMPv2C in a network, the SNMP agent must be able torecognize both SNMPv1 and SNMPv2C messages, and return the correspondingversion of messages.

 

I. Requirements

1. Only SNMP network manager(IP:192.168.1.2/24) can access switch SNMP service with community string"ruijie"

2. SNMP agent on switch sends SNMP trap toSNMP manager actively

3. SNMP manager can get basic information ofswitch ---location, contact method and chassis id

 

II. Network Topology

 

III. Configuration Tips

1. Set Read-Only community string andRead-Write community string on switch independently

2. Define ACL to allow authorized SNMPmanager to access SNMP agent of switch only

3. Enable SNMP trap

4. Configure SNMP manager

 

IV. ConfigurationSteps

1.      Define an access-list named "abc"and an entry to permit IP address of SNMP manager

Ruijie(config)#ip access-list standard abc

Ruijie(config-std-nacl)#permit host 192.168.1.2 

Ruijie(config-std-nacl)#exit

 

2.      Set read-write community string to"ruijie" and read-only community string to "public" , thenassociate both community strings with ACL to allow only the SNMP manager toaccess SNMP agent  of switchonly

Ruijie(config)#snmp-server community ruijie rw abc

Ruijie(config)#snmp-server community public ro abc   

 

3.      SNMP agent  on switch actively sends trap to SNMP network manager

Ruijie(config)#snmp-server host 192.168.1.2 traps ruijie         ------>bydefault , SNMP trap version is version 1

Ruijie(config)#snmp-server host 1.1.1.1 version 2c ruijie        ------>setSNMP trap version to version 2c

 

4.      Enable trap feature

Ruijie(config)#snmp-server enable traps 

 

5.      Set SNMP optional parameters

Set location

Ruijie(config)#snmp-server location fuzhou

 

 Set contact method

Ruijie(config)#snmp-server contact ruijie.com.cn

 

 Set chassis-id

Ruijie(config)#snmp-server chassis-id 1234567890

 

6.      Assign a management IP address to SVI 1

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

 

7.      Save configuration

Ruijie(config-if-VLAN 1)#end

Ruijie#wr

 

V. Verification

1. This example shows how to verify SNMPagent status

 

Following example provides how to disableSNMP agent if snmp agent issue leads to heavy load of CPU :

Ruijie(config)#no enable service snmp-agent

 

2. This examples shows how to display SNMPhost information

 

3. This example shows how to access the SNMPagent in a SNMP manager using "Mib-Browser"

 

4. Other SNMP manager except for 192.168.1.2cannot access SNMP agent at the same time.

2.5.2      SNMPV3

I. Requirements

1) The SNMP manager can access the SNMP agent on switch byapplying user-based security model. The user name is "admin",authentication mode is MD5, authentication key is "ruijie",encryption algorithm is DES56, and the encryption key is "123"

2) User "admin" can read the MIB objects underSystem (1.3.6.1.2.1.1) node, and can only write MIB objects under SysContact(1.3.6.1.2.1.1.4.0) node.

3) The switch can actively send authentication andencryption messages to the SNMP manager  

 

II. Network Topology

 

III. Configuration Tips

1. Create MIB view and specify the includedor excluded MIB objects.  

2. Create SNMP group and set the version to"v3"; specify the security level of this group, and configure theread-write permission of the view corresponding to this group. 

3. Create user name and associate thecorresponding SNMP group name in order to further configure the user'spermission to access MIB objects; meanwhile, configure the version number to"v3" and the corresponding authentication mode, authentication key,encryption algorithm and encryption key.  

4. Configure the address of SNMP manager,configure the version "3" and configure the security level to beadopted.  

 

IV. Configuration Steps

Configuring switch

Ruijie#configure terminal

Ruijie(config)#snmp-server view view1 1.3.6.1.2.1.1include                        ------> Create a MIB view of"view1" and include the MIB object of 1.3.6.1.2.1.1

Ruijie(config)#snmp-server view view2 1.3.6.1.2.1.1.4.0include                   ------> Create a MIB view of "view2" and includethe MIB object of 1.3.6.1.2.1.1.4.0

Ruijie(config)#snmp-server group group1 v3 priv read view1write view2    ------>Create a group named "g1" ,using SNMPv3 ;configure security level to "priv" ,and can read "view1" and write "view2"

Ruijie(config)#snmp-server user admin group1 v3 auth md5ruijie priv des56 ruijie123    ------>Create a user named"admin", which belongs to group "group1"; using SNMPv3 andauthentication mode is "md5", authentication key is"ruijie", encryption mode is "DES56" and encryption key is"123".

Ruijie(config)#snmp-server host 192.168.1.2 traps version 3priv admin      ------>Configure the SNMP server address as 192.168.1.2 ,using SNMPv3,then configure security level to "priv" and associatethe corresponding user name of "admin"

Ruijie(config)#snmp-server enabletraps                                                       ------>Enablethe Agent to actively send traps to NMS

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0

Ruijie(config-if-VLAN 1)#end

 

Set SNMP optional parameters

Ruijie(config)#snmp-server location fuzhou

Ruijie(config)#snmp-server contact ruijie.com.cn         

Ruijie(config)#snmp-server chassis-id 1234567890 

Note Ifyou don't create a new SNMP view, Ruijie switch uses the default SNMP viewnamed "default" ,including MIB object of 1

 

Minimun SNMPv3 configuration example:

snmp-server group group1 v3 priv read default writedefault   

snmp-server user admin group1 v3 auth md5 ruijie priv des56ruijie123   

snmp-server host 192.168.1.2 traps version 3 priv admin    

snmp-server enable traps   

 

V. Verification

1. This example shows how to verify SNMPagent status

 

Following example provides how to disableSNMP agent if snmp agent issue leads to heavy load of CPU :

Ruijie(config)#no enable service snmp-agent

 

2. Following examples show how to displaysnmp view, snmp group and snmp user individually

 

 

 

2.6       SPAN

2.6.1      Many to one mirror

Overview

With SPAN, you can analyze thecommunications between ports by copying a frame from one port to another portconnected with a network analysis device or RMON analyzer. The SPAN mirrors allthe packets sent/received at a port to a physical port for analysis.SPAN doesnot affect the exchange of packets between the source and destination ports.Instead, it copies the frames incoming/outgoing the source port to thedestination port. However, the frames may be discarded on an overfloweddestination port, for example, when a 100Mbps port monitors an 1000Mbps port.

 

I. Requirements

Core switch copies traffic of G0/1 and G0/2on both directions to Monitor Server and Monitor Server can also visit Internetat the same time

 

II. Network Topology

 

III. Configuration Tips

Enter "monitor session" globalconfiguration command with "switch" keyword to allow mirrordestination port to forward additional traffic more than mirroring traffic

 

IV. ConfigurationSteps

Ruijie>enable                                     

Ruijie#configure terminal

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 0/1 both      ------>define G0/1 as source port inmonitor session , and both traffic directions are monitored. If you want tomonitor income or outcome traffic only , you can use keyword rx or tx insteadof both , such as "monitor session 1 source interface gigabitEthernet 0/1rx"

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 0/2 both    

Ruijie(config)#monitor session 1 destination interfacegigabitEthernet 0/24 switch  

Ruijie(config)#end

Ruijie#wr

 

V. Verification

1. This example shows how to verify status ofmonitor session

 

2. This examples verifies that the MonitorServer can visit Internet while monitoring

2.6.2      One to Many Mirror

NoteOnly S8600E and N18000 seriesswitch support one to many (or many to many) SPAN so far.

Tips: For those switches that do not supportone to many SPAN, you can apply another fallback method as below:

1. Configure the ordinary many to one SPAN

2. Connect a HUB to the mirror destinationport, so packets floods through the HUB

3. Connect your Monitor Server to the HUB.

HUB can also be a default setting switch.You must assign ports to the remote-vlan and disable the mac-learning feature(enter "no mac-address-learning" config-interface command) andstorm-control feature.

 

I. Requirements

Core switch copies traffic of G4/1 and G4/2on both directions to Monitor Server 1 connected to port G4/21 and  MonitorServer 2 connected to port G4/22

 

II. Network Topology

 

III. Configuration Tips

1) Create VLAN 100 as remote-vlan on switch

2) Define G4/1 and G4/2 as source port inmonitor session, and both traffic directions are monitored

3) Create a mac-loopback port, assign thismac-loopback port to Remote vlan and define it as destination port in monitorsession

4) Assign ports G4/21 and G4/22 to Remotevlan 100

 

Note

1) Utilize an unused port as mac-loopbackport .You cannot connect cable to this port, even so switch puts link status ofmac-loopback port to up status and port LED is green

2) Don't configure any other commands to themac-loopback port and Don't specify  "switch"keyword when configuring monitor session (monitor session 1 destination remotevlan 100 interface gigabitEthernet 4/23  no switch keyword)

 

IV. ConfigurationSteps

1. Create VLAN 100 as remote-vlan on switch

Ruijie#configure terminal

Ruijie(config)#vlan 100   ------> VLan 100 mustbe dedicated for mirroring

Ruijie(config-vlan)#remote-span 

Ruijie(config-vlan)#exit

 

2. Define G4/1 and G4/2 as source port inmonitor session, and both traffic directions are monitored

Ruijie(config)#monitor session 1 remote-source

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 4/1 both

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 4/2 both

 

3. Configure G4/23 as mac-loopback port,assign this mac-loopback port to Remote vlan and define it as destination portin monitor session

Ruijie(config)#interface gigabitEthernet 4/23

Ruijie(config-if-GigabitEthernet 4/23)#switchport access vlan100

Ruijie(config-if-GigabitEthernet 4/23)#mac-loopback         ------>Don'tconfigure any other commands or connect cable to this port

Ruijie(config-if-GigabitEthernet 4/23)#end

Ruijie(config)#monitor session 1 destination remote vlan 100interface gigabitEthernet 4/23 switch

Ruijie# clear mac-address-table dynamic interfacegigabitEthernet 4/23    ------> clear mac-address-table of this port when finishconfiguring

 

4. Assign ports G4/21 and G4/22 to Remotevlan 100

Ruijie(config)#interface range gigabitEthernet 4/21-22

Ruijie(config-if-range)#switchport access vlan 100

Ruijie(config-if-range)#end

Ruijie#wr

 

V. Verification

1. This example shows how to verify statusof monitor session

 

 

2. This example shows how to displayconfiguration of port G4/23

 

VI. Script

conft

vlan100

remote-span 

exit

monitorsession 1 remote-source

monitorsession 1 source interface gigabitEthernet 4/1 both

monitorsession 1 source interface gigabitEthernet 4/2 both

monitorsession 1 destination remote vlan 100 interface gigabitEthernet 4/23 switch

interfacegigabitEthernet 4/23

switchportaccess vlan 100

mac-loopback

interfacerange gigabitEthernet 4/21-22

switchportaccess vlan 100

 

2.6.3     Flow-Based Mirroring

Scenario

Flow-based mirroring: During network troubleshooting, when the traffic on the port ishigh, a common mirroring analysis solution may lead to analysis failure due tolimited PC performance, and it would be difficult for the system to capturerequired traffic packets (for example, a traffic packet of a certain MACaddress, or a traffic packet originated by a designated IP address and destinedfor another designated IP address). In this case, you can use the flow-basedmirroring analysis function. If the traffic on the port is too high for themonitoring server or log auditing server deployed on the network to carry outall the data analysis tasks, you can choose to capture specified trafficpackets only.

Function Overview

Port mirroring: You can use the switched port analyzer (SPAN) to replicate packetson a specified port to the port that connects a network surveillance device onthe switch for network monitoring and traffic analysis. You can monitor packetsflow in and out of a source port through SPAN for fast and packet replication.

The SPAN does not change packet informationor affect packet transmission. In addition, the SPAN does not have requirementon the media type for the source and destination ports. Port mirroring can beoptical ports to electrical ports or electrical ports to optical ports. TheSPAN has no requirement on the property of the source and destination ports. Itsupports mirroring from an access port to a trunk port or a trunk port to anaccess port.

Flow-based mirroring: You can define the desired types of traffic packets (for example,PPPOE packets, IP packets on a specified network segment, and HTTP packets onTCP 80) using the ACL. Ruijie switches provide rich ACL functions, and supporttraffic packet matching by L2 frame types, MAC addresses, IP addresses, TCP/UDPports, and ACL80 (the first 80 bytes of a packet). The SPAN captures trafficpackets on the source port according to the defined ACL, and mirrors thetraffic packets to the destination port. Traffic packets not matching thedefined ACL are not mirrored.

Note: The switch supportsflow-based mirroring in the RX direction (inbound on the port) only. Monitoringon the TX (outbound on the port) direction or bi-direction are not supported.

I. Networking Requirements

1. The monitoring server monitors trafficconsumption on the core server by users on the 192.168.10.0/24 network segment.

2. The monitoring server monitors the trafficfrom the core server to the access server.

II. Network Topology

III. Configuration Tips

1. On the core server, configure the ACL toallow users on the network segment 192.168.10.0/24.

2. On the core server, configure the portmirroring function. Set the g1/1 port that connects the access server as thesource port of port mirroring and enable the ACL association.

3. Set the port connecting the monitoringserver (port g1/24) as the destination port of port mirroring.

IV. Configuration Steps

Configure the core server.

Ruijie#configure terminal

Ruijie(config)#ip access-list extended ruijie          ------>CreateACL, named as ruijie

Ruijie(config-ext-nacl)#permit ip  192.168.10.0 0.0.0.255 any

Ruijie(config-ext-nacl)#exit

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 1/1 tx

Ruijie(config)#monitor session 1 source interfacegigabitEthernet 1/1 rx acl ruijie   ------> Set the g1/1 port thatconnects the access server as the source port of port mirroring and enable theACL association.

Ruijie(config)#monitor session 1 destination interfacegigabitEthernet 1/24  switch         ------> Set the port connectingthe monitoring server (port g1/24) as the destination port of port mirroringand enable switching on the mirroring destination port.

Ruijie(config)#end

Ruijie#wr

 

V. Verification

1. Check the port mirroring state.

Ruijie(config)#show monitor

sess-num: 1

span-type: LOCAL_SPAN

src-intf:

GigabitEthernet 1/1         frame-type Both

rx acl id 2900

acl name ruijie

dest-intf:

GigabitEthernet 1/24

mtp_switch on               ------> Allow mirroring portforwarding data stream

 

2. Check the ACL.

3.Capture

2.7       Featured commands

1.     switchport trunkallowed vlan only x-x

 

Previously in 10.xversion, all vlans are able to pass through trunk port by default. Engineershave to remove all vlans first, then permit vlan one by one.

By command"switchport trunk allowed vlan only x-x", only allowed vlans are ableto pass through trunk port, you don't need to remove all vlan anymore.

 

For example:

 

Ruijie(config-if-GigabitEthernet1/1)#show this

Buildingconfiguration...

switchportmode trunk

switchporttrunk allowed vlan only 1-2

end

 

 

2.     show this

 

Previously in 10.xversion, engineers have to execute commands "show run " or "showrun | include xxx" to check configurations.By command "showthis", you can display configurations under current mode directly:

 

For example :

 

Ruijie(config)#intmgmt 0

 

Ruijie(config-if-Mgmt0)#show this

 

Buildingconfiguration...

 

!

 

ipaddress 172.18.10.62 255.255.255.0

 

gateway172.18.10.1

 

3.     show upgradehistory

 

Previously in 10.xversion, engineers have to rename firmware as "rgos.bin" beforeupgrading. In addition, there is no historical upgrade records.

Currently, you cangive any name to firmware for convenient management purpose and system mightrecord historical upgrade.

 

For example:

 

Ruijie#showupgrade history

 

LastUpgrade Information:

 

  Time:         2015-04-20 03:02:05

 

  Method:       LCOAL

 

  Package Name: N18000_RGOS11.0(2)B1_CM_install.bin

 

  Package Type: Distribution

 

4.     debug sysloglimit

 

Previously in 10.xversion, at worst, massive system logs printing might crash device after debugis enable.

By command"debug syslog limit time seconds numbers numbers ", system logs printingis limited,

 

For example:

Ruijie#debugsyslog limit ?

 numbers Syslog limited by numbers

 reset   Syslog reset limit statistics

 time    Syslog limited by time

 

 

5.     one keycollection

 

Previously in 10.xversion, usually engineers have to collect information multiple times whiletrouble shooting which might miss the best opportunity.

By one keycollection, system collects all relevant information in one time.

 

 

For example :

 

Ruijie#debugsupport

Ruijie(support)#tech-support?      

 console Tech-support information to terminal

 package Tech-support information to package

 

2.8       Typical Feature

2.8.1      VSU

Overview

VSU expands the Port Numbers

As figure shown below, when port number on aswitch runs out, you can add one more switch to the VSU to expand port numbers

 

 

VSU expands Forwarding Capacity

As figure shown below, you can add one moreswitch to the VSU to expand the global forwarding capacity. For example,forwarding capacity of one switch is 128M pps, and the global forwardingcapacity expands up to 256 M pps when two switches join in a VSU.

VSU expands Uplink Bandwidth

As figure shown below , you can add one moreswitch to VSU to expand uplink bandwidth to the core switch with the minimumimpact for network topology and configuration. 

 

VSU simplifies the Network Topology

As the first figure shown below, this is acommon scenario consisted of MSTP and VRRP features to ensure high available,and redundant ports are blocked to prevent loops.

As the second figure shown below, VSUreduces the complexity of network and enhance the utilization ratio of networkresources. All ports are occupied in the same time.

Note:

In thetraditional network, in order to strengthen network reliability, the core layeror distribution layer will generally configure two devices into the dual-coresystem to allow redundant standby, with neighboring devices connecting twolinks to reach the dual-core redundant system. Such typical traditional networkarchitecture is shown in the following figure. The redundant networkarchitecture increases the complexity of network design and operations, whilethe enormous standby links also reduce the utilization ratio of networkresources and decrease the rate of return on investment.

VSU (VirtualSwitching Unit) is a common network virtualization technology combining twoswitches into a single virtual switch, thus reducing the complexity of networkand enhancing the utilization ratio of network resources. 

 

Role of Chassis

Each switch in aVSU are called VSU member and there're three VSU roles for VSU member based ondifferent features:

1) ActiveThe active chassis controls the entire VSU system

2) Standby The standby chassis take charge of the control if themain chassis fails

 

VSU Domain ID

VSU Domain IDranges from 1 to 255, and the default value is 100. Only VSU members with thesame Domain ID can establish a VSU.

 

VSU Chassis ID

The value ofChassis id can be 1 or 2.The default value is 1.

In standalonemode, port number takes 2-dimension format (for example, GigabitEthernet 2/3) ;In VSU mode , port number takes 3-dimension format (for example ,GigabitEthernet 1/2/3). 

The firstnumber(GigabitEthernet1/2/3) indicatesthe chassis ID and the last two numbers (GigabitEthernet1/2/3)indicate the slot number and port number. So chassis ID of each VSU member mustbe different.

In addition, iftwo VSU chassises have the same chassis ID, VSU system recalculates a newchassis ID for them.

 

VSU Chassis Priority

The value ofchassis priority ranges from 1 to 255, and the default value is 100. A higherpriority indicates a higher priority to become the active chassis. 

In addition,chassis priority consists of configuring priority and running priority. Runningpriority doesn't change when administrator changes the configuring prioritywhen VSU is running .Running priority changes when administrator savesconfiguration and reloads the VSU.

 

VSL

Since two chassisjointly forms a network entity in VSU system, they need to share controlinformation and partial data streams. VSL (Virtual switching link) is a speciallink between two chassis for transmitting control information and data streams

The VSL acts asan aggregation port. Its member port count is unlimited, and these member portscan reside on line cards in different slots. For the VSLtransferred traffic,load balancing is performed among these member ports according to the trafficbalancing algorithm. 

Currently, 10-GBor 40-GB ports can become member ports of the VSL, while 1-GB ports cannot.Besides, a line card can hold physical member ports of the VSL as well ascommon data service ports. 

 

VSL Interruption

As figure shownbelow, VSL Interruption occurs when the VSL fails and both VSU membersdisconnect

 

VSU Combination

As figure shownbelow, VSU Combination occurs when both VSU members with the same Domain IDestablish a VSU 

 

Swtich Working Mode

Switch workingmode includes: standalone mode and VSU mode, and the default mode is standalonemode

 

VSU VSL Connection medium

Different switchvaries.

For example, youcan only configure VSL on S8600E series switches on 10G/40G optical ports.

 

VSL Detection

VSL detectionstarts to detect peer chassis once VSU members boot and after VSL links comeup, Topology Discovery begins.

 

Topology Discovery

VSU membersacquire global VSU network topology by flooding VSU hello packets through VSL.VSU Hello packets carry topology information including chassis ID, priority,MAC, VSL port etc.

VSU Role Electionstarts when Topology Discovery completes.

 

VSU Role Election

The activechassis election mechanism operates as below:

Current hostfirst

The higherpriority first

The lower MACaddress first

The slave chassiselection mechanism is as follows:

The nearest tomain first

The higherpriority first

The lower MACaddress first

After finishingelection, active chassis floods Convergence packets to the overall VSU, thenVSU establishment completes.

 

Dual ActiveDetection

    When VSL is disconnected, the slavechassis will be switched to main chassis. If the former main chassis is stillrunning, then the existing two chassis will both become the main chassis. Sincethe configurations are completely same, a series of problems such IP addressconflict will arise in the LAN. VSU must detect dual main chassis and takerestoration measures.

 As shown in the figure above, whendeploying the VSU system, you need to configure an independent physical linkbetween chassis in addition to the VSL. The physical link is sued to transferdual-main-chassis packets when the VSL is disconnected. It is calleddual-main-chassis detection link. Ports connecting this link can be used totransfer only dual-main-chassis detection packets. You can run a CLI command tospecify certain ports as the dual-main-chassis detection ports. 

    After dual main chassis are detected,generally, one chassis enters the recovery mode to avoid network abnormity. TheVSU system supports the Bidirectional Forwarding Detection (BFD) and AP-baseddetection.

1) BFD basedDetectionA port of BFD for dual main chassis must bea L3 physical port. Ports of other modes will not do. When you transform theport of BFD for dual main chassis from a L3 port into a port of other modes,the detection is automatically cleared and a prompt is displayed. Here, theextended BFD is used. That is, existing BFD configuration and display commandscannot be used to configure dual-main-chassis detection ports. 

2) AP basedDetectionThe AP-based mechanism of detecting dualmain chassis is similar as that based on BFD. When the VSL is disconnected andtwo main chassis occur, the two main chassis send private protocol packets toeach other for detecting dual main chassis. The difference from BFD baseddetection is AP-based Detection configures on the AP links between VSU and onerelay equipment as figure shown below, and this relay equipment shall supportforward private detection packets.

Recovery mode

    When the main chassis is in the recoverymode, all services ports except the following ports must be disabled: 

    VSL port: when the main chassis in therecovery mode detects that the VSL is UP again, the chassis resets itself, andjoins the VSU system in the hot standby mode, becoming the new slave chassis. 

    MGMT port: You can use this port toperform remote management no matter the main chassis is in the recovery mode ornot. 

    Exception port: You can specify certainports as exception ports, which will not be disabled when the main chassisenters the recovery mode. Exception port: You can specify certain ports asexception ports, which will not be disabled when the main chassis enters therecovery mode. To configure exception ports, run the dual-active excludeinterface interface-name command. 

    In the dual-main-chassis mode or when amain chassis enters the recovery mode, the simplest recovery

Solution is to reconnect the VSL. If VSL isnot reconnected, but the main chassis in the recovery mode is manuallyrestarted, the system enters dual-main-chassis state again when after therestart succeeds. 

 

2.8.1.1         Configuringbasic VSU

1.      Configuring active and standby VSU members

Active switch

Switch1#configure terminal

Enterconfiguration commands, one per line. End with CNTL/Z.

Switch1(config)#switch virtual domain 1

Switch1(config-vs-domain)#switch 1

Switch1(config-vs-domain)#switch 1 priority 200    ------>Priority is 100 by default , switch with the higherpriority becomes the active chassis

Switch1(config-vs-domain)#exit

Switch1(config)#vsl-aggregateport 1         ------>VSL is the heartbeat and traffic channel between 2 VSUmembers. You must configure at least 2 pair of VSL

Switch1(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/1           

Switch1(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/2

Switch1(config-vsl-ap-1)#exit

 

Standby switch

Switch2#configure terminal

Enterconfiguration commands, one per line. End with CNTL/Z.

Switch2(config)#switch virtual domain 1  ------>domain ID must be the same to that of active chassis

Switch2(config-vs-domain)#switch 2     ------>switch ID must be different from that of activechassis

Switch2(config-vs-domain)#switch 2 priority 150

Switch2(config-vs-domain)#exit

Switch2(config)#vsl-aggregateport 1  

Switch2(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/1      

Switch2(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/2

Switch2(config-vsl-ap-1)#exit

 

2. Connect VSL cable and confirm that linkscome up

3. Save configuration and convert both VSUmembers to virtual mode at the same time

Active switch

Switch1#wr

Switch1#switch convert mode virtual         ------>convert switch working mode fromstandalone mode to virtual mode

Areyou sure to convert switch to virtual mode[yes/no]yes

Doyou want to recovery“config.text”from“virtual_switch.text”[yes/no]no  

 

Standby switch

Switch2#wr

Switch2# switch convertmode virtual 

Areyou sure to convert switch to virtual mode[yes/no]yes

Doyou want to recovery“config.text”from“virtual_switch.text”[yes/no]no

 

Both VSU members reloads automatically

 

Attention: Be patient and it costsabout 10 minutes to finish building VSU.

System prints logs continuouslyduring next 10 minutes as below if VSL links failed or peer switch doesn'treload yet:

*Aug 6 13:17:17:%VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment

*Aug 6 13:18:17:%VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment.

 

4. Verification

1. When VSUcompletes, you can manage VSU on active chassis.

2. You canidentify the active switch by viewing the Primary LED on the front main boardwhich is solid green

3. When VSUcompletes, you can no longer manage VSU on standby chassis through console portby default.

Ruijie#show switch virtual  

Switch_id     Domain_id       Priority         Position        Status     Role

--------------------- ---------- ---------- -------- ---------

1(1)       1(1)              200(200)     LOCAL     OK        ACTIVE------>active

2(2)                   1(1)             150(150)      REMOTE    OK           STANDBY------>standby

 

Ruijie#shversion slot

DevSlot  Configured Module Online Module  User Status   Software Status --- ---- -----------------   -----  --------------

11     none           none

12 M8606-24SFP/12GT M8606-24SFP/12GT installed none

13 M8606-2XFP M8606-2XFP uninstalled  cannot startup

14 M8606-24GT/12SFP M8606-24GT/12SFP installed ok

1M1 M8606-CM   M8606-CM                 master

1  M2

 

2.8.1.2     Configuring VSU optimization

Overview

1.      When VSL is disconnected, the standbychassis will be switched to active chassis. If the former active chassis isstill running, then the existing two chassis will both become the activechassis. Since the configurations are completely same, a series of problemssuch IP address conflict will arise in the LAN. VSU must detect dual-active chassisand take restoration measures.

        

2.      After enable dual-active detection , systemdetects dual-active via control packets between BFD dedicated link and puts onechassis which has lower priority into recovery mode ,all port ,except for VSLport, MGMT port and exception port that administrator specifies (reserved fortelnet), are mandatory shutdown

 

When dual-active occurs, dual-active detection ensuresthe stability and high availability of your network. (youmust use redundant connection to connect other switches to VSU . In addition,you must connect one link to the active chassis, the other to standby chassis)

 

I. ConfigurationSteps

1. Configuring Dual-active Detections

Ruijie(config)#interface gi2/4/2

Ruijie(config-if)#no switchport ------>BFD detection must be applid on a Layer 3 port

Ruijie(config-if)#exit

Ruijie(config)#interface gi1/4/2

Ruijie(config-if)#no switchport 

Ruijie(config-if)# exit

 

Ruijie(config)# switch virtual domain 1

Ruijie(config-vs-domain)#dual-active detection bfd ------>enable BFD feature

Ruijie(config-vs-domain)#dual-active pair interface gi1/4/2 interface gi2/4/2    ------>configurea pair of BFD detection ports

Ruijie(config-vs-domain)#dual-active exclude interface  ten1/1/2   ------>configure theexception port

Ruijie(config-vs-domain)#dual-active exclude interface  ten2/1/2  

 

2.8.1.3     Configuring AP in VSU

Overview

Inter-chassis aggregate port (AP) groupincludes member ports of two VSU chassis. Inter-chassis AP can connect to alldevices (such as server, switch and router) supporting port aggregationfunction.

Inter-chassis AP allows load balancing ofinter-chassis data streams. For example, when data streams enter from mainchassis into VSU system, VSU will give preference to member ports located inthe main chassis. This feature guarantees that some unnecessary data streamsare not transmitted over VSL, thus reducing the load pressure of VSL.

The following figure shows the typicalapplication of AP in a VSU.

 

I. ConfigurationSteps

1. Configuring layer 3 AP on VSU:

Ruijie(config)#interfaceaggregateport 2

Ruijie(config-if-AggregatePort2)#no switchport

Ruijie(config-if-AggregatePort2)#description link-to-xxxx

Ruijie(config-if-AggregatePort2)#ip add 172.16.1.6 255.255.255.252

Ruijie(config-if-AggregatePort2)#exit

Ruijie(config)#interfaceten 1/3/1

Ruijie(config-if-TengabitEthernet1/3/1)#no switchport

Ruijie(config-if-TengabitEthernet1/3/1)#description linktoyyyy

Ruijie(config-if-TengabitEthernet1/3/1)#port-group 2

Ruijie(config-if-TengabitEthernet1/3/1)#exit

Ruijie(config)#interfaceten 2/3/1

Ruijie(config-if-TengabitEthernet2/3/1)#no switchport

Ruijie(config-if-TengabitEthernet2/3/1)#description link-to-yyyy

Ruijie(config-if-TengabitEthernet2/3/1)#port-group 2

Ruijie(config-if-TengabitEthernet2/3/1)#exit

 

2.      Configuring layer 2 AP on VSU:

Ruijie(config)#interfaceaggregateport 4

Ruijie(config-if-AggregatePort4)#switchport mode trunk

Ruijie(config-if-AggregatePort4)#switchport trunk allowed vlan remove xxxx ----->prune trunk portbased on requirement

Ruijie(config-if-AggregatePort4)#description linktoxxxx

Ruijie(config-if-AggregatePort4)#exit

Ruijie(config)#interfacegigabitEthernet 1/4/1

Ruijie(config-if-GigabitEthernet1/4/1)#port-group 4

Ruijie(config-if-GigabitEthernet1/4/1)#description link-to-yyyy

Ruijie(config-if-GigabitEthernet1/4/1)#exit

Ruijie(config)#interfacegigabitEthernet 2/4/1

Ruijie(config-if-GigabitEthernet2/4/1)#port-group 4

Ruijie(config-if-GigabitEthernet2/4/1)#description link-to-yyyy

Ruijie(config-if-GigabitEthernet2/4/1)#exit

 

2.8.1.4     Verifying VSU

 

2.8.2     1X-Web Authentication

2.8.2.1     Secure Channel, Authentication-Free, andEmergency Channel

Features

Secure channel: Generally, after 1Xauthentication is deployed, data packets from unauthenticated user ports arediscarded. The secure channel allows users access designated websitesunauthenticated. It can be deployed to facilitate client distribution, backdoorreservation for leaders and terminals that do not support authentication (forexample, printers and all-purpose terminals).

Emergency channel: In an 1X authenticationscenario with only one Radius server, all users fail to access the Internetonce the Radius server fails, services will be seriously affected. In thatcase, authentication configuration must be cancelled on all the ports one byone to recover services. If an emergency channel is deployed, the switch allowsusers access the Internet without authentication when authentication failsmultiple times or the Radius server is considered dead.

I. NetworkingRequirements

1. The 1X function is enabled on the coreserver for resource access authentication on managed users.

2. Authenticated users can access allresources while unauthenticated users can access only certain Intranetresources.

3. Authentication-free access to intranetresources is enabled for some users (PC2).

4. When the active Radius server fails tofunction normally, user authentication is switched to the backup Radius server.When both active and standby Radius servers fail, managed users can accessresources without authentication (through an emergency channel).

II. Network Topology

III. ConfigurationTips

1. On the core server, enable AAA andconfigure the Radius server and key associated parameters.

2. On the Radius server, configure therelated parameters. (In this example, the SAM is used as the Radius server.)

3. Configure a professional ACL to implementserver access before user authentication.

4. The core switch, managed users, and theRadius server can be on different network segments, so long as the core switchcan properly communicate with the Radius server and the clients can reach thecontrolled ports on the core switch via the access switch.

5. Configure the parameters for thecommunication between the switch and the Radius server to deploy an emergencychannel.

 

IV. ConfigurationSteps

Configure the core server.

1.     Basic dot1x configuration

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#aaa new-model    ------>trun on aaaswitch

Ruijie(config)#radius-server host 192.168.33.244   ------>configureradius server

Ruijie(config)#radius-server host 192.168.33.245   ------>configurebackup radius server

Ruijie(config)#radius-server key ruijie      ------>configureradius key

Ruijie(config)#aaa authentication dot1x ruijie group radius none  ------> Define an IEEE802.1x authentication method list.

Ruijie(config)#aaa accounting network ruijie start-stop groupradius   ------> Define the AAA network accounting method list.

Ruijie(config)#aaa accounting update periodic 15   ------> Setthe account update function.

Ruijie(config)#dot1x authentication ruijie        ------>802.1X to select the authentication method list

Ruijie(config)#dot1x accounting ruijie            ------>802.1X to select the accounting method list

Ruijie(config)#interface gigabitEthernet 1/2

Ruijie(config-if-GigabitEthernet 1/2)#switchport mode trunk

Ruijie(config-if-GigabitEthernet 1/2)#dot1x port-controlauto       ------> Enable 802.1X authentication on the interface

Ruijie(config-if-GigabitEthernet 1/2)#ip add 192.168.33.161255.255.255.0    ------> configure switch ip address

Ruijie(config-if-GigabitEthernet 1/2)#end

Ruijie#write   ------> save configuration

 

2.     Enable the secure channel function

Ruijie(config)#expert access-list extended ruijie

Ruijie(config-exp-nacl)#permit arp any any any any any  ------>makethe ip and arp packets free authentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.61any ------> To allow access to the home page of the site beforeauthentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.62any ------> To allow access to the home page of the site beforeauthentication

Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.244any------> To allow access to the home page of the site before authentication

Ruijie(config-exp-nacl)#permit host 192.168.33.163 host001a.a9c4.062f any any------> This host implements authentication free

Ruijie(config-exp-nacl)#exit

Ruijie(config)#security global access-group ruijie

 

1x free authentication description

There are two ways to achieve user authentication: (1)configure the security channel to put the IP or MAC address; 2, configure thefree VLAN authentication will be the corresponding VLAN users free ofauthentication

Plan 1Configure security channelthere are three methods

 

Method 1permit host ip address

expert access-list extended no1x

10 permit arp any any  any any any

20  permit ip host 192.168.1.23 any anyany   ------->permithost ip address

security global access-group no1x

 

method 2permit host mac address

expert access-list extended no1x

10 permit arp any any  any any any

30 permit ip any host 0010.123c.513d any any   ------->permithots mac address

security global access-group no1x

 

method 3permit ip+mac

expert access-list extended no1x

10 permit arp any any  any any any

40  permit ip host 192.168.1.23 host 0010.123c.513d any any  ------->permitip and mac address

security global access-group no1x

 

Plan 2Configure direct-vlan

Configuration commanddirect-vlan 1-20// direct-vlan can take effect on both 1xauthentication and web authentication

 

 

Notes:

If the secure channel (inpriority over 1x authentication) is enabled, user ARP packets must be allowedto pass. In this way, users can communicate with the gateway. As the securechannel has higher priority, the anti ARP spoofing function will becomeinvalid.

Solution: Do not permit allARP packets. Permit only ARP packets destined for the gateway. In this way, ARPcheck is implemented and ARP spoofing among users are prevented. However, ARPspoofing is not completely prevented, because users can still spoof anotheruser on the gateway.

Ruijie(config)#expert access-list extended permit1x

Ruijie(config-exp-nacl)#permit ip any any host 192.168.1.254any           ------> To allow access to the home page of the site beforeauthentication

Ruijie(config-exp-nacl)#permit arp any any any any any   ------>Allow ARP message interaction between a user and a gateway

Ruijie(config)#security global access-group permit1x

Ruijie(config-exp-nacl)#permit arp any any any any host192.168.33.1 

 

3. You can change the time parameterbetween the switch and the Radius server to switch the authentication method.For example, the configuration "aaa authentication dot1x ruijie groupradius  none" indicates that authentication by the active Radius server isimplemented first, is switched to the backup Radius server if the active Radiusserver does not respond in a specified period, and is switched to noneauthentication mode if both the active and backup Radius servers fail torespond.

Ruijie(config)#radius-server timeout 2       ------>Specify the waiting time before the router resend request (2 s by default)

Ruijie(config)#radius-server retransmit 2   ------>Specify the times of sending requests before the router confirms Radius invalid(3 by default)

Ruijie(config)#radius-server dead-criteria time 6 tries 3     ------>definethe dead-criteria time and tries of the server

Ruijie(config)#radius-server deadtime 5     ------>Specify the waiting time before the server is considered dead in case of noresponse to the request sent by the device (5 minutes by default).

Ruijie(config)#dot1x timeout server-timeout 20  

 

dot1x timeout indicatesthe timeout period of 1x authentication. The parameter is independent from theRadius timeout period (radius timeout*). However, radius timeout*(retransmit+1) must be smaller than dot1x timeout server-timeout.Otherwise, the emergency channel does not take effect. In this example,2*(2+1)=6s, which is smaller than 20s, and therefore, the emergency channel iseffective.

 

V. Verification

1. Before authentication, users can accessthe resources inside the secure channel, but can not access the resourcesinside the non secure channel

The same can also be verified, the securitychannel is free to authenticate users of IP and MAC, the user can alsocommunicate properly.

 

2When the radius server hangs, the user can achieve escape function

image006

Check the user info.

 

3. open debug radius event, you can see theentire process of an escape function

Ruijie#debug radius event

Ruijie#*Mar 16 18:07:20: %7: [radius] aaa req authenticationto group radius

*Mar 16 18:07:20: %7:  __rds_add_attr  type = 24 len = 0

*Mar 16 18:07:20: %7: [radius] 16 send

*Mar 16 18:07:20: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:20: %7: calcu msg auth ok

*Mar 16 18:07:20: %7: [radius] radius access requests(12).   ------>sent access-request for the first time

*Mar 16 18:07:22: %7: [radius] user 16 retry

*Mar 16 18:07:22: %7: [radius] 16 send

*Mar 16 18:07:22: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:22: %7: calcu msg auth ok

*Mar 16 18:07:22: %7: [radius] radius access requestsretransmissions(18) timeout(18). ------>timeout for the first time after 2seconds

*Mar 16 18:07:24: %7: [radius] user 16 retry

*Mar 16 18:07:24: %7: [radius] 16 send

*Mar 16 18:07:24: %7: pkt len 676 code 1 id 16

*Mar 16 18:07:24: %7: calcu msg auth ok

*Mar 16 18:07:24: %7: [radius] radius access requestsretransmissions(19) timeout(19).   ------> timeout for the second time after4 seconds

*Mar 16 18:07:26: %7: [radius] user 16 retry

*Mar 16 18:07:26: %7: [rds_user] rds delete user, state 2,atype 0

*Mar 16 18:07:26: %7: [rds_user] rds free user id 7, pkid16   ------> timeout for the third time after 6 seconds

*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x'for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.

*Mar 16 18:07:26: %7: [radius] aaa req accounting to groupradius

*Mar 16 18:07:26: %7: [accounting] acct len 116

*Mar 16 18:07:26: %7:  __rds_add_attr  type = 25 len = 0

*Mar 16 18:07:26: %7: [radius] 17 send

*Mar 16 18:07:26: %7: [radius] radius acc requests(5) andpending(3).

*Mar 16 18:07:28: %7: [radius] user 17 retry

*Mar 16 18:07:28: %7: [radius] 17 send

*Mar 16 18:07:28: %7: [radius] radius acc retransmissions(5)timeout(5).

*Mar 16 18:07:30: %7: [radius] user 17 retry

*Mar 16 18:07:30: %7: [radius] 17 send

*Mar 16 18:07:30: %7: [radius] radius acc retransmissions(6)timeout(6).

*Mar 16 18:07:32: %7: [radius] user 17 retry

*Mar 16 18:07:32: %7: [rds_user] rds delete user, state 2,atype 2

*Mar 16 18:07:32: %7: [rds_user] rds free user id 7, pkid 17

 

2.8.3      MSTP+VRRP

2.8.3.1     MSTP+VRRP Overview

Two common deployment patterns ofMSTP+VRRP

1. MSTP with single instance:

As figure shown below, SW1 is the root bridge for MSTPinstance 0 to which all vlans are mapped and master VRRP gateway for all vlans.This deployment patterns of MSTP is almost the same to RSTP.

 

Merit Easier maintenance andimplementation

DemeritSW2 is the second root andbackup VRRP gateway which doesn't forward any traffic .It is a waste of networkresource.

 

2. MSTP with Multiple instances:

As figure shown below, SW1 is the root bridge for MSTPinstance 1 and secondary root for instance

2. SW2 is Root Bridge for MSTP instance 2 and secondaryroot for instance 1. MSTP instance 1 includes VLAN 10, 60 and 80 and instance 2includes VLAN 20, 30 and 70.

SW1 is the master VRRP gateway for VLAN 10, 60 and 80and the backup VRRP gateway for VLAN 20, 30 and 70. SW2 is the master VRRPgateway for VLAN 20, 30 and 70 and the backup gateway for VLAN 10, 60 and 80.

 

MeritFully occupy networkresource

DemeritMore complicatedconfiguration and maintenance than MSTP with single instance

 

2.8.3.2     Configuring MSTP with single instance

Note:

The deployment pattern of "MSTP +VRRP" is replaced by deployment pattern of VSU day by day and we suggestyou to apply VSU if possible. Even so, deployment pattern of "MSTP +VRRP" is still a fallback method to ensure a redundant and reliablenetwork if core and distribution switches don't support VSU

We suggest you to remove someinterconnection links first to avoid a Layer 2 loop

 

I. Network Topology

 

SW1 is the master VRRP gateway for users on all vlans,and SW2 is the backup VRRP gateway for users on all vlans. Connect SW1 and SW2through an Aggregate port to ensure reliability and configure this AP as Trunkport.

The IP address of SW1 on VLANs from 10 to 80 are192.168.10.1 to 192.168.80.1 , and IP address of SW2 on VLANs from 10 to 80 are192.168.10.2 to 192.168.80.2 , and VRRP IP address are 192.168.10.254 to192.168.80.254.

 

II. ConfigurationSteps

Configuring SW1

Ruijie#configterminal

Ruijie(config)#spanning-treemst 0 priority 0   ------>instance id=0 , priority=0(The lower the number, themore likely the switch will be chosen as the root bridge) by default , allvlans are mapped to instance 0 .

Ruijie(config)#spanning-tree       ------>enable STP feature and the default STP mode is MSTP

Ruijie(config)#e xit

 

Configure MSTP

 

Configuring AP

Ruijie#configterminal

Ruijie(config)#interfaceaggregateport 1

Ruijie(config-if-AggregatePort1)#switchport mode trunk

Ruijie(config-if-AggregatePort1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/1                       

Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/2)#exit

 

Ruijie(config)#interfacerange gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchportmode trunk      ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan10

Ruijie(config)#intervlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.10.1 255.255.255.0

Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254

Ruijie(config-if-VLAN10)#vrrp 10 priority 120            ------> vrrp group id=10 , priorityvalue=120 (the bigger the number , the more likely the switch will be chosen asthe  master ,and default value is 100)

Ruijie(config-if-VLAN10)#exit

 

Ruijie(config)#vlan20

Ruijie(config)#intervlan 20

Ruijie(config-if-VLAN20)#ip address 192.168.20.1 255.255.255.0

Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN20)#vrrp 20 priority 120

Ruijie(config-if-VLAN20)#exit

 

...........configurationof VLAN 30 ~ VLAN 70 are omitted............

 

Ruijie(config)#vlan80

Ruijie(config)#intervlan 80

Ruijie(config-if-VLAN80)#ip address 192.168.80.1 255.255.255.0

Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254

Ruijie(config-if-VLAN80)#vrrp 80 priority 120

Ruijie(config-if-VLAN80)#exit

 

Configuring SW2

Ruijie#configterminal

Ruijie(config)#spanning-treemst 0 priority 4096   ------>instance id=0 , priority=4096(The lower the number,the more likely the switch will be chosen as the root bridge) by default , allvlans are mapped to instance 0

 

Ruijie(config)#spanning-tree       ------>enable STP feature and default mode is MSTP

Ruijie(config)#exit

 

Configuring AP

Ruijie#configterminal

Ruijie(config)#interfaceaggregateport 1

Ruijie(config-if-AggregatePort1)#switchport mode trunk

Ruijie(config-if-AggregatePort1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/1                       

Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/2              

Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/2)#exit

Ruijie(config)#interfacerange gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchportmode trunk  ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan10

Ruijie(config)#intervlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.10.2 255.255.255.0

Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254         ------>vrrp groupid=10 , priority value remains default setting(the bigger the number , the morelikely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN10)#exit

 

Ruijie(config)#vlan20

Ruijie(config)#intervlan 20

Ruijie(config-if-VLAN20)#ip address 192.168.20.2 255.255.255.0

Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN20)#exit

 

...........configurationof VLAN 30 ~ VLAN 70 are omitted............

 

Ruijie(config)#vlan80

Ruijie(config)#intervlan 80

Ruijie(config-if-VLAN80)#ip address 192.168.80.2 255.255.255.0

Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254

Ruijie(config-if-VLAN80)#exit

 

Configuring SW11SW12S13S14S15S16

Ruijie#configterminal

Ruijie(config)#interfacerange gigabitEthernet 0/25-26  

Ruijie(config-if-range)#switchportmode trunk

Ruijie(config-if-range)#exit

 

Ruijie(config)#spanning-tree  ------>enableSTP feature and default mode is MSTP

Ruijie(config)#exit

 

Ifwe want to manully conduct MSTP to put G0/25 on SW11 and SW12 in forwardingstate , we can assign a higher cost value to G0/26  , then MSTP blocks G0/26.(If a loop occurs, MST uses the path cost when selecting an interface to placeinto the forwarding state. A lower path cost represents higher-speedtransmission)

Ruijie(config)#interfacegi0/26

Ruijie(config-if-GiagaEthernet0/26)#spanning-tree cost 200000    ------>the default value is derived fromthe media speed of the interface , and the cost value of an 1000M port is 20000

Ruijie(config-if-GiagaEthernet0/26)#exit

 

Connectting cable and verifying status ofSTP and VRRP

1.  This example displays that SW1 is theroot bridge

SW1

Ruijie#showspanning-tree

StpVersion: MSTP

SysStpStatus: ENABLED

MaxAge: 20

HelloTime: 2

ForwardDelay: 15

BridgeMaxAge: 20

BridgeHelloTime: 2

BridgeForwardDelay: 15

MaxHops:20

TxHoldCount: 3

PathCostMethod: Long

BPDUGuard: Disabled

BPDUFilter: Disabled

LoopGuardDef : Disabled

 

######mst 0 vlans map : ALL

BridgeAddr: 1414.4b19.ecc0 ------>local MAC address

Priority:0

TimeSinceTopologyChange: 12d:0h:19m:46s

TopologyChanges: 0

DesignatedRoot: 0.1414.4b19.ecc0  ------>root MAC address

RootCost: 0  

RootPort: 0

CistRegionRoot: 0.1414.4b19.ecc0

CistPathCost: 0 

 

2. This example displays that SW1 is theVRRP master

Ruijie#showvrrp 10

VLAN10 - Group 10

 State is Master        

 Virtual IP address is 192.168.10.254 configured

 Virtual MAC address is 0000.5e00.010a

 Advertisement interval is 1 sec

 Preemption is enabled

   min delay is 0 sec

 Priority is 120

 Master Router is 192.168.10.1 (local), priority is 120

 Master Advertisement interval is 1 sec

 Master Down interval is 3.53 sec

 

Ruijie#showvrrp brief

Interface            Grp  Pri   timer   Own  Pre   State   Master addr                              Group addr                             

 

VLAN10               10   120   3.53    -    P     Master 192.168.10.1                              192.168.10.254                         

 

VLAN20               20   120   3.53    -    P     Master 192.168.20.1                             192.168.20.254                         

 

VLAN30               30   120   3.53    -    P     Master  192.168.30.1                              192.168.30.254                         

 

VLAN40               40   120   3.53    -    P     Master 192.168.40.1                             192.168.40.254                         

 

VLAN50               50   120   3.53    -    P     Master  192.168.50.1                              192.168.50.254                      

 

VLAN60               60   120   3.53    -    P     Master 192.168.60.1                             192.168.60.254                         

 

VLAN70               70   120   3.53    -    P     Master 192.168.70.1                             192.168.70.254                         

 

VLAN80               80   120   3.53    -    P     Master  192.168.80.1                              192.168.80.254  

 

3. This example displays that SW1 is theroot bridge on SW2

SW2:

Ruijie#showspanning-tree

StpVersion: MSTP

SysStpStatus: ENABLED

MaxAge: 20

HelloTime: 2

ForwardDelay: 15

BridgeMaxAge: 20

BridgeHelloTime: 2

BridgeForwardDelay: 15

MaxHops:20

TxHoldCount: 3

PathCostMethod: Long

BPDUGuard: Disabled

BPDUFilter: Disabled

LoopGuardDef : Disabled

 

######mst 0 vlans map : ALL

BridgeAddr: 00d0.f834.ea70   ------>SW2 MAC address

Priority:4096

TimeSinceTopologyChange: 0d:0h:9m:2s

TopologyChanges: 6

DesignatedRoot: 0000.1414.4b19.ecc0  ------> root MAC address(SW1)

RootCost: 0

RootPort: 3

CistRegionRoot: 0000.1414.4b19.ecc0

CistPathCost: 20000

 

4. This example displays that SW2 is theVRRP Backup

CistPathCost: 20000 Ruijie#show vrrp 10

VLAN10 - Group 10

 State is Backup       

 Virtual IP address is 192.168.10.254 configured

 Virtual MAC address is 0000.5e00.010a

 Advertisement interval is 1 sec

 Preemption is enabled

   min delay is 0 sec

 Priority is 100

 Master Router is 192.168.10.1 , priority is 120

 Master Advertisement interval is 1 sec

 Master Down interval is 3 sec

 

5. This exmaple displays how to verify rootbridge on SW11 and SW12 and whether MSTP has blocked G0/26 as per design.

Ruijie#showspanning-tree summary

Spanningtree enabled protocol mstp

MST0 vlans map : ALL

 Root ID    Priority    0

            Address     1414.4b19.ecc0 ------>root bridge MAC address

            this bridge is root

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

 Bridge ID  Priority    32768

            Address     00d0.f8b5.0a0b  ------>local MAC address

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

Interface       Role Sts Cost       Prio     Type  OperEdge

-------------------- --- ---------- -------- ----- ---------------

Gi0/25         Root FWD 200000     128      P2p   False         ------>root port

Gi0/26                 Altn BLK 200000     128      P2p     ------>blocked port

 

When you connect Ruijie switch toother vendors, pay attention to spanning-tree compatibility:

1.    When youconnect Ruijie to Cisco, you must double confirm whether Cisco firmwaresupports standard MSTP .  So far, Cisco switch with firmware 12.25(SE) and abovesupports standard MSTP , but any other older firmware doesn't  ,so the oldfirmware that runs nonstandard MSTP has compatibility issue .So you mustupgrade switch to version 12.25(SE) and above.If Cisco switch is too old toupgrade to version 12.25(SE) and above, you can disable STP and enable BPDUbridge mode to bypass all bpdu packets. To enable BPDU bridge mode, performthis task:

Ruijie(config)#no spanning-tree

Ruijie(config)#bridge-frameforwarding protocol bpdu

 

2.     We suggest you to configurecompletely the same MSTP name, revision, instance mapping when you enable MSTPon Ruijie and other vendors switch to prevent STP compatibility issue. You canalso enable RSTP because RSTP has better compatibility.

 

2.8.3.3     Configuring MSTP with multiple instances

Note:

The deployment pattern of "MSTP +VRRP" is replaced by deployment pattern of VSU day by day and we suggestyou to apply VSU if possible. Even so, deployment pattern of "MSTP +VRRP" is still a fallback method to ensure a redundant and reliablenetwork if core and distribution switches don't support VSU

We suggest you to remove someinterconnection links first to avoid a Layer 2 loop

 

I. Network Topology

 

SW1 is the master VRRP gateway for users on vlan10,20,30,40,60,and 70,and backup VRRP for servers on vlan 50 and 80.SW2 is themaster VRRP gateway for servers on vlans 50 and 80 , and backup VRRP for userson vlan 10,20,30,40,60 and 70. Connect SW1 and SW2 through an Aggregate port toensure reliability and configure this AP as Trunk port.

The IP address of SW1 on VLANs from 10 to 80 are192.168.10.1 to 192.168.80.1 , and IP address of SW2 on VLANs from 10 to 80 are192.168.10.2 to 192.168.80.2 , and VRRP IP address are 192.168.10.254 to192.168.80.254.

 

II. ConfigurationSteps

Configuring SW1

Configuring MSTP

Ruijie#configterminal

Ruijie(config)#vlanrange 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-treemst configuration   ------>enter mst configuration mode

Ruijie(config-mst)#nameruijie      ------>switches in a same MSTP area must have the sameinstance name

Ruijie(config-mst)#instance1 vlan 10,20,30,40,60,70   ----->map vlan 10,20,30,40,60,70 to instance 1 , andswitches in a same MSTP area must have the same mapping

Ruijie(config-mst)#instance2 vlan 50,80   -----> map vlan 50,80 to instance 2 , and switches in a sameMSTP area must have the same mapping

Ruijie(config-mst)#exit

Ruijie(config)#spanning-treemst 0 priority 0   ----->By default , instance 0 exists ,and any other vlansthat haven't mapped to an instance are mapped to instance 0. SW1 is the rootbridge for instance 0

Ruijie(config)#spanning-treemst 1 priority 0   ----->SW1 is the root bridge in instance 1

Ruijie(config)#spanning-treemst 2 priority 4096    ----->SW1 is the secondary bridge in instance 2

Ruijie(config)#spanning-tree  ------>enableSTP feature

 

Configuring AP

Ruijie#configterminal

Ruijie(config)#interfaceaggregateport 1

Ruijie(config-if-AggregatePort1)#switchport mode trunk

Ruijie(config-if-AggregatePort1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/1       

Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/2)#exit

Ruijie(config)#interfacerange gigabitEthernet 1/1-5  

Ruijie(config-if-range)#switchportmode trunk        ----->don't forget to prune trunk port

 

Configuring VRRP

Ruijie(config)#vlan10

Ruijie(config)#intervlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.10.1 255.255.255.0

Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254

Ruijie(config-if-VLAN10)#vrrp 10 priority 120            ------>vrrp group id=10 , priority value=120(the bigger the number , the more likely the switch will be chosen as the master ,and default value is 100)

Ruijie(config-if-VLAN10)#exit

 

Ruijie(config)#vlan20

Ruijie(config)#intervlan 20

Ruijie(config-if-VLAN20)#ip address 192.168.20.1 255.255.255.0

Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254

Ruijie(config-if-VLAN20)#vrrp 20 priority 120

Ruijie(config-if-VLAN20)#exit

 

...........Configurationof VLAN 30,40,60,70 are omitted............

 

VRRPprimary gateway of VLAN 50,80 is SW2 which is the root bridge of instance 2

Ruijie(config)#vlan50

Ruijie(config)#intervlan 50

Ruijie(config-if-VLAN50)#ip address 192.168.50.1 255.255.255.0 

Ruijie(config-if-VLAN50)#vrrp 50 ip 192.168.50.254       ------>vrrp group id=50, priority value remains default setting(the bigger the number , the morelikely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN50)#exit

 

Ruijie(config)#vlan80

Ruijie(config)#intervlan 80

Ruijie(config-if-VLAN80)#ip address 192.168.80.1 255.255.255.0

Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254             ------>vrrp groupid=80 , priority value remains default setting(the bigger the number , the morelikely the switch will be chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN80)#exit

 

Configuring SW2

Configuring MSTP

Ruijie#configterminal

Ruijie(config)#vlanrange 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-treemst configuration   ------>enter mst configuration mode

Ruijie(config-mst)#nameruijie      ------>switches in a same MSTP area must have the sameinstance name

Ruijie(config-mst)#instance1 vlan 10,20,30,40,60,70   ----->map vlan 10,20,30,40,60,70 toinstance 1 , and switches in a same MSTP area must have the same mapping

Ruijie(config-mst)#instance2 vlan 50,80   ----->map vlan 50,80 to instance 2 , and switches in a sameMSTP area must have the same mapping

Ruijie(config-mst)#exit

Ruijie(config)#spanning-treemst 0 priority 4096    ----->By default , instance 0 exists ,and any other vlansthat haven't mapped to an instance are mapped to instance 0. SW2 is thesecondary root bridge in instance 0

Ruijie(config)#spanning-treemst 1 priority 4096----->SW2 is the secondary root bridge in instance 1

Ruijie(config)#spanning-treemst 2 priority 0         ----->SW2 is the root bridge in instance 2

Ruijie(config)#spanning-tree  ------>enable STP feature

 

Configuring AP

Ruijie#configterminal

Ruijie(config)#interfaceaggregateport 1

Ruijie(config-if-AggregatePort1)#switchport mode trunk

Ruijie(config-if-AggregatePort1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/1              

Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/1)#exit

Ruijie(config)#interfacetengigabitEthernet 3/2     

Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1

Ruijie(config-if-TenGigabitEthernet3/2)#exit

 

Ruijie(config)#interfacerange gigabitEthernet 1/1-5 

Ruijie(config-if-range)#switchportmode trunk   ----->don't forget to prune trunk port

 

Configuring VRRP

VRRP backup gateway of VLAN10,20,30,40,60,70 is SW2 which is the backup bridge of instance 1

Ruijie(config)#vlan10

Ruijie(config)#intervlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.10.2 255.255.255.0

Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254          ------>vrrp groupid=10 , priority value remains default setting(the bigger the number , the morelikely the switch will be chosen as the  master ,and default value is 100) .

Ruijie(config-if-VLAN10)#exit

 

Ruijie(config)#vlan20

Ruijie(config)#intervlan 20

Ruijie(config-if-VLAN20)#ip address 192.168.20.2 255.255.255.0

Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254              ------>vrrp group id=20, priority value remains default setting(the bigger the number , the morelikely the switch will be chosen as the  master ,and default value is 100) .

Ruijie(config-if-VLAN20)#exit

 

...........Configurationof VLAN 30,40,60,70 are omitted............

 

Ruijie(config)#vlan50

Ruijie(config)#intervlan 50

Ruijie(config-if-VLAN50)#ip address 192.168.50.2 255.255.255.0 

Ruijie(config-if-VLAN50)#vrrp 50 ip 192.168.50.254      

Ruijie(config-if-VLAN50)#vrrp 50 priority 120            ------>vrrp group id=50 , priority value=120(the bigger the number , the more likely the switch will be chosen as the master ,and default value is 100)

Ruijie(config-if-VLAN50)#exit

Ruijie(config)#vlan80

Ruijie(config)#intervlan 80

Ruijie(config-if-VLAN80)#ip address 192.168.80.2 255.255.255.0

Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254            

Ruijie(config-if-VLAN80)#vrrp 80 priority 120            ------>vrrp group id=80, priority value =120(the bigger the number , the more likely the switch willbe chosen as the  master ,and default value is 100)

Ruijie(config-if-VLAN80)#exit

 

Configuring SW11SW12S13S14S15S16

Ruijie#configterminal

Ruijie(config)#interfacerange gigabitEthernet 0/25-26  

Ruijie(config-if-range)#switchportmode trunk

Ruijie(config-if-range)#exit

Ruijie(config)#vlanrange 10,20,30,40,50,60,70,80

Ruijie(config-vlan-range)#exit

Ruijie(config)#spanning-treemst configuration  

Ruijie(config-mst)#nameruijie     

Ruijie(config-mst)#instance1 vlan 10,20,30,40,60,70  

Ruijie(config-mst)#instance2 vlan 50,80  

Ruijie(config-mst)#exit

Ruijie(config)#spanning-tree  

 

Connectting cables and verifying status ofMSTP and VRRP

1.  This example displays that SW1 is theroot bridge in instance 0 and 1, and SW2 is the root bridge in instance 2.

SW1

RuijieSW1#showspanning-tree summary

Spanningtree enabled protocol mstp

MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

 Root ID    Priority    0

           Address     1414.4b5a.198c   ------> MAC address of Root bridge in instance0

            this bridge is root

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 Bridge ID  Priority    0

            Address     1414.4b5a.198c        ------>local MAC address

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface       Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Desg FWD 19000      128      False    P2p                            

Gi0/1           Desg FWD 20000      128      False    P2p                            

 

MST1 vlans map : 10, 20, 30, 40, 60, 70

 Region Root Priority   0

            Address     1414.4b5a.198c ------>MAC address of Root bridge in instance 1

            this bridge is region root

 Bridge ID  Priority    0

            Address     1414.4b5a.198c           ------>local MAC address

     Interface        Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Desg FWD 19000      128      False    P2p                            

Gi0/1           Desg FWD 20000      128      False    P2p                            

 

MST2 vlans map : 50, 80

 Region Root Priority   0

            Address     1414.4b5a.18d4          ------>MAC address of Root bridge ininstance 2

            this bridge is region root

 

 Bridge ID  Priority    4096

            Address     1414.4b5a.198c         

Interface       Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Root FWD 19000      128      False    P2p                            

Gi0/1           Desg FWD 20000      128      False    P2p   

 

SW2

Ruijie#showspanning-tree summary

Spanningtree enabled protocol mstp

MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

 Root ID    Priority    0

            Address     1414.4b5a.198c        ------>MAC address of Root bridge which isSW1 in instance 0

            this bridge is root

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 Bridge ID  Priority    4096        

            Address     1414.4b5a.18d4          ------>local MAC address

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface       Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Root FWD 19000      128      False    P2p                             

Gi2/0/1         Desg FWD 20000      128      False    P2p                            

 

MST1 vlans map : 10, 20, 30, 40, 60, 70

 Region Root Priority   0

            Address     1414.4b5a.198c ------>MAC address of Root bridge in instance 1

            this bridge is region root

 Bridge ID  Priority    4096

            Address     1414.4b5a.18d4 ------>local MAC address

    

Interface       Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Root FWD 19000      128      False    P2p                            

Gi2/0/1         Desg FWD 20000      128      False    P2p                            

 

MST2 vlans map : 50, 80

 Region Root Priority   0

            Address     1414.4b5a.18d4       ------>MAC address of Root bridge ininstance 2

            this bridge is region root     

 Bridge ID  Priority    0

            Address     1414.4b5a.18d4 ------>local MAC address

Interface       Role Sts Cost       Prio     OperEdge Type

-------------------- --- ---------- -------- -------- ----------------

Ag1             Desg FWD 19000      128      False    P2p                            

Gi2/0/1         Desg FWD 20000      128      False    P2p  

 

2. This example displays that SW1 is themaster on vlan 10,20,30,40,60 and 70 , and the backup on vlan 50 and 80. SW2 isthe master on vlan 50 and 80, and the backup on vlan 10,20,30,40,60 and 70.

 

SW1

Ruijie#showvrrp brief

Interface            Grp  Pri   timer   Own  Pre   State   Master addr                              Group addr                             

 

VLAN10               10   120   3.53    -    P     Master 192.168.10.1                             192.168.10.254                         

 

VLAN20               20   120   3.53    -    P     Master 192.168.20.1                              192.168.20.254                         

 

VLAN30               30   120   3.53    -    P     Master 192.168.30.1                             192.168.30.254                         

 

VLAN40               40   120   3.53    -    P     Master 192.168.40.1                             192.168.40.254                         

 

VLAN50               50   100   3.60    -    P     Backup 192.168.50.2                              192.168.50.254       

 

VLAN60               60   120   3.53    -    P     Master 192.168.60.1                             192.168.60.254                         

 

VLAN70               70   120   3.53    -    P     Master 192.168.70.1                              192.168.70.254                         

 

VLAN80               80   100   3.60    -    P     Backup 192.168.80.2                              192.168.80.254         

 

SW2:

RuijieSW2#showvrrp brief

 

Interface            Grp  Pri   timer   Own  Pre   State   Master addr                              Group addr                             

 

VLAN10               10   100   3.60    -    P     Backup 192.168.10.1                             192.168.10.254                         

 

VLAN20               20   100   3.60    -    P     Backup 192.168.20.1                             192.168.20.254                         

 

VLAN30               30   100   3.60    -    P     Backup 192.168.30.1                              192.168.30.254                          

 

VLAN40               40   100   3.60    -    P     Backup 192.168.40.1                             192.168.40.254                         

 

VLAN50               50   120   3.53    -    P     Master 192.168.50.2                              192.168.50.254      

 

VLAN60               60   100   3.60    -    P     Backup 192.168.60.1                             192.168.60.254                         

 

VLAN70               70   100   3.60    -    P     Backup 192.168.70.1                             192.168.70.254                         

 

VLAN80               80   120   3.53    -    P     Master 192.168.80.2                              192.168.80.254

 

 

3. This exmaple displays how to verify rootbridge on access switches and whether MSTP has blocked some ports to prevent aloop.

Ruijie#showspanning-tree summary

Spanningtree enabled protocol mstp

MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094

 Root ID    Priority    0

            Address     1414.4b5a.198c

            this bridge is root

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

 

 Bridge ID  Priority    32768

            Address     001a.a9c4.05f2

            Hello Time   2 sec  Forward Delay 15 sec  Max Age 20 sec

Interface       Role Sts Cost       Prio     Type  OperEdge

-------------------- --- ---------- -------- ----- ---------------

Gi0/24          Altn BLK 20000      128      P2p   False          ------>one Blocked port

Gi0/23          Root FWD 20000      128      P2p   False          ------>one Root port

 

MST1 vlans map : 10, 20, 30, 40, 60, 70

 Region Root Priority   0

            Address     1414.4b5a.198c ------>MAC address of Root bridge which is SW1 ininstance 1

            this bridge is region root

 Bridge ID  Priority    32768

            Address     001a.a9c4.05f2

    Interface        Role Sts Cost       Prio     Type  OperEdge

-------------------- --- ---------- -------- ----- ---------------

Gi0/24          Altn BLK 20000      128      P2p   False          ------>one Blocked port

Gi0/23          Root FWD 20000      128      P2p   False          ------>one Root port

 

MST2 vlans map : 50, 80

  RegionRoot Priority   0

            Address     1414.4b5a.18d4            ------>MAC address of Root bridgewhich is SW2 in instance 2

 

            this bridge is region root

 Bridge ID  Priority    32768

            Address     001a.a9c4.05f2

Interface       Role Sts Cost       Prio     Type  OperEdge

-------------------- --- ---------- -------- ----- ---------------

Gi0/24          Root FWD 20000      128      P2p   False          ------>one Blocked port

Gi0/23          Altn BLK 20000      128      P2p   False          ------>one Root port

 

When you connect Ruijie switch toother vendors, pay attention to spanning-tree compatibility:

1.    When youconnect Ruijie to Cisco, you must double confirm whether Cisco firmwaresupports standard MSTP.  So far, Cisco switch with firmware 12.25(SE) and abovesupports standard MSTP , but any other older firmware doesn't  ,so the oldfirmware that runs nonstandard MSTP has capatibility issue .So you must upgradeswitch to version 12.25(SE) and above.If Cisco switch is too old to upgrade toversion 12.25(SE) and above, you can disable STP and enable BPDU bridge mode tobypass all bpdu packets.To enable BPDU bridge mode, perform this task:

Ruijie(config)#no spanning-tree

Ruijie(config)#bridge-frameforwarding protocol bpdu

 

2.     We suggest you to configure completelythe same MSTP name , revision , instance mapping when you enable MSTP on Ruijieand other vendors switch to prevent STP compatibility issue. You can alsoenable RSTP because RSTP has better compatibility.

 

2.8.3.4         Configuring Spanningtree optimization

I. Network Topology

2.8.3.5         Verifying MSTP+VRRP

I. Network Topology

2.8.4         ARPSpoofing Protection

Overview

ARPAddress ResolutionProtocol) provides IP communication within a Layer 2 broadcast domain bymapping an IP address to a MAC address. For example, host B wants to sendinformation to host A but does not have the MAC address of host A in its ARPcache. In ARP terms, host B is the sender and host A is the target.

To get the MAC address of host A, host B generates abroadcast message for all hosts within the broadcast domain to obtain the MACaddress associated with the IP address of host A. All hosts within thebroadcast domain receive the ARP request, and host A responds with its MACaddress.

 

 

Feature

ARP itself does not check the validity of incoming ARPpackets, a drawback of ARP. In this way, attackers can launch ARP spoofingattacks easily by exploiting the drawback of the protocol. The most typical oneis the man in the middle attack, which is described as follows:

As shown in the diagram, devices A, B and C areconnected to Ruijie device and located in the same subnet. Their IP and MACaddresses are respectively represented by (IPA, MACA), (IPB, MACB) and (IPC,MACC). When device A needs to communicate with device B in the network layer,device A broadcasts an ARP request in the subnet to query the MAC value ofdevice B. Upon receiving this ARP request packet, device B updates its ARPbuffer using IPA and MACA, and sends an ARP response. Upon receiving thisresponse, device A updates its ARP buffer using IPB and MACB.

With this model, device C will cause the correspondingrelationship of ARP entries in device A and device B incorrect. The policy isto broadcast ARP response to the network continuously. The IP address in thisresponse is IPA/IPB, and the MAC address is MACC. Then, ARP entries (IPB andMACC) will exist in device A, and ARP entries (IPA and MACC) exist in device B.Communication between device A and device B is changed to communication withdevice C, which is unknown to devices A and B. Device C acts as an intermediaryand it just modifies the received packets appropriately and forwards to anotherdevice. This is the well-known man in the middle attack.

2.8.4.1         Scenario of static IPaddress assignment

Scenario

Port IP&MAC binding + ARP-checkIn a network without 802.1x authentication, you canmanually bind IP&MAC address of users to a security entry on each port on aswitch and enable ARP-check feature globablly to prevent ARP spoofing.Users connectedto a switch port can pass through the port verification and have access tonetwork only when IP&MAC address of the users are totally the same to thesecurity entry on the port.

 

Merit:  This is a very strict method to control allusers in your network and switches verify each ARP packet in hardware withoutconsuming CPU resource

 

Demerit:  You must collectIP&MAC address of each users and the port numbers to which every usersconnect on each switch, so this method cost you plenty of time tocollect information and configure switches and it is also not flexible if usersmove their physical location very often.

     

I. Requirements

Administrator assign IP address to users manually, andconfigure "port-security + ARP-check" method on switches to defendagainst ARP spoofing.

 

II. Network Topology

 

III. ConfigurationTips

1. You must enable port-security on portconnected to users, not uplink port

2. You must enable ARP-check on portconnected to users, not uplink port

 

IV. ConfigurationSteps

Configuring core switch

Assign IP address to vlan 10 which is usergateway

Ruijie(config)#interfacevlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN10)#end

Ruijie#wr

 

Configuring access switch

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#interfacefastEthernet 0/1                                   

Ruijie(config-if-FastEthernet0/1)#switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1  

------> bind static IP address 192.168.1.1 and MAC address0021.CCCF.6F70 on VLAN 10 to security entry on F0/1

Ruijie(config-if-FastEthernet0/1)#switchport port-security   ------>enable port-security

Ruijie(config-if-FastEthernet0/1)#arp-check                        ------>enablearp-check

Ruijie(config-if-FastEthernet0/1)#exit

 

Ruijie(config)#interfacfastEthernet 0/2

Ruijie(config-if-FastEthernet0/2)# switchport port-security binding 0023.5abd.1975 vlan 10 192.168.1.2 

 ------>bind static IP address 192.168.1.2 and MAC address0023.5abd.1975  on  VLAN 10 to security entry on F0/2

Ruijie(config-if-FastEthernet0/2)#switchport port-security   ------>enable port-security

Ruijie(config-if-FastEthernet0/2)#arp-check                         ------>enablearp-check

Ruijie#write                  

 

Ruijie(config)#interfacfastEthernet 0/3

Ruijie(config-if-FastEthernet0/3)# switchport port-security binding 192.168.1.3 

------>you can also bind onlly static IP address 192.168.1.3to security entry on F0/3 in order to be more flexible but lower security

Ruijie(config-if-FastEthernet0/3)#switchport port-security  

Ruijie(config-if-FastEthernet0/3)#arp-check                         

Ruijie#write      

 

V.Verification

1) How to display security entry on eachport

2) How to display status of ARP-check

 

Scenario

Global IP&MAC binding+ ARP-checkIn a network without 802.1x authentication, you canmanually bind IP&MAC address of users to global security table on a switchand enable ARP-check feature globablly to prevent ARP spoofing.Users connectedto a switch port can pass through the global verification and have access tonetwork only when IP&MAC address of the users are totally the same to theglobal security table on the switch

 

Merit: This is a less strict method to control allusers in your network than solution 1, and switches verify each ARP packet inhardware without consuming CPU resource

 

Demerit:  You must collect IP&MAC address of eachusers on each switch, so this method cost you plenty of time to collectinformation and configure switches.

 

I. Requirements

Administrator assign static IP address to users, andconfigures "port-security + ARP-check" method on switches to preventARP spoofing

 

II. Network Topology

 

III. ConfigurationTips

1. Bind IP&MAC address of users to global securitytable

2. Configure uplink port as trusted port on which allpackets can pass through without validation

3. Enable address-bind feature globally

4. Enable arp-check feature globally

 

IV. ConfigurationSteps

Configuring core switch

Manually assign IP address to Vlan 10 whichis user gateway

Ruijie(config)#interfacevlan 10

Ruijie(config-if-VLAN10)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN10)#end

Ruijie#wr   

 

Configuring access switch

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#address-bind192.168.1.1 0021.cccf.6f70  ------>bind IP 192.168.1.1 and MAC address 0021.cccf.6f70 toglobal security table 

Ruijie(config)#address-bind192.168.1.2 0023.5abd.1975 ------>bind IP 192.168.1.2 and MAC address 0023.5abd.1975 toglobal security table 

Ruijie(config)#address-binduplink gigabitEthernet 0/25   ------>configure uplink port G0/25 astrusted port on which all packets can pass through without validation

Ruijie(config)#address-bindinstall ------>enable address-bind

Ruijie(config)#interfacerange fastEthernet 0/1-2

Ruijie(config-if-range)#arp-check------>enablearp-check

Ruijie(config-if-range)#end

Ruijie#write        

 

Note

If users want to use IPv6 address to visitnetwork, you must enable IPv6 capatible mode on switch that have address-bindenabled. Perform this task:

Ruijie(config)#address-bindipv6-mode ?

 compatible  IPV6 compatible mode  ------>campatible mode ,allow bindingusers to visit network via IPv6 address

 loose       IPV6 loose mode               ------>loose mode ,allow all IPv6 users to visit network unlimitedly

 strict      IPV6 strict mode      (default: strict)------>strict mode ,even binding users can't visit network via IPv6 address, this is the defaultmode

Ruijie(config)#address-bindipv6-mode compatible   

 

V.Verification

1. How to display global security table 

2. How to display trusted port 

3. How to verify ARP-check table

 

Scenario

802.1X authentication+ ARP-checkIn a network that have 802.1x authenticationenabled,users must be running 802.1X-compliant client software ,such as Ruijiesupplicant SU and SA . Switch collects IP&MAC address when communicateswith 802.1X-compliant client software and write these information into global securitytable.ARP-check validate each users based on thie global security table toprevent ARP spoofing.

 

Merit: This is the simplest method for you to configureswitch and maintenance

 

Demerit : You must build your network with Ruijie802.1X-compliant client software SU/SA and a Radius Server (for example ,RuijieSAM)and it consumes more hardware resourcebecause it costs switch one more security entry in hardware when a user passthe authentication .

      

I. Requirements

Administrator assigns static IP address to user andenable 802.1x authentication through the overall network with Ruijie SU/SA andSAM to prevent ARP spoofing.

 

II. Network Topology

 

 

III. ConfigurationTips

1. Enable basic dot1x authenticationfunction on access switch

2. Modify authorization mode to"supplicant mode"

3. Enable arp-check on port connected tousers

 

IV. ConfigurationSteps

Configuring access switch

1) Configure dot1x authentication on switch

For complete information about 802.1xconfiguration ,see switch configuration guide , such as RG-S8600E Series Switches RGOS Configuration Guide

 

2) Configure authorization mode in"supplicant mode"

Ruijie(config)#aaaauthorization ip-auth-mode supplicant

 

Note       Ifusers want to use IPv6 address to visit network, you must enable IPv6 capatiblemode on switch that have address-bind enabled. Perform this task:

Ruijie(config)#address-bindipv6-mode ?

 compatible  IPV6 compatible mode  ------>campatible mode ,allow bindingusers to visit network via IPv6 address

 loose       IPV6 loose mode               ------>loose mode ,allow all IPv6 users to visit network unlimitedly

 strict      IPV6 strict mode      (default: strict)------>strict mode ,even binding users can't visit network via IPv6 address, this is the defaultmode

Ruijie(config)#address-bindipv6-mode compatible

 

3)      Enable arp-check

Ruijie(config)#interfacerange g0/1-2

Ruijie(config-if-range)#arp-check      

Ruijie(config-if-range)#end

Ruijie#write

 

V.Verification

Ruijie(config)#showinterfaces gigabitEthernet 0/1 arp-check list

 

2.8.4.2         Scenarioof dynamic IP address assignment(DHCP)

Scenario

DHCP Snooping with ARP-check:This solution can prevents ARP spoofing inthe network in which DHCP server assign IP address to users .You can alsoenable 802.1x authentication or web authentication or you can disable anyauthentications in your network.

Merit: Very simple configuration and easy maintenance.

Demerit: DHCP snooping and ARP-check are enforced inhardware , so this method is is not applied if there are insufficient hardwareresources available on switch.How many users the switch can carry depend on itsspecification.

 

When switch hardware recources are insufficient , systemreturns the following syslog :      

%SECURITY-3-TCAM_RESOURCE_LIMIT: TCAM resource istemporary not available.

 

I. Requirements

DHCP server assigns IP address to users ,andadministrator uses "DHCP Snooping with ARP-check" to prevent ARPspoofing.

 

II. Network Topology

 

 

III. ConfigurationTips

1. Core switch acts as DHCP server

2. Enable DHCP Snooping on access switch and configureuplink port as DHCP Snooping trusted port.

3. Enable ARP-check on ports connected touser

 

IV. ConfigurationSteps

Configuring core switch

1. Enable DHCP service

Ruijie(config)#servicedhcp

 

2. Manually Assign IP address to vlan 1which is user gateway

Ruijie(config)#interfacevlan 1

Ruijie(config-if-VLAN1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN1)#exit

 

3. Create DHCP IP address pool

Ruijie(config)#ipdhcp pool vlan1

Ruijie(dhcp-config)#network192.168.1.0 255.255.255.0      ------>network subnet

Ruijie(dhcp-config)#dns-server218.85.157.99                     ------>DNS Server

Ruijie(dhcp-config)#default-router192.168.1.254                ------>specify user gateway

Ruijie(dhcp-config)#end

Ruijie#wr

 

Configuring access switch

1. Enable DHCP Snooping

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#ipdhcp snooping    

 

2. Configure the port connected to DHCP server as DHCPSnooping trusted port.

Ruijie(config)#interfacegigabitEthernet 0/49

Ruijie(config-GigabitEthernet0/49)#ip dhcp snooping trust    ------>By default , all ports are DHCPSnooping untrusted port. Only trusted port can forward DHCP Offer and Ackpackets

 

Note

If users want to use IPv6 address to visitnetwork, you must enable IPv6 capatible mode on switch that have address-bindenabled. Perform this task

Ruijie(config)#address-bindipv6-mode ?

 compatible  IPV6 compatible mode  ------>campatible mode ,allow bindingusers to visit network via IPv6 address

 loose       IPV6 loose mode               ------>loose mode ,allow all IPv6 users to visit network unlimitedly

 strict      IPV6 strict mode      (default: strict)------>strict mode ,even binding users can't visit network via IPv6 address, this is the defaultmode

Ruijie(config)#address-bindipv6-mode compatible

 

3.  Enable arp-check

Ruijie(config)#interfacerange fastEthernet 0/1-2                     

Ruijie(config-if-range)#arp-check                                             

 

V.Verification

 

2.  How to display NIC information on astation, click " Start -> Run -> cmd -> ipconfig/all " 

 

3. How to display DHCP snooping table on aaccess switch

 

4. How to display ARP-Check table

 

Scenario

DHCP Snooping with DAI(Dynamic ARPinspection): This solutioncan prevents ARP spoofing in the network in which DHCP server assign IP addressto users .You can also enable 802.1x authentication or web authentication oryou can disable any authentications in your network.

 

Merit: Very simple configuration and easy maintenance.DAI is enfored in CPU, but ARP-check is enforced in hardware.

 

Demerit: When a access switch carries more than 50users, we recommend you to use solution 1 in case CPU resources isinsufficient.

 

I. Requirements

DHCP server assigns IP address to users ,andadministrator uses "DHCP Snooping with DAI" to prevent ARP spoofing.

 

II. Network Topology

III. ConfigurationTips

1. Core switch acts as DHCP server

2. Enable DHCP Snooping on access switch and configureuplink port as DHCP Snooping trusted port.

3. Enable DAI on access switch and configure uplinkport as DAI trusted port.

4. Fine tune CPP and NFPP parameters andprune trunk port

 

IV. ConfigurationSteps

Configuring core switch

1. Enable DHCP service

Ruijie(config)#servicedhcp                                           

 

2. Manually Assign IP address to vlan 1which is user gateway

Ruijie(config)#interfacevlan 1

Ruijie(config-if-VLAN1)#ip address 192.168.1.254 255.255.255.0

Ruijie(config-if-VLAN1)#exit                                      

 

3. Create DHCP IP address pool

Ruijie(config)#ipdhcp pool vlan1

Ruijie(dhcp-config)#network192.168.1.0 255.255.255.0      ------>network segment

Ruijie(dhcp-config)#dns-server218.85.157.99                     ------>DNS server

Ruijie(dhcp-config)#default-router192.168.1.254                ------>specify user gateway

Ruijie(dhcp-config)#end

Ruijie#wr                                

 

Configuring access switch

1. Enable DHCP Snooping

Ruijie>enable 

Ruijie#configureterminal

Ruijie(config)#ipdhcp snooping                            

 

2.  Configure the port connected to DHCP server as DHCPSnooping trusted port

Ruijie(config)#interfacegigabitEthernet 0/49

Ruijie(config-GigabitEthernet0/49)#ip dhcp snooping trust    ------>By default , all ports are DHCPsnooping untrust ports. Only trusted port can forward DHCP Offer and Ackpackets

 

3. Enable DAI in VLAN 1

Ruijie(config)#iparp inspection vlan 1                      ------>DAI inspectsVLAN 1

 

4 . Configure the uplink port as DAI trusted port

Ruijie(config)#intgigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet0/25)#ip arp inspection trust    

 

Configuring DAI optimization(Mandatory)

When DAI is enabled, switch forwards all ARPpackets to CPU to validate, and you must configure the following optimization.

1. Prune trunk port on uplink port on accessswitch

This example shows how to prune trunk portG0/25 and this port can carry traffic for VLAN 1 and VLAN 9 only:

Ruijie(config-if-GigabitEthernet0/25)#switchport trunk  allowed vlan remove 2-8,10-4094    

For complete information, see Initialization --->Configuring a Layer 2 Port --->Access or Trunk port

 

2. Disable NFPP on the uplink port on accessswitch, otherwise if the number of ARP packets sent from Core switch to accessswitch exceeds the default NFPP rate-limit threshold, NFPP will drop theexceeding arp packets which would be users'

Ruijie(config)#intg0/25

Ruijie(config-if-GigabitEthernet0/25)#no nfpp arp-guard enable   

Ruijie(config-if-GigabitEthernet0/25)#no nfpp dhcp-guard enable

Ruijie(config-if-GigabitEthernet0/25)#no nfpp dhcpv6-guard enable 

 Ruijie(config-if-GigabitEthernet0/25)#no nfpp icmp-guard enable    

Ruijie(config-if-GigabitEthernet0/25)#no nfpp ip-guard  enable        

Ruijie(config-if-GigabitEthernet0/25)#no nfpp nd-guard  enable        

Ruijie(config-if-GigabitEthernet0/25)#exit

Ruijie(config)# 

 

3. Increase CPP arp rate-limit threshold to500PPS (180PPS by default) in case that CPP drops the exceeding packets.

Ruijie(config)#cpu-protecttype arp pps 500

 

V.Verification

1. How to display DAI status

2. How to display DHCP Snooping bindingtable

 

Scenario

802.1X authentication with ARP-checkIn a network that have 802.1x authenticationenabled,users must be running 802.1X-compliant client software ,such as Ruijiesupplicant SU and SA and DHCP server assigns IP address to users beforeauthentication.

 

MeritThis is the simplestmethod for you to configure switch and maintenance

Demerit : You must build your network with Ruijie802.1X-compliant client software SU/SA and a Radius Server (for example ,RuijieSAM)and it consumes more hardware resourcebecause it costs switch one more security entry in hardware when a user passthe authentication .In addition , you must configure a global security tunnelto bypass DHCP packets because users must acquire IP address before 802.1Xauthentication

 

I. Requirements

DHCP Server assigns IP address to users ,thenadministrator uses "802.1X authentication+ ARP-check" to prevent ARPspoofing.

 

II. Network Topology

 

 

III. ConfigurationTips

1. Enable basic dot1x authentication onaccess switch

2. Configure a global security tunnel tobypass DHCP packets

3. Modify authorization mode to"supplicant mode"

4. Enable arp-check on port connected tousers

 

IV. ConfigurationSteps

Configuring access switch

1. Configure dot1x authentication on switch

 For complete information about 802.1x configuration,see switch configuration guide , such as RG-S8600ESeries Switches RGOS Configuration Guide

 

2. Configure a global security tunnel tobypass DHCP packets

Ruijie(config)#expertaccess-list extended dhcp

Ruijie(config-exp-nacl)#permitudp any any any any eq bootps      ------>bypass DHCP packets

Ruijie(config-exp-nacl)#

Ruijie(config)#securityglobal access-group dhcp

 

3. Modify authorization mode to"supplicant mode"

Ruijie(config)#aaaauthorization ip-auth-mode supplicant  

 

Note

If users want to use IPv6 address to visitnetwork, you must enable IPv6 capatible mode on switch that have address-bind enabled.Perform this task:

Ruijie(config)#address-bindipv6-mode ?

 compatible  IPV6 compatible mode  ------>campatible mode ,allow bindingusers to visit network via IPv6 address

 loose       IPV6 loose mode               ------>loose mode ,allow all IPv6 users to visit network unlimitedly

 strict      IPV6 strict mode      (default: strict)------>strict mode ,even binding users can't visit network via IPv6 address, this is the defaultmode

Ruijie(config)#address-bindipv6-mode compatible

 

4. Enable arp-check

Ruijie(config)#interfacerange g0/1-2

Ruijie(config-if-range)#arp-check     

Ruijie(config-if-range)#end

Ruijie#write

 

V.Verification

Ruijie(config)#showinterfaces gigabitEthernet 0/1 arp-check list

2.8.5      VSD

Scenario

As the data center network expands, the service type isvaried, and network management becomes more complicated, higher requirementsare raised on service isolation, safety, and reliability of the network. Withthe rapid development of hardware and maturity of the multi-frame, clustered,and distributed routing and switching system, the service processing capabilityof a single physical network device has reached a new level. It is urgent tomake full use of the powerful service processing capability of a singlephysical device, adapt to the current service requirements, and realize smoothevolution of future expansion. Network device virtualization is a perfectmethod. It provides an easier virtualization means for network users. It is notlimited to specific services or channels but serves to provide virtualizationof the entire device.

Function Overview

The Virtual Switch Device (VSD) is a network systemvirtualization technology which divides a physical device into multiple logicaldevices. Each logical device is called a VSD. Each VSD has independent hardwareand software resources, including independent interface resources, CPUresources, independently-maintained routing table and forwarding table, and itsown administrator and configuration file. For users, each VSD is an independentdevice.

By VSDx technology, a physical device can bevirtualized to multiple logical devices, as shown in the following figure. Aphysical device can carry multiple network nodes in the logical topology tomaximize utilization of available resources and reduce network operation costs.Different VSs can be deployed with different services to isolate services fromfailures, improving safety and reliability of the network.

 

 

VSD Management

Out-of-band management is management through the mgmtinterface. Inband management is management through an Ethernet physicalinterface.

 

 

I. Requirements

To carry multiple users on a network device, isolatemanagement, simplify operation and maintenance, and isolate services, a networkdevice with good performance is virtualized to multiple logical devices, makingfull use of device resources and ensuring strong scalability of the network.Services of virtual devices are managed independently of each other.

 

II. Network Topology

 

 

III. Configuration Tips

Install a VSD license.

Ruijie#configure terminal

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie(config)#license install usb0:/LIC-VSD00000002328406.lic----> VSD function needlicense

Successto install license file, service name: LIC-N18000-VSD.

 

Create VSD A.

Ruijie#configure terminal

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie(config)#vsd VSDA

Ruijie(config-vsd)#allocate int gi 1/1

Movingports will cause all config associated to them in source vsd to be removed. Areyou sure

tomove the ports? [yes] yes

Entireport-group is not present in the command. Missing ports will be includedautomatically

Ruijie(config-vsd)#

Create VSD B.

Ruijie#configure terminal

Enterconfiguration commands, one per line. End with CNTL/Z.

Ruijie(config)#vsd VSDB

Ruijie(config-vsd)#allocate int gi 2/1

Movingports will cause all config associated to them in source vsd to be removed. Areyou sure

tomove the ports? [yes] yes

Entireport-group is not present in the command. Missing ports will be includedautomatically

Ruijie(config-vsd)#

 

 

Create VSD C.

Ruijie#configure terminal

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie(config)#vsd VSDC

Ruijie(config-vsd)#allocate int gi 3/1

Movingports will cause all config associated to them in source vsd to be removed. Areyou sure

tomove the ports? [yes] yes

Entireport-group is not present in the command. Missing ports will be includedautomatically

Ruijie(config-vsd)#

ManageVSDs.

ConfigureVSD functions based on actual service planning requirements. (Omitted)

 

IV. ConfigurationSteps

Install a VSD license.

Create VSD A.

 

V. Verification

View division details of line cards on the VSDinterface.

Ruijie-N18K#showvsd all

vsd_id:0

vsd_name:Ruijie

vsdmac address: 00d0.f876.9888

interface:

interface:

GigabitEthernet4/1                            GigabitEthernet 4/2                          

GigabitEthernet4/3                            GigabitEthernet 4/4                           

GigabitEthernet4/5                            GigabitEthernet 4/6                          

GigabitEthernet4/7                            GigabitEthernet 4/8                          

GigabitEthernet4/9                            GigabitEthernet 4/10                          

GigabitEthernet4/11                           GigabitEthernet 4/12                         

GigabitEthernet4/13                           GigabitEthernet 4/14                         

GigabitEthernet4/15                           GigabitEthernet 4/16                         

GigabitEthernet4/17                           GigabitEthernet 4/18                         

GigabitEthernet4/19                           GigabitEthernet 4/20                         

GigabitEthernet4/21                           GigabitEthernet 4/22                         

GigabitEthernet4/23                           GigabitEthernet 4/24                          

GigabitEthernet4/25                           GigabitEthernet 4/26                         

GigabitEthernet4/27                           GigabitEthernet 4/28                         

GigabitEthernet4/29                           GigabitEthernet 4/30                          

GigabitEthernet4/31                           GigabitEthernet 4/32                         

GigabitEthernet4/33                           GigabitEthernet 4/34                          

GigabitEthernet4/35                           GigabitEthernet 4/36                         

GigabitEthernet4/37                           GigabitEthernet 4/38                         

GigabitEthernet4/39                           GigabitEthernet 4/40                         

GigabitEthernet4/41                           GigabitEthernet 4/42                         

GigabitEthernet4/43                           GigabitEthernet 4/44

GigabitEthernet4/45                           GigabitEthernet 4/46                         

GigabitEthernet4/47                           GigabitEthernet 4/48                       

slot:

slot4

vsd_id:1

vsd_name:VSDA

vsdmac address: 00d0.f876.988a

interface:

GigabitEthernet1/1                            GigabitEthernet 1/2                          

GigabitEthernet1/3                            GigabitEthernet 1/4                           

GigabitEthernet1/5                            GigabitEthernet 1/6                          

GigabitEthernet1/7                            GigabitEthernet 1/8                           

GigabitEthernet1/9                            GigabitEthernet 1/10                         

GigabitEthernet1/11                           GigabitEthernet 1/12                         

GigabitEthernet1/13                           GigabitEthernet 1/14                         

GigabitEthernet1/15                           GigabitEthernet 1/16                         

GigabitEthernet1/17                           GigabitEthernet 1/18                         

GigabitEthernet1/19                           GigabitEthernet 1/20                         

GigabitEthernet1/21                           GigabitEthernet 1/22                         

GigabitEthernet1/23                           GigabitEthernet 1/24                         

GigabitEthernet1/25                           GigabitEthernet 1/26                         

GigabitEthernet1/27                           GigabitEthernet 1/28                           

GigabitEthernet1/29                           GigabitEthernet 1/30                         

GigabitEthernet1/31                           GigabitEthernet 1/32                         

GigabitEthernet1/33                           GigabitEthernet 1/34                         

GigabitEthernet1/35                           GigabitEthernet 1/36                         

GigabitEthernet1/37                           GigabitEthernet 1/38                         

GigabitEthernet1/39                           GigabitEthernet 1/40                         

GigabitEthernet1/41                           GigabitEthernet 1/42                         

GigabitEthernet1/43                           GigabitEthernet 1/44

GigabitEthernet1/45                           GigabitEthernet 1/46                         

GigabitEthernet1/47                           GigabitEthernet 1/48

slot:

slot1

vsd_id:2

vsd_name:VSDB

vsdmac address: 00d0.f876.988c

interface:

GigabitEthernet2/1                            GigabitEthernet 2/2                           

GigabitEthernet2/3                            GigabitEthernet 2/4                          

GigabitEthernet2/5                            GigabitEthernet 2/6                          

GigabitEthernet2/7                            GigabitEthernet 2/8                          

GigabitEthernet2/9                            GigabitEthernet 2/10                         

GigabitEthernet2/11                           GigabitEthernet 2/12                          

GigabitEthernet2/13                           GigabitEthernet 2/14                         

GigabitEthernet2/15                           GigabitEthernet 2/16                         

GigabitEthernet2/17                           GigabitEthernet 2/18                         

GigabitEthernet2/19                           GigabitEthernet 2/20                         

GigabitEthernet2/21                           GigabitEthernet 2/22                          

GigabitEthernet2/23                           GigabitEthernet 2/24                         

GigabitEthernet2/25                           GigabitEthernet 2/26                          

GigabitEthernet2/27                           GigabitEthernet 2/28                         

GigabitEthernet2/29                           GigabitEthernet 2/30                         

GigabitEthernet2/31                           GigabitEthernet 2/32                         

GigabitEthernet2/33                           GigabitEthernet 2/34                         

GigabitEthernet2/35                           GigabitEthernet 2/36                          

GigabitEthernet2/37                           GigabitEthernet 2/38                          

GigabitEthernet2/39                           GigabitEthernet 2/40                         

GigabitEthernet2/41                           GigabitEthernet 2/42                         

GigabitEthernet2/43                           GigabitEthernet 2/44

GigabitEthernet2/45                           GigabitEthernet 2/46                          

GigabitEthernet2/47                           GigabitEthernet 2/48

slot:

slot2

vsd_id:3

vsd_name:VSDC

vsdmac address: 00d0.f876.988d

interface:

GigabitEthernet3/1                            GigabitEthernet 3/2                          

GigabitEthernet3/3                            GigabitEthernet 3/4                          

GigabitEthernet3/5                            GigabitEthernet 3/6                           

GigabitEthernet3/7                            GigabitEthernet 3/8                          

GigabitEthernet3/9                            GigabitEthernet 3/10                          

GigabitEthernet3/11                           GigabitEthernet 3/12                         

GigabitEthernet3/13                           GigabitEthernet 3/14                         

GigabitEthernet3/15                           GigabitEthernet 3/16                         

GigabitEthernet3/17                           GigabitEthernet 3/18                         

GigabitEthernet3/19                           GigabitEthernet 3/20                          

GigabitEthernet3/21                           GigabitEthernet 3/22                         

GigabitEthernet3/23                           GigabitEthernet 3/24                         

GigabitEthernet3/25                           GigabitEthernet 3/26                         

GigabitEthernet3/27                           GigabitEthernet 3/28                         

GigabitEthernet3/29                           GigabitEthernet 3/30                         

GigabitEthernet3/31                           GigabitEthernet 3/32                         

GigabitEthernet3/33                           GigabitEthernet 3/34                         

GigabitEthernet3/35                           GigabitEthernet 3/36                         

GigabitEthernet3/37                           GigabitEthernet 3/38                          

GigabitEthernet3/39                           GigabitEthernet 3/40                         

GigabitEthernet3/41                           GigabitEthernet 3/42                         

GigabitEthernet3/43                           GigabitEthernet 3/44

GigabitEthernet3/45                           GigabitEthernet 3/46                         

GigabitEthernet3/47                           GigabitEthernet 3/48

slot:

slot3

 

 

Verify VSD login and management modes.

Ruijie#switchto vsd VSDA

***********************************************************************

RuijieGeneral Operating System Software

Copyright(c) 1998-2013s by Ruijie Networks.

AllRights Reserved.

NeitherDecompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDA>enable

Ruijie-VSDA#conf

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie-VSDA(config)#intmgmt 0

Ruijie-VSDA(config-if-Mgmt0)#ip address 10.1.1.10 255.255.255.0

Ruijie-VSDA(config-if-Mgmt0)#end   

Ruijie-VSDA#switchback

 

Ruijie#switchto vsd VSDB

***********************************************************************

RuijieGeneral Operating System Software

Copyright(c) 1998-2013s by Ruijie Networks.

AllRights Reserved.

NeitherDecompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDB>enable

Ruijie-VSDB#conf

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie-VSDB(config)#intmgm

Ruijie-VSDB(config)#intmgmt 0

Ruijie-VSDB(config-if-Mgmt0)#ip address 10.1.1.20 255.255.255.0

Ruijie-VSDB(config-if-Mgmt0)#end

Ruijie-VSDB#switchback

 

Ruijie#switchto vsd VSDC

***********************************************************************

RuijieGeneral Operating System Software

Copyright(c) 1998-2013s by Ruijie Networks.

AllRights Reserved.

NeitherDecompiling Nor Reverse Engineering Shall Be Allowed.

***********************************************************************

Ruijie-VSDC>enable

Ruijie-VSDC#conf

Enterconfiguration commands, one per line.  End with CNTL/Z.

Ruijie-VSDC(config)#intmgm

Ruijie-VSDC(config)#intmgmt 0

Ruijie-VSDC(config-if-Mgmt0)#ip address 10.1.1.30 255.255.255.0

Ruijie-VSDC(config-if-Mgmt0)#end

Ruijie-VSDC#switchback

 

2.9       Common Feature

2.9.1      Ethernet Switching

2.9.1.1     Aggregate Port

Scenario

Multiple physicallinks can be bound into a logical link, called an aggregate port (herein afterreferred to as AP).Ruijie devices provide the AP function that complies withthe IEEE802.3ad standard. This function can be used to expand link bandwidthand improve reliability. AP function supports traffic balancing that evenlyallocating the traffic toevery member link. AP function also supports linkbackup. When a link member in an AP is disconnected, the system willautomatically allocate the traffic of the member link to other active memberlinks in the AP, except for the broadcast or multicast packets it received.

 

Dynamic mode and Static mode

1) If you configure aggregate port mode to static on aport,the port is converted to aggregate port without negotiating.

2) If you configure aggregate port mode to dynamic withLACP (Link Aggregation Control Protocol), the port negotiates with the theother end of the link whether to be a aggregate port.

 

Aggregate portsconsists of three modes:  Active, Passive and Static.

The port in activemode sends the LACP packets actively to the peer

The port in passivemode only responds when it receives LACP packets from the peer.

The port in staticmode is converted to aggregate port without sending any LACP packets.

 

The following tabledescribes the matching of different modes

 

Aggregate Port Load Balancing

Traffic can be evenly distributed on the member linksof an AP according to the features such as source MAC address, destination MACaddress, combination of source MAC address and destination MAC address, sourceIP address, destination IP address, and combination of source IP address anddestination IP address.

NoteBy default , the load balancing method is src-dst-mac.

 

This example shows how to configure load balance

Ruijie(config)#aggregateportload-balance ?

 dst-ip             Destination IP address

 dst-mac            Destination MAC address

 help               Help information

 mpls-label         Mpls label

 src-dst-ip         Source and destination IP address

 src-dst-ip-l4port  Source and destination IP address, source and

                    destination L4port

 src-dst-mac        Source and destination MAC address

 src-ip             Source IP address

 src-mac            Source MAC address

 src-port           Source port

  Ruijie(config)#aggregateportload-balance   src-dst-ip  ------>recommended

 

Attention:

1. You must configure the same speed,duplexand media-type on both ends of AP.You cannot put a copper port and a opticalport in the same AP.

2. You can only put L2 port in a L2 AP andL3 port in a L3 AP. You cannot change the port from L2 to L3 , or from L3 to L2after you put the ports in a AP.

3. Ruijie switch supports to put 8 ports ina AP at most

5. When you finish configuring AP , you canenter "interface aggregateport x/x" command to manage the AP.You canno longer manage the AP member independently.

Layer2 Aggregate Port (Static and Dynamic)

I. Requirements

Enable Layer 2 AP on the ports between twoCore switches to expand inter-connection bandwidth and ensure a high availablenetwork. Use src-mac load balance method.

 

II. Network Topology

 

III. Configuration Tips

1. Put AP members ports in a specified AP

2. Configure AP as Trunk

3. Modify load balance method

 

IV. ConfigurationSteps

Static mode:

SW1

SW1>enable

SW1#configureterminal

SW1(config)#interfacerange gigabitEthernet 0/1-2     ------>configure a range of interfaceswith the same command

SW1(config-if-range)#port-group1                             ------>put G0/1 and G0/2 in AP 1 instatic mode

SW1(config-if-range)#exit

SW1(config)#interfaceaggregateport 1                       

SW1(config-if-AggregatePort1)#switchport mode trunk  ------>configure AP 1 as Trunk

SW1(config-if-AggregatePort1)#exit

SW1(config)#aggregateportload-balance src-mac        ------>modify load balance method to Src-MAC. By default, itis Src-Dst-MAC.

SW1(config)#exit

SW1#wr

 

SW2

SW2>enable

SW2#configureterminal

SW2(config)#interfacerange gigabitEthernet 0/1-2

SW2(config-if-range)#port-group1

SW2(config-if-range)#exit

SW2(config)#interfaceaggregateport 1

SW2(config-if-AggregatePort1)#switchport mode trunk

SW2(config-if-AggregatePort1)#exit

SW2(config)#aggregateportload-balance src-mac

SW2(config)#exit

SW2#wr

 

Dynamic mode:

SW1(config)#interfacerange gigabitEthernet 0/1-2    

SW1(config-if-range)#port-group1 mode active                            ------>put G0/1 andG0/2 in AP 1 in dynamic mode

SW1(config-if-range)#exit

SW1(config)#interfaceaggregateport 1                       

SW1(config-if-AggregatePort1)#switchport mode trunk                ------>configure AP 1as Trunk

SW1(config-if-AggregatePort1)#exit

SW2is the same.

 

3. This example shows how to configure L2 APin static mode when connect Ruijie a switch to a Cisco switch