Cables
Console cable, USB to RS232 cable
Log in to the device
Open your terminal software (PuTTY) and set the baud rate to 9600.
After the system prompts "Ruijie>", you can start your configuration.
I. Network Topology
II. Configuration Steps
1. Connect to the device through the console port and set the passwords.
2. Set the IP address and gateway.
ruijie(config)#interface vlan 1
ruijie(config-if-VLAN1)#ip address 192.168.1.1 255.255.255.0
ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
3. Set the Telnet password.
ruijie(config)#line vty 0 4
ruijie(config-line)#password ruijie
4. Set the enable password.
Ruijie(config)#enable password ruijie
III. Verification
Telnet 192.168.1.1
Input the Telnet password
Input the enable password
I. Network Topology
II. Configuration Steps
1. Enable the SSH service.
Ruijie#configure terminal
Ruijie(config)#enable service ssh-server
2. Generate the key.
Ruijie(config)#crypto key generate dsa
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: //press Enter
% Generating 512 bit DSA keys ...[ok]
3. Configure the IP address.
Ruijie(config)#interface gigabitEthernet 0/0
Ruijie(config-if-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0
Ruijie(config-if-GigabitEthernet 0/0)#exit
Solution 1: password login
Ruijie(config)#line vty 0 4
Ruijie(config-line)#login
Ruijie(config-line)#password ruijie
Ruijie(config-line)#exit
Ruijie(config)#enable password ruijie
Ruijie(config)#end
Ruijie#write
Solution 2: username & password login
Ruijie(config)#line vty 0 4
Ruijie(config-line)#login local
Ruijie(config-line)#exit
Ruijie(config)#username admin password ruijie
Ruijie(config)#enable password ruijie
Ruijie(config)#end
Ruijie#write
III. Verification
Check the SSH service:
show users
Creating a Management IP Address
The SVI and router port address can be used as the management address of a layer 3 switch.
Layer 3 Switch:
The address of a layer 3 switch can be configured for management or communication, for example, as the gateway for a user.
Configuration Method 1:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.1.1 255.255.255.0
Ruijie(config-if-VLAN 10)#end
Ruijie#write
Note: To configure the address for a VLAN other than VLAN 1 in interface configuration mode, create the corresponding VLAN first; otherwise, a failure prompt is displayed.
Configuration Method 2:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#int GigabitEthernet 1/1
Ruijie(config-if-GigabitEthernet 1/1)#no switchport ------>configure the port as a layer 3 port before configuring the IP address
Ruijie(config-if-GigabitEthernet 1/1)#ip add 192.168.16.1 255.255.255.0
Ruijie(config-if-GigabitEthernet 1/1)#end
Ruijie#write ------>save the configuration after checking
Verification
Ruijie#show ip int brief
Interface IP-Address(Pri) IP-Address(Sec) Status Protocol
GigabitEthernet 1/1 192.168.16.1/24 no address up up
VLAN 10 192.168.1.1/24 no address up up
VLAN 100 192.168.100.1/24 192.168.10.1/24 up up
Configuring the Default Gateway of a Switch
Configure the default gateway, that is, the default route, of a layer 3 switch.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.254 ------>configure the default gateway of the switch as 192.168.1.254
Ruijie(config)#end
Ruijie#write ------>save the configuration after checking
Verification
Ruijie#show ip route
Codes:C - Connected, L - Local, S - Static
R - RIP, O - OSPF, B - BGP, I - IS-IS, V - Overflow route
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
SU - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
IA - Inter area, * - candidate default
Gateway of last resort is 192.168.1.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.1.254
Overview
Two upgrade packages are available for 11.X switches, namely the rack package and the patch package.
A rack package contains the main installation packages of the supervisor module and all line cards and is used to upgrade all line cards on a rack device at one time.
A hot patch package contains hot patches for several functional components and is generally used to fix minor bugs. The functional component package can be patched by upgrading the hot patch package. After the upgrade, the device immediately has the new features without being restarted.
Both the rack package and the hot patch package are upgraded with their configurations saved.
Notes (Must-Read)
The difference between an 11.X box-type switch and a rack-type switch is that the former restarts after the upgrade command is run, while the latter restarts after the reload command is run.
Ruijie#upgrade flash:S2910_RGOS11.4(1)B1_02162700_install.bin
Upgrade the device must be auto-reset after finish, are you sure upgrading now?[Y/N]y
Upgrade in the Running Mode
Rack Package Upgrade Using a USB Flash Disk
Notes
1. To fix software bugs or get new features, upgrade the switch software version in the running mode.
2. A USB flash disk is recommended for 11.X switch upgrade because the installation package is big and upgrade using other methods is slow. Upgrade with a USB flash disk is easy and quick.
3. The CM supervisor module only has a capacity of 512 MB. Therefore, the rack package can be directly upgraded only with a USB flash disk.
4. If the CM supervisor module has a capacity of 1 GB, the device can be upgraded by copying the installation package from TFTP to the installation partition as well as by using a USB flash disk. Run the dir install: command to view the corresponding drive.
5. If the CMII supervisor module has a large capacity, the device can be upgraded by copying the installation package from TFTP to the data partition as well as by using a USB flash disk. Run the dir flash: command to view the corresponding drive.
Patch Package Upgrade Using a USB Flash Disk
Notes
1. To fix software bugs or get new features, upgrade the switch software version in the running mode.
2. A hot patch package contains hot patches for several functional components and is generally used to fix minor bugs. The functional component package can be patched by upgrading the hot patch package. After the upgrade, the device immediately has the new features without being restarted.
3. There is a baseline version for the patch package upgrade. Upgrade the device to the corresponding baseline version before upgrading the patch package. The device may be forcibly upgraded to the corresponding baseline version, but this may cause version incompatibility. Therefore, forcible upgrade is not advised.
4. To permanently activate patches, run the patch active command to temporarily activate the patch before running the patch running command.
I. Configuration Tips
Run the show version detail command to display the current version, that is, the system software number.
Verify the upgrade file to use by checking the Release Notes.
Copy the upgrade file from the PC to the root directory of the USB flash drive.
Insert the USB flash drive into the USB port of the supervisor engine. The USB flash drive is identified automatically.
Note: Before removing the USB flash drive from the switch, run the show usb command to check the USB ID, and then run the usb remove xx command to remove the USB flash drive.
II. Configuration Steps
1. On the CLI, run the upgrade command.
Ruijie#dir usb0: //Checks whether the upgrade file exists on the USB flash drive.
Ruijie#upgrade usb0: /xxxxx_install.bin (xxxx_install.bin is the upgrade file copied to the USB flash drive)
2. Wait until the upgrade progress reaches 100%, or run the show upgrade status command to check the upgrade progress.
Ruijie#show upgrade status
3. Wait until the upgrade process of all the line cards, FE cards, and supervisor engines reaches 100% and the result is success, then run the reload command to restart the device. (The entire upgrade process generally takes four to five minutes and does not affect services. In this operation, the Flash file on the line card is upgraded, but the earlier version still runs in memory.) After the device is restarted, the new version runs.
4. Wait three to five minutes until the device is restarted.
III. Verification
Ruijie#show version detail
Run the show version detail command to display the current version, that is, the system software number.
Verify the upgrade file to use by checking the Release Notes.
II. Configuration Steps
1. Start the FTP server on the device and designate the root directory as the USB0 root directory. (The space on the built-in Flash of the CMI is small and may be insufficient for storing the upgrade file. On the CMII, the Flash root directory can be specified instead.) The reference commands are as follows:
Ruijie(config)#ftp-server username admin
Ruijie(config)#ftp-server password ruijie
Ruijie(config)#ftp-server topdir usb0: / //The USB flash drive must be installed in advance on the main engine.
Ruijie(config)#ftp-server timeout 300
Ruijie(config)#ftp-server enable
2. The local PC serves as the FTP client. Start the client software (such as FLASHFTP) and connect to the FTP server (N18K). Ensure that the PC can communicate properly with the S86E.
3. Use the FTP client on the PC to upload the upgrade file to the FTP server.
4. Run the upgrade command. (The subsequent procedures and methods are the same as those in the USB upgrade mode.)
The only difference between the FTP and USB onsite upgrade modes lies in the file transfer mode. In FTP upgrade mode, the upgrade file is transferred to the remote device through FTP to meet the remote upgrade requirement. In USB onsite upgrade mode, the upgrade file is directly copied from a PC to the USB flash drive.
The subsequent upgrade method is the same. That is, run the upgrade command to update the file and then restart the device to finish the upgrade.
Run the show version detail command to display the current version, that is, the system software number.
Verify the upgrade file to use by checking the Release Notes.
I. Configuration Steps
1. Start the TFTP server on the PC and specify the directory of the upgrade file. Ensure that the PC communicates properly with the S86E.
2. The S86E serves as the TFTP client. The upgrade method is the same as that in the common TFTP upgrade mode. Copy the upgrade file to the USB flash drive on the CMI, or to the built-in Flash on the CMII.
Ruijie#copy tftp://192.168.1.1/S86e_install.bin usb0://S86e_install.bin
4. Run the upgrade command. (The subsequent procedures and methods are the same as those in the USB upgrade mode.)
The only difference between the TFTP and USB onsite upgrade modes lies in the file transfer mode. In TFTP upgrade mode, the upgrade file is transferred to the remote device through TFTP to meet the remote upgrade requirement. In USB onsite upgrade mode, the upgrade file is directly copied from a PC to the USB flash drive.
The subsequent upgrade method is the same. That is, run the upgrade command to update the file and then restart the device to finish the upgrade.
The TFTP transmission rate is lower than the FTP transmission rate. Data is transmitted using TCP in FTP mode and using UDP in TFTP mode. TFTP is simple and easy to use.
1. 11.X is a modular OS, and the bug of a software function can be fixed by using a patch. After the patch is installed, the device can fix the bug and run normally without being restarted. This is applicable to scenarios that impose strict requirements on the network interruption time during maintenance.
2. A patch is in the uninstalled, installed, or activated state, where:
The installed state indicates that the patch is installed in the memory of the device but the patch function does not take effect yet.
Only a patch in the activated state takes effect.
I. Configuration Steps
1. Install a patch.
Copy the patch file to a USB flash drive, and run the upgrade command to install the patch. The reference command is as follows:
Ruijie#upgrade usb0: /N18K-octeon-cm_RGOS11.0(1b2)_20140708_patch.bin
2. Activate a patch.
The reference commands are as follows:
Ruijie#patch active slot all
Ruijie#patch running slot all
Note: active means that the patch is currently effective but becomes ineffective after the device is restarted. running indicates that the patch is effective permanently.
3. Display the patch status.
The reference command is as follows:
Ruijie#show patch slot all
I. Configuration Tips
1. Prepare a console cable before recovering the password.
2. Password recovery requires a system reboot and network downtime.
3. Improper operation may cause the config file to be lost.
II. Configuration Steps
1. Connect the console cable to the switch.
2. Refer to chapter System Management > Console Management.
1) Manually reboot the switch.
2) Press Ctrl+C when the system is rebooting.
3) Press Ctrl+Q to enter the uboot CLI mode.
4) The system will then reboot automatically.
5) At this moment, no password is required to enter the CLI.
Note: The password is reset only temporarily. Once you quit privileged mode, the password is required again. You have to reset the password quickly.
6) Reset the new password.
7) Verify the new password.
Log in with the new password.
For standardization reasons, we strongly suggest that you initialize every new switch following the steps below:
1. Hostname (mandatory)
2. Access a device (mandatory, see chapter Installation and Device Management ---> System Management)
2.1. Assign management IP address (mandatory)
2.2. Set default gateway (optional for a layer 3 switch, but mandatory for a layer 2 switch)
2.3. Telnet (optional)
2.4. SSH (recommended)
2.5. Web user interface (optional)
3. Log (mandatory, choose one)
3.1. Record log to FLASH (recommended)
3.2. Send log to server (recommended)
4. Clock (mandatory, choose one)
4.1. Local clock (recommended)
4.2. NTP (recommended)
5. Configuring a port (mandatory)
5.1. Port description (mandatory)
5.2. Speed, duplex and flow control (optional)
5.3. Combo port (optional)
5.4. ACCESS or TRUNK port (mandatory)
5.5. Storm control (recommended)
6. SNMP (recommended)
6.1. SNMPv1/v2 (recommended)
6.2. SNMPv3 (recommended)
7. SPAN (optional)
7.1. Many-to-one mirror (optional)
7.2. One-to-many mirror (optional)
7.3. Flow-based mirror (optional)
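The checklist above can be turned into a baseline audit of a saved running-config. The following is an added example written for this page, not a Ruijie tool: it parses a constructed config built only from commands shown in this document and reports which checklist items (hostname, management IP, default gateway, SSH, local vty login, logging, log stamping, clock, authenticated NTP, port descriptions) are missing. The function names and the sample config are assumptions of this example.

```python
import re

# Constructed sample running-config, assembled only from commands shown on
# this page; it is not captured from a real device.
SAMPLE_CONFIG = """\
hostname WLZX_Core_S8610_1
enable service ssh-server
username admin password ruijie
enable password ruijie
service sysname
service sequence-numbers
service timestamps
logging file flash:syslog 6
logging buffered 131072
ntp authenticate
ntp trusted-key 6
ntp server 192.168.2.1 key 6
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet 0/1
 description Link-to-Core-S8610_1-G2/3
interface GigabitEthernet 0/2
line vty 0 4
 login local
ip route 0.0.0.0 0.0.0.0 192.168.1.254
"""


def parse_config(text):
    """Split a running-config into global lines, per-interface blocks and
    the vty line block (indented lines belong to the preceding section)."""
    global_lines, interfaces, vty, current = [], {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith(" "):
            if current is not None:
                current.append(line.strip())
            continue
        match = re.match(r"interface\s+(.+)", line)
        if match:
            current = interfaces.setdefault(match.group(1).strip(), [])
        elif line.startswith("line vty"):
            current = vty
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces, vty


def audit_config(text):
    """Return {check: bool} for the checklist items visible in a config."""
    g, ifs, vty = parse_config(text)

    def has(prefix):
        return any(line.startswith(prefix) for line in g)

    hostname = next((l.split(None, 1)[1] for l in g if l.startswith("hostname ")), "Ruijie")
    ntp_servers = [l for l in g if l.startswith("ntp server ")]
    phys_ports = [b for n, b in ifs.items() if n.lower().startswith("gigabitethernet")]
    return {
        # 1. hostname changed from the factory default "Ruijie"
        "hostname_set": hostname != "Ruijie",
        # 2.1 some SVI or routed port carries a management address
        "management_ip": any(any(l.startswith("ip address ") for l in b) for b in ifs.values()),
        # 2.2 default gateway, i.e. a default route
        "default_gateway": has("ip route 0.0.0.0 0.0.0.0 "),
        # 2.4 SSH service enabled (recommended over Telnet)
        "ssh_enabled": has("enable service ssh-server"),
        # vty lines use local usernames rather than a shared line password
        "vty_login_local": "login local" in vty and has("username "),
        # 3. logs kept in flash or sent to a syslog server
        "logging": has("logging file flash:") or has("logging server "),
        # timestamps and sequence numbers, required before logs go to a server
        "log_stamping": has("service timestamps") and has("service sequence-numbers"),
        # 4. clock: NTP server or local timezone configured
        "clock": bool(ntp_servers) or has("clock timezone "),
        # every NTP server association carries a key and authentication is on
        "ntp_authenticated": not ntp_servers
        or ("ntp authenticate" in g and all(" key " in l for l in ntp_servers)),
        # 5.1 every GigabitEthernet port has a description
        "port_descriptions": all(any(l.startswith("description") for l in b) for b in phys_ports),
    }


def failed_checks(text):
    """Names of the checklist items a config does not satisfy, sorted."""
    return sorted(name for name, ok in audit_config(text).items() if not ok)


if __name__ == "__main__":
    for name, ok in audit_config(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Feed it the text of show running-config; on the sample only the undescribed GigabitEthernet 0/2 port fails.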
Configuring Hostname
By default, the system name is "Ruijie". The following example shows how to configure the system name:
Ruijie>en
Ruijie#configure terminal
Ruijie(config)#hostname Switch ------>change the name to "Switch"
Switch(config)#end
Switch#write ------>save the configuration
Note: We suggest naming a switch with the following information: physical location (AA), network location (BB), model (CC) and serial number (DD), in the format AA_BB_CC_DD, for example:
Ruijie(config)#hostname WLZX_Core_S8610_1
WLZX_Core_S8610_1(config)#
Verifying
Switch#show run
Building configuration...
Current configuration : 34129 bytes
version NOS_11.0_4_21
hostname Switch
I. Requirements
1. Copy logs with a severity higher than debugging to the flash, and set the size of each log file to 128 Kbytes.
2. Set the size of the log buffer to 128 Kbytes.
3. Record actions when a user logs in and runs commands.
4. Add the system name, sequence number and timestamp to each log entry.
II. Network Topology
III. Configuration Tips
The system does not copy logs from the buffer to the flash immediately after the configuration is finished; logs are copied from the buffer to the flash about every half hour, or when the log buffer overflows.
IV. Configuration Steps
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#logging file flash:syslog 6 ------>set the log file name to "syslog"; the system copies all logs with severity from 0 to 6 to the flash
Ruijie(config)#logging file flash:syslog 131072 ------>set the size of each log file in the flash to 128K
Ruijie(config)#logging buffered 131072 ------>set the log buffer size to 128K
Ruijie(config)#logging userinfo ------>record actions when a user logs in
Ruijie(config)#logging userinfo command-log ------>record actions when a user runs commands
Ruijie(config)#service sysname ------>add the system name to each log entry
Ruijie(config)#service sequence-numbers ------>add a sequence number to each log entry
Ruijie(config)#service timestamps ------>add a timestamp to each log entry
Ruijie#wr
Note: We suggest setting the log buffer size to 128K because the buffer size is too small by default.
If the 1st log file is full, the system copies logs to the 2nd log file, then the 3rd log file, and so on. There are 16 log files at most at the same time, and if all 16 log files are full, the new log entry overwrites the old one, so the log files never take up the whole flash space.
Enter the "more flash:xxx" privileged EXEC command to display log entries and the "delete flash:xxx" privileged EXEC command to delete a log file in the flash.
V. Verification
1. This example shows how to display logs in the buffer.
2. Enter the "dir" privileged EXEC command to check log files in the flash.
3. This example shows how to display logs in the flash.
4. Enter the "clear logging" privileged EXEC command to clear logs in the buffer.
I. Requirements
Copy logs with severity from 0 to 7 to the syslog server.
II. Network Topology
III. Configuration Tips
The timestamp and sequence number features must be enabled before the system copies logs to the log server.
IV. Configuration Steps
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#service sequence-numbers ------>enable sequence numbers
Ruijie(config)#service timestamps ------>enable timestamps
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
Ruijie(config-if-VLAN 1)#exit
Ruijie(config)#logging server 192.168.1.2 ------>specify the log server IP address
Ruijie(config)#logging source ip 192.168.1.1 ------>specify the IP address on the switch used to communicate with the log server
Ruijie(config)#logging trap 7 ------>copy all logs (severity from 0 to 7) to the log server
Ruijie(config)#end
Ruijie#wr
V. Verification
This example shows how to verify the logs on a syslog server using "Kiwi Syslog".
Scenario
By default, the log information generated on the system can be output to various destinations. You can use the log filtering function to display only the required log information.
Features
1. The administrator can choose to hide some types of log information as required.
2. Generally, log information of all modules is displayed on the console or terminal. You can set log filter rules to enable log information printing on designated terminals, or to print only certain types of log information on designated terminals.
3. Two types of log information filtering are supported, "contains only..." and "filter only...". Only one type of filtering is in effect at a time.
Working Principles & Configuration Details
Log filtering configuration mainly covers the filter rules, filter direction, and filter mode. During the configuration process:
1. If only the filter direction and filter mode are configured, the configuration does not take effect and log information is not filtered.
2. If only the filter rule is configured, the configuration takes effect. Log information in all directions is filtered and the filter mode is filter-only.
1) Filter rule: sets the rule for filtering log information in global mode. Exact match and single match are supported.
Filter rule in exact match mode: logging filter rule exact-match [ module module-name mnemonic mnemonic-name level level ]
Filter rule in single match mode: logging filter rule single-match [ level level | mnemonic mnemonic-name | module module-name ]
Parameter description
exact-match Indicates an exact-match filter based on all three filter options. In exact match mode, all three filter options, including the log module name (module module-name), log level (level level), and mnemonic character (mnemonic mnemonic-name), must be specified.
single-match Indicates a single-match filter based on any one of the three filter options. In single match mode, exactly one of the log module name (module module-name), log level (level level), or mnemonic character (mnemonic mnemonic-name) is specified.
module module-name Indicates the name of the module whose log information is to be filtered.
mnemonic mnemonic-name Indicates the name of the mnemonic character for which the log information is to be filtered.
level level Indicates the log level to be filtered.
Tips
1. In some scenarios, you may want to filter out one specific type of log information. Use the exact match mode and specify the module name, mnemonic character name, and log level in the filter rule.
2. In some scenarios, you may want to filter out a broader class of log information. Use the single match mode and specify the module name, mnemonic character name, or log level in the filter rule.
3. If the module name, mnemonic character name, or log level in a single-match filter rule is the same as that in an exact-match filter rule, the single-match filter rule is assigned a higher priority than the exact-match filter rule.
Configuration example
1. Set the filter rule to exact match, module name to LOGIN, log level to 5, and mnemonic character to LOGOUT.
Ruijie(config)# logging filter rule exact-match module LOGIN mnemonic LOGOUT level 5
2. Set the filter rule to single match and module name to SYS.
Ruijie(config)# logging filter rule single-match module SYS
FAQs
1. To filter the log 046188: *Aug 13 08:36:16: 401-C1&D1-RG-N18010 %SPANTREE-6-RCVDTCBPDU: (*2/M1) Received tc bpdu on port AggregatePort 256 on MST0
Command: Ruijie(config)#logging filter rule exact-match module SPANTREE mnemonic RCVDTCBPDU level 6
2. To filter the log *Jul 30 12:35:51: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 185.94.111.1
Command: Ruijie(config)#logging filter rule exact-match module SNMP mnemonic AUTHFAIL level 3
3. To filter the log %PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor
Command: Ruijie(config)#logging filter rule exact-match module PARAM mnemonic CONFIG_SYNC level 6
2) Filter direction: sets the direction for filtering log information in global mode.
logging filter direction { all | buffer | file | server | terminal } //By default, the filter direction is set to all, that is, log information is filtered in all directions.
default logging filter direction //Restores the filter direction to its default, all.
Parameter description
all Indicates that log information is filtered in all directions, including the console, virtual type terminal (VTY), log buffer area, log file, and log server.
buffer Indicates that logs sent to the log buffer area are filtered, that is, the logs displayed by the show logging command.
file Indicates that logs sent to the log files are filtered.
server Indicates that logs sent to the log server are filtered.
terminal Indicates that logs sent to the console and VTY (including via Telnet and SSH) are filtered.
Tips
1. Generally, the logs matching the filter rule are filtered in all directions (including the console, VTY terminal, log buffer area, log file, and log server) after the log filter function is configured. In some cases, you may want to filter logs only for certain destinations. For example, you may want the logs filtered out on the terminal to still be kept in the log file or on the log server. In these cases, set the log filter direction to terminal only.
2. You can set the filter direction to multiple destinations by separating them with a vertical line "|", or to only one destination.
3) Filter type: sets the log information filter type. The configuration takes effect globally.
logging filter type { contains-only | filter-only } //The default value is filter-only, indicating that only filtering is used.
Parameter description
contains-only Indicates that only logs containing the keywords specified in the filter rule are output.
filter-only Indicates that logs containing the keywords specified in the filter rule are filtered out and not output.
Tips
1. In some scenarios, a module may output so much log information that it floods the terminal screen and little valuable information is displayed. In this case, use the filter-only mode to filter out the undesired log information.
2. In some scenarios, you may only want to check whether a certain type of log information is generated. In this case, use the contains-only mode to output the logs matching the filter rule to the terminal for observation.
3. In actual application, the two filter modes are mutually exclusive. Choose one filter mode only.
Configuration example
[Example 1]
[Requirement]
Assume there are the following log information filtering requirements on the live network:
1. Set the filter direction to terminal and server.
2. Set the filter mode to filter-only.
3. Set the filter rule to single match and module name to SYS.
[Configuration method]
Configure the log information filter on the system.
Ruijie# configure terminal
Ruijie(config)# logging filter direction server
Ruijie(config)# logging filter direction terminal
Ruijie(config)# logging filter type filter-only
Ruijie(config)# logging filter rule single-match module SYS
[Verification method]
1. Run the show running-config | include logging command to check the parameter configuration.
2. Check the output log information on the system by entering and quitting global configuration mode.
Ruijie#configure
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#exit
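The log format produced by the service sequence-numbers, timestamps and sysname commands, and the rule / direction / type semantics of the filter sections above, can be checked offline before a filter is committed to a switch. The following is an added example written for this page, not Ruijie's implementation: it parses the three FAQ log lines (constructed here from the page) into module, level and mnemonic, then models which destinations each line still reaches under a given filter. Restricting the SPANTREE noise filter to the terminal direction keeps the SNMP authentication failure flowing to the log server, which an all-direction filter on that mnemonic would silence. Class and function names are assumptions of this example.

```python
import re

# Sample lines constructed from the three FAQ entries above; not captured
# from a live device.
SAMPLE_LOGS = [
    "046188: *Aug 13 08:36:16: 401-C1&D1-RG-N18010 %SPANTREE-6-RCVDTCBPDU: "
    "(*2/M1) Received tc bpdu on port AggregatePort 256 on MST0",
    "*Jul 30 12:35:51: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req "
    "from host 185.94.111.1",
    "%PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby "
    "supervisor",
]

# The prefix fields are optional because each depends on a 'service'
# command: sequence-numbers, timestamps and sysname respectively.
LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:\*?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}):\s+)?"
    r"(?:(?P<sysname>[^%\s]+)\s+)?"
    r"%(?P<module>[A-Z0-9_]+)-(?P<level>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<msg>.*)$"
)


def parse_log(line):
    """Return the log fields as a dict (level as int), or None if the line
    does not carry a %MODULE-LEVEL-MNEMONIC header."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["level"] = int(entry["level"])
    return entry


class LogFilter:
    """Model of 'logging filter rule / direction / type' as described above."""

    def __init__(self):
        self.rules = []
        self.directions = set()       # empty means the default, all
        self.ftype = "filter-only"    # the default filter type

    def add_rule(self, mode, module=None, mnemonic=None, level=None):
        given = [x for x in (module, mnemonic, level) if x is not None]
        if mode == "exact-match" and len(given) != 3:
            raise ValueError("exact-match needs module, mnemonic and level")
        if mode == "single-match" and len(given) != 1:
            raise ValueError("single-match takes exactly one option")
        self.rules.append({"module": module, "mnemonic": mnemonic, "level": level})

    @staticmethod
    def _matches(entry, rule):
        return all(entry[k] == v for k, v in rule.items() if v is not None)

    def is_output(self, entry, destination):
        """True if the entry still reaches destination (buffer, file, server
        or terminal) under this filter configuration."""
        if not self.rules:
            return True   # direction and type alone do not take effect
        if self.directions and destination not in self.directions:
            return True   # this destination is not being filtered
        matched = any(self._matches(entry, r) for r in self.rules)
        return matched if self.ftype == "contains-only" else not matched


def deliveries(lines, flt, destinations=("terminal", "server")):
    """Map each mnemonic to the destinations it still reaches under flt."""
    result = {}
    for line in lines:
        entry = parse_log(line)
        if entry is not None:
            result[entry["mnemonic"]] = tuple(
                d for d in destinations if flt.is_output(entry, d))
    return result


if __name__ == "__main__":
    # Silence the STP topology-change noise on the terminal only, so the
    # SNMP authentication failure keeps reaching the log server.
    flt = LogFilter()
    flt.add_rule("exact-match", module="SPANTREE", mnemonic="RCVDTCBPDU", level=6)
    flt.directions = {"terminal"}
    for mnemonic, dests in deliveries(SAMPLE_LOGS, flt).items():
        print(f"{mnemonic:12s} -> {dests}")
```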
I. Requirements
The system time plays a very important role in troubleshooting and logging. We suggest deploying a local clock in a scenario with only a few nodes and light maintenance.
II. Configuration Steps
Ruijie>enable
Ruijie#configure terminal ------>enter global configuration mode
Ruijie(config)#clock timezone beijing 8 ------>set the timezone to UTC+8
Ruijie(config)#exit
Ruijie#clock set 18:00:00 12 3 2013 ------>set the clock in the format "hh:mm:ss month day year"
Ruijie#write ------>double check and save the configuration
III. Verification
Ruijie#show clock
18:01:03 beijing Tue, Dec 3, 2013
Overview
Network Time Protocol (NTP) is designed for time synchronization on network devices. A device can synchronize its clock with a clock source or server. Moreover, NTP can provide precise time correction (less than one millisecond on a LAN and dozens of milliseconds on a WAN, compared with the standard time) and protect against attacks by means of encryption and authentication.
To provide precise time, NTP needs a precise time source, the Coordinated Universal Time (UTC). NTP may obtain UTC from an atomic clock, observatory, satellite or the Internet. Thus, an accurate and reliable time source is available.
To prevent malicious tampering with the time server, NTP uses an authentication mechanism to check whether a time correction request really comes from the declared server, and to check the path of the returned data. This mechanism provides protection against interference.
Ruijie switches support the NTP client and server. That is, the switch can not only synchronize its time from a server, but also act as the time server to synchronize the time of other switches. However, when the switch works as the time server, it only supports the unicast server mode.
I. Requirements
The switch synchronizes its system clock to an NTP server in order to keep the system clock accurate.
II. Network Topology
III. Configuration Tips
1. Basic network route setting
2. (Optional) Configuring a switch as the NTP server
3. Configuring a switch as an NTP client
4. (Optional) Specifying an interface on the switch to communicate with the NTP server
IV. Configuration Steps
NTP configuration without authentication
1. Basic network route setting
Ensure that the NTP client can communicate with the NTP server.
2. (Optional) Configuring a switch as the NTP server
Note:
In a production network, the NTP server is usually a dedicated server rather than a switch. This example shows how to configure a switch as an NTP server:
Ruijie(config)#ntp master
3. Configuring a switch as an NTP client
Ruijie(config)#ntp server 192.168.2.1 ------>set the NTP server IP address
Ruijie(config)#ntp update-calendar ------>allow the system to save the clock in hardware even across a power interruption
4. (Optional) Specifying an interface on the switch to communicate with the NTP server
Ruijie(config)#ntp server 192.168.1.2 source loopback 0 ------>specify interface loopback 0 to communicate with the NTP server
NTP configuration with authentication
1. Basic network route setting
Ensure that the NTP client can communicate with the NTP server.
2. (Optional) Configuring a switch as the NTP server
Note:
In a production network, the NTP server is usually a dedicated server rather than a switch. This example shows how to configure a switch as an NTP server and how to configure NTP authentication on the switch acting as the NTP server:
Ruijie(config)#ntp master
Ruijie(config)#ntp authenticate ------>enable NTP authentication
Ruijie(config)#ntp authentication-key 6 md5 ruijie ------>NTP key id is "6", and the password is "ruijie"
Ruijie(config)#ntp trusted-key 6
3. Configuring a switch as an NTP client
Ruijie(config)#ntp update-calendar ------>allow the system to save the clock in hardware even across a power interruption
Ruijie(config)#ntp authenticate ------>enable NTP authentication
Ruijie(config)#ntp authentication-key 6 md5 ruijie ------>NTP key id is "6", and the password is "ruijie"
Ruijie(config)#ntp trusted-key 6
Ruijie(config)#ntp server 192.168.2.1 key 6 ------>apply key id 6 to the corresponding NTP server 192.168.2.1
4. (Optional) Specifying an interface on the switch to communicate with the NTP server
Ruijie(config)#ntp server 192.168.1.2 source loopback 0 ------>specify interface loopback 0 to communicate with the NTP server
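What the authentication commands above actually do on the wire is the NTP symmetric-key scheme: the sender appends a key id and MD5(key || packet) to each NTP packet, and the receiver accepts only key ids it trusts and whose digest recomputes correctly. The following is an added example written for this page that models that exchange with the page's key id 6 and key "ruijie"; it is not Ruijie's code. The 48-byte header layout and the MD5-over-key-plus-packet digest follow RFC 5905, while the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01

# Key table as configured on both switches above: key id 6 -> "ruijie".
KEYS = {6: b"ruijie"}
TRUSTED_KEYS = {6}               # 'ntp trusted-key 6'


def build_client_header(unix_seconds=None):
    """Minimal 48-byte NTPv4 client (mode 3) header; only the transmit
    timestamp is filled in, every other field is zero (constructed)."""
    if unix_seconds is None:
        unix_seconds = time.time()
    li_vn_mode = (0 << 6) | (4 << 3) | 3          # LI=0, VN=4, mode=3 (client)
    tx_secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    tx_frac = int((unix_seconds - int(unix_seconds)) * (1 << 32)) & 0xFFFFFFFF
    # stratum, poll, precision, root delay/dispersion, reference id and the
    # reference/originate/receive timestamps are all zero here.
    return struct.pack("!BBBb11I", li_vn_mode, 0, 0, 0, *([0] * 9), tx_secs, tx_frac)


def mac_for(header, key):
    """Symmetric-key digest: MD5 over the key followed by the packet header."""
    return hashlib.md5(key + header).digest()


def sign(header, key_id, keys=KEYS):
    """Sender side of 'ntp server ... key 6': append key id + digest."""
    return header + struct.pack("!I", key_id) + mac_for(header, keys[key_id])


def verify(packet, keys=KEYS, trusted=TRUSTED_KEYS):
    """Receiver side of 'ntp authenticate' + 'ntp trusted-key': reject
    unauthenticated packets, unknown or untrusted key ids and bad digests."""
    if len(packet) != NTP_HEADER_LEN + 4 + 16:
        return False
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    digest = packet[NTP_HEADER_LEN + 4:]
    if key_id not in trusted or key_id not in keys:
        return False
    return hmac.compare_digest(mac_for(header, keys[key_id]), digest)


if __name__ == "__main__":
    request = sign(build_client_header(), 6)
    print("authentic request verifies:", verify(request))
    forged = bytearray(request)
    forged[40] ^= 0x01                            # flip a bit of the tx timestamp
    print("tampered request verifies:", verify(bytes(forged)))
```

Note that the digest authenticates the packet but does not encrypt it; the timestamps remain readable on the wire.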
V. Verification
1. This example displays the clock on the NTP server.
2. This example displays the clock on the NTP client before synchronization.
3. This example displays the NTP status on the NTP client before synchronization.
4. The system returns a message after synchronizing successfully:
*Mar 12 10:55:04: %SYS-6-CLOCKUPDATE: System clock has been updated to 10:55:04 UTC Tue Mar 12 2013.
5. This example displays the NTP status on the NTP client after synchronization.
Function Overview
The port description is very important for daily maintenance and troubleshooting. We suggest using the format "Link-peername-peer port" to define the port description. For example:
Ruijie(config-if-GigabitEthernet 0/1)#description Link-to-WLZX_Core_S8610_1-G1/2
I. Configuration Steps
Configuring the port description on G0/1
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#description Link-to-Core-S8610_1-G2/3
Ruijie(config-if-GigabitEthernet 0/1)#end
Ruijie#write
II. Verification
Ruijie#show interfaces description
Interface Status Administrative Description
------------------------ -------- -------------- -----------
GigabitEthernet 0/1 down up Link-to-Core-S8610_1-G2/3
GigabitEthernet 0/2 down up
GigabitEthernet 0/3 down up
Overview
By default, speed and duplex are negotiated automatically. You can also set the speed and duplex manually to ensure that both ends of a link have the same speed and duplex. Usually we keep the default setting for flow control.
I. Configuration Steps
In the following example, the "speed" interface configuration command with the keyword 100 is used to manually set the speed on Giga0/24 to 100M.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#int gigabitEthernet 0/24
Ruijie(config-if-GigabitEthernet 0/24)#speed 100
Ruijie(config-if-GigabitEthernet 0/24)#end
Ruijie#write
In the following example, the "duplex" interface configuration command with the keyword full is used to manually set the duplex on Giga0/24 to full duplex.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#int gigabitEthernet 0/24
Ruijie(config-if-GigabitEthernet 0/24)#duplex full
Ruijie(config-if-GigabitEthernet 0/24)#end
Ruijie#write
This example shows how to disable the flow control feature on Giga0/1.
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#flowcontrol off
Ruijie(config-if-GigabitEthernet 0/1)#end
Ruijie#write
Note: By default the flow control feature is enabled, but different switches vary, and you can enter the "show interface" privileged EXEC command to verify.
II. Verification
This example shows how to display the interface status, including duplex and speed.
I. Configuration Steps
The following example shows how to convert the combo mode of Giga0/23 to fiber.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/23
Ruijie(config-if-GigabitEthernet 0/23)#medium-type fiber ------>convert combo mode to fiber
Ruijie(config-if-GigabitEthernet 0/23)#end
Ruijie#write ------>confirm and save
The following example shows how to convert the combo mode of Giga0/23 to copper.
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/23
Ruijie(config-if-GigabitEthernet 0/23)#medium-type copper ------>convert combo mode to copper
Ruijie(config-if-GigabitEthernet 0/23)#end
Ruijie#write
II. Verification
1. To display the combo mode status, enter the "show interfaces status" privileged EXEC command.
Ruijie#show interfaces status
Interface Status Vlan Duplex Speed Type
-------------------------------- -------- ------ ------- --------- ------
GigabitEthernet 0/22 down 1 Unknown Unknown copper
GigabitEthernet 0/23 up 1 Full 1000M fiber
GigabitEthernet 0/24 down 1 Unknown Unknown copper
2. This example shows how to display the transceiver information of Giga0/23.
Ruijie#show interfaces g0/23 transceiver
Transceiver Type : 1000BASE-LX-SFP
Connector Type : LC
Wavelength(nm) : 1310
Transfer Distance :
SMF fiber
-- 10km
50/125 um OM2 fiber
-- 550m
62.5/125 um OM1 fiber
-- 550m
Digital Diagnostic Monitoring : NO ------>This transceiver doesn't support DDM. DDM provides the light intensity in the receiving and sending directions.
Vendor Serial Number : LP201093226676
3. This example shows how to display the light intensity of a 10G transceiver that supports DDM.
Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver diagnosis
Current diagnostic parameters[AP:Average Power]:
Temp(Celsius) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
26(OK) 3.26(OK) 5.22(OK) -3.65(OK)[AP] -2.09(OK)
4. This example shows how to display the transceiver alarms.
Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver alarm ------>if the transceiver is plugged in but the port doesn't come up, the system returns the following warning messages
RX power low
RX loss of signal
Module not ready
RX not ready
RX CDR loss of lock
Ruijie#show interfaces tenGigabitEthernet 1/25 transceiver alarm ------>if the transceiver is plugged in and the port comes up, the system returns no warning message
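The diagnosis and alarm output above is what an operator polls to catch a degrading optic before the link drops. The following is an added example, not code from the Ruijie guide: it parses that output into structured data and reports whether the transceiver is healthy. The sample text is constructed to match the layout shown above; the field names and the "any status other than OK is unhealthy" rule are this example's own assumptions.

```python
# Added example, not part of the Ruijie guide: parse the "transceiver diagnosis"
# and "transceiver alarm" output shown above into structured data so that a
# monitoring job can flag a port whose optics are degrading before it goes down.
# The sample text below is constructed to match the layout shown on this page.
import re
from typing import Dict, List, Tuple

DIAG_SAMPLE = """\
Current diagnostic parameters[AP:Average Power]:
Temp(Celsius) Voltage(V) Bias(mA) RX power(dBm) TX power(dBm)
26(OK) 3.26(OK) 5.22(OK) -3.65(OK)[AP] -2.09(OK)
"""

ALARM_SAMPLE = """\
RX power low
RX loss of signal
Module not ready
RX not ready
RX CDR loss of lock
"""

# Column order of the diagnosis line, as printed by the switch (names assumed).
FIELDS = ["temp_c", "voltage_v", "bias_ma", "rx_power_dbm", "tx_power_dbm"]
# "<number>(<STATUS>)", e.g. "-3.65(OK)"; the trailing "[AP]" marker is ignored.
VALUE_RE = re.compile(r"(-?\d+(?:\.\d+)?)\((\w+)\)")


def parse_diagnosis(text: str) -> Dict[str, Tuple[float, str]]:
    """Return {field: (value, status)} from the data line of the diagnosis output."""
    data_lines = [ln for ln in text.splitlines() if VALUE_RE.search(ln)]
    if not data_lines:
        raise ValueError("no diagnostic values found (transceiver without DDM?)")
    pairs = VALUE_RE.findall(data_lines[-1])
    if len(pairs) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} values, got {len(pairs)}")
    return {name: (float(val), status) for name, (val, status) in zip(FIELDS, pairs)}


def parse_alarms(text: str) -> List[str]:
    """One alarm per non-empty line; empty output means no alarm is raised."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def transceiver_health(diag_text: str, alarm_text: str) -> Tuple[bool, List[str]]:
    """(healthy, reasons): unhealthy if any DDM status is not OK or any alarm is raised."""
    reasons = [
        f"{name}={value} flagged {status}"
        for name, (value, status) in parse_diagnosis(diag_text).items()
        if status != "OK"
    ]
    reasons.extend(f"alarm: {alarm}" for alarm in parse_alarms(alarm_text))
    return not reasons, reasons


if __name__ == "__main__":
    print(transceiver_health(DIAG_SAMPLE, ""))
    print(transceiver_health(DIAG_SAMPLE, ALARM_SAMPLE))
```

A transceiver without DDM (the 1000BASE-LX example above) produces no value line, so parse_diagnosis raises instead of silently reporting "healthy"; a poller should treat that as "unknown", not "OK".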
Ruijie transceiver specifications
1. MINI-GBIC transceiver:
MINI-GBIC cabling specification:
2. 10G XFP
3. 10G SFP+
Note: By default, a trunk port carries traffic for all VLANs that have been created. We strongly recommend pruning every trunk port so that only the traffic of the VLANs actually needed passes through; otherwise unknown unicast, broadcast and multicast packets flood through the whole network, leading to a heavier CPU burden and useless consumption of system resources.
I. Configuration Steps
1. Configuring an access port
The following example shows how to configure interface F0/1 as an access port and assign interface F0/1 to VLAN 100.
Ruijie>en
Ruijie#conf t
Ruijie(config)#interface fastEthernet 0/1
Ruijie(config-if)#switchport mode access
Ruijie(config-if)#switchport access vlan 100
Ruijie(config-if)#end
Ruijie#wr
Note: By default, all ports are in access mode and belong to VLAN 1.
Enter the "show vlan" privileged EXEC command to verify that interface F0/1 belongs to VLAN 100.
Ruijie# show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------------
1 VLAN0001 STATIC Fa0/3, Fa0/4,Fa0/5
Fa0/6, Fa0/7,Fa0/8, Fa0/9
Fa0/10,Fa0/11, Fa0/12, Fa0/13
Fa0/14,Fa0/15, Fa0/16, Fa0/17
Fa0/18,Fa0/19, Fa0/20, Fa0/21
Fa0/22,Fa0/23, Fa0/24, Fa0/25
Fa0/26,Fa0/27, Fa0/28, Fa0/29
Fa0/30,Fa0/31, Fa0/32, Fa0/33
Fa0/34,Fa0/35, Fa0/36, Fa0/37
Fa0/38,Fa0/39, Fa0/40, Fa0/41
Fa0/42,Fa0/43, Fa0/44, Fa0/45
Fa0/46,Fa0/47, Fa0/48, Gi0/49
Gi0/50
100 VLAN0100 STATIC Fa0/1,Fa0/2
2. Configuring a trunk port
The following example shows how to configure interface G0/49 as a trunk port.
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-if)#switchport mode trunk
Ruijie(config-if)#end
In the following example, the "show interfaces trunk" privileged EXEC command is used to verify the status of all trunk ports.
Ruijie# show interfaces trunk
Interface Mode Native VLAN VLAN lists
------------------------ ------ ----------- ----------
FastEthernet 0/48 Off 1 ALL
GigabitEthernet 0/49 On 1 ALL
GigabitEthernet 0/50 Off 1 ALL
3. Pruning a trunk port (Mandatory)
This example shows how to prune a trunk port so that it carries traffic only for VLANs 5, 10 and 20-30.
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#switchport mode trunk
Ruijie(config-if-GigabitEthernet 0/1)#switchport trunk allowed vlan remove 1-4,6-9,11-19,31-4094
Ruijie(config-if-GigabitEthernet 0/1)#end
Ruijie#wr
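Working out the "remove" list by hand is error-prone, and a gap in it silently leaves a VLAN on the trunk. The following is an added example, not code from the Ruijie guide: given the VLANs a trunk should carry, it computes the complementary remove list in the CLI's compact range notation. The guide shows one instance (allow 5, 10 and 20-30); this generalizes it to any allowed list. The VLAN range 1-4094 and the range syntax "a-b,c" are taken from the command above; the function names are this example's own.

```python
# Added example (not part of the Ruijie guide): derive the
# "switchport trunk allowed vlan remove ..." argument from the set of VLANs a
# trunk should carry, so the prune list is never computed by hand.
from typing import Iterable, List, Tuple

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(spec: str) -> List[int]:
    """Parse a VLAN list such as '5,10,20-30' into sorted, unique VLAN ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def compress_ranges(vlans: Iterable[int]) -> str:
    """Render VLAN ids back into the compact 'a-b,c,d-e' form the CLI accepts."""
    ranges: List[Tuple[int, int]] = []
    for v in sorted(set(vlans)):
        if ranges and ranges[-1][1] == v - 1:
            ranges[-1] = (ranges[-1][0], v)   # extend the current run
        else:
            ranges.append((v, v))             # start a new run
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def prune_command(allowed_spec: str) -> str:
    """Return the interface command that removes every VLAN not in allowed_spec."""
    allowed = set(parse_vlan_list(allowed_spec))
    if not allowed:
        raise ValueError("a trunk must carry at least one VLAN")
    to_remove = [v for v in range(VLAN_MIN, VLAN_MAX + 1) if v not in allowed]
    if not to_remove:
        return "! all VLANs allowed, nothing to prune"
    return "switchport trunk allowed vlan remove " + compress_ranges(to_remove)


if __name__ == "__main__":
    print(prune_command("5,10,20-30"))
```

Run it with the allowed list from the example above and the output is exactly the remove argument shown in the configuration; re-running it after the allowed list changes is the safest way to keep the pruned trunk in step with the VLAN plan.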
Overview
1. We suggest applying storm control on the edge ports of access switches, and not applying storm control on uplink ports.
2. If the access switch doesn't support storm control, we suggest applying storm control on the distribution switch.
3. A limit of 100 pps to 300 pps for unknown unicast/broadcast/multicast packets is appropriate.
I. Configuration Steps
To configure storm control on a port with the keyword level, perform this task:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcast level 1 ------>storm-control limits broadcast packets to 1% of the bandwidth, that is 1G*1%=10M
Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicast level 1 ------>storm-control limits unknown unicast packets to 1% of the bandwidth, that is 1G*1%=10M
Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicast level 1
To configure storm control on a port with the keyword pps, perform this task:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface gigabitEthernet 0/1
Ruijie(config-if-GigabitEthernet 0/1)#storm-control broadcast pps 200 ------>storm-control limits broadcast packets to 200 packets per second
Ruijie(config-if-GigabitEthernet 0/1)#storm-control unicast pps 200 ------>storm-control limits unknown unicast packets to 200 packets per second
Ruijie(config-if-GigabitEthernet 0/1)#storm-control multicast pps 200
Ruijie(config-if-GigabitEthernet 0/1)#end
II. Verification
Ruijie#show storm-control
Interface Broadcast Control Multicast Control Unicast Control Action
------------------------- ----------------- -------------------------------- --------
GigabitEthernet 0/1 1 % 1 % 1 % none
GigabitEthernet 0/2 Disabled Disabled Disabled none
GigabitEthernet 0/3 Disabled Disabled Disabled none
Overview
SNMP: Short for Simple Network Management Protocol, SNMP has been a network management standard (RFC1157) since August 1988. Since then, SNMP has become the de facto network management standard thanks to support from many manufacturers. It is applicable to interconnecting multiple systems from different manufacturers. Administrators can use SNMP to query information, configure the network, locate failures and plan capacity for the nodes on the network. Network supervision and administration are the basic functions of SNMP.
SNMP versions:
SNMPv1: The first formal version of the Simple Network Management Protocol, defined in RFC1157.
SNMPv2C: Community-based Administrative Framework for SNMPv2, an experimental Internet protocol defined in RFC1901.
SNMPv3: Offers the following security features by authenticating and encrypting packets:
1. Ensures that the data are not tampered with during transmission;
2. Ensures that the data come from a valid data source;
3. Encrypts packets to ensure data confidentiality.
Both SNMPv1 and SNMPv2C use a community-based security framework. They restrict the administrator's operations on the MIB by defining host IP addresses and community strings. With the Get Bulk retrieval mechanism, SNMPv2C sends more detailed error information to the management station. Get Bulk allows you to obtain all the information, or a great volume of data, from a table at one time, thus reducing the number of requests and responses. Moreover, SNMPv2C improves the capability of handling errors, including expanding the error codes to distinguish different kinds of errors, which were represented by one error code in SNMPv1. Now, error types can be distinguished by error codes. Since there may be management workstations supporting SNMPv1 and SNMPv2C in a network, the SNMP agent must be able to recognize both SNMPv1 and SNMPv2C messages and return the corresponding version of messages.
I. Requirements
1. Only the SNMP network manager (IP: 192.168.1.2/24) can access the switch SNMP service, using the community string "ruijie".
2. The SNMP agent on the switch actively sends SNMP traps to the SNMP manager.
3. The SNMP manager can get basic information about the switch: location, contact method and chassis id.
II. Network Topology
III. Configuration Tips
1. Set the read-only community string and the read-write community string on the switch independently.
2. Define an ACL so that only the authorized SNMP manager can access the SNMP agent of the switch.
3. Enable SNMP traps.
4. Configure the SNMP manager.
IV. Configuration Steps
1. Define an access list named "abc" with an entry permitting the IP address of the SNMP manager.
Ruijie(config)#ip access-list standard abc
Ruijie(config-std-nacl)#permit host 192.168.1.2
Ruijie(config-std-nacl)#exit
2. Set the read-write community string to "ruijie" and the read-only community string to "public", then associate both community strings with the ACL so that only the SNMP manager can access the SNMP agent of the switch.
Ruijie(config)#snmp-server community ruijie rw abc
Ruijie(config)#snmp-server community public ro abc
3. The SNMP agent on the switch actively sends traps to the SNMP network manager.
Ruijie(config)#snmp-server host 192.168.1.2 traps ruijie ------>by default, the SNMP trap version is version 1
Ruijie(config)#snmp-server host 1.1.1.1 version 2c ruijie ------>set the SNMP trap version to version 2c
4. Enable the trap feature
Ruijie(config)#snmp-server enable traps
5. Set SNMP optional parameters
Set location
Ruijie(config)#snmp-server location fuzhou
Set contact method
Ruijie(config)#snmp-server contact ruijie.com.cn
Set chassis-id
Ruijie(config)#snmp-server chassis-id 1234567890
6. Assign a management IP address to SVI 1
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
7. Save the configuration
Ruijie(config-if-VLAN 1)#end
Ruijie#wr
V. Verification
1. This example shows how to verify the SNMP agent status.
The following example shows how to disable the SNMP agent if an SNMP agent issue leads to heavy CPU load:
Ruijie(config)#no enable service snmp-agent
2. This example shows how to display SNMP host information.
3. This example shows how to access the SNMP agent from an SNMP manager using "Mib-Browser".
4. SNMP managers other than 192.168.1.2 cannot access the SNMP agent at the same time.
I. Requirements
1) The SNMP manager accesses the SNMP agent on the switch using the user-based security model. The user name is "admin", the authentication mode is MD5, the authentication key is "ruijie", the encryption algorithm is DES56, and the encryption key is "123".
2) User "admin" can read the MIB objects under the System (1.3.6.1.2.1.1) node, and can only write the MIB object under the SysContact (1.3.6.1.2.1.1.4.0) node.
3) The switch can actively send authenticated and encrypted messages to the SNMP manager.
II. Network Topology
III. Configuration Tips
1. Create MIB views and specify the included or excluded MIB objects.
2. Create an SNMP group and set the version to "v3"; specify the security level of this group, and configure the read and write permissions of the views associated with this group.
3. Create a user name and associate it with the corresponding SNMP group in order to configure the user's permission to access MIB objects; meanwhile, configure the version "v3" and the corresponding authentication mode, authentication key, encryption algorithm and encryption key.
4. Configure the address of the SNMP manager, the version "3" and the security level to be adopted.
IV. Configuration Steps
Configuring the switch:
Ruijie#configure terminal
Ruijie(config)#snmp-server view view1 1.3.6.1.2.1.1 include ------>Create a MIB view "view1" that includes the MIB object 1.3.6.1.2.1.1
Ruijie(config)#snmp-server view view2 1.3.6.1.2.1.1.4.0 include ------>Create a MIB view "view2" that includes the MIB object 1.3.6.1.2.1.1.4.0
Ruijie(config)#snmp-server group group1 v3 priv read view1 write view2 ------>Create a group named "group1" using SNMPv3; set the security level to "priv", with read access to "view1" and write access to "view2"
Ruijie(config)#snmp-server user admin group1 v3 auth md5 ruijie priv des56 ruijie123 ------>Create a user named "admin" belonging to group "group1", using SNMPv3; the authentication mode is "md5", the authentication key is "ruijie", the encryption mode is "DES56" and the encryption key is "123"
Ruijie(config)#snmp-server host 192.168.1.2 traps version 3 priv admin ------>Configure the SNMP server address 192.168.1.2 using SNMPv3, set the security level to "priv" and associate the user name "admin"
Ruijie(config)#snmp-server enable traps ------>Enable the agent to actively send traps to the NMS
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.1 255.255.255.0
Ruijie(config-if-VLAN 1)#end
Set SNMP optional parameters
Ruijie(config)#snmp-server location fuzhou
Ruijie(config)#snmp-server contact ruijie.com.cn
Ruijie(config)#snmp-server chassis-id 1234567890
Note: If you don't create a new SNMP view, the Ruijie switch uses the default SNMP view named "default", which includes MIB object 1 (the whole tree).
Minimum SNMPv3 configuration example:
snmp-server group group1 v3 priv read default write default
snmp-server user admin group1 v3 auth md5 ruijie priv des56 ruijie123
snmp-server host 192.168.1.2 traps version 3 priv admin
snmp-server enable traps
V. Verification
1. This example shows how to verify the SNMP agent status.
The following example shows how to disable the SNMP agent if an SNMP agent issue leads to heavy CPU load:
Ruijie(config)#no enable service snmp-agent
2. The following examples show how to display the SNMP view, SNMP group and SNMP user individually.
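The two SNMP sections above come down to two checks an auditor wants to run over a saved configuration: every v1/v2c community string is bound to an ACL, and every SNMPv3 user is created with both an authentication key and a privacy key. The following is an added example, not code from the Ruijie guide: it parses the "snmp-server" lines of a configuration dump and reports the lines that fall short. Only the command forms shown on this page are recognized (community with ro/rw and an optional ACL name, user with "v3 auth ... priv ..."), and the sample configuration is constructed; the extra flag on the well-known name "public" is this example's own, since the guide itself uses it with an ACL.

```python
# Added example (not part of the Ruijie guide): audit snmp-server lines of a
# configuration dump for the hardening points the SNMP sections above make.
import re
from typing import List, Set

# Constructed sample resembling "show running-config" output; not real device output.
SAMPLE_CONFIG = """\
ip access-list standard abc
 permit host 192.168.1.2
snmp-server community ruijie rw abc
snmp-server community public ro abc
snmp-server community legacy rw
snmp-server group group1 v3 priv read view1 write view2
snmp-server user admin group1 v3 auth md5 ruijie priv des56 ruijie123
snmp-server user readonly group1 v3 auth md5 ruijie
snmp-server host 192.168.1.2 traps version 3 priv admin
snmp-server enable traps
"""

# Default community names that every scanner tries first.
WELL_KNOWN = {"public", "private"}
# Only the syntax shown on this page is recognized (assumption of this example).
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)(?: (\S+))?$")
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) v3(?: (.*))?$")
ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")


def defined_acls(config: str) -> Set[str]:
    """Names of the access lists declared anywhere in the configuration."""
    names = set()
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            names.add(m.group(1))
    return names


def audit_snmp(config: str) -> List[str]:
    """Return one finding per weak snmp-server line; an empty list means clean."""
    findings: List[str] = []
    acls = defined_acls(config)
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in WELL_KNOWN:
                findings.append(f"community '{name}' uses a well-known default name")
            if acl is None:
                findings.append(f"community '{name}' ({mode}) has no ACL bound: any source may use it")
            elif acl not in acls:
                findings.append(f"community '{name}' references undefined ACL '{acl}'")
            continue
        m = USER_RE.match(line)
        if m:
            user, group, rest = m.groups()
            tokens = (rest or "").split()
            if "auth" not in tokens:
                findings.append(f"SNMPv3 user '{user}' (group {group}) has no authentication (noAuthNoPriv)")
            elif "priv" not in tokens:
                findings.append(f"SNMPv3 user '{user}' (group {group}) authenticates but does not encrypt (authNoPriv)")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```

On the sample it flags the ACL-less "legacy" community and the "readonly" user that was created without a priv key, which is the authNoPriv case the requirements above rule out; the "public" entry is reported only as a naming concern because it is still ACL-bound.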
Overview
With SPAN, you can analyze the communications on a port by copying frames from that port to another port connected to a network analysis device or RMON analyzer. SPAN mirrors all the packets sent/received on a port to a physical port for analysis. SPAN does not affect the exchange of packets between the source and destination ports. Instead, it copies the frames entering/leaving the source port to the destination port. However, frames may be discarded when the destination port overflows, for example, when a 100Mbps port monitors a 1000Mbps port.
I. Requirements
The core switch copies the traffic of G0/1 and G0/2 in both directions to the Monitor Server, and the Monitor Server can also visit the Internet at the same time.
II. Network Topology
III. Configuration Tips
Enter the "monitor session" global configuration command with the "switch" keyword to allow the mirror destination port to forward its own traffic in addition to the mirrored traffic.
IV. Configuration Steps
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#monitor session 1 source interface gigabitEthernet 0/1 both ------>define G0/1 as a source port in the monitor session, with both traffic directions monitored. If you want to monitor incoming or outgoing traffic only, use the keyword rx or tx instead of both, such as "monitor session 1 source interface gigabitEthernet 0/1 rx"
Ruijie(config)#monitor session 1 source interface gigabitEthernet 0/2 both
Ruijie(config)#monitor session 1 destination interface gigabitEthernet 0/24 switch
Ruijie(config)#end
Ruijie#wr
V. Verification
1. This example shows how to verify the status of the monitor session.
2. This example verifies that the Monitor Server can visit the Internet while monitoring.
Note: Only the S8600E and N18000 series switches support one-to-many (or many-to-many) SPAN so far.
Tips: For switches that do not support one-to-many SPAN, you can apply the following fallback method:
1. Configure the ordinary many-to-one SPAN.
2. Connect a hub to the mirror destination port, so that packets flood through the hub.
3. Connect your Monitor Server to the hub.
The hub can also be a switch with default settings. You must assign its ports to the remote VLAN and disable the MAC learning feature (enter the "no mac-address-learning" interface configuration command) and the storm-control feature.
I. Requirements
The core switch copies the traffic of G4/1 and G4/2 in both directions to Monitor Server 1 connected to port G4/21 and Monitor Server 2 connected to port G4/22.
II. Network Topology
III. Configuration Tips
1) Create VLAN 100 as the remote VLAN on the switch
2) Define G4/1 and G4/2 as source ports in the monitor session, with both traffic directions monitored
3) Create a mac-loopback port, assign it to the remote VLAN and define it as the destination port in the monitor session
4) Assign ports G4/21 and G4/22 to remote VLAN 100
Note:
1) Use an unused port as the mac-loopback port. You cannot connect a cable to this port; even so, the switch puts the link status of the mac-loopback port to up and the port LED is green.
2) Don't configure any other commands on the mac-loopback port, and don't specify the "switch" keyword when configuring the monitor session (monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23, with no switch keyword)
IV. Configuration Steps
1. Create VLAN 100 as the remote VLAN on the switch
Ruijie#configure terminal
Ruijie(config)#vlan 100 ------>VLAN 100 must be dedicated to mirroring
Ruijie(config-vlan)#remote-span
Ruijie(config-vlan)#exit
2. Define G4/1 and G4/2 as source ports in the monitor session, with both traffic directions monitored
Ruijie(config)#monitor session 1 remote-source
Ruijie(config)#monitor session 1 source interface gigabitEthernet 4/1 both
Ruijie(config)#monitor session 1 source interface gigabitEthernet 4/2 both
3. Configure G4/23 as the mac-loopback port, assign it to the remote VLAN and define it as the destination port in the monitor session
Ruijie(config)#interface gigabitEthernet 4/23
Ruijie(config-if-GigabitEthernet 4/23)#switchport access vlan 100
Ruijie(config-if-GigabitEthernet 4/23)#mac-loopback ------>Don't configure any other commands on this port or connect a cable to it
Ruijie(config-if-GigabitEthernet 4/23)#end
Ruijie(config)#monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23 switch
Ruijie# clear mac-address-table dynamic interface gigabitEthernet 4/23 ------>clear the mac-address-table of this port when you finish configuring
4. Assign ports G4/21 and G4/22 to remote VLAN 100
Ruijie(config)#interface range gigabitEthernet 4/21-22
Ruijie(config-if-range)#switchport access vlan 100
Ruijie(config-if-range)#end
Ruijie#wr
V. Verification
1. This example shows how to verify the status of the monitor session.
2. This example shows how to display the configuration of port G4/23.
VI. Script
conf t
vlan 100
remote-span
exit
monitor session 1 remote-source
monitor session 1 source interface gigabitEthernet 4/1 both
monitor session 1 source interface gigabitEthernet 4/2 both
monitor session 1 destination remote vlan 100 interface gigabitEthernet 4/23 switch
interface gigabitEthernet 4/23
switchport access vlan 100
mac-loopback
interface range gigabitEthernet 4/21-22
switchport access vlan 100
Scenario
Flow-based mirroring: During network troubleshooting, when the traffic on a port is high, a common mirroring analysis solution may fail because of limited PC performance, and it would be difficult for the system to capture the required traffic packets (for example, packets of a certain MAC address, or packets originated by a designated IP address and destined for another designated IP address). In this case, you can use the flow-based mirroring analysis function. If the traffic on the port is too high for the monitoring server or log auditing server deployed on the network to carry out all the data analysis tasks, you can choose to capture the specified traffic packets only.
Function Overview
Port mirroring: You can use the Switched Port Analyzer (SPAN) to replicate packets on a specified port to the port that connects a network surveillance device on the switch, for network monitoring and traffic analysis. You can monitor packets flowing in and out of a source port through SPAN for fast packet replication.
SPAN does not change packet information or affect packet transmission. In addition, SPAN has no requirement on the media type of the source and destination ports. Port mirroring can be from optical ports to electrical ports or from electrical ports to optical ports. SPAN has no requirement on the properties of the source and destination ports. It supports mirroring from an access port to a trunk port or from a trunk port to an access port.
Flow-based mirroring: You can define the desired types of traffic packets (for example, PPPOE packets, IP packets on a specified network segment, and HTTP packets on TCP 80) using an ACL. Ruijie switches provide rich ACL functions, and support traffic packet matching by L2 frame type, MAC address, IP address, TCP/UDP port, and ACL80 (the first 80 bytes of a packet). SPAN captures traffic packets on the source port according to the defined ACL, and mirrors them to the destination port. Traffic packets not matching the defined ACL are not mirrored.
Note: The switch supports flow-based mirroring in the RX direction (inbound on the port) only. Monitoring in the TX (outbound on the port) direction or in both directions is not supported.
I. Networking Requirements
1. The monitoring server monitors traffic consumption on the core server by users on the 192.168.10.0/24 network segment.
2. The monitoring server monitors the traffic from the core server to the access server.
II. Network Topology
III. Configuration Tips
1. On the core server, configure the ACL to allow users on the network segment 192.168.10.0/24.
2. On the core server, configure the port mirroring function. Set the g1/1 port that connects the access server as the source port of port mirroring and enable the ACL association.
3. Set the port connecting the monitoring server (port g1/24) as the destination port of port mirroring.
IV. Configuration Steps
Configure the core server.
Ruijie#configure terminal
Ruijie(config)#ip access-list extended ruijie ------>Create an ACL named ruijie
Ruijie(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
Ruijie(config-ext-nacl)#exit
Ruijie(config)#monitor session 1 source interface gigabitEthernet 1/1 tx
Ruijie(config)#monitor session 1 source interface gigabitEthernet 1/1 rx acl ruijie ------>Set the g1/1 port that connects the access server as the source port of port mirroring and enable the ACL association.
Ruijie(config)#monitor session 1 destination interface gigabitEthernet 1/24 switch ------>Set the port connecting the monitoring server (port g1/24) as the destination port of port mirroring and enable switching on the mirroring destination port.
Ruijie(config)#end
Ruijie#wr
V. Verification
1. Check the port mirroring state.
Ruijie(config)#show monitor
sess-num: 1
span-type: LOCAL_SPAN
src-intf:
GigabitEthernet 1/1 frame-type Both
rx acl id 2900
acl name ruijie
dest-intf:
GigabitEthernet 1/24
mtp_switch on ------>Allow the mirroring destination port to forward data streams
2. Check the ACL.
3. Capture
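Whether a given frame reaches the monitoring server depends on two rules the configuration above combines: the TX direction of G1/1 is mirrored unfiltered, and the RX direction is mirrored only when the frame matches the wildcard-mask ACL "ruijie". The following is an added example, not code from the Ruijie guide: it reproduces those two rules in Python so the expected capture can be predicted (or a capture checked) offline. Only the ACL entry form on this page ("permit ip <addr> <wildcard> any", plus "host"/"any" shorthands and an implicit deny) is modelled, the packet records are constructed, and the function names are this example's own.

```python
# Added example (not part of the Ruijie guide): model which packets the
# flow-based mirroring session above copies to G1/24.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco/Ruijie-style wildcard mask: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (b & care)


@dataclass(frozen=True)
class AclEntry:
    action: str        # "permit" or "deny"
    src: str           # base address ("any" becomes 0.0.0.0 / 255.255.255.255)
    src_wild: str
    dst: str
    dst_wild: str


def parse_ace(line: str) -> AclEntry:
    """Parse 'permit ip 192.168.10.0 0.0.0.255 any' (extended ACL, protocol ip)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line}")

    def take(i: int) -> Tuple[str, str, int]:
        if tok[i] == "any":
            return "0.0.0.0", "255.255.255.255", i + 1
        if tok[i] == "host":
            return tok[i + 1], "0.0.0.0", i + 2
        return tok[i], tok[i + 1], i + 2

    src, sw, i = take(2)
    dst, dw, _ = take(i)
    return AclEntry(tok[0], src, sw, dst, dw)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


# Session from the guide: G1/1 tx mirrored unfiltered, G1/1 rx mirrored only
# for frames matching ACL "ruijie".
ACL_RUIJIE = [parse_ace("permit ip 192.168.10.0 0.0.0.255 any")]


def is_mirrored(direction: str, src: str, dst: str) -> bool:
    """direction is 'rx' (inbound on G1/1) or 'tx' (outbound on G1/1)."""
    if direction == "tx":
        return True                      # flow-based filtering exists only for rx
    if direction == "rx":
        return acl_permits(ACL_RUIJIE, src, dst)
    raise ValueError(f"unknown direction: {direction}")


if __name__ == "__main__":
    print(is_mirrored("rx", "192.168.10.7", "10.0.0.1"))   # matches the ACL
    print(is_mirrored("rx", "192.168.11.7", "10.0.0.1"))   # falls to implicit deny
    print(is_mirrored("tx", "192.168.11.7", "10.0.0.1"))   # tx is unfiltered
```

The asymmetry is worth keeping in mind when sizing the monitoring server: the ACL trims only what enters G1/1, so everything the core sends out of G1/1 still lands on G1/24.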
1. switchport trunk allowed vlan only x-x
Previously, in the 10.x version, all VLANs could pass through a trunk port by default. Engineers had to remove all VLANs first, then permit VLANs one by one.
With the command "switchport trunk allowed vlan only x-x", only the allowed VLANs can pass through the trunk port; you don't need to remove all VLANs anymore.
For example:
Ruijie(config-if-GigabitEthernet 1/1)#show this
Building configuration...
switchport mode trunk
switchport trunk allowed vlan only 1-2
end
2. show this
Previously, in the 10.x version, engineers had to execute the commands "show run" or "show run | include xxx" to check configurations. With the command "show this", you can display the configuration under the current mode directly:
For example:
Ruijie(config)#int mgmt 0
Ruijie(config-if-Mgmt 0)#show this
Building configuration...
!
ip address 172.18.10.62 255.255.255.0
gateway 172.18.10.1
3. show upgrade history
Previously, in the 10.x version, engineers had to rename the firmware to "rgos.bin" before upgrading. In addition, there was no record of past upgrades.
Currently, you can give the firmware any name for convenient management, and the system keeps a record of past upgrades.
For example:
Ruijie#show upgrade history
Last Upgrade Information:
Time: 2015-04-20 03:02:05
Method: LCOAL
Package Name: N18000_RGOS11.0(2)B1_CM_install.bin
Package Type: Distribution
4. debug syslog limit
Previously, in the 10.x version, at worst, massive system log printing could crash the device after debugging was enabled.
With the command "debug syslog limit time seconds numbers numbers", system log printing is limited.
For example:
Ruijie#debug syslog limit ?
numbers Syslog limited by numbers
reset Syslog reset limit statistics
time Syslog limited by time
5. One-key collection
Previously, in the 10.x version, engineers usually had to collect information multiple times while troubleshooting, which might miss the best opportunity.
With one-key collection, the system collects all relevant information at one time.
For example:
Ruijie#debug support
Ruijie(support)#tech-support ?
console Tech-support information to terminal
package Tech-support information to package
Overview
VSU expands the Port Count
As shown in the figure below, when the ports on a switch run out, you can add one more switch to the VSU to expand the port count.
VSU expands Forwarding Capacity
As shown in the figure below, you can add one more switch to the VSU to expand the global forwarding capacity. For example, if the forwarding capacity of one switch is 128M pps, the global forwarding capacity expands up to 256M pps when two switches join a VSU.
VSU expands Uplink Bandwidth
As shown in the figure below, you can add one more switch to the VSU to expand the uplink bandwidth to the core switch with minimal impact on network topology and configuration.
VSU simplifies the Network Topology
As the first figure below shows, this is a common scenario consisting of MSTP and VRRP to ensure high availability, where redundant ports are blocked to prevent loops.
As the second figure below shows, VSU reduces the complexity of the network and enhances the utilization ratio of network resources. All ports are in use at the same time.
Note:
In a traditional network, in order to strengthen network reliability, the core layer or distribution layer generally configures two devices into a dual-core system for redundant standby, with neighboring devices connecting two links to reach the dual-core redundant system. Such a typical traditional network architecture is shown in the following figure. The redundant network architecture increases the complexity of network design and operations, while the large number of standby links also reduces the utilization ratio of network resources and decreases the rate of return on investment.
VSU (Virtual Switching Unit) is a common network virtualization technology combining two switches into a single virtual switch, thus reducing the complexity of the network and enhancing the utilization ratio of network resources.
Role of Chassis:
Each switch in a VSU is called a VSU member, and there are three VSU roles for VSU members based on different features:
1) Active: The active chassis controls the entire VSU system
2) Standby: The standby chassis takes charge of control if the main chassis fails
VSU Domain ID:
The VSU Domain ID ranges from 1 to 255, and the default value is 100. Only VSU members with the same Domain ID can establish a VSU.
VSU Chassis ID:
The value of the Chassis ID can be 1 or 2. The default value is 1.
In standalone mode, port numbers take a 2-dimensional format (for example, GigabitEthernet 2/3); in VSU mode, port numbers take a 3-dimensional format (for example, GigabitEthernet 1/2/3).
The first number (GigabitEthernet 1/2/3) indicates the chassis ID and the last two numbers (GigabitEthernet 1/2/3) indicate the slot number and port number. So the chassis ID of each VSU member must be different.
In addition, if two VSU chassis have the same chassis ID, the VSU system recalculates a new chassis ID for them.
VSU Chassis Priority:
The value of the chassis priority ranges from 1 to 255, and the default value is 100. A higher value indicates a higher priority to become the active chassis.
In addition, the chassis priority consists of a configured priority and a running priority. The running priority doesn't change when the administrator changes the configured priority while the VSU is running. The running priority changes when the administrator saves the configuration and reloads the VSU.
VSL
Since two chassis jointly form a network entity in a VSU system, they need to share control information and part of the data streams. The VSL (Virtual Switching Link) is a special link between the two chassis for transmitting control information and data streams.
The VSL acts as an aggregate port. Its member port count is unlimited, and these member ports can reside on line cards in different slots. For VSL-transferred traffic, load balancing is performed among these member ports according to the traffic balancing algorithm.
Currently, 10-GB or 40-GB ports can become member ports of the VSL, while 1-GB ports cannot. Besides, a line card can hold physical member ports of the VSL as well as common data service ports.
VSL Interruption:
As shown in the figure below, VSL interruption occurs when the VSL fails and both VSU members disconnect.
VSU Combination:
As shown in the figure below, VSU combination occurs when two VSU members with the same Domain ID establish a VSU.
Switch Working Mode:
The switch working modes are standalone mode and VSU mode; the default mode is standalone mode.
VSU VSL Connection Medium:
This varies between switch models.
For example, on S8600E series switches you can only configure the VSL on 10G/40G optical ports.
VSL Detection:
VSL detection starts to detect the peer chassis once the VSU members boot; after the VSL links come up, topology discovery begins.
Topology Discovery:
VSU members acquire the global VSU network topology by flooding VSU hello packets through the VSL. VSU hello packets carry topology information including chassis ID, priority, MAC, VSL port, etc.
VSU role election starts when topology discovery completes.
VSU Role Election:
The active chassis election mechanism operates as below:
Current host first
The higher priority first
The lower MAC address first
The slave chassis election mechanism is as follows:
The nearest to main first
The higher priority first
The lower MAC address first
After the election finishes, the active chassis floods Convergence packets to the whole VSU, and then VSU establishment completes.
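The election order above decides which chassis keeps control after a reload or a VSL event, and it explains why bumping "switch 1 priority" alone does not move the active role while the VSU is running (the current host wins the first tiebreak). The following is an added example, not code from the Ruijie guide: it expresses both election orders as sort keys so the outcome for a given set of members can be worked out in advance. Member records are constructed; the "hops" field stands in for "nearest to main", which the guide names but does not define numerically, and all names are this example's own.

```python
# Added example (not part of the Ruijie guide): the active/standby election
# order described above, expressed as sort keys over constructed member records.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Member:
    chassis_id: int
    priority: int                    # configured 1-255, default 100
    mac: str                         # compared numerically, lower wins
    is_current_active: bool = False  # "current host first"
    hops: int = 0                    # VSL distance to the active chassis (assumed metric)


def mac_value(mac: str) -> int:
    """Numeric value of a MAC written as aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-..."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def elect_active(members: List[Member]) -> Member:
    """Current active first, then higher priority, then lower MAC address."""
    if not members:
        raise ValueError("no VSU members")
    return min(members, key=lambda m: (not m.is_current_active, -m.priority, mac_value(m.mac)))


def elect_standby(members: List[Member], active: Member) -> Optional[Member]:
    """Nearest to the active chassis first, then higher priority, then lower MAC."""
    candidates = [m for m in members if m is not active]
    if not candidates:
        return None
    return min(candidates, key=lambda m: (m.hops, -m.priority, mac_value(m.mac)))


def elect(members: List[Member]) -> Tuple[int, Optional[int]]:
    """Return (active chassis id, standby chassis id or None)."""
    active = elect_active(members)
    standby = elect_standby(members, active)
    return active.chassis_id, (standby.chassis_id if standby else None)


if __name__ == "__main__":
    # Two-chassis VSU where switch 1 was given priority 200, as in the steps below.
    print(elect([Member(1, 200, "00:d0:f8:00:00:02"), Member(2, 100, "00:d0:f8:00:00:01")]))
```

Note the third case in the test: a chassis that is already active beats a newcomer with a higher priority, which is exactly the running-priority behaviour described under "VSU Chassis Priority".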
Dual ActiveDetection:
When VSL is disconnected, the slavechassis will be switched to main chassis. If the former main chassis is stillrunning, then the existing two chassis will both become the main chassis. Sincethe configurations are completely same, a series of problems such IP addressconflict will arise in the LAN. VSU must detect dual main chassis and takerestoration measures.
As shown in the figure above, whendeploying the VSU system, you need to configure an independent physical linkbetween chassis in addition to the VSL. The physical link is sued to transferdual-main-chassis packets when the VSL is disconnected. It is calleddual-main-chassis detection link. Ports connecting this link can be used totransfer only dual-main-chassis detection packets. You can run a CLI command tospecify certain ports as the dual-main-chassis detection ports.
After dual main chassis are detected,generally, one chassis enters the recovery mode to avoid network abnormity. TheVSU system supports the Bidirectional Forwarding Detection (BFD) and AP-baseddetection.
1) BFD basedDetection:A port of BFD for dual main chassis must bea L3 physical port. Ports of other modes will not do. When you transform theport of BFD for dual main chassis from a L3 port into a port of other modes,the detection is automatically cleared and a prompt is displayed. Here, theextended BFD is used. That is, existing BFD configuration and display commandscannot be used to configure dual-main-chassis detection ports.
2) AP basedDetection:The AP-based mechanism of detecting dualmain chassis is similar as that based on BFD. When the VSL is disconnected andtwo main chassis occur, the two main chassis send private protocol packets toeach other for detecting dual main chassis. The difference from BFD baseddetection is AP-based Detection configures on the AP links between VSU and onerelay equipment as figure shown below, and this relay equipment shall supportforward private detection packets.
Recovery mode:
When the main chassis is in the recoverymode, all services ports except the following ports must be disabled:
VSL port: when the main chassis in therecovery mode detects that the VSL is UP again, the chassis resets itself, andjoins the VSU system in the hot standby mode, becoming the new slave chassis.
MGMT port: You can use this port toperform remote management no matter the main chassis is in the recovery mode ornot.
Exception port: You can specify certainports as exception ports, which will not be disabled when the main chassisenters the recovery mode. Exception port: You can specify certain ports asexception ports, which will not be disabled when the main chassis enters therecovery mode. To configure exception ports, run the dual-active excludeinterface interface-name command.
In the dual-main-chassis mode or when amain chassis enters the recovery mode, the simplest recovery
Solution is to reconnect the VSL. If VSL isnot reconnected, but the main chassis in the recovery mode is manuallyrestarted, the system enters dual-main-chassis state again when after therestart succeeds.
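The election order and the recovery-mode port rules above, modelled as an added example (this is not Ruijie code): chassis priorities, MAC addresses and port names are constructed, and the rule that the lower-priority chassis is the one that enters recovery mode follows the dual-active description on this page.

```python
# Added example (not Ruijie code): models the VSU role election order and which
# ports survive when a chassis enters recovery mode after a dual-active event.
# All chassis values and port names below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Chassis:
    chassis_id: int
    priority: int
    mac: str                        # dotted hex as the switch prints it
    is_current_active: bool = False
    hops_to_active: int = 0         # VSL hops from the active chassis


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", "").replace(":", ""), 16)


def elect_active(members):
    """Current host first, then higher priority, then lower MAC address."""
    return min(members, key=lambda c: (not c.is_current_active,
                                       -c.priority, mac_to_int(c.mac)))


def elect_standby(members, active):
    """Nearest to the active chassis first, then higher priority, then lower MAC."""
    others = [c for c in members if c is not active]
    return min(others, key=lambda c: (c.hops_to_active, -c.priority,
                                      mac_to_int(c.mac)))


def vsl_split(members):
    """With the VSL down each chassis only sees itself, so every partition
    elects its own active chassis: this is the dual-active condition."""
    return [elect_active([c]) for c in members]


def resolve_dual_active(actives):
    """Dual-active detection keeps the higher-priority chassis active and puts
    the other one into recovery mode (lower MAC breaks a priority tie, mirroring
    the election order). Returns (chassis kept active, chassis in recovery)."""
    keep = min(actives, key=lambda c: (-c.priority, mac_to_int(c.mac)))
    recover = next(c for c in actives if c is not keep)
    return keep, recover


def recovery_mode_ports(ports, vsl_ports, mgmt_ports, exception_ports):
    """Port state for a chassis in recovery mode: every service port is shut
    down except VSL ports, the MGMT port and configured exception ports."""
    keep_up = set(vsl_ports) | set(mgmt_ports) | set(exception_ports)
    return {p: ("up" if p in keep_up else "shutdown") for p in ports}


if __name__ == "__main__":
    sw1 = Chassis(1, 200, "1414.4b19.ecc0")              # constructed
    sw2 = Chassis(2, 150, "00d0.f834.ea70", hops_to_active=1)
    active = elect_active([sw1, sw2])
    print("active:", active.chassis_id, "standby:", elect_standby([sw1, sw2], active).chassis_id)
    keep, recover = resolve_dual_active(vsl_split([sw1, sw2]))
    print("after VSL split, recovery mode on chassis", recover.chassis_id)
    print(recovery_mode_ports(["Te2/2/1", "Te2/2/2", "Mgmt0", "Te2/1/2", "Gi2/4/1"],
                              vsl_ports=["Te2/2/1", "Te2/2/2"], mgmt_ports=["Mgmt0"],
                              exception_ports=["Te2/1/2"]))
```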
1. Configuring active and standby VSU members
Active switch:
Switch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch1(config)#switch virtual domain 1
Switch1(config-vs-domain)#switch 1
Switch1(config-vs-domain)#switch 1 priority 200 ------>priority is 100 by default; the switch with the higher priority becomes the active chassis
Switch1(config-vs-domain)#exit
Switch1(config)#vsl-aggregateport 1 ------>the VSL is the heartbeat and traffic channel between the 2 VSU members. You must configure at least 2 pairs of VSL links
Switch1(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/1
Switch1(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/2
Switch1(config-vsl-ap-1)#exit
Standby switch:
Switch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch2(config)#switch virtual domain 1 ------>the domain ID must be the same as that of the active chassis
Switch2(config-vs-domain)#switch 2 ------>the switch ID must be different from that of the active chassis
Switch2(config-vs-domain)#switch 2 priority 150
Switch2(config-vs-domain)#exit
Switch2(config)#vsl-aggregateport 1
Switch2(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/1
Switch2(config-vsl-ap-1)#port-member interface TenGigabitEthernet 2/2
Switch2(config-vsl-ap-1)#exit
2. Connect the VSL cables and confirm that the links come up
3. Save the configuration and convert both VSU members to virtual mode at the same time
Active switch
Switch1#wr
Switch1#switch convert mode virtual ------>convert the switch working mode from standalone mode to virtual mode
Are you sure to convert switch to virtual mode[yes/no]:yes
Do you want to recovery “config.text” from “virtual_switch.text” [yes/no]:no
Standby switch
Switch2#wr
Switch2#switch convert mode virtual
Are you sure to convert switch to virtual mode[yes/no]:yes
Do you want to recovery “config.text” from “virtual_switch.text” [yes/no]:no
Both VSU members reload automatically.
Attention: be patient; it takes about 10 minutes to finish building the VSU.
The system prints logs continuously during the next 10 minutes, as below, if the VSL links failed or the peer switch has not reloaded yet:
*Aug 6 13:17:17: %VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment
*Aug 6 13:18:17: %VSU-5-RRP_TOPO_INIT: Topology initializing, please wait for a moment.
4. Verification
1. When the VSU completes, you can manage the VSU on the active chassis.
2. You can identify the active switch by viewing the Primary LED on the front of the main board, which is solid green.
3. When the VSU completes, you can no longer manage the VSU on the standby chassis through its console port by default.
Ruijie#show switch virtual
Switch_id  Domain_id  Priority   Position  Status  Role
---------  ---------  ---------  --------  ------  -------
1(1)       1(1)       200(200)   LOCAL     OK      ACTIVE   ------>active
2(2)       1(1)       150(150)   REMOTE    OK      STANDBY  ------>standby
Ruijie#show version slot
Dev  Slot  Configured Module   Online Module       User Status   Software Status
---  ----  ------------------  ------------------  ------------  ---------------
1    1     none                none
1    2     M8606-24SFP/12GT    M8606-24SFP/12GT    installed     none
1    3     M8606-2XFP          M8606-2XFP          uninstalled   cannot startup
1    4     M8606-24GT/12SFP    M8606-24GT/12SFP    installed     ok
1    M1    M8606-CM            M8606-CM            master
1    M2
Overview
1. When the VSL is disconnected, the standby chassis is switched to active chassis. If the former active chassis is still running, both chassis become active chassis. Since their configurations are identical, a series of problems such as IP address conflicts arise in the LAN. The VSU must detect the dual-active condition and take restoration measures.
2. After dual-active detection is enabled, the system detects dual-active via control packets over the dedicated BFD link and puts the chassis with the lower priority into recovery mode; all ports, except for the VSL port, the MGMT port and the exception ports that the administrator specifies (reserved for telnet), are forcibly shut down.
When dual-active occurs, dual-active detection ensures the stability and high availability of your network. (You must use redundant connections to connect other switches to the VSU. In addition, one link must connect to the active chassis and the other to the standby chassis.)
I. Configuration Steps
1. Configuring Dual-active Detection
Ruijie(config)#interface gi2/4/2
Ruijie(config-if)#no switchport ------>BFD detection must be applied on a Layer 3 port
Ruijie(config-if)#exit
Ruijie(config)#interface gi1/4/2
Ruijie(config-if)#no switchport
Ruijie(config-if)#exit
Ruijie(config)#switch virtual domain 1
Ruijie(config-vs-domain)#dual-active detection bfd ------>enable the BFD feature
Ruijie(config-vs-domain)#dual-active pair interface gi1/4/2 interface gi2/4/2 ------>configure a pair of BFD detection ports
Ruijie(config-vs-domain)#dual-active exclude interface ten1/1/2 ------>configure the exception port
Ruijie(config-vs-domain)#dual-active exclude interface ten2/1/2
Overview
An inter-chassis aggregate port (AP) group includes member ports of two VSU chassis. An inter-chassis AP can connect to any device (such as a server, switch or router) supporting the port aggregation function.
Inter-chassis AP allows load balancing of inter-chassis data streams. For example, when data streams enter the VSU system from the main chassis, the VSU gives preference to member ports located in the main chassis. This guarantees that unnecessary data streams are not transmitted over the VSL, reducing the load on the VSL.
The following figure shows a typical application of AP in a VSU.
I. Configuration Steps
1. Configuring a Layer 3 AP on the VSU:
Ruijie(config)#interface aggregateport 2
Ruijie(config-if-AggregatePort2)#no switchport
Ruijie(config-if-AggregatePort2)#description link-to-xxxx
Ruijie(config-if-AggregatePort2)#ip add 172.16.1.6 255.255.255.252
Ruijie(config-if-AggregatePort2)#exit
Ruijie(config)#interface ten 1/3/1
Ruijie(config-if-TenGigabitEthernet1/3/1)#no switchport
Ruijie(config-if-TenGigabitEthernet1/3/1)#description link-to-yyyy
Ruijie(config-if-TenGigabitEthernet1/3/1)#port-group 2
Ruijie(config-if-TenGigabitEthernet1/3/1)#exit
Ruijie(config)#interface ten 2/3/1
Ruijie(config-if-TenGigabitEthernet2/3/1)#no switchport
Ruijie(config-if-TenGigabitEthernet2/3/1)#description link-to-yyyy
Ruijie(config-if-TenGigabitEthernet2/3/1)#port-group 2
Ruijie(config-if-TenGigabitEthernet2/3/1)#exit
2. Configuring a Layer 2 AP on the VSU:
Ruijie(config)#interface aggregateport 4
Ruijie(config-if-AggregatePort4)#switchport mode trunk
Ruijie(config-if-AggregatePort4)#switchport trunk allowed vlan remove xxxx ----->prune the trunk port based on your requirements
Ruijie(config-if-AggregatePort4)#description link-to-xxxx
Ruijie(config-if-AggregatePort4)#exit
Ruijie(config)#interface gigabitEthernet 1/4/1
Ruijie(config-if-GigabitEthernet1/4/1)#port-group 4
Ruijie(config-if-GigabitEthernet1/4/1)#description link-to-yyyy
Ruijie(config-if-GigabitEthernet1/4/1)#exit
Ruijie(config)#interface gigabitEthernet 2/4/1
Ruijie(config-if-GigabitEthernet2/4/1)#port-group 4
Ruijie(config-if-GigabitEthernet2/4/1)#description link-to-yyyy
Ruijie(config-if-GigabitEthernet2/4/1)#exit
Features
Secure channel: generally, after 1X authentication is deployed, data packets from unauthenticated user ports are discarded. The secure channel allows unauthenticated users to access designated websites. It can be deployed to facilitate client distribution, back-door reservation for leaders, and terminals that do not support authentication (for example, printers and all-purpose terminals).
Emergency channel: in a 1X authentication scenario with only one Radius server, all users fail to access the Internet once the Radius server fails, and services are seriously affected. In that case, the authentication configuration must be cancelled on all ports one by one to recover services. If an emergency channel is deployed, the switch allows users to access the Internet without authentication when authentication fails multiple times or the Radius server is considered dead.
I. Networking Requirements
1. The 1X function is enabled on the core switch for resource access authentication of managed users.
2. Authenticated users can access all resources, while unauthenticated users can access only certain intranet resources.
3. Authentication-free access to intranet resources is enabled for some users (PC2).
4. When the active Radius server fails to function normally, user authentication is switched to the backup Radius server. When both the active and standby Radius servers fail, managed users can access resources without authentication (through an emergency channel).
II. Network Topology
III. Configuration Tips
1. On the core switch, enable AAA and configure the Radius server, key and associated parameters.
2. On the Radius server, configure the related parameters. (In this example, the SAM is used as the Radius server.)
3. Configure an expert ACL to allow server access before user authentication.
4. The core switch, managed users and the Radius server can be on different network segments, as long as the core switch can communicate with the Radius server and the clients can reach the controlled ports on the core switch via the access switch.
5. Configure the parameters for communication between the switch and the Radius server to deploy an emergency channel.
IV. Configuration Steps
Configure the core switch.
1. Basic dot1x configuration
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#aaa new-model ------>turn on the AAA switch
Ruijie(config)#radius-server host 192.168.33.244 ------>configure the radius server
Ruijie(config)#radius-server host 192.168.33.245 ------>configure the backup radius server
Ruijie(config)#radius-server key ruijie ------>configure the radius key
Ruijie(config)#aaa authentication dot1x ruijie group radius none ------>define an IEEE 802.1X authentication method list
Ruijie(config)#aaa accounting network ruijie start-stop group radius ------>define the AAA network accounting method list
Ruijie(config)#aaa accounting update periodic 15 ------>set the accounting update function
Ruijie(config)#dot1x authentication ruijie ------>select the authentication method list for 802.1X
Ruijie(config)#dot1x accounting ruijie ------>select the accounting method list for 802.1X
Ruijie(config)#interface gigabitEthernet 1/2
Ruijie(config-if-GigabitEthernet 1/2)#switchport mode trunk
Ruijie(config-if-GigabitEthernet 1/2)#dot1x port-control auto ------>enable 802.1X authentication on the interface
Ruijie(config-if-GigabitEthernet 1/2)#ip add 192.168.33.161 255.255.255.0 ------>configure the switch IP address
Ruijie(config-if-GigabitEthernet 1/2)#end
Ruijie#write ------>save the configuration
2. Enable the secure channel function
Ruijie(config)#expert access-list extended ruijie
Ruijie(config-exp-nacl)#permit arp any any any any any ------>make the IP and ARP packets authentication-free
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.61 any ------>allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.62 any ------>allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit ip any any host 192.168.33.244 any ------>allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit host 192.168.33.163 host 001a.a9c4.062f any any ------>this host is authentication-free
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group ruijie
1X authentication-free description
There are two ways to exempt users from authentication: (1) configure the secure channel with the user's IP or MAC address; (2) configure the authentication-free VLAN (direct-vlan), which exempts all users on the corresponding VLAN from authentication.
Plan 1: configure the secure channel; there are three methods:
Method 1: permit the host IP address
expert access-list extended no1x
10 permit arp any any any any any
20 permit ip host 192.168.1.23 any any any ------->permit the host IP address
security global access-group no1x
Method 2: permit the host MAC address
expert access-list extended no1x
10 permit arp any any any any any
30 permit ip any host 0010.123c.513d any any ------->permit the host MAC address
security global access-group no1x
Method 3: permit IP + MAC
expert access-list extended no1x
10 permit arp any any any any any
40 permit ip host 192.168.1.23 host 0010.123c.513d any any ------->permit the IP and MAC address
security global access-group no1x
Plan 2: configure direct-vlan
Configuration command: direct-vlan 1-20 // direct-vlan takes effect on both 1X authentication and web authentication
Notes:
If the secure channel (which takes priority over 1X authentication) is enabled, user ARP packets must be allowed to pass so that users can communicate with the gateway. Because the secure channel has the higher priority, the anti-ARP-spoofing function becomes invalid.
Solution: do not permit all ARP packets. Permit only ARP packets destined for the gateway. In this way, ARP check is still implemented and ARP spoofing among users is prevented. However, ARP spoofing is not completely prevented, because a user can still spoof another user towards the gateway.
Ruijie(config)#expert access-list extended permit1x
Ruijie(config-exp-nacl)#permit ip any any host 192.168.1.254 any ------>allow access to the home page of the site before authentication
Ruijie(config-exp-nacl)#permit arp any any any any any ------>allow ARP message interaction between a user and the gateway (this entry permits all ARP)
Ruijie(config-exp-nacl)#permit arp any any any any host 192.168.33.1 ------>the restricted form from the solution above: permit only ARP destined for the gateway
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group permit1x
3. You can change the timing parameters between the switch and the Radius server to control when the authentication method switches over. For example, the configuration "aaa authentication dot1x ruijie group radius none" means that authentication by the active Radius server is tried first, is switched to the backup Radius server if the active Radius server does not respond within a specified period, and is switched to the none authentication mode if both the active and backup Radius servers fail to respond.
Ruijie(config)#radius-server timeout 2 ------>specify the waiting time before the device resends a request (2 s by default)
Ruijie(config)#radius-server retransmit 2 ------>specify the number of times a request is sent before the device considers the Radius server invalid (3 by default)
Ruijie(config)#radius-server dead-criteria time 6 tries 3 ------>define the dead-criteria time and tries of the server
Ruijie(config)#radius-server deadtime 5 ------>specify how long the server is considered dead when it does not respond to the requests sent by the device (5 minutes by default)
Ruijie(config)#dot1x timeout server-timeout 20
dot1x timeout server-timeout is the timeout period of 1X authentication. The parameter is independent from the Radius timeout period (radius-server timeout). However, radius timeout * (retransmit + 1) must be smaller than dot1x timeout server-timeout; otherwise the emergency channel does not take effect. In this example, 2 * (2 + 1) = 6 s, which is smaller than 20 s, so the emergency channel is effective.
V. Verification
1. Before authentication, users can access the resources inside the secure channel but cannot access the resources outside the secure channel.
It can also be verified that users whose IP and MAC addresses are authentication-free through the secure channel can communicate properly.
2. When the Radius server hangs, the user can still get access through the escape (emergency channel) function.
Check the user info.
3. Turn on debug radius event and you can see the entire process of the escape function:
Ruijie#debug radius event
Ruijie#*Mar 16 18:07:20: %7: [radius] aaa req authentication to group radius
*Mar 16 18:07:20: %7: __rds_add_attr type = 24 len = 0
*Mar 16 18:07:20: %7: [radius] 16 send
*Mar 16 18:07:20: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:20: %7: calcu msg auth ok
*Mar 16 18:07:20: %7: [radius] radius access requests(12). ------>access-request sent for the first time
*Mar 16 18:07:22: %7: [radius] user 16 retry
*Mar 16 18:07:22: %7: [radius] 16 send
*Mar 16 18:07:22: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:22: %7: calcu msg auth ok
*Mar 16 18:07:22: %7: [radius] radius access requests retransmissions(18) timeout(18). ------>first timeout after 2 seconds
*Mar 16 18:07:24: %7: [radius] user 16 retry
*Mar 16 18:07:24: %7: [radius] 16 send
*Mar 16 18:07:24: %7: pkt len 676 code 1 id 16
*Mar 16 18:07:24: %7: calcu msg auth ok
*Mar 16 18:07:24: %7: [radius] radius access requests retransmissions(19) timeout(19). ------>second timeout after 4 seconds
*Mar 16 18:07:26: %7: [radius] user 16 retry
*Mar 16 18:07:26: %7: [rds_user] rds delete user, state 2, atype 0
*Mar 16 18:07:26: %7: [rds_user] rds free user id 7, pkid 16 ------>third timeout after 6 seconds
*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.
*Mar 16 18:07:26: %7: [radius] aaa req accounting to group radius
*Mar 16 18:07:26: %7: [accounting] acct len 116
*Mar 16 18:07:26: %7: __rds_add_attr type = 25 len = 0
*Mar 16 18:07:26: %7: [radius] 17 send
*Mar 16 18:07:26: %7: [radius] radius acc requests(5) and pending(3).
*Mar 16 18:07:28: %7: [radius] user 17 retry
*Mar 16 18:07:28: %7: [radius] 17 send
*Mar 16 18:07:28: %7: [radius] radius acc retransmissions(5) timeout(5).
*Mar 16 18:07:30: %7: [radius] user 17 retry
*Mar 16 18:07:30: %7: [radius] 17 send
*Mar 16 18:07:30: %7: [radius] radius acc retransmissions(6) timeout(6).
*Mar 16 18:07:32: %7: [radius] user 17 retry
*Mar 16 18:07:32: %7: [rds_user] rds delete user, state 2, atype 2
*Mar 16 18:07:32: %7: [rds_user] rds free user id 7, pkid 17
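To check the timing rule from step 3 against what the switch actually logged, here is an added example (not Ruijie code) that parses the debug radius event output above: it measures the retry interval and the time from the first access-request to the AAA failover, and compares them with radius timeout * (retransmit + 1) and dot1x server-timeout. The log lines are copied from the output above with the prompt and annotations removed.

```python
# Added example (not Ruijie code): parses "debug radius event" output and checks
# the emergency-channel timing rule radius timeout * (retransmit + 1) < dot1x
# server-timeout against the observed failover time.
import re
from datetime import datetime

# Lines taken from the debug output shown above (annotations removed).
DEBUG_LOG = """\
*Mar 16 18:07:20: %7: [radius] aaa req authentication to group radius
*Mar 16 18:07:20: %7: __rds_add_attr type = 24 len = 0
*Mar 16 18:07:20: %7: [radius] 16 send
*Mar 16 18:07:20: %7: [radius] radius access requests(12).
*Mar 16 18:07:22: %7: [radius] user 16 retry
*Mar 16 18:07:22: %7: [radius] 16 send
*Mar 16 18:07:24: %7: [radius] user 16 retry
*Mar 16 18:07:24: %7: [radius] 16 send
*Mar 16 18:07:26: %7: [radius] user 16 retry
*Mar 16 18:07:26: %7: [rds_user] rds free user id 7, pkid 16
*Mar 16 18:07:26: %AAA-7-FAILOVER: Failing over from 'dot1x' for client 0021.cccf.6f70 on Interface GigabitEthernet 0/1.
*Mar 16 18:07:26: %7: [radius] aaa req accounting to group radius
*Mar 16 18:07:26: %7: [radius] 17 send
"""

LINE_RE = re.compile(r"^\*(\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
SEND_RE = re.compile(r"\[radius\] (\d+) send")


def parse_events(log):
    """Yield (timestamp, message) per debug line. The year is not logged, so
    only differences between timestamps are meaningful."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)


def emergency_channel_budget(timeout, retransmit, server_timeout):
    """Seconds until AAA gives up on the Radius group, and whether that fits
    inside dot1x server-timeout (the condition for the escape to work)."""
    budget = timeout * (retransmit + 1)
    return budget, budget < server_timeout


def analyse_failover(log, timeout, retransmit, server_timeout):
    """Correlate the access-request retries of the first authentication with the
    AAA failover line and compare the observed timing with the configured timers."""
    events = list(parse_events(log))
    auth_start = next((ts for ts, msg in events if "aaa req authentication" in msg), None)
    if auth_start is None:
        raise ValueError("no authentication request in log")
    pkt_id, sends, failover = None, [], None
    for ts, msg in events:
        if ts < auth_start:
            continue
        m = SEND_RE.search(msg)
        if m and pkt_id is None:
            pkt_id = m.group(1)          # packet id of the access-request
        if m and m.group(1) == pkt_id:
            sends.append(ts)             # initial send plus each retransmission
        if "%AAA-7-FAILOVER" in msg and failover is None:
            failover = ts
    intervals = [(b - a).total_seconds() for a, b in zip(sends, sends[1:])]
    failover_delay = (failover - auth_start).total_seconds() if failover else None
    budget, fits = emergency_channel_budget(timeout, retransmit, server_timeout)
    return {
        "sends": len(sends),                 # expected: retransmit + 1
        "intervals": intervals,              # expected: each == radius timeout
        "failover_delay": failover_delay,    # expected: == budget
        "budget": budget,
        "escape_effective": fits and failover_delay is not None and failover_delay <= budget,
    }


if __name__ == "__main__":
    # Timers as configured in step 3: timeout 2, retransmit 2, server-timeout 20
    print(analyse_failover(DEBUG_LOG, timeout=2, retransmit=2, server_timeout=20))
```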
Two common deployment patterns of MSTP+VRRP
1. MSTP with a single instance:
As shown in the figure below, SW1 is the root bridge for MSTP instance 0, to which all VLANs are mapped, and the master VRRP gateway for all VLANs. This MSTP deployment pattern is almost the same as RSTP.
Merit: easier maintenance and implementation
Demerit: SW2 is the secondary root and backup VRRP gateway and does not forward any traffic, which wastes network resources.
2. MSTP with multiple instances:
As shown in the figure below, SW1 is the root bridge for MSTP instance 1 and secondary root for instance 2. SW2 is the root bridge for MSTP instance 2 and secondary root for instance 1. MSTP instance 1 includes VLAN 10, 60 and 80 and instance 2 includes VLAN 20, 30 and 70.
SW1 is the master VRRP gateway for VLAN 10, 60 and 80 and the backup VRRP gateway for VLAN 20, 30 and 70. SW2 is the master VRRP gateway for VLAN 20, 30 and 70 and the backup gateway for VLAN 10, 60 and 80.
Merit: fully uses network resources
Demerit: more complicated configuration and maintenance than MSTP with a single instance
Note:
The "MSTP + VRRP" deployment pattern is being replaced by the VSU deployment pattern day by day, and we suggest you apply VSU if possible. Even so, the "MSTP + VRRP" pattern is still a fallback method to ensure a redundant and reliable network if the core and distribution switches do not support VSU.
We suggest you remove some interconnection links first to avoid a Layer 2 loop.
I. Network Topology
SW1 is the master VRRP gateway for users on all VLANs, and SW2 is the backup VRRP gateway for users on all VLANs. Connect SW1 and SW2 through an aggregate port to ensure reliability and configure this AP as a trunk port.
The IP addresses of SW1 on VLANs 10 to 80 are 192.168.10.1 to 192.168.80.1, the IP addresses of SW2 on VLANs 10 to 80 are 192.168.10.2 to 192.168.80.2, and the VRRP IP addresses are 192.168.10.254 to 192.168.80.254.
II. Configuration Steps
Configuring SW1
Configuring MSTP
Ruijie#config terminal
Ruijie(config)#spanning-tree mst 0 priority 0 ------>instance id=0, priority=0 (the lower the number, the more likely the switch is chosen as the root bridge); by default, all VLANs are mapped to instance 0
Ruijie(config)#spanning-tree ------>enable the STP feature; the default STP mode is MSTP
Ruijie(config)#exit
Configuring AP
Ruijie#config terminal
Ruijie(config)#interface aggregateport 1
Ruijie(config-if-AggregatePort1)#switchport mode trunk
Ruijie(config-if-AggregatePort1)#exit
Ruijie(config)#interface tengigabitEthernet 3/1
Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1
Ruijie(config-if-TenGigabitEthernet3/1)#exit
Ruijie(config)#interface tengigabitEthernet 3/2
Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1
Ruijie(config-if-TenGigabitEthernet3/2)#exit
Ruijie(config)#interface range gigabitEthernet 1/1-5
Ruijie(config-if-range)#switchport mode trunk ----->don't forget to prune the trunk port
Configuring VRRP
Ruijie(config)#vlan 10
Ruijie(config)#inter vlan 10
Ruijie(config-if-VLAN10)#ip address 192.168.10.1 255.255.255.0
Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254
Ruijie(config-if-VLAN10)#vrrp 10 priority 120 ------>vrrp group id=10, priority value=120 (the bigger the number, the more likely the switch is chosen as the master; the default value is 100)
Ruijie(config-if-VLAN10)#exit
Ruijie(config)#vlan 20
Ruijie(config)#inter vlan 20
Ruijie(config-if-VLAN20)#ip address 192.168.20.1 255.255.255.0
Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254
Ruijie(config-if-VLAN20)#vrrp 20 priority 120
Ruijie(config-if-VLAN20)#exit
........... configuration of VLAN 30 ~ VLAN 70 is omitted ............
Ruijie(config)#vlan 80
Ruijie(config)#inter vlan 80
Ruijie(config-if-VLAN80)#ip address 192.168.80.1 255.255.255.0
Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254
Ruijie(config-if-VLAN80)#vrrp 80 priority 120
Ruijie(config-if-VLAN80)#exit
Configuring SW2
Configuring MSTP
Ruijie#config terminal
Ruijie(config)#spanning-tree mst 0 priority 4096 ------>instance id=0, priority=4096 (the lower the number, the more likely the switch is chosen as the root bridge); by default, all VLANs are mapped to instance 0
Ruijie(config)#spanning-tree ------>enable the STP feature; the default mode is MSTP
Ruijie(config)#exit
Configuring AP
Ruijie#config terminal
Ruijie(config)#interface aggregateport 1
Ruijie(config-if-AggregatePort1)#switchport mode trunk
Ruijie(config-if-AggregatePort1)#exit
Ruijie(config)#interface tengigabitEthernet 3/1
Ruijie(config-if-TenGigabitEthernet3/1)#port-group 1
Ruijie(config-if-TenGigabitEthernet3/1)#exit
Ruijie(config)#interface tengigabitEthernet 3/2
Ruijie(config-if-TenGigabitEthernet3/2)#port-group 1
Ruijie(config-if-TenGigabitEthernet3/2)#exit
Ruijie(config)#interface range gigabitEthernet 1/1-5
Ruijie(config-if-range)#switchport mode trunk ----->don't forget to prune the trunk port
Configuring VRRP
Ruijie(config)#vlan 10
Ruijie(config)#inter vlan 10
Ruijie(config-if-VLAN10)#ip address 192.168.10.2 255.255.255.0
Ruijie(config-if-VLAN10)#vrrp 10 ip 192.168.10.254 ------>vrrp group id=10, priority value remains the default setting (the bigger the number, the more likely the switch is chosen as the master; the default value is 100)
Ruijie(config-if-VLAN10)#exit
Ruijie(config)#vlan 20
Ruijie(config)#inter vlan 20
Ruijie(config-if-VLAN20)#ip address 192.168.20.2 255.255.255.0
Ruijie(config-if-VLAN20)#vrrp 20 ip 192.168.20.254
Ruijie(config-if-VLAN20)#exit
........... configuration of VLAN 30 ~ VLAN 70 is omitted ............
Ruijie(config)#vlan 80
Ruijie(config)#inter vlan 80
Ruijie(config-if-VLAN80)#ip address 192.168.80.2 255.255.255.0
Ruijie(config-if-VLAN80)#vrrp 80 ip 192.168.80.254
Ruijie(config-if-VLAN80)#exit
Configuring SW11, SW12, SW13, SW14, SW15, SW16
Ruijie#config terminal
Ruijie(config)#interface range gigabitEthernet 0/25-26
Ruijie(config-if-range)#switchport mode trunk
Ruijie(config-if-range)#exit
Ruijie(config)#spanning-tree ------>enable the STP feature; the default mode is MSTP
Ruijie(config)#exit
If we want to manually make MSTP put G0/25 on SW11 and SW12 into the forwarding state, we can assign a higher cost value to G0/26, so that MSTP blocks G0/26. (If a loop occurs, MST uses the path cost when selecting an interface to place into the forwarding state. A lower path cost represents higher-speed transmission.)
Ruijie(config)#interface gi0/26
Ruijie(config-if-GigabitEthernet0/26)#spanning-tree cost 200000 ------>the default value is derived from the media speed of the interface, and the cost value of a 1000M port is 20000
Ruijie(config-if-GigabitEthernet0/26)#exit
Connecting the cables and verifying the status of STP and VRRP
1. This example displays that SW1 is the root bridge
SW1:
Ruijie#show spanning-tree
StpVersion: MSTP
SysStpStatus: ENABLED
MaxAge: 20
HelloTime: 2
ForwardDelay: 15
BridgeMaxAge: 20
BridgeHelloTime: 2
BridgeForwardDelay: 15
MaxHops: 20
TxHoldCount: 3
PathCostMethod: Long
BPDUGuard: Disabled
BPDUFilter: Disabled
LoopGuardDef : Disabled
######mst 0 vlans map : ALL
BridgeAddr: 1414.4b19.ecc0 ------>local MAC address
Priority: 0
TimeSinceTopologyChange: 12d:0h:19m:46s
TopologyChanges: 0
DesignatedRoot: 0.1414.4b19.ecc0 ------>root MAC address
RootCost: 0
RootPort: 0
CistRegionRoot: 0.1414.4b19.ecc0
CistPathCost: 0
2. This example displays that SW1 is the VRRP master
Ruijie#show vrrp 10
VLAN10 - Group 10
State is Master
Virtual IP address is 192.168.10.254 configured
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1 sec
Preemption is enabled
min delay is 0 sec
Priority is 120
Master Router is 192.168.10.1 (local), priority is 120
Master Advertisement interval is 1 sec
Master Down interval is 3.53 sec
Ruijie#show vrrp brief
Interface  Grp  Pri  timer  Own  Pre  State   Master addr   Group addr
VLAN10     10   120  3.53   -    P    Master  192.168.10.1  192.168.10.254
VLAN20     20   120  3.53   -    P    Master  192.168.20.1  192.168.20.254
VLAN30     30   120  3.53   -    P    Master  192.168.30.1  192.168.30.254
VLAN40     40   120  3.53   -    P    Master  192.168.40.1  192.168.40.254
VLAN50     50   120  3.53   -    P    Master  192.168.50.1  192.168.50.254
VLAN60     60   120  3.53   -    P    Master  192.168.60.1  192.168.60.254
VLAN70     70   120  3.53   -    P    Master  192.168.70.1  192.168.70.254
VLAN80     80   120  3.53   -    P    Master  192.168.80.1  192.168.80.254
3. This example, taken on SW2, displays that SW1 is the root bridge
SW2:
Ruijie#show spanning-tree
StpVersion: MSTP
SysStpStatus: ENABLED
MaxAge: 20
HelloTime: 2
ForwardDelay: 15
BridgeMaxAge: 20
BridgeHelloTime: 2
BridgeForwardDelay: 15
MaxHops: 20
TxHoldCount: 3
PathCostMethod: Long
BPDUGuard: Disabled
BPDUFilter: Disabled
LoopGuardDef : Disabled
######mst 0 vlans map : ALL
BridgeAddr: 00d0.f834.ea70 ------>SW2 MAC address
Priority: 4096
TimeSinceTopologyChange: 0d:0h:9m:2s
TopologyChanges: 6
DesignatedRoot: 0000.1414.4b19.ecc0 ------>root MAC address (SW1)
RootCost: 0
RootPort: 3
CistRegionRoot: 0000.1414.4b19.ecc0
CistPathCost: 20000
4. This example displays that SW2 is the VRRP backup
Ruijie#show vrrp 10
VLAN10 - Group 10
State is Backup
Virtual IP address is 192.168.10.254 configured
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1 sec
Preemption is enabled
min delay is 0 sec
Priority is 100
Master Router is 192.168.10.1 , priority is 120
Master Advertisement interval is 1 sec
Master Down interval is 3 sec
5. This example displays how to verify the root bridge on SW11 and SW12 and whether MSTP has blocked G0/26 as designed.
Ruijie#show spanning-tree summary
Spanning tree enabled protocol mstp
MST0 vlans map : ALL
Root ID Priority 0
Address 1414.4b19.ecc0 ------>root bridge MAC address
this bridge is root
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Bridge ID Priority 32768
Address 00d0.f8b5.0a0b ------>local MAC address
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Interface  Role  Sts  Cost    Prio  Type  OperEdge
---------  ----  ---  ------  ----  ----  --------
Gi0/25     Root  FWD  200000  128   P2p   False    ------>root port
Gi0/26     Altn  BLK  200000  128   P2p            ------>blocked port
When you connect a Ruijie switch to other vendors' switches, pay attention to spanning-tree compatibility:
1. When you connect Ruijie to Cisco, you must double-check whether the Cisco firmware supports standard MSTP. So far, Cisco switches with firmware 12.25(SE) and above support standard MSTP, but older firmware does not, so old firmware running nonstandard MSTP has compatibility issues and you must upgrade the switch to version 12.25(SE) or above. If the Cisco switch is too old to be upgraded to version 12.25(SE) or above, you can disable STP and enable BPDU bridge mode to pass through all BPDU packets. To enable BPDU bridge mode, perform this task:
Ruijie(config)#no spanning-tree
Ruijie(config)#bridge-frame forwarding protocol bpdu
2. We suggest you configure exactly the same MSTP name, revision and instance mapping when you enable MSTP on Ruijie and other vendors' switches, to prevent STP compatibility issues. You can also enable RSTP, because RSTP has better compatibility.
Note:
The "MSTP + VRRP" deployment pattern is being replaced by the VSU deployment pattern day by day, and we suggest you apply VSU if possible. Even so, the "MSTP + VRRP" pattern is still a fallback method to ensure a redundant and reliable network if the core and distribution switches do not support VSU.
We suggest you remove some interconnection links first to avoid a Layer 2 loop.
I. Network Topology
SW1 is the master VRRP gateway for users on VLAN 10, 20, 30, 40, 60 and 70, and the backup VRRP gateway for servers on VLAN 50 and 80. SW2 is the master VRRP gateway for servers on VLAN 50 and 80, and the backup VRRP gateway for users on VLAN 10, 20, 30, 40, 60 and 70. Connect SW1 and SW2 through an aggregate port to ensure reliability and configure this AP as a trunk port.
The IP addresses of SW1 on VLANs 10 to 80 are 192.168.10.1 to 192.168.80.1, the IP addresses of SW2 on VLANs 10 to 80 are 192.168.10.2 to 192.168.80.2, and the VRRP IP addresses are 192.168.10.254 to 192.168.80.254.
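The point of the multi-instance design above is that the MSTP root of each instance must also be the VRRP master of every VLAN in that instance; otherwise gateway traffic for a VLAN is forced across the inter-switch AP. The following added example (not Ruijie code) runs both elections and flags any VLAN where they disagree. It uses the instance-to-VLAN mapping from the MSTP configuration steps below (instance 1: 10, 20, 30, 40, 60, 70; instance 2: 50, 80) and the switch MAC addresses from the show spanning-tree output on this page; SW2's MSTP and VRRP priorities are assumptions, since the SW2 configuration is not shown in this excerpt.

```python
# Added example (not Ruijie code): checks that the MSTP root bridge of each
# instance is also the VRRP master for every VLAN in that instance.

def mac_to_int(mac):
    return int(mac.replace(".", ""), 16)


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def mst_root(instance, switches):
    """Lowest bridge ID wins: instance priority first, then lower MAC address.
    An instance with no explicit priority uses the default 32768."""
    return min(switches, key=lambda s: (s["mst_priority"].get(instance, 32768),
                                        mac_to_int(s["mac"])))


def vrrp_master(vlan, switches):
    """Highest VRRP priority wins (default 100); a tie goes to the higher
    primary IP address on that VLAN."""
    return max(switches, key=lambda s: (s["vrrp_priority"].get(vlan, 100),
                                        ip_to_int(s["vlan_ip"][vlan])))


def check_alignment(instance_vlans, switches):
    """Return (vlan, instance, mst_root, vrrp_master) for every VLAN whose
    VRRP master is not the root bridge of its MSTP instance."""
    problems = []
    for instance, vlans in instance_vlans.items():
        root = mst_root(instance, switches)["name"]
        for vlan in vlans:
            master = vrrp_master(vlan, switches)["name"]
            if master != root:
                problems.append((vlan, instance, root, master))
    return problems


# Instance mapping from the MSTP configuration steps on this page.
INSTANCE_VLANS = {1: [10, 20, 30, 40, 60, 70], 2: [50, 80]}
ALL_VLANS = [v for vs in INSTANCE_VLANS.values() for v in vs]

SW1 = {
    "name": "SW1",
    "mac": "1414.4b19.ecc0",                      # from show spanning-tree
    "mst_priority": {0: 0, 1: 0, 2: 4096},        # from the SW1 MSTP steps
    "vlan_ip": {v: f"192.168.{v}.1" for v in ALL_VLANS},
    "vrrp_priority": {v: 120 for v in INSTANCE_VLANS[1]},  # 50/80 left at default
}
SW2 = {
    "name": "SW2",
    "mac": "00d0.f834.ea70",                      # from show spanning-tree
    "mst_priority": {0: 4096, 1: 4096, 2: 0},     # assumption for SW2
    "vlan_ip": {v: f"192.168.{v}.2" for v in ALL_VLANS},
    "vrrp_priority": {50: 120, 80: 120},          # assumption for SW2
}

if __name__ == "__main__":
    print("mismatches in the intended design:", check_alignment(INSTANCE_VLANS, [SW1, SW2]))
    # A copy-paste slip: VLAN 50 on SW1 also gets a raised priority, so SW1
    # becomes VRRP master for a VLAN whose root bridge is SW2.
    sw1_bad = dict(SW1, vrrp_priority={**SW1["vrrp_priority"], 50: 130})
    print("mismatches with the slip:", check_alignment(INSTANCE_VLANS, [sw1_bad, SW2]))
```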
II. ConfigurationSteps
Configuring SW1
Configuring MSTP
Ruijie#configterminal
Ruijie(config)#vlanrange 10,20,30,40,50,60,70,80
Ruijie(config-vlan-range)#exit
Ruijie(config)#spanning-treemst configuration ------>enter mst configuration mode
Ruijie(config-mst)#nameruijie ------>switches in a same MSTP area must have the sameinstance name
Ruijie(config-mst)#instance1 vlan 10,20,30,40,60,70 ----->map vlan 10,20,30,40,60,70 to instance 1 , andswitches in a same MSTP area must have the same mapping
Ruijie(config-mst)#instance2 vlan 50,80 -----> map vlan 50,80 to instance 2 , and switches in a sameMSTP area must have the same mapping
Ruijie(config-mst)#exit
Ruijie(config)#spanning-treemst 0 priority 0 ----->By default , instance 0 exists ,and any other vlansthat haven't mapped to an instance are mapped to instance 0. SW1 is the rootbridge for instance 0
Ruijie(config)#spanning-treemst 1 priority 0 ----->SW1 is the root bridge in instance 1
Ruijie(config)#spanning-treemst 2 priority 4096 ----->SW1 is the secondary bridge in instance 2
Ruijie(config)#spanning-tree ------>enableSTP feature
Configuring AP
Ruijie#config terminal
Ruijie(config)#interface aggregateport 1
Ruijie(config-if-AggregatePort 1)#switchport mode trunk
Ruijie(config-if-AggregatePort 1)#exit
Ruijie(config)#interface tengigabitEthernet 3/1
Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1
Ruijie(config-if-TenGigabitEthernet 3/1)#exit
Ruijie(config)#interface tengigabitEthernet 3/2
Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1
Ruijie(config-if-TenGigabitEthernet 3/2)#exit
Ruijie(config)#interface range gigabitEthernet 1/1-5
Ruijie(config-if-range)#switchport mode trunk ------>do not forget to prune each trunk so it carries only the VLANs of the access switch behind it
Configuring VRRP
Ruijie(config)#vlan 10
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.10.1 255.255.255.0
Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254
Ruijie(config-if-VLAN 10)#vrrp 10 priority 120 ------>VRRP group 10, priority 120 (the higher the value, the more likely the switch is elected master; the default is 100)
Ruijie(config-if-VLAN 10)#exit
Ruijie(config)#vlan 20
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 20
Ruijie(config-if-VLAN 20)#ip address 192.168.20.1 255.255.255.0
Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254
Ruijie(config-if-VLAN 20)#vrrp 20 priority 120
Ruijie(config-if-VLAN 20)#exit
...........The configuration of VLANs 30, 40, 60 and 70 is the same and is omitted............
The VRRP master gateway of VLANs 50 and 80 is SW2, which is also the root bridge of instance 2, so SW1 keeps the default priority (100) in these two groups:
Ruijie(config)#vlan 50
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 50
Ruijie(config-if-VLAN 50)#ip address 192.168.50.1 255.255.255.0
Ruijie(config-if-VLAN 50)#vrrp 50 ip 192.168.50.254 ------>VRRP group 50, priority left at the default of 100
Ruijie(config-if-VLAN 50)#exit
Ruijie(config)#vlan 80
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 80
Ruijie(config-if-VLAN 80)#ip address 192.168.80.1 255.255.255.0
Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254 ------>VRRP group 80, priority left at the default of 100
Ruijie(config-if-VLAN 80)#exit
Configuring SW2
Configuring MSTP
Ruijie#config terminal
Ruijie(config)#vlan range 10,20,30,40,50,60,70,80
Ruijie(config-vlan-range)#exit
Ruijie(config)#spanning-tree mst configuration ------>enter MST configuration mode
Ruijie(config-mst)#name ruijie ------>switches in the same MSTP region must have the same region name (and revision level)
Ruijie(config-mst)#instance 1 vlan 10,20,30,40,60,70 ------>map VLANs 10,20,30,40,60,70 to instance 1; switches in the same MSTP region must have the same mapping
Ruijie(config-mst)#instance 2 vlan 50,80 ------>map VLANs 50,80 to instance 2; switches in the same MSTP region must have the same mapping
Ruijie(config-mst)#exit
Ruijie(config)#spanning-tree mst 0 priority 4096 ------>instance 0 exists by default, and any VLAN not mapped to another instance belongs to instance 0. SW2 is the secondary root bridge of instance 0
Ruijie(config)#spanning-tree mst 1 priority 4096 ------>SW2 is the secondary root bridge of instance 1
Ruijie(config)#spanning-tree mst 2 priority 0 ------>SW2 is the root bridge of instance 2
Ruijie(config)#spanning-tree ------>enable spanning tree
Configuring AP
Ruijie#config terminal
Ruijie(config)#interface aggregateport 1
Ruijie(config-if-AggregatePort 1)#switchport mode trunk
Ruijie(config-if-AggregatePort 1)#exit
Ruijie(config)#interface tengigabitEthernet 3/1
Ruijie(config-if-TenGigabitEthernet 3/1)#port-group 1
Ruijie(config-if-TenGigabitEthernet 3/1)#exit
Ruijie(config)#interface tengigabitEthernet 3/2
Ruijie(config-if-TenGigabitEthernet 3/2)#port-group 1
Ruijie(config-if-TenGigabitEthernet 3/2)#exit
Ruijie(config)#interface range gigabitEthernet 1/1-5
Ruijie(config-if-range)#switchport mode trunk ------>do not forget to prune each trunk so it carries only the VLANs of the access switch behind it
Configuring VRRP
SW2 is the VRRP backup gateway of VLANs 10, 20, 30, 40, 60 and 70, matching its role as secondary root bridge of instance 1, so its priority in these groups stays at the default (100):
Ruijie(config)#vlan 10
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.10.2 255.255.255.0
Ruijie(config-if-VLAN 10)#vrrp 10 ip 192.168.10.254 ------>VRRP group 10, priority left at the default of 100
Ruijie(config-if-VLAN 10)#exit
Ruijie(config)#vlan 20
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 20
Ruijie(config-if-VLAN 20)#ip address 192.168.20.2 255.255.255.0
Ruijie(config-if-VLAN 20)#vrrp 20 ip 192.168.20.254 ------>VRRP group 20, priority left at the default of 100
Ruijie(config-if-VLAN 20)#exit
...........The configuration of VLANs 30, 40, 60 and 70 is the same and is omitted............
Ruijie(config)#vlan 50
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 50
Ruijie(config-if-VLAN 50)#ip address 192.168.50.2 255.255.255.0
Ruijie(config-if-VLAN 50)#vrrp 50 ip 192.168.50.254
Ruijie(config-if-VLAN 50)#vrrp 50 priority 120 ------>VRRP group 50, priority 120 (the higher the value, the more likely the switch is elected master; the default is 100)
Ruijie(config-if-VLAN 50)#exit
Ruijie(config)#vlan 80
Ruijie(config-vlan)#exit
Ruijie(config)#interface vlan 80
Ruijie(config-if-VLAN 80)#ip address 192.168.80.2 255.255.255.0
Ruijie(config-if-VLAN 80)#vrrp 80 ip 192.168.80.254
Ruijie(config-if-VLAN 80)#vrrp 80 priority 120 ------>VRRP group 80, priority 120
Ruijie(config-if-VLAN 80)#exit
Configuring the access switches SW11 to SW16:
Ruijie#config terminal
Ruijie(config)#interface range gigabitEthernet 0/25-26
Ruijie(config-if-range)#switchport mode trunk
Ruijie(config-if-range)#exit
Ruijie(config)#vlan range 10,20,30,40,50,60,70,80
Ruijie(config-vlan-range)#exit
Ruijie(config)#spanning-tree mst configuration
Ruijie(config-mst)#name ruijie
Ruijie(config-mst)#instance 1 vlan 10,20,30,40,60,70
Ruijie(config-mst)#instance 2 vlan 50,80
Ruijie(config-mst)#exit
Ruijie(config)#spanning-tree ------>the access switches keep the default bridge priority (32768), so they never become root
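The two elections this design depends on, modelled in Python as an added example that is not part of the Ruijie guide: the MSTP root election per instance and the VRRP master election per VLAN, with a check that the two agree for every VLAN. It uses the priorities configured above and the MAC addresses that appear in the show spanning-tree output further down; the access-switch entry assumes the default bridge priority.

```python
"""Added example, not from the Ruijie guide: MSTP root and VRRP master elections
for the SW1/SW2 design, plus a check that they agree. MAC addresses are the
ones shown in the verification output below (1414.4b5a.198c = SW1,
1414.4b5a.18d4 = SW2, 001a.a9c4.05f2 = an access switch, default priority)."""
import ipaddress

# Which MST instance carries each VLAN ("instance 1 vlan ..." / "instance 2 vlan ...").
VLAN_TO_INSTANCE = {10: 1, 20: 1, 30: 1, 40: 1, 60: 1, 70: 1, 50: 2, 80: 2}
DEFAULT_MST_PRIORITY = 32768
DEFAULT_VRRP_PRIORITY = 100


def mac_to_int(mac):
    return int(mac.replace(".", "").replace(":", ""), 16)


def mst_root(instance, switches):
    """Root bridge of an MST instance: the lowest (priority, MAC) wins. The 16-bit
    priority field also carries the instance ID in its low 12 bits, but that part
    is identical for every bridge within one instance, so it does not change the
    comparison."""
    def bridge_id(name):
        sw = switches[name]
        return (sw["mst_priority"].get(instance, DEFAULT_MST_PRIORITY), mac_to_int(sw["mac"]))
    return min(switches, key=bridge_id)


def vrrp_master(vlan, switches):
    """VRRP master of a group: the highest priority wins; on a tie the router with
    the higher primary IP address wins (RFC 3768 section 6.4.2)."""
    def key(name):
        grp = switches[name]["vrrp"][vlan]
        return (grp.get("priority", DEFAULT_VRRP_PRIORITY), ipaddress.IPv4Address(grp["ip"]))
    members = [n for n in switches if vlan in switches[n]["vrrp"]]
    return max(members, key=key)


def misaligned_vlans(switches):
    """VLANs whose VRRP master is not the root of the MST instance carrying the
    VLAN. For such a VLAN an access switch forwards toward the root over its root
    port and the frame then has to cross the SW1-SW2 aggregate link to reach the
    gateway: an extra hop, and one link carrying traffic for both roles."""
    return [vlan for vlan, inst in sorted(VLAN_TO_INSTANCE.items())
            if mst_root(inst, switches) != vrrp_master(vlan, switches)]


def design():
    """The SW1/SW2 configuration from the steps above, as data."""
    def vrrp(last_octet, master_instance):
        return {v: {"ip": f"192.168.{v}.{last_octet}",
                    "priority": 120 if VLAN_TO_INSTANCE[v] == master_instance else DEFAULT_VRRP_PRIORITY}
                for v in VLAN_TO_INSTANCE}
    return {
        "SW1": {"mac": "1414.4b5a.198c", "mst_priority": {0: 0, 1: 0, 2: 4096}, "vrrp": vrrp(1, 1)},
        "SW2": {"mac": "1414.4b5a.18d4", "mst_priority": {0: 4096, 1: 4096, 2: 0}, "vrrp": vrrp(2, 2)},
        "SW11": {"mac": "001a.a9c4.05f2", "mst_priority": {}, "vrrp": {}},
    }


if __name__ == "__main__":
    d = design()
    for vlan, inst in sorted(VLAN_TO_INSTANCE.items()):
        print(f"VLAN {vlan}: MST{inst} root {mst_root(inst, d)}, VRRP master {vrrp_master(vlan, d)}")
    print("misaligned VLANs:", misaligned_vlans(d) or "none")
```

Running it with the design as configured reports no misaligned VLAN. Dropping the explicit "vrrp ... priority 120" lines makes every group a 100/100 tie, which VRRP breaks in favour of the higher address (SW2, the .2 side), so all six user VLANs would then be served by the switch that is not their MSTP root; the priorities are therefore not optional.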
Connecting the cables and verifying MSTP and VRRP status
1. This example shows that SW1 is the root bridge in instances 0 and 1, and SW2 is the root bridge in instance 2.
SW1:
RuijieSW1#show spanning-tree summary
Spanning tree enabled protocol mstp
MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094
Root ID Priority 0
Address 1414.4b5a.198c ------>MAC address of the root bridge of instance 0
this bridge is root
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Bridge ID Priority 0
Address 1414.4b5a.198c ------>local MAC address
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Desg FWD 19000 128 False P2p
Gi0/1 Desg FWD 20000 128 False P2p
MST1 vlans map : 10, 20, 30, 40, 60, 70
Region Root Priority 0
Address 1414.4b5a.198c ------>MAC address of the root bridge of instance 1
this bridge is region root
Bridge ID Priority 0
Address 1414.4b5a.198c ------>local MAC address
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Desg FWD 19000 128 False P2p
Gi0/1 Desg FWD 20000 128 False P2p
MST2 vlans map : 50, 80
Region Root Priority 0
Address 1414.4b5a.18d4 ------>MAC address of the root bridge of instance 2 (SW2)
this bridge is region root
Bridge ID Priority 4096
Address 1414.4b5a.198c
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Root FWD 19000 128 False P2p
Gi0/1 Desg FWD 20000 128 False P2p
SW2:
RuijieSW2#show spanning-tree summary
Spanning tree enabled protocol mstp
MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094
Root ID Priority 0
Address 1414.4b5a.198c ------>MAC address of the root bridge of instance 0, which is SW1
this bridge is root
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Bridge ID Priority 4096
Address 1414.4b5a.18d4 ------>local MAC address
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Root FWD 19000 128 False P2p
Gi2/0/1 Desg FWD 20000 128 False P2p
MST1 vlans map : 10, 20, 30, 40, 60, 70
Region Root Priority 0
Address 1414.4b5a.198c ------>MAC address of the root bridge of instance 1, which is SW1
this bridge is region root
Bridge ID Priority 4096
Address 1414.4b5a.18d4 ------>local MAC address
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Root FWD 19000 128 False P2p
Gi2/0/1 Desg FWD 20000 128 False P2p
MST2 vlans map : 50, 80
Region Root Priority 0
Address 1414.4b5a.18d4 ------>MAC address of the root bridge of instance 2, which is SW2 itself
this bridge is region root
Bridge ID Priority 0
Address 1414.4b5a.18d4 ------>local MAC address
Interface Role Sts Cost Prio OperEdge Type
-------------------- --- ---------- -------- -------- ----------------
Ag1 Desg FWD 19000 128 False P2p
Gi2/0/1 Desg FWD 20000 128 False P2p
2. This example shows that SW1 is the master on VLANs 10, 20, 30, 40, 60 and 70 and the backup on VLANs 50 and 80, while SW2 is the master on VLANs 50 and 80 and the backup on VLANs 10, 20, 30, 40, 60 and 70. The Pre column shows that preemption (P) is enabled, so a recovered switch takes its master role back.
SW1:
RuijieSW1#show vrrp brief
Interface Grp Pri timer Own Pre State Master addr Group addr
VLAN10 10 120 3.53 - P Master 192.168.10.1 192.168.10.254
VLAN20 20 120 3.53 - P Master 192.168.20.1 192.168.20.254
VLAN30 30 120 3.53 - P Master 192.168.30.1 192.168.30.254
VLAN40 40 120 3.53 - P Master 192.168.40.1 192.168.40.254
VLAN50 50 100 3.60 - P Backup 192.168.50.2 192.168.50.254
VLAN60 60 120 3.53 - P Master 192.168.60.1 192.168.60.254
VLAN70 70 120 3.53 - P Master 192.168.70.1 192.168.70.254
VLAN80 80 100 3.60 - P Backup 192.168.80.2 192.168.80.254
SW2:
RuijieSW2#show vrrp brief
Interface Grp Pri timer Own Pre State Master addr Group addr
VLAN10 10 100 3.60 - P Backup 192.168.10.1 192.168.10.254
VLAN20 20 100 3.60 - P Backup 192.168.20.1 192.168.20.254
VLAN30 30 100 3.60 - P Backup 192.168.30.1 192.168.30.254
VLAN40 40 100 3.60 - P Backup 192.168.40.1 192.168.40.254
VLAN50 50 120 3.53 - P Master 192.168.50.2 192.168.50.254
VLAN60 60 100 3.60 - P Backup 192.168.60.1 192.168.60.254
VLAN70 70 100 3.60 - P Backup 192.168.70.1 192.168.70.254
VLAN80 80 120 3.53 - P Master 192.168.80.2 192.168.80.254
3. This example shows how to verify the root bridge from an access switch and whether MSTP has blocked a port to prevent a loop.
Ruijie#show spanning-tree summary
Spanning tree enabled protocol mstp
MST0 vlans map : 1-9, 11-19, 21-29, 31-39, 41-49, 51-59, 61-69, 71-79, 81-4094
Root ID Priority 0
Address 1414.4b5a.198c
this bridge is root
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Bridge ID Priority 32768
Address 001a.a9c4.05f2
Hello Time 2 sec Forward Delay 15 sec Max Age 20 sec
Interface Role Sts Cost Prio Type OperEdge
-------------------- --- ---------- -------- ----- ---------------
Gi0/24 Altn BLK 20000 128 P2p False ------>one Blocked port
Gi0/23 Root FWD 20000 128 P2p False ------>one Root port
MST1 vlans map : 10, 20, 30, 40, 60, 70
Region Root Priority 0
Address 1414.4b5a.198c ------>MAC address of the root bridge of instance 1, which is SW1
this bridge is region root
Bridge ID Priority 32768
Address 001a.a9c4.05f2
Interface Role Sts Cost Prio Type OperEdge
-------------------- --- ---------- -------- ----- ---------------
Gi0/24 Altn BLK 20000 128 P2p False ------>one Blocked port
Gi0/23 Root FWD 20000 128 P2p False ------>one Root port
MST2 vlans map : 50, 80
Region Root Priority 0
Address 1414.4b5a.18d4 ------>MAC address of the root bridge of instance 2, which is SW2
this bridge is region root
Bridge ID Priority 32768
Address 001a.a9c4.05f2
Interface Role Sts Cost Prio Type OperEdge
-------------------- --- ---------- -------- ----- ---------------
Gi0/24 Root FWD 20000 128 P2p False ------>the root port: in instance 2 the root is SW2, so the link toward SW2 forwards VLANs 50 and 80
Gi0/23 Altn BLK 20000 128 P2p False ------>the blocked port: the link toward SW1 is the alternate path for VLANs 50 and 80
When you connect a Ruijie switch to another vendor's switch, pay attention to spanning-tree compatibility:
1. When you connect Ruijie to Cisco, first confirm whether the Cisco software supports standard (IEEE 802.1s) MSTP. Cisco switches running 12.25(SE) and later support standard MSTP; older software runs a pre-standard MSTP that does not interoperate, so upgrade such switches to 12.25(SE) or later. If the Cisco switch is too old to be upgraded, disable spanning tree on the Ruijie switch and enable BPDU bridge mode, which forwards all BPDUs transparently. Note that with spanning tree disabled the Ruijie switch no longer blocks any of its own ports; loop prevention then rests entirely on the neighbouring switches, so make sure no loop can exist that only this switch could have broken. To enable BPDU bridge mode, perform this task:
Ruijie(config)#no spanning-tree
Ruijie(config)#bridge-frame forwarding protocol bpdu
2. We suggest configuring exactly the same MSTP region name, revision level and instance-to-VLAN mapping when you enable MSTP on Ruijie and other vendors' switches; any difference puts the switches into different regions. You can also use RSTP instead, which has better cross-vendor compatibility.
I. Network Topology
Overview
ARP (Address Resolution Protocol) provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send data to host A but does not have host A's MAC address in its ARP cache. In ARP terms, host B is the sender and host A is the target.
To get host A's MAC address, host B broadcasts an ARP request to all hosts in the broadcast domain asking for the MAC address associated with host A's IP address. Every host in the broadcast domain receives the request, and host A responds with its MAC address.
Feature
ARP itself does not verify incoming ARP packets: any host can claim any IP-to-MAC mapping, and many hosts update their cache from any reply, solicited or not. This weakness lets attackers launch ARP spoofing easily. The most typical form is the man-in-the-middle attack, described as follows:
As shown in the diagram, devices A, B and C are connected to a Ruijie device and located in the same subnet. Their IP and MAC addresses are (IPA, MACA), (IPB, MACB) and (IPC, MACC). When device A needs to communicate with device B at the network layer, A broadcasts an ARP request in the subnet asking for B's MAC address. On receiving the request, B updates its ARP cache with (IPA, MACA) and sends an ARP reply. On receiving the reply, A updates its ARP cache with (IPB, MACB).
Device C abuses this model to corrupt the ARP entries in A and B: it continuously sends ARP replies into the network whose sender IP address is IPA or IPB and whose sender MAC address is MACC. A then holds the entry (IPB, MACC) and B holds (IPA, MACC). Traffic between A and B now flows through C, without A or B noticing. C acts as an intermediary, modifying the received packets as it likes and forwarding them on to the other device. This is the well-known man-in-the-middle attack.
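The spoofed replies above and the per-port check that the "port-security + ARP-check" scenario below relies on, as an added Python model that is not code from the Ruijie guide. It builds raw Ethernet/ARP frames, parses them, and applies the two rules the switch applies: port-security (the Ethernet source MAC must be the bound MAC) and ARP-check (the ARP sender IP, and the sender MAC when one is bound, must match the port's entry). The bindings are the ones configured in that scenario on Fa0/1 to Fa0/3; the attacker MAC 000c.2917.aa01, the port names and the frames are constructed for the example.

```python
"""Added example, not code from the Ruijie guide: the man-in-the-middle spoof
described above, run through a model of the port-security + ARP-check rules
of the next scenario. Frames, port names and the attacker MAC 000c.2917.aa01
are constructed for the example."""
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def mac_str(b):  # dotted form, as Ruijie prints it
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst="ffff.ffff.ffff"):
    """Ethernet/ARP frame. eth_src defaults to the ARP sender MAC; a different
    value models a host that forges only the ARP payload."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    return eth + ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                              mac_bytes(tha), ip_bytes(tpa))


def parse_arp(frame):
    """ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, src, etype = ETH_HDR.unpack_from(frame)
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if etype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


# Security entries as created by "switchport port-security binding ..." below.
# Fa0/3 is an IP-only binding; ports absent from the table (the uplink) are not checked.
BINDINGS = {
    "Fa0/1": {"mac": "0021.cccf.6f70", "ip": "192.168.1.1"},
    "Fa0/2": {"mac": "0023.5abd.1975", "ip": "192.168.1.2"},
    "Fa0/3": {"ip": "192.168.1.3"},
}


def arp_check(port, frame, bindings=BINDINGS):
    """(forwarded, reason) for one frame received on `port`. Port-security drops
    any frame whose Ethernet source MAC differs from the bound MAC; ARP-check
    then drops ARP whose sender IP (and sender MAC, when one is bound) differs
    from the port's entry."""
    entry = bindings.get(port)
    if entry is None:
        return True, "no security entry on port; not checked"
    if len(frame) < ETH_HDR.size:
        return False, "runt frame"
    eth_src = mac_str(ETH_HDR.unpack_from(frame)[1])
    if "mac" in entry and eth_src != entry["mac"]:
        return False, f"port-security: source MAC {eth_src} is not bound on {port}"
    arp = parse_arp(frame)
    if arp is None:
        return True, "not ARP; ARP-check does not apply"
    if arp["spa"] != entry["ip"]:
        return False, f"arp-check: sender IP {arp['spa']} != bound {entry['ip']}"
    if "mac" in entry and arp["sha"] != entry["mac"]:
        return False, f"arp-check: sender MAC {arp['sha']} != bound {entry['mac']}"
    return True, "arp-check: sender matches binding"


# Constructed hosts: A on Fa0/1, B on Fa0/2, attacker C on Fa0/3.
MAC_A, IP_A = "0021.cccf.6f70", "192.168.1.1"
MAC_B, IP_B = "0023.5abd.1975", "192.168.1.2"
MAC_C, IP_C = "000c.2917.aa01", "192.168.1.3"


def demo():
    """The frames from the attack description, each with its ingress port."""
    cases = {
        "A replies to B": ("Fa0/1", build_arp(ARP_REPLY, MAC_A, IP_A, MAC_B, IP_B)),
        "C tells B that IPA is at MACC": ("Fa0/3", build_arp(ARP_REPLY, MAC_C, IP_A, MAC_B, IP_B)),
        "C forges a whole frame as A": ("Fa0/3", build_arp(ARP_REPLY, MAC_A, IP_A, MAC_B, IP_B)),
        "C asks for A with its own IP": ("Fa0/3", build_arp(ARP_REQUEST, MAC_C, IP_C, "0000.0000.0000", IP_A)),
        "A's port claims IPB": ("Fa0/1", build_arp(ARP_REPLY, MAC_A, IP_B, MAC_C, IP_C)),
    }
    return {name: arp_check(port, frame) for name, (port, frame) in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'FORWARD' if ok else 'DROP   '} {name}: {why}")
```

The IP-only entry on Fa0/3 shows the trade-off the scenario mentions: C may use any MAC on that port, but it still cannot claim IPA or IPB, because the sender IP in every ARP packet is tied to the port. A host that wants to poison a neighbour therefore needs to be on a port whose entry already carries the victim's IP, which is exactly what the per-port binding prevents.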
Scenario
Port IP&MAC binding + ARP-check: In a network without 802.1X authentication, you can manually bind each user's IP and MAC address to a security entry on the switch port and enable ARP-check on that port to prevent ARP spoofing. A user connected to the port passes the port check and gets network access only when the IP and MAC address the user sends exactly match the security entry on that port.
Merit: This is a very strict way to control every user in your network, and the switch verifies each ARP packet in hardware without consuming CPU resources.
Demerit: You must collect the IP and MAC address of every user and the port on every switch that each user connects to, so this method costs plenty of time to collect information and configure switches, and it is inflexible if users move their physical location often.
I. Requirements
The administrator assigns IP addresses to users manually and configures "port-security + ARP-check" on the switches to defend against ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Enable port-security only on the ports connected to users, never on the uplink port
2. Enable ARP-check only on the ports connected to users, never on the uplink port (the uplink carries ARP from the gateway and from every host behind the core, none of which is bound on this switch)
IV. ConfigurationSteps
Configuring core switch:
Assign an IP address to VLAN 10, the user gateway
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 10)#end
Ruijie#wr
Configuring access switch:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#interface fastEthernet 0/1
Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1
------>bind static IP address 192.168.1.1 and MAC address 0021.CCCF.6F70 on VLAN 10 to the security entry on F0/1
Ruijie(config-if-FastEthernet 0/1)#switchport port-security ------>enable port-security
Ruijie(config-if-FastEthernet 0/1)#arp-check ------>enable ARP-check
Ruijie(config-if-FastEthernet 0/1)#exit
Ruijie(config)#interface fastEthernet 0/2
Ruijie(config-if-FastEthernet 0/2)#switchport port-security binding 0023.5abd.1975 vlan 10 192.168.1.2
------>bind static IP address 192.168.1.2 and MAC address 0023.5abd.1975 on VLAN 10 to the security entry on F0/2
Ruijie(config-if-FastEthernet 0/2)#switchport port-security ------>enable port-security
Ruijie(config-if-FastEthernet 0/2)#arp-check ------>enable ARP-check
Ruijie(config-if-FastEthernet 0/2)#exit
Ruijie(config)#interface fastEthernet 0/3
Ruijie(config-if-FastEthernet 0/3)#switchport port-security binding 192.168.1.3
------>you can also bind only the static IP address 192.168.1.3 to the security entry on F0/3. This is more flexible (any NIC may use the port) but less secure, because the port no longer ties the IP address to one MAC address
Ruijie(config-if-FastEthernet 0/3)#switchport port-security
Ruijie(config-if-FastEthernet 0/3)#arp-check
Ruijie(config-if-FastEthernet 0/3)#end
Ruijie#write
V.Verification
1) How to display the security entries on each port
2) How to display the ARP-check status
Scenario
Global IP&MAC binding + ARP-check: In a network without 802.1X authentication, you can manually bind each user's IP and MAC address in the global security table of the switch and enable ARP-check on the user ports to prevent ARP spoofing. A user connected to a switch port passes the global check and gets network access only when the IP and MAC address the user sends exactly match an entry in the global security table.
Merit: This is a less strict way to control users than solution 1, because a binding is not tied to a particular port, and the switch still verifies each ARP packet in hardware without consuming CPU resources.
Demerit: You must collect the IP and MAC address of every user on every switch, so this method costs plenty of time to collect information and configure switches.
I. Requirements
The administrator assigns static IP addresses to users and configures "global IP&MAC binding + ARP-check" on the switches to prevent ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Bind IP&MAC address of users to global securitytable
2. Configure uplink port as trusted port on which allpackets can pass through without validation
3. Enable address-bind feature globally
4. Enable arp-check feature globally
IV. ConfigurationSteps
Configuring core switch:
Manually assign an IP address to VLAN 10, the user gateway
Ruijie(config)#interface vlan 10
Ruijie(config-if-VLAN 10)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 10)#end
Ruijie#wr
Configuring access switch:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#address-bind 192.168.1.1 0021.cccf.6f70 ------>bind IP 192.168.1.1 and MAC address 0021.cccf.6f70 in the global security table
Ruijie(config)#address-bind 192.168.1.2 0023.5abd.1975 ------>bind IP 192.168.1.2 and MAC address 0023.5abd.1975 in the global security table
Ruijie(config)#address-bind uplink gigabitEthernet 0/25 ------>configure uplink port G0/25 as a trusted port; all packets pass through it without validation. Do this before activating the binding, otherwise traffic from the gateway, which has no entry in the table, is dropped as soon as the binding takes effect
Ruijie(config)#address-bind install ------>activate address binding
Ruijie(config)#interface range fastEthernet 0/1-2
Ruijie(config-if-range)#arp-check ------>enable ARP-check
Ruijie(config-if-range)#end
Ruijie#write
Note:
If users need to reach the network over IPv6, you must set the IPv6 compatibility mode on a switch that has address-bind enabled. Perform this task:
Ruijie(config)#address-bind ipv6-mode ?
compatible IPV6 compatible mode ------>compatible mode: bound users may also reach the network over IPv6
loose IPV6 loose mode ------>loose mode: all IPv6 users may reach the network without restriction
strict IPV6 strict mode (default: strict) ------>strict mode: even bound users cannot reach the network over IPv6; this is the default
Ruijie(config)#address-bind ipv6-mode compatible
V.Verification
1. How to display global security table
2. How to display trusted port
3. How to verify ARP-check table
Scenario
802.1X authentication + ARP-check: In a network with 802.1X authentication enabled, users must run 802.1X-compliant client software such as the Ruijie supplicants SU and SA. The switch collects each user's IP and MAC address while communicating with the client software and writes them into the global security table. ARP-check then validates each user's ARP packets against this global security table to prevent ARP spoofing.
Merit: This is the simplest method to configure and maintain on the switch.
Demerit: You must build your network with the Ruijie 802.1X client software SU/SA and a RADIUS server (for example, Ruijie SAM), and it consumes more hardware resources, because the switch spends one more security entry in hardware for each user that passes authentication.
I. Requirements
The administrator assigns static IP addresses to users and enables 802.1X authentication across the whole network with Ruijie SU/SA and SAM to prevent ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Enable basic dot1x authenticationfunction on access switch
2. Modify authorization mode to"supplicant mode"
3. Enable arp-check on port connected tousers
IV. ConfigurationSteps
Configuring access switch
1) Configure dot1x authentication on switch
For complete information about 802.1X configuration, see the switch configuration guide, such as the 《RG-S8600E Series Switches RGOS Configuration Guide》
2) Configure authorization mode in"supplicant mode"
Ruijie(config)#aaa authorization ip-auth-mode supplicant
Note: If users need to reach the network over IPv6, you must set the IPv6 compatibility mode on a switch that has address-bind enabled. Perform this task:
Ruijie(config)#address-bind ipv6-mode ?
compatible IPV6 compatible mode ------>compatible mode: bound users may also reach the network over IPv6
loose IPV6 loose mode ------>loose mode: all IPv6 users may reach the network without restriction
strict IPV6 strict mode (default: strict) ------>strict mode: even bound users cannot reach the network over IPv6; this is the default
Ruijie(config)#address-bind ipv6-mode compatible
3) Enable arp-check
Ruijie(config)#interface range gigabitEthernet 0/1-2
Ruijie(config-if-range)#arp-check
Ruijie(config-if-range)#end
Ruijie#write
V.Verification
Ruijie#show interfaces gigabitEthernet 0/1 arp-check list
Scenario
DHCP Snooping with ARP-check: This solution prevents ARP spoofing in a network where a DHCP server assigns IP addresses to users. You may also enable 802.1X or web authentication, or run without any authentication.
Merit: Very simple configuration and easy maintenance.
Demerit: DHCP snooping and ARP-check are enforced in hardware, so this method cannot be applied when the switch runs out of hardware (TCAM) resources. How many users a switch can carry depends on its specification.
When the switch hardware resources are insufficient, the system logs the following message:
%SECURITY-3-TCAM_RESOURCE_LIMIT: TCAM resource is temporary not available.
I. Requirements
A DHCP server assigns IP addresses to users, and the administrator uses "DHCP Snooping with ARP-check" to prevent ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Core switch acts as DHCP server
2. Enable DHCP Snooping on access switch and configureuplink port as DHCP Snooping trusted port.
3. Enable ARP-check on ports connected touser
IV. ConfigurationSteps
Configuring core switch:
1. Enable DHCP service
Ruijie(config)#service dhcp
2. Manually assign an IP address to VLAN 1, the user gateway
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 1)#exit
3. Create a DHCP address pool
Ruijie(config)#ip dhcp pool vlan1
Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 ------>network subnet
Ruijie(dhcp-config)#dns-server 218.85.157.99 ------>DNS server
Ruijie(dhcp-config)#default-router 192.168.1.254 ------>user gateway
Ruijie(dhcp-config)#end
Ruijie#wr
Configuring access switch:
1. Enable DHCP Snooping
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping
2. Configure the port facing the DHCP server as a DHCP snooping trusted port.
Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-if-GigabitEthernet 0/49)#ip dhcp snooping trust ------>By default all ports are DHCP snooping untrusted ports. Only a trusted port may forward DHCP server messages (Offer and Ack), which also stops a rogue DHCP server on a user port
Note:
If users need to reach the network over IPv6, you must set the IPv6 compatibility mode on a switch that has address-bind enabled. Perform this task:
Ruijie(config)#address-bind ipv6-mode ?
compatible IPV6 compatible mode ------>compatible mode: bound users may also reach the network over IPv6
loose IPV6 loose mode ------>loose mode: all IPv6 users may reach the network without restriction
strict IPV6 strict mode (default: strict) ------>strict mode: even bound users cannot reach the network over IPv6; this is the default
Ruijie(config)#address-bind ipv6-mode compatible
3. Enable arp-check
Ruijie(config)#interface range fastEthernet 0/1-2
Ruijie(config-if-range)#arp-check
V.Verification
2. How to display the NIC information of a station: click Start -> Run -> cmd -> ipconfig /all
3. How to display the DHCP snooping table on an access switch
4. How to display the ARP-check table
Scenario
DHCP Snooping with DAI (Dynamic ARP Inspection): This solution prevents ARP spoofing in a network where a DHCP server assigns IP addresses to users. You may also enable 802.1X or web authentication, or run without any authentication.
Merit: Very simple configuration and easy maintenance. Note that DAI is enforced by the CPU, whereas ARP-check is enforced in hardware.
Demerit: When an access switch carries more than 50 users, we recommend solution 1 (DHCP Snooping with ARP-check) instead, so that CPU resources do not run short.
I. Requirements
A DHCP server assigns IP addresses to users, and the administrator uses "DHCP Snooping with DAI" to prevent ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Core switch acts as DHCP server
2. Enable DHCP Snooping on access switch and configureuplink port as DHCP Snooping trusted port.
3. Enable DAI on access switch and configure uplinkport as DAI trusted port.
4. Fine tune CPP and NFPP parameters andprune trunk port
IV. ConfigurationSteps
Configuring core switch:
1. Enable DHCP service
Ruijie(config)#service dhcp
2. Manually assign an IP address to VLAN 1, the user gateway
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0
Ruijie(config-if-VLAN 1)#exit
3. Create a DHCP address pool
Ruijie(config)#ip dhcp pool vlan1
Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 ------>network segment
Ruijie(dhcp-config)#dns-server 218.85.157.99 ------>DNS server
Ruijie(dhcp-config)#default-router 192.168.1.254 ------>user gateway
Ruijie(dhcp-config)#end
Ruijie#wr
Configuring access switch:
1. Enable DHCP Snooping
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping
2. Configure the port facing the DHCP server as a DHCP snooping trusted port
Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-if-GigabitEthernet 0/49)#ip dhcp snooping trust ------>By default all ports are DHCP snooping untrusted ports. Only a trusted port may forward DHCP server messages (Offer and Ack), which also stops a rogue DHCP server on a user port
3. Enable DAI in VLAN 1
Ruijie(config)#ip arp inspection vlan 1 ------>DAI inspects ARP packets in VLAN 1
4. Configure the uplink port as a DAI trusted port
Ruijie(config)#interface gigabitEthernet 0/25
Ruijie(config-if-GigabitEthernet 0/25)#ip arp inspection trust
Configuring DAI optimization (mandatory)
When DAI is enabled the switch sends every ARP packet to its CPU for validation, so you must also configure the following:
1. Prune the trunk on the uplink port of the access switch
This example prunes trunk port G0/25 so that it carries traffic for VLAN 1 and VLAN 9 only, which keeps ARP from unrelated VLANs away from the CPU:
Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk allowed vlan remove 2-8,10-4094
For complete information, see Initialization ---> Configuring a Layer 2 Port ---> Access or Trunk port
2. Disable NFPP on the uplink port of the access switch. Otherwise, if the number of ARP packets sent from the core switch to the access switch exceeds the default NFPP rate-limit threshold, NFPP drops the excess ARP packets, which belong to users. Disable the guards only on the trusted uplink; on the user ports NFPP stays enabled and remains the switch's protection against a single host flooding the CPU.
Ruijie(config)#interface gigabitEthernet 0/25
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp arp-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcp-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcpv6-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp icmp-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp ip-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp nd-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#exit
Ruijie(config)#
3. Raise the CPP ARP rate-limit threshold to 500 pps (180 pps by default) so that CPP does not drop the excess packets.
Ruijie(config)#cpu-protect type arp pps 500
V.Verification
1. How to display DAI status
2. How to display DHCP Snooping bindingtable
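What the DHCP snooping + DAI combination above enforces, and where the binding table that the earlier "DHCP Snooping with ARP-check" scenario also relies on comes from, as an added Python model that is not code from the Ruijie guide. DHCP server messages are accepted only on trusted ports, ACKs arriving there populate the snooping binding table, and ARP on untrusted ports is then validated against that table. The DHCP messages, MAC addresses and port names are constructed for the example; ARP sender fields are passed already decoded, and the trusted-port bypass, rogue-server drop and static-IP drop are the behaviours being illustrated.

```python
"""Added example, not code from the Ruijie guide: DHCP snooping builds a binding
table from server ACKs on trusted ports; DAI checks ARP on untrusted ports
against it. Messages, MACs and port names are constructed."""
import struct

DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # RFC 2131 fixed fields, 236 bytes
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, ACK = 1, 5
OPT_PAD, OPT_MESSAGE_TYPE, OPT_END = 0, 53, 255


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", ""))


def mac_str(b):
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", xid=0x3903F326):
    """Smallest valid DHCP message: fixed header, magic cookie, option 53, end."""
    yi = bytes(int(o) for o in yiaddr.split("."))
    fixed = DHCP_FIXED.pack(op, 1, 6, 0, xid, 0, 0, bytes(4), yi, bytes(4), bytes(4),
                            mac_bytes(chaddr).ljust(16, b"\0"), bytes(64), bytes(128))
    return fixed + DHCP_MAGIC + bytes([OPT_MESSAGE_TYPE, 1, msg_type, OPT_END])


def parse_dhcp(payload):
    """Return op, message type, xid, yiaddr and chaddr, or None if malformed."""
    end = DHCP_FIXED.size + len(DHCP_MAGIC)
    if len(payload) < end or payload[DHCP_FIXED.size:end] != DHCP_MAGIC:
        return None
    op, _, hlen, _, xid, _, _, _, yi, _, _, chaddr, _, _ = DHCP_FIXED.unpack_from(payload)
    opts, i, msg_type = payload[end:], 0, None
    while i < len(opts) and opts[i] != OPT_END:  # TLV walk with bounds checks
        if opts[i] == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            return None
        if opts[i] == OPT_MESSAGE_TYPE and opts[i + 1] == 1:
            msg_type = opts[i + 2]
        i += 2 + opts[i + 1]
    if msg_type is None or hlen != 6:
        return None
    return {"op": op, "type": msg_type, "xid": xid,
            "yiaddr": ".".join(str(x) for x in yi), "chaddr": mac_str(chaddr[:6])}


class SnoopingSwitch:
    """Access switch with "ip dhcp snooping", "ip arp inspection" and trusted uplinks."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}  # chaddr -> port, learned from client messages on untrusted ports
        self.binding = {}      # (vlan, ip) -> (mac, port): the DHCP snooping binding table

    def receive_dhcp(self, port, vlan, payload):
        msg = parse_dhcp(payload)
        if msg is None:
            return "drop: malformed DHCP"
        if msg["op"] == BOOTREPLY:
            if port not in self.trusted:  # rogue DHCP server on a user port
                return "drop: server message on untrusted port"
            client = self.client_port.get(msg["chaddr"])
            if msg["type"] == ACK and client is not None:
                self.binding[(vlan, msg["yiaddr"])] = (msg["chaddr"], client)
                return f"forward: bound {msg['yiaddr']} to {msg['chaddr']} on {client}"
            return "forward"
        if port not in self.trusted:
            self.client_port[msg["chaddr"]] = port
        return "forward"

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI on decoded ARP sender fields: trusted ports bypass inspection; any
        other port must match the binding table, including the port the lease
        was learned on, so a host using a static IP is dropped."""
        if port in self.trusted:
            return True
        return self.binding.get((vlan, sender_ip)) == (sender_mac, port)


MAC_A, MAC_C = "0021.cccf.6f70", "000c.2917.aa01"  # client A on Fa0/1, attacker C on Fa0/3


def demo():
    """Lease A an address through the trusted uplink, then try the spoofs."""
    sw = SnoopingSwitch(trusted_ports=["Gi0/49"])
    log = [sw.receive_dhcp("Fa0/1", 1, build_dhcp(BOOTREQUEST, DISCOVER, MAC_A)),
           sw.receive_dhcp("Gi0/49", 1, build_dhcp(BOOTREPLY, ACK, MAC_A, "192.168.1.10")),
           sw.receive_dhcp("Fa0/3", 1, build_dhcp(BOOTREPLY, ACK, MAC_A, "192.168.1.66"))]
    arp = {"A legit": sw.inspect_arp("Fa0/1", 1, MAC_A, "192.168.1.10"),
           "C claims A's IP": sw.inspect_arp("Fa0/3", 1, MAC_C, "192.168.1.10"),
           "C clones A": sw.inspect_arp("Fa0/3", 1, MAC_A, "192.168.1.10"),
           "C static IP": sw.inspect_arp("Fa0/3", 1, MAC_C, "192.168.1.30"),
           "uplink": sw.inspect_arp("Gi0/49", 1, MAC_C, "192.168.1.10")}
    return sw, log, arp


if __name__ == "__main__":
    sw, log, arp = demo()
    print("\n".join(log))
    for name, ok in arp.items():
        print(f"{'FORWARD' if ok else 'DROP   '} {name}")
```

Two consequences of the table-driven check are visible in the output: a host that configures a static address on an untrusted port has no binding and all of its ARP is dropped (the reason the guide requires DHCP-assigned addresses for these scenarios), and the uplink must be trusted, or the gateway's own ARP would be dropped the same way. Real DAI/ARP-check on the switch inspects the packet in the CPU or in hardware respectively; the inspection logic is the same as modelled here.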
Scenario
802.1X authentication with ARP-check: In a network with 802.1X authentication enabled, users must run 802.1X-compliant client software such as the Ruijie supplicants SU and SA, and a DHCP server assigns IP addresses to users before authentication.
Merit: This is the simplest method to configure and maintain on the switch.
Demerit: You must build your network with the Ruijie 802.1X client software SU/SA and a RADIUS server (for example, Ruijie SAM), and it consumes more hardware resources, because the switch spends one more security entry in hardware for each user that passes authentication. In addition, you must configure a global security tunnel that lets DHCP packets through, because users must obtain an IP address before 802.1X authentication completes.
I. Requirements
A DHCP server assigns IP addresses to users, then the administrator uses "802.1X authentication + ARP-check" to prevent ARP spoofing.
II. Network Topology
III. ConfigurationTips
1. Enable basic dot1x authentication onaccess switch
2. Configure a global security tunnel tobypass DHCP packets
3. Modify authorization mode to"supplicant mode"
4. Enable arp-check on port connected tousers
IV. ConfigurationSteps
Configuring access switch
1. Configure dot1x authentication on switch
For complete information about 802.1X configuration, see the switch configuration guide, such as the 《RG-S8600E Series Switches RGOS Configuration Guide》
2. Configure a global security tunnel tobypass DHCP packets
Ruijie(config)#expert access-list extended dhcp
Ruijie(config-exp-nacl)#permit udp any any any any eq bootps ------>let DHCP client packets (UDP destination port 67, bootps) through before authentication; nothing else is exempted
Ruijie(config-exp-nacl)#exit
Ruijie(config)#security global access-group dhcp
3. Set the authorization mode to "supplicant mode"
Ruijie(config)#aaa authorization ip-auth-mode supplicant
Note:
If users need to reach the network over IPv6, you must set the IPv6 compatibility mode on a switch that has address-bind enabled. Perform this task:
Ruijie(config)#address-bind ipv6-mode ?
compatible IPV6 compatible mode ------>compatible mode: bound users may also reach the network over IPv6
loose IPV6 loose mode ------>loose mode: all IPv6 users may reach the network without restriction
strict IPV6 strict mode (default: strict) ------>strict mode: even bound users cannot reach the network over IPv6; this is the default
Ruijie(config)#address-bind ipv6-mode compatible
4. Enable arp-check
Ruijie(config)#interface range gigabitEthernet 0/1-2
Ruijie(config-if-range)#arp-check
Ruijie(config-if-range)#end
Ruijie#write
V.Verification
Ruijie#show interfaces gigabitEthernet 0/1 arp-check list
Scenario
As data center networks expand, service types multiply and network management becomes more complex, raising the requirements on service isolation, security and reliability. With the rapid development of hardware and the maturity of multi-chassis, clustered and distributed routing and switching systems, the service processing capability of a single physical network device has reached a new level. It is therefore urgent to make full use of the processing capability of a single physical device, adapt it to current service requirements and allow smooth evolution for future expansion. Network device virtualization is a good fit: it gives network users a simpler form of virtualization that is not limited to specific services or channels but virtualizes the entire device.
Function Overview
The Virtual Switch Device (VSD) is a network systemvirtualization technology which divides a physical device into multiple logicaldevices. Each logical device is called a VSD. Each VSD has independent hardwareand software resources, including independent interface resources, CPUresources, independently-maintained routing table and forwarding table, and itsown administrator and configuration file. For users, each VSD is an independentdevice.
By VSDx technology, a physical device can bevirtualized to multiple logical devices, as shown in the following figure. Aphysical device can carry multiple network nodes in the logical topology tomaximize utilization of available resources and reduce network operation costs.Different VSs can be deployed with different services to isolate services fromfailures, improving safety and reliability of the network.
VSD Management
Out-of-band management is management through the mgmtinterface. Inband management is management through an Ethernet physicalinterface.
I. Requirements
To carry multiple users on a network device, isolatemanagement, simplify operation and maintenance, and isolate services, a networkdevice with good performance is virtualized to multiple logical devices, makingfull use of device resources and ensuring strong scalability of the network.Services of virtual devices are managed independently of each other.
II. Network Topology
III. Configuration Tips
Install a VSD license.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#license install usb0:/LIC-VSD00000002328406.lic ------> the VSD function needs a license
Success to install license file, service name: LIC-N18000-VSD.
Create VSD A.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vsd VSDA
Ruijie(config-vsd)#allocate int gi 1/1
Moving ports will cause all config associated to them in source vsd to be removed. Are you sure
to move the ports? [yes] yes
Entire port-group is not present in the command. Missing ports will be included automatically
Ruijie(config-vsd)#
Create VSD B.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vsd VSDB
Ruijie(config-vsd)#allocate int gi 2/1
Moving ports will cause all config associated to them in source vsd to be removed. Are you sure
to move the ports? [yes] yes
Entire port-group is not present in the command. Missing ports will be included automatically
Ruijie(config-vsd)#
Create VSD C.
Ruijie#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#vsd VSDC
Ruijie(config-vsd)#allocate int gi 3/1
Moving ports will cause all config associated to them in source vsd to be removed. Are you sure
to move the ports? [yes] yes
Entire port-group is not present in the command. Missing ports will be included automatically
Ruijie(config-vsd)#
Manage VSDs.
Configure VSD functions based on the actual service planning requirements. (Omitted)
IV. Configuration Steps
Install a VSD license.
Create VSD A, VSD B and VSD C.
V. Verification
View how the line cards were divided among the VSDs. Only gi 1/1, gi 2/1 and gi 3/1 were allocated explicitly, but each VSD owns every port of its slot, as the "Missing ports will be included automatically" prompt warned.
Ruijie-N18K#show vsd all
vsd_id: 0
vsd_name: Ruijie
vsd mac address: 00d0.f876.9888
interface:
GigabitEthernet 4/1 GigabitEthernet 4/2
GigabitEthernet 4/3 GigabitEthernet 4/4
GigabitEthernet 4/5 GigabitEthernet 4/6
GigabitEthernet 4/7 GigabitEthernet 4/8
GigabitEthernet 4/9 GigabitEthernet 4/10
GigabitEthernet 4/11 GigabitEthernet 4/12
GigabitEthernet 4/13 GigabitEthernet 4/14
GigabitEthernet 4/15 GigabitEthernet 4/16
GigabitEthernet 4/17 GigabitEthernet 4/18
GigabitEthernet 4/19 GigabitEthernet 4/20
GigabitEthernet 4/21 GigabitEthernet 4/22
GigabitEthernet 4/23 GigabitEthernet 4/24
GigabitEthernet 4/25 GigabitEthernet 4/26
GigabitEthernet 4/27 GigabitEthernet 4/28
GigabitEthernet 4/29 GigabitEthernet 4/30
GigabitEthernet 4/31 GigabitEthernet 4/32
GigabitEthernet 4/33 GigabitEthernet 4/34
GigabitEthernet 4/35 GigabitEthernet 4/36
GigabitEthernet 4/37 GigabitEthernet 4/38
GigabitEthernet 4/39 GigabitEthernet 4/40
GigabitEthernet 4/41 GigabitEthernet 4/42
GigabitEthernet 4/43 GigabitEthernet 4/44
GigabitEthernet 4/45 GigabitEthernet 4/46
GigabitEthernet 4/47 GigabitEthernet 4/48
slot:
slot 4
vsd_id: 1
vsd_name: VSDA
vsd mac address: 00d0.f876.988a
interface:
GigabitEthernet 1/1 GigabitEthernet 1/2
GigabitEthernet 1/3 GigabitEthernet 1/4
GigabitEthernet 1/5 GigabitEthernet 1/6
GigabitEthernet 1/7 GigabitEthernet 1/8
GigabitEthernet 1/9 GigabitEthernet 1/10
GigabitEthernet 1/11 GigabitEthernet 1/12
GigabitEthernet 1/13 GigabitEthernet 1/14
GigabitEthernet 1/15 GigabitEthernet 1/16
GigabitEthernet 1/17 GigabitEthernet 1/18
GigabitEthernet 1/19 GigabitEthernet 1/20
GigabitEthernet 1/21 GigabitEthernet 1/22
GigabitEthernet 1/23 GigabitEthernet 1/24
GigabitEthernet 1/25 GigabitEthernet 1/26
GigabitEthernet 1/27 GigabitEthernet 1/28
GigabitEthernet 1/29 GigabitEthernet 1/30
GigabitEthernet 1/31 GigabitEthernet 1/32
GigabitEthernet 1/33 GigabitEthernet 1/34
GigabitEthernet 1/35 GigabitEthernet 1/36
GigabitEthernet 1/37 GigabitEthernet 1/38
GigabitEthernet 1/39 GigabitEthernet 1/40
GigabitEthernet 1/41 GigabitEthernet 1/42
GigabitEthernet 1/43 GigabitEthernet 1/44
GigabitEthernet 1/45 GigabitEthernet 1/46
GigabitEthernet 1/47 GigabitEthernet 1/48
slot:
slot 1
vsd_id: 2
vsd_name: VSDB
vsd mac address: 00d0.f876.988c
interface:
GigabitEthernet 2/1 GigabitEthernet 2/2
GigabitEthernet 2/3 GigabitEthernet 2/4
GigabitEthernet 2/5 GigabitEthernet 2/6
GigabitEthernet 2/7 GigabitEthernet 2/8
GigabitEthernet 2/9 GigabitEthernet 2/10
GigabitEthernet 2/11 GigabitEthernet 2/12
GigabitEthernet 2/13 GigabitEthernet 2/14
GigabitEthernet 2/15 GigabitEthernet 2/16
GigabitEthernet 2/17 GigabitEthernet 2/18
GigabitEthernet 2/19 GigabitEthernet 2/20
GigabitEthernet 2/21 GigabitEthernet 2/22
GigabitEthernet 2/23 GigabitEthernet 2/24
GigabitEthernet 2/25 GigabitEthernet 2/26
GigabitEthernet 2/27 GigabitEthernet 2/28
GigabitEthernet 2/29 GigabitEthernet 2/30
GigabitEthernet 2/31 GigabitEthernet 2/32
GigabitEthernet 2/33 GigabitEthernet 2/34
GigabitEthernet 2/35 GigabitEthernet 2/36
GigabitEthernet 2/37 GigabitEthernet 2/38
GigabitEthernet 2/39 GigabitEthernet 2/40
GigabitEthernet 2/41 GigabitEthernet 2/42
GigabitEthernet 2/43 GigabitEthernet 2/44
GigabitEthernet 2/45 GigabitEthernet 2/46
GigabitEthernet 2/47 GigabitEthernet 2/48
slot:
slot 2
vsd_id: 3
vsd_name: VSDC
vsd mac address: 00d0.f876.988d
interface:
GigabitEthernet 3/1 GigabitEthernet 3/2
GigabitEthernet 3/3 GigabitEthernet 3/4
GigabitEthernet 3/5 GigabitEthernet 3/6
GigabitEthernet 3/7 GigabitEthernet 3/8
GigabitEthernet 3/9 GigabitEthernet 3/10
GigabitEthernet 3/11 GigabitEthernet 3/12
GigabitEthernet 3/13 GigabitEthernet 3/14
GigabitEthernet 3/15 GigabitEthernet 3/16
GigabitEthernet 3/17 GigabitEthernet 3/18
GigabitEthernet 3/19 GigabitEthernet 3/20
GigabitEthernet 3/21 GigabitEthernet 3/22
GigabitEthernet 3/23 GigabitEthernet 3/24
GigabitEthernet 3/25 GigabitEthernet 3/26
GigabitEthernet 3/27 GigabitEthernet 3/28
GigabitEthernet 3/29 GigabitEthernet 3/30
GigabitEthernet 3/31 GigabitEthernet 3/32
GigabitEthernet 3/33 GigabitEthernet 3/34
GigabitEthernet 3/35 GigabitEthernet 3/36
GigabitEthernet 3/37 GigabitEthernet 3/38
GigabitEthernet 3/39 GigabitEthernet 3/40
GigabitEthernet 3/41 GigabitEthernet 3/42
GigabitEthernet 3/43 GigabitEthernet 3/44
GigabitEthernet 3/45 GigabitEthernet 3/46
GigabitEthernet 3/47 GigabitEthernet 3/48
slot:
slot 3
Verify VSD login and management modes. Each VSD gets its own management address; its administrator logs in there and works only inside that VSD's configuration file.
Ruijie#switchto vsd VSDA
***********************************************************************
Ruijie General Operating System Software
Copyright (c) 1998-2013 by Ruijie Networks.
All Rights Reserved.
Neither Decompiling Nor Reverse Engineering Shall Be Allowed.
***********************************************************************
Ruijie-VSDA>enable
Ruijie-VSDA#conf
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie-VSDA(config)#int mgmt 0
Ruijie-VSDA(config-if-Mgmt 0)#ip address 10.1.1.10 255.255.255.0
Ruijie-VSDA(config-if-Mgmt 0)#end
Ruijie-VSDA#switchback
Ruijie#switchto vsd VSDB
***********************************************************************
Ruijie General Operating System Software
Copyright (c) 1998-2013 by Ruijie Networks.
All Rights Reserved.
Neither Decompiling Nor Reverse Engineering Shall Be Allowed.
***********************************************************************
Ruijie-VSDB>enable
Ruijie-VSDB#conf
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie-VSDB(config)#int mgmt 0
Ruijie-VSDB(config-if-Mgmt 0)#ip address 10.1.1.20 255.255.255.0
Ruijie-VSDB(config-if-Mgmt 0)#end
Ruijie-VSDB#switchback
Ruijie#switchto vsd VSDC
***********************************************************************
Ruijie General Operating System Software
Copyright (c) 1998-2013 by Ruijie Networks.
All Rights Reserved.
Neither Decompiling Nor Reverse Engineering Shall Be Allowed.
***********************************************************************
Ruijie-VSDC>enable
Ruijie-VSDC#conf
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie-VSDC(config)#int mgmt 0
Ruijie-VSDC(config-if-Mgmt 0)#ip address 10.1.1.30 255.255.255.0
Ruijie-VSDC(config-if-Mgmt 0)#end
Ruijie-VSDC#switchback
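The isolation a VSD promises only holds if no port ends up in two VSDs and each VSD owns exactly the slots planned for it; a port allocated to the wrong VSD quietly bridges two tenants. As an added example, not part of the original page and not Ruijie code, the following Python parses the text of show vsd all in the layout shown above and checks it against a slot plan. The excerpt it parses is constructed (shortened to two ports per slot, with the hypothetical VSDC left out so the plan check has something to report), and the function names are the example's own.

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of 'show vsd all' in the layout shown above, shortened to two ports per slot.
# VSDC is deliberately absent so the plan check has something to report.
SHOW_VSD_ALL = """\
vsd_id: 0
vsd_name: Ruijie
vsd mac address: 00d0.f876.9888
interface:
GigabitEthernet 4/1 GigabitEthernet 4/2
slot:
slot 4
vsd_id: 1
vsd_name: VSDA
vsd mac address: 00d0.f876.988a
interface:
GigabitEthernet 1/1 GigabitEthernet 1/2
slot:
slot 1
vsd_id: 2
vsd_name: VSDB
vsd mac address: 00d0.f876.988c
interface:
GigabitEthernet 2/1 GigabitEthernet 2/2
slot:
slot 2
"""


def parse_show_vsd(text: str) -> Dict[str, dict]:
    """Parse 'show vsd all' into {vsd_name: {id, mac, interfaces, slots}}."""
    vsds: Dict[str, dict] = {}
    cur: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("vsd_id:"):
            cur = {"id": int(line.split(":", 1)[1]), "mac": None, "interfaces": set(), "slots": set()}
            section = None
        elif line.startswith("vsd_name:"):
            vsds[line.split(":", 1)[1].strip()] = cur
        elif line.startswith("vsd mac address:"):
            cur["mac"] = line.split(":", 1)[1].strip()
        elif line == "interface:":
            section = "interface"
        elif line == "slot:":
            section = "slot"
        elif section == "interface":
            cur["interfaces"].update(re.findall(r"GigabitEthernet (\d+/\d+)", line))
        elif section == "slot":
            cur["slots"].update(int(n) for n in re.findall(r"slot (\d+)", line))
    return vsds


def verify_isolation(vsds: Dict[str, dict], plan: Dict[str, Set[int]]) -> List[str]:
    """Check that no port is shared between VSDs and that each planned VSD owns exactly its slots."""
    findings: List[str] = []
    owner: Dict[str, str] = {}
    for name, v in vsds.items():
        for intf in sorted(v["interfaces"]):
            if intf in owner:
                findings.append(f"port {intf} is listed under both {owner[intf]} and {name}")
            owner[intf] = name
            # A port's slot number is the part before the slash; it must be a slot this VSD owns.
            if int(intf.split("/")[0]) not in v["slots"]:
                findings.append(f"{name} lists port {intf} but does not own that slot")
    for name, slots in plan.items():
        if name not in vsds:
            findings.append(f"planned VSD {name} does not exist")
        elif vsds[name]["slots"] != slots:
            findings.append(f"{name} owns slots {sorted(vsds[name]['slots'])}, plan says {sorted(slots)}")
    macs = [v["mac"] for v in vsds.values()]
    if len(set(macs)) != len(macs):
        findings.append("two VSDs share a MAC address")
    return findings


if __name__ == "__main__":
    parsed = parse_show_vsd(SHOW_VSD_ALL)
    for finding in verify_isolation(parsed, {"VSDA": {1}, "VSDB": {2}, "VSDC": {3}}):
        print("FINDING:", finding)
```

The default VSD (vsd_id 0) is not in the plan and is therefore not checked for slot ownership, but its ports still take part in the shared-port check.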
Scenario
Multiple physical links can be bound into one logical link, called an aggregate port (hereinafter referred to as AP). Ruijie devices provide an AP function that complies with the IEEE 802.3ad standard. It is used to expand link bandwidth and improve reliability. The AP function balances traffic across the member links, and it also provides link backup: when a member link in an AP is disconnected, the system automatically moves that link's traffic to the other active member links in the AP, except for the broadcast or multicast packets it received.
Dynamic mode and static mode
1) If you configure the aggregate port mode to static on a port, the port joins the aggregate port without any negotiation.
2) If you configure the aggregate port mode to dynamic, the port uses LACP (Link Aggregation Control Protocol) to negotiate with the other end of the link whether to become an aggregate port.
An aggregate port member works in one of three modes: active, passive and static.
A port in active mode sends LACP packets to the peer on its own initiative.
A port in passive mode only responds when it receives LACP packets from the peer.
A port in static mode joins the aggregate port without sending any LACP packets.
The following table describes which modes match on the two ends of a link. At least one end of a dynamic AP must be active, since two passive ports never start a negotiation, and a static port must face a static port.
Aggregate Port Load Balancing
Traffic is distributed over the member links of an AP by hashing selected header fields: the source MAC address, destination MAC address, source and destination MAC address, source IP address, destination IP address, or source and destination IP address. All frames with the same key value always take the same member link, so packet order within a flow is preserved, but the distribution is only as even as the key is diverse: a key that is identical for most of the traffic, such as the source MAC of a single upstream router, sends most of the traffic down one link.
Note: By default, the load balancing method is src-dst-mac.
This example shows how to configure load balancing:
Ruijie(config)#aggregateport load-balance ?
dst-ip Destination IP address
dst-mac Destination MAC address
help Help information
mpls-label MPLS label
src-dst-ip Source and destination IP address
src-dst-ip-l4port Source and destination IP address, source and destination L4 port
src-dst-mac Source and destination MAC address
src-ip Source IP address
src-mac Source MAC address
src-port Source port
Ruijie(config)#aggregateport load-balance src-dst-ip ------> recommended
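Why src-dst-ip is recommended over the MAC-based keys is easiest to see by hashing a realistic flow set. As an added example, not part of the original page and not Ruijie code, the following Python models a two-link AP whose traffic comes from 64 hosts behind one upstream router: every frame arriving from the router side carries the router's MAC as source, so src-mac collapses the AP to a single link while src-dst-ip spreads the flows. The hash is an illustrative SHA-256 stand-in; the switch's real hash is vendor-specific and not documented on this page, and the flow list and the function names are the example's own.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, List, Tuple

Flow = Tuple[str, str, str, str]  # (src_mac, dst_mac, src_ip, dst_ip)

# Constructed sample: 64 hosts in 10.0.0.0/24, each talking to 4 servers through one upstream
# router. Every frame the switch receives from the router side has the router's MAC as source,
# which is exactly the traffic pattern where a src-mac key fails.
ROUTER_MAC = "00d0.f8aa.0001"
FLOWS: List[Flow] = [
    (ROUTER_MAC, f"0011.2233.{host:04x}", f"192.0.2.{srv}", f"10.0.0.{host}")
    for host in range(1, 65)
    for srv in (10, 11, 12, 13)
]

# Which header fields each load-balance keyword hashes (from the command help above).
POLICIES: Dict[str, Callable[[Flow], Tuple[str, ...]]] = {
    "src-mac": lambda f: (f[0],),
    "dst-mac": lambda f: (f[1],),
    "src-dst-mac": lambda f: (f[0], f[1]),
    "src-ip": lambda f: (f[2],),
    "dst-ip": lambda f: (f[3],),
    "src-dst-ip": lambda f: (f[2], f[3]),
}


def pick_link(key: Tuple[str, ...], n_links: int) -> int:
    """Map a hash key to a member link. SHA-256 is an illustrative stand-in for the vendor's hardware hash."""
    digest = hashlib.sha256("|".join(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_links


def distribute(flows: List[Flow], policy: str, n_links: int = 2) -> Counter:
    """Count how many flows land on each member link under the given load-balance policy."""
    counts: Counter = Counter()
    for flow in flows:
        counts[pick_link(POLICIES[policy](flow), n_links)] += 1
    return counts


def max_share(counts: Counter) -> float:
    """Fraction of flows carried by the busiest link; 1.0 means the AP behaves as a single link."""
    return max(counts.values()) / sum(counts.values())


if __name__ == "__main__":
    for policy in ("src-mac", "src-dst-mac", "src-dst-ip"):
        c = distribute(FLOWS, policy)
        print(f"{policy:12s} flows per link={dict(sorted(c.items()))} busiest link carries {max_share(c):.0%}")
```

The same property cuts the other way: because a flow always stays on one link, a single large flow cannot use more than one member's bandwidth regardless of the key chosen.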
Attention:
1. You must configure the same speed, duplex and media type on both ends of the AP. You cannot put a copper port and an optical port in the same AP.
2. You can only put L2 ports in an L2 AP and L3 ports in an L3 AP. You cannot change a port from L2 to L3, or from L3 to L2, after you have put it in an AP.
3. A Ruijie switch supports at most 8 ports in one AP.
4. When you have finished configuring the AP, use the "interface aggregateport x" command to manage the AP. You can no longer manage the AP members independently.
Layer 2 Aggregate Port (Static and Dynamic)
I. Requirements
Enable a Layer 2 AP on the ports between two core switches to expand the interconnection bandwidth and keep the network highly available. Use the src-mac load balance method.
II. Network Topology
III. Configuration Tips
1. Put the AP member ports in a specified AP
2. Configure the AP as a trunk
3. Modify the load balance method
IV. Configuration Steps
Static mode:
SW1:
SW1>enable
SW1#configure terminal
SW1(config)#interface range gigabitEthernet 0/1-2 ------> configure a range of interfaces with the same command
SW1(config-if-range)#port-group 1 ------> put G0/1 and G0/2 in AP 1 in static mode
SW1(config-if-range)#exit
SW1(config)#interface aggregateport 1
SW1(config-if-AggregatePort 1)#switchport mode trunk ------> configure AP 1 as a trunk
SW1(config-if-AggregatePort 1)#exit
SW1(config)#aggregateport load-balance src-mac ------> change the load balance method to src-mac; the default is src-dst-mac
SW1(config)#exit
SW1#wr
SW2:
SW2>enable
SW2#configure terminal
SW2(config)#interface range gigabitEthernet 0/1-2
SW2(config-if-range)#port-group 1
SW2(config-if-range)#exit
SW2(config)#interface aggregateport 1
SW2(config-if-AggregatePort 1)#switchport mode trunk
SW2(config-if-AggregatePort 1)#exit
SW2(config)#aggregateport load-balance src-mac
SW2(config)#exit
SW2#wr
Dynamic mode:
SW1(config)#interface range gigabitEthernet 0/1-2
SW1(config-if-range)#port-group 1 mode active ------> put G0/1 and G0/2 in AP 1 in dynamic (LACP) mode
SW1(config-if-range)#exit
SW1(config)#interface aggregateport 1
SW1(config-if-AggregatePort 1)#switchport mode trunk ------> configure AP 1 as a trunk
SW1(config-if-AggregatePort 1)#exit
SW2 is configured the same way.
3. This example shows how to configure a Layer 2 AP in static mode when connecting a Ruijie switch to a Cisco switch