Solution Implementation Procedure

1.1 Preparation Before Implementation

1.1.1 Customer Information Collection

1.1.1.1 Confirmation of Project Progress

1. Project handover: Obtain the pre-sales solution information of the project from thepre-sales personnel, to understand the main planning of the customer network. Considerthe available project implementation solution based on the equipment list andequipment delivery status.

2. Confirmation of implementation environment: Ensure that preparation of the peripheral environment for projectimplementation is completed, including equipment room construction, power supply (UPS or mains), and cabling of opticalfibers/network cables, to guarantee the implementation progress.

1.1.1.2 Survey and Collection of Customer RequirementInformation

Beforethe implementation, it is necessary to fully understand the customer's onsiteservice application requirements and network construction/reconstructionrequirements. Collect information based on the customer's routine service usageand fully understand the customer's basic and special service requirements, toidentify risks and make plans in advance based on the demarcation andlimitation of the solution. A full understanding of information can providenecessary basis for the development of the implementation solution.

Theinformation to be collected falls into the following categories:

1. Network status:

l Network topology information: includes the actual topology of thelive network, locations of network equipment and servers, configurations oflive network equipment (for in-depth analysis of the live network), and IPaddress and route planning information of live network equipment (routeplanning and routing table details).

2. Service application status:

l The following table describes the current service application, userscale, and network system operation & maintenance (O&M).

Level-1 Directory	Level-2 Directory	Refined Service	Information to Be Collected
Service application status	Office service	OA, mail, FTP, DNS, and DHCP	Information about whether the OA, mail, and FTP applications have extranet access requirements, have traffic guarantee, and allow access to the intranet or VPN environment
	Scientific research & teaching	Scientific research websites	Routing mode of scientific research websites or resource queries
		Multimedia teaching and office	Information about whether the conventional client or virtual space system based on the cloud host is used in the multimedia classroom
		Online education	Information about whether the campus network provides online education resources, whether the traffic is transmitted over the CERNET or the networks of the three major operators, and whether the bandwidth is largely consumed
	Entertainment	Browser-based entertainment, WeChat, QQ, Taobao, games, and videos	Major online behavior of students, whether rate limiting is performed on students, and whether content-accelerated devices are deployed for high-bandwidth applications
	Campus multicast	720p/1080p	Number of video program sources in campus network multicast applications, whether the definition standard is HD or ultra HD, and whether video freezing exists at peak hours
	IPv6	Resource requirements for accessing CERNETII	Information about whether the campus network provides IPv6 resource services, whether an egress exists on CERNET II, which IPv6 resource services are available, and whether a network node exists for IPv6-based independent interworking with other campus networks.
User scale	User type	Leader, teaching staff and relative, student, and visitor	Information about whether the campus network user types are missing, how to assign IP addresses for these users, access mode, and accounting mode
	User count	Scale	Number of users in the campus network and number of online users on the authentication server at peak hours
	Client type	Smart clients, such as the computer, mobile phone, and tablet	With more access clients and more diversified client types, the number of online users at peak hours poses higher pressure on the core and egress devices. Customers are concerned about security control, authorization, authentication, IP address assignment, behavior auditing, and location of clients.
		All-in-one cards and dumb clients, such as the printer, water meter, and environment monitoring instrument
		Video monitoring and multimedia experiment equipment
Network system O&M status	Information center	Information system and network sources	Information about whether the school has an independent information center, how responsibilities are divided between the information center and network center, and major concerns of the information center and network center
	Network center	O&M system integration	Information about whether a unified network management platform is configured for routine O&M and device management, and whether there are secondary development requirements for working with other application systems in the school
	Establishment and maintenance status	Self-establishment & self-maintenance, external establishment & external maintenance, and co-establishment & co-maintenance	Campus network types and information about how to maintain campus networks

3. Basic configuration of the server: includes the server's CPU, memory, disks, network (check theprovided server hardware based on the SAM+ system environment preparations todetermine whether the SAM+ and ePortal requirements are met), operating systemand database versions (check the operating system and database versions basedon the SAM+ system environment preparations to check whether the operatingsystem and database meet the installation requirements), and SAM+ softwareversion purchased by the customer (check whether the software version matcheswith the dongle and meets the project application requirements).

4. Earlier requirements from the customer: Find out the requirements (check the function support status in thescenario based on the higher education industry solution), evaluate whether therequirements can be met ahead of time, and check whether the requirements arewithin the scope of the solution.

5. Requirements for interconnecting with livenetwork equipment: Consider compatibility forinterconnecting with the equipment of other vendors, such as the STP, APaggregation, and SAM+ system.

6. User scale in the campus network: includes the number of areas, teaching buildings, dormitorybuildings, Web authenticated users, 802.1x authenticated users, and MABauthenticated users.

7. User groups of the customer: includes the access authentication and accounting requirements fordifferent types of user groups (mainly access control and accounting policies,preparing for the subsequent access control and associated accounting policiesof user groups).

8. Operation mode of the customer: includes the user registration/deregistration process, paymentmode, and reconciliation mode, which affect the whole network operation.

9. Special service application

l Confirm the processing requirements for the all-in-one cardclients, monitoring clients, and dumb clients with the customer by checking:

l Whether the all-in-one cards are deployed in a private network,which requirements are imposed on solution deployment, whether IP addresses arefixed or automatically obtained, and whether IP address segments or VLANs areconsistent or randomly set.

l Whether the door status control system is deployed in a privatenetwork and which deployment requirements are posed in the solution scenario.

l Whether the printer application is shared at layer 2 or layer 3.

l Whether a MAC forgery scenario occurs.

1.2 Deployment Model Selection

1.2.1 Layer 2 Access Isolation

1.2.1.1 Scenario Description

Area	Deployment and Feature Description
Core area	Two RG-N18000 switches form a VSU, both connecting to the egress area in the upstream direction. One MSC-ED card is inserted into each RG-N18000 to implement user traffic accounting and control. As the user gateway and authentication NAS device on the whole network, the RG-N18000 simultaneously supports Web authentication, wired 802.1x authentication, and MAB authentication.
Server area	A SAM+ server and an ePortal server are configured. The SAM+ server collects statistics on the user traffic from the MSC based on the accounting policy.
Aggregation area	A layer-2 transparent transmission device is connected to the upstream core devices in master/slave VSU mode via dual links. A trunk interface is configured in the aggregation area, but it is only used for layer-2 transparent transmission.
Access area	A protection port is configured to implement layer-2 isolation. VLAN segments need to be independently planned for special services (such as door status control, all-in-on card, and video monitoring) to distinguish from user service VLANs.

1.2.1.2 Scenario Topology

1.3 Check After Implementation

1.3.1 Software Information Check on the RG-N18000

1.3.1.1 Checking the CPU Usage

1. Method

Run the show cpu command inprivileged EXEC mode to check the running status of the CPU:

HXJF-N18K#show cpu

===============================================

[Slot 1: M18000-24GT20SFP4XS-ED, Cpu0]

CPU Using Rate Information

CPU utilization in five seconds:9.3%

CPU utilization in one minute:9.3%

CPU utilization in five minutes:9.3%

2. Criteria

(1) In the healthystate, the value of CPU utilization in five minutes should be less than30%. Pay attention to risks if the CPU usage exceeds 60%.

(2) If a great numberof configurations are made, a great deal of information is displayed, or thedebugging command is configured on the device, the CPU usage may soar instantaneously(normal symptom). Stop the related operation or run the undebug allcommand.

1.3.1.2 Checking the Memory Usage

1. Method

HXJF-N18K#show memory

2. Criteria

p.p1 {margin: 0.0px 0.0px 0.0px0.0px; text-align: justify; font: 10.5px Helvetica} span.s1 {font-kerning:none}

Thememory usage should be less than 60%. Bearing more services may increase thememory usage. Pay attention to risks if the memory usage exceeds 80% and tendsto continuously rise.

1.3.1.3 Checking Logs

1. Method

HXJF-N18K#show log

2. Criteria

p.p1 {margin: 0.0px 0.0px 0.0px0.0px; text-align: justify; font: 10.5px Helvetica} span.s1 {font-kerning:none}

Checkwhether exceptions exist in logs, such as frequent up/down state switches ofthe interface, down state of the dynamic protocol, and alarms of higherseverity.

1.3.1.4 Checking Configuration Information

1. Method

Runthe show run command in privilege EXEC mode to check the switchconfigurations:

HXJF-N18K#show run

Pay attention to the following mandatorycommands:

auth-mode gateway //Enablethe gateway mode.

ip radius source-interface (radiusinterface) //Configure an interconnection interface for communicationbetween the RG-N18000 and server.
ip portal source-interface (portal interface)

offline-detect interval 15 threshold0 //Configure no-traffic go-offline.

aaa authorizationip-auth-mode mixed //Configure IP-based AAA authorization.

radius-server attribute nas-port-idformat qinq //Mandatory for the QinQ scenario

qinq termination pe-vlan 100-101 //Configure QinQ VLAN tag termination.

qinq termination ce-vlan 200 to 300

2. Criteria

Checkwhether the deployed functions are consistent with the implementation solution,and whether the functions can be optimized.

1.3.2 Software Information Check on the SAM+ Server

1.3.2.1 Monitoring the Management Status

1. Method

Enablethe service manager on the SAM+ server to check the running status:

2. Criteria

Fora standalone server, no error is prompted in the service manager. As shown inthe preceding figure, normal prompt information includes: the system is startedsuccessfully, the SAM+ softdog type and validity period are checked, journalsare recorded successfully, and a total of xxx users are processed.

1.3.2.2 Checking the CPU and Memory Usage

Inthe healthy state, the CPU usage should be less than 30%, and the memory usageless than 60%.

1.3.2.3 Checking O&M Logs

1. Method

(1) Enter the SAM+management page and choose Operation > Log to check O&Mlogs.

(2) Enterthe database backup directory to check sizes of backup files and disk space.

2. Criteria

(1) Ensure that thedatabase shrinks properly.

(2) Ensure thatdatabase index fragments are organized properly.

(3) Ensure that thedatabase is integral.

(4) Ensure thatdatabase parameters are normal.

(5) Ensure that theautomatic database backup is normal.

(6) Ensure thatdatabase files are properly backed up. Ensure sufficient backup disk space toavoid backup failures.

1.3.2.4 Checking Solution Functions

Checkwhether the deployed functions are consistent with the implementation solution,and whether the functions can be implemented and optimized. For example:

1. Checkwhether the number of online authenticated users meets the expectation.

2. Checkwhether accuracy of traffic control meets the expectation.

3. Checkwhether the accounting policies are correct for different user types (such asthe school director, teaching staff and their relatives, and student).

4. Checkwhether an account can log in on multiple clients.

5. Checkwhether different access modes match with different accounting policies.

6. Check whetherthe DHCP check in Web authentication succeeds.

7. Checkwhether users can log in via MAB authentication after the first Webauthentication login.

1.3.3 Overall Network Running Check

1.3.3.1 Checking the Network Running Status

Performa thorough check on the network running status, including the equipment checkperformed in the normal network running state and the function verificationafter network implementation:

1. Run the showcommand to check the running status of core device functions. For the regularoperation commands, refer to the basic information check and spot check ofaccess devices.

2. Run the traceroutecommand to check the network connectivity and whether data forwarding paths arecorrect. This check aims to test the consistency between the forward and returnpaths in the route design.

Accordingto the configured function verification solution, perform linkconnection/disconnection and switch restart to test the application services,such as the connectivity test and download speed test, so as to verify thenetwork reliability design.

3. Run the pingcommand to test the network delay and processing of large packets.

4. Checkfunctions one by one according to the solution scenarios.

5. Checkthe actual service running status of users at peak hours.

1.3.3.2 Checking the Device and System Running Statusesat Peak Hours

1. Checkthe running status of the RG-N18000 at peak hours.

Ruijie#show cpu //The average CPU usage of the switch should be less than 30% in normalcases.

Ruijie#show cpu-protect mboard

Ruijie#show cpu-protect //Check whether the protocol rate exceeds theexpectation and protocol packets are dropped, to assist in locating the causefor high CPU usage.

Ruijie#show memory //The memory usage of the switch shouldbe less than 60% in normal cases.

Ruijie#show arp counter //Check the ARP aging time and whether the number of ARPentries is normal.

Ruijie#show mac-address-table count//Check the number of MAC address tables on the network.

Ruijie#show ip route //Check the routing table scale on thelive network.

Ruijie#show web-auth user all //Display Web authenticated users.

Ruijie#show dot1x sum //Display 802.1x authenticated users.

2. Checkthe running status of the SAM+ server at peak hours.

Check the number of authenticated userson the SAM+ server, and whether the CPU usage and memory usage are normal.

1.3.4 Check Points for Important Time Guarantee

Guide for Checking Important FunctionalIndicators of the RG-N18000 on Simplistic Network for the Back-to-School Season

1.3.4.1 Regular Information Check

1.3.4.1.1 CPU

1.3.4.1.1.1 Command

show cpu

show cpu | inc postgres

1.3.4.1.1.2 Check Point

Check the CPU usage of the managementmodule and line card, which should not be greater than 50%.

Check whether the CPU usage of anindependent process approaches 12.5%. If yes, risks may exist and independentanalysis and evaluation are required.

Check the CPU usage of the postgresprocess, which should not stay high.

$mk:@MSITStore:D:\Cloud\Work\workstation\SAM+%20project\SCN%20TAC\01%20极简网络解决方案%20渠道工程师学习包\01%20培训学习包\06%20极简网络解决方案%20实施一本通\01%20极简网络解决方案一本通%20V2.9.chm::/5a34a6eb-3744-4004-92f4-d181aaa15e45_files/53170661.png$

1.3.4.1.2 Memory

1.3.4.1.2.1 Command

show memory

1.3.4.1.2.2 Check Point

Check the memory usage, which should notbe greater than 50%.

1.3.4.1.3 Interface Traffic

1.3.4.1.3.1 Command

show int counters rate up

show int usage up

1.3.4.1.3.2 Check Point

Check the port utilization, which shouldnot be greater than 80%.

1.3.4.1.4 Error Frame

1.3.4.1.4.1 Command

show interface counters errors

1.3.4.1.4.2 Check Point

Check for the types of error frames.

1.3.4.1.5 Port Up/Down

1.3.4.1.5.1 Command

show interface link-state-changestatistics

1.3.4.1.5.2 Check Point

Check whether a port becomes up and downrepeatedly for more than 100 times.

1.3.4.1.6 Loop

1.3.4.1.6.1 Command

show rldp loop-detect-log

1.3.4.1.6.2 Check Point

Check for loop logs.

1.3.4.1.7 Line Card

1.3.4.1.7.1 Command

show version slots

1.3.4.1.7.2 Check Point

Check whether the line card is normal.

1.3.4.1.8 Temperature

1.3.4.1.8.1 Command

show temperature

1.3.4.1.8.2 Check Point

Check whether the temperature is normal.

1.3.4.1.9 Fan

1.3.4.1.9.1 Command

show fan

1.3.4.1.9.2 Check Point

1.3.4.1.10 VSU

1.3.4.1.10.1 Command

show switch virtual topology

show switch virtual link port

1.3.4.1.10.2 Check Point

Check whether the VSU topology and porttraffic are normal.

$mk:@MSITStore:D:\Cloud\Work\workstation\SAM+%20project\SCN%20TAC\01%20极简网络解决方案%20渠道工程师学习包\01%20培训学习包\06%20极简网络解决方案%20实施一本通\01%20极简网络解决方案一本通%20V2.9.chm::/5a34a6eb-3744-4004-92f4-d181aaa15e45_files/53428736.png$

1.3.4.1.11 Packets Destined for the CPU

1.3.4.1.11.1 Command

show cpu-protect

1.3.4.1.11.2 Check Point

Check whether the number of packets destinedfor the CPU is normal, whether the rate of important packets is normal, andwhether packet loss occurs.

Pay attention to the following packettypes: arp, dhcp, dot1x, web-auth, web-auths, and rldp.

1.3.4.1.12 Log

1.3.4.1.12.1 Command

show logging

1.3.4.1.12.2 Check Point

Check whether logs are abnormal.

1.3.4.2 Information Check Specific to SimplisticNetwork

1.3.4.2.1 DHCP Allocation and Conflict-incurred Failure

1.3.4.2.1.1 Command

show ip dhcp binding

show ip dhcp pool

show ip dhcp conflict

1.3.4.2.1.2 Check Point

Check the total number of IP addressesallocated via DHCP and the number allocated IP addresses in each address pool.

Check the status of conflict-incurredfailures.

1.3.4.2.2 Number of ARP/MAC Addresses

1.3.4.2.2.1 Command

show arp count

debug bridge mac

show mac count

undebug all

1.3.4.2.2.2 Check Point

Check the number of static ARP/MACaddresses, which should be equal to the total number of authenticated users.

Check the number of ARP addresses, whichshould be equal to that of IP addresses allocated via DHCP (in the case withoutstatic IP addresses).

1.3.4.2.3 ND Entry

1.3.4.2.3.1 Command

show ipv6 neighbors statistics

1.3.4.2.3.2 Check Point

Check the number of ND entries:

Entries: not greater than three times the numberof ARP entries.

Probe: not greater than 1000.

Incomplete: not greater than 1000.

1.3.4.2.4 Status of RADIUS Server and Portal Server

1.3.4.2.4.1 Command

show web-auth portal

show radius server

1.3.4.2.4.2 Check Point

Check whether the status of the portalserver is Enable.

Check whether the status of the RADIUSserver is Active.

If the timeouts values of Authen/Authorare high, the authentication may take a long time or the authentication fails.

If the timeouts value of Accountis high, check whether abnormal logs exist on the SAM+ server.

1.3.4.2.5 Number of 802.1x Authenticated Users andFailure Events

1.3.4.2.5.1 Command

show dot1x

show dot1x authmng abnormal

1.3.4.2.5.2 Check Point

Check the number of 802.1x users.

Check for abnormal events in 802.1xauthentication.

1.3.4.2.6 Number of Web Authenticated Users and FailureEvents

1.3.4.2.6.1 Command

show web-auth user all

show web-auth authmng abnormal

1.3.4.2.6.2 Check Point

Check the number of Web authenticatedusers.

Check for abnormal events in Webauthentication.

1.3.4.2.7 No-traffic Go-offline

1.3.4.2.7.1 Command

show run | in off

1.3.4.2.7.2 Check Point

Check whether only the VLAN-basedno-traffic go-offline period is configured.

1.3.4.2.8 Number of Authentication-free VLANs

1.3.4.2.8.1 Command

show direct-vlan

1.3.4.2.8.2 Check Point

Check whether the number ofauthentication-free VLANs exceeds 50.

1.3.4.2.9 One-to-Many Mirroring

1.3.4.2.9.1 Command

show run | inc remote-span

show run | inc mac-loopback

show monitor

show switch virtual link port

show int usage up

1.3.4.2.9.2 Check Point

Check whether one-to-many mirroring isconfigured and whether a VSL has approximately full bandwidth.

If yes, it is necessary to takecountermeasures, for example, change the mirroring mode (one-to-one mirroringto the layer-2 switch and flooding to multiple egresses), and change the VSL to40 Gbps.

If no countermeasure is available,contact the TAC and R&D engineers.

1.3.4.2.10 AP Across Line Cards and Chassis

1.3.4.2.10.1 Command

show version slot

show agg sum

1.3.4.2.10.2 Check Point

Check whether an AP across line cards andchassis exists, and whether a VAC solution is used. If a VAC solution is usedand the CPU usage of a line card exceeds 70%, contact the TAC and R&Dengineers.

1.3.5 Network Authentication Health Check AfterProject Cutover

1.3.5.1 802.1x Authentication

DLUT-CORE-N18014#show dot1x authmngstatistic

show 802.1x authentication information:

DOT1X current onlinenumber:..................18446744073709551615.

DOT1X historical max onlinenumber:...........0.

DOT1X aggregate online number:................0.

802.1x authentication statistics:

authenticationnumber:........................2322.

authenticationsuccess:.......................0.

authentication successrate:..................0%.

aaa reject : 49

user logoff : 0

conflict account : 0

valid ip mab : 0

adjust authentication successrate:...........0%.

request id timeout :2258-------------->

request timeout :14--------------->

aaa timeout : 1------------------>

other timeout : 0-----------------> The network or server is unstable according tothe preceding four timeout items.

ipam not allowed :0---------------> AM rules are not met.

ip band width fall :0-----------------> IP/bandwidth authorization fails.

set scc fall : 0------------------> SCC setting fails due to bottom layer errors.

author vlan fail : 0

vid modify : 0

prot user limit :0--------------------> The number of users is limited due to configurationerrors.

total user limit :0------------------> The total number of users is limited due toconfiguration errors.

acct cache deny :0--------------------> Accounting results are cached slowly due to theunstable server or network.

other security type :0--------------------> Other security functions are configured generally.

close auth switch :0-------------------> 802.1x authentication is disabled globally.

deny non-rg client :0---------------------> Non-Ruijie clients are filtered out.

mab vlan deny : 0---------------------> The VLAN does not comply with MAB VLANconfigurations.

valid ip : 0--------------------> No IP address is obtained.

set acl fail : 0

port down : 0

not allow user :0

authentication success rssiavgvalue:.........0dBm.

authentication fail rssiavgvalue:............0dBm.

802.1x offline statistics:

offline_total:................................295.

user logoff : 0

server kickout user : 0

no flow : 0-------------------> The user goes offline due to notraffic.

no ip : 0-------------------> The user is forced to gooffline because it fails to obtain an IP address.

session timeout :0-------------------> The available online period times out.

flux out : 0-------------------> The traffic is used up.

svr kickout user : 0

hello timeout : 0-------------------> The client detection times out.

scc rollback : 0-------------------> SCC setting fails due to bottom layer errors.

mac rollback : 0-------------------> MAC setting fails due to bottom layer errors.

ip bandwith fail :0-------------------> Authorization fails. Check whether any configurationerror exists.

mng no port control :0------------------->

mng author change : 0

mng allow user change : 0

mng direct vlan change : 0

mng clear cli : 0

mng ipam change :0

mng staitc mac :0

mng filter mac :0

mng set mumab : 0

mng mab vlan change : 0

mng ip acct change : 0

mng ctrl mode : 0

mng vlan change :0-------------------> The preceding items indicate that configurations arechanged.

port move : 295

vlan move : 0

port-vlan move :0------------------> The preceding items indicate that migration occurs.

invalid ip : 0

port down : 0

gsn fail : 0

mab to 1x : 0-------------------> MAB authentication is replaced by802.1x authentication. Check whether 802.1x authentication is used by the user.

mab to guest vlan : 0

dhcp author fail : 0

db recover fail :0

adb author fail :0--------------------> The preceding VLAN authorization items are generallynot configured in the simplistic network environment.

recover to scc fail :0---------------------> SCC setting fails possibly due to bottom layererrors.

ha recover fail :0----------------------> Hot backup recovery fails possibly due toprocessing logic errors in 802.1x authentication.

ip mab unset ip :0

s mab change : 0

offline_by_auth:.............................0.

request idtimeout :0

request timeout :0

aaa timeout : 0

other timeout : 0

aaa reject : 0

ipam not allowed : 0

ip band widthfall : 0

set scc fall : 0

user logoff : 0

author vlan fail : 0

vid modify : 0

prot user limit :0

total user limit : 0

acct cache deny :0

other securitytype : 0

close auth switch : 0

deny non-rgclient : 0

mabvlan deny : 0

valid ip : 0

setacl fail : 0

port down : 0

not allow user :0

conflict account : 0

valid ip mab : 0-----------------> The preceding items indicate failure statisticscollected during the authentication.

1.3.5.2 MAB Authentication (Same as 802.1x Authentication)

1.3.5.3 Web Authentication

DLUT-CORE-N18014#show web-auth authmngstatistics

Show web authentication information:

current online number:..................................3087. --- Number of current online users

historical max onlinenumber:...........................5071. --- Historical maximum number ofonline users

aggregate onlinenumber:................................344156. --- Total number ofaccumulative online users

Web authentication redirect statistics:

HTTP packet processing:

number ofusers:.......................................12973993 ---Number of users whose HTTP packets are processed

number of HTTP packetsreceived:.......................1543216156 --- Number ofHTTP packets received

redirection time consumption forsuccessful users: --- Time consumption for redirection

average timeconsumption:..............................58ms.

aggregate timeconsumption:............................39285499875ms.

number of less than half onesecond:...................663809946(98.738%).

number of between half and onesecond:.................2082988(0.310%).

number of more than one second:........................6402954.

Web authentication statistic: --Statistics related to Web authentication

authentication processing:

number of authenticationrequests received:............784127.

number of reauthenticationrequests received:..........225537.

number of errorpassword:..............................391339.

number of authenticationfailures:.....................48632(6.202%).

AAAtimeout:..........................................46736(96.101%). --- AAA authentication times out due to the unstable network or server.

authentication statustimeout:........................1(0.002%). --- Authentication device timeout

fail to setSCC:......................................0(0.000%). --- SCC setting fails due to bottom layer errors.

accountingreject:....................................0(0.000%). --- Rejection from the accounting server

accounting dev timeout:...............................0(0.000%). --- Accounting device timeout

userunexist:.........................................1154(2.373%). --- The user does not exist.

portaltimeout:.......................................0(0.000%). --- Portal server timeout

DHCPreleasepkt:......................................0(0.000%). --- No statistics are collected for the following four items. Neglectthem.

stamove:.............................................0(0.000%).

clearuser:...........................................0(0.000%).

configchange:........................................0(0.000%).

other:................................................741.

Authentication time consumption forsuccessful users:

average timeconsumption:..............................94ms. ---- Timeconsumption for authentication

aggregate timeconsumption:............................32609811ms.

number of less than onesecond:........................341995(99.372%).

number of between one andthree second:................667(0.194%).

number of more than threesecond:......................1494(0.434%).

number of less than onesecond(exclude server):........344121(99.990%).

number of between one andthree second(exclude server):6(0.002%).

number of more than threesecond(exclude server):......29(0.008%).

Web authentication offlineinformation: ---- Statistics related to Web usergo-offline

number of offlinecount:................................341069.

number of abnormaloffline(rate):......................408(0.119%).

number of portaltimeout:.............................408(100.000%). --- The user goesoffline because the portal server does not respond, which is possibly resultedfrom an unstable network or server.

number of setfail:...................................0(0.000%). --- SCCsetting fails due to bottom layer errors.

number of linkchange:................................0. --- No statistics are collected.

noflow:...............................................277797. --- The user goes offline due to no traffic.

kickoff:..............................................23745. --- The user is forced to go offline by the server.

dhcprelease:..........................................8971. --- The user goes offline due to DHCP release.

STAdelete:............................................0. --- The user is forced to go offline.

STA move:..............................................0. --- The user goes offline due toclient migration.

activeoffline:........................................15817. --- The user goes offline actively.

session timeout:.......................................9975. --- The user goes offline because theavailable online period times out.

cliclear:.............................................0. --- The user goes offline because the CLI commandis cleared.

nocontrol:............................................0. --- The user goes offline because control isdisabled.

interfacedefault:.....................................0. --- The interface is the default one.

interface destroy:.....................................0. --- The interface is destroyed.

interface addap:......................................0. --- The interface is added to an AP.

delap:................................................0. --- The interface is deleted from an AP.

dhcp ipcheck:.........................................0. --- The user goes offline due to DHCP IP check.

vlanchange:...........................................0. --- The user goes offline due to VLAN changes.

intfvlanchange:.......................................0. --- The user goes offline due to layer-3 VLANconfiguration changes.

other:.................................................4356.

aggregate onlinetime:..................................444256014min

average online time ofuser:............................1304min ---Average online duration of the user

Station-move:

movecount:.............................................969637. --- Number of migrations

movefail:..............................................3550. --- Number of migration failures

Other important processstatistics: --- Timeconsumption statistics of all modules are listed below.

Auth: --- Time consumptionfor Web authentication

average timeconsumption:...............................71ms.

aggregate timeconsumption:.............................24669338ms.

number of less than onesecond:.........................342103(99.403%).

number of more than onesecond:.........................2053.

AAA authentication: --- Time consumption for AAA authentication

average timeconsumption:...............................2ms.

aggregate timeconsumption:.............................1013078ms.

number of less than onesecond:.........................344154(99.999%).

number of more than onesecond:.........................2.

Radius authentication: --- Time consumption for RADIUS authentication

average timeconsumption:...............................0ms.

aggregate timeconsumption:.............................78760ms.

number of less than onesecond:.........................344156(100.000%).

number of more than onesecond:.........................0.

Radius server authentication: --- Timeconsumption for RADIUS server authentication

average timeconsumption:...............................55ms.

aggregate timeconsumption:.............................19158014ms.

number of less than onesecond:.........................342113(99.406%).

number of more than one second:.........................2043.

SCC: --- Timeconsumption for SCC setting

average timeconsumption:...............................0ms.

aggregate timeconsumption:.............................9349ms.

number of less than onesecond:.........................344156(100.000%).

number of more than onesecond:.........................0.

Accounting: --- Time consumption for accounting

average timeconsumption:...............................23ms.

aggregate timeconsumption:.............................7930055ms.

number of less than onesecond:.........................344050(99.969%).

number of more than onesecond:.........................106.

AAA accounting: --- Time consumption for AAA accounting

average timeconsumption:...............................3ms.

aggregate timeconsumption:.............................1081861ms.

number of less than onesecond:.........................344154(99.999%).

number of more than onesecond:.........................2.

Radius accounting: --- Time consumption for RADIUS accounting

average time consumption:...............................1ms.

aggregate timeconsumption:.............................630452ms.

number of less than onesecond:.........................344127(99.992%).

number of more than onesecond:.........................29.

Radius server accounting: --- Time consumption for RADIUS server accounting

average timeconsumption:...............................2ms.

aggregate timeconsumption:.............................828579ms.

number of less than one second:.........................344081(99.978%).

number of more than onesecond:.........................75.

Portal: --- Time consumption of the portalserver

average time consumption:...............................0ms.

aggregate timeconsumption:.............................0ms.

number of less than onesecond:.........................344156(100.000%).

number of more than onesecond:.........................0.

Solution Components and Parameters

2.1 Parameters of Switch Products

2.1.1 Specifications of Core Devices

Device Type	Product Type	Product Model	Quantity of Clients Supported in Authentication
RG-N18000	Supervisor module	CM	600 for Web authentication; 3000 for 802.1x authentication
RG-N18000	Supervisor module	CM II	60000
N18007	Supervisor module	CM	600 for Web authentication; 3000 for 802.1x authentication
N18007	Supervisor module	CM II	60000
N18007	Supervisor module	CM II-LITE	15000
Device Type	Product Type	Product Model	Quantity of Supported Online Dual-stack Clients (ARP)
RG-N18000/N18007	Line card	ED card	60000
RG-N18000/N18007	Line card	DB card	30000
Device Type	Product Type	Product Model	Quantity of Inner VLANs Supported in QinQ Scenarios
RG-N18000/N18007	Line card	ED card	511
RG-N18000/N18007	Line card	DB card	61
Device Type	Product Type	Product Model	Quantity of Supported MAC Tables
RG-N18000/N18007	Line card	ED card	128000
RG-N18000/N18007	Line card	DB card	96000
Device Type	Product Type	Product Model	Supported DHCPv4 Capacity
RG-N18000	Supervisor module	CM	8000
RG-N18000	Supervisor module	CM II	90000
N18007	Supervisor module	CM	8000
N18007	Supervisor module	CM II	90000
N18007	Supervisor module	CM II-LITE	90000
Device Type	Product Type	Product Model	Supported DHCP Snooping Capacity
RG-N18000	Supervisor module	CM	8000
RG-N18000	Supervisor module	CM II	90000
N18007	Supervisor module	CM	8000
N18007	Supervisor module	CM II	90000
N18007	Supervisor module	CM II-LITE	90000
Device Type	Product Type	Product Model	Supported DHCPv6 Capacity
RG-N18000	Supervisor module	CM	8000
RG-N18000	Supervisor module	CM II	90000
N18007	Supervisor module	CM	8000
N18007	Supervisor module	CM II	90000
N18007	Supervisor module	CM II-LITE	90000

2.1.2 Specifications of Aggregation Devices

Device Type	Product Model	Whether Flexible QinQ Supported	Recommended Version	Description
Aggregation	S5750 series (hardware V1.0)	Yes	10.4(3)p4 release(161753)	Only 768 outer VIDs are supported for inner/outer VID mapping.
Aggregation	S5750 series (hardware V2.0)	Yes	10.4(3)p4 release(161753)	N/A
Aggregation	S5750E series	Yes	10.4(3b18)p2,Release(207466)	N/A
Aggregation	S29E	Yes	10.4(2b12)p2 release(180357)	N/A
Aggregation	S2910XS-E series	Yes	S2910_RGOS 11.4(1)B1	N/A
Aggregation	S6200	Yes	10.4(5b1) release(150539)	N/A
Aggregation	S5760 series	No	N/A	The device needs to be replaced.
Aggregation	S26 series	No	N/A	The device needs to be replaced.
Aggregation	S7610	No	N/A	The device needs to be replaced.
Aggregation	S7604	No	N/A	The device needs to be replaced.
Aggregation	S35	No	N/A	The device needs to be replaced.
Aggregation	NBS5526XG	No	N/A	The device needs to be replaced.

2.1.3 Capacity Specifications

Level-1 Specifications	Level-2 Specifications	Level-3 Specifications	RG-N18000 (ED)	RG-N18000 (DB)
Authentication capacity	Web authentication	Web user capacity	60,000 for dual-stack	30,000 for dual-stack
	802.1x authentication	802.1x user capacity	60,000 for dual-stack	30,000 for dual-stack
	Web MAB authentication	Web MAB authentication capacity	60,000 for dual-stack	30,000 for dual-stack
IPv4 application protocol features	DHCP server	Quantity of users supported by the DHCP server	256K	256K
	DHCP relay	Quantity of supported servers	N/A	N/A
	DHCP snooping	Capacity of software-bound database	256K	256K
Layer-2 features	MAC address	Quantity of global MAC addresses (the maximum quantity of MAC addresses supported by the MAC address table need to be learned in full mesh mode)
		Quantity of static MAC addresses	10000	10000
		Quantity of filtered MAC addresses	10000	10000
		MAC address learning rate	2000/S	2000/S
	Quantity of clients	Quantity of clients (for IPv4/IPv6 dual-stack, each client is assigned with an IPv6 address and an IPv4 address)	CM: 5000 for the case with only 802.1x authentication 1000 for the case with only Web authentication CM II: 60,000 (recommended) in default mode	CM: 5000 for the case with only 802.1x authentication 1000 for the case with only Web authentication CM II: 45,000 (recommended) in default mode.
Layer 3 Features	ARP	ARP entry capacity (the maximum quantity of ARP entries supported by the ARP table need to be learned in full mesh mode)	Default mode: 170,000 (sharing resources with ND)	Default mode: 85000 (sharing resources with ND)
	ARP	ARP learning rate	CM I: 3000/s; CM II: 10,000/s	CM I: 3000/s; CM II: 10,000/s
	ND	ND entry capacity (the maximum quantity of ND entries supported by the ND table need to be learned in full mesh mode)	CM: 5000 CM II: 75,000 in default mode (sharing resources with ARP).	CM: 5000 CM II: 60000 in default mode (sharing resources with ARP).
	ND	ND learning rate	CM I: 1500/s; CM II: 5000/s	CM I: 1500/s; CM II: 5000/s
	IPv4	Quantity of IP addresses set on each layer-3 interface	4000	4000
		Capacity of IPv4 hardware routing table (the maximum quantity of routing entries supported by the routing table need to be learned in full mesh mode)	Default mode: 12,000	Default mode: 384000
		Capacity of static routing table	The default value is 1024. A command can be used to configure a maximum of 10,000 routes.	The default value is 1024. A command can be used to configure a maximum of 10,000 routes.
		Quantity of equal-cost routes supported by each route	32	32
		Quantity of routes supporting equal-cost routing	64	64
		Quantity of weighted next-hop routes supported by each route	8 (Weight = 4) 4 (Weight = 8) Weight x Route count ≤ 32	8 (Weight = 4) 4 (Weight = 8) Weight x Route count ≤ 32
		Multicast routing table	16000	16000
	IPv6	Quantity of IPv6 addresses set on each layer-3 interface	1000 at most	1000 at most
		Capacity of IPV6 hardware routing table (network routes) (the maximum quantity of routing entries supported by the routing table need to be learned in full mesh mode)	Default mode: 6000	Default mode: 1000
		Capacity of routing table supporting the subnet mask length of 65–128 (If no description is made, the capacity is not limited by the subnet mask length and the hardware routing table capacity prevails.)	Default mode: 1000	Default mode: 4000
		Capacity of static IPv6 routing table	1000	1000
		Quantity of IPv6 tunnel interfaces	127	127
		Multicast routing table	8000	8000
	PBRv4	Quantity of supported policy-based routes	1500–7000	1500–7000
	PBRv4	Quantity of equal-cost routes supported by each policy-based route	32	32
	PBR v6	Quantity of supported policy-based routes	1500–3000	1500–3000
	PBR v6	Quantity of equal-cost routes supported by each policy-based route	32	32
ACL	ACE capacity	Maximum number of inbound ACE entries associated with the SVI	7000	7000
		Maximum number of inbound ACE entries associated with the physical port/AP	7000	7000
		Maximum number of outbound ACE entries associated with the SVI (simulated based on inbound ACE entries, limited, and with inbound entries occupied)	N/A	N/A
		Maximum number of outbound ACE entries associated with the SVI (actual outbound ACE entries)	1000	1000
		Maximum number of outbound ACE entries associated with the physical port/AP (simulated based on inbound ACE entries)	N/A	N/A
		Maximum number of outbound ACE entries associated with the physical port/AP (actual outbound ACE entries)	1000	1000

Typical Scenarios

3.1 Access Isolation Scenario

3.1.1 Overall Solution

3.1.1.1 Solution Description

Thesimplistic network access isolation solution employs one VLAN for each accessswitch, and allows locating the specific access switch according to the VLANID. In addition, this solution provides layer-2 isolation for all users,effectively preventing layer-2 broadcast packet attacks and ARP and DHCPspoofing attacks.

1. The coreRG-N18000 serves as the gateway and authentication NAS device on the whole network:

l A maximum of 60,000 online dual-stack clients are supported incoordination with ED cards, and a maximum of 30,000 online clients aresupported in coordination with DB cards or both of ED and DB cards.

l Web authentication, wired 802.1x authentication, and MABauthentication are simultaneously supported. Wireless 802.1x authentication isnot supported currently, because it needs to bedeployed on the AC.

l Wireless 802.1x VLANs, AP management VLANs, and other specialservice VLANs requiring no authentication (such as door status control,all-in-one card, and video monitoring) are configured as authentication-freeVLANs.

l As the core layer-2 gateway, the RG-N18000can support the super VLAN function to perform aggregation gatewayconfigurations for sub VLANs. One super VLAN can be deployed for each area, forexample, one super VLAN for the office area of the xx campus and one super VLANfor the student dormitory area of the xx campus.

l The ARP proxy function is enabled on the super VLAN gateway of the coredevice by default, to guarantee layer-3 communication between sub VLANs anddecrease ARP flooding traffic.

l The port protection function needs to be configured on the downlinkinterface of the core device (by running the switchport protectedcommand), to prevent layer-2 broadcast between the same VLANs in differentareas. In addition, unused VLANs need to be pruned to minimize the broadcastdomain.

l The SVI of the super VLAN gateway needs tobe set to OSPF passive if OSPF is configured.

2. Theaggregation device serves as layer-2 transparent transmission device:

l The VLAN and trunk interfaces areconfigured for layer-2 transparent transmission only.

l The SVI of the user gateway needs to be set to OSPF passive if theconventional 3-layer network is deployed and OSPF is configured on theaggregation device.

l The port protection function needs to beconfigured on the downlink interface of the aggregation device (by running the switchportprotected command), to prevent layer-2 broadcast between the same VLANs in differentareas. In addition, unused VLANs need to be pruned to minimize the broadcastdomain.

l The storm suppression function isconfigured to suppress broadcast packets at 1000 pps and multicast packets at1000 pps. In addition, this function needs to be adjusted according to the livenetwork applications. For example, if multicast services exist on the livenetwork, do not configure multicast packet suppression and suppress broadcastpackets at 1000 pps.

3. Theaccess device provides user-based layer-2 isolation:

l The same VLAN is configured on all interfaces of each accessswitch, and different VLANs are configured for different access switches.

l The port protection function needs to beconfigured on the interfaces of each switch (by running the switchport protectedcommand), to implement layer-2 VLAN isolation.

l Different VLANs need to be configured fordifferent access switches, with incremental VLAN IDs.

l VLAN segments need to be independently planned for special services(such as door status control, all-in-on card, and video monitoring) todistinguish from user service VLANs, to facilitate authentication-free VLANconfiguration on the core device for special services.

l RDLP is enabledon the interface of the access device connected to the clients, and an anti-looppolicy is configured to shut down a port upon a loop.

l The storm suppression function is enabled on the interfaces of the access deviceconnected to the clients, to suppress broadcast packets at 300 pps andmulticast packets at 300 pps. In addition, this function needs to be adjustedaccording to the live network applications. For example, if multicast servicesexist on the live network, do not configure multicast packet suppression andsuppress broadcast packets at 1000 pps.

3.1.1.2 Solution Topology

3.1.1.3 Recommended Scenario

1. In the case ofnetwork construction, an access cascading scenario exists in the live networkand flexible QinQ is not supported on the aggregation device.

Suggestionfor the wired network scenario: It is recommended to deploy access isolation,configure one VLAN for each switch, and configure one super VLAN for each area(such as the office area of the xx campus, library of the xx campus, andstudent dormitory area of the xx campus).

2. In the case of networkreconstruction, it is unclear whether devices are interconnected and whetherflexible QinQ is supported.

Suggestionfor the wired network scenario: It is recommended to deploy access isolation,configure one VLAN for each switch, and configure one super VLAN for each area(such as the office area of the xx campus, library of the xx campus, andstudent dormitory area of the xx campus).

3.1.2 VLAN/IP Planning

3.1.2.1 Planning Idea

Configure one VLAN (sub VLAN) for theaccess switch of each floor, and one super VLAN for each area (such as thestudent dormitory area of the xx campus).

Reserve VLANs (30% or more) for each areafor further network change or expansion.

Reference templates:

Wired network VLAN/IP planning for thestudent dormitory area:

Device Model	Device Type	Location	Management Address	Sub VLAN	Super VLAN	Network Segment (planned according to rules, with the actual subnet mask length being /16)	Gateway	Network Management VLAN	Video Monitoring VLAN	All-in-one Card VLAN	Door Status Control VLAN
S2928G	Floor access switch	1/F, building 1, student dormitory area	192.168.132.1	1001	4000	172.16.0.0/24	172.16.15.254/16	100	101	102	103
S2928G	Floor access switch	2/F, building 1, student dormitory area	192.168.132.2	1002
S2928G	Floor access switch	1/F, building 2, student dormitory area	192.168.132.3	1003		172.16.1.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 2, student dormitory area	192.168.132.4	1004
S2928G	Floor access switch	1/F, building 3, student dormitory area	192.168.132.5	1005		172.16.2.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 3, student dormitory area	192.168.132.6	1006
S2928G	Floor access switch	1/F, building 4, student dormitory area	192.168.132.7	1007		172.16.3.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 4, student dormitory area	192.168.132.8	1008
S2928G	Floor access switch	1/F, building 5, student dormitory area	192.168.132.9	1009		172.16.4.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 5, student dormitory area	192.168.132.10	1010
S2928G	Floor access switch	1/F, building 6, student dormitory area	192.168.132.11	1011		172.16.5.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 6, student dormitory area	192.168.132.12	1012
S2928G	Floor access switch	1/F, building 7, student dormitory area	192.168.132.13	1013		172.16.6.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 7, student dormitory area	192.168.132.14	1014
S2928G	Floor access switch	1/F, building 8, student dormitory area	192.168.132.15	1015		172.16.7.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 8, student dormitory area	192.168.132.16	1016
S2928G	Floor access switch	1/F, building 9, student dormitory area	192.168.132.17	1017		172.16.8.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 9, student dormitory area	192.168.132.18	1018
S2928G	Floor access switch	1/F, building 10, student dormitory area	192.168.132.19	1019		172.16.9.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 10, student dormitory area	192.168.132.20	1020
S2928G	Floor access switch	1/F, building 11, student dormitory area	192.168.132.21	1021		172.16.10.0/24	172.16.15.254/16
S2928G	Floor access switch	2/F, building 11, student dormitory area	192.168.132.22	1022

3.2 Wireless Isolation Scenario

3.2.1 Overall Solution

3.2.1.1 Solution Description

1. The simplisticnetwork wireless isolation solution employs one super VLAN for each area (forexample, a super VLAN for the office area of the xx campus), and two sub VLANsfor each building in the area (one for wireless Web authentication and theother for wireless 802.1x authentication). This solution helps you locatewireless users to a specific building based on the VLAN, and enables wirelessuser isolation to prevent layer-2 broadcast packet attacks and ARP and DHCPspoofing attacks.

2. Thissolution also supports super VLANs based on the SSID, for example, one superVLAN separately for 802.1x authenticated student users, 802.1x authenticatedteacher users, Web authenticated student users, and Web authenticated teacherusers. This solution employs sub VLANs based on the area, building, and floorto control the scope of the broadcast domain.

1. Thecore RG-N18000 serves as the gateway and authentication NAS device on the wholenetwork:

l A maximum of 60,000 online dual-stack clients (a maximum of 90,000 onlineclients in theory) are supported in coordination with ED cards, and a maximumof 30,000 online clients are supported in coordination with DB cards or both ofED and DB cards.

l Web authentication, wired 802.1x authentication, and MABauthentication are simultaneously supported. Wireless 802.1x authentication isnot supported currently, because it needs to be deployed on the AC.

l Wireless 802.1x VLANs and AP management VLANs are configured asauthentication-free VLANs.

l As the core layer-2 gateway, the RG-N18000 can support the superVLAN function to perform aggregation gateway configurations for sub VLANs. Onesuper VLAN can be deployed for each area, for example, one super VLAN for theoffice area of the xx campus and one super VLAN for the student dormitory areaof the xx campus.

l The ARP proxy function is enabled on the super VLAN gateway of thecore device by default, to guarantee layer-3 communication between sub VLANsand decrease ARP flooding traffic.

l The port isolation function needs to be configured on the downlinkinterface of the core device, to prevent layer-2 broadcast between the sameVLANs in different areas. In addition, unused VLANs need to be pruned tominimize the broadcast domain.

2. The ACserves as wireless controller in fit mode to perform the basic wirelessconfigurations and simplistic network planning configurations:

l The basic wireless configuration mode is set to support centralizedforwarding or local forwarding.

l Wireless user isolation is configured to prevent an overlargewireless user broadcast domain in a VLAN.

l The ARP proxy function is disabled on the AC, so that the RG-N18000serves as the ARP proxy, to prevent failures in migration of wirelessauthenticated users.

l One super VLAN is configured for each area, for example, one superVLAN for the office area of the xx campus.

l Two sub VLANs are configured for the AP of each building, one forwireless Web authentication and the other for wireless 802.1x authentication.

l SSIDs are set based on the operator and authentication mode, forexample, SSID 1 for operator A - Web authentication, SSID 2 for operator A -802.1x authentication, SSID 3 for operator B - Web authentication, and SSID 4for operator B - 802.1x authentication.

3.2.1.2 Solution Topology

3.2.1.3 Recommended Scenario

The wireless simplistic network uses thewireless isolation solution.

3.2.2 VLAN/IP Planning

3.2.2.1 Planning Idea

l Configure one super VLAN for each area, for example, one super VLANfor the office area of the xx campus.

l Configure two sub VLANs for the AP of each building, one forwireless Web authentication and the other for wireless 802.1x authentication.

l Set SSIDs based on the operator and authentication mode, forexample, SSID 1 for operator A - Web authentication,SSID 2 for operator A - 802.1x authentication, SSID 3 for operator B - Webauthentication, and SSID 4 for operator B - 802.1x authentication.

l Reserve VLANs (30% or more) for each areafor further network change or expansion.

Reference templates:

Wired network VLAN/IP planning for thestudent dormitory area:

Location	AP Management VLAN	AP Management Segment	Gateway	Web Authentication Sub VLAN	802.1x Authentication Sub VALN	Super VLAN	Network Segment	Gateway	Web Authentication SSID	802.1x Authentication SSID
Building 1, student dormitory area	900	192.168.16.0/20	192.168.31.254	3001	3501	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 2, student dormitory area	900	192.168.16.0/20	192.168.31.254	3002	3502	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 3, student dormitory area	900	192.168.16.0/20	192.168.31.254	3003	3503	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 4, student dormitory area	900	192.168.16.0/20	192.168.31.254	3004	3504	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 5, student dormitory area	900	192.168.16.0/20	192.168.31.254	3005	3505	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 6, student dormitory area	900	192.168.16.0/20	192.168.31.254	3006	3506	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 7, student dormitory area	900	192.168.16.0/20	192.168.31.254	3007	3507	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 8, student dormitory area	900	192.168.16.0/20	192.168.31.254	3008	3508	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 9, student dormitory area	900	192.168.16.0/20	192.168.31.254	3009	3509	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 10, student dormitory area	900	192.168.16.0/20	192.168.31.254	3010	3510	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth
Building 10, student dormitory area	900	192.168.16.0/20	192.168.31.254	3011	3511	4201	172.16.64.0/20	172.16.79.254/20	web-auth	802.1x-auth

Configuration of Important Functions

4.1 RG-N18000 Configuration

4.1.1 Common Scenario — Gateway

4.1.1.1 [Mandatory] Gateway Mode

Principles:

Inthe simplistic network solution, the core device acts as the gateway of theentire network, and controls access authentication. Users can be normallyauthenticated and go online only after the authentication mode is set togateway authentication mode and dot1x or Web authentication is enabled.

Otherwise, when the number of 802.1x/Webauthenticated users reach about 2000, the system prompts that the TCAM table isfull and 802.1x/Web authentication is abnormal.

Incomparison to the conventional network, the simplistic network in gateway modehas the following features:

1. Anauthenticated client is automatically bound with a static ARP address on theRG-N18000.

2. TheRG-N18000 automatically enables the ARP proxy function on the SVI interface ofa super VLAN. The ARP proxy can be disabled on a sub VLAN. (Valid toauthenticated users)

3. TheRG-N18000 does not actively send ARP requests to a sub VLAN of a super VLANconfigured on an interface with authentication under control. Instead, theRG-N18000 actively sends ARP requests to authentication-free VLANs and commonVLANs.

4. Ingateway mode of the simplistic network, the ip source-guard command doesnot take effect.

Configuration commands:

auth-modegateway //Configured in global configuration mode.

Precautions:

Thiscommand takes effect only after it is configured and saved and the device isrestarted. After the device is restarted, run the show run command tocheck whether the configuration takes effect.

Configuration example

Configuration Steps	Set the authentication mode to the gateway authentication mode on the core gateway Switch A.
Switch A	SwitchA(config)#auth-mode gateway Please save config and reload system. SwitchA(config)#exit *Nov 7 10:13:27: %SYS-5-CONFIG_I: Configured from console by console SwitchA#reload Reload system?(Y/N)y SwitchA#
Verification	Run the show running command to check whether the configuration takes effect.
Switch A	SwitchA(config)#show running-config \| include auth-mode auth-mode gateway SwitchA#debug scc st ================== sccd server info ================= rdnd role : 2/2. ready notify : CLI LSM BRIDGE SS ACLK BRIDGE-READY TCPIP VFW aclk-socket info: async - 8, sync - 9, alive - 7. snd_cnt:692. rcv_cnt:692 data sync info : depend/ready(0x201e/0x201e) aclk(req:0) ss(req:0) mac(req:0) current scc mode: GATE MODE, new mode(GATE MODE). ability: 0x3f. offline-status : open, interval:6 min, threshold:0 bytes. station move : close. dot1x cpp : set. author mode:D1xAuthorMixed. proc status : svrid:75 todo-cnt:0 ret-cnt:0. max wait : client:9, cost:16(ms) max proc : client:11, svrid:72, tlvtype:105, ss-cnt:0, aclk-cnt:0 rv:0. cost:748(ms). cnt-stat : web-query-add-arp:[0], web-query-del-arp:[0]. : add-arp:[2], del-arp:[1]. : add-mac:[2], del-mac:[1].

4.1.1.2 [Mandatory] super VLAN

Principles:

The super VLAN technology is used toimplement flat layer 2 networks for gateways. Super VLAN is also called VLANaggregation. The aggregated VLAN range is called sub VLAN of the super VLAN. Asuper VLAN has the following features:

Each sub VLAN has the same functions ascommon VLANs. Different sub VLANs belong to different broadcast domains, andcannot access each other due to layer-2 isolation.

The SVI address of a super VLAN serves asthe gateway address of the sub VLAN of the super VLAN.

When a sub VLAN requires layer-3communication, the IP address of the virtual interface of the super VLAN isused as the gateway address for addressing and forwarding.

When sub VLANs need to access each other,the ARP proxy and ND proxy of the super VLAN need to be configured.

Note: When super VLANs and sub VLANs areconfigured in the simplistic network solution, super VLAN IDs are used only onSVIs, while sub VLAN IDs are used for AM rules, QinQ VLAN tag termination, anddirect VLANs that need the VLAN ID range.

Configuration commands:

vlan(supervlan) //Createa VLAN.

supervlan //Definethe VLAN as a super VLAN.

subvlan(subvlan-list) //Definethe sub VLAN range for the super VLAN.

name(supervlan-name) //Namethe super VLAN.

intvlan (supervlan) //Createthe gateway SVI for the super VLAN.

ipaddress (ip/netmask) //Definethe gateway address and mask.



Precautions:

An SVIand an IP gateway need to be configured for a super VLAN. Otherwise,communication is not supported between sub VLANs or between sub VLANs and otherVLANs.

The ARPproxy is enabled by default. If the ARP proxy is disabled on a super VLAN orsub VLAN, users of sub VLANs cannot perform inter-VLAN communication.

Configuration example

Configuration Steps	Configure a super VLAN on the core switch. (Omitted) On the access switch, configure common VLANs corresponding to sub VLANs of the core switch.
A	SwitchA#configure terminal Enter configuration commands, one per line. End with CNTL/Z. SwitchA(config)#vlan 2 SwitchA(config-vlan)#exit SwitchA(config)#vlan 10 SwitchA(config-vlan)#exit SwitchA(config)#vlan 20 SwitchA(config-vlan)#exit SwitchA(config)#vlan 30 SwitchA(config-vlan)#exit SwitchA(config)#vlan 2 SwitchA(config-vlan)#supervlan SwitchA(config-vlan)#subvlan 10,20,30 SwitchA(config-vlan)#exit SwitchA(config)#interface vlan 2 SwitchA(config-if-VLAN 2)#ip address 192.168.1.1 255.255.255.0 SwitchA(config)#interface range gigabitEthernet 0/1,0/5,0/9 SwitchA(config-if-range)#switchport mode trunk

Verification	Check whether the source device (192.168.1.10) and the destination device (192.168.1.60) can ping each other successfully.
A	SwitchA(config-if-range)# show supervlan supervlan id supervlan arp-proxy subvlan id subvlan arp-proxy subvlan ip range ------------ ------------------- ---------- ----------------- --------- 2 ON 10 ON 192.168.1.10 - 192.168.1.50 20 ON 192.168.1.60 - 192.168.1.100 30 ON 192.168.1.110 - 192.168.1.150

4.1.1.3 [Mandatory] Protected Port Isolation

Principles:

Thesimplistic network solution implements layer-2 user isolation by usingprotected ports. A protected port can prevent layer-2 forwarding within oneVLAN of the same switch. When ports are configured as protected ports,protected ports of the same VLAN cannot communicate with each other but aprotected port can normally communicate with a non-protected port.

Configuration commands:

switchportprotected //Configured in interface configuration mode.

Precautions:

N/A

Configuration example

Ruijie(config)#interfaceGigabitEthernet 0/1

Ruijie(config-if-GigabitEthernet0/1)# switchport protected

4.1.1.4 [Mandatory] Interface Index Uniqueness

Principles:

Theinterface index of each port is unique. You can run the show interfacecommand to display the Index field. After the device restarts, theinterface index of the device may change. As a result, the area divisionfunction of SAM+ will fail. It is recommended to enable the interface indexuniqueness function. After this function is configured, interface indexes arepermanently recorded by the device. They do not change even if the device isrestarted or a line card is removed and then inserted.

Configuration commands:

Ruijie(config)#snmp-server if-indexpersist //Enableinterface index uniqueness.

Precautions:

N/A

Configuration example

N/A

4.1.1.5 [Mandatory] Regular User Synchronization

Principles:

Some users on SAM+ may fail to go offlinenormally due to exceptions. For this, SAM+ automatically checks online userswith the NAS at 02:00 A.M. every day, to delete information about fake onlineusers.

Configuration commands:

snmp-server host (radiusip) informs version 2c (key) //ConfigureSNMP for communicating with SAM+.

Precautions:

Configurerelated information on SAM+.

Configuration example

N/A

4.1.2 Common Scenario — Address Management

4.1.2.1 [Mandatory] DHCP Snooping

Principles:

The DHCP snooping feature provides thefollowing functions in simplistic networks:

1. A simplistic networkadopts the flat layer-2 gateway architecture. DHCP snooping can prevent DHCPspoofing within the same VLAN of the DHCP downlink interface. (In theory, DHCPspoofing does not exist in the simplistic network solution and DHCP snoopingmainly provides layer-2 protection. In simplistic networks, port protectionneeds to be enabled on interfaces of the same VLAN on core devices and accessdevices, to isolate layer-2 broadcast domains and prevent DHCP spoofing.)

2. DHCP snooping provides IPaddress authorization for 802.1x authentication or MAC Address Bypass (MAB)Authentication by using a DHCP snooping table, provided that the AAA IPauthorization function is enabled, the dot1x valid-ip-acct enable and dot1xmac-auth-bypass valid-ip-auth commands are executed, and DHCP is configuredto dynamically assign IP addresses to authenticated users.

Configuration commands:

ip dhcpsnooping //Mandatory.The command is used for DHCP snooping and IP authorization for 802.1xauthentication.

ip dhcp snoopingcheck-giaddr //Mandatory. It is configured toprevent the RG-N18000 with DHCP snooping enabled from discarding DHCP relaypackets from aggregation devices.

ip dhcp snooping arp-detect //Optional.Enable fast ARP address reclaiming of DHCP snooping. The ARP address reclaimingis performed once per second during ARP aging and can be performed five timesat most.

interface gi2/3/8 //Optional.It is configured in scenarios in which the DHCP server is not deployed on theRG-N18000 and the DHCP server communicates with the RG-N18000 at layer 2.

description link-to-dhcpserver

ip dhcp snoopingtrust //Configure a DHCP trusted porton the layer-2 port of the interconnected DHCP server.

Precautions:

When the IP DHCP snooping feature isconfigured, the ip dhcp snooping check-giaddr command must be executed,so that the RG-N18000 with DHCP snooping enabled can process DHCP relay packetsfrom aggregation devices. The ip dhcp snooping check-giaddr command hasno drawbacks. Therefore, it is recommended to enable the command by default.

Configuration example

N/A

4.1.2.2 [Mandatory] Fast Address Reclaiming of DHCPSnooping

Principles:

Fast address reclaiming reclaims addressesof DHCP snooping entries rapidly, to prevent an overlarge DHCP snooping bindingtable caused by generation of multiple address entries by the same clientduring wireless user migration.

This function can be associated with the ARPmodule. When an ARP entry corresponding to an IP address in the DHCP snoopingtable is about to age, ARP detection is started. If no response is receivedwithin the detection count, the DHCP snooping entry of the IP address isdeleted.

Configuration commands:

ip dhcp snooingarp-detect //Optional. Enablefast ARP address reclaiming of DHCP snooping. The ARP address reclaiming isperformed once per second during ARP aging and can be performed five times atmost.

Precautions:

N/A

Configuration example

N/A

4.1.2.3 [Optional] DHCP Server

Principles:

Principles of a DHCP server in asimplistic network scenario are similar to those in a universal scenario.Identical parts of the principles are not described here.

Differences are as follows:

1. The recommended DHCPlease time is 2 hours. The purpose is to rapidly reclaim DHCP address resourcesthat are not in use, to prevent IP address resources of the gateway from beingfully occupied in areas with heavy traffic.

2. When the DHCP leaseperiod of the client expires or the RG-N18000 receives a DHCP release packet,the RG-N18000 kicks the client offline during authentication.

This prevents a problem that, when the DHCPserver assigns the IP address originally obtained by the client to a newclient, the IP address is still corresponding to the original client in theauthentication entry and stays in the online state, and the new client cannotbe authenticated.

Configuration commands:

DSW-18KX_LX(config)#ip dhcp pool4000 //Setthe DHCP address pool for the wired network in the dormitory area.

DSW-18KX_LX(dhcp-config)#lease 0 20 //Mandatory.Set the lease time to 2 hours.

DSW-18KX_LX(dhcp-config)#network172.16.0.0 255.255.240.0

DSW-18KX_LX(dhcp-config)#dns-server202.115.32.39 202.115.32.36

DSW-18KX_LX(dhcp-config)#default-router172.16.15.254

Precautions:

It is recommended to set the DHCP serverlease period to 2 hours.

When the DHCP lease period of the clientexpires or the RG-N18000 receives a DHCP release packet, the RG-N18000 kicksthe client offline during authentication.

It is recommended to set the period forno-traffic go-offline detection to be shorter than the lease period of DHCPserver.

Configuration example

N/A

4.1.2.4 [Optional] Fast Address Reclaiming ofDHCP Server

Principles:

Fast address reclaiming is configured toenable the DHCP server to detect whether a user is offline. If a user goesoffline and does not go online again within a period of time, the DHCP serverreclaims the IP address assigned to the user.

The principles are described as follows: TheDHCP server, based on IP addresses in the DHCP server table, conducts keepalivedetection via the ARP module. If identifying that a user goes offline and doesnot go online again within a period of time (5 minutes by default), the DHCP serverreclaims the IP address assigned to the user.

If the DHCP server function is configured onthe RG-N18000, the fast address reclaiming function is mandatory.

Configuration commands:

ip dhcp serverarp-detect //Enable fast address reclaimingof the DHCP server. If identifying that a user goes offline and does not goonline again within a period of time (5 minutes by default), the DHCP serverreclaims the IP address assigned to the user.

Precautions:

N/A

Configuration example

N/A

4.1.2.5 [Optional] AM Rules

Principles:

AM rules can be used to divide the DHCPaddress segment based on the VLAN+port of the RG-N18000, but the DHCP addresssegment must exist in the DHCP address pool. The address segment assigned byusing AM rules must be smaller than or equal to the DHCP address pool. Example:

DHCP address pool: network 192.168.0.0255.255.0.0

AM rule: match ip 192.168.1.0 255.255.255.0Gi5/3 vlan 1005

In the simplistic network environment, thegateway is deployed via super VLAN. Generally, the gateway is deployed in thefollowing manners:

Scenario 1 (AM rules not required): Sub VLANof each dormitory building or sub VLANs of some dormitory buildings form onesuper VLAN. The network segment corresponding to the gateway of the super VLANis small (for example, several type C addresses). Each super VLAN iscorresponding to one DHCP address pool. The network segments corresponding tothe IP addresses obtained by students are refined and easily managed.

Scenario 2 (AM rules not required): SubVLANs of the entire campus network form one super VLAN. The network segmentcorresponding to the gateway of the super VLAN is relatively large (forexample, several type B addresses). Each super VLAN is corresponding to oneDHCP address pool. The network segments corresponding to the IP addressesobtained by students are scattered and disordered and hard to manage. Theschool does not raise a requirement on provision of different policies on SAM+or egress based on source IP addresses, for example, Internet access areacontrol and PBR.

Scenario 3 (AM rules required): Sub VLANs ofthe entire campus network form one super VLAN. The network segmentcorresponding to the gateway of the super VLAN is relatively large (forexample, several type B addresses). Each super VLAN is corresponding to oneDHCP address pool. The network segments corresponding to the IP addressesobtained by students are scattered and disordered and hard to manage. Theschool requires refined management, and requires precise identification on userareas based on IP addresses, to implement requirements, for example, Internetaccess area control and PBR.

Scenario 4 (AM rules required): sub VLANs ofthe entire campus network form one super VLAN, and multiple secondary addressesare configured for the gateway of the super VLAN. In this scenario, AM rulesmust be configured. Otherwise, DHCP addresses cannot be assigned according tosecondary addresses. (By default, the DHCP software assigns only the networksegment to which the main gateway address belongs.)

Note 1: AMrules support the DHCP server and DHCP relay modes. In DHCP relay mode, the AMrules can be used only in scenario 4. The gateway has multiple secondaryaddresses. The AM rules are used to notify the DHCP server of the addresssegment to be used. In this scenario, the DHCP server must configure an addresspool for each secondary address of the RG-N18000. Otherwise, the AM rules donot take effect. Example:

Configuration of the RG-N18000: iphelper-address 1.1.1.1 (Configure the DHCP relay on the RG-N18000.)

int vlan 4000

ip add 192.168.1.1 255.255.255.0

ip add 192.168.2.1 255.255.255.0secondary

ip add 192.168.3.1 255.255.255.0secondary

AM rules: address-manage

match ip 192.168.1.0 255.255.255.0Gi5/3 vlan 1005

match ip 192.168.2.0 255.255.255.0Gi5/3 vlan 1006

match ip 192.168.3.0 255.255.255.0Gi5/3 vlan 1007

DHCP server: network 192.168.1.0255.255.255.0 //Multiple small address poolsare configured. The network segment of each address pool is corresponding tothe gateway address of one super VLAN.

network 192.168.2.0 255.255.255.0

network 192.168.3.0 255.255.255.0

Note 2:

1. AM rulesare in strict mode by default when enabled. AM rules are described as follows:

After an AM rule is created, when a clientrequests an IP address via the RG-N18000, the client whose DHCP packets do notmatch the AM rule will not be assigned an IP address. Pay attention to thiscase during network reconstruction.

When Internet access packets from a clienthaving a static IP address pass through the RG-N18000, if the static IP addressdoes not match the created AM rule, the packets are allowed to pass. When thestatic IP address matches the AM rule but does not match the specified networksegment, the client will fail the authentication and the Internet access willbe rejected.

If a network segment is divided intoexcessively small network segments according to the created AM rule in wirelessscenarios, IP addresses may not match the AM rule after wireless migration, andpackets are discarded, causing migration failures. For example, the IP addresssegment for wireless super VLAN 3000 is 172.18.0.0/16. Two AM rules areconfigured: 172.18.1.0/24 for sub VLAN 2001, and 172.18.2.0/24 for sub VLAN2002. When a client obtains an IP address in sub VLAN 2001 and then is migratedto sub VLAN 2002, because the original IP address does not match the AM rule ofsub VLAN 2002, the client needs to obtain a new IP address and be authenticatedbefore it can access the network.

2. (Optional)AM rules can be configured in loose mode, and are described as follows(recommended):

For DHCP packets matching an AM rule, IPaddresses in an address segment configured in the AM rule are assigned toclients. DHCP packets that match no AM rule can apply for addresses accordingto the conventional logic of the DHCP address pool. The DHCP packets are notdiscarded.

Packets from static IP addresses are notdiscarded.

Packets from user IP addresses that do notmatch the AM rules are not discarded during wireless migration.

Note3: The AMrule matching sequence is as follows:

More detailed AM rules are preferential formatching. In code implementation, AM rules containing the port parameters arematched with a higher priority. For example:

address-manage

match ip 192.168.1.0 255.255.255.0 vlan400

match ip 192.168.2.0 255.255.255.0Gi1/3 vlan 400(preferential for matching)

Configuration commands:

AM rules support VLAN-based andVLAN+port-based IP address assignment.

address-manage//Enable the addressmanagement function.

match ip 10.1.5.0 255.255.255.0 gi5/3vlan 1005//Configure VLAN+port-based IP address assignment.

match ip 10.1.6.0 255.255.255.0 vlan1006//Configure VLAN-based IP address assignment.

match ip default 172.16.128.0255.255.128.0//Assign IP addresses from the default address segment to clientsthat do not match the AM rule.

match ip loose//Configure the loosemode for the AM rule (recommended). For details, see the above-mentioned Note 2.

address-manage //Enableaddress management.

clear match ip//Access the addressmanagement configuration mode to disable AM rules globally.

Precautions:

When both the DHCP relay and AM rules areenabled, multiple small address pools must be configured on the DHCP server.

The strict mode is adopted by default afterAM rules are enabled on the RG-N18000. In this mode, no IP address is assignedto areas that do not match AM rules in the live network. Pay attention to thiscase during network reconstruction. It is recommended to configure the loosemode for AM rules.

VLANs configured in AM rules map to outersub VLANs in QinQ solutions and map to sub VLANs in access isolation solutions.

Configuration example

N/A

4.1.2.6 [Optional] Stateless IPv6 Address Acquisition

Scenario

The stateless IPv6 address acquisition ismainly applied on the layer-3 switch serving as the LAN user gateway. It isused when the IPv4/IPv6 dual-stack service needs to be enabled and users ofdownlink hosts need to access IPv6 resources. An IPv6 address contains up to128 bits, and therefore the configuration is complex, and errors are prone tooccur. It is expected that hosts can obtain IPv6 prefixes and gatewayinformation without configuration, and IPv6 plug-and-play can be implemented.In this case, the stateless IPv6 address assignment function can be enabled onthe user gateway, to assign IPv6 address prefixes and gateway information todownlink hosts.

In another case, a DHCPv6 server is deployedin a network, and IPv6 addresses and parameter information are assigned todownlink hosts in stateful mode. However, DHCPv6 is incapable of assigninggateway address information, lifetime, and other parameters. Therefore, thestateless IPv6 address assignment function needs to be enabled on the switch.

Currently, IPv6 addresses are mainly appliedto campus networks on a large scale, and are seldom used in other sectors.

Description

An IPv6 address consists of a prefix and a64-bit interface ID that is automatically generated from a 48-bit MAC addressand is usually called EUI-64 address.

The prefix of an IPv6 address identifies thenetwork between a host and a router. The prefix required by a host is actuallythe gateway prefix. A protocol can be run between the gateway switch and a hostto automatically obtain the prefix. The Router Solicitation and RouterAdvertisement (RA) of the Neighbor Discovery Protocol (NDP) can be used, wherethe former is used to discover a gateway and urge the gateway to send the RAcontaining the prefix to the host.

The RA contains the prefix, lifetime,default gateway, and other information. It cannot deliver the IPv6 address ofthe DNS server.

The RA function is disabled by default. Youcan run the no ipv6 nd suppress-ra command in interface configurationmode to enable it.

æ Network requirements

A customer requests that IPv6 prefixes beobtained in stateless mode and interface addresses be obtained according to theEUI-64, to form IPv6 addresses.

Obtaining IPv6 addresses in stateless modecan be easily configured.

The IPv6 protocol stack is enabled onWindows 7 clients by default. For Windows XP clients, run the IPv6 installcommand in the Run window to enable the IPv6 protocol and restart theclients.

æ Network topology

æ Configuration key points

1. Configure an IPv6 address on the core switch.

2. Enable the RA and O-bit flag on the user gateway.

3. Configure a DHCPv6 server and call it in interface configurationmode.

æ Configuration steps

1. Configurean IPv6 address for an interface and enable IPv6 on the interface.

Ruijie#conf t

Ruijie(config)#interfacegigabitEthernet 1/1

Ruijie(config-if-GigabitEthernet1/1)#no switchport

Ruijie(config-if-GigabitEthernet1/1)#ipv6 enable

Ruijie(config-if-GigabitEthernet1/1)#ipv6 address 2001:250:2003:2000::1/64 ------>Configurean IPv6 address for the interface.

2. Enablethe RA function on the interface, set the O-bit flag to enable the host toobtain DNS, domain name, and other information, and call the address pool.

Ruijie(config-if-GigabitEthernet1/1)#no ipv6 nd suppress-ra ------>Enable theRA function.

Ruijie(config-if-GigabitEthernet1/1)#ipv6 nd other-config-flag ----->Set the O-bit flag to enable thehost to obtain other information.

Ruijie(config-if-GigabitEthernet1/1)# ipv6 dhcp pool ruijie ----->Call the address pool in interfaceconfiguration mode.

3. Configurean IPv6 server, including the domain name, prefix, and DNS server.

Ruijie(config)#ipv6 dhcp poolruijie ----->Create an IPv6 address pool.

Ruijie(dhcp-config)#domain-name www.example.com.cn ----->Configurethe domain name to be assigned to the client.

Ruijie(dhcp-config)#dns-server2003::1 ----->Configurethe DNS server to be assigned to the client.

Ruijie(dhcp-config)#exit

æ Verification

Check the IPv6 address obtained by a client.

Note: In the figure above, another IPv6address is a temporary address automatically generated by the system. Theinterface address of the temporary address is randomly generated.

The probability of reconnecting to the localaddress by using the randomly derivative interface ID is very low. Therefore,clients running Windows Vista or Windows Server 2008 can send router requestsby using the derivative local address, without waiting for completion of theDuplicate Address Detection (DAD). This is called optimistic DAD. The routerdiscovery and DAD are performed simultaneously, which reduces time required forthe interface initialization process. In the generation of this temporaryaddress, however, data packets are sent to the network, which occupies networkresources, affects the network health, and hinders IPv6 user uniquenesscontrol. Therefore, it is recommended to disable this function. To do so, clickStart > Run. In the Run window, enter netsh, intipv6 and set privacy state=disable in sequence, as shown in thefigure below.

For more information about temporaryaddresses, see http://technet.microsoft.com/zh-cn/magazine/2007.08.cableguy.aspx.

4.1.2.7 [Optional] Stateful IPv6 Address AutomaticAcquisition

Network requirements

A switch is used as a DHCPv6 client, toobtain an IPv6 address from the DHCPv6 server, as well as the DNS serveraddress, domain name, and other network parameters.

Note: If a PC expects to obtain a dynamicIPv6 address, the host must has a DHCPv6 client.

Windows 7, Windows Vista, and Windows Server2008 each have a built-in DHCPv6 client.

Windows XP and Windows Server 2003 have nobuilt-in DHCPv6 client. Users need to install the DHCPv6 client or enable theIPv6 protocol stack.

Network topology

Configuration key points

1. Configure the RG-N18000 switch as the DHCPv6 server and set itsaddress to 2001::1/64.

2. Enable the DHCPv6 server to assign 2001::X/64 to the DHCPv6 client.

3. Set the address of the DNS server to 2003::1/64.

4. The domain name of the DHCPv6 client is www.example.com.cn.

Configuration steps

DHCPv6 server configuration:

1. Enablethe IPv6 routing function.

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#ipv6unicast-routing----->Enable the IPv6 routing function.

Ruijie(config)#end

2. Configure an IPv6 address for an interface and enable the IPv6function on the interface.

Ruijie#conf t

Ruijie(config)#

Ruijie(config)#interfacegigabitEthernet 1/24

Ruijie(config-if-GigabitEthernet1/24)#no switchport

Ruijie(config-if-GigabitEthernet1/24)#ipv6 address 2001::1/64 ----->Configure an IPv6address for the interface.

Ruijie(config-if-GigabitEthernet1/24)#ipv6 enable ----->Enablethe IPv6 function on the interface.

Ruijie(config-if-GigabitEthernet1/24)#end

3. Enablethe RA function and set the M-bit flag and O-bit flag.

a. The DHCPv6server does not assign a gateway address to the client. The RA function needsto be enabled on the device.

b. Set the managedaddress configuration flag bit in the RA packet to 1. This flag bitdetermines whether the host receiving the RA packet uses the stateful automaticconfiguration to obtain an IP address. By default, the flag bit is not set to 1in the RA packet.

c. Set the otherstateful configuration flag bit in the RA packet. This flag bit determineswhether the host receiving the RA packet uses the stateful automaticconfiguration to obtain information other than addresses. By default, the flagbit is not set to 1 in the RA packet.

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#interfacegigabitEthernet 1/24

Ruijie(config-if-GigabitEthernet1/24)#no ipv6 nd suppress-ra ----->Enable theRA function.

Ruijie(config-if-GigabitEthernet1/24)#ipv6 nd managed-config-flag----->Set the M-bit flag of the RA.

Ruijie(config-if-GigabitEthernet1/24)#ipv6 nd other-config-flag----->Set the O-bit flag of the RA.

Ruijie(config-if-GigabitEthernet1/24)#ipv6 nd prefix 2001::/64 no-autoconfig ----->Specify thatthe RA prefix cannot be used for stateless automatic configuration.

Ruijie(config-if-GigabitEthernet1/24)#end

4. Configurean IPv6 server, including the domain name, prefix, and DNS server.

Ruijie(config)#ipv6 dhcp poolruijie ----->Create an IPv6 address pool.

Ruijie(dhcp-config)#domain-namewww.example.com.cn ----->Configurethe domain name to be assigned to the client.

Ruijie(dhcp-config)#dns-server2003::1 ----->Configurethe DNS server to be assigned to the client.

Ruijie(dhcp-config)#iana-addressprefix 2001::/64 ----->Apply the IPv6prefix pool.

Ruijie(dhcp-config)#exit

5. Enable the DHCPv6 server function on the interface.

Ruijie(config)#interfacegigabitEthernet 1/24

Ruijie(config-if-GigabitEthernet1/24)#ipv6 dhcp server ruijie ----->Enable the IPv6 function onthe interface.

Ruijie(config-if-GigabitEthernet1/24)#end

Verification

1. Check information about the address pool of the DHCPv6 server.

Ruijie #show ipv6 dhcp pool

DHCPv6 pool: ruijie

IANA addressrange: 2001::1/64 -> 2001::FFFF:FFFF:FFFF:FFFF/64

preferredlifetime 3600, valid lifetime 3600

DNS server:2003::1

Domain name: www.example.com.cn

Information about the address pool of theDHCPv6 server shows the name of the DHCPv6 address pool, name of the prefix pool,DNS, and domain name.

2. Check the binding table on the DHCPv6 server.

Ruijie #sho ipv6 dhcp binding

Client DUID:00:03:00:01:00:1a:a9:15:46:e2

IANA: iaid100001, T1 1800, T2 2880

Address:2001::2

preferredlifetime 3600, valid lifetime 3600

expires atAug 25 2014 16:35 (3571 seconds)

The binding table shows the clientDUID and prefix.

3. Check information obtained from the DHCPv6 server.

Ruijie #show ipv6 dhcp interfacegigabitEthernet 5/1

GigabitEthernet 5/1 is in client mode

State is IDLE

next packet will be send in : 1744 seconds

List of known servers:

DUID: 00:03:00:01:14:14:4b:1b:54:6c

Reachable via address: FE80::1614:4BFF:FE1B:546D

Preference: 0

Configuration parameters:

IA NA: IA ID 0x186a1, T1 1800, T2 2880

Address: 2001::2

preferred lifetime 3600, valid lifetime 3600

expires at Jan 1 1970 7:38 (3544 seconds)

DNS server: 2003::1

Domain name: www.example.com.cn

Rapid-Commit:disable

4. Check the status of the IP address obtained by the interface.

Ruijie #show ipv6 int g5/1

interface GigabitEthernet 5/1 is Up,ifindex: 1

address(es):

Mac Address:00:1a:a9:15:46:e3

INET6:FE80::21A:A9FF:FE15:46E3, subnet is FE80::/64

INET6:2001::2 [ DEPRECATED ], subnet is 2001::/64

validlifetime 3526 sec

Joined group address(es):

FF01::1

FF02::1

FF02::2

FF02::1:FF00:2

FF02::1:FF15:46E3

MTU is1500 bytes

ICMP error messages limited toone every 100 milliseconds

ICMP redirects are enabled

ND DAD is enabled, number ofDAD attempts: 1

ND reachable time is 30000milliseconds

ND advertised reachable timeis 0 milliseconds

ND retransmit interval is 1000milliseconds

ND advertised retransmit intervalis 0 milliseconds

ND router advertisements aresent every 200 seconds<160--240>

ND router advertisements livefor 1800 seconds

4.1.2.8 [Optional] DHCPv6 Relay

Scenario

A dedicated DHCPv6 server running Windows2003 or 2008 is deployed in the network center to assign IPv6 address prefixesand network parameters to hosts in the campus network, to implement centralizedmanagement and maintenance. The DHCP relay function needs to be enabled on allIPv4/v6 dual-stack layer-3 switches, to forward packets between DHCPv6 clientsand the DHCPv6 server. In this way, DHCPv6 clients can obtain IPv6 addressesand configuration parameters even if the DHCPv6 clients and the DHCPv6 serverare not connected through local links.

In another case, a DHCPv6 server is deployedin the network, and IPv6 addresses and parameter information are assigned toclients in stateful mode. However, DHCPv6 is incapable of assigning gatewayinformation, lifetime, and other parameters. Therefore, the stateless IPv6address assignment function needs to be enabled on the switch, so that hostscan obtain gateway information.

Description

The DHCPv6 application model consists of theserver, client, and relay. The client and server obtain configurationparameters in request-response mode. The relay can transparently bridge clientsand the server that are not connected through local links. The packetinteraction and parameter maintenance of DHCPv6 are basically the same as thoseof DHCPv4, but DHCPv6 adjusts the packet structure and processing based on newnetworks.

æ Network requirements

User PCs are used as DHCPv6 clients toobtain IPv6 addresses from the DHCPv6 server running Windows 2008. After IPv6addresses are obtained, the PCs can ping the DHCPv6 server successfully. TheRG-N18000 serves as the DHCPv6 relay.

æ Network topology

æ Configuration key points

Complete the following configuration on theDHCPv6 server:

1. Configure an IPv6 address and gateway for the DHCPv6 server.

2. Configure scope information.

3. Configure log information.

4. Enable the IPv6 routing function on the DHCPv6 relay, create anIPv6 address, and configure the DHCPv6 relay.

æ Configuration steps

DHCP agent configuration:

1. Enable the IPv6 routing function.

Ruijie>enable

Ruijie#configure terminal

Ruijie(config)#ipv6 unicast-routing ----->Enablethe IPv6 routing function.

Ruijie(config)#end

2. Configure an IPv6 address for an interface of the DHCPv6 server andenable the IPv6 function on the interface.

Ruijie(config)#int g0/13

Ruijie(config-if-GigabitEthernet0/13)#no switchport

Ruijie(config-if-GigabitEthernet0/13)#ipv6enable ----->Enablethe IPv6 function on the interface.

Ruijie(config-if-GigabitEthernet0/13)#ipv6 address 2001::2/64 ----->Configure an IPv6 addressfor the interface.

Ruijie(config-if-GigabitEthernet0/13)#end

3. Create a VLAN for the DHCPv6 client and configure the VLAN on aninterface.

Ruijie(config)#vlan2

Ruijie(config-vlan)#exit

Ruijie(config)#int g0/14

Ruijie(config-if-GigabitEthernet0/14)#switchport mode access

Ruijie(config-if-GigabitEthernet0/14)#switchport access vlan 2

Ruijie(config-if-GigabitEthernet0/14)#end

Ruijie#

4. Configure the gateway IPv6 address for the DHCPv6 client and enablethe DHCPv6 relay function.

Ruijie#conf t

Ruijie(config)#interface vlan 2

Ruijie(config-if-VLAN 2)# ipv6address 2001:1::1/64

Ruijie(config-if-VLAN 2)# ipv6 enable

Ruijie(config-if-VLAN 2)#ipv6 ndprefix 2001:1::/64 no-autoconfig ----->Specify that the RAprefix cannot be used for stateless automatic configuration.

Ruijie(config-if-VLAN 2)# ipv6 dhcprelay destination 2001::1 ----->Configure the DHCPv6 relay and set itsnext hop to the interface of the server that is connected to the RG-N18000.

Ruijie(config-if-VLAN 2)# no ipv6 ndsuppress-ra ----->Enable the RAfunction.

Ruijie(config-if-VLAN 2)# ipv6 ndmanaged-config-flag ----->Set the M-bit flag of the RA.

Ruijie(config-if-VLAN 2)# ipv6 ndother-config-flag ----->Set the O-bitflag of the RA.

Ruijie(config-if-VLAN 2)# end

Enablingthe RA function and setting the M-bit flag and O-bit flag:

a. TheDHCPv6 server does not assign a gateway address to the client. The RA functionneeds to be enabled on the device.

b. Setthe managed address configuration flag bit in the RA packet to 1. Thisflag bit determines whether the host receiving the RA packet uses the statefulautomatic configuration to obtain an IP address. By default, the flag bit isnot set to 1 in the RA packet.

c. Set the otherstateful configuration flag bit in the RA packet. This flag bit determineswhether the host receiving the RA packet uses the stateful automaticconfiguration to obtain information other than addresses. By default, the flagbit is not set to 1 in the RA packet.

4.1.3 Common Scenario — Authentication-free Access

4.1.3.1 [Optional] Authentication-free VLAN

Principles:

Authentication-free VLANs enable users inthe specified VLANs to access the Internet without authentication.

The number of authentication-free VLANsis limited. Pay attention to the limit.

The number of authentication-free VLANscannot exceed 100 in consideration that performance resources are greatlyexhausted due to broadcast packet duplication in sub VLANs or in PE-CE VLANs.Countermeasures need to be taken to prevent the RG-N18000 from sendingexcessive ARP requests, which affects the CPU usage of the device and causesprotocol flapping (such as OSPF flapping), packet loss, and networkinterruption at a high probability. When the number of authentication-freeVLANs cannot meet service requirements, security channels are recommended. In asimplistic network, the ARP proxy function is enabled on the RG-N18000 servingas the network-wide gateway by default. Once ARP request scanning attacksoccur, the RG-N18000 acts a proxy to flood ARP packets to authentication-freeVLANs, resulting in great overhead in the CPU of the RG-N18000.

In a simplistic network, the following VLANsare usually configured as authentication-free VLANs (for reference only):

1. Special serviceVLANs (such as VLANs for all-in-one cards, video monitoring, and door statuscontrol systems, server VLANs, and other non-user VLANs)

2. NMS VLANs (switchNMS VLANs and wireless NMS VLANs)

3. VLANscorresponding to AC 802.1x authentication. Wireless 802.1x authentication mustbe carried out on the AC, and authentication exemption is required to avoidre-authentication.

4. Privilege userVLANs (such as VLANs for school principals and other directors).

If dumb clients (which do not activelysend ARP packets) exist on the network, such as printers of some types and doorstatus control systems, only authentication-free VLANs can be used to exemptauthentication. This is because the RG-N18000 does not actively send ARPrequest packets to sub VLANs and therefore cannot learn the ARP information ofthe dumb clients.

Configuration commands:

direct-vlan 400, 600,800-820 //Configure VLANs 400,600, and 800–820 as authentication-free VLANs. Users in these VLANs can accessthe network without authentication.

Note: The VLAN IDs used in the direct-vlancommand are IDs of sub VLANs.

Precautions:

Authentication-free VLANs are exempted onlyfrom checks related to access authentication, but still need to undergo checksspecified in security ACLs. If a specific user or VLAN is disallowed in asecurity ACL, the specific user or users in the specific VLAN cannot access thenetwork. For users in authentication-free VLANs to access the network withoutauthentication, ensure that the VLANs or users in the VLANs are not blocked byACLs.

The number of authentication-free VLANscannot exceed 100. Otherwise, the ARP proxy function may enable the RG-N18000to send excessive ARP packets, resulting in CPU overload of the RG-N18000.

Configuration example

N/A

4.1.3.2 [Optional] Authentication-free sites

Principles:

Beforeusers are authenticated, provide some site resources for users to log in ordownload data. This is called destination IP-based authentication exemption. Inthe simplistic network solution, this feature can be usually applied to:

1. Downloadthe SU client and exempt the download server from authentication.

2. Providepublic authentication-free resources in a campus network.

3. Allowunauthenticated users to access the portal server and enable the portal serverto direct to the authentication page. (In the current version, users candirectly access the portal server without authentication after the Webauthentication template is configured.)

Configuration commands:

http redirectdirect-site x.x.x.x [Mask is optionally configured.] //Configuredin global configuration mode. The server with the address x.x.x.x. isconfigured as an authentication-free site.

Precautions:

Amaximum of 50 authentication-free site entries can be configured.

Configuration example

N/A

4.1.3.3 [Optional] Source IP-based authenticationexemption

Principles:

Authentication-freesource IP addresses can be configured, so that users with the specified sourceIP addresses can access the Internet without authentication.

Theapplication scenario is similar to that of authentication-free VLANs. Thedifference lies in that authentication is exempted based on differentdimensions, and can be performed as required.

Configuration commands:

web-authdirect-host x.x.x.x [The mask isoptional.] //Configured in globalconfiguration mode. The source IP address of x.x.x.x. is used as anauthentication-free site.

Precautions:

Amaximum of 1000 authentication-free entries can be configured (the totalmaximum number of entries that can be configured for both authentication-freesource addresses and security channels is 1000).

Configuration example

N/A

4.1.3.4 [Optional] Security channels

Principles:

1. Thesecurity channel can invoke ACLs and is configured globally or based on ports,enabling ACL-based authentication exemption. ACLs support flexible ACEs.Therefore, the security channel can be used to accurately controlauthentication-free user groups by allowing packets with the specifiedsource/destination MAC address, source/destination IP address, or the protocolID above layer 4 without authentication. The security channel further avoidsexcessive CPU usage caused by ARP packets as in the authentication-free VLANfeature, and therefore is recommended.

2. Thesecurity channel must be configured on an interface or globally. If it isconfigured on both the interface and globally, the priority sequence is asfollows: interface > global.

3. Anexcluded interface of the security channel is optional. After an excludedinterface is configured, the global security channel is invalid to thisexcluded interface.

5. Themaximum number of entries that can be configured is 1000 for ED and EF cardsand 100 for DB cards (the total maximum number of entries that can beconfigured for both authentication-free source addresses and security channelsis 1000). If the ED and DB cards are both used, the entry capacity may bereduced to 100.

Configuration commands:

ACL-relatedconfiguration is omitted here.

security global access-group {acl-id | acl-name } //Applya security channel in global configuration mode.

security access-group {acl-id | acl-name } //Applya security channel in interface configuration mode.

security uplink enable//Configure asecurity channel excluded port in interface configuration mode. The globalsecurity channel does not take effect on this interface.

Precautions:

An ACLuses the permit statement to set the authentication-free entry, and uses thedeny statement to block an entry.

Ifthe security channel is configured on both an interface and globally, thepriority sequence is as follows: interface > global.

Inan environment with only 802.1x authentication, this command is required toallow critical protocol packets such as ARP and DHCP packets.

Ruijie(config)# expert access-listextended 2700

Ruijie(config-exp-nacl)#10 permit arpany any any any any

Ruijie(config-exp-nacl)#20 permit udpany any any any eq bootpc

Ruijie(config-exp-nacl)#30 permit udpany any any any eq bootps

Ruijie(config)# security globalaccess-group 2700

Configuration example

æ Scenario

Configuration Steps:

Configure an Expert extended ACL namedexp_ext_esc.

Add an ACE to the ACL to allow thedestination host 10.1.1.2.

Add an ACE to the ACL to allow DHCP packets.

Add an ACE to the ACL to allow ARP packets.

On the interface of the 802.1xauthentication controlled area, configure the ACL exp_ext_esc as a securitychannel.

Runthe following commands on SW1:

sw1(config)#expert access-listextended exp_ext_esc

sw1(config-exp-nacl)# permit ip anyany host 10.1.1.2 any

sw1(config-exp-nacl)# permit 0x0806any any any any any

sw1(config-exp-nacl)# permit udp anyany any any eq 67

sw1(config-exp-nacl)# permit udp anyany any any eq 68

sw1(config)#int gigabitEthernet 0/1

sw1(config-if-GigabitEthernet 0/1)#security access-group exp_ext_esc

Verification:

Ona client of the Sales Department, ping the server of the Sales Department andcheck whether the ping operation is successful.

Onclients of R&D Department 1 and R&D Department 2, ping the server of theSales Department and check whether the ping operations are successful.

sw1#show access-lists

expert access-list extendedexp_ext_esc

10 permit ip any any host 10.1.1.2any

20 permit arp any any any any any

30 permit tcp any any any any eq 67

40 permit tcp any any any any eq 68……

sw1#show running-config interfacegigabitEthernet 0/1

Building configuration...

Current configuration : 59 bytes

interface GigabitEthernet 0/1

security access-group exp_ext_esc

4.1.3.5 [Optional] Free-DNS (Fee Evasion Prevention)

Principles:

Aftercontrol of Web authentication and 802.1x authentication is enabled oninterfaces of the RG-N18000, all DNS packets are allowed to pass before userauthentication by default (Web authentication allows DNS packets as specified inthe protocol while 802.1x authentication allows DNS packets by using securechannels). Based on the vulnerability of allowing DNS packets prior toauthentication, the fee evasion software in the market encapsulates all packetsinto DNS packets, to implement Internet access without paying fees. Thefree-DNS mode can be configured to select DNS packets that are allowed to passprior to authentication, so as to prevent user fee evasion.

Configuration commands:

1. Configurethe free-DNS mode.

free-dns ip-address ip-mask
2. Deletethe free-DNS mode.

no free-dns ip-address ip-mask
3. Precautions:

Free-DNSis valid only before user authentication. All DNS packets are allowed to passafter user authentication.

4. Configurationexample

N/A

4.1.4 Common Scenario — Authentication

4.1.4.1 [Optional] 802.1x Authentication

Principles:

Authenticationroles are described as follows:

Client:Ruijie SU client or an open-source client.

NAS:controls the network connection status of a client based on its currentauthentication status. The device serves as an agent between clients and thesever. It request usernames from clients, checks the authentication informationfrom the server, and forwards the information to the clients.

RADIUSserver: corresponding to Ruijie SAM+ system, which provides the authenticationservice for users.

Thefigure below shows the authentication flow.

Configuration commands:

aaa new-model//Enable the AAAfunction.

aaa accounting network (listname) start-stop group(group name) //AAAreference configuration. The actual service deployment prevails.

aaa authentication dot1x (listname) group (group name)//802.1x template reference configuration forAAA. The actual service deployment prevails.

aaa authentication login default local //Usethe local username/password to log in to the AAA device.

aaa group server radius (groupname) //Configurean AAA server group, which is applicable to multi-RADIUS scenarios.

server (radiusip)//Configure an AAA server group, which is applicable to multi-RADIUSscenarios.

radius-server host (radiusip) key 7 (radius key) //Configure the IP address and key forthe AAA server, which are applicable to single-RADIUS scenarios.

aaa accounting update periodic30 //Set the interval forAAA accounting update to 30s.

aaa accountingupdate //Configure AAA accounting update.

aaa authorization ip-auth-modemixed //Set the IP address authorization mode of 802.1xclients to the mixed mode. The IP addresses can be obtained via polling inmultiple ways (DHCP/RADIUS).

no aaa logenable //Disable the AAA log function.

dot1x valid-ip-acctenable//Mandatory. The accounting update packets are used to upload the user IPaddress to SAM+. If the 802.1x authentication module does not have IP entriesof the user, the user is forced to go offline 5 minutes later, to preventusers at the IP address 0.0.0.0 on SAM+. The configuration of this command willdrop users out of the network. It is not recommended to run this command in servicepeak hours.

dot1x accounting (listname) //Optional. This command is required whenthe 802.1x accounting list name for AAA is not set to default.

dot1x authentication (listname) //Optional. This command is required whenthe 802.1x authentication list name for AAA is not set to default.

interface range GigabitEthernet0/2-3 //Configure the interface for enabling 802.1xauthentication.

dot1xport-control auto//Enable 802.1x authentication on the interface.

snmp-server host x.x.x.x(server IPaddress) informs version 2c xx(community name)

snmp-server community xx(communityname) rw

Precautions:

Thelist name configured in aaa authentication dot1x (list name) group(group name) should be consistent with that in dot1x authentication(list name).

Whenonly 802.1x authentication is enabled on an interface, security channels mustbe configured to allow DHCP packets to pass. Otherwise, users cannot obtain IPaddresses. For specific configuration, see the security channel configuration.

Configuration example

Scenario

Configuration Steps	Register the IP address of the device with the RADIUS server and configure the key for the device to communicate with the server. Create an account on the RADIUS server. Enable AAA on the device. Configure RADIUS parameters on the device. Enable 802.1x authentication on interfaces of the device. The following shows relevant configurations on the device. For the configurations of the server, see the server configuration guide.
	ruijie# configure terminal ruijie (config)# aaa new-model ruijie (config)# aaa accounting network radius start-stop group default ruijie (config)# aaa authentication dot1x radius group default ruijie (config)# aaa authentication login default local ruijie (config)# aaa accounting update periodic 30 ruijie (config)# aaa accounting update ruijie (config)# aaa authorization ip-auth-mode mixed ruijie (config)# no aaa log enable ruijie (config)# radius-server host 192.168.32.120 key 7 ruijie ruijie (config)# interface FastEthernet 0/1 ruijie (config-if)# dot1x port-control auto

Verification	Test whether authentication can be performed normally and whether network access behavior changes after authentication. Create an account on the server, for example, username:test,password:test. An unauthenticated client fails to ping 192.168.32.120. Start Supplicant on the client and enter the username for authentication. After the client is authenticated, it can ping 192.168.32.120 successfully.

4.1.4.2 [Mandatory] Web Authentication

Principles:

Auser opens the Internet Explorer (IE) and accesses a website to initiate anHTTP request.

TheNAS intercepts the HTTP request from the client, and forcibly forwards the HTTPrequest to the portal server. It also adds some relevant parameters to theportal URL. For the parameters, see CHAP authentication.

Theportal server pushes the Web authentication page to the client.

Theuser enters the username and password on the authentication page and submitsthem to the portal server.

Theportal server sends the username and password to the NAS to initiateauthentication.

TheNAS sends the username and password to the RADIUS server, which checks whetherthe user is valid and returns the Radius access-accept/reject message to theNAS.

TheNAS returns the authentication result to the portal server.

Theportal server pushes the authentication result page to the user based on theauthentication result.

Theportal server notifies the NAS that the authentication result packet has beenreceived.

TheNAS sends the accounting start packet.

Note:Web authentication acceleration supports direct access to the portal page forauthentication, without redirection.

Differencefrom the 1st-generation portal: The authentication is completed by the NAS andRADIUS server, which greatly reduces the load of the portal server.

Insimplistic network environments, static ARP addresses are automatically boundafter Web authentication succeeds, which is different from that in conventionalsolutions.

Configuration commands:

aaanew-model //Enable the AAA function.

aaa accounting network (listname) start-stop group(groupname) //AAA reference configuration. Theactual service deployment prevails.

aaa authentication web-auth (listname) group(groupname) //Webauthentication template reference configuration for AAA. The actual servicedeployment prevails.

aaa authentication login defaultlocal //Use the local username/password tolog in to the AAA device.

aaa group server radius (groupname) //Configurean AAA server group, which is applicable to multi-RADIUS scenarios.

server (radiusip) //Configurean AAA server group, which is applicable to multi-RADIUS scenarios.

radius-server host (radiusip) key 7 (radiuskey) //Configure the IP address andkey for the AAA server, which are applicable to single-RADIUS scenarios.

aaa accounting update periodic30 //Set the interval forAAA accounting update to 30s.

aaa accountingupdate //ConfigureAAA accounting update.

aaa authorization ip-auth-modemixed //Set the IP address authorization mode of 802.1xclients to the mixed mode. The IP addresses can be obtained via polling inmultiple ways (DHCP/RADIUS).

no aaa logenable //Disable the AAA log function.

web-auth templateeportalv2 //Create a Webauthentication template.

ip 202.204.193.32 //Setthe IP address of the portal server.

url http://202.204.193.32/eportal/index.jsp //Setthe URL of the portal server.

authentication (listname) //Optional. This command is required whenthe authentication list name for AAA is not set to default.

accounting (listname) //Optional. This command isrequired when the accounting list name for AAA is not set to default.

web-auth portal keyuniversity //Optional. Configure the key.

interface range GigabitEthernet0/2-3 //Configure the interface for enabling Webauthentication.

web-authenableeportalv2 //Enable Web authentication on the interface.

web-authvlan-control 2000-3000 //Enable VLAN-basedWeb authentication control. This command is used in a scenario in which both802.1x authentication and Web authentication are enabled on the same port ofthe RG-N18000, and some VLANs need to support only 802.1x authenticationcontrol. Such VLANs can be excluded from the Web authentication VLAN range.

snmp-server host x.x.x.x(server IP address) informsversion 2c xx(community name)

snmp-server community xx(communityname) rw

Precautions:

TheAAA method list must be consistent with the Web authentication method list.

Configuration example

Scenario

Configuration Steps	Register the IP address of the device with the RADIUS server and configure the key for the device to communicate with the server. Create an account on the RADIUS server. Enable AAA on the device. Configure RADIUS parameters on the device. Enable Web authentication on interfaces of the device. The following shows relevant configurations on the device. For the configurations of the server, see the server configuration guide.
	ruijie# configure terminal ruijie (config)# aaa new-model ruijie (config)# aaa accounting network radius start-stop group default ruijie (config)# aaa authentication web-auth radius group default ruijie (config)# aaa authentication login default local ruijie (config)# aaa accounting update periodic 30 ruijie (config)# aaa accounting update ruijie (config)# no aaa log enable ruijie (config)# radius-server host 192.168.32.120 key 7 ruijie ruijie (config)# web-auth template eportalv2 ruijie (config)# ip 202.204.193.32 ruijie (config)# urlhttp://202.204.193.32/eportal/index.jsp ruijie (config)# interface FastEthernet 0/1 ruijie (config-if)# web-auth enable eportalv2 snmp-server host 192.168.21.120 informs version 2c xx (community name) snmp-server community XX(community name) rw

Verification	Test whether authentication can be performed normally and whether network access behavior changes after authentication. Create an account on the server, for example, username:test,password:test. An unauthenticated client fails to ping 192.168.32.120. The client browser automatically redirects to the Web authentication page. Enter the username for authentication. After the client is authenticated, it can ping 192.168.32.120successfully.

4.1.4.3 [Mandatory] AAA IP Authorization

Principles:

802.1xauthentication and MAB authentication do not support IP address identification.Ruijie extends the authentication application, which supports MAC+IP binding.This function is called IP authorization. There are four IP authorizationmodes:

SUauthorization: IP addresses are provided by the Supplicant. This mode needs tobe used in combination with Ruijie Supplicant.

RADIUSauthorization: IP addresses are delivered to the device by the RADIUS serverafter clients are authenticated.

DHCP-serverauthorization: An authenticated client initiates a DHCP request to obtain an IPaddress. After an IP address is obtained, the system binds the IP address withthe MAC address of the client. This mode is applicable to dynamic IP environments.

Mixedauthorization: The system performs MAC+IP binding for authenticated clients inthe sequence of Supplicant authorization, RADIUS authorization, and DHCP-serverauthorization. If the Supplicant provides an IP address, the authenticatedclient uses it preferentially; if the Supplicant does not provide an IPaddress, the IP address provided by the RADIUS server is used; if the RADIUSserver does not provide an IP address, the IP address provided by the DHCPserver is used.

Note:Mixed authorization is recommended to all scenarios.

Configuration commands:

aaa authorizationip-auth-mode mixed//Configured in global configuration mode.

Precautions:

The configuration of this command is irrelevant to whether IPaddresses can be uploaded to SAM+. The functions of this command are asfollows: If no IP address is authorized to a user, there is no entry of the IPaddress and the user cannot be charged or brought offline upon no traffic. Thiscommand can be used in combination with valid ip acct to bring users whodo not meet authorization configuration requirements offline.

Configuration example

N/A

4.1.4.4 [Optional] MAB Authentication

Principles:

MABauthentication, one of the main authentication modes in the simplistic networksolution, is applicable to wireless users in office areas of campus networks.With the MAB authentication model and high-performance authenticationprocessing capacity of the RG-N18000, MAB authentication enables the RG-N18000to learn the MAC address of a client when the client accesses the network, sothat teachers do not need to repeatedly entering their usernames and passwordswhen using wireless clients for Web authentication, to prevent deterioratinguser experience. The RG-N18000 uses the MAC address of the client as theusername and password to send an authentication request to SAM+ to complete theauthentication as a proxy. The user cannot perceive the authentication in thisprocess.

Thefollowing is the MAB authentication process:

Enablethe client MAB authentication on SAM+ by accessing the access controldirectory.

AfterWeb authentication succeeds for the first time, a user can select MABauthentication on the authentication success page.

Whenthe user chooses to enable MAB authentication, the MAC address of the userclient is registered with SAM+.

Afterthe client connects to the network, the RG-N18000 serving as a NAS, identifiesthe MAC address of the client, and uses the MAC address as the username andpassword to initiate authentication to SAM+.

SAM+determines validity of the MAC address and returns the authenticationsuccess/failure message to the NAS.

Ifthe authentication is successful, the NAS sends the accounting start packet.

Configuration commands:

Note:MAB authentication takes effect only after each user is WEB authenticated forthe first time. In addition, MAB authentication belongs to the 802.1xauthentication system. Therefore, both Web authentication and 802.1x authenticationneed to be configured for MAB authentication.

æ Configuring global AAA parameters

aaanew-model //Enable the AAA function.

aaa accounting network (listname) start-stop group(groupname) //AAA reference configuration. Theactual service deployment prevails.

aaa authentication dot1x (listname) group (groupname) //802.1xtemplate reference configuration for AAA. The actual service deploymentprevails.

aaa authenticationweb-auth (list name) group(groupname) //Webauthentication template reference configuration for AAA. The actual servicedeployment prevails.

aaa authentication login defaultlocal //Use the local username/password tolog in to the AAA device.

aaa group server radius (groupname) //Configurean AAA server group, which is applicable to multi-RADIUS scenarios.

server (radiusip) //Configurean AAA server group, which is applicable to multi-RADIUS scenarios.

radius-server host (radiusip) key 7 (radius key) //Configurethe IP address and key for the AAA server, which are applicable tosingle-RADIUS scenarios.

aaa accounting update periodic30 //Set the interval forAAA accounting update to 30s.

aaa accounting update //ConfigureAAA accounting update.

no aaa logenable //Disable the AAA log function.

æ Configuring 802.1x parameters and enabling 802.1x authentication onthe interface

dot1x accounting (listname) //Optional. This command is required whenthe 802.1x accounting list name for AAA is not set to default.

dot1x authentication (listname) //Optional. This command is required whenthe 802.1x authentication list name for AAA is not set to default.

interface range GigabitEthernet 0/2-3 //Configurethe interface for enabling 802.1x authentication.

dot1x port-control auto//Enable802.1x authentication on the interface.

æ Configuring Web authentication parameters and enabling Webauthentication on the interface

web-auth template eportalv2

ip 202.204.193.32 //Setthe IP address of the portal server.

url http://202.204.193.32/eportal/index.jsp //Setthe URL of the portal server.

authentication (listname) //Optional. This command is required whenthe authentication list name for AAA is not set to default.

accounting (listname) //Optional. This command isrequired when the accounting list name for AAA is not set to default.

web-auth portal key university //Optional.Configure the key.

interface range GigabitEthernet0/2-3 //Configure the interface for enabling Webauthentication.

web-auth enable eportalv2////EnableWeb authentication on the interface.

æ Configuring MAB authentication parameters and enabling MABauthentication on the interface

aaa authorization ip-auth-modemixed //Mandatory. Set the IP address authorization modeof 802.1x clients to the mixed mode. The IP addresses can be obtained viapolling in multiple ways (DHCP/RADIUS).

ip dhcpsnooping //Mandatory.An IP address needs to be obtained via the DHCP snooping module for MABauthentication. Otherwise, a user with the IP address of 0.0.0.0 appears onSAM.

dot1x mac-auth-bypassvalid-ip-auth //Mandatory.The DHCP module instructs the MAB module to start authentication. Clients mustobtain IP addresses before starting MAB authentication. Otherwise, the MABauthentication is blocked to prevent clients with the IP address of 0.0.0.0 onSAM+. The configuration of this command will drop users out of the network. Itis not recommended to run this command in service peak hours.

dot1x valid-ip-acctenable //Mandatory.The accounting update packets are used to upload the user IP address to SAM+.If the 802.1x authentication module does not have an IP entry of the user, theuser is kicked offline 5 minutes later, to prevent users at the IPaddress 0.0.0.0 on SAM+. The configuration of this command will drop users outof the network. It is not recommended to run this command in service peakhours.

dot1x mac-auth-bypassmulti-user //Mandatory.Enable MAB authentication on the interface.

dot1x mac-auth-bypassvlan (vlan-list) //Optional.Configure this command in interface configuration mode to enable VLAN-based MABauthentication.

dot1x multi-mab quiet-period0 //Optional.Configure the quiet period for MAB authentication. In this period, after aclient fails the authentication, MAB authentication cannot be restarted beforethe MAC entry of the client ages on the RG-N18000. In this way, SAM+ does notgenerate logs of users who are not registered with SAM+. However, after failingthe MAB authentication at the first time, the client needs to wait for its MACentry on the RG-N18000 to age before it can trigger MAB authentication again.Configure this function as required.

Precautions:

MABauthentication takes effect only after relevant configurations are completed onSAM+. For details, see MAB authentication configuration in "SAM+Configuration".

MABauthentication takes effect only after it is selected on the authenticationpage.

MABauthentication takes effect after a client is MAB authenticated for the firsttime.

MABauthentication supports only dynamic DHCP users. It does not support static IPusers. The RG-N18000 transfers IP addresses from the DHCP snooping module toSAM+, and therefore information about static IP users does not exist in theDHCP snooping module.

802.1xauthentication has a higher priority than MAB authentication. Therefore, if aclient is MAB authenticated and then uses the client software to perform 802.1xauthentication, the MAB authentication entry will be deleted.

AfterMAB authentication is enabled, avoid configuring User Preemption orsetting Concurrent Logins Limit to 1. Otherwise, two clientsusing the same username will preempt a MAB authentication resource and bedropped out of the network.

Configuration example

Seedescription about the configuration commands.

4.1.4.5 [Optional] MAB Authentication

Principles:

MABauthentication, one of the main authentication modes in the simplistic networksolution, is applicable to wireless users in office areas of campus networks.With the MAB authentication model and high-performance authenticationprocessing capacity of the RG-N18000, MAB authentication enables the RG-N18000to learn the MAC address of a client when the client accesses the network, sothat teachers do not need to repeatedly entering their usernames and passwordswhen using wireless clients for Web authentication, to prevent deterioratinguser experience. The RG-N18000 uses the MAC address of the client as theusername and password to send an authentication request to SAM+ to complete theauthentication as a proxy. The user cannot perceive the authentication in thisprocess.

Thefollowing is the MAB authentication process:

Enablethe client MAB authentication on SAM+ by accessing the access controldirectory.

AfterWeb authentication succeeds for the first time, a user can select MABauthentication on the authentication success page.

Whenthe user chooses to enable MAB authentication, the MAC address of the userclient is registered with SAM+.

Afterthe client connects to the network, the RG-N18000 serving as a NAS, identifiesthe MAC address of the client, and uses the MAC address as the username andpassword to initiate authentication to SAM+.

SAM+determines validity of the MAC address and returns the authenticationsuccess/failure message to the NAS.

Ifthe authentication is successful, the NAS sends the accounting start packet.

Configuration commands:

Note:MAB authentication takes effect only after each user is WEB authenticated forthe first time. In addition, MAB authentication belongs to the 802.1xauthentication system. Therefore, both Web authentication and 802.1xauthentication need to be configured for MAB authentication.