Back
Home> Support> Technical Documents>

Ruijie RG-EG Implementation Cookbook (V1.0)

2020-02-15 View: 10046
Catalog
11.x项目配置指南模板

       Basic Function Configuration

        

4.1       WAN Load Balance

The load balancing function distributes the data to multiple WAN interfaces to avoid the traffic congestion and provide redundancy.

Network Topology

Configuration Key Points

 

1.      Configure IP address of the WAN ports and default routes.

2.      Enable the load balancing policy.

3.      Customize interface weight to ensure that traffic goes through the different egress according to weight.

Configuraiton Steps

Step 1: Configure WAN 0

 

 

Step 2: Change the LAN1 port to WAN port

 

Step 3: Configure WAN 1

Step 4: Enable Load Balance

Step 5: Configure the interface weight

Configuration Verfication

4.2       DHCP Configuration

Step 1-Turn on ‘DHCP’ service in ‘Network-DHCP’.

Step 2-Click ‘Add DHCP’.

Step 3-Set necessary configuration, such as ‘DHCP Pool Name’, ‘Subnet’ and so on. Then click ‘Save’.

NoteYou can also set option 43 or 138 for wireless AP getting AC’s IP address here.

Step 4-Set ‘Excluded Address Range’ to retain some IP address for servers or others if necessary.

Step 5-Test it, clear your PC IP address and change IP address getting way to automatic getting. Click ‘User List’, if your operation is effective, you will see your PC in this list.

Added StepIf you want to give some terminals designated IP addresses from DHCP pool every time, you can configure ‘Static IP Address’ for them.

 

Ø  Use CLI configure DHCP

Command is as follow

Ruijie>enable

Ruijie#configure  ter

Ruijie(config)#service dhcp ------>Set DHCP service enable.

Ruijie(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10 ------>Retain 192.168.1.1-192.168.1.10.

Ruijie(config)#ip dhcp pool Test ------>Creat a DHCP pool named ‘Test’.

Ruijie(dhcp-config)#lease 0 1 0------> Set lease time’0 1 0’ means 0 day1 hour0 minute. Default lease time is 24 hours.

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 ------>Set IP address section for DHCP pool.

*The following is static IP distribution in DHCP.

Ruijie(dhcp-config)# hardware-address 0026.b90b.a48a    ------>Set terminal MAC address as ‘0026.b90b.a48a’.

Ruijie(dhcp-config)# host 192.168.1.150  255.255.255.0  ------>Set static IP and Mask.

*The above is static IP distribution in DHCP.

 

Ruijie(dhcp-config)#dns-server 192.168.58.110  8.8.8.8------>192.168.58.110 is major DNS server8.8.8.8 is backup.

Ruijie(dhcp-config)#default-router 192.168.1.1  ------>Set gateway IP address.   

Ruijie(dhcp-config)#end

Ruijie#write         ------>Save configuration.

 

4.3       DNS Configuration

Ø  Regular Configuration

Choose ‘Network’, choose ‘DNS Settings’, click ‘DNS Server’, add DNS server and save.

Ø  DNS Proxy

1. Working Principle

If you turn on DNS proxy, EG LAN port will intercept DNS message. Replace destination DNS server IP address with others which have been configured in WAN port. And then send the message to that new DNS server. That case, terminal will associate to the new DNS server.

2. Effect

A. Realize load balance. When a link has loaded heavily, LAN port can intercept the message which destination DNS server is in that link. And then replace destination with other DNS server not in that link.

B. Users can set DNS server in his PC freely. If a user set a wrong DHCP IP address, LAN port can intercept the message and replace it with a right destination.

C. Detect faulty actively and switch to a new available DNS sever.

3. Operation Steps

Step 1- Choose ‘Network’, choose ‘DNS Settings’, click ‘DNS Proxy’, choose ‘Basic Settings’.

Step 2-Choose your intranet gateway to intercept DNS message. (Take Gi0/0 as an example)

Step 3-Choose your extranet port (Take Gi0/6 as an example), and input correct DNS server IP address.The first one is master server, the second one is backup server. And then click ‘Save’.

Step 4-You can change DNS server IP address in your computer to test if you can succeed to access other websites.

Step 5-Add IP address into ‘DNS Whitelist’. This way, DNS proxy will not have an influence on these IP/IP range. DNS whitelist effect is as the following picture.

NoteIt is necessary to set nexthop IP address in WAN port (Except getting IP address by dialer and DHCP). For example, if Gi0/7 port needs to be set DNS proxy, you should set nethop IP address xxx.xxx.xxxx.xxx in Gi0/7.

Ø  DNS Blacklist

Add IP address into ‘DNS blacklist’. This way, DNS proxy will intercept DNS response packet, and discard it. Generally speaking, this function can prevent users from some malicious website attack.

4.4       Behavior Policies

4.4.1      Basic Settings

4.4.1.1      Enabling of All Audit Functions

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.      Users in the LAN business security group (192.168.1.2 to 192.168.1.100) are prohibited from accessing the Internet.

Configuration Key Points

Enable all audit functions on Basic Settings.

Configuration Steps

Choose Flow > Behavior Policy > Basic Settings and select all audit functions.

Configuration Verification

View audit records of services in behavior reports.

4.4.1.2      User Blacklist

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.      Users in the LAN business security group (192.168.1.2 to 192.168.1.100) are prohibited from accessing the Internet.

Configuration Key Points

1.      Choose User > User to add users to be prohibited from accessing the Internet.

2.      Choose Flow > Behavior Policy > Basic Settings and click User Blacklist.

Configuration Steps

Choose User > User > Common User and add the IP addresses of users to be prohibited from accessing the Internet.

Choose Flow > Behavior Policy > Basic Settings and click User Blacklist.

Click Add Blacklisted User.

Note: If the IP address of a blacklisted user is added to the audit-exempt user list, all applications of the user are limited by no policy.

4.4.1.3      Website Blacklist

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.      All LAN users are prohibited from accessing the website www.baidu.com.

Configuration Key Points

1.      Choose User > User > Common User and add users to be prohibited from accessing the website www.baidu.com.

2.      Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Blacklist Mode.

Configuration Steps

1.      Choose Flow > Behavior Policy > Basic Settings and click Website Blacklist/Whitelist.

2.      Click Blacklist Mode and add a website to the blacklist.

The URL categories displayed after clicking Select are default website classifications of the device. Alternatively, you can click Enter a URL to enter a URL.

Keyword matching is adopted here. You only need to enter the keyword of the primary domain name to be blacklisted even if there are secondary domain names or multi-level directories.

Configuration Verification

When a LAN user accesses www.baidu.com, a prompt is displayed, indicating that the user is prohibited from accessing this website and needs to contact the website administrator.

 

4.4.1.4      Website Whitelist

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.      LAN users are allowed to access only the specified website www.126.com.

Configuration Key Points

1.      Choose User > User and add user IP addresses.

2.      Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Whitelist Mode.

Configuration Steps

1.      Choose Flow > Behavior Policy > Basic Settings and click Website Blacklist/Whitelist.

2.      Click Whitelist Mode and add a website to the whitelist.

The URL categories displayed after clicking Select are default website classifications of the device. Alternatively, you can click Enter a URL to enter a URL.

Flexible Whitelist: After Flexible Whitelist is selected, some pictures not belonging to a whitelisted website can be normally displayed when the whitelisted website is accessed. For the test process, see "Configuration Verification."

Configuration Verification

Test whether www.ruijienetworks.com can be accessed. The website can be normally accessed but other websites cannot.

The following figure shows the website displayed when Flexible Whitelist is not selected.

The access to other websites is prohibited.

 

4.4.1.5      Audit-Exempt URL

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.      All LAN users can access the audit-exempt website www.google.com.

Configuration Key Points

1.      Choose User > User > Common User and add users who can access the audit-exempt website www.google.com.

2.      Choose Flow > Behavior Policy > Basic Settings, and click Audit-Exempt URL to add audit-exempt URLs.

Note: If you select Shield Invalid/Virus Websites in wizard-based setup or enable website access in default audit in Behavior Policy, the system automatically delivers one audit-exempt website policy to exempt the websites of the unknown category and system upgrade category from audit, to prevent junk data audit. The priority of the website audit exemption policy is high. If you block the websites of the preceding two categories in Behavior Policy > Advanced Settings, the blocking may fail.

For example, a customer configures a behavior policy to block www.360safe.com, which belongs to the system upgrade category by default. The website audit exemption policy has a higher priority and users can still access www.360safe.com even if this website is configured in a different category. To avoid such a case: (1) Check whether the category of the website www.360safe.com is correct. If no, contact R&D engineers. (2) Run commands on the CLI to delete the system upgrade category from the website audit exemption policy. If you still want to exempt other websites of the system upgrade category from audit, configure websites with priorities lower than that of the policy for blocking www.360safe.com on Advanced Settings.

Configuration Steps

Choose Flow > Behavior Policy > Basic Settings, and click Audit-Exempt URL.

Click Add URL to specify a required URL.

Configuration Verification

LAN users can access www.google.com successfully and there is no audit record in the behavior audit report. An audit record is generated after you delete www.google.com from audit-exempt websites and access the website again.

4.4.2      Advanced Settings

4.4.2.1      Website Access Policy

Networking Requirements

1.     The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.     The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.

3.     All LAN users are prohibited from accessing online shopping websites such as www.taobao.com.

Configuration Key Points

1.     Choose Flow > Behavior Policy and click the Advanced Settings.

2.     Configure a website access policy during policy creation.

3.     If the policy does not take effect after the configuration is complete, check whether the user objects, application time, and selected applications are correct in policy configuration.

Configuration Steps

1.      Choose Flow > Behavior Policy and click the Advanced Settings tab.

Click Add Behavior Policy.

a.      Define the name of a policy.

b.      Configure a behavior control policy.

 

c.      Select the URL category: Select the online shopping website defined previously.

d.      Select Deny and Audit from Action.

e.      Associate users.

Click Finish to generate the policy.

Note: In the external authentication server environment, select external server users as user objects.

2.      View the configured policy on Advanced Settings.

Note: A policy configured later takes effect prior to a policy configured earlier. Policies are matched from top down.

Configuration Verification

When a user accesses www.taobao.com, a prompt is displayed, indicating that the user is prohibited from accessing this website and needs to contact the website administrator.

 

If a policy does not take effect, click ? to view the cause for the failure, as shown in the figure below.

4.4.2.2      Audit Record Clearing

Networking Requirements

When considerable audit records stored on the hard disk lead to space insufficiency or some audit records need to be forcibly deleted, administrators need to clear the audit records.

Configuration Key Points

After you confirm the cleanup operation, the device needs several to dozens of minutes to clear the audit records, and automatically restarts after the clearing.

 

Configuration Steps

When you need to clear content audit records on the device, choose Flow > Behavior Policy > Advanced Settings, and click Clear Behavior Policy Record.

Configuration Verification

Check whether audit records are cleared after device restart.

4.4.2.3      HTTPS Domain Name Filtering and Audit

Networking Requirements

1.      The EG device serves as an egress and can access the Internet by using a static IP address. The LAN user gateway is configured on the LAN port of the EG device, to implement the basic Internet access function.

2.      The access of LAN users to HTTPS websites can be audited and blocked.

Note: The EG device of version 11.1(6)B4 and later versions support HTTPS website domain name filtering and audit.

Network Topology

Configuration Key Points

1.      On Basic Settings, use the default audit policy to audit the domain names of HTTPS websites.

2.      On Basic Settings, select the blacklist mode to block specified websites.

3.      On Basic Settings, select the whitelist mode to restrict accessible websites.

4.      On Advanced Settings, configure the website blocking/allowing and audit/audit exemption functions.

Configuration steps

Method 1: Enable the HTTPS domain name audit on Basic Settings.

Log in to the Web page of the gateway, choose Flow > Behavior Policy > Basic Settings and select Website and HTTPS Audit in Enable Audit to enable the HTTPS domain name audit.

Method 2: Blacklist websites on Basic Settings.

(1)    Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit in Enable Audit to enable the HTTPS website audit.

(2)    Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Blacklist Mode.

 

(3)    Click Select, click the entry box, and select websites to be blocked.

(4)    Click Enter a URL and enter the website to be blocked in the entry box.

Method 3: Whitelist websites on Basic Settings.

(1)    Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit in Enable Audit to enable the HTTPS website audit.

(2)   Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist and click Whitelist Mode.

(3)    Click Select, click the entry box, and select websites that are allowed.

(4)    Click Enter a URL and enter an allowed website in the entry box.

Method 4: Configure the HTTPS website blocking/allowing and audit/audit exemption functions on Advanced Settings.

(1)    Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit in Enable Audit to enable the HTTPS website audit.

(2)    Choose Flow > Behavior Policy > Advanced Settings and click Add Behavior Policy to create a behavior policy.

Alternatively, click an existing behavior policy in the list for modification.

(3)    Click Policy Group to set the name of a policy group.

(4)    Click Behavior Policy to add a behavior control policy.

(5)    Click User to apply the policy group to users or a user group.

Configuration Verification

1.      Test procedure:

(1)    Bind a static IP address to the test PC or enable the test PC to succeed in real-time authentication for Internet access.

(2)    Use the test PC to access a specified website from a browser.

(3)    Choose Flow > Audit Report > Access Audit Report > Website Access Details on the EG device to view audit content.

2.      Test results:

(1)    After HTTPS domain name audit is enabled on Basic Settings, the domain names of HTTPS websites accessed by the user are all audited.

(2)    HTTPS websites configured in blacklist mode on Basic Settings cannot be accessed.

(3)    Only HTTPS websites configured in whitelist mode on Basic Settings can be accessed.

(4)    HTTPS websites blocked on Advanced Settings cannot be accessed.

(5)    The behavior audit report displays the access records.

4.5       Rate Limit

Rate limit is used to control the rate of traffic sent or received by a network interface controller.

Network Topology

Configuration Steps

Step 1Enable Flow Control

Step 2: Add a flow control policy:

Configuration Verification

Use Speed test tool to verify the rate limit setting:

4.6       Port Mapping

Application Scenario

A customer deploys a server on the LAN and enables the HTTP or other services. The server address is a private address. WAN users can neither access this address directly nor use services provided by the server. In this case, you can enable the port mapping function to allow WAN users to access the LAN server.

For example, the server address is 192.168.1.20 and HTTP is enabled. As the server address is a private address, WAN users cannot directly access the HTTP service provided by the server. In this case, you can map the server address and server ports to a public network address on the EG device so that WAN users can access the HTTP service provided by the server.

Networking Requirements

1.     The WAN line is a single 10 Mbps fixed fiber line of China Telecom. The address is 192.168.33.56, subnet mask is 255.255.255.0, WAN gateway is 192.168.33.1, and DNS address is 218.85.157.99.

2.     There is a remote desktop server on the LAN. The IP address of the server is 192.168.1.150. If the LAN server needs to be accessed from the WAN, port mapping is required to map the interfaces of the LAN server to the public network.

Network Topology

Configuration Key Points

1.     Ensure that LAN terminals can access the server normally.

2.     The server IP address and gateway are configured, and the server can access the Internet normally.

3.     Determine the ports to be mapped on the server, and whether UDP or TCP is required.

4.     If there are multiple WAN egresses in the real network environment of a customer (see the topology in Figure 2 above), for example, lines of China Telecom + China Netcom or China Telecom lines, dual-line port mapping needs to be configured on the LAN server. Then, WAN users of different carriers can access the server through their WAN line IP addresses. It is recommended to enable the RPL function on the WAN interfaces.

Configuration Steps

1.      Determine that only TCP port 3389 of the server needs to be mapped.

Choose Network > NAT/Port Mapping > Port Mapping.

a.     Mapping Type: Select Port Mapping from the drop-down list, indicating that a port of the LAN server needs to be mapped.

b.     Internal IP: Indicates the IP address of the server.

c.     Internal Port Range: Indicates the port for the server that is to provide external services.

d.     External IP: Indicates the IP address of a WAN port (IP Address is selected when a WAN line is used in a dynamic environment).

e.     External Port Range: Indicates the target WAN service port of port mapping.

f.     Protocol Type: Indicates the protocol used by the server to provide services.

Note: EG_RGOS 11.1(6)B9 and later versions support adding continuous ports in batches. See the figure below.

2.      Command generated on the CLI:

ip nat inside source static tcp 192.168.1.150 3389 192.168.33.56 3389 permit-inside

3.     For multi-egress network environments of customers, it is recommended to enable the RPL function on the WAN interface.

Select Reverse Path Limited.

Commands generated on the CLI:

interface GigabitEthernet 0/1

ip nat outside

ip address 192.168.33.57 255.255.255.0

reverse-path-----RPL

nexthop 192.168.33.1

Configuration Verification

1.      Click Start and choose Remote Desktop Connection to open the Remote Desktop Connection dialog box. Enter the IP address of the WAN port.

Click Connect. The server login page is displayed.

 

4.7       DMZ Host Mapping

Application Scenario

A customer deploys a server on the LAN and enables multiples services. The server address is a private IP address. WAN users cannot access services provided by the server by using the server address. If port mapping is enabled, numerous ports will be involved because many services are enabled. In this case, IP mapping can be configured to meet customer requirements.

For example, the server address is 192.168.1.20, and services such as HTTP, FTP, and video streaming media are enabled. WAN users cannot directly access services provided by the server because the server address is a private IP address. In this case, the server IP address can be mapped to a private IP address in IP mapping mode on the EG device, so that WAN users can access the server.

Networking Requirements

1.     The WAN line is a single 10 Mbps fixed fiber line of China Telecom. The address is 192.168.33.56, subnet mask is 255.255.255.0, WAN gateway is 192.168.33.1, and DNS address is 218.85.157.99.

2.     There is a remote desktop server on the LAN. The IP address of the server is 192.168.1.150. WAN users can access all services provided by the LAN server.

Network Topology

Configuration Key Points

1.     Ensure that LAN terminals can access the server normally.

2.     The server IP address and gateway are configured, and LAN users can access the Internet normally through this server.

Note: The EG device does not support the mapping from one private IP address to two different public IP addresses..Only the mapping from one private IP address to one public IP address is supported on one line, and the other line uses port mapping.

Configuration Steps

1.      Confirm that the TCP port 3389 of the server needs to be mapped.

Choose Network > NAT/Port Mapping > Port Mapping.

a.     Mapping Type: Select DMZ Host from the drop-down list, indicating that all ports of the LAN server need to be mapped.

b.     Internal IP: Indicates the IP address of the server.

c.     External IP: Indicates the IP address of a WAN port (IP Address is selected when a WAN line is used in a dynamic environment).

2.      Commands generated on the CLI:

ip nat inside source static 192.168.1.150 192.168.33.56 permit-inside

Configuration Verification

1.     Click Start and choose Remote Desktop Connection to open the Remote Desktop Connection dialog box. Enter the IP address of the WAN port.

Click Connect. The server login page is displayed.

4.8       IPsecVPN

4.8.1      The Branch Router Accesses the HQ Router at a Static IP Address in Dialup Mode

Networking Requirements

The HQ and branch routers use static IP addresses. The HQ router needs to verify the IP address of the branch router.

Network Topology

Configuration Key Points

1.     Configure router A in the HQ as the IPsec server.

2.     Configure router B in the branch as the IPsec client.

3.     Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:

Authentication mode: preshared key, with the key set to ruijie.

IKE algorithm: 3DES-MD5, DH2

IPsec negotiation scheme: ESP(3DES-MD5)

Configuration Steps

1.     Configure router B in the branch.

(1)   Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.

(2)    Configure IPsec for router B in the branch.

Choose Network > VPN and click Configure. Select Branch, and click Next.

Configure basic branch information.

Note: Only interfaces configured with the nexthop x.x.x.x command are displayed in the interface list (after the wizard-based setup is completed on the Web page, this command is configured on the WAN interface of the CLI by default).

The dialer interface can be configured on the Web page.

IKE algorithm: 3DES-MD5, DH2

IPsec negotiation scheme: ESP(3DES-MD5)

2.      Configure router A in the HQ.

(1)    Complete wizard-based setup to implement basic Internet access service of the HQ router.

(2)    Configure IPsec for router A in the HQ.

Choose Network > VPN and click Configure. Select Headquarter, and click Next.

Select Branch, and click Next.

Select IPsec, and click Next.

Configure the IPsec VPN, and click Next.

The IPsec VPN configuration is complete.

Configuration Verification

Choose Network > VPN, and click the Topo tab to view the configuration.

Configuration of the HQ router:

Configuration of the branch router:

Check whether the routers in the HQ and branch can access each other.

 

Notes

1.     When the Internet access service is configured via wizard-based setup on the Web of the EG device, IPsec VPN can be configured only after the next hop address is configured on the interface configuration page in the wizard-based setup. If no next hop address is configured for an interface, the interface cannot be selected during VPN configuration.

2.     After a VPN is configured, the device automatically delivers AAA configuration (the system prompts you to enter the username and password during device login, and the telnet password needs to be reconfigured).

3.     Close the browser after clearing the VPN configuration for the clearing operation to take effect. Otherwise, the system retains the previous VPN configuration.

4.     When a WAN port receives an IPsec request but no traffic of interest is configured on the device, the error "Failed to find map" may occur. This error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist, and this does not affect network data forwarding and management, but instead is beneficial to network management. An ACL can be configured to filter out requests from undesired IPsec-compliant device that is connected to the EG device.

5.     Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI, especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.

4.8.2      The Branch Router Accesses the HQ Router at a Dynamic IP Address in Dialup Mode

Networking Requirements

The HQ router uses a dynamic IP address and the branch router accesses the HQ router by using the domain name in dialup mode.

Network Topology

Configuration Key Points

1.     Configure router A in the HQ as the IPsec server.

2.     Configure router B in the branch as the IPsec client.

3.     Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:

Authentication mode: preshared key, with the key set to ruijie.

IKE algorithm: 3DES-MD5, DH2

IPsec negotiation scheme: ESP(3DES-MD5)

Configuration Steps

1.     Configure router B in the branch.

The Web page does not support dynamic domain names. Therefore, complete configuration on the Web page and then perform modification on the CLI.

(1)   Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.

(2)   Choose Network > VPN and click Configure. Select Branch, and click Next.

(3)    Configure basic IPsec information, and click Next.

(4)    Click Finish.

On the CLI, change the public IP address of the HQ router to a dynamic domain name:

branch(config)#no crypto isakmp key 0 ruijie address 192.168.2.1

branch(config)#crypto isakmp key 0 ruijie hostnameruijie.xicp.net

branch(config)#crypto map Gi0/6 20 ipsec-isakmp

branch(config-crypto-map)#no set peer 192.168.2.1

branch(config-crypto-map)#set peer ruijie.xicp.net

2.      Configure router A in the HQ.

On the interface configuration page, click a WAN interface to configure it. Dynamic IP addresses can be allocated in DHCP mode or obtained in dialup mode.

Choose Network > VPN and click Configure. Select Headquarter, and click Next.

Select Branch, and click Next.

Select IPsec, and click Next.

Configure IPsec basic information, and click Next.

Click Finish.

Configuration Verification

Choose Network > VPN, and click the Topo tab to view the configuration.

Configuration of the HQ router:

Configuration of the branch router:

Check whether the HQ router and branch router can access each other.

 

Notes (Optional)

1.     On the Web page, IPsec supports only peer IP addresses and does not support domain names. IPsec using domain names needs to be configured on the CLI.

2.     When a WAN port receives an IPsec request but no traffic of interest is configured on the device, the error "Failed to find map" may occur. This error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist. The error does not affect network data forwarding and management, which is beneficial to network management. An ACL can be configured to filter out requests from undesired IPsec-compliant device that is connected to the EG device.

3.     Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses the ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI. especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.

4.8.3      The Branch Router Accesses the HQ Router on the LAN in Dialup Mode

Networking Requirements

The HQ router is deployed on the LAN, mapping is configured on the egress of the LAN, and users in the branch access the HQ router in dialup mode.

Network Topology

Configuration Key Points

1.     Configure the LAN gateway router A in the HQ as the IPsec server.

2.     Configure router B in the branch as the IPsec client.

3.     Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:

Authentication mode: preshared key, with the key set to ruijie.

IKE algorithm: 3DES-MD5, DH2

IPsec negotiation scheme: ESP(3DES-MD5)

4.     Configure NAT mapping on the outermost egress of the HQ and establish an IPsec connection on the LAN gateway.

Configuration Steps

1.     Ensure that basic configuration on the EG device and routers in both the HQ and branch are normal, and LANs users at both ends can access the WAN.

2.     Configure router B in the branch.

Choose Network > VPN and click Configure. Select Branch, and click Next.

Configure an IPsec policy, set the public IP address of the HQ router to the IP address obtained after NAT, and click Next.

Click Finish.

3.      Configure router A in the HQ.

Configure IPsec on the LAN EG device.

(1)    Choose Network > VPN and click Configure. Select Headquarter, and click Next.

(2)    Select Branch, and click Next.

(3)    Select IPsec, and click Next.

(4)    Configure IPsec basic information, and click Next.

(5)    Click Finish.

4.     IPsec uses UDP ports 500 and 4500. Map UDP ports 500 and 4500 on the egress of the HQ respectively to UDP ports 500 and 4500 of the LAN EG device.

(1)    Map UDP port 500.

ip nat inside source static udp 10.0.0.1 500 1.1.1.1 500

(2)    Map UDP port 4500.

ip nat inside source static udp 10.0.0.1 4500 1.1.1.1 4500

Configuration Verification

Choose Network > VPN, and click the Topo tab to view the configuration.

Configuration of the HQ router:

Configuration of the branch router:

Check whether the HQ router and branch router can access each other.

 

 

4.9       Local Web Authenticaiton

Networking Requirements

1.      LAN users access the Internet through the EG device.

2.      The WAN bandwidth is 10 Mbps, the address of the WAN port is 192.168.33.56/24, the address of the WAN gateway is 192.168.33.1, and the addresses of LAN ports are in the 192.168.1.1/24 network segment.

3.      LAN users can access the WAN only after succeeding in identity authentication.

4.      The EG device of RGOS10.3 (4B8) and later versions support subinterface Web authentication. The configuration method is the same as that of common Web authentication.

5.      Internal Web authentication allows users to proactively add the go-offline page to favorites and modify passwords. It also supports the following functions: forbidding users from accessing the Internet (blocking user accounts) and kicking users offline.

Note: The IP addresses above are used in a simulated environment and are not provided by carriers.

Network Topology

Configuration Key Points

1.      Perform wizard-based setup to ensure that LAN users can successfully access the WAN.

2.      Select the internal Web authentication server function in the real-name Internet access policy.

Notes:

1.      If advertisement push is enabled, the entered advertisement address cannot contain the character "?".

2.      If Web authentication is enabled and port mapping is configured, the LAN server IP address used for port mapping needs to be added to the authentication-exempt IP address list. Otherwise, port mapping will fail.

3.      After Web authentication is enabled, the remote login password (that is, telnet password) needs to be changed.

Auxiliary information:

1.      The Web authentication function of the EG device allows the Dynamic Host Configuration Protocol (DHCP), DNS, and Address Resolution Protocol (ARP) traffic to pass by default, without a need of additional settings.

2.      When you log in to the EG device in telnet mode with Web authentication enabled, if you enter a wrong username or password for more than 3 consecutive times for the EG device of RGOS4B8 or 50 consecutive times for the EG device of RGOS4B10, the account will be locked. The account will be unlocked after 15 hours by default and then you can log in with the account again. You are recommended to run the following commands to modified two parameters after configuring Web authentication:

Ruijie(config)#aaa local authentication lockout-time 1   //Unlocking an account 1 hour after the account is locked

Ruijie(config)#aaa local authentication attempts 10   //Setting the allowable login attempts to 10.

Configuration Steps

Choose User > Auth and click Internal Portal Auth on the Web Auth tab page to enable the internal authentication function, as shown in the figure below.

a.      Internal Portal Auth: Refers to the internal authentication server of the EG device.

b.      Auth Mode: A users needs to be authenticated before accessing the Internet. Specify the server matching priority for authentication information here.

c.      Advertising Mode: Ruijie EG device provides the advertisement push function, for example, a hotel can use this function to push the hotel homepage to guests and promote the hotel brand. You can also set the mode to No AD, Display AD Before Auth, or Display AD After Auth.

Add a user to be authenticated: Click a user group in the user organization structure on the left, add a user (IP range) to the user group, and configure the username and password, as shown in the figure below.

 

A user added successfully is displayed in the user list, as shown in the figure below.

The user configuration method on the CLI is as follows:

#Add a user named ruijie under the root directory, set the password to 111, and configure the account to use only Web authentication.

Ruijie(config)# subscriber static name "ruijie" parent "/" password 111

Ruijie(config)# subscriber allow "ruijie" privilege webauth

If you select Allow Internal Web Auth User Password Change when configuring a username and password. The Change Password option is displayed after Web authentication is successful.

Configuration Verification

After the configuration is complete, the authentication page is displayed when a user browses a Web page for the first time.

Enter the correct username and password and click Login. The authentication success page is displayed.

 

4.10   Voucher Authentication Acceleration

Voucher authentication on Ruijie Cloud allows you to charge users for wireless network access using access codes. Concurrent users, time period and data quota limit can be customized and offered to your guests.

 

With EG and Ruijie Could integration, the voucher data can be synchronized from Cloud to local EG device. The authentication process will be accelerated significantly. 

Network Topology

 

 

Configuration Steps

Step 1: Login to Ruijie Cloud and create the voucher package.

 

Step 2: Print voucher on Ruijie cloud.

Step 3: Enable the open authentication on AP connected to EG.

 

Step 4: Enable the local authentication on EG.

 

Step 5: Enable the authentication integration with Cloud on EG.

Step 6: Add the authentication IP range for voucher authentication on EG.

Configuration Verfication

Connect to the SSID and the authentication page will pop up.

 

4.11   Resource Cache

Resource cache refers to synchronizing resource from the specified server to a device. Afterwards, users can get the resource directly from the device without crossing WAN.

 

Resource cache can reduce bandwidth usage and save users from waiting for access.

 

Network Topology

Configuration Steps:

Step 1: Enable the cache function, the device will be restarted:

Step 2: Enable resource cache:

Step 3: Paste the download link of the resource to the “Resources Address1”:

Step 4: Check the cache file:

Configuration Verification

Download the file via browser:

The file is downloaded within the LAN.

Ruijie Networks