SKSpruce Technologies SAC700 Smart Access Control User Manual JadeOS 1 x

Skspruce Technologies Inc. Smart Access Control JadeOS 1 x

Contents

Users Manual Part Two

 JadeOSUserManualSK‐A2960‐18203
Copyright©2013Skspruce,Inc.Allrightsreserved.Nopartofthisdocumentationmaybereproducedinanyformorbyanymeansorusedtomakeanyderivativework(suchastranslation,transformation,oradaptation)withoutprior,expressandwrittenpermissionfromSkspruce,Inc.Skspruce,Inc.reservestherighttorevisethisdocumentationandtomakechangesincontentfromtimetotimewithoutobligationonthepartofSkspruce,Inc.toprovideno‐tificationofsuchrevisionorchanges.Skspruce,Inc.providesthisdocumentationwithoutwarrantyofanykind,impliedorex‐pressed,includingbutnotlimitedto,theimpliedwarrantiesofmerchantabilityandfit‐nessforaparticularpurpose.Sksprucemaymakeimprovementsorchangesintheproduct(s)and/ortheprogram(s)describedinthisdocumentationatanytime.UNITEDSTATESGOVERNMENTLEGENDS:IfyouareaUnitedStatesgovernmentagency,thenthisdocumentationandthesoftwaredescribedhereinareprovidedtoyousubjecttothefollowing:UnitedStatesGovernmentLegend:Alltechnicaldataandcomputersoftwareiscom‐mercialinnatureanddevelopedsolelyatprivateexpense.SoftwareisdeliveredasCommercialComputerSoftwareasdefinedinDFARS252.227‐7014(June1995)orasacommercialitemasdefinedinFAR2.101(a)andassuchisprovidedwithonlysuchrightsasareprovidedinSkspruce'sstandardcommerciallicensefortheSoftware.TechnicaldataisprovidedwithlimitedrightsonlyasprovidedinDFAR252.227‐7015(Nov1995)orFAR52.227‐14(June1987),whicheverisapplicable.Youagreenottoremoveordefaceanyportionofanylegendprovidedonanylicensedprogramordocumentationcon‐tainedin,ordeliveredtoyouinconjunctionwith,thisUserGuide.Skspruce,theSksprucelogoareregisteredtrademarksortrademarksofSkspruce,Inc.anditssubsidiaries.Otherbrandandproductnamesmayberegisteredtrademarksortrademarksoftheirrespectiveholders.Anyrightsnotexpresslygrantedhereinarefirmlyreserved.
 This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. The user manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party re-sponsible for compliance could void the user's authority to operate the equipment. In cases where the manual is provided only in a form other than paper, such as on a com-puter disk or over the Internet, the information required by this section may be included in the manual in that alternative form, provided the user can reasonably be expected to have the capability to access information in that form. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide rea-sonable protection against harmful interference in a residential installation. This equip-ment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communica-tions. However, there is no guarantee that interference will not occur in a particular in-stallation. If this equipment does cause harmful interference to radio or television recep-tion, which can be determined by turning the equipment off and on, the user is encour-aged to try to correct the interference by one or more of the following measures: -- Reorient or relocate the receiving antenna. -- Increase the separation between the equipment and receiver. -- Connect the equipment into an outlet on a circuit different from that to which the re-ceiver is connected. -- Consult the dealer or an experienced radio/TV technician for help. FCCCaution:Anychangesormodificationsnotexpresslyapprovedbythepartyresponsibleforcom‐pliancecouldvoidtheuser'sauthoritytooperatethisequipment.Thistransmittermustnotbeco‐locatedoroperatinginconjunctionwithanyotheran‐tennaortransmitter.ThemanufacturerisnotresponsibleforanyradioorTVinterferencecausedbyunau‐thorizedmodificationstothisequipment.
ImportantNoticeonProductSafetyElevatedvoltagesareinevitablypresentatspecificpointsinthiselectricalequipment.Someofthepartsmayalsohaveelevatedoperatingtemperatures.Non‐observanceoftheseconditionsandthesafetyinstructionscanresultinpersonalinjuryorinpropertydamage.Therefore,onlytrainedandqualifiedpersonnelmayinstallandmaintainthesystem.Allequipmentconnectedhastocomplywiththeapplicablesafetystandards.StatementofcomplianceCEstatementTheCEconformitydeclarationfortheproductsisfulfilledwhenthesystemisbuiltandcabledinlinewiththeinformationgiveninthemanual.Deviationsfromthespecifica‐tionsorindependentmodificationstothelayout,suchasuseofcabletypeswithlowerscreeningvaluesforexample,canleadtoviolationoftheCEprotectionrequirements.Insuchcasestheconformitydeclarationisinvalidated.Theresponsibilityforanyproblemswhichsubsequentlyariserestswiththepartyresponsiblefordeviatingfromtheinstalla‐tionspecifications.VCCIstatementThisisaClassAproductbasedonthestandardoftheVoluntaryControlCouncilforIn‐terferencebyInformationTechnologyEquipment(VCCI).Ifthisequipmentisusedinadomesticenvironment,radiodisturbancemayarise.Whensuchtroubleoccurs,theusermayberequiredtotakecorrectiveactions.
ContentContent................................................................................................................... 1Chapter1Preface ................................................................................................... 11.1IntendedAudience...............................................................................................11.2StructureofthisDocument..................................................................................11.3SymbolsandConventions ....................................................................................11.3.1SymbolsUsed................................................................................................21.3.2ConventionsUsed .........................................................................................21.4HistoryofChanges ...............................................................................................2Chapter2SystemOverview.................................................................................... 32.1SystemIntroductions ...........................................................................................32.2Functions..............................................................................................................32.3FeatureHighlights ................................................................................................52.4Application ...........................................................................................................5Chapter3CLIandSystemManagement.................................................................. 73.1CLIAccess .............................................................................................................73.1.1CLIAccessviatheLocalConsole ...................................................................73.1.2CLIAccessviaaRemoteConsole ..................................................................83.2CLIFeatures ..........................................................................................................83.2.1Commandmode ...........................................................................................93.2.2CommandHelp .............................................................................................93.2.3CommandCompletion................................................................................103.2.4DeletingConfigurationSettings ..................................................................113.2.5ProfileCommand ........................................................................................113.3ConfiguringtheManagementPort ....................................................................113.3.1ConfiguringIP..............................................................................................113.3.2ConfiguringRouting ....................................................................................113.4ConfiguringManagement ..................................................................................123.4.1InquireConfiguration..................................................................................123.4.2SavingConfigurationChanges.....................................................................12
3.4.3ResetJadeOS ...............................................................................................123.4.4FilesImport/Export.....................................................................................123.5SystemUpdate ...................................................................................................133.6FileOperations...................................................................................................143.6.1BasicOperations .........................................................................................143.6.2FilesTransferbyFTPandTFTPCommand ..................................................143.6.3JadeOSImageImageFilesTransfer.............................................................153.6.5LogFilesStorage .........................................................................................153.7UserManagement .............................................................................................153.8ConfiguringSystemSettings...............................................................................163.8.1SettingHostname........................................................................................163.8.2SettingCountryCode ..................................................................................163.8.3SettingAdministratorPassword..................................................................163.8.4SettingSystemClock ...................................................................................163.8.5ClockSynchronization .................................................................................173.8.6ConfiguringNTPAuthentication .................................................................173.9PingandTraceroute ...........................................................................................183.10LicenseManagement.......................................................................................18Chapter4InterfaceConfiguration......................................................................... 194.1NamingEthernetPort ........................................................................................194.2ConfiguringVLAN ...............................................................................................194.2.1CreatingVLAN .............................................................................................194.3AddingEthernetPortintoVLAN ........................................................................204.4ConfiguringVLANInterface................................................................................214.5ConfiguringPortChannel...................................................................................214.6ConfiguringQinQ................................................................................................234.6.1ConfiguringQinQ ........................................................................................234.7InquiringInterfaceStatusandStatistics.............................................................24Chapter5Layer‐2NetworkService ....................................................................... 265.1BridgeForwarding..............................................................................................265.1.1BridgeDescription.......................................................................................26
5.1.2ConfiguringBridge ......................................................................................265.1.3DynamicTable .............................................................................................265.1.4BridgeAging ................................................................................................275.1.5StaticTable ..................................................................................................275.2PortMirror .........................................................................................................27Chapter6Layer‐3NetworkService ....................................................................... 286.1ConfiguringIPAddress .......................................................................................286.1.1ConfiguringIPAddress ................................................................................286.1.2ConfiguringLoopback .................................................................................286.2ConfiguringStaticRoutingTable ........................................................................286.2.2ConfiguringStaticRouting ..........................................................................286.2.2InquiringRoutingTable ...............................................................................286.3ConfiguringARP .................................................................................................296.3.1ConfiguringStaticARPTable .......................................................................296.3.2InquiringARPTable .....................................................................................296.3.2ConfiguringARPProxy ................................................................................306.4ConfiguringMTUandTCPMSS ..........................................................................306.5ConfiguringGRETunnel .....................................................................................316.6ConfiguringDHCP...............................................................................................316.6.1ConfiguringDHCPServer ............................................................................326.6.2InquiringDHCPServerStatus......................................................................326.6.3ConfiguringDHCPRelay ..............................................................................346.6.4DHCPSnooping ...........................................................................................356.6.5ARPWithDHCP...........................................................................................366.7ConfiguringOSPF................................................................................................376.7.1OSPFImplementation .................................................................................376.7.2EnablingOSPF .............................................................................................376.7.3ConfiguringOSPFInterfaceParameters......................................................386.7.4ConfiguringOSPFArea ................................................................................396.7.5ConfiguringOSPFNetworkType .................................................................40
6.7.6OSPFPoint‐to‐pointConfigurationExample...............................................406.8ConfiguringIPv6 .................................................................................................426.8.1AddressConfiguration.................................................................................426.8.2RoutingConfiguration.................................................................................426.8.3Ping6 ...........................................................................................................43Chapter7NetworkSecurity .................................................................................. 447.1AccessControlList(ACL) ....................................................................................447.1.1StandardACL...............................................................................................447.1.2ExtendedACL ..............................................................................................447.1.3SessionACL .................................................................................................457.2Session................................................................................................................457.3ConfiguringNAT .................................................................................................467.3.1ConfiguringSNAT ........................................................................................477.3.2ConfiguringDNAT........................................................................................487.4ConfiguringDoSAnti‐attack...............................................................................497.4.1SystemPre‐definedConfiguration ..............................................................497.4.2ConfiguringAnti‐attack ...............................................................................497.5ConfiguringLawfulIntercept..............................................................................50Chapter8ConfiguringHQoS ................................................................................. 528.1ConfiguringRateLimitationonPort...................................................................528.2ConfiguringRateLimitationonVLAN ................................................................528.3ConfiguringRateLimitationonUser..................................................................52Chapter9ConfiguringAAA ................................................................................... 549.1TheAttributeofTrustandUntrust.....................................................................549.2UserandUserRole.............................................................................................549.2.1User .............................................................................................................549.2.2UserRoleandACL.......................................................................................559.2.3AccessPolicyBasedonUserRole ...............................................................559.3ConnectionsamongUser,VLANandUserRole.................................................569.4ConfiguringAAAProfile......................................................................................569.4.1ConfiguringACL...........................................................................................57
9.4.2Configuringrole ..........................................................................................579.4.3ConfiguringRadiusServerGroup................................................................579.4.4ConfiguringAuthenticationWay.................................................................589.4.5ConfiguringAAAProfile ..............................................................................589.4.6BindingVLAN ..............................................................................................599.5MACAuthentication...........................................................................................599.6802.1XAuthentication .......................................................................................609.7WEBPortalAuthentication ................................................................................619.7.1WebAuthenticationProcess.......................................................................619.7.2DNATRedirect .............................................................................................619.7.3HTTP302Redirect.......................................................................................619.7.4ConfiguringPortalServer............................................................................629.7.5ConfiguringCoADisconnectMessage ........................................................629.7.6ConfiguringCaptive‐portalAuthentication.................................................639.7.7CustomizeLogoutDomain ..........................................................................639.7.8ConfiguringWhite‐listandBlack‐list...........................................................639.8RadiusProxy .......................................................................................................649.8.1ConfiguringRadiusProxy ............................................................................649.8.2ConfiguringEAP‐SIM ...................................................................................649.9RateLimitBasedonUser ...................................................................................669.10UserAccounting ...............................................................................................669.11ExampleofWEB‐PortalAuthentication ...........................................................669.12TroubleShooting ..............................................................................................69Chapter10WLANManagement............................................................................ 7210.1WirelessNetworkArchitecture........................................................................7210.1.1CAPWAPDescription.................................................................................7210.1.2CAPWAPControlChannel .........................................................................7210.1.3CAPWAPDataChannel..............................................................................7310.1.4MirrorUpgradeandConfigurationManagement ....................................7310.1.5ForwardingMode......................................................................................73
10.1.6AuthenticationMode................................................................................7310.1.7STATIONManagement ..............................................................................7310.2ForwardingMode.............................................................................................7310.3ConfiguringPower............................................................................................7410.4ConfiguringRadio.............................................................................................7410.5DTLSandCA .....................................................................................................7410.6SpecialSSIDandSSIDControl ..........................................................................7510.7ACL ...................................................................................................................7610.8AuthenticationExemption ...............................................................................7710.9Anti‐fakeandRogueAPdetect ........................................................................7710.10Anti‐DoS .........................................................................................................78Chapter11WEBUI ................................................................................................ 7911.1WEBUIDescription...........................................................................................7911.2WEBUILogin.....................................................................................................79Chapter12ConfiguringSNMP............................................................................... 8012.1ConfiguringSNMP ............................................................................................80Chapter13MaintanenceandDiagnosis ................................................................ 8113.1LogSystem .......................................................................................................8113.2SystemManagement .......................................................................................8113.3SnifferTool .......................................................................................................83Abbrviations ......................................................................................................... 84
JadeOSUserManual1Chapter1 PrefaceThisprefacedescribestheaudience,structure,conventionsandhistoryofchangesofJadeOSUserManual.ItalsoprovidesimportantinformationaboutsafetyinstructionsfortheJadeOS.1.1IntendedAudienceThisdocumentisintendedtotheexperiencednetworkadministratorswhoneedtoconfigureandmaintainJadeOSMulti‐ServiceGateway.1.2StructureofthisDocumentChapter Title Subject Chapter 1 Preface This chapter provides an introduction to this document. Chapter 2 System Overview This chapter gives a general introduction to the JadeOS functionality. Chapter 3 CLI and System Management ThischapterdescribesCLIandsystemopera‐tions.Chapter 4 Interface Configura-tion Thischapterwilldescribehowtoconfigureinterface.Chapter 5 Layer-2 Network Service This chapter describes how to configure Layer-2 network service. Chapter 6 Layer-3 network service This chapter describes how to configure Layer-3 network service. Chapter 7 Network Security ThischapterwilldescribeJadeOSnetworkse‐curityfunctionandhowtoconfigureit.Chapter 8 Configuring HQoS This chapter describes how to configure HQoS. Chapter 9 Configuring AAA This chapter describes how to configure AAA. Chapter 10 WLAN ManagementThis chapter gives a general introduction to the WLAN Management. Chapter 11 WEBUI This chapter gives a general introduction to the WEBUI. Chapter 12 Configuring SNMP This chapter describes how to configure SNMP.Chapter 13 Maintenance and Diagnosis This chapter gives a general introduction to the Maintenance and Diagnosis. Table1‐1ChaptersinthisDocument1.3SymbolsandConventions
2JadeOSUserManualThefollowingsymbolsandconventionsareusedinthisdocument:1.3.1SymbolsUsedCAUTION:Meansthatthereadershouldbecareful.Inthissituation,youmightdosomethingthatcouldresultinequipmentdamageorlossofdata.WARNING:Thiswarningsymbolmeansdanger.Youareinasituationthatcouldcausebodilyinjury.Beforeyouworkonanyequipment,beawareofthehaz‐ardsinvolvedwithelectricalcircuitryandbefamiliarwithstandardpracticesforpre‐ventingaccidents.1.3.2ConventionsUsedRepresentation Meaning BoldThe CLI commands are in bold. Italic Level 2 titles are in Italic. Courier New Terminal display is in Courier New.Example: # ping -t 10.10.10.1Table1‐2ConventionsUsedinthisDocument1.4HistoryofChangesVersion Issue date Remarks Draft 2013.10.11 Draft Version 012013.11.15New functions added,upgraded to 01 Version022013.11.30New functions added,upgraded to 02 Version032014.01.15New functions added,upgraded to 03 VersionTable1‐3HistoriesofChangesforthisDocument 
JadeOSUserManual3Chapter2 SystemOverview2.1SystemIntroductionsSKG10000Plusisagatewayequipmentoftelecommunicationlevelthatintegratedwiththefunctionsofrouting,switchingandWLANcontrollerandsoon.Basedonthemulti‐coreandmulti‐threadprocessoranddesignedwithtelecomgradeATCAstandard,SKG10000Plusiswithpowerfulandextensibleperformance.Withcentralizedmanagementandconfiguration,itgivestheabilityofdeploymentforalargenetworkwithhundredsofgateways.Atthesametime,itcanbeoperatedindayandnightwithhighavailabilityandhelptheSPtomeetthehugechallengebroughtbyrapiddevelopmentofwirelessservice.Basedontheadvancedandextensiblesoftwarearchitecture,JadeOS:‐ Adoptdistributedarchitecturewithdataplaneandcontrolplaneseparated‐ ProvideWLANsolutionsthatareflexible,easymanagementandeasydeployed‐ ManagelargescaleAPswithoutconfiguration‐ Strictlycontroluserinternetaccessandbandwidthstrategywithvariousaccessauthentication‐ Support700users/sperlinecard‐ Provideforwardingrateofhighperformance‐ Supportmulti‐levelredundancybackupforsystemlevel,servicemoduleleveletc.2.2FunctionsLayer‐2z BridgeForwardingz VLAN/SuperVLANz QinQz PortChannelLayer‐3z RouteForwardingz DynamicRoutingProtocol(OSPF)z NATz GRE/EtherIPTunnelz DHCPServer,DHCPRelay,DHCPSNOOPINGz BroadcastSuppressionz VirtualRoutingRedundancyProtocol(VRRP)
4JadeOSUserManualz FragmentationandReassemblyz IPv4/IPv6SecurityandAAA(Authentication,Authorization,Accounting)z AccessControlList(Interface/Standard/SessionACL)z Role‐BasedUserPolicyz WebPortal/802.1x/PSK/MACAuthenticationz RADIUSAccountingz RADIUSProxyz Black‐listandwhit‐listauthenticationz DoSanti‐attacksz LawfulInterceptionQoSfunctionalityz RatedLimitbasedoninterface/user/ssid(HQoS)WLANControllerz CAPWAPControlTunnelandDataTunnelz APCentralizedManagementandConfigurationz APDiscoveryAC- Broadcastdiscoverymode- DNSdiscoverymode- DHCPdiscoverymodez LocalForwarding,CentralizedForwardingz IntelligentRadio/FrequencyManagementz CertificateManagementz UserAccessControlz L2Roamingz StationAnti‐fake,WLANAnti‐DoSz PerformanceMonitorandDataStatisticsNetworkManagementz ConfigurationbasedonCLI(Supportconsole,SSH,Telnet)z SupportWebUIconfigurationz SNMPv1,v2c,z Systemconfiguration,servicemodulemonitorz Trapalarmz Chassismanagementz Troubleshootingz PortMirror,Sniffer
5JadeOSUserManual2.3FeatureHighlightsExtensibleDHCPServerDHCPserveroffers700ppsusersperthreadthatcanmeetcarrier‐gradescenariosthatrequireshighperformanceandhighavailability.z Scalableperformanceandthroughout- OptimizeddatabaseBykeepingleaseinformationinamemory‐residentdatabase,DHCPserveroffersfastresponsetimesforleaseassignmentsandrenewals.- Multi‐threadedarchitectureJadeOSusesamulti‐threadedarchitecturetodeliverconsistentthroughput.- CarrierlevelbigaddresspoolJadeOSsupportsupto1,320,000addressesperchassis.BroadcastSuppressionJadeOSprovidesbroadcastsuppressionfunctiontoreducethenumberofbroadcastpacketsbyenablingbroadcastsuppressionpolicy.- Broadcastsuppressionfunctiontogreatlyeasethenumberofbroadcastmessages- DHCPsnoopingtosuppresstheDHCPbroadcastpackets.- EnableDHCPunicastreplyfunction.JadeOSreplytheDHCPofferandACKdatagramwithunicastmessagesinsteadofbroadcastmessagestoeffec‐tivelyreducethebroadcastflooding.2.4ApplicationJadeOScanbedeployedinthecorenetworkoraccessnetworktoachievetheAPcentralizedmanagementandconfiguration.Figure2‐3illustratesoneoftheapplica‐tionscenariosof
6JadeOSUserManualJadeOS.Figure2‐1ApplicationscenarioofJadeOS
JadeOSUserManual7Chapter3 CLIandSystemManagementJadeOSusesthecommandLineInterface(CLI)toimplementtheinteractionbetweenusersandtheoperatingsystem.UserscancompletearangeofsystemconfigurationandrealizethemanagementfunctionsthroughtheCLI.ThischapterdescribesCLIandsystemoperations.3.1CLIAccessTheconsoleportontheequipmentisRj45interfaceandlocatedonthefrontpanelofeachlinecard.YoucanconnecttotheCLIviathelocalconsoleorSSH/TELNETtoobtainaremoteconsole.3.1.1CLIAccessviatheLocalConsoleToconnecttotheCLIviathelocalconsoleport,completethefollowingsteps:Step1ConnecttotheconsoleportusingtheRj45cableandserialportcable.Step2Configureyourterminalemulationprogram(forexample:SecureCRT)iscon‐figuredasshowninfigure3‐1:Figure3‐1ConsoleportconnectionsettingsStep3Entertheusernameandpassword: (JadeOS) User: admin Password: admins. Thepromptwillbedisplayedasfollowsafterlogginginsuccessfully. (JadeOS) >
8JadeOSUserManualStep4Entertheglobalmodeusingthefollowingcommand: (JadeOS) > enable Password: enable Whenyouareinenablemode,the>promptchangestoapoundsign(#): (JadeOS) # Step5Entertheconfigurationmodeusingthefollowingcommand: (JadeOS) # configure terminal Whenyouareintheconfigurationmode,‘config’appearsbeforethe#prompt: (JadeOS) (config) # 3.1.2CLIAccessviaaRemoteConsoleUserscanaccessJadeOSremotelyusingTELNETfromaTCP/IPnetwork.ToaccessJadeOSviatelnetyouneedtoenabletelnetsessionsusingtelnetclicom‐mand.ToconnecttotheCLIusingTELNET,completethefollowingsteps:Step1VerifythatyourterminalemulationprogramorDOSshellinterface(forexample:SecureCRT)isconfiguredasshowninfigure3‐2:Figure3‐2TelnetconnectionsettingsStep2Enteravalidusernameandpasswordasprompt.3.2CLIFeaturesThischapterwillgiveageneralintroductionabouttheCLIcommands.
9JadeOSUserManual3.2.1CommandmodeTheCLIisdividedintomanydifferentmodes.Thecommandsavailabletoyouatanygiventimedependonthemodethatyouarecurrentlyin.Enteringaquestionmark(?)attheCLIpromptallowsyoutoobtainalistofcommandsavailableforeachcommandmode.WhenyoulogintotheCLI,youareinusermode.Usermodecontainsonlyalimitedsubsetofcommands.Tohaveaccesstoallcommands,youmustenterenablemodenormallybyusingapassword.Fromenablemode,youcanissueanyenablemodecommand.Youcanenterglobalconfigurationmodebyenteringconfigureterminalcommand.Configurationmodesallowyoutomakechangestotherunningconfiguration.Ifyoulatersavetherunningconfigurationtothestartupconfiguration,thesechangedcommandsarestoredwhenthesoftwareisrebooted.Toenterspecificconfigurationmodes,youmuststartatglobalconfigurationmode.Fromglobalconfigurationmode,youcanenterinterfaceconfigurationmodeandavarietyofothermodes.Table3‐1describeshowtoaccessandexitvariouscommoncommandmodesonJadeOS.Italsoshowsexamplesofthepromptsdisplayedforeachmode.Command Mode Access Method Prompt Exit Method User Mode Log in (JadeOS)> Use the exit command Enable Mode Enter enable and password (JadeOS)# To return to User Mode use exit command Global Configura-tion Mode Enter configure terminal (JadeOS)(config)# To return to Enable Mode from global con-figuration mode, use exit command Interface Con-figuration Mode Specify an inter-face using in-terface command (JadeOS)(config-if)#To return to the global configuration mode, use exit command. Table3‐1CommandModesonJadeOS3.2.2CommandHelpYoucanusethequestionmark(?)toviewvarioustypesofcommandhelp.Whentypedatthebeginningofaline,thequestionmarklistsallthecommandsavailableinyourcurrentmodeorsub‐mode.Abriefexplanationfollowseachcom‐
10JadeOSUserManualmand.Forexample: (JadeOS) > ? enable Turn on Privileged commands exit Exit this session. Any unsaved changes are lost. help Help on CLI command line processing and a Description of the interactive help system logout Exit this session. Any unsaved changes are lost. ping Send ICMP echo packets to specified ip address. traceroute Trace route to the specified ip address. Whentypedattheendofapossiblecommandorabbreviation,thequestionmarkliststhecommandsthatmatch(ifany).Forexample: (JadeOS) #a? aaa Authentication commands ap Instruct AP ap-leds Control AP LED behavior (11n APs only) ap-regroup Move AP into a group ap-rename Change an AP's name apboot Instruct AP to reboot itself apconnect Instruct Mesh-Point to connect new parent apdisconnect Instruct Mesh-Point to disconnect from its parent apflash Instruct AP to reflash itself Ifmorethanoneitemisshown,typemoreofthekeywordcharacterstodistinguishyourchoice.However,ifonlyoneitemislisted,thekeywordorabbreviationisvalidandyoucanpresstaborthespacebartoadvancetothenextkeyword.Whentypedinplaceofaparameter,thequestionmarkliststheavailableoptions.Forexample: (JadeOS) #write ? erase erase configuration from NV memory file Write to file memory Write to NV memory <cr> 3.2.3CommandCompletionTomakecommandinputeasier,asyoutype,youcanpressthespacebarortabtomovetothenextkeyword.Thesystemthenattemptstoexpandtheabbreviationforyou.Ifthereisonlyonecommandkeywordthatmatchestheabbreviation,itisfilled
11JadeOSUserManualinforyouautomatically.Iftheabbreviationistoovague(toofewcharacters),thecursordoesnotadvanceandyoumusttypemorecharactersorusethehelpfeaturetolistthematchingcommands.3.2.4DeletingConfigurationSettingsUsethenocommandtodeleteornegatepreviously‐enteredconfigurationsorpa‐rameters.Toviewalistofnocommands,typenoattheenableor‘config’promptfollowedbythequestionmark. (JadeOS) (config) # no? 3.2.5ProfileCommandJadeOSusesProfiletodesignsomecomplexcommands.JadeOSencapsulatesasetofconfigurationsinProfile,andthenapplytheProfiletootherconfiguredobject.Thiswillmakeconfigurationmorelogical.3.3ConfiguringtheManagementPort3.3.1ConfiguringIPManagementportisusedforthenetworkadministratortooperatetheequipmentinremote.Toconfiguremanagementport,youneedtoconfigureIPaddressfirstsothattoaccesstheequipmentinremote:Step1Accessmanagementportmode:interface mgmt <id> step2ConfiguringIpaddress: ip address A.B.C.D/MASK-Length Parameter Description id Range: 1-2 Table3‐2parameterdescriptionExampleasfollows:(JadeOS)(config)#interface mgmt 1 (JadeOS)(config)#ip address 192.168.1.254/24 3.3.2ConfiguringRoutingYouneedtoconfigureastaticroutingtoaccesslocalPCofremoteadministrator.ToConfigurestaticroutingtable,usethefollowingcommandinConfigmode: ip route <dest-subnet> <gateway>
12JadeOSUserManualForexample,weconfigurearoutetoadministratorsubnet192.168.0.0/24throughnexthop192.168.1.1.(JadeOS)(config)#ip route 192.168.0.0/24 192.168.1.1 3.4ConfiguringManagement3.4.1InquireConfigurationToviewpresentconfiguration,usethecommand:(JadeOS) # show running-config 3.4.2SavingConfigurationChangesWhenyoumakeconfigurationchangesviatheCLI,thosechangesaffectthecurrentrunningconfigurationonly.Ifthechangesarenotsaved,theywillbelostaftertheSKG10000Plusreboots.Tosaveyourconfigurationchanges,usethefollowingcom‐mandinenablemode: (JadeOS) # write memory Afterperformingthecommandwritememory,twoconfigurationfileswillbesavedintheflash:• startup‐config:Containingthestartupconfigurationoptions• running‐config:Containingtheconfigurationoptionsduringsystemrun‐ning.3.4.3ResetJadeOSYoucanreturnJadeOStoitsoriginalconfigurationbyresettingtheJadeOStofac‐tory‐defaultsettings.Step1Enterthewriteerasecommand.Aprompt‘Doyoureallywanttodeletealltheconfiguration(y/n):‘,writeerasesuccessful’willbedisplayed.(JadeOS) (config) #write erase Do you really want to delete all the configuration(y/n): Write Erase successful Step2ReloadtheJadeOSbyenteringreloadcommand.Theprompt‘doyoureallywanttorestartthesystem(y/n)’willbedisplayed.Enter‘y’,theJadeOSwillreboot.(JadeOS) (config) #reload Do you really want to restart the system(y/n): n 3.4.4FilesImport/Export
13JadeOSUserManualYoucansaveconfigurationfilesintoJadeOSandcopytoanexternalserver.copy startup-config flash: <filename> copy startup-config tftp: <tftphost> <filename> copy running-config flash: <filename> copy running-config ftp: <ftphost> <user> <password> <filename> [<remote-dir>] copy running-config startup-config copy running-config tftp: <tftphost> <filename> 3.5SystemUpdateThesystemimagefileisstoredintheCompactFlash(CF)oneachlinecard.Everytimeyoustartthesystem,bootloaderwillautomaticallydownloadtheimagetosys‐temRAM.TheCFcardisdividedintotwopartitionswhichbothcontainthesystemimagefiles.Atthefactorydefaultsetting,bootloaderwilldownloadimagefilesfrompartition0.Aftersystemupdating,JadeOSwillautomaticallystartfromthepartitionwhichcontainstheupdatedimagefiles.Youcanalsospiffywhichpartitiontostartfrommanually.Toupdatethesystemimagefile,completethefollowingsteps:Step1InputtheusernameandpasswordafterconnectingtheJadeOSthroughSSH,telnetorconsole.Step2Turnintotheglobalconfigurationmodebyenteringthecommandconfig‐ureterminal.Step3Turnintotheinterfaceconfigurationmodebyenteringthecommandin‐terfacemgmt.Step4SetmgmtinterfaceIPaddressandmakesurethetftporftpserverisok.Step5Copytheimagefiletopartition0/1onCFcard.Thesystemwillrebootaftertheupdatecomplete.Note:It’srecommendedthatyouupdatethesystemimagefilesfromthepartitionwhichthesystemisnotworkingontoavoidthatthecurrentimagefilesareerased.Forexample:ifthesystemisworkingonpartition0,pleaseupdatethesystemimagefilesfrompartition1.Tochangebootpartition,usefollowingcommandinConfigmode: (JadeOS) (config)#boot system partition 0 Toviewimageinformationaboutbootpartition,usefollowingcommandinenablemode:
14JadeOSUserManual (JadeOS) #show image version ---------------------------------- Partition : 0:0 (/dev/sda1) Software Version : JadeOS 2.3.2.0 Built on : SMP Thu Dec 19 18:01:40 CST 2013 ---------------------------------- Partition : 0:1 (/dev/sda2) Software Version : JadeOS 2.2.6.0 Built on : SMP Mon Nov 18 14:58:24 CST 2013 3.6FileOperations3.6.1BasicOperationsJadeOSprovidebasicoperationsaboutfilessuchasdir、copy、rename、deleteandsoon,thecommandisasfollowing:Dirfiles: (JadeOS) #dir Copyfiles: (JadeOS) #copy flash: <srcfilename> {flash: <destfilename> | tftp: <tftphost> <destfilename> | ftp:<ftphost> <user> <filename>} | ftp: <ftphost> <user> <filename> {system: partition {0|1} |flash: <filename> }| running-config {flash: <filename> | ftp: <ftphost> <user> <password> <filename> | tftp: <tftphost> <filename>} | startup-config {flash: <filename> | tftp: <tftphost> <filename>} | system: partition {<srcpartition> 0|1}| tftp: <tftphost> <filename> {flash: <destfilename>}| Renamefiles:(JadeOS) #rename <old> <new> Deletefiles:(JadeOS) #delete filename <file> 3.6.2FilesTransferbyFTPandTFTPCommandYoucantransferthefollowingfilesbetweenJadeOSandanexternalserverorhost:• JadeOSimagefiles• AspecifiedfileinJadeOSflashfilesystem,oracompressedarchivethatcontainstheflashfile• Configurationfile,eithertherunningconfigurationorastartupconfigura‐
15JadeOSUserManualtion• LogfilesYoucanusethefollowingprotocolstotransferfilesbetweenJadeOSandexternalserverorhost:• FileTransferProtocol(FTP)• TrivialFileTransferProtocol(TFTP)Sever Type Configuration Trivial File Transfer Proto-col(TFTP) IP address of the server Filename File Transfer Protocol(FTP) IP address of the server Username and password to log into server Filename Table3‐3ParametersofTFTPandFTPConfiguration3.6.3JadeOSImageImageFilesTransferYoucancopyJadeOSimagefilestoJadeOSorequipmentbyTFTPorFTPserver.WhenyoutransferaJadeOSimagefiletoequipment,youmustspecifythepartitionwhichthefileiscopiedto.YouhavetheoptionofrebootingJadeOSwiththetrans‐ferredimagefile.copy tftp: <tftphost> <filename> system: partition {0|1} copy ftp: <ftphost> <user> <filename> system: partition {0|1} copy scp: <scphost> <username> <filename> system: partition [0|1] 3.6.5LogFilesStorageYoucansavelogfilesintoacompressedarchiveandcopytoanexternalTFTPserver.tar logs copy flash: logs.tar tftp: <tftphost> <destfilename> copy flash: logs.tar scp: <scphost> <username> <destfilename> 3.7UserManagementTocreateusers,youcanusethecommand:mgmt‐user<user><password>Forexample,createauseraccount“test”andpassword“123456”: (JadeOS) (config)#mgmt-user test 123456
16JadeOSUserManualToinquireusersinthesystem,youcanusethecommand: (JadeOS) #who vty[0] connected from 192.168.16.21 vty[1] connected from 192.168.16.22 vty[2] connected from 192.168.16.19 vty[3] connected from 192.168.16.19 3.8ConfiguringSystemSettings3.8.1SettingHostnameThefactorydefaulthostnameisJadeOS.Youcanchangethehostnameusingthefol‐lowingcommand:hostname <hostname> Forexample:(JadeOS) (config) #hostname Gate (Gate) (config) # 3.8.2SettingCountryCodeJadeOSaredesignedtomanagetheaccesspointswhicharelocatedinmanycoun‐trieswithdifferentrequirements.Theradioswithintheaccesspointsareassignedtoaspecificregulatorydomainatthefactory.Youcanspecifyaparticularcountrycodeforeachcountry(suchasFRforFranceorESforSpain).Configuringacountrycodeensuresthateachradio’sbroadcastfrequencybands,interfaces,channels,andtransmitpowerlevelswhicharecompliantwithcountry‐specificregulations.WhentheJadeOSstartforthefirsttime,thesystemwillpromptyoutoenterthecountrycodewhichcountrytheJadeOSislocatedandyouneedtoconfirmthecoun‐trycodebyentering‘yes’.3.8.3SettingAdministratorPasswordTologinJadeOS,youmustentertheadministratoruseraccountandpassword.Thefactorydefaultuseraccountis‘admin’andthepasswordis“admins”.Aprompt‘Enterpasswordforadminlogin’willbedisplayedafteryouenterthead‐ministratoruseraccount‘admin’.Youcanenterthepasswordthatyouwanttosetandretypeittoconfirm.Exceptfortheadministratoruser,youcanset9users.3.8.4SettingSystemClockYoucansettheJadeOSsystemdateandtimemanuallyusingtheconfigurationwiz‐ardwhenyoustarttheJadeOSsystemforthefirsttime.GreenwichMeanTime(GMT)
17JadeOSUserManualisusedasthestandardforsettingthetimezone.¾ SettingtheSystemClockManuallyTosetthedateandtime,enterthefollowingcommandinprivilegedmode:clock set <year><month><date><hour><minutes><seconds> Tosetthetimezoneanddaylightsavingstimeadjustment,enterthefollowingcom‐mandsinconfiguremode:clock timezone<WORD><-23 - 23> clock summer-time <zone> [recurring] <1-4><start day><start month><hh:mm> first<start day><start month><hh:mm> last<start day><start month><hh:mm> <1-4><end day><end month><hh:mm> first<end day><end month><hh:mm> last<end day><end month><hh:mm> [<-23 - 23>] ¾ SettingtheSystemClockwithNTPYoucanuseNTP(NetworkTimeProtocol)tosynchronizeJadeOStoacentraltimesource.3.8.5ClockSynchronizationForeachNTPserver,youcanoptionallyspecifytheNTPiburstmodeforfasterclocksynchronization.TheiburstmodesendsuptenquerieswithinthefirstminutetotheNTPserver.(Wheniburstmodeisnotenabled,onlyonequeryissentwithinthefirstminutetotheNTPserver.)Afterthefirstminute,theiburstmodetypicallysynchro‐nizestheclocksothatqueriesneedtobesentatintervalsof64secondsormore.YoucanaddaNTPserverusingthefollowingcommand:ntp server <ipaddr> [iburst] 3.8.6ConfiguringNTPAuthenticationTheNTPaddssecuritytoanNTPclientbyauthenticatingtheserverbeforesynchro‐nizingthelocalclock.NTPauthenticationworksbyusingasymmetrickeywhichisconfiguredbytheuser.ThesecretkeyissharedbybothJadeOSandanexternalNTPserver.Thishelpsidentifysecureserversfromfraudulentservers.ThisexampleenablesNTPauthentication,addauthenticationsecretkeysintothedatabase,andspecifiesasubsetofkeyswhicharetrusted.Italsoenablestheiburstoption.
18JadeOSUserManual (JadeOS)(config)#ntp authenticate (JadeOS)(config)#ntp authentication-key <key-id> md5 <key-secret> (JadeOS)(config)#ntp trusted-key <key-id> (JadeOS)(config)#ntp server <IP> iburst ExampleofconfiguringNTPauthentication:(JadeOS)(config)#ntp authenticate (JadeOS)(config)#ntp authentication-key 1 md5 123 (JadeOS)(config)#ntp trusted-key 1 (JadeOS)(config)#ntp server 1.1.1.1 iburst 3.9PingandTracerouteCommandpingandtraceroutecanhelptodiagnosenetworkconnectionstatus.Commandformat:ping A.B.C.D traceroute A.B.C.D Forexample,usecommandpinginenablemodetojudgewhethertheinternetcon‐nectiontoIPaddress‘192.168.20.1’ornot. (JadeOS) #ping 192.168.20.1 Sending..., 100-byte ICMP Echos to 192.168.20.1, press 'q' or ESC to exit: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0.686/0.7134/0.808 ms 3.10LicenseManagementLicenseismainlyusedtoprotectthelawfulrightsofauthorizedusers.YoucanobtaintheauthorizationbyinputLicenseActivationKey.Note:pleasecontactthevendorsifyouneedtoaddAPsafterlicenseisineffective.ToaddLicensekey,youcanusefollowingcommandinconfigmode:license add <key> Note:Keyisprovidedbyvendors,andthelengthis192characters.Afterlicensekeyisineffective,youcaninquirythelimitnumberofAPandstationbythefollowingcommand:show license limit Todisplaylicensekey,youcanusefollowingcommand:show license
19JadeOSUserManualChapter4 InterfaceConfiguration Thischapterwilldescribehowtoconfigureinterface.4.1NamingEthernetPortGigabitEthernet<word>isGEport,andparameter‘word’formatis<slot/port>.‘slot’meansslotnumber,‘port’meansportnumber.Bothstartwithvalue0andrangedependsontherealnumberofEthernet.Forexample,gigabitEthernet1/0 , gigabitEthernet1/1 andgigabitethernet1/2 meansthefirstEthernetport,thesecondEthernetportandthethirdEthernetportofthefirstslot.Tengigabitethernet<word>is10Gport,andparameter‘word’formatisthesameasGEport.Toinquirypresentslotnumber,useshowslotcommand:(JadeOS) #show slot Slot12 ‘slot12’meanspresentslotnumberis12.4.2ConfiguringVLANJadeOSoperatesasalayer‐2switchthatusesaVLANasabroadcastdomain.Asalayer‐2switch,JadeOSrequiresalayer‐3routertoroutetrafficbetweenVLANs.4.2.1CreatingVLANYoucanconfigureVlaninvlanmode:Step1Entervlanmodebyusingfollowingcommandinconfigmode:vlan database Step2Creatingvlanvlan <id> Note:Deletevlanbyusingnovlan<id>command.Forexample:(JadeOS)(config)#vlan database (JadeOS)(config-vlan)#vlan 2 (JadeOS)(config-vlan)#vlan 3 name "VLAN3" (JadeOS)(config-vlan)#no vlan 2
20JadeOSUserManualCommand Description Vlan 2 Create vlan 2 vlan3name"VLAN3" Create vlan 3,and name as“vlan 3” Novlan2delete vlan 2 Table4‐1commanddescriptions4.3AddingEthernetPortintoVLANTheEthernetportcanbesetinaccessmodeortrunkmode,andthenaddedintoaVLAN.TheEthernetportisinaccessmodebydefault.Ifitissetintrunkmode,theportcancarrydataofmultiVLANTag.Theportchannelcanbesetinaccessmodeortrunkmode.Bydefault,aportchan‐nelisinaccessmodeandcarriestrafficonlyfortheVLANthatisassigned.Intrunkmode,aportchannelcancarrytrafficformultipleVLANs.¾ ConfigurePortinaccessmodeStep1Enterphysicalinterfacemodeinterface gigaethernet <slot/port> step2Configurelayer‐2interfacemodeswitchport mode access step3Addintothecorrespondingvlanswitch access vlan <vlan-id> Forexample,addgigabitethernet1/2 intoaccessvlan2(JadeOS)(config) #interface gigabitethernet 1/2 (JadeOS)(config-if)#switchport mode access (JadeOS)(config-if)#switchport access vlan 2 ¾ ConfigurePortinTrunkModeStep1EnteringphysicalinterfacemodeInterface gigaethernet 1/0 Step2Configurelayer‐2interfacemodeswitchport mode trunk Step3Specifythenativevlanidandavailablevlantagnumberrespectivelyswitch trunk native vlan <vlan-id> switchport trunk allowed vlan add <vlan-id-list> Parameter Description Vlan-id Specify native vlan id Vlan‐id‐listSpecify available vlan tag Table4‐2parameterDescriptions
21JadeOSUserManualForexample,addgigabitethernet1/2 intoaccessvlan2(JadeOS)(config) #interface gigabitethernet 1/2 (JadeOS)(config-if)#switchport mode trunk (JadeOS)(config-if)#switchport trunk native vlan 4 (JadeOS)(config-if)#switchport trunk allowed vlan add 5-10,11,12 4.4ConfiguringVLANInterfaceCommandtoconfigureVLANInterface:interface vlan <1-4094> Note:youneedtocreateVLANfirstbeforeconfiguringVlanInterface.Forexample:(JadeOS) (config)#interface vlan 2 (JadeOS) (config-if)#ip address 10.0.0.1/24 4.5ConfiguringPortChannelLinkaggregationprovideshighertotalbandwidth,auto‐negotiation,andrecoverybycombiningparallelnetworklinksbetweendevicesasasinglelink.Port‐ChannelsprovideamechanismforaggregatingmultiplephysicalEthernetlinkstoasinglelogicalEthernetlink.Port‐Channelsaretypicallyusedtoincreaseavailabilityandbandwidth,whilesimplifyingthenetworktopology.Step1Configureport‐channelinconfigmode:Interface port-channel <id> Step2AddEthernetportintoaggregationgroupinport‐channelinterfacemode:add [gigabitethernet <slot>/<port> | tengigabitethernet <slot>/<port>] Note:Todeleteoneport,usefollowingcommand:del[gigabitethernet<slot>/<port>|tengigabitethernet<slot>/<port>]Step3Configurebalancearithmetic,nowitsupportsarithmeticofactive‐standbyandload‐balance:(JadeOS)(config-if)#balance arithmetic active-stanby (JadeOS)(config-if)#balance arithmetic load-balance Examples: (JadeOS)(config)#interface port-channel 1 (JadeOS)(config-if)#add gigabitethernet 2/1 (JadeOS)(config-if)#balance arithmetic active-stanby (JadeOS)(config-if)#balance arithmetic load-balance
22JadeOSUserManualInquireLAGbyusingshowInterfaceport‐channel<id>command:(JadeOS)#show interface port-channel 2 Port-Channel 2 is administratively up Hardware is Port-Channel, address is 04:8B:42:10:0D:0B (bia 04:8B:42:10:0D:0B) Description: Link Aggregate (LACP) Spanning Tree is disabled VLAN membership: 190 Switchport priority: 0 Member port: GE 4/3, Admin is up, line protocol is up GE 4/4, Admin is up, line protocol is up link status last changed 0 day 0 hr 16 min 46 sec 106198 packets input, 21374111 bytes Received 124 broadcasts, 0 runts, 7483 giants, 0 throttles 11936475 input error bytes, 545 CRC, 0 frame 82048 multicast, 24026 unicast 14148 packets output, 432640 bytes 0 output errors bytes, 0 deferred 0 collisions, 0 late collisions, 0 throttles Port-Channel 2 is TRUSTED DeleteLAGbyusingnointerfaceport‐channel<id>command: (JadeOS)(config)# no interface port-channel 0 Theportchannelcanbesetinaccessmodeortrunkmode.Bydefault,aportchan‐nelisinaccessmodeandcarriestrafficonlyfortheVLANthatisassigned.Intrunkmode,aportchannelcancarrytrafficformultipleVLANs.¾ ConfigurePortChannelinaccessmode (JadeOS)(config)#interface port-channel 1 (JadeOS)(config-if)#switchport mode access (JadeOS)(config-if)#switchport access vlan 2 ¾ ConfigurePortchannelintrunkmode(JadeOS)(config) #interface port-channel 2 (JadeOS)(config-if)#description Portchannel2 (JadeOS)(config-if)#switchport mode trunk (JadeOS)(config-if)#switchport trunk native vlan 5 (JadeOS)(config-if)#switchport trunk allowed vlan 6-9,10
23JadeOSUserManual4.6ConfiguringQinQ4.6.1ConfiguringQinQDefinedinIEEE802.1Q,VLANTagdomainonlyuses12bytestoindicateVLANID,soequipmentcansupportupto4094VLANs.Somescenarios,especiallyinmetropoli‐tanareanetwork,requireaseparateVLANforcustomers.Therefore,4094VLANcannotmeettherequirement.The802.1QinQexpandsVLANspacebyusingaVLAN‐in‐VLANhierarchyandtaggingthetaggedpackets.Atthesametime,QinQmakesSPuseoneVLANsupportstheentirecustomer'sVLANs.SPprovidesdifferentservicefordifferentcustomersbydecapsulatinginnerandoutervlantagofusers’message.ConfiguringQinQbyusingfollowingcommand:Step1CreateQinQsub‐interfaceinphysicalinterface:interface gigabitethernet/tengigabitethernet <slot>/<port>.<subif> parameter description slot Slot number,range: 1-13 port Port number subifSub interface,range: 1-16760836 table4‐3ParameterDescriptionForexample,createQinQsub‐interfacegigabitethernet1/0 . 1 inEthernetinterfacegigabitethernet1/0 : interface gigabitethernet 1/0.1 step2SpecifyQinQinnerandoutertagencapsulation dot1q <outer-vlan-id> second-dot1q <vlan-id|[begin-end]> Parameter Description out‐vlan‐id Singletagnumber,range:1‐4094vlan‐id|[begin‐end] Singletagnumber,range:1‐4094;orrange,forexample:100‐200 table4‐4ParameterDescriptionForexample:createaQinQinterfacethatoutertagis1000andinnertagrangeis100‐200,andconfigureIPaddressasalayer‐3interface.(JadeOS)(config)#interface gigabitethernet 10/0.1 (JadeOS)(config-subif)# encapsulation dot1q 1000 second-dot1q 100-200 (JadeOS)(config-subif)#ip address 1.1.1.1/32 Thesub‐interfacecanbeusedasalayer‐3routingsub‐interface.YoucanconfigureIP
24JadeOSUserManualaddressandroutinginit.2QinQTagwillbepeeledwhenreceivingdata,and2QinQTagwillbeencapsulatedwhensendingdata.Youcanconfiguredifferentservices(forexample,differentauthenticationpoliciesorbandwidthcontrolpolicies)ondifferentinnertagwhendatareceivedinQinQsub‐interface.4.7InquiringInterfaceStatusandStatisticsToviewinterfaceinformation,useshowinterfacegigabitethernet<Slot/Port>command:(JadeOS) #show interface gigabitethernet 12/0 Interface gigabitethernet 12/0 Hardware is Ethernet Current HW addr: 04:8b:42:10:5c:00 Physical:04:8b:42:10:0c:18 index 23 metric 1 mtu 1500 duplex-half arp ageing timeout 300 tcp4mss disable tcp6mss disable proxy_arp disable local_proxy_arp disable (UP,BROADCAST,RUNNING,MULTICAST,TRUST) VRF Binding: Not bound inet 119.6.100.5/24 broadcast 119.6.100.255 inet6 fe80::68b:42ff:fe10:5c00/64 input packets 1779, bytes 117400, dropped 0, multicast packets 0 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0 output packets 8, bytes 837, dropped 0 output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0 collisions 0 Toviewallinterfacesinformation,useshowipinterfacebriefcommand:(JadeOS) #show ip interface brief Interface IP-Address / IP-Netmask Status Protocol loopback 0 unassigned / unassigned up down Te 12/0 unassigned / unassigned up down vlan 1 unassigned / unassigned up down mgmt 1 192.168.20.95 / 255.255.255.0 up up Gi 12/0 119.6.100.5 / 255.255.255.0 up up Gi 12/2 172.50.3.1 / 255.255.255.0 up up Gi 12/4 unassigned / unassigned down down Gi 12/6 unassigned / unassigned down down Gi 12/8 unassigned / unassigned up up Gi 12/10 unassigned / unassigned down down
25JadeOSUserManualGi 12/12 unassigned / unassigned down down Gi 12/14 unassigned / unassigned down down Gi 12/16 unassigned / unassigned down down Gi 12/18 unassigned / unassigned down down
26JadeOSUserManualChapter5 Layer‐2NetworkServiceJadeOSprovideslayer‐2networkservice.Thischapterwilldescribebridgeforwardingandportmirror.5.1BridgeForwarding5.1.1BridgeDescriptionBridgeisusedfortheinterconnectionamongtwoormoreLayer‐2networkanddataframeforwardingbasedonMACaddressofLayer‐2network.BridgesupportsMACaddresslearning.BridgewillcreateonebridgetablebasedonsourceMACaddresswhenonedataframefromoneMACaddressfirstgoingthroughbridge.BridgetableisindexedbyMACaddress,anditwillrecordthephysicalinter‐faceconnectedtothishost.Thereafter,whendataframefromthesameMACad‐dresscometothishostagain,itwillbesenttothisphysicalinterfacesothattoavoidsendingbroadcastmessagetoallinterfaces.Bridgeforwardingisbasedonbridgetable,eachMACaddressiscorrespondingtoonetable.BridgetablewillbeautomaticallydeletedifthereisnodataframefromthesameMACaddressgoingthroughthisbridgetableforawhile.Whenthereisdataframecomingtothisbridgeafterawhile,bridgewilllearnMACaddressagain.Besidesdynamiclearning,bridgetablesupportsstaticconfiguration,whichiscalledstatictable.5.1.2ConfiguringBridgeBridgeconfigurationistoaddseveralphysicalinterfacestothesameVLAN.InthesameVLAN,severalinterfacesformabridge,thecommunicationamongtheinter‐facesisbridgeforwarding.Pleaserefertochapter4.2andchapter4.3formoreinformation.5.1.3DynamicTableDynamictableisgeneratedbysystemlearning.Systemwilllookupbridgetablewhenreceivingmessage.Ifnobridgetableisavailable,systemwillautomaticallygenerateabridgetablebasedonthesourceMACaddress,VLANID,andtheinter‐faceofmessage. Toinquirybridgetable,useshowdatapathbridgetablecommand.Forexample:(JadeOS) #show datapath bridge table
27JadeOSUserManualDatapath Bridge Table Entries ----------------------------- Flags: P - Permanent, D - Deny, M - Mobile, L - Local MAC VLAN Assigned VLAN Destination Flags Aging-time -------------- ---- ------------- --------- ----- ------- 04:8B:42:12:00:81 5 5 Local PL 04:8B:42:12:0A:81 85 85 Local PL 04:8B:42:12:0A:A1 86 86 Local PL 04:8B:42:12:0A:C1 87 87 Local PL 04:8B:42:12:0A:E1 88 88 Local PL 5.1.4BridgeAgingThebridgeagingtimeis15minutesbydefault.Ifnotrafficin15minutes,bridgeta‐blewillbeaging.5.1.5StaticTableStaticbridgetablewillnotbeaging.Toconfigurestatictable,usefollowingcommandinconfigmode:mac-address-table static <mac address> [discard/forward] giga-bitethernet <slot/port> Vlan <vlan-id> Forexample:(JadeOS)(config)#mac-address-table static 04:8b:42:22:05:6f discard gigabitethernet 1/0 vlan 2 Note: To delete bridge table, use following command in config mode: nomac‐address‐tablestatic<macaddress><discard/forward><gigabitethernet><vlan> 5.2PortMirrorMirrormodeenablesyoutoduplicatetoanotherportallofthetrafficoriginatingfromorterminatingatasingleclientdeviceoraccesspoint.Itisusefulindiagnosingspecificnetworkproblems.Mirrormodeshouldbeenabledonlyonanunusedportasanyconnectionstothisportbecomeunresponsive.Youcanconfigureportmirroringusingthefollowingcommands: (config)#interface{tengigabitethernet|gigabitethernet} <slot>/<port> (config-if)#mirror interface vlan <VLAN ID> direction {both | receive | transmit} 
28JadeOSUserManualChapter6 Layer‐3NetworkServiceJadeOSprovideslayer‐3networkservice.ThischapterwilldescribehowtoconfigureIPaddress,staticrouting,GREtunnel,DHCP,OSPF,andIPv6andsoon.6.1ConfiguringIPAddress6.1.1ConfiguringIPAddressUsethefollowingcommandstoassignastaticIPaddresstoaportonJadeOS:interface gigabitethernet <slot>/<port> no switchport ip address <address><netmask> 6.1.2ConfiguringLoopbackTheloopbackIPaddressisalogicalIPinterfacethatisusedbyJadeOStocommuni‐catewithAPs.TheloopbackaddressisusedasJadeOS’sIPaddressforterminatingVPNandGREtunnels,originatingrequeststoRADIUSserversandacceptingadminis‐trativecommunications.Youconfiguretheloopbackaddressasahostaddresswitha32‐bitnetmask.Theloopbackaddressisnotboundtoanyspecificinterfaceandisoperationalatalltimes.Tousethisinterface,ensurethattheIPaddressisreachablethroughoneoftheVLANinterfaces.Itshouldberoutablefromallexternalnetworks.ToconfiguretheloopbackIPaddress,usethefollowingcommands:interface loopback <id> ip address <address><mask> 6.2ConfiguringStaticRoutingTable6.2.2ConfiguringStaticRoutingToconfigurestaticrouting,usefollowingcommand:ip route <subnet>/<prefix-length> <gateway> Forexample: (JadeOS) (config)#ip route 10.0.0.0/24 192.168.10.1 6.2.2InquiringRoutingTableToinquirysystemroutingtable,includingdirectroutingandstaticconfiguringrout‐ing,useshowiproutecommand. (JadeOS) #show ip route
29JadeOSUserManualCodes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S 10.2.20.0/24 [1/0] via 192.168.20.1, mgmt 1 S 18.0.0.0/8 [1/0] via 192.168.20.1, mgmt 1 C 80.1.0.0/16 is directly connected, vlan 80 C 119.6.100.0/24 is directly connected, Gi 12/0 S 119.6.200.0/24 [1/0] via 119.6.100.1, Gi 12/0 C 172.50.3.0/24 is directly connected, Gi 12/2 S 192.168.0.0/16 [1/0] via 192.168.20.1, mgmt 1 C 192.168.20.0/24 is directly connected, mgmt 1 6.3ConfiguringARPJadeOSsupportsconfiguringstaticARPtable.AddressResolutionProtocol(ARP)isaTCP/IPprotocolusedforresolutionofnetworklayerIPaddressintolinklayerMACaddress,acriticalfunctioninmultiple‐accessnetworks.ARPwasdefinedbyRFC826in1982.BesidesthebasicARPfunction,JadeOSalsosupportlocalproxyARPandDHCPau‐thorizedARP.ItiseffectivelyavoidedARPcheatandattackbyDHCPSnooping,whichenhancesthesecurityofpublicwirelessLANscommunication.6.3.1ConfiguringStaticARPTableDynamicARPlearningisenablinginJadeOSportbydefault.ToaddstaticARPtable,usefollowingcommand:arp <ipaddr> <macaddr> TodeleteARPcacheentry,usenoarpcommand:no arp <ipaddr> <macaddr> Forexample:(JadeOS) (config) #arp 10.1.2.23 00:19:87:0D:5C:2C 6.3.2InquiringARPTableToviewARPtable,useshowarpcommand: (JadeOS) #show arp
30JadeOSUserManualAddress HWaddress Interface Type 192.168.20.1 00:13:1A:A5:CC:80 mgmt 1 Dynamic 192.168.20.15 00:15:C5:F3:35:B2 mgmt 1 Dynamic 192.168.20.152 00:14:22:19:FC:C4 mgmt 1 Dynamic 119.6.100.1 C4:64:13:D1:9A:EA Gi 12/0 Dynamic 192.168.20.226 04:8B:42:10:6C:1C mgmt 1 Dynamic 172.50.3.2 04:8B:42:20:00:F5 Gi 12/2 Dynamic 6.3.2ConfiguringARPProxyProxyARPincludeslocalproxyARPandproxyARP.TheybothreplyARPre‐questwithinterfaceMACaddress,nomattertherequestaddressisinexistenceornot.Buttheyhavedifferencestoo.ProxyARPwillreplyARPrequestnomattertherequestaddressisinthesamenetworksegmentwithinterfaceornot.LocalproxyARPwillreplywhenARPrequest’soriginaladdress,destinationaddressandinterfaceaddressareinthesamenetworksegment.IncaseoftheTUNNELbroadcastmessagesuppressionandDHCPsnoopingisopen,clientneedtocommunicatewithanotherclientthatinthesamenetworksegmentbutdifferenttunnel,soweneedtocontinuouslybroadcastARPmessagetolookupanotherclient.Intheabovesituation,wecanopenthelocalproxyARPfunctioninJadeOS.Inthisway,JadeOSwillactasARPproxytoensuretheclient’sdatacommu‐nicationindifferenttunnel,andthesametime,avoidalotofuselessbroadcastmes‐sagecausedbyrepeatbroadcast.6.4ConfiguringMTUandTCPMSSMtuandtcpmssistheattributeofinterface.Whenthedatapacketislargerthanmtuvalue,systemwillfragmentdatapacketac‐cordingtomtuvalue.Fragmentationwillaffectdataperformance,soyoushouldtrytoavoidfragmentation.Iftheinterfaceistheattributeoftcpmssandthetcpmssoptionofsynmessageislargerthanthetcpmssvalueofinterface,systemwillmodifythetcpmssoptionofthissynmessageandupdatetcpchecksumwhentcpsynmessagegoesthroughin‐sideinterfaceandoutsideinterface.Youshouldtrytoavoidfragmentationforfrag‐mentationwillaffectdataperformanceToconfiguremtu,usemtu<68‐9216>commandinconfigmode:Toconfiguretcpmss,usetcp4mss<4‐65535>commandininterfacemode:Forexample,configurethemtuandtcp4mssofinterfacegigaethernet1/0 is1460and1440respectively:(JadeOS) (config)#interface gigabitethernet 10/1
31JadeOSUserManual(JadeOS) (config-if)#mtu 1460 (JadeOS) (config-if)#tcp4mss 1440 6.5ConfiguringGRETunnelGRE(GenericRoutingEncapsulation)specifiesaprotocolforencapsulationofanar‐bitraryprotocoloveranotherarbitrarynetworklayerprotocol.GREdefinedinRFC2784andupdatedbyRFC2890.TocreateaGREtunnelinterfaceandenterinterfaceconfigurationmodeonJadeOS,usethefollowingcommand:interface tunnel <id> tunnel mode gre Figure6‐3GREtunnelTocreateaGREtunnelonJadeOS,usethefollowingsteps:(JadeOS)(config) #interface tunnel 1 (JadeOS)(config-if) #tunnel mode gre (JadeOS)(config-if) #ip address x.x.x.x/x (JadeOS)(config-if) #tunnel source x.x.x.x (JadeOS)(config-if) #tunnel destination x.x.x.x (JadeOS)(config-if) #tunnel key <0-4294967295> (JadeOS)(config-if) #tunnel checksum 6.6ConfiguringDHCPTheDynamicHostConfigurationProtocol(DHCP)isanetworkconfigurationprotocolforhostsonInternetProtocol(IP)networks.UDPprotocolmainlyhastwousages:- Reduceclient’sconfigurationburden,usedinthechangeofoffice.- Reducenetworkadministrator’sconfigurationburden.UDPachievesaddressunifieddistribution,centralizedmanagementandDHCPSnoopingrationalusing,whichisgoodforavoidingnetworkattackandensuringresourcera‐tionallyinuse.Becauseoftheterminalmobility,wirelessnetworkarchitecturehasahighstandardonDHCPprotocol.ItstillhashighstandardonthescaleofaddresspoolandaddressdistributionrateinSPenvironment.
32JadeOSUserManual6.6.1ConfiguringDHCPServerToconfigureDHCPserver,usefollowingcommand:Step1CreateoneormoreDHCPaddresspool:ip dhcp pool <pool-name> Step2SpecifythegatewayofDHCPclientdefault-router A.B.C.D Step3SpecifytheDNSserverofDHCPclientdns-server A.B.C.D Step4SpecifytheleasetimeLease <days> <hours> <minites> <seconds> Step5Specifytherangeofaddresspoolnetwork <subnet> <mask> Step6(optional)DHCPissueARPtablethatcombinedwithIPandMACaddressofclienttothesystem.update arp Step7(optional)SpecifythereservedIPaddressorIPrange,whichistheIPaddressnotassignedtotheclient.ip dhcp excluded-address <start-address> [<end-address>] Step8EnableDHCPserviceservice dhcp 6.6.2InquiringDHCPServerStatus1InquireDHCPConfiguration (JadeOS) #show ip dhcp database DHCP enabled ping-check false; broadcast; # vlan409 subnet 172.40.9.0 netmask 255.255.255.0 { lease-time 1 days,0 hours, 0 minutes, 0 seconds; option routers 172.40.9.1; range 172.40.9.2 172.40.9.254; } 2InquireDHCPleasestatistics (JadeOS) #show ip dhcp statistics Network Name 13.0.0.0/16 Total leases 65533
33JadeOSUserManual Free leases 64532 Active leases 1001 Abandoned leases 0 Reserved leases 0 3InquireDHCPleaseinformation (JadeOS) #show ip dhcp binding lease 13.0.6.202 { starts Mon Dec 23 10:41:30 2013 ends Mon Dec 23 10:42:30 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:73:2b; uid "\001\000P\272Ps+"; } lease 13.0.6.238 { starts Mon Dec 23 10:41:33 2013 ends Mon Dec 23 10:42:33 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:75:2b; uid "\001\000P\272Pu+"; } lease 13.0.7.19 { starts Mon Dec 23 10:41:28 2013 ends Mon Dec 23 10:42:28 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:74:e9; uid "\001\000P\272Pt\351"; } lease 13.0.7.61 { starts Mon Dec 23 10:41:33 2013 ends Mon Dec 23 10:42:33 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:76:5c; uid "\001\000P\272Pv\\"; } 4InquireDHCPServerrunningstatus (JadeOS) #show ip dhcp server statistics
34JadeOSUserManualDhcp Server Packet Statistics: Receive packet: Discover 0 Request 0 Release 0 Decline 0 Inform 0 Leasequery 0 Unkown 0 Send packet: Offer 0 Ack 0 Nak 0 Other packet: Bootp 0 Boopreply 0 Speed: Offer Speed 0 client/sec 6.6.3 Configuring DHCP Relay JadeOSprovidesDHCPRelayfunctionthatenhancestheDHCPfunction. ADHCPrelayagentisanyhostthatforwardsDHCPpacketsbetweenclientsandservers.Relayagentsareusedtoforwardrequestsandrepliesbetweenclientsandserverswhentheyarenotonthesamephysicalsubnet.RelayagentforwardingisdistinctfromthenormalforwardingofanIProuter,whereIPdatagramareswitchedbetweennet‐workssomewhattransparently.Bycontrast,relayagentsreceiveDHCPmessagesandthengenerateanewDHCPmessagetosendonanotherinterface.DHCPRelayconfigurationasbelow:Step1Enter“ipdhcprelay”(JadeOS)(config)# ip dhcp relay Step2SpecifytheinterfaceofDHCPClient(JadeOS)(config-dhcp-relay)# client-interface <interface-name> Step3SpecifytheIPaddressofDHCPServer(JadeOS)(config-dhcp-relay)# server address A.B.C.D
35JadeOSUserManualStep4SpecifytheinterfaceofDHCPServer(JadeOS)(config-dhcp-relay)# server-interface <interface-name> Step5EnableRelay  (JadeOS)(config-dhcp-relay)# enable 6.6.4 DHCP Snooping DHCPSnoopingactsasthefirewallbetweenuntrusthostandDHCPserver,whichavoidinterfereandattacktothelegaluser.ThroughDHCPsnooping,youcanviewthefilteredillegalDHCPmessage.BecauseDHCPmessagecarriesMACaddressandIPaddressofuserterminal,youcanobtainandrecordDHCPmessagethroughcontinuouslytrack,whichcanbeusedtoindentifyotherillegalDHCPmessage.ThroughbuildingandmaintainingDHCPsnoopingtable(IP‐MACbinding),systemcandetectwhetherthefollowedcommunicationislegal,andthenrejecttheunmatcheddatabetweenIPandMAC.ToenableDHCPsnooping,usethefollowingcommand:ip dhcp snooping enable TodisplayDHCPsnoopingbindingtable,usethefollowingcommand: (JadeOS) #show ip dhcp snooping binding counter Datapath Bind Table Statistics ------------------------------- Current Entries 1001 High Water Mark 1001 Maximum Entries 262144 Total Entries 4001 Allocation Failures 0 (JadeOS) #show ip dhcp snooping binding DHCP Snooping State is disable DHCP Snooping verify MAC State is disable Datapath Binding Table Entries ------------------------------------------------------------------- Type: D - Dynamic, S - Statically-configured MacAddress IpAddress Lease(sec) Type Interface ------------- --------------- --------- ------ ------------ 00:50:ba:50:77:06 13.0.7.20 300 D Gi 6/10 00:50:ba:50:76:DA 13.0.6.242 300 D Gi 6/10
36JadeOSUserManual00:50:ba:50:76:D8 13.0.6.237 300 D Gi 6/10 00:50:ba:50:76:D4 13.0.6.227 300 D Gi 6/10 SecurityCheckThroughbindingtable,DHCPsnoopingmoduledeterminewhethertheDHCPmes‐sagesentbyuserislegalornot,andthenrejectillegalDHCPrequestifillegal.EnablingMACaddressdetection,DHCPsnoopingcanavoidattackbycheckingwhethertheMACaddressofDHCPprotocolmatchwiththesourceMACaddressofEthernet.ToenableMACaddressdetectionofDHCPsnooping,usethefollowingcommandinconfigmode:ip dhcp snooping verify mac-address enable BroadcastSuppressionJadeOScanautomaticallyrecordDHCPrequestinformationintoDHCPsnoopingses‐siontablebyenablingDHCPsnooping.WhenreceivedbroadcastmessagefromDHCPserver,JadeOScanlookupthecorrespondinghostandexitportintheDHCPsnoop‐ingtable,thenchangethebroadcastintounicast.Therefore,JadeOSachievesbroad‐castsuppression.ToconfigurethebroadcastsuppressioninQinQinterface,usethefollowingcom‐mand:ip dhcp snooping enable TodisplaytheDHCPsnoopingsessiontable,usethefollowingcommand:show ip dhcp snooping session 6.6.5ARPWithDHCPEnablingARPwithDHCP,DHCPwillissueARPtablethatcombineddistributedIPad‐dressandMACaddressinclienttothesystem,atthesametime,disablethefunctionofARPlearninginthespecifiedinterface.Therefore,ARPtableisstrictlycheckedbyDHCPsnooping,whichensuresthelegalityandavoidtheARPcheatandinterferetotheuseronlineandcommunication.Forexample:¾ EnableARPwithDHCPfunction:Step1Configureupdatearpinaddresspool(JadeOS) (config)#ip dhcp pool ABC (JadeOS) (config-dhcp)#update arp Step2ConfigureARPauthorizedintheinterfaceofdistributedIP,disableARPlearningfunction: (JadeOS) (config)#interface vlan 6
37JadeOSUserManual(JadeOS) (config-if)#arp authorized Note:ARPlearningwillbedisabledafterenablingARPwithDHCP.¾ DisableARPwithDHCPfunction:Step1TosaveclientARPinformation,usenoupdatearpcommandtodisableARPfunction: (JadeOS) (config)#ip dhcp pool ABC (JadeOS) (config-dhcp)#no update arp Step2EnableARPlearningfunction (JadeOS) (config)#interface vlan 6 (JadeOS) (config-if)#no arp authorized YoucaninquiryclientARPinformationbyshowarpcommand.6.7ConfiguringOSPFOpenShortestPathFirst(OSPF)isanadaptiveroutingprotocolforInternetProtocol(IP)networks.Itusesalinkstateroutingalgorithmandfallsintothegroupofinteriorroutingprotocols,operatingwithinasingleautonomoussystem(AS).ThisallowstheJadeOStodeployeffectivelyinaLayer3topology.TheJadeOScanactasdefaultgatewayforallclientsandforwarduserpacketstotheupstreamrouter.6.7.1OSPFImplementationJadeOSOSPFimplementationconformstotheOSPFVersion2specificationsdetailedintheInternetRFC2328.ThelistthatfollowsoutlineskeyOSPFfeaturessupportedonJadeOS:z NSSAareas(RFC3101)supported.z Routeredistribution—RouteslearnedviaanyIPprotocolcanberedistributedintoanyotherIProutingprotocol.z Authentication—Plaintextauthenticationamongneighboringrouterswithinanareaissupported.z Routinginterfaceparameters—Configurableparameterssupportedincludein‐terfaceoutputcost,retransmissioninterval,interfacetransmitdelay,routerpri‐ority,router“dead”and“hello”intervals,andmessagedigestkey.6.7.2EnablingOSPFOSPFisdisabledbydefault.ToenabletheOSPFfunctiononJadeOS,usethefollowingcommandintheconfigurationmode:(JadeOS)(config)# router ospf
38JadeOSUserManualEnablingOSPFrequiresthatyoucreateanOSPFrouterIDwhichistheonlyidentifierinanASsystemandareaIDwhichspecifytherangeofroutingprocess.IftherouterIDisnotconfigured,theloopbackinterfaceIPwillbetakenasrouterID.Ifthereisnoloopbackinterface,systemwillselectamaximumIPaddressfromallofinterfaceIPs.ToconfigurearouterID,completethefollowingcommand: (JadeOS) (config)#router ospf (JadeOS) (config-router)#ospf router-id <IP> ToconfigureaareaID,usethefollowingcommand:(JadeOS)(config)# router ospf (JadeOS)(config-router)# area <area id> <parameter> Note:PleaserefertoJadeOSCommandManualformoreareaconfigurationparameter.6.7.3ConfiguringOSPFInterfaceParametersJadeOSallowsyoutoaltercertaininterface‐specificOSPFparametersasneeded.Youarenotrequiredtoalteranyoftheseparameters,butsomeinterfaceparametersmustbeconsistentacrossallroutersinanattachednetwork.Therefore,besurethatifyoudoconfigureanyoftheseparameters,theconfigurationsforallroutersonyournetworkhavecompatiblevalues.Tospecifyinterfaceparametersasneededforyournetwork,usetheanyofthecommandslistedintable6‐1:Command Purpose ip ospf cost <value> ExplicitlyspecifythecostofsendingapacketonanOSPFinterface. ip ospf dead-interval<value> Setthenumberofsecondsthatadevice'shellopacketsmustnothavebeenseenbeforeitsneighborsdeclaretheOSPFrouterdown.ip ospf hello-interval<value> Specifythelengthoftimebetweenthehellopack‐etsthattheCiscoIOSsoftwaresendsonanOSPFinterface. ip ospf message-digest-key <value> <passwd> EnableOSPFMD5authentication.ip ospf priority <value> SetprioritytohelpdeterminetheOSPFdesignatedrouterforanetwork. ip ospf retransmit-interval <value> Specifythenumberofsecondsbetweenlinkstateadvertisementretransmissionsforadjacenciesbe‐longingtoanOSPFinterface.ip ospf trans- Settheestimatednumberofsecondsittakesto
39JadeOSUserManualmit-delay<value>transmitalinkstateupdatepacketonanOSPFin‐terface.Table6‐1OSPFInterfaceParameter6.7.4ConfiguringOSPFAreaJadeOSOSPFsupportsthefollowingtypesofarea:z StubareaStubareasareareasintowhichinformationonexternalroutesisnotsent.Instead,thereisadefaultexternalroutegeneratedbytheareaborderrouter,intothestubareafordestinationsoutsidetheautonomoussystem.TotakeadvantageoftheOSPFstubareasupport,defaultroutingmustbeinthestubarea,youcanconfigureno‐summaryontheABRtopreventitfromsendingsummarylinkadvertisementintothestubarea.ToconfigureastubareaonJadeOS,usethefollowingcommand:area <area-id> stub [no-summary] Forexample,configurearea1.1.1.1asstubareaonJadeOS:(JadeOS) (config) #router ospf (JadeOS) (config-router) # area 2 stub no-summaryz NSSA(NotSoStubbyArea)areaNSSAareaissimilartoOSPFstubarea.NSSAdoesnotfloodType5(ExternalLinkStateAdvertisements)LSAformthecoreintothearea,butithastheabilityofim‐portingASexternalroutesinalimitedfashionwithinthearea.NSSAallowsimportingofType7ASexternalrouteswithinNSSAareabyredistribution.TheseType7LSAsaretranslatedintoType5LSAsbyNSSAABRwhicharefloodedthroughoutthewholeroutingdomain.ToconfigureaNSSAareaonJadeOS,usethefollowingcommand:area <area-id> nssa [ no-redistribution ] [no-summary ] [de-fault-information-originate] Example1,configurearea1.1.1.1astotallyNSSAareaonJadeOS:(JadeOS)(config)# router ospf (JadeOS) (config-router) # area 1 nssa no-summary Example2,configurearea1.1.1.1asnon‐totallyNSSAarea,notimportingtype‐7ex‐ternalroutestothearea:(JadeOS)(config)# router ospf area 1.1.1.1 (JadeOS)(config-router) # nssa no-redistribution Example3,configurearea1.1.1.1asnon‐totallyNSSAarea,importingadefaultroutetothearea:
40JadeOSUserManual(JadeOS)(config)# router ospf (JadeOS)(config-router) # area 1 nssa default-information-originate 6.7.5ConfiguringOSPFNetworkTypeJadeOSsupportsthefollowingtypesofOSPFnetwork:• Point‐to‐pointnetworks(HDLC,TokenRing,FDDI)Onepoint‐to‐pointlinkssuchasHDLCandPPP,OSPFrunsasapoint‐to‐pointnetworktype.ToconfigureanOSPFpoint‐to‐pointnetworkonJadeOS,usethefollowingcommand:(JadeOS)(config-if)#ip ospf network point-to-point • Broadcastnetworks(Ethernet,TokenRing,FDDI)OnthebroadcastmediumsuchasEthernetandTokenRing,OSPFrunsasabroadcastnetworktype.ToconfigureanOSPFbroadcastnetworkonJadeOS,usethefollowingcommand:(JadeOS)(config-if)#ip ospf network broadcast Note:Thenetworktypeisbroadcastbydefaultinfactory.6.7.6OSPFPoint‐to‐pointConfigurationExampleInthefollowingOSPFnetwork,theautonomoussystemisdividedinto3areas.JadeOSAandJadeOSBistheABRwhichisresponsibletoannouncetheroutesbe‐tweenOSPFareas.
41JadeOSUserManualFigure6‐1OSPFconfigurationexampleStep1CreateVLANandaddinterfacestoVLAN(Refertochapter4forVLANconfiguration)Step2ConfigureOSPFonJadeOSA (JadeOS-A) (config) #router ospf (JadeOS-A) (config-router) #ospf router-id 1.1.1.1 (JadeOS-A) (config-router) #network 192.168.10.0/24 area 0 (JadeOS-A) (config-router) #network 192.168.20.0/24 area 1 (JadeOS-A) (config) #interface vlan 10 (JadeOS-A) (config-if) #ip address 192.168.10.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-A) (config) #interface vlan 20 (JadeOS-A) (config-if) #ip address 192.168.20.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point Step3ConfigureOSPFonJadeOSB (JadeOS-B) (config) #router ospf (JadeOS-B) (config-router) #ospf router-id 1.1.1.2 (JadeOS-B) (config-router) #network 192.168.10.0/24 area 0 (JadeOS-B) (config-router) #network 192.168.30.0/24 area 2 (JadeOS-B) (config) #interface vlan 10
42JadeOSUserManual(JadeOS-B) (config-if) #ip address 192.168.10.2/24 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-B) (config) #interface vlan 30 (JadeOS-B) (config-if) #ip address 192.168.30.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point Step4ConfigureOSPF on JadeOSC (JadeOS-C) (config) #router ospf (JadeOS-C) (config-router) #ospf router-id 1.1.1.3 (JadeOS-C) (config-router) #network 192.168.20.0/24 area 1 (JadeOS-C) (config) #interface vlan 20 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-C) (config-subif) #ip address 192.168.20.2/24 Step5ConfigureOSPFonJadeOSD (JadeOS-D) (config) #router ospf (JadeOS-D) (config-router) #ospf router-id 1.1.1.4 (JadeOS-D) (config-router) #network 192.168.30.0/24 area 2 (JadeOS-D) (config) #interface vlan 30 (JadeOS-D) (config-subif) #ip ospf network point-to-point (JadeOS-D) (config-subif) #ip address 192.168.30.2/24 Note:RoutingmanagementsupportsOSPFdynamicroutingmanagementandstaticroutingmanagement.Toaddstaticrouting,useiprouteA.B.C.D/<destmask>command.Todeleterouting,usenoiprouteA.B.C.D/<destmask>command.Todisplayrouting,useshowiproutecommand.6.8ConfiguringIPv6JadeOSsupportsIPv4/IPv6configurationandIPv6forwarding.IPv6addressandrout‐ingconfigurationissimilartoIPv4.6.8.1AddressConfigurationToconfigureIPv6address,usefollowingcommandininterfacemode: (JadeOS) (config)#interface vlan 333 (JadeOS) (config-if)#ipv6 address 2011::6:31/64 6.8.2RoutingConfiguration
43JadeOSUserManualToconfigureIPv6routing,usefollowingcommand:ipv6 route <subnet>/<prefix-length> <gateway> 6.8.3Ping6Toconfigureping6,usefollowingcommand:ping6 <ipv6-address>
44JadeOSUserManualChapter7 NetworkSecurityJadeOSisalwaysdeployedingateway,whichmuchdatagoesthroughit.Thenetworkenvironmentofequipmentisverycomplexandfacesnetworksecuritythreat.ThischapterwilldescribeJadeOSnetworksecurityandhowtoconfigureit.7.1AccessControlList(ACL)AccessControlList(ACL)definesthenetworkaccess.ACListhecombinationofrules;eachrulecanspecifyonematchedruleandoneoperation.MatchedruleisbasedonIPaddressorportnumber;operationis‘permit’or‘deny’.TheACListomatchrulesinsequence.JadeOShaveanimplicitruleof‘deny’foreachACL,soyoushouldaddthecorre‐spondingruleandspecifytheoperationis‘permit’ifyouwanttoallowonetypeoftrafficgothroughit.ThroughACL,wecancontrolusers’trafficexactlysothattoen‐surenetworksecurity.7.1.1StandardACLStandardACLrulecanspecifytheoperationis‘deny’or‘permit’;thematchedruleisany,ipaddressandnetworksegment.Step1CreateastandardACLnamedtest‐standard(JadeOS) (config)#ip access-list standard test-standard Step2Denyallthetrafficinnetworksegment192.168.1.0/255.255.255.0(JadeOS) (config-std-test-standard)#deny 192.168.1.0 255.255.255.0 Step3Allowallthetrafficinnetworksegment192.168.0.0/255.255.0.0(JadeOS) (config-std-test-standard)#permit 192.168.0.0 255.255.0.0 Step4Denyalltheothertraffic.(JadeOS) (config-std-test-standard)#deny any 7.1.2ExtendedACLExtendedACLcanspecifytheoperationis‘deny’or‘permit’;thematchedrulecanspecifytheprotocolnumber(any,tcp,udp,icmp,igmp),sourceIPaddressornetworksegment,destinationIPaddressornetworksegment,rangeofportnumber.Step1CreateextendedACLnamedtest‐extended(JadeOS) (config)#ip access-list standard test-extended 
45JadeOSUserManualStep2Denytcptrafficfrom60.0.0.0/255.255.255.0to192.168.10.0/255.255.255.0withportrange1‐1023. (JadeOS) (config-std-test-extended)# deny tcp 60.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 range 1 1023 Step3Permitallthetcpport80trafficto192.168.10.0/255.255.255.0. (JadeOS) (config-std-test-extended)# permit tcp any 192.168.10.0 255.255.255.0 eq 7.1.3SessionACLSessionACLcanspecifytheoperationis‘deny’or‘drop’;thematchedrulearepro‐tocolnumber,sourceIPaddressornetworksegment,destinationIPaddressornet‐worksegmentandrangeofportnumber.Basedonfiveelements(protocol,sourceIPaddress,sourceportnumber,destinationIPaddress),sessionACLcantrackallthedataofthissessiontoachievethecomplexfunction,suchasSNAT,DNAT.SessionACLisusedtocontroluserauthentication.PleaserefertoChapter9formoreinformation.Step1CreateasessionACLnamedtest‐session(JadeOS) (config)#ip access-list standard test-session Step2Allthetrafficfrom192.168.20.0/255.255.255.0willbetranslatedbySNATfunction.NAT‐POOLisusedbyNATpool.(Pleaserefertochanter7.3forhowtocre‐ateNATpool) (JadeOS) (config-std-test-extended)# network 192.168.20.0 255.255.255.0 any any src-nat pool NAT_POOL Step3:Allthetrafficfrom192.168.30.0/255.255.255.0willbetranslatedtoaddress10.10.10.134byDNATfunction. (JadeOS) (config-std-test-extended)# network 192.168.30.0 255.255.255.0 any any dst-nat ip 10.10.10.134 7.2SessionJadeOSwillmaintainasessiontableforeachsession.Thesessiontableisbasedonfiveelements(protocol,sourceIPaddress,sourceportnumber,destinationIPad‐dress).Whenthesystemreceivesthefirstdatapacketofthesession,itwillcreateasessiontableforthesession.Basedonthissession,thefollowingdatapacketwillbeuniformlyhandledbyJadeOS,forexample,SNATwillbetransferredtothesamead‐dressbyNATfunction.Whenthesessionisterminated(forexample,monitortcpfinmessage)ortimeout(notrafficforalongtime),sessiontablewillbedeleted.
46JadeOSUserManualToinquirethenumberofpresentsession,useshowdatapathsessioncounterscommand.(JadeOS) #show datapath session counters Datapath Session Table Statistics --------------------------------- Current Entries: 2 High Water Mark: 10 Maximum Entries: 524287 Total Entries: 185 Duplicate Entries: 0 Cross linked Entries: 0 Max link Length: 1 Toviewpresentsessiontable,useshowdatapathsessiontablecommand: (JadeOS) #show datapath session table Datapath Session Table Entries ------------------------------ Flags: F - fast age, S - src NAT, N - dest NAT D - deny, R - redirect, Y - no syn H - high prio, P - set prio, T - set ToS C - client, M - mirror, V - VOIP Q - Real-Time Quality analysis I - Deep inspect, U - Locally destined E - Media Deep Inspect, G - media signal Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags -------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---------- ----- 172.50.3.2 172.50.3.1 17 49419 5246 0/0 0 0 0 0 0 FC 172.50.3.1 172.50.3.2 17 5246 49419 0/0 0 0 1 0 0 F 7.3ConfiguringNAT NetworkAddressTranslation(NAT)isdesignedforIPaddressconservation.Iten‐ablesprivateIPnetworksthatuseunregisteredIPaddressestoconnecttotheInter‐net.NAToperatesonarouter,usuallyconnectingtwonetworkstogether,andtrans‐
47JadeOSUserManuallatestheprivate(notgloballyunique)addressesintheinternalnetworkintolegaladdresses,beforepacketsareforwardedtoanothernetwork.Aspartofthiscapability,NATcanbeconfiguredtoadvertiseonlyoneaddressfortheentirenetworktotheoutsideworld.Thisprovidesadditionalsecuritybyeffectivelyhidingtheentireinternalnetworkbehindthataddress.NAToffersthedualfunctionsofsecurityandaddressconservationandistypicallyimplementedinremote‐accessenvironments.Basically,NATallowsasingledevice,suchasarouter,toactasanagentbetweentheInternet(orpublicnetwork)andalocalnetwork(orprivatenetwork),whichmeansthatonlyasingleuniqueIPaddressisrequiredtorepresentanentiregroupofcom‐puterstoanythingoutsidetheirnetwork.7.3.1ConfiguringSNAT Figure7‐1sourceaddresstransfer TocreateNATpool,usethefollowingcommandinconfigmode:ip nat pool <pool-name> <start-ip> <end-ip> <dest-ip> TocreateSNATruleinsessionACL,usethefollowingcommand:network <subnet> <mask> any any src-nat pool <pool-name> Usingfigure7‐1asanexample,step1andstep2showhowtospecifytheuserpolicyinVLAN100.Letthetrafficfromuserson200.0.0.0/24subnetbeSNATedwhentheyaccesspublicinternetserver155.0.0.150.Step1CreateNATaddresspool(JadeOS)(config)# ip nat pool nat_pool 150.0.0.1 150.0.0.1 160.0.0.1 Step2ConfiguresessionACL,addaSNATrulesspecifyingwhattrafficistobetranslatedandNATpool (JadeOS)(config)#ip access-list session tacl (JadeOS)(config-sess-tacl)# network 200.0.0.0 255.255.255.0 any any src-nat pool nat_pool
48JadeOSUserManualStep3andStep4showhowtoapplyACLtoVLAN100,pleaserefertochapter9.4formoreinformation.Step3ConfigureuserroleandapplyACl(JadeOS)(config)#user-role trole (JadeOS)(config-trole)#access-list session tacl Step4ConfigureAAAProfile,andspecifyuserrole(JadeOS)(config)#aaa profile test (JadeOS)(AAA profile “test”)#initial-role trole Step5ApplyAAAprofiletoVLAN100(JadeOS)(config)#vlan 100 aaa profile test 7.3.2ConfiguringDNAT Figure7‐2DestinationaddresstransferToconfigureDNATaddresstransferinsessionACl,usefollowingcommand:<src-subnet> <dest-subnet> <protocol> dst-nat ip <ip-address> Usingfigure7‐2asanexample,JadeOSachievestomakeuserthatfailedauthentica‐tionredirecttoportalserver(150.0.0.150)byDNATfunction.Pleaserefertochapter9.4formoreinformation.Step1TocreatesessionACLandspecifyDNATIPaddressandDNATdestinationIPaddress,usethefollowingcommand: (JadeOS) (config) #ip access-list session tacl (JadeOS) (config-sess-tacl) # any host 150.0.0.1 any dst-nat ip 200.0.0.200 Step2TocreateuserroleandapplyittoACL,usethefollowingcommand: (JadeOS) (config) #user-role trole (JadeOS) (config-trole) #access-list session tacl Step3TocreateAAAprofileandapplyittouserroleandauthenticationgroup,usethefollowingcommand:
49JadeOSUserManual (JadeOS) (config) #aaa profile test (JadeOS) (AAA profile “test”) #http-redirection enable (JadeOS) (AAA profile “test”) #initial-role trole Step4ApplyAAAprofiletoVLAN100(JadeOS) (config) #vlan 100 aaa profile test 7.4ConfiguringDoSAnti‐attackThemainfunctionofDoSanti‐attackistoprotecttheoperationsystemofcontrolplane,whichcanmakeJadeOSworknormallyinmaliciousattack.DoSanti‐attackwillclassifybasedonprotocolfirst,andthenlimittherateofeachprotocolaccordingtotheconfiguration.JadeOSconfiguredifferentratelimitpolicyforeachprotocol;ratelimitpolicyisbasedontrafficpersecondorthenumberofdatapacket.7.4.1SystemPre‐definedConfigurationPre‐definedconfigurationisthebestdeploymentconfigurationofJadeOS,whichisbasedonthehardwareperformanceanddesignspecificationoftheproduct.Toviewsystempredefinedconfiguration,useshowfirewallcommand. (JadeOS) #show firewall Firewall bandwidth-contract: Firewall Rate limit Enable/Disable Rate Rate limit CP Capwap traffic Disable 2MBps0KBps Rate limit CP Dhcp traffic Disable 8MBps0KBps Rate limit CP Hostapd traffic Disable 20MBps0KBps Rate limit CP Ospf traffic Disable 2MBps0KBps Rate limit CP trusted-mcast packet traffic Disable 20MBps0KBps Rate limit CP trusted-ucast packet traffic Disable 40MBps0KBps Rate limit CP untrusted-mcast packet traffic Disable 10MBps0KBps Rate limit CP untrusted-ucast packet traffic Disable 10MBps0KBps Rate limit CP VRRP packet traffic Disable 2MBps0KBps Rate limit SP session miss packet traffic Disable 50000pps Rate limit SP user miss packet traffic Disable 1000pps Rate limit SP other excepion packet traffic Disable 2MBps0KBps 7.4.2ConfiguringAnti‐attackJadeOSsupportsanti‐attackconfiguration,whichisconvenientforconfigurationad‐justmentinvariousnetworkscenarios.
50JadeOSUserManualTwoconfigurationcommandsinconfigmode: firewall cp-bandwidth-contract <service type> <pps number | traffic limit> firewall sp-bandwidth-contract <service type> <pps number | traffic limit> Forexample:Toconfiguretheratelimitofsessioncreationis50000persecond:(JadeOS) (config)#firewall sp-bandwidth-contract session pps 50000 Toconfiguretheratelimitofnewonlineuseris700persecond: (JadeOS) (config)#firewall sp-bandwidth-contract user pps 700 ToconfiguretherateofreceivingDHCPmessageis2000persecond: (JadeOS) (config)#firewall cp-bandwidth-contract dhcp pps 2000 ToconfiguretherateofreceivingARPmessageis2000persecond: (JadeOS) (config)#firewall cp-bandwidth-contract arp pps 2000 Toconfiguretherateofreceivingunicastmessagethatfailedauthenticationis10Mbps: (JadeOS) (config)#firewall cp-bandwidth-contract untrusted-ucast 10 0 7.5ConfiguringLawfulInterceptLawfulinterceptisaprocessthatenablesaLawEnforcementAgency(LEA)toper‐formelectronicsurveillanceonanindividual(atarget)asauthorizedbyajudicialoradministrativeorder.Tofacilitatethelawfulinterceptprocess,certainlegislationandregulationsrequireserviceproviders(SPs)andInternetserviceproviders(ISPs)toimplementtheirnetworkstoexplicitlysupportauthorizedelectronicsurveillance.Thesurveillanceisperformedthroughtheuseofwiretapsontraditionaltelecommu‐nicationsandInternetservicesinvoice,data,andmultiservicenetworks.TheLEAde‐liversarequestforawiretaptothetarget'sserviceprovider,whoisresponsibleforinterceptingdatacommunicationtoandfromtheindividual.Theserviceproviderusesthetarget'sIPaddressorsessiontodeterminewhichofitsedgeroutershandlesthetarget'straffic(datacommunication).Theserviceprovidertheninterceptsthetarget'strafficasitpassesthroughtherouter,andsendsacopyoftheinterceptedtraffictotheLEAwithoutthetarget'sknowledge.ConfigurationSteps:Step1TocreateLIG(LIgateway),andspecifytheencapsulationwayoftrafficsenttoLIG,usethefollowingcommandinLImode:lig add <li-gateway-name> [mirror|udp][interface|id] Step2ToaddLIrule,andspecifyLIname(basedonACL,IP,MAC,networksegment)andLIGwhichreceivestheLItraffic,usethefollowingcommand:
51JadeOSUserManualrule [acl-filter | host-filter | mac-filter | net-filter] send <lig-name> acl-filter add lawful intercept rule, intercept data streams host-filter add lawful intercept rule, intercept host data streams mac-filter add lawful intercept rule, intercept ethernet data streams net-filter add lawful intercept rule, intercept host data streams Figure6‐4LawfulinterceptionTocreateLawfulinterceptiongatewayinterfaceandrulesonJadeOS,completethefollowingsteps:Step1EntertheLIconfigurationmode. (JadeOS)(config) #li Step2ConfiguretheLIgatewayonJadeOS. (JadeOS)(config-li) #lig add test123 mirror gigabitethernet 2/1 Step3ConfiguretheLIruleandenablethelawfulinterceptonJadeOS. (JadeOS)(config-li) #rule host-filter 1 gigabitethernet 2/1 10.1.10.2 send test123 (JadeOS)(config-li) #li enable
52JadeOSUserManualChapter8 ConfiguringHQoSWiththerapiddevelopmentofthecomputernetwork,servicessuchasbandwidth,delay,jittersensitivevoiceandvideoaretransferredthroughIPnetworktunnel.JadeOSsupportHQoS(hierarchicalQoS)technologywhichcanclassifythetypeofservicetraffic;itcanalsouniformlymanageandhierarchicallyschedulethetransferobjects,suchasseveralusers,multi‐service,andseveraltypesoftrafficandsoon,whichensurethequalityfordifferentdataservice.ToenableordisableHQoSfunctioninJadeOS,usefollowingcommandinconfigmode:hqos-switch [on|off] 8.1ConfiguringRateLimitationonPortToconfiguretheratelimitationforportonJadeOS,usingfollowingcommand:rate-limit [down|up] (0-10240) [bps|kbps|mbps] Forexample,toconfiguretheratelimitofindirectionis200Mbpsandtherateofoutdirectionis300Mbps: (JadeOS)(config)#interface gigabitethernet 1/0 (JadeOS)(config-if)#rate-limit up 200 mbps (JadeOS)(config-if)#rate-limit down 300 mbps 8.2ConfiguringRateLimitationonVLANToconfiguretheratelimitationforVLANonJadeOS,usingfollowingcommand: (JadeOS)(config)#interface vlan 100 (JadeOS)(config-if)#rate-limit up 200 mbps (JadeOS)(config-if)#rate-limit down 1 mbps 8.3ConfiguringRateLimitationonUserToconfiguretheratelimitationforuseronJadeOS,usingfollowingsteps:Step1Toconfigurebandwidthnamed‘BW‐8M’and‘BW‐2M’,usingfollowingcom‐mand:(JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8 (JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2 Step2Toconfigurethedownstreambandwidthnamed‘BW‐8M’andtheupstreambandwidthnamed‘BW‐2M’inuserrole,usingfollowingcommand: (JadeOS) (config)#user-role postauth
53JadeOSUserManual(JadeOS) (config-role)#bandwidth-contract BW-8M downstream (JadeOS) (config-role)#bandwidth-contract BW-2M upstream
54JadeOSUserManualChapter9 ConfiguringAAAThischapterdescribesAAAconfiguration,includingusernetworkaccess,bandwidthcontrolpolicyandsoon.9.1TheAttributeofTrustandUntrustInterfacemeanstheinsideinterfaceofdatapacket;whentheinterfaceistheattrib‐uteoftrust,JadeOSwilldisableauthenticationfunctioninthisinterface;whentheinterfaceistheattributeofuntrust,JadeOSwillenableauthenticationfunctioninthisinterface.Toconfiguretheattributeoftrustanduntrustintheinterface,usethefollowingsteps:Step1Enterinterfaceconfigmode:(JadeOS) (config)#interface gigabitethernet 10/1 Step2Configuretheinterfaceistheattributeoftrust(JadeOS) (config-if)#trusted Step3Configuretheinterfaceistheattributeofuntrust(JadeOS) (config-if)#no trusted Allthelayer‐2interfaceandlayer‐3interfaceiswiththeattributeoftrustandun‐trust;whenthedatapacketgoesthroughseveralinterfaces,JadeOSwilldecidewhethertoauthenticateaccordingtothelastinterface’sattribute.Forexample,addtheinterfacegigaethernet1/0intovlan10;gigaethernet1/0istheattributeoftrust,interfacevlan10istheattributeofuntrust;datapacketwillauthenticateaccordingtotheattributeofthelastinterfacevlan10basedontheaboverule.9.2UserandUserRole9.2.1UserInordertoflexiblycontrolthenetworkaccessandtrafficbandwidthindifferentIPaddress,JadeOSwillcreateausertableforeachIPaddressthatgoesthroughun‐trustinterface.Usertablehasitsownlifecycle.CreateUser:whentrafficofoneIPaddressgoesintosystemfromuntrustinterface,JadeOSwilllookuptheIPaddressinthesystem;ifitisnotinexistence,JadeOSwilltriggertheauthenticationprocessandgenerateausertable;usertableisindexedbyIPaddress.
55JadeOSUserManualDeleteUser:whenuserofflineornotrafficforalongtime,JadeOSwilldeletethisusertable.9.2.2UserRoleandACLUserroledefinesthenetworkaccess.JadeOSspecifiesthenetworkaccessofuserbyACL.TocreateauserroleinJadeOS,youneedtocreateasessionACL,andthenap‐plytheACLtotheuserrole.Tocreateuserrole,usethefollowingsteps:Step1ConfigureasessionACLnamedpre‐auth‐acl (JadeOS) (config) #ip access-list session pre-auth-acl Step2Configurenetworkaccess. (JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 Step3Createauserrolenamed‘pre‐auth’(JadeOS) (config) #user-role preauth Step4ApplyuserruletoACL(JadeOS) (config-role) #session-acl pre-auth-acl Attribute Description access‐list Applyaccesslisttouserrole bandwidth‐contract Setthemaximumbandwidthmax‐sessions Setthedatapathsessionlimit,64kbydefault reauthentication‐interval Configtheintervalsofre‐authenticationsession‐acl ApplysessionACL vlan DistributeVLANTheattributelistsupportedbyuserrole9.2.3AccessPolicyBasedonUserRoleBeforeausersuccessfullyauthenticate,JadeOSspecifiesaninitialroletouser(rolebeforeauthentication);aftertheuserissuccessfullyauthenticate,JadeOSwillspecifyanewroletotheuser(roleafterauthentication).NetworkadministratorscanflexiblycontrolnetworkaccessthroughconfiguringACL.
56JadeOSUserManualForexample,configureauserrolenamedpre‐auththatpermitDNStraffic,butredi‐rectallothertraffictoport443toperformauthenticationsbyDNAT;configureauserrolenamedpost‐auththatallowallthetraffic;usethefollowingsteps: (JadeOS) (config) #ip access-list session pre-auth-acl (JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#exit (JadeOS) (config) #ip access-list session post-auth-acl (JadeOS) (config-sess-post-auth-acl)#any any any permit (JadeOS) (config-sess-pre-auth-acl)#exit (JadeOS) (config)#user-role preauth (JadeOS) (config-role)#access-list session pre-auth-acl (JadeOS) (config)#user-role postauth (JadeOS) (config-role)#access-list session post-auth-acl 9.3ConnectionsamongUser,VLANandUserRoleEachuserhasitsownVLANIDinJadeOS.SeveralwaystospecifyVLANforeachuser,forexample:- IfauseraccessfromoneVLANinterface,user’sVLANistheinterface’sVLANID;- SpecifyaVLANforSSID;ifauseraccessfromthisSSID,user’sVLANisthespecifiedVLAN;EachVLANhasanAAApolicy;pleaserefertochapter9.4formoreinformation.EachAAApolicydefinestheuserrolebeforeauthenticationandafterauthentication(includingnetworkaccessandbandwidthcontrol).Userwillswitchuserroleafterauthentication.9.4ConfiguringAAAProfileAAAprofileisaprofileaboutauthenticationconfiguration.Profilespecifiestheauthenticationways(webportal,802.1x,andMACauthentication),initialrole(rolebeforeauthentication),defaultrole(roleafterauthentication),RadiusServerandsoon.ApplyAAAprofiletooneVLAN,andthenalltheuserintheVLANcanuseAAAprofile.Beforeconfiguration,youneedtoconfigureACL,Role,Radiusservergroup,authen‐ticationways,andthenapplythemtotheAAAprofile.
57JadeOSUserManual9.4.1ConfiguringACLACLisusedtospecifyuser’snetworkaccess.Pleaserefertochapter9.2and9.3formoreinformation.9.4.2ConfiguringroleConfiguringAAAprofileneedtoconfigureuserrolebeforeauthenticationandafterauthentication.Pleaserefertochapter9.3formoreinformation.9.4.3ConfiguringRadiusServerGroupStep1ConfigureRadiusserverRS1,includingIPaddressofradiusserver,authen‐ticationkeyandlocalIPaddress: (JadeOS) (config)#aaa authentication-server radius RS1 (JadeOS) (RADIUS Server "RS1")#host 119.6.200.245 (JadeOS) (RADIUS Server "RS1")#key 123456 (JadeOS) (RADIUS Server "RS1")#ip 119.6.200.33 (JadeOS) (RADIUS Server "RS1")#exit Step2ConfigureRadiusservergroupSG1,includingseveralRadiusServer.(JadeOS) (config)#aaa server-group SG1 (JadeOS) (Server Group "SG1")#auth-server RS1 CommandssupportedbyRadiusServerAttribute Description acctport portnumberusingtoaccounting;range:1-65535; default value: 1813 authport Portnumberusingtoauthentication;range:1-65535; default value: 1812host IPaddressandhostnameofRadiusserver ip Sourceaddressofradiusrequestkey Pre‐sharedkey nas‐identifier nas‐identifierusedinRADIUSdatapacketnas‐ipnas‐ipofRADIUSdatapacketretransmitMaximumnumberofrequest;range:0‐3;defaultvalue:3timeoutRequesttimeout;range:1‐30s;defaultvalue:5suse‐md5EncryptionusingMD5sCommandssupportedbyRadiusServerGroupAttribute Description
58JadeOSUserManualallow‐fail‐through Allowtrafficthatfailedauthentication auth‐server Distributeauthenticationserver set Set Role/Vlan rule 9.4.4ConfiguringAuthenticationWayAuthenticationssupportedbyJadeOSarecaptive‐portal,dot1x,mac,open,psk,wep,andradius‐proxy;usuallytheauthenticationwaywillspecifydefault‐role,whichistheuserroleaftersuccessfullyauthentication.Thischapterwilldescribethecon‐figurationforauthenticationwaybyusingwebportalasanexample.Inportalauthentication,youneedtodefinearfc‐3576‐client,thenaprofilethatatleastincluderadiusservergroup、default‐role、rfc‐3576‐client.Pleaserefertochapter9.7formoreinformation.Forexample:(JadeOS) (config)#aaa rfc-3576-client 119.6.200.203 (JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234 (JadeOS) (RFC 3576 Client "119.6.200.203")#exit (JadeOS) (config)#aaa authentication captive-portal web-portal (JadeOS) (Portal Authentication Profile "web-portal)#server-group SG1 (JadeOS) (Portal Authentication Profile "web-portal)#default-role postauth (JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203 CommandssupportedbyPortal:Attribute Description default‐role Distributedefaultrolerfc‐3576‐client RFC‐3576clientserver‐group webradiusservergroupnamewelcome‐page‐url‐idTheurlIDofwelcomepage9.4.5ConfiguringAAAProfileToconfigureAAAprofile,usethefollowingsteps:Step1Createaaaaprofilenamed‘aaa’(JadeOS) (config)#aaa profile aaa Step2Specifytheauthenticationway(JadeOS) (AAA profile "aaa")#authentication-portal web-portal Step3Specifyuserolebeforeauthentication(JadeOS) (AAA profile "aaa")#initial-role preauth
59JadeOSUserManualStep4SpecifytheRadiusServerGroup,andenableaccountingfunction(JadeOS) (AAA profile "aaa")#radius-accounting SG1 (JadeOS) (AAA profile "aaa")#radius-accounting enable CommandssupportedbyAAAprofileAttribute Description authentication‐dot1x Configure802.1Xauthenticationprofileauthentication‐mac ConfigureMACauthenticationprofileauthentication‐open Configureopenauthenticationprofileauthentication‐portal ConfigurePortalauthenticationprofileauthentication‐psk ConfigurePSKauthenticationprofileauthentication‐radius‐proxy Configureradiusproxyprofileauthentication‐wep ConfigureWEPauthenticationprofiledisconnect‐message‐client Configuredisconnectmessageclienthttp‐redir‐url‐id ConfigurehttpredirectionurlIDhttp‐redirectionConfigurehttp‐redirectioninitial‐roleRolethatisassignedtoauserbeforeauthenticationtakesplacepost‐authPost‐authTimerpre‐authPre‐authTimerradius‐accountingConfigureradiusaccounting 9.4.6BindingVLANBindtheAAAprofiletoVLAN100,alltheuserinVLAN100willusethisAAAprofile.Configurationcommandsasfollows: (JadeOS) (config)#vlan 100 aaa-profile aaa 9.5MACAuthenticationAuthenticationDescriptionMACaddressauthenticationisanauthenticationwaytocontrolusernetworkaccessbasedonMACaddress;itneednottoinstallanyclientsoftware.MACauthenticationencapsulatestheMACaddressintoRADIUSmessageaccordingtoconfiguration,andthenauthenticateinthespecifiedRADIUSserver.Therefore,
60JadeOSUserManualMACauthenticationwillbeusedtogetherwithotherauthenticationways(WPA,web‐auth)inusual,alsoitcanbeusedindependently.AfterdetectingMACaddressinthefirsttime,JadeOSwillenableauthenticationforthisuser.ConfigurationManagementToconfigureMACaddress,usethefollowingsteps:Step1:ConfigureMACauthenticationprofile(JadeOS) (config)#aaa authentication mac mac1 (JadeOS) (MAC Authentication Profile "mac1")#server-group sg (JadeOS) (MAC Authentication Profile "mac1")#default-role post-auth (JadeOS) (MAC Authentication Profile "mac1")#exit Step2:ApplyMACauthenticationinAAAprofile(JadeOS) (MAC Authentication Profile "mac1")#aaa profile aaa (JadeOS) (AAA profile "aaa")#authentication-mac mac1 9.6802.1XAuthenticationAuthenticationDescription802.1xauthenticationisanauthenticationpolicybasedonport.Thepurposeof802.1xauthenticationistodecidewhetheraportisavailable;ifsuccessfullyauthen‐ticate,theportwillallowallthemessage;ifunsuccessfullyauthenticate,theportonlyallow802.1xmessage.ConfiguringSteps802.1xauthenticationneedtospecifyradiusserveranddefault‐role,examplesasfollows:Step1Configureradiusserver(JadeOS) (config)#aaa authentication dot1x dot1x1 (JadeOS) (802.1X Authentication Profile "dot1x1")#default-role post-auth (JadeOS) (802.1X Authentication Profile "dot1x1")#server-group SG1 (JadeOS) (802.1X Authentication Profile "dot1x")#server-group SG1 (JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth Step2Apply802.1xauthenticationinAAAprofile (JadeOS) (MAC Authentication Profile "mac1")#aaa profile aaa (JadeOS) (AAA profile "aaa")#authentication-dot1x dot1x1
61JadeOSUserManual9.7WEBPortalAuthenticationWebauthenticationisanauthenticationschemebasedonbrowser.Userthatfailedauthenticationwillredirecttoaloginpage,andrequiretoinputusernameandpassword;usercanaccessthenetworkonlyaftersuccessfullyauthentication.WEBredirectsupportsDNATredirectandHTTP302redirect.9.7.1WebAuthenticationProcessWebauthenticationisbasedonHTTPprotocol;authenticationwillnotpopupforci‐blyunlessusersendHTTPrequest.TheauthenticationprocessofWEBauthenticationisasfollows:• AuserthatunauthenticatedbegintobrowsernetworkpageandsendHTTPre‐quest• HTTPrequestisredirecttoanexternalportalserver• Portserversendanauthenticationpageforsecurelogin• Userinputusernameandpassword;browserwilltransferittothewebportal(authenticationmoduleinJadeOS),andthenwebportalsendauthenticationrequesttotheradiusserver• JadeOSwilldecidewhetherauthenticatesuccessfullythroughuserdatabaseinradiusserver;ifsuccessfullyauthenticate,radiusserverwillinformJadeOS,atthesametime,JadeOSinformportalserver• Portalserverpopsupwelcomepage;theuserauthenticationisover9.7.2DNATRedirectTheredirectoperationofJadeOSisbasedonDNATbydefault.Beforeauthentication,sessionACLwillredirectHTTPrequesttoportalserver.Theconfigurationcommandisasfollows: (JadeOS) (config) #ip access-list session pre-auth-acl (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 9.7.3HTTP302RedirectToconfigureHTTP302redirect,usethefollowingsteps:Step1ConfigureURLlistinconfigmode:(JadeOS) (config)# aaa http-redirection-url 1 ip 10.0.0.1 url http://10.0.0.1/wlan/index.php Step2SpecifyURLID
62JadeOSUserManual(JadeOS) (AAA profile "aaa")#http-redir-url-id 1 Step3Enablehttp302redirect(JadeOS) (AAA profile "aaa")#http-redirection enable 9.7.4ConfiguringPortalServerJadeOSwebauthenticationwillcustomizetheloginpagethroughexternalportalserver.PortalserverwillconfigureaclientaccordingtoRFC3576definition;theclientisusedforsendingusers’disconnectionandauthorizationchangeinformationtoJadeOS.ToconfigureRFCclient,usethefollowingcommand: (JadeOS) (config)#aaa rfc-3576-client 119.6.200.203 (JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234 TOconfigurethesourceportaccordingtoRFC3576server,usethefollowingcom‐mand:ip rfc-3576-server ip <IP> port <1-65535> 9.7.5ConfiguringCoADisconnectMessageDisconnectmessage(DM)isuserdisconnectmessage.TheAAAServiceFrameworkusesCoAmessagestodynamicallymodifyactivesubscribersessions.ForexampleRADIUSattributesinCoAmessagesmightinstructtheframeworktocreatemodifyorterminateasubscriberservice.CoAMessagesDynamicrequestsupportenablestheroutertoreceiveandprocessunsolicitedCoAmessagesfromexternalRADIUSservers.RADIUS‐initiatedCoAmessagesusethefol‐lowingcodesinrequestandresponsemessages:■CoA‐Request(43)■CoA‐ACK(44)■CoA‐NAK(45)ToconfigureCoADMserver,usethefollowingcommand:ip disconnect-message-server <IP> port <1~65535> ToconfigureCoADMclient,usethefollowingcommand: (JadeOS) (config) #aaa profile aaa
63JadeOSUserManual(JadeOS) (AAA profile "aaa") #disconnect-message-client <IP> 9.7.6ConfiguringCaptive‐portalAuthenticationStep1Configureauthenticationway(JadeOS) (config)#aaa authentication captive-portal web-portal (JadeOS) (Portal Authentication Profile "web-portal)#server-group SG1 (JadeOS) (Portal Authentication Profile "web-portal)#default-role postauth (JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203 Step2Applycaptive‐portalauthenticationinAAAprofile(JadeOS) (AAA profile "aaa")#authentication-portal web-portal 9.7.7CustomizeLogoutDomainUsercanusecustomizedlogoutdomain,suchaslogout.wifi;usercaninputlog‐out.wifiinthebrowser,andthenloginlogoutpage.Toconfigurelogout.wifiinJadeOS,usethefollowingcommand: (JadeOS) (config)#ip domain-name logout.wifi http-redirect-url <word> 9.7.8ConfiguringWhite‐listandBlack‐listWhite‐listandblack‐listauthenticationisagroupofURL.Threecasesaboutwhite‐listandblack‐listauthenticationasfollows:• Usercanaccesswhite‐listURLandnoneedtoauthenticate• Usercannotaccessblack‐listURL,eventhoughsuccessfullyauthenticate• UsercanaccessURLthatneitherwhite‐listnorblack‐listaftersuccessfullyau‐thenticateToconfiguredomaininJadeOS,usethefollowingcommand: (JadeOS) (config) # netdestnation black-list|white-list name WORD ConfiguringWhite‐listToconfigurewhite‐listinJadeOS,usethefollowingcommand:(JadeOS) (config) #netdestination white-list name www.sina.com (JadeOS) (config) # ip access-list session pre (JadeOS) (config-sess-pre) # any host <DNS> any permit position 1 (JadeOS) (config-sess-pre) #any alias 123 any permit position 2 ConfiguringBlack‐list
64JadeOSUserManualToconfigureblack‐listinJadeOS,usethefollowingcommand: (JadeOS) (config) #netdestination black-list name www.sina.com (JadeOS) (config) # ip access-list session post (JadeOS)(config-sess-post) #any alias 123 any deny send-deny-response position 2 9.8RadiusProxyJadeOSsupportsradiusproxy.WithproxyRADIUS,oneRADIUSserverreceivesanauthentication(oraccounting)requestfromaRADIUSclient(suchasaNAS),for‐wardstherequesttoaremoteRADIUSserver,receivesthereplyfromtheremoteserver,andsendsthatreplytotheclient,possiblywithchangestoreflectlocalad‐ministrativepolicy.AcommonuseforproxyRADIUSisroaming.Roamingpermitstwoormoreadministrativeentitiestoalloweachother'suserstodialintoeitheren‐tity'snetworkforservice.9.8.1ConfiguringRadiusProxyStep1Createaaaauthenticationradius‐proxyRP(JadeOS) (config)#aaa authentication radius-proxy RP (JadeOS) (Radius Proxy Profile "RP")#default-role postauth (JadeOS) (Radius Proxy Profile "RP")#server-group SG1 Step2ConfigaaaprofileAAA,andspecifytheauthenticationwayofRadiusProxyisRP(JadeOS) (AAA profile "AAA")#authentication-radius-proxy RP Step3Specifytheaaaprofileinconfigmode(JadeOS) (AAA profile "AAA")#aaa radius-proxy aaa profile AAA Step4EnableRadiusproxyinconfigmode(JadeOS) (AAA profile "AAA")#aaa radius-proxy enable 9.8.2ConfiguringEAP‐SIMEAP‐SIMisoneoftheEAPauthenticationprotocolbasedon2GSIMcardthroughwhichusersaccesstoWLANnetwork.Differedfromotherauthenticationprotocol,EAM‐SIMtakesuseoftheuserdataandoriginalauthenticationmessagebestoredinSIMcardtoauthenticateuserandgen‐eratesessionkeytoaccessWLAN.AtthesametimethedatawillbestoredintheISP’sHLRtoavoidtheauthenticationmessagetransferonInternettopreventuserdatafromnetworkattack.EAP‐SIMistheauthenticationprotocolappliedin2GnetworksandEAP‐AKAisap‐
65JadeOSUserManualpliedin3Gnetwork.EAP‐SIMauthenticationisperformedwhenusersuseSIMcardandEAP‐AKAauthenticationisperformedwhenusersuseUSIMcard.EAP‐SIMandEAP‐AKAisspecifiedinRFC4186andRFC4187respectively.Figure9‐1EAP‐SIMauthenticationToconfigureEAP‐SIMauthenticationonJadeOS,followingthesteps:Step1ConfigureRadiusServerandServerGroup(JadeOS) (config) # aaa authentication-server radius r1 (JadeOS) (RADIUS Server "r1") #host 1.1.1.1 (JadeOS) (RADIUS Server "r1") #key 123 (JadeOS) (RADIUS Server "r1") #ip 10.1.1.10 (JadeOS) (config) #aaa server-group sg (JadeOS) (Server Group "sg")#auth-server r1 Step2Configure802.1xauthenticationprofile(JadeOS) (config)#aaa authentication dot1x dot1x (JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth (JadeOS) (802.1X Authentication Profile "dot1x")#server-group g1 Step3ConfigureAAAProfile(JadeOS) (config)#aaa profile default (JadeOS) (AAA profile "default")#authentication-dot1x dot1x (JadeOS) (AAA profile "default")#radius-accounting sg (JadeOS) (AAA profile "default")#initial-role preauth Step4Configuressid‐profile (JadeOS) (config)#wlan ssid-profile default (JadeOS) (SSID Profile "default")#auth-mode wpa-aes Step5Configurevap‐profile (JadeOS) (config)#wlan vap-profile default (JadeOS) (VAP Profile "default")#aaa-profile default
66JadeOSUserManual (JadeOS) (VAP Profile "default")#ssid-profile default Step6Configureap‐template(JadeOS) (config)#ap-template default (JadeOS) (AP template "default")#vap-profile default 9.9RateLimitBasedonUserStep1Configurebandwidthnamed”BW‐8M”and”BW‐2M”inconfigmode (JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8 (JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2 Step2SpecifythedownstreamisBW‐8Mandtheupstreamis BW‐2M(JadeOS) (config)#user-role postauth (JadeOS) (config-role)#bandwidth-contract BW-8M downstream (JadeOS) (config-role)#bandwidth-contract BW-2M upstream 9.10UserAccountingToconfigureuseraccounting,youneedtoconfigurearadiusservergroupfirst,andenableradiusaccountinginAAAprofile.Toenableuseraccounting,usetheRa‐dius‐accounting<server‐group>command.Forexample:(JadeOS) (AAA profile "aaa")#radius-accounting SG1 9.11ExampleofWEB‐PortalAuthenticationThefollowingtopologyistakenforawebauthenticationconfigurationexample:
67JadeOSUserManual Figure9‐2WebauthenticationconfigurationexampleStep1ConfigureVLANandIP(JadeOS) (config) #vlan database (JadeOS) (config-vlan) #vlan range 11,30 (JadeOS) (config) #interface gigabitethernet 4/1 (JadeOS) (config-if)#switchport access vlan 30 (JadeOS) (config-if)#exit (JadeOS) (config) #interface gigabitethernet 4/4 (JadeOS) (config-if)#switchport access vlan 11 (JadeOS) (config-if)#exit (JadeOS) (config) #interface vlan 30 (JadeOS) (config-subif)#ip address 119.6.200.71/24 (JadeOS) (config-subif)#exit (JadeOS) (config) #interface vlan 11 (JadeOS) (config-subif)#ip address 11.11.11.76/24 (JadeOS) (config-subif)#exit (JadeOS) (config) # ip route 0.0.0.0 0.0.0.0 119.6.200.1 (JadeOS) (config-subif)#end Step2CreateDHCPServer(JadeOS) (config) #ip dhcp pool 119
68JadeOSUserManual(JadeOS) (config-dhcp)#network 119.6.200.0 255.255.255.0 (JadeOS) (config-dhcp)#default-router 119.6.200.1 (JadeOS) (config-dhcp)#dns-server 119.6.6.6 (JadeOS) (config-dhcp)#exit (JadeOS) (config) #ip dhcp excluded-address 119.6.200.1 119.6.200.115 (JadeOS) (config) #ip dhcp excluded-address 119.6.200.117 119.6.200.254 (JadeOS) (config) #service dhcp Step3ConfigureACLsession(JadeOS) (config) #ip access-list session pre-auth-ctrl (JadeOS) (config-sess-pre-auth-ctrl)# host 119.6.200.116 any tcp 80 dst-nat 8189 ip 210.151.12.118 (JadeOS) (config-sess-pre-auth-ctrl)#any any svc-dhcp permit (JadeOS) (config-sess-pre-auth-ctrl)#any any udp 53 permit (JadeOS) (config-sess-pre-auth-ctrl)#any host 210.151.12.118 tcp 443 permit (JadeOS) (config-sess-pre-auth-ctrl)#exit (JadeOS) (config) #ip access-list session post-auth-ctrl (JadeOS) (config-sess-post-auth-ctrl)#any any any permit (JadeOS) (config-sess-post-auth-ctrl)#exit Step4Configureuserrole(JadeOS) (config) #user-role pre-auth (JadeOS) (config-role) #session-acl pre-auth-ctrl (JadeOS) (config-role) #exit (JadeOS) (config) #user-role role (JadeOS) (config-role) #session-acl post-auth-ctrl (JadeOS) (config-role) #exit Step5Configuretimers(JadeOS) (config) # aaa timers dead-time 10 Step6ConfigureRFC‐35756serverandRFC‐3576client(JadeOS) (config) #ip rfc-3576-server source-interface vlan 30 port 1700 (JadeOS) (config) #aaa rfc-3576-client 210.151.12.118 (JadeOS) (RFC 3576 Client "210.151.12.118") #key ******** Step7Configureradiusserverandaddittoservergroup(JadeOS) (config) #aaa authentication-server radius r1 (JadeOS) (RADIUS Server "r1") #host 210.151.12.115 (JadeOS) (RADIUS Server "r1") #key ******** (JadeOS) (RADIUS Server "r1") #nas-ip 119.6.200.71 (JadeOS) (RADIUS Server "r1") #source-interface vlan 30
69JadeOSUserManual(JadeOS) (config) #aaa server-group g1 (JadeOS) (Server Group "g1") #auth-server r1 Step8Configureaaaprofile(JadeOS) (config) #aaa profile ABC (JadeOS) (AAA Profile "ABC") #web-auth-server-group g1 (JadeOS) (AAA Profile "ABC") #rfc-3576-client 210.151.12.118 (JadeOS) (AAA Profile "ABC") #initial-role pre-auth (JadeOS) (AAA Profile "ABC")#web-auth-default-role post-auth (JadeOS) (AAA Profile "ABC")#post-auth idle-time 300 (JadeOS) (AAA Profile "ABC")#post-auth lifetime 300 (JadeOS) (AAA Profile "ABC")#pre-auth idle-time 300 (JadeOS) (AAA Profile "ABC")#pre-auth lifetime 300 Step9ApplyprofiletoVLAN (JadeOS) (config) #vlan 30 aaa-profile ABC 9.12TroubleShootingWhenJadeOSisintrouble,usercanlocateproblembyviewinguserlist.Toviewuserlist,useshowuser‐tablecommand.Forexample:(JadeOS) #show user-table Auth User Table Entries ----------------------- Flags: O - Post-auth, E - Pre-auth, W - Web-auth, P - RADIUS proxy, C - Accounting, m - Pre-MAC-auth, M - Post-MAC-auth, R - L3 roaming, o - Open, w - WEP, c - CCMP, t - TKIP, a - WPA, n - RSN, x - 802.1X, L - Station leave No. IP-addr MAC-addr Type Flags Age(d:h:m) User-name --- ------- -------- ---- ----- ---------- --------- (JadeOS) #show user-table (JadeOS) #show datapath user table Datapath User Table Entries --------------------------- Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
70JadeOSUserManual N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable, S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user IP MAC ACLs Contract Location Sessions Flags --------------- ----------------- ------- --------- -------- --------- ----- (JadeOS) #show datapath user coun (JadeOS) #show datapath user counters Datapath User Table Count is: 0
71JadeOSUserManual
72JadeOSUserManualChapter10 WLANManagementJadeOSprovidessolutionsofwirelesscontrollerandFITAP.Wirelesscontrolleruniformlyconfigure,manageandmaintainalargequantityofAPs,whichgreatlyreducesthemaintenanceofwirelessnetwork.JadeOSsupportsAPwithoutconfiguration,whichisconvenienttoexpandFITAPandwirelessnetwork.JadeOSalsosupportscentralizedauthentication,whichisconvenienttouniformlyaccessandauthenticate.Atthesametime,itisbettertodothefunctionofwirelessroaming,RFmanagementandloadbalanceofAPaccessforAPcentralizedmanage‐ment.WiththestandardCAPWAPprotocol,ACmanagesandcontrolsAPthroughCAPWAPcontrolchannel;thedataforwardingbetweenAPandACisthroughCAPWAPdatachannel.ForCAPWAPistransferredbasedonLayer‐3network,itsupportsflexiblenetworkdeploymentinmultinetwork;withthestandardprotocol,itraisesthepos‐sibilityofinterconnectionbetweendifferentproductsfromdifferentmanufacturers.ForwardingmodesupportsACcentralizedforwardingandAPlocalforwarding.Au‐thenticationmodesupportsACcentralizedauthenticationandAPlocalauthentica‐tion.10.1WirelessNetworkArchitecture10.1.1CAPWAPDescriptionControlandprovisioningofwirelessaccesspoints(CAPWAP)protocolisbelongingtoIETF.ItrulestheinterconnectionbetweenWTPandAC,whichachievethemanage‐mentanddataforwardingforalltheWTPscontrolledbyAC.NowCAPWAPisclassi‐fiedintotwotypes:• CAPWAPcontrolchannel• CAPWAPdatachannel10.1.2CAPWAPControlChannelCAPWAPcontrolchannelisclassifiedintotwotypes:Staticdiscovery:specifytheIPaddressofACinAPDynamicdiscovery:configurebroadcastdiscovery,DHCPdiscoveryandDNSdiscov‐eryandsooninAPMore,APwillactivelyrequireupdateversionandconfiguration,whichreducethe
73JadeOSUserManualmaintenance.10.1.3CAPWAPDataChannelAfterconfigurationrequestbyAP,ACwillconsultwithAPtoenabledatachannel.Incentralizedforwardingmode,up‐linkmessagewillbeencapsulatedwithCAPWAPinAP,decapsulatedinAC,andthenforwarding;down‐linkmessagewillbeencapsu‐latedwithCAPWAPinAC,andthenarriveAPthroughCAPWAPtunnel;thedown‐linkmessagewillbedecapsulatedinAP,andthenarriveuserterminalsthrough802.11protocols.10.1.4MirrorUpgradeandConfigurationManagementAPwillautomaticallycheckforversionupgrade.YoujustneedtoconfigureinACforconfigurationmanagement,noneedtoconfigurealargequantityofAPs.Thecon‐figurationwillbeineffectivewhenACreceivesAPrequest.Theconfigurationcom‐mandisasbelow:copy ap-image primary-image ftp 192.168.50.222 admin AmOS-1.4.1.2 41724 WIA3200-10 A1 AmOS-1.4.1.2 10.1.5ForwardingModeJadeOSachieveACcentralizedforwardingandAPlocalforwardinginCAPWAPstan‐dard.Youcanspecifytheforwardingmodethroughconfiguration.10.1.6AuthenticationModeJadeOSachieveAPcentralizedauthenticationandAPlocalauthentication.EachSSIDcanspecifyaVLAN,andthenlookforAAAprofileaccordingtoVLAN;pleaserefertochapter9.3formoreinformation.10.1.7STATIONManagementTheauthenticationofStationwillbehandledinAC.ACwillrecordtheauthenticationprocessofAPandtheinformationconnectedAP,whichisthebasisofchoosingCAPWAPdatachannelandroaming.Stationmanagementincludes802.11manage‐ment,STAinformationinquiry,logbackupandrecovery.10.2ForwardingModeForwardingmodeisclassifiedinto802.11tunnelcentralizedforwarding,802.3tunnel
74JadeOSUserManualcentralizedforwarding,ACauthenticationlocalforwardingandlocalauthenticationlocalforwarding.10.3ConfiguringPowerYoucanconfiguretoautomaticallychoosethepowerofAPandstationinAC,theconfiguringcommandisasfollows:transmit-power 0 ConfiguringRadioFrequencyYoucanmanuallyconfigureradiofrequencyofAP,atthesametime,APcankeeptheoriginalradiofrequencyinformationwhenAPonlineagainafterAPofflinenormally.Forexample: (JadeOS) (config)#radio dot11g-profile default (JadeOS) (802.11g radio Profile "default")#channel 149 ConfiguringRadioPower• JadeOSsupportsmanuallypowerregulation.Forexample(JadeOS) (config)#radio dot11a-profile default (JadeOS) (802.11a radio Profile "default")#transmit-power 10 (JadeOS) (802.11a radio Profile "default")#transmit-power 20 • JadeOSsupportsautomaticallypowerregulation.(JadeOS) (802.11a radio Profile "default")#transmit-power 0 10.4ConfiguringRadioYoucanautomaticallychoosetheworkingchannelofAPandstation.Forexample:channel 0 10.5DTLSandCADatagramTransportLayerSecurity(DTLS)isbasedonthestandardIETFprotocolinTLS.CAPWAPcontrolmessageandpartofCAPWAPdatamessageareusingDTLSencryptionmechanismofUDPlayer.Theconfigurationcommandisasfollows:dtls ImportCA
75JadeOSUserManualImportCAinserverintoAC,whichmeanstransferringtheCAformatintoanotherformatthatcanberecognizedbyDTLScontrolchannelandremovethepassword.Forexample: (JadeOS) #copy ftp 1.2.3.4 user cert_file flash sc-file-1 (JadeOS) #Cert import pem serverCert sc-1 sc-file-1 10.6SpecialSSIDandSSIDControlInEDUmode,inordertoavoidAPdisablesalltheSSIDswhenAPdisconnectswithAC,ACwillspecifyaspecialSSIDwhenAPconnectswithAC;whenCAPWAPisdis‐connected,APwillenablethisSSIDtoensurethenormalservice.Theconfiguringcommandisasfollows:(JadeOS) (config)#wlan ssid-profile SSID (JadeOS) (SSID Profile "SSID")#special-ssid TimingShutdownTimingshutdownsupportsthefollowingfunctions:¾ SupportACtimingshutdownthefunctionofradiofrequencyinspecifiedAP¾ SupportACtimingshutdownthespecifiedfunctionsofSSIDTheconfiguringcommand:time-range default Example: (JadeOS) (config)#time-range-profile default (JadeOS) (Time Range Profile "default")#range weekday 17:00 18:00 (JadeOS) (Time Range Profile "default")#range weekend 17:00 18:00 (JadeOS) (Time Range Profile "default")#range daily 17:00 18:00 (JadeOS) (Time Range Profile "default")#exit (JadeOS) (config)#wlan vap default (JadeOS) (Virtual AP Profile "default")#time-range default (JadeOS) (Virtual AP Profile "default")#exit (JadeOS) (config)#radio dot11a-profile default (JadeOS) (802.11a radio Profile "default")#time-range default (JadeOS) (802.11a radio Profile "default")#exit Note: Shutdown the frequency will make the whole radio disable; shutdown SSID just disable one SSID in radio.
76JadeOSUserManual10.7ACLUseraccessismainlytoissueACLbasedonSSID,MAC,flowthreshold,bandwidthcontrol.ACLisimportantinbuildingsecurenetwork,andmainlysupportsthefol‐lowingfunctions:¾ ACLbasedonMACaddressConfigureACLbasedonMACaddressinAC,whichachievetheblack‐listandwhite‐listbasedonMACaddress.Forexample:Addmac11:22:33:44:55:6intoblack‐list:(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type deny (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66 Addmac11:22:33:44:55:6intowhite‐list:(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type accept (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66 ¾ Supporttodisconnectnetworkautomaticallybasedonidletrafficmonitor;youcanconfiguretimeandthedefaultvalueis300s.theconfiguringcommandisasfollows:idle-timeout <300-15300> ¾ SupportACLbasedontrafficthresholdandthedefaultvalueis1KB:idle-threshold <0-1048576> ConfiguringACLConfiguringACLbasedonIPaddressinACachievesuseraccesscontrol.ConfiguringdifferentAClsinACcancontroldifferentuseraccess,forexample:youcanmakeuserinthespecifiedIPsegmentaccessthespecifiednetworksegment.ForACLbasedonIPaddressisaccordingtoSSID,youcanconfiguredifferentACLsindifferentSSID. FunctionssupportedbyACL:¾ MatchsourceIPaddressandnetworksegment¾ MatchdestinationIPaddressandnetworksegment¾ MatchspecifiedIPprotocolandrange¾ MatchsourceportanddestinationportofUDP/TCPprotocol¾ Supporttheoperationof‘permit’and‘deny’accordingtotheaboverules Configurationcommand:anyanyanydeny/permit
77JadeOSUserManualForexample:(JadeOS) (config)#ip access-list session acl1 (JadeOS) (config-sess-acl1)#host 1.1.1.1 any tcp 1 100 deny (JadeOS) (config-sess-acl1)#exit (JadeOS) (config)#user-role role1 (JadeOS) (config-role)#access-list session acl1 (JadeOS) (config-role)#exit (JadeOS) (config)#aaa profile aaa1 (JadeOS) (AAA profile "aaa1")#initial-role role1 (JadeOS) (AAA profile "aaa1")#exit (JadeOS) (config)#wlan virtual-ap default (JadeOS) (Virtual AP Profile "default")#aaa-profile aaa1 (JadeOS) (Virtual AP Profile "default")#exit 10.8AuthenticationExemptionForthespecialuserthataccountingexemptionsuchasadministratorandsoon,JadeOSsupportsauthenticationexemption,forexample:Step1ConfigureAAAprofile,disableradius‐accounting(JadeOS) (config)#aaa profile a1 (JadeOS) (AAA profile "a1")#no radius-accounting enable (JadeOS) (AAA profile "a1")#exit Step2ApplyAAAprofiletotheVLAN (JadeOS) (config)#vlan 10 aaa profile a1 10.9Anti‐fakeandRogueAPdetectAnti‐fakeToenableanti‐fakefunction,usethefollowingcommand:validate-sta-enable Todisable anti‐fakefunction,usethefollowingcommand:no validate-sta-enable RogueAPDetectACwillconfiguredetectruleaccordingtothemessagesentbyAP,thatistomakeadetectpolicyforrogueequipment;thenACwillclassifytheAPsaccordingtothede‐tectrule.
78JadeOSUserManualForexample:(JadeOS) (config)#wids ap-classification-rule (JadeOS) (IDS AP Classification Rule )# enable (JadeOS) (IDS AP Classification Rule )# ssid test encription open (JadeOS) (IDS AP Classification Rule )# ap-oui 11:22:33 Note:Todisplayrogueap,useshowrogue‐apcommand.10.10Anti‐DoSThefunctionofWLANDosistopreventDoSattack.Forexample:(JadeOS) (config)#wids dos-profile default (JadeOS) (IDS DOS-Profile "default")#dos-prevention (JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-interval 10 (JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-limit 100 TodisplaytheattackinalltheAps,useshowwlandoscommand.TodisplaytheattackinspecifiedMAC,useshowwlandosap<ap_ip>command.
79JadeOSUserManualChapter11 WEBUI11.1WEBUIDescriptionJadeOSsupportsWEBUIconfiguration.11.2WEBUILoginStep1OpenIEbrowserandinputIPaddress,thenJadeOSwillpopupthefollowingdialogbox:Figure12‐1LoginDialogBoxStep2Inputuseraccount‘admin’andpassword‘admins’andclickLoginbutton,thenJadeOSwillredirecttothefollowingloginpage:Figure12‐2webUIpage
80JadeOSUserManualChapter12 ConfiguringSNMP12.1ConfiguringSNMPSimpleNetworkManagementProtocol(SNMP)isanInternet‐standardprotocolformanagingdevicesonIPnetworks.Itisusedmostlyinnetworkmanagementsystemstomonitornetwork‐attacheddevicesforconditionsthatwarrantadministrativeat‐tention.JadeOSsupportversions1,2c,and3ofSNMP.YoucanconfigureSNMPusingthefollowingcommands:snmp-server community rw|ro <WORD> snmp-server traphost <IP> <WORD> {udp-port portno} Parameter Description WORD Name of Community udp‐portportno (optional) port number, default value: 162 IP IP address Table13‐1BasicParametersofSNMPForexample: (JadeOS)#configure terminal (JadeOS)(config)#snmp-server community ro ww 1.1.1.1
81JadeOSUserManualChapter13 MaintanenceandDiagnosis13.1LogSystemLogsystemisusedtorecordsystemrunningstatus,whichcanbesavedinlocalorremotelogserver.Logisclassifiedto8levelsfromemergtodebug,andthedefaultleveliserror.Tosetloglevel,usethefollowingcommandinconfigmode:logging level <level> <all|category> [process app] logging <IP> [severity level] [type category] Note:loglevel:emerg,alert,crit,err,warning,notice,info,debug.Tosetthelogsizeinlocalserver,usethecommandinconfigmode:log size <100-102400> (unit:KB) Torecoverytheloglevelinlocaltothedefault,usethecommandinconfigmode:no logging level <level> <all|category> [process app] no logging <IP> [severity level] [type category] Forexample:(JadeOS)(config)#logging level err all (JadeOS)(config)#logging 192.168.16.84 (JadeOS)(config)#log size 102400 (JadeOS)(config)#end Toinquirythelocallog,usethecommandinenablemode:show log <all|category [app]> [line] (JadeOS) #show log all 13.2SystemManagementJadeOSisaunifiedmulti‐levelscalabletechnology.Itusestheactive‐standbymodeincontrolplaneandactive‐activemodeindataplanetoachievethehighperformanceandhighavailability.Thedistributedarchitecturehasbeenextendedtomeetre‐quirementsofhighperformanceequipment.Youcanhaveageneralviewforthesystemmanagementandtelecommunicationsamongallmodulesinfigure14‐1.
82JadeOSUserManualFigure14‐1  ModulesDiagramfortheSystemManagementWhensystempoweringup,a“master”systemmanagerwillbeelectedamongalllinecardsexistinginthechassistocontrolthewholeequipment.Theshelfmanagercon‐trolboardsends/receivesmessagesfromthecardsandmodulesoverI2Cbus.Theelected“master”systemmanageronthelinecardgetinformationfromtheshelfmanagercontrolboardacrosstheswitchboardbyTCP/IPtocontrolandmonitorthewholesystem.InformationInquireTorestartthesystemwhenJadeOSisintrouble,usethefollowingcommand:reload ToinquirethesysteminformationsuchasJadeOSversion,gatewayuptime,andsoon,usethefollowingcommand:show version Toinquirechassiscomponentsstatussuchaspowermoduleconnectionstatus,fanspeed,linecardtemperatureandsoon,usethefollowingcommand:show inventory Toinquirethefactorydefaultinformationaboutchassis,usethefollowingcommand:show chassis_info Toinquiretheenvironmenttemperatureaboutthechassis,usethefollowingcom‐mand:show temperature chassis
83JadeOSUserManualToinquiretheCPUusagepercentage,usethefollowingcommand:show cpuload ToinquiretheCPUmemoryusageinformation,usethefollowingcommand:show memory Toinquiresystemlog,usethefollowingcommand:show log all Toinquiretheprocessstatus,usethefollowingcommand:show process monitor statistics AlarmThehardwarerunningstatusonJadeOScanbemonitoredandreportedtosystemmanager.Iftheworkingstateoneachcardormodule,forexampletemperature,isbeyondthethreshold,thealarmswillariseandtheLEDsonthecardormodulewillturnon.Thethresholdscanbesetmanuallyusingthefollowingcommand:alarmthresholdNOTE:ThealarmLEDonSADcardwillnotturnoffautomaticallywhenthealarmisrelieveduntilyouclearthealarmmanually.ToclearthealarmLEDonSADcard,usethefollowingcommandonthemasterlinecard:turn-off-led 13.3SnifferToolJadeOSprovidesthesniffertoolsfornetworkdiagnosis;itcancapturethedatapacketinnetworkinterfaceandfilterbasedoninterface,IPaddressandtcp/udpportnumber.Theoperationstepsareasfollowing:Step1Configurefilterconditions,andspecifythecapturetrafficis10Minmaximum.(JadeOS) #packet capture interface gigaethernet 1/0 datatype all maxsize 10 Step2Startcapture(JadeOS) #packet capture start Step3Stopcapture(JadeOS) #packet capture stop Step4Displaythepacketcapture(JadeOS) # show packet capture
84JadeOSUserManualAbbrviationsAACAlternatingCurrentACCAutomaticCurrentControlACLAccessControlListASAutonomousSystemATCAAdvancedTelecomComputingArchitectureAPAccessPointBBCMCBroadcastandMulticastCCAPWAPControlAndProvisioningofWirelessAccessPointsCDPCiscoDiscoveryProtocolCECommunicationEdgeCLICommandLineInterfaceDDESDataEncryptionStandardDHCPDynamicHostConfigurationProtocolDNSDomainNameServerDOSDisk Operating SystemEEAPEnterpriseApplicationPlatformEAPOLExtensibleAuthenticationProtocolECNEngineeringChangeNoticeFFRUFieldReplaceableUnitFTPFileTransferProtocolGGREGenericRoutingEncapsulationGMTGreenwichMeanTimeIIDSIntrusionDetectionSystemIDPSIntrusionDetectionandPreventionSystem
85JadeOSUserManualIETFInternetEngineeringTaskForceIGPInteriorGatewayProtocolIPInternetProtocolIPMBIntelligentPlatformManagementBusIPMCIntelligentPlatformManagementControllerIPMIIntelligentPlatformManagementInterfaceIPSIntrusionPreventionSystemLLACPLinkAggregationControlProtocolLAGLinkAggregationGroupLDAPLightweightDirectoryAccessProtocolLEDLightEmittingDiodeMMACMulti‐AccessComputerMLVDSMultipointLow‐VoltageDifferentialSignalingNNATNetworkAddressTranslationNTPNetworkTimeProtocolOOSPFOpenShortestPathFirstPPCBPrintedCircuitBoardPEMPowerEntryModulePPCPVSTPerVlanSpanningTreeOOSOperationSoftwareOSPFOpenShortestPathFirstOUIOrganizationallyuniqueidentifierQQOS QualityOfServiceRRAMRandomAccessMemory
86JadeOSUserManualRFCRequestForCommentsRSTPRapidSpanningTreeProtocolRTCRealTimeClockRTMRearTransmissionModuleSSADShelfAlarmDisplaySAPShelfAlarmPanelSHASecureHashAlgorithmSNMPSimpleNetworkManagementProtocolSSIDServiceSetIdentifierSSLSecureSocketsLayerSSHSecureShellSTPSpanningTreeProtocolTTCATelecommunicationsComputingArchitectureTCP/IPTransmissionControlProtocol/InternetProtocolTFTPTrivialFileTransferProtocolTKIPTemporalKeyIntegrityProtocolUUDPUserDatagramProtocolVVCCIVoluntaryControlCouncilforInterferenceVLANVirtualLocalAreaNetworkVPNVirtualPrivateNetworkVRIDVirtualRouterIDVRRPVirtualRouterRedundancyProtocolVTPVirtualTrunkProtocolWWEPWiredEquivalentPrivacyWPAWi‐FiProtectedAccess

Navigation menu