SKSpruce Technologies SAC700 Smart Access Control User Manual JadeOS 1 x
Users Manual Part Two
JadeOS User Manual
SK-A2960-18203
Copyright © 2013 Skspruce, Inc. All rights reserved.
No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without prior, express and written permission from Skspruce, Inc.
Skspruce, Inc. reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of Skspruce, Inc. to provide notification of such revision or changes.
Skspruce, Inc. provides this documentation without warranty of any kind, implied or expressed, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Skspruce may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:
United States Government Legend: All technical data and computer software is commercial in nature and developed solely at private expense. Software is delivered as Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as a commercial item as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in Skspruce's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.
Skspruce, the Skspruce logo are registered trademarks or trademarks of Skspruce, Inc. and its subsidiaries. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Any rights not expressly granted herein are firmly reserved.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
The user manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. In cases where the manual is provided only in a form other than paper, such as on a computer disk or over the Internet, the information required by this section may be included in the manual in that alternative form, provided the user can reasonably be expected to have the capability to access information in that form.
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
-- Reorient or relocate the receiving antenna.
-- Increase the separation between the equipment and receiver.
-- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
-- Consult the dealer or an experienced radio/TV technician for help.
FCC Caution:
Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
The manufacturer is not responsible for any radio or TV interference caused by unauthorized modifications to this equipment.
Important Notice on Product Safety
Elevated voltages are inevitably present at specific points in this electrical equipment. Some of the parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal injury or in property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
All equipment connected has to comply with the applicable safety standards.
Statement of compliance
CE statement
The CE conformity declaration for the products is fulfilled when the system is built and cabled in line with the information given in the manual. Deviations from the specifications or independent modifications to the layout, such as use of cable types with lower screening values for example, can lead to violation of the CE protection requirements. In such cases the conformity declaration is invalidated. The responsibility for any problems which subsequently arise rests with the party responsible for deviating from the installation specifications.
VCCI statement
This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
Content
Content .... 1
Chapter 1 Preface .... 1
1.1 Intended Audience .... 1
1.2 Structure of this Document .... 1
1.3 Symbols and Conventions .... 1
1.3.1 Symbols Used .... 2
1.3.2 Conventions Used .... 2
1.4 History of Changes .... 2
Chapter 2 System Overview .... 3
2.1 System Introduction .... 3
2.2 Functions .... 3
2.3 Feature Highlights .... 5
2.4 Application .... 5
Chapter 3 CLI and System Management .... 7
3.1 CLI Access .... 7
3.1.1 CLI Access via the Local Console .... 7
3.1.2 CLI Access via a Remote Console .... 8
3.2 CLI Features .... 8
3.2.1 Command Mode .... 9
3.2.2 Command Help .... 9
3.2.3 Command Completion .... 10
3.2.4 Deleting Configuration Settings .... 11
3.2.5 Profile Command .... 11
3.3 Configuring the Management Port .... 11
3.3.1 Configuring IP .... 11
3.3.2 Configuring Routing .... 11
3.4 Configuring Management .... 12
3.4.1 Inquire Configuration .... 12
3.4.2 Saving Configuration Changes .... 12
3.4.3 Reset JadeOS .... 12
3.4.4 Files Import/Export .... 12
3.5 System Update .... 13
3.6 File Operations .... 14
3.6.1 Basic Operations .... 14
3.6.2 Files Transfer by FTP and TFTP Command .... 14
3.6.3 JadeOS Image Files Transfer .... 15
3.6.5 Log Files Storage .... 15
3.7 User Management .... 15
3.8 Configuring System Settings .... 16
3.8.1 Setting Hostname .... 16
3.8.2 Setting Country Code .... 16
3.8.3 Setting Administrator Password .... 16
3.8.4 Setting System Clock .... 16
3.8.5 Clock Synchronization .... 17
3.8.6 Configuring NTP Authentication .... 17
3.9 Ping and Traceroute .... 18
3.10 License Management .... 18
Chapter 4 Interface Configuration .... 19
4.1 Naming Ethernet Port .... 19
4.2 Configuring VLAN .... 19
4.2.1 Creating VLAN .... 19
4.3 Adding Ethernet Port into VLAN .... 20
4.4 Configuring VLAN Interface .... 21
4.5 Configuring Port Channel .... 21
4.6 Configuring QinQ .... 23
4.6.1 Configuring QinQ .... 23
4.7 Inquiring Interface Status and Statistics .... 24
Chapter 5 Layer-2 Network Service .... 26
5.1 Bridge Forwarding .... 26
5.1.1 Bridge Description .... 26
5.1.2 Configuring Bridge .... 26
5.1.3 Dynamic Table .... 26
5.1.4 Bridge Aging .... 27
5.1.5 Static Table .... 27
5.2 Port Mirror .... 27
Chapter 6 Layer-3 Network Service .... 28
6.1 Configuring IP Address .... 28
6.1.1 Configuring IP Address .... 28
6.1.2 Configuring Loopback .... 28
6.2 Configuring Static Routing Table .... 28
6.2.1 Configuring Static Routing .... 28
6.2.2 Inquiring Routing Table .... 28
6.3 Configuring ARP .... 29
6.3.1 Configuring Static ARP Table .... 29
6.3.2 Inquiring ARP Table .... 29
6.3.3 Configuring ARP Proxy .... 30
6.4 Configuring MTU and TCP MSS .... 30
6.5 Configuring GRE Tunnel .... 31
6.6 Configuring DHCP .... 31
6.6.1 Configuring DHCP Server .... 32
6.6.2 Inquiring DHCP Server Status .... 32
6.6.3 Configuring DHCP Relay .... 34
6.6.4 DHCP Snooping .... 35
6.6.5 ARP With DHCP .... 36
6.7 Configuring OSPF .... 37
6.7.1 OSPF Implementation .... 37
6.7.2 Enabling OSPF .... 37
6.7.3 Configuring OSPF Interface Parameters .... 38
6.7.4 Configuring OSPF Area .... 39
6.7.5 Configuring OSPF Network Type .... 40
6.7.6 OSPF Point-to-point Configuration Example .... 40
6.8 Configuring IPv6 .... 42
6.8.1 Address Configuration .... 42
6.8.2 Routing Configuration .... 42
6.8.3 Ping6 .... 43
Chapter 7 Network Security .... 44
7.1 Access Control List (ACL) .... 44
7.1.1 Standard ACL .... 44
7.1.2 Extended ACL .... 44
7.1.3 Session ACL .... 45
7.2 Session .... 45
7.3 Configuring NAT .... 46
7.3.1 Configuring SNAT .... 47
7.3.2 Configuring DNAT .... 48
7.4 Configuring DoS Anti-attack .... 49
7.4.1 System Pre-defined Configuration .... 49
7.4.2 Configuring Anti-attack .... 49
7.5 Configuring Lawful Intercept .... 50
Chapter 8 Configuring HQoS .... 52
8.1 Configuring Rate Limitation on Port .... 52
8.2 Configuring Rate Limitation on VLAN .... 52
8.3 Configuring Rate Limitation on User .... 52
Chapter 9 Configuring AAA .... 54
9.1 The Attribute of Trust and Untrust .... 54
9.2 User and User Role .... 54
9.2.1 User .... 54
9.2.2 User Role and ACL .... 55
9.2.3 Access Policy Based on User Role .... 55
9.3 Connections among User, VLAN and User Role .... 56
9.4 Configuring AAA Profile .... 56
9.4.1 Configuring ACL .... 57
9.4.2 Configuring Role .... 57
9.4.3 Configuring Radius Server Group .... 57
9.4.4 Configuring Authentication Way .... 58
9.4.5 Configuring AAA Profile .... 58
9.4.6 Binding VLAN .... 59
9.5 MAC Authentication .... 59
9.6 802.1X Authentication .... 60
9.7 WEB Portal Authentication .... 61
9.7.1 Web Authentication Process .... 61
9.7.2 DNAT Redirect .... 61
9.7.3 HTTP 302 Redirect .... 61
9.7.4 Configuring Portal Server .... 62
9.7.5 Configuring CoA Disconnect Message .... 62
9.7.6 Configuring Captive-portal Authentication .... 63
9.7.7 Customize Logout Domain .... 63
9.7.8 Configuring White-list and Black-list .... 63
9.8 Radius Proxy .... 64
9.8.1 Configuring Radius Proxy .... 64
9.8.2 Configuring EAP-SIM .... 64
9.9 Rate Limit Based on User .... 66
9.10 User Accounting .... 66
9.11 Example of WEB-Portal Authentication .... 66
9.12 Trouble Shooting .... 69
Chapter 10 WLAN Management .... 72
10.1 Wireless Network Architecture .... 72
10.1.1 CAPWAP Description .... 72
10.1.2 CAPWAP Control Channel .... 72
10.1.3 CAPWAP Data Channel .... 73
10.1.4 Mirror Upgrade and Configuration Management .... 73
10.1.5 Forwarding Mode .... 73
10.1.6 Authentication Mode .... 73
10.1.7 STATION Management .... 73
10.2 Forwarding Mode .... 73
10.3 Configuring Power .... 74
10.4 Configuring Radio .... 74
10.5 DTLS and CA .... 74
10.6 Special SSID and SSID Control .... 75
10.7 ACL .... 76
10.8 Authentication Exemption .... 77
10.9 Anti-fake and Rogue AP Detect .... 77
10.10 Anti-DoS .... 78
Chapter 11 WEBUI .... 79
11.1 WEBUI Description .... 79
11.2 WEBUI Login .... 79
Chapter 12 Configuring SNMP .... 80
12.1 Configuring SNMP .... 80
Chapter 13 Maintenance and Diagnosis .... 81
13.1 Log System .... 81
13.2 System Management .... 81
13.3 Sniffer Tool .... 83
Abbreviations .... 84
JadeOS User Manual 1
Chapter 1 Preface
This preface describes the audience, structure, conventions and history of changes of the JadeOS User Manual. It also provides important safety information for JadeOS.
1.1 Intended Audience
This document is intended for experienced network administrators who need to configure and maintain the JadeOS Multi-Service Gateway.
1.2 Structure of this Document
Chapter | Title | Subject
Chapter 1 | Preface | This chapter provides an introduction to this document.
Chapter 2 | System Overview | This chapter gives a general introduction to the JadeOS functionality.
Chapter 3 | CLI and System Management | This chapter describes the CLI and system operations.
Chapter 4 | Interface Configuration | This chapter describes how to configure interfaces.
Chapter 5 | Layer-2 Network Service | This chapter describes how to configure Layer-2 network services.
Chapter 6 | Layer-3 Network Service | This chapter describes how to configure Layer-3 network services.
Chapter 7 | Network Security | This chapter describes the JadeOS network security functions and how to configure them.
Chapter 8 | Configuring HQoS | This chapter describes how to configure HQoS.
Chapter 9 | Configuring AAA | This chapter describes how to configure AAA.
Chapter 10 | WLAN Management | This chapter gives a general introduction to WLAN Management.
Chapter 11 | WEBUI | This chapter gives a general introduction to the WEBUI.
Chapter 12 | Configuring SNMP | This chapter describes how to configure SNMP.
Chapter 13 | Maintenance and Diagnosis | This chapter gives a general introduction to Maintenance and Diagnosis.
Table 1-1 Chapters in this Document
1.3 Symbols and Conventions
The following symbols and conventions are used in this document:
1.3.1 Symbols Used
CAUTION: Means that the reader should be careful. In this situation, you might do something that could result in equipment damage or loss of data.
WARNING: This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
1.3.2 Conventions Used
Representation | Meaning
Bold | CLI commands are in bold.
Italic | Level 2 titles are in italic.
Courier New | Terminal display is in Courier New. Example: # ping -t 10.10.10.1
Table 1-2 Conventions Used in this Document
1.4 History of Changes
Version | Issue date | Remarks
Draft | 2013.10.11 | Draft version
01 | 2013.11.15 | New functions added, upgraded to version 01
02 | 2013.11.30 | New functions added, upgraded to version 02
03 | 2014.01.15 | New functions added, upgraded to version 03
Table 1-3 History of Changes for this Document
Chapter 2 System Overview
2.1 System Introduction
SKG10000 Plus is carrier-grade gateway equipment that integrates routing, switching, WLAN controller and other functions.
Built on a multi-core, multi-threaded processor and designed to the telecom-grade ATCA standard, SKG10000 Plus offers powerful and extensible performance. With centralized management and configuration, it can be deployed in a large network with hundreds of gateways. At the same time, it operates around the clock with high availability and helps the service provider meet the challenges brought by the rapid growth of wireless services.
Based on its advanced and extensible software architecture, JadeOS:
- Adopts a distributed architecture with the data plane and control plane separated
- Provides WLAN solutions that are flexible, easy to manage and easy to deploy
- Manages large numbers of APs without per-AP configuration
- Strictly controls user Internet access and bandwidth policy through various access authentication methods
- Supports 700 users/s per line card
- Provides high-performance forwarding
- Supports multi-level redundancy backup at the system level, service module level, etc.
2.2 Functions
Layer-2
- Bridge Forwarding
- VLAN / Super VLAN
- QinQ
- Port Channel
Layer-3
- Route Forwarding
- Dynamic Routing Protocol (OSPF)
- NAT
- GRE / EtherIP Tunnel
- DHCP Server, DHCP Relay, DHCP Snooping
- Broadcast Suppression
- Virtual Router Redundancy Protocol (VRRP)
- Fragmentation and Reassembly
- IPv4 / IPv6
Security and AAA (Authentication, Authorization, Accounting)
- Access Control List (Interface / Standard / Session ACL)
- Role-Based User Policy
- Web Portal / 802.1X / PSK / MAC Authentication
- RADIUS Accounting
- RADIUS Proxy
- Black-list and white-list authentication
- DoS anti-attack
- Lawful Interception
QoS functionality
- Rate limit based on interface / user / SSID (HQoS)
WLAN Controller
- CAPWAP Control Tunnel and Data Tunnel
- AP Centralized Management and Configuration
- AP Discovery of the AC
  - Broadcast discovery mode
  - DNS discovery mode
  - DHCP discovery mode
- Local Forwarding, Centralized Forwarding
- Intelligent Radio / Frequency Management
- Certificate Management
- User Access Control
- L2 Roaming
- Station Anti-fake, WLAN Anti-DoS
- Performance Monitor and Data Statistics
Network Management
- Configuration based on CLI (supports console, SSH, Telnet)
- WebUI configuration
- SNMP v1, v2c
- System configuration, service module monitor
- Trap alarm
- Chassis management
- Troubleshooting
- Port Mirror, Sniffer
2.3 Feature Highlights
Extensible DHCP Server
The DHCP server handles 700 users per second per thread, which meets carrier-grade scenarios that require high performance and high availability.
- Scalable performance and throughput
  - Optimized database: by keeping lease information in a memory-resident database, the DHCP server offers fast response times for lease assignments and renewals.
  - Multi-threaded architecture: JadeOS uses a multi-threaded architecture to deliver consistent throughput.
  - Carrier-level large address pool: JadeOS supports up to 1,320,000 addresses per chassis.
Broadcast Suppression
JadeOS reduces the number of broadcast packets when a broadcast suppression policy is enabled:
- Broadcast suppression greatly reduces the number of broadcast messages.
- DHCP snooping suppresses DHCP broadcast packets.
- DHCP unicast reply: JadeOS sends the DHCP Offer and ACK as unicast messages instead of broadcasts, which effectively reduces broadcast flooding.
2.4 Application
JadeOS can be deployed in the core network or the access network to achieve centralized AP management and configuration. Figure 2-1 illustrates one of the application scenarios of JadeOS.
Figure 2-1 Application scenario of JadeOS
Chapter 3 CLI and System Management
JadeOS uses the Command Line Interface (CLI) for interaction between users and the operating system. Users can complete a range of system configuration and management functions through the CLI.
This chapter describes the CLI and system operations.
3.1 CLI Access
The console port on the equipment is an RJ45 interface located on the front panel of each line card. You can connect to the CLI via the local console, or via SSH/TELNET to obtain a remote console.
3.1.1 CLI Access via the Local Console
To connect to the CLI via the local console port, complete the following steps:
Step 1 Connect to the console port using the RJ45 cable and serial port cable.
Step 2 Configure your terminal emulation program (for example, SecureCRT) as shown in Figure 3-1:
Figure 3-1 Console port connection settings
Step 3 Enter the username and password:
(JadeOS)
User: admin
Password: admins.
The username and password shown here are the initial credentials the system ships with; change them before the system is reachable from a network (see 3.7 User Management and 3.8.3 Setting Administrator Password).
The prompt will be displayed as follows after logging in successfully:
(JadeOS) >
Step 4 Enter enable mode using the following command:
(JadeOS) > enable
Password: enable
When you are in enable mode, the > prompt changes to a pound sign (#):
(JadeOS) #
Step 5 Enter configuration mode using the following command:
(JadeOS) # configure terminal
When you are in configuration mode, 'config' appears before the # prompt:
(JadeOS) (config) #
3.1.2 CLI Access via a Remote Console
Users can access JadeOS remotely using TELNET from a TCP/IP network.
To access JadeOS via telnet, you need to enable telnet sessions using the telnet cli command.
To connect to the CLI using TELNET, complete the following steps:
Step 1 Verify that your terminal emulation program or DOS shell interface (for example, SecureCRT) is configured as shown in Figure 3-2:
Figure 3-2 Telnet connection settings
Step 2 Enter a valid username and password when prompted.
3.2 CLI Features
This section gives a general introduction to the CLI commands.
3.2.1 Command Mode
The CLI is divided into many different modes. The commands available to you at any given time depend on the mode that you are currently in. Entering a question mark (?) at the CLI prompt lists the commands available in the current command mode.
When you log in to the CLI, you are in user mode. User mode contains only a limited subset of commands.
To have access to all commands, you must enter enable mode, normally by supplying a password. From enable mode, you can issue any enable mode command.
You can enter global configuration mode by entering the configure terminal command. Configuration modes allow you to make changes to the running configuration. If you later save the running configuration to the startup configuration, these changed commands are preserved when the software is rebooted. To enter specific configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and a variety of other modes.
Table 3-1 describes how to access and exit various common command modes on JadeOS. It also shows examples of the prompts displayed for each mode.
| Command Mode | Access Method | Prompt | Exit Method |
| --- | --- | --- | --- |
| User Mode | Log in | (JadeOS)> | Use the exit command |
| Enable Mode | Enter enable and password | (JadeOS)# | To return to User Mode, use the exit command |
| Global Configuration Mode | Enter configure terminal | (JadeOS)(config)# | To return to Enable Mode from global configuration mode, use the exit command |
| Interface Configuration Mode | Specify an interface using the interface command | (JadeOS)(config-if)# | To return to global configuration mode, use the exit command |
Table 3-1 Command Modes on JadeOS
3.2.2 Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands available in your current mode or sub-mode. A brief explanation follows each command. For example:
(JadeOS) > ?
enable Turn on Privileged commands
exit Exit this session. Any unsaved changes are lost.
help Help on CLI command line processing and a
Description of the interactive help system
logout Exit this session. Any unsaved changes are lost.
ping Send ICMP echo packets to specified ip address.
traceroute Trace route to the specified ip address.
When typed at the end of a possible command or abbreviation, the question mark lists the commands that match (if any). For example:
(JadeOS) #a?
aaa Authentication commands
ap Instruct AP
ap-leds Control AP LED behavior (11n APs only)
ap-regroup Move AP into a group
ap-rename Change an AP's name
apboot Instruct AP to reboot itself
apconnect Instruct Mesh-Point to connect new parent
apdisconnect Instruct Mesh-Point to disconnect from its parent
apflash Instruct AP to reflash itself
If more than one item is shown, type more of the keyword characters to distinguish your choice.
However, if only one item is listed, the keyword or abbreviation is valid and you can press tab or the space bar to advance to the next keyword.
When typed in place of a parameter, the question mark lists the available options. For example:
(JadeOS) #write ?
erase erase configuration from NV memory
file Write to file
memory Write to NV memory
<cr>
3.2.3 Command Completion
To make command input easier, as you type you can press the space bar or tab to move to the next keyword. The system then attempts to expand the abbreviation for you. If there is only one command keyword that matches the abbreviation, it is filled in for you automatically. If the abbreviation is too vague (too few characters), the cursor does not advance and you must type more characters or use the help feature to list the matching commands.
3.2.4 Deleting Configuration Settings
Use the no command to delete or negate previously entered configurations or parameters. To view a list of no commands, type no at the enable or 'config' prompt followed by the question mark.
(JadeOS) (config) # no?
3.2.5 Profile Command
JadeOS uses Profiles to express some complex commands. JadeOS encapsulates a set of configurations in a Profile and then applies the Profile to other configured objects. This makes configuration more logical.
3.3 Configuring the Management Port
3.3.1 Configuring IP
The management port is used by the network administrator to operate the equipment remotely. To configure the management port, you need to configure its IP address first so that the equipment can be accessed remotely:
Step 1 Access management port mode:
interface mgmt <id>
Step 2 Configure the IP address:
ip address A.B.C.D/MASK-Length
| Parameter | Description |
| --- | --- |
| id | Range: 1-2 |
Table 3-2 Parameter description
Example as follows:
(JadeOS)(config)#interface mgmt 1
(JadeOS)(config)#ip address 192.168.1.254/24
3.3.2 Configuring Routing
You need to configure a static route to reach the remote administrator's local PC.
To configure the static routing table, use the following command in config mode:
ip route <dest-subnet> <gateway>
For example, we configure a route to the administrator subnet 192.168.0.0/24 through next hop 192.168.1.1:
(JadeOS)(config)#ip route 192.168.0.0/24 192.168.1.1
3.4 Configuring Management
3.4.1 Inquiring Configuration
To view the present configuration, use the command:
(JadeOS) # show running-config
3.4.2 Saving Configuration Changes
When you make configuration changes via the CLI, those changes affect the current running configuration only. If the changes are not saved, they will be lost after the SKG10000 Plus reboots. To save your configuration changes, use the following command in enable mode:
(JadeOS) # write memory
After performing the write memory command, two configuration files will be saved in the flash:
• startup-config: contains the startup configuration options
• running-config: contains the configuration options in effect while the system is running
3.4.3 Reset JadeOS
You can return JadeOS to its original configuration by resetting JadeOS to factory-default settings.
Step 1 Enter the write erase command. The prompt 'Do you really want to delete all the configuration (y/n):' will be displayed; after confirmation, 'Write Erase successful' is displayed.
(JadeOS) (config) #write erase
Do you really want to delete all the configuration(y/n):
Write Erase successful
Step 2 Reload JadeOS by entering the reload command. The prompt 'Do you really want to restart the system (y/n)' will be displayed. Enter 'y' and JadeOS will reboot.
(JadeOS) (config) #reload
Do you really want to restart the system(y/n): n
3.4.4 Files Import/Export
You can save configuration files within JadeOS and copy them to an external server.
copy startup-config flash: <filename>
copy startup-config tftp: <tftphost> <filename>
copy running-config flash: <filename>
copy running-config ftp: <ftphost> <user> <password> <filename> [<remote-dir>]
copy running-config startup-config
copy running-config tftp: <tftphost> <filename>
3.5 System Update
The system image file is stored in the CompactFlash (CF) card on each line card. Every time you start the system, the bootloader automatically loads the image into system RAM. The CF card is divided into two partitions, both of which contain system image files. At the factory default setting, the bootloader loads image files from partition 0. After a system update, JadeOS will automatically start from the partition which contains the updated image files. You can also specify manually which partition to start from. To update the system image file, complete the following steps:
Step 1 Input the username and password after connecting to JadeOS through SSH, telnet or the console.
Step 2 Enter global configuration mode by entering the command configure terminal.
Step 3 Enter interface configuration mode by entering the command interface mgmt.
Step 4 Set the mgmt interface IP address and make sure the TFTP or FTP server is reachable.
Step 5 Copy the image file to partition 0/1 on the CF card.
The system will reboot after the update completes.
Note: It is recommended that you update the system image files on the partition which the system is not running from, so that the current image files are not erased. For example, if the system is running from partition 0, update the system image files on partition 1.
To change the boot partition, use the following command in config mode:
(JadeOS) (config)#boot system partition 0
To view image information about the boot partitions, use the following command in enable mode:
(JadeOS) #show image version
----------------------------------
Partition : 0:0 (/dev/sda1)
Software Version : JadeOS 2.3.2.0
Built on : SMP Thu Dec 19 18:01:40 CST 2013
----------------------------------
Partition : 0:1 (/dev/sda2)
Software Version : JadeOS 2.2.6.0
Built on : SMP Mon Nov 18 14:58:24 CST 2013
3.6 File Operations
3.6.1 Basic Operations
JadeOS provides basic file operations such as dir, copy, rename, delete and so on. The commands are as follows:
List files:
(JadeOS) #dir
Copy files:
(JadeOS) #copy
flash: <srcfilename> {flash: <destfilename> | tftp: <tftphost>
<destfilename> | ftp:<ftphost> <user> <filename>} |
ftp: <ftphost> <user> <filename> {system: partition {0|1} |flash:
<filename> }|
running-config {flash: <filename> | ftp: <ftphost> <user> <password>
<filename> | tftp: <tftphost> <filename>} |
startup-config {flash: <filename> | tftp: <tftphost> <filename>} |
system: partition {<srcpartition> 0|1}|
tftp: <tftphost> <filename> {flash: <destfilename>}|
Rename files:
(JadeOS) #rename <old> <new>
Delete files:
(JadeOS) #delete filename <file>
3.6.2 File Transfer by FTP and TFTP Commands
You can transfer the following files between JadeOS and an external server or host:
• JadeOS image files
• A specified file in the JadeOS flash file system, or a compressed archive that contains the flash file
• Configuration file, either the running configuration or a startup configuration
• Log files
You can use the following protocols to transfer files between JadeOS and an external server or host:
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
| Server Type | Configuration |
| --- | --- |
| Trivial File Transfer Protocol (TFTP) | IP address of the server; Filename |
| File Transfer Protocol (FTP) | IP address of the server; Username and password to log into the server; Filename |
Table 3-3 Parameters of TFTP and FTP Configuration
3.6.3 JadeOS Image Files Transfer
You can copy JadeOS image files to JadeOS or equipment from a TFTP or FTP server. When you transfer a JadeOS image file to the equipment, you must specify the partition to which the file is copied. You have the option of rebooting JadeOS with the transferred image file.
copy tftp: <tftphost> <filename> system: partition {0|1}
copy ftp: <ftphost> <user> <filename> system: partition {0|1}
copy scp: <scphost> <username> <filename> system: partition [0|1]
3.6.5 Log Files Storage
You can save log files into a compressed archive and copy it to an external TFTP server.
tar logs
copy flash: logs.tar tftp: <tftphost> <destfilename>
copy flash: logs.tar scp: <scphost> <username> <destfilename>
3.7 User Management
To create users, you can use the command:
mgmt-user <user> <password>
For example, create a user account "test" with password "123456":
(JadeOS) (config)#mgmt-user test 123456
To inquire about the users logged in to the system, you can use the command:
(JadeOS) #who
vty[0] connected from 192.168.16.21
vty[1] connected from 192.168.16.22
vty[2] connected from 192.168.16.19
vty[3] connected from 192.168.16.19
3.8 Configuring System Settings
3.8.1 Setting Hostname
The factory default hostname is JadeOS. You can change the hostname using the following command:
hostname <hostname>
For example:
(JadeOS) (config) #hostname Gate
(Gate) (config) #
3.8.2 Setting Country Code
JadeOS is designed to manage access points located in many countries with different regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory. You can specify a particular country code for each country (such as FR for France or ES for Spain). Configuring a country code ensures that each radio's broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
When JadeOS starts for the first time, the system will prompt you to enter the country code of the country in which JadeOS is located, and you need to confirm the country code by entering 'yes'.
3.8.3 Setting Administrator Password
To log in to JadeOS, you must enter the administrator user account and password. The factory default user account is 'admin' and the password is "admins".
The prompt 'Enter password for admin login' will be displayed after you enter the administrator user account 'admin'. You can enter the password that you want to set and retype it to confirm. Apart from the administrator user, you can set up 9 users.
3.8.4 Setting System Clock
You can set the JadeOS system date and time manually using the configuration wizard when you start the JadeOS system for the first time. Greenwich Mean Time (GMT) is used as the standard for setting the time zone.
• Setting the System Clock Manually
To set the date and time, enter the following command in privileged mode:
clock set <year> <month> <date> <hour> <minutes> <seconds>
To set the time zone and daylight savings time adjustment, enter the following commands in configure mode:
clock timezone <WORD> <-23 - 23>
clock summer-time <zone> [recurring]
  <1-4> <start day> <start month> <hh:mm>
  first <start day> <start month> <hh:mm>
  last <start day> <start month> <hh:mm>
  <1-4> <end day> <end month> <hh:mm>
  first <end day> <end month> <hh:mm>
  last <end day> <end month> <hh:mm>
  [<-23 - 23>]
• Setting the System Clock with NTP
You can use NTP (Network Time Protocol) to synchronize JadeOS to a central time source.
3.8.5 Clock Synchronization
For each NTP server, you can optionally specify the NTP iburst mode for faster clock synchronization. The iburst mode sends up to ten queries within the first minute to the NTP server. (When iburst mode is not enabled, only one query is sent within the first minute to the NTP server.) After the first minute, the iburst mode typically has synchronized the clock, so that queries need to be sent only at intervals of 64 seconds or more.
You can add an NTP server using the following command:
ntp server <ipaddr> [iburst]
3.8.6 Configuring NTP Authentication
NTP authentication adds security to an NTP client by authenticating the server before synchronizing the local clock. NTP authentication works by using a symmetric key which is configured by the user. The secret key is shared by both JadeOS and the external NTP server. This helps distinguish legitimate servers from fraudulent servers.
This example enables NTP authentication, adds authentication secret keys to the database, and specifies a subset of keys which are trusted. It also enables the iburst option.
(JadeOS)(config)#ntp authenticate
(JadeOS)(config)#ntp authentication-key <key-id> md5 <key-secret>
(JadeOS)(config)#ntp trusted-key <key-id>
(JadeOS)(config)#ntp server <IP> iburst
Example of configuring NTP authentication:
(JadeOS)(config)#ntp authenticate
(JadeOS)(config)#ntp authentication-key 1 md5 123
(JadeOS)(config)#ntp trusted-key 1
(JadeOS)(config)#ntp server 1.1.1.1 iburst
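The following Python is an added illustration, not code from the JadeOS manual or software, of what the key, key id and trusted-key settings above do on the wire: RFC 5905 symmetric-key authentication appends to each NTP packet a 32-bit key id followed by MD5 over the secret concatenated with the packet. The key database, the trusted set and the 48-byte client packet are constructed to mirror the example (key 1 = "123"); key 2 is an assumed extra key that is configured but not trusted.

```python
import hashlib
import hmac
import struct

# Constructed key database mirroring the manual's example configuration:
# "ntp authentication-key 1 md5 123" and "ntp trusted-key 1". Key 2 is an
# assumed extra key that is configured but deliberately NOT trusted.
KEYS = {1: b"123", 2: b"another-secret"}
TRUSTED = {1}

NTP_HEADER_LEN = 48   # LI/VN/mode through the transmit timestamp
MAC_LEN = 4 + 16      # 32-bit key id + 128-bit MD5 digest (RFC 5905)


def build_client_request() -> bytes:
    """Constructed minimal NTPv4 client packet: LI=0, VN=4, mode=3, rest zero."""
    first = (0 << 6) | (4 << 3) | 3   # 0x23
    return bytes([first]) + b"\x00" * (NTP_HEADER_LEN - 1)


def ntp_md5_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """RFC 5905 MAC for MD5 keys: key id, then MD5(key || packet)."""
    digest = hashlib.md5(key + packet).digest()
    return struct.pack("!I", key_id) + digest


def sign_packet(key_id: int, packet: bytes) -> bytes:
    """What an NTP server holding key_id does before sending the reply."""
    return packet + ntp_md5_mac(key_id, KEYS[key_id], packet)


def verify_packet(message: bytes) -> bool:
    """What an authenticating client does: drop packets without a MAC,
    with an unknown or untrusted key id, or with a digest that does not match."""
    if len(message) < NTP_HEADER_LEN + MAC_LEN:
        return False   # no MAC present: rejected once "ntp authenticate" is on
    packet, mac = message[:-MAC_LEN], message[-MAC_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in KEYS or key_id not in TRUSTED:
        return False   # "ntp trusted-key" controls which configured keys may be used
    expected = hashlib.md5(KEYS[key_id] + packet).digest()
    return hmac.compare_digest(expected, mac[4:])   # constant-time comparison


def demo() -> dict:
    """Run the four cases a client sees and report the accept/reject decision."""
    packet = build_client_request()
    good = sign_packet(1, packet)
    tampered = bytearray(good)
    tampered[40] ^= 0x01          # flip one bit inside the transmit timestamp
    untrusted = sign_packet(2, packet)
    return {
        "good": verify_packet(good),
        "tampered": verify_packet(bytes(tampered)),
        "untrusted_key": verify_packet(untrusted),
        "unauthenticated": verify_packet(packet),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} accepted={accepted}")
```

The MAC proves only knowledge of the shared secret, so a short value like the "123" used above for illustration gives little protection; use a long random secret for production keys.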
3.9 Ping and Traceroute
The ping and traceroute commands help to diagnose network connection status.
Command format:
ping A.B.C.D
traceroute A.B.C.D
For example, use the ping command in enable mode to check whether there is a network connection to IP address '192.168.20.1':
(JadeOS) #ping 192.168.20.1
Sending..., 100-byte ICMP Echos to 192.168.20.1, press 'q' or ESC to exit:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.686/0.7134/0.808 ms
3.10 License Management
The license is mainly used to protect the lawful rights of authorized users. You can obtain the authorization by entering the License Activation Key.
Note: Please contact the vendor if you need to add APs after the license is in effect.
To add a license key, you can use the following command in config mode:
license add <key>
Note: The key is provided by the vendor, and its length is 192 characters.
After the license key is in effect, you can inquire the limit number of APs and stations with the following command:
show license limit
To display the license key, you can use the following command:
show license
Chapter 4 Interface Configuration
This chapter describes how to configure interfaces.
4.1 Naming Ethernet Ports
gigabitEthernet <word> is a GE port, and the format of the parameter 'word' is <slot/port>. 'slot' means the slot number and 'port' means the port number. Both start at 0, and the range depends on the real number of Ethernet ports.
For example, gigabitEthernet 1/0, gigabitEthernet 1/1 and gigabitEthernet 1/2 mean the first, second and third Ethernet ports of the first slot.
tengigabitethernet <word> is a 10G port, and the format of the parameter 'word' is the same as for a GE port.
To inquire the present slot number, use the show slot command:
(JadeOS) #show slot
Slot12
'Slot12' means the present slot number is 12.
4.2 Configuring VLAN
JadeOS operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a layer-2 switch, JadeOS requires a layer-3 router to route traffic between VLANs.
4.2.1 Creating VLAN
You can configure VLANs in vlan mode:
Step 1 Enter vlan mode by using the following command in config mode:
vlan database
Step 2 Create the VLAN:
vlan <id>
Note: Delete a VLAN by using the no vlan <id> command.
For example:
(JadeOS)(config)#vlan database
(JadeOS)(config-vlan)#vlan 2
(JadeOS)(config-vlan)#vlan 3 name "VLAN3"
(JadeOS)(config-vlan)#no vlan 2
| Command | Description |
| --- | --- |
| vlan 2 | Create vlan 2 |
| vlan 3 name "VLAN3" | Create vlan 3 and name it "VLAN3" |
| no vlan 2 | Delete vlan 2 |
Table 4-1 Command descriptions
4.3 Adding Ethernet Ports into VLANs
The Ethernet port can be set in access mode or trunk mode, and then added into a VLAN. The Ethernet port is in access mode by default. If it is set in trunk mode, the port can carry data with multiple VLAN tags.
The port channel can be set in access mode or trunk mode. By default, a port channel is in access mode and carries traffic only for the VLAN that is assigned. In trunk mode, a port channel can carry traffic for multiple VLANs.
• Configure Port in Access Mode
Step 1 Enter physical interface mode:
interface gigabitethernet <slot/port>
Step 2 Configure the layer-2 interface mode:
switchport mode access
Step 3 Add the port into the corresponding VLAN:
switchport access vlan <vlan-id>
For example, add gigabitethernet 1/2 into access VLAN 2:
(JadeOS)(config) #interface gigabitethernet 1/2
(JadeOS)(config-if)#switchport mode access
(JadeOS)(config-if)#switchport access vlan 2
• Configure Port in Trunk Mode
Step 1 Enter physical interface mode:
interface gigabitethernet 1/0
Step 2 Configure the layer-2 interface mode:
switchport mode trunk
Step 3 Specify the native VLAN ID and the allowed VLAN tags respectively:
switchport trunk native vlan <vlan-id>
switchport trunk allowed vlan add <vlan-id-list>
| Parameter | Description |
| --- | --- |
| vlan-id | Specify the native VLAN ID |
| vlan-id-list | Specify the allowed VLAN tags |
Table 4-2 Parameter descriptions
For example, set gigabitethernet 1/2 to trunk mode with native VLAN 4 and allowed VLANs 5-10, 11 and 12:
(JadeOS)(config) #interface gigabitethernet 1/2
(JadeOS)(config-if)#switchport mode trunk
(JadeOS)(config-if)#switchport trunk native vlan 4
(JadeOS)(config-if)#switchport trunk allowed vlan add 5-10,11,12
4.4 Configuring VLAN Interface
Command to configure a VLAN interface:
interface vlan <1-4094>
Note: You need to create the VLAN first before configuring the VLAN interface.
For example:
(JadeOS) (config)#interface vlan 2
(JadeOS) (config-if)#ip address 10.0.0.1/24
4.5 Configuring Port Channel
Link aggregation provides higher total bandwidth, auto-negotiation, and recovery by combining parallel network links between devices into a single link.
Port-Channels provide a mechanism for aggregating multiple physical Ethernet links into a single logical Ethernet link. Port-Channels are typically used to increase availability and bandwidth, while simplifying the network topology.
Step 1 Configure the port-channel in config mode:
interface port-channel <id>
Step 2 Add Ethernet ports into the aggregation group in port-channel interface mode:
add [gigabitethernet <slot>/<port> | tengigabitethernet <slot>/<port>]
Note: To delete one port, use the following command:
del [gigabitethernet <slot>/<port> | tengigabitethernet <slot>/<port>]
Step 3 Configure the balance arithmetic; currently active-standby and load-balance arithmetic are supported:
(JadeOS)(config-if)#balance arithmetic active-stanby
(JadeOS)(config-if)#balance arithmetic load-balance
Examples:
(JadeOS)(config)#interface port-channel 1
(JadeOS)(config-if)#add gigabitethernet 2/1
(JadeOS)(config-if)#balance arithmetic active-stanby
(JadeOS)(config-if)#balance arithmetic load-balance
Inquire the LAG by using the show interface port-channel <id> command:
(JadeOS)#show interface port-channel 2
Port-Channel 2 is administratively up
Hardware is Port-Channel, address is 04:8B:42:10:0D:0B (bia
04:8B:42:10:0D:0B)
Description: Link Aggregate (LACP)
Spanning Tree is disabled
VLAN membership: 190
Switchport priority: 0
Member port:
GE 4/3, Admin is up, line protocol is up
GE 4/4, Admin is up, line protocol is up
link status last changed 0 day 0 hr 16 min 46 sec
106198 packets input, 21374111 bytes
Received 124 broadcasts, 0 runts, 7483 giants, 0 throttles
11936475 input error bytes, 545 CRC, 0 frame
82048 multicast, 24026 unicast
14148 packets output, 432640 bytes
0 output errors bytes, 0 deferred
0 collisions, 0 late collisions, 0 throttles
Port-Channel 2 is TRUSTED
Delete the LAG by using the no interface port-channel <id> command:
(JadeOS)(config)# no interface port-channel 0
The port channel can be set in access mode or trunk mode. By default, a port channel is in access mode and carries traffic only for the VLAN that is assigned. In trunk mode, a port channel can carry traffic for multiple VLANs.
• Configure Port Channel in Access Mode
(JadeOS)(config)#interface port-channel 1
(JadeOS)(config-if)#switchport mode access
(JadeOS)(config-if)#switchport access vlan 2
• Configure Port Channel in Trunk Mode
(JadeOS)(config) #interface port-channel 2
(JadeOS)(config-if)#description Portchannel2
(JadeOS)(config-if)#switchport mode trunk
(JadeOS)(config-if)#switchport trunk native vlan 5
(JadeOS)(config-if)#switchport trunk allowed vlan 6-9,10
4.6 Configuring QinQ
4.6.1 Configuring QinQ
As defined in IEEE 802.1Q, the VLAN tag uses only 12 bits to indicate the VLAN ID, so equipment can support at most 4094 VLANs. Some scenarios, especially in metropolitan area networks, require a separate VLAN for each customer, so 4094 VLANs cannot meet the requirement. 802.1Q-in-Q (QinQ) expands the VLAN space by using a VLAN-in-VLAN hierarchy and tagging already tagged packets. At the same time, QinQ lets the service provider (SP) use one VLAN to carry an entire customer's VLANs. The SP provides different services for different customers by decapsulating the inner and outer VLAN tags of users' messages.
Configure QinQ by using the following commands:
Step 1 Create a QinQ sub-interface on a physical interface:
interface gigabitethernet/tengigabitethernet <slot>/<port>.<subif>
| Parameter | Description |
| --- | --- |
| slot | Slot number, range: 1-13 |
| port | Port number |
| subif | Sub-interface, range: 1-16760836 |
Table 4-3 Parameter description
For example, create QinQ sub-interface gigabitethernet 1/0.1 on Ethernet interface gigabitethernet 1/0:
interface gigabitethernet 1/0.1
Step 2 Specify the QinQ inner and outer tags:
encapsulation dot1q <outer-vlan-id> second-dot1q <vlan-id|[begin-end]>
| Parameter | Description |
| --- | --- |
| outer-vlan-id | Single tag number, range: 1-4094 |
| vlan-id\|[begin-end] | Single tag number, range: 1-4094; or a range, for example: 100-200 |
Table 4-4 Parameter description
For example, create a QinQ interface whose outer tag is 1000 and inner tag range is 100-200, and configure an IP address so that it acts as a layer-3 interface:
(JadeOS)(config)#interface gigabitethernet 10/0.1
(JadeOS)(config-subif)# encapsulation dot1q 1000 second-dot1q 100-200
(JadeOS)(config-subif)#ip address 1.1.1.1/32
The sub-interface can be used as a layer-3 routing sub-interface. You can configure an IP address and routing on it. The two QinQ tags are stripped when data is received, and two QinQ tags are added when data is sent.
You can configure different services (for example, different authentication policies or bandwidth control policies) for different inner tags when data is received on a QinQ sub-interface.
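As an added example (not from the manual or the JadeOS implementation), the Python below builds a double-tagged frame and applies the same match rule as the sub-interface configured above: outer tag 1000, inner tag within 100-200, both tags stripped on receive and pushed on send. The frame contents are constructed; the TPID values are the standard IEEE 802.1Q/802.1ad ones.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q C-tag, 802.1ad S-tag, legacy double tag.
TPIDS = {0x8100, 0x88A8, 0x9100}

# Constructed untagged frame: dst MAC, src MAC, EtherType IPv4, 4 dummy payload bytes.
UNTAGGED = bytes.fromhex("048b42120081" "048b4222056f" "0800" "deadbeef")


def push_qinq(frame: bytes, outer_vid: int, inner_vid: int,
              outer_tpid: int = 0x8100, inner_tpid: int = 0x8100) -> bytes:
    """Encapsulate an untagged frame with an outer (SP) tag and an inner (customer) tag,
    which is what the sub-interface does on transmit."""
    if not (1 <= outer_vid <= 4094 and 1 <= inner_vid <= 4094):
        raise ValueError("VLAN IDs must be in 1-4094")
    tags = struct.pack("!HHHH", outer_tpid, outer_vid, inner_tpid, inner_vid)
    return frame[:12] + tags + frame[12:]


def pop_tags(frame: bytes):
    """Strip every leading VLAN tag after the MAC addresses.
    Returns (list of VIDs, outer first; frame with all tags removed)."""
    vids = []
    offset = 12
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in TPIDS:
            break                      # reached the real EtherType
        vids.append(tci & 0x0FFF)      # low 12 bits carry the VLAN ID; PCP/DEI ignored
        offset += 4
    return vids, frame[:12] + frame[offset:]


def classify_qinq(frame: bytes, outer_vid: int, inner_range: tuple):
    """Emulate 'encapsulation dot1q <outer> second-dot1q <begin-end>' on receive.
    Returns (outer, inner, decapsulated frame) or None when the frame is not
    for this sub-interface (untagged, single-tagged, wrong outer, inner out of range)."""
    vids, untagged = pop_tags(frame)
    if len(vids) < 2:
        return None
    outer, inner = vids[0], vids[1]
    lo, hi = inner_range
    if outer != outer_vid or not (lo <= inner <= hi):
        return None
    return outer, inner, untagged


def demo():
    """Three constructed frames against the manual's example: outer 1000, inner 100-200."""
    cfg = (1000, (100, 200))
    in_range = push_qinq(UNTAGGED, 1000, 150)
    inner_out_of_range = push_qinq(UNTAGGED, 1000, 300)
    wrong_outer = push_qinq(UNTAGGED, 1001, 150)
    return (classify_qinq(in_range, *cfg),
            classify_qinq(inner_out_of_range, *cfg),
            classify_qinq(wrong_outer, *cfg))


if __name__ == "__main__":
    for label, result in zip(("1000/150", "1000/300", "1001/150"), demo()):
        print(label, "->", "matched" if result else "not for this sub-interface")
```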
4.7 Inquiring Interface Status and Statistics
To view interface information, use the show interface gigabitethernet <slot/port> command:
(JadeOS) #show interface gigabitethernet 12/0
Interface gigabitethernet 12/0
Hardware is Ethernet
Current HW addr: 04:8b:42:10:5c:00
Physical:04:8b:42:10:0c:18
index 23 metric 1 mtu 1500 duplex-half arp ageing timeout 300
tcp4mss disable tcp6mss disable
proxy_arp disable local_proxy_arp disable
(UP,BROADCAST,RUNNING,MULTICAST,TRUST)
VRF Binding: Not bound
inet 119.6.100.5/24 broadcast 119.6.100.255
inet6 fe80::68b:42ff:fe10:5c00/64
input packets 1779, bytes 117400, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 8, bytes 837, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
To view information about all interfaces, use the show ip interface brief command:
(JadeOS) #show ip interface brief
Interface IP-Address / IP-Netmask Status Protocol
loopback 0 unassigned / unassigned up down
Te 12/0 unassigned / unassigned up down
vlan 1 unassigned / unassigned up down
mgmt 1 192.168.20.95 / 255.255.255.0 up up
Gi 12/0 119.6.100.5 / 255.255.255.0 up up
Gi 12/2 172.50.3.1 / 255.255.255.0 up up
Gi 12/4 unassigned / unassigned down down
Gi 12/6 unassigned / unassigned down down
Gi 12/8 unassigned / unassigned up up
Gi 12/10 unassigned / unassigned down down
Gi 12/12 unassigned / unassigned down down
Gi 12/14 unassigned / unassigned down down
Gi 12/16 unassigned / unassigned down down
Gi 12/18 unassigned / unassigned down down
Chapter 5 Layer-2 Network Service
JadeOS provides layer-2 network services. This chapter describes bridge forwarding and port mirroring.
5.1 Bridge Forwarding
5.1.1 Bridge Description
A bridge is used for the interconnection of two or more Layer-2 networks and for data frame forwarding based on the MAC addresses of the Layer-2 network.
The bridge supports MAC address learning. The bridge creates a bridge table entry based on the source MAC address when a data frame from that MAC address first passes through the bridge. The bridge table is indexed by MAC address, and it records the physical interface connected to that host. Thereafter, when a data frame for the same MAC address arrives again, it is sent to that physical interface, so that broadcasting the message to all interfaces is avoided.
Bridge forwarding is based on the bridge table; each MAC address corresponds to one entry. A bridge table entry is automatically deleted if no data frame from the same MAC address passes through the bridge for a while. When a data frame arrives at the bridge again after that, the bridge learns the MAC address again.
Besides dynamic learning, the bridge table supports static configuration, which is called the static table.
5.1.2 Configuring Bridge
Bridge configuration consists of adding several physical interfaces to the same VLAN. Within the same VLAN, the interfaces form a bridge, and communication among those interfaces uses bridge forwarding.
Please refer to chapter 4.2 and chapter 4.3 for more information.
5.1.3 Dynamic Table
The dynamic table is generated by system learning. The system looks up the bridge table when receiving a message. If no bridge table entry is available, the system automatically generates a bridge table entry based on the source MAC address, VLAN ID, and the interface of the message.
To inquire the bridge table, use the show datapath bridge table command.
For example:
(JadeOS) #show datapath bridge table
Datapath Bridge Table Entries
-----------------------------
Flags: P - Permanent, D - Deny, M - Mobile, L - Local
MAC VLAN Assigned VLAN Destination Flags Aging-time
-------------- ---- ------------- --------- ----- -------
04:8B:42:12:00:81 5 5 Local PL
04:8B:42:12:0A:81 85 85 Local PL
04:8B:42:12:0A:A1 86 86 Local PL
04:8B:42:12:0A:C1 87 87 Local PL
04:8B:42:12:0A:E1 88 88 Local PL
5.1.4 Bridge Aging
The bridge aging time is 15 minutes by default. If there is no traffic for 15 minutes, the bridge table entry is aged out.
5.1.5 Static Table
Static bridge table entries do not age out.
To configure a static entry, use the following command in config mode:
mac-address-table static <mac address> [discard/forward] gigabitethernet <slot/port> vlan <vlan-id>
For example:
(JadeOS)(config)#mac-address-table static 04:8b:42:22:05:6f discard gigabitethernet 1/0 vlan 2
Note: To delete a bridge table entry, use the following command in config mode:
no mac-address-table static <mac address> <discard/forward> <gigabitethernet> <vlan>
5.2 Port Mirror
Mirror mode enables you to duplicate to another port all of the traffic originating from or terminating at a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode should be enabled only on an unused port, as any connections to this port become unresponsive.
You can configure port mirroring using the following commands:
(config)#interface {tengigabitethernet|gigabitethernet} <slot>/<port>
(config-if)#mirror interface vlan <VLAN ID> direction {both | receive | transmit}
Chapter 6 Layer-3 Network Service
JadeOS provides layer-3 network services. This chapter describes how to configure IP addresses, static routing, GRE tunnels, DHCP, OSPF, IPv6 and so on.
6.1 Configuring IP Address
6.1.1 Configuring IP Address
Use the following commands to assign a static IP address to a port on JadeOS:
interface gigabitethernet <slot>/<port>
no switchport
ip address <address><netmask>
6.1.2 Configuring Loopback
The loopback IP address is a logical IP interface that is used by JadeOS to communicate with APs. The loopback address is used as JadeOS's IP address for terminating VPN and GRE tunnels, originating requests to RADIUS servers, and accepting administrative communications. You configure the loopback address as a host address with a 32-bit netmask. The loopback address is not bound to any specific interface and is operational at all times. To use this interface, ensure that the IP address is reachable through one of the VLAN interfaces. It should be routable from all external networks.
To configure the loopback IP address, use the following commands:
interface loopback <id>
ip address <address><mask>
6.2 Configuring Static Routing Table
6.2.1 Configuring Static Routing
To configure static routing, use the following command:
ip route <subnet>/<prefix-length> <gateway>
For example:
(JadeOS) (config)#ip route 10.0.0.0/24 192.168.10.1
6.2.2 Inquiring Routing Table
To inquire the system routing table, including directly connected routes and statically configured routes, use the show ip route command.
(JadeOS) #show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter
area
* - candidate default
S 10.2.20.0/24 [1/0] via 192.168.20.1, mgmt 1
S 18.0.0.0/8 [1/0] via 192.168.20.1, mgmt 1
C 80.1.0.0/16 is directly connected, vlan 80
C 119.6.100.0/24 is directly connected, Gi 12/0
S 119.6.200.0/24 [1/0] via 119.6.100.1, Gi 12/0
C 172.50.3.0/24 is directly connected, Gi 12/2
S 192.168.0.0/16 [1/0] via 192.168.20.1, mgmt 1
C 192.168.20.0/24 is directly connected, mgmt 1
6.3 Configuring ARP
JadeOS supports configuring a static ARP table.
Address Resolution Protocol (ARP) is a TCP/IP protocol used for resolution of network layer IP addresses into link layer MAC addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982.
Besides the basic ARP function, JadeOS also supports local proxy ARP and DHCP authorized ARP. ARP cheating and attacks are effectively avoided by DHCP snooping, which enhances the security of public wireless LAN communication.
6.3.1 Configuring Static ARP Table
Dynamic ARP learning is enabled on JadeOS ports by default.
To add a static ARP entry, use the following command:
arp <ipaddr> <macaddr>
To delete an ARP cache entry, use the no arp command:
no arp <ipaddr> <macaddr>
For example:
(JadeOS) (config) #arp 10.1.2.23 00:19:87:0D:5C:2C
6.3.2 Inquiring ARP Table
To view the ARP table, use the show arp command:
(JadeOS) #show arp
Address HWaddress Interface Type
192.168.20.1 00:13:1A:A5:CC:80 mgmt 1 Dynamic
192.168.20.15 00:15:C5:F3:35:B2 mgmt 1 Dynamic
192.168.20.152 00:14:22:19:FC:C4 mgmt 1 Dynamic
119.6.100.1 C4:64:13:D1:9A:EA Gi 12/0 Dynamic
192.168.20.226 04:8B:42:10:6C:1C mgmt 1 Dynamic
172.50.3.2 04:8B:42:20:00:F5 Gi 12/2 Dynamic
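Section 6.3 above mentions ARP cheating. The following Python is an added example (not part of the manual or of JadeOS) that parses two snapshots in the format of the show arp output and reports the two signs an operator would look for: an address whose MAC changed between snapshots, and one MAC answering for several addresses on the same interface. Both snapshots are constructed from the entries above, with one entry altered in the second.

```python
import re
from collections import defaultdict

# One "show arp" row: IP, MAC, interface name (may contain a space), entry type.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<iface>.+?)\s+(?P<type>Dynamic|Static)\s*$"
)

# Constructed snapshots modelled on the manual's sample output.
SNAPSHOT_BEFORE = """\
Address HWaddress Interface Type
192.168.20.1 00:13:1A:A5:CC:80 mgmt 1 Dynamic
192.168.20.15 00:15:C5:F3:35:B2 mgmt 1 Dynamic
119.6.100.1 C4:64:13:D1:9A:EA Gi 12/0 Dynamic
172.50.3.2 04:8B:42:20:00:F5 Gi 12/2 Dynamic
"""
# Constructed: the gateway 192.168.20.1 now resolves to the MAC of 192.168.20.15.
SNAPSHOT_AFTER = """\
Address HWaddress Interface Type
192.168.20.1 00:15:C5:F3:35:B2 mgmt 1 Dynamic
192.168.20.15 00:15:C5:F3:35:B2 mgmt 1 Dynamic
119.6.100.1 C4:64:13:D1:9A:EA Gi 12/0 Dynamic
172.50.3.2 04:8B:42:20:00:F5 Gi 12/2 Dynamic
"""


def parse_arp(text: str) -> dict:
    """Map IP -> (MAC, interface, type); the header line does not match and is skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries[m["ip"]] = (m["mac"].upper(), m["iface"].strip(), m["type"])
    return entries


def find_anomalies(before: dict, after: dict) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    # 1. An address whose MAC changed between the two snapshots.
    for ip, (mac, iface, _) in after.items():
        if ip in before and before[ip][0] != mac:
            findings.append(f"{ip}: MAC changed {before[ip][0]} -> {mac} on {iface}")
    # 2. One MAC bound to several addresses on the same interface. This can be
    #    legitimate (a router, or proxy ARP as in section 6.3.3), so it is a
    #    prompt for a manual check rather than proof of spoofing.
    by_mac = defaultdict(set)
    for ip, (mac, iface, _) in after.items():
        by_mac[(mac, iface)].add(ip)
    for (mac, iface), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} on {iface} claims {len(ips)} addresses: "
                            + ", ".join(sorted(ips)))
    return findings


def demo() -> list:
    return find_anomalies(parse_arp(SNAPSHOT_BEFORE), parse_arp(SNAPSHOT_AFTER))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Static entries (section 6.3.1) for the gateway and other critical hosts would prevent the first kind of change from taking effect on JadeOS itself.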
6.3.3 Configuring ARP Proxy
Proxy ARP comes in two forms, local proxy ARP and proxy ARP. Both reply to ARP requests with the interface MAC address, whether or not the requested address actually exists. They differ in scope: proxy ARP replies to an ARP request whether or not the requested address is in the same network segment as the interface, while local proxy ARP replies only when the ARP request's source address, destination address and the interface address are all in the same network segment.
When tunnel broadcast message suppression and DHCP snooping are enabled, a client that needs to communicate with another client in the same network segment but on a different tunnel has to keep broadcasting ARP requests to look up the other client. In this situation you can enable the local proxy ARP function in JadeOS. JadeOS then acts as the ARP proxy, which ensures data communication between clients on different tunnels and at the same time avoids the many useless broadcast messages caused by repeated broadcasts.
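The decision rule above, as an added example written for this manual (it is not Skspruce code and makes no claim about the JadeOS implementation). It assumes a constructed gateway interface 192.168.20.1/24 and a constructed client-to-tunnel table; the three modes, the "target need not exist" behaviour, and the effect of tunnel broadcast suppression follow the text.

```python
import ipaddress

# Constructed topology (assumption, not from the manual): the gateway interface
# is 192.168.20.1/24 and three wireless clients sit on three different tunnels.
IFACE_NET = ipaddress.ip_network("192.168.20.0/24")
CLIENT_TUNNEL = {"192.168.20.15": 1, "192.168.20.152": 2, "192.168.20.226": 3}


def arp_action(mode, sender_ip, target_ip, iface_net=IFACE_NET,
               tunnels=CLIENT_TUNNEL, suppression=True):
    """Decide what the gateway does with a broadcast ARP request.

    mode: "proxy"       - answer with the interface MAC regardless of subnet
          "local-proxy" - answer only if sender, target and interface share the subnet
          "none"        - never answer on behalf of another host
    Neither proxy mode checks whether the target address actually exists.
    """
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    same_segment = sender in iface_net and target in iface_net
    if mode == "proxy" or (mode == "local-proxy" and same_segment):
        return "reply-with-interface-mac"
    if suppression:
        # Tunnel broadcast suppression: the request is not re-flooded, so a
        # client on another tunnel never hears it and the sender keeps retrying.
        return "dropped"
    # Without suppression the request is flooded to every other tunnel and the
    # target (if it exists) answers itself.
    sender_tunnel = tunnels.get(sender_ip)
    others = sorted({t for t in tunnels.values() if t != sender_tunnel})
    return "flooded-to-tunnels-" + ",".join(str(t) for t in others)
```

With local proxy ARP the request for 192.168.20.152 from 192.168.20.15 is answered by the gateway even though the two clients are on tunnels 1 and 2, while a request for an off-segment address such as 10.0.0.5 is still not answered; plain proxy ARP answers both.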
6.4 Configuring MTU and TCP MSS
MTU and TCP MSS are attributes of an interface.
When a data packet is larger than the MTU value, the system fragments the packet according to the MTU value. Fragmentation affects data performance, so you should try to avoid it.
If the interface has the TCP MSS attribute and the MSS option of a TCP SYN message is larger than the interface's TCP MSS value, the system rewrites the MSS option of that SYN message and updates the TCP checksum as the SYN passes through the inside and outside interfaces. You should try to avoid fragmentation, because fragmentation affects data performance.
To configure the MTU, use the mtu <68-9216> command in config mode.
To configure the TCP MSS, use the tcp4mss <4-65535> command in interface mode.
For example, configure the MTU and tcp4mss of interface gigaethernet 1/0 to 1460 and 1440 respectively:
(JadeOS) (config)#interface gigabitethernet 10/1
(JadeOS) (config-if)#mtu 1460
(JadeOS) (config-if)#tcp4mss 1440
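The SYN rewrite described above, as an added example that is not part of the manual and not Skspruce code: it builds a minimal TCP SYN with an MSS option, clamps the option to a configured tcp4mss, and recomputes the RFC 793 checksum over the IPv4 pseudo-header. The addresses are constructed. The helper max_mss_for_mtu assumes 20-byte IPv4 and TCP headers with no options; applied to the values above it gives 1460 - 40 = 1420, so an MSS of 1440 behind a 1460-byte MTU can still produce fragments.

```python
import struct

# Constructed addresses for the pseudo-header (assumption, not from the manual).
SRC_IP = bytes([10, 1, 2, 23])
DST_IP = bytes([119, 6, 100, 1])


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Minimal TCP SYN: 20-byte header plus a 4-byte MSS option (kind 2)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def find_mss(segment):
    """Return (offset, value) of the MSS option, or (None, None) if absent."""
    end = (segment[12] >> 4) * 4
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP, one byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2:
            return i, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None, None


def clamp_mss(src_ip, dst_ip, segment, iface_mss):
    """Rewrite the MSS option when it exceeds the interface tcp4mss and refresh the checksum.

    Returns (segment, changed). A SYN whose MSS already fits is passed through untouched.
    """
    pos, mss = find_mss(segment)
    if pos is None or mss <= iface_mss:
        return segment, False
    seg = bytearray(segment)
    seg[pos + 2:pos + 4] = struct.pack("!H", iface_mss)
    seg[16:18] = b"\x00\x00"                       # zero the checksum before recomputing
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), True


def checksum_ok(src_ip, dst_ip, segment):
    """A segment carrying a correct checksum sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def max_mss_for_mtu(mtu):
    """Largest MSS that avoids fragmentation: MTU minus 20-byte IPv4 and 20-byte TCP headers."""
    return mtu - 40
```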
6.5 Configuring GRE Tunnel
GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol.
GRE is defined in RFC 2784 and updated by RFC 2890.
To create a GRE tunnel interface and enter interface configuration mode on JadeOS, use the following commands:
interface tunnel <id>
tunnel mode gre
Figure 6-3 GRE tunnel
To create a GRE tunnel on JadeOS, use the following steps:
(JadeOS)(config) #interface tunnel 1
(JadeOS)(config-if) #tunnel mode gre
(JadeOS)(config-if) #ip address x.x.x.x/x
(JadeOS)(config-if) #tunnel source x.x.x.x
(JadeOS)(config-if) #tunnel destination x.x.x.x
(JadeOS)(config-if) #tunnel key <0-4294967295>
(JadeOS)(config-if) #tunnel checksum
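The two optional header fields configured above, tunnel key and tunnel checksum, are the RFC 2890 key and the RFC 2784 checksum. As an added example (not the manual's or Skspruce's code, and independent of how JadeOS implements them), the block below encapsulates and decapsulates a payload with both fields, using constructed payload bytes. Note that the key only identifies a tunnel and the checksum only detects corruption; neither authenticates the packet, so a GRE tunnel over an untrusted network still needs IPsec or similar protection.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000   # checksum, key, sequence present
ETHERTYPE_IPV4 = 0x0800


def ones_complement_sum(data):
    """RFC 1071 checksum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload, proto=ETHERTYPE_IPV4, key=None, checksum=False):
    """Prepend a version-0 GRE header: flags/version, protocol, [checksum+reserved1], [key]."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)             # checksum computed below, reserved1 = 0
    if key is not None:
        hdr += struct.pack("!I", key)
    pkt = hdr + payload
    if checksum:
        # Checksum covers the GRE header and payload with the checksum field zeroed.
        pkt = pkt[:4] + struct.pack("!H", ones_complement_sum(pkt)) + pkt[6:]
    return pkt


def gre_decapsulate(pkt, expected_key=None):
    """Validate the header and return (protocol, key, payload); raises ValueError on problems."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_C:
        if ones_complement_sum(pkt) != 0:
            raise ValueError("bad GRE checksum")
        offset += 4
    key = None
    if flags & GRE_K:
        key = struct.unpack("!I", pkt[offset:offset + 4])[0]
        offset += 4
    if flags & GRE_S:
        offset += 4                                 # sequence number, not used here
    if expected_key is not None and key != expected_key:
        raise ValueError("GRE key mismatch: packet does not belong to this tunnel")
    return proto, key, pkt[offset:]


def is_valid(pkt, expected_key=None):
    try:
        gre_decapsulate(pkt, expected_key)
        return True
    except ValueError:
        return False
```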
6.6 Configuring DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network configuration protocol for hosts on Internet Protocol (IP) networks. DHCP mainly has two uses:
- Reduce the client's configuration burden, for example when a host changes office.
- Reduce the network administrator's configuration burden. DHCP provides unified address distribution and centralized management, and used together with DHCP snooping it helps prevent network attacks and ensures that resources are used rationally.
Because of terminal mobility, wireless network architecture places high demands on the DHCP protocol. In an SP environment it also demands a large address pool and a high address distribution rate.
6.6.1 Configuring DHCP Server
To configure the DHCP server, use the following commands:
Step 1 Create one or more DHCP address pools:
ip dhcp pool <pool-name>
Step 2 Specify the gateway of the DHCP clients:
default-router A.B.C.D
Step 3 Specify the DNS server of the DHCP clients:
dns-server A.B.C.D
Step 4 Specify the lease time:
lease <days> <hours> <minutes> <seconds>
Step 5 Specify the range of the address pool:
network <subnet> <mask>
Step 6 (optional) Have DHCP install ARP entries combining the client's IP and MAC address into the system:
update arp
Step 7 (optional) Specify the reserved IP address or IP range, i.e. addresses that are not assigned to clients:
ip dhcp excluded-address <start-address> [<end-address>]
Step 8 Enable the DHCP service:
service dhcp
6.6.2 Inquiring DHCP Server Status
1 Inquire the DHCP configuration:
(JadeOS) #show ip dhcp database
DHCP enabled
ping-check false;
broadcast;
# vlan409
subnet 172.40.9.0 netmask 255.255.255.0 {
lease-time 1 days,0 hours, 0 minutes, 0 seconds;
option routers 172.40.9.1;
range 172.40.9.2 172.40.9.254;
}
2 Inquire DHCP lease statistics:
(JadeOS) #show ip dhcp statistics
Network Name 13.0.0.0/16
Total leases 65533
Free leases 64532
Active leases 1001
Abandoned leases 0
Reserved leases 0
3 Inquire DHCP lease information:
(JadeOS) #show ip dhcp binding
lease 13.0.6.202 {
starts Mon Dec 23 10:41:30 2013
ends Mon Dec 23 10:42:30 2013
binding state active;
next binding state free;
hardware ethernet 00:50:ba:50:73:2b;
uid "\001\000P\272Ps+";
}
lease 13.0.6.238 {
starts Mon Dec 23 10:41:33 2013
ends Mon Dec 23 10:42:33 2013
binding state active;
next binding state free;
hardware ethernet 00:50:ba:50:75:2b;
uid "\001\000P\272Pu+";
}
lease 13.0.7.19 {
starts Mon Dec 23 10:41:28 2013
ends Mon Dec 23 10:42:28 2013
binding state active;
next binding state free;
hardware ethernet 00:50:ba:50:74:e9;
uid "\001\000P\272Pt\351";
}
lease 13.0.7.61 {
starts Mon Dec 23 10:41:33 2013
ends Mon Dec 23 10:42:33 2013
binding state active;
next binding state free;
hardware ethernet 00:50:ba:50:76:5c;
uid "\001\000P\272Pv\\";
}
4 Inquire DHCP server running status:
(JadeOS) #show ip dhcp server statistics
Dhcp Server Packet Statistics:
Receive packet:
Discover 0
Request 0
Release 0
Decline 0
Inform 0
Leasequery 0
Unkown 0
Send packet:
Offer 0
Ack 0
Nak 0
Other packet:
Bootp 0
Boopreply 0
Speed:
Offer Speed 0 client/sec
6.6.3 Configuring DHCP Relay
JadeOS provides a DHCP relay function that extends the DHCP function. A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagrams are switched between networks somewhat transparently. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send on another interface.
The DHCP relay configuration is as follows:
Step 1 Enter "ip dhcp relay" mode:
(JadeOS)(config)# ip dhcp relay
Step 2 Specify the interface of the DHCP clients:
(JadeOS)(config-dhcp-relay)# client-interface <interface-name>
Step 3 Specify the IP address of the DHCP server:
(JadeOS)(config-dhcp-relay)# server address A.B.C.D
Step 4 Specify the interface of the DHCP server:
(JadeOS)(config-dhcp-relay)# server-interface <interface-name>
Step 5 Enable the relay:
(JadeOS)(config-dhcp-relay)# enable
6.6.4 DHCP Snooping
DHCP snooping acts as a firewall between untrusted hosts and the DHCP server, preventing interference with and attacks on legitimate users. Through DHCP snooping, you can view the filtered illegal DHCP messages.
Because DHCP messages carry the MAC address and IP address of the user terminal, DHCP messages can be tracked continuously, obtained and recorded, and the records then used to identify other illegal DHCP messages.
By building and maintaining the DHCP snooping table (IP-MAC binding), the system can detect whether subsequent communication is legal and reject data whose IP and MAC do not match.
To enable DHCP snooping, use the following command:
ip dhcp snooping enable
To display the DHCP snooping binding table, use the following commands:
(JadeOS) #show ip dhcp snooping binding counter
Datapath Bind Table Statistics
-------------------------------
Current Entries 1001
High Water Mark 1001
Maximum Entries 262144
Total Entries 4001
Allocation Failures 0
(JadeOS) #show ip dhcp snooping binding
DHCP Snooping State is disable
DHCP Snooping verify MAC State is disable
Datapath Binding Table Entries
-------------------------------------------------------------------
Type: D - Dynamic, S - Statically-configured
MacAddress IpAddress Lease(sec) Type Interface
------------- --------------- --------- ------ ------------
00:50:ba:50:77:06 13.0.7.20 300 D Gi 6/10
00:50:ba:50:76:DA 13.0.6.242 300 D Gi 6/10
00:50:ba:50:76:D8 13.0.6.237 300 D Gi 6/10
00:50:ba:50:76:D4 13.0.6.227 300 D Gi 6/10
Security Check
Through the binding table, the DHCP snooping module determines whether a DHCP message sent by a user is legal, and rejects the DHCP request if it is illegal.
With MAC address detection enabled, DHCP snooping can prevent attacks by checking whether the client MAC address carried in the DHCP protocol matches the source MAC address of the Ethernet frame.
To enable MAC address detection for DHCP snooping, use the following command in config mode:
ip dhcp snooping verify mac-address enable
Broadcast Suppression
When DHCP snooping is enabled, JadeOS automatically records DHCP request information in the DHCP snooping session table. When it receives a broadcast message from the DHCP server, JadeOS looks up the corresponding host and exit port in the DHCP snooping table and converts the broadcast into a unicast. In this way JadeOS achieves broadcast suppression.
To configure broadcast suppression on a QinQ interface, use the following command:
ip dhcp snooping enable
To display the DHCP snooping session table, use the following command:
show ip dhcp snooping session
6.6.5 ARP With DHCP
When ARP with DHCP is enabled, DHCP installs into the system ARP entries that combine the distributed IP address and the client's MAC address, and at the same time ARP learning is disabled on the specified interface. The ARP table is therefore strictly checked by DHCP snooping, which ensures its legality and prevents ARP spoofing and interference with users' online access and communication.
For example:
- Enable the ARP with DHCP function:
Step 1 Configure update arp in the address pool:
(JadeOS) (config)#ip dhcp pool ABC
(JadeOS) (config-dhcp)#update arp
Step 2 Configure ARP authorized on the interface that distributes the IP addresses, which disables the ARP learning function:
(JadeOS) (config)#interface vlan 6
(JadeOS) (config-if)#arp authorized
Note: ARP learning is disabled after enabling ARP with DHCP.
- Disable the ARP with DHCP function:
Step 1 To save the client ARP information, use the no update arp command to disable the ARP function:
(JadeOS) (config)#ip dhcp pool ABC
(JadeOS) (config-dhcp)#no update arp
Step 2 Enable the ARP learning function:
(JadeOS) (config)#interface vlan 6
(JadeOS) (config-if)#no arp authorized
You can inquire client ARP information with the show arp command.
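The check that sections 6.6.4 (Security Check) and 6.6.5 describe, namely that an ARP entry is only legitimate if it agrees with the DHCP snooping IP-MAC binding, can be run offline against the two show outputs above. The block below is an added example, not Skspruce code: it parses the show ip dhcp snooping binding and show arp formats shown in this manual (sample output constructed in those formats, including one deliberate MAC conflict) and classifies each ARP entry. An entry whose MAC differs from the binding is the pattern an ARP spoofing attempt would leave; an entry with no binding on an interface configured with arp authorized should not exist at all.

```python
import re

# Constructed sample output in the two formats shown above (not a device capture).
SNOOPING_BINDING = """\
MacAddress IpAddress Lease(sec) Type Interface
------------- --------------- --------- ------ ------------
00:50:ba:50:77:06 13.0.7.20 300 D Gi 6/10
00:50:ba:50:76:DA 13.0.6.242 300 D Gi 6/10
"""
ARP_TABLE = """\
Address HWaddress Interface Type
13.0.7.20 00:50:BA:50:77:06 Gi 6/10 Dynamic
13.0.6.242 00:11:22:33:44:55 Gi 6/10 Dynamic
13.0.6.250 00:50:BA:50:76:AA Gi 6/10 Dynamic
"""

MAC_RE = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
IP_RE = r"(\d+\.\d+\.\d+\.\d+)"


def parse_bindings(text):
    """{ip: (mac, interface)} from 'show ip dhcp snooping binding' output; MACs lower-cased."""
    out = {}
    pattern = MAC_RE + r"\s+" + IP_RE + r"\s+(\d+)\s+([DS])\s+(.+)$"
    for m in re.finditer(pattern, text, re.M):
        out[m.group(2)] = (m.group(1).lower(), m.group(5).strip())
    return out


def parse_arp(text):
    """{ip: (mac, interface)} from 'show arp' output; MACs lower-cased."""
    out = {}
    pattern = r"^" + IP_RE + r"\s+" + MAC_RE + r"\s+(.+?)\s+(Dynamic|Static)\s*$"
    for m in re.finditer(pattern, text, re.M):
        out[m.group(1)] = (m.group(2).lower(), m.group(3).strip())
    return out


def audit(arp, bindings, authorized_ifaces):
    """Classify each ARP entry against the snooping table.

    ok           - IP and MAC agree with the DHCP binding
    mac-mismatch - same IP bound to a different MAC (possible ARP spoofing)
    unbound      - no binding, on an interface where only DHCP may install ARP entries
    unverified   - no binding, on an interface that still learns ARP dynamically
    """
    findings = {}
    for ip, (mac, iface) in arp.items():
        bound = bindings.get(ip)
        if bound is None:
            findings[ip] = "unbound" if iface in authorized_ifaces else "unverified"
        elif bound[0] != mac:
            findings[ip] = "mac-mismatch"
        else:
            findings[ip] = "ok"
    return findings
```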
6.7 Configuring OSPF
Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). This allows JadeOS to be deployed effectively in a Layer 3 topology. JadeOS can act as the default gateway for all clients and forward user packets to the upstream router.
6.7.1 OSPF Implementation
The JadeOS OSPF implementation conforms to the OSPF Version 2 specification detailed in Internet RFC 2328. The list that follows outlines key OSPF features supported on JadeOS:
- NSSA areas (RFC 3101) supported.
- Route redistribution: routes learned via any IP protocol can be redistributed into any other IP routing protocol.
- Authentication: plain text authentication among neighboring routers within an area is supported.
- Routing interface parameters: configurable parameters supported include interface output cost, retransmission interval, interface transmit delay, router priority, router "dead" and "hello" intervals, and message digest key.
6.7.2 Enabling OSPF
OSPF is disabled by default. To enable the OSPF function on JadeOS, use the following command in configuration mode:
(JadeOS)(config)# router ospf
Enabling OSPF requires that you create an OSPF router ID, which is the unique identifier of the router within an AS, and an area ID, which specifies the scope of the routing process.
If the router ID is not configured, the loopback interface IP is taken as the router ID. If there is no loopback interface, the system selects the highest IP address among all interface IPs.
To configure a router ID, complete the following commands:
(JadeOS) (config)#router ospf
(JadeOS) (config-router)#ospf router-id <IP>
To configure an area ID, use the following commands:
(JadeOS)(config)# router ospf
(JadeOS)(config-router)# area <area id> <parameter>
Note: Please refer to the JadeOS Command Manual for more area configuration parameters.
6.7.3 Configuring OSPF Interface Parameters
JadeOS allows you to alter certain interface-specific OSPF parameters as needed. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. Therefore, if you do configure any of these parameters, be sure that the configurations for all routers on your network have compatible values.
To specify interface parameters as needed for your network, use any of the commands listed in table 6-1:
| Command | Purpose |
| --- | --- |
| ip ospf cost <value> | Explicitly specify the cost of sending a packet on an OSPF interface. |
| ip ospf dead-interval <value> | Set the number of seconds that a device's hello packets must not have been seen before its neighbors declare the OSPF router down. |
| ip ospf hello-interval <value> | Specify the length of time between the hello packets that the router sends on an OSPF interface. |
| ip ospf message-digest-key <value> <passwd> | Enable OSPF MD5 authentication. |
| ip ospf priority <value> | Set the priority used to help determine the OSPF designated router for a network. |
| ip ospf retransmit-interval <value> | Specify the number of seconds between link state advertisement retransmissions for adjacencies belonging to an OSPF interface. |
| ip ospf transmit-delay <value> | Set the estimated number of seconds it takes to transmit a link state update packet on an OSPF interface. |

Table 6-1 OSPF Interface Parameters
6.7.4 Configuring OSPF Area
JadeOS OSPF supports the following types of area:
- Stub area
Stub areas are areas into which information on external routes is not sent. Instead, a default external route is generated by the area border router into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area; you can configure no-summary on the ABR to prevent it from sending summary link advertisements into the stub area.
To configure a stub area on JadeOS, use the following command:
area <area-id> stub [no-summary]
For example, configure area 1.1.1.1 as a stub area on JadeOS:
(JadeOS) (config) #router ospf
(JadeOS) (config-router) # area 2 stub no-summary
- NSSA (Not So Stubby Area)
An NSSA is similar to an OSPF stub area. An NSSA does not flood Type 5 LSAs (External Link State Advertisements) from the core into the area, but it has the ability to import AS external routes in a limited fashion within the area. NSSA allows importing of Type 7 AS external routes within the NSSA area by redistribution. These Type 7 LSAs are translated into Type 5 LSAs by the NSSA ABR and flooded throughout the whole routing domain.
To configure an NSSA on JadeOS, use the following command:
area <area-id> nssa [no-redistribution] [no-summary] [default-information-originate]
Example 1, configure area 1.1.1.1 as a totally NSSA area on JadeOS:
(JadeOS)(config)# router ospf
(JadeOS) (config-router) # area 1 nssa no-summary
Example 2, configure area 1.1.1.1 as a non-totally NSSA area, not importing type-7 external routes into the area:
(JadeOS)(config)# router ospf area 1.1.1.1
(JadeOS)(config-router) # nssa no-redistribution
Example 3, configure area 1.1.1.1 as a non-totally NSSA area, importing a default route into the area:
(JadeOS)(config)# router ospf
(JadeOS)(config-router) # area 1 nssa default-information-originate
6.7.5 Configuring OSPF Network Type
JadeOS supports the following types of OSPF network:
• Point-to-point networks (HDLC, PPP)
On point-to-point links such as HDLC and PPP, OSPF runs as a point-to-point network type.
To configure an OSPF point-to-point network on JadeOS, use the following command:
(JadeOS)(config-if)#ip ospf network point-to-point
• Broadcast networks (Ethernet, Token Ring, FDDI)
On broadcast media such as Ethernet and Token Ring, OSPF runs as a broadcast network type.
To configure an OSPF broadcast network on JadeOS, use the following command:
(JadeOS)(config-if)#ip ospf network broadcast
Note: The network type is broadcast by default (factory setting).
6.7.6 OSPF Point-to-point Configuration Example
In the following OSPF network, the autonomous system is divided into 3 areas. JadeOS A and JadeOS B are the ABRs, responsible for announcing the routes between OSPF areas.
Figure 6-1 OSPF configuration example
Step 1 Create VLANs and add interfaces to the VLANs (refer to chapter 4 for VLAN configuration).
Step 2 Configure OSPF on JadeOS A
(JadeOS-A) (config) #router ospf
(JadeOS-A) (config-router) #ospf router-id 1.1.1.1
(JadeOS-A) (config-router) #network 192.168.10.0/24 area 0
(JadeOS-A) (config-router) #network 192.168.20.0/24 area 1
(JadeOS-A) (config) #interface vlan 10
(JadeOS-A) (config-if) #ip address 192.168.10.1/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
(JadeOS-A) (config) #interface vlan 20
(JadeOS-A) (config-if) #ip address 192.168.20.1/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
Step 3 Configure OSPF on JadeOS B
(JadeOS-B) (config) #router ospf
(JadeOS-B) (config-router) #ospf router-id 1.1.1.2
(JadeOS-B) (config-router) #network 192.168.10.0/24 area 0
(JadeOS-B) (config-router) #network 192.168.30.0/24 area 2
(JadeOS-B) (config) #interface vlan 10
(JadeOS-B) (config-if) #ip address 192.168.10.2/24
(JadeOS-B) (config-if) #ip ospf network point-to-point
(JadeOS-B) (config) #interface vlan 30
(JadeOS-B) (config-if) #ip address 192.168.30.1/24
(JadeOS-B) (config-if) #ip ospf network point-to-point
Step 4 Configure OSPF on JadeOS C
(JadeOS-C) (config) #router ospf
(JadeOS-C) (config-router) #ospf router-id 1.1.1.3
(JadeOS-C) (config-router) #network 192.168.20.0/24 area 1
(JadeOS-C) (config) #interface vlan 20
(JadeOS-C) (config-if) #ip ospf network point-to-point
(JadeOS-C) (config-subif) #ip address 192.168.20.2/24
Step 5 Configure OSPF on JadeOS D
(JadeOS-D) (config) #router ospf
(JadeOS-D) (config-router) #ospf router-id 1.1.1.4
(JadeOS-D) (config-router) #network 192.168.30.0/24 area 2
(JadeOS-D) (config) #interface vlan 30
(JadeOS-D) (config-subif) #ip ospf network point-to-point
(JadeOS-D) (config-subif) #ip address 192.168.30.2/24
Note: Routing management supports OSPF dynamic routing management and static routing management.
To add a static route, use the ip route A.B.C.D/<destmask> command.
To delete a route, use the no ip route A.B.C.D/<destmask> command.
To display routes, use the show ip route command.
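Section 6.7.3 warns that some interface parameters must agree on every router of an attached network, and the example above repeats the same network type on both ends of each link. The block below is an added example (not Skspruce code) that reads CLI transcripts in the form shown above and reports the disagreements that break or misroute adjacencies: duplicate router IDs, and subnets whose two ends are placed in different areas or configured with different network types. The transcript is constructed in the same syntax and deliberately contains one of each mistake.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed transcript in the CLI form used by the example above (assumption: same
# syntax). It deliberately contains three mistakes for the checker to find.
TRANSCRIPT = """
(JadeOS-A) (config) #router ospf
(JadeOS-A) (config-router) #ospf router-id 1.1.1.1
(JadeOS-A) (config-router) #network 192.168.10.0/24 area 0
(JadeOS-A) (config-router) #network 192.168.20.0/24 area 1
(JadeOS-A) (config) #interface vlan 10
(JadeOS-A) (config-if) #ip address 192.168.10.1/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
(JadeOS-A) (config) #interface vlan 20
(JadeOS-A) (config-if) #ip address 192.168.20.1/24
(JadeOS-A) (config-if) #ip ospf network point-to-point
(JadeOS-B) (config) #router ospf
(JadeOS-B) (config-router) #ospf router-id 1.1.1.2
(JadeOS-B) (config-router) #network 192.168.10.0/24 area 0
(JadeOS-B) (config) #interface vlan 10
(JadeOS-B) (config-if) #ip address 192.168.10.2/24
(JadeOS-C) (config) #router ospf
(JadeOS-C) (config-router) #ospf router-id 1.1.1.1
(JadeOS-C) (config-router) #network 192.168.20.0/24 area 2
(JadeOS-C) (config) #interface vlan 20
(JadeOS-C) (config-if) #ip address 192.168.20.2/24
(JadeOS-C) (config-if) #ip ospf network point-to-point
"""

LINE_RE = re.compile(r"^\((\S+)\)\s*\((config[^)]*)\)\s*#\s*(.+)$")


def parse_transcript(text):
    """Collect per router: router-id, network->area statements and interface settings."""
    routers = {}
    current_iface = {}
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host, _mode, cmd = m.groups()
        r = routers.setdefault(host, {"router_id": None, "areas": {}, "ifaces": {}})
        parts = cmd.split()
        if parts[:2] == ["ospf", "router-id"]:
            r["router_id"] = parts[2]
        elif parts[0] == "network" and "area" in parts:
            r["areas"][ipaddress.ip_network(parts[1])] = parts[parts.index("area") + 1]
        elif parts[0] == "interface":
            current_iface[host] = " ".join(parts[1:])
            # Network type is broadcast unless configured otherwise (manual, 6.7.5 note).
            r["ifaces"].setdefault(current_iface[host], {"ip": None, "type": "broadcast"})
        elif parts[:2] == ["ip", "address"]:
            r["ifaces"][current_iface[host]]["ip"] = ipaddress.ip_interface(parts[2])
        elif parts[:3] == ["ip", "ospf", "network"]:
            r["ifaces"][current_iface[host]]["type"] = parts[3]
    return routers


def check_consistency(routers):
    """Return findings: duplicate router-ids and per-subnet area or network-type disagreements."""
    findings = []
    owner = {}
    for host, r in routers.items():
        rid = r["router_id"]
        if rid in owner:
            findings.append(f"duplicate router-id {rid}: {owner[rid]} and {host}")
        else:
            owner[rid] = host
    ends = defaultdict(list)   # subnet -> [(host, area, network type)]
    for host, r in routers.items():
        for iface in r["ifaces"].values():
            if iface["ip"] is None:
                continue
            area = next((a for net, a in r["areas"].items() if iface["ip"].ip in net), None)
            ends[iface["ip"].network].append((host, area, iface["type"]))
    for net, peers in ends.items():
        if len({a for _, a, _ in peers}) > 1:
            findings.append(f"{net}: area mismatch " + ", ".join(f"{h}=area {a}" for h, a, _ in peers))
        if len({t for _, _, t in peers}) > 1:
            findings.append(f"{net}: network-type mismatch " + ", ".join(f"{h}={t}" for h, _, t in peers))
    return findings
```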
6.8 Configuring IPv6
JadeOS supports IPv4/IPv6 configuration and IPv6 forwarding. IPv6 address and routing configuration is similar to IPv4.
6.8.1 Address Configuration
To configure an IPv6 address, use the following command in interface mode:
(JadeOS) (config)#interface vlan 333
(JadeOS) (config-if)#ipv6 address 2011::6:31/64
6.8.2 Routing Configuration
To configure an IPv6 route, use the following command:
ipv6 route <subnet>/<prefix-length> <gateway>
6.8.3 Ping6
To ping an IPv6 address, use the following command:
ping6 <ipv6-address>
Chapter 7 Network Security
JadeOS is always deployed as a gateway, through which a great deal of data passes. The network environment of the equipment is very complex and faces network security threats. This chapter describes JadeOS network security and how to configure it.
7.1 Access Control List (ACL)
An Access Control List (ACL) defines network access. An ACL is a combination of rules; each rule specifies one match condition and one operation. The match condition is based on IP address or port number; the operation is 'permit' or 'deny'. The ACL matches its rules in sequence.
JadeOS has an implicit 'deny' rule at the end of each ACL, so you must add a corresponding rule with the operation 'permit' if you want to allow one type of traffic through. Through ACLs, users' traffic can be controlled precisely so as to ensure network security.
7.1.1 Standard ACL
A standard ACL rule can specify the operation 'deny' or 'permit'; the match condition is any, an IP address or a network segment.
Step 1 Create a standard ACL named test-standard:
(JadeOS) (config)#ip access-list standard test-standard
Step 2 Deny all the traffic in network segment 192.168.1.0/255.255.255.0:
(JadeOS) (config-std-test-standard)#deny 192.168.1.0 255.255.255.0
Step 3 Allow all the traffic in network segment 192.168.0.0/255.255.0.0:
(JadeOS) (config-std-test-standard)#permit 192.168.0.0 255.255.0.0
Step 4 Deny all other traffic:
(JadeOS) (config-std-test-standard)#deny any
7.1.2 Extended ACL
An extended ACL can specify the operation 'deny' or 'permit'; the match condition can specify the protocol (any, tcp, udp, icmp, igmp), source IP address or network segment, destination IP address or network segment, and a range of port numbers.
Step 1 Create an extended ACL named test-extended:
(JadeOS) (config)#ip access-list standard test-extended
Step 2 Deny TCP traffic from 60.0.0.0/255.255.255.0 to 192.168.10.0/255.255.255.0 with port range 1-1023:
(JadeOS) (config-std-test-extended)# deny tcp 60.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 range 1 1023
Step 3 Permit all TCP port 80 traffic to 192.168.10.0/255.255.255.0:
(JadeOS) (config-std-test-extended)# permit tcp any 192.168.10.0 255.255.255.0 eq 80
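The two properties that sections 7.1.1 and 7.1.2 rely on, first-match evaluation in rule order and the implicit trailing deny, are easy to get wrong when rules are reordered. The block below is an added example, not Skspruce code, that models both ACLs above with those semantics and evaluates sample packets against them; it assumes that range and eq apply to the destination port and that a standard ACL matches on the source address only.

```python
import ipaddress


def _match_net(addr, mask):
    """'any' matches everything; otherwise build the network from address plus subnet mask."""
    return None if addr == "any" else ipaddress.ip_network(f"{addr}/{mask}", strict=False)


class ACL:
    """Ordered rule list with first-match semantics and an implicit trailing deny."""

    def __init__(self, name):
        self.name = name
        self.rules = []

    def add(self, action, src="any", smask=None, dst="any", dmask=None, proto="any", ports=None):
        # ports: None = any destination port, (lo, hi) = "range lo hi", (p, p) = "eq p"
        self.rules.append((action, proto, _match_net(src, smask), _match_net(dst, dmask), ports))

    def evaluate(self, src_ip, dst_ip="0.0.0.0", proto="ip", dport=None):
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for action, rproto, rsrc, rdst, ports in self.rules:
            if rproto != "any" and rproto != proto:
                continue
            if rsrc is not None and s not in rsrc:
                continue
            if rdst is not None and d not in rdst:
                continue
            if ports is not None and (dport is None or not ports[0] <= dport <= ports[1]):
                continue
            return action            # first matching rule wins
        return "deny"                # implicit deny when nothing matched


def build_standard():
    """test-standard from 7.1.1: deny 192.168.1.0/24, permit 192.168.0.0/16, deny any."""
    acl = ACL("test-standard")
    acl.add("deny", "192.168.1.0", "255.255.255.0")
    acl.add("permit", "192.168.0.0", "255.255.0.0")
    acl.add("deny")                  # explicit "deny any", same effect as the implicit one
    return acl


def build_extended():
    """test-extended from 7.1.2: deny tcp 60.0.0.0/24 -> 192.168.10.0/24 ports 1-1023, permit tcp any -> port 80."""
    acl = ACL("test-extended")
    acl.add("deny", "60.0.0.0", "255.255.255.0", "192.168.10.0", "255.255.255.0", "tcp", (1, 1023))
    acl.add("permit", "any", None, "192.168.10.0", "255.255.255.0", "tcp", (80, 80))
    return acl
```

Because the deny for 60.0.0.0/24 comes first, port 80 traffic from that subnet is dropped even though the second rule would permit it; swapping the first two rules of test-standard would likewise let 192.168.1.0/24 through, which is why rule order is part of the policy.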
7.1.3 Session ACL
A session ACL can specify the operation 'deny' or 'drop'; the match conditions are protocol number, source IP address or network segment, destination IP address or network segment, and a range of port numbers. Based on the five elements (protocol, source IP address, source port number, destination IP address, destination port number), a session ACL can track all the data of a session to achieve complex functions such as SNAT and DNAT.
Session ACLs are used to control user authentication. Please refer to Chapter 9 for more information.
Step 1 Create a session ACL named test-session:
(JadeOS) (config)#ip access-list session test-session
Step 2 All the traffic from 192.168.20.0/255.255.255.0 is translated by the SNAT function using the NAT pool NAT_POOL (please refer to chapter 7.3 for how to create a NAT pool):
(JadeOS) (config-sess-test-session)# network 192.168.20.0 255.255.255.0 any any src-nat pool NAT_POOL
Step 3 All the traffic from 192.168.30.0/255.255.255.0 is translated to address 10.10.10.134 by the DNAT function:
(JadeOS) (config-sess-test-session)# network 192.168.30.0 255.255.255.0 any any dst-nat ip 10.10.10.134
7.2 Session
JadeOS maintains a session table entry for each session. The session table is keyed on five elements (protocol, source IP address, source port number, destination IP address, destination port number). When the system receives the first data packet of a session, it creates a session entry for it. Based on this session, the following data packets are handled uniformly by JadeOS; for example, with SNAT they are translated to the same address by the NAT function. When the session is terminated (for example, a TCP FIN message is observed) or times out (no traffic for a long time), the session entry is deleted.
To inquire the number of current sessions, use the show datapath session counters command.
(JadeOS) #show datapath session counters
Datapath Session Table Statistics
---------------------------------
Current Entries: 2
High Water Mark: 10
Maximum Entries: 524287
Total Entries: 185
Duplicate Entries: 0
Cross linked Entries: 0
Max link Length: 1
To view the current session table, use the show datapath session table command:
(JadeOS) #show datapath session table
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---------- -----
172.50.3.2 172.50.3.1 17 49419 5246 0/0 0 0 0 0 0 FC
172.50.3.1 172.50.3.2 17 5246 49419 0/0 0 0 1 0 0 F
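The session life cycle described in 7.2 (create on first packet, apply the same translation to every later packet, delete on FIN or idle timeout) as an added example that is not Skspruce code and does not describe the JadeOS datapath internals. It keeps a five-tuple table with an SNAT policy for one constructed subnet (192.168.20.0/24 mapped to pool address 150.0.0.1, the S flag of the output above) and a constructed idle timeout of 300 seconds; pool ports are allocated sequentially from 40000, an assumption for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport fin")


class SessionTable:
    """Five-tuple session table with an SNAT policy for one subnet (constructed example)."""

    def __init__(self, snat_subnet, pool_ip, idle_timeout=300, first_port=40000):
        self.snat_subnet = ipaddress.ip_network(snat_subnet)
        self.pool_ip = pool_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.sessions = {}   # forward key -> session record
        self.index = {}      # forward key and reverse key -> forward key

    def _create(self, p, now):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        snat = None
        if ipaddress.ip_address(p.src) in self.snat_subnet:
            snat = (self.pool_ip, self.next_port)   # allocate a pool address and port
            self.next_port += 1
        ext_src = snat or (p.src, p.sport)
        rev = (p.proto, p.dst, p.dport, ext_src[0], ext_src[1])   # what the reply looks like
        rec = {"fwd": fwd, "rev": rev, "orig": (p.src, p.sport), "snat": snat,
               "created": now, "last": now, "packets": 0, "flags": "S" if snat else ""}
        self.sessions[fwd] = rec
        self.index[fwd] = fwd
        self.index[rev] = fwd
        return rec

    def _close(self, rec):
        self.index.pop(rec["fwd"], None)
        self.index.pop(rec["rev"], None)
        self.sessions.pop(rec["fwd"], None)

    def process(self, p, now):
        """Return (direction, packet as forwarded); the first packet creates the session."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rec = self.sessions[self.index[key]] if key in self.index else self._create(p, now)
        rec["last"] = now
        rec["packets"] += 1
        if key == rec["fwd"]:            # client -> server: rewrite the source if SNAT applies
            ext = rec["snat"] or rec["orig"]
            out = p._replace(src=ext[0], sport=ext[1])
            direction = "forward"
        else:                            # server -> client: restore the original client address
            out = p._replace(dst=rec["orig"][0], dport=rec["orig"][1])
            direction = "reverse"
        if p.fin:                        # TCP FIN observed: tear the session down
            self._close(rec)
        return direction, out

    def expire(self, now):
        """Delete sessions idle longer than the timeout; returns how many were removed."""
        stale = [r for r in self.sessions.values() if now - r["last"] > self.idle_timeout]
        for r in stale:
            self._close(r)
        return len(stale)

    def count(self):
        return len(self.sessions)
```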
7.3 Configuring NAT
Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and
translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.
As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments.
Basically, NAT allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network.
7.3.1 Configuring SNAT
Figure 7-1 Source address translation
To create a NAT pool, use the following command in config mode:
ip nat pool <pool-name> <start-ip> <end-ip> <dest-ip>
To create an SNAT rule in a session ACL, use the following command:
network <subnet> <mask> any any src-nat pool <pool-name>
Using figure 7-1 as an example, step 1 and step 2 show how to specify the user policy in VLAN 100. Let the traffic from users on the 200.0.0.0/24 subnet be SNATed when they access the public Internet server 155.0.0.150.
Step 1 Create the NAT address pool:
(JadeOS)(config)# ip nat pool nat_pool 150.0.0.1 150.0.0.1 160.0.0.1
Step 2 Configure a session ACL, adding an SNAT rule that specifies the traffic to be translated and the NAT pool:
(JadeOS)(config)#ip access-list session tacl
(JadeOS)(config-sess-tacl)# network 200.0.0.0 255.255.255.0 any any src-nat pool nat_pool
Step 3 and step 4 show how to apply the ACL to VLAN 100; please refer to chapter 9.4 for more information.
Step 3 Configure a user role and apply the ACL:
(JadeOS)(config)#user-role trole
(JadeOS)(config-trole)#access-list session tacl
Step 4 Configure an AAA profile and specify the user role:
(JadeOS)(config)#aaa profile test
(JadeOS)(AAA profile “test”)#initial-role trole
Step 5 Apply the AAA profile to VLAN 100:
(JadeOS)(config)#vlan 100 aaa profile test
7.3.2 Configuring DNAT
Figure 7-2 Destination address translation
To configure DNAT address translation in a session ACL, use the following command:
<src-subnet> <dest-subnet> <protocol> dst-nat ip <ip-address>
Using figure 7-2 as an example, JadeOS redirects users that failed authentication to the portal server (150.0.0.150) by means of the DNAT function. Please refer to chapter 9.4 for more information.
Step 1 To create the session ACL and specify the DNAT match address and the DNAT destination IP address, use the following commands:
(JadeOS) (config) #ip access-list session tacl
(JadeOS) (config-sess-tacl) # any host 150.0.0.1 any dst-nat ip 200.0.0.200
Step 2 To create a user role and apply the ACL to it, use the following commands:
(JadeOS) (config) #user-role trole
(JadeOS) (config-trole) #access-list session tacl
Step 3 To create an AAA profile and apply it to the user role and authentication group, use the following commands:
(JadeOS) (config) #aaa profile test
(JadeOS) (AAA profile “test”) #http-redirection enable
(JadeOS) (AAA profile “test”) #initial-role trole
Step 4 Apply the AAA profile to VLAN 100:
(JadeOS) (config) #vlan 100 aaa profile test
7.4 Configuring DoS Anti-attack
The main function of DoS anti-attack is to protect the operating system of the control plane, so that JadeOS keeps working normally under a malicious attack.
DoS anti-attack first classifies traffic by protocol, and then limits the rate of each protocol according to the configuration. JadeOS configures a different rate limit policy for each protocol; a rate limit policy is based either on traffic per second or on the number of data packets per second.
7.4.1 System Pre-defined Configuration
The pre-defined configuration is the recommended deployment configuration of JadeOS, based on the hardware performance and design specification of the product. To view the system pre-defined configuration, use the show firewall command.
(JadeOS) #show firewall
Firewall bandwidth-contract:
Firewall Rate limit Enable/Disable Rate
Rate limit CP Capwap traffic Disable 2MBps 0KBps
Rate limit CP Dhcp traffic Disable 8MBps 0KBps
Rate limit CP Hostapd traffic Disable 20MBps 0KBps
Rate limit CP Ospf traffic Disable 2MBps 0KBps
Rate limit CP trusted-mcast packet traffic Disable 20MBps 0KBps
Rate limit CP trusted-ucast packet traffic Disable 40MBps 0KBps
Rate limit CP untrusted-mcast packet traffic Disable 10MBps 0KBps
Rate limit CP untrusted-ucast packet traffic Disable 10MBps 0KBps
Rate limit CP VRRP packet traffic Disable 2MBps 0KBps
Rate limit SP session miss packet traffic Disable 50000pps
Rate limit SP user miss packet traffic Disable 1000pps
Rate limit SP other excepion packet traffic Disable 2MBps 0KBps
7.4.2 Configuring Anti-attack
JadeOS supports anti-attack configuration, which makes it convenient to adjust the configuration for various network scenarios.
Two configuration commands are available in config mode:
firewall cp-bandwidth-contract <service type> <pps number | traffic limit>
firewall sp-bandwidth-contract <service type> <pps number | traffic limit>
For example:
To configure the rate limit of session creation to 50000 per second:
(JadeOS) (config)#firewall sp-bandwidth-contract session pps 50000
To configure the rate limit of new online users to 700 per second:
(JadeOS) (config)#firewall sp-bandwidth-contract user pps 700
To configure the rate of receiving DHCP messages to 2000 per second:
(JadeOS) (config)#firewall cp-bandwidth-contract dhcp pps 2000
To configure the rate of receiving ARP messages to 2000 per second:
(JadeOS) (config)#firewall cp-bandwidth-contract arp pps 2000
To configure the rate of receiving unauthenticated unicast messages to 10 Mbps:
(JadeOS) (config)#firewall cp-bandwidth-contract untrusted-ucast 10 0
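The classify-then-limit scheme of 7.4, as an added example that is not Skspruce code and does not describe the JadeOS datapath: each class gets a token bucket expressed either in packets per second or in bytes per second, and a burst of packets is run through the policy. The protocol-to-class mapping, the burst size (one second of tokens) and the conversion of the 10 Mbps limit above to bytes per second are assumptions made for the example; the contract values are taken from the configuration commands above. Counts are cumulative per contract, so a second burst one second later shows the buckets refilling.

```python
class BandwidthContract:
    """Token bucket in packets per second or bytes per second; burst = one second of tokens (assumption)."""

    def __init__(self, rate, unit):
        self.rate, self.unit = float(rate), unit       # unit: "pps" or "bps" (bytes per second)
        self.tokens, self.last = float(rate), 0.0
        self.accepted = self.dropped = 0

    def admit(self, now, size):
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        cost = 1 if self.unit == "pps" else size
        if self.tokens >= cost:
            self.tokens -= cost
            self.accepted += 1
            return True
        self.dropped += 1
        return False


def classify(pkt):
    """Map a control-plane packet to its rate-limit class (constructed mapping)."""
    if pkt["proto"] == "arp":
        return "arp"
    if pkt["proto"] == "udp" and pkt.get("dport") in (67, 68):
        return "dhcp"
    if pkt["proto"] == "ospf":
        return "ospf"
    return "trusted-ucast" if pkt.get("authenticated") else "untrusted-ucast"


def make_policy():
    """Contracts from the example commands above; 10 Mbps converted to bytes per second."""
    return {
        "dhcp": BandwidthContract(2000, "pps"),
        "arp": BandwidthContract(2000, "pps"),
        "untrusted-ucast": BandwidthContract(10 * 1_000_000 // 8, "bps"),
    }


def simulate(packets, policy):
    """Run packets through the per-class contracts; returns {class: (accepted, dropped)} cumulatively."""
    result = {}
    for pkt in packets:
        cls = classify(pkt)
        contract = policy.get(cls)
        if contract is None:
            result.setdefault(cls, [0, 0])[0] += 1    # no contract for this class: always admitted
            continue
        contract.admit(pkt["t"], pkt["size"])
        result[cls] = [contract.accepted, contract.dropped]
    return {k: tuple(v) for k, v in result.items()}
```

A flood of 3000 DHCP packets in one instant is cut to the 2000 configured, while the OSPF packets in the same burst are unaffected because the limit applies per class; that isolation is what keeps routing adjacencies alive while the control plane is being flooded on another protocol.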
7.5 Configuring Lawful Intercept
Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance.
The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks. The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target's IP address or session to determine which of its edge routers handles the target's traffic (data communication). The service provider then intercepts the target's traffic as it passes through the router, and sends a copy of the intercepted traffic to the LEA without the target's knowledge.
Configuration steps:
Step 1 To create an LIG (LI gateway) and specify the encapsulation of the traffic sent to the LIG, use the following command in LI mode:
lig add <li-gateway-name> [mirror|udp][interface|id]
Step 2 To add an LI rule, specifying the LI match (based on ACL, IP, MAC or network segment) and the LIG that receives the LI traffic, use the following command:
rule [acl-filter | host-filter | mac-filter | net-filter] send <lig-name>
acl-filter add lawful intercept rule, intercept data streams
host-filter add lawful intercept rule, intercept host data streams
mac-filter add lawful intercept rule, intercept ethernet data streams
net-filter add lawful intercept rule, intercept host data streams
Figure 6-4 Lawful interception
To create a lawful interception gateway interface and rules on JadeOS, complete the following steps:
Step 1 Enter the LI configuration mode.
(JadeOS)(config) #li
Step 2 Configure the LI gateway on JadeOS.
(JadeOS)(config-li) #lig add test123 mirror gigabitethernet 2/1
Step 3 Configure the LI rule and enable lawful intercept on JadeOS.
(JadeOS)(config-li) #rule host-filter 1 gigabitethernet 2/1 10.1.10.2 send test123
(JadeOS)(config-li) #li enable
Chapter 8 Configuring HQoS
With the rapid development of computer networks, services such as bandwidth-, delay- and jitter-sensitive voice and video are transferred through IP network tunnels. JadeOS supports HQoS (hierarchical QoS) technology, which can classify the type of service traffic; it can also uniformly manage and hierarchically schedule the transfer objects, such as several users, multiple services, several types of traffic and so on, which ensures the quality of the different data services.
To enable or disable the HQoS function in JadeOS, use the following command in config mode:
hqos-switch [on|off]
8.1 Configuring Rate Limitation on Port
To configure the rate limitation for a port on JadeOS, use the following command:
rate-limit [down|up] (0-10240) [bps|kbps|mbps]
For example, to configure the rate limit of the inbound direction to 200 Mbps and the rate of the outbound direction to 300 Mbps:
(JadeOS)(config)#interface gigabitethernet 1/0
(JadeOS)(config-if)#rate-limit up 200 mbps
(JadeOS)(config-if)#rate-limit down 300 mbps
8.2 Configuring Rate Limitation on VLAN
To configure the rate limitation for a VLAN on JadeOS, use the following commands:
(JadeOS)(config)#interface vlan 100
(JadeOS)(config-if)#rate-limit up 200 mbps
(JadeOS)(config-if)#rate-limit down 1 mbps
8.3 Configuring Rate Limitation on User
To configure the rate limitation for a user on JadeOS, use the following steps:
Step 1 To configure bandwidth contracts named 'BW-8M' and 'BW-2M', use the following commands:
(JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8
(JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2
Step 2 To configure the downstream bandwidth 'BW-8M' and the upstream bandwidth 'BW-2M' in the user role, use the following commands:
(JadeOS) (config)#user-role postauth
(JadeOS) (config-role)#bandwidth-contract BW-8M downstream
(JadeOS) (config-role)#bandwidth-contract BW-2M upstream
Chapter 9 Configuring AAA
This chapter describes AAA configuration, including user network access, bandwidth control policy and so on.
9.1 The Trust and Untrust Attribute
The attribute applies to the interface on which a data packet enters. When an interface has the trust attribute, JadeOS disables authentication on that interface; when it has the untrust attribute, JadeOS enables authentication on it. A trusted interface therefore bypasses all of the access control described in this chapter, so only interfaces facing infrastructure you control should be marked trusted.
To configure the trust or untrust attribute of an interface, use the following steps:
Step 1 Enter interface config mode:
(JadeOS) (config)#interface gigabitethernet 10/1
Step 2 Set the interface to the trust attribute:
(JadeOS) (config-if)#trusted
Step 3 Set the interface to the untrust attribute:
(JadeOS) (config-if)#no trusted
Every layer-2 and layer-3 interface carries the trust or untrust attribute. When a data packet passes through several interfaces, JadeOS decides whether to authenticate according to the attribute of the last interface. For example, add interface gigabitethernet 1/0 to VLAN 10, with gigabitethernet 1/0 set to trust and interface vlan 10 set to untrust; by the rule above, the packet is authenticated according to the attribute of the last interface, vlan 10.
9.2 User and User Role
9.2.1 User
In order to flexibly control network access and traffic bandwidth per IP address, JadeOS creates a user table entry for each IP address that arrives through an untrust interface. The user table entry has its own life cycle.
Create User: when traffic from an IP address enters the system from an untrust interface, JadeOS looks the IP address up; if it does not exist, JadeOS triggers the authentication process and generates a user table entry, indexed by IP address.
Delete User: when the user goes offline or sends no traffic for a long time, JadeOS deletes the user table entry.
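As an added example (not JadeOS code), the following Python models the user-table life cycle just described together with the trust/untrust rule of section 9.1: an entry is created on the first packet whose last interface is untrusted, moves from the initial role to the default role on successful authentication, and is deleted on logout or when the idle-time or lifetime timer of its current state expires (the pre-auth/post-auth idle-time and lifetime values of an AAA profile). The timer semantics, the role names and the sample traffic are assumptions.

```python
# Added example, not JadeOS code: per-IP user table with create/delete life cycle.
from dataclasses import dataclass


@dataclass
class UserEntry:
    ip: str
    role: str
    state: str        # "pre-auth" or "post-auth"
    created: float    # start of the current state
    last_seen: float


class UserTable:
    def __init__(self, initial_role, default_role, timers):
        # timers: {"pre-auth": (idle_time, lifetime), "post-auth": (idle_time, lifetime)}
        self.initial_role, self.default_role = initial_role, default_role
        self.timers = timers
        self.entries = {}             # ip -> UserEntry, indexed by IP as in 9.2.1
        self.auth_started = []        # IPs for which authentication was triggered

    def packet(self, src_ip, last_interface_trusted, now):
        """Return the role the packet is processed under, or None when the last
        interface it crossed is trusted (authentication is disabled there)."""
        if last_interface_trusted:
            return None
        self.expire(now)
        entry = self.entries.get(src_ip)
        if entry is None:             # CreateUser: unknown IP on an untrust interface
            entry = UserEntry(src_ip, self.initial_role, "pre-auth", now, now)
            self.entries[src_ip] = entry
            self.auth_started.append(src_ip)
        entry.last_seen = now
        return entry.role

    def authenticated(self, ip, now):
        """Successful authentication: switch role and restart the lifetime clock."""
        e = self.entries[ip]
        e.role, e.state, e.created, e.last_seen = self.default_role, "post-auth", now, now

    def logout(self, ip):
        self.entries.pop(ip, None)    # DeleteUser: user went offline

    def expire(self, now):
        """DeleteUser: idle longer than idle-time, or older than lifetime."""
        for ip, e in list(self.entries.items()):
            idle_time, lifetime = self.timers[e.state]
            if now - e.last_seen >= idle_time or now - e.created >= lifetime:
                del self.entries[ip]


if __name__ == "__main__":
    table = UserTable("preauth", "postauth",
                      {"pre-auth": (300, 300), "post-auth": (300, 300)})
    print(table.packet("10.1.1.5", False, 0))      # preauth: entry created, auth triggered
    table.authenticated("10.1.1.5", 100)
    print(table.packet("10.1.1.5", False, 350))    # postauth
    print(table.packet("10.1.1.5", False, 700))    # preauth again: entry aged out
```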
9.2.2 User Role and ACL
A user role defines network access. JadeOS specifies a user's network access by ACL. To create a user role in JadeOS, first create a session ACL, then apply the ACL to the user role.
To create a user role, use the following steps:
Step 1 Configure a session ACL named pre-auth-acl:
(JadeOS) (config) #ip access-list session pre-auth-acl
Step 2 Configure the network access:
(JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.2 443
Step 3 Create a user role named 'preauth':
(JadeOS) (config) #user-role preauth
Step 4 Apply the ACL to the user role:
(JadeOS) (config-role) #session-acl pre-auth-acl
Attributes supported by user role:
Attribute                   Description
access-list                 Apply an access list to the user role
bandwidth-contract          Set the maximum bandwidth
max-sessions                Set the datapath session limit; 64k by default
reauthentication-interval   Configure the re-authentication interval
session-acl                 Apply a session ACL
vlan                        Assign a VLAN
9.2.3 Access Policy Based on User Role
Before a user authenticates successfully, JadeOS assigns an initial role to the user (the role before authentication); after the user authenticates successfully, JadeOS assigns a new role (the role after authentication). Network administrators can flexibly control network access by configuring the ACLs of these two roles. Note that the pre-authentication ACL is reachable by anyone who can send traffic into an untrust interface, so it should permit only what the authentication flow needs (here DNS and the portal redirect).
For example, to configure a user role named preauth that permits DNS traffic but redirects all other traffic to port 443 for authentication by DNAT, and a user role named postauth that allows all traffic, use the following steps:
(JadeOS) (config) #ip access-list session pre-auth-acl
(JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#exit
(JadeOS) (config) #ip access-list session post-auth-acl
(JadeOS) (config-sess-post-auth-acl)#any any any permit
(JadeOS) (config-sess-post-auth-acl)#exit
(JadeOS) (config)#user-role preauth
(JadeOS) (config-role)#access-list session pre-auth-acl
(JadeOS) (config-role)#exit
(JadeOS) (config)#user-role postauth
(JadeOS) (config-role)#access-list session post-auth-acl
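As an added example (not JadeOS code), the following Python evaluates session ACLs written in the rule syntax used in this chapter and applies them through user roles: it returns `dst-nat` as a rewritten destination, resolves `alias` endpoints against a supplied netdestination table (the white-list/black-list rules of section 9.7.8), honours `position`, and denies anything no rule matches. The alias resolution, the implicit deny, the single ACL per role and the sample packets are assumptions.

```python
# Added example, not JadeOS code: evaluator for `ip access-list session` rules.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int


class SessionAcl:
    """`ip access-list session <name>`; rules are `<src> <dst> <service> <action>`."""

    def __init__(self, name, aliases=None):
        self.name = name
        self.rules = []                    # ordered; first match wins
        self.aliases = aliases or {}       # netdestination name -> set of IPs (assumed)

    def add(self, line):
        """Parse one `(config-sess-<name>)#` line and append or position it."""
        t = line.split()
        src, t = self._endpoint(t)
        dst, t = self._endpoint(t)
        if t[0] in ("tcp", "udp"):                      # tcp|udp <port> | <lo> <hi>
            proto = t[0]
            if len(t) > 2 and t[2].isdigit():
                ports, t = (int(t[1]), int(t[2])), t[3:]
            else:
                ports, t = (int(t[1]), int(t[1])), t[2:]
        elif t[0] == "svc-dhcp":                        # DHCP server/client ports
            proto, ports, t = "udp", (67, 68), t[1:]
        else:                                           # any
            proto, ports, t = None, (0, 65535), t[1:]
        if t[0] == "dst-nat":                           # dst-nat ip <ip> <port>
            action, t = ("dst-nat", t[2], int(t[3])), t[4:]
        elif t[0] == "deny":
            action, t = ("deny",), t[1:]
            if t and t[0] == "send-deny-response":
                action, t = ("deny", "send-deny-response"), t[1:]
        elif t[0] == "permit":
            action, t = ("permit",), t[1:]
        else:
            raise ValueError(f"{self.name}: unknown action {t[0]}")
        rule = {"src": src, "dst": dst, "proto": proto, "ports": ports, "action": action}
        if t and t[0] == "position":
            self.rules.insert(int(t[1]) - 1, rule)
        else:
            self.rules.append(rule)

    def _endpoint(self, t):
        if t[0] == "any":
            return ("any",), t[1:]
        if t[0] in ("host", "alias"):
            return (t[0], t[1]), t[2:]
        raise ValueError(f"{self.name}: bad endpoint {t[0]}")

    def _match(self, ep, ip):
        if ep[0] == "any":
            return True
        if ep[0] == "host":
            return ip == ep[1]
        return ip in self.aliases.get(ep[1], set())

    def lookup(self, p):
        """Action of the first matching rule; implicit deny otherwise (assumed)."""
        for r in self.rules:
            if (self._match(r["src"], p.src) and self._match(r["dst"], p.dst)
                    and r["proto"] in (None, p.proto)
                    and r["ports"][0] <= p.dport <= r["ports"][1]):
                return r["action"]
        return ("deny",)


class UserRole:
    """`user-role <name>` with one `session-acl <acl>` applied."""

    def __init__(self, name, acl=None):
        self.name, self.acl = name, acl

    def decide(self, p):
        return self.acl.lookup(p) if self.acl else ("deny",)


def build_roles():
    """The preauth/postauth roles above plus white-/black-list rules in the
    style of 9.7.8; alias names resolve to constructed IP sets."""
    pre = SessionAcl("pre-auth-acl", aliases={"white-list": {"203.0.113.10"}})
    pre.add("any any udp 53 permit")
    pre.add("any any tcp 0 65535 dst-nat ip 10.0.0.2 443")
    pre.add("any any udp 0 65535 dst-nat ip 10.0.0.2 443")
    pre.add("any alias white-list any permit position 1")
    post = SessionAcl("post-auth-acl", aliases={"black-list": {"198.51.100.7"}})
    post.add("any any any permit")
    post.add("any alias black-list any deny send-deny-response position 1")
    return UserRole("preauth", pre), UserRole("postauth", post)


if __name__ == "__main__":
    preauth, postauth = build_roles()
    web = Packet("10.1.1.5", "93.184.216.34", "tcp", 80)
    print(preauth.decide(web))     # ('dst-nat', '10.0.0.2', 443): sent to the portal
    print(postauth.decide(web))    # ('permit',)
```

The `position` keyword matters: without it the white-list permit would sit behind the catch-all DNAT rule and never match, and the black-list deny would sit behind `any any any permit`.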
9.3 Connections among User, VLAN and User Role
Each user has its own VLAN ID in JadeOS. There are several ways to assign a VLAN to a user, for example:
- If a user accesses from a VLAN interface, the user's VLAN is the interface's VLAN ID;
- Specify a VLAN for an SSID; if a user accesses from this SSID, the user's VLAN is the specified VLAN.
Each VLAN has an AAA policy; see section 9.4 for more information. Each AAA policy defines the user role before authentication and after authentication (including network access and bandwidth control). The user switches user role after authentication.
9.4 Configuring AAA Profile
An AAA profile is a profile of authentication configuration. It specifies the authentication method (web portal, 802.1X, MAC authentication), the initial role (role before authentication), the default role (role after authentication), the RADIUS server and so on.
Apply the AAA profile to a VLAN, and all users in that VLAN use the AAA profile.
Before configuring the profile, configure the ACL, role, RADIUS server group and authentication method, and then apply them to the AAA profile.
9.4.1 Configuring ACL
The ACL specifies the user's network access. See sections 9.2 and 9.3 for more information.
9.4.2 Configuring Role
Configuring an AAA profile requires a user role before authentication and a user role after authentication. See section 9.3 for more information.
9.4.3 Configuring RADIUS Server Group
Step 1 Configure RADIUS server RS1, including the IP address of the RADIUS server, the authentication key and the local (source) IP address:
(JadeOS) (config)#aaa authentication-server radius RS1
(JadeOS) (RADIUS Server "RS1")#host 119.6.200.245
(JadeOS) (RADIUS Server "RS1")#key 123456
(JadeOS) (RADIUS Server "RS1")#ip 119.6.200.33
(JadeOS) (RADIUS Server "RS1")#exit
Step 2 Configure RADIUS server group SG1, which may contain several RADIUS servers:
(JadeOS) (config)#aaa server-group SG1
(JadeOS) (Server Group "SG1")#auth-server RS1
The key is the RADIUS shared secret. A short numeric value like the one in this example is only suitable for illustration: the shared secret is all that protects User-Password hiding and request authentication between JadeOS and the server.
Commands supported by RADIUS server:
Attribute        Description
acctport         Port number used for accounting; range 1-65535; default 1813
authport         Port number used for authentication; range 1-65535; default 1812
host             IP address or host name of the RADIUS server
ip               Source address of RADIUS requests
key              Pre-shared key
nas-identifier   NAS-Identifier used in RADIUS packets
nas-ip           NAS-IP-Address used in RADIUS packets
retransmit       Maximum number of request retransmissions; range 0-3; default 3
timeout          Request timeout; range 1-30 s; default 5 s
use-md5          Use MD5 encryption
Commands supported by RADIUS server group:
Attribute            Description
allow-fail-through   Allow traffic that failed authentication
auth-server          Assign an authentication server
set                  Set role/VLAN rule
9.4.4 Configuring Authentication Method
The authentication methods supported by JadeOS are captive-portal, dot1x, mac, open, psk, wep and radius-proxy. An authentication method usually specifies a default-role, which is the user role after successful authentication. This section describes the configuration of an authentication method using web portal as the example.
For portal authentication, you need to define an rfc-3576-client, and then a profile that includes at least the RADIUS server group, the default-role and the rfc-3576-client. See section 9.7 for more information.
For example:
(JadeOS) (config)#aaa rfc-3576-client 119.6.200.203
(JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234
(JadeOS) (RFC 3576 Client "119.6.200.203")#exit
(JadeOS) (config)#aaa authentication captive-portal web-portal
(JadeOS) (Portal Authentication Profile "web-portal")#server-group SG1
(JadeOS) (Portal Authentication Profile "web-portal")#default-role postauth
(JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203
Commands supported by portal:
Attribute             Description
default-role          Assign the default role
rfc-3576-client       RFC 3576 client
server-group          RADIUS server group name for web authentication
welcome-page-url-id   URL ID of the welcome page
9.4.5 Configuring AAA Profile
To configure an AAA profile, use the following steps:
Step 1 Create an AAA profile named 'aaa':
(JadeOS) (config)#aaa profile aaa
Step 2 Specify the authentication method:
(JadeOS) (AAA profile "aaa")#authentication-portal web-portal
Step 3 Specify the user role before authentication:
(JadeOS) (AAA profile "aaa")#initial-role preauth
Step 4 Specify the RADIUS server group and enable accounting:
(JadeOS) (AAA profile "aaa")#radius-accounting SG1
(JadeOS) (AAA profile "aaa")#radius-accounting enable
Commands supported by AAA profile:
Attribute                     Description
authentication-dot1x          Configure the 802.1X authentication profile
authentication-mac            Configure the MAC authentication profile
authentication-open           Configure the open authentication profile
authentication-portal         Configure the portal authentication profile
authentication-psk            Configure the PSK authentication profile
authentication-radius-proxy   Configure the RADIUS proxy profile
authentication-wep            Configure the WEP authentication profile
disconnect-message-client     Configure the disconnect message client
http-redir-url-id             Configure the HTTP redirection URL ID
http-redirection              Configure HTTP redirection
initial-role                  Role assigned to a user before authentication takes place
post-auth                     Post-auth timer
pre-auth                      Pre-auth timer
radius-accounting             Configure RADIUS accounting
9.4.6 Binding VLAN
Bind the AAA profile to VLAN 100; all users in VLAN 100 then use this AAA profile. The configuration command is as follows:
(JadeOS) (config)#vlan 100 aaa-profile aaa
9.5 MAC Authentication
Authentication Description
MAC address authentication controls user network access based on the MAC address; it requires no client software.
MAC authentication encapsulates the MAC address into a RADIUS message according to the configuration and authenticates it against the specified RADIUS server. Because a MAC address is sent in the clear and is trivially spoofed, MAC authentication is usually combined with another authentication method (WPA, web-auth), although it can also be used on its own. JadeOS starts authentication for a user when its MAC address is detected for the first time.
Configuration Management
To configure MAC authentication, use the following steps:
Step 1 Configure the MAC authentication profile:
(JadeOS) (config)#aaa authentication mac mac1
(JadeOS) (MAC Authentication Profile "mac1")#server-group sg
(JadeOS) (MAC Authentication Profile "mac1")#default-role post-auth
(JadeOS) (MAC Authentication Profile "mac1")#exit
Step 2 Apply MAC authentication in the AAA profile:
(JadeOS) (config)#aaa profile aaa
(JadeOS) (AAA profile "aaa")#authentication-mac mac1
9.6 802.1X Authentication
Authentication Description
802.1X authentication is a port-based authentication policy. Its purpose is to decide whether a port is usable: after successful authentication the port allows all traffic; until then, or after failed authentication, the port only allows 802.1X (EAPOL) traffic.
Configuring Steps
802.1X authentication needs a RADIUS server group and a default-role, for example:
Step 1 Configure the 802.1X authentication profile with its default role and RADIUS server group:
(JadeOS) (config)#aaa authentication dot1x dot1x1
(JadeOS) (802.1X Authentication Profile "dot1x1")#default-role post-auth
(JadeOS) (802.1X Authentication Profile "dot1x1")#server-group SG1
Step 2 Apply 802.1X authentication in the AAA profile:
(JadeOS) (config)#aaa profile aaa
(JadeOS) (AAA profile "aaa")#authentication-dot1x dot1x1
9.7 Web Portal Authentication
Web authentication is a browser-based authentication scheme. An unauthenticated user is redirected to a login page and asked for a user name and password; the user can access the network only after successful authentication. Web redirect supports DNAT redirect and HTTP 302 redirect.
9.7.1 Web Authentication Process
Web authentication is based on HTTP; the login page is not forced onto the user until the user sends an HTTP request.
The web authentication process is as follows:
• An unauthenticated user starts browsing and sends an HTTP request
• The HTTP request is redirected to an external portal server
• The portal server returns an authentication page for secure login
• The user enters the user name and password; the browser submits them to the web portal (the authentication module in JadeOS), and the web portal sends an authentication request to the RADIUS server
• JadeOS decides whether authentication succeeded through the user database on the RADIUS server; on success the RADIUS server informs JadeOS, and JadeOS informs the portal server
• The portal server shows the welcome page; user authentication is complete
Because the redirect is triggered by plain HTTP, the credentials are only as protected as the login page itself: serve it over HTTPS (port 443, as in the examples below) so the user name and password are not sent in the clear.
9.7.2 DNAT Redirect
JadeOS redirects by DNAT by default. Before authentication, the session ACL redirects HTTP requests to the portal server. The configuration commands are as follows:
(JadeOS) (config) #ip access-list session pre-auth-acl
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.2 443
9.7.3 HTTP 302 Redirect
To configure HTTP 302 redirect, use the following steps:
Step 1 Configure the URL list in config mode:
(JadeOS) (config)# aaa http-redirection-url 1 ip 10.0.0.1 url http://10.0.0.1/wlan/index.php
Step 2 Specify the URL ID in the AAA profile:
(JadeOS) (AAA profile "aaa")#http-redir-url-id 1
Step 3 Enable HTTP 302 redirect:
(JadeOS) (AAA profile "aaa")#http-redirection enable
9.7.4 Configuring Portal Server
JadeOS web authentication customizes the login page through an external portal server. The portal server acts as a client as defined in RFC 3576; this client sends user disconnection and change-of-authorization messages to JadeOS.
To configure the RFC 3576 client, use the following commands:
(JadeOS) (config)#aaa rfc-3576-client 119.6.200.203
(JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234
To configure the address and source port on which JadeOS acts as RFC 3576 server, use the following command:
ip rfc-3576-server ip <IP> port <1-65535>
Only the configured client address with the matching key can disconnect or re-authorize users, so restrict it to the portal server and choose the key as carefully as the RADIUS shared secret.
9.7.5 Configuring CoA Disconnect Message
A disconnect message (DM) is a user disconnect message. The AAA service framework uses CoA messages to dynamically modify active subscriber sessions. For example, RADIUS attributes in CoA messages might instruct the framework to create, modify or terminate a subscriber service.
CoA Messages
Dynamic request support enables the router to receive and process unsolicited CoA messages from external RADIUS servers. RADIUS-initiated CoA messages use the following codes in request and response messages:
■ CoA-Request (43)
■ CoA-ACK (44)
■ CoA-NAK (45)
Disconnect messages use Disconnect-Request (40), Disconnect-ACK (41) and Disconnect-NAK (42) in the same way.
To configure the CoA DM server, use the following command:
ip disconnect-message-server <IP> port <1-65535>
To configure the CoA DM client, use the following commands:
(JadeOS) (config) #aaa profile aaa
(JadeOS) (AAA profile "aaa") #disconnect-message-client <IP>
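As an added example (not JadeOS code), the following Python builds and checks the RADIUS packets behind the RADIUS server section (9.4.3), MAC authentication (9.5) and the CoA/disconnect sections above: an Access-Request with RFC 2865 User-Password hiding keyed on the shared `key`, a MAC-authentication request carrying the station MAC as User-Name, and an RFC 5176 (formerly RFC 3576) Disconnect-Request whose Request Authenticator the NAS verifies before touching a session. The shared secrets, identifiers, the MAC-as-password convention and the NAS-side handling are assumptions; RFC 2865 and RFC 5176 define the algorithms.

```python
# Added example, not JadeOS code: RADIUS Access-Request and RFC 5176 Disconnect-Request.
import hashlib
import struct

ACCESS_REQUEST, DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 1, 40, 41, 42
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(t, value):
    """Type, Length (header included), Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def parse_attrs(body):
    i = 0
    while i < len(body):
        t, length = body[i], body[i + 1]
        yield t, body[i + 2:i + length]
        i += length


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-octet blocks; XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server side of the same transform; trailing padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, authenticator, user, password, secret, nas_ip):
    """Access-Request as JadeOS would send it; `nas_ip` is the `nas-ip` attribute."""
    body = (attr(USER_NAME, user)
            + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def mac_auth_request(ident, authenticator, mac, secret, nas_ip):
    """MAC authentication: the MAC (lower case, no separators, an assumed
    format) is sent as both User-Name and User-Password."""
    user = mac.replace(":", "").lower().encode()
    return access_request(ident, authenticator, user, user, secret, nas_ip)


def disconnect_request(ident, attrs, secret):
    """RFC 5176: Request Authenticator = MD5(Code+ID+Length+16 zero octets
    +Attributes+Secret), computed by the rfc-3576-client (the portal)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body


def verify_request(pkt, secret):
    """NAS side: recompute the authenticator with the client's configured key."""
    header, ra, body = pkt[:4], pkt[4:20], pkt[20:]
    return hashlib.md5(header + b"\x00" * 16 + body + secret).digest() == ra


def response(code, request, secret, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(resp, request, secret):
    """Client side: the ACK/NAK must be bound to our request and our key."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[1] == request[1] and resp[4:20] == expected


def handle_disconnect(pkt, secret, sessions):
    """Assumed NAS handling: silently drop a request with a bad authenticator
    (RFC 5176 requires that), NAK an unknown user, otherwise delete the
    user-table entry and ACK."""
    if pkt[0] != DISCONNECT_REQUEST or not verify_request(pkt, secret):
        return None
    user = dict(parse_attrs(pkt[20:])).get(USER_NAME)
    if user not in sessions:
        return response(DISCONNECT_NAK, pkt, secret)
    sessions.discard(user)
    return response(DISCONNECT_ACK, pkt, secret)
```

The Request Authenticator is the only thing that stops an arbitrary host from disconnecting users, which is why the rfc-3576-client key and the server port restriction matter as much as the RADIUS shared secret.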
9.7.6 Configuring Captive-portal Authentication
Step 1 Configure the authentication method:
(JadeOS) (config)#aaa authentication captive-portal web-portal
(JadeOS) (Portal Authentication Profile "web-portal")#server-group SG1
(JadeOS) (Portal Authentication Profile "web-portal")#default-role postauth
(JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203
Step 2 Apply captive-portal authentication in the AAA profile:
(JadeOS) (AAA profile "aaa")#authentication-portal web-portal
9.7.7 Customized Logout Domain
A user can use a customized logout domain such as logout.wifi: entering logout.wifi in the browser opens the logout page.
To configure logout.wifi in JadeOS, use the following command:
(JadeOS) (config)#ip domain-name logout.wifi http-redirect-url <word>
9.7.8 Configuring White-list and Black-list
A white-list or black-list is a group of URLs (net destinations). Three cases apply:
• A user can access white-list URLs without authenticating
• A user cannot access black-list URLs, even after successful authentication
• A user can access URLs that are neither white-listed nor black-listed after successful authentication
To configure a net destination in JadeOS, use the following command:
(JadeOS) (config) # netdestination black-list|white-list name WORD
Configuring White-list
To configure the white-list in JadeOS, use the following commands (the DNS server must also be permitted before authentication so that white-listed names can be resolved):
(JadeOS) (config) #netdestination white-list name www.sina.com
(JadeOS) (config) # ip access-list session pre
(JadeOS) (config-sess-pre) # any host <DNS> any permit position 1
(JadeOS) (config-sess-pre) #any alias 123 any permit position 2
Configuring Black-list
To configure the black-list in JadeOS, use the following commands:
(JadeOS) (config) #netdestination black-list name www.sina.com
(JadeOS) (config) # ip access-list session post
(JadeOS) (config-sess-post) #any alias 123 any deny send-deny-response position 2
9.8 RADIUS Proxy
JadeOS supports RADIUS proxy. With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. Roaming permits two or more administrative entities to allow each other's users to dial into either entity's network for service.
9.8.1 Configuring RADIUS Proxy
Step 1 Create the RADIUS proxy authentication profile RP:
(JadeOS) (config)#aaa authentication radius-proxy RP
(JadeOS) (Radius Proxy Profile "RP")#default-role postauth
(JadeOS) (Radius Proxy Profile "RP")#server-group SG1
Step 2 Configure AAA profile AAA and specify RP as its RADIUS proxy authentication method:
(JadeOS) (config)#aaa profile AAA
(JadeOS) (AAA profile "AAA")#authentication-radius-proxy RP
Step 3 Specify the AAA profile for the RADIUS proxy in config mode:
(JadeOS) (config)#aaa radius-proxy aaa profile AAA
Step 4 Enable RADIUS proxy in config mode:
(JadeOS) (config)#aaa radius-proxy enable
9.8.2 Configuring EAP-SIM
EAP-SIM is an EAP authentication protocol based on the 2G SIM card, through which users access the WLAN.
Unlike other authentication protocols, EAP-SIM uses the subscriber data and the original authentication material stored on the SIM card to authenticate the user and to generate the session key for WLAN access. The subscriber data stays in the operator's HLR, so the authentication material does not have to travel over the Internet and is protected from network attack.
EAP-SIM is the authentication protocol applied in 2G networks and EAP-AKA in 3G networks. EAP-SIM authentication is performed when the user has a SIM card, and EAP-AKA when the user has a USIM card. EAP-SIM and EAP-AKA are specified in RFC 4186 and RFC 4187 respectively.
Figure 9-1 EAP-SIM authentication
To configure EAP-SIM authentication on JadeOS, follow these steps:
Step 1 Configure the RADIUS server and server group:
(JadeOS) (config) # aaa authentication-server radius r1
(JadeOS) (RADIUS Server "r1") #host 1.1.1.1
(JadeOS) (RADIUS Server "r1") #key 123
(JadeOS) (RADIUS Server "r1") #ip 10.1.1.10
(JadeOS) (RADIUS Server "r1") #exit
(JadeOS) (config) #aaa server-group sg
(JadeOS) (Server Group "sg")#auth-server r1
Step 2 Configure the 802.1X authentication profile:
(JadeOS) (config)#aaa authentication dot1x dot1x
(JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth
(JadeOS) (802.1X Authentication Profile "dot1x")#server-group sg
Step 3 Configure the AAA profile:
(JadeOS) (config)#aaa profile default
(JadeOS) (AAA profile "default")#authentication-dot1x dot1x
(JadeOS) (AAA profile "default")#radius-accounting sg
(JadeOS) (AAA profile "default")#initial-role preauth
Step 4 Configure the SSID profile:
(JadeOS) (config)#wlan ssid-profile default
(JadeOS) (SSID Profile "default")#auth-mode wpa-aes
Step 5 Configure the VAP profile:
(JadeOS) (config)#wlan vap-profile default
(JadeOS) (VAP Profile "default")#aaa-profile default
(JadeOS) (VAP Profile "default")#ssid-profile default
Step 6 Configure the AP template:
(JadeOS) (config)#ap-template default
(JadeOS) (AP template "default")#vap-profile default
9.9 Rate Limit Based on User
Step 1 Configure bandwidth contracts named "BW-8M" and "BW-2M" in config mode:
(JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8
(JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2
Step 2 Specify BW-8M as the downstream and BW-2M as the upstream contract of the user role:
(JadeOS) (config)#user-role postauth
(JadeOS) (config-role)#bandwidth-contract BW-8M downstream
(JadeOS) (config-role)#bandwidth-contract BW-2M upstream
9.10 User Accounting
To configure user accounting, first configure a RADIUS server group, then select it and enable RADIUS accounting in the AAA profile with the radius-accounting <server-group> command. For example:
(JadeOS) (AAA profile "aaa")#radius-accounting SG1
(JadeOS) (AAA profile "aaa")#radius-accounting enable
9.11 Example of Web Portal Authentication
The following topology is used for the web authentication configuration example:
Figure 9-2 Web authentication configuration example
Step 1 Configure VLANs and IP addresses:
(JadeOS) (config) #vlan database
(JadeOS) (config-vlan) #vlan range 11,30
(JadeOS) (config-vlan) #exit
(JadeOS) (config) #interface gigabitethernet 4/1
(JadeOS) (config-if)#switchport access vlan 30
(JadeOS) (config-if)#exit
(JadeOS) (config) #interface gigabitethernet 4/4
(JadeOS) (config-if)#switchport access vlan 11
(JadeOS) (config-if)#exit
(JadeOS) (config) #interface vlan 30
(JadeOS) (config-subif)#ip address 119.6.200.71/24
(JadeOS) (config-subif)#exit
(JadeOS) (config) #interface vlan 11
(JadeOS) (config-subif)#ip address 11.11.11.76/24
(JadeOS) (config-subif)#exit
(JadeOS) (config) # ip route 0.0.0.0 0.0.0.0 119.6.200.1
(JadeOS) (config)#end
Step 2 Create the DHCP server:
(JadeOS) (config) #ip dhcp pool 119
(JadeOS) (config-dhcp)#network 119.6.200.0 255.255.255.0
(JadeOS) (config-dhcp)#default-router 119.6.200.1
(JadeOS) (config-dhcp)#dns-server 119.6.6.6
(JadeOS) (config-dhcp)#exit
(JadeOS) (config) #ip dhcp excluded-address 119.6.200.1 119.6.200.115
(JadeOS) (config) #ip dhcp excluded-address 119.6.200.117 119.6.200.254
(JadeOS) (config) #service dhcp
With these exclusions the pool hands out only 119.6.200.116, the single client address matched by the pre-auth ACL below.
Step 3 Configure the session ACLs:
(JadeOS) (config) #ip access-list session pre-auth-ctrl
(JadeOS) (config-sess-pre-auth-ctrl)#host 119.6.200.116 any tcp 80 dst-nat 8189 ip 210.151.12.118
(JadeOS) (config-sess-pre-auth-ctrl)#any any svc-dhcp permit
(JadeOS) (config-sess-pre-auth-ctrl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-ctrl)#any host 210.151.12.118 tcp 443 permit
(JadeOS) (config-sess-pre-auth-ctrl)#exit
(JadeOS) (config) #ip access-list session post-auth-ctrl
(JadeOS) (config-sess-post-auth-ctrl)#any any any permit
(JadeOS) (config-sess-post-auth-ctrl)#exit
Step 4 Configure the user roles:
(JadeOS) (config) #user-role pre-auth
(JadeOS) (config-role) #session-acl pre-auth-ctrl
(JadeOS) (config-role) #exit
(JadeOS) (config) #user-role post-auth
(JadeOS) (config-role) #session-acl post-auth-ctrl
(JadeOS) (config-role) #exit
Step 5 Configure timers:
(JadeOS) (config) # aaa timers dead-time 10
Step 6 Configure the RFC 3576 server and RFC 3576 client:
(JadeOS) (config) #ip rfc-3576-server source-interface vlan 30 port 1700
(JadeOS) (config) #aaa rfc-3576-client 210.151.12.118
(JadeOS) (RFC 3576 Client "210.151.12.118") #key ********
Step 7 Configure the RADIUS server and add it to a server group:
(JadeOS) (config) #aaa authentication-server radius r1
(JadeOS) (RADIUS Server "r1") #host 210.151.12.115
(JadeOS) (RADIUS Server "r1") #key ********
(JadeOS) (RADIUS Server "r1") #nas-ip 119.6.200.71
(JadeOS) (RADIUS Server "r1") #source-interface vlan 30
(JadeOS) (RADIUS Server "r1") #exit
(JadeOS) (config) #aaa server-group g1
(JadeOS) (Server Group "g1") #auth-server r1
Step 8 Configure the AAA profile:
(JadeOS) (config) #aaa profile ABC
(JadeOS) (AAA Profile "ABC") #web-auth-server-group g1
(JadeOS) (AAA Profile "ABC") #rfc-3576-client 210.151.12.118
(JadeOS) (AAA Profile "ABC") #initial-role pre-auth
(JadeOS) (AAA Profile "ABC")#web-auth-default-role post-auth
(JadeOS) (AAA Profile "ABC")#post-auth idle-time 300
(JadeOS) (AAA Profile "ABC")#post-auth lifetime 300
(JadeOS) (AAA Profile "ABC")#pre-auth idle-time 300
(JadeOS) (AAA Profile "ABC")#pre-auth lifetime 300
Step 9 Apply the profile to the VLAN:
(JadeOS) (config) #vlan 30 aaa-profile ABC
9.12 Troubleshooting
When JadeOS is in trouble, you can locate the problem by viewing the user list with the show user-table command. For example (no users are online in this output):
(JadeOS) #show user-table
Auth User Table Entries
-----------------------
Flags: O - Post-auth, E - Pre-auth, W - Web-auth, P - RADIUS proxy,
C - Accounting, m - Pre-MAC-auth, M - Post-MAC-auth, R - L3 roaming,
o - Open, w - WEP, c - CCMP, t - TKIP, a - WPA, n - RSN, x - 802.1X,
L - Station leave
No.  IP-addr  MAC-addr  Type  Flags  Age(d:h:m)  User-name
---  -------  --------  ----  -----  ----------  ---------
The datapath user table lists, per user, the ACLs and bandwidth contract that the forwarding plane is actually applying, which is what to check when a user is authenticated but still has the wrong access:
(JadeOS) #show datapath user table
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T - TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user
IP               MAC                ACLs     Contract   Location  Sessions   Flags
---------------  -----------------  -------  ---------  --------  ---------  -----
(JadeOS) #show datapath user counters
Datapath User Table Count is: 0
Chapter 10 WLAN Management
JadeOS provides a wireless controller (AC) and FIT AP solution.
The wireless controller uniformly configures, manages and maintains a large number of APs, which greatly reduces wireless network maintenance. JadeOS supports zero-configuration APs, which makes it convenient to extend FIT APs and the wireless network. JadeOS also supports centralized authentication, which is convenient for uniform access and authentication. At the same time, centralized AP management makes wireless roaming, RF management and load balancing of AP access easier.
With the standard CAPWAP protocol, the AC manages and controls APs through the CAPWAP control channel; data forwarding between AP and AC goes through the CAPWAP data channel. Because CAPWAP runs over a layer-3 network, it supports flexible deployment across multiple networks; as a standard protocol, it raises the possibility of interconnection between products from different manufacturers.
The forwarding mode supports AC centralized forwarding and AP local forwarding. The authentication mode supports AC centralized authentication and AP local authentication.
10.1 Wireless Network Architecture
10.1.1 CAPWAP Description
The Control and Provisioning of Wireless Access Points (CAPWAP) protocol is an IETF protocol. It governs the interconnection between WTP and AC, achieving management and data forwarding for all the WTPs controlled by the AC. CAPWAP has two channels:
• CAPWAP control channel
• CAPWAP data channel
10.1.2 CAPWAP Control Channel
AC discovery on the CAPWAP control channel takes two forms:
Static discovery: specify the IP address of the AC in the AP
Dynamic discovery: configure broadcast discovery, DHCP discovery, DNS discovery and so on in the AP
In addition, the AP actively requests version and configuration updates, which reduces maintenance.
10.1.3 CAPWAP Data Channel
After the AP's configuration request, the AC negotiates with the AP to enable the data channel. In centralized forwarding mode, uplink frames are encapsulated in CAPWAP by the AP, decapsulated by the AC and then forwarded; downlink frames are encapsulated in CAPWAP by the AC, reach the AP through the CAPWAP tunnel, are decapsulated by the AP and then reach the user terminal over 802.11.
10.1.4 Image Upgrade and Configuration Management
The AP automatically checks for version upgrades. You only need to configure the AC for configuration management, not a large number of APs. The configuration takes effect when the AC receives the AP's request. The configuration command is as follows:
copy ap-image primary-image ftp 192.168.50.222 admin AmOS-1.4.1.2 41724 WIA3200-10 A1 AmOS-1.4.1.2
Note that FTP carries the credentials and the image in the clear, so the FTP server should be reachable only from the management network.
10.1.5 Forwarding Mode
JadeOS implements AC centralized forwarding and AP local forwarding according to the CAPWAP standard. You can specify the forwarding mode through configuration.
10.1.6 Authentication Mode
JadeOS implements AC centralized authentication and AP local authentication. Each SSID can specify a VLAN, and the AAA profile is looked up according to the VLAN; see section 9.3 for more information.
10.1.7 Station Management
Station authentication is handled in the AC. The AC records the authentication process and the information about the AP a station is connected to, which is the basis for choosing the CAPWAP data channel and for roaming. Station management includes 802.11 management, STA information query, and log backup and recovery.
10.2 Forwarding Mode
Forwarding modes are classified into 802.11 tunnel centralized forwarding, 802.3 tunnel centralized forwarding, AC authentication with local forwarding, and local authentication with local forwarding.
10.3 Configuring Power
You can configure the AC to automatically choose the transmit power of APs; the configuration command is as follows:
transmit-power 0
Configuring Radio Frequency
You can manually configure the radio channel of an AP; the AP keeps its original radio settings when it comes online again after going offline normally. For example:
(JadeOS) (config)#radio dot11g-profile default
(JadeOS) (802.11g radio Profile "default")#channel 149
Configuring Radio Power
• JadeOS supports manual power regulation. For example:
(JadeOS) (config)#radio dot11a-profile default
(JadeOS) (802.11a radio Profile "default")#transmit-power 10
(JadeOS) (802.11a radio Profile "default")#transmit-power 20
• JadeOS supports automatic power regulation:
(JadeOS) (802.11a radio Profile "default")#transmit-power 0
10.4 Configuring Radio
You can let the AC automatically choose the working channel of an AP. For example:
channel 0
10.5 DTLS and CA
Datagram Transport Layer Security (DTLS) is the IETF standard protocol based on TLS. CAPWAP control messages and part of the CAPWAP data messages use the DTLS encryption mechanism over UDP. The configuration command is as follows:
dtls
Import CA
Importing the server certificate into the AC means converting it into a format recognized by the DTLS control channel and removing the password. For example:
(JadeOS) #copy ftp 1.2.3.4 user cert_file flash sc-file-1
(JadeOS) #Cert import pem serverCert sc-1 sc-file-1
Removing the password leaves the private key unencrypted in AC flash, so restrict access to the AC's file system and management interfaces accordingly.
10.6 Special SSID and SSID Control
In EDU mode, to avoid the AP disabling all SSIDs when it loses its connection to the AC, the AC designates a special SSID when the AP connects; when CAPWAP is disconnected, the AP enables this SSID to keep service running. The configuration commands are as follows:
(JadeOS) (config)#wlan ssid-profile SSID
(JadeOS) (SSID Profile "SSID")#special-ssid
Timing Shutdown
Timing shutdown supports the following functions:
• The AC shuts down the radio of a specified AP on a schedule
• The AC shuts down specified SSIDs on a schedule
The configuring command:
time-range default
Example:
(JadeOS) (config)#time-range-profile default
(JadeOS) (Time Range Profile "default")#range weekday 17:00 18:00
(JadeOS) (Time Range Profile "default")#range weekend 17:00 18:00
(JadeOS) (Time Range Profile "default")#range daily 17:00 18:00
(JadeOS) (Time Range Profile "default")#exit
(JadeOS) (config)#wlan vap default
(JadeOS) (Virtual AP Profile "default")#time-range default
(JadeOS) (Virtual AP Profile "default")#exit
(JadeOS) (config)#radio dot11a-profile default
(JadeOS) (802.11a radio Profile "default")#time-range default
(JadeOS) (802.11a radio Profile "default")#exit
Note: Shutting down the radio disables the whole radio; shutting down an SSID disables only that one SSID on the radio.
10.7ACL
UseraccessismainlytoissueACLbasedonSSID,MAC,flowthreshold,bandwidth
control.ACLisimportantinbuildingsecurenetwork,andmainlysupportsthefol‐
lowingfunctions:
¾ ACLbasedonMACaddress
ConfigureACLbasedonMACaddressinAC,whichachievetheblack‐listand
white‐listbasedonMACaddress.
Forexample:
Addmac11:22:33:44:55:6intoblack‐list:
(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type deny
(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66
Addmac11:22:33:44:55:6intowhite‐list:
(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type accept
(JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66
¾ Supporttodisconnectnetworkautomaticallybasedonidletrafficmonitor;you
canconfiguretimeandthedefaultvalueis300s.theconfiguringcommandisas
follows:
idle-timeout <300-15300>
¾ SupportACLbasedontrafficthresholdandthedefaultvalueis1KB:
idle-threshold <0-1048576>
Configuring ACL
Configuring an IP-address ACL on the AC implements user access control. Different ACLs on the AC control different kinds of user access; for example, you can allow users in a specified IP segment to reach only a specified network segment. Because IP-address ACLs are applied per SSID, you can configure different ACLs for different SSIDs.
Functions supported by ACL:
- Match source IP address and network segment
- Match destination IP address and network segment
- Match a specified IP protocol or protocol range
- Match the source port and destination port of UDP/TCP
- Support the 'permit' and 'deny' actions for the above rules
Rule format (source, destination, protocol, action):
any any any deny|permit
For example:
(JadeOS) (config)#ip access-list session acl1
(JadeOS) (config-sess-acl1)#host 1.1.1.1 any tcp 1 100 deny
(JadeOS) (config-sess-acl1)#exit
(JadeOS) (config)#user-role role1
(JadeOS) (config-role)#access-list session acl1
(JadeOS) (config-role)#exit
(JadeOS) (config)#aaa profile aaa1
(JadeOS) (AAA profile "aaa1")#initial-role role1
(JadeOS) (AAA profile "aaa1")#exit
(JadeOS) (config)#wlan virtual-ap default
(JadeOS) (Virtual AP Profile "default")#aaa-profile aaa1
(JadeOS) (Virtual AP Profile "default")#exit
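The example above denies TCP from host 1.1.1.1 on ports 1-100, attaches acl1 to role1, makes role1 the initial role of AAA profile aaa1, and binds that profile to the default virtual AP. To make the matching semantics concrete, here is a small evaluator for rules in that shape. It is an added example, not JadeOS code; the assumptions it makes (top-down first-match evaluation, the port range applying to the destination port, default-deny for unmatched flows) are not stated on the page and are marked in the source.

```python
"""Session-ACL evaluation, as an added illustration (not JadeOS code).

Models rules of the shape used in acl1 above:
    <src> <dst> <proto> [<port-lo> <port-hi>] <permit|deny>
Assumptions not stated on the page: rules are checked top-down and the
first match wins; the port range applies to the destination port; a flow
that matches no rule is denied (default-deny is the safe choice for a
user role).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str       # "any", "tcp", "udp" or "icmp"
    port_lo: int     # destination port range; 0-65535 when not given
    port_hi: int
    action: str      # "permit" or "deny"


ANY_NET = ipaddress.ip_network("0.0.0.0/0")


def _take_addr(tokens):
    """Consume `any`, `host A.B.C.D` or a CIDR prefix; return (net, rest)."""
    if tokens[0] == "any":
        return ANY_NET, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_rule(line):
    """Parse one rule line such as 'host 1.1.1.1 any tcp 1 100 deny'."""
    tokens = line.split()
    src, tokens = _take_addr(tokens)
    dst, tokens = _take_addr(tokens)
    proto, tokens = tokens[0].lower(), tokens[1:]
    lo, hi = 0, 65535
    if proto in ("tcp", "udp") and len(tokens) == 3:
        lo, hi, tokens = int(tokens[0]), int(tokens[1]), tokens[2:]
    if len(tokens) != 1 or tokens[0] not in ("permit", "deny"):
        raise ValueError("malformed rule: " + line)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range: " + line)
    return Rule(src, dst, proto, lo, hi, tokens[0])


def evaluate(rules, src_ip, dst_ip, proto, dst_port=0, default="deny"):
    """Return the action of the first matching rule, else `default`."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.proto in ("tcp", "udp") and not r.port_lo <= dst_port <= r.port_hi:
            continue
        return r.action
    return default


# Constructed ACL: the manual's acl1 rule followed by a catch-all permit,
# so only TCP ports 1-100 from 1.1.1.1 are blocked.
ACL1 = [parse_rule(line) for line in (
    "host 1.1.1.1 any tcp 1 100 deny",
    "any any any permit",
)]

if __name__ == "__main__":
    for flow in (("1.1.1.1", "10.0.0.5", "tcp", 80),
                 ("1.1.1.1", "10.0.0.5", "tcp", 443),
                 ("1.1.1.2", "10.0.0.5", "tcp", 80)):
        print(flow, "->", evaluate(ACL1, *flow))
```

Without the trailing `any any any permit`, every flow that is not explicitly matched falls through to the default; whether JadeOS applies an implicit deny or permit at the end of a session ACL is not stated on this page, so verify it on the device before relying on it.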
10.8 Authentication Exemption
For special users who are exempt from accounting, such as the administrator, JadeOS supports authentication exemption; for example (note that the commands below turn off RADIUS accounting for the profile only, they do not bypass authentication itself):
Step 1 Configure an AAA profile and disable RADIUS accounting
(JadeOS) (config)#aaa profile a1
(JadeOS) (AAA profile "a1")#no radius-accounting enable
(JadeOS) (AAA profile "a1")#exit
Step 2 Apply the AAA profile to the VLAN
(JadeOS) (config)#vlan 10 aaa profile a1
10.9 Anti-fake and Rogue AP Detection
Anti-fake
To enable the anti-fake (station validation) function, use the following command:
validate-sta-enable
To disable the anti-fake function, use the following command:
no validate-sta-enable
Rogue AP Detection
The AC builds a detection rule from the messages reported by the APs, that is, a detection policy for rogue equipment; the AC then classifies the APs it sees according to that rule.
For example:
(JadeOS) (config)#wids ap-classification-rule
(JadeOS) (IDS AP Classification Rule )# enable
(JadeOS) (IDS AP Classification Rule )# ssid test encription open
(JadeOS) (IDS AP Classification Rule )# ap-oui 11:22:33
Note: To display rogue APs, use the show rogue-ap command.
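To show how a rule with the three conditions above (ssid, encryption, ap-oui) is applied to beacons the APs report, here is an added example; it is not JadeOS code. Its assumptions are marked in the source: a rule matches a BSS only when every configured condition holds, the first matching rule decides, and a match is labelled "rogue" (the page does not say whether JadeOS treats a match as rogue or as authorized). The `evil_twins` check goes beyond the page: it flags any BSS advertising one of our SSIDs from a BSSID we do not own, which catches the impostor with a foreign OUI that the OUI-bound rule lets through.

```python
"""Rule-based AP classification, as an added illustration (not JadeOS code).

Mirrors the three conditions of the wids ap-classification-rule above.
Assumptions not stated on the page: a rule matches a BSS only when every
configured condition matches, the first matching rule decides, and a match
is labelled "rogue". evil_twins() goes beyond the page (usual evil-twin
definition: our SSID advertised by a BSSID that is not one of our APs).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClassificationRule:
    enabled: bool = True
    ssid: Optional[str] = None        # `ssid <name> ...`
    encryption: Optional[str] = None  # open, wep, wpa, wpa2
    oui: Optional[str] = None         # `ap-oui 11:22:33`, first 3 bytes of BSSID
    label: str = "rogue"


@dataclass
class Bss:
    bssid: str
    ssid: str
    encryption: str
    seen_by: str                      # managed AP that reported the beacon


def _hexbytes(value, n):
    """Canonical 'aa:bb:..' form of the first n bytes of a MAC/OUI string."""
    digits = "".join(c for c in value.lower() if c in "0123456789abcdef")
    if len(digits) < 2 * n:
        raise ValueError("too short for %d bytes: %r" % (n, value))
    return ":".join(digits[i:i + 2] for i in range(0, 2 * n, 2))


def normalize_oui(value):
    return _hexbytes(value, 3)


def normalize_mac(value):
    return _hexbytes(value, 6)


def matches(rule, bss):
    """Every configured condition must hold; unset conditions are wildcards."""
    if not rule.enabled:
        return False
    if rule.ssid is not None and rule.ssid != bss.ssid:
        return False
    if rule.encryption is not None and rule.encryption != bss.encryption.lower():
        return False
    if rule.oui is not None and normalize_oui(rule.oui) != normalize_oui(bss.bssid):
        return False
    return True


def classify(rules, seen):
    """Map each BSSID to the label of the first matching rule."""
    return {bss.bssid: next((r.label for r in rules if matches(r, bss)),
                            "unclassified")
            for bss in seen}


def evil_twins(seen, our_ssids, our_bssids):
    """BSSIDs advertising one of our SSIDs that are not our own APs."""
    own = {normalize_mac(b) for b in our_bssids}
    return sorted(b.bssid for b in seen
                  if b.ssid in our_ssids and normalize_mac(b.bssid) not in own)


# Constructed scan results, as the APs might report them.
RULE = ClassificationRule(ssid="test", encryption="open", oui="11:22:33")
SEEN = [
    Bss("11:22:33:aa:bb:cc", "test", "open", "ap-1"),   # all three conditions hold
    Bss("11:22:33:aa:bb:cd", "test", "wpa2", "ap-1"),   # our own AP; encryption differs
    Bss("de:ad:be:ef:00:01", "test", "open", "ap-2"),   # impostor with a foreign OUI
    Bss("11:22:33:00:00:02", "guest", "open", "ap-2"),  # different SSID
]

if __name__ == "__main__":
    print(classify([RULE], SEEN))
    print(evil_twins(SEEN, {"test"}, {"11:22:33:aa:bb:cd"}))
```

The OUI condition is only useful for spotting misconfigured devices of a known vendor; an attacker picks any BSSID, so the SSID-versus-known-BSSID comparison is the check that actually detects an impostor.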
10.10 Anti-DoS
The WLAN DoS function prevents denial-of-service attacks such as floods of 802.11 management frames: mgmt-frame-throttle-interval sets the measurement window and mgmt-frame-throttle-limit the number of management frames allowed within it.
For example:
(JadeOS) (config)#wids dos-profile default
(JadeOS) (IDS DOS-Profile "default")#dos-prevention
(JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-interval 10
(JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-limit 100
To display attacks seen by all APs, use the show wlan dos command.
To display attacks seen by a specified AP, use the show wlan dos ap <ap_ip> command.
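The following added example (not JadeOS code) shows what the two throttle knobs above do when a deauthentication flood arrives. It assumes, because the page does not say, that the interval is in seconds, that the budget is tracked per source MAC, and that frames over budget are dropped and counted as an attack; the sample traffic is constructed.

```python
"""Management-frame throttling, as an added illustration (not JadeOS code).

Models the two knobs of the DoS profile above: a window of
mgmt-frame-throttle-interval seconds and a budget of
mgmt-frame-throttle-limit frames inside it. Assumptions not stated on
the page: the interval is in seconds, the budget is per source MAC, and
frames over budget are dropped and counted as an attack.
"""
from collections import defaultdict, deque

MGMT_SUBTYPES = {"assoc-req", "reassoc-req", "probe-req", "auth",
                 "deauth", "disassoc", "action"}


class MgmtFrameThrottle:
    def __init__(self, interval=10, limit=100):
        self.interval = interval
        self.limit = limit
        self._window = defaultdict(deque)  # src MAC -> timestamps of accepted frames
        self.dropped = defaultdict(int)    # src MAC -> frames throttled

    def accept(self, ts, src, subtype):
        """Return True if the frame is within budget, False if throttled.

        Timestamps must arrive in non-decreasing order per source.
        """
        if subtype not in MGMT_SUBTYPES:
            return True  # data/control frames are not subject to the throttle
        win = self._window[src]
        while win and ts - win[0] >= self.interval:
            win.popleft()  # slide the window forward
        if len(win) >= self.limit:
            self.dropped[src] += 1
            return False
        win.append(ts)
        return True

    def attackers(self):
        """Sources that exceeded the budget, with the number of frames dropped."""
        return {mac: n for mac, n in self.dropped.items() if n}


def simulate(frames, interval=10, limit=100):
    """Run (ts, src, subtype) frames through a throttle; return (accepted, attackers)."""
    throttle = MgmtFrameThrottle(interval, limit)
    accepted = sum(1 for ts, src, st in sorted(frames)
                   if throttle.accept(ts, src, st))
    return accepted, throttle.attackers()


# Constructed traffic: a deauth flood of 1000 frames in 5 s from one station,
# mixed with a normal client sending five probe requests in the same period.
FLOOD = [(i * 0.005, "de:ad:be:ef:00:01", "deauth") for i in range(1000)]
NORMAL = [(float(i), "00:11:22:33:44:55", "probe-req") for i in range(5)]

if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL, interval=10, limit=100))
```

With interval 10 and limit 100 the flooding station gets its first 100 deauth frames through and the remaining 900 dropped, while the normal client is untouched. A per-source budget cannot stop an attacker who spoofs a fresh source MAC per frame; that case needs a per-AP or global budget in addition.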
Chapter 11 WEB UI
11.1 WEB UI Description
JadeOS supports configuration through a web UI.
11.2 WEB UI Login
Step 1 Open the IE browser and enter the IP address of the controller; JadeOS pops up the following dialog box:
Figure 12-1 Login Dialog Box
Step 2 Enter the user account 'admin' and the password 'admins', then click Login; JadeOS redirects to the following page:
Figure 12-2 web UI page
Note: 'admin'/'admins' is the default account documented here. Change this password before the controller is reachable from any untrusted network, and restrict access to the web UI to a management network.
Chapter 12 Configuring SNMP
12.1 Configuring SNMP
Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. JadeOS supports versions 1, 2c and 3 of SNMP. You can configure SNMP using the following commands:
snmp-server community rw|ro <WORD>
snmp-server traphost <IP> <WORD> {udp-port portno}
Parameter        Description
WORD             Name of the community
udp-port portno  (optional) UDP port number, default value: 162
IP               IP address of the trap host
Table 13-1 Basic Parameters of SNMP
Note: in SNMP v1 and v2c the community string is sent in cleartext and is the only credential, so use a non-default string, prefer a read-only (ro) community, and restrict which hosts may query the agent; SNMPv3, which JadeOS also supports, adds authentication and encryption, although no v3 commands are listed here. The trailing IP address in the example below does not appear in the syntax above; check the on-device help before relying on it.
For example:
(JadeOS)#configure terminal
(JadeOS)(config)#snmp-server community ro ww 1.1.1.1
Chapter 13 Maintenance and Diagnosis
13.1 Log System
The log system records the system running status; logs can be saved locally or sent to a remote log server. Logs are classified into 8 levels from emerg to debug, and the default level is err (error).
To set the log level, use the following commands in config mode:
logging level <level> <all|category> [process app]
logging <IP> [severity level] [type category]
Note: the log levels, from most to least severe, are emerg, alert, crit, err, warning, notice, info, debug.
To set the size of the local log, use the following command in config mode:
log size <100-102400> (unit: KB)
To restore the local log level to the default, use the following commands in config mode:
no logging level <level> <all|category> [process app]
no logging <IP> [severity level] [type category]
For example:
(JadeOS)(config)#logging level err all
(JadeOS)(config)#logging 192.168.16.84
(JadeOS)(config)#log size 102400
(JadeOS)(config)#end
To query the local log, use the following command in enable mode:
show log <all|category [app]> [line]
(JadeOS) #show log all
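Seen from the remote log server configured with `logging <IP>`, the eight-level scheme is an ordering in which a threshold of err keeps emerg through err and drops warning through debug. The added example below (not JadeOS code) decodes the priority field of received messages and applies that threshold. It assumes, since the page does not say, that JadeOS frames remote messages with a standard BSD-syslog `<PRI>` prefix where PRI = facility * 8 + severity; the sample lines are constructed.

```python
"""Syslog severity decoding and threshold filtering, as an added illustration
(not JadeOS code) of the eight-level scheme above from the receiving side.
Assumption not stated on the page: remote messages carry a standard
BSD-syslog priority field <PRI>, PRI = facility*8 + severity.
"""
import re

# Same order as the manual's list: index 0 is most severe.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line):
    """Return (facility, severity name, message) or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, LEVELS[pri % 8], m.group(2).strip()


def passes(severity, threshold="err"):
    """True when `severity` is at least as urgent as the configured level."""
    return LEVELS.index(severity) <= LEVELS.index(threshold)


def filter_log(lines, threshold="err"):
    """Keep messages at or above `threshold`. Lines without a valid PRI are
    never silently dropped; they are kept with severity 'unknown' so that a
    forwarder or parser fault does not hide events."""
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            kept.append(("unknown", line.strip()))
            continue
        _facility, severity, message = decoded
        if passes(severity, threshold):
            kept.append((severity, message))
    return kept


# Constructed sample, facility local0 (16): PRI = 128 + severity.
SAMPLE = [
    "<131>Jan  1 00:00:01 JadeOS wlan: rogue AP 11:22:33:aa:bb:cc seen by ap-1",  # err
    "<132>Jan  1 00:00:02 JadeOS aaa: client 00:11:22:33:44:55 idle-timeout",      # warning
    "<130>Jan  1 00:00:03 JadeOS sysmgr: line card temperature over threshold",   # crit
    "<135>Jan  1 00:00:04 JadeOS capwap: keepalive from ap-2",                     # debug
    "garbage without a priority field",
]

if __name__ == "__main__":
    for severity, message in filter_log(SAMPLE, "err"):
        print(severity, message)
```

Security-relevant events such as rogue-AP sightings or AAA failures should be logged at a level that survives the configured threshold; if the controller emits them at info or notice, `logging level err` on the device and an err threshold on the collector will both discard them.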
13.2 System Management
JadeOS is a unified, multi-level, scalable technology. It uses the active-standby mode in the control plane and the active-active mode in the data plane to achieve high performance and high availability. The distributed architecture has been extended to meet the requirements of high-performance equipment.
Figure 14-1 gives a general view of the system management and the communication among all modules.
Figure 14-1 Modules Diagram for the System Management
When the system powers up, a "master" system manager is elected among all line cards present in the chassis to control the whole equipment. The shelf manager control board sends and receives messages from the cards and modules over the I2C bus. The elected "master" system manager on the line card gets information from the shelf manager control board across the switch board by TCP/IP to control and monitor the whole system.
Information Inquiry
To restart the system when JadeOS is in trouble, use the following command:
reload
To query system information such as the JadeOS version, gateway uptime and so on, use the following command:
show version
To query the status of chassis components such as power module connection status, fan speed, line card temperature and so on, use the following command:
show inventory
To query the factory default information about the chassis, use the following command:
show chassis_info
To query the environment temperature of the chassis, use the following command:
show temperature chassis
To query the CPU usage percentage, use the following command:
show cpuload
To query memory usage information, use the following command:
show memory
To query the system log, use the following command:
show log all
To query the process status, use the following command:
show process monitor statistics
Alarm
The hardware running status on JadeOS can be monitored and reported to the system manager. If the working state of a card or module, for example its temperature, is beyond the threshold, an alarm is raised and the LEDs on the card or module turn on.
The thresholds can be set manually using the following command:
alarmthreshold
NOTE: The alarm LED on the SAD card does not turn off automatically when the alarm is cleared; you must clear it manually. To clear the alarm LED on the SAD card, use the following command on the master line card:
turn-off-led
13.3 Sniffer Tool
JadeOS provides a sniffer tool for network diagnosis; it can capture data packets on a network interface and filter them by interface, IP address and TCP/UDP port number. The operation steps are as follows:
Step 1 Configure the filter conditions and limit the capture to 10M (maxsize 10):
(JadeOS) #packet capture interface gigaethernet 1/0 datatype all maxsize 10
Step 2 Start the capture
(JadeOS) #packet capture start
Step 3 Stop the capture
(JadeOS) #packet capture stop
Step 4 Display the packet capture
(JadeOS) # show packet capture
Abbreviations
A
AC Access Controller (in the WLAN chapters); Alternating Current (in the hardware chapters)
ACC Automatic Current Control
ACL Access Control List
AS Autonomous System
ATCA Advanced Telecom Computing Architecture
AP Access Point
B
BCMC Broadcast and Multicast
C
CAPWAP Control And Provisioning of Wireless Access Points
CDP Cisco Discovery Protocol
CE Communication Edge
CLI Command Line Interface
D
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
DoS Denial of Service
E
EAP Extensible Authentication Protocol
EAPOL EAP over LAN
ECN Engineering Change Notice
F
FRU Field Replaceable Unit
FTP File Transfer Protocol
G
GRE Generic Routing Encapsulation
GMT Greenwich Mean Time
I
IDS Intrusion Detection System
IDPS Intrusion Detection and Prevention System
IETF Internet Engineering Task Force
IGP Interior Gateway Protocol
IP Internet Protocol
IPMB Intelligent Platform Management Bus
IPMC Intelligent Platform Management Controller
IPMI Intelligent Platform Management Interface
IPS Intrusion Prevention System
L
LACP Link Aggregation Control Protocol
LAG Link Aggregation Group
LDAP Lightweight Directory Access Protocol
LED Light Emitting Diode
M
MAC Media Access Control
MLVDS Multipoint Low-Voltage Differential Signaling
N
NAT Network Address Translation
NTP Network Time Protocol
O
OS Operating System
OSPF Open Shortest Path First
OUI Organizationally Unique Identifier
P
PCB Printed Circuit Board
PEM Power Entry Module
PPC
PVST Per VLAN Spanning Tree
Q
QoS Quality of Service
R
RAM Random Access Memory
RFC Request For Comments
RSTP Rapid Spanning Tree Protocol
RTC Real Time Clock
RTM Rear Transition Module
S
SAD Shelf Alarm Display
SAP Shelf Alarm Panel
SHA Secure Hash Algorithm
SNMP Simple Network Management Protocol
SSID Service Set Identifier
SSL Secure Sockets Layer
SSH Secure Shell
STP Spanning Tree Protocol
T
TCA Telecommunications Computing Architecture
TCP/IP Transmission Control Protocol/Internet Protocol
TFTP Trivial File Transfer Protocol
TKIP Temporal Key Integrity Protocol
U
UDP User Datagram Protocol
V
VCCI Voluntary Control Council for Interference
VLAN Virtual Local Area Network
VPN Virtual Private Network
VRID Virtual Router ID
VRRP Virtual Router Redundancy Protocol
VTP VLAN Trunking Protocol
W
WEP Wired Equivalent Privacy
WPA Wi-Fi Protected Access