SKSpruce Technologies WIA3200 Indoor Access Point User Manual JadeOS 1 x

Skspruce Technologies Inc. Indoor Access Point JadeOS 1 x

Users Manual

Download: SKSpruce Technologies WIA3200 Indoor Access Point User Manual JadeOS  1 x
Mirror Download [FCC.gov]SKSpruce Technologies WIA3200 Indoor Access Point User Manual JadeOS  1 x
Document ID2395330
Application IDzqTKtdQ3Hdv4+L0zH+LmZg==
Document DescriptionUsers Manual
Short Term ConfidentialNo
Permanent ConfidentialNo
SupercedeNo
Document TypeUser Manual
Display FormatAdobe Acrobat PDF - pdf
Filesize83.49kB (1043681 bits)
Date Submitted2014-09-19 00:00:00
Date Available2014-09-19 00:00:00
Creation Date2014-09-17 18:31:44
Producing SoftwareAcrobat Distiller 7.0.5 (Windows)
Document Lastmod2014-09-18 08:42:03
Document TitleMicrosoft Word - JadeOS User Manual_1_.docx
Document CreatorPScript5.dll Version 5.2
Document Author: Administrator

JadeOS
User Manual
SK-A2960-182
03
Copyright © 2013 Skspruce, Inc. All rights reserved.
No part of this documentation may be reproduced in any form or by any means or used to
make any derivative work (such as translation, transformation, or adaptation) without
prior, express and written permission from Skspruce, Inc.
Skspruce, Inc. reserves the right to revise this documentation and to make changes in
content from time to time without obligation on the part of Skspruce, Inc. to provide notification of such revision or changes.
Skspruce, Inc. provides this documentation without warranty of any kind, implied or expressed, including but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Skspruce may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.
UNITED STATES GOVERNMENT LEGENDS:
If you are a United States government agency, then this documentation and the software
described herein are provided to you subject to the following:
United States Government Legend: All technical data and computer software is commercial in nature and developed solely at private expense. Software is delivered as
Commercial Computer Software as defined in DFARS 252.227-7014 (June 1995) or as
a commercial item as defined in FAR 2.101(a) and as such is provided with only such
rights as are provided in Skspruce's standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov
1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove
or deface any portion of any legend provided on any licensed program or documentation
contained in, or delivered to you in conjunction with, this User Guide.
Skspruce, the Skspruce logo are registered trademarks or trademarks of Skspruce, Inc.
and its subsidiaries. Other brand and product names may be registered trademarks or
trademarks of their respective holders.
Any rights not expressly granted herein are firmly reserved.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following
two conditions: (1) this device may not cause harmful interference, and (2) this device
must accept any interference received, including interference that may cause undesired
operation.
The user manual or instruction manual for an intentional or unintentional radiator shall
caution the user that changes or modifications not expressly approved by the party
responsible for compliance could void the user's authority to operate the equipment. In
cases where the manual is provided only in a form other than paper, such as on a
computer disk or over the Internet, the information required by this section may be
included in the manual in that alternative form, provided the user can reasonably be
expected to have the capability to access information in that form.
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment generates, uses and can radiate radio frequency energy and, if not installed and
used in accordance with the instructions, may cause harmful interference to radio
communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and on, the
user is encouraged to try to correct the interference by one or more of the following
measures:
—Reorient or relocate the receiving antenna.
—Increase the separation between the equipment and receiver.
—Connect the equipment into an outlet on a circuit different from that to which the
receiver is connected.
—Consult the dealer or an experienced radio/TV technician for help.
FCC Caution: Any changes or modifications not expressly approved by the party
Responsible for compliance could void the user’s authority to operate this equipment.
This equipment must be installed and operated in accordance with
provide instructions and the antenna used for this transmitter must be
installed to provide a separation distance of at least 20 cm from all
persons and must not be co‐located or operation in conjunction with
any other antenna or transmitter. End‐users and installers must be
provided with antenna installation instructions and transmitter operating
conditions for satisfying RF exposure compliance.
Important Notice on Product Safety
Elevated voltages are inevitably present at specific points in this electrical equipment.
Some of the parts may also have elevated operating temperatures.
Non-observance of these conditions and the safety instructions can result in personal injury or in
property damage.
Therefore, only trained and qualified personnel may install and maintain the system.
All equipment connected has to comply with the applicable safety standards.
Statement of compliance CE statement
The CE conformity declaration for the products is fulfilled when the system is built and cabled in
line with the information given in the manual. Deviations from the specifications or independent
modifications to the layout, such as use of cable types with lower screening values for example,
can lead to violation of the CE protection requirements. In such cases the conformity declaration is
invalidated. The responsibility for any problems which subsequently arise rests with the party responsible for deviating from the installation specifications.
VCCI statement
This is a Class A product based on the standard of the Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbance may arise. When such trouble occurs, the user may be required to take corrective actions.
Content
Content..........................................................................................................................1
Chapter 1 Preface ........................................................................................................1
1.1 Intended Audience ...............................................................................................1
1.2 Structure of this Document ..................................................................................1
1.3 Symbols and Conventions....................................................................................1
1.3.1 Symbols Used ...............................................................................................2
1.3.2 Conventions Used .........................................................................................2
1.4 History of Changes ..............................................................................................2
Chapter 2 System Overview........................................................................................3
2.1 System Introductions ...........................................................................................3
2.2 Functions..............................................................................................................3
2.3 Feature Highlights................................................................................................4
2.4 Application...........................................................................................................5
Chapter 3 CLI and System Management ..................................................................7
3.1 CLI Access ...........................................................................................................7
3.1.1 CLI Access via the Local Console ................................................................7
3.1.2 CLI Access via a Remote Console................................................................8
3.2 CLI Features.........................................................................................................8
3.2.1 Command mode ............................................................................................9
3.2.2 Command Help .............................................................................................9
3.2.3 Command Completion ................................................................................10
3.2.4 Deleting Configuration Settings ................................................................. 11
3.2.5 Profile Command ........................................................................................11
3.3 Configuring the Management Port..................................................................... 11
3.3.1 Configuring IP ............................................................................................ 11
3.3.2 Configuring Routing ...................................................................................11
3.4 Configuring Management ..................................................................................12
3.4.1 Inquire Configuration .................................................................................12
3.4.2 Saving Configuration Changes ...................................................................12
3.4.3 Reset JadeOS ..............................................................................................12
3.4.4 Files Import/Export.....................................................................................12
3.5 System Update ...................................................................................................13
3.6 File Operations...................................................................................................14
3.6.1 Basic Operations .........................................................................................14
3.6.2 Files Transfer by FTP and TFTP Command ...............................................14
3.6.3 JadeOS Image Image Files Transfer ...........................................................15
3.6.5 Log Files Storage ........................................................................................15
3.7 User Management ..............................................................................................15
3.8 Configuring System Settings .............................................................................16
3.8.1 Setting Hostname ........................................................................................16
3.8.2 Setting Country Code..................................................................................16
3.8.3 Setting Administrator Password..................................................................16
3.8.4 Setting System Clock..................................................................................16
3.8.5 Clock Synchronization................................................................................17
3.8.6 Configuring NTP Authentication ................................................................17
3.9 Ping and Traceroute ...........................................................................................18
3.10 License Management .......................................................................................18
Chapter 4 Interface Configuration...........................................................................19
4.1 Naming Ethernet Port ........................................................................................19
4.2 Configuring VLAN ............................................................................................19
4.2.1 Creating VLAN...........................................................................................19
4.3 Adding Ethernet Port into VLAN ......................................................................20
4.4 Configuring VLAN Interface.............................................................................21
4.5 Configuring Port Channel ..................................................................................21
4.6 Configuring QinQ ..............................................................................................23
4.6.1 Configuring QinQ .......................................................................................23
4.7 Inquiring Interface Status and Statistics.............................................................24
Chapter 5 Layer-2 Network Service ........................................................................26
5.1 Bridge Forwarding .............................................................................................26
5.1.1 Bridge Description......................................................................................26
5.1.2 Configuring Bridge .....................................................................................26
5.1.3 Dynamic Table ............................................................................................26
5.1.4 Bridge Aging...............................................................................................27
5.1.5 Static Table..................................................................................................27
5.2 Port Mirror .........................................................................................................27
Chapter 6 Layer-3 Network Service ........................................................................28
6.1 Configuring IP Address......................................................................................28
6.1.1 Configuring IP Address...............................................................................28
6.1.2 Configuring Loopback................................................................................28
6.2 Configuring Static Routing Table ......................................................................28
6.2.2 Configuring Static Routing .........................................................................28
6.2.2 Inquiring Routing Table ..............................................................................28
6.3 Configuring ARP ...............................................................................................29
6.3.1 Configuring Static ARP Table.....................................................................29
6.3.2 Inquiring ARP Table ...................................................................................29
6.3.2 Configuring ARP Proxy ..............................................................................30
6.4 Configuring MTU and TCP MSS ......................................................................30
6.5 Configuring GRE Tunnel...................................................................................31
6.6 Configuring DHCP ............................................................................................31
6.6.1 Configuring DHCP Server ..........................................................................32
6.6.2 Inquiring DHCP Server Status ....................................................................32
6.6.3 Configuring DHCP Relay ...........................................................................34
6.6.4 DHCP Snooping..........................................................................................35
6.6.5 ARP With DHCP.........................................................................................36
6.7 Configuring OSPF .............................................................................................37
6.7.1 OSPF Implementation.................................................................................37
6.7.2 Enabling OSPF ...........................................................................................37
6.7.3 Configuring OSPF Interface Parameters ....................................................38
6.7.4 Configuring OSPF Area..............................................................................39
6.7.5 Configuring OSPF Network Type ..............................................................40
6.7.6 OSPF Point-to-point Configuration Example.............................................40
6.8 Configuring IPv6 ...............................................................................................42
6.8.1 Address Configuration ................................................................................42
6.8.2 Routing Configuration ................................................................................42
6.8.3 Ping6 ...........................................................................................................43
Chapter 7 Network Security .....................................................................................44
7.1 Access Control List (ACL) ................................................................................44
7.1.1 Standard ACL..............................................................................................44
7.1.2 Extended ACL.............................................................................................44
7.1.3 Session ACL ...............................................................................................45
7.2 Session ...............................................................................................................45
7.3 Configuring NAT ...............................................................................................46
7.3.1 Configuring SNAT......................................................................................47
7.3.2 Configuring DNAT .....................................................................................48
7.4 Configuring DoS Anti-attack .............................................................................49
7.4.1 System Pre-defined Configuration..............................................................49
7.4.2 Configuring Anti-attack ..............................................................................49
7.5 Configuring Lawful Intercept ............................................................................50
Chapter 8 Configuring HQoS ...................................................................................52
8.1 Configuring Rate Limitation on Port .................................................................52
8.2 Configuring Rate Limitation on VLAN.............................................................52
8.3 Configuring Rate Limitation on User ................................................................52
Chapter 9 Configuring AAA.....................................................................................54
9.1 The Attribute of Trust and Untrust.....................................................................54
9.2 User and User Role ............................................................................................54
9.2.1 User .............................................................................................................54
9.2.2 User Role and ACL.....................................................................................55
9.2.3 Access Policy Based on User Role .............................................................55
9.3 Connections among User, VLAN and User Role ..............................................56
9.4 Configuring AAA Profile...................................................................................56
9.4.1 Configuring ACL ........................................................................................56
9.4.2 Configuring role..........................................................................................56
9.4.3 Configuring Radius Server Group ..............................................................57
9.4.4 Configuring Authentication Way ................................................................57
9.4.5 Configuring AAA Profile............................................................................58
9.4.6 Binding VLAN............................................................................................59
9.5 MAC Authentication..........................................................................................59
9.6 802.1X Authentication .......................................................................................60
9.7 WEB Portal Authentication................................................................................60
9.7.1 Web Authentication Process........................................................................60
9.7.2 DNAT Redirect ...........................................................................................61
9.7.3 HTTP 302 Redirect .....................................................................................61
9.7.4 Configuring Portal Server...........................................................................61
9.7.5 Configuring CoA Disconnect Message.......................................................61
9.7.6 Configuring Captive-portal Authentication ................................................62
9.7.7 Customize Logout Domain .........................................................................62
9.7.8 Configuring White-list and Black-list.........................................................62
9.8 Radius Proxy......................................................................................................63
9.8.1 Configuring Radius Proxy ..........................................................................63
9.8.2 Configuring EAP-SIM................................................................................64
9.9 Rate Limit Based on User ..................................................................................65
9.10 User Accounting...............................................................................................65
9.11 Example of WEB-Portal Authentication..........................................................66
9.12 Trouble Shooting..............................................................................................68
Chapter 10 WLAN Management .............................................................................70
10.1 Wireless Network Architecture ........................................................................70
10.1.1 CAPWAP Description...............................................................................70
10.1.2 CAPWAP Control Channel.......................................................................70
10.1.3 CAPWAP Data Channel............................................................................71
10.1.4 Mirror Upgrade and Configuration Management .....................................71
10.1.5 Forwarding Mode .....................................................................................71
10.1.6 Authentication Mode.................................................................................71
10.1.7 STATION Management ............................................................................71
10.2 Forwarding Mode.............................................................................................71
10.3 Configuring Power...........................................................................................72
10.4 Configuring Radio ...........................................................................................72
10.5 DTLS and CA ..................................................................................................72
10.6 Special SSID and SSID Control ......................................................................73
10.7 ACL..................................................................................................................73
10.8 Authentication Exemption ...............................................................................75
10.9 Anti-fake and Rogue AP detect ........................................................................75
10.10 Anti-DoS ........................................................................................................75
Chapter 11 WEBUI....................................................................................................77
11.1 WEBUI Description .........................................................................................77
11.2 WEBUI Login ..................................................................................................77
Chapter 12 Configuring SNMP ................................................................................78
12.1 Configuring SNMP ..........................................................................................78
Chapter 13 Maintanence and Diagnosis ..................................................................79
13.1 Log System ......................................................................................................79
13.2 System Management........................................................................................79
13.3 Sniffer Tool ......................................................................................................81
Abbrviations ...............................................................................................................82
Chapter 1 Preface
This preface describes the audience, structure, conventions and history of changes of
JadeOS User Manual. It also provides important information about safety instructions
for the JadeOS.
1.1 Intended Audience
This document is intended to the experienced network administrators who need to
configure and maintain JadeOS Multi-Service Gateway.
1.2 Structure of this Document
Chapter
Title
Subject
This chapter provides an introduction to this docu-
Chapter 1
Preface
ment.
This chapter gives a general introduction to the
System Overview
JadeOS functionality.
CLI and System
tion
This chapter describes CLI and system operations.
This chapter will describe how to configure
interface.
Layer-2 Network Ser-
This chapter describes how to configure Layer-2 net-
vice
work service.
Layer-3 network ser-
This chapter describes how to configure Layer-3 net-
vice
work service.
Chapter 7
Network Security
This chapter will describe JadeOS network security function and how to configure it.
Chapter 8
Configuring HQoS
This chapter describes how to configure HQoS.
Chapter 9
Configuring AAA
This chapter describes how to configure AAA.
Chapter 2
Chapter 3
Management
Interface Configura-
Chapter 4
Chapter 5
Chapter 6
This chapter gives a general introduction to the
Chapter 10
WLAN Management
WLAN Management.
This chapter gives a general introduction to the
Chapter 11
WEBUI
WEBUI.
Chapter 12
Configuring SNMP
This chapter describes how to configure SNMP.
Maintenance and Di-
This chapter gives a general introduction to the
agnosis
Maintenance and Diagnosis.
Chapter 13
Table 1-1 Chapters in this Document
1.3 Symbols and Conventions
JadeOS User Manual
The following symbols and conventions are used in this document:
1.3.1 Symbols Used
CAUTION: Means that the reader should be careful. In this situation, you
might do something that could result in equipment damage or loss of data.
WARNING: This warning symbol means danger. You are in a situation that
could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
1.3.2 Conventions Used
Representation
Meaning
Bold
The CLI commands are in bold.
Italic
Level 2 titles are in Italic.
Terminal display is in Courier New.
Example: # ping -t 10.10.10.1
Courier New
Table 1- 2 Conventions Used in this Document
1.4 History of Changes
Version
Issue date
Remarks
Draft
2013.10.11
Draft Version
01
02
03
2013.11.15
2013.11.30
2014.01.15
New functions added,upgraded to 01 Version
New functions added,upgraded to 02 Version
New functions added,upgraded to 03 Version
Table 1- 3 Histories of Changes for this Document
JadeOS User Manual
Chapter 2 System Overview
2.1 System Introductions
SKG10000 Plus is a gateway equipment of telecommunication level that integrated
with the functions of routing, switching and WLAN controller and so on.
Based on the multi-core and multi-thread processor and designed with telecom grade
ATCA standard, SKG10000 Plus is with powerful and extensible performance. With
centralized management and configuration, it gives the ability of deployment for a
large network with hundreds of gateways. At the same time, it can be operated in day
and night with high availability and help the SP to meet the huge challenge brought by
rapid development of wireless service.
Based on the advanced and extensible software architecture, JadeOS:
‐ Adopt distributed architecture with data plane and control plane separated
‐ Provide WLAN solutions that are flexible, easy management and easy deployed
‐ Manage large scale APs without configuration
‐ Strictly control user internet access and bandwidth strategy with various access
authentication
‐ Support 700 users/s per line card
‐ Provide forwarding rate of high performance
‐ Support multi-level redundancy backup for system level, service module level etc.
2.2 Functions
Layer-2
Bridge Forwarding
VLAN/Super VLAN
QinQ
Port Channel
Layer-3
Route Forwarding
Dynamic Routing Protocol (OSPF)
NAT
GRE/EtherIP Tunnel
DHCP Server, DHCP Relay,DHCP SNOOPING
Broadcast Suppression
Virtual Routing Redundancy Protocol(VRRP)
Fragmentation and Reassembly
IPv4/IPv6
JadeOS User Manual
Security and AAA (Authentication, Authorization, Accounting)
Access Control List (Interface/Standard/Session ACL)
Role-Based User Policy
Web Portal/802.1x/PSK/MAC Authentication
RADIUS Accounting
RADIUS Proxy
Black-list and whit- list authentication
DoS anti-attacks
Lawful Interception
QoS functionality
Rated Limit based on interface/user/ssid (HQoS)
WLAN Controller
CAPWAP Control Tunnel and Data Tunnel
AP Centralized Management and Configuration
AP Discovery AC
- Broadcast discovery mode
- DNS discovery mode
- DHCP discovery mode
Local Forwarding, Centralized Forwarding
Intelligent Radio /Frequency Management
Certificate Management
User Access Control
L2 Roaming
Station Anti-fake, WLAN Anti-DoS
Performance Monitor and Data Statistics
Network Management
Configuration based on CLI (Support console, SSH, Telnet)
Support WebUI configuration
SNMP v1, v2c,
System configuration, service module monitor
Trap alarm
Chassis management
Trouble shooting
Port Mirror, Sniffer
2.3 Feature Highlights
Extensible DHCP Server
DHCP server offers 700 pps users per thread that can meet carrier-grade scenarios that
requires high performance and high availability.
JadeOS User Manual
z
Scalable performance and throughout
- Optimized database
By keeping lease information in a memory-resident database, DHCP server
offers fast response times for lease assignments and renewals.
- Multi-threaded architecture
JadeOS uses a multi-threaded architecture to deliver consistent throughput.
- Carrier level big address pool
JadeOS supports up to 1,320,000 addresses per chassis.
Broadcast Suppression
JadeOS provides broadcast suppression function to reduce the number of broadcast
packets by enabling broadcast suppression policy.
- Broadcast suppression function to greatly ease the number of broadcast messages
- DHCP snooping to suppress the DHCP broadcast packets.
- Enable DHCP unicast reply function. JadeOS reply the DHCP offer and ACK
datagram with unicast messages instead of broadcast messages to effectively
reduce the broadcast flooding.
2.4 Application
JadeOS can be deployed in the core network or access network to achieve the AP centralized management and configuration. Figure 2-3 illustrates one of the application
scenarios of
JadeOS User Manual
JadeOS.
Figure 2-1 Application scenario of JadeOS
JadeOS User Manual
Chapter 3 CLI and System Management
JadeOS uses the command Line Interface (CLI) to implement the interaction between
users and the operating system. Users can complete a range of system configuration
and realize the management functions through the CLI.
This chapter describes CLI and system operations.
3.1 CLI Access
The console port on the equipment is Rj45 interface and located on the front panel of
each line card. You can connect to the CLI via the local console or SSH/TELNET to
obtain a remote console.
3.1.1 CLI Access via the Local Console
To connect to the CLI via the local console port, complete the following steps:
Step 1 Connect to the console port using the Rj45 cable and serial port cable.
Step 2 Configure your terminal emulation program (for example: SecureCRT) is configured as shown in figure 3-1:
Figure 3-1 Console port connection settings
Step 3
Enter the user name and password:
(JadeOS)
User: admin
Password: admins.
The prompt will be displayed as follows after logging in successfully.
(JadeOS) >
JadeOS User Manual
Step 4
Enter the global mode using the following command:
(JadeOS) > enable
Password: enable
When you are in enable mode, the > prompt changes to a pound sign (#):
(JadeOS) #
Step 5
Enter the configuration mode using the following command:
(JadeOS) # configure terminal
When you are in the configuration mode, ‘config’ appears before the # prompt:
(JadeOS) (config) #
3.1.2 CLI Access via a Remote Console
Users can access JadeOS remotely using TELNET from a TCP/IP network.
To access JadeOS via telnet you need to enable telnet sessions using telnet cli command.
To connect to the CLI using TELNET, complete the following steps:
Step 1
Verify that your terminal emulation program or DOS shell interface (for
example: SecureCRT) is configured as shown in figure 3-2:
Figure 3-2 Telnet connection settings
Step 2
Enter a valid username and password as prompt.
3.2 CLI Features
This chapter will give a general introduction about the CLI commands.
JadeOS User Manual
3.2.1 Command mode
The CLI is divided into many different modes. The commands available to you at any
given time depend on the mode that you are currently in. Entering a question mark (?)
at the CLI prompt allows you to obtain a list of commands available for each command mode.
When you log in to the CLI, you are in user mode. User mode contains only a limited
subset of commands.
To have access to all commands, you must enter enable mode normally by using a
password. From enable mode, you can issue any enable mode command.
You can enter global configuration mode by entering configure terminal command.
Configuration modes allow you to make changes to the running configuration. If you
later save the running configuration to the startup configuration, these changed commands are stored when the software is rebooted. To enter specific configuration
modes, you must start at global configuration mode. From global configuration mode,
you can enter interface configuration mode and a variety of other modes.
Table 3-1 describes how to access and exit various common command modes on
JadeOS. It also shows examples of the prompts displayed for each mode.
Command Mode
Access Method
Prompt
Exit Method
User Mode
Log in
(JadeOS)>
Use the exit command
To return to User Mode
Enter enable and
Enable Mode
password
(JadeOS)#
use exit command
To return to Enable Mode
from global configuration
Global Configura-
Enter configure
tion Mode
terminal
Interface Configuration
Mode
mode, use exit com(JadeOS)(config)#
mand
Specify an interface
To return to the global
using
configuration mode, use
interface
command
(JadeOS)(config-if)#
exit command.
Table 3- 1 Command Modes on JadeOS
3.2.2 Command Help
You can use the question mark (?) to view various types of command help.
When typed at the beginning of a line, the question mark lists all the commands
available in your current mode or sub-mode. A brief explanation follows each com9
JadeOS User Manual
mand. For example:
(JadeOS) > ?
enable
Turn on Privileged commands
exit
Exit this session. Any unsaved changes are lost.
help
Help on CLI command line processing and a
Description of the interactive help system
logout
Exit this session. Any unsaved changes are lost.
ping
Send ICMP echo packets to specified ip address.
traceroute
Trace route to the specified ip address.
When typed at the end of a possible command or abbreviation, the question mark lists
the commands that match (if any). For example:
(JadeOS) #a?
aaa
Authentication commands
ap
Instruct AP
ap-leds
Control AP LED behavior (11n APs only)
ap-regroup
Move AP into a group
ap-rename
Change an AP's name
apboot
Instruct AP to reboot itself
apconnect
Instruct Mesh-Point to connect new parent
apdisconnect
Instruct Mesh-Point to disconnect from its parent
apflash
Instruct AP to reflash itself
If more than one item is shown, type more of the keyword characters to distinguish
your choice.
However, if only one item is listed, the keyword or abbreviation is valid and you can
press tab or the spacebar to advance to the next keyword.
When typed in place of a parameter, the question mark lists the available options. For
example:
(JadeOS) #write ?
erase
erase configuration from NV memory
file
Write to file
memory
Write to NV memory

3.2.3 Command Completion
To make command input easier, as you type, you can press the spacebar or tab to
move to the next keyword. The system then attempts to expand the abbreviation for
you. If there is only one command keyword that matches the abbreviation, it is filled
10
JadeOS User Manual
in for you automatically. If the abbreviation is too vague (too few characters), the
cursor does not advance and you must type more characters or use the help feature to
list the matching commands.
3.2.4 Deleting Configuration Settings
Use the no command to delete or negate previously-entered configurations or parameters. To view a list of no commands, type no at the enable or ‘config’ prompt
followed by the question mark.
(JadeOS) (config) # no?
3.2.5 Profile Command
JadeOS uses Profile to design some complex commands. JadeOS encapsulates a set of
configurations in Profile, and then apply the Profile to other configured object. This
will make configuration more logical.
3.3 Configuring the Management Port
3.3.1 Configuring IP
Management port is used for the network administrator to operate the equipment in
remote. To configure management port, you need to configure IP address first so that
to access the equipment in remote:
Step 1
Access management port mode:
interface mgmt 
step 2
Configuring Ip address:
ip address A.B.C.D/MASK-Length
Parameter
Description
id
Range: 1-2
Table 3-2 parameter description
Example as follows:
(JadeOS)(config)#interface mgmt 1
(JadeOS)(config)#ip address 192.168.1.254/24
3.3.2 Configuring Routing
You need to configure a static routing to access local PC of remote administrator.
To Configure static routing table, use the following command in Config mode:
ip route  
11
JadeOS User Manual
For example, we configure a route to administrator subnet 192.168.0.0/24 through
next hop 192.168.1.1.
(JadeOS)(config)#ip route 192.168.0.0/24 192.168.1.1
3.4 Configuring Management
3.4.1 Inquire Configuration
To view present configuration, use the command:
(JadeOS) # show running-config
3.4.2 Saving Configuration Changes
When you make configuration changes via the CLI, those changes affect the current
running configuration only. If the changes are not saved, they will be lost after the
SKG10000 Plus reboots. To save your configuration changes, use the following
command in enable mode:
(JadeOS) # write memory
After performing the command write memory, two configuration files will be saved
in the flash:
•
startup-config:Containing the startup configuration options
•
running-config:Containing the configuration options during system running.
3.4.3 Reset JadeOS
You can return JadeOS to its original configuration by resetting the JadeOS to factory-default settings.
Step 1
Enter the write erase command. A prompt ‘Do you really want to delete
all the configuration(y/n):‘, write erase successful’ will be displayed.
(JadeOS) (config) #write erase
Do you really want to delete all the configuration(y/n):
Write Erase successful
Step 2
Reload the JadeOS by entering reload command. The prompt ‘do you
really want to restart the system (y/n)’ will be displayed. Enter ‘y’, the JadeOS will
reboot.
(JadeOS) (config) #reload
Do you really want to restart the system(y/n): n
3.4.4 Files Import/Export
12
JadeOS User Manual
You can save configuration files into JadeOS and copy to an external server.
copy startup-config flash: 
copy startup-config tftp:  
copy running-config flash: 
copy running-config ftp:    
[]
copy running-config startup-config
copy running-config tftp:  
3.5 System Update
The system image file is stored in the Compact Flash (CF) on each line card. Every
time you start the system, bootloader will automatically download the image to system RAM. The CF card is divided into two partitions which both contain the system
image files. At the factory default setting, bootloader will download image files from
partition 0. After system updating, JadeOS will automatically start from the partition
which contains the updated image files. You can also spiffy which partition to start
from manually. To update the system image file, complete the following steps:
Step 1
Input the user name and password after connecting the JadeOS through
SSH, telnet or console.
Step 2
Turn into the global configuration mode by entering the command config-
ure terminal.
Step 3
Turn into the interface configuration mode by entering the command inter-
face mgmt.
Step 4
Set mgmt interface IP address and make sure the tftp or ftp server is ok.
Step 5
Copy the image file to partition 0/1 on CF card.
The system will reboot after the update complete.
Note: It’s recommended that you update the system image files from the partition
which the system is not working on to avoid that the current image files are
erased. For example: if the system is working on partition 0, please update
the system image files from partition 1.
To change boot partition, use following command in Config mode:
(JadeOS) (config)#boot system partition 0
To view image information about boot partition, use following command in enable
mode:
13
JadeOS User Manual
(JadeOS) #show image version
---------------------------------Partition
: 0:0 (/dev/sda1)
Software Version
: JadeOS 2.3.2.0
Built on
: SMP Thu Dec 19 18:01:40 CST 2013
---------------------------------Partition
: 0:1 (/dev/sda2)
Software Version
: JadeOS 2.2.6.0
Built on
: SMP Mon Nov 18 14:58:24 CST 2013
3.6 File Operations
3.6.1 Basic Operations
JadeOS provide basic operations about files such as dir、copy、rename、delete and so
on, the command is as following:
Dir files:
(JadeOS) #dir
Copy files:
(JadeOS) #copy
flash:  {flash:  | tftp:   | ftp: 
} |
ftp:    {system: partition {0|1} |flash:  }|
running-config {flash:  | ftp:     | tftp: 
} |
startup-config {flash:  | tftp:  } |
system: partition { 0|1}|
tftp:   {flash: }|
Rename files:
(JadeOS) #rename  
Delete files:
(JadeOS) #delete filename 
3.6.2 Files Transfer by FTP and TFTP Command
You can transfer the following files between JadeOS and an external server or host:
14
•
JadeOS image files
•
A specified file in JadeOS flash file system, or a compressed archive that
contains the flash file
•
Configuration file, either the running configuration or a startup configuration
JadeOS User Manual
Log files
•
You can use the following protocols to transfer files between JadeOS and external
server or host:
•
File Transfer Protocol (FTP)
•
Trivial File Transfer Protocol (TFTP)
Sever Type
Configuration
Trivial File Transfer Proto-
IP address of the server
col(TFTP)
Filename
IP address of the server
Username and password to log into server
File Transfer Protocol(FTP)
Filename
Table 3- 3 Parameters of TFTP and FTP Configuration
3.6.3 JadeOS Image Image Files Transfer
You can copy JadeOS image files to JadeOS or equipment by TFTP or FTP server.
When you transfer a JadeOS image file to equipment, you must specify the partition
which the file is copied to. You have the option of rebooting JadeOS with the transferred image file.
copy tftp:   system: partition {0|1}
copy ftp:    system: partition {0|1}
copy scp:    system: partition [0|1]
3.6.5 Log Files Storage
You can save log files into a compressed archive and copy to an external TFTP server.
tar logs
copy flash: logs.tar tftp:  
copy flash: logs.tar scp:   
3.7 User Management
To create users, you can use the command:
mgmt-user  
For example, create a user account “test” and password “123456”:
(JadeOS) (config)#mgmt-user test 123456
To inquire users in the system, you can use the command:
15
JadeOS User Manual
(JadeOS) #who
vty[0] connected from 192.168.16.21
vty[1] connected from 192.168.16.22
vty[2] connected from 192.168.16.19
vty[3] connected from 192.168.16.19
3.8 Configuring System Settings
3.8.1 Setting Hostname
The factory default hostname is JadeOS. You can change the hostname using the following command:
hostname 
For example:
(JadeOS) (config) #hostname Gate
(Gate) (config) #
3.8.2 Setting Country Code
JadeOS are designed to manage the access points which are located in many countries
with different requirements. The radios within the access points are assigned to a specific regulatory domain at the factory. You can specify a particular country code for
each country (such as FR for France or ES for Spain). Configuring a country code
ensures that each radio’s broadcast frequency bands, interfaces, channels, and transmit
power levels which are compliant with country-specific regulations.
When the JadeOS start for the first time, the system will prompt you to enter the
country code which country the JadeOS is located and you need to confirm the country code by entering ‘yes’.
3.8.3 Setting Administrator Password
To log in JadeOS, you must enter the administrator user account and password. The
factory default user account is ‘admin’ and the password is “admins”.
A prompt ‘Enter password for admin login’ will be displayed after you enter the administrator user account ‘admin’. You can enter the password that you want to set and
retype it to confirm. Except for the administrator user, you can set 9 users.
3.8.4 Setting System Clock
You can set the JadeOS system date and time manually using the configuration wizard
when you start the JadeOS system for the first time. Greenwich Mean Time (GMT) is
used as the standard for setting the time zone.
16
JadeOS User Manual
¾ Setting the System Clock Manually
To set the date and time, enter the following command in privileged mode:
clock set 
To set the time zone and daylight savings time adjustment, enter the following commands in configure mode:
clock timezone<-23 - 23>
clock summer-time  [recurring]
<1-4>
first
last
<1-4>
first
last
[<-23 - 23>]
¾ Setting the System Clock with NTP
You can use NTP (Network Time Protocol) to synchronize JadeOS to a central time
source.
3.8.5 Clock Synchronization
For each NTP server, you can optionally specify the NTP iburst mode for faster clock
synchronization. The iburst mode sends up ten queries within the first minute to the
NTP server. (When iburst mode is not enabled, only one query is sent within the first
minute to the NTP server.) After the first minute, the iburst mode typically synchronizes the clock so that queries need to be sent at intervals of 64 seconds or more.
You can add a NTP server using the following command:
ntp server  [iburst]
3.8.6 Configuring NTP Authentication
The NTP adds security to an NTP client by authenticating the server before synchronizing the local clock. NTP authentication works by using a symmetric key which is
configured by the user. The secret key is shared by both JadeOS and an external NTP
server. This helps identify secure servers from fraudulent servers.
This example enables NTP authentication, add authentication secret keys into the database, and specifies a subset of keys which are trusted. It also enables the iburst option.
(JadeOS)(config)#ntp authenticate
(JadeOS)(config)#ntp authentication-key  md5 
17
JadeOS User Manual
(JadeOS)(config)#ntp trusted-key 
(JadeOS)(config)#ntp server  iburst
Example of configuring NTP authentication:
(JadeOS)(config)#ntp authenticate
(JadeOS)(config)#ntp authentication-key 1 md5 123
(JadeOS)(config)#ntp trusted-key 1
(JadeOS)(config)#ntp server 1.1.1.1 iburst
3.9 Ping and Traceroute
Command ping and traceroute can help to diagnose network connection status.
Command format:
ping A.B.C.D
traceroute A.B.C.D
For example, use command ping in enable mode to judge whether the internet connection to IP address ‘192.168.20.1’ or not.
(JadeOS) #ping 192.168.20.1
Sending..., 100-byte ICMP Echos to 192.168.20.1, press 'q' or ESC to exit:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.686/0.7134/0.808 ms
3.10 License Management
License is mainly used to protect the lawful rights of authorized users. You can obtain
the authorization by input License Activation Key.
Note: please contact the vendors if you need to add APs after license is in effective.
To add License key, you can use following command in config mode:
license add 
Note: Key is provided by vendors, and the length is 192 characters.
After license key is in effective, you can inquiry the limit number of AP and station by
the following command:
show license limit
To display license key, you can use following command:
show license
18
JadeOS User Manual
Chapter 4 Interface Configuration
This chapter will describe how to configure interface.
4.1 Naming Ethernet Port
GigabitEthernet  is GE port, and parameter ‘word’ format is . ‘slot’
means slot number, ‘port’ means port number. Both start with value 0 and range depends on the real number of Ethernet.
For example, gigabitEthernet 1/0, gigabitEthernet 1/1 and gigabitethernet 1/2 means
the first Ethernet port, the second Ethernet port and the third Ethernet port of the first
slot.
Ten gigabitethernet is 10G port, and parameter ‘word’ format is the same as
GE port.
To inquiry present slot number, use show slot command:
(JadeOS) #show slot
Slot12
‘slot 12’ means present slot number is 12.
4.2 Configuring VLAN
JadeOS operates as a layer-2 switch that uses a VLAN as a broadcast domain. As a
layer-2 switch, JadeOS requires a layer-3 router to route traffic between VLANs.
4.2.1 Creating VLAN
You can configure Vlan in vlan mode:
Step 1 Enter vlan mode by using following command in config mode:
vlan database
Step 2
Creating vlan
vlan 
Note: Delete vlan by using no vlan  command.
For example:
(JadeOS)(config)#vlan database
(JadeOS)(config-vlan)#vlan 2
(JadeOS)(config-vlan)#vlan 3 name "VLAN3"
(JadeOS)(config-vlan)#no vlan 2
19
JadeOS User Manual
Command
Description
Vlan 2
Create vlan 2
vlan 3 name "VLAN3"
No vlan 2
Create vlan 3,and name as“vlan 3”
delete vlan 2
Table 4-1 command descriptions
4.3 Adding Ethernet Port into VLAN
The Ethernet port can be set in access mode or trunk mode, and then added into a
VLAN. The Ethernet port is in access mode by default. If it is set in trunk mode, the
port can carry data of multi VLAN Tag.
The port channel can be set in access mode or trunk mode. By default, a port channel
is in access mode and carries traffic only for the VLAN that is assigned. In trunk
mode, a port channel can carry traffic for multiple VLANs.
¾ Configure Port in access mode
Step 1
Enter physical interface mode
interface gigaethernet 
step 2
Configure layer-2 interface mode
switchport mode access
step 3
Add into the corresponding vlan
switch access vlan 
For example, add gigabitethernet 1/2 into access vlan 2
(JadeOS)(config) #interface gigabitethernet 1/2
(JadeOS)(config-if)#switchport mode access
(JadeOS)(config-if)#switchport access vlan 2
¾ Configure Port in Trunk Mode
Step 1 Entering physical interface mode
Interface gigaethernet 1/0
Step 2 Configure layer-2 interface mode
switchport mode trunk
Step 3
Specify the native vlan id and available vlan tag number respectively
switch trunk native vlan 
switchport trunk allowed vlan add 
Parameter
Description
Vlan-id
Specify native vlan id
Vlan-id-list
Specify available vlan tag
Table 4-2 parameter Descriptions
20
JadeOS User Manual
For example,add gigabitethernet 1/2 into access vlan 2
(JadeOS)(config) #interface gigabitethernet 1/2
(JadeOS)(config-if)#switchport mode trunk
(JadeOS)(config-if)#switchport trunk native vlan 4
(JadeOS)(config-if)#switchport trunk allowed vlan
add 5-10,11,12
4.4 Configuring VLAN Interface
Command to configure VLAN Interface:
interface vlan <1-4094>
Note: you need to create VLAN first before configuring Vlan Interface.
For example:
(JadeOS) (config)#interface vlan 2
(JadeOS) (config-if)#ip address 10.0.0.1/24
4.5 Configuring Port Channel
Link aggregation provides higher total bandwidth, auto-negotiation, and recovery by
combining parallel network links between devices as a single link.
Port-Channels provide a mechanism for aggregating multiple physical Ethernet links
to a single logical Ethernet link. Port-Channels are typically used to increase availabili
ty and bandwidth, while simplifying the network topology.
Step 1 Configure port-channel in config mode:
Interface port-channel 
Step 2 Add Ethernet port into aggregation group in port-channel interface mode:
add [gigabitethernet / | tengigabitethernet /]
Note: To delete one port, use following command:
del [gigabitethernet / | tengigabitethernet /]
Step 3 Configure balance arithmetic, now it supports arithmetic of active-standby and
load-balance:
(JadeOS)(config-if)#balance arithmetic active-stanby
(JadeOS)(config-if)#balance arithmetic load-balance
Examples :
(JadeOS)(config)#interface port-channel 1
(JadeOS)(config-if)#add gigabitethernet 2/1
(JadeOS)(config-if)#balance arithmetic active-stanby
(JadeOS)(config-if)#balance arithmetic load-balance
21
JadeOS User Manual
Inquire LAG by using show Interface port-channel  command:
(JadeOS)#show interface port-channel 2
Port-Channel 2 is administratively up
Hardware is Port-Channel, address is 04:8B:42:10:0D:0B (bia 04:8B:42:10:0D:0B)
Description: Link Aggregate (LACP)
Spanning Tree is disabled
VLAN membership:
190
Switchport priority: 0
Member port:
GE 4/3, Admin is up, line protocol is up
GE 4/4, Admin is up, line protocol is up
link status last changed 0 day 0 hr 16 min 46 sec
106198 packets input, 21374111 bytes
Received 124 broadcasts, 0 runts, 7483 giants, 0 throttles
11936475 input error bytes, 545 CRC, 0 frame
82048 multicast, 24026 unicast
14148 packets output, 432640 bytes
0 output errors bytes, 0 deferred
0 collisions, 0 late collisions, 0 throttles
Port-Channel 2 is TRUSTED
Delete LAG by using no interface port-channel  command:
(JadeOS)(config)# no interface port-channel 0
The port channel can be set in access mode or trunk mode. By default, a port channel
is in access mode and carries traffic only for the VLAN that is assigned. In trunk
mode, a port channel can carry traffic for multiple VLANs.
¾ Configure Port Channel in access mode
(JadeOS)(config)#interface port-channel 1
(JadeOS)(config-if)#switchport mode access
(JadeOS)(config-if)#switchport access vlan 2
¾ Configure Port channel in trunk mode
(JadeOS)(config) #interface port-channel 2
(JadeOS)(config-if)#description Portchannel2
(JadeOS)(config-if)#switchport mode trunk
(JadeOS)(config-if)#switchport trunk native vlan 5
(JadeOS)(config-if)#switchport trunk allowed vlan 6-9,10
22
JadeOS User Manual
4.6 Configuring QinQ
4.6.1 Configuring QinQ
Defined in IEEE802.1Q, VLAN Tag domain only uses 12 bytes to indicate VLAN ID,
so equipment can support up to 4094 VLANs. Some scenarios, especially in metropolitan area network, require a separate VLAN for customers. Therefore, 4094 VLAN
cannot meet the requirement. The 802.1QinQ expands VLAN space by using a
VLAN-in-VLAN hierarchy and tagging the tagged packets. At the same time, QinQ
makes SP use one VLAN supports the entire customer's VLANs. SP provides different service for different customers by decapsulating inner and outer vlan tag of users’
message.
Configuring QinQ by using following command:
Step 1
Create QinQ sub-interface in physical interface:
interface gigabitethernet/tengigabitethernet /.
parameter
description
slot
Slot number,range: 1-13
port
Port number
subif
Sub interface,range: 1-16760836
table 4-3 Parameter Description
For example, create QinQ sub-interface gigabitethernet 1/0.1 in Ethernet interface gigabitethernet 1/0:
interface gigabitethernet 1/0.1
step 2
Specify QinQ inner and outer tag
encapsulation dot1q  second-dot1q 
Parameter
Description
out-vlan-id
Single tag number,range: 1-4094
vlan-id|[begin-end]
Single tag number, range: 1-4094; or range, for example: 100-200
table 4-4 Parameter Description
For example: create a QinQ interface that outer tag is 1000 and inner tag range is
100-200, and configure IP address as a layer-3 interface.
(JadeOS)(config)#interface gigabitethernet 10/0.1
(JadeOS)(config-subif)# encapsulation dot1q 1000 second-dot1q 100-200
(JadeOS)(config-subif)#ip address 1.1.1.1/32
The sub-interface can be used as a layer-3 routing sub-interface. You can configure IP
address and routing in it. 2 QinQ Tag will be peeled when receiving data, and 2 QinQ
23
JadeOS User Manual
Tag will be encapsulated when sending data.
You can configure different services (for example, different authentication policies or
bandwidth control policies) on different inner tag when data received in QinQ
sub-interface.
4.7 Inquiring Interface Status and Statistics
To view interface information, use show interface gigabitethernet 
command:
(JadeOS) #show interface gigabitethernet 12/0
Interface gigabitethernet 12/0
Hardware is Ethernet
Current HW addr: 04:8b:42:10:5c:00
Physical:04:8b:42:10:0c:18
index 23 metric 1 mtu 1500 duplex-half arp ageing timeout 300
tcp4mss disable tcp6mss disable
proxy_arp disable local_proxy_arp disable
(UP,BROADCAST,RUNNING,MULTICAST,TRUST)
VRF Binding: Not bound
inet 119.6.100.5/24 broadcast 119.6.100.255
inet6 fe80::68b:42ff:fe10:5c00/64
input packets 1779, bytes 117400, dropped 0, multicast packets 0
input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
output packets 8, bytes 837, dropped 0
output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
collisions 0
To view all interfaces information, use show ip interface brief command:
(JadeOS) #show ip interface brief
Interface
loopback 0
24
IP-Address / IP-Netmask
Status
unassigned / unassigned
up
Protocol
down
Te 12/0
unassigned / unassigned
up
down
vlan 1
unassigned / unassigned
up
down
mgmt 1
192.168.20.95 / 255.255.255.0
up
up
Gi 12/0
119.6.100.5 / 255.255.255.0
up
up
Gi 12/2
172.50.3.1 / 255.255.255.0
up
up
Gi 12/4
unassigned / unassigned
down
down
Gi 12/6
unassigned / unassigned
down
down
Gi 12/8
unassigned / unassigned
up
up
Gi 12/10
unassigned / unassigned
down
Gi 12/12
unassigned / unassigned
down
down
down
JadeOS User Manual
25
Gi 12/14
unassigned / unassigned
down
down
Gi 12/16
unassigned / unassigned
down
down
Gi 12/18
unassigned / unassigned
down
down
JadeOS User Manual
Chapter 5 Layer-2 Network Service
JadeOS provides layer-2 network service. This chapter will describe bridge forwarding and port mirror.
5.1 Bridge Forwarding
5.1.1 Bridge Description
Bridge is used for the interconnection among two or more Layer-2 network and data
frame forwarding based on MAC address of Layer-2 network.
Bridge supports MAC address learning. Bridge will create one bridge table based on
source MAC address when one data frame from one MAC address first going through
bridge. Bridge table is indexed by MAC address, and it will record the physical interface connected to this host. Thereafter, when data frame from the same MAC address
come to this host again, it will be sent to this physical interface so that to avoid sending broadcast message to all interfaces.
Bridge forwarding is based on bridge table, each MAC address is corresponding to
one table. Bridge table will be automatically deleted if there is no data frame from the
same MAC address going through this bridge table for a while. When there is data
frame coming to this bridge after a while, bridge will learn MAC address again.
Besides dynamic learning, bridge table supports static configuration, which is called
static table.
5.1.2 Configuring Bridge
Bridge configuration is to add several physical interfaces to the same VLAN. In the
same VLAN, several interfaces form a bridge, the communication among the interfaces is bridge forwarding.
Please refer to chapter 4.2 and chapter 4.3 for more information.
5.1.3 Dynamic Table
Dynamic table is generated by system learning. System will look up bridge table
when receiving message. If no bridge table is available, system will automatically
generate a bridge table based on the source MAC address, VLAN ID, and the interface of message.
To inquiry bridge table, use show datapath bridge table command.
For example:
(JadeOS) #show datapath bridge table
26
JadeOS User Manual
Datapath Bridge Table Entries
----------------------------Flags: P - Permanent, D - Deny, M - Mobile, L - Local
MAC
--------------
VLAN
----
-------------
Assigned VLAN Destination
---------
-----
Flags Aging-time
-------
04:8B:42:12:00:81
Local
PL
04:8B:42:12:0A:81
85
85
Local
PL
04:8B:42:12:0A:A1
86
86
Local
PL
04:8B:42:12:0A:C1
87
87
Local
PL
04:8B:42:12:0A:E1
88
88
Local
PL
5.1.4 Bridge Aging
The bridge aging time is 15 minutes by default. If no traffic in 15 minutes, bridge table will be aging.
5.1.5 Static Table
Static bridge table will not be aging.
To configure static table, use following command in config mode:
mac-address-table static
 [discard/forward] gigabitethernet  Vlan

For example:
(JadeOS)(config)#mac-address-table static 04:8b:42:22:05:6f discard gigabitethernet 1/0 vlan 2
Note: To delete bridge table, use following command in config mode:
no mac-address-table static
   
5.2 Port Mirror
Mirror mode enables you to duplicate to another port all of the traffic originating from
or terminating at a single client device or access point. It is useful in diagnosing specific network problems. Mirror mode should be enabled only on an unused port as any
connections to this port become unresponsive.
You can configure port mirroring using the following commands:
(config)#interface{tengigabitethernet|gigabitethernet} /
(config-if)#mirror interface vlan  direction {both | receive | transmit}
27
JadeOS User Manual
Chapter 6 Layer-3 Network Service
JadeOS provides layer-3 network service. This chapter will describe how to configure
IP address, static routing, GRE tunnel, DHCP, OSPF, and IPv6 and so on.
6.1 Configuring IP Address
6.1.1 Configuring IP Address
Use the following commands to assign a static IP address to a port on JadeOS:
interface gigabitethernet /
no switchport
ip address 
6.1.2 Configuring Loopback The loopback IP address is a logical IP interface that is used by JadeOS to communicate with APs. The loopback address is used as JadeOS’s IP address for terminating VPN and GRE tunnels, originating requests to RADIUS servers and accepting administrative communications. You configure the loopback address as a host address with a 32-bit netmask. The loopback address is not bound to any specific interface and is operational at all times. To use this interface, ensure that the IP address is reachable through one of the VLAN interfaces. It should be routable from all external networks. To configure the loopback IP address, use the following commands: interface loopback ip address
6.2 Configuring Static Routing Table 6.2.2 Configuring Static Routing To configure static routing, use following command: ip route / For example: (JadeOS) (config)#ip route 10.0.0.0/24 192.168.10.1 6.2.2 Inquiring Routing Table 28 JadeOS User Manual To inquiry system routing table, including direct routing and static configuring routing, use show ip route command. (JadeOS) #show ip route Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default 10.2.20.0/24 [1/0] via 192.168.20.1, mgmt 1 18.0.0.0/8 [1/0] via 192.168.20.1, mgmt 1 80.1.0.0/16 is directly connected, vlan 80 119.6.100.0/24 is directly connected, Gi 12/0 119.6.200.0/24 [1/0] via 119.6.100.1, Gi 12/0 172.50.3.0/24 is directly connected, Gi 12/2 192.168.0.0/16 [1/0] via 192.168.20.1, mgmt 1 192.168.20.0/24 is directly connected, mgmt 1 6.3 Configuring ARP JadeOS supports configuring static ARP table. Address Resolution Protocol (ARP) is a TCP/IP protocol used for resolution of network layer IP address into link layer MAC address, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. Besides the basic ARP function, JadeOS also support local proxy ARP and DHCP authorized ARP. It is effectively avoided ARP cheat and attack by DHCP Snooping, which enhances the security of public wireless LANs communication. 6.3.1 Configuring Static ARP Table Dynamic ARP learning is enabling in JadeOS port by default. To add static ARP table, use following command: arp To delete ARP cache entry, use no arp command: no arp For example: (JadeOS) (config) #arp 10.1.2.23 00:19:87:0D:5C:2C 6.3.2 Inquiring ARP Table 29 JadeOS User Manual To view ARP table, use show arp command: (JadeOS) #show arp Address HWaddress Interface Type 192.168.20.1 00:13:1A:A5:CC:80 mgmt 1 Dynamic 192.168.20.15 00:15:C5:F3:35:B2 mgmt 1 Dynamic 192.168.20.152 00:14:22:19:FC:C4 mgmt 1 Dynamic 119.6.100.1 C4:64:13:D1:9A:EA 192.168.20.226 172.50.3.2 Gi 12/0 Dynamic 04:8B:42:10:6C:1C mgmt 1 Dynamic 04:8B:42:20:00:F5 Gi 12/2 Dynamic 6.3.2 Configuring ARP Proxy Proxy ARP includes local proxy ARP and proxy ARP. They both reply ARP request with interface MAC address, no matter the request address is in existence or not. But they have differences too. Proxy ARP will reply ARP request no matter the request address is in the same network segment with interface or not. Local proxy ARP will reply when ARP request’s original address, destination address and interface address are in the same network segment. In case of the TUNNEL broadcast message suppression and DHCP snooping is open, client need to communicate with another client that in the same network segment but different tunnel, so we need to continuously broadcast ARP message to look up another client. In the above situation, we can open the local proxy ARP function in JadeOS. In this way, JadeOS will act as ARP proxy to ensure the client’s data communication in different tunnel, and the same time, avoid a lot of useless broadcast message caused by repeat broadcast. 6.4 Configuring MTU and TCP MSS Mtu and tcp mss is the attribute of interface. When the data packet is larger than mtu value, system will fragment data packet according to mtu value. Fragmentation will affect data performance, so you should try to avoid fragmentation. If the interface is the attribute of tcp mss and the tcp mss option of syn message is larger than the tcp mss value of interface, system will modify the tcp mss option of this syn message and update tcp checksum when tcp syn message goes through inside interface and outside interface. You should try to avoid fragmentation for fragmentation will affect data performance To configure mtu, use mtu <68-9216> command in config mode: To configure tcp mss, use tcp4mss <4-65535> command in interface mode: For example, configure the mtu and tcp4mss of interface gigaethernet 1/0 is 1460 and 30 JadeOS User Manual 1440 respectively: (JadeOS) (config)#interface gigabitethernet 10/1 (JadeOS) (config-if)#mtu 1460 (JadeOS) (config-if)#tcp4mss 1440 6.5 Configuring GRE Tunnel GRE (Generic Routing Encapsulation) specifies a protocol for encapsulation of an arbitrary protocol over another arbitrary network layer protocol. GRE defined in RFC 2784 and updated by RFC 2890. To create a GRE tunnel interface and enter interface configuration mode on JadeOS, use the following command: interface tunnel tunnel mode gre Figure 6-3 GRE tunnel To create a GRE tunnel on JadeOS, use the following steps: (JadeOS)(config) #interface tunnel 1 (JadeOS)(config-if) #tunnel mode gre (JadeOS)(config-if) #ip address x.x.x.x/x (JadeOS)(config-if) #tunnel source x.x.x.x (JadeOS)(config-if) #tunnel destination x.x.x.x (JadeOS)(config-if) #tunnel key <0-4294967295> (JadeOS)(config-if) #tunnel checksum 6.6 Configuring DHCP The Dynamic Host Configuration Protocol (DHCP) is a network configuration protocol for hosts on Internet Protocol (IP) networks. UDP protocol mainly has two usages: Reduce client’s configuration burden, used in the change of office. Reduce network administrator’s configuration burden. UDP achieves address unified distribution, centralized management and DHCP Snooping rational using, which is good for avoiding network attack and ensuring resource rationally in use. Because of the terminal mobility, wireless network architecture has a high standard on 31 JadeOS User Manual DHCP protocol. It still has high standard on the scale of address pool and address distribution rate in SP environment. 6.6.1 Configuring DHCP Server To configure DHCP server, use following command: Step 1 Create one or more DHCP address pool: ip dhcp pool Step 2 Specify the gateway of DHCP client default-router A.B.C.D Step 3 Specify the DNS server of DHCP client dns-server A.B.C.D Step 4 Specify the lease time Lease Step 5 Specify the range of address pool network Step 6 (optional) DHCP issue ARP table that combined with IP and MAC address of client to the system. update arp Step 7 (optional) Specify the reserved IP address or IP range, which is the IP address not assigned to the client. ip dhcp excluded-address [] Step 8 Enable DHCP service service dhcp 6.6.2 Inquiring DHCP Server Status 1 Inquire DHCP Configuration (JadeOS) #show ip dhcp database DHCP enabled ping-check false; broadcast; # vlan409 subnet 172.40.9.0 netmask 255.255.255.0 { lease-time 1 days,0 hours, 0 minutes, 0 seconds; option routers 172.40.9.1; range 172.40.9.2 172.40.9.254; Inquire DHCP lease statistics (JadeOS) #show ip dhcp statistics 32 JadeOS User Manual Network Name 13.0.0.0/16 Total leases 65533 Free leases 64532 Active leases 1001 Abandoned leases Reserved leases Inquire DHCP lease information (JadeOS) #show ip dhcp binding lease 13.0.6.202 { starts Mon Dec 23 10:41:30 2013 ends Mon Dec 23 10:42:30 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:73:2b; uid "\001\000P\272Ps+"; lease 13.0.6.238 { starts Mon Dec 23 10:41:33 2013 ends Mon Dec 23 10:42:33 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:75:2b; uid "\001\000P\272Pu+"; lease 13.0.7.19 { starts Mon Dec 23 10:41:28 2013 ends Mon Dec 23 10:42:28 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:74:e9; uid "\001\000P\272Pt\351"; lease 13.0.7.61 { starts Mon Dec 23 10:41:33 2013 ends Mon Dec 23 10:42:33 2013 binding state active; next binding state free; hardware ethernet 00:50:ba:50:76:5c; uid "\001\000P\272Pv\\"; 33 JadeOS User Manual 4 Inquire DHCP Server running status (JadeOS) #show ip dhcp server statistics Dhcp Server Packet Statistics: Receive packet: Discover Request Release Decline Inform Leasequery Unkown Send packet: Offer Ack Nak Other packet: Bootp Boopreply Speed: Offer Speed 0 client/sec 6.6.3 Configuring DHCP Relay JadeOS provides DHCP Relay function that enhances the DHCP function. A DHCP relay agent is any host that forwards DHCP packets between clients and servers. Relay agents are used to forward requests and replies between clients and servers when they are not on the same physical subnet. Relay agent forwarding is distinct from the normal forwarding of an IP router, where IP datagram are switched between networks somewhat transparently. By contrast, relay agents receive DHCP messages and then generate a new DHCP message to send on another interface. DHCP Relay configuration as below: Step 1 Enter “ip dhcp relay” (JadeOS)(config)# ip dhcp relay Step 2 Specify the interface of DHCP Client (JadeOS)(config-dhcp-relay)# client-interface 34 JadeOS User Manual Step 3 Specify the IP address of DHCP Server (JadeOS)(config-dhcp-relay)# server address A.B.C.D Step 4 Specify the interface of DHCP Server (JadeOS)(config-dhcp-relay)# server-interface Step 5 Enable Relay (JadeOS)(config-dhcp-relay)# enable 6.6.4 DHCP Snooping DHCP Snooping acts as the firewall between untrust host and DHCP server, which avoid interfere and attack to the legal user. Through DHCP snooping, you can view the filtered illegal DHCP message. Because DHCP message carries MAC address and IP address of user terminal, you can obtain and record DHCP message through continuously track, which can be used to indentify other illegal DHCP message. Through building and maintaining DHCP snooping table (IP-MAC binding), system can detect whether the followed communication is legal, and then reject the unmatched data between IP and MAC. To enable DHCP snooping, use the following command: ip dhcp snooping enable To display DHCP snooping binding table, use the following command: (JadeOS) #show ip dhcp snooping binding counter Datapath Bind Table Statistics ------------------------------Current Entries 1001 High Water Mark 1001 Maximum Entries 262144 Total Entries 4001 Allocation Failures 0 (JadeOS) #show ip dhcp snooping binding DHCP Snooping State is disable DHCP Snooping verify MAC State is disable Datapath Binding Table Entries ------------------------------------------------------------------Type: D - Dynamic, S - Statically-configured MacAddress ------------- 35 IpAddress --------------- --------- Lease(sec) ------ Type Interface ------------ JadeOS User Manual 00:50:ba:50:77:06 13.0.7.20 300 Gi 6/10 00:50:ba:50:76:DA 13.0.6.242 300 Gi 6/10 00:50:ba:50:76:D8 13.0.6.237 300 Gi 6/10 00:50:ba:50:76:D4 13.0.6.227 300 Gi 6/10 Security Check Through binding table, DHCP snooping module determine whether the DHCP message sent by user is legal or not, and then reject illegal DHCP request if illegal. Enabling MAC address detection, DHCP snooping can avoid attack by checking whether the MAC address of DHCP protocol match with the source MAC address of Ethernet. To enable MAC address detection of DHCP snooping, use the following command in config mode: ip dhcp snooping verify mac-address enable Broadcast Suppression JadeOS can automatically record DHCP request information into DHCP snooping session table by enabling DHCP snooping. When received broadcast message from DHCP server, JadeOS can look up the corresponding host and exit port in the DHCP snooping table, then change the broadcast into unicast. Therefore, JadeOS achieves broadcast suppression. To configure the broadcast suppression in QinQ interface, use the following command: ip dhcp snooping enable To display the DHCP snooping session table, use the following command: show ip dhcp snooping session 6.6.5 ARP With DHCP Enabling ARP with DHCP, DHCP will issue ARP table that combined distributed IP address and MAC address in client to the system, at the same time, disable the function of ARP learning in the specified interface. Therefore, ARP table is strictly checked by DHCP snooping, which ensures the legality and avoid the ARP cheat and interfere to the user online and communication. For example: ¾ Enable ARP with DHCP function: Step 1 Configure update arp in address pool (JadeOS) (config)#ip dhcp pool ABC (JadeOS) (config-dhcp)#update arp Step 2 Configure ARP authorized in the interface of distributed IP, disable ARP learning function: (JadeOS) (config)#interface vlan 6 36 JadeOS User Manual (JadeOS) (config-if)#arp authorized Note: ARP learning will be disabled after enabling ARP with DHCP. ¾ Disable ARP with DHCP function: Step 1 To save client ARP information, use no update arp command to disable ARP function: (JadeOS) (config)#ip dhcp pool ABC (JadeOS) (config-dhcp)#no update arp Step 2 Enable ARP learning function (JadeOS) (config)#interface vlan 6 (JadeOS) (config-if)#no arp authorized You can inquiry client ARP information by show arp command. 6.7 Configuring OSPF Open Shortest Path First (OSPF) is an adaptive routing protocol for Internet Protocol (IP) networks. It uses a link state routing algorithm and falls into the group of interior routing protocols, operating within a single autonomous system (AS). This allows the JadeOS to deploy effectively in a Layer 3 topology. The JadeOS can act as default gateway for all clients and forward user packets to the upstream router. 6.7.1 OSPF Implementation JadeOS OSPF implementation conforms to the OSPF Version 2 specifications detailed in the Internet RFC 2328. The list that follows outlines key OSPF features supported on JadeOS: NSSA areas (RFC3101) supported. Route redistribution—Routes learned via any IP protocol can be redistributed in to any other IP routing protocol. Authentication—Plain text authentication among neighboring routers within an area is supported. Routing interface parameters—Configurable parameters supported include interface output cost, retransmission interval, interface transmit delay, router priority, router “dead” and “hello” intervals, and message digest key. 6.7.2 Enabling OSPF OSPF is disabled by default. To enable the OSPF function on JadeOS, use the following command in the configuration mode: (JadeOS)(config)# router ospf 37 JadeOS User Manual Enabling OSPF requires that you create an OSPF router ID which is the only identifier in an AS system and area ID which specify the range of routing process. If the router ID is not configured, the loopback interface IP will be taken as router ID. If there is no loopback interface, system will select a maximum IP address from all of interface IPs. To configure a router ID, complete the following command: (JadeOS) (config)#router ospf (JadeOS) (config-router)#ospf router-id To configure a area ID, use the following command: (JadeOS)(config)# router ospf (JadeOS)(config-router)# area Note: Please refer to JadeOS Command Manual for more area configuration parameter. 6.7.3 Configuring OSPF Interface Parameters JadeOS allows you to alter certain interface-specific OSPF parameters as needed. You are not required to alter any of these parameters, but some interface parameters must be consistent across all routers in an attached network. Therefore, be sure that if you do configure any of these parameters, the configurations for all routers on your network have compatible values. To specify interface parameters as needed for your network, use the any of the commands listed in table 6-1: Command Purpose ip ospf cost Explicitly specify the cost of sending a packet on an OSPF interface. Set the number of seconds that a device's hello packets must not have been seen before its neighbors declare the OSPF router down. Specify the length of time between the hello packets that the Cisco IOS software sends on an OSPF interface. Enable OSPF MD5 authentication. ip ospf dead-interval ip ospf hello-interval ip ospf message-digest-key ip ospf priority ip ospf retransmit-interval ip ospf transmit-delay 38 Set priority to help determine the OSPF designated router for a network. Specify the number of seconds between link state advertisement retransmissions for adjacencies belonging to an OSPF interface. Set the estimated number of seconds it takes to JadeOS User Manual transmit a link state update packet on an OSPF interface. Table 6-1 OSPF Interface Parameter 6.7.4 Configuring OSPF Area JadeOS OSPF supports the following types of area: Stub area Stub areas are areas in to which information on external routes is not sent. Instead, there is a default external route generated by the area border router, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be in the stub area, you can configure no-summary on the ABR to prevent it from sending summary link advertisement into the stub area. To configure a stub area on JadeOS, use the following command: area stub [no-summary] For example, configure area 1.1.1.1 as stub area on JadeOS: (JadeOS) (config) #router ospf (JadeOS) (config-router) # area 2 stub no-summary NSSA(Not So Stubby Area) area NSSA area is similar to OSPF stub area. NSSA does not flood Type 5 (External Link State Advertisements)LSA form the core into the area, but it has the ability of importing AS external routes in a limited fashion within the area. NSSA allows importing of Type 7 AS external routes within NSSA area by redistribution. These Type 7 LSAs are translated into Type 5 LSAs by NSSA ABR which are flooded throughout the whole routing domain. To configure a NSSA area on JadeOS, use the following command: area nssa [ no-redistribution ] [no-summary ] [default-information-originate] Example 1, configure area 1.1.1.1 as totally NSSA area on JadeOS: (JadeOS)(config)# router ospf (JadeOS) (config-router) # area 1 nssa no-summary Example 2, configure area 1.1.1.1 as non-totally NSSA area, not importing type-7 external routes to the area: (JadeOS)(config)# router ospf area 1.1.1.1 (JadeOS)(config-router) # nssa no-redistribution Example 3, configure area 1.1.1.1as non-totally NSSA area, importing a default route to the area: (JadeOS)(config)# router ospf (JadeOS)(config-router) # area 1 nssa default-information-originate 39 JadeOS User Manual 6.7.5 Configuring OSPF Network Type JadeOS supports the following types of OSPF network: • Point-to-point networks(HDLC, Token Ring, FDDI) One point-to-point links such as HDLC and PPP, OSPF runs as a point-to-point network type. To configure an OSPF point-to-point network on JadeOS, use the following command: (JadeOS)(config-if)#ip ospf network point-to-point Broadcast networks (Ethernet, Token Ring, FDDI) On the broadcast medium such as Ethernet and Token Ring, OSPF runs as a broadcast network type. To configure an OSPF broadcast network on JadeOS, use the following command: (JadeOS)(config-if)#ip ospf network broadcast • Note: The network type is broadcast by default in factory. 6.7.6 OSPF Point-to-point Configuration Example In the following OSPF network, the autonomous system is divided into 3 areas. JadeOS A and JadeOS B is the ABR which is responsible to announce the routes between OSPF areas. 40 JadeOS User Manual Figure 6-1 OSPF configuration example Step 1 Create VLAN and add interfaces to VLAN (Refer to chapter 4 for VLAN configuration) Step 2 Configure OSPF on JadeOS A (JadeOS-A) (config) #router ospf (JadeOS-A) (config-router) #ospf router-id 1.1.1.1 (JadeOS-A) (config-router) #network 192.168.10.0/24 area 0 (JadeOS-A) (config-router) #network 192.168.20.0/24 area 1 (JadeOS-A) (config) #interface vlan 10 (JadeOS-A) (config-if) #ip address 192.168.10.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-A) (config) #interface vlan 20 (JadeOS-A) (config-if) #ip address 192.168.20.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point Step 3 Configure OSPF on JadeOS B (JadeOS-B) (config) #router ospf (JadeOS-B) (config-router) #ospf router-id 1.1.1.2 (JadeOS-B) (config-router) #network 192.168.10.0/24 area 0 (JadeOS-B) (config-router) #network 192.168.30.0/24 area 2 (JadeOS-B) (config) #interface vlan 10 41 JadeOS User Manual (JadeOS-B) (config-if) #ip address 192.168.10.2/24 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-B) (config) #interface vlan 30 (JadeOS-B) (config-if) #ip address 192.168.30.1/24 (JadeOS-A) (config-if) #ip ospf network point-to-point Step 4 Configure OSPF on JadeOS C (JadeOS-C) (config) #router ospf (JadeOS-C) (config-router) #ospf router-id 1.1.1.3 (JadeOS-C) (config-router) #network 192.168.20.0/24 area 1 (JadeOS-C) (config) #interface vlan 20 (JadeOS-A) (config-if) #ip ospf network point-to-point (JadeOS-C) (config-subif) #ip address 192.168.20.2/24 Step 5 Configure OSPF on JadeOS D (JadeOS-D) (config) #router ospf (JadeOS-D) (config-router) #ospf router-id 1.1.1.4 (JadeOS-D) (config-router) #network 192.168.30.0/24 area 2 (JadeOS-D) (config) #interface vlan 30 (JadeOS-D) (config-subif) #ip ospf network point-to-point (JadeOS-D) (config-subif) #ip address 192.168.30.2/24 Note: Routing management supports OSPF dynamic routing management and static routing management. To add static routing, use ip route A.B.C.D/ command. To delete routing, use no ip route A.B.C.D/ command. To display routing, use show ip route command. 6.8 Configuring IPv6 JadeOS supports IPv4/IPv6 configuration and IPv6 forwarding. IPv6 address and routing configuration is similar to IPv4. 6.8.1 Address Configuration To configure IPv6 address, use following command in interface mode: (JadeOS) (config)#interface vlan 333 (JadeOS) (config-if)#ipv6 address 2011::6:31/64 6.8.2 Routing Configuration 42 JadeOS User Manual To configure IPv6 routing, use following command: ipv6 route / 6.8.3 Ping6 To configure ping6, use following command: ping6 43 JadeOS User Manual Chapter 7 Network Security JadeOS is always deployed in gateway, which much data goes through it. The network environment of equipment is very complex and faces network security threat. This chapter will describe JadeOS network security and how to configure it. 7.1 Access Control List (ACL) Access Control List (ACL) defines the network access.ACL is the combination of rules; each rule can specify one matched rule and one operation. Matched rule is based on IP address or port number; operation is ‘permit’ or ‘deny’. The ACL is to match rules in sequence. JadeOS have an implicit rule of ‘deny’ for each ACL, so you should add the corresponding rule and specify the operation is ‘permit’ if you want to allow one type of traffic go through it. Through ACL, we can control users’ traffic exactly so that to ensure network security. 7.1.1 Standard ACL Standard ACL rule can specify the operation is ‘deny’ or ‘permit’; the matched rule is any, ip address and network segment. Step 1 Create a standard ACL named test-standard (JadeOS) (config)#ip access-list standard test-standard Step 2 Deny all the traffic in network segment 192.168.1.0/255.255.255.0 (JadeOS) (config-std-test-standard)#deny 192.168.1.0 255.255.255.0 Step 3 Allow all the traffic in network segment 192.168.0.0/255.255.0.0 (JadeOS) (config-std-test-standard)#permit 192.168.0.0 255.255.0.0 Step 4 Deny all the other traffic. (JadeOS) (config-std-test-standard)#deny any 7.1.2 Extended ACL Extended ACL can specify the operation is ‘deny’ or ‘permit’; the matched rule can specify the protocol number(any, tcp, udp, icmp, igmp), source IP address or network segment, destination IP address or network segment, range of port number. Step 1 Create extended ACL named test-extended (JadeOS) (config)#ip access-list standard test-extended 44 JadeOS User Manual Step 2 Deny tcp traffic from 60.0.0.0/255.255.255.0 to 192.168.10.0/255.255.255.0 with port range 1-1023. (JadeOS) (config-std-test-extended)# deny tcp 60.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0 range 1 1023 Step 3 Permit all the tcp port 80 traffic to 192.168.10.0/255.255.255.0. (JadeOS) (config-std-test-extended)# permit tcp any 192.168.10.0 255.255.255.0 eq 7.1.3 Session ACL Session ACL can specify the operation is ‘deny’ or ‘drop’; the matched rule are protocol number, source IP address or network segment, destination IP address or network segment and range of port number. Based on five elements (protocol, source IP address, source port number, destination IP address), session ACL can track all the data of this session to achieve the complex function, such as SNAT, DNAT. Session ACL is used to control user authentication. Please refer to Chapter 9 for more information. Step 1 Create a session ACL named test-session (JadeOS) (config)#ip access-list standard test-session Step 2 All the traffic from 192.168.20.0/255.255.255.0 will be translated by SNAT function. NAT-POOL is used by NAT pool. (Please refer to chanter 7.3 for how to create NAT pool) (JadeOS) (config-std-test-extended)# network 192.168.20.0 255.255.255.0 any any src-nat pool NAT_POOL Step 3: All the traffic from 192.168.30.0/255.255.255.0 will be translated to address 10.10.10.134 by DNAT function. (JadeOS) (config-std-test-extended)# network 192.168.30.0 255.255.255.0 any any dst-nat ip 10.10.10.134 7.2 Session JadeOS will maintain a session table for each session. The session table is based on five elements (protocol, source IP address, source port number, destination IP address). When the system receives the first data packet of the session, it will create a session table for the session. Based on this session, the following data packet will be uniformly handled by JadeOS, for example, SNAT will be transferred to the same address by NAT function. When the session is terminated (for example, monitor tcp fin message) or timeout (no traffic for a long time), session table will be deleted. 45 JadeOS User Manual To inquire the number of present session, use show datapath session counters command. (JadeOS) #show datapath session counters Datapath Session Table Statistics --------------------------------Current Entries: 2 High Water Mark: 10 Maximum Entries: 524287 Total Entries: 185 Duplicate Entries: 0 Cross linked Entries: 0 Max link Length: 1 To view present session table, use show datapath session table command: (JadeOS) #show datapath session table Datapath Session Table Entries ------------------------------ Flags: F - fast age, S - src NAT, N - dest NAT D - deny, R - redirect, Y - no syn H - high prio, P - set prio, T - set ToS C - client, M - mirror, V - VOIP Q - Real-Time Quality analysis I - Deep inspect, U - Locally destined E - Media Deep Inspect, G - media signal Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags -------------172.50.3.2 -------------- ---- ----- ----- ---- ---- --- --- ----------- ---------- ----- 172.50.3.1 17 49419 5246 0/0 00 172.50.3.2 17 5246 0/0 00 FC 172.50.3.1 49419 7.3 Configuring NAT Network Address Translation (NAT) is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses, 46 JadeOS User Manual before packets are forwarded to another network. As part of this capability, NAT can be configured to advertise only one address for the entire network to the outside world. This provides additional security by effectively hiding the entire internal network behind that address. NAT offers the dual functions of security and address conservation and is typically implemented in remote-access environments. Basically, NAT allows a single device, such as a router, to act as an agent between the Internet (or public network) and a local network (or private network), which means that only a single unique IP address is required to represent an entire group of computers to anything outside their network. 7.3.1 Configuring SNAT Figure 7-1 source address transfer To create NAT pool, use the following command in config mode: ip nat pool To create SNAT rule in session ACL, use the following command: network any any src-nat pool Using figure 7-1 as an example, step 1 and step 2 show how to specify the user policy in VLAN 100. Let the traffic from users on 200.0.0.0/24 subnet be SNATed when they access public internet server 155.0.0.150. Step 1 Create NAT address pool (JadeOS)(config)# ip nat pool nat_pool 150.0.0.1 150.0.0.1 160.0.0.1 Step 2 Configure session ACL, add a SNAT rules specifying what traffic is to be translated and NAT pool (JadeOS)(config)#ip access-list session tacl (JadeOS)(config-sess-tacl)# network 200.0.0.0 255.255.255.0 any any src-nat pool nat_pool Step 3 and Step 4 show how to apply ACL to VLAN 100, please refer to chapter 9.4 for more information. 47 JadeOS User Manual Step 3 Configure user role and apply ACl (JadeOS)(config)#user-role trole (JadeOS)(config-trole)#access-list session tacl Step 4 Configure AAA Profile, and specify user role (JadeOS)(config)#aaa profile test (JadeOS)(AAA profile “test”)#initial-role trole Step 5 Apply AAA profile to VLAN 100 (JadeOS)(config)#vlan 100 aaa profile test 7.3.2 Configuring DNAT Figure 7-2 Destination address transfer To configure DNAT address transfer in session ACl, use following command: dst-nat ip Using figure 7-2 as an example, JadeOS achieves to make user that failed authentication redirect to portal server (150.0.0.150) by DNAT function. Please refer to chapter 9.4 for more information. Step 1 To create session ACL and specify DNAT IP address and DNAT destination IP address, use the following command: (JadeOS) (config) #ip access-list session tacl (JadeOS) (config-sess-tacl) # any host 150.0.0.1 any dst-nat ip 200.0.0.200 Step 2 To create user role and apply it to ACL, use the following command: (JadeOS) (config) #user-role trole (JadeOS) (config-trole) #access-list session tacl Step 3 To create AAA profile and apply it to user role and authentication group, use the following command: (JadeOS) (config) #aaa profile test (JadeOS) (AAA profile “test”) #http-redirection enable (JadeOS) (AAA profile “test”) #initial-role trole 48 JadeOS User Manual Step 4 Apply AAA profile to VLAN 100 (JadeOS) (config) #vlan 100 aaa profile test 7.4 Configuring DoS Anti-attack The main function of DoS anti-attack is to protect the operation system of control plane, which can make JadeOS work normally in malicious attack. DoS anti-attack will classify based on protocol first, and then limit the rate of each protocol according to the configuration. JadeOS configure different rate limit policy for each protocol; rate limit policy is based on traffic per second or the number of data packet. 7.4.1 System Pre-defined Configuration Pre-defined configuration is the best deployment configuration of JadeOS, which is based on the hardware performance and design specification of the product. To view system predefined configuration, use show firewall command. (JadeOS) #show firewall Firewall bandwidth-contract: Firewall Rate limit Enable/Disable Rate Rate limit CP Capwap traffic Disable 2MBps0KBps Rate limit CP Dhcp traffic Disable 8MBps0KBps Rate limit CP Hostapd traffic Rate limit CP Ospf traffic Disable 20MBps0KBps Disable 2MBps0KBps Rate limit CP trusted-mcast packet traffic Disable Rate limit CP trusted-ucast packet traffic Disable 40MBps0KBps Rate limit CP untrusted-mcast packet traffic Disable 10MBps0KBps Rate limit CP untrusted-ucast packet traffic Disable 10MBps0KBps Rate limit CP VRRP packet traffic 20MBps0KBps Disable 2MBps0KBps Rate limit SP session miss packet traffic Disable 50000pps Rate limit SP user miss packet traffic Disable 1000pps Rate limit SP other excepion packet traffic Disable 2MBps0KBps 7.4.2 Configuring Anti-attack JadeOS supports anti-attack configuration, which is convenient for configuration adjustment in various network scenarios. Two configuration commands in config mode: firewall cp-bandwidth-contract firewall sp-bandwidth-contract 49 JadeOS User Manual For example: To configure the rate limit of session creation is 50000 per second: (JadeOS) (config)#firewall sp-bandwidth-contract session pps 50000 To configure the rate limit of new online user is 700 per second: (JadeOS) (config)#firewall sp-bandwidth-contract user pps 700 To configure the rate of receiving DHCP message is 2000 per second: (JadeOS) (config)#firewall cp-bandwidth-contract dhcp pps 2000 To configure the rate of receiving ARP message is 2000 per second: (JadeOS) (config)#firewall cp-bandwidth-contract arp pps 2000 To configure the rate of receiving unicast message that failed authentication is 10Mbps: (JadeOS) (config)#firewall cp-bandwidth-contract untrusted-ucast 10 0 7.5 Configuring Lawful Intercept Lawful intercept is a process that enables a Law Enforcement Agency (LEA) to perform electronic surveillance on an individual (a target) as authorized by a judicial or administrative order. To facilitate the lawful intercept process, certain legislation and regulations require service providers (SPs) and Internet service providers (ISPs) to implement their networks to explicitly support authorized electronic surveillance. The surveillance is performed through the use of wiretaps on traditional telecommunications and Internet services in voice, data, and multiservice networks. The LEA delivers a request for a wiretap to the target's service provider, who is responsible for intercepting data communication to and from the individual. The service provider uses the target's IP address or session to determine which of its edge routers handles the target's traffic (data communication). The service provider then intercepts the target's traffic as it passes through the router, and sends a copy of the intercepted traffic to the LEA without the target's knowledge. Configuration Steps: Step 1 To create LIG (LI gateway), and specify the encapsulation way of traffic sent to LIG, use the following command in LI mode: lig add [mirror|udp][interface|id] Step 2 To add LI rule, and specify LI name (based on ACL, IP, MAC, network segment) and LIG which receives the LI traffic, use the following command: rule [acl-filter | host-filter | mac-filter | net-filter] send acl-filter add lawful intercept rule, intercept data streams host-filter add lawful intercept rule, intercept host data streams mac-filter net-filter 50 add lawful intercept rule, intercept ethernet data streams add lawful intercept rule, intercept host data streams JadeOS User Manual Figure 6-4 Lawful interception To create Lawful interception gateway interface and rules on JadeOS, complete the following steps: Step 1 Enter the LI configuration mode. (JadeOS)(config) #li Step 2 Configure the LI gateway on JadeOS. (JadeOS)(config-li) #lig add test123 mirror gigabitethernet 2/1 Step 3 Configure the LI rule and enable the lawful intercept on JadeOS. (JadeOS)(config-li) #rule host-filter 1 gigabitethernet 2/1 10.1.10.2 send test123 (JadeOS)(config-li) #li enable 51 JadeOS User Manual Chapter 8 Configuring HQoS With the rapid development of the computer network, services such as bandwidth, delay, jitter sensitive voice and video are transferred through IP network tunnel. JadeOS support HQoS (hierarchical QoS) technology which can classify the type of service traffic; it can also uniformly manage and hierarchically schedule the transfer objects, such as several users, multi-service, and several types of traffic and so on, which ensure the quality for different data service. To enable or disable HQoS function in JadeOS, use following command in config mode: hqos-switch [on|off] 8.1 Configuring Rate Limitation on Port To configure the rate limitation for port on JadeOS, using following command: rate-limit [down|up] (0-10240) [bps|kbps|mbps] For example, to configure the rate limit of in direction is 200 Mbps and the rate of out direction is 300 Mbps: (JadeOS)(config)#interface gigabitethernet 1/0 (JadeOS)(config-if)#rate-limit up 200 mbps (JadeOS)(config-if)#rate-limit down 300 mbps 8.2 Configuring Rate Limitation on VLAN To configure the rate limitation for VLAN on JadeOS, using following command: (JadeOS)(config)#interface vlan 100 (JadeOS)(config-if)#rate-limit up 200 mbps (JadeOS)(config-if)#rate-limit down 1 mbps 8.3 Configuring Rate Limitation on User To configure the rate limitation for user on JadeOS, using following steps: Step 1 To configure bandwidth named ‘BW-8M’ and ‘BW-2M’, using following command: (JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8 (JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2 Step 2 To configure the downstream bandwidth named ‘BW-8M’ and the upstream bandwidth named ‘BW-2M’ in user role, using following command: (JadeOS) (config)#user-role postauth 52 JadeOS User Manual (JadeOS) (config-role)#bandwidth-contract BW-8M downstream (JadeOS) (config-role)#bandwidth-contract BW-2M upstream 53 JadeOS User Manual Chapter 9 Configuring AAA This chapter describes AAA configuration, including user network access, bandwidth control policy and so on. 9.1 The Attribute of Trust and Untrust Interface means the inside interface of data packet; when the interface is the attribute of trust, JadeOS will disable authentication function in this interface; when the interface is the attribute of untrust, JadeOS will enable authentication function in this interface. To configure the attribute of trust and untrust in the interface, use the following steps: Step 1 Enter interface config mode: (JadeOS) (config)#interface gigabitethernet 10/1 Step 2 Configure the interface is the attribute of trust (JadeOS) (config-if)#trusted Step 3 Configure the interface is the attribute of untrust (JadeOS) (config-if)#no trusted All the layer-2 interface and layer-3 interface is with the attribute of trust and untrust; when the data packet goes through several interfaces, JadeOS will decide whether to authenticate according to the last interface’s attribute. For example, add the interface gigaethernet 1/0 into vlan 10; gigaethernet 1/0 is the attribute of trust, interface vlan 10 is the attribute of untrust; data packet will authenticate according to the attribute of the last interface vlan 10 based on the above rule. 9.2 User and User Role 9.2.1 User In order to flexibly control the network access and traffic bandwidth in different IP address, JadeOS will create a user table for each IP address that goes through untrust interface. User table has its own life cycle. Create User: when traffic of one IP address goes into system from untrust interface, JadeOS will look up the IP address in the system; if it is not in existence, JadeOS will trigger the authentication process and generate a user table; user table is indexed by IP address. Delete User: when user offline or no traffic for a long time, JadeOS will delete this 54 JadeOS User Manual user table. 9.2.2 User Role and ACL User role defines the network access. JadeOS specifies the network access of user by ACL. To create a user role in JadeOS, you need to create a session ACL, and then apply the ACL to the user role. To create user role, use the following steps: Step 1 Configure a session ACL named pre-auth-acl (JadeOS) (config) #ip access-list session pre-auth-acl Step 2 Configure network access. (JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit Step 3 (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 Create a user role named ‘pre-auth’ (JadeOS) (config) #user-role preauth Step 4 Apply user rule to ACL (JadeOS) (config-role) #session-acl pre-auth-acl Attribute Description access-list Apply access list to user role bandwidth-contract Set the maximum bandwidth max-sessions reauthentication-interval Set the datapath session limit, 64k by default session-acl Apply session ACL Config the intervals of re-authentication vlan Distribute VLAN The attribute list supported by user role 9.2.3 Access Policy Based on User Role Before a user successfully authenticate, JadeOS specifies an initial role to user (role before authentication); after the user is successfully authenticate, JadeOS will specify a new role to the user (role after authentication).Network administrators can flexibly control network access through configuring ACL. For example, configure a user role named pre-auth that permit DNS traffic, but redirect all other traffic to port 443 to perform authentications by DNAT; configure a user role named post-auth that allow all the traffic; use the following steps: 55 JadeOS User Manual (JadeOS) (config) #ip access-list session pre-auth-acl (JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#exit (JadeOS) (config) #ip access-list session post-auth-acl (JadeOS) (config-sess-post-auth-acl)#any any any permit (JadeOS) (config-sess-pre-auth-acl)#exit (JadeOS) (config)#user-role preauth (JadeOS) (config-role)#access-list session pre-auth-acl (JadeOS) (config)#user-role postauth (JadeOS) (config-role)#access-list session post-auth-acl 9.3 Connections among User, VLAN and User Role Each user has its own VLAN ID in JadeOS. Several ways to specify VLAN for each user, for example: - If a user access from one VLAN interface, user’s VLAN is the interface’s VLAN ID; - Specify a VLAN for SSID; if a user access from this SSID, user’s VLAN is the specified VLAN; Each VLAN has an AAA policy; please refer to chapter 9.4 for more information. Each AAA policy defines the user role before authentication and after authentication (including network access and bandwidth control). User will switch user role after authentication. 9.4 Configuring AAA Profile AAA profile is a profile about authentication configuration. Profile specifies the authentication ways (web portal, 802.1x, and MAC authentication), initial role (role before authentication), default role (role after authentication), Radius Server and so on. Apply AAA profile to one VLAN, and then all the user in the VLAN can use AAA profile. Before configuration, you need to configure ACL, Role, Radius server group, authentication ways, and then apply them to the AAA profile. 9.4.1 Configuring ACL ACL is used to specify user’s network access. Please refer to chapter 9.2 and 9.3 for more information. 9.4.2 Configuring role 56 JadeOS User Manual Configuring AAA profile need to configure user role before authentication and after authentication. Please refer to chapter 9.3 for more information. 9.4.3 Configuring Radius Server Group Step 1 Configure Radius server RS1, including IP address of radius server, authentication key and local IP address: (JadeOS) (config)#aaa authentication-server radius RS1 (JadeOS) (RADIUS Server "RS1")#host 119.6.200.245 (JadeOS) (RADIUS Server "RS1")#key 123456 (JadeOS) (RADIUS Server "RS1")#ip 119.6.200.33 (JadeOS) (RADIUS Server "RS1")#exit Step2 Configure Radius server group SG1,including several Radius Server. (JadeOS) (config)#aaa server-group SG1 (JadeOS) (Server Group "SG1")#auth-server RS1 Commands supported by Radius Server Attribute Description acctport port number using to accounting; range: 1-65535; default value: 1813 authport Port number using to authentication; range: 1-65535; default value: 1812 host ip IP address and host name of Radius server key Pre-shared key nas-identifier nas-ip retransmit timeout use-md5 nas-identifier used in RADIUS data packet nas-ip of RADIUS data packet Maximum number of request; range: 0-3; default value: 3 Request timeout; range: 1-30s; default value: 5s Encryption using MD5s Source address of radius request Commands supported by Radius Server Group Attribute Description allow-fail-through Allow traffic that failed authentication auth-server Distribute authentication server set Set Role/Vlan rule 9.4.4 Configuring Authentication Way Authentications supported by JadeOS are captive-portal, dot1x, mac, open, psk, wep, 57 JadeOS User Manual and radius-proxy; usually the authentication way will specify default-role, which is the user role after successfully authentication. This chapter will describe the configuration for authentication way by using web portal as an example. In portal authentication, you need to define a rfc-3576-client, then a profile that at least include radius server group、default-role、rfc-3576-client. Please refer to chapter 9.7 for more information. For example: (JadeOS) (config)#aaa rfc-3576-client 119.6.200.203 (JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234 (JadeOS) (RFC 3576 Client "119.6.200.203")#exit (JadeOS) (config)#aaa authentication captive-portal web-portal (JadeOS) (Portal Authentication Profile "web-portal)#server-group SG1 (JadeOS) (Portal Authentication Profile "web-portal)#default-role postauth (JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203 Commands supported by Portal: Attribute Description default-role Distribute default role rfc-3576-client RFC-3576 client server-group web radius server group name welcome-page-url-id The url ID of welcome page 9.4.5 Configuring AAA Profile To configure AAA profile, use the following steps: Step 1 Create a aaa profile named ‘aaa’ (JadeOS) (config)#aaa profile aaa Step 2 Specify the authentication way (JadeOS) (AAA profile "aaa")#authentication-portal web-portal Step 3 Specify use role before authentication (JadeOS) (AAA profile "aaa")#initial-role preauth Step 4 Specify the Radius Server Group, and enable accounting function (JadeOS) (AAA profile "aaa")#radius-accounting SG1 (JadeOS) (AAA profile "aaa")#radius-accounting enable Commands supported by AAA profile Attribute Description authentication-dot1x Configure 802.1X authentication profile authentication-mac Configure MAC authentication profile authentication-open Configure open authentication profile 58 JadeOS User Manual authentication-portal authentication-psk Configure Portal authentication profile Configure PSK authentication profile authentication-radius-proxy Configure radius proxy profile authentication-wep Configure WEP authentication profile Configure disconnect message client disconnect-message-client http-redir-url-id Configure http redirection url ID http-redirection Configure http-redirection initial-role post-auth Role that is assigned to a user before authentication takes place Post-auth Timer pre-auth Pre-auth Timer radius-accounting Configure radius accounting 9.4.6 Binding VLAN Bind the AAA profile to VLAN 100, all the user in VLAN 100 will use this AAA profile. Configuration commands as follows: (JadeOS) (config)#vlan 100 aaa-profile aaa 9.5 MAC Authentication Authentication Description MAC address authentication is an authentication way to control user network access based on MAC address; it need not to install any client software. MAC authentication encapsulates the MAC address into RADIUS message according to configuration, and then authenticate in the specified RADIUS server. Therefore, MAC authentication will be used together with other authentication ways (WPA, web-auth) in usual, also it can be used independently. After detecting MAC address in the first time, JadeOS will enable authentication for this user. Configuration Management To configure MAC address, use the following steps: Step 1:Configure MAC authentication profile (JadeOS) (config)#aaa authentication mac mac1 (JadeOS) (MAC Authentication Profile "mac1")#server-group sg (JadeOS) (MAC Authentication Profile "mac1")#default-role post-auth (JadeOS) (MAC Authentication Profile "mac1")#exit 59 JadeOS User Manual Step 2:Apply MAC authentication in AAA profile (JadeOS) (MAC Authentication Profile "mac1")#aaa profile aaa (JadeOS) (AAA profile "aaa")#authentication-mac mac1 9.6 802.1X Authentication Authentication Description 802.1 x authentication is an authentication policy based on port. The purpose of 802.1x authentication is to decide whether a port is available; if successfully authenticate, the port will allow all the message; if unsuccessfully authenticate, the port only allow 802.1x message. Configuring Steps 802.1x authentication need to specify radius server and default-role, examples as follows: Step 1 Configure radius server (JadeOS) (config)#aaa authentication dot1x dot1x1 (JadeOS) (802.1X Authentication Profile "dot1x1")#default-role post-auth (JadeOS) (802.1X Authentication Profile "dot1x1")#server-group SG1 (JadeOS) (802.1X Authentication Profile "dot1x")#server-group SG1 (JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth Step 2 Apply 802.1x authentication in AAA profile (JadeOS) (MAC Authentication Profile "mac1")#aaa profile aaa (JadeOS) (AAA profile "aaa")#authentication-dot1x dot1x1 9.7 WEB Portal Authentication Web authentication is an authentication scheme based on browser. User that failed authentication will redirect to a login page, and require to input user name and password; user can access the network only after successfully authentication. WEB redirect supports DNAT redirect and HTTP 302 redirect. 9.7.1 Web Authentication Process Web authentication is based on HTTP protocol; authentication will not pop up forcibly unless user send HTTP request. The authentication process of WEB authentication is as follows: • • • 60 A user that unauthenticated begin to browser network page and send HTTP request HTTP request is redirect to an external portal server Port server send an authentication page for secure login JadeOS User Manual • • • User input user name and password; browser will transfer it to the web portal (authentication module in JadeOS), and then web portal send authentication request to the radius server JadeOS will decide whether authenticate successfully through user database in radius server; if successfully authenticate, radius server will inform JadeOS, at the same time, JadeOS inform portal server Portal server pops up welcome page; the user authentication is over 9.7.2 DNAT Redirect The redirect operation of JadeOS is based on DNAT by default. Before authentication, session ACL will redirect HTTP request to portal server. The configuration command is as follows: (JadeOS) (config) #ip access-list session pre-auth-acl (JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443 (JadeOS) (config-sess-pre-auth-acl)#any any ucp 0 65535 dst-nat ip 10.0.0.2 443 9.7.3 HTTP 302 Redirect To configure HTTP 302 redirect, use the following steps: Step 1 Configure URL list in config mode: (JadeOS) (config)# aaa http-redirection-url 1 ip 10.0.0.1 url http://10.0.0.1/wlan/index.php Step 2 Specify URL ID (JadeOS) (AAA profile "aaa")#http-redir-url-id 1 Step 3 Enable http 302 redirect (JadeOS) (AAA profile "aaa")#http-redirection enable 9.7.4 Configuring Portal Server JadeOS web authentication will customize the login page through external portal server. Portal server will configure a client according to RFC3576 definition; the client is used for sending users’ disconnection and authorization change information to JadeOS. To configure RFC client, use the following command: (JadeOS) (config)#aaa rfc-3576-client 119.6.200.203 (JadeOS) (RFC 3576 Client "119.6.200.203")#key 1234 TO configure the source port according to RFC3576 server, use the following command: ip rfc-3576-server ip port <1-65535> 9.7.5 Configuring CoA Disconnect Message 61 JadeOS User Manual Disconnect message (DM) is user disconnect message. The AAA Service Framework uses CoA messages to dynamically modify active subscriber sessions. For example RADIUS attributes in CoA messages might instruct the framework to create modify or terminate a subscriber service. CoA Messages Dynamic request support enables the router to receive and process unsolicited CoA messages from external RADIUS servers. RADIUS-initiated CoA messages use the following codes in request and response messages: ■CoA-Request (43) ■CoA-ACK (44) ■CoA-NAK (45) To configure CoA DM server, use the following command: ip disconnect-message-server port <1~65535> To configure CoA DM client, use the following command: (JadeOS) (config) #aaa profile aaa (JadeOS) (AAA profile "aaa") #disconnect-message-client 9.7.6 Configuring Captive-portal Authentication Step 1 Configure authentication way (JadeOS) (config)#aaa authentication captive-portal web-portal (JadeOS) (Portal Authentication Profile "web-portal)#server-group SG1 (JadeOS) (Portal Authentication Profile "web-portal)#default-role postauth (JadeOS) (Portal Authentication Profile "web-portal")#rfc-3576-client 119.6.200.203 Step 2 Apply captive-portal authentication in AAA profile (JadeOS) (AAA profile "aaa")#authentication-portal web-portal 9.7.7 Customize Logout Domain User can use customized logout domain, such as logout.wifi; user can input logout.wifi in the browser, and then login logout page. To configure logout.wifi in JadeOS, use the following command: (JadeOS) (config)#ip domain-name logout.wifi http-redirect-url 9.7.8 Configuring White-list and Black-list 62 JadeOS User Manual White-list and black-list authentication is a group of URL. Three cases about white-list and black-list authentication as follows: • User can access white-list URL and no need to authenticate • User can not access black-list URL, even though successfully authenticate • User can access URL that neither white-list nor black-list after successfully authenticate To configure domain in JadeOS, use the following command: (JadeOS) (config) # netdestnation black-list|white-list name WORD Configuring White-list To configure white-list in JadeOS, use the following command: (JadeOS) (config) #netdestination white-list name www.sina.com (JadeOS) (config) # ip access-list session pre (JadeOS) (config-sess-pre) # any host any permit position 1 (JadeOS) (config-sess-pre) #any alias 123 any permit position 2 Configuring Black-list To configure black-list in JadeOS, use the following command: (JadeOS) (config) #netdestination black-list name www.sina.com (JadeOS) (config) # ip access-list session post (JadeOS)(config-sess-post) #any alias 123 any deny send-deny-response position 2 9.8 Radius Proxy JadeOS supports radius proxy. With proxy RADIUS, one RADIUS server receives an authentication (or accounting) request from a RADIUS client (such as a NAS), forwards the request to a remote RADIUS server, receives the reply from the remote server, and sends that reply to the client, possibly with changes to reflect local administrative policy. A common use for proxy RADIUS is roaming. Roaming permits two or more administrative entities to allow each other's users to dial in to either entity's network for service. 9.8.1 Configuring Radius Proxy Step 1 Create aaa authentication radius-proxy RP (JadeOS) (config)#aaa authentication radius-proxy RP (JadeOS) (Radius Proxy Profile "RP")#default-role postauth (JadeOS) (Radius Proxy Profile "RP")#server-group SG1 Step 2 Config aaa profile AAA, and specify the authentication way of Radius Proxy 63 JadeOS User Manual is RP (JadeOS) (AAA profile "AAA")#authentication-radius-proxy RP Step 3 Specify the aaa profile in config mode (JadeOS) (AAA profile "AAA")#aaa radius-proxy aaa profile AAA Step 4 Enable Radius proxy in config mode (JadeOS) (AAA profile "AAA")#aaa radius-proxy enable 9.8.2 Configuring EAP-SIM EAP-SIM is one of the EAP authentication protocol based on 2G SIM card through which users access to WLAN network. Differed from other authentication protocol, EAM-SIM takes use of the user data and original authentication message be stored in SIM card to authenticate user and generate session key to access WLAN. At the same time the data will be stored in the ISP’s HLR to avoid the authentication message transfer on Internet to prevent user data from network attack. EAP-SIM is the authentication protocol applied in 2G networks and EAP-AKA is applied in 3G network. EAP-SIM authentication is performed when users use SIM card and EAP-AKA authentication is performed when users use USIM card. EAP-SIM and EAP-AKA is specified in RFC 4186 and RFC 4187 respectively. Figure 9-1 EAP-SIM authentication To configure EAP-SIM authentication on JadeOS, following the steps: Step 1 Configure Radius Server and Server Group (JadeOS) (config) # aaa authentication-server radius r1 (JadeOS) (RADIUS Server "r1") #host 1.1.1.1 (JadeOS) (RADIUS Server "r1") #key 123 64 JadeOS User Manual (JadeOS) (RADIUS Server "r1") #ip 10.1.1.10 (JadeOS) (config) #aaa server-group sg (JadeOS) (Server Group "sg")#auth-server r1 Step 2 Configure 802.1x authentication profile (JadeOS) (config)#aaa authentication dot1x dot1x (JadeOS) (802.1X Authentication Profile "dot1x")#default-role postauth (JadeOS) (802.1X Authentication Profile "dot1x")#server-group g1 Step 3 Configure AAA Profile (JadeOS) (config)#aaa profile default (JadeOS) (AAA profile "default")#authentication-dot1x dot1x (JadeOS) (AAA profile "default")#radius-accounting sg (JadeOS) (AAA profile "default")#initial-role preauth Step 4 Configure ssid-profile (JadeOS) (config)#wlan ssid-profile default (JadeOS) (SSID Profile "default")#auth-mode wpa-aes Step 5 Configure vap-profile (JadeOS) (config)#wlan vap-profile default (JadeOS) (VAP Profile "default")#aaa-profile default (JadeOS) (VAP Profile "default")#ssid-profile default Step 6 Configure ap-template (JadeOS) (config)#ap-template default (JadeOS) (AP template "default")#vap-profile default 9.9 Rate Limit Based on User Step 1 Configure bandwidth named ”BW-8M” and ”BW-2M” in config mode (JadeOS) (config)#aaa bandwidth-contract BW-8M mbits 8 (JadeOS) (config)#aaa bandwidth-contract BW-2M mbits 2 Step 2 Specify the downstream is BW-8M and the upstream is BW-2M (JadeOS) (config)#user-role postauth (JadeOS) (config-role)#bandwidth-contract BW-8M downstream (JadeOS) (config-role)#bandwidth-contract BW-2M upstream 9.10 User Accounting To configure user accounting, you need to configure a radius server group first, and enable radius accounting in AAA profile. To enable user accounting, use the Radius-accounting command. For example: (JadeOS) (AAA profile "aaa")#radius-accounting SG1 65 JadeOS User Manual 9.11 Example of WEB-Portal Authentication The following topology is taken for a web authentication configuration example: Figure 9-2 Web authentication configuration example Step 1 Configure VLAN and IP (JadeOS) (config) #vlan database (JadeOS) (config-vlan) #vlan range 11,30 (JadeOS) (config) #interface gigabitethernet 4/1 (JadeOS) (config-if)#switchport access vlan 30 (JadeOS) (config-if)#exit (JadeOS) (config) #interface gigabitethernet 4/4 (JadeOS) (config-if)#switchport access vlan 11 (JadeOS) (config-if)#exit (JadeOS) (config) #interface vlan 30 (JadeOS) (config-subif)#ip address 119.6.200.71/24 (JadeOS) (config-subif)#exit (JadeOS) (config) #interface vlan 11 (JadeOS) (config-subif)#ip address 11.11.11.76/24 (JadeOS) (config-subif)#exit (JadeOS) (config) # ip route 0.0.0.0 0.0.0.0 119.6.200.1 66 JadeOS User Manual (JadeOS) (config-subif)#end Step 2 Create DHCP Server (JadeOS) (config) #ip dhcp pool 119 (JadeOS) (config-dhcp)#network 119.6.200.0 255.255.255.0 (JadeOS) (config-dhcp)#default-router 119.6.200.1 (JadeOS) (config-dhcp)#dns-server 119.6.6.6 (JadeOS) (config-dhcp)#exit (JadeOS) (config) #ip dhcp excluded-address 119.6.200.1 119.6.200.115 (JadeOS) (config) #ip dhcp excluded-address 119.6.200.117 119.6.200.254 (JadeOS) (config) #service dhcp Step 3 Configure ACL session (JadeOS) (config) #ip access-list session pre-auth-ctrl (JadeOS) (config-sess-pre-auth-ctrl)# host 119.6.200.116 any tcp 80 dst-nat 8189 ip 210.151.12.118 (JadeOS) (config-sess-pre-auth-ctrl)#any any svc-dhcp permit (JadeOS) (config-sess-pre-auth-ctrl)#any any udp 53 permit (JadeOS) (config-sess-pre-auth-ctrl)#any host 210.151.12.118 tcp 443 permit (JadeOS) (config-sess-pre-auth-ctrl)#exit (JadeOS) (config) #ip access-list session post-auth-ctrl (JadeOS) (config-sess-post-auth-ctrl)#any any any permit (JadeOS) (config-sess-post-auth-ctrl)#exit Step 4 Configure user role (JadeOS) (config) #user-role pre-auth (JadeOS) (config-role) #session-acl pre-auth-ctrl (JadeOS) (config-role) #exit (JadeOS) (config) #user-role role (JadeOS) (config-role) #session-acl post-auth-ctrl (JadeOS) (config-role) #exit Step 5 Configure timers (JadeOS) (config) # aaa timers dead-time 10 Step 6 Configure RFC-35756 server and RFC-3576 client (JadeOS) (config) #ip rfc-3576-server source-interface vlan 30 port 1700 (JadeOS) (config) #aaa rfc-3576-client 210.151.12.118 (JadeOS) (RFC 3576 Client "210.151.12.118") #key ******** Step 7 Configure radius server and add it to server group (JadeOS) (config) #aaa authentication-server radius r1 (JadeOS) (RADIUS Server "r1") #host 210.151.12.115 (JadeOS) (RADIUS Server "r1") #key ******** (JadeOS) (RADIUS Server "r1") #nas-ip 119.6.200.71 67 JadeOS User Manual (JadeOS) (RADIUS Server "r1") #source-interface vlan 30 (JadeOS) (config) #aaa server-group g1 (JadeOS) (Server Group "g1") #auth-server r1 Step 8 Configure aaa profile (JadeOS) (config) #aaa profile ABC (JadeOS) (AAA Profile "ABC") #web-auth-server-group g1 (JadeOS) (AAA Profile "ABC") #rfc-3576-client 210.151.12.118 (JadeOS) (AAA Profile "ABC") #initial-role pre-auth (JadeOS) (AAA Profile "ABC")#web-auth-default-role post-auth (JadeOS) (AAA Profile "ABC")#post-auth idle-time 300 (JadeOS) (AAA Profile "ABC")#post-auth lifetime 300 (JadeOS) (AAA Profile "ABC")#pre-auth idle-time 300 (JadeOS) (AAA Profile "ABC")#pre-auth lifetime 300 Step 9 Apply profile to VLAN (JadeOS) (config) #vlan 30 aaa-profile ABC 9.12 Trouble Shooting When JadeOS is in trouble, user can locate problem by viewing user list. To view user list, use show user-table command. For example: (JadeOS) #show user-table Auth User Table Entries ----------------------- Flags: O - Post-auth, E - Pre-auth, W - Web-auth, P - RADIUS proxy, C - Accounting, m - Pre-MAC-auth, M - Post-MAC-auth, R - L3 roaming, o - Open, w - WEP, c - CCMP, t - TKIP, a - WPA, n - RSN, x - 802.1X, L - Station leave No. IP-addr MAC-addr ------- -------- Type Flags Age(d:h:m) ---- ----- ---------- User-name ----------(JadeOS) #show user-table (JadeOS) #show datapath user table Datapath User Table Entries --------------------------- Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor), N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable, 68 JadeOS User Manual S - Src NAT with VLAN IP, E - L2 Enforced, F - IPIP Force Delete, O - VOIP user IP --------------- MAC ----------------- ------- ACLs --------- -------- Contract Location Sessions Flags --------- ----- (JadeOS) #show datapath user coun (JadeOS) #show datapath user counters Datapath User Table Count is: 0 69 JadeOS User Manual WLAN Management JadeOS provides solutions of wireless controller and FIT AP. Wireless controller uniformly configure, manage and maintain a large quantity of APs, which greatly reduces the maintenance of wireless network. JadeOS supports AP without configuration, which is convenient to expand FIT AP and wireless network. JadeOS also supports centralized authentication, which is convenient to uniformly access and authenticate. At the same time, it is better to do the function of wireless roaming, RF management and load balance of AP access for AP centralized management. With the standard CAPWAP protocol, AC manages and controls AP through CAPWAP control channel; the data forwarding between AP and AC is through CAPWAP data channel. For CAPWAP is transferred based on Layer-3 network, it supports flexible network deployment in multi network; with the standard protocol, it raises the possibility of interconnection between different products from different manufacturers. Forwarding mode supports AC centralized forwarding and AP local forwarding. Authentication mode supports AC centralized authentication and AP local authentication. 10.1 Wireless Network Architecture 10.1.1 CAPWAP Description Control and provisioning of wireless access points (CAPWAP) protocol is belonging to IETF. It rules the interconnection between WTP and AC, which achieve the management and data forwarding for all the WTPs controlled by AC. Now CAPWAP is classified into two types: • CAPWAP control channel • CAPWAP data channel 10.1.2 CAPWAP Control Channel CAPWAP control channel is classified into two types: Static discovery: specify the IP address of AC in AP Dynamic discovery: configure broadcast discovery, DHCP discovery and DNS discovery and so on in AP More, AP will actively require update version and configuration, which reduce the maintenance. 70 JadeOS User Manual 10.1.3 CAPWAP Data Channel After configuration request by AP, AC will consult with AP to enable data channel. In centralized forwarding mode, up-link message will be encapsulated with CAPWAP in AP, decapsulated in AC, and then forwarding; down-link message will be encapsulated with CAPWAP in AC, and then arrive AP through CAPWAP tunnel; the down-link message will be decapsulated in AP, and then arrive user terminals through 802.11 protocols. 10.1.4 Mirror Upgrade and Configuration Management AP will automatically check for version upgrade. You just need to configure in AC for configuration management, no need to configure a large quantity of APs. The configuration will be in effective when AC receives AP request. The configuration command is as below: copy ap-image primary-image ftp 192.168.50.222 admin AmOS-1.4.1.2 41724 WIA3200-10 A1 AmOS-1.4.1.2 10.1.5 Forwarding Mode JadeOS achieve AC centralized forwarding and AP local forwarding in CAPWAP standard. You can specify the forwarding mode through configuration. 10.1.6 Authentication Mode JadeOS achieve AP centralized authentication and AP local authentication. Each SSID can specify a VLAN, and then look for AAA profile according to VLAN; please refer to chapter 9.3 for more information. 10.1.7 STATION Management The authentication of Station will be handled in AC. AC will record the authentication process of AP and the information connected AP, which is the basis of choosing CAPWAP data channel and roaming. Station management includes 802.11 management, STA information inquiry, log backup and recovery. 10.2 Forwarding Mode Forwarding mode is classified into 802.11 tunnel centralized forwarding, 802.3 tunnel centralized forwarding, AC authentication local forwarding and local authentication local forwarding. 71 JadeOS User Manual 10.3 Configuring Power You can configure to automatically choose the power of AP and station in AC, the configuring command is as follows: transmit-power 0 Configuring Radio Frequency You can manually configure radio frequency of AP, at the same time, AP can keep the original radio frequency information when AP online again after AP offline normally. For example: (JadeOS) (config)#radio dot11g-profile default (JadeOS) (802.11g radio Profile "default")#channel 149 Configuring Radio Power • JadeOS supports manually power regulation. For example (JadeOS) (config)#radio dot11a-profile default (JadeOS) (802.11a radio Profile "default")#transmit-power 10 (JadeOS) (802.11a radio Profile "default")#transmit-power 20 • JadeOS supports automatically power regulation. (JadeOS) (802.11a radio Profile "default")#transmit-power 0 10.4 Configuring Radio You can automatically choose the working channel of AP and station. For example: channel 0 10.5 DTLS and CA Datagram Transport Layer Security (DTLS) is based on the standard IETF protocol in TLS. CAPWAP control message and part of CAPWAP data message are using DTLS encryption mechanism of UDP layer. The configuration command is as follows: dtls Import CA Import CA in server into AC, which means transferring the CA format into another format that can be recognized by DTLS control channel and remove the password. For example: (JadeOS) #copy ftp 1.2.3.4 user cert_file flash sc-file-1 72 JadeOS User Manual (JadeOS) #Cert import pem serverCert sc-1 sc-file-1 10.6 Special SSID and SSID Control In EDU mode, in order to avoid AP disables all the SSIDs when AP disconnects with AC, AC will specify a special SSID when AP connects with AC; when CAPWAP is disconnected, AP will enable this SSID to ensure the normal service. The configuring command is as follows: (JadeOS) (config)#wlan ssid-profile SSID (JadeOS) (SSID Profile "SSID")#special-ssid Timing Shutdown Timing shutdown supports the following functions: ¾ Support AC timing shutdown the function of radio frequency in specified AP ¾ Support AC timing shutdown the specified functions of SSID The configuring command: time-range default Example: (JadeOS) (config)#time-range-profile default (JadeOS) (Time Range Profile "default")#range weekday 17:00 18:00 (JadeOS) (Time Range Profile "default")#range weekend 17:00 18:00 (JadeOS) (Time Range Profile "default")#range daily 17:00 18:00 (JadeOS) (Time Range Profile "default")#exit (JadeOS) (config)#wlan vap default (JadeOS) (Virtual AP Profile "default")#time-range default (JadeOS) (Virtual AP Profile "default")#exit (JadeOS) (config)#radio dot11a-profile default (JadeOS) (802.11a radio Profile "default")#time-range default (JadeOS) (802.11a radio Profile "default")#exit Note: Shutdown the frequency will make the whole radio disable; shutdown SSID just disable one SSID in radio. 10.7 ACL User access is mainly to issue ACL based on SSID, MAC, flow threshold, bandwidth control. ACL is important in building secure network, and mainly supports the following functions: ¾ ACL based on MAC address Configure ACL based on MAC address in AC, which achieve the black-list and white-list based on MAC address. 73 JadeOS User Manual For example: Add mac 11:22:33:44:55:6 into black-list: (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type deny (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66 Add mac 11:22:33:44:55:6 into white-list: (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#list-type accept (JadeOS) (AP MAC ACL Profile “mac-acl-prof-1”)#mac 11:22:33:44:55:66 ¾ Support to disconnect network automatically based on idle traffic monitor; you can configure time and the default value is 300s. the configuring command is as follows: idle-timeout <300-15300> ¾ Support ACL based on traffic threshold and the default value is 1KB: idle-threshold <0-1048576> Configuring ACL Configuring ACL based on IP address in AC achieves user access control. Configuring different ACls in AC can control different user access, for example: you can make user in the specified IP segment access the specified network segment. For ACL based on IP address is according to SSID, you can configure different ACLs in different SSID. Functions supported by ACL: ¾ Match source IP address and network segment ¾ Match destination IP address and network segment ¾ Match specified IP protocol and range ¾ Match source port and destination port of UDP/TCP protocol ¾ Support the operation of ‘permit’ and ‘deny’ according to the above rules Configuration command: any any any deny/permit For example: (JadeOS) (config)#ip access-list session acl1 (JadeOS) (config-sess-acl1)#host 1.1.1.1 any tcp 1 100 deny (JadeOS) (config-sess-acl1)#exit (JadeOS) (config)#user-role role1 (JadeOS) (config-role)#access-list session acl1 (JadeOS) (config-role)#exit (JadeOS) (config)#aaa profile aaa1 74 JadeOS User Manual (JadeOS) (AAA profile "aaa1")#initial-role role1 (JadeOS) (AAA profile "aaa1")#exit (JadeOS) (config)#wlan virtual-ap default (JadeOS) (Virtual AP Profile "default")#aaa-profile aaa1 (JadeOS) (Virtual AP Profile "default")#exit 10.8 Authentication Exemption For the special user that accounting exemption such as administrator and so on, JadeOS supports authentication exemption, for example: Step 1 Configure AAA profile, disable radius-accounting (JadeOS) (config)#aaa profile a1 (JadeOS) (AAA profile "a1")#no radius-accounting enable (JadeOS) (AAA profile "a1")#exit Step 2 Apply AAA profile to the VLAN (JadeOS) (config)#vlan 10 aaa profile a1 10.9 Anti-fake and Rogue AP detect Anti-fake To enable anti-fake function, use the following command: validate-sta-enable To disable anti-fake function, use the following command: no validate-sta-enable Rogue AP Detect AC will configure detect rule according to the message sent by AP, that is to make a detect policy for rogue equipment; then AC will classify the APs according to the detect rule. For example: (JadeOS) (config)#wids ap-classification-rule (JadeOS) (IDS AP Classification Rule )# enable (JadeOS) (IDS AP Classification Rule )# ssid test encription open (JadeOS) (IDS AP Classification Rule )# ap-oui 11:22:33 Note:To display rogue ap, use show rogue-ap command. 10.10 Anti-DoS The function of WLAN Dos is to prevent DoS attack. 75 JadeOS User Manual For example: (JadeOS) (config)#wids dos-profile default (JadeOS) (IDS DOS-Profile "default")#dos-prevention (JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-interval 10 (JadeOS) (IDS DOS-Profile "default")#mgmt-frame-throttle-limit 100 To display the attack in all the Aps, use show wlan dos command. To display the attack in specified MAC, use show wlan dos ap command. 76 JadeOS User Manual Chapter 10 WEBUI 11.1 WEBUI Description JadeOS supports WEBUI configuration. 11.2 WEBUI Login Step 1 Open IE browser and input IP address, then JadeOS will pop up the following dialog box: Figure 12-1 Login Dialog Box Step 2 Input user account ‘admin’ and password ‘admins’ and click Login button, then JadeOS will redirect to the following login page: Figure 12-2 webUI page 77 JadeOS User Manual Chapter 11 Configuring SNMP 12.1 Configuring SNMP Simple Network Management Protocol (SNMP) is an Internet-standard protocol for managing devices on IP networks. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention. JadeOS support versions 1, 2c, and 3 of SNMP. You can configure SNMP using the following commands: snmp-server community rw|ro snmp-server traphost {udp-port portno} Parameter Description WORD Name of Community udp-port port no (optional) port number, default value: 162 IP IP address Table 13- 1 Basic Parameters of SNMP For example: (JadeOS)#configure terminal (JadeOS)(config)#snmp-server community ro ww 1.1.1.1 78 JadeOS User Manual Chapter 12 Maintanence and Diagnosis 13.1 Log System Log system is used to record system running status, which can be saved in local or remote log server. Log is classified to 8 levels from emerg to debug, and the default level is error. To set log level, use the following command in config mode: logging level [process app] logging [severity level] [type category] Note:log level: emerg , alert, crit, err, warning, notice, info, debug. To set the log size in local server, use the command in config mode: log size <100-102400> (unit:KB) To recovery the log level in local to the default, use the command in config mode: no logging level [process app] no logging [severity level] [type category] For example: (JadeOS)(config)#logging level err all (JadeOS)(config)#logging 192.168.16.84 (JadeOS)(config)#log size 102400 (JadeOS)(config)#end To inquiry the local log, use the command in enable mode: show log [line] (JadeOS) #show log all 13.2 System Management JadeOS is a unified multi-level scalable technology. It uses the active-standby mode in control plane and active-active mode in data plane to achieve the high performance and high availability. The distributed architecture has been extended to meet requirements of high performance equipment. You can have a general view for the system management and telecommunications among all modules in figure 14-1. 79 JadeOS User Manual Figure 14- 1 Modules Diagram for the System Management When system powering up, a “master” system manager will be elected among all line cards existing in the chassis to control the whole equipment. The shelf manager control board sends/receives messages from the cards and modules over I2C bus. The elected “master” system manager on the line card get information from the shelf manager control board across the switch board by TCP/IP to control and monitor the whole system. Information Inquire To restart the system when JadeOS is in trouble, use the following command: reload To inquire the system information such as JadeOS version, gateway uptime, and so on, use the following command: show version To inquire chassis components status such as power module connection status, fan speed, line card temperature and so on, use the following command: show inventory To inquire the factory default information about chassis, use the following command: show chassis_info To inquire the environment temperature about the chassis, use the following command: show temperature chassis 80 JadeOS User Manual To inquire the CPU usage percentage, use the following command: show cpuload To inquire the CPU memory usage information, use the following command: show memory To inquire system log, use the following command: show log all To inquire the process status, use the following command: show process monitor statistics Alarm The hardware running status on JadeOS can be monitored and reported to system manager. If the working state on each card or module, for example temperature, is beyond the threshold, the alarms will arise and the LEDs on the card or module will turn on. The thresholds can be set manually using the following command: alarmthreshold NOTE: The alarm LED on SAD card will not turn off automatically when the alarm is relieved until you clear the alarm manually. To clear the alarm LED on SAD card, use the following command on the master line card: turn-off-led 13.3 Sniffer Tool JadeOS provides the sniffer tools for network diagnosis; it can capture the data packet in network interface and filter based on interface, IP address and tcp/udp port number. The operation steps are as following: Step 1 Configure filter conditions, and specify the capture traffic is 10M in maximum. (JadeOS) #packet capture interface gigaethernet 1/0 datatype all maxsize 10 Step 2 Start capture (JadeOS) #packet capture start Step 3 Stop capture (JadeOS) #packet capture stop Step 4 Display the packet capture (JadeOS) # show packet capture 81 JadeOS User Manual Abbrviations AC ACC ACL AS ATCA AP Alternating Current Automatic Current Control Access Control List Autonomous System Advanced Telecom Computing Architecture Access Point BCMC Broadcast and Multicast CAPWAP CDP CE CLI Control And Provisioning of Wireless Access Points Cisco Discovery Protocol Communication Edge Command Line Interface DES DHCP DNS DOS Data Encryption Standard Dynamic Host Configuration Protocol Domain Name Server Disk Operating System EAP EAPOL ECN Enterprise Application Platform Extensible Authentication Protocol Engineering Change Notice FRU FTP Field Replaceable Unit File Transfer Protocol GRE GMT Generic Routing Encapsulation Greenwich Mean Time IDS IDPS Intrusion Detection System Intrusion Detection and Prevention System 82 JadeOS User Manual IETF IGP IP IPMB IPMC IPMI IPS Internet Engineering Task Force Interior Gateway Protocol Internet Protocol Intelligent Platform Management Bus Intelligent Platform Management Controller Intelligent Platform Management Interface Intrusion Prevention System LACP LAG LDAP LED Link Aggregation Control Protocol Link Aggregation Group Lightweight Directory Access Protocol Light Emitting Diode MAC MLVDS Multi-Access Computer Multipoint Low-Voltage Differential Signaling NAT NTP Network Address Translation Network Time Protocol OSPF Open Shortest Path First PCB PEM PPC PVST Printed Circuit Board Power Entry Module Per Vlan Spanning Tree OS OSPF OUI Operation Software Open Shortest Path First Organizationally unique identifier QOS Quality Of Service RAM Random Access Memory 83 JadeOS User Manual RFC RSTP RTC RTM Request For Comments Rapid Spanning Tree Protocol Real Time Clock Rear Transmission Module SAD SAP SHA SNMP SSID SSL SSH STP Shelf Alarm Display Shelf Alarm Panel Secure Hash Algorithm Simple Network Management Protocol Service Set Identifier Secure Sockets Layer Secure Shell Spanning Tree Protocol TCA TCP/IP TFTP TKIP Telecommunications Computing Architecture Transmission Control Protocol / Internet Protocol Trivial File Transfer Protocol Temporal Key Integrity Protocol UDP User Datagram Protocol VCCI VLAN VPN VRID VRRP VTP Voluntary Control Council for Interference Virtual Local Area Network Virtual Private Network Virtual Router ID Virtual Router Redundancy Protocol Virtual Trunk Protocol WEP WPA 84 Wired Equivalent Privacy Wi-Fi Protected Access JadeOS User Manual

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
XMP Toolkit                     : Adobe XMP Core 4.2.1-c041 52.342996, 2008/05/07-20:48:00
Producer                        : Acrobat Distiller 7.0.5 (Windows)
Creator Tool                    : PScript5.dll Version 5.2
Modify Date                     : 2014:09:18 08:42:03+08:00
Create Date                     : 2014:09:17 18:31:44+08:00
Metadata Date                   : 2014:09:18 08:42:03+08:00
Format                          : application/pdf
Title                           : Microsoft Word - JadeOS User Manual_1_.docx
Creator                         : Administrator
Document ID                     : uuid:4c7ec52d-dde6-43c0-bc52-de7485b0c258
Instance ID                     : uuid:952a99ea-f799-4ec0-99d1-e3fb8a078b6e
Has XFA                         : No
Page Count                      : 94
Author                          : Administrator
EXIF Metadata provided by EXIF.tools
FCC ID Filing: 2ACKD-WIA3200

Navigation menu