The RG-EG series business assurance gateway (referred to below as the RG-EG or EG) is developed in-house by Ruijie. It is aimed at solving the Internet egress problems of small and medium-sized enterprises. The RG-EG series has an advanced software and firmware architecture: in addition to the efficient NAT forwarding performance of a dedicated egress device, it provides flow control, intelligent routing, behavior management, security, web authentication, VPN and other functions. Instead of deploying a separate router, firewall and flow control device, a single RG-EG series device can meet all of these requirements.
The EG has three working modes: gateway mode, bridge mode and bypass mode. Gateway mode and bridge mode are the ones commonly used. (The EG2100-P does not have bridge mode.)
A. Gateway Mode: the EG is the egress of the network and performs NAT and routed forwarding.
B. Bridge Mode: the EG acts as a bridge and is deployed between the intranet core switch and the egress gateway to the extranet. Bridge mode is further divided into three types: forward, sniffer and bypass.
Forward: flow audit, application recognition, application blocking and flow control are available.
Sniffer: flow audit and application recognition are available.
Bypass: packets are forwarded without being processed.
C. Bypass Mode: only application recognition is available; the EG only receives packets and does not forward them.
1) Modify the IP address of the PC.
IP address: 192.168.1.x (except 192.168.1.1)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1 (default LAN IP)
2) Connect the PC to any port (except WAN0) on the device.
3) Visit http://192.168.1.1 in the Chrome browser.
4) Enter the username and password on the login page and click “Log In”.
Default Username: admin
Default Password: admin
5) Change the password at the first login.
Ø Tools Needed: PuTTY (or a similar terminal program) on your computer, a console cable (as shown on the left) and a computer with a COM port. If your computer does not have a COM port, buy a USB-to-COM adapter cable yourself (as shown on the right).
Ø Operation Steps:
Step 1-Connect the console cable to the EG console port.
Step 2-Check the COM port number of your computer in ‘Device Manager’. Install the adapter drivers first, otherwise the COM port number will not appear.
Step 3-Open PuTTY and change the connection type to ‘Serial’. Choose your COM port number, set the baud rate to 9600 and disable RTS/CTS flow control. Then click the ‘Open’ button.
Step 4-Press ‘Enter’ to enter user mode.
Main Program Software Version Check:
You can see the product model and software version on the web home page.
You can also use the command ‘show version’ in the CLI.
Note:
1. Upgrading requires a restart, so upgrade in a time window when the network is allowed to be interrupted. Upgrading takes about 10 minutes.
2. Download the software version that corresponds to your product model, and make sure the software version and device model match. Read the version release notes carefully before upgrading.
Note: Download software from our official website (http://www.ruijienetworks.com/): click ‘Support’, then choose ‘Software Download’, and enter your product model or keywords to search for the latest and earlier software versions. (The screenshot takes the RG-N18000 as an example.)
3. Disable the EG attack defense function, or add the IP address of the PC used for upgrading to the management IP addresses.
A. Use the WEB to upgrade
1. Disable the attack defense function or add a management IP address as shown below. If you have disabled ‘Flow Attack Defense’, you do not need to add a management IP.
2. Then click ‘Advanced’, choose ‘Upgrade’, click ‘Browse’ to choose the upgrade file you downloaded, then click ‘Upgrade’.
Note: Before choosing the upgrade file, rename it to ‘rgos.bin’. Check the file size (and the checksum, if the download page provides one) against the download page before uploading, so that a truncated or tampered download is not flashed.
After the upgrade finishes, you are prompted to restart the device; click ‘OK’. After the restart, the upgrade is complete.
B. Use the console to upgrade
1. Rename the file to ‘rgos.bin’. Because 11.X versions are large, upgrading through the CLI requires the ‘3CDaemon’ TFTP tool; if another tool is used, the upgrade may fail.
Note: Check the Windows firewall, anti-virus software and other system security settings before upgrading. Run only one TFTP server at a time to prevent port conflicts. TFTP has no authentication, so start the server only for the transfer and stop it as soon as the copy is complete.
2. Open 3CDaemon, run the TFTP server and choose the file location.
3. Log in to the device through the console. Enter the command ‘copy tftp://192.168.1.100/rgos.bin sata0:rgos.bin’ and press ‘Enter’.
Note: 192.168.1.100 is the IP address of your computer.
4. After the main program has been imported, do not restart. Enter the command ‘upgrade sata0:rgos.bin force’ to update the main program.
5. Enter the command ‘show version’ to check the version information.
Note:
1. Prepare a console cable ahead of time.
2. Password recovery restarts the device and interrupts the network. Choose a time window when the network is allowed to be interrupted.
3. This procedure needs nothing more than console access, so anyone with physical access to the console port can clear the password. Keep the device in a locked location.
Ø Operation Steps:
Step 1-Open PuTTY or another terminal program and press ‘Enter’ to enter user mode (Ruijie>).
Step 2-Power the device off and on again, and press ‘Ctrl+C’ repeatedly in PuTTY until the following menu appears.
Step 3-Press ‘Ctrl+Q’ to enter the U-Boot CLI, enter the command ‘main_config_password_clear’ and press ‘Enter’. The device then restarts, and no password is needed to enter the system this time.
Step 4-Change your password in privileged mode. For example, in picture 1 below, the new web management and CLI privileged mode password is set to ‘ruijie’; then enter ‘write’ to save the configuration.
Step 5-Access the web page to confirm that it was successful.
Ø Use the WEB to back up
Click ‘Advanced’, choose ‘System’, choose ‘Backup’, click ‘Export Config’ and choose a save location for the exported configuration. To import, click ‘Scan…’, choose the configuration file and click ‘Import’.
Ø Use the CLI to back up
1. Open the TFTP software on your computer.
2. Enter the command ‘copy flash:config.text tftp://192.168.1.100/config.text’, where 192.168.1.100 is the IP address of your computer.
3. If you see the prompt ‘Transmission success, file length 50281 bytes’, the backup succeeded.
Note: The exported config.text contains the device's management credentials and the rest of its configuration, so store the backup in a protected location and do not leave it on the TFTP server directory.
Note: If the main program of the device is lost for some reason, try to recover it through the ctrl layer (the boot menu reached with Ctrl+C). When the main program is lost, the PWR and SYS lights stay on but the port lights stay off.
Ø Operation Steps:
Step 1-Download the main program from our official website. For detailed steps, see 4.2.2.
Step 2-Rename the file to ‘rgos.bin’.
Step 3-Open 3CDaemon, run the TFTP server and choose the file location.
Step 4-Open PuTTY, power the device off and on again, and press ‘Ctrl+C’ repeatedly in PuTTY until the following menu appears.
Step 5-Enter ‘0’ at the prompt ‘Press a key to run the command’.
Step 6-Then enter ‘1’ at the prompt ‘Press a key to run the command’, and enter ‘y’ at the prompt ‘Determined to upgrade?’.
Step 7-Press ‘Ctrl+Z’ to go back to the upper menu. Enter ‘2’ at the prompt ‘Press a key to run the command’ to restart and load the main program.
Step 8-Access the web page to confirm that it was successful.
Note:
1. After a factory reset, the existing configuration is deleted, and the device returns to the default web credentials (admin/admin). Change the password again as soon as the device comes back up.
2. A factory reset requires a restart.
3. If you cannot log in to the web page, use the CLI for the factory reset.
Ø Use the WEB to factory reset
Click ‘Advanced’, choose ‘System’, choose ‘Factory Reset’, and then click ‘Reset’.
Ø Use the CLI to factory reset
Open PuTTY or another terminal program (telnet also works). Enter the command ‘delete flash:config.text’ and press ‘Enter’. Enter ‘y’ at the prompt ‘Do you want to delete [Flash:/config.text]?’ and press ‘Enter’.
Then enter the command ‘reload’ to restart the device. Enter ‘y’ at the prompt ‘Reload system?’ and press ‘Enter’. Reloading takes about 5 minutes.
Ø Alarm Functions:
1. Flow Attack Alarm: if a large number of flow alarms appear and persist for a long time, we suggest turning on the ‘Attack Defense’ function. If the attacks come from the intranet, check whether a host in your intranet is infected with a virus. If the attacks come from the extranet, contact your carrier for help.
2. Signature Database Alarm: if some applications are missing from the new signature database and you had configured policies for these applications before, an alarm appears here.
3. SATA Disk Alarm: no alarm appears here in normal status; if one does, contact us.
4. Config File Alarm: shows the size of the current configuration file.
5. Default Route Alarm: if there is no default route, an alarm appears here.
Ø Operation Steps:
Step 1-If the ‘Alarm’ indicator turns red or blinks, click it to check. (Its normal status is black.)
Step 2-You can see which kinds of alarm have appeared; the alarm item also turns red. Green means everything is normal, as in the following picture.
Click ‘Advanced’, choose ‘System Log’, choose ‘System Log’. To view the syslog, click ‘Update’ and then start browsing it.
You can export the syslog by clicking ‘Export Log’; the log information is packaged and downloaded to your computer.
Note:
1. Server Log: you can associate the EG with your log server by configuring this function. Your log server then records the log types you designate, and the logs remain available even if the device is reset or its disk is cleared.
2. Local Log: you can save the flow log or NAT log on the disk of the device.
Note: When leaving the factory, the device only has a web management password. The default username and password for web management are both ‘admin’.
Ø Use the WEB to change the password
Click ‘Advanced’, choose ‘System’, and choose ‘Change Password’. You can change your web management and telnet passwords here. If you have not set other configurations through the CLI, the CLI privileged mode password is the same as the telnet password.
Ø Use the CLI to change the password
Ruijie#configure
Ruijie(config)#webmaster level 0 username admin password ruijie //change the admin password to ‘ruijie’
Ruijie(config)#enable secret ruijie //change the privileged mode password to ‘ruijie’
Ruijie(config)#line vty 0 4
Ruijie(config-line)#password ruijie //change the telnet password to ‘ruijie’
Ruijie(config-line)#end
Ruijie#write
The password ‘ruijie’ is only an illustration. Use a long, unique password for each of the three (web, telnet and privileged mode); if they are all the same, one leaked password gives full control of the device.
Note:
1. If your company has many administrators in charge of different functions, you can use this function to configure them.
2. These administrators can log in through the web, but cannot log in by telnet.
3. These administrators can change their own passwords, but cannot change the admin's password. If a new administrator forgets the password, log in as admin to reset it.
Click ‘Edit’ to reset the password; just enter a new password and confirm it.
1) Modify the IP address of the PC.
IP address: 192.168.1.x (except 192.168.1.1)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1 (default LAN IP)
2) Connect the PC to any port (except WAN0) on the device.
3) Visit http://192.168.1.1 in the Chrome browser.
4) Enter the username and password on the login page and click “Log In”.
Default Username: admin
Default Password: admin
5) Change the password at the first login.
Select a scenario.
Configure the WAN port (DHCP, Static IP or PPPoE).
It is not recommended to change the IP address of the LAN port; otherwise, you may need to log in and configure again. After the wizard completes, you can configure the LAN port on the interface configuration page.
6) Click Dashboard to open the homepage, or click Interface to enter the interface configuration page. If the WAN port is connected to the Internet, you can now access the Internet and add the EG to the Cloud.
1) Connect the AP710 to any of the LAN1-LAN7 ports on the EG2100-P. After the AP is powered on, it broadcasts the default SSID RJ-xxxxxx (xxxxxx is the last six digits of the EG2100-P SN).
2) Launch the Ruijie Cloud App, tap the Tool menu, and tap Gateway Setup to start the Gateway Quick Setup, as shown below:
3) Log in with the default account (username: admin, password: admin).
4) Reset the Web management password and tap Next. (Note: this password is required when you add EGs by scanning the QR code.)
5) Select a Scenario. If you select S&M Enterprise, Flow Control Configuration is added to the wizard. Here you can just tap Next to enter the Interface settings.
6) Configure the WAN port (PPPoE, Static IP or DHCP), tap Next and wait about 5 seconds until a success message is displayed. (Note: after the message is displayed, the EG restarts.)
7) The initial configuration is complete. Now you can create the network and add devices in the App.
1) Open the Ruijie Cloud App, tap Create Network, and enter the network name and SSID.
2) After the network is created, enter the network and tap Add Device to add the AP and the EG2100-P by scanning the QR code (AP SN/MAC) on the back of the device. (Note: when adding an EG, you need to enter its Web management password.)
3) Wait about 3 to 5 minutes, and you can see the online status of the AP and EG devices.
The SN/MAC QR code demo on the back of the AP:
1) After an EG comes online on the Ruijie Cloud, you can visit its eWeb page for advanced configuration. Select the EG in the Gateway List and click eWeb.
2) After the tunnel is created, the Web management page opens automatically, as shown below:
3) If the following information is displayed, click Proceed to enter the eWeb system.
1) Modify the IP address of the PC.
IP address: 192.168.1.x (except 192.168.1.1)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1 (default LAN IP)
2) Connect the PC to any port (except WAN0) on the device.
3) Visit http://192.168.1.1 in the Chrome browser.
4) Enter the username and password on the login page and click “Log In”.
Default Username: admin
Default Password: admin
5) Change the password at the first login.
Select a scenario.
Configure the WAN port (DHCP, Static IP or PPPoE).
It is not recommended to change the IP address of the LAN port; otherwise, you may need to log in and configure again. After the wizard completes, you can configure the LAN port on the interface configuration page.
6) Click Dashboard to open the homepage, or click Interface to enter the interface configuration page. If the WAN port is connected to the Internet, you can now access the Internet and add the EG to the Cloud.
1) Open the Ruijie Cloud App, tap Create Network, and enter the network name and SSID.
2) After the network is created, enter the network and tap Add Device to add the AP and the EG3250 by scanning the QR code (AP SN/MAC) on the back of the device. (Note: there is no QR code on the back of the EG3000UE/XE, so enter its SN manually.) When adding an EG, you need to enter its Web management password.
3) Wait about 3 to 5 minutes, and you can see the online status of the EG device.
The SN/MAC QR code demo on the back of the EG:
1) After an EG comes online on the Ruijie Cloud, you can visit its eWeb page for advanced configuration. Select the EG in the Gateway List and click eWeb.
2) After the tunnel is created, the Web management page opens automatically, as shown below:
3) If the following information is displayed, click Proceed to enter the eWeb system.
The load balancing function distributes data across multiple WAN interfaces to avoid traffic congestion and provide redundancy.
1. Configure the IP addresses of the WAN ports and the default routes.
2. Enable the load balancing policy.
3. Customize the interface weights so that traffic goes through the different egresses according to weight.
Step 1: Configure WAN 0
Step 2: Change the LAN1 port to WAN port
Step 3: Configure WAN 1
Step 4: Enable Load Balance
Step 5: Configure the interface weight
Step 1-Turn on the ‘DHCP’ service under ‘Network-DHCP’.
Step 2-Click ‘Add DHCP’.
Step 3-Set the necessary configuration, such as ‘DHCP Pool Name’, ‘Subnet’ and so on. Then click ‘Save’.
Note: You can also set option 43 or 138 here so that wireless APs can obtain the AC's IP address.
Step 4-Set ‘Excluded Address Range’ to reserve some IP addresses for servers or other devices if necessary.
Step 5-Test it: clear your PC's IP address and set it to obtain an address automatically. Click ‘User List’; if the configuration is effective, your PC appears in this list.
Additional step: If you want certain terminals to receive designated IP addresses from the DHCP pool every time, configure a ‘Static IP Address’ for them.
Ø Use the CLI to configure DHCP
The commands are as follows:
Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#service dhcp ------>Enable the DHCP service.
Ruijie(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10 ------>Reserve 192.168.1.1-192.168.1.10.
Ruijie(config)#ip dhcp pool Test ------>Create a DHCP pool named ‘Test’.
Ruijie(dhcp-config)#lease 0 1 0 ------>Set the lease time; ‘0 1 0’ means 0 days, 1 hour, 0 minutes. The default lease time is 24 hours.
Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 ------>Set the IP address range of the DHCP pool.
*The following configures static IP assignment in DHCP.
Ruijie(dhcp-config)#hardware-address 0026.b90b.a48a ------>Set the terminal MAC address to ‘0026.b90b.a48a’.
Ruijie(dhcp-config)#host 192.168.1.150 255.255.255.0 ------>Set the static IP address and mask.
*The above configures static IP assignment in DHCP.
Ruijie(dhcp-config)#dns-server 192.168.58.110 8.8.8.8 ------>192.168.58.110 is the primary DNS server, 8.8.8.8 is the backup.
Ruijie(dhcp-config)#default-router 192.168.1.1 ------>Set the gateway IP address.
Ruijie(dhcp-config)#end
Ruijie#write ------>Save the configuration.
Ø Regular Configuration
Choose ‘Network’, choose ‘DNS Settings’, click ‘DNS Server’, add the DNS server and save.
Ø DNS Proxy
1. Working Principle
If you turn on DNS proxy, the EG LAN port intercepts DNS messages, replaces the destination DNS server IP address with one of the servers configured on the WAN port, and then sends the message to that new DNS server. In this way, the terminal is served by the new DNS server.
2. Effect
A. Load balancing. When a link is heavily loaded, the LAN port can intercept messages whose destination DNS server is on that link and replace the destination with a DNS server that is not on that link.
B. Users can set the DNS server on their PCs freely. If a user sets a wrong DNS server address, the LAN port can intercept the message and replace it with a correct destination.
C. Faults are detected actively and the proxy switches to a new available DNS server.
3. Operation Steps:
Step 1-Choose ‘Network’, choose ‘DNS Settings’, click ‘DNS Proxy’, choose ‘Basic Settings’.
Step 2-Choose the intranet gateway interface on which DNS messages are intercepted. (Gi0/0 is taken as an example.)
Step 3-Choose your extranet port (Gi0/6 is taken as an example) and enter the correct DNS server IP addresses. The first one is the master server, the second one is the backup server. Then click ‘Save’.
Step 4-You can change the DNS server IP address on your computer to test whether other websites can still be accessed.
Step 5-Add IP addresses to the ‘DNS Whitelist’. The DNS proxy then does not affect these IP addresses or ranges. The effect of the DNS whitelist is shown in the following picture.
Note: You must set the next hop IP address on the WAN port (except when the address is obtained by dialer or DHCP). For example, if Gi0/7 needs DNS proxy, set the next hop IP address xxx.xxx.xxxx.xxx on Gi0/7.
Ø DNS Blacklist
Add IP addresses to the ‘DNS Blacklist’. The DNS proxy then intercepts DNS response packets matching these addresses and discards them. Generally speaking, this function can protect users from some malicious websites.
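The following is an added example (not Ruijie code) that models the DNS proxy decisions described above in Python: a LAN client's query is redirected to the master DNS server configured on the WAN port (or to the backup when the master is down), whitelisted clients are left alone, and a response whose A records fall in the blacklist is discarded. It includes a small DNS message parser so the decisions are made on real wire-format packets. The assumptions are mine, not the page's: the whitelist is matched against the LAN client address, the blacklist against the resolved addresses in the response, and the sample packets are constructed inline (203.0.113.0/24 is the TEST-NET-3 documentation range standing in for a malicious range).

```python
"""Model of the DNS proxy decisions described above (added example, not Ruijie code).

Assumptions (not stated on the page): the whitelist holds LAN client addresses that
the proxy leaves alone, the blacklist holds resolved addresses whose responses are
discarded, and the proxy falls back to the second WAN DNS server when the first fails.
"""
import ipaddress
import struct


def _read_name(msg, off):
    """Decode a possibly compressed DNS name at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg):
    """Return the transaction id, response flag, question name and A-record answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


class DnsProxy:
    def __init__(self, wan_dns, whitelist=(), blacklist=()):
        self.wan_dns = list(wan_dns)             # [master, backup] configured on the WAN port
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]

    @staticmethod
    def _listed(ip, nets):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    def handle_query(self, client_ip, dst_ip, msg, master_up=True):
        """LAN-side query: ('pass', original server) or ('redirect', WAN DNS server)."""
        if parse_dns(msg)["is_response"]:
            raise ValueError("expected a query")
        if self._listed(client_ip, self.whitelist):
            return "pass", dst_ip                # whitelisted clients keep their own server
        return "redirect", (self.wan_dns[0] if master_up else self.wan_dns[1])

    def handle_response(self, msg):
        """Response from the server: ('drop', blacklisted answers) or ('forward', answers)."""
        answers = parse_dns(msg)["answers"]
        bad = [ip for ip in answers if self._listed(ip, self.blacklist)]
        return ("drop", bad) if bad else ("forward", answers)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, qname):
    """Constructed sample query (A record, recursion desired)."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + _encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, ips):
    """Constructed sample response; answer names point back at the question (0xC00C)."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0) + _encode_name(qname) + struct.pack("!HH", 1, 1)
    for ip in ips:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return msg


if __name__ == "__main__":
    # 218.85.157.99 and 8.8.8.8 are the DNS servers used elsewhere on this page;
    # 203.0.113.0/24 (TEST-NET-3) stands in for a blacklisted malicious range.
    proxy = DnsProxy(["218.85.157.99", "8.8.8.8"], whitelist=["192.168.1.50/32"], blacklist=["203.0.113.0/24"])
    q = build_query(0x1234, "www.example.com")
    print(proxy.handle_query("192.168.1.20", "1.1.1.1", q))                # redirected to the master
    print(proxy.handle_query("192.168.1.50", "1.1.1.1", q))                # whitelisted client passes
    print(proxy.handle_query("192.168.1.20", "1.1.1.1", q, master_up=False))
    print(proxy.handle_response(build_response(0x1234, "bad.example", ["203.0.113.7"])))
```

Redirecting only the destination, as the device does, means the response still carries the client's original transaction id, so the client accepts it without noticing the substitution; the blacklist check on the way back is what turns the proxy into a protective control rather than just a load-balancing one.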
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. Users in the LAN business security group (192.168.1.2 to 192.168.1.100) are prohibited from accessing the Internet.
Enable all audit functions on Basic Settings.
Choose Flow > Behavior Policy > Basic Settings and select all audit functions.
View the audit records of services in the behavior reports.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. Users in the LAN business security group (192.168.1.2 to 192.168.1.100) are prohibited from accessing the Internet.
1. Choose User > User to add the users to be prohibited from accessing the Internet.
2. Choose Flow > Behavior Policy > Basic Settings and click User Blacklist.
Choose User > User > Common User and add the IP addresses of the users to be prohibited from accessing the Internet.
Choose Flow > Behavior Policy > Basic Settings and click User Blacklist.
Click Add Blacklisted User.
Note: If the IP address of a blacklisted user is also added to the audit-exempt user list, none of the user's applications is limited by any policy: the exemption takes precedence over the blacklist.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. All LAN users are prohibited from accessing the website www.baidu.com.
1. Choose User > User > Common User and add the users to be prohibited from accessing the website www.baidu.com.
2. Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Blacklist Mode.
1. Choose Flow > Behavior Policy > Basic Settings and click Website Blacklist/Whitelist.
2. Click Blacklist Mode and add a website to the blacklist.
The URL categories displayed after clicking Select are the default website classifications of the device. Alternatively, you can click Enter a URL to enter a URL.
Keyword matching is used here: you only need to enter the keyword of the primary domain name to be blacklisted, and it also matches secondary domain names and multi-level directories under it. Because the match is by keyword, make sure the keyword is specific enough not to match unrelated domains.
When a LAN user accesses www.baidu.com, a prompt is displayed indicating that the user is prohibited from accessing this website and needs to contact the website administrator.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. LAN users are allowed to access only the specified website www.126.com.
1. Choose User > User and add the user IP addresses.
2. Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Whitelist Mode.
1. Choose Flow > Behavior Policy > Basic Settings and click Website Blacklist/Whitelist.
2. Click Whitelist Mode and add a website to the whitelist.
The URL categories displayed after clicking Select are the default website classifications of the device. Alternatively, you can click Enter a URL to enter a URL.
Flexible Whitelist: after Flexible Whitelist is selected, pictures that do not belong to a whitelisted website can still be displayed normally when the whitelisted website is accessed. For the test process, see "Configuration Verification."
Test whether www.ruijienetworks.com can be accessed. The whitelisted website can be accessed normally, but other websites cannot.
The following figure shows the website displayed when Flexible Whitelist is not selected.
Access to other websites is prohibited.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. All LAN users can access the audit-exempt website www.google.com.
1. Choose User > User > Common User and add the users who may access the audit-exempt website www.google.com.
2. Choose Flow > Behavior Policy > Basic Settings, and click Audit-Exempt URL to add audit-exempt URLs.
Note: If you select Shield Invalid/Virus Websites in the wizard-based setup, or enable website access in the default audit in Behavior Policy, the system automatically delivers an audit-exempt website policy that exempts websites of the unknown category and the system upgrade category from audit, to avoid auditing junk data. This website audit exemption policy has a high priority: if you block websites of these two categories in Behavior Policy > Advanced Settings, the blocking may fail.
For example, a customer configures a behavior policy to block www.360safe.com, which belongs to the system upgrade category by default. The website audit exemption policy has the higher priority, so users can still access www.360safe.com even if the website is configured in a different category. To avoid this: (1) Check whether the category of www.360safe.com is correct. If not, contact R&D engineers. (2) Run commands on the CLI to delete the system upgrade category from the website audit exemption policy. If you still want to exempt other websites of the system upgrade category from audit, configure them on Advanced Settings with a priority lower than that of the policy blocking www.360safe.com.
Choose Flow > Behavior Policy > Basic Settings, and click Audit-Exempt URL.
Click Add URL to specify the required URL.
LAN users can access www.google.com successfully and there is no audit record in the behavior audit report. An audit record is generated after you delete www.google.com from the audit-exempt websites and access the website again.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. The WAN bandwidth is 10 Mbps, the WAN port address is 192.168.33.56/24, the WAN gateway address is 192.168.33.1, and the LAN is in the 192.168.1.0/24 network segment.
3. All LAN users are prohibited from accessing online shopping websites such as www.taobao.com.
1. Choose Flow > Behavior Policy and click Advanced Settings.
2. Configure a website access policy during policy creation.
3. If the policy does not take effect after the configuration is complete, check whether the user objects, application time and selected applications in the policy configuration are correct.
1. Choose Flow > Behavior Policy and click the Advanced Settings tab.
Click Add Behavior Policy.
a. Define the name of the policy.
b. Configure a behavior control policy.
c. Select the URL category: select the online shopping website category defined previously.
d. Select Deny and Audit as the Action.
e. Associate users.
Click Finish to generate the policy.
Note: In an external authentication server environment, select external server users as the user objects.
2. View the configured policy on Advanced Settings.
Note: A policy configured later takes effect before a policy configured earlier: policies are matched from top down, and the later-configured policy is higher in the list.
When a user accesses www.taobao.com, a prompt is displayed indicating that the user is prohibited from accessing this website and needs to contact the website administrator.
If a policy does not take effect, click ? to view the cause of the failure, as shown in the figure below.
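The following added Python example (not Ruijie code) models the evaluation order that the behavior-policy sections above describe: the audit-exempt website policy is checked first and overrides everything, the basic-settings blacklist/whitelist matches by keyword of the primary domain, and the advanced policies are matched top-down with the later-configured policy first. It reproduces the www.360safe.com failure mode from the audit-exemption note, then shows the result after the system upgrade category is removed from the exemption. The category table, the user addresses and the assumption that the basic-settings list is checked before the advanced policies are this example's own, not stated on the page.

```python
"""Model of the behavior-policy evaluation order described above (added example, not Ruijie code).

Known from the page: the audit-exempt website policy has the highest priority, the
basic-settings blacklist/whitelist matches by keyword of the primary domain, and advanced
policies are matched top-down with the later-configured policy taking effect first.
Assumed (not stated on the page): the category table below, and that the basic-settings
list is evaluated before the advanced policies.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the device's built-in URL classifications.
URL_CATEGORIES = {
    "online shopping": {"taobao.com", "jd.com"},
    "system upgrade": {"360safe.com", "windowsupdate.com"},
    "search engine": {"baidu.com", "google.com"},
}


def host_of(url):
    """Hostname of a URL typed with or without a scheme."""
    return urlsplit(url if "://" in url else "http://" + url).hostname.lower()


def keyword_match(host, keyword):
    """Primary-domain keyword also matches its subdomains; the path never matters."""
    keyword = keyword.lower()
    return host == keyword or host.endswith("." + keyword) or keyword in host


def categories_of(host):
    cats = {c for c, domains in URL_CATEGORIES.items() if any(keyword_match(host, d) for d in domains)}
    return cats or {"unknown"}


@dataclass
class Policy:
    name: str
    categories: set
    action: str                  # "deny" or "permit"
    users: set                   # user IP addresses the policy is associated with
    audit: bool = True


@dataclass
class BehaviorEngine:
    # Exemption the page says is auto-delivered: unknown + system upgrade categories.
    exempt_categories: set = field(default_factory=lambda: {"unknown", "system upgrade"})
    exempt_urls: set = field(default_factory=set)        # Audit-Exempt URL entries
    mode: str = "none"                                   # "none", "blacklist" or "whitelist"
    site_list: list = field(default_factory=list)        # keywords for the chosen mode
    policies: list = field(default_factory=list)         # advanced policies, newest first

    def add_policy(self, policy):
        self.policies.insert(0, policy)                  # later-configured policy sits on top

    def evaluate(self, user, url):
        host = host_of(url)
        cats = categories_of(host)
        # 1. Audit exemption wins over everything: no audit and no block.
        if cats & self.exempt_categories or any(keyword_match(host, k) for k in self.exempt_urls):
            return {"action": "permit", "audit": False, "reason": "audit-exempt"}
        # 2. Basic-settings website blacklist / whitelist.
        listed = any(keyword_match(host, k) for k in self.site_list)
        if self.mode == "blacklist" and listed:
            return {"action": "deny", "audit": True, "reason": "website blacklist"}
        if self.mode == "whitelist" and not listed:
            return {"action": "deny", "audit": True, "reason": "not in website whitelist"}
        # 3. Advanced policies, first match from the top.
        for p in self.policies:
            if user in p.users and cats & p.categories:
                return {"action": p.action, "audit": p.audit, "reason": f"policy {p.name}"}
        return {"action": "permit", "audit": True, "reason": "default audit"}


def demo_360safe():
    """The failure mode from the note above, then the CLI fix (exemption removed)."""
    eng = BehaviorEngine()
    eng.add_policy(Policy("block-360safe", {"system upgrade"}, "deny", {"192.168.1.10"}))
    before = eng.evaluate("192.168.1.10", "https://www.360safe.com/update")["action"]
    eng.exempt_categories.discard("system upgrade")      # what the CLI step in the note achieves
    after = eng.evaluate("192.168.1.10", "https://www.360safe.com/update")["action"]
    return before, after


if __name__ == "__main__":
    print(demo_360safe())                                # ('permit', 'deny')
```

The point the model makes explicit is that an exemption is not a neutral "skip audit" flag: because it is evaluated before any deny rule, every category you leave in it is a hole in every blocking policy, so review the auto-delivered exemption whenever a block unexpectedly fails.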
When a large volume of audit records stored on the hard disk leads to insufficient space, or some audit records need to be forcibly deleted, administrators need to clear the audit records.
After you confirm the cleanup operation, the device needs several to dozens of minutes to clear the audit records, and it restarts automatically after the clearing.
To clear content audit records on the device, choose Flow > Behavior Policy > Advanced Settings and click Clear Behavior Policy Record.
Check whether the audit records have been cleared after the device restarts.
1. The EG device serves as the egress and accesses the Internet with a static IP address. The LAN user gateway is configured on the LAN port of the EG device to implement basic Internet access.
2. LAN users' access to HTTPS websites can be audited and blocked.
Note: EG devices running version 11.1(6)B4 and later support HTTPS website domain name filtering and audit. Because the HTTPS payload is encrypted, filtering and audit of HTTPS sites work on the domain name rather than on the full URL.
1. On Basic Settings, use the default audit policy to audit the domain names of HTTPS websites.
2. On Basic Settings, select blacklist mode to block specified websites.
3. On Basic Settings, select whitelist mode to restrict the accessible websites.
4. On Advanced Settings, configure the website blocking/allowing and audit/audit-exemption functions.
Method 1: Enable the HTTPS domain name audit on Basic Settings.
Log in to the Web page of the gateway, choose Flow > Behavior Policy > Basic Settings and select Website and HTTPS Audit under Enable Audit to enable the HTTPS domain name audit.
Method 2: Blacklist websites on Basic Settings.
(1) Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit under Enable Audit to enable the HTTPS website audit.
(2) Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist, and click Blacklist Mode.
(3) Click Select, click the entry box, and select the websites to be blocked.
(4) Click Enter a URL and enter the website to be blocked in the entry box.
Method 3: Whitelist websites on Basic Settings.
(1) Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit under Enable Audit to enable the HTTPS website audit.
(2) Choose Flow > Behavior Policy > Basic Settings, click Website Blacklist/Whitelist and click Whitelist Mode.
(3) Click Select, click the entry box, and select the websites that are allowed.
(4) Click Enter a URL and enter an allowed website in the entry box.
Method 4: Configure HTTPS website blocking/allowing and audit/audit-exemption on Advanced Settings.
(1) Choose Flow > Behavior Policy > Basic Settings and select HTTPS Audit under Enable Audit to enable the HTTPS website audit.
(2) Choose Flow > Behavior Policy > Advanced Settings and click Add Behavior Policy to create a behavior policy.
Alternatively, click an existing behavior policy in the list to modify it.
(3) Click Policy Group to set the name of the policy group.
(4) Click Behavior Policy to add a behavior control policy.
(5) Click User to apply the policy group to users or a user group.
1. Test procedure:
(1) Bind a static IP address to the test PC, or make sure the test PC passes real-time authentication for Internet access.
(2) Use the test PC to access a specified website from a browser.
(3) Choose Flow > Audit Report > Access Audit Report > Website Access Details on the EG device to view the audit content.
2. Test results:
(1) After HTTPS domain name audit is enabled on Basic Settings, the domain names of all HTTPS websites accessed by the user are audited.
(2) HTTPS websites configured in blacklist mode on Basic Settings cannot be accessed.
(3) Only the HTTPS websites configured in whitelist mode on Basic Settings can be accessed.
(4) HTTPS websites blocked on Advanced Settings cannot be accessed.
(5) The behavior audit report displays the access records.
Rate limiting controls the rate of traffic sent or received by a network interface.
Step 1: Enable Flow Control
Step 2: Add a flow control policy:
Use a speed test tool to verify the rate limit setting:
ApplicationScenario
A customerdeploys a server on the LAN and enables the HTTP orother services. The server address is a private address. WAN users can neitheraccess this address directly nor use servicesprovided by the server. In this case, you can enable the port mapping function to allow WAN users toaccess the LAN server.
For example,the server address is 192.168.1.20 and HTTP is enabled. As the server addressis a private address, WAN users cannot directly access the HTTP serviceprovided by the server. In this case, you can map the server address and serverports to a public network address on the EG device so that WAN users can accessthe HTTP service provided by the server.
1. The WAN line is a single 10 Mbps fixed fiber line of China Telecom. The address is 192.168.33.56, subnet mask is 255.255.255.0, WAN gateway is 192.168.33.1, and DNS address is 218.85.157.99.
2. There is a remote desktop server on the LAN. The IP address of the server is 192.168.1.150. If the LAN server needs to be accessed from the WAN, port mapping is required to map the service ports of the LAN server to the public network.
1. Ensure that LAN terminals can access the server normally.
2. The server IP address and gateway are configured, and the server can access the Internet normally.
3. Determine the ports to be mapped on the server, and whether UDP or TCP is required.
4. If there are multiple WAN egresses in the real network environment of a customer (see the topology in Figure 2 above), for example, lines of China Telecom + China Netcom or China Telecom lines, dual-line port mapping needs to be configured on the LAN server. Then, WAN users of different carriers can access the server through their WAN line IP addresses. It is recommended to enable the RPL function on the WAN interfaces.
1. Determine that only TCP port 3389 of the server needs to be mapped.
Choose Network > NAT/Port Mapping > Port Mapping.
a. Mapping Type: Select Port Mapping from the drop-down list, indicating that a port of the LAN server needs to be mapped.
b. Internal IP: Indicates the IP address of the server.
c. Internal Port Range: Indicates the port for the server that is to provide external services.
d. External IP: Indicates the IP address of a WAN port (IP Address is selected when a WAN line is used in a dynamic environment).
e. External Port Range: Indicates the target WAN service port of port mapping.
f. Protocol Type: Indicates the protocol used by the server to provide services.
Note: EG_RGOS11.1(6)B9 and later versions support adding continuous ports in batches. See the figure below.
2. Command generated on the CLI:
ip nat inside source static tcp 192.168.1.150 3389 192.168.33.56 3389 permit-inside
3. For multi-egress network environments of customers, it is recommended to enable the RPL function on the WAN interface.
Select Reverse Path Limited.
Commands generated on the CLI:
interface GigabitEthernet 0/1
ip nat outside
ip address 192.168.33.57 255.255.255.0
reverse-path    //RPL
nexthop 192.168.33.1
1. Click Start and choose Remote Desktop Connection to open the Remote Desktop Connection dialog box. Enter the IP address of the WAN port.
Click Connect. The server login page is displayed.
Application Scenario
A customer deploys a server on the LAN and enables multiple services. The server address is a private IP address. WAN users cannot access services provided by the server by using the server address. If port mapping is enabled, numerous ports will be involved because many services are enabled. In this case, IP mapping can be configured to meet customer requirements.
For example, the server address is 192.168.1.20, and services such as HTTP, FTP, and video streaming media are enabled. WAN users cannot directly access services provided by the server because the server address is a private IP address. In this case, the server IP address can be mapped to a private IP address in IP mapping mode on the EG device, so that WAN users can access the server.
1. The WAN line is a single 10 Mbps fixed fiber line of China Telecom. The address is 192.168.33.56, subnet mask is 255.255.255.0, WAN gateway is 192.168.33.1, and DNS address is 218.85.157.99.
2. There is a remote desktop server on the LAN. The IP address of the server is 192.168.1.150. WAN users can access all services provided by the LAN server.
1. Ensure that LAN terminals can access the server normally.
2. The server IP address and gateway are configured, and LAN users can access the Internet normally through this server.
Note: The EG device does not support the mapping from one private IP address to two different public IP addresses. Only the mapping from one private IP address to one public IP address is supported on one line, and the other line uses port mapping.
1. Confirm that the TCP port 3389 of the server needs to be mapped.
Choose Network > NAT/Port Mapping > Port Mapping.
a. Mapping Type: Select DMZ Host from the drop-down list, indicating that all ports of the LAN server need to be mapped.
b. Internal IP: Indicates the IP address of the server.
c. External IP: Indicates the IP address of a WAN port (IP Address is selected when a WAN line is used in a dynamic environment).
2. Commands generated on the CLI:
ip nat inside source static 192.168.1.150 192.168.33.56 permit-inside
1. Click Start and choose Remote Desktop Connection to open the Remote Desktop Connection dialog box. Enter the IP address of the WAN port.
Click Connect. The server login page is displayed.
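Both mapping types described above (Port Mapping, including the batch add of continuous ports available in EG_RGOS11.1(6)B9 and later, and DMZ Host) end up as `ip nat inside source static` commands. The following Python is an added example, not Ruijie code, that builds those command lines from the Web form fields, validates the fields before generating anything, and checks the note above that one private IP address cannot be IP-mapped to two different public IP addresses. The function names, the RFC 1918 check on the Internal IP and the second WAN address used to provoke a conflict are assumptions of this example; the CLI syntax is the one shown on this page.

```python
import ipaddress

# RFC 1918 ranges: the Internal IP of a mapping is expected to be a LAN address
# (an assumption of this example, not a rule enforced by the EG Web page).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

STATIC_PREFIX = "ip nat inside source static"


def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def port_mapping_cmds(internal_ip, internal_ports, external_ip, external_ports,
                      proto, permit_inside=True):
    """Port Mapping type: one CLI line per port, mirroring the Web fields
    Internal IP, Internal Port Range, External IP, External Port Range and
    Protocol Type. Ranges are inclusive (first, last) tuples; a range wider
    than one port models the batch add of continuous ports."""
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError("Protocol Type must be tcp or udp")
    if not is_private(internal_ip):
        raise ValueError(f"Internal IP {internal_ip} is not a LAN address")
    ipaddress.ip_address(external_ip)          # raises on a malformed address
    i_first, i_last = internal_ports
    e_first, e_last = external_ports
    for p in (i_first, i_last, e_first, e_last):
        if not 1 <= p <= 65535:
            raise ValueError(f"port {p} out of range")
    if i_last < i_first or e_last < e_first:
        raise ValueError("port range must be ascending")
    if i_last - i_first != e_last - e_first:
        raise ValueError("Internal and External Port Range must be the same size")
    suffix = " permit-inside" if permit_inside else ""
    return [f"{STATIC_PREFIX} {proto} {internal_ip} {i_first + k} "
            f"{external_ip} {e_first + k}{suffix}"
            for k in range(i_last - i_first + 1)]


def dmz_host_cmd(internal_ip, external_ip, permit_inside=True):
    """DMZ Host type: all ports of the LAN server mapped to one WAN address."""
    if not is_private(internal_ip):
        raise ValueError(f"Internal IP {internal_ip} is not a LAN address")
    ipaddress.ip_address(external_ip)
    suffix = " permit-inside" if permit_inside else ""
    return f"{STATIC_PREFIX} {internal_ip} {external_ip}{suffix}"


def ip_mapping_conflicts(cmds):
    """Apply the page's note: one private IP address cannot be IP-mapped to
    two different public IP addresses. Returns a list of
    (internal_ip, first_external, conflicting_external) tuples."""
    seen, conflicts = {}, []
    for cmd in cmds:
        parts = cmd.split()
        # the DMZ form has no protocol keyword after "static"
        if parts[:5] != STATIC_PREFIX.split() or parts[5] in ("tcp", "udp"):
            continue
        inside, outside = parts[5], parts[6]
        if inside in seen and seen[inside] != outside:
            conflicts.append((inside, seen[inside], outside))
        seen.setdefault(inside, outside)
    return conflicts


if __name__ == "__main__":
    # Constructed inputs reusing the addresses from the scenarios above.
    for line in port_mapping_cmds("192.168.1.150", (3389, 3389),
                                  "192.168.33.56", (3389, 3389), "tcp"):
        print(line)
    for line in port_mapping_cmds("192.168.1.20", (8000, 8003),
                                  "192.168.33.56", (8000, 8003), "tcp"):
        print(line)
    print(dmz_host_cmd("192.168.1.150", "192.168.33.56"))
    print(ip_mapping_conflicts([
        dmz_host_cmd("192.168.1.150", "192.168.33.56"),
        dmz_host_cmd("192.168.1.150", "192.168.34.56"),  # constructed second WAN line
    ]))
```

Generating the lines from the form fields makes the size mismatch between Internal Port Range and External Port Range, or a non-LAN Internal IP, fail before anything reaches the device, and the conflict check catches the one-private-to-two-public case that the note says the EG device rejects.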
The HQ and branch routers use static IP addresses. The HQ router needs to verify the IP address of the branch router.
1. Configure router A in the HQ as the IPsec server.
2. Configure router B in the branch as the IPsec client.
3. Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:
Authentication mode: preshared key, with the key set to ruijie.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
1. Configure router B in the branch.
(1) Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.
(2) Configure IPsec for router B in the branch.
Choose Network > VPN and click Configure. Select Branch, and click Next.
Configure basic branch information.
Note: Only interfaces configured with the nexthop x.x.x.x command are displayed in the interface list (after the wizard-based setup is completed on the Web page, this command is configured on the WAN interface of the CLI by default).
The dialer interface can be configured on the Web page.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
2. Configure router A in the HQ.
(1) Complete wizard-based setup to implement basic Internet access service of the HQ router.
(2) Configure IPsec for router A in the HQ.
Choose Network > VPN and click Configure. Select Headquarter, and click Next.
Select Branch, andclick Next.
Select IPsec, and click Next.
Configure the IPsec VPN, and click Next.
The IPsec VPN configuration is complete.
Choose Network > VPN, and click the Topo tab to view the configuration.
Configuration of the HQ router:
Configuration of the branch router:
Check whether the routers in the HQ and branch can access each other.
Notes
1. When the Internet access service is configured via wizard-based setup on the Web of the EG device, IPsec VPN can be configured only after the next hop address is configured on the interface configuration page in the wizard-based setup. If no next hop address is configured for an interface, the interface cannot be selected during VPN configuration.
2. After a VPN is configured, the device automatically delivers AAA configuration (the system prompts you to enter the username and password during device login, and the telnet password needs to be reconfigured).
3. Close the browser after clearing the VPN configuration for the clearing operation to take effect. Otherwise, the system retains the previous VPN configuration.
4. When a WAN port receives an IPsec request but no traffic of interest is configured on the device, the error "Failed to find map" may occur. This error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist. The error does not affect network data forwarding or management; it is informational and useful for network management. An ACL can be configured to filter out requests from undesired IPsec-compliant devices connected to the EG device.
5. Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI, especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.
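Two of the checks a practitioner wants before bringing up the tunnel above are that the parameters listed under "Keep parameter settings at both ends consistent" really are identical on router A and router B, and that nothing configured on the CLI uses the ACL numbers the notes say the Web modules reserve (110, 199, 197, 2397, 198). The following Python is an added example, not Ruijie code, that performs both checks on data you supply: a dict of parameters per end, and a CLI snippet. The parameter names, the regular expressions for numbered ACL definitions and `match address` references, and the sample CLI lines are assumptions of this example, not RGOS syntax taken from the page.

```python
import re

# ACL numbers the page says Web modules reserve (VPN, ARP guard, VWAN).
WEB_MODULE_ACLS = {110: "VPN", 199: "VPN", 197: "ARP guard",
                   2397: "ARP guard", 198: "VWAN"}

# Parameters that must match at both tunnel ends (from the scenario above).
TUNNEL_PARAMS = ("auth_mode", "preshared_key", "ike_algorithm", "dh_group",
                 "ipsec_scheme")


def compare_tunnel_ends(hq, branch):
    """Return the names of parameters whose values differ between HQ and
    branch. The preshared key is compared but its value is never returned,
    so the report can be shared without leaking it."""
    return [p for p in TUNNEL_PARAMS if hq.get(p) != branch.get(p)]


# Assumed CLI patterns: numbered ACL definitions and crypto-map references.
ACL_DEF = re.compile(r"^\s*(?:ip\s+)?access-list\s+(?:extended\s+|standard\s+)?(\d+)\b")
ACL_REF = re.compile(r"^\s*match\s+address\s+(\d+)\b")


def reserved_acl_hits(cli_text):
    """Scan a CLI snippet for ACL numbers reserved by Web modules.
    Returns (line_no, acl_number, module, line) tuples."""
    hits = []
    for n, line in enumerate(cli_text.splitlines(), 1):
        m = ACL_DEF.match(line) or ACL_REF.match(line)
        if m and int(m.group(1)) in WEB_MODULE_ACLS:
            acl = int(m.group(1))
            hits.append((n, acl, WEB_MODULE_ACLS[acl], line.strip()))
    return hits


if __name__ == "__main__":
    hq = dict(auth_mode="preshared", preshared_key="ruijie",
              ike_algorithm="3DES-MD5", dh_group="DH2",
              ipsec_scheme="ESP(3DES-MD5)")
    branch = dict(hq, dh_group="DH5")   # constructed mismatch
    print("mismatched parameters:", compare_tunnel_ends(hq, branch))
    sample = (  # constructed CLI snippet, not taken from the page
        "ip access-list extended 199\n"
        " permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
        "crypto map Gi0/6 20 ipsec-isakmp\n"
        " match address 101\n"
    )
    for hit in reserved_acl_hits(sample):
        print("reserved ACL in use:", hit)
```

Run the parameter comparison from the values you intend to type into both wizards; a non-empty list means phase 1 or phase 2 negotiation will fail. Run the ACL scan over any hand-written CLI before the Web VPN wizard is used, since the notes say ACEs the VPN module needs will otherwise fail to be configured.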
The HQ router uses a dynamic IP address and the branch router accesses the HQ router by using the domain name in dialup mode.
1. Configure router A in the HQ as the IPsec server.
2. Configure router B in the branch as the IPsec client.
3. Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:
Authentication mode: preshared key, with the key set to ruijie.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
1. Configure router B in the branch.
The Web page does not support dynamic domain names. Therefore, complete configuration on the Web page and then perform modification on the CLI.
(1) Complete wizard-based setup to meet basic Internet access requirements of users in the HQ and branch. If the users can access the Internet, check whether the next hop address is configured for the WAN interface.
(2) Choose Network > VPN and click Configure. Select Branch, and click Next.
(3) Configure basic IPsec information, and click Next.
(4) Click Finish.
On the CLI, change the public IP address of the HQ router to a dynamic domain name:
branch(config)#no crypto isakmp key 0 ruijie address 192.168.2.1
branch(config)#crypto isakmp key 0 ruijie hostname ruijie.xicp.net
branch(config)#crypto map Gi0/6 20 ipsec-isakmp
branch(config-crypto-map)#no set peer 192.168.2.1
branch(config-crypto-map)#set peer ruijie.xicp.net
2. Configure router A in the HQ.
On the interface configuration page, click a WAN interface to configure it. Dynamic IP addresses can be allocated in DHCP mode or obtained in dialup mode.
Choose Network > VPN and click Configure. Select Headquarter, and click Next.
Select Branch, and click Next.
Select IPsec, and click Next.
Configure IPsec basic information, and click Next.
Click Finish.
Choose Network > VPN, and click the Topo tab to view the configuration.
Configuration of the HQ router:
Configuration of the branch router:
Check whether the HQ router and branch router can access each other.
Notes (Optional)
1. On the Web page, IPsec supports only peer IP addresses and does not support domain names. IPsec using domain names needs to be configured on the CLI.
2. When a WAN port receives an IPsec request but no traffic of interest is configured on the device, the error "Failed to find map" may occur. This error is generated because packets from IPsec port 500 are sent to the CPU when the IPsec map does not exist. The error does not affect network data forwarding or management; it is informational and useful for network management. An ACL can be configured to filter out requests from undesired IPsec-compliant devices connected to the EG device.
3. Some Web modules use specific ACLs. For example, the VPN module uses ACL 110 and ACL 199, the ARP guard module uses ACL 197 and ACL 2397, and the VWAN module uses ACL 198. Therefore, do not use these ACLs on the CLI, especially ACL 199, which prohibits policy configuration on the CLI. Otherwise, ACEs required by the VPN module fail to be configured on the Web page.
The HQ router is deployed on the LAN, mapping is configured on the egress of the LAN, and users in the branch access the HQ router in dialup mode.
1. Configure the LAN gateway router A in the HQ as the IPsec server.
2. Configure router B in the branch as the IPsec client.
3. Keep parameter settings at both ends consistent. The parameter settings in this case are as follows:
Authentication mode: preshared key, with the key set to ruijie.
IKE algorithm: 3DES-MD5, DH2
IPsec negotiation scheme: ESP(3DES-MD5)
4. Configure NAT mapping on the outermost egress of the HQ and establish an IPsec connection on the LAN gateway.
1. Ensure that basic configuration on the EG device and routers in both the HQ and branch is normal, and LAN users at both ends can access the WAN.
2. Configure router B in the branch.
Choose Network > VPN and click Configure. Select Branch, and click Next.
Configure an IPsec policy, set the public IP address of the HQ router to the IP address obtained after NAT, and click Next.
Click Finish.
3. Configure router A in the HQ.
Configure IPsec on the LAN EG device.
(1) Choose Network > VPN and click Configure. Select Headquarter, and click Next.
(2) Select Branch, and click Next.
(3) Select IPsec, and click Next.
(4) Configure IPsec basic information, and click Next.
(5) Click Finish.
4. IPsec uses UDP ports 500 and 4500. Map UDP ports 500 and 4500 on the egress of the HQ respectively to UDP ports 500 and 4500 of the LAN EG device.
(1) Map UDP port 500.
ip nat inside source static udp 10.0.0.1 500 1.1.1.1 500
(2) Map UDP port 4500.
ip nat inside source static udp 10.0.0.1 4500 1.1.1.1 4500
Choose Network > VPN, and click the Topo tab to view the configuration.
Configuration of the HQ router:
Configuration of the branch router:
Check whether the HQ router and branch router can access each other.
1. LAN users access the Internet through the EG device.
2. The WAN bandwidth is 10 Mbps, the address of the WAN port is 192.168.33.56/24, the address of the WAN gateway is 192.168.33.1, and the addresses of LAN ports are in the 192.168.1.1/24 network segment.
3. LAN users can access the WAN only after succeeding in identity authentication.
4. The EG device of RGOS10.3 (4B8) and later versions support subinterface Web authentication. The configuration method is the same as that of common Web authentication.
5. Internal Web authentication allows users to proactively add the go-offline page to favorites and modify passwords. It also supports the following functions: forbidding users from accessing the Internet (blocking user accounts) and kicking users offline.
Note: The IP addresses above are used in a simulated environment and are not provided by carriers.
1. Perform wizard-based setup to ensure that LAN users can successfully access the WAN.
2. Select the internal Web authentication server function in the real-name Internet access policy.
Notes:
1. If advertisement push is enabled, the entered advertisement address cannot contain the character "?".
2. If Web authentication is enabled and port mapping is configured, the LAN server IP address used for port mapping needs to be added to the authentication-exempt IP address list. Otherwise, port mapping will fail.
3. After Web authentication is enabled, the remote login password (that is, telnet password) needs to be changed.
Auxiliary information:
1. The Web authentication function of the EG device allows the Dynamic Host Configuration Protocol (DHCP), DNS, and Address Resolution Protocol (ARP) traffic to pass by default, without a need of additional settings.
2. When you log in to the EG device in telnet mode with Web authentication enabled, if you enter a wrong username or password for more than 3 consecutive times for the EG device of RGOS4B8 or 50 consecutive times for the EG device of RGOS4B10, the account will be locked. The account will be unlocked after 15 hours by default and then you can log in with the account again. It is recommended that you run the following commands to modify the two parameters after configuring Web authentication:
Ruijie(config)#aaa local authentication lockout-time 1 //Unlock an account 1 hour after the account is locked
Ruijie(config)#aaa local authentication attempts 10 //Set the allowable login attempts to 10
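The two commands above trade off resistance to password guessing against the risk that a burst of wrong passwords locks out the legitimate operator. The following Python is an added example, not device code, that models a consecutive-failure lockout policy over a constructed sequence of telnet login attempts, so the defaults quoted above (3 or 50 attempts, 15 hours) can be compared with the recommended 10 attempts and 1 hour. The event format, the rule that the lock starts on the first failure after the allowed count ("more than N times"), the reset on success and the expiry handling are assumptions of this model, not a description of the RGOS implementation.

```python
# Constructed login events: (time in hours, username, password_correct).
# Twelve wrong passwords one minute apart, then the real operator logs in
# at 0.5 h and again at 2 h.
CONSTRUCTED_EVENTS = (
    [(k / 60, "admin", False) for k in range(12)]
    + [(0.5, "admin", True), (2.0, "admin", True)]
)

# Policies from the note above plus the recommended one (assumed mapping).
POLICIES = {
    "RGOS4B8 default (3 attempts, 15 h)": (3, 15),
    "RGOS4B10 default (50 attempts, 15 h)": (50, 15),
    "recommended (10 attempts, 1 h)": (10, 1),
}


def simulate_lockout(events, allowed_attempts, lockout_hours):
    """Replay login events under a lockout policy.

    Model assumptions: a lock starts on the first failure after
    `allowed_attempts` consecutive failures, lasts `lockout_hours`, and a
    successful login resets the failure counter. Returns one
    (time, user, password_correct, outcome) per event, where outcome is
    "accepted", "rejected", "rejected, account locked" or "locked".
    """
    failures = {}       # user -> consecutive failures so far
    locked_until = {}   # user -> time (hours) when the lock expires
    out = []
    for t, user, ok in sorted(events, key=lambda e: e[0]):
        if user in locked_until:
            if t < locked_until[user]:
                out.append((t, user, ok, "locked"))
                continue
            del locked_until[user]      # lock expired, start fresh
            failures[user] = 0
        if ok:
            failures[user] = 0
            out.append((t, user, ok, "accepted"))
            continue
        failures[user] = failures.get(user, 0) + 1
        if failures[user] > allowed_attempts:
            locked_until[user] = t + lockout_hours
            failures[user] = 0
            out.append((t, user, ok, "rejected, account locked"))
        else:
            out.append((t, user, ok, "rejected"))
    return out


def operator_shut_out(results, user):
    """True if a correct login by `user` was refused because of a lock, i.e.
    the policy turned a password-guessing burst into a denial of service
    against the legitimate account."""
    return any(u == user and ok and outcome == "locked"
               for _, u, ok, outcome in results)


if __name__ == "__main__":
    for name, (attempts, hours) in POLICIES.items():
        results = simulate_lockout(CONSTRUCTED_EVENTS, attempts, hours)
        summary = {}
        for *_, outcome in results:
            summary[outcome] = summary.get(outcome, 0) + 1
        print(f"{name}: {summary}, operator shut out: "
              f"{operator_shut_out(results, 'admin')}")
```

With the constructed burst, the 50-attempt default never locks at all, the 3-attempt default with a 15-hour lock refuses both legitimate logins, and the recommended 10 attempts with a 1-hour lock stops the burst after the 11th failure while the operator's 2 h login succeeds. That is the balance the recommended commands aim for: the lock still triggers, but it expires before it becomes an outage.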
Choose User > Auth and click Internal Portal Auth on the Web Auth tab page to enable the internal authentication function, as shown in the figure below.
a. Internal Portal Auth: Refers to the internal authentication server of the EG device.
b. Auth Mode: A user needs to be authenticated before accessing the Internet. Specify the server matching priority for authentication information here.
c. Advertising Mode: Ruijie EG device provides the advertisement push function; for example, a hotel can use this function to push the hotel homepage to guests and promote the hotel brand. You can also set the mode to No AD, Display AD Before Auth, or Display AD After Auth.
Add a user to be authenticated: Click a user group in the user organization structure on the left, add a user (IP range) to the user group, and configure the username and password, as shown in the figure below.
A user added successfully is displayed in the user list, as shown in the figure below.
The user configuration method on the CLI is as follows:
#Add a user named ruijie under the root directory, set the password to 111, and configure the account to use only Web authentication.
Ruijie(config)# subscriber static name "ruijie" parent "/" password 111
Ruijie(config)# subscriber allow "ruijie" privilege webauth
If you select Allow Internal Web Auth User Password Change when configuring a username and password, the Change Password option is displayed after Web authentication is successful.
After the configuration is complete, the authentication page is displayed when a user browses a Web page for the first time.
Enter the correct username and password and click Login. The authentication success page is displayed.
Voucher authentication on Ruijie Cloud allows you to charge users for wireless network access using access codes. Concurrent users, time period and data quota limit can be customized and offered to your guests.
With EG and Ruijie Cloud integration, the voucher data can be synchronized from Cloud to the local EG device. The authentication process will be accelerated significantly.
Step 1: Log in to Ruijie Cloud and create the voucher package.
Step 2: Print the voucher on Ruijie Cloud.
Step 3: Enable open authentication on the AP connected to the EG.
Step 4: Enable local authentication on the EG.
Step 5: Enable authentication integration with Cloud on the EG.
Step 6: Add the authentication IP range for voucher authentication on the EG.
Connect to the SSID and the authentication page will pop up.
Resource cache refers to synchronizing resources from the specified server to a device. Afterwards, users can get the resource directly from the device without crossing the WAN.
Resource cache can reduce bandwidth usage and save users from waiting for access.
Step 1: Enable the cache function; the device will be restarted:
Step 2: Enable resource cache:
Step 3: Paste the download link of the resource into “Resources Address1”:
Step 4: Check the cache file:
Download the file via browser:
The file is downloaded within the LAN.