Ruijie Reyee RG-NBR Series Routers Web-Based Configuration Guide, RGOS 11.9 (6) B15 (V1.1)

Ruijie Reyee RG-NBR Series Routers
RGOS 11.9(6)B15
Web-based Configuration Guide
Document Version: V1.1

Date: February 21, 2023
Copyright © 2023 Ruijie Networks
Copyright
Copyright © 2023 Ruijie Networks
All rights are reserved in this document and this statement.
Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document
or any portion of this document, in any form or by any means, is prohibited without the prior written consent of
Ruijie Networks.
Trademarks including , , are owned

by Ruijie Networks.
All other trademarks or registered trademarks mentioned in this document are owned by their respective owners.
Disclaimer
The products, services, or features you purchase are subject to commercial contracts and terms. Some or all of
the products, services, or features described in this document may not be within the scope of your purchase or
use. Unless otherwise agreed in the contract, Ruijie Networks does not make any express or implied statement
or guarantee for the content of this document.
The content of this document will be updated from time to time due to product version upgrades or other reasons.
Ruijie Networks reserves the right to modify the content of the document without any notice or prompt.
This manual is for reference only. Ruijie Networks endeavors to ensure content accuracy and will not shoulder
any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
I
Preface
Intended Audience
This document is intended for:
 Network engineers
 Technical support and servicing engineers
 Network administrators
Technical Support
 The official website of Reyee: https://www.ireyee.com/
 Technical Support Website: https://www.ruijienetworks.com/support
 Case Portal: https://caseportal.ruijienetworks.com
 Community: https://community.ruijienetworks.com
 Technical Support Email: [email protected]
Conventions
1. GUI Symbols
Interface
Description Example
symbol
1. Button names
1. Click OK.
2. Window names, tab name, field name and
Boldface 2. Select Config Wizard.
menu items
3. Click the Download File link.
3. Link
> Multi-level menus items Choose System > Time.
2. Signs
The signs used in this document are described as follows:
Danger
An alert that calls attention to safety operation instructions that if not understood or followed when operating
the device can result in physical injury.
Warning
An alert that calls attention to important rules and information that if not understood or followed can result in
data loss or equipment damage.
Caution
An alert that calls attention to essential information that if not understood or followed can result in function
failure or performance degradation.
I
Note
An alert that contains additional or supplementary information that if not understood or followed will not lead to
serious consequences.
Specification
An alert that contains a description of product or version support.
3. Note
This manual introduces the features of the product and offers guidance on configuration and testing.
II
Web-based Configuration Guide Product Overview
1 Product Overview
RG-NBR-E series enterprise-class routers are multi-service integrated routers tailored by Ruijie Reyee for
integrated scenarios such as office, hotel, restaurant, entertainment, and scenic spot. RG-NBR-E series
enterprise-class routers support many functions such as service acceleration channel, precise flow control,
network access behavior management, VPN total-division interconnection, and intelligent routing, and support
connection to Ruijie cloud platform (MACC free cloud platform) for remote cloud O&M and central management,
which can well meet the integrated network needs of scenarios such as office, hotel, restaurant, entertainment,
and scenic spot.
RG-NBR-E series enterprise-class routers support the web management GUI. The web management system
can be used to configure and manage the common functions of the devices.
3
Web-based Configuration Guide Device for Login
2 Device for Login

You can access the management IP address of the NBR-E enterprise-class device through the client (PC or
mobile terminal device) for access to the web management system for device configuration and management.
2.1 Configuration Environment Requirements

The client (PC or mobile terminal) used for login to the web management system must meet the following
environmental requirements:
 Browsers: Google Chrome, Internet Explorer 9.0, Internet Explorer 10.0, Internet Explorer 11.0, and some
Google/Internet Explorer kernel-based browsers (for example, 360 Security Browser (recommended mode:
Extreme)) are supported. If you log in to the web management system using other browsers, exceptions such
as garbled characters or formatting errors may occur.
 Resolution: The recommended resolution specifications are 1024 x 768, 1280 x 1024, 1440 x 960, and 1600
x 900. At other resolutions, the fonts and formats may be out of alignment or not aesthetically pleasing.
2.2 Default Configurations
Table 2-1 Default web configurations
Function Item Default Value
After initial configuration or restoration to factory settings, the default web

Device IP management address is http://192.168.1.1.
If HTTPS is used, the initial management address is
https://192.168.1.1:4430.
User name/Password admin/admin
Port Gi0/0 port for connecting the PC to the device in router mode.
2.3 Login to the Web Management System Using a PC

2.3.1 Device Connection
To access the management page for router configuration, establish a network connection between the
management client and the device.
Figure 2-1shows the connection between the device and the client.
4
Figure 2-1 Connection diagram
NBR-E
Switch at the access layer
Client
2.3.2 Management Client IP Address Configuration
Configure an IP address for the management client that is in the same network segment as the default IP address
of the device (default IP address of the device: 192.168.1.1; subnet mask: 255.255.255.0) so that the
management client can access the device. For example, set the IP address of the management client to
192.168.1.200.
2.3.3 Login to the Web Management System
Prerequisites
Both the web management upgrade package of the NBR series device (the web.gz package exists on the device)
and the NGX environment for web operation have been verified for web management. Otherwise, the web
management page is not displayed. The files and environment have been installed by default on the device. If
they are not installed, perform installation according to the methods mentioned in the user guide.
Procedure
(1) Open a browser, enter the IP address of the device (192.168.1.1 by default) in the address box, and press
Enter. The login page is displayed.
5
On the login page:
 If you forget your user name or password, click Forgot password?
 If customer service assistance is required, click Online Service at the bottom of the page to contact our
customer service online.
(2) Enter the user name and password and click Log In. The home page of the web management system is
displayed.
Follow-up Procedure
 For device security, you are recommended to change the default password upon your first login to the web
management system.
 If you forget the IP address or password, you can press and hold the reset button on the device panel for
more than 5s when the device is powered on to restore the device to factory settings. You can use the default
6
IP address and password for login after restoration.
Caution
Exercise with caution. If restoration to factory settings is performed, the existing configurations will be deleted,
and you need to re-configure information next time you log in to the device.
2.4 Main Page of the Web Management System

The following figure shows the main page of the web management system.
2.4.1 Title Area
This area provides links to some commonly used functions for you to quickly access the corresponding setup
pages, including Config Wizard, Detect New Network, Online Service, and Log Out.
Function Item Description Reference Chapter/Section
Wizard-based configurations are provided.

Config Wizard You can click it for quick device access to the 3.1 Quick Configuration
network.
You can click it to complete integrated

3.2 Reyee Integrated
Detect New Network configuration when a new device is
Configuration
connected to the networking environment.
7
Function Item Description Reference Chapter/Section
You can click it to contact our online customer

Online Service service for consultation in case of problems N/A
during use.
After completing related operations, you can

Log Out click it to exit the current page. The login N/A
page is displayed.
2.4.2 Menu Navigation Area
The NBR menu navigation area is displayed on the left of the main page of the web management system, where
all NBR function menu items are listed. After you choose a menu item in the navigation tree on the left, the
detailed setup page is displayed in the main operating area.
The system uses a two-level menu structure. After you choose a function menu item in the navigation tree, the
corresponding sub-item menu is displayed. For example, after you choose Behavior in the navigation tree, the
sub-item menu corresponding to the function category is displayed, as shown in the following figure.
2.4.3 Main Operating Area
You can complete NBR function configurations in this area. After you choose a menu item in the navigation tree
on the left or click a shortcut function item on the top, the corresponding detailed setup page is displayed in the
main operating area.
8
2.4.4 Status Area
In this area, the device model and version are displayed on the left, and the technical forum website link and
technical support contact information are displayed on the right. You can contact our customer service for
assistance in case of problems during use through the two contact channels.
You can click the RITA icon added in the lower right corner for consultation.
9
Web-based Configuration Guide Quick Configuration
3 Quick Configuration
3.1 Quick Configuration
Application Scenario
The device is in the empty configuration state upon your first login to the web management page. To simplify
configuration, you are recommended to set the common functions of the device according to the corresponding
wizard.
Note
 If this function is not required, click Exit to directly access the web management page. In this case, the
device is in the empty configuration state. (Not recommended; Quick configuration is required. Otherwise,
function exceptions such as flow control and default routing may occur even for the device to be
upgraded to this version from an old version.)
 You can also click Config Wizard in the upper right corner of the main page of the web management
system for quick configuration.
Prerequisites
 This function is supported only in router mode.
 The device has been connected to the power supply, and the WAN port of the device has been connected to
the upper-level device with a network cable, or directly connected to the home network cable.
 The network access mode has been configured according to the requirements of the local network carrier.
10
Otherwise, the setup may fail, resulting in network access failure. You are recommended to contact the local
network carrier to verify the network access method (dynamic IP address/PPPoE(ADSL)/static IP address).
○ If PPPoE(ADSL) is used, the corresponding broadband account and password are required.
○ If the static IP address method is used, the corresponding IP address, subnet mask, router, and DNS are
required.
Procedure
Complete related configurations according to the wizard.
(1) Reset the administrator password.
(2) Configure the interface and click Next.
(3) Wait for the system to automatically deliver the configurations.
The system automatically delivers the configurations.
11
Follow-up Procedure
(1) Click Interface for interface configuration.
Interface configuration is the key configuration for intranet access. Correct port information configuration ensures
normal intranet access.
 Intranet port configuration: Select the intranet port to be configured, and set IP Address and Submask in
the area below.
12
 Extranet port configuration: select the extranet port to be configured, and set the client IP address allocation
method, bandwidth information, line type, and other information in sequence.
○ If you set the client network access method to Static IP, set the IP address of the carrier/intranet, subnet
mask, and router, as shown in the following figure.
○ Set the client network access method to PPPoE(ADSL) if an ADSL line is applied for from the carrier,
and configure related information, as shown in the following figure.
○ If you set the client network access method to DHCP, no additional configuration is required.
Note
You can click Advanced Settings to set the upstream/downstream bandwidth of the line. Be sure to set
bandwidth information correctly according to the actual bandwidth applied for from the carrier so that the
device can manage the bandwidth for you in a better and more intelligent way.
13
(2) Click . In this case, you can manage the network operation status on the web management page.
3.2 Reyee Integrated Configuration

You can click Detect New Network to complete integrated configuration when a new device is connected to the
networking environment.
Procedure
(1) Click Detect New Network on the top of the page. The current networking information is displayed on the
displayed page.
(2) Click Start Config and configure port information as prompted.
14
(3) Click Create Project and Connect to Network. The system delivers configuration information.
(4) Check the system prompt. A prompt indicating successful configuration is displayed after the configurations
are completed.
15
Note
If you change the IP address of the interface, you need to re-enter the new IP address in the address box of
the browser for access to the web management system.
16
Web-based Configuration Guide Home
4 Home
4.1 Dashboard
The Dashboard page is automatically displayed upon login to the web management page or after you choose
in the menu area.
It is easy for you to view the device CPU, memory, and hard disk usage, number of online users, system version,
current system time, and other information on this page. By analyzing the traffic trend, and bandwidth usage of
the top 10 applications by traffic, top 10 applications by traffic, top 10 users by traffic, and top 10 users by number
of sessions of the current day, you can view the current status of intranet traffic in an all-round way, and
troubleshoot common network problems on this page and solve them quickly.
4.1.1 Interface Info
On the top of the Dashboard page, interface information is displayed. Click an interface. The basic information
about the interface, including the interface type and IP address, is displayed.
4.1.2 Device Info
On the top of the Dashboard page, the current device memory/CPU usage, number of online users, system
version, system time, and other information are displayed.
17
Parameter Description
CPU usage of the current device, where it is easy for you to find out the operation
CPU Usage
status of the device.
Memory usage of the current device, where it is convenient for you to find out the
Memory Usage
device memory usage.
Online Users Total number of online users of the current device.
Current system time.
If the current system time is incorrect or time resetting is required, you can
choose Advanced>System>System Time for resetting.
When the difference between the device time and the management PC time is 1
System Time hour, an alarm icon is displayed next to System Time. You can click this icon to
access the system time configuration page.
Click it to view the system startup time, running time, hardware version, software
Details
version, and other information.
4.1.3 Bandwidth Status
The system bandwidth status is displayed on the Dashboard page, where it is easy for you to view the current
device's traffic trend graph for the last hour, and bandwidth usage of the top 10 applications by traffic, top 10
applications by traffic, top 10 users by traffic, and top 10 users by number of sessions of the current day.
 Traffic trend graph for the last hour
○ In the traffic trend graph, the yellow curve indicates the trend of "traffic before flow control/suppression"
and the blue curve indicates the trend of the actual passed traffic after flow control/suppression.
○ You can set and to view the upstream/downstream

traffic trend of all interfaces.
○ Mouse over a point on the traffic trend curve to view "traffic before flow control/suppression" and "passed
18
traffic".
○ You can click to hide the curve for the trend of "traffic before flow
control/suppression" and click to hide that for the trend of "passed traffic".
 Bandwidth usage of the top 10 applications by traffic
The ratio of the top 10 applications by real-time traffic to the total bandwidth is shown in a graph.
 Top 10 applications by traffic of the current day
○ The top 10 applications by traffic are displayed in the table. You can click Details to view the application
traffic details.
○ You can set to view the top 10 applications by upstream/downstream traffic for
the last 10 minutes.
○ You can set to view the top 10 applications by traffic of specified interfaces.
 Top 10 users by traffic
19
The table shows the top 10 users by traffic.
 Top 10 users by number of sessions of the current day
○ The top 10 users by number of sessions are displayed in the table shown in the preceding figure.
○ You can set to view the top 10 applications by number of sessions of specified
interfaces.
4.2 Service
You can disable the functions that are not used frequently on this page.
A disabled function will not run in the background or be automatically started upon system startup. The
corresponding web page will not be displayed.
Procedure
(1) Choose Home>Service.
(2) Click Disable in the Action column corresponding to the function to be disabled.
(3) In the window where a prompt is displayed, click OK.
20
Follow-up Procedure
Click Enable to re-enable the corresponding function.
4.3 Interface Status

Procedure
Choose Home>Interface Status to view the status information about each interface, including the IP address,
rate, DNS, and connection status.
Note
If an interface does not support IPv6, its IPv6-related information is not displayed.
21
Web-based Configuration Guide Behavior Management
5 Behavior Management
5.1 Traffic Monitoring
5.1.1 Introduction
The Traffic Monitoring module is used to view the current network traffic usage and perform intelligent analysis
on specific applications.
5.1.2 Real-Time Traffic
1. Overview
You can perform this operation to view the real-time monitoring data.
Procedure
(1) Choose Flow > Traffic Monitoring > Real-Time Traffic.
(2) Select a data refreshing frequency.
22
You can select to refresh the current device traffic information once every 10s, 30s, or every minute, or manually
refresh the information.
(3) You can switch among tabs to view device traffic statistics
by interface, application, or user.
(4) You can select an interface from the drop-down list to view the traffic information of
a specific interface, or select All Interfaces to view the total traffic of all interfaces.
(5) Time Span indicates the statistical time period of the displayed traffic information. means that
the current traffic information is displayed.
(6) Click to access the Advanced Search window, in which you can view the traffic,
number of online users, and number of sessions.
23
 View traffic details: You can view the current traffic or the traffic within a time span of an interface by user, IP
address, or application.
a Select Traffic, and then select a query filter from the drop-down list of Name. Then, in the text box on
the right, select the app scope or user scope you want to query from the displayed app tree or user tree.
b Select an option from the drop-down list of Interface and click . The query results are
displayed.
24
 View details of online users: You can view the number of currently online users or online users within a time
span of an interface.
a Select Online Users and then select the interface you want to query.
c Click . The following query results are displayed.
 View details of sessions: You can view the number of current sessions or sessions within a time span of an
interface.
a Select Sessions and then select the interface you want to query.
d Click . The following query results are displayed.
25
2. Interface Traffic Analysis
This function allows you to make statistics on, control, and analyze bandwidth usage by interface to improve the
traffic usage values. Click on the Real-Time Traffic tab page. The following information is
displayed:
Interface Traffic Information Overview
The first part of the page displays the traffic information of a specified interface. When All Interfaces is selected,
the total traffic of all interface and the traffic of each interface are displayed.
According to the traffic information displayed in the figure above, you can check whether the current traffic is
normal (whether any alarm occurs). If the traffic is too high, a yellow alarm occurs, which helps you
quickly locate the bandwidth problem.
26
Note
Condition for triggering the yellow alarm: When the total traffic is over 95% of the interface bandwidth (the
bandwidth that a user purchases from China Telecom or other carriers).
Solution for the yellow alarm:
 When a yellow alarm occurs and the traffic of the Key App group is equivalent to the total traffic, choose
Flow > Flow Control Policy or choose Flow > Object > Custom App to check whether all the selected
applications are those whose traffic you want to guarantee. If yes, the current bandwidth is insufficient. In this
case, you want to apply for more bandwidth from your carrier to ensure sufficient bandwidth.
 When a yellow alarm occurs and the bandwidth used by the Rate-Limited App group is large, reduce the
traffic used by the Rate-Limited App group.
 When an alarm occurs and the traffic of the Normal App group is equivalent to that of the Rate-Limited App
group, reduce the traffic used by the Rate-Limited App group and the Normal App group in turn.
Application Traffic Information of an Interface
The middle part of the page displays the application traffic information of a specified interface, including the ratio
of bandwidth occupied by different types of applications (key/guaranteed applications, normal/other applications,
and rate-limited applications), the total number of applications that are using the traffic, the specific applications,
and the traffic usage of each application, and the traffic dropped by the rate limiting policy.
 The two pie charts at the top of this area display the uplink and downlink traffic occupied by different types of
applications on the selected interface. You can move the pointer onto the pie charts to view the uplink or
downlink traffic not used by applications on the selected interface.
27
○ Key/guaranteed applications: Display the total uplink or downlink traffic used by key/guaranteed
applications on the selected interface, and the percentage of used traffic in the total uplink or downlink
traffic of the selected interface.
○ Normal/other applications: Display the total uplink or downlink traffic used by normal/other applications
on the selected interface, and the percentage of used traffic in the total uplink or downlink traffic of the
selected interface.
○ Rate-limited applications: Display the total uplink or downlink traffic used by rate-limited applications on
the selected interface, and the percentage of used traffic in the total uplink or downlink traffic of the
selected interface.
○ Not used: Display the uplink or downlink traffic not used by applications on the selected interface, and
the percentage of not used traffic in the total uplink or downlink traffic of the selected interface.
 Tables in the lower part of this area display the current traffic usage of specific applications on the selected
interface, including the uplink/downlink traffic occupied by each application and the traffic dropped by the rate
limiting policy.
In the navigation menu in the upper-left corner of the tables, select , and the system
displays the traffic of the current application group on the selected interface.
Click and the following window is displayed:
28
This window displays the application group and type of the selected application, the uplink/downlink traffic
occupied by the selected interface, the traffic dropped by the rate limiting policy, and the traffic of the user
that runs this application.
You can click to block the traffic of the current application. After blocking, the subsequent traffic
of this application is completely dropped by the selected interface.
User Traffic Information of an Interface
The lower part of the page displays the traffic usage of users on the current interface, including the number of
online users and sessions on the selected interface, and the traffic of users using this interface.
You can choose to view the traffic of a local user or an external user through the drop-down list
Click . The following window appears, which displays the traffic usage of the selected user on the
selected interface, details of applications run by the selected user, and the traffic usage of each application.
29
You can click to block the traffic of the current user. After blocking, the subsequent traffic of this user
is completely dropped by the selected interface.
3. Application Traffic Analysis
This function allows you to make statistics on the bandwidth usage of different applications to control and analyze
application traffic, so as to improve the traffic usage values. Click on the Real-Time Traffic tab
page. The following information is displayed:
The page displays the system application traffic usage overview, and the traffic usage of key/guaranteed
applications, normal/other applications, and rate-limited applications.
 Application traffic usage overview
30
This part displays the used traffic and bandwidth usage of key/guaranteed applications, normal/other
applications, and rate-limited applications on the selected interface, and the traffic dropped by the rate limiting
policy.
 Traffic analysis of key/guaranteed applications: Display the details of key/guaranteed applications on the
selected interface, the traffic usage of each application, details of users running the key/guaranteed
applications, and the traffic usage of each user.
Click , and the application traffic details window is displayed. For details, see the application traffic
details window description in the section Interface Traffic Analysis.
The above figure displays the traffic usage of key/guaranteed applications. You can click User in
to display the traffic usage of users running the key/guaranteed applications on the
current interface:
Click , and the user traffic details window is displayed. For details, see the user traffic details
window description in the section Interface Traffic Analysis.
 Traffic analysis of normal/other applications: Display the details of normal/other applications on the selected
interface, the traffic usage of each application, details of users running the normal/other applications, and the
traffic usage of each user.
31
The above figure displays the traffic usage of normal/other applications. You can click User in
to display the traffic usage of users running the normal/other applications on

the current interface:
 Traffic analysis of rate-limited applications: Display the details of rate-limited applications on the selected
interface, the traffic usage of each application, details of users running the rate-limited applications, and the
traffic usage of each user.
The above figure displays the traffic usage of rate-limited applications. You can click User in
to display the traffic usage of users running the rate-limited applications on

the current interface:
32
4. User Traffic Analysis
This function allows you to analyze users' traffic usage by interface and monitor users' current traffic usage and
details of applications in real time, so that you can easily adjust the user traffic usage to rapidly limit users with
excessive traffic usage. If your network has many users, you can filter users by user name or IP address. Click
on the Real-Time Traffic tab page. The following information is displayed:
This page displays the number of online users and sessions on the selected interface, user traffic ranking, user
group traffic ranking, VIP user traffic ranking, and user sessions ranking.
Users are divided into multiple groups by class, department, or floor. NBR can view and manage the traffic based
on the user groups.
Note
To configure a user group, choose User > User > Common User > User Structure.
5.1.3 Historical Interface Traffic
This function allows you to view the interface traffic in real time and the real-time curve within a unit time. You
can view the real-time traffic monitoring curve within a day.
Procedure
33
(1) Choose Flow > Traffic Monitoring > Historical Traffic.
(2) Select the interface you want to monitor.
(3) Select the time period you want to monitor.
5.1.4 VPN Traffic
On this tab page, you can view the details of users who access the network through VPN dial-up on an interface
and the traffic usage of each VPN user.
Procedure
(1) Choose Flow > Traffic Monitoring > VPN Traffic.
(2) Set a query filter.
 Select an interface from to view the VPN traffic usage on this interface.
 Select an option from to refresh the current VPN traffic usage of the device
34
once every 10s, 30s, or every minute, or manually refresh the information.
Click . You can view the traffic usage of a VPN user on an interface. Input the name
or IP address, select an interface, and click .
5.2 Flow Control Policy

5.2.1 Smart Flow Control
On this tab page, you can enable smart flow control for applications in one click. You can use the entertainment
template or office template to provide traffic to your entertainment or office applications first.
Procedure
(1) Choose Flow > Flow Control Policy > Smart Flow Control.
(2) Set the flow control switch to ON.
(3) Add an associated application template.
35
(4) Select an interface and set the bandwidth.
(5) Click Save.
5.2.2 Change Policy
You can plan and manage your company's internal network or any user or application based on the network
condition and company demands.
36
Procedure
1. Add Policy
(1) Click . The Add Policy window is displayed.
(2) Set policy configuration items.
○ Policy Name: In the Policy Name field, input a name for the policy that can indicate the policy purpose
or usage.
○ User: Select at least one user.
○ Select App Group: Select an existing application group from the drop-down list. If the existing application
groups do not meet your requirements, you can click to customize an application
group.
37
○ Flow Limit: You can control the traffic separately. If you select No Rate Limit, all applications share the
bandwidth. The guaranteed speed and maximum speed are the minimum and maximum speeds at which
all users share at the current interface. Maximum Uplink/Download per IP indicates the maximum
bandwidth for each user.
You can click to make more advanced settings.
○ External IP Group: Click to select an IP group.
○ Active Time: Select an active time available from the drop-down list. You can also click
to configure an active time.
(3) Click Save.
2. View Policy
After a policy is added, all flow control policies configured for the device are listed in a table on the page. You
can modify or delete existing policies, as shown below:
 Click in the App Group column to view applications of an application group.
 Enable: You can enable or disable a single policy or all policies. After enabling or disabling, the status
38
displayed in the Status column changes to Active or Inactive.
 Status: Options are Active and Inactive. When the current time is not the Active Time or a policy is disabled,
the policy status is Inactive.
 Priority: The flow control policies come into effect in descending order of configuration time. The first policy
is displayed at the top of the table. You can click or to adjust the priority of existing policies.
 Click . In the dialog box displayed, you can edit or modify a policy.
 Click to delete a policy.
 Click to copy the flow control policies of an interface to another interface.
5.2.3 Change Application
This function allows you to adjust the application classification.
Procedure
(1) Choose Flow > Flow Control Policy > Change App.
(2) Select the application you want to modify and click Edit.
39
5.2.4 VPN Flow Control
This function allows you to enable VPN flow control for an interface.
Procedure
(1) Choose Flow > Flow Control Policy > VPN Flow Control.
(2) Select the interface for which you want to enable VPN flow control.
(3) Select a key application.
(4) Click Save.
Follow-up Procedure
After configuring the interface, click View/Edit to configure the available bandwidth for key VPN applications on
the current channel.
40
5.3 Object Definition

5.3.1 Introduction
For management convenience, the system allows you to abstract some common configuration items into objects,
such as time objects, application group objects, and VLAN objects. The following figure shows objects supported
by the system:
5.3.2 Custom App Group
41
This page displays all application groups available in the current system and applications of each application
group. Key App, Rate-Limited App, Blocked, Normal App, Web Page, Online Video, P2P Video Streaming,
Download, P2P Download, App Update, and Upload are application groups available in the system, and others
are application groups defined by users.
1. App Group
You can set application groups to manage usage of a company's internal protocol in a unified manner and ensure
that the company's internal network can be accessed smoothly and the bandwidth is not wasted.
Procedure
(1) Choose Flow > Object > Custom App.
(2) Click to customize an application group.
(3) In the App Group Name field, input a name for the application group, and select applications that you want
to join this application group.
(4) Click to save the configuration of the custom application group. The information of the
configured application group is displayed in the table on the Custom App page.
Follow-up Procedure
 Edit an application group:
In the table on the Custom App page, click to reallocate applications to an application group.
42
Applications displayed in green are already in the key/guaranteed application group. Applications displayed
in orange are already in the rate-limited application group. Applications in red are already in the blocked
application group. Applications in black are already in normal/other application group or applications not
added to any group.
Applications already added to the key/guaranteed application group, rate-limited application group, or
blocked application group cannot be added to any other groups.
To modify a rate-limited application to a key/guaranteed application, you must first delete the target
application from the rate-limited application group, and then add this application to the key/guaranteed
application group.
 Delete an application group:
In the table on the Custom App page, click to delete a custom application group. You cannot
delete system application groups, that is, the key/guaranteed application group, the rate-limited application
group, the blocked application group, and the normal/other application group.
2. Custom App
In addition to built-in network application protocols of the system, you can also customize other network
applications, such as applications based on a port or a destination server. Like built-in protocols of the system,
custom protocols can also be used for policy-based network application control and bandwidth management, as
well as real-time network application monitoring.
Note
Custom protocols have the highest priority. When a custom protocol conflicts with a built-in protocol of the
system (for example, their port IDs are the same), the custom protocol is applied.
43
Procedure
(1) Choose Flow > Object > Custom App.
(2) On the Custom App page, click . The following Add Custom App window is
displayed:
(3) Set configuration items for the custom application.
Input a name for the custom application, select the protocol type, select the rule type, select the application
group (you can customize an application group or select among built-in application groups), and input the source
or destination port ID or IP address based on the selected rule type.
(4) Click . The configuration is successful.
Follow-up Procedure
 Edit a custom application: Select the application you want to modify and then click .
 Delete a custom application: Select the application you want to delete and then click .
3. Feed Back Applications that Failed to be Identified
44
When the traffic of a network application cannot be identified by the current device and thus you cannot
effectively control this application, you can click . In the window displayed, report the
event to Ruijie Cloud Center and we will analyze the application you report and add it to the feature library to
meet your requirements.
5.3.3 Custom Website Group
The following figure shows the Custom Website page, which displays all application groups available in the
current system and applications of each application group.
1. Website Group
You can set website groups to manage websites accessed by internal employees of the company in a unified
manner and ensure that the company's internal network can be accessed smoothly and the bandwidth is not
wasted on work-irrelated networks.
Procedure
(1) Choose Behavior > Object > Custom Website.
(2) Click to customize a website group.
45
(3) Input a name for the website group and select the websites for this website group.
(4) Click . Then, a new website group is created.
Follow-up Procedure
 Edit a website group:
In the table on the Custom Website page, click to reallocate websites to a website group:
Select the desired websites, deselect the undesired websites, and then click .
 Delete a website group:
In the table on the Custom Website page, click to delete the selected website group.
2. Custom Website
46
In addition to built-in website types of the system, you can custom other websites. For example, you can allocate
several similar websites to a website group. Like built-in websites of the system, action policies can also be
applied to custom websites.
Procedure
(1) Choose Behavior > Object > Custom Website.
(2) On the Custom Website page, click . The following Custom Website window is
displayed:
(3) Set website configuration items.
Create a custom website: Input a name that can clearly indicate the intention or user of this website for the
custom website, and input the domain names of the website (separate multiple domain names by commas
(,)).
(4) Click . The configuration is successful.
The system allows you to configure up to 100 custom websites.
Follow-up Procedure
 Edit a custom website: Select the website you want to modify and then click .
 Delete a custom website: Select the website you want to delete and then click .
47
5.3.4 Time Object
This function allows you to define a time object which is used during policy setting.
Procedure
(1) Choose Flow > Object > Time Object.
(2) Click .
(3) In the window displayed, input a name for the object and select one or more time spans.
The following describes how to create a weekday time object:
a In the Object Name field, input a name for the time object.
b From the drop-down list of Time Span, select a time interval, that is, select a week starting from Monday
to Friday.
c From the drop-down list of Time Span, select a time span.
d You can click Add to add another time span.
48
(4) Then, click . A time object is generated.
Follow-up Procedure
 Edit a time object: Select the time object you want to edit, and click . In the window displayed, you
can delete or modify the time object or add a time object.
 Delete a time object: Select a time object in the list and then click to delete it.
 Delete a time span: To delete a time span of a time object, select a time object in the list. In the window
displayed, select the time span you want to delete, and then click .
5.3.5 External IP Object
An external IP object is an external server address or other IP address except for your internal IP address. For
example, the server of your company's OA or service system is not deployed in your company, but in the
computer room of China Telecom or a hosting center. To ensure that your internal network users can access this
server, you can configure the address of this server as an external IP object and specify the minimum bandwidth
for users in flow control policies.
The system has a default object "/". When L2 or L3 classification recognition is enabled, the destination IP
address in the packets matches the default object "/" when it does not match any other network object.
Procedure
49
(1) Choose Flow > Object > External IP Object.
(2) The tree on the left shows the structure of current external IP objects. After you select an external IP object,
the object information is displayed on the right. You can edit or modify the object information.
 Click to modify the name of selected external user group or external IP group.
 Click to delete the selected external user group or external IP group from the tree of
external IP objects.
 Click to add an external user sub-group to the selected external user group.
50
 Click to add an IP group to the selected external user group.
 Click to add a user member to the selected external user group or external IP group.
User list of external user group or external IP group:
The table above shows all the users of the external user group or external IP group you have selected from
the left tree. You can edit or delete users.
Click . In the Edit User dialog box displayed, you can modify the user name, IP address, and
parent group (move a user to another external user group).
51
 Click to delete a user from the selected external user group or external IP group. You can also
select multiple users and then click to delete them.
(3) Import/export.
 You can also import or export external IP addresses from or to a file. Click and the following
window is displayed.
52
 Import external IP addresses: This function allows you to import external IP addresses from a file to help
the administrator edit external IP addresses in one click.
a Create a table named ipuser-info.csv on a local PC, and input the external IP address information
according to the following format in the table:
b Click Browse and find the file ipuser-info.csv.
c Click . An import progress bar is displayed. When the progress bar is loaded completely,
the file is uploaded.
 Export external IP addresses: Click , select a save path, and then click Save.
5.3.6 VLAN Object
Multiple VLAN objects cannot have the same VLAN ID and multiple VLAN IDs must be separated by commas
(,). To configure several continuous VLAN IDs for the same VLAN object, separate the start VLAN ID and end
VLAN ID by "-".
The system has a default VLAN object "any". When L2 or L3 classification recognition is enabled, in router mode,
all data streams match the default object "any" by default. In bridge mode, all data streams match the VLAN
53
object corresponding to the native VLAN in the bridge by default. If no VLAN object is set for the bridge native
VLAN, the data streams match the default object "any".
Procedure
(1) Choose Flow > Object > VLAN Object.
(2) Input a name and ID in the VLAN Object Name and VLAN Object ID fields respectively.
(3) Click .
Follow-up Procedure
 Edit a VLAN object: Select the VLAN object you want to edit and then click .
For example, to edit the object vlan1, click , modify its name or ID, and then click .
 Delete a VLAN object: Select the VLAN object you want to delete and then click .
For example, to delete the object vlan1, click next to vlan1. To delete all VLAN objects, click
5.3.7 IP Object
Procedure
54
(1) Choose Flow > Object > IP Object.
(2) Perform required operations as follows:
 Click Import IP Object to add multiple IP objects in batch through the configuration file.
 Add an IP object group: Click Add Object Group. In the window displayed, input the group ID and object
group description, and object IP address, and then click .
 Delete an IP object group: Click to directly delete the object group selected
from the IP object list.
 Add an IP object: Click to add an IP object to the IP group.
 Delete the selected IP object: Click to delete the IP object selected in the table.
 Edit an IP object: Click to edit the IP object.
 Delete an IP object: Click to delete the IP object.
5.4 Behavior Policy

5.4.1 Introduction
The behavior policy module allows you to perform access audit, monitoring, and policy configuration for user
behaviors. It can provide access audit information for users and allow the administrator to manage user
behaviors, which can guide users to perform correct network behaviors and allocate the access time and block
impact of bad information on users.
The policies for behavior management are matched in a certain order.
If the first type of behavior management service does not block the packets, the packets will be processed by
the next behavior management service. If a packet is blocked by a behavior management service, the packet
will not be processed by the next behavior management service. The following figure shows the processing
sequence of behavior management services:
55
Figure 5-1 Processing sequence of behavior management services
Website access
Search engine
Email control
IM chatting
Application
BBS forum
Web email
control
Packet Forwarding/audit
Match the
blocking Block/audit
policy
The behavior policies are matched according to the priorities of the policy groups and rules.
Figure 5-2 Priority-based policy and rule matching sequence
Packet
Policy group-1 Rule-1 Rule-1 Rule-1

……
Email control IM chatting Application control
5.4.2 Basic Settings
On the Basic Settings page, you can enable or disable the default audit function for website access, email
sending/receiving, IM chatting, forum posting, and search engines. You can also perform special operations,
such as direct filtering or audit exemption, for specific users, applications, websites, or file extensions.
56
Procedure
(1) Choose Behavior > Behavior Policy > Basic Settings.
(2) Enable the default audit function.
After the default audit function is enabled for a function, the device audits all network access records of this
type.
(3) Application blacklist
Click and the following window is displayed, in which you can view which applications
are blacklisted and blacklist an application or remove a blacklisted application from the blacklist.
○ Click . The following window is displayed:
57
Select the application you want to blacklist, for example, Games, and then click . The selected
application is blacklisted.
○ Click to remove a blacklisted application from the blacklist.
○ Click to remove all blacklisted applications from the blacklist.
○ When an application blacklist is enabled, the device prohibits users from running applications in the
blacklist.
(4) User blacklist
Click and the following window is displayed, in which you can view which users are
blacklisted and blacklist a user or remove a blacklisted user from the blacklist.
58
○ Click and the following window is displayed:
Select the user you want to blacklist and click . The selected user is added to the user blacklist.
○ Click to remove a user from the user blacklist.
○ When a user blacklist is enabled, the device blocks the network access behaviors of users in the user
blacklist.
(5) Configure an audit-exempt user.
Click and the following window is displayed, in which you can view which user
devices are exempted from audit and add or delete an audit-exempt user.
59
○ Click and the following window is displayed:
○ Select a user that you want to exempt from audit. Flow control is not enabled for audit-exempt users by
default. To enable flow control for all users, select and then click
to add the user to the flow-control-exempt list.
In the Flow Control-Exempt column, indicates that the user is exempted from flow control and
indicates that flow control is enabled for this user.
○ Click to remove a user from the flow-control-exempt list.
○ The device does not audit the network access records of audit-exempt users. If Not Exempt from Flow
Control is selected, the rate limiting rules in the flow control policy still apply to the audit-exempt users.
(6) Set a website blacklist.
60
Click and the Website Blacklist/Whitelist window is displayed, in which you can
view which websites are blacklisted and blacklist a website or remove a blacklisted website from the blacklist.
This function supports the blacklist mode and whitelist mode.
 Blacklist mode: Only websites in the blacklist are blocked by the device. Other websites are allowed to access.
○ Add a website to the blacklist: You can select a URL from the available URLs or directly input a URL.
Select from available URLs: As shown in the figure above, check Select and then click in the text box. The
following window is displayed, in which you need to select the URLs you want to blacklist, click ,
and then click .
61
Input a URL: As shown in the figure below, in the Enter a URL field, input a URL you want to blacklist and
then click .
○ Remove a website from the blacklist: Select the website you want to remove from the blacklist and then
click .
 Whitelist mode: Only websites in the whitelist can be accessed. Other websites are blocked by the device.
62
○ Add a website to the whitelist: You can select a URL from the available URLs or directly input a URL.
The operation is the same as that of adding a website to the blacklist and is omitted here.
○ Remove a website from the whitelist: Select the website you want to remove from the whitelist and then
click .
○ Flexible whitelist: Select . All URL requests initiated by whitelisted websites

are allowed. For example, if www.ruijie.com.cn is a whitelisted website, all links on this website are
allowed to access.
(7) Blacklisted file extensions.
Click and the following window is displayed, in which you can view which file extensions
are blocked by the device and blacklist a file extension or remove a blacklisted file extension from the
blacklist.
○ Click to enable the file extension blacklist function.
When this function is enabled, the device does not allow you to upload or download files of the blacklisted
extension.
○ Click to add the file extension names you want to blacklist. Separate
multiple extension names by commas (,).
63
Input the file extension name you want to blacklist and click . The file extension name is added
to the blacklist.
○ Click to remove the deselected file extensions from the blacklist.
(8) Audit-exempt URL
Click and the following window is displayed, in which you can view which URLs
are exempted from audit and add or delete an audit-exempt URL.
○ Select to enable the audit-exempt URL function:
After this function is enabled, accesses to these URLs are neither audited nor blocked by the device.
64
○ Click . In the window displayed, input a URL you want to exempt from audit, and click OK.
The URL is added to the audit-exempt URL list.
○ Click to delete a URL from the audit-exempt URL list.
○ Click to delete URLs in batch from the audit-exempt URL list.
5.4.3 Advanced Settings
Internet-based information transmission has been a key application for enterprises and institutions. However,
problems such as information confidentiality, health, and political correctness must be concerned.
Ruijie NBRs provide brand-new refined information sending/receiving monitoring and audit functions, helping
you effectively control the transmission scope of key information and avoid possible legal risks.
Ruijie NBRs allow you to monitor information transmission channels, such as email, webmail, BBS, IM, Web-
SEARCH, FTP, Telnet, and web pages. For example, you can audit content of emails, chatting, and posts.
Procedure
(1) Choose Behavior > Behavior Policy > Advanced Settings.
65
On this page, you can manage and configure application control policies and website access policies.
(2) Click and the Add Behavior Policy window is displayed.
a Policy group name: In the Policy Group Name field, input a name for the policy that can clearly indicate
the policy rules or usage, and then click Next.
b Behavior control: Select behavior rules you want to apply to this policy. You can select multiple behavior
rules at a time. The page is as follows:
Click a rule name on the left to view all rules under this policy. To edit a rule, select the check box
before the policy and then edit, delete, or add rules. Then, click Next. For the addition page of
each type, see the sections below.
66
Control rule description:
○ Allow and Audit: The device does not block network access behaviors of the selected user but will
record the network access information.
○ Allow and Not Audit: The device neither blocks network access behaviors of the selected user nor
records the network access information.
○ Deny and Audit: The device blocks network access behaviors of the selected user and records the
blocked access request information.
○ Deny and Not Audit: The device blocks network access behaviors of the selected user but does not
record the blocked access request information.
○ Active Time: Specify the active time for the rule. The rule is active only within the active time.
c Associated user: Select users (either local or external) to which the policy is applied. An external user is
a user that passes third-party login authentication, such as an authenticated VPN user or web user.
(3) Application control.
67
This function allows you to monitor the network behaviors of applications, release or block data streams of
relevant applications as needed, and audit the control behaviors. You can create an application control
policy as follows:
Click Click to Select and the following page is displayed:
68
From the left application list, select the applications you want to control or click to
customize applications. You can create an application group or click to

select one from available application groups. To create an application group, select applications you want
to control, input a name for the group in the App Group Name field, and then click OK.
Click to delete a selected application.
(4) Website access policy.
This function allows you to monitor accesses to URLs, classify and audit all URL access requests initiated
by the internal network, and block or release the URL access requests as needed. The configuration page
is as follows:
Click Click to Select and the following page is displayed:
69
The tree on the left shows the structure of URL categories of the current system. You can select a URL
category from the tree as the monitoring object. If no URL is selected, all URLs are used by default.
Click to customize a website. You can create a website group or click
to select one from available website groups. To create a website group,

select the websites you want to control, input a name for the group in the Group Name field, and then click
OK.
Click to delete a selected website.
5.5 Realtime Audit

This page allows you to make statistics on the audit records of user traffic.
Note
Considering the large number of website access records and external transmission records, the page does not
display these two audit records.
Procedure
(1) Choose Behavior > Realtime Audit.
(2) View detailed audit records.
70
71
Web-based Configuration Guide Security Authentication
6 Security Authentication
6.1 User Organization
6.1.1 User management
Users on the device can be either internal users or authenticated web users or VPN users.
One user can log in to a VPN and be used for web authentication. For example, a user named Lisan is configured
under the financial department. VPN and web authentication is enabled for this user and the computer IP
address assigned for Lisan is bound to his account. In this way, Lisan's network behaviors can be audited and
controlled no matter Lisan logs in to his account from the company's network or from a web or VPN. VPN here
refers to PPTP, L2TP, or SSLVPN.
Procedure
(1) Choose User > User > Common User.
(2) The tree on the left is the structure of all users of the current system. After you select a user group, information
about this object is displayed on the right. You can edit or modify the object information.
To modify a user or user group, click the corresponding user group. The following page is displayed.
72
 Click to edit the selected user group, as shown below:
You can modify the user group name and move a user to another user group.
 Click to add a user sub-group to the selected user group, as shown below:
The user group name can contain up to 31 English characters. One Chinese character equals two English
characters.
 Click to delete the selected user group from the user tree. All users in this user group are also
deleted.
 Click to create a user or IP range under the selected user group.
73
○ User Name: The name of this user, which is used for VPN login or web authentication.
○ Permission: Indicate whether this user name and password can be used for web authentication or VPN
login. If yes, you must set a password; otherwise, login may fail.
○ Password: The password used for web authentication or VPN login.
○ Allow Internal Web Auth User Password Change: This item is displayed only after you select Allow
Internal Web Auth. It indicates whether to allow users to modify the password after web authentication
is passed.
○ Deny Internal Web Auth: This item is displayed only after selecting Allow Internal Web Auth. In this
mode, users can only access internal network resources and cannot access external networks even after
web authentication is passed.
○ IP Address and MAC Address: The IP address or MAC address of the user. You can configure an IP
address range or configure both an IP address and a MAC address. To configure an IP address range,
separate IP addresses by "-".
○ Auth Mode: Options are Single Direction Bind and Dual Direction Bind. This item is available only
after selecting Allow Internal Web Auth. Dual Direction Bind means that, in real time authentication
mode, the user name can only use the specified address to access networks and the specified address
can only be used by this user. Single Direction Bind means that, in real-time authentication mode, the
user name can only use the specified address to access networks but the specified address can be used
by other users.
Note
You can also click to add or delete a user group or add a user.
(3) You can perform operations in the following figure on the user list of a user group.
74
The table above shows all the users of the user group you have selected from the left tree. You can edit or delete
users.
 Click or . The action policy associated with the user or user group is displayed, as shown
below:
 The device allows you to edit users in batch: Select users you want to edit and then click
to delete or edit users in batch. The edition page is shown below:
 Click to edit user parameters. For the function of each parameter, see the section Add User.
75
 In the search box, input user name or IP address. The query results are displayed in the table below.
6.1.2 Import and Export Users
This function allows you to:
 Export user configurations existing in the system.
 Import user configurations in batch based on a template.
Procedure
(1) Choose User > User > Import/Export User.
76
(2) Import users.
You can import users from a file to help the administrator edit users in one click.
a Create a table named user-info.csv on a local PC, and input the user information according to the
following format in the table:
b Click and import the file user-info.csv.
c Click . An import progress bar is displayed. When the progress bar is loaded completely,
the file is uploaded.
(3) Export users. Click . In the Save dialog box displayed, save the file user-info.csv to a local
PC.
6.1.3 Special User Management
Special users include VIP/server users, blacklisted users, and audit-exempt users.
77
 VIP/Server User: These users are key users or internal network servers that need to be protected. These
users will be given priority when they access the network. Click . The VIP/server user
configuration window is displayed, in which you can add or delete a VIP/server user.
○ Click to add a VIP/server user. You can also check Select User and
select users in the tree, or select Add VIP or Internal Server, and then manually input the user name
and IP address.
78
 User Blacklist: These users are blacklisted. To block all network access behaviors of a user, you can add
this user to the blacklist. Click and the user blacklist configuration window is displayed, in
which you can add or remove a user to or from the blacklist. For details, see the section 5.4.2 (4) User
blacklist.
 Audit-Exempt User: These users are users exempted from traffic audit or flow control. For example, a boss
does not want his/her network access behaviors audited, and then you can set this boss as an audit-exempt
user. Click and the audit-exempt user configuration window is displayed, in which
you can add or delete an audit-exempt user. For details, see the section 5.4.2 (5) Configure an audit-exempt
user.
6.1.4 Block Internet Access
After Block Internet Access is enabled, all users of an internal network cannot access the Internet.
You can add a user to a whitelist so that this user can access the Internet.
Procedure
(1) Choose User > Block Internet Access.
79
(2) Click to add at least one user to a whitelist and select to

enable Block Internet Access.
(3) Select users you want to add to the whitelist.
(4) Click .
80
Follow-up Procedure
 Click in the Delete column to delete a single whitelisted user.
 Click to delete multiple selected whitelisted users.
6.2 Web Authentication

The system provides web authentication and web authentication exemption functions.
6.2.1 Web Authentication
Web authentication is also known as user authentication.
User authentication is an authentication method used to control users' permission to access a network. You do
not need to install a specific client authentication software and can just use a common browser for access
authentication. When an external user accesses a network, the authentication device forces the user to log in
to the specified site and then the user can access services of the network for free. When the user needs other
information on the Internet, the user must be authenticated on the web authentication server and then can use
Internet resources. If the user attempts to access other external networks via HTTP, the user is forced to access
the web authentication website and thus the web authentication process is started. This method is called forced
authentication. Authentication provides users with convenient management functions. Portal websites can
provide advertising, community service, and customized services.
The device supports both the built-in authentication server and external authentication server. When the built-in
authentication server is used, the device already provides relevant service functions and thus you do not need
to use an external server. When an external authentication server is used, you must deploy an ePortal server
and Radius server first.
Procedure
(1) Choose User > Web Auth > Web Auth.
(2) Set the built-in authentication server.
81
Click and the following window is displayed, in which you can view currently authenticated
online users. Click Force Offline to make the selected user offline. You can also query online users:
 WiFiDog Auth: When the built-in portal server of the device is used for user identity authentication, you can
obtain the user information from a local server, from a Radius server, or from both the local and Radius
servers. The option External user preferentially is recommended but you have to build a Radius server first.
 Server Port: The port ID of the built-in portal server, ranging from 1025 to 65535. The default port ID is 8081.
You can modify the port.
 Share Account: One account can have only one IP address at a time. After Share Account is enabled,
multiple IP addresses can share one account. After this function is disabled, the account logged in later is
valid.
 SMP User Changes Password: After this function is enabled, you need to input the URL for password
modification, and then SMP users can modify their passwords through this URL.
 Advertising Mode: Set the advertising display method. Options are AD after Auth or No AD.
82
 AD URL: The URL of the advertising page.
 Seamless Auth: After this function is enabled, the advertising is pushed without the need of authenticating
the user IP address.
 Custom Logo: When this function is enabled, the custom logo is displayed. When this function is disabled,
the system default logo is displayed. You can customize authentication logos.
 Advanced Settings: Click to configure more parameters, as shown below. For

details, see the section 6.2.3 Advanced Settings for User Authentication.
(3) Set the external authentication server.
83
 Server IP: Input the IP address for the external ePortal server you have built. Generally, the authentication
page is provided by the authentication ePortal server.
 Redirected URL: Input the URL of the authentication page in this field. When an unauthenticated user
accesses network resources, the system redirects to this page automatically and remains on this page after
the user is authenticated.
 Specified User Subnet: The network segment in which IP addresses must be authenticated by the ePortal
server. IP addresses not in this network segment do not need to be authenticated.
 Add Backup Server: When the active server communication fails, the system automatically switches to the
backup server. Web authentication service is interrupted when you edit the server configurations. As shown
below, the web allows you to add up to 4 backup portal servers:
 Encryption Password: Set the password for communication between the device and the authentication
server. This password must be consistent with the communication password of the authentication server;
otherwise, it does not come into effect.
 SNMP Dest Host: The host address of the authentication server.
 SNMP can be configured only when an external authentication server is used. To enable authentication by
an external server, you must set the NIC parameters for SNMP communication between the authentication
device and the authentication server, including SNMP Password and SNMP Dest Host.
 Advanced Settings: Click to configure more parameters, as shown below. For

details, see the section 6.2.3 Advanced Settings for User Authentication.
84
(4) Set the advertising push service.
 Input the advertising URL.
 Advanced Settings: Click to configure more parameters, as shown below.
After the advertising push service configuration is saved, the advertising page pops up when the advertising
push user accesses the network for the first time. After Push AD is enabled, if the advertising page does not
pop up, choose Internet options > Privacy and unselect Enable pop-up blocker, or enable Not Block ADs
in Advanced Settings.
Follow-up Procedure
If user authentication is no longer required, select and then click to

disable the function.
6.2.2 Web Authentication Exemption
 Whitelisted Network: Input the IP address of the network server. Then all users, including unauthenticated
85
users, can access this IP address. You can set up to 1,000 rules.
 IP/MAC of Whitelisted User: This user can directly access the network and no advertising will be pushed to
this user. You can set up to 1,000 rules.
Procedure
(1) Choose User > Web Auth > Whitelist Settings.
(2) Set the whitelisted networks.
 Whitelisted Network: After Web Auth is enabled, unauthenticated users must pass web authentication first
before they can access networks. To allow unauthenticated users to access some whitelisted networks, you
can use this item to set whitelisted networks. After a website is set as a whitelisted network, all users,
including unauthenticated users, can access this website. By default, unauthenticated users cannot access
non-whitelisted networks. (Note: You can configure a single IP address or an IP address range (in the format
of IP address + mask, such as 192.168..1.0 255.255.255.0). The IP address range is a whitelisted network.)
 Whitelisted User: If the IP address of a user is whitelisted, the user can directly access all reachable
networks without needing to pass the web authentication. No whitelisted user is configured by default. All
users must pass the web authentication before they can access networks. (Note: You can configure a single
IP address or an IP address range (in the format of IP address + mask, such as 192.168..1.0 255.255.255.0).
The IP address range is a whitelisted network.)
 Whitelisted MAC: You can query, add, delete, or modify the user MAC addresses.
86
6.2.3 Advanced Settings for User Authentication
 Max HTTP Sessions: You can set a maximum number of HTTP sessions for each authenticated user. When
an unauthenticated user accesses a network, the user PC sends an HTTP session connection request. The
device blocks the HTTP packet and requires the user to pass the web authentication through a redirection
request. To prevent an unauthenticated user from sending too many HTTP connection requests to save the
device resources, you need to set a maximum number of HTTP sessions for the unauthenticated user on the
authentication device. One HTTP session is occupied for user authentication, while other applications of the
user may occupy HTTP sessions. Therefore, do not set the maximum number of HTTP sessions of
unauthenticated users to 1. By default, the maximum number of HTTP sessions of unauthenticated users is
255.
 Redirection Timeout: You can set a redirection timeout time. When an unauthenticated user accesses a
network via HTTP, the user's TCP connection requests will be blocked and a TCP connection is established
with the authentication device. After the connection is established, the authentication device waits for the
HTTP GET/HEAD packet from the user, returns an HTTP redirection packet, and then closes the connection.
The redirection timeout time can prevent the problem that the user does not send the GET/HEAD packet and
occupies the TCP connection for a long time. By default, the redirection timeout time is 3s.
 Redirection HTTP Port: You can set up to 10 destination port IDs. When a user accesses a network (such
as accessing the Internet through a browser), the user will send an HTTP packet, and the authentication
device blocks this HTTP packet and judges whether the user is accessing a network. When the authentication
device detects that an unauthenticated user is accessing a network, the device blocks the user's network
access request and displays the authentication page. By default, the authentication device blocks HTTP
packets sent from the port 80 to check whether the user is accessing a network.
 Refresh Interval: You can set an interval for refreshing online user information. The authentication device
maintains online user information and needs to update such information periodically, including the online
duration. In this way, the device can monitor the network resources used by online users. When the online
duration of a user is greater than or equal to the online limit, the user is disabled from using the network
again. By default, the refresh interval is 60s.
 Idle Timeout: You can set a traffic-based user offline detection mode. For example, if the user traffic does
not increase within 15 minutes, the device judges that the user has been offline. This command is used to
check whether a user is offline, but some detection errors may occur. The system supports two user offline
87
detection modes: a. The user has clicked the Offline button on the authentication page. b. The traffic-based
user offline detection mode is used. When user traffic does not increase within 15 minutes, the device judges
that the user has been offline. Both modes are enabled by default.
 IP-MAC Binding: Set the IP-MAC binding mode to IP+MAC. In an L2 network, you can bind a user name to
both the MAC address and IP address.
 Whitelisted IP: Advertising is pushed to users whose IP addresses are whitelisted without the need to
authenticate such users.
6.3 Local Server Authentication

6.3.1 Authentication Policy
Procedure
(1) Choose User > Local Auth > Auth Policy.
(2) Set Local Server Auth to ON.
If Local Server Auth is set to OFF, only Auth Policy is available in the Local Server Auth sub-menu.
(3) Add or edit an authentication policy
Click Add Policy or Edit to configure an authentication policy.
You can edit the policy only after selecting Enable. The authentication server obtains relevant requests through
the Auth Server interface.
88
(4) Adjust the priority of an authentication policy
Click the arrows in the Match Order column to switch the priorities of authentication policies.
Follow-up Procedure
Click or to delete authentication policies.
6.3.2 Authentication Server
Procedure
(1) Choose User > Local Auth > Auth Server.
(2) Delete the authentication server
Click or to delete the authentication server.
(3) Add or edit an LDAP server.
Click Add Auth Server or Edit to configure an LDAP server.
89
Field Note
The name of the authentication server

Server Name
Server Address The IP address of the server
Source Interface Address The source interface address, which can be left blank
Admin Name The administrator name
Admin Password The administrator password
Search API The search API
User Attribute The user attribute
Unique Attribute The user unique attribute
90
6.3.3 Advanced Settings
Procedure
(1) Choose User > Local Auth > Advanced Settings.
(2) Set advanced configuration items.
Field Note
The network type

Network Type
L2 Network
L3 Network
Unauthorized Uptime The online duration of an unauthorized user
Authorized Uptime The online duration of an authorized user
Auto Remember MAC Whether to automatically record the account's MAC address
MAC Address Limit The maximum number of MAC addresses recorded for each account
Seamless Auth 0: Close
91
Field Note
1: Seamless MAC bypass
2: Seamless Web Popup
User Seamless Aging Time The idle aging time of the account
Fetch MAC Through DHCP

Whether to obtain the MAC address through DHCP Snooping
Snooping
Idle Timeout Whether to enable offline detection when there is no traffic
Over x minutes The duration
the clients with a rate lower

than x KB/s will be forced The traffic below which the user's traffic is will the user be forced offline
offline.
HTTPS Redirection Whether to enable HTTPS redirection
Authorization Control Whether to enable authorization control
Authorization Times for

The number of authorization times for an authorized user
Unprivileged Users
When Internet access from PCs or mobile terminals is disabled, terminal

Terminal Control
control can be enabled.
Deny PC Access Whether accesses from PCs are denied
The exceptional time for Deny PC Access

Exceptional Time
You must set an exceptional time of None.
Deny Mobile Terminal Access Whether accesses from mobile terminals are denied
The exceptional time for Deny Mobile Terminal Access

Exceptional Time
You must set an exceptional time of None.
(3) Click Save.
6.3.4 Whitelisted Settings
After IP addresses or MAC addresses are configured for whitelisted users, they can directly access the Internet
without passing authentication. Traffic from all the users in the blacklist is blocked.
92
Whitelisted User: This user is allowed to access the Internet without authentication. No AD will be pushed to this
user.
Whitelisted External IP: All users are allowed to access this external IP address.
Whitelisted URL: All users are allowed to access this URL.
Whitelisted MAC: This MAC address is allowed to access the Internet without authentication. No AD will be
pushed to this MAC address.
Blacklisted MAC: This MAC address is not allowed to access Internet.
Temporary Blacklist: You can configure a valid time for whitelisted users, whitelisted external IP addresses,
whitelisted MAC addresses, and blacklisted MAC addresses. After the time expires, the settings will be removed
automatically.
Procedure
(1) Choose User > Local Auth > Whitelist Settings.
(2) Set whitelisted users.
Click to set the IP address range and valid time for the whitelisted users. The
value can be a single IP address (such as 192.168.110.2) or an IP address range (such as 192.168.110.2-
192.168.110.254).
93
(3) Set whitelisted external IP addresses.
Click , input external IP addresses that can be accessed by users
without authentication and input the valid time, and then click .
94
(4) Set a URL whitelist.
Click , input the whitelisted URLs, and click . When the destination
URL of the user is in the URL whitelist, traffic from the user will be permitted directly, regardless of whether the
user passes authentication.
(5) Set a user MAC whitelist.
95
Click , input the MAC addresses of whitelisted users and the valid time, and then
click .
(6) Set a user MAC blacklist.
Click , input the MAC addresses of blacklisted users and the limit time, and then
click .
96
(7) To delete the whitelist configuration, click in the Action column.
6.3.5 User Permissions
Set user permissions and specify a user that can grant access permissions to visitors.
Procedure
(1) Choose User > Local Auth > User Permission.
(2) The system displays information about registered users and users in the privileged group.
Registered users are entries generated after a user goes online. After a user is generated, click to
add a MAC address and specify the terminal type under this account.
97
(3) Set users in a privileged group.
You can set users in a privileged group. Users in this group can grant access permissions to other users.
Privileged groups are divided into the local user privileged group and AD domain user privileged group.
a Edit a local user privileged group: Click , select local users you want to add to
the privileged group, and then click .
b Edit an AD domain user privileged group: Click , select AD domain

users from the tree that you want to add to the privileged group, or input user names in the text box, and
then click . Finally, click .
98
6.3.6 Online Information
This function allows you to get details of online users.
Procedure
(1) Choose User > Local Auth > Online Info.
(2) The system displays information of online users. You can query details of a specific online user by user name
or IP address. You can click to force an online user offline.
6.4 Local Attack Prevention

99
The Local Attack Prevention function allows you to classify, filter, and limit the rate of data packets to be
processed at the control layer. It can prevent attacks and protect key resources at the control layer.
Procedure
(1) Choose Security > Local Attack Prevention.
(2) Set an policy.
ARP attacks are targeted at Ethernet Address Resolution Protocol (ARP). Such attacks help attackers obtain or
even tamper with data packets in a LAN and make a specific computer or all computers on the network unable
to be connected.
 ARP spoofing detection: You can enable to prevent hackers

from eavesdropping on all IP or MAC addresses in the network and pretending to be a PC in the network for
ARP spoofing.
 View the ARP spoofing list: You can click to view the list of hosts suspected of
ARP spoofing in the current system.
(3) Set a flow attack defense policy.
100
Flow Attack Defense: Enable . If the packets of the process exceed

the threshold, the packets will be discarded. The threshold is 200 packets per second on average. 300 packets
can be sent per second in emergency cases.
Attack Flow Logs: Click to view the logs of current attacks of the system or click
to view the logs of historical attacks of the system.
(4) Set other anti-attack policies.
 Disable Web GUI Access: After is enabled, internal
network users cannot log into the web system of this device. After is enabled, external
network users cannot log into the web system of this device.
 Add IP Whitelist: The IP address input here must be the IP address of the administrator which is not affected
by the rate limiting policy. This can improve the device management efficiency of the administrator. You can
click to view and manage more information:
101
 Disable Ping: You can select and to prevent internal

network users or external network users from pinging the same device. This function can filter out some
malicious packets because some packets will no longer intrude on the system when they find that the system
cannot be pinged.
 Web Access Port: The default port is 80. If you have modified the port ID, you must add the port ID in the
address bar and then you can access the device via the URL http://IP address: access port ID.
(5) Click .
6.5 Interface Access Control

You can apply an ACL to a device interface to control inbound and outbound packets of the interface, so as to
improve the network device security.
Prerequisites
You can configure an ACL. For details, see 6.7 ACL.
Procedure
(1) Choose Security > Interface.
(2) Click to add an interface access control rule.
102
a Select the number of the ACL you want to apply and the matching interface.
b Set a packet filter direction. Options are Inbound and Outbound.
c Click . Then, the access control rule is applied to the interface and serves as a firewall.
The firewall supports ACLs based on status tracing. After is selected, you
can trace network disconnections and allow reflexive traffic to enter the network again.
6.6 ARP Entries

The device learns the IP address and MAC address of the network devices connected to its interfaces and
generates the corresponding ARP entries. You can bind ARP mapping entries and enable gratuitous ARP to
restrict Internet access of LAN hosts, prevent ARP spoofing, and improve network security.
Procedure
(1) Choose Security > ARP.
103
(2) Bind static IP addresses/MAC addresses.
You can manually bind static IP addresses/MAC addresses one by one or bind addresses in batch by scanning.
 Click and the following window is displayed:
Single Binding: You just need to input the IP address and MAC address and then click .
Batch Binding: Select the external interface you want to scan, specify the address range to be scanned (if no
address range is specified, the addresses of all computers in the network are scanned), and then click
104
. The device automatically binds IP addresses and MAC addresses within the specified range. If
ARP learning is disabled for the interface, the scanning function is invalid.
(3) Enable Allow Only Statically Bound User to Access Internet.
After this function is selected, the device only permits traffic of statically bound IP addresses and MAC addresses.
Follow-up Procedure
 The ARP entry table displays the IP addresses and MAC addresses statically bound by a user or dynamically
bound by the system.
 Delete a statically bound address
In the ARP entry table, select the statically bound IP address or MAC address you want to delete, and then
click .
 Convert dynamic binding to static binding
In the ARP entry table, select the dynamically bound IP address or MAC address you want to change, and
then click .
 ARP function setting
○ Disable ARP Learning: Select the interface for which you want to disable ARP learning. Then PCs
dynamically bound to this interface cannot access the Internet. Only PCs statically bound to this interface
can access the Internet.
○ Enable Gratuitous ARP: When a network interface of the device serves as the router for downstream
devices but a downstream device acts as a router, if gratuitous ARP is enabled, you can set a gratuitous
ARP request periodically from this interface to advertise this interface is the real router.
105
6.7 ACL
An Access Control List (ACL) defines a series of Permit or Deny rules and applies these rules to a device
interface to control inbound and outbound packets of the interface, so as to improve the network device security.
You can configure ACLs to ensure network security, reliability, and stability, prevent packet attacks, and control
network accesses.
Procedure
(1) Choose Security > ACL.
(2) Click to add an ACL.
a Select the ACL type. Options are Standard ACL (Source-address-based Control) and Extended ACL
(Flow-based Control).
b Input a name for the ACL.
c Click OK.
(3) Click . In the window displayed, set access control rules.
 Standard ACL (Source-address-based Control): Select the access control action and time period, input
the IP address, and then click . A standard ACL is then generated.
106
 Extended ACL (Flow-based Control: Select the access control action, protocol type, and time period,
configure the corresponding source and destination IP addresses and source and destination ports, and then
click . An extended ACL is then generated.
107
○ You can select the source and destination IP address type from the drop-down list :
○ Single IP: Input a single source or destination IP address.
○ IP&Mask: Input the source or destination IP address ranges in the format of masks.
○ IP&Wildcard: Input the source or destination IP address ranges in the format of wildcards.
Note
 You can set any source or destination IP addresses and source or destination ports.
 The wildcard masks specify which bits of an IP address will be ignored when this IP address is compared
with other IP addresses. 1 in the wildcard masks indicates ignoring the corresponding bit in the IP
address and 0 indicates retaining this bit. If the wildcard mask is omitted, 0.0.0.0 will be considered the
default mask.
Follow-up Procedure
The system generates ACLs.
 Click to adjust the sequence of an ACL.
 Click to edit the selected ACL.
 To delete an ACL, select the ACL you want to delete and then click .
6.8 Limiting the Number of Connections

This function allows you to limit the total number of sessions of the device, to avoid network lag because a user
consumes excessive created connections while other users cannot connect to the network.
Procedure
(1) Choose Security > Max Sessions.
108
(2) Configure attack defense for the device.
 Uplink Attack Defense: Limit the packet uplink rate per second for internal network users to prevent uplink
attacks against the internal network. You can limit the rate for all users or for a single user.
 New Session Limit: Limit the number of new sessions created per second for internal network users to avoid
sessions attack. You can limit the rate for all users or for a single user. Click to
view the list of hosts suspected of making sessions attack.
(3) Create a sessions limiting policy.
Click to create a sessions limiting policy. You can limit the number of sessions
based on user or based on ACL.
 User-based sessions limiting policy:
109
a Select User: Click . In the Select window displayed, select users for which you want to
limit the number of sessions, and then click .
b Method: Select a control method from the drop-down list . If Block is selected,
selected users cannot access the Internet. If Limit Session Count is selected, you need to set the
maximum number of sessions of all IP addresses and the maximum number of sessions of each IP
address. The range is 1 to 200000, which depends on the specific product model.
c Click Save.
 User-ACL sessions limiting policy:
110
b ACL No.: Select an ACL No. available in the system from the drop-down list
. Or, you can click to create an ACL and configure it.

For how to create an ACL, see 6.8 ACL.
d Method: Select a control method from the drop-down list . If Block is selected,
users to which the selected ACL is applied cannot access the Internet. If Limit Session Count is selected,
you need to set the maximum number of sessions. The range is 1 to 200000, which depends on the
specific product model.
e Click Save.
Follow-up Procedure
 The following figure lists sessions limiting policies.
○ Policy Type: Indicate that the policy is based on ACL or user.
○ Status: Indicate whether the current policy is active.
The sessions limiting policies come into effect in descending order of configuration time. You can click
or in the Priority column to adjust the priority of existing policies.
Click to modify the policy and click to delete the policy.
 View sessions per IP address
111
Click to view the number of sessions per IP address when sessions limiting
per IP address is enabled for the device.
6.9 Account Sharing Prevention

6.9.1 One-click Account Sharing Prevention
The device will deliver the configurations based on the predefined policy after the one-click account sharing
prevention feature is enabled. You can add or modify the account sharing prevention policy on the Policy page.
If the one-click account sharing prevention is enabled, the device will only detect sharing users but not block
Internet access, or block Internet access or limit Internet speed for the sharing users according to the punishment
method configured in the policies. If this feature is disabled, all account sharing prevention policies will be cleared.
Procedure
(1) Choose Security > Prevent Share > Prevent Share.
(2) Turn on Enable One-click Account Sharing Prevention.
6.9.2 Account Sharing Prevention Policy
Through the account sharing prevention policy, you can detect specified users. You can also choose to only
detect users but not block Internet access, or block Internet access or limit Internet speed for those sharing
users.
Procedure
(1) Choose Security > Prevent Share > Policy.
(2) Click Add Account Sharing Prevention Policy to access the Add Account Sharing Prevention Policy
page.
112
(3) Select the user and the punishment mode. Select Detection only to only detect whether the user accesses
the Internet through account sharing. Select Blocked from Internet Access to block sharing users from
Internet access. Select Limit Internet speed to limit Internet speed of sharing users.
(4) Click OK.
(5) (Optional) Click Sharing Prevention white list to add users exempted from detection to the whitelist. The
device will not detect the users in the whitelist.
6.9.3 Real-Time Monitoring
The function is used to display the monitoring results and query the monitoring information based on the IP
address, the user name, the user type, the user status, time, client information and the action.
Procedure
(1) Choose Security > Prevent Share > Real-Time Monitor.
(2) Select the query criterion from the drop-down list box and click Search to display the monitoring results.
113
6.9.4 Historical Log
The function is used to display the historical logs.
Procedure
(1) Choose Security > Prevent Share > Historical Log.
(2) Click Search to configure filtering conditions for historical logs.
114
Web-based Configuration Guide Network
7 Network
7.1 Interface Configuration
Interface configuration is the key configuration for intranet access, and its correctness is related to normal
intranet access. The following figure shows the interface configuration page.
If the icon corresponding to an interface is highlighted in blue like this ( ), the interface is powered on
(the network cable is connected). A grayscale icon ( ) indicates that the corresponding interface is not
powered on. If the icon has a small globe, the corresponding interface is an extranet port. Otherwise, it is
an intranet port.
Interface configuration varies with the mode (router or bridge), which will be described separately below.
7.1.1 Basic Settings
This operation allows you to configure various interfaces of the device.
Procedure
(1) Choose Network > Interface > Basics Settings.
115
(2) Configure an intranet port.
a Click the icon (for example, ) corresponding to the intranet port to be configured.
b Set the IP address and subnet mask.
IP Address: IP address of the intranet port, which is the router IP address in the planned network
segment of the intranet.
Submask: mask corresponding to the network segment.
c Expand Advanced Settings and set other configuration items corresponding to the LAN port.
116
MAC Address: physical address of the interface, which is mainly used to prevent internal physical
addresses from conflicting with each other. Generally, it can be left unset.
Any IP: If this function is enabled, normal network access is available with random IP address
configuration or without IP address configuration for the intranet PC. That is, this function allows normal
network access for some PCs when the IP addresses are incorrectly set.
Reverse Path: If this function is enabled, the incoming packets from the CERNET interface still go out
through the CERNET interface, and the routing table will not be queried when response packets are sent.
This prevents the scenario where it is found by routing table query during response packet sending that,
for example, the incoming DNS request packets of China Telecom users from the CERNET interface
shall go out from the Telecom interface, while the carrier will take corresponding measures to prevent the
failure of packet loss resolution in this case.
d Set the parameters in the Secondary IP and Sub Interface windows.
Secondary IP: The Ethernet interface supports multiple IP addresses, and the secondary IP address is
an IP address other than the one configured for the first time. Click to check and
manage the secondary IP address corresponding to the selected interface.
Sub Interface: Sub interfaces are multiple logical interfaces derived from one physical interface. This
means that multiple logical interfaces are associated with one physical interface, and several logical
interfaces belonging to the same physical interface share the physical configuration parameters of the
physical interface when they work, but have separate link layer and network layer configuration
parameters. Click to check and manage the sub interface derived from the selected
interface.
117
(3) Configure an extranet port.
Properly connect the extranet line you applied for to the extranet port of the device and select the extranet port
to be configured. The configuration page is displayed, as shown in the following figure.
a Set the line type.
The options for extranet port configuration are Static IP, DHCP, and PPPoE(ADSL).
○ Static IP:
118
If you select it, set the IP address assigned to you by the operator, subnet mask, and next hop address
(also router).
○ PPPoE(ADSL):
Select it if you apply for an ADSL line from the carrier. You need to set the dial-up account and password
you applied for from the network carrier.
○ DHCP:
If you select it, the system will obtain the IP address dynamically.
119
b Expand Advanced Settings and set other configuration information about the extranet port.
○ Interface Desc: describes interface information. Set it when Static IP is selected, which is optional.
○ Uplink Bandwidth/Downlink Bandwidth: maximum bandwidth allowed by the interface. Set it

according to the actual bandwidth you applied for from the carrier. The bandwidth ranges from 0.5 Mbps
to 1000 Mbps.
(4) Click Save.
7.1.2 Multi-PPPoE
This function allows dialer line adding for the corresponding interface.
Procedure
(1) Choose Network > Interface > Multi-PPPoE.
(2) Enable this function.
7.1.3 Multi-link Aggregation
An Aggregate Port (AP) can bind multiple physical links together to form a logical link for link bandwidth
expansion, which provides higher connection reliability. You can set link aggregation if link bandwidth expansion
is required.
Procedure
(1) Choose Network > Interface > Aggregate Port.
120
(2) Click .
(3) Set the configuration items related to intranet multi-link aggregation, that is, set Aggregate Port, Type, and
Member Port.
(4) Click .
7.1.4 Interface Conversion
Except for the fixed LAN ports and WAN ports, all other interfaces support switching between intranet ports and
extranet ports. You can perform the switching on this page.
Procedure
(1) Choose Network > Interface > Interface Conversion.
121
(2) Click the icon corresponding to the interface for conversion, and select LAN Port or WAN Port from the drop-
down list for conversion.
(3) Click and restart the device for the interface mode to take effect.
7.1.5 Link Detection
This operation allows you to check whether the extranet port of the device is working properly.
Procedure
(1) Choose Network > Interface > Link Detection.
(2) Enable link detection for the corresponding interface, for example, select
. The link detection configuration items for

the Gi0/7 interface are displayed.
○ To check whether an interface can be connected, enter a pingable IP address, for example,
122
183.79.250.251 (yahoo.co.jp).
Caution
Please do not enter an IP address that cannot be pinged even when the interface works properly.
Otherwise the network may be down. When the peer IP is unreachable, the link will be judged as
problematic. Thus, the corresponding interface protocol status will turn to Down, which means the
interface cannot be connected.
○ Set Next Hop IP. Set it to the router IP address for an intranet device.
○ Set Detection Interval. The default interval is 100 ms.
(3) Click . If the interface complies with the preceding configurations and can be pinged, a prompt
indicating good network connection is displayed in the system. Otherwise, a prompt is displayed, indicating
that the network is disconnected.
7.2 SUPER-VLAN
7.2.1 Introduction
SUPER-VLAN: implements the one-armed routing function, which allows the traffic of each VLAN to be routed
to and from a specified intranet port without sub interface configuration.
7.2.2 SUPER-VLAN Settings
You can enable and configure the SUPER-VLAN function on this page.
Procedure
(1) Choose Network > SUPER-VLAN > SUPER-VLAN Settings.
(2) Select Enable.
(3) Set Max Online Users Per VID.
123
Max Online Users Per VID: maximum number of online users allowed by a VLAN, which ranges from 1 to
1000.
(4) Set the VID for the intranet port.
Select the intranet port to be configured. The corresponding configuration item is displayed below. The VID
ranges from 1 to 4085. The VIDs for two interfaces cannot overlap. For example, if a VID of 1–1000 is
configured for one port, only a VID out of the range of 1–1000 can be configured for the other port (for
example, a VID of 500–600 cannot be configured).
(5) Click .
7.2.3 SUPER-VLAN Users
Procedure
(1) Choose Network > SUPER-VLAN > SUPER-VLAN Users.
(2) Check the current information on this page, as shown in the following figure.
7.3 Route/Load
7.3.1 Introduction
 Routes are classified into policy-based routes and common IP-based routes, which can be used as the basis
for packet forwarding. When the policies exist simultaneously, the priority levels are in descending order for
the policy-based route, static route, and default route.
 Load balancing: Generally, a network egress interface is connected to two or more carrier links. For example,
a campus network egress interface is generally connected to CERNET and China Telecom/CNC lines, and
a government extranet egress interface is generally connected to China Telecom and CNC lines. Multiple
carrier links share traffic or function as backups according to certain policies, which is known as multi-link
load balancing.
7.3.2 Policy-Based Route
Policy-based routing is a data packet routing and forwarding mechanism, which is more flexible than destination
network–based routing. When policy-based routing is applied, the device will determine how to process packets
to be routed according to a route diagram, which determines the next hop forwarding device for packets.
To apply policy-based routing, you must specify the route diagram to be used for policy-based routing and create
the route diagram. A route diagram consists of many policies, each of which defines one or more matching rules
124
and corresponding operations. After policy-based routing is applied to an interface, all packets received by the
interface will be checked. Packets that do not conform to any policy in the route diagram will be processed
according to the common routing and forwarding mechanism, and packets that conform to a policy in the route
diagram will be processed according to the operations defined in the policy.
Procedure
(1) Choose Network > Route/Load > Policy-Based Route.
(2) Set related configuration items.
a Select the interface that requires a policy.
b Set Policy Priority.
c Set ACL ID (the ACL is used to specify the data stream matched by the policy-based route). You can
click for ACL adding. For detailed operation, see 6.7 ACL.
d Set the next hop address.
If you select Interface and select an interface from the drop-down list, the router address of this interface
is used as the next hop address for routing. If you select Next Hop Address, be sure to enter an IP
address in the text box.
e Click .
Follow-up Procedure
 Select the interface and view the generated policy-based route under Policy-Based Route List.
125
 Editing: Click in the policy-based route list and modify the corresponding policy-based route.
 Deletion: Click in the policy-based route list to delete the corresponding item. You can click
in the upper right corner of the configuration page to delete all policy-based routes from the
corresponding group.
7.3.3 IP-Based Route
Common IP-based routing enables transmission of packets to the specified destination network according to the
predetermined path. When Ruijie's products cannot learn the routes of some destination networks, it is important
to configure a static route. It is common practice to configure a default route for all packets that do not have an
exact route.
Common IP-based routes include static routes, and default routes, where default routes have the lowest priority.
Procedure
(1) Choose Network > Route/Load > IP-Based Route.
The table in the preceding figure lists the static routes and default routes configured in the system. You can set
to filter out the static routes or default routes only.
(2) Click .
126
(3) Set configuration items related to the static route.
 Dest Network: destination network segment of the route.
 Submask: mask of the destination network segment.
 Outbound Interface: egress interface of the route.
 Next Hop IP: ingress interface address of the next route (router).
 Route: specifies the routing priority. If it is set to Primary Route, the primary route is given the top priority. If
it is set to Backup Route-N, a smaller N value indicates higher priority.
(4) Click .
Follow-up Procedure
 View the generated common route.
 Click to delete a static route.
 Click . The window shown in the following figure is displayed.
127
Set Outbound Interface, Next Hop Address, and Route, and click to configure a default route.
Click to delete a default route.
7.3.4 Multi-link Load Balancing
This function allows appropriate traffic distribution on multiple links according to certain policies, improving the
efficiency of link resource utilization.
Procedure
(1) Choose Network > Route/Load > Load Balance.
128
(2) Select Enable.
(3) Click Save.
Follow-up Procedure
Click to view the effect of load balancing.
7.4 DNS Configuration

7.4.1 Introduction
The Domain Name System (DNS), a distributed database on the Internet that provides mutual mapping between
domain names and IP addresses, makes it easier for users to access the Internet without having to memorize
IP strings that can be directly read by machines. Domain name resolution (or host name resolution) is a process
where the IP address corresponding to a given host name is finally obtained.
DNS configuration includes DNS server configuration and DNS proxy configuration.
7.4.2 DNS Server
129
This function allows the configuration of the DNS server address of the device, similar to the preferred DNS
server address of the PC.
Procedure
(1) Choose Network > DNS Settings > DNS Server.
(2) Set the IP address of DNS server 1.
(3) (Optional) Click to set the IP address of DNS server 2 if you need to configure multiple servers.
(4) Click .
Configuration Verification
Pinging www.google.com is used as an example to illustrate the effect of DNS server configuration.
 When the DNS server address is not configured, www.google.com cannot be pinged using the device
because the device cannot resolve the domain name www.google.com.
 www.google.com can be pinged only when an available DNS server address is configured.
7.4.3 DNS Proxy
A DNS proxy is typically deployed between the DNS server and the user's PC, functioning as a proxy for the
DNS server to process the user's domain name resolution requests.
Procedure
(1) Choose Network > DNS Settings > DNS Proxy.
(2) Click the Basic Settings tab and set related configuration items.
130
a Select the intranet ports for which the DNS proxy function needs to be enabled.
b Select the extranet port to be connected to the DNS server and set the DNS server address for the
corresponding line.
c Click .
d View the DNS proxy statistics below.
131
(3) Click the DNS Whitelist tab and set the configuration items related to DNS proxy exclusion.
This function is used to set some special resources (including the IP address and DNS server) that do not need
to be affected by the DNS proxy function.
Set Type to IP/IP Range or DNS Server, enter the corresponding IP address in the text box, and click .
The configurations will be displayed in the table below.
7.5 VPN Configuration

7.5.1 Introduction
A Virtual Private Network (VPN) is not a real physical link, but a virtual line simulated through technical means.
Through a VPN, a virtual private data transmission channel can be established between two nodes on the
Internet, where the information transmitted to each other will not be interfered with or eavesdropped.
7.5.2 VPN Server (Headquarters) Configuration
The following figure shows the configuration page for the first VPN configuration.
132
(1) Click Configure on the right. In the window shown in the following figure, select Headquarter and click Next.
(2) Select a branch type according to the access terminal type. Select Mobile User for a mobile terminal of an
individual user, and Branch for an egress router of a branch. Click Next.
133
(3) Set the VPN type as required. Configuration steps vary with the VPN types. Click Next. The next configuration
page is displayed. In the following content, the L2TP IPSec type is used as an example.
PPTP/L2TP: supports access authentication without data encryption.
IPSec: support data encryption.
L2TP IPSec: supports access authentication and data encryption.
134
(4) On the page corresponding to Configure Basic Information, set basic parameters about the VPN
headquarters.
○ Client IP Range: tunnel IP addresses assigned to the VPN clients. The number of IP addresses
determines the number of VPN clients that can be connected.
○ DNS Server: Set the DNS server address when a VPN client needs to access the LAN through the
domain name, which is the same as the address of the LAN DNS server.
○ Click and set the following configuration items:
135
○ Local Tunnel IP: tunnel IP address used by the local device when a remote client establishes a VPN
tunnel with the local device using PPTP or L2TP. The first IP address in the client address range is used
by default.
○ PPTP Keepalive Interval: If you set the interval, the local device will proactively detect the tunnel status
if it does not receive any legal packets from the peer end of the tunnel within this interval. The default
interval 60s is recommended.
○ L2TP Keepalive Interval: interval for tunnel control message retransmission. If there is no session within
this interval, the tunnel will be automatically cleared. The default interval 600s is recommended.
○ L2TP Verification Code: Verification is not required for L2TP tunnel establishment by default. If
verification is required, both ends of the L2TP tunnel must be configured with the same verification
password.
○ Allow HQ to Access Branch: For headquarters access to the branch intranet, you must plan in advance
the tunnel IP address of each branch dialing into the headquarters and the intranet segment of each
branch. Click , hover your mouse over , and set basic information in the table in the
Config Wizard window, as shown in the following figure.
Click Next. The next configuration page is displayed.
(5) On the configuration page corresponding to Manage Account, configure user information for user
authentication of clients attempting remote PPTP or L2TP access to the local device, as shown in the
following figure. Select Local Device or Other System under Save Account on.
If you select Local Device, the configuration page shown in the following figure is displayed, where the table
lists the user name and password information that has been configured on this device. You can click
136
or in the Action column for modification or deletion. You can also click
for user name and password adding.
If you select Other System, you can manage user information through a third-party server.
(6) Set IPSec-related parameters on the configuration page shown in the following figure. (L2TP IPSec is a
combination of L2TP and IPSec. If you select Headquarter and L2TP IPSec, this operation is mandatory in
addition to L2TP-related parameter setting on the pages corresponding to Configure Basic Info and
Manage Account.)
137
○ Pre-shared Key: key that must be correctly entered on the mobile user or branch side for successful
dial-in.
○ Interface: For each interface through which IPSec communication will pass, an encrypted mapping set
needs to be configured (the set associates the transform sets with data streams, describes the address
of the peer end and the required parameters for communication, and completely describes what is
required for IPSec communication with the remote peer. Encrypted mapping entries are required for an
IPSec security association.) Extranet ports that have been configured for the device are listed, which are
selected by default.
○ IKE Policy: Set Encryption Algorithm, Hash Algorithm, and DH Group for IKE. To ensure successful
IKE negotiation, the two parties engaged in IKE negotiation must have at least one set of consistent IKE
policy.
○ Transform Set: combination of specific security protocols and algorithms. During IPSec security
association negotiation, the two parties use the same transform set to protect specific data streams.
○ IPSec Lifetime: When the life cycle of the tunnel establishment ends, the two parties will automatically
renegotiate for tunnel establishment, which can effectively prevent the tunnel from being cracked. The
default lifetime 1 hour is recommended.
When IPSec VPN headquarters-related parameters are set, the page shown in the following figure is displayed.
The basic parameters are generally the same as those on the configuration page shown in the preceding figure
(an example for L2TP IPSec), except that the Network table is added. You can configure the IP addresses in
the specified network segment to be encrypted for mutual access through the IPSec tunnel between the
headquarters and the branch in this table.
138
(7) Click Next. The page shown in the following figure is displayed.
Click Finish in the lower right corner to complete VPN configuration for the headquarters. Before clicking Finish,
click to check and record the corresponding VPN configurations required for the branch, as shown
in the following figure.
139
You can also click the content corresponding to Configuration Step for a reference guide on how to connect a
mobile user's PC to the VPN server (headquarters).
7.5.3 VPN Client (Branch) Configuration
(1) Click .
140
(2) Select Branch and click Next.
(3) Set the VPN client parameters.
○ VPN Type: Set it to L2TP IPSec, L2TP, or IPSec.
○ HQ Public IP: public IP address of the VPN server (headquarters).
○ Pre-shared Key: the same as that configured for the VPN server (headquarters), which can be obtained
from the VPN server (headquarters) administrator.
○ User Name/Password: user name/password for login to the VPN.
○ HQ Network: intranet network segment of the headquarters to be accessed.
141
○ Advanced Settings: includes IKE Policy, Transform Set, and Allow HQ to Access Branch, which
must be set the same as those for the VPN server (headquarters).
(4) Click Next. The page shown in the following figure is displayed. Wait for a period of time. A prompt indicating
successful connection or connection failure is displayed. If the connection is successful, click Finish in the
lower right corner to complete VPN configuration for the branch.
7.5.4 VPN Configuration Management
1. Topo
After VPN configuration, the configuration page shown in the following figure is displayed.
142
You can view the location of the local device in the topology area, where the device with "(local device)" is the
one currently under configuration, as shown by in the preceding

figure. You can click this icon to view and modify VPN configuration information about the local device. In the
topology, gray devices indicate disconnected users or devices, gray lines indicate VPN channels where
connection is not successfully established, and blue devices/lines indicate successfully connected VPN
devices/channels.
The device above the local device indicates the headquarters to which the local device is connected when it is
used as a VPN branch. Click to add the headquarters to which the local device is to be connected
when it is used as a VPN branch. You can perform the configuration for multiple times. The local device can be
connected to a maximum of nine VPN headquarters. For details about the configuration, see 7.5.3 VPN Client
(Branch) Configuration.
The devices below the local device indicate the devices connected to the local device when it is used as the
VPN headquarters. If the local device is used as the L2TP or L2TP IPSec VPN headquarters,
is displayed. You can click it to add an account.
If the current device is only configured as a VPN branch, as shown in the following figure, you can click
to configure the local device as the VPN headquarters. For details, see 7.5.2 VPN
Server (Headquarters) Configuration.
143
2. Table
As shown in the preceding figure, the first table lists the information about the headquarters to which the local
host is connected when it is used as a VPN branch; the second table lists the information about the branches
connected to the local host when it is used as the VPN headquarters.
You can click to view and modify VPN configuration information about the local
device. You can click to add multiple headquarters to which the local device is to be connected
when it is used as a VPN branch. You can click to add user information. You can click the
corresponding icon in the Action column of the table to view/modify/delete

information about the selected user.
3. View headquarter configuration/View branch configuration
Click the local device icon on the Topo tab page or click Manage Local Config on the Table tab page. The
window shown in the following figure is displayed. You can view the VPN configuration information about the
local device.
144
If is blue, the configuration information about the device that is
used as the VPN headquarters is displayed. In this case, click . The

configuration information about the device that is used as a VPN branch is displayed, as shown in the following
figure.
145
If the local device used as a VPN branch is connected to multiple devices, there are multiple tabs above VPN
Parameters, as shown by . In this case, the VPN configuration about the local device
connected to headquarters 1 is displayed. You can click . The VPN configuration about the local
device connected to headquarters 2 is displayed.
You can click to modify the current VPN configuration information, as shown in the following figure.
146
Click .
You can click to clear the current VPN configuration information. For example, if the HQ2
tab is clicked, the local device will be disconnected from headquarters 2.
4. Mobile User
When the local device is configured as the VPN headquarters, you can view the mobile user configuration
information on the VPN monitoring page, as shown in the following figure.
Click . The mobile user management page is displayed, as shown in the following figure. You can view,
modify, or delete information about a specific user and click for mobile user
management.
147
7.6 NAT/Port Mapping

7.6.1 Introduction
Network Address Translation (NAT) allows an entire organization to appear on the Internet with a common IP
address. As the term implies, it is a technology that translates internal private network addresses (IP addresses)
into legal network IP addresses.
7.6.2 Port Mapping
The following two types of port mapping are available: port mapping and DMZ host mapping.
1. Port Mapping
Procedure
(1) Choose Network > NAT/Port Mapping > Port Mapping.
(2) Click Add, set Mapping Type to Port Mapping, set related configuration items, and click OK.
148
○ Internal IP: intranet IP address to be mapped to the extranet, which is generally the IP address of your
server.
○ Internal Port Range: port(s) to be mapped to the extranet.
○ External IP: WAN IP address. If Interface is set, all IP addresses at the extranet interface will be mapped.
○ External Port Range: ports on the WAN. The port number ranges from 1 to 65535.
○ Protocol Type: Select TCP or UDP as required.
You can click Example for configuration according to the example.
2. DMZ Host
Procedure
149
(1) Choose Network > NAT/Port Mapping > Port Mapping.
(2) Click Add, set Mapping Type to DMZ Host, set Internal IP and IP Address/Interface corresponding to
External IP, and click OK. When an incoming packet does not hit any port mapping rule, the packet is
redirected to the intranet server according to the DMZ rule. This indicates that all data packets proactively
sent from the Internet to the device are forwarded to the specified DMZ host.
7.6.3 NAT Rule
The function allows application of an ACL to a NAT address pool. That is, only addresses that match the ACL
will be translated.
Procedure
(1) Choose Network > NAT/Port Mapping > NAT Rule.
150
(2) Click Add.
○ ACL ID: No. or name of the ACL where this rule is applied.
○ Address Pool: destination address pool.
(3) Click OK.
7.6.4 NAT Address Pool
When there are multiple extranet IP addresses, you can add an address pool for the intranet IP address to
automatically select the extranet IP addresses in the address pool for translation.
Procedure
(1) Choose Network > NAT/Port Mapping > NAT Address Pool.
151
(2) Click Add Address Pool.
○ Address Pool Name: name of the address pool.
For address adding to an existing address pool, select the existing address pool, as shown by
○ WAN Port: Select the extranet port for address adding. In this case, the configuration items shown in the
following figure are displayed below.
Set Start IP and End IP. If there is only one IP address, set Start IP and End IP to the same IP address.
You can configure multiple network segments for one address pool, which cannot overlap.
(4) Click OK to save the configurations.
7.7 DHCP Configuration

7.7.1 Introduction
Dynamic Host Configuration Protocol (DHCP) is a network management protocol applied on the LAN. It works
using UDP and is widely used to dynamically allocate network resources that can be reused, such as IP
addresses. For smaller networks, DHCP makes subsequent network device adding easy and fast.
Using DHCP enjoys the following benefits:
 Reduced client configuration and maintenance costs
DHCP is easy to configure and deploy. For non-technical users, DHCP can minimize configuration-related
operations on the client and reduce remote deployment and maintenance costs.
 Central management
152
The DHCP server can be used to manage the configuration information about multiple network segments. When
the configurations of a network segment change, the administrator only needs to update related configurations
on the DHCP server.
The NBR series router device can function as a DHCP server to provide IP addresses for intranet users.
7.7.2 Settings
Choose Network > DHCP > Settings.
 Set DHCP to ON.
 Add a DHCP entry.
Click Add DHCP in the upper left corner and set related parameters in the Add DHCP window.
153
○ Pool Name: address pool name.
○ Subnet: network segment for assignment.
○ Mask: subnet mask. The range of IP addresses to be assigned is determined by the values of Subnet
and this parameter.
○ Default Router: default router for assignment.
○ Lease Time: address lease period. After the lease period expires, IP addresses will be reclaimed without
renewal.
○ DNS Server: DNS server address for assignment.
○ Option 43: When the AC (wireless controller) and the AP are not on the same LAN, the AP cannot detect
the AC through broadcast after obtaining an IP address from the DHCP server. To enable the AP to
detect the AC, you need to configure Option 43 information carried in the DHCP response packet on the
DHCP server.
○ Option 138: Similar to Option 43, when the AC and AP are not on the same LAN, you can configure
Option 138 to enable the downlink AP to obtain the IPv4 address of the AC.
 Delete DHCP configuration entries in batches.
Select the DHCP configuration entries to be deleted and click Delete Selected DHCP.
154
 Configure the network segments excluded from assignment.
Click Excluded Address Range, set Excluded IP Range1, and click Save. You can configure multiple such
network segments.
 Modify a DHCP configuration entry.
Click Edit corresponding to a DHCP configuration entry. In the window that is displayed, modify related
information.
155
 Delete a DCHP configuration entry.
Click Delete corresponding to a DHCP configuration entry. In the confirmation window that is displayed, click
OK for deletion.
7.7.3 Static Address
Choose Network > DHCP > Static IP Address.
156
 Add a static address entry.
Click Add Static Address in the upper left corner. In the window that is displayed, add static address bonding
to assign a fixed IP address to the specified host.
 Delete static address entries in batches.
Select the static addresses to be deleted and click Delete Selected Address.
157
 Modify a static address entry.
Click Edit corresponding to a static IP address entry. In the window that is displayed, modify related information.
 Delete a static address entry.
Click Delete corresponding to a static IP address entry. In the confirmation window that is displayed, click OK
for deletion.
7.7.4 User List
 Bind MAC to Dynamic IP
158
In the list, select the entry for bonding, and click Bind MAC to Dynamic IP.
 Search by IP Address
Enter the IP address to be queried in the text box. Click Search. The search result that matches the criterion is
displayed in the list.
1.2 Line Escape

7.7.5 Introduction
This function is used to detect whether the line is normal periodically. When an exception occurs, the line is
disabled in a timely manner so that the application traffic can go out from normal lines.
7.7.6 Line Traffic Escape
Precautions
 The configuration is at high risk. Whether the line is normal is checked. In case of a line exception, the
network connection may fail.
 Interface enabling and disabling is at high risk. Exercise with caution.
Procedure
(1) Choose Network > Line Escape > Line Traffic Escape.
(2) Set Line Detection to Enable to enable one-click line traffic escape.
(3) Expand Advance and set the advanced configuration items.
159
(4) Click Save.
7.7.7 Escape Log
This operation allows you to view the recent escape logs.
Procedure
(1) Choose Network > Line Escape > Escape Log.
(2) View escape log details, including the ID, time, type, and specific information.
160
Web-based Configuration Guide Firewall
8 Firewall
The firewall feature can detect multiple types of network-layer attacks and take measures based on the
configured policy to protect the internal network from malicious attacks, thereby ensuring the normal operation
of the internal network.
Note
 The NBR6205-E, NBR6210-E and NBR6215-E enterprise-class routers support the firewall feature.
 The NBR6120-E enterprise-class router does not support the firewall feature.
8.1 Attack Defense Configuration

The router is usually deployed on the intranet egress. Both normal service traffic and malicious attack traffic
pass through the router. You can enable the attack defense function and configure corresponding policies to
detect and block the attack traffic passing through the router, ensuring the safety of the internal network.
Attack defense configuration supports the protocol policy, zone policy, and global defense policy, which are
prioritized in a decreasing order.
8.1.1 Attack Defense Feature
The attack defense feature is used to display the menu and configure the attack defense. Only when you enable
the feature can you view and configure the attack defense feature. If the attack defense is enabled, the device
and the internal network will be defended according to the predefined policies. You can add new defense policies
as required.
Procedure
(1) Choose Firewall > Attack Defense Config > Attack Defense.
(2) Select Enable to enable the attack defense feature and click Save.
8.1.2 Global Defense
Global defense is designed to defend the router. The global defense limits the establishment speed of sessions
to ensure efficient utilization of router resources. You can enable global defense to prevent resource exhaustion
attacks or DoS attacks.
Procedure
(1) Choose Firewall > Attack Defense Config > Global Defense.
161
(2) Click Start and the device will obtain an optimal protection threshold that fits the current network through
automatic learning.
Caution
 To guarantee better effects of the learned policy, please ensure that the automatic learning period
includes the traffic peak period.
 The default learning period is seven days. You can suspend the learning period or set a new period as
required.
 You are advised to make the device relearn and apply new learning results after the network is changed.
(3) After global defense policy learning is completed, click Apply learning results. Adjust the threshold based
on the network conditions and learning results.
162
(4) Click OK after the configuration is completed.
8.1.3 Protocol Policy
Protocol policies can defend against attacks for vulnerabilities of the protocol operating mechanism. The device
will filter protocol packets with attack characteristics if the corresponding protocol is enabled.
Procedure
(1) Choose Firewall > Attack Defense Config > Protocol Policy.
(2) Click to enable the defense policy as required to make the specified policy take effect.
8.1.4 Zone Policy
A defense zone is a collection of clients that have the same defense requirements. You can group clients with
different defense requirements into corresponding defense zones to defend the clients based on groups and
manage them separately. You can configure defense policies for specified zones respectively to defend the client
precisely.
Procedure
163
(1) Choose Firewall > Attack Defense Config > Zone Policy.
(2) Click Configure Now to enter the Config Wizard for Creating a New Defense Zone page.
(3) Enter the security zone name, description and the protected client range, and click Next.
Note
The protected client range supports a single IP address (example: 1.1.1.1), subnet bit length (example:
1.1.1.0/24), or subnet mask (example: 1.1.1.0/255.255.255.0). Enter the protected client range and click Add
to enter another range.
(4) Select policy configuration mode as required and click Finish.
164
(5) If you select Auto Learning for the policy configuration mode, follow the procedure to configure the policy. If
you select Manual Config, you can skip the procedure.
a Click Apply learning results after leaning to enter the Apply learning results page.
b Configure the threshold based on the learning results and the actual conditions of the defense zone.
Note
As the traffic monitoring function consumes some of device performance. You are advised to disable the
traffic monitoring function after the defense zone policy works smoothly to ensure that the device can
achieve the maximum service processing capacity.
165
c Click OK after the configuration is completed.
(6) If you select Manual Config for the policy configuration mode, follow the procedure to configure the policy.
If you select Auto Learning, you can skip the procedure.
Note
As the traffic monitoring function consumes some of device performance. You are advised to disable the traffic
monitoring function after the defense zone policy works smoothly to ensure that the device can achieve the
maximum service processing capacity.
(7) (Optional) For a trusted source IP address, you can add it to the whitelist to bypass the detection of the device
and the traffic of this source IP will not be affected. Click Config of the whitelist to access the Configure
166
Whitelist page, enter the source IP address, the subnet mask, select the protocol type and the designation
port range, and click Add.
Note
 The whitelist is valid only for this defense zone.
 The whitelist overrides the blacklist. If an IP address is added to a whitelist and a blacklist simultaneously,
the whitelist is valid.
(8) (Optional) For an untrusted source IP address, you can add it to the blacklist. The traffic to or from the
blacklisted client will be blocked by the device. Click Config of the blacklist to access the Configure Blacklist
page, enter the client IP address, and click Add.
Note
 The blacklist is valid only for this defense zone.
 The whitelist overrides the blacklist. If an IP address is added to a whitelist and a blacklist simultaneously,
the whitelist is valid.
167
(9) (Optional) Click Config of the attack log to enable logging and printing of the specified type of policy. Select
the log types as required, and click OK.
8.2 Security Zone Configuration

A security zone is a logical concept that the objects in a security zone have same security requirements, security
access control, and border control policies. You can group multiple interfaces or IP addresses with the same
security requirements on the device into the same security zone to implement hierarchical management of
policies and precise protection. For example, the subnet A is connected to the interface 1 of the router device
which belongs to the security zone 1, and the subnet B is connected to the interface 2 of the router device which
belongs to the security zone 2. You can only configure the access policy between the security zone 1 and the
security zone 2 to perform the access control on the subnet A and the subnet B.
8.2.1 Enabling the Security Zone Feature
The security zone feature is used to display and configure the security zone menu. You can enable this feature
to view and configure the security zone and related policies.
168
Procedure
(1) Choose Firewall > Security Zone Config > Security Zone Feature.
(2) Select the security zone feature and click Save.
8.2.2 Security Zone
The device supports creating a security zone based on the IP address (IPv4 only) or the device interface. You
cannot use the two types of security zones simultaneously. The existing security zone and zone policies will be
cleared if you switch the creating mode. An interface-based security zone is created by default.
The default access rules between different security zones are as follows.
 The clients or interfaces in the same security zone cannot access each other.
 The security zone of higher priority can access the security zone of lower priority, but not vice versa.
 The security zones of the same priority cannot access each other.
If the zone policy and the global policy are configured, the device will process the packets based on the access
control rule of the zone policy and the global policy. Otherwise, the device will process the packets based on the
default access policy.
1. Interface-based Security Zone
After the interfaces are grouped into a security zone, when a packet reaches the device, the device will identify
the source interface and the destination interface of the packet, match the interface of the packet with the
interface associated with the security zone to determine the source security zone and the destination security
zone to which the packet belongs, and then forward or block the packet according to the access policy between
security zones or the default access policy.
The default security zone is predefined by the device and cannot be deleted. Interfaces that are not grouped
into specified security zones will be assigned to the default security zone.
Procedure
(1) Choose Firewall > Security Zone Config > Security Zone.
(2) Click Add to access the Create Interface-based Security Zone page.
Note
The device will display the page of the interface-based security zone by default. If not, you can click Switch to
enter the page of the interface-based security zone.
169
(3) Enter the security zone name and description. Click Select to select the interfaces belonging to this security
zone. Enter the security zone level, select whether to allow intra-zone communication and click OK.
Note
The security zone level is the priority. The higher value indicates higher priority. By default, the security zone
with a high priority can access the security zone with a low priority, but not vice versa. The security zones of the
same priority cannot access each other.
170
2. IP-based Security Zone
After the IP addresses are grouped into a security zone, when a packet reaches the device, the device will
identify the source IP address and the destination IP address of the packet, match the IP address with the ACLs
associated with the security zone to determine the source security zone and the designation security zone which
the packet belongs to, and then forward or block the packet according to the policy between the security zones
or the default access control rule.
The default security zone is predefined by the device and cannot be deleted. IP addresses that are not grouped
into specified security zones will be assigned to the default security zone.
Procedure
(1) Choose Firewall > Security Zone Config > Security Zone.
(2) Click Switch to access the Switch Security Zone Creation Mode page.
(3) Select IP Address and click OK.
(4) Click Add to access the Create IP-based Security Zone page.
171
(5) Enter the parameters of the IP-based security zone and click OK.
Parameter Description
Security Zone
The unique identifier of the security zone.
Name
Description The description of the security zone
172
Indicate the client IP range of the security zone. You can enter a single IP
Protected address (example: 1.1.1.1), a subnet or mask length (example: 1.1.1.0/24), a
Client Range subnet or mask (example: 1.1.1.0/255.255.255.0) or any. Enter a protected
client range and click Add to enter another range.
Indicate the IP address that does not belong to the security zone. For
Exception
example, add the subnet 1.1.1.0/24 to a security zone, except for the IP
Client Range
address 1.1.1.1 in this subnet. You can add it to the exception client range.
The security zone level is the priority. The higher value indicates higher priority.
Security Zone By default, the security zone of higher priority can access the security zone of
Level lower priority, but not vice versa. The security zones of the same priority cannot
access each other.
Allow Intra-
Select whether the IP addresses in the security zone are allowed for intra-
zone
zone communication.
Communication
8.2.3 Global Policy Configuration
The global access policy is used to control whether to allow the intra-zone communication, whether to allow the
communication between security zones of the same priority, whether to generate a log when connections are
established and canceled after the security zone policy is matched, and whether to generate a log when the
packet is discarded due to the violation of the security zone access policy.
The priority of the global policy is higher than the default access policy.
Procedure
(1) Choose Firewall > Security Zone Config > Global Policy Config.
(2) Select the configuration items as required and click Save.
8.2.4 Zone Policy Configuration
The zone policy function is used to control whether to allow the inter-domain communication.
After the packet reaches the device, the device will identify the source security zone and the destination security
zone to which the packet belongs based on the packet characteristics. If the source security zone is not equal
to the destination security zone, it is an inter-domain access, and the packet is forwarded according to the zone
policy. If the zone policy is not configured, the packet will be processed according to the global policy or the
173
default access policy. If the source security zone is equal to the destination security zone, it is an intra-domain
access, and the packet will be processed according to the security zone configuration.
The zone policy varies with the security zone creation mode. That is, if the creation mode is switched from the
interface-based mode to the IP-based mode, the zone policy page will also switch to the IP-based security zone
policy configuration page and the existing zone policy will be invalid and deleted, and vice versa.
The priority of the zone policy, the global policy and the default access policy is in a decreasing order.
1. Creating an Interface-based security zone policy
The interface-based security zone policy is not configured by default.
Prerequisite
Select the Interface mode for security zone policy configuration.
Procedure
(1) Choose Firewall > Security Zone Config > Zone Policy Config.
(2) Click Add to access the Add Policy page.
(3) Configure the policy parameters according to the following information and click OK.
174
Configuration Item Parameter
Control the access between the designated source security zone and
Source Security Zone
the destination security zone.
Dest Security Zone
Indicate the policy priority. The lower value indicates the higher priority.
SN The policy of higher priority is matched preferentially if multiple zone
policies are configured.
Description The description of the zone policy.
Access control for packets from the designated source IP address. Click
Source IP IP Resource Configuration to add a new IP address object. For
details, see 1.4 IP Resource Configuration.
Access control for the packets to the designated destination IP address.

Dest IP Click IP Resource Configuration to add a new IP address object. For
details, see 1.4 IP Resource Configuration.
Access control for the packets from the selected service type. Click
Select Service Service Resource Configuration to add a new service object. For
details, see 1.5 Service Resource Configuration.
Filter Action The action executed on the packets matching with the zone policy.
Time Span The time span in which the policy takes effect.
Indicate whether to enable the policy. Only an enabled zone policy will
Enable Policy
match with the packet.
2. Creating an IP-based Security Zone Policy
The interface-based security zone policy is not configured by default.
Prerequisite
Select the IP mode for security zone policy configuration.
Procedure
(1) Choose Firewall > Security Zone Config > Zone Policy Config.
(2) Click Wizard to access the Create security zone policy page.
175
(3) Configure the policy parameters according to the following information and click Next.
Source Security Zone
Dest Security Zone
Description The description of the zone policy.
Indicate the policy priority. The lower value stands for the higher priority.
Rule SN The policy of higher priority is matched preferentially if multiple zone
policies are configured.
176
Indicate the mode of matching packets, which supports matching

Policy Config Mode
packets based on the IP range or ACL rules.
(4) Configure the IP range according to the following information and click Finish. If you select Cite ACL Policy
for the policy configuration mode, skip this procedure and move on to next step.
Note
After the IP range is configured, the access is allowed or blocked according to the ACL policy with which the IP
range matches.
Access control for the packets from the designated source IP address.
You can enter a single IP address (example: 1.1.1.1), a subnet or mask
Source IP Range length (example: 1.1.1.0/24), a subnet or mask (example:
1.1.1.0/255.255.255.0) or any. Enter a source IP range and click Add to
enter another range.
177
Access control for the packets to the designated destination IP address.

You can enter a single IP address (example: 1.1.1.1), a subnet or mask
Dest IP Range length (example: 1.1.1.0/24), a subnet or mask (example:
1.1.1.0/255.255.255.0) or any. Enter a source IP range and click Add to
enter another range.
Transport Protocol Access control for the packets of the selected protocol.
Indicate the time span in which the policy takes effect. Click Time Span
Select Effective Time
Management to select a time span.
(5) Configure the ACL policy according to the following information and click Finish. If you select IP Range for
the policy configuration mode, skip this procedure.
a Click Select to select configured ACL policy. If there is no available ACL policy, click Manage to create an ACL
policy.
b Click Add ACL to access the Add ACL page.
178
c Select the ACL type, enter the ACL name or the ACL number and click OK.
d Select the created ACL and click Add ACE to access the Add ACE page.
179
e Configure the ACE according to the following information and click OK.
Configuration
Parameter
Item
Access
Access control for the packets matching the ACE.
Control
Indicate the time period in which the ACE takes effect. Click the drop-down list
Time Period
box to select a time period.
Access control for the packets from or to the designated IP address. You can
enter a single IP address (example: 1.1.1.1), a subnet or mask (example:
IP Address
1.1.1.0/255.255.255.0) or a wildcard (example: 1.1.1.0/0.0.0.255). If you select
Any IP Address, the packets from all IP addresses will match the ACE.
f After the ACE is configured, close the ACL Management page. Click Select on the Create security zone policy
page to access the Please select the ACL policy from the table page.
180
g Click Refresh, select the created ACL policy and click OK.
h Click Finish.
181
8.3 Defense Zone Monitoring

8.3.1 Zone Running Status
The function is used to display the basic information and traffic statistics of each defense zone.
Prerequisite
The defense zone policy is configured. For details, see 1.1.4 Zone Policy.
Procedure
(1) Choose Firewall > Defense Zone Status > Zone Running Status.
(2) Select a defense zone, and its basic information, running status and traffic statistics will be displayed on the
right of the page.
182
8.3.2 Current Attacks
The function is used to display the current attacks in each defense zone, and filter the attack information based
on attack types or protocol types.
Prerequisite
The defense zone policy is configured. For details, see 1.1.4 Zone Policy.
Procedure
(1) Choose Firewall > Defense Zone Status > Current Attacks.
(2) Select a defense zone. By default, the current attacks in the selected defense zone will be displayed by attack
types on the right of the page.
(3) (Optional) Click the drop-down list box of Protocol Type and select another protocol. Click Search to display
the attack information based on protocol types.
8.3.3 Viewing Firewall Traffic
The function is used to display global defense information.
Prerequisite
Global defense is configured. For details, see 1.1.2 Global Defense.
Procedure
(1) Choose Firewall > Defense Zone Status > View Firewall Traffic.
183
(2) Click Global Defense Statistics to view defense traffic statistics.
(3) Click Statistics of Overall Discarded Packets to view the statistics of the discarded packets based on the
defense policy.
8.4 IP Resource Configuration

The IP resource function must work with other functions instead of working independently. For example, when
configuring the inter-domain policy, you can implement access control on the packets of the designated source
IP address in the source security zone.
8.4.1 Host IP Address
The host IP address is a single IP address. The administrator can configure a proper name for a single IP
address to identify the device with the IP address quickly.
Procedure
(1) Choose Firewall > IP Resource > Host IP.
(2) Click Add.
(3) Enter the name, description and the IP address, and click Add. If you need multiple IP addresses, you can
enter other IP addresses and click Add.
184
(4) Click OK.
8.4.2 IP Range
IP range indicates a range of multiple IP addresses, such as 1.1.1.1 to 1.1.1.10. The administrator can configure
a proper name for an IP range to identify the device with the IP address within the range quickly.
Procedure
(1) Choose Firewall > IP Resource > IP Range.
(2) Click Add.
(3) Enter the name, description and the IP range. If there is an excluded IP address, enter the excluded IP
address (only a single IP address is supported.) and click Add. If you need to add multiple excluded IP
addresses, enter other excluded IP addresses and click Add.
(4) Click OK.
185
8.4.3 Subnet IP Address
For example, 1.1.1.0/255.255.255.0 is a subnet IP address. The administrator can configure a proper name for
a subnet IP address to identify the subnet quickly.
Procedure
(1) Choose Firewall > IP Resource > Subnet IP.
(2) Click Add.
(3) Enter the name, description, the IP address or the mask. If there is an excluded IP address, enter the
excluded IP address (only a single IP address is supported.) and click Add. If you need to add multiple
excluded IP addresses, enter other excluded IP addresses and click Add.
(4) Click OK.
8.4.4 IP Group Configuration
An IP group is a collection of multiple IP addresses. You can put the host IP address, the IP range or the subnet
IP address with the same defense requirements into an IP group for convenient management.
Prerequisite
The host IP address, the IP range or the subnet IP address are configured.
Procedure
(1) Choose Firewall > IP Resource > IP Group Config.
(2) Click Add.
186
(3) Enter the name and description, select the members of the IP group as required, and click Add.
(4) Click OK.
8.5 Service Resource Configuration

The service resource is represented by protocol types and features. Protocol features are used to match the
upper layer protocols carried in the packets, such as the source port and the destination port of TCP and UDP,
the ICMP message type or message authentication code.
The service resource does not work independently but works with other functions. For example, you can
implement access control on the packets of a specified service when configuring the inter-security zone policies.
8.5.1 Customer Service
The device predefines common services. You can view the services on the Predefined Service page. If the
predefined services do not include the required service, you can configure the service resource by yourself.
Procedure
(1) Choose Firewall > Service Resource > User-defined Service.
(2) Click Add.
187
(3) Enter the name and description. Select the protocol, configure the parameters of the protocol and click OK.
Note
The parameters may vary with the protocols. The parameters displayed on the webpage prevails.
8.5.2 Service Group Configuration
A service group is a collection of multiple services. You can add the custom or predefined services with the same
defense requirements to a group for convenient management.
Procedure
(1) Choose Firewall > Service Resource > Service Group Config.
(2) Click Add.
(3) Enter the name and description. Select service group members as required and click Add.
188
(4) Click OK.
8.5.3 Predefined Service
The function is used to display predefined services.
Procedure
(1) Choose Firewall > Service Resource > Predefined Service.
(2) (Optional) Select a query item or enter a keyword and click Search to search for the service information you
need.
189
Web-based Configuration Guide Advanced
9 Advanced
9.1 System
9.1.1 Change Password
Web management password: For device configuration on the web page, the password is required for device
login. You can change the login password as the admin user on this page. After a new web management
password is set, the new password is required for re-login.
Telnet password: For device login and configuration using Telnet, the password is required.
Caution
 Be sure to keep the password after change in mind. Otherwise, login may fail next time.
 Only the Administrators group has permission to configure this page, that is, this page is visible only to
the admin user.
For device security, you are recommended to change the initial password of the device as soon as possible after
your first login.
Procedure
(1) Choose Advanced > System > Change Password.
(2) Enter the web management password or Telnet password based on the actual requirements and click Save.
190
9.1.2 Restart
Device restart takes about 1 minute. Do not perform any other operations during restart. The page will be
automatically refreshed after the restart is successful.
Prerequisites
All configurations have been saved before restart. Otherwise, unsaved configuration information will be lost after
restart.
Procedure
(1) Choose Advanced > System > Restart.
(2) Click Restart.
9.1.3 Factory Reset
Factory Reset: clears all the current configurations of the device and restores the device to the default factory
settings. To keep your existing configurations, export the current configurations on the Backup tab page first.
Procedure
(1) Choose Advanced > System > Factory Reset.
(2) Click Reset.
9.1.4 Backup
1. Export Config
Export Config: exports the current configurations of the device to a local computer for backup.
Procedure
(1) Choose Advanced > System > Backup.
(2) Click Export Config.
191
(3) Set the path for storing the configuration file and click Save.
2. View Config
View Config: views all configuration commands of the current device.
(1) Choose Advanced > System > Backup.
(2) Click View Config.
9.1.5 System Time
System Time: sets the system time of the device. The device supports the following two system time change
methods: manual change and synchronization from the time server. For the latter one, before time
192
synchronization from the Internet time server, choose Network > DNS Settings and set the DNS server correctly
to ensure network connectivity between the device and the time server.
Procedure
(1) Choose Advanced > System > System Time.
(2) Change the system time manually.
a Deselect Sync with Internet Time Server and Sync with Internet Time Server via Management Port.
Click the text box corresponding to Reset Time and set the date and time.
b Set Time Zone and click Save.
(3) Synchronize the time from the time server.
a Select Sync with Internet Time Server or Sync with Internet Time Server via Management Port.
Note
When the device is in bridge or router mode and can be connected to the extranet only through the
management port, Sync with Internet Time Server via Management Port must be selected.
When the server that comes with the system is configured as the time server, no additional DNS
configuration is required.
b Set Time Zone and click Save.
193
9.1.6 Enhancement
This page provides multiple function configuration entries in a centralized manner, and the individual functions
do not affect each other.
 Save Logs Locally: In the disabled state, logs are not stored on hard disks, but transmitted to the external
log server via the log service function.
 Prompt Upon Blocked Access: sets the prompt displayed when users access a blacklisted website. For
example, if you choose Behavior > Behavior Policy > Website Blacklist/Whitelist and specify
www.xxx.com as the blacklisted website, this prompt is displayed when users access this website.
 Traffic Audit Data Refresh Interval: sets the period for the device to generate traffic audit data in real time.
 Web Login Timeout: sets the login timeout interval. The default timeout interval is 60 minutes, that is, you
will be forced to log out of the system if you perform no web operation within 60 minutes upon login.
 Device Name: sets the device name. After changing the device name, you can choose Home > Dashboard
and check the updated device name.
Procedure
(1) Choose Advanced > System > Enhancement.
(2) Set one or more of the following functions as required:
○ Save Logs Locally: Deselect Disable and click OK. You need to restart the device for the configuration
to take effect.
○ Prompt Upon Blocked Access: Enter the prompt and click Save.
○ Traffic Audit Data Refresh Interval: Set Refresh Interval and click OK.
○ Web Login Timeout: Enter the interval and click OK. The configuration takes effect immediately.
194
○ Device Name: Enter the name and click OK. The configuration takes effect immediately.
9.1.7 SNMP
Simple Network Management Protocol (SNMP) allows the administrators to perform information query, network
configuration, fault locating, and capacity planning for nodes on the network for easy management.
Procedure
(1) Choose Advanced > System > SNMP.
(2) Set the SNMP configuration items and click Save.
Configuration Item Description
Currently, the options are V2 and V3. If it is set to V3, the encryption password and
SNMP Version
authentication password of the SNMP user are required for enhanced security.
195
Device Location Name used to identify your SNMP service.
SNMP Password Password used by the management host for connection to the current device.
Password for connection to the management host. In case of an alarm, the device
Trap Password
will also send alarm information to the management host proactively.
The inform message of the SNMP destination host requires support from the
SNMP Dest Host server. If a Ruijie ePortal server is used during association, enter the IP address of
the ePortal server. Use commas (,) to separate multiple IP addresses.
IP address of the management host that receives device alarm information. Use
Trap Recipient
commas (,) to separate multiple IP addresses.
9.2 Upgrade
Upgrade: performs upgrade to the new versions of the system software, web package, and signature database.
You can update the corresponding version as required. The upgrade takes about 50s. Do not close or refresh
this page before a prompt indicating successful upgrade is displayed. Otherwise, the upgrade may fail.
Prerequisites
An available DNS server has been configured before the functions, such as online upgrade and automatic
update, are used.
Procedure
(1) Choose Advanced > Upgrade.
(2) Set one or more of the following items according to the actual requirements:
○ Local Upgrade:
You can download the latest upgrade file from the Ruijie Networks official website to the local device for
device software version upgrade.
Click Choose File, select the upgrade file, and click Upgrade. The upgrade takes about 50s. Do not
perform any operations during upgrade. After a prompt indicating successful upgrade is displayed, click
OK.
○ Latest Software Version: If a new version is available, a message is displayed, prompting you to
196
perform upgrade. In this case, click Upgrade.
○ Online Upgrade Web Package: If a new version is available, a message is displayed, prompting you to
perform upgrade. In this case, click Upgrade.
○ Check For Latest Version: displays the version of the current device. Click Check For Latest Version.
The system automatically checks for the latest version released. If the current device is not of the latest
version, Upgrade is displayed. Click this button. The Application Class Database Version and URL
Database Version files are automatically downloaded to the device for upgrade.
○ Automatic Update: specifies the time for the system to check for the latest software and signature
database versions and perform automatic update.
Select Enable, set Update Time, and click Save.
9.3 Administrator
Administrator: used for device administrator adding. You can log in to the device on the web page for daily
maintenance or management, but cannot log in to the device using Telnet for command running as the
administrator.
Caution
You can view and edit this page only as the admin user.
Procedure
197
(1) Choose Advanced > Administrator.
(2) Click Add Admin. The Add Admin window is displayed.
(3) Set User Name, Password, and Confirm Password, and click OK.
9.4 One-Click Collection

One-Click Collection: collects fault information about the device for troubleshooting.
Procedure
(1) Choose Advanced > Issue Collection.
(2) Click One-Click Collection.
(3) In the displayed prompt window shown in the following figure, click OK.
198
(4) After the collection is completed, click Download. The generated package is downloaded, which facilitates
engineers' fault analysis.
9.5 Connectivity Detection

9.5.1 Ping Detection
Ping Detection: tests the network connectivity between the current device and the destination IP
address/domain name.
Procedure
(1) Choose Advanced > Connectivity Detection > Ping Detection.
(2) Set Dest IP/Domain Name and Repetition Times (1-10), and click Detect.
(3) Check the detection result. After the detection is completed, the detection result is displayed at the bottom of
the page.
9.5.2 Tracert Detection
Tracert Detection: views the network path traversed by this device to the destination IP address or domain
name.
199
Procedure
(1) Choose Advanced > Connectivity Detection > Tracert Detection.
(2) Set Dest IP/Domain Name and click Detect.
9.6 Central Management

Systems such as Ruijie Remote Auto-management Center (RAC) and Ruijie Cloud can be used to manage NBR
series router device in a centralized manner and monitor the device performance, VPN, traffic, and service
conditions on a global basis, significantly improving web management efficiency.
It is applicable to enterprises with headquarters and branches, and chain hotels where simultaneous
management of multiple router devices is required.
Prerequisites
Ruijie RAC or Ruijie Cloud has been deployed, with related configurations completed on Ruijie RAC or Ruijie
Cloud platform.
Procedure
(1) Choose Advanced > Central Management.
(2) Set Central Management to Enable, set Management Type, and set connection parameters.
○ When Management Type is set to Ruijie Cloud, set the parameter shown in the following figure.
○ When Management Type is set to RAC-SNC, set the parameters shown in the following figure.
200
(3) Click Save.
9.7 Screen Mirroring
Note
 The NBR6205-E, NBR6210-E and NBR6215-E enterprise-class routers support the screen mirroring
feature.
 The NBR6120-E enterprise-class router does not support the screen mirroring feature.
Screen mirroring allows you to mirror your smartphone to the TV screen. In the hotel industry, almost every room
in every hotel is equipped with a TV. Usually, the televisions and clients in a hotel are in the same local area
network, which may cause wrong or random casting of the TV screens. The television in the hotel will bring the
customer a bad experience if it only serves as a decoration.
The screen mirroring feature supported by RG-NBR series routers can address the above problem. As a
mirroring proxy, the router can bind the client to the TV in different LANs through isolating the networks of the
client and the TV to implement one-to-one screen mirroring in the hotel.
The screen mirroring feature is designed for the hotel scenario. This feature can work in some simple inter-
VLAN topologies.
Procedure
(1) Configure the IP range.
a Choose Advanced > Mirroring Service > IP RangeConfig.
201
b Click Add to configure the isolation segment and set the hotel TV segment.
c Click Save.
d Set the client segment in the same way. The following page displays the configuration. (The figure is only
an example.)
(2) Configure screen mirroring.
a Choose Advanced > Mirroring Service > Mirroring Config.
b Click to enable the screen mirroring feature and keep it ON.
202
c Select the matching mode as required. Click Add to bind the room number to the TV IP address or MAC
address.
Note
If you switch the matching mode, the existing configuration will be cleared. Please proceed with
caution.
A room number is bound to only one IP address or MAC address.
d Click Finish.
203
(3) (Optional) Configure advanced settings.
a Choose Advanced > Mirroring Service > Advanced.
b Choose to enable authentication for the screen mirroring feature and to enable other mirroring functions
as required.
Caution
You must click Save after configuring each item. Otherwise the configuration will not take effect.
204
(4) (Optional) Display the mirroring status.
a Choose Advanced > Mirroring Service > Status.
b Display the mirroring status of every room. You can search for the screen mirroring data based on the
room number, the TV IP, and the client IP or account.
9.8 VRRP
Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant routing protocol. VRRP adds a group of router
devices to a backup group called a virtual router, assigns a virtual IP address to the virtual router, and determines
the router that functions as the master for forwarding based on the election mechanism. Hosts on the LAN only
need to know the virtual IP address of this virtual router and set it as the IP address of the router to communicate
with the extranet through this virtual router.
VRRP adopts the active/standby mode. Generally, the master is responsible for packet forwarding. If the master
fails, a backup will take over the responsibility to ensure normal service traffic forwarding, which greatly
enhances link reliability.
Note
 The NBR6205-E, NBR6210-E and NBR6215-E enterprise-class routers support the VRRP feature.
 The NBR6120-E enterprise-class router does not support the VRRP feature.
Procedure
(1) Choose Advanced > VRRP > VRRP.
(2) Set Group ID, Group IP, and Priority, and click Add.
205
Interface Enables VRRP at the specified interface.
Group ID The value ranges from 1 to 255.
IP address of the virtual router, which is used by the hosts on the LAN as the
Group IP
default router.
A greater value indicates higher priority. The backup group with higher priority will
Priority function as the master routing device for packet forwarding. VRRP groups with
different priority levels have an active/standby relationship with each other.
(3) (Optional) You can add more VRRP groups as required.
9.9 System Log

9.9.1 Server Log
Server Log: sets Elog log system information. After device connection to the Elog log system, logs of specified
types can be sent to the Elog log system.
Prerequisites
Network connectivity is available between the device and the Elog log system.
Server Log has been enabled on the page under Home > Service.
Procedure
(1) Choose Advanced > System Log > Server Log.
206
(2) Set Log Upload Mode, Server IP, and Port, and configure information under Transmission Log Type.
(3) Click Save.
9.9.2 System Log
System Log: views and exports system logs.
Procedure
(1) Choose Advanced > System Log > System Log.
(2) Click Update to refresh log information, as shown in the following figure.
207
(3) Select Syslog Config Switch and click OK. Click Export Log to export system logs and download them to
the local device.
Caution
This step is mandatory for log export.
9.9.3 Syslog Server
Syslog Server: enables the device to send logs in Syslog format to the specified server periodically.
Prerequisites
Network connectivity is available between the device and the Syslog log server.
Configurations related to log receiving have been completed on the Syslog server.
208
Procedure
(1) Choose Advanced > System Log > Syslog Server.
(2) Set Syslog Server IP, Port, and Log send mode, and click Save.
Note
If Log send mode is set, only the logs of the selected types are sent to the Syslog server. Otherwise, logs of
all types are sent.
9.10 Log Policy

Log Policy: specifies whether to report the logs about users and IP addresses/IP segments to a third-party
server or the Elog log system, and the log types for reporting.
Procedure
(1) Choose Advanced > Log Policy.
(2) Click Add Policy.
(3) In the Add Policy window, set Policy Name, Log Type, and Associate Type (options: User and IP), and
corresponding information. Click Save.
Caution
 Server Log must be enabled on the page under Home > Service if you want to set Log Type to Order
82 Log or Elog.
 If you set Log Type to Disable Log, logs about the specified user or IP address are not sent.
 If you set Log Type to Order 82 Log or Elog, the logs of this type are sent to the Elog log system. For
configuration about the Elog log system, see 9.9.1 Server Log.
209
9.11 Operation Log

Operation Log: views device web operation logs. You can also export these logs in reports and view them on
the local device.
Procedure
(1) Choose Advanced > Report.
(2) Set the query date. The web operation records on the specified date are displayed at the bottom of the page.
(3) Click Export Report. Web operation records are exported in reports and downloaded to the local device.
210

Ruijie Reyee RG-NBR Series Routers Web-Based Configuration Guide, RGOS 11.9 (6) B15 (V1.1)

Uploaded by

Document Informationclick to expand document information

Document Informationclick to expand document information

Copyright:

Available Formats

Ruijie Reyee RG-NBR Series Routers Web-Based Configuration Guide, RGOS 11.9 (6) B15 (V1.1)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ruijie Reyee RG-NBR Series Routers Web-Based Configuration Guide, RGOS 11.9 (6) B15 (V1.1)

Uploaded by

Copyright:

Available Formats

Ruijie Reyee RG-NBR Series Routers

Web-based Configuration Guide

Document Version: V1.1

All rights are reserved in this document and this statement.

Trademarks including , , are owned

 Technical support and servicing engineers

 Technical Support Website: https://www.ruijienetworks.com/support

 Case Portal: https://caseportal.ruijienetworks.com

 Technical Support Email: [email protected]

> Multi-level menus items Choose System > Time.

An alert that contains a description of product or version support.

2 Device for Login

2.1 Configuration Environment Requirements

2.2 Default Configurations

Table 2-1 Default web configurations

Function Item Default Value

After initial configuration or restoration to factory settings, the default web

User name/Password admin/admin

2.3 Login to the Web Management System Using a PC

Figure 2-1 Connection diagram

Switch at the access layer

2.3.2 Management Client IP Address Configuration

2.3.3 Login to the Web Management System

On the login page:

 If you forget your user name or password, click Forgot password?

IP address and password for login after restoration.

2.4 Main Page of the Web Management System

2.4.1 Title Area

Function Item Description Reference Chapter/Section

Wizard-based configurations are provided.

You can click it to complete integrated

Function Item Description Reference Chapter/Section

You can click it to contact our online customer

After completing related operations, you can

2.4.2 Menu Navigation Area

2.4.3 Main Operating Area

2.4.4 Status Area

 This function is supported only in router mode.

Complete related configurations according to the wizard.

(1) Reset the administrator password.

(2) Configure the interface and click Next.

(3) Wait for the system to automatically deliver the configurations.

The system automatically delivers the configurations.

(1) Click Interface for interface configuration.

3.2 Reyee Integrated Configuration

(2) Click Start Config and configure port information as prompted.

in the menu area.

4.1.1 Interface Info

4.1.2 Device Info

Online Users Total number of online users of the current device.

Current system time.

4.1.3 Bandwidth Status

 Traffic trend graph for the last hour

○ You can set and to view the upstream/downstream

 Bandwidth usage of the top 10 applications by traffic

 Top 10 applications by traffic of the current day

 Top 10 users by traffic