HP VPN Firewall Appliances Network Management Configuration Guide Part number: 5998-4164 Software version: F1000-A-EI/F1000-S-EI (Feature 3726) F1000-E (Release 3177) F5000 (Feature 3211) F5000-S/F5000-C (Release 3808) VPN firewall modules (Release 3177) 20-Gbps VPN firewall modules (Release 3817) Document version: 6PW101-20130923
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Managing interfaces
Overview
Managing interfaces in the web interface
Modifying a port
VLAN configuration example
Configuring VLANs at the CLI
Configuring basic
Configuring spanning tree timers
Configuring the timeout factor
Configuring the maximum port rate
Configuring edge ports
Configuring inline Layer 2 forwarding
Configuration restrictions and guidelines
Configuring inline forwarding in the Web interface
Configuring inline forwarding at the CLI
Configuring the DHCP relay agent
Overview
Fundamentals
DHCP
Configuring static domain name resolution
Configuring dynamic domain name resolution
Configuring the DNS proxy
Configuring DNS spoofing
Enabling common proxy ARP
Enabling local proxy ARP
Displaying and maintaining proxy ARP
Proxy ARP configurati
Priority marking configuration example
Packet filtering configuration example
Configuring traffic policing
Overview
Configuring RIP at the CLI
RIP configuration task list
Configuring basic RIP
Configuring
Configuring P2P network type of an interface
Configuring IS-IS routing information control
Configuration prerequisites
Configuring IS-IS link cost
Enabling trap
Enabling logging of session state changes
Configuring BFD for BGP
Displaying and maintaining BGP
IGMP configuration example
Configuring IGMP at the CLI
IGMP configuration task list
Configuring basic IGMP func
PIM configuration examples
Troubleshooting PIM
A multicast distribution tree cannot be built correctly
Multicast data abnormally termina
Configuring parameters related to RA messages
Configuring the maximum number of attempts to send an NS message for DAD
Enabling ND proxy
Configuring path MTU discovery
IPv6 address and configuration parameters assignment configuration example
Static IPv6 address and prefix assignment configuration example
Dynamic IPv6 address and prefix assignment configuration example
Configuring the DHCPv6 relay agent
Configuring an additional routing metric
Configuring RIPng route summarization
Advertising a default route
Configuring a RIPng route filtering policy
Configuring OSPFv3 IPsec policies
Troubleshooting OSPFv3 configuration
No OSPFv3 neighbor relationship established
Incorrect routing information
Configuring IPv6 BGP community
Configuring an IPv6 BGP route reflector
Configuring BFD for IPv6 BGP
Displaying and maintaining IPv6 BGP
Enabling state-refresh capability
Configuring state refresh parameters
Configuring IPv6 PIM-DM graft retry period
Configuring IPv6 PIM-SM
Configuring MLD SSM mapping
Configuration prerequisites
Enabling MLD SSM mapping
Configuring MLD SSM mapping entries
Troubleshooting SSL
SSL handshake failure
Support and other resources
Contacting
Managing interfaces

All configuration tasks in this chapter are independent and optional. You can perform these configuration tasks in any order.

Overview

An interface is the point of interaction or communication between devices. It is used for exchanging data between devices. A physical interface is an interface that materially exists and is supported by a device. For example, an Ethernet interface is a physical interface.
subinterface sends and receives VLAN-tagged packets, see Layer 2—LAN Switching Configuration Guide. • VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. Each VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network segment different from that of the VLAN.
Figure 1 Interface management 2. Click the interface name in the Name column to view the statistics of an interface.
Creating an interface
1. Select Device Management > Interface from the navigation tree.
2. Click Add to enter the page for creating an interface.
Figure 3 Creating an interface
3. Configure the interface information as described in Table 1.
4. Click Apply.
Table 1 Configuration items
Name: Set the name for the interface or its subinterface.
VID: Set the VLAN ID associated with the subinterface. This parameter is available on a subinterface of a Layer 3 Ethernet interface and a RAGG interface in the previous step.
MTU: Set the MTU of the interface.
TCP MSS: Set the maximum segment size for TCP on the interface.
IP Config: Set how the interface obtains an IP address:
• None—Does not set an IP address for the interface.
• Static Address—Manually assigns an IP address to the interface.
Figure 4 Modifying interface information
3. Modify the interface as described in Table 2 and Table 1.
4. Click Apply.
Table 2 Configuration items
Interface Type: Set the interface type, which can be None.
Interface Status: Display and set the interface status:
• Connected—Indicates that the current interface is up and connected. Click the Disable button to shut down the interface.
Working Mode: Configure the interface to operate in bridge mode or router mode. A loopback interface operates only in router mode. Before configuring an IP address for the interface, make sure the interface is configured to operate in router mode.

Interface management configuration example

Network requirements

As shown in Figure 5, Firewall connects Host A and Host B through its interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2, respectively.
Figure 6 Modifying interface GigabitEthernet 0/1
2. Change the operating mode of GigabitEthernet 0/2 to bridge. The configuration is the same as that for GigabitEthernet 0/1.
3. Create VLAN-interface 1. (By default, VLAN 1 exists, and all ports are untagged members of VLAN 1.)
a. Click Add on the interface management page.
b. Set the interface name to Vlan-interface1, select Static Address for IP Config, enter IP address 1.1.2.1, and select 24 (255.255.255.0) as the network mask.
c. Click Apply.
Figure 7 Creating VLAN-interface 1 4. Assign VLAN-interface 1 to a security zone (depending on the network environment): For example, you can assign VLAN-interface 1 to security zone Trust. a. Select Device Management > Zone from the navigation tree. b. Click the icon for zone Trust. c. Select Vlan-interface1 from the Interface Name field. d. Click Apply.
Figure 8 Assigning VLAN-interface 1 to a security zone Host A and Host B can access the firewall. 5. Display the statistics on interface GigabitEthernet 0/1: a. Select Device Management > Interface from the navigation tree. b. Click interface name GigabitEthernet0/1 to view its statistics.
Figure 9 Displaying interface statistics
6. Shut down interface GigabitEthernet 0/1:
a. Click Back on the Port Statistics page.
b. Click the icon for GigabitEthernet0/1.
c. Click Disable at the end of the Interface Status line.
GigabitEthernet 0/1 is shut down, and Host A cannot access the firewall.

Managing interfaces at the CLI

Performing general configurations

This section describes the settings common to Layer 2 and Layer 3 Ethernet interfaces or subinterfaces.

Hardware compatibility:
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
F5000-S/F5000-C: No
VPN firewall modules: Yes
20-Gbps VPN firewall modules: Yes

Overview

A combo interface is a logical interface that comprises one fiber port and one copper port. The two ports share one forwarding channel and one interface view, so they cannot work simultaneously. When you enable one port, the other port is automatically disabled.
• Half-duplex mode (half)—Interfaces that operate in this mode cannot send and receive packets simultaneously.
• Auto-negotiation mode (auto)—Interfaces that operate in this mode negotiate a duplex mode with their peers.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its peer.
To configure an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view.

Shutting down an Ethernet interface or subinterface

CAUTION: Use this command with caution. After you manually shut down an Ethernet interface, the Ethernet interface cannot forward packets even if it is physically connected.

You might need to shut down and then bring up an Ethernet interface or subinterface to activate some configuration changes, for example, the speed or duplex mode changes.
To shut down an Ethernet interface or subinterface:
1. Enter system view.
External loopback testing—Tests hardware of Ethernet interfaces. To perform external loopback testing on an Ethernet interface, connect a loopback plug to the Ethernet interface. The device sends test packets out of the interface, which are expected to loop over the plug and back to the interface. If the interface fails to receive any test packets, the hardware of the interface is faulty.
2. Change the link mode of the specified Ethernet interfaces: port link-mode { bridge | route } interface-list
To change the link mode of an Ethernet interface:
1. Enter system view: system-view
2. Enter Ethernet interface view: interface interface-type interface-number
3. Change the link mode of the Ethernet interface.

4. Configure jumbo frame support: jumboframe enable [ value ]. By default, the device does not allow jumbo frames within the specified length to pass through all Layer 2 Ethernet interfaces. If you set the value argument multiple times, the most recent configuration takes effect.
To configure jumbo frame support on a Layer 2 Ethernet interface for other firewall modules:
1. Enter system view: system-view
2. Enter Layer 2 Ethernet interface view.

2. Enter Ethernet interface view: interface interface-type interface-number
3. Enable subinterface rate statistics collection on the Ethernet interface: sub-interface rate-statistic. By default, subinterface rate statistics collection is disabled.

5. Set the unknown unicast suppression threshold ratio: unicast-suppression ratio. Optional. By default, unknown unicast traffic is allowed to pass through an interface.

Setting the MDI mode of an Ethernet interface

IMPORTANT: Fiber ports do not support the MDI mode setting.

You can use both crossover and straight-through Ethernet cables to connect copper Ethernet interfaces.

To set the MTU for an Ethernet interface or subinterface:
1. Enter system view: system-view
2. Enter Ethernet interface or subinterface view: interface interface-type { interface-number | interface-number.subnumber }
3. Set the MTU: mtu size. The default setting is 1500.

Configuring an Ethernet interface to operate in promiscuous mode

An Ethernet interface usually receives only packets with matched destination MAC addresses.

1. Enter system view: system-view
2. Create a loopback interface and enter loopback interface view: interface loopback interface-number
3. Set the interface description: description text. Optional. By default, the description of a loopback interface is interface name Interface.
4. Shut down the loopback interface: shutdown. Optional. By default, a loopback interface is up.
5. Restore the default settings for the loopback interface: default. Optional.

Displaying and maintaining an Ethernet interface or subinterface

Display Ethernet interface or subinterface information (available in any view):
display interface [ interface-type ] brief [ down ] [ | { begin | exclude | include } regular-expression ]
display interface interface-type { interface-number | interface-number.subnumber } [ brief ] [ | { begin | exclude | include } regular-expression ]
Bulk configuring interfaces

Interfaces can be bulk configured only at the CLI. You can enter interface range view to bulk configure multiple interfaces with the same feature instead of configuring them one by one. For example, you can execute the shutdown command in interface range view to shut down a range of interfaces. Command application failure on one member interface does not affect the application of the command on the other member interfaces.

3. Display commands available for the first interface in the interface range: enter ? at the interface range prompt. Optional.
4. Perform available commands to configure the interfaces. Available commands vary by interface.
5. Verify the configuration: display this. Optional.
Configuring IPv4 addresses

IPv4 addresses can be configured in the web interface and at the CLI. This chapter describes only the IPv4 address configuration at the CLI. For the IPv4 address configuration in the web interface, see "Managing interfaces." For the IPv6 address configuration, see "Configuring basic IPv6 settings." This chapter describes IP addressing basics and manual IP address assignment for interfaces.

Table 3 IP address classes and ranges
Class A: 0.0.0.0 to 127.255.255.255. The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address.
Class B: 128.0.0.0 to 191.255.255.255.
Class C: 192.0.0.0 to 223.255.255.255.
Class D: 224.0.0.0 to 239.255.255.255. Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255. Reserved for future use except for the broadcast address 255.255.255.255.

Figure 11 Subnetting a Class B network
Subnetting increases the number of addresses that cannot be assigned to hosts. After being subnetted, a network can accommodate fewer hosts. For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.
• Without subnetting—65534 hosts (2^16 – 2). (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.
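The classful ranges of Table 3 and the host-count arithmetic of the Class B example, carried through in code. This is an added example, not code from the HP guide; it uses only the Python standard library, and the host-count rule it applies is the guide's classful one (the all-zero and all-one host IDs are unusable in every block).

```python
"""Classful address lookup and the host-count cost of subnetting.

Added example (not code from the HP guide); standard library only.
"""
import ipaddress

# First-octet ranges for classes A to E, as listed in Table 3.
_CLASSES = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
            ("D", 224, 239), ("E", 240, 255))


def ipv4_class(address: str) -> str:
    """Return the class letter of a dotted-decimal IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    for name, low, high in _CLASSES:
        if low <= first_octet <= high:
            return name
    raise ValueError(f"not a classful address: {address}")


def assignable_hosts(block: ipaddress.IPv4Network) -> int:
    """Hosts per block under the classful rule: network and broadcast removed."""
    return max(block.num_addresses - 2, 0)


def subnet_host_capacity(network: str, subnet_count: int) -> dict:
    """Split `network` into `subnet_count` equal subnets (a power of two) and
    report how many host addresses are usable before and after subnetting."""
    net = ipaddress.IPv4Network(network, strict=True)
    if subnet_count < 1 or subnet_count & (subnet_count - 1):
        raise ValueError("subnet_count must be a power of two")
    borrowed_bits = subnet_count.bit_length() - 1     # 512 subnets -> 9 bits
    subnets = list(net.subnets(prefixlen_diff=borrowed_bits))
    before = assignable_hosts(net)
    per_subnet = assignable_hosts(subnets[0])
    after = per_subnet * len(subnets)
    return {
        "class": ipv4_class(str(net.network_address)),
        "subnet_prefix": subnets[0].prefixlen,
        "subnets": len(subnets),
        "hosts_per_subnet": per_subnet,
        "hosts_before": before,
        "hosts_after": after,
        "hosts_lost": before - after,
    }


if __name__ == "__main__":
    # The guide's example: a Class B network cut into 512 subnets.
    print(subnet_host_capacity("172.16.0.0/16", 512))
```

Running it on 172.16.0.0/16 with 512 subnets reproduces the guide's figures: 65534 hosts before, 126 per /25 subnet, 64512 after, 1022 lost. The same function answers the question for any power-of-two split, which is what you need when sizing address plans for per-zone subnets.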
2. Enter interface view: interface interface-type interface-number
3. Assign an IP address to the interface: ip address ip-address { mask-length | mask } [ sub ]. By default, no IP address is assigned to any interface.

Displaying and maintaining IP addressing

Display IP configuration information for a specific Layer 3 interface or all Layer 3 interfaces.

Figure 12 Network diagram

Configuration procedure

# Assign a primary IP address and a secondary IP address to GigabitEthernet 0/1.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 172.16.1.1 255.255.255.0
[Firewall-GigabitEthernet0/1] ip address 172.16.2.1 255.255.255.0 sub

# Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts attached to subnet 172.16.2.0/24.

Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms
The output shows that the firewall can communicate with the host on subnet 172.16.2.0/24.
# Ping a host on subnet 172.16.1.
Configuring VLANs

Overview

Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with many hosts, the LAN might be full of collisions and broadcasts. As a result, the LAN performance is degraded or even the LAN becomes unavailable. You can deploy bridges or Layer 2 switches in the LAN to reduce the collisions, but this cannot confine broadcasts.
VLAN frame encapsulation In order that a network device can identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation. The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999. As shown in Figure 14, in the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA & SA) field is the Type field, which indicates the upper layer protocol type.
VLAN types You can implement VLANs based on the following criteria: • Port • MAC address • Protocol • IP subnet • Policy • Other criteria Among these types of VLANs, the device only supports configuring port-based VLANs. This chapter describes only port-based VLANs. Introduction to port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
Figure 16 Network diagram (Device A, Device B, and Device C carrying VLAN 2 and VLAN 3; access links, trunk links, and hybrid links are required where shown)

PVID

By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required. When you configure the PVID on a port, follow these guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

Incoming tagged frame:
• Access—Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its VLAN ID is different from the PVID.
• Trunk and hybrid—Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port.
Outgoing frames:
• Access—Removes the VLAN tag and sends the frame.
• Trunk—Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
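The 802.1Q tag format from "VLAN frame encapsulation" and the port-type rules above, as an executable model. This is an added example, not code from the HP guide: it parses and builds tagged frames, classifies an incoming frame into a VLAN (untagged frames go to the PVID; tagged frames must match the PVID on an access port or be permitted on a trunk or hybrid port), and decides whether the frame leaves tagged, untagged, or not at all. The Port fields (link_type, pvid, permitted, untagged) and the "flood"-style return conventions are this model's own names, not device CLI keywords.

```python
"""802.1Q tag parsing plus access/trunk/hybrid ingress and egress rules.

Added example, not code from the HP guide. Standard library only.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None   # None means the frame carries no 802.1Q tag
    pcp: int = 0


def parse_ethernet(raw: bytes) -> Frame:
    """Decode a raw Ethernet frame, pulling out the VID if a tag is present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    # TCI layout: 3 bits PCP, 1 bit DEI, 12 bits VID
    return Frame(dst, src, inner_type, raw[18:], vid=tci & 0x0FFF, pcp=tci >> 13)


def build_ethernet(frame: Frame) -> bytes:
    """Serialise a Frame; a tag is inserted only when frame.vid is set."""
    header = frame.dst + frame.src
    if frame.vid is not None:
        tci = (frame.pcp << 13) | (frame.vid & 0x0FFF)
        header += struct.pack("!HHH", TPID_8021Q, tci, frame.ethertype)
    else:
        header += struct.pack("!H", frame.ethertype)
    return header + frame.payload


@dataclass
class Port:
    link_type: str                                    # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: Set[int] = field(default_factory=set)  # trunk/hybrid: VLANs allowed through
    untagged: Set[int] = field(default_factory=set)   # hybrid: VLANs sent without a tag


def ingress_vlan(port: Port, frame: Frame) -> Optional[int]:
    """VLAN the frame is classified into on receipt, or None if it is dropped."""
    vid = port.pvid if frame.vid is None else frame.vid
    if port.link_type == "access":
        return vid if vid == port.pvid else None
    # trunk and hybrid: the VLAN (the PVID included) must be permitted on the port
    return vid if vid in port.permitted else None


def egress_frame(port: Port, vlan: int, frame: Frame) -> Optional[Frame]:
    """Frame as sent out of `port` for traffic of `vlan`, or None if dropped."""
    out = Frame(frame.dst, frame.src, frame.ethertype, frame.payload, vid=vlan, pcp=frame.pcp)
    if port.link_type == "access":
        if vlan != port.pvid:
            return None
        out.vid = None                 # access ports always strip the tag
    elif port.link_type == "trunk":
        if vlan not in port.permitted:
            return None
        if vlan == port.pvid:
            out.vid = None             # only PVID traffic leaves a trunk untagged
    else:                              # hybrid
        if vlan not in port.permitted:
            return None
        if vlan in port.untagged:
            out.vid = None
    return out
```

Two things the model makes visible: a trunk whose PVID is not in its permitted list drops even its own untagged traffic, which is why the guide tells you to permit the PVID after setting it; and untagged frames on a trunk are silently classified into the PVID, so a trunk PVID that is also a user VLAN lets an untagged sender inject into that VLAN. Keeping trunk PVIDs on an otherwise unused VLAN is the usual practitioner mitigation.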
Figure 17 VLAN configuration page
On the page shown in Figure 17, you can enter a VLAN range in the VLAN Range field and click Select to display the VLANs matching the VLAN range in the VLAN list below. Querying VLANs by range in this way simplifies VLAN operations when a large number of VLANs exist. If you enter a VLAN range in the VLAN Range field and click Remove, the VLANs matching the VLAN range are deleted.
2.
3. Modify the member ports of the VLAN as described in Table 4.
4. Click Apply.
Table 4 Configuration items
ID: Displays the ID of the VLAN to be modified.
Description: Set the description of the VLAN. By default, the description of a VLAN is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the default description of VLAN 100 is VLAN 0100.
Untagged Member / Tagged Member: Set the member type of the port to be modified in the VLAN.

Table 5 Configuration items
Port: Displays the port to be modified.
Untagged Member VLAN: Displays the VLANs to which the port belongs as an untagged member.
Tagged Member VLAN: Displays the VLANs to which the port belongs as a tagged member.
Untagged / Tagged: Set the target member type of the port. Select the Untagged, Tagged, or Not a Member option.
• Untagged—The port sends the traffic of the VLAN with the VLAN tag removed.
Figure 23 Creating VLANs 2. Configure VLAN 100 as the PVID of GigabitEthernet 0/1 (By default, all ports are access ports and their PVIDs are all VLAN 1.): a. Select Network > VLAN > Port from the navigation tree. b. Click the icon for port GigabitEthernet 0/1 in the Operation column. The page as shown in Figure 24 appears. c. Select the Untagged option for Member Type. d. Enter VLAN ID 100. e. Click Apply. Figure 24 Configuring the PVID of GigabitEthernet 0/1 3.
Figure 25 Assigning GigabitEthernet 0/1 to VLAN 2 and VLANs 6 through 50 as an untagged member 4. Assign GigabitEthernet 0/1 to VLAN 100 as a tagged member: a. Select Network > VLAN > VLAN from the navigation tree. b. Enter 100 in the VLAN Range field. c. Click Select. The page is as shown in Figure 26. Figure 26 VLAN configuration page d. Click the icon for VLAN 100 in the Operation column. The page shown in Figure 27 appears. e. Select the Tagged Member option for GigabitEthernet 0/1. f. Click Apply.
Figure 27 Assigning GigabitEthernet 0/1 to VLAN 100 as a tagged member 5. Configure the security zone for GigabitEthernet 0/1, VLAN 2, VLANs 6 through 50, and VLAN 100. (Details not shown.) Configuring Device B Configure Device B in the same way Device A is configured. Verifying the configuration Display the port statistics of GigabitEthernet 0/1 on Device A: 1. Select Device Management > Interface from the navigation tree. 2. Click GigabitEthernet0/1 on the page that appears.
Figure 28 Displaying the port statistics of GigabitEthernet 0/1 Configuring VLANs at the CLI Configuring basic VLAN settings Configuration restrictions and guidelines • As the default VLAN, VLAN 1 cannot be created or removed. • You cannot manually create or remove VLANs reserved for special purposes. • To remove a protocol reserved VLAN, remove the configuration from the VLAN first, and execute the undo vlan command.
3. Enter VLAN view: vlan vlan-id. Required only when you create VLANs in bulk.
4. Configure a name for the VLAN: name text. Optional. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.
5. Configure a description for the VLAN. Optional. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.

8. Cancel the action of manually shutting down the VLAN interface: undo shutdown. Optional. By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down.

VLAN interface configuration example

1. Network requirements
As shown in Figure 29, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other.

[Firewall-Vlan-interface10] ip address 192.168.1.20 24
[Firewall-Vlan-interface10] return
b. Configure the default gateway of PC A as 192.168.0.10.
c. Configure the default gateway of PC B as 192.168.1.20.
3. Verifying the configuration
a. The PCs can ping each other.
b. Display brief information about Layer 3 interfaces on Firewall to verify the configuration.

2. Enter interface view or port group view (use one of the commands):
• Enter Layer 2 Ethernet interface view: interface interface-type interface-number. The configuration made in Layer 2 Ethernet interface view applies only to the port.
• Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
3. Configure the link type of the ports as access: port link-type access
4. Assign the access ports to a VLAN: port access vlan vlan-id
To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type to access first. After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through. Assigning a hybrid port to a VLAN A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view. Before assigning a hybrid port to a VLAN, create the VLAN first.
Task Display VLAN interface information. Display hybrid ports or trunk ports on the device. Command Remarks display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ] display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ] display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ] Available in any view. Available in any view.
[FirewallA] vlan 200
[FirewallA-vlan200] port gigabitethernet 0/2
[FirewallA-vlan200] quit
# Configure port GigabitEthernet 0/3 as a trunk port, and assign it to VLANs 100 and 200, to enable GigabitEthernet 0/3 to forward traffic of VLANs 100 and 200 to Firewall B.
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] port link-mode bridge
[FirewallA-GigabitEthernet0/3] port link-type trunk
[FirewallA-GigabitEthernet0/3] port trunk permit vlan 100 200
Please wait... Done.
2.
Configuring the MAC address table
This document covers only the configuration of unicast MAC address entries, including static, dynamic, and destination blackhole MAC address entries. The MAC address table configuration tasks can be performed in any order. The MAC address table can contain only Layer 2 Ethernet ports (excluding Layer 2 subinterfaces) and Layer 2 aggregate interfaces.
from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legal user to the hacker instead. To improve port security, you can bind specific user devices to the port by manually adding MAC address entries to the MAC address table of the device.
Types of MAC address entries
A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
Figure 31 MAC address table displaying page
2. Click Add to enter the page shown in Figure 32.
Figure 32 Adding a MAC address entry
3. Configure MAC address entry information, as shown in Table 6.
4. Click Apply.
Table 6 Configuration items
• MAC: MAC address to be added.
• Type: Set the type of the MAC address entry:
  • Static—Static MAC address entries that never age out.
  • Dynamic—Dynamic MAC address entries that will age out.
  • Blackhole—Blackhole MAC address entries that never age out.
Setting the aging time for MAC address entries
1. Select Network > MAC > Configuration from the navigation tree. The page shown in Figure 33 appears.
Figure 33 Setting the aging time for MAC address entries
2. Set the aging time for MAC address entries. If you select No-aging, MAC address entries do not age out.
3. Click Apply.
from the navigation tree, and then find and select GigabitEthernet 0/1 to configure it accordingly. In addition, specify the security zone to which GigabitEthernet 0/1 belongs.
1. Create a static MAC address entry:
a. Select Network > MAC > MAC from the navigation tree.
b. Click Add.
c. Enter MAC address 000f-e235-dc71. Select static from the Type list. Select 1 from the VLAN list. Select GigabitEthernet0/1 from the Port list.
d. Click Apply.
Figure 35 Creating a static MAC address entry
2.
Figure 37 Setting the aging time for dynamic MAC address entries
Configuring the MAC address table at the CLI
Configuring static, dynamic, and destination blackhole MAC address entries
To prevent MAC address spoofing attacks and improve port security, manually add MAC address entries to bind ports with MAC addresses. You can also configure destination blackhole MAC address entries to filter out packets with certain destination MAC addresses.
3. Add or modify a static or dynamic MAC address entry: mac-address { dynamic | static } mac-address vlan vlan-id. By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.
Configuring a destination blackhole MAC address entry
1. Enter system view: system-view. N/A
2. Add or modify a destination blackhole MAC address entry.
Hardware: Compatibility
F1000-A-EI/F1000-S-EI: Yes
F1000-E: No
F5000: No
F5000-S/F5000-C: Yes
VPN firewall modules: No
20-Gbps VPN firewall modules: No
As the MAC address table grows, the forwarding performance of your device might degrade. To prevent the MAC address table from getting so large that the forwarding performance degrades, you can limit the number of MAC addresses that a port can learn.
• The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so all packets destined for the host are dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 38 Network diagram
Configuration procedure
# Add a static MAC address entry.
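As an added illustration of the behaviours described in this chapter (static bindings that a forged source address cannot move, destination blackhole entries, aging of dynamic entries, and the per-port learning limit), the following Python simulation of a MAC address table is not code from the HP guide or the firewall. The port names, frames and the two extra MAC addresses are constructed; only 000f-e235-dc71 (Host A) and 000f-e235-abcd (Host B) come from the example above, and the aging time of 500 seconds and a learning limit of 2 per port are assumed settings.

```python
"""Added example (not from the HP guide): a simulated Layer 2 MAC address table
with static, dynamic and destination blackhole entries, an aging timer and a
per-port learning limit. Ports, frames and the spare MACs are constructed."""
STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


class MacTable:
    def __init__(self, aging_time=300, port_limit=None):
        self.aging_time = aging_time   # seconds; None means entries never age out
        self.port_limit = port_limit   # max dynamic entries per port; None = unlimited
        self.entries = {}              # (vlan, mac) -> {"type", "port", "seen"}

    def add_static(self, mac, vlan, port):
        """Bind a MAC to a port manually; static entries never age out."""
        self.entries[(vlan, mac)] = {"type": STATIC, "port": port, "seen": None}

    def add_blackhole(self, mac, vlan):
        """Frames destined for this MAC are dropped; the entry never ages out."""
        self.entries[(vlan, mac)] = {"type": BLACKHOLE, "port": None, "seen": None}

    def learn(self, src_mac, vlan, in_port, now):
        """Dynamic learning from a received frame's source MAC.
        Returns True if the entry was created or refreshed, False if refused."""
        key = (vlan, src_mac)
        existing = self.entries.get(key)
        if existing and existing["type"] != DYNAMIC:
            # A manually configured entry wins: a frame carrying the bound MAC
            # that arrives on another port cannot move the binding.
            return False
        if existing is None and self.port_limit is not None:
            on_port = sum(1 for e in self.entries.values()
                          if e["type"] == DYNAMIC and e["port"] == in_port)
            if on_port >= self.port_limit:
                return False           # learning limit reached for this port
        self.entries[key] = {"type": DYNAMIC, "port": in_port, "seen": now}
        return True

    def age(self, now):
        """Remove dynamic entries not refreshed within the aging time."""
        if self.aging_time is None:
            return 0
        expired = [k for k, e in self.entries.items()
                   if e["type"] == DYNAMIC and now - e["seen"] >= self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def forward(self, frame, now):
        """Age, learn the source, then decide where the frame goes:
        an output port name, 'drop' (blackhole) or 'flood' (unknown unicast)."""
        self.age(now)
        self.learn(frame["src"], frame["vlan"], frame["in_port"], now)
        entry = self.entries.get((frame["vlan"], frame["dst"]))
        if entry is None:
            return "flood"
        if entry["type"] == BLACKHOLE:
            return "drop"
        return entry["port"]


def demo():
    """The guide's example network with constructed frames; returns the decisions."""
    table = MacTable(aging_time=500, port_limit=2)
    table.add_static("000f-e235-dc71", 1, "GigabitEthernet0/1")   # Host A, bound
    table.add_blackhole("000f-e235-abcd", 1)                       # Host B, dropped
    r = {}
    # 1. A frame for Host A from another host (constructed MAC) goes to GE0/1.
    r["to_host_a"] = table.forward({"src": "0000-0000-0001", "dst": "000f-e235-dc71",
                                    "vlan": 1, "in_port": "GigabitEthernet0/2"}, now=0)
    # 2. A frame on GE0/3 forging Host A's MAC cannot move the static binding.
    r["spoof_learned"] = table.learn("000f-e235-dc71", 1, "GigabitEthernet0/3", now=1)
    r["still_bound_to"] = table.entries[(1, "000f-e235-dc71")]["port"]
    # 3. Traffic for Host B is dropped by the blackhole entry.
    r["to_host_b"] = table.forward({"src": "0000-0000-0001", "dst": "000f-e235-abcd",
                                    "vlan": 1, "in_port": "GigabitEthernet0/2"}, now=2)
    # 4. The dynamically learned MAC is reachable until the 500 s timer expires.
    r["before_aging"] = table.forward({"src": "0000-0000-0002", "dst": "0000-0000-0001",
                                       "vlan": 1, "in_port": "GigabitEthernet0/2"}, now=3)
    r["after_aging"] = table.forward({"src": "0000-0000-0002", "dst": "0000-0000-0001",
                                      "vlan": 1, "in_port": "GigabitEthernet0/2"}, now=600)
    # 5. With the limit of 2 per port, GE0/2 accepts one more entry, then refuses.
    r["second_learn"] = table.learn("0000-0000-0003", 1, "GigabitEthernet0/2", now=601)
    r["limit_hit"] = table.learn("0000-0000-0004", 1, "GigabitEthernet0/2", now=602)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The forged frame in step 2 is refused rather than overwriting the static entry, which is the whole point of binding known hosts to ports; the aging step shows why an unrefreshed dynamic entry falls back to flooding.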
Configuring spanning tree protocols
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, putting them in a standby state, which still allows for link redundancy. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).
STP
STP was developed based on the IEEE 802.1d standard to eliminate loops at the data link layer in a LAN.
Basic concepts in STP
Root bridge
A tree network must have a root bridge, and the entire network contains only one root bridge. All the other bridges in the network are called "leaf nodes." The root bridge is not permanent, but can change when the network topology changes. Upon initialization of a network, each device generates and periodically sends configuration BPDUs with itself as the root bridge.
STP algorithm
The spanning tree calculation process described in the following sections is a simplified process for example only. The STP algorithm uses the following calculation process:
1. State initialization. Upon initialization of a device, each port generates a BPDU with the port as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Root bridge selection.
Step 2: The device compares the configuration BPDUs of all ports and chooses the optimum configuration BPDU. The following are the principles of configuration BPDU comparison:
• The configuration BPDU with the lowest root bridge ID has the highest priority.
• If configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S.
Device C: Port C1, configuration BPDU {2, 0, 2, Port C1}; Port C2, configuration BPDU {2, 0, 2, Port C2}.
5. BPDU comparison on each device. In Table 10, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.
Device: configuration BPDU on ports after comparison, and comparison process
• Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates its configuration BPDU.
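As an added example that is not part of the HP guide, the comparison and election rules above are simulated in Python for a three-device network in the style of Figure 41. Bridge IDs 0, 1 and 2 stand for Device A, B and C, BPDUs use the guide's {root bridge ID, root path cost, designated bridge ID, designated port ID} notation, and the three link path costs (5, 10 and 4) are assumed values chosen so that Device C reaches the root more cheaply through Device B than over its direct link, which is what leaves one of its ports blocked.

```python
"""Added example (not from the HP guide): configuration BPDU comparison and
spanning tree election for three bridges. Bridge IDs 0/1/2 are Device A/B/C;
the port path costs are assumed values for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Bpdu:
    """Fields in comparison order: a smaller tuple is the superior BPDU."""
    root_id: int
    root_path_cost: int
    designated_bridge: int
    designated_port: str


def run_stp(bridges, links, max_rounds=20):
    """bridges: {bridge_id: [port, ...]}; links: [(bridge, port, bridge, port, cost)].
    Returns (root bridge ID, {(bridge, port): 'root' | 'designated' | 'blocked'})."""
    peer, cost = {}, {}
    for b1, p1, b2, p2, c in links:
        peer[(b1, p1)], peer[(b2, p2)] = (b2, p2), (b1, p1)
        cost[(b1, p1)] = cost[(b2, p2)] = c
    # 1. State initialization: every port announces its own bridge as root with
    #    root path cost 0 and itself as designated bridge and designated port.
    sent = {(b, p): Bpdu(b, 0, b, p) for b, ports in bridges.items() for p in ports}
    roles, root_ids = {}, set()
    for _ in range(max_rounds):
        new_sent, new_roles, root_ids = {}, {}, set()
        for b, ports in bridges.items():
            own = Bpdu(b, 0, b, "")
            # BPDU received on each port is what the peer port currently sends;
            # a peer port that is a root or blocked port sends nothing.
            received = {p: sent[peer[(b, p)]] for p in ports if peer[(b, p)] in sent}
            # 2. Root bridge selection: compare received BPDUs with the receiving
            #    port's path cost added (S = root path cost + port path cost).
            best, root_port = own, None
            for p, r in received.items():
                candidate = Bpdu(r.root_id, r.root_path_cost + cost[(b, p)],
                                 r.designated_bridge, r.designated_port)
                if candidate < best:
                    best, root_port = candidate, p
            root_ids.add(best.root_id)
            # 3. Designated port selection: on every other port, the bridge's own
            #    calculated BPDU is compared with the BPDU received on that port.
            for p in ports:
                mine = Bpdu(best.root_id, best.root_path_cost, b, p)
                if p == root_port:
                    new_roles[(b, p)] = "root"
                elif p not in received or mine < received[p]:
                    new_roles[(b, p)] = "designated"
                    new_sent[(b, p)] = mine          # only designated ports send
                else:
                    new_roles[(b, p)] = "blocked"
        if new_sent == sent and new_roles == roles:
            break                                    # converged
        sent, roles = new_sent, new_roles
    return min(root_ids), roles   # all bridges agree on the root once converged


# Constructed topology: Device A (ID 0), Device B (ID 1), Device C (ID 2).
BRIDGES = {0: ["A1", "A2"], 1: ["B1", "B2"], 2: ["C1", "C2"]}
LINKS = [(0, "A1", 1, "B1", 5), (0, "A2", 2, "C1", 10), (1, "B2", 2, "C2", 4)]

if __name__ == "__main__":
    root, roles = run_stp(BRIDGES, LINKS)
    print("root bridge:", root)
    for (bridge, port), role in sorted(roles.items()):
        print(bridge, port, role)
```

With these costs Device C's root path cost is 9 via C2 (5 + 4) against 10 via C1, so C2 becomes the root port and C1, whose own BPDU {0, 9, 2, Port C1} loses to the {0, 0, 0, Port A2} it receives, is blocked; Device A keeps both ports designated because no superior BPDU ever reaches it.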
Figure 41 The final calculated spanning tree (Device A, Device B, and Device C, with Device A as the root bridge; legend: root port, designated port, blocked port, normal link, blocked link)
The configuration BPDU forwarding mechanism of STP
The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
• Max age—The device uses the max age to determine whether a stored configuration BPDU has expired, and discards it if the max age is exceeded.
RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP. A newly elected RSTP root port rapidly enters the forwarding state if the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
MSTP basic concepts Figure 42 shows a switched network that comprises four MST regions, with each MST region comprising four MSTP devices. Figure 43 shows the network topology of MST region 3.
MST region A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics: • A spanning tree protocol is enabled. • Same region name. • Same VLAN-to-instance mapping configuration. • Same MSTP revision level. • Physically linked together. Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region.
Common root bridge The common root bridge is the root bridge of the CIST. In Figure 42, the common root bridge is a device in MST region 1. Port roles A port can play different roles in different MSTIs. As shown in Figure 44, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST. Port states In MSTP, a port can be in one of the following states: • Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.
Implementation of MSTP on devices
MSTP is compatible with STP and RSTP. Devices that run MSTP can recognize STP and RSTP protocol packets used for spanning tree calculation. In addition to basic MSTP functions, the following functions are provided for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
Protocols and standards
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.
Configuring an MST region
1. From the navigation tree, select Network > MSTP > Region. The page as shown in Figure 45 appears.
Figure 45 MSTP region
2. Click Modify. The MSTP Region Configuration page as shown in Figure 46 appears.
Figure 46 Modifying an MSTP region
3. Configure the MST region information as described in Table 12.
4. Click Activate.
Table 12 Configuration items
• Region Name: Set the MST region name.
• Revision Level: Set the revision level of the MST region.
• Modulo: Set the modulo value based on which the 4094 VLANs are mapped to the corresponding MSTIs.
Configuring MSTP globally
1. From the navigation tree, select Network > MSTP > Global. The Global MSTP Configuration page as shown in Figure 47 appears.
Figure 47 Configuring MSTP globally
2. Configure the global MSTP configuration as described in Table 13.
3. Click Apply.
Table 13 Configuration items
• Enable STP Globally: Specify whether to enable STP globally:
  • Enable—Enables STP globally.
  • Disable—Disables STP globally.
  Other MSTP configurations can take effect only after you enable STP globally.
• BPDU Protection: Specify whether to enable BPDU guard globally:
  • Enable—Enables BPDU guard globally.
  • Disable—Disables BPDU guard globally.
  BPDU guard can protect the device from malicious BPDU attacks, making the network topology stable.
• Hello Time: Set the Hello time. The Hello time is the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault-free. An appropriate hello time setting enables the device to timely detect link failures on the network without using excessive network resources. If the hello time is set too long, the device takes packet loss as a link failure and triggers a new spanning tree calculation process.
Figure 48 MSTP configuration of a port
2. Click the icon for a port. The MSTP Port Configuration page of the port as shown in Figure 49 appears.
Figure 49 MSTP port configuration
3. Configure the MSTP port configuration as described in Table 14.
4. Click Apply.
Table 14 Configuration items
• Port Number: Specify the port number.
• STP Status: Specify whether to enable STP on the port:
  • Enable—Enable STP on the port.
  • Disable—Disable STP on the port.
• Specify the type of protection enabled on the port:
  • Not Set—No protection is enabled on the port.
  • Edged Port—Set the port as an edge port. Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for these ports.
MSTP configuration example Network requirements As shown in Figure 50, all devices on the network are in the same MST region, Device A and Device B work on the distribution layer, and Device C and Device D work on the access layer.
− Select the Manual option.
− Select 1 from the Instance ID list.
− Set the VLAN ID to 10.
− Click Apply to map MSTI 1 to VLAN 10.
− Select 3 from the Instance ID list.
− Set the VLAN ID to 30.
− Click Apply to map MSTI 3 to VLAN 30.
− Select 4 from the Instance ID list.
− Set the VLAN ID to 40.
− Click Apply to map MSTI 4 to VLAN 40.
− Click Activate.
Figure 51 Configuring an MST region on Device A
2.
Figure 52 Configuring global MSTP parameters on Device A
Configuring Device B
1. Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure here is the same as that of configuring an MST region on Device A.)
2. Enable MSTP globally and configure the current device as the root bridge of MSTI 3:
a. From the navigation tree, select Network > MSTP > Global.
b.
Configuring Device C
1. Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure here is the same as that of configuring an MST region on Device A.)
2. Enable MSTP globally and configure the current device as the root bridge of MSTI 4:
a. From the navigation tree, select Network > MSTP > Global.
b.
3 GigabitEthernet0/1 DESI FORWARDING NONE
3 GigabitEthernet0/3 DESI FORWARDING NONE
3. Display brief spanning tree information on Device C.
[DeviceC] display stp brief
MSTID
4.
Configuring MSTP at the CLI
Configuration guidelines
Follow these guidelines when you configure MSTP:
• Two or more spanning tree-enabled devices belong to the same MST region only if the following are true:
  • They are configured with the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance mapping entries in the MST region, and MST region revision level.
  • They are interconnected through physical links.
STP configuration task list
Configuring the root bridge:
• Setting the spanning tree mode (Required): Configure the device to operate in STP mode.
• Configuring the root bridge or a secondary root bridge (Optional).
• Configuring the device priority (Optional).
• Configuring the network diameter of a switched network (Optional).
• Configuring spanning tree timers (Optional).
• Configuring the timeout factor (Optional).
• Configuring the maximum port rate (Optional).
• Configuring the timeout factor (Optional).
• Configuring the maximum port rate (Optional).
• Configuring edge ports (Optional).
• Configuring the port link type (Optional).
• Configuring the mode a port uses to recognize and send MSTP packets (Optional).
• Enabling the spanning tree feature (Required).
Configuring the leaf nodes:
• Setting the spanning tree mode (Required): Configure the device to operate in RSTP mode.
• Configuring the device priority (Optional).
• Configuring the timeout factor (Optional).
• Configuring edge ports (Optional).
• Configuring the port link type (Optional).
• Configuring the mode a port uses to recognize and send MSTP packets (Optional).
• Enabling the spanning tree feature (Required).
Configuring the leaf nodes:
• Setting the spanning tree mode (Optional): By default, the device operates in MSTP mode.
• Configuring an MST region (Required).
• Configuring the device priority (Optional).
• Configuring the timeout factor (Optional).
• Configuring the maximum port rate (Optional).
1. Enter system view: system-view. N/A
2. Set the spanning tree mode: stp mode { mstp | rstp | stp }. The default setting is MSTP mode.
Configuring an MST region
Two or more spanning tree devices belong to the same MST region only if they are configured to have the same format selector (0 by default, not configurable), MST region name, MST region revision level, and VLAN-to-instance mapping entries in the MST region, and they are connected via a physical link.
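As an added example that is not the firewall's own code, the following Python script parses stp region-configuration lines in the form this guide's CLI examples use (region-name, revision-level, instance N vlan ...) and checks two devices against the same-region conditions listed above: format selector, region name, revision level and the full VLAN-to-instance mapping, where every VLAN not mapped explicitly belongs to MSTI 0. The device configurations are constructed (the first two reuse the mapping of the MSTP example in this chapter), and the expansion of "to" ranges follows the Comware vlan-list syntax.

```python
"""Added example (not from the HP guide): parse 'stp region-configuration' CLI
lines from two devices and report which same-MST-region conditions differ.
Device names and the third, deliberately inconsistent, configuration are
constructed for illustration."""
import re

FORMAT_SELECTOR = 0   # fixed at 0 and not configurable, per the guide
MAX_VLAN = 4094


def expand_vlan_list(spec):
    """Comware vlan-list: '10 30 to 32 40' -> [10, 30, 31, 32, 40]."""
    tokens, out, i = spec.split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            out.extend(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            out.append(int(tokens[i]))
            i += 1
    return out


def parse_region_config(text):
    """Build the region record. Unmapped VLANs stay in MSTI 0 (the CIST), so
    the mapping table always covers VLANs 1..4094."""
    name, revision = None, 0
    mapping = {v: 0 for v in range(1, MAX_VLAN + 1)}
    for raw in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())   # drop a CLI prompt
        m = re.match(r"region-name (\S+)$", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"revision-level (\d+)$", line)
        if m:
            revision = int(m.group(1))
            continue
        m = re.match(r"instance (\d+) vlan (.+)$", line)
        if m:
            for vlan in expand_vlan_list(m.group(2)):
                mapping[vlan] = int(m.group(1))
    return {"format_selector": FORMAT_SELECTOR, "name": name,
            "revision": revision, "mapping": mapping}


def same_region(a, b):
    """Return the attributes that differ; an empty list means the two devices
    satisfy the configuration conditions for one MST region."""
    diffs = [k for k in ("format_selector", "name", "revision") if a[k] != b[k]]
    changed = [v for v in range(1, MAX_VLAN + 1) if a["mapping"][v] != b["mapping"][v]]
    if changed:
        diffs.append("mapping(vlans {})".format(changed[:5]))
    return diffs


# Constructed CLI transcripts; the first two mirror the chapter's example mapping.
DEVICE_B_CONFIG = """
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
[DeviceB-mst-region] active region-configuration
"""
DEVICE_C_CONFIG = DEVICE_B_CONFIG.replace("DeviceB", "DeviceC")
DEVICE_X_CONFIG = """
[DeviceX-mst-region] region-name example
[DeviceX-mst-region] instance 1 vlan 10
[DeviceX-mst-region] instance 3 vlan 30 to 31
[DeviceX-mst-region] instance 4 vlan 40
[DeviceX-mst-region] revision-level 1
"""

if __name__ == "__main__":
    b, c, x = (parse_region_config(t) for t in (DEVICE_B_CONFIG, DEVICE_C_CONFIG, DEVICE_X_CONFIG))
    print("B vs C:", same_region(b, c) or "same region")
    print("B vs X:", same_region(b, x) or "same region")
```

The physical-link condition is not something a configuration diff can show, so the script only covers the four configured attributes; a single extra VLAN in one instance (VLAN 31 on Device X here) is enough to put a device in its own region.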
A device has independent roles in different spanning trees. It can act as the root bridge in one spanning tree and as a secondary root bridge in another. However, one device cannot be the root bridge and a secondary root bridge in the same spanning tree. A spanning tree can have one root bridge only. If two or more devices are selected as the root bridge at the same time, the device with the lowest MAC address wins.
To configure the priority of a device in a specified MSTI:
1. Enter system view: system-view. N/A
2. Configure the priority of the current device. Use one of the commands:
• In STP/RSTP mode: stp priority priority
• In MSTP mode: stp [ instance instance-id ] priority priority
The default setting is 32768. For information about the value range for the instance-id argument, see Network Management Command Reference.
Configuring spanning tree timers The following timers are used for spanning tree calculations: • Forward delay—The delay time for port state transition. To prevent temporary loops on a network, the spanning tree sets an intermediate port state, the learning state, before it transits from the discarding state to the forwarding state. The port transits its state after a forward delay timer expires, to make sure the state transition of the local port remains synchronized with the peer.
3. Configure the hello timer: stp timer hello time. Optional. Use one of the commands. The default setting is 2 seconds.
4. Configure the max age timer: stp timer max-age time. Optional. Use one of the commands. The default setting is 20 seconds.
Configuring the timeout factor
The timeout factor is a parameter used to calculate the timeout time in the following formula: Timeout time = timeout factor × 3 × hello time.
Configuring edge ports If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When network topology changes occur, an edge port will not cause a temporary loop. Because a device does not determine whether a port is directly connected to a terminal, you must manually configure the port as an edge port. After that, the port can transit rapidly from the blocked state to the forwarding state.
Table 15 Mappings between the link speed and the path cost Path cost Link speed Port type IEEE 802.1d-1998 IEEE 802.
Perform the following tasks to specify a standard for the device to use when it calculates the default path cost:
1. Enter system view: system-view. N/A
2. Specify a standard for the device to use when it calculates the default path costs of its ports: stp pathcost-standard { dot1d-1998 | dot1t | legacy }. Optional. The default setting is legacy.
1. Enter system view: system-view. N/A
2. Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number. N/A
3. Configure the port priority. Use one of the commands:
• In STP/RSTP mode: stp port priority priority
• In MSTP mode: stp [ instance instance-id ] port priority priority
The default setting is 128. For information about the value range for the instance-id argument, see Network Management Command Reference.
By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets that it will send based on the recognized format. You can configure the MSTP packet format on a port. When operating in MSTP mode after the configuration, the port sends and receives only MSTP packets of the format that you have configured to communicate with devices that send packets of the same format.
Performing mCheck If a port on a device that is running MSTP or RSTP connects to an STP device, this port automatically migrates to STP mode. However, it cannot automatically transit back to the original mode when: • The STP device is shut down or removed. • The STP device transits to MSTP or RSTP mode. Suppose Device A running STP, Device B with no spanning tree feature enabled, and Device C running RSTP or MSTP are connected in order.
Configuration prerequisites Before you enable digest snooping, make sure associated devices of different vendors are connected and running spanning tree protocols. To enable digest snooping, you must follow these guidelines: • With the digest snooping feature enabled, in-the-same-region verification does not need comparison of configuration digest, so the VLAN-to-instance mappings must be the same on associated ports.
Figure 54 Network diagram
2. Configuration procedure
# Enable digest snooping on GigabitEthernet 0/1 of Firewall A and enable global digest snooping on Firewall A.
system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] stp config-digest-snooping
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] stp config-digest-snooping
# Enable digest snooping on GigabitEthernet 0/1 of Firewall B and enable global digest snooping on Firewall B.
Figure 55 Rapid state transition of an MSTP designated port Figure 56 Rapid state transition of an RSTP designated port If the upstream device is a third-party device, the rapid state transition implementation might be limited.
1. Enter system view: system-view. N/A
2. Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number. N/A
3. Enable No Agreement Check: stp no-agreement-check. By default, No Agreement Check is disabled.
No Agreement Check configuration example
1. Network requirements
As shown in Figure 57:
• Firewall A connects to a third-party firewall (Firewall B) that has a different spanning tree implementation.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on devices, when edge ports receive configuration BPDUs, the system closes these ports and notifies the NMS that they have been closed by the spanning tree protocol. The device will reactivate closed ports after the port status detection timer expires. For more information about the port status detection timer, see Getting Started Guide.
transit to the forwarding state, resulting in loops in the switched network. The loop guard function can suppress the occurrence of such loops. The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs, it transits its state correctly. Otherwise, it stays in the discarding state to prevent temporary loops. To enable loop guard, you must follow these guidelines: • Configure loop guard on the root port and alternate ports of a device.
Displaying and maintaining the spanning tree
• Display information about ports blocked by spanning tree protection functions: display stp abnormal-port [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display BPDU statistics on ports: display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-id ] ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Figure 58 Network diagram (one MST region containing Device A, Device B, Device C, and Device D, connected by trunk links on GE0/2 and GE0/3; the link between Device A and Device B is labelled Permit: all VLAN, the other links are labelled Permit: VLAN 10, 20 or Permit: VLAN 20, 30, and the link between Device C and Device D is labelled Permit: VLAN 20, 40)
Configuration procedure
1. Configure VLANs and VLAN member ports (details not shown):
• Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B, respectively.
• Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceD] stp enable
Verifying the configuration
In this example, suppose Device B has the lowest root bridge ID. As a result, Device B is elected as the root bridge of MSTI 0. You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
# Display brief spanning tree information on Device A.
Figure 59 MSTIs mapped to different VLANs (four panels: MSTI 1 mapped to VLAN 10, MSTI 0 mapped to VLAN 20, MSTI 3 mapped to VLAN 30, and MSTI 4 mapped to VLAN 40, each showing the devices with the root bridge, normal links, and blocked links marked)
Configuring PPP PPP can be configured only at the CLI.
Figure 60 PPP link establishment process (phases Dead, Establish, Authenticate, Network, and Terminate; transitions Up, Opened, Success/None, Fail, Down, and Closing)
1. Initially, PPP is in Link Dead phase. After the physical layer goes up, PPP enters the Link Establishment phase (Establish).
2. In the Link Establishment phase, the LCP negotiation is performed. The LCP configuration options include Authentication-Protocol and MP. If the negotiation fails, LCP reports a Fail event, and PPP returns to the Dead phase.
with a username. HP recommends that you configure a username for the authenticator, which makes it easier for the peer to verify the identity of the authenticator. CHAP transmits usernames but not passwords over the network: rather than sending the password itself, it sends the result of an MD5 calculation over the password and the random packet ID. Therefore, it is more secure than PAP.
• MS-CHAP—MS-CHAP is a three-way handshake authentication.
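The CHAP calculation described above, as an added Python example that is not code from the HP guide: the peer hashes the identifier, the shared password and the challenge with MD5 (the response format of RFC 1994), and the authenticator recomputes the same value from its locally stored password. The username, password and challenge bytes are constructed, and the in-process exchange stands in for the three PPP messages.

```python
"""Added example (not from the HP guide): the CHAP challenge/response round trip
with MD5 over (ID || password || challenge). Usernames, password and challenge
values are constructed; nothing here is the firewall's own implementation."""
import hashlib
import hmac
import os


def chap_response(identifier, password, challenge):
    """Peer side: MD5 over the one-byte identifier, the password and the challenge.
    Only this 16-byte digest, the identifier and the username cross the link."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def chap_verify(identifier, stored_password, challenge, response):
    """Authenticator side: recompute with the locally stored password and compare
    in constant time, so a wrong guess reveals nothing through timing."""
    expected = chap_response(identifier, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(user_db, peer_name, peer_password, challenge=None, identifier=1):
    """Run one Challenge / Response / Success-or-Failure exchange in process.
    Returns (authenticated, transcript) where the transcript lists the messages
    as they would appear on the link."""
    challenge = challenge if challenge is not None else os.urandom(16)
    transcript = [("Challenge", identifier, challenge)]
    response = chap_response(identifier, peer_password, challenge)
    transcript.append(("Response", identifier, response, peer_name))
    stored = user_db.get(peer_name)            # local AAA: password configured on the authenticator
    ok = stored is not None and chap_verify(identifier, stored, challenge, response)
    transcript.append(("Success" if ok else "Failure", identifier))
    return ok, transcript


if __name__ == "__main__":
    users = {"user1": b"password1"}           # constructed local user database
    ok, messages = chap_exchange(users, "user1", b"password1")
    for m in messages:
        print(m)
    print("authenticated:", ok)
```

Because the challenge is fresh for every exchange, a response recorded on the link is useless against a later challenge, which is what makes CHAP stronger than PAP's cleartext password; the example's failure branch shows the replayed digest being rejected.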
Enabling PPP encapsulation on an interface
The following matrix shows the feature and hardware compatibility:
Hardware: Compatibility
F1000-A-EI/F1000-S-EI: Yes
F1000-E: No
F5000: No
F5000-S/F5000-C: No
VPN firewall modules: No
20-Gbps VPN firewall modules: No
To enable PPP encapsulation on an interface:
1. Enter system view: system-view. N/A
2. Enter interface view: interface interface-type interface-number. N/A
3. Enable PPP encapsulation on the interface. Optional.
4. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide. The username and password configured for the peer must be the same as those configured on the peer.
5. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide. The username configured for the peer must be the same as that configured on the peer.
4. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the peer must be configured on the authenticator. For remote AAA authentication, the username and password of the peer must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide. The username configured for the peer must be the same as that configured on the peer.
4. Assign a username to the MS-CHAP or MS-CHAP-V2 authenticator: ppp chap user username. The username you assign to the authenticator here must be the same as the local username you assign to the authenticator on the peer.
5. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the peer must be configured on the authenticator.
1. Enter system view: system-view. N/A
2. Enter interface view: interface interface-type interface-number. N/A
3. Configure the polling interval: timer hold seconds. Optional. The default setting is 10 seconds.
To configure the device as the server when PPP authentication is not enabled:
1. Enter system view: system-view. N/A
2. Assign an IP address of a global address pool to the peer or specify the IP address to be allocated to the peer. (Method 1) Define a global address pool and bind it to the interface:
a. ip pool pool-number low-ip-address [ high-ip-address ]
b. interface interface-type interface-number
c.
To configure settings for DNS server address negotiation when the device is functioning as the client in PPP negotiation:
1. Enter system view: system-view. N/A
2. Enter interface view: interface interface-type interface-number. N/A
3. Enable the device to request the peer for a DNS server address: ppp ipcp dns request. By default, a device does not request its peer for a DNS server address.
4. Enable the device to accept the DNS server address assigned by the peer.
3. Enable PPP traffic statistics collection: ppp account-statistics enable [ acl { acl-number | name acl-name } ]. Disabled by default.
Enabling extended PPP traffic statistics collection
With this feature enabled, AAA starts traffic statistics collection only after it is informed of the IP address assigned to an authenticated PPP user by the peer during NCP negotiation.
Displaying and maintaining PPP
• Display PPP user binding information: display ppp user bind [ virtual-template number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
• Display information about a VA interface or all the VA interfaces on a VT interface: display virtual-access [ va-number | dialer dialer-number | peer peer-address | user user-name | vt vt-number ] * [ | { begin | exclude | include } regular-expression ]. Available in any view.
Solution Do the following: • Enable IPv6 before configuring an IPv6 address on a PPP link. • If IPv6CP negotiation fails, re-enable the interface by executing the shutdown command and then the undo shutdown command to re-enable IPv6CP negotiation.
Configuring PPPoE The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. The firewalls only support acting as a PPPoE client.
Figure 61 Network structure 1 (Host A, Host B, and Host C; the client device Router A, labelled PPPoE client; a modem and a DSLAM; the carrier device Router B, labelled PPPoE server; and the Internet)
As shown in Figure 62, the PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. The host must be installed with PPPoE client dialup software. This network structure is applicable to campus and residential environments.
Dialer interfaces created by selecting Device Management > Interface Management can be displayed, modified, and removed in the PPPoE client page. However, they cannot establish PPPoE client sessions.
Figure 63 PPPoE client information
2. Click Add to enter the page for creating a PPPoE client.
Figure 64 Creating a PPPoE client
3. Configure the PPPoE client information, as described in Table 16.
4. Click Apply.
• IP Config: Configure the way the dialer interface gets its IP address:
  • None—Does not configure an IP address.
  • Static Address—Statically configures an IP address and subnet mask for the interface.
  • PPP Negotiate—Gets an IP address through PPP negotiation.
  • Unnumbered—Borrows the IP address of another interface on the same device.
• IP Address: Configure an IP address and subnet mask for the dialer interface.
Figure 66 PPPoE session summary Table 17 Field description for the PPPoE session statistics Field Description Interface Ethernet interface where the PPPoE session belongs. Session Number PPPoE session ID. Received Packets Number of received packets in the PPPoE session. Received Bytes Number of received bytes in the PPPoE session. Dropped Packets (Received) Number of dropped packets which are received in the PPPoE session. Sent Packets Number of transmitted packets in the PPPoE session.
PPPoE client configuration example Network requirements Configure the PPPoE client on the device, and enable the PPPoE client to communicate with the PPPoE server, as shown in Figure 67. Figure 67 Network diagram Configuring the PPPoE client 1. Create a PPPoE client: a. Select Network > PPPoE > Client from the navigation tree. b. Click Add. c. Enter 1 for the dialer interface name, user1 for the username, and password1 for the password.
You must enable the PPPoE protocol on the PPPoE server, configure the PPPoE username and password, and assign an IP address to the peer of the PPP connection. (Details not shown.) Verifying the configuration 1. View the summary about PPPoE client sessions on the PPPoE client: a. Select Network > PPPoE > Session from the navigation tree. b. Select Summary Information from the Information Type list. Figure 69 shows that the status of the PPPoE client session is PPPUP .
Configuring a dialer interface Before establishing a PPPoE session, you must first create a dialer interface and configure a dialer bundle on the interface. Each PPPoE session uniquely corresponds to a dialer bundle and each dialer bundle uniquely corresponds to a dialer interface. A PPPoE session uniquely corresponds to a dialer interface. Configuring a dialer interface for an IPv4 PPPoE client Step Command 1. Enter system view. system-view 2. Configure a dialer rule.
You can establish multiple PPPoE sessions on an Ethernet interface. However, a dialer bundle can only have one Ethernet interface. A PPPoE session uniquely corresponds to a dialer bundle, and vice versa. IPv6 PPPoE sessions cannot be packet-triggered PPPoE sessions. To configure a PPPoE session: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Ethernet interface view. interface interface-type interface-number N/A 3.
[Router-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[Router-Virtual-Template1] remote address 1.1.1.2
[Router-Virtual-Template1] quit
# Configure the PPPoE server.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] pppoe-server bind virtual-template 1
2.
[Firewall-Dialer1] quit
[Firewall] local-user user1
[Firewall-luser-user1] password simple hello
[Firewall-luser-user1] quit
# Configure the PPPoE session.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] pppoe-client dial-bundle-number 1
Configuration example for connecting a LAN to the Internet using an ADSL modem
Network requirements
As shown in Figure 72:
• Firewall provides Internet access for Host A, Host B, and Host C.
[Firewall-Dialer1] ip address ppp-negotiate
[Firewall-Dialer1] ppp pap local-user user1 password cipher 123456
[Firewall-Dialer1] quit
# Configure a PPPoE session.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] pppoe-client dial-bundle-number 1
[Firewall-GigabitEthernet0/1] quit
# Configure an Internet interface for the LAN and configure the default route.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 192.168.1.1 255.255.255.
[Router-radius-test] primary accounting 10.110.91.146 1813
[Router-radius-test] key authentication expert
[Router-radius-test] key accounting expert
[Router-radius-test] server-type extended
[Router-radius-test] user-name-format with-domain
[Router-radius-test] quit
For more information about RADIUS, see Access Control Configuration Guide.
Configuring Layer 2 forwarding Layer 2 forwarding includes the following categories: • Normal • Inline • Inter-VLAN Configuring normal Layer 2 forwarding Normal Layer 2 forwarding can be configured only at the CLI. If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer 3 interface, the device forwards the packet through that interface. If not, the device performs normal Layer 2 forwarding through a Layer 2 interface.
Blackhole type—A packet received on an interface is discarded. A complete configuration contains an ID, which uniquely identifies an inline Layer 2 forwarding entry, and one interface. • The inline Layer 2 forwarding feature is supported on interfaces and subinterfaces. Configuration restrictions and guidelines • An interface can only belong to one inline forwarding entry, and the last configured port inline-interfaces id command on an Ethernet interface takes effect.
Figure 74 Adding an inline forwarding policy 3. Configure the inline forwarding policy as described in Table 19. 4. Click Apply. Table 19 Configuration items Item Description Policy ID Set the ID for identifying an inline forwarding policy. Policy Type Select the inline forwarding type, which can be forward, blackhole, or reflect. Port 1 Assign a port to the inline forwarding policy. Port 2 Assign a port to the inline forwarding policy when the forwarding type is Forward.
Figure 75 Adding a forward-type inline forwarding policy Blackhole-type inline forwarding configuration example 1. Network requirements Packets coming from GigabitEthernet 0/1 must be discarded. Configure blackhole-type inline forwarding on GigabitEthernet 0/1. Before configuration, make sure the GigabitEthernet 0/1 interface operates in bridge mode and has been added to a zone. 2. Add a blackhole-type inline forwarding policy: a. Select Network > Forwarding from the navigation tree. b.
Step Command Remarks
1. Enter system view. system-view N/A
2. Configure an inline Layer 2 forwarding entry. inline-interfaces id [ blackhole | reflect ] N/A
3. Enter Layer 2 Ethernet interface view. interface interface-type interface-number N/A
4. Assign an interface to the inline Layer 2 forwarding entry. port inline-interfaces id By default, an interface does not belong to any inline Layer 2 forwarding entry.
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] port inline-interfaces 1
Configuration guidelines
When you configure inline forwarding, follow these guidelines:
• Inline forwarding is applicable to Layer 2 Ethernet interfaces and subinterfaces.
• An interface can be assigned to only one inline forwarding policy. If you assign an interface to multiple policies, the last configuration takes effect.
Configuration procedure To achieve Layer 2 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall card. Perform the following configurations to achieve Layer 2 forwarding between two VLANs:
1. Configure the switch:
• Create two VLANs. Assign the two access ports to different VLANs.
2.
Step Command Remarks
2. Create a VLAN for the firewall card and enter VLAN view. vlan vlan-id N/A
3. Exit to system view. quit N/A
4. Enter the view of the ten-GigabitEthernet interface that connects to the switch. interface ten-gigabitethernet interface-number N/A
Configure the operating mode of the interface as Layer 2. port link-mode bridge The default operating mode depends on the device model.
Configure the link type of the ten-GigabitEthernet interface as trunk.
Displaying and maintaining inter-VLAN Layer 2 forwarding Task Command Remarks Display VLAN information. display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | interface interface-type interface-number.subnumber | reserved | static ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display brief interface/subinterface information. display interface [ interface-type [ interface-number | interface-number.
Configuration procedure
1. Configure the switch:
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
system-view
[Sysname] vlan 102
[Sysname-vlan102] port gigabitethernet 3/0/1
[Sysname-vlan102] quit
[Sysname] vlan 103
[Sysname-vlan103] port gigabitethernet 3/0/2
[Sysname-vlan103] quit
# Configure the link type of Ten-GigabitEthernet 2/0/1 as trunk, assign the trunk port to VLAN 102 and VLAN 103, and set VLAN 100 as the default VLAN.
Displaying frame forwarding statistics This section describes how to display frame forwarding statistics in the Web interface. For information about displaying frame forwarding statistics at the CLI, see Displaying and maintaining normal Layer 2 forwarding and Displaying and maintaining inline Layer 2 forwarding. Overview The frame forwarding statistics module allows you to display the frame forwarding statistics of all the Layer 2 interfaces on the device.
DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Dynamic IP address allocation process Figure 81 Dynamic IP address allocation process 1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. 2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format." 3.
DHCP message format Figure 82 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 82 DHCP message format • op—Message type defined in option field. 1 = REQUEST, 2 = REPLY • htype, hlen—Hardware address type and length of the DHCP client. • hops—Number of relay agents a request message traveled.
DHCP options DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 83 DHCP option format Common DHCP options The following are common DHCP options: • Option 3—Router option. It specifies the gateway address. • Option 6—DNS server option. It specifies the DNS server's IP address. • Option 33—Static route option.
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password. • Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters. For more information about CPE and ACS, see System Management and Maintenance Configuration Guide.
Relay agent option (Option 82) Option 82 is the relay agent option in the option field of the DHCP message. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server. The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting.
• Sub-option 1—Contains the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All other padding contents of sub-option 1 are variable in length. See Figure 89.
• Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port on a centralized device or slot number of the receiving port on a distributed device) and port (number of the receiving port). The value of the sub-option type is 1, and the value of the circuit ID type is 0. Figure 93 Sub-option 1 in standard padding format
• Sub-option 2—Contains the MAC address of the DHCP snooping device that received the client's request.
Configuring the DHCP server Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically. • Most hosts do not need fixed IP addresses.
2. If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool. If no IP address is available in the address pool, the DHCP server fails to assign an address to the client. For the configuration of such an address pool, see "Configuring dynamic address allocation for an extended address pool." 3.
Configuring the DHCP server in the Web interface Recommended configuration procedure
Step Remarks
1. Enabling DHCP Required. Enable DHCP globally. By default, global DHCP is disabled.
2. Creating an address pool for the DHCP server: Use either method. IMPORTANT:
Figure 94 DHCP configuration page Creating a static address pool for the DHCP server 1. From the navigation tree, select Network > DHCP > DHCP Server. The DHCP configuration page shown in Figure 94 appears. 2. Select the Static option in the Address Pool field to view all static address pools. 3. Click Add. The page for creating a static address pool appears.
Figure 95 Creating a static address pool 4. Configure the static address pool as described in Table 20. 5. Click Apply. Table 20 Configuration items Item Description IP Pool Name Enter the name of the static address pool. IP Address Enter an IP address and a mask. Mask The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict might occur and the bound client cannot obtain an IP address correctly.
Item Description
Gateway Address Enter the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway. You can specify gateways in each address pool and the DHCP server assigns gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address Enter the DNS server addresses for the client.
5. Click Apply.
Table 21 Configuration items
Item Description
IP Pool Name Enter the name of a dynamic address pool.
IP Address / Mask Enter an IP address segment for dynamic allocation. You can enter a mask length or a mask in dotted decimal notation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
Lease Duration Unlimited Configure the address lease duration for the address pool.
Figure 97 Configuring a DHCP server interface 3. Select the Enable option. 4. Click Apply.
Table 22 Configuration items
Item Description
Interface Name This field displays the name of a specific interface.
DHCP Server Enable or disable the DHCP server on the interface. Upon receiving a DHCP request from a client, the interface with the DHCP server disabled neither assigns an IP address to the client, nor serves as a DHCP relay agent to forward the request.
Static IP address assignment configuration example Network requirements As shown in Figure 99, the DHCP client (Router A) and the BOOTP client (Router B) obtain a static IP address, DNS server address, gateway address, and other related parameters from the DHCP server (Firewall). The client ID of Ethernet 1/1 on Router A is: 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30. The MAC address of Ethernet 1/1 on Router B is: 000f-e200-01c0. Figure 99 Network diagram Gateway 10.1.1.
Figure 100 Enabling the DHCP service 3. Configure the static address pool 0 to assign a static IP address to Router A: a. Click Add in the Address Pool area. b. In the Address Pool area, the Static option is selected by default. Clicking Add guides you to create a static address pool.
Figure 101 Creating a static address pool c. Enter 0 for IP Pool Name, enter 10.1.1.5 for IP Address, enter 25 for Mask, select Client ID option, and enter the client ID: 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30. d. Enter 10.1.1.126 for Gateway Address, and 10.1.1.2 for DNS Server Address. e. Click Apply. 4. Configure the static address pool 1 to assign a static IP address to Router B: a. Click Add in the Address Pool field. b. Enter 1 for IP Pool Name, 10.1.1.
Figure 102 Creating a static address pool 5. Enable the DHCP server on GigabitEthernet 0/1. With DHCP enabled, interfaces operate in the DHCP server mode: a. In the Interface Configuration field, click the icon next to GigabitEthernet 0/1. b. On the DHCP Server Interface Config page, select the Enable option. c. Click Apply. Figure 103 Enabling DHCP server on interface GigabitEthernet 0/1 Verifying the configuration Router A and Router B can obtain IP addresses 10.1.1.5 and 10.1.1.
Address pool 10.1.1.128/25 has an address lease duration of five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, gateway address 10.1.1.254/25, and no WINS server address. The domain name suffix and DNS server address in address pools 10.1.1.0/25 and 10.1.1.128/25 are the same. Therefore, the domain name suffix and DNS server address need to be configured only for subnet 10.1.1.0/24. Subnets 10.1.1.0/25 and 10.1.1.128/25 can inherit the configuration of subnet 10.1.1.0/24.
Figure 105 Enabling the DHCP service 3. Configure DHCP parent address pool 0 (network segment, client domain name suffix, and DNS server address): a. Select the Dynamic option in the Address Pool field. b. Click Add. c. Enter pool0 for IP Pool Name, 10.1.1.0 for IP Address, 255.255.255.0 for Mask, aabbcc.com for Client Domain Name, and 10.1.1.2 for DNS Server Address. d. Click Apply.
4. Configure DHCP child address pool 1 (network segment, gateway, lease duration, and WINS server address): a. Click Add in the address pool field. (The Dynamic option must be selected.) b. Enter pool1 for IP Pool Name, enter 10.1.1.0 for IP Address, enter 255.255.255.128 for Mask, set Lease Duration to 10 days, 12 hours, 0 minutes, and 0 seconds, enter 10.1.1.126 for Gateway Address, and enter 10.1.1.4 for WINS Server Address. c. Click Apply. Figure 107 Configure DHCP child address pool 1 5.
Verifying the configuration Clients in subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain corresponding IP addresses and other configuration information from the DHCP server Firewall. From the navigation tree, select Network > DHCP > DHCP Server on Firewall and view the client IP address assigned by the DHCP server in Address in Use. Configuring the DHCP server at the CLI DHCP server configuration task list Task Remarks Configuring an address pool on the DHCP server Required. Enabling DHCP Required.
Task Remarks Specifying a server's IP address for the DHCP client Configuring self-defined DHCP options Creating a DHCP address pool When you create a DHCP address pool, specify it as a common address pool or an extended address pool. To create a DHCP address pool: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a DHCP address pool and enter its view. dhcp server ip-pool pool-name [ extended ] No DHCP address pool is created by default.
When the device serves as a DHCP client or BOOTP client, you must bind the DHCP client's ID to an IP address, or bind the BOOTP client's MAC address to an IP address on the DHCP server. Otherwise, the DHCP or BOOTP client cannot obtain a static IP address. If the interfaces on a DHCP client share the same MAC address, specify the client ID, rather than the MAC address, in a static binding to identify the requesting interface. If you do not do this, the client might fail to obtain an IP address.
Step Command Remarks
3. Specify a subnet. network network-address [ mask-length | mask mask ] Optional. Not specified by default.
4. Specify the IP address range on the subnet for dynamic allocation. network ip range min-address max-address Optional. Not specified by default.
5. Specify the address lease duration. expired { day day [ hour hour [ minute minute ] [ second second ] ] | unlimited } Optional. One day by default.
6. Return to system view. quit N/A
Configuring a domain name suffix for the client You can specify a domain name suffix in each DHCP address pool on the DHCP server to provide the clients with the domain name suffix. With this suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring IPv4 DNS." To configure a domain name suffix in the DHCP address pool: Step Command Remarks 1. Enter system view.
Step Command Remarks
2. Enter DHCP address pool view. dhcp server ip-pool pool-name [ extended ] N/A
3. Specify WINS servers. nbns-list ip-address&<1-8> Optional for b-node. No WINS server is specified by default.
4. Specify the NetBIOS node type. netbios-type { b-node | h-node | m-node | p-node } Not specified by default.
To configure the IP address and name of the TFTP server and the bootfile name in the DHCP address pool:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter DHCP address pool view. dhcp server ip-pool pool-name [ extended ] N/A
3. Specify the IP address or the name of the TFTP server. • Specify the TFTP server: tftp-server ip-address ip-address • Specify the name of the TFTP server: Not specified by default.
Specify the bootfile name. bootfile-name bootfile-name Not specified by default.
Step Command Remarks 2. Enter DHCP address pool view. dhcp server ip-pool pool-name [ extended ] N/A 3. Configure a self-defined DHCP option. option code { ascii ascii-string | hex hex-string&<1-16> | ip-address ip-address&<1-8> } No self-defined DHCP option is configured by default. See Table 24 for a description of common options and corresponding commands.
When the DHCP server and client are on the same subnet: • With the keyword subaddress specified, the DHCP server preferably assigns an IP address from an address pool that resides on the same subnet as the primary IP address of the server interface (connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP address from an address pool that resides on the same subnet as the secondary IP addresses of the server interface.
Configuring the DHCP server security functions Configuration prerequisites Before you perform this configuration, complete the following configurations on the DHCP server: 1. Enable DHCP. 2. Configure the DHCP address pool. Enabling unauthorized DHCP server detection Unauthorized DHCP servers on a network might assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option).
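As an added example (not code from the HP guide), the following Python parses the DHCP message layout described above (op, htype, hlen, hops, giaddr, options), decodes the Option 82 sub-options, and applies the Option 54 check that unauthorized DHCP server detection performs on a DHCP-REQUEST. The function names, the sample addresses (192.0.2.9 as the rogue server, the relay MAC), and the byte layout of a standard-format circuit ID (type 0, length 4, VLAN ID, module, port) are assumptions drawn from the description above.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP option field
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT = 53, 54, 82
DHCP_REQUEST = 3


@dataclass
class DhcpMessage:
    op: int          # 1 = request, 2 = reply
    htype: int       # hardware address type of the client
    hlen: int        # hardware address length
    hops: int        # incremented by each relay agent the request crossed
    xid: int
    giaddr: str      # relay agent address; 0.0.0.0 when no relay is involved
    chaddr: bytes
    options: Dict[int, bytes] = field(default_factory=dict)


def _ipv4(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ipv4_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Walk a code/length/value sequence; the option field and the
    sub-options nested inside Option 82 share this layout."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is shorter than its length byte")
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp(packet: bytes) -> DhcpMessage:
    """Decode the fixed 236-byte BOOTP header, then the options after the cookie."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or no magic cookie)")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    return DhcpMessage(op, htype, hlen, hops, xid, giaddr=_ipv4(packet[24:28]),
                       chaddr=packet[28:28 + hlen], options=parse_tlv(packet[240:]))


def decode_option82(value: bytes) -> dict:
    """Sub-option 1 is the circuit ID, sub-option 2 the remote ID. The standard
    circuit ID layout (type 0, length 4, VLAN ID, module, port) is assumed."""
    subs = parse_tlv(value)
    result = {"circuit_id_raw": subs.get(1), "remote_id_raw": subs.get(2)}
    cid = subs.get(1)
    if cid and len(cid) == 6 and cid[0] == 0 and cid[1] == 4:
        vlan, module, port = struct.unpack("!HBB", cid[2:])
        result["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
    return result


def check_server_identifier(msg: DhcpMessage, authorized: set) -> str:
    """A DHCP-REQUEST names in Option 54 the server whose offer the client
    accepted; a value outside the authorized set points at a rogue server."""
    if msg.options.get(OPT_MSG_TYPE) != bytes([DHCP_REQUEST]):
        return "not-a-request"
    sid = msg.options.get(OPT_SERVER_ID)
    if sid is None:
        return "no-server-id"
    addr = _ipv4(sid)
    return "ok" if addr in authorized else f"unauthorized-server:{addr}"


def build_request(xid: int, chaddr: bytes, giaddr: str,
                  options: List[Tuple[int, bytes]]) -> bytes:
    # Constructed sample input: a DHCP-REQUEST that crossed one relay (hops = 1).
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)  # flags: broadcast
    header += bytes(12) + _ipv4_bytes(giaddr)  # ciaddr, yiaddr, siaddr (zero), giaddr
    header += chaddr.ljust(16, b"\x00") + bytes(64) + bytes(128)  # chaddr, sname, file
    body = b"".join(bytes([code, len(v)]) + v for code, v in options) + bytes([OPT_END])
    return header + MAGIC_COOKIE + body


# Constructed sample: a client behind the relay at 10.10.1.1 accepted an offer
# from 192.0.2.9, which is not the authorized server 10.1.1.1 of this chapter.
CLIENT_MAC = bytes.fromhex("000fe20001c0")
SAMPLE_OPTION82 = (bytes([1, 6, 0, 4]) + struct.pack("!HBB", 102, 1, 1)  # VLAN 102
                   + bytes([2, 8, 0, 6]) + bytes.fromhex("000fe2000001"))  # relay MAC
SAMPLE_REQUEST = build_request(0x3903F326, CLIENT_MAC, "10.10.1.1", [
    (OPT_MSG_TYPE, bytes([DHCP_REQUEST])),
    (OPT_SERVER_ID, _ipv4_bytes("192.0.2.9")),
    (OPT_RELAY_AGENT, SAMPLE_OPTION82)])

if __name__ == "__main__":
    m = parse_dhcp(SAMPLE_REQUEST)
    print(m.giaddr, m.hops, decode_option82(m.options[OPT_RELAY_AGENT]),
          check_server_identifier(m, {"10.1.1.1"}))
```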
address of the client. Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. To enable offline detection: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Enable offline detection. dhcp server client-detect enable Disabled by default.
The maximum IP address utilization of the address pool • Trap messages help network administrators know the latest usage information about the DHCP server. To specify the threshold for sending trap messages: Step Command Remarks 1. Enter system view. system-view N/A 2. Specify the threshold for sending trap messages to the network management server. dhcp server threshold { allocated-ip threshold-value | average-ip-use threshold-value | max-ip-use threshold-value } Optional. Disabled by default.
Static IP address assignment configuration example Network requirements As shown in Figure 109, Firewall (DHCP server) assigns a static IP address, DNS server address, and gateway address to Router A (DHCP client) and Router B (BOOTP client), respectively. The MAC address of the interface GigabitEthernet 0/1 on Router B is 000f-e200-01c0. The client ID of the interface GigabitEthernet 0/1 on Router A is: 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30.
[Firewall-dhcp-pool-1] static-bind ip-address 10.1.1.6 25
[Firewall-dhcp-pool-1] static-bind mac-address 000f-e200-01c0
[Firewall-dhcp-pool-1] dns-list 10.1.1.2
[Firewall-dhcp-pool-1] gateway-list 10.1.1.126
Verifying the configuration
Router A can obtain IP address 10.1.1.5 and other network parameters, and Router B can obtain IP address 10.1.1.6 and other network parameters from Firewall.
# Enable the DHCP server on GigabitEthernet 0/1 and GigabitEthernet 0/2.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] dhcp select server global-pool
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] dhcp select server global-pool
[Firewall-GigabitEthernet0/2] quit
# Exclude IP addresses from dynamic allocation (addresses of the DNS server, WINS server, and gateways).
[Firewall] dhcp server forbidden-ip 10.1.1.
value of the sub-option length. The numbers 00 00 are the value of the PXE server type. The number 02 indicates the number of servers. The numbers 01 02 03 04 02 02 02 02 indicate that the PXE server addresses are 1.2.3.4 and 2.2.2.2. Figure 111 Network diagram Configuration procedure 1. Specify IP address for interface GigabitEthernet 0/1. (Details not shown.) 2. Configure the DHCP server: # Enable DHCP. system-view [Firewall] dhcp enable # Enable the DHCP server on GigabitEthernet 0/1.
3. Enable the network adapter or connect the network cable. Release the IP address and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client: a. In the Windows environment, select Start > Run. b. Enter cmd in the dialog box, and click OK to open the command line interface. c. Enter ipconfig /release to relinquish the IP address. d. Enter ipconfig /renew to obtain another IP address.
Configuring the DHCP relay agent The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment.
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode. 2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
Configuring the DHCP relay agent in the Web interface Recommended configuration procedure
Step Remarks
1. Enabling DHCP and configuring advanced parameters for the DHCP relay agent Required. Enable DHCP globally and configure advanced DHCP parameters, including unauthorized DHCP server detection and periodic refresh of dynamic client entries. By default, global DHCP is disabled.
2. Required.
Figure 114 DHCP relay agent configuration page 4. Configure advanced parameters for the DHCP relay agent as described in Table 26. 5. Click Apply.
Table 26 Configuration items
Item Description
DHCP Service Enable or disable global DHCP.
Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks that reply to DHCP clients with wrong IP addresses.
Item Description
Dynamic Bindings Refresh Enable or disable periodic refresh of dynamic client entries, and set the refresh interval. Through the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case, the DHCP relay agent simply conveys the message to the DHCP server and does not remove the corresponding client entry. To solve this problem, you can enable the periodic refresh of dynamic client entries.
Enabling the DHCP relay agent on an interface 1. From the navigation tree, select Network > DHCP > DHCP Relay. The DHCP relay agent configuration page appears, as shown in Figure 114. In the Interface Config field, the DHCP relay agent state of interfaces is displayed. 2. Click the icon next to a specific interface. The page for configuring a DHCP relay agent interface appears. Figure 116 Configuring a DHCP relay agent interface 3. Configure a DHCP relay agent interface as described in Table 28. 4.
The page for creating a static IP-to-MAC binding as shown in Figure 118 appears. Figure 117 Displaying IP-to-MAC bindings Figure 118 Creating a static IP-to-MAC binding 4. Configure clients' IP-to-MAC bindings as described in Table 29. 5. Click Apply. Table 29 Configuration items Item Description IP Address Enter the IP address of a DHCP client. MAC Address Enter the MAC address of the DHCP client. Select the Layer 3 interface connected with the DHCP client.
Figure 119 Network diagram (Firewall as DHCP relay: GE0/1 10.10.1.1/24 facing the DHCP clients, GE0/2 10.1.1.2/24 facing Router's Eth1/1 10.1.1.1/24, the DHCP server)
Configuring Firewall You must also configure the DHCP server on Router. For more information about DHCP server configuration, see "Configuring the DHCP server." Because the DHCP relay agent and server are on different subnets, you need to configure static routing or a dynamic routing protocol to make them reachable to each other. 1.
Figure 120 Enabling the DHCP service 3. Configure a DHCP server group: a. In the Server Group field, click Add. b. Enter 1 for Server Group ID. c. Enter 10.1.1.1 for IP Address. d. Click Apply. Figure 121 Creating a DHCP server group 4. Enable the DHCP relay agent on GigabitEthernet 0/1: a. In the Interface Config field, click the icon of GigabitEthernet 0/1. b. Select the Enable option in the DHCP Relay field. c. Select 1 for Server Group ID.
d. Click Apply. Figure 122 Enabling DHCP relay agent on interface GigabitEthernet 0/1 After the preceding configuration is complete, DHCP clients can obtain IP addresses and other configuration information from the DHCP server through the DHCP relay agent. Configuring the DHCP relay agent at the CLI DHCP relay agent configuration task list Task Remarks Enabling DHCP Required. Enabling the DHCP relay agent on an interface Required.
An IP address pool that contains the IP address of the DHCP relay agent interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses. To enable the DHCP relay agent on an interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Enable the DHCP relay agent on the current interface.
Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks by using fixed IP addresses.
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable periodic refresh of dynamic client entries. dhcp relay security refresh enable Optional. Enabled by default.
3. Configure the refresh interval. dhcp relay security tracker { interval | auto } Optional. The default setting is auto. The auto interval is calculated by the relay agent according to the number of client entries.
Enabling unauthorized DHCP server detection
Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Enable MAC address check. dhcp relay check mac-address The default setting is disabled. A DHCP relay agent changes the source MAC addresses of DHCP packets before forwarding them out. Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients.
To support Option 82, you must perform related configurations on both the DHCP server and relay agent. For more information about DHCP server configuration, see "Configuring the DHCP server." If the handling strategy of the DHCP relay agent is configured as replace, you must configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format. The system name (sysname) if padded in sub-option 1 (node identifier) of Option 82 must not contain spaces.
Displaying and maintaining the DHCP relay agent Task Command Remarks Display information about DHCP server groups correlated to a specific or all interfaces. display dhcp relay { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] Available in any view. Display Option 82 configuration information on the DHCP relay agent.
Figure 123 Network diagram (DHCP clients attach to Firewall GE0/1 10.10.1.1/24; Firewall GE0/2 10.1.1.2/24 connects to Router GE0/1 10.1.1.1/24, which is the DHCP server; Firewall is the DHCP relay agent) Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[Firewall] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] dhcp select relay
# Correlate GigabitEthernet 0/1 to DHCP server group 1.
[Firewall-GigabitEthernet0/1] dhcp relay server-select 1
# Enable the DHCP relay agent to handle Option 82, and perform Option 82-related configurations.
Configuring DHCP client The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. You cannot configure an interface of an aggregation group as a DHCP client. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Displaying and maintaining the DHCP client Task Command Remarks Display specified configuration information. display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. DHCP client configuration example Network requirements As shown in Figure 125, Firewall contacts the DHCP server through GigabitEthernet 0/1 to obtain an IP address, DNS server address, and static route information.
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from automatic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
2.
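The option 121 hex string in the pool above is an RFC 3442 classless static route: prefix length 0x18 (24), the three significant octets of 20.1.1.0, then the router 10.1.1.2. The following Python is an added example, not part of the HP guide, that encodes and decodes that format so the octets can be checked before they are typed into the pool, and it rejects truncated or malformed entries rather than accepting a partial route:

```python
import ipaddress


def encode_option121(routes):
    """Encode (destination, router) pairs as DHCP option 121 (RFC 3442).

    Each route is one byte of prefix length, then only the significant
    octets of the destination network, then the 4-byte router address.
    """
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)      # strict: host bits must be zero
        sig = (net.prefixlen + 7) // 8         # number of significant octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(data):
    """Decode option 121 bytes into a list of (destination, router) strings.

    Raises ValueError for a prefix length over 32, a truncated entry, or
    non-zero host bits inside the significant octets.
    """
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + sig] + b"\x00" * (4 - sig)   # pad back to 4 octets
        i += sig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=True (the default) raises if host bits are set in the destination
        net = ipaddress.IPv4Network((int.from_bytes(dest, "big"), plen))
        routes.append((str(net), str(router)))
    return routes


def is_valid_option121(data):
    """True when the bytes decode cleanly; useful as a pre-check on hand-typed hex."""
    try:
        decode_option121(data)
        return True
    except ValueError:
        return False


def cli_hex(data):
    """Render bytes the way the pool command expects: space-separated hex octets."""
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    # Constructed input matching the pool configuration above.
    blob = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print("option 121 hex", cli_hex(blob))
    print(decode_option121(bytes.fromhex("18 14 01 01 0A 01 01 02")))
```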
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0 127.0.0.1/32 Direct 0 0 127.0.0.
Configuring BOOTP client BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. You cannot configure an interface of an aggregation group as a BOOTP client.
Configuring the BOOTP client in the Web interface For more information about configuring the BOOTP client in the Web interface, see "Configuring interfaces management." Configuring the BOOTP client at the CLI Configuring an interface to dynamically obtain an IP address through BOOTP Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Configure an interface to dynamically obtain an IP address through BOOTP.
Figure 126 Network diagram Configuration procedure The following describes only the configuration on Firewall serving as a client. # Configure GigabitEthernet 0/1 to dynamically obtain an IP address by using BOOTP.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
The DNS client comprises the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query next time.
Figure 128 DNS proxy networking application A DNS proxy operates as follows: 1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. 2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client. 3.
• The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms. Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server, if it cannot find a match in the local domain name resolution table.
Static name resolution table configuration task list Task Remarks Configuring static name resolution entries Required. By default, no name-IP address mapping exists in a static name resolution table. Dynamic domain name resolution configuration task list Task Remarks Configuring dynamic domain name resolution Required. This function is disabled by default. Configuring DNS server addresses Required. Not configured by default. Configuring domain name suffixes Optional. Not configured by default.
Figure 131 Creating a static domain name resolution entry 3. Type the name and IP address. (Each name corresponds to one IP address only. If you configure multiple IP addresses for a host name, the one last configured takes effect.) 4. Click Apply. Configuring dynamic domain name resolution NOTE: The device can resolve a maximum of four IP addresses for a domain name. 1. From the navigation tree, select Network > DNS > Dynamic.
2. Select the Enable option for DNS Proxy. 3. Click Apply. Configuring DNS server addresses 1. From the navigation tree, select Network > DNS > Dynamic. The dynamic domain name resolution configuration page appears, as shown in Figure 132. 2. Click Add IP. The page for configuring a DNS server address appears. 3. Enter the IP address of the DNS server. 4. Click Apply. Figure 133 Configuring a DNS server address Configuring domain name suffixes 1.
Dynamic domain name resolution configuration example Network requirements The IP address of the DNS server is 2.1.1.2/16 and the domain name suffix is com. Firewall serving as a DNS client uses dynamic domain name resolution to access the host with the domain name host.com and the IP address 3.1.1.1/16, as shown in Figure 135.
a. In Figure 137, right-click zone com. b. Select New Host. A dialog box as shown in Figure 138 appears. c. Enter host name host and IP address 3.1.1.1. d. Click Add Host.
Figure 138 Adding a mapping between domain name and IP address Configuring the DNS client 1. Enable dynamic domain name resolution: a. From the navigation tree, select Network > DNS > Dynamic. b. Select the Enable option for Dynamic DNS. c. Click Apply. Figure 139 Enabling dynamic domain name resolution 2. Configure the DNS server address: a. Click Add IP.
b. Enter 2.1.1.2 for DNS Server IP Address. c. Click Apply. Figure 140 Configuring a DNS server address 3. Configure the domain name suffix: a. Click Add Suffix. b. Enter com for DNS Domain Name Suffix. c. Click Apply. Figure 141 Configure the domain name suffix Verifying the configuration On the DNS client, ping the host name host: 1. From the navigation tree, select Network > Diagnostic Tools. The Ping operation page appears. 2. Enter the destination host name host. 3. Click Start. 4.
Figure 142 Result of the ping operation Configuring IPv4 DNS at the CLI Configuring static domain name resolution Configuring static domain name resolution refers to specifying the mappings between host names and IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses. To configure static domain name resolution: Step Command Remarks 1. Enter system view. system-view N/A 2. Not configured by default.
Configuration guidelines Follow these guidelines when you configure dynamic domain name resolution: • You can configure up to six DNS servers, including those with IPv6 addresses, in system view, and up to six DNS servers on all interfaces of a device. • A DNS server configured in system view has a higher priority than one configured in interface view. A DNS server configured earlier has a higher priority than one configured later in the same view.
Step Command Remarks 3. Specify a DNS server. • Method 1 (in system view): dns server ip-address • Method 2 (in interface view): a. interface interface-type interface-number b. dns server ip-address No DNS server is specified by default. Configuring DNS spoofing DNS spoofing is effective only when: • The DNS proxy is enabled on the device. • No DNS server or route to any DNS server is specified on the device. To configure DNS spoofing: Step Command Remarks 1. Enter system view.
Task Command Remarks Display DNS suffixes. display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display information about the dynamic IPv4 domain name cache. display dns host ip [ | { begin | exclude | include } regular-expression ] Available in any view. Clear information about the dynamic IPv4 domain name cache. reset dns host ip Available in user view.
round-trip min/avg/max = 1/2/4 ms Dynamic domain name resolution configuration example Network requirements As shown in Figure 144, the firewall wants to access the host by using an easy-to-remember domain name rather than an IP address, and to request the DNS server on the network for an IP address by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.1/16.
Figure 145 Creating a zone c. On the DNS server configuration page, right-click zone com, and select New Host. Figure 146 Adding a host d. On the page that appears, enter host name host and IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created.
Figure 147 Adding a mapping between domain name and IP address 2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2.1.1.2.
[Firewall] dns server 2.1.1.2
# Configure com as the name suffix.
[Firewall] dns domain com
Verifying the configuration # Use the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.
DNS proxy configuration example Network requirements When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function. As shown in Figure 148: • Specify Firewall as the DNS server of Device (the DNS client). Firewall acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1. • Configure the IP address of the DNS proxy on Device.
[Device] dns server 2.1.1.2
Verifying the configuration # Execute the ping host.com command on Device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Device] ping host.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.
Configuring DDNS Overview Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
With the DDNS client configured, a device can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers at www.3322.org or www.oray.cn for example. The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (also known as the PeanutHull server), and www.dyndns.com.
Figure 151 Creating a DDNS entry 3. Configure DDNS as shown in Table 30. 4. Click Apply. Table 30 Configuration items Item Description Domain Name Specify the DDNS entry name, which is the only identifier of the DDNS entry. Server Provider Select the DDNS server provider, which can be 3322.org or PeanutHull. Specify the DDNS server name. After the server provider is selected, a DDNS server name appears automatically: • If the server provider is 3322.org, the server name is members.3322.org.
Item Description Associated Interface Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. IMPORTANT: You can apply at most two DDNS policies to one interface, and at most six to a host through DHCP. Other settings Specify the FQDN in the IP-to-FQDN mapping for update. The FQDN is the only identification of a node in the network.
Configuring Firewall Before configuring DDNS on Firewall, register at http://www.3322.org/ (account name: steven and password: nevets), add Firewall's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other. 1. Enable dynamic domain name resolution: a. From the navigation tree, select Network > DNS > Dynamic. b. Select the Enable option for Dynamic DNS. c. Click Apply. Figure 153 Enabling dynamic domain name resolution 2.
c. Enter 3322 for Domain Name, select 3322.org from the Server Provider list, enter steven for Username, enter nevets for Password, select GigabitEthernet0/1 from the Associated Interface list, and enter whatever.3322.org for FQDN. d. Click Apply. Figure 155 Configuring DDNS Verifying the configuration After the preceding configuration is completed, Firewall notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org whenever its IP address changes.
http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=&myip= When a DDNS client contacts a PeanutHull DDNS server by using TCP, the URL address for update requests should be configured as: • oray://username:password@phservice2.oray.net Replace the parameters username and password in the URL with your actual login ID and password registered at the DDNS service provider's website. members.3322.org and phservice2.oray.net are the domain names of DDNS servers.
The URL address for an update request can start with http://, https://, or oray://. • http:// indicates the HTTP-based DDNS server. • https:// indicates the HTTPS-based DDNS server. • oray:// indicates the TCP-based PeanutHull server.
DDNS configuration example 1 Network requirements As shown in Figure 156, Firewall is a Web server with the domain name whatever.3322.org. Firewall acquires the IP address through DHCP. Through DDNS service provided by www.3322.org, Firewall informs the DNS server of the latest mapping between its domain name and IP address. The IP address of the DNS server is 1.1.1.1. Firewall uses the DNS server to translate www.3322.org into the corresponding IP address. Figure 156 Network diagram www.3322.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ddns apply policy 3322.org fqdn whatever.3322.org
After the preceding configuration is completed, Firewall notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.org, whenever the IP address of Firewall changes. Therefore, Firewall can always provide Web service at whatever.3322.org.
[Firewall] dns server 1.1.1.1
# Apply the DDNS policy to interface GigabitEthernet 0/1 to enable DDNS update and dynamically update the mapping between whatever.gicp.cn and the primary IP address of GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ddns apply policy oray.cn fqdn whatever.gicp.
Configuring ARP This chapter describes how to configure the Address Resolution Protocol (ARP). The term "router" in this document refers to routers and routing-capable firewalls. Overview ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet. ARP message format ARP uses two types of messages, ARP request and ARP reply. Figure 158 shows the format of the ARP request/reply.
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B. 2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request.
Dynamic ARP entry ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry. Static ARP entry A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry. Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
Creating a static ARP entry 1. From the navigation tree, select Firewall > ARP Management > ARP Table. The ARP Table configuration page shown in Figure 160 appears. 2. Click Add. The New Static ARP Entry page appears. Figure 161 Adding a static ARP entry 3. Configure a static ARP entry as described in Table 31. 4. Click Apply. Table 31 Configuration items Item Description IP Address Enter an IP address for the static ARP entry. MAC Address Enter a MAC address for the static ARP entry.
Figure 162 Dynamic entry management page 2. Click Disable all to disable all interfaces in the list from learning dynamic ARP entries. 3. Select the boxes in front of the interfaces and click Disable selected to disable the selected interfaces from learning dynamic ARP entries. 4. Click Enable all to enable all interfaces in the list to learn dynamic ARP entries. 5. Select the boxes in front of the interfaces and click Enable selected to enable the selected interfaces to learn dynamic ARP entries.
Figure 164 Network diagram Configuring Firewall Before the following configurations, if the operating mode of interface GigabitEthernet 0/1 is router mode, select Device Management > Interface from the navigation tree and change the operating mode of the interface to bridge mode. 1. Create VLAN 10: a. From the navigation tree, select Network > VLAN > VLAN. b. Click Add. The VLAN configuration page appears. c. Enter 10 for VLAN ID. d. Click Apply. Figure 165 Creating a VLAN 2.
Figure 166 Modifying VLAN configuration 3. Configure a security zone for interface GigabitEthernet 0/1 and VLAN 10. (Details not shown.) 4. Create VLAN-interface 10, and assign an IP address to it: a. From the navigation tree, select Device Management > Interface. b. Click Add. c. Set the interface name to Vlan-interface 10, select Static Address for IP Config, enter 192.168.1.2 for IP Address, and enter 24(255.255.255.0) for Mask. d. Click Apply. Figure 167 Creating an interface 5.
c. Enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options box, enter 10 for VLAN ID, and select GigabitEthernet0/1 for Port. d. Click Apply. Figure 168 Creating an ARP entry Configuring ARP at the CLI Configuring a static ARP entry A static ARP entry is effective when the device works correctly. If a VLAN or VLAN interface is deleted, all long static ARP entries in the VLAN are deleted, and all resolved short static ARP entries in the VLAN become unresolved.
Configuring the maximum number of dynamic ARP entries for an interface An interface can dynamically learn ARP entries, so it might hold too many ARP entries. To solve this problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the maximum number is reached, the interface stops learning ARP entries. A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.
With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request. To enable natural mask support for ARP requests: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable natural mask support for ARP requests. naturemask-arp enable Disabled by default.
Figure 169 Network diagram Configuration procedure # Create VLAN 10.
system-view
[Firewall] vlan 10
[Firewall-vlan10] quit
# Add interface GigabitEthernet 0/1 to VLAN 10.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] port link-type trunk
[Firewall-GigabitEthernet0/1] port trunk permit vlan 10
[Firewall-GigabitEthernet0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply. • Inform other devices of a change of its MAC address.
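The ARP message format, the rule that a static entry cannot be overwritten by a dynamic one (so a forged binding cannot displace it), the per-interface limit on dynamic entries, and the gratuitous ARP test (sender IP equals target IP) described above are exercised by the following Python. It is an added example, not code from the HP guide or from the firewall; the `ArpTable` class and all MAC and IP values in it are constructed for illustration:

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build the 28-byte Ethernet/IPv4 ARP request or reply body."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(body):
    """Parse an ARP body; a gratuitous ARP carries the sender's own IP as target IP."""
    if len(body) < struct.calcsize(ARP_FMT):
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return {
        "opcode": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
        "gratuitous": spa == tpa,
    }


class ArpTable:
    """Per-interface ARP table applying the entry rules from the guide (constructed)."""

    def __init__(self, max_dynamic=None):
        self.entries = {}            # ip -> (mac, "static" | "dynamic")
        self.max_dynamic = max_dynamic

    def add_static(self, ip, mac):
        # A static entry overwrites any dynamic entry for the same IP.
        self.entries[ip] = (mac, "static")

    def dynamic_count(self):
        return sum(1 for _, kind in self.entries.values() if kind == "dynamic")

    def learn(self, body):
        """Update the table from a received ARP message and report what happened."""
        msg = parse_arp(body)
        ip, mac = msg["sender_ip"], msg["sender_mac"]
        current = self.entries.get(ip)
        if current is not None and current[1] == "static":
            # Static entries are never modified by learned bindings; a mismatch
            # is worth logging because it may be an attempt to change the mapping.
            return "static-kept" if current[0] == mac else "static-conflict"
        if current is None and self.max_dynamic is not None \
                and self.dynamic_count() >= self.max_dynamic:
            return "limit-reached"   # the interface stops learning new entries
        self.entries[ip] = (mac, "dynamic")
        return "learned"
```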
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group. Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface. • If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
Configuring proxy ARP Proxy ARP can be configured only at the CLI. Overview Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP. • Common proxy ARP—Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
Local proxy ARP As shown in Figure 172, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects to GigabitEthernet 0/3 while Host B connects to GigabitEthernet 0/1. Enable local proxy ARP on Firewall to allow Layer 3 communication between the two hosts. Figure 172 Application environment of local proxy ARP (Firewall GE0/2 with Vlan-int2 192.168.10.100/16; Switch port-isolate group 2 in VLAN 2 with GE0/2 as uplink-port, Host A on GE0/3 and Host B on GE0/1; Host B 192.168.10.200/16)
Step Command Remarks 3. Enable local proxy ARP. local-proxy-arp enable [ ip-range startIP to endIP ] Disabled by default. Displaying and maintaining proxy ARP Task Command Remarks Display whether proxy ARP is enabled. display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display whether local proxy ARP is enabled.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/2.
[Firewall-GigabitEthernet0/2] proxy-arp enable
[Firewall-GigabitEthernet0/2] quit
# Configure the IP address of interface GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/1.
Configuration procedure 1. Configure the switch: # Add GigabitEthernet 0/3, GigabitEthernet 0/1, and GigabitEthernet 0/2 to VLAN 2. Configure port isolation for Host A and Host B.
Layer 3 forwarding configuration NOTE: For the configurations on a switch in a network that contains firewall cards and switches, see "Configuring Layer 3 subinterface forwarding." Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding. Layer 3 subinterface forwarding If the VLAN tag of an incoming packet matches the PVID of a subinterface of the receiving interface on the firewall, the firewall removes the Layer 2 header and sends the packet to the subinterface.
The following prerequisites are necessary for inter-VLAN Layer 3 forwarding: • The ingress interface and egress interface on the switch belong to different VLANs. • The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the firewall card are configured as trunk. • The operating mode of the firewall card's ten-GigabitEthernet port that connects to the switch is configured as Layer 2.
• Add these two subinterfaces to security zones. NOTE: To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall card. Then add the subinterfaces to security zones. Configure the ports of the switch Step Command Remarks 1. Enter system view. system-view N/A 2. Create a VLAN and enter VLAN view. vlan vlan-id N/A 3. Assign access ports to the VLAN.
Step Command Remarks 6. Assign an IP address to the subinterface. ip address ip-address { mask | mask-length } [ sub ] By default, no IP address is configured for the subinterface. 7. Add the subinterface to a security zone. Use either method. This security zone is for incoming packets. • Method 1 a. Enter security zone view from system view: zone name zone-name [ id zone-id ] b. Add the subinterface to the security zone: import interface interface-type interface-number [ vlan vlan-id ]
Task Command Remarks Display interface/subinterface state and related information. display interface [ interface-type [interface-number | interface-number.subnumber ] ] Available in any view. Clear interface/subinterface statistics. reset counters interface [ interface-type [ interface-number | interface-number.subnumber ] ] Available in user view.
Step Command Remarks 4. Create another VLAN and enter VLAN view. vlan vlan-id N/A 5. Assign access ports to the VLAN. port interface-list By default, all ports belong to VLAN 1. 6. Enter the view of the ten-GigabitEthernet interface that connects to the firewall card. interface ten-gigabitethernet interface-number N/A 7. Configure the link type of the interface as trunk. port link-type trunk N/A 8. Assign the trunk port to the two VLANs.
Step Command Remarks 10. Add the interface and the VLAN interface to a security zone. Use either method. This zone is for incoming packets. • Method 1 a. Enter security zone view from system view: zone name zone-name [ id zone-id ] b. Add the subinterface to the security zone: import interface interface-type interface-number [ vlan vlan-id ] • Method 2 Enter the Web page and select System > Zone.
Task Command Remarks Display interface/subinterface state and related information. display interface [ interface-type [interface-number | interface-number.subnumber ] ] Available in any view. Clear interface/subinterface statistics. reset counters interface [ interface-type [ interface-number | interface-number.subnumber ] ] Available in user view. Display VLAN information. display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | interface interface-type interface-number.
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
system-view
[Sysname] vlan 102
[Sysname-vlan102] port GigabitEthernet 3/0/1
[Sysname-vlan102] vlan 103
[Sysname-vlan103] port GigabitEthernet 3/0/2
[Sysname-vlan103] quit
# Configure the link type of ten-GigabitEthernet 2/0/1 as trunk and assign the trunk port to VLAN 102 and VLAN 103.
# Add ten-GigabitEthernet 0/0.2 to security zone Untrust.
Inter-VLAN Layer 3 forwarding configuration example Network requirements As shown in Figure 177, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a firewall card, and inter-VLAN Layer 3 forwarding needs to be configured. • Configure the operating mode of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of the switch as access. Assign them to VLAN 102 and VLAN 103 respectively.
Figure 177 Network diagram for inter-VLAN Layer 3 forwarding (firewall card XGE0/0 connects to switch XGE2/0/1; switch GE3/0/1 and GE3/0/2 each connect to an IP network) Configuration procedure 1. Configure the ports on the switch. # Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
# Add ten-GigabitEthernet 0/0 and VLAN-interface 103 to the security zone Untrust.
Configuring flow classification
Overview
Flow classification organizes packets with different characteristics into different classes by using certain match criteria. It is the basis for providing differentiated services. For a multi-core device, the control plane and data plane run on different kernels and threads respectively. The data plane processes packets based on flows. A flow identifies packets with the same characteristics (identical quintuple) and processing procedure.
QoS overview
In data communications, Quality of Service (QoS) is a network's ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones. For example, when bandwidth is fixed, more bandwidth for one traffic flow means less bandwidth for the other traffic flows.
QoS techniques overview
The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance. The following section briefly introduces these QoS techniques.
2. The QoS module takes various QoS actions on classified traffic as configured, depending on the traffic processing phase and network status. For example, you can configure the QoS module to perform traffic policing for incoming traffic, traffic shaping for outgoing traffic, congestion avoidance before congestion occurs, and congestion management when congestion occurs.
Non-MQC approach
In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the rate limit feature to limit the traffic rate on an interface without using a QoS policy.
Traffic policing
Traffic policing limits the traffic rate and resource usage according to traffic specifications. Once a particular flow exceeds its specifications, such as assigned bandwidth, the flow is policed to make sure it is under the specifications.
Figure 180 Traffic policing
Traffic policing is widely used in policing traffic entering the networks of ISPs. It can classify the policed traffic and take predefined policing actions on each packet depending on the evaluation result, for example:
• Forwarding the packet if the evaluation result is "conforming."
• Dropping the packet if the evaluation result is "excess."
Rate limit
Rate limit also uses token buckets to evaluate traffic specifications for traffic control.
Figure 181 Rate limit implementation
In the token bucket approach to traffic control, bursty traffic can be transmitted as long as enough tokens are available in the token bucket. If tokens are inadequate, packets cannot be transmitted until the system generates the required number of tokens in the token bucket. The traffic rate is restricted to the rate for generating tokens. The traffic rate is limited, and bursty traffic is allowed.
Recommended QoS policy configuration procedure
Step 1. Configuring a class.
Remarks: Optional. This task creates a class and configures classification rules for the class. The system-defined classes include default-class, ef, af1, af2, af3, af4, ip-prec0, ip-prec1, ip-prec2, ip-prec3, ip-prec4, ip-prec5, ip-prec6, and ip-prec7. You cannot modify or delete a system-defined class. Support for the system-defined classes depends on the device model.
Figure 182 Classes
2. Click Add to enter the page for creating a class.
Figure 183 Creating a class
3. Configure the class name and the operation type, as described in Table 33.
4. Click Apply.
Table 33 Configuration items
Item: Classifier Name
Description: Specify a name for the classifier to be created. Make sure the name is different from those of the system-defined classifiers, if any.
Configuring classification rules
1. Click the icon in the Operation column for the class to be configured in the class list to enter the page. On the upper part of the page, you can modify the basic information of the class. On the lower part of the page, information about all rules of the class is displayed.
Figure 184 Classification rule configuration page
2. Click Create to enter the page for creating a classification rule for the class.
Figure 185 Creating a classification rule for a class
3.
Item: ACL
Description: Define an ACL-based match criterion, and specify the ACL by number. You can select or enter an ACL number. The available ACLs are those configured in Firewall > ACL. For information about configuring an ACL, see Access Control Configuration Guide. If the specified ACL does not exist, you can successfully configure the match criterion, but it does not take effect.
Define a criterion to match a protocol group.
Figure 186 Behavior configuration page
2. Click Add to enter the page for creating a behavior.
Figure 187 Creating a behavior
3. Specify a name for the traffic behavior. Make sure the name is different from those of the system-defined traffic behaviors, if any.
4. Click Apply.
Configuring actions for the traffic behavior
1. Click the icon in the Operation column for the traffic behavior to be configured.
Figure 188 Configuring actions for a traffic behavior
2. Configure actions for the behavior, as described in Table 35.
3. Click Apply. A configuration progress dialog box appears.
4. Click Close when the dialog box prompts that the configuration succeeds.
Table 35 Configuration items
Item: Behavior Name
Description: Name of the traffic behavior being configured.
Item: Green (Discard / Pass / Pass (Remark DSCP))
Description: Set the action to perform for conforming packets (green packets):
• Discard—Drops the packets.
• Pass—Permits the packets to pass through.
• Pass (Remark DSCP)—Sets a specific DSCP value for the packets and permits the packets to pass through. With this option selected, you must select a DSCP value.
By default, conforming packets are permitted to pass through.
Item: IP Precedence
Description: Mark matching packets with the selected IP precedence.
Configuring a policy
To configure a policy, create it first and then configure class-behavior associations for it.
Creating a policy
1. Select Firewall > QoS > Policy from the navigation tree to enter the policy displaying page.
Figure 189 Policy configuration page
TIP: To delete a QoS policy, select the QoS policy from the Policy Name list, and then click Remove. The system-defined QoS policies cannot be deleted.
2. Click Add to enter the page for creating a policy.
Figure 190 Creating a QoS policy
3.
Figure 191 Selecting a policy name
2. Click Add Relation.
Figure 192 Associating a classifier with a behavior
3. Associate a class with a behavior. You can manually enter the class name and behavior name or select the class name and behavior name from the lists. If the specified class or behavior does not exist, the system automatically creates a null class and a null behavior.
4. Click Apply.
Applying the policy to an interface
1.
Figure 194 Applying a QoS policy to an interface
3. Apply the QoS policy to an interface, as described in Table 36.
4. Click Apply.
Table 36 Configuration items
Item: Interface Name
Description: Specify the interface to which the policy is to be applied.
Item: Policy Name
Description: Select the QoS policy to be applied.
Specify the direction in which the policy is to be applied.
• Inbound—Applies the policy to the incoming packets on the specified interface.
If the interface is a virtual interface, a tunnel interface for example, 0 kbps applies.
To set the port bandwidth limit:
1. Select Firewall > QoS > PortBandwidth from the navigation tree.
2. Click Setup to enter the page for configuring port bandwidth limit.
Figure 195 Port bandwidth
3. Configure the port bandwidth limit, as described in Table 37.
4. Click Apply.
Table 37 Configuration items
Item: Bandwidth Limit
Description: Enable or disable port bandwidth limit for selected ports.
Figure 196 QoS policy configuration procedure
Defining a class
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Create a class and enter class view.
Command: traffic classifier classifier-name [ operator { and | or } ]
Remarks: By default, the operator of a class is AND. The operator of a class can be AND or OR.
• AND—A packet is assigned to a class only when the packet matches all the criteria in the class.
• OR—A packet is assigned to a class if it matches any of the criteria in the class.
3.
Defining a policy
Configuring a policy
You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets. To associate a class with a behavior in a policy:
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Create a policy and enter policy view.
Command: qos policy policy-name
Remarks: N/A
Step 3. Associate a class with a behavior in the policy.
Displaying and maintaining QoS policies
Task: Display traffic class configuration.
Command: display traffic classifier { system-defined | user-defined } [ classifier-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display traffic behavior configuration.
Command: display traffic behavior { system-defined | user-defined } [ behavior-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
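The class, behavior and policy objects described in the two sections above, as an added example that is not code from the HP guide or its software: a traffic classifier holds match criteria joined by an AND or OR operator, a traffic behavior holds the packet-filter and remark actions, and a QoS policy associates classifiers with behaviors. The packet fields, the match helpers, the class and behavior names and the "first matching association wins" rule are assumptions of this model, not something the guide states.

```python
# Added example, not from the HP guide: a minimal model of MQC classifiers,
# behaviors and a QoS policy. Packet fields and match helpers are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Criterion = Callable[[Packet], bool]


def match_src(net: str) -> Criterion:
    """Basic ACL style rule on the source IP address (1.1.1.1 with wildcard 0.0.0.0 -> /32)."""
    network = ip_network(net, strict=False)
    return lambda p: ip_address(p["src"]) in network


def match_dst(net: str) -> Criterion:
    """Advanced ACL style rule on the destination IP address."""
    network = ip_network(net, strict=False)
    return lambda p: ip_address(p["dst"]) in network


def match_tcp_sport_not(port: int) -> Criterion:
    """Advanced ACL rule: protocol TCP (6) and source port not equal to the given port."""
    return lambda p: p["proto"] == 6 and p["sport"] != port


@dataclass
class TrafficClassifier:
    name: str
    operator: str = "and"                 # the default operator is AND
    criteria: List[Criterion] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        results = [c(pkt) for c in self.criteria]
        if not results:                   # assumption: a class without rules matches nothing
            return False
        return all(results) if self.operator == "and" else any(results)


@dataclass
class TrafficBehavior:
    name: str
    packet_filter: str = "permit"         # Packet Filter action: "permit" or "deny"
    remark_dscp: Optional[int] = None     # Pass (Remark DSCP) action

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Return the (possibly remarked) packet, or None when it is dropped."""
        if self.packet_filter == "deny":
            return None
        out = dict(pkt)
        if self.remark_dscp is not None:
            out["dscp"] = self.remark_dscp
        return out


@dataclass
class QosPolicy:
    name: str
    associations: List[Tuple[TrafficClassifier, TrafficBehavior]] = field(default_factory=list)

    def classifier_behavior(self, cls: TrafficClassifier, beh: TrafficBehavior) -> None:
        self.associations.append((cls, beh))

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Assumption of this model: associations are tried in configuration order, first match wins."""
        for cls, beh in self.associations:
            if cls.matches(pkt):
                return cls.name, beh.apply(pkt)
        return "default-class", dict(pkt)  # unmatched traffic passes unchanged


def build_policy() -> QosPolicy:
    # AND class: traffic from Server (1.1.1.1) whose TCP source port is not 21 is dropped.
    classifier_1 = TrafficClassifier("classifier_1", "and",
                                     [match_src("1.1.1.1/32"), match_tcp_sport_not(21)])
    behavior_1 = TrafficBehavior("behavior_1", packet_filter="deny")
    # OR class: a packet to either server address matches; DSCP 46 is a value chosen here.
    classifier_servers = TrafficClassifier("classifier_servers", "or",
                                           [match_dst("192.168.0.1/32"), match_dst("192.168.0.2/32")])
    behavior_servers = TrafficBehavior("behavior_servers", remark_dscp=46)
    policy = QosPolicy("policy")
    policy.classifier_behavior(classifier_1, behavior_1)
    policy.classifier_behavior(classifier_servers, behavior_servers)
    return policy


if __name__ == "__main__":
    policy = build_policy()
    for pkt in ({"src": "1.1.1.1", "dst": "10.0.0.5", "proto": 6, "sport": 8080, "dscp": 0},
                {"src": "1.1.1.2", "dst": "192.168.0.2", "proto": 17, "sport": 53, "dscp": 0}):
        print(policy.process(pkt))
```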
Figure 197 Configuring rate limit on a port
3. Configure the rate limit, as described in Table 38.
4. Click Apply.
Table 38 Configuration items
Item: Please select an interface type
Description: Select the interface type to be configured with rate limit.
Item: Rate Limit
Description: Enable or disable rate limit on the specified port.
Item: Direction
Description: Select a direction to which the rate limit is to be applied.
• Inbound—Limits the rate of packets received on the specified port.
QoS configuration examples
CAR configuration example
Network requirements
As shown in Figure 198, Server and Host can access the Internet through Firewall. Perform traffic control on GigabitEthernet 1/0/1 of Firewall for traffic received from Server and Host, respectively.
• Limit the rate of traffic from Server to 54 kbps to transmit the conforming traffic but drop the exceeding traffic.
g. Select Permit from the Operation list. Select the Source IP Address box, enter 1.1.1.1 as the source IP address, and 0.0.0.0 as the source wildcard.
h. Click Apply.
Figure 200 Configuring rules for ACL 2000
2. Configure ACL 2001 to match traffic from Host:
a. Click Back on the page displaying the rules of ACL 2000.
b. Click Add.
c. Enter 2001 as the ACL number.
d. Click Apply.
e. Click the icon for ACL 2001 on the ACL list.
f. Click Add.
g. Select Permit from the Operation list.
Figure 202 Configuring rules for class classifier_server
4. Create a class named classifier_host, and reference ACL 2001 in the class:
a. Click Back on the page displaying the rules of class classifier_server.
b. Click Add.
c. Enter classifier_host as the classifier name.
d. Click Apply.
e. Click the icon for classifier_host on the classifier list.
f. Click Add.
g. Select the ACL option, and then select 2001 from the list.
h. Click Apply.
5.
Figure 204 Configuring actions for behavior behavior_server
6. Create a behavior named behavior_host, and configure CAR for the behavior:
a. On the page displaying behaviors, click Add.
b. Enter behavior_host as the behavior name.
c. Click Apply.
d. Click the icon for behavior_host on the behavior list.
e. Select the CAR box. Enter 8 in the CIR field. Select the CBS box, and then enter 1875.
f. Click Apply. The configuration progress dialog box appears.
g.
d. Click Apply.
Figure 205 Creating a policy named policy
e. Select policy from the Policy Name list.
f. Click Add Relation.
g. Select classifier_server from the Classifier Name list. Select behavior_server from the Behavior Name list.
h. Click Apply.
Figure 206 Configuring class-behavior associations for the policy named policy
i. Select policy from the Policy Name list.
j. Click Add Relation.
k. Select classifier_host from the Classifier Name list. Select behavior_host from the Behavior Name list.
Priority marking configuration example
Network requirements
As shown in Figure 208, the enterprise network of a company interconnects hosts with servers through Firewall. The network is described as follows:
• Host A and Host B are connected to GigabitEthernet 0/1 of Firewall.
• The data server, mail server, and file server are connected to GigabitEthernet 0/2 of Firewall.
Figure 209 Creating ACL 3000
e. Click the icon for ACL 3000 on the ACL list.
f. Click Add.
g. Select Permit in the Operation list.
h. Select the Destination IP Address box, and enter IP address 192.168.0.1 and destination wildcard 0.0.0.0.
i. Click Apply.
Figure 210 Configuring rules for ACL 3000
2. Configure ACL 3001 to match packets with destination address 192.168.0.2:
a. Click Back on the page displaying the rules of ACL 3000.
b. Click Add.
c. Enter the ACL number 3001.
d. Click Apply.
e. Click the icon for ACL 3001 on the ACL list.
f. Click Add.
g. Select Permit in the Operation list. Select the Destination IP Address box, and enter IP address 192.168.0.2 and destination wildcard 0.0.0.0.
h. Click Apply.
3. Configure ACL 3002 to match packets with destination address 192.168.0.3:
a. Click Back on the page displaying the rules of ACL 3001.
b. Click Add.
c. Enter the ACL number 3002.
d. Click Apply.
e. Click the icon for ACL 3002 on the ACL list.
f. Click Add.
g.
Figure 212 Configuring rules for class classifier_dbserver
5. Configure class classifier_mserver to match packets based on ACL 3001:
a. Click Back on the page displaying the rules of class classifier_dbserver.
b. Click Add.
c. Enter the class name classifier_mserver.
d. Click Apply.
e. Select classifier_mserver on the classifier list and click its icon.
f. Click Create.
g. Select the ACL option and select ACL 3001.
h. Click Apply.
6.
Figure 213 Creating traffic behavior behavior_dbserver
e. Click the icon for behavior_dbserver on the behavior list.
f. Select the Dot1p box, and then select 4 in its list.
g. Click Apply. The configuration progress dialog box appears.
h. Click Close when the progress dialog box prompts that the configuration succeeds.
Figure 214 Configuring actions for traffic behavior behavior_dbserver
8. Configure traffic behavior behavior_mserver to mark packets with local precedence 3:
a.
c. Enter the behavior name behavior_mserver.
d. Click Apply.
e. Click the icon for behavior_mserver on the behavior list.
f. Select the Dot1p box, and then select 3 in its list.
g. Click Apply. The configuration progress dialog box appears.
h. Click Close when the progress dialog box prompts that the configuration succeeds.
9. Configure traffic behavior behavior_fserver to mark packets with local precedence value 2:
a. On the page displaying traffic behaviors, click Add.
b.
Figure 216 Configuring class-behavior associations for policy policy_server
i. Select policy_server from the Policy Name list above the policy list.
j. Click Add Relation.
k. Select class_mserver in the Classifier Name list. Select behavior_mserver in the Behavior Name list.
l. Click Apply.
m. Select policy_server from the Policy Name list above the policy list.
n. Click Add Relation.
o. Select class_fserver in the Classifier Name list. Select behavior_fserver in the Behavior Name list.
p.
Figure 218 Network diagram
Configuring the firewall
1. Create ACL 3000, and configure a rule to match packets whose TCP source port is not 21:
a. Select Firewall > ACL from the navigation tree.
b. Click Add.
c. Enter 3000 as the ACL number.
d. Click Apply.
Figure 219 Creating ACL 3000
Click the icon for ACL 3000 on the ACL list.
a. Click Add.
b. Select Permit from the Operation list. Select 6 TCP from the Protocol list. Select not equal to from the Source Operation list, and enter 21 in the Port field.
Figure 220 Configuring rules for ACL 3000
2. Create a class named classifier_1, and reference ACL 3000 in the class:
a. Select Firewall > QoS > Classifier from the navigation tree.
b. Click Add.
c. Enter classifier_1 as the classifier name.
d. Click Apply.
Figure 221 Creating a class named classifier_1
Click the icon for classifier_1 on the classifier list.
a. Click Add.
b. Select the ACL option, and then select 3000 from the list.
c. Click Apply.
Figure 222 Configuring rules for class classifier_1
3. Create a behavior named behavior_1, and configure the packet filtering action for the behavior to drop packets:
a. Select Firewall > QoS > Behavior from the navigation tree.
b. Click Add.
c. Enter behavior_1 as the behavior name.
d. Click Apply.
Figure 223 Creating a traffic behavior named behavior_1
Click the icon for behavior_1 on the behavior list.
a. Select the Packet Filter box, and then select Deny.
b. Click Apply.
Figure 224 Configuring actions for behavior behavior_1
4. Create a policy named policy, and configure class-behavior associations in the policy:
a. Select Firewall > QoS > Policy from the navigation tree.
b. Click Add.
c. Enter policy as the policy name.
d. Click Apply.
Figure 225 Creating a policy named policy
Select policy from the Policy Name list.
a. Click Add Relation.
b. Select classifier_1 from the Classifier Name list. Select behavior_1 from the Behavior Name list.
c. Click Apply.
Figure 226 Configuring class-behavior associations for the policy named policy
5. Apply the policy named policy to the incoming packets of GigabitEthernet 0/1:
a. Select Firewall > Traffic Policing > Apply from the navigation tree.
b. Click Apply Policy.
c. Select GigabitEthernet 0/1 from the Interface Name list. Select policy from the Policy Name list. Select Inbound from the Direction list.
d. Click Apply.
Configuring traffic policing
Overview
Traffic policing, traffic shaping, and rate limit are QoS techniques that help assign network resources, such as bandwidth. They increase network performance and user satisfaction. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing limits the traffic rate and resource usage according to traffic specifications.
• EBS—Size of bucket E, which specifies the transient burst of traffic that bucket E can forward.
CBS is implemented with bucket C, and EBS with bucket E. In each evaluation, packets are measured against the following bucket scenarios:
• If bucket C has enough tokens, packets are colored green.
• If bucket C does not have enough tokens but bucket E has enough tokens, packets are colored yellow.
• If neither bucket C nor bucket E has sufficient tokens, packets are colored red.
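The token bucket evaluation described in the rate limit section (Figure 181) and the bucket C / bucket E coloring described just above, as an added example that is not code from the HP guide or its software. CIR is in kbps and CBS/EBS in bytes, as in the CAR examples on this page; the refill rule for bucket E (it receives the tokens that overflow bucket C) and the packet sizes and timestamps are assumptions made for this example.

```python
# Added example, not from the HP guide: a two-bucket CAR meter that colors packets
# green/yellow/red and applies the configured green/yellow/red actions.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class TwoBucketCar:
    cir_kbps: int   # committed information rate, kbps
    cbs: int        # committed burst size, bytes (bucket C depth)
    ebs: int        # excess burst size, bytes (bucket E depth)

    def __post_init__(self) -> None:
        self.tokens_c = float(self.cbs)   # both buckets start full
        self.tokens_e = float(self.ebs)
        self.last = 0.0                   # time of the last evaluation, seconds

    def _refill(self, now: float) -> None:
        """Generate CIR tokens since the last evaluation; bucket C fills first,
        the overflow goes to bucket E (assumption of this model)."""
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        generated = self.cir_kbps * 1000 / 8 * elapsed        # bytes
        to_c = min(generated, self.cbs - self.tokens_c)
        self.tokens_c += to_c
        self.tokens_e = min(float(self.ebs), self.tokens_e + (generated - to_c))

    def meter(self, size: int, now: float) -> str:
        """Evaluate one packet of `size` bytes arriving at time `now`."""
        self._refill(now)
        if self.tokens_c >= size:
            self.tokens_c -= size
            return "green"                # conforming
        if self.tokens_e >= size:
            self.tokens_e -= size
            return "yellow"               # within the excess burst
        return "red"                      # excess


def police(meter: TwoBucketCar, packets: List[Tuple[float, int]],
           green: str = "pass", yellow: str = "pass", red: str = "discard"
           ) -> List[Tuple[float, int, str, str]]:
    """Color each (time, size) packet and map the color to the configured action."""
    actions = {"green": green, "yellow": yellow, "red": red}
    result = []
    for t, size in packets:
        color = meter.meter(size, t)
        result.append((t, size, color, actions[color]))
    return result


# Constructed burst: CIR 8 kbps (1000 bytes/s) and CBS 1875 as in the behavior_host
# example above; EBS 1000 bytes is chosen for this example.
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000),
                  (1.0, 1000), (1.0, 1000),
                  (3.0, 1000), (3.0, 1000), (3.0, 1000)]

if __name__ == "__main__":
    for row in police(TwoBucketCar(cir_kbps=8, cbs=1875, ebs=1000), SAMPLE_PACKETS):
        print(row)
```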
Configuring traffic policing in the Web interface
Recommended traffic policing configuration procedure
Step 1. Creating a CAR list.
Remarks: Required. Create an IP network segment-based CAR list.
Step 2. Applying a CAR list to an interface.
Remarks: Required. Apply the CAR policy to the specified interface. You can configure multiple CAR policies on an interface, and these CAR policies are executed in the order they are configured.
Creating a CAR list
1.
4. Click Apply.
Table 39 Configuration items
Item: CAR List Index
Description: Specify the CAR list index.
Item: IP Type
Description: Configure a source IP-based CAR list or destination IP-based CAR list.
Item: IP Set
Description: Define the way of specifying a set of IP addresses. Two options are available:
• Subnet—Specifies a network segment by specifying an IP address and a subnet mask.
• IP Range—Specifies an IP address range by specifying a start IP address and an end IP address.
Figure 232 Applying a CAR list to an interface
3. Apply the CAR list to an interface, as described in Table 40.
4. Click Apply.
Table 40 Configuration items
Item: Interface Name
Description: Specify the interface to which a CAR list is to be applied.
Item: Direction
Description: Specify the direction in which a CAR list is to be applied.
• Inbound—Applies the CAR list to the packets received on the specified interface.
• Outbound—Applies the CAR list to the packets sent out of the specified interface.
Item: EBS
Description: Set the EBS.
Item: Green
Description: Set the action to be taken on conforming packets:
• Discard—Drops the packets.
• Pass—Permits the packets to pass through.
Item: Red
Description: Set the action to be taken on excess packets:
• Discard—Drops the packets.
• Pass—Permits the packets to pass through.
Traffic policing configuration example
Network requirements
As shown in Figure 233, configure the firewall to limit the total rate of traffic received on GigabitEthernet 0/1 to 50 kbps.
Figure 234 Configuring a CAR list
2. Apply the CAR list to the interface:
a. Select Firewall > Traffic Policing > Apply from the navigation tree.
b. Click Apply Policy.
c. Select GigabitEthernet 0/1 from the Interface Name list.
d. Select Inbound from the Direction list.
e. Enter 1 in the CAR List Index field.
f. Enter 50 in the CIR field.
g. Select the Pass option for Green.
h. Select the Discard option for Red.
i. Click Apply.
Configuring traffic policing at the CLI
Configure traffic policing by using either the policy approach or the non-policy approach. In the non-policy approach, you can configure CAR list-based traffic policing, ACL-based traffic policing, and traffic policing for all traffic.
Configuring traffic policing by using the policy approach
Step 1. Enter system view.
Command: system-view
Step 2. Create a class and enter class view.
Command: traffic classifier classifier-name [ operator { and | or } ]
Step 3. Configure match criteria.
Configuring ACL-based traffic policing
Step 1. Enter system view.
Command: system-view
Remarks: N/A
Step 2. Configure an ACL. See Access Control Configuration Guide. Configure rules for the ACL.
Step 3. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A
Step 4. Configure an ACL-based CAR policy on the interface.
Traffic control for packets forwarded by GigabitEthernet 0/1 and GigabitEthernet 0/2 of the router is as follows:
• Limit the receiving rate on GigabitEthernet 0/1 of the router to 500 kbps, and drop the excess packets.
• Limit the sending rate on GigabitEthernet 0/2 of the router to 1000 kbps, and drop the excess packets.
Figure 236 Network diagram
Configuration procedure
1.
[Router-GigabitEthernet0/1] quit
# Configure a CAR policy on GigabitEthernet 0/2 to limit the sending rate to 1 Mbps and drop the excess packets.
Basic forwarding on the device
Upon receiving a packet, a device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet.
FIB table
A router selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.
Displaying and maintaining the FIB table
Task: Display FIB information.
Command: display fib [ vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display FIB information matching the specified destination IP address.
Command: display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Updating magic numbers for fast forwarding
Feature and hardware compatibility
Hardware                        Fast forwarding magic number update compatibility
F1000-A-EI/F1000-S-EI           Yes
F1000-E                         Yes
F5000                           No
F5000-S/F5000-C                 Yes
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes
Overview
After the ipffmagicnumber update command is enabled, the device decides whether a service can be fast forwarded according to the driver registration.
Configuring IP forwarding mode
Feature and hardware compatibility
Hardware                        Traffic forwarding mode compatibility
F1000-A-EI/F1000-S-EI           Yes
F1000-E                         Yes
F5000                           No
F5000-S/F5000-C                 Yes
VPN firewall modules            Yes
20-Gbps VPN firewall modules    Yes
Overview
The device supports two IP forwarding modes: flow-based and packet-based.
Forwarding a unicast IP packet with multicast MAC address
Overview
A packet with a unicast destination IP but a multicast or broadcast destination MAC is typically for load balancing on the server. If the device forwards such a packet in a VRRP network, a loop might occur at Layer 3. To avoid service malfunction caused by the network loop, the device drops such a packet by default. To forward such a packet, use a command and make sure no loops occur.
Configuration procedure
Step Command Remarks 1.
IP routing basics
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. IP routing directs IP packet forwarding on routers based on a routing table. A router maintains at least two routing tables: a global routing table and a FIB. The FIB table contains only the optimal routes, and the global routing table contains all routes. The router uses the FIB table to forward packets.
Configuring static routing
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work correctly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually.
Table 42 Configuration items
Item: Destination IP Address
Description: Enter the destination IP address in dotted decimal notation.
IMPORTANT: You can enter 0.0.0.0 for both Destination IP Address and Mask to configure a default route. A default route is used to forward packets that match no route entry in the routing table.
Item: Mask
Description: Enter the destination IP address mask.
Item: Next Hop
Description: Enter the next hop IP address in dotted decimal notation.
Item: Outbound Interface
Description: Enter the outbound interface.
c. Enter 0.0.0.0 as the destination IP address, select 0.0.0.0 from the mask list, and enter 1.1.4.2 as the next hop.
d. Click Apply.
Figure 240 Configuring a static route on Device A
4. Configure a static route to Device A and a static route to Device C on Device B:
a. Select Network > Routing Management > Static Routing from the navigation tree.
b. Click Add.
c. Enter 1.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 1.1.4.1 as the next hop.
d. Click Apply.
e.
Ping statistics for 1.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
2. Traceroute Host A on Host B:
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  1.1.6.1
  2    <1 ms    <1 ms    <1 ms  1.1.4.1
  3     1 ms    <1 ms    <1 ms  1.1.2.2
Trace complete.
Step 2. Configure a static route.
Command: • Method 1:
Configuring bidirectional control mode
To use BFD bidirectional control detection between two devices, enable BFD control mode for each device's static route destined to the peer. To configure a static route and enable BFD control mode for it, specify an output interface and a direct next hop, or specify an indirect next hop and a specific BFD packet source address for the static route.
To configure BFD control mode for a static route (direct next hop):
Step 1. Enter system view.
Step 2. Configure the source address of echo packets.
Command: bfd echo-source-ip ip-address
Remarks: By default, the source address of echo packets is not configured. For more information about this command, see High Availability Command Reference.
Step 3. Configure BFD echo mode for a static route.
Command: • Method 1:
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure static routes:
# Configure a default route on Firewall A.
system-view
[FirewallA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
# Configure two static routes on Firewall B.
system-view
[FirewallB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[FirewallB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
# Configure a default route on Firewall C.
1.1.6.1/32          Direct 0    0       127.0.0.1       InLoop0
# Use the ping command on Host B to test the reachability of Host A (Windows XP runs on the two hosts).
C:\Documents and Settings\Administrator>ping 1.1.2.2
Pinging 1.1.2.2 with 32 bytes of data:
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Ping statistics for 1.1.2.
Figure 242 Network diagram
Device      Interface  IP address
Firewall A  GE 1/1     12.1.1.1/24
            GE 1/2     10.1.1.102/24
Firewall B  GE 1/1     12.1.1.2/24
            GE 1/2     13.1.1.1/24
Router      GE 1/1     10.1.1.100/24
            GE 1/2     13.1.1.2/24
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure static routes and BFD:
# Configure static routes on Firewall A and enable BFD control mode for the static route that traverses the Layer 2 switch.
[Router] ip route-static 121.1.1.0 24 gigabitethernet 1/1 10.1.1.102
3. Verify the configuration:
# Display BFD sessions on Firewall A.
display bfd session
 Total Session Num: 1     Init Mode: Active
 Session Working Under Ctrl Mode:
 LD/RD  SourceAddr  DestAddr  State  Holdtime  Interface
 4/7    12.1.1.1    12.1.1.2  Up     2000ms    GigabitEthernet1/1
The output shows that the BFD session has been created.
# Display static routes on Firewall A.
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GE1/2

Static Routing table Status : < Inactive>
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  60   0     12.1.1.2     GE1/1
The output shows that Firewall A communicates with Firewall B through Router.
Figure 243 Network diagram
Device      Interface  IP address
Firewall A  GE1/1      12.1.1.1/24
            GE1/2      10.1.1.102/24
            Loop1      1.1.1.9/32
Firewall B  GE1/1      11.1.1.2/24
            GE1/2      13.1.1.1/24
            Loop1      2.2.2.9/32
Router A    GE1/1      10.1.1.100/24
            GE1/2      13.1.1.2/24
Router B    GE1/1      12.1.1.2/24
            GE1/2      11.1.1.1/24
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2.
# Configure static routes on Router A.
system-view
[RouterA] ip route-static 120.1.1.0 24 gigabitethernet 1/2 13.1.1.1
[RouterA] ip route-static 121.1.1.0 24 gigabitethernet 1/1 10.1.1.102
# Configure static routes on Router B.
system-view
[RouterB] ip route-static 120.1.1.0 24 gigabitethernet 1/2 11.1.1.2
[RouterB] ip route-static 121.1.1.0 24 gigabitethernet 1/1 12.1.1.1
3. Verify the configuration:
# Display the BFD session information on Firewall A.
Public Routing Table : Static
Summary Count : 2

Static Routing table Status :
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GE1/2

Static Routing table Status :
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  60   0     2.2.2.9
The output shows that Firewall A communicates with Firewall B through Router A.
Configuring a default route
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded. A default route can be configured in either of the following ways:
• The network administrator can configure a default route with both destination and mask being 0.0.0.0.
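The routing-table and FIB behaviour described in "Basic forwarding on the device", the static route examples, and this default route section, as an added example that is not code from the HP guide or its software: each static route carries a preference (60 and 65 are the values in the displayed routing tables on this page; 60 is used as the default here) and a flag for whether its BFD session is up, only the usable route with the lowest preference per destination enters the FIB, and a lookup is a longest prefix match that falls back to the 0.0.0.0/0 default route. The addresses come from this page's examples; the Router class, the bfd_session helper and the bfd_up flag are assumptions of this model.

```python
# Added example, not from the HP guide: route selection into the FIB and
# longest-prefix-match lookup with a default route. Addresses are from the
# page's examples; the Router model and BFD flag are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


def parse_prefix(dest: str, mask: str) -> IPv4Network:
    """Accept the CLI forms 'ip route-static 1.1.2.0 255.255.255.0 ...' and '120.1.1.0 24'."""
    return ip_network(f"{dest}/{mask}", strict=False)


@dataclass
class StaticRoute:
    prefix: IPv4Network
    next_hop: str
    interface: str
    preference: int = 60      # lower is preferred
    bfd_up: bool = True       # True when no BFD is configured or the BFD session is Up


@dataclass
class Router:
    routing_table: List[StaticRoute] = field(default_factory=list)   # global routing table

    def ip_route_static(self, dest: str, mask: str, next_hop: str, interface: str = "",
                        preference: int = 60, bfd_up: bool = True) -> None:
        self.routing_table.append(
            StaticRoute(parse_prefix(dest, mask), next_hop, interface, preference, bfd_up))

    def bfd_session(self, next_hop: str, up: bool) -> None:
        """Constructed helper: mark the BFD session towards a next hop as Up or Down."""
        for r in self.routing_table:
            if r.next_hop == next_hop:
                r.bfd_up = up

    def build_fib(self) -> Dict[IPv4Network, StaticRoute]:
        """Install the optimal route per prefix: lowest preference among routes whose BFD is up."""
        fib: Dict[IPv4Network, StaticRoute] = {}
        for r in self.routing_table:
            if not r.bfd_up:
                continue                              # inactive until the session recovers
            if r.prefix not in fib or r.preference < fib[r.prefix].preference:
                fib[r.prefix] = r
        return fib

    def lookup(self, dst: str) -> Optional[StaticRoute]:
        """Longest prefix match in the FIB; 0.0.0.0/0 catches everything else, or None."""
        addr = ip_address(dst)
        best: Optional[StaticRoute] = None
        for prefix, route in self.build_fib().items():
            if addr in prefix and (best is None or prefix.prefixlen > best.prefix.prefixlen):
                best = route
        return best


def firewall_a() -> Router:
    """Firewall A from the BFD example: primary route over the Layer 2 switch (pre 60, BFD),
    backup via Router (pre 65), plus a default route as configured on Firewall A earlier."""
    fw = Router()
    fw.ip_route_static("120.1.1.0", "24", "12.1.1.2", "GE1/1", preference=60, bfd_up=True)
    fw.ip_route_static("120.1.1.0", "24", "10.1.1.100", "GE1/2", preference=65)
    fw.ip_route_static("0.0.0.0", "0.0.0.0", "1.1.4.2")
    return fw


if __name__ == "__main__":
    fw = firewall_a()
    print(fw.lookup("120.1.1.7"))          # via 12.1.1.2 while the BFD session is up
    fw.bfd_session("12.1.1.2", up=False)
    print(fw.lookup("120.1.1.7"))          # falls over to 10.1.1.100 (pre 65)
    print(fw.lookup("8.8.8.8"))            # default route 1.1.4.2
```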
Configuring RIP
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Routing Information Protocol (RIP) is a simple distance-vector interior gateway protocol suited to small-sized networks. It employs UDP to exchange route information through port 520. RIP uses a hop count to measure the distance to a destination. The hop count from a router to a directly connected network is 0. The hop count from a router to a directly connected router is 1.
Figure 244 RIP global configuration page
2. Configure RIP globally as described in Table 43.
3. Click Apply.
Table 43 Configuration items
Item: Enable RIP (enable all interfaces automatically)
Description: Enable RIP on all interfaces.
Item: Import static routes
Description: Configure RIP to redistribute active static routes.
Configuring interface RIP
1. Select Network > Routing Management > RIP from the navigation tree. The RIP configuration page appears. If RIP is enabled, the More button is displayed.
2.
Figure 246 RIP interface configuration page
4. Configure the RIP interface as described in Table 44.
5. Click Apply.
Table 44 Configuration items
Item: Interface
Description: Displays the RIP interface name.
Item: Work State
Description: Set whether to allow the receiving/sending of RIP packets on the interface:
• On—Allows the receiving/sending of RIP packets on the interface.
• Off—Disallows the receiving/sending of RIP packets on the interface.
Item: Authentication Mode / Key String
Description: Set the authentication mode and parameters for authenticating RIP packets on a RIPv2 interface:
• If the Authentication Mode is null, the interface does not authenticate RIP packets, and the Key String and Key ID are not required.
• If Simple is specified for Authentication Mode, the interface authenticates RIP packets using a simple text key. You need to configure a Key String in simple text.
Configuring Device B 1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.) 2. Enable RIP: a. Select Network > Routing Management > RIP from the navigation tree. b. Select the Enable RIP (Enable all interfaces automatically) box. c. Click Apply. Verifying the configuration 1. Display active routes of Device A: Select Network > Routing Management > Routing Info from the navigation tree to display the learned RIP route destined for 10.0.0.0/8.
Configuring RIP at the CLI RIP configuration task list Task Remarks Configuring basic RIP Required Configuring RIP route control Tuning and optimizing RIP networks Configuring BFD for RIP Configuring an additional routing metric Optional Configuring RIPv2 route summarization Optional Disabling host route reception Optional Advertising a default route Optional Configuring received/redistributed route filtering
If you configure RIP settings in interface view before enabling RIP, the settings do not take effect until RIP is enabled. If a physical interface is attached to multiple networks, you cannot advertise these networks in different RIP processes. To enable RIP: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable a RIP process and enter RIP view. rip [ process-id ] [ vpn-instance vpn-instance-name ] By default, the RIP process is disabled. 3.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RIP view. rip [ process-id ] [ vpn-instance vpn-instance-name ] N/A Optional. By default, if an interface has an interface-specific RIP version, the version takes precedence over the global one. If no interface-specific RIP version is specified, the interface can send RIPv1 broadcasts, and receive RIPv1 broadcasts and unicasts, and RIPv2 broadcasts, multicasts, and unicasts. 3. Specify a global RIP version.
Step Command Remarks 4. Specify an outbound additional routing metric. rip metricout [ route-policy route-policy-name ] value Optional. The default setting is 1. Configuring RIPv2 route summarization Perform this task to summarize contiguous subnets into a summary network and send the summary network to neighbors. The smallest metric among all summarized routes is used as the metric of the summary route. 1.
Disabling host route reception Perform this task to disable RIPv2 from receiving host routes from the same network and save network resources. This feature does not apply to RIPv1. To disable RIP from receiving host routes: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RIP view. rip [ process-id ] [ vpn-instance vpn-instance-name ] N/A 3. Disable RIP from receiving host routes. undo host-route By default, RIP receives host routes.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RIP view. rip [ process-id ] [ vpn-instance vpn-instance-name ] N/A Configure the filtering of received routes. filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ] Configure the filtering of redistributed routes.
Step Command Remarks 4. Redistribute routes from other routing protocols. import-route protocol [ process-id | all-processes | allow-ibgp ] [ cost cost | route-policy route-policy-name | tag tag ] * By default, route redistribution is disabled. Tuning and optimizing RIP networks Configuration prerequisites Before you tune and optimize RIP networks, complete the following tasks: • Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes. • Configure basic RIP.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Enable split horizon. rip split-horizon Optional. By default, split horizon is enabled. Enabling poison reverse Poison reverse allows RIP to send routes through the interface where the routes were learned, but the metric of these routes is always set to 16 (unreachable) to avoid routing loops between neighbors.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RIP view. rip [ process-id ] [ vpn-instance vpn-instance-name ] N/A 3. Enable zero field check on incoming RIPv1 messages. checkzero Optional. By default, this function is enabled. Enabling source IP address check on incoming RIP updates Perform this task to enable source IP address check on incoming RIP updates.
Follow these guidelines when you specify a RIP neighbor: • Do not use the peer ip-address command when the neighbor is directly connected. Otherwise, the neighbor might receive both the unicast and multicast (or broadcast) of the same routing information. • If a specified neighbor is not directly connected, disable source address check on incoming updates. To specify a RIP neighbor: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter RIP view.
Hardware Compatibility F1000-A-EI/F1000-S-EI: No. F1000-E: No. F5000: Yes. F5000-S/F5000-C: No. VPN firewall modules: No. 20-Gbps VPN firewall modules: No. BFD for RIP provides the following link detection modes: • Single-hop echo detection mode for a directly connected RIP neighbor. In this mode, a BFD session is established only when the neighbor has route information to send. • Single-hop echo detection mode for a specific destination.
Step Command Remarks 3. Enter interface view. interface interface-type interface-number N/A 4. Enable BFD for RIP. rip bfd enable destination ip-address By default, BFD for RIP is disabled. The rip bfd enable destination command and the rip bfd enable command are mutually exclusive and cannot be configured on a device at the same time. Configuring bidirectional control detection This feature only works for RIP neighbors that are directly connected (one hop away from each other).
Task Command Remarks Reset a RIP process. reset rip process-id process Available in user view. Clear the statistics of a RIP process. reset rip process-id statistics Available in user view. RIP version configuration example In this example, Router A is the firewall. Network requirements As shown in Figure 251, enable RIPv2 on all interfaces on Router A and Router B. Figure 251 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2.
# Configure RIPv2 on Router A. [RouterA] rip [RouterA-rip-1] version 2 [RouterA-rip-1] undo summary [RouterA-rip-1] quit # Configure RIPv2 on Router B. [RouterB] rip [RouterB-rip-1] version 2 [RouterB-rip-1] undo summary # Display the RIP routing table on Router A. [RouterA] display rip 1 route Route Flags: R - RIP, T - TRIP P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect ---------------------------------------------------------------------------Peer 1.1.1.
# Enable RIP 100, and configure RIPv2 on Router A. system-view [RouterA] rip 100 [RouterA-rip-100] network 10.0.0.0 [RouterA-rip-100] network 11.0.0.0 [RouterA-rip-100] version 2 [RouterA-rip-100] undo summary [RouterA-rip-100] quit # Enable RIP 100 and RIP 200, and configure RIPv2 on Firewall. system-view [Firewall] rip 100 [Firewall-rip-100] network 11.0.0.
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost NextHop Interface
10.2.1.0/24 RIP 100 1 12.3.1.1 GE0/1
11.1.1.0/24 RIP 100 1 12.3.1.1 GE0/1
12.3.1.0/24 Direct 0 0 12.3.1.2 GE0/1
12.3.1.2/32 Direct 0 0 127.0.0.1 InLoop0
16.4.1.0/24 Direct 0 0 16.4.1.1 GE0/2
16.4.1.1/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.
Figure 253 Network diagram Configuration procedure 1. Configure IP addresses for the interfaces. (Details not shown.) 2. Configure basic RIP: # Configure Firewall. system-view [Firewall] rip [Firewall-rip-1] network 1.0.0.0 [Firewall-rip-1] version 2 [Firewall-rip-1] undo summary [Firewall-rip-1] quit # Configure Router A. system-view [RouterA] rip [RouterA-rip-1] network 1.0.0.0 [RouterA-rip-1] version 2 [RouterA-rip-1] undo summary # Configure Router B.
[Firewall] display rip 1 database 1.0.0.0/8, cost 0, ClassfulSumm 1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface 1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface 1.1.3.0/24, cost 1, nexthop 1.1.1.2 1.1.4.0/24, cost 1, nexthop 1.1.2.2 1.1.5.0/24, cost 2, nexthop 1.1.1.2 1.1.5.0/24, cost 2, nexthop 1.1.2.2 The output shows that two RIP routes can reach network 1.1.5.0/24. Their next hops are Router A (1.1.1.2) and Router B (1.1.2.2), respectively, with the same cost of 2.
Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure basic OSPF: # Configure Router A. system-view [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] quit # Configure Router B. system-view [RouterB] ospf [RouterB-ospf-1] area 0 [RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [RouterB-ospf-1-area-0.
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.2.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.5.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.6.1.0/24 RIP 100 1 11.3.1.1 GE0/1
11.3.1.0/24 Direct 0 0 11.3.1.2 GE0/1
11.3.1.2/32 Direct 0 0 127.0.0.1 InLoop0
11.4.1.0/24 Direct 0 0 11.4.1.2 GE0/2
11.4.1.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.
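The display ip routing-table listings in the RIP examples above are the operator's main evidence that only the expected routes were learned from RIP. The following Python script is an added example, not part of this guide or of the firewall software: it parses such a listing (the sample text is constructed from the values in the routing table shown earlier in the RIP version example; the column layout is assumed) and flags dynamic routes whose next hop is not an approved neighbor, which is how a route injected by an unplanned or unauthenticated RIP peer would show up. Function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: "display ip routing-table" output rebuilt from the values
# in the RIP example table above (column alignment is assumed).
SAMPLE_ROUTING_TABLE = """\
Routing Tables: Public
        Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  NextHop      Interface
10.2.1.0/24         RIP     100  1     12.3.1.1     GE0/1
11.1.1.0/24         RIP     100  1     12.3.1.1     GE0/1
12.3.1.0/24         Direct  0    0     12.3.1.2     GE0/1
12.3.1.2/32         Direct  0    0     127.0.0.1    InLoop0
16.4.1.0/24         Direct  0    0     16.4.1.1     GE0/2
16.4.1.1/32         Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
"""

# One route row: destination/mask, protocol, preference, cost, next hop, interface.
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+"
    r"(?P<cost>\d+)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)$"
)


@dataclass(frozen=True)
class Route:
    dest: str
    proto: str
    pre: int
    cost: int
    nexthop: str
    iface: str


def parse_routing_table(text: str) -> List[Route]:
    """Parse the route rows; header and summary lines do not match ROUTE_RE and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["dest"], m["proto"], int(m["pre"]),
                                int(m["cost"]), m["nexthop"], m["iface"]))
    return routes


def routes_by_proto(routes: List[Route]) -> Dict[str, int]:
    """Count routes per protocol, e.g. {'RIP': 2, 'Direct': 6}."""
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.proto] = counts.get(r.proto, 0) + 1
    return counts


def find_route(routes: List[Route], dest: str) -> Optional[Route]:
    """Return the entry for an exact destination/mask, or None if it is absent."""
    return next((r for r in routes if r.dest == dest), None)


def unexpected_dynamic_routes(routes: List[Route],
                              allowed_neighbors: Dict[str, Set[str]]) -> List[Route]:
    """Return routes learned by a dynamic protocol whose next hop is not an
    approved neighbor for that protocol. Direct and Static routes are local
    configuration and are skipped. A hit means the router accepted a route from
    a peer the operator did not plan for, which an unauthenticated RIP interface
    makes possible."""
    return [r for r in routes
            if r.proto not in ("Direct", "Static")
            and r.nexthop not in allowed_neighbors.get(r.proto, set())]


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    print(routes_by_proto(table))
    for r in unexpected_dynamic_routes(table, {"RIP": {"12.3.1.1"}}):
        print("unexpected:", r)
```

Run it against the output of display ip routing-table captured from the device; the allowed-neighbor map is the set of RIP peers you configured, so any RIP route with another next hop is worth checking against the interface authentication settings described in Table 44.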
• Use the display rip command to verify whether an interface is disabled. Route oscillation occurred Symptom When all links work correctly, route oscillation occurs on the RIP network. After displaying the routing table, you might find that some routes intermittently appear in and disappear from the routing table. Analysis In a RIP network, make sure that the RIP timers are identical on every router in the network and that their values stand in a logical relationship to one another.
Configuring OSPF The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Unless otherwise stated, OSPF refers to OSPFv2 throughout this chapter. Overview Open Shortest Path First (OSPF) is a link state IGP developed by the OSPF working group of the IETF. OSPF version 2 is used for IPv4. OSPF has the following features: • Wide scope—Supports various network sizes and up to several hundred routers in an OSPF routing domain.
Step Remarks 1. Configuring OSPF globally Required. Enable OSPF, and configure OSPF to redistribute static routes. NOTE: OSPF multiprocess is not supported in the Web interface. Enabling OSPF creates process 1, and disabling OSPF removes process 1. 2. Configuring OSPF areas Required. Configure an OSPF area, specify the network segment included in the area, so as to enable OSPF on the interface attached to the specified network segment.
Table 45 Configuration items Item Description Enable OSPF Enable OSPF. Import static routes Configure OSPF to redistribute active static routes (except default routes) and advertise them in Type-5 LSAs or Type-7 LSAs. Configuring OSPF areas 1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears. After you enable OSPF, the Area Configuration tab is displayed. Figure 256 Tabs on the OSPF area configuration page 2.
Figure 257 OSPF area configuration page 3. Configure an OSPF area as described in Table 46. 4. Click Apply. Table 46 Configuration items Item Description Area ID Enter an area ID. Area Type Select an area type, including Normal, Stub, and NSSA. IMPORTANT: The type of a backbone area (with area ID 0) can only be configured as Normal. Network Items Enable all interfaces Set whether to enable OSPF on all the interfaces. Network Address Network Mask
Configuring OSPF interfaces 1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears. 2. After you complete OSPF area configurations, click More. The hidden OSPF interface list is displayed. Figure 258 OSPF interface list page 3. Click the icon. The page for configuring the specified OSPF interface appears. Figure 259 OSPF interface configuration page 4. Configure the specified OSPF interface as described in Table 47. 5. Click Apply.
Table 47 Configuration items Item Description Interface Displays the OSPF interface name. Hello Interval Set the interval for sending hello packets. The hello interval must be identical on OSPF neighbors. The hello interval defaults to 10 seconds on P2P and broadcast interfaces and to 30 seconds on P2MP and NBMA interfaces. The smaller the hello interval is, the faster the network converges and the more network resources are consumed.
Item Description Authentication Mode / Key String Set the authentication mode and parameters for authenticating OSPF packets on the interface. To prevent leakage of routing information and guard against attacks on OSPF routers, OSPF provides the packet authentication function. To establish a neighbor relationship with a router, an OSPF router sends packets containing the preconfigured password for authentication. OSPF only receives packets that pass authentication.
Table 48 Field description Field Description Interface Name Interface name. IP Address IP address of the interface. In case of IP unnumbered, the IP address of the borrowed interface is displayed. Area ID ID of the area to which the interface belongs. Cost Cost for the interface. Network Type Network type for the interface. DR Priority DR priority for the interface. Current state of the interface: • Down—Indicates that no packet is sent or received through the interface.
Field Description DR Priority DR priority of the neighbor router. Current state of the neighbor: • Down—Indicates the initial state of the neighbor relationship. • Init—Indicates that a Hello packet has been received from the neighbor, but it does not contain the local router ID, so bidirectional communication is not available. • Attempt—Available only for a neighbor on an NBMA network.
a. Select Network > Routing Management > OSPF from the navigation tree of Device A. b. Select the Enable OSPF box. Figure 263 Enabling OSPF c. Click Apply. The Area Configuration tab is displayed. Figure 264 Web page displayed after OSPF is enabled 3. Configure Normal area Area 0: a. Click Add on the Area Configuration tab. b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network. c. Click Apply.
Figure 265 Configuring area 0 4. Configure NSSA area Area 1: a. Click Add on the Area Configuration tab. b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network. c. Click Apply.
Figure 266 Configuring area 1 Configuring Device B 1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.) 2. Enable OSPF: a. Select Network > Routing Management > OSPF from the navigation tree of Device B. b. Select the Enable OSPF box. c. Click Apply. 3. Configure Normal area Area 0: a. Click Add on the Area Configuration tab. b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.
Configuring Device C 1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.) 2. Enable OSPF, and configure OSPF to redistribute static routes: a. Select Network > Routing Management > OSPF from the navigation tree of Device C. b. Select the Enable OSPF and the Import static routes boxes. c. Click Apply. 3. Configure NSSA area Area 1: a. Click Add on the Area Configuration tab. b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.
b. Enter 2 for Area ID, select Normal for Area Type, enter 10.3.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network. c. Enter 10.5.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network. d. Click Apply. Verifying the configuration 1. Display OSPF neighbor information of Device A: a. Select Network > Routing Management > OSPF from the navigation tree of Device A. b. Click Show Peer in the Show Information field.
Complete the following tasks to configure OSPF: Task Remarks Enabling OSPF Required Configuring a stub area Configuring OSPF areas Configuring an NSSA area Optional Configuring a virtual link Configuring OSPF network types Configuring OSPF route control Tuning and optimizing OSPF networks Configuring the broadcast network type for an interface Optional Configuring the NBMA network type for an interface Optional Configuring the P2MP network type for an interface Optional Configuring the P2P
Task Remarks Configuring BFD for OSPF Optional Enabling OSPF Enable OSPF before you perform other OSPF configuration tasks. Configuration prerequisites Configure the link layer protocol and IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
Step Command Remarks 4. Configure a description for the OSPF process. description description Optional. Not configured by default. 5. Configure an OSPF area and enter OSPF area view. area area-id Not configured by default. 6. Configure a description for the area. description description Optional. Not configured by default. 7. Specify a network to enable the interface attached to the network to run the OSPF process in the area. network ip-address wildcard-mask Not configured by default.
Step Command Remarks 4. Configure the area as a stub area. stub [ default-route-advertise-always | no-summary ] * Not configured by default. You cannot configure the backbone area as a stub or totally stub area. A stub or totally stub area cannot have an ASBR because external routes cannot be distributed into the area. 5. Specify a cost for the default route advertised to the stub area. Optional. The default cost is 1.
You can configure virtual links to ensure connectivity when the physical links are not sufficient. Virtual links cannot transit a stub area or a totally stub area. To configure a virtual link: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view. ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * N/A 3. Enter area view. area area-id N/A Configure a virtual link.
Configuring the broadcast network type for an interface Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Configure the OSPF network type for the interface as broadcast. ospf network-type broadcast By default, the network type of an interface depends on the link layer protocol. 4. Configure a router priority for the interface. ospf dr-priority priority Optional. The default router priority is 1.
Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A Configure the OSPF network type for the interface as P2MP. ospf network-type p2mp [ unicast ] By default, the network type of an interface depends on the link layer protocol. After you configure the OSPF network type for an interface as P2MP unicast, all packets are unicast over the interface. The interface cannot broadcast hello packets to discover neighbors, so you must manually specify the neighbors. 4.
Route summarization reduces the routing information exchanged between areas and the sizes of routing tables, improving router performance. 1. Configuring route summarization on an ABR After you configure a summary route on an ABR, the ABR generates a summary LSA instead of more specific LSAs so that the scale of LSDBs on routers in other areas and the influence of topology changes are reduced. For example, three internal routes 19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24 are available within an area.
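To show what a summary route on an ABR actually covers, here is an added Python example (not from this guide, and not the firewall's own logic) that computes the smallest summary prefix for the three internal routes named above and lists the address space the summary advertises that no component route reaches. That leftover is the practical caveat of summarization: the ABR attracts traffic for it even though nothing in the area can deliver it. The function names and the use of Python's ipaddress module are my own; the page gives only the three /24 routes.

```python
import ipaddress
from typing import Iterable, List

IPNet = ipaddress.IPv4Network


def summarize(prefixes: Iterable[str]) -> IPNet:
    """Smallest single prefix covering every given subnet, i.e. the route an ABR
    would advertise in place of the specifics. Widens the first subnet one bit
    at a time until all components fall inside it."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    if not nets:
        raise ValueError("no prefixes to summarize")
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        if summary.prefixlen == 0:
            break  # already 0.0.0.0/0, cannot widen further
        summary = summary.supernet()
    return summary


def uncovered(summary: str, prefixes: Iterable[str]) -> List[IPNet]:
    """Address space inside `summary` that none of the component routes reach.
    A non-empty result means the summary attracts traffic the area cannot
    deliver (over-summarization)."""
    leftovers = [ipaddress.ip_network(summary)]
    for p in prefixes:
        n = ipaddress.ip_network(p)
        kept = []
        for chunk in leftovers:
            if n.subnet_of(chunk):
                kept.extend(chunk.address_exclude(n))  # carve the route out
            elif chunk.subnet_of(n):
                continue                               # chunk fully covered
            else:
                kept.append(chunk)
        leftovers = kept
    return sorted(leftovers)


if __name__ == "__main__":
    # The three internal routes from the example above.
    routes = ["19.1.1.0/24", "19.1.2.0/24", "19.1.3.0/24"]
    s = summarize(routes)
    print(s, [str(n) for n in uncovered(str(s), routes)])
```

For the page's three routes the smallest covering prefix is 19.1.0.0/22, and 19.1.0.0/24 is advertised without any matching internal route; if that /24 is not intended to be reachable through the ABR, a more specific pair of summaries or a dedicated route for it avoids blackholing.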
• Use an ACL or IP prefix list to filter routing information by destination address and meanwhile use the gateway keyword to filter routing information by next hop. • Use a routing policy to filter routing information. For more information about IP prefix list and routing policy, see "Configuring routing policies." To configure inbound route filtering: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view.
Step Command Remarks 3. Configure an OSPF cost for the interface. ospf cost value Optional. The default cost depends on the interface type: 1 for a VLAN interface, 0 for a loopback interface, and computed according to the bandwidth for other interfaces. To configure a bandwidth reference value: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view. ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * N/A 3.
Configuring OSPF route redistribution Only active routes can be redistributed. Use the display ip routing-table protocol command to view route state information. 1. Configuring OSPF to redistribute routes from other routing protocols On a router running OSPF and other routing protocols, you can configure OSPF to redistribute routes from other protocols such as RIP, BGP, static, and direct, and advertise them in Type-5 LSAs or Type-7 LSAs.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view. ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * N/A 3. Configure the default parameters for redistributed routes (cost, upper limit, tag, and type). default { cost cost | limit limit | tag tag | type type } * Optional. The default cost is 1, the default maximum number of routes redistributed per time is 1000, the default tag is 1, and the default type of redistributed routes is Type-2.
small can cause unnecessary LSA retransmissions. This interval is typically set longer than the round-trip time of a packet between two neighbors. To configure timers for OSPF packets: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Specify the hello interval. Optional.
When network changes are not frequent, the minimum-interval is adopted. If network changes become frequent, the SPF calculation interval is incremented by incremental-interval × 2^(n-2) (n is the number of calculation times) each time a calculation occurs until the maximum-interval is reached. To configure SPF calculation interval: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view. ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * N/A 3.
Step Command Remarks 3. Configure the LSA generation interval. lsa-generation-interval maximum-interval [ initial-interval [ incremental-interval ] ] Optional. By default, the maximum interval is 5 seconds, the minimum interval is 0 milliseconds, and the incremental interval is 5000 milliseconds.
After authentication is configured, OSPF only receives packets that pass authentication. Failed packets cannot establish neighboring relationships. You must configure the same area authentication mode on all the routers in an area. In addition, the authentication mode and password for all interfaces attached to the same area must be identical. To configure OSPF authentication: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view.
Enabling compatibility with RFC 1583 RFC 1583 specifies a different method than RFC 2328 for selecting an external route from multiple LSAs. This task makes the RFC 2328 implementation compatible with RFC 1583, so that the intra-area route in the backbone area is preferred. When compatibility is disabled, the intra-area route in a non-backbone area is preferred, to reduce the burden on the backbone area.
Step Command Remarks 2. Bind OSPF MIB to an OSPF process. ospf mib-binding process-id Optional. 3. Enable OSPF trap generation.
Step Command Remarks 2. Configure OSPF to give priority to receiving and processing hello packets. ospf packet-process prioritized-treatment Not configured by default. Configuring the LSU transmit rate Sending large numbers of LSU packets affects router performance and consumes too much network bandwidth. You can configure the router to send LSU packets at a proper interval and limit the maximum number of LSU packets sent out of an OSPF interface each time.
BFD provides a single mechanism to quickly detect and monitor the connectivity of links between OSPF neighbors, reducing network convergence time. For more information about BFD, see High Availability Configuration Guide. OSPF supports the following BFD detection methods: • Bidirectional control detection, which requires BFD configuration to be made on both OSPF routers on the link. • Single-hop echo detection, which requires BFD configuration to be made on one OSPF router on the link.
Task Command Remarks Display OSPF neighbor information. display ospf [ process-id ] peer [ verbose ] [ interface-type interface-number ] [ neighbor-id ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display neighbor statistics of OSPF areas. display ospf [ process-id ] peer statistics [ | { begin | exclude | include } regular-expression ] Available in any view. Display next hop information.
Figure 270 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure basic OSPF: # Configure Router A. system-view [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] quit [RouterA-ospf-1] area 1 [RouterA-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.1] quit [RouterA-ospf-1] quit # Configure Router B.
[Firewall-ospf-1] area 2 [Firewall-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255 [Firewall-ospf-1-area-0.0.0.2] network 10.5.1.0 0.0.0.255 [Firewall-ospf-1-area-0.0.0.2] quit [Firewall-ospf-1] quit 3. Verify the configuration: # Display the OSPF neighbors of Router A. [RouterA] display ospf peer verbose OSPF Process 1 with Router ID 10.2.1.1 Neighbors Area 0.0.0.0 interface 10.1.1.1(GigabitEthernet0/1)'s neighbors Router ID: 10.3.1.1 State: Full DR: 10.1.1.1 Address: 10.1.1.
[RouterA] display ospf lsdb OSPF Process 1 with Router ID 10.2.1.1 Link State Database Area: 0.0.0.0 Type LinkState ID AdvRouter Age Len Sequence Router 10.2.1.1 10.2.1.1 1069 36 80000012 Metric 0 Router 10.3.1.1 10.3.1.1 780 36 80000011 0 Network 10.1.1.1 10.2.1.1 1069 32 80000010 0 Sum-Net 10.5.1.0 10.3.1.1 780 28 80000003 1 Sum-Net 10.2.1.0 10.2.1.1 1069 28 8000000F 2 Sum-Net 10.3.1.0 10.3.1.1 780 28 80000014 2 Sum-Net 10.4.1.0 10.2.1.
--- 10.4.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 1/1/2 ms OSPF route redistribution configuration example Network requirements • Enable OSPF on all the routers. • Split the AS into three areas. • Configure Router A and Router B as ABRs. • Configure Firewall as an ASBR to redistribute external routes (static routes). Figure 271 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.
Inter 10.4.1.1 0.0.0.2 22 10.3.1.1 ASBR # Display the OSPF routing table on Router C. display ospf routing OSPF Process 1 with Router ID 10.5.1.1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 10.2.1.0/24 22 Inter 10.3.1.1 10.3.1.1 0.0.0.2 10.3.1.0/24 10 Transit 10.3.1.2 10.3.1.1 0.0.0.2 10.4.1.0/24 25 Inter 10.3.1.1 10.3.1.1 0.0.0.2 10.5.1.0/24 10 Stub 10.5.1.1 10.5.1.1 0.0.0.2 10.1.1.0/24 12 Inter 10.3.1.1 10.3.1.1 0.0.0.
Figure 272 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure basic OSPF: # Configure Router A. system-view [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] quit [RouterA-ospf-1] quit # Configure Firewall. system-view [Firewall] ospf [Firewall-ospf-1] area 0 [Firewall-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 [Firewall-ospf-1-area-0.0.
[RouterD-ospf-1] area 0 [RouterD-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [RouterD-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 [RouterD-ospf-1-area-0.0.0.0] quit # Configure Router C. system-view [RouterC] ospf [RouterC-ospf-1] area 0 [RouterC-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 [RouterC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 [RouterC-ospf-1-area-0.0.0.0] quit [RouterC-ospf-1] quit 3.
5. Configure route summarization: # Configure route summarization on Firewall to advertise a single route 10.0.0.0/8. [Firewall-ospf-1] asbr-summary 10.0.0.0 8 # Display the IP routing table on Router A. [RouterA] display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
10.0.0.0/8 O_ASE 150 2 11.2.1.1 GE0/1
11.2.1.0/24 Direct 0 0 11.2.1.2 GE0/1
11.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.
[RouterC] ospf [RouterC-ospf-1] import-route static [RouterC-ospf-1] quit # Display ABR/ASBR information on Firewall. display ospf abr-asbr OSPF Process 1 with Router ID 10.4.1.1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10.2.1.1 0.0.0.1 3 10.2.1.1 ABR Inter 10.3.1.1 0.0.0.1 5 10.2.1.1 ABR Inter 10.5.1.1 0.0.0.1 7 10.2.1.1 ASBR # Display OSPF routing information on Firewall.
[Firewall-ospf-1-area-0.0.0.1] quit [Firewall-ospf-1] quit # Display OSPF routing information on Firewall. [Firewall] display ospf routing OSPF Process 1 with Router ID 10.4.1.1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0.0.0.0/0 4 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.2.1.0/24 3 Transit 10.2.1.2 10.2.1.1 0.0.0.1 10.3.1.0/24 7 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1 10.5.1.0/24 17 Inter 10.2.1.1 10.2.
• Configure Router A and Router B as ABRs to forward routing information between areas. • Configure Area 1 as an NSSA area and configure Firewall as an ASBR to redistribute static routes into the AS. Figure 274 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure basic OSPF (see "Basic OSPF configuration example"). 3. Configure Area 1 as an NSSA area: # Configure Router A.
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.2.1.0/24 3 Transit 10.2.1.2 10.4.1.1 0.0.0.1
10.3.1.0/24 7 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1
10.5.1.0/24 17 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.1.1.0/24 5 Inter 10.2.1.1 10.2.1.1 0.0.0.1
Total Nets: 5 Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0
4. Configure route redistribution: # Configure OSPF to redistribute the static route on Firewall.
Figure 275 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure basic OSPF: # Configure Firewall. system-view [Firewall] router id 1.1.1.1 [Firewall] ospf [Firewall-ospf-1] area 0 [Firewall-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [Firewall-ospf-1-area-0.0.0.0] quit [Firewall-ospf-1] quit # Configure Router A. system-view [RouterA] router id 2.2.2.
[RouterC-ospf-1] return # Display neighbor information on Firewall. [Firewall] display ospf peer verbose OSPF Process 1 with Router ID 1.1.1.1 Neighbors Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet0/1)'s neighbors Router ID: 2.2.2.2 State: 2-Way Address: 192.168.1.2 Mode: None DR: 192.168.1.4 Priority: 1 BDR: 192.168.1.3 Dead timer due in 38 GR State: Normal MTU: 0 sec Neighbor is up for 00:01:31 Authentication Sequence: [ 0 ] Router ID: 3.3.3.3 State: Full Address: 192.168.1.
Neighbors Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet0/1)'s neighbors Router ID: 1.1.1.1 State: Full Address: 192.168.1.1 Mode:Nbr is DR: 192.168.1.4 Slave Priority: 100 BDR: 192.168.1.3 Dead timer due in 31 GR State: Normal MTU: 0 sec Neighbor is up for 00:11:17 Authentication Sequence: [ 0 ] Router ID: 2.2.2.2 State: Full Address: 192.168.1.2 Mode:Nbr is DR: 192.168.1.4 Slave BDR: 192.168.1.
   Authentication Sequence: [ 0 ]
 Router ID: 3.3.3.3          Address: 192.168.1.3       GR State: Normal
   State: Full  Mode: Nbr is Slave  Priority: 2
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 39  sec
   Neighbor is up for 00:01:41
   Authentication Sequence: [ 0 ]
The output shows that Firewall becomes the DR and Router B becomes the BDR. The full neighbor state means an adjacency has been established. The 2-way neighbor state means the two routers are not the DR or BDR, and they do not exchange LSAs.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF:
# Configure Router A.
system-view
[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
system-view
[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.
Area 0 has no direct connection to Area 2, so the OSPF routing table of Router B has no route to Area 2.
3. Configure a virtual link:
# Configure Router B.
[RouterB] ospf
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
[RouterB-ospf-1-area-0.0.0.1] quit
[RouterB-ospf-1] quit
# Configure Firewall.
[Firewall] ospf
[Firewall-ospf-1] area 1
[Firewall-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[Firewall-ospf-1-area-0.0.0.1] quit
# Display OSPF routing information on Router B.
Figure 277 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF (see "Basic OSPF configuration example").
3. Configure OSPF to redistribute routes:
# On Firewall, configure a static route destined for network 3.1.1.0/24.
system-view
[Firewall] ip route-static 3.1.1.0 24 10.4.1.2
# On Firewall, configure a static route destined for network 3.1.2.0/24.
[Firewall] ip route-static 3.1.2.0 24 10.4.1.
4. Configure Firewall to filter out the route 3.1.3.0/24:
# Configure the IPv4 prefix list.
[Firewall] ip ip-prefix prefix1 index 1 deny 3.1.3.0 24
[Firewall] ip ip-prefix prefix1 index 2 permit 3.1.1.0 24
[Firewall] ip ip-prefix prefix1 index 3 permit 3.1.2.0 24
# Reference the prefix list to filter out the route 3.1.3.0/24.
[Firewall] ospf 1
[Firewall-ospf-1] filter-policy ip-prefix prefix1 export static
# Display the OSPF routing table of Router A.
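To make the prefix-list semantics of the step above concrete, the following is an added example (not part of the HP guide and not Comware code) that models prefix1 exactly as configured above and applies it as an export filter to a constructed set of static routes. Entries are evaluated in index order, the first match decides, and anything that matches no entry is dropped by the implicit deny; the optional greater-equal and less-equal bounds are my generalization of the exact-length matching used on the page, and their defaults are an assumption.

```python
import ipaddress

# Constructed prefix list modelled on the page's "ip ip-prefix prefix1" entries:
# (index, action, prefix, greater_equal, less_equal). None for both bounds
# means the route must match the entry's prefix length exactly, as on the page.
PREFIX1 = [
    (1, "deny",   "3.1.3.0/24", None, None),
    (2, "permit", "3.1.1.0/24", None, None),
    (3, "permit", "3.1.2.0/24", None, None),
]

# Constructed static routes; 3.1.4.0/24 is extra and matches no entry,
# so the implicit deny at the end of the list drops it.
STATIC_ROUTES = ["3.1.1.0/24", "3.1.2.0/24", "3.1.3.0/24", "3.1.4.0/24"]


def _length_bounds(net, ge, le):
    """Prefix-length window an entry accepts. Assumption: only ge given means
    "up to the maximum length", only le given means "from the entry length"."""
    lo = net.prefixlen if ge is None else ge
    if le is None:
        hi = net.max_prefixlen if ge is not None else net.prefixlen
    else:
        hi = le
    return lo, hi


def prefix_list_action(plist, prefix):
    """Return 'permit' or 'deny' for one route, first match wins."""
    route = ipaddress.ip_network(prefix, strict=True)
    for _index, action, entry, ge, le in sorted(plist, key=lambda e: e[0]):
        net = ipaddress.ip_network(entry, strict=True)
        if route.version != net.version:
            continue
        lo, hi = _length_bounds(net, ge, le)
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action
    return "deny"   # implicit deny when no entry matches


def export_filter(plist, routes):
    """Routes that survive the filter-policy and are redistributed."""
    return [r for r in routes if prefix_list_action(plist, r) == "permit"]


if __name__ == "__main__":
    print(export_filter(PREFIX1, STATIC_ROUTES))
```

The filter keeps 3.1.1.0/24 and 3.1.2.0/24 only: 3.1.3.0/24 hits the explicit deny at index 1 and 3.1.4.0/24 hits the implicit deny, which is the behaviour to expect from `filter-policy ip-prefix prefix1 export static` above.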
 Destination/Mask   Proto  Pre  Cost    NextHop         Interface
 10.1.1.0/24        Direct 0    0       10.1.1.1        GE0/1
 10.1.1.1/32        Direct 0    0       127.0.0.1       InLoop0
 10.2.1.0/24        Direct 0    0       10.2.1.1        GE0/2
 10.2.1.1/32        Direct 0    0       127.0.0.1       InLoop0
 10.3.1.0/24        OSPF   10   4       10.1.1.2        GE0/1
 10.4.1.0/24        OSPF   10   13      10.2.1.2        GE0/2
 127.0.0.0/8        Direct 0    0       127.0.0.1       InLoop0
 127.0.0.1/32       Direct 0    0       127.0.0.1       InLoop0
The route to 10.5.1.1/24 is filtered out.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable OSPF:
# Configure Firewall A.
system-view
[FirewallA] ospf
[FirewallA-ospf-1] area 0
[FirewallA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 121.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.
[FirewallB-GigabitEthernet1/1] bfd min-transmit-interval 500
[FirewallB-GigabitEthernet1/1] bfd min-receive-interval 500
[FirewallB-GigabitEthernet1/1] bfd detect-multiplier 6
4. Verify the configuration:
# Display the BFD information on Firewall A.
display bfd session
 Total Session Num: 1     Init Mode: Active
 Session Working Under Ctrl Mode:
 LD/RD   SourceAddr       DestAddr         State   Holdtime   Interface
 3/1     192.168.0.102    192.168.0.100    Up      1700ms     GE1/1
# Display routes destined for 120.1.1.
*0.50673830 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Del application(OSPF)
*0.50673831 FirewallA BFD/8/SCM:No application in session, delete session[192.168.0.102/192.168.0.100,GE1/1]
*0.50673831 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Delete
*0.50673832 FirewallA BFD/8/SCM:Delete send-packet timer
*0.50673833 FirewallA BFD/8/SCM:Delete session entry
*0.50673833 FirewallA BFD/8/SCM:Delete session from IP hash table
*0.
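As an added example (not part of the HP guide), the script below parses the BFD debugging lines shown above into structured events, so the teardown sequence of one session can be checked in order, and computes the detection time that the BFD timers configured in the previous step (500 ms transmit, 500 ms receive, multiplier 6) give. The detection-time rule is the RFC 5880 one: the remote multiplier times the larger of the remote transmit interval and the local receive interval. The log lines are copied from the output above; the regular expressions and function names are mine.

```python
import re

# The six lines are copied from the page's debugging output on Firewall A.
BFD_LOG = [
    "*0.50673830 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Del application(OSPF)",
    "*0.50673831 FirewallA BFD/8/SCM:No application in session, delete session[192.168.0.102/192.168.0.100,GE1/1]",
    "*0.50673831 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Delete",
    "*0.50673832 FirewallA BFD/8/SCM:Delete send-packet timer",
    "*0.50673833 FirewallA BFD/8/SCM:Delete session entry",
    "*0.50673833 FirewallA BFD/8/SCM:Delete session from IP hash table",
]

# "*<timestamp> <device> BFD/8/SCM:<rest>"; the module/severity tag is the one on the page.
LINE_RE = re.compile(r"^\*(?P<ts>[\d.]+) (?P<dev>\S+) BFD/8/SCM:(?P<rest>.*)$")
# Session key appears either as "Sess[...]" or "session[...]".
SESS_RE = re.compile(r"[Ss]ess(?:ion)?\[(?P<sess>[^\]]+)\]")


def parse_bfd_log(lines):
    """Turn raw log lines into dicts with timestamp, device, session and operation."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a BFD SCM line; ignore
        rest = m.group("rest")
        sess = SESS_RE.search(rest)
        # Lines of the form "Sess[...], Oper: X" carry the operation after "Oper: ";
        # free-text lines are kept whole as the operation.
        oper = rest.split(", Oper: ", 1)[1] if ", Oper: " in rest else rest
        events.append({
            "ts": m.group("ts"),
            "device": m.group("dev"),
            "session": sess.group("sess") if sess else None,
            "oper": oper,
        })
    return events


def teardown_sequence(lines):
    """Ordered list of operations, useful to confirm a clean session removal."""
    return [e["oper"] for e in parse_bfd_log(lines)]


def detection_time_ms(remote_min_tx, local_min_rx, remote_multiplier):
    """RFC 5880 detection time as seen locally, in milliseconds."""
    return max(remote_min_tx, local_min_rx) * remote_multiplier


if __name__ == "__main__":
    for e in parse_bfd_log(BFD_LOG):
        print(e["ts"], e["session"], "->", e["oper"])
    print("detection time:", detection_time_ms(500, 500, 6), "ms")
```

With the page's timers the detection time is 3000 ms, which is why the session display shows a holdtime in the low seconds; an asymmetric configuration (for example 500 ms transmit against a 1000 ms receive on the other side) is governed by the slower side.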
Solution
1. Use the display ospf peer command to verify OSPF neighbor information.
2. Use the display ospf interface command to verify OSPF interface information.
3. Ping the neighbor router's IP address to verify that the connectivity is normal.
4. Verify OSPF timers. The dead interval on an interface must be at least four times the hello interval.
5. On an NBMA network, use the peer ip-address command to manually specify the neighbor.
6.
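The troubleshooting checklist above can be applied mechanically. The following added example (my code, not from the HP guide) takes the parameters a practitioner would read from display ospf interface on both ends of a link, in a constructed dictionary form, and reports every condition from the checklist that would stop the adjacency: different subnets, area or network-type mismatch, hello or dead interval mismatch, a dead interval shorter than four times the hello interval, and an NBMA interface without a configured peer.

```python
import ipaddress

# Constructed interface parameters in the shape one would copy from
# "display ospf interface" on each side of the link.
FIREWALL_GE01 = {"name": "Firewall GE0/1", "address": "192.168.1.1/24", "area": "0.0.0.0",
                 "network_type": "broadcast", "hello": 10, "dead": 40, "peers": []}
ROUTERA_GE01 = {"name": "RouterA GE0/1", "address": "192.168.1.2/24", "area": "0.0.0.0",
                "network_type": "broadcast", "hello": 10, "dead": 40, "peers": []}


def check_adjacency(local, remote):
    """Return the reasons two OSPF interfaces cannot form an adjacency.

    An empty list means every parameter covered by the page's checklist
    (subnet, area, network type, timers, NBMA peers) agrees on both sides.
    """
    problems = []
    l_if = ipaddress.ip_interface(local["address"])
    r_if = ipaddress.ip_interface(remote["address"])
    if l_if.network != r_if.network:
        problems.append(f"{local['name']} and {remote['name']} are not on the same subnet")
    if local["area"] != remote["area"]:
        problems.append(f"area mismatch: {local['area']} vs {remote['area']}")
    if local["network_type"] != remote["network_type"]:
        problems.append(f"network type mismatch: {local['network_type']} vs {remote['network_type']}")
    # Step 4 of the checklist: dead interval must be at least four times hello.
    for side in (local, remote):
        if side["dead"] < 4 * side["hello"]:
            problems.append(f"{side['name']}: dead interval {side['dead']}s is less than "
                            f"4 x hello interval {side['hello']}s")
    # Hello and dead intervals must also match between the two neighbors.
    if local["hello"] != remote["hello"]:
        problems.append(f"hello interval mismatch: {local['hello']}s vs {remote['hello']}s")
    if local["dead"] != remote["dead"]:
        problems.append(f"dead interval mismatch: {local['dead']}s vs {remote['dead']}s")
    # Step 5: on NBMA, each side needs the other configured with "peer ip-address".
    for side, other in ((local, remote), (remote, local)):
        other_ip = str(ipaddress.ip_interface(other["address"]).ip)
        if side["network_type"] == "nbma" and other_ip not in side["peers"]:
            problems.append(f"{side['name']}: NBMA interface has no 'peer {other_ip}' configured")
    return problems


if __name__ == "__main__":
    print(check_adjacency(FIREWALL_GE01, ROUTERA_GE01) or "no problems found")
    print(check_adjacency(FIREWALL_GE01, dict(ROUTERA_GE01, dead=30)))
```

The constructed pair passes cleanly; lowering one dead interval to 30 s produces two findings (the 4 x hello rule and the timer mismatch), which is the kind of double hit that explains a neighbor stuck below Full.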
Configuring IS-IS
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
IS-IS can be configured only at the CLI.
Task Configuring IS-IS routing information control Configuring a DIS priority for an interface Enhancing IS-IS network security Remarks Configuring IS-IS link cost Optional Specifying a preference for IS-IS Required Configuring the maximum number of ECMP routes Optional Configuring IS-IS route summarization Optional Advertising a default route Optional Configuring IS-IS route redistribution Optional Configuring IS-IS route filtering Optional Configuring IS-IS route leaking Optional Speci
Enabling IS-IS
Step, command and remarks:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable an IS-IS routing process and enter its view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: By default, the IS-IS routing process is disabled.
3. Assign a NET.
   Command: network-entity net
   Remarks: By default, NET is not assigned.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Enable an IS-IS process on the interface.
Interfaces with different network types operate differently. For example, broadcast interfaces on a network must elect the DIS and flood CSNP packets to synchronize the LSDBs, but P2P interfaces on a network do not need to elect the DIS, and have a different LSDB synchronization mechanism. If only two routers exist on a broadcast network, configure the network type of attached interfaces as P2P to avoid DIS election and CSNP flooding, saving network bandwidth and speeding up network convergence.
Interface bandwidth ≤ 2500 Mbps: interface cost 20
Interface bandwidth > 2500 Mbps: interface cost 10
If none of the above costs is used, a default cost of 10 applies.
Configuring an IS-IS cost for an interface
Step, command and remarks:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify an IS-IS cost style.
   Command: cost-style { narrow | wide | wide-compatible | { compatible | narrow-compatible } [ relax-spf-limit ] }
   Remarks: Optional.
4. Return to system view.
5. Configure a bandwidth reference value for automatic IS-IS cost calculation.
   Command: bandwidth-reference value
   Remarks: Optional. The default setting is 100 Mbps.
Specifying a preference for IS-IS
If multiple routing protocols find routes to the same destination, the route found by the routing protocol that has the highest preference is selected as the optimal route. Perform this task to assign a preference to IS-IS directly or by using a routing policy.
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure IS-IS route summarization.
   Command: summary ip-address { mask | mask-length } [ avoid-feedback | generate_null0_route | [ level-1 | level-1-2 | level-2 ] | tag tag ] *
   Remarks: By default, route summarization is not configured.
Advertising a default route
IS-IS cannot redistribute a default route to its neighbors. This task enables IS-IS to advertise a default route of 0.0.0.
Configuring IS-IS route filtering
You can use an ACL, IP prefix list, or routing policy to filter routes calculated using the received LSPs and routes redistributed from other routing protocols.
Filtering routes calculated from received LSPs
IS-IS saves LSPs received from neighbors in the LSDB, uses the SPF algorithm to calculate the shortest path tree with itself as the root, and installs the routes into the IS-IS routing table. Perform this task to filter calculated routes.
Step, command and remarks:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable IS-IS route advertisement from Level-2 to Level-1.
   Command: import-route isis level-2 into level-1 [ filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } | tag tag ] *
   Remarks: By default, IS-IS does not advertise routes from Level-2 to Level-1.
Step, command and remarks:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the number of hello packets a neighbor must miss before declaring the router is down.
   Command: isis timer holding-multiplier value [ level-1 | level-2 ]
   Remarks: Optional. The default setting is 3.
Configuring a DIS priority for an interface
On a broadcast network, IS-IS must elect a router as the DIS at a routing level.
If a PPP interface's peer IP address is on a different network segment, disable the hello source address check for the PPP interface to establish the neighbor relationship with the peer.
To enable neighbor relationships over different network segments:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Disable hello source address check for the PPP interface.
Each router needs to refresh LSPs generated by itself at a configurable interval and send them to other routers to prevent valid routes from being aged out. A smaller refresh interval speeds up network convergence but consumes more bandwidth. When the network topology changes, for example, a neighbor is down or up, or the interface metric, system ID, or area ID is changed, the router generates an LSP after a configurable interval.
If the IS-IS routers have different interface MTUs, HP recommends configuring the maximum size of generated LSP packets to be smaller than the smallest interface MTU in this area. Otherwise, the routers must dynamically adjust the LSP packet size to fit the smallest interface MTU, which takes time and affects other services.
To specify LSP lengths:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3.
Limiting LSP flooding
In NBMA networks such as ATM and FR, many P2P links exist. As shown in Figure 279, Router A, Router B, Router C, and Router D run IS-IS. When Router A generates an LSP, it floods the LSP out of Ethernet 1/1, Ethernet 1/2, and Ethernet 1/3. After Router D receives the LSP from Ethernet 1/3, Router D floods it out of Ethernet 1/1 and Ethernet 1/2 to Router B and Router C. However, Router B and Router C have already received the LSP from Router A.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure the SPF calculation interval.
   Command: timer spf maximum-interval [ initial-interval [ second-wait-interval ] ]
   Remarks: Optional. The default SPF calculation interval is 10 seconds.
Configuring convergence priorities for specific routes
A topology change causes IS-IS routing convergence.
Configuring system ID to host name mappings
A 6-byte system ID in dotted decimal notation uniquely identifies a router or host, but this format is hard to read. To solve the issue, the system allows you to use host names to identify devices and provides mappings between system IDs and host names. The mappings can be configured manually or dynamically.
6. Configure a DIS name.
   Command: isis dis-name symbolic-name
   Remarks: Optional. By default, no name is configured. This command takes effect only on a router enabled with dynamic system ID to host name mapping. This command is not available on P2P interfaces.
Enabling the logging of neighbor state changes
With this feature enabled, the router delivers information about neighbor state changes to the terminal for display.
To enable the logging of neighbor state changes:
1.
• If you configure an authentication mode and a password without specifying a level, the authentication mode and password apply to both Level-1 and Level-2.
• If neither ip nor osi is specified, the OSI related fields in LSPs are checked.
To configure neighbor relationship authentication:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the authentication mode and password.
Enabling IS-IS SNMP trap
This task enables IS-IS to generate traps and send them to the information center of the device. The information center determines whether to output the traps and where to output them. For more information about the information center, see Network Management and Monitoring Configuration Guide.
To enable IS-IS SNMP trap:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable SNMP trap.
Display IS-IS LSDB information.
   Command: display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ lsp-id lspid | lsp-name lspname ] | local | verbose ] * [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Display IS-IS mesh group information.
   Command: display isis mesh-group [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Figure 280 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure IS-IS:
# Configure Router A.
system-view
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] isis enable 1
[RouterA-GigabitEthernet1/1] quit
# Configure Router B.
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] isis enable 1
[Firewall-GigabitEthernet1/3] quit
# Configure Router C.
system-view
[RouterC] isis 1
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 20.0000.0000.0004.
[Firewall] display isis lsdb
                        Database information for ISIS(1)
                        --------------------------------
                        Level-1 Link State Database
LSPID                 Seq Num      Checksum   Holdtime   Length   ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0001.00-00  0x0000000d   0xc57a     991        68       0/0/0
0000.0000.0002.00-00  0x0000000c   0xef4d     1025       68       0/0/0
0000.0000.0003.
IPV4 Destination     IntCost   ExtCost   ExitInterface   NextHop       Flags
-------------------------------------------------------------------------
10.1.1.0/24          10        NULL      GE1/1           Direct        D/L/-
10.1.2.0/24          20        NULL      GE1/1           10.1.1.1      R/-/-
192.168.0.0/24       20        NULL      GE1/1           10.1.1.1      R/-/-
0.0.0.0/0            10        NULL      GE1/1           10.1.1.
10.1.1.0/24          20        NULL      GE1/2           192.168.0.1   R/-/-
10.1.2.0/24          20        NULL      GE1/2           192.168.0.1   R/-/-
172.16.0.0/16        10        NULL      GE1/1           Direct        D/L/-
      Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set
The output shows that the routing table of the Level-1 routers contains a default route with the next hop being the Level-1-2 router, and the routing table of the Level-2 router contains all Level-1 and Level-2 routes.
[RouterA] isis 1
[RouterA-isis-1] network-entity 10.0000.0000.0002.00
[RouterA-isis-1] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] isis enable 1
[RouterA-Ethernet1/1] quit
# Configure Router B.
system-view
[RouterB] isis 1
[RouterB-isis-1] network-entity 10.0000.0000.0003.00
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] quit
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] isis enable 1
[RouterB-Ethernet1/1] quit
# Configure Router C.
                  Interface information for ISIS(1)
                  ---------------------------------
 Interface: GigabitEthernet1/1
 Id    IPV4.State   IPV6.State   MTU    Type    DIS
 001   Up           Down         1497   L1/L2   No/No
# Display IS-IS interfaces of Router B.
[RouterB] display isis interface
                  Interface information for ISIS(1)
                  ---------------------------------
 Interface: Ethernet1/1
 Id    IPV4.State   IPV6.State   MTU    Type    DIS
 001   Up           Down         1497   L1/L2   Yes/No
# Display information about IS-IS interfaces of Router C.
 Interface: GigabitEthernet1/1
 Circuit Id: 0000.0000.0001.01   State: Up   Type: L2   HoldTime: 22s   PRI: 64
# Display information about IS-IS interfaces of Firewall.
[Firewall] display isis interface
                  Interface information for ISIS(1)
                  ---------------------------------
 Interface: GigabitEthernet1/1
 Id    IPV4.State   IPV6.State   MTU    Type    DIS
 001   Up           Down         1497   L1/L2   Yes/Yes
The output shows that after the DIS priority configuration, Firewall is the DIS for Level-1-2, and the pseudonode is 0000.0000.0001.01.
                  Interface information for ISIS(1)
                  ---------------------------------
 Interface: Ethernet1/1
 Id    IPV4.State   IPV6.State   MTU    Type    DIS
 001   Up           Down         1497   L1/L2   No/No
IS-IS route redistribution configuration example
Network requirements
As shown in Figure 282, Router A, Router B, Router C, and Firewall reside in the same AS. They use IS-IS to interconnect. Router A and Router B are Level-1 routers, Firewall is a Level-2 router, and Router C is a Level-1-2 router.
[RouterB] interface gigabitethernet 1/1
[RouterB-GigabitEthernet1/1] isis enable 1
[RouterB-GigabitEthernet1/1] quit
# Configure Router C.
system-view
[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.
                     ISIS(1) IPv4 Level-1 Forwarding Table
                     -------------------------------------
IPV4 Destination     IntCost   ExtCost   ExitInterface   NextHop       Flags
-------------------------------------------------------------------------
10.1.1.0/24          10        NULL      GE1/1           Direct        D/L/-
10.1.2.0/24          10        NULL      GE1/3           Direct        D/L/-
192.168.0.
[RouterD] rip 1
[RouterD-rip-1] network 10.0.0.0
[RouterD-rip-1] version 2
[RouterD-rip-1] undo summary
# Configure route redistribution from RIP to IS-IS on Firewall.
[Firewall-rip-1] quit
[Firewall] isis 1
[Firewall-isis-1] import-route rip level-2
# Display IS-IS routing information on Router C.
• Configure neighbor relationship authentication between neighbors.
• Configure area authentication in Area 10 to prevent untrusted routes from entering into the area.
• Configure routing domain authentication on Device C and Device D to prevent untrusted routes from entering the routing domain.
Figure 283 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic IS-IS:
# Configure Device A.
[DeviceC] interface gigabitethernet 1/2
[DeviceC-GigabitEthernet1/2] isis enable 1
[DeviceC-GigabitEthernet1/2] quit
[DeviceC] interface gigabitethernet 1/3
[DeviceC-GigabitEthernet1/3] isis enable 1
[DeviceC-GigabitEthernet1/3] quit
# Configure Device D.
system-view
[DeviceD] isis 1
[DeviceD-isis-1] network-entity 20.0000.0000.0001.00
[DeviceD-isis-1] quit
[DeviceD] interface gigabitethernet 1/1
[DeviceD-GigabitEthernet1/1] isis enable 1
[DeviceD-GigabitEthernet1/1] quit
3.
[DeviceC] isis 1
[DeviceC-isis-1] area-authentication-mode md5 10Sec
[DeviceC-isis-1] quit
5. Configure the routing domain authentication mode as MD5 and set the password to 1020Sec on Device C and Device D.
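The neighbor, area and domain authentication configured in this example all rely on the IS-IS Authentication Information TLV (type 10). The following added example (my code, not from the HP guide or Comware) shows what that check does on the wire for the MD5 mode used above: the sender appends a TLV carrying authentication type 54 (HMAC-MD5, RFC 5304) and a digest computed over the whole PDU with the digest field zeroed; the receiver recomputes it with its own key and accepts the PDU only on a match. It also models the cleartext mode (type 1) for comparison. The PDU header and TLVs are constructed stand-ins, and the two passwords are the ones the example above configures, so the block demonstrates why a PDU signed with the area password 10Sec is rejected by a process expecting the domain password 1020Sec.

```python
import hashlib
import hmac

AUTH_TLV = 10          # IS-IS Authentication Information TLV
AUTH_CLEARTEXT = 1     # authentication type: cleartext password
AUTH_HMAC_MD5 = 54     # authentication type: HMAC-MD5 (RFC 5304)
DIGEST_LEN = 16

# Constructed stand-in for a PDU: an 8-byte header placeholder followed by one
# Area Addresses TLV (type 1, area 49.0010). Real headers are longer; only the
# fact that the HMAC covers every byte of the PDU matters here.
SAMPLE_HEADER = bytes([0x83, 0x1b, 0x01, 0x00, 0x12, 0x01, 0x00, 0x00])
SAMPLE_TLVS = bytes([1, 3, 0x49, 0x00, 0x10])
SAMPLE_PDU = SAMPLE_HEADER + SAMPLE_TLVS


def _find_auth_tlv(pdu, header_len):
    """Walk the TLVs after the header; return (value_offset, length) of TLV 10."""
    i = header_len
    while i + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[i], pdu[i + 1]
        if tlv_type == AUTH_TLV:
            return i + 2, tlv_len
        i += 2 + tlv_len
    return None


def sign_pdu(pdu, key, header_len=len(SAMPLE_HEADER)):
    """Append an HMAC-MD5 Authentication TLV to an unsigned PDU."""
    unsigned = pdu + bytes([AUTH_TLV, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
    digest = hmac.new(key, unsigned, hashlib.md5).digest()   # digest field is zero while hashing
    return unsigned[:-DIGEST_LEN] + digest


def sign_pdu_cleartext(pdu, password):
    """Append a cleartext Authentication TLV (the password travels in the clear)."""
    return pdu + bytes([AUTH_TLV, 1 + len(password), AUTH_CLEARTEXT]) + password


def verify_pdu(pdu, key, header_len=len(SAMPLE_HEADER)):
    """True only if the PDU carries an Authentication TLV that matches `key`."""
    found = _find_auth_tlv(pdu, header_len)
    if found is None:
        return False
    off, length = found
    auth_type = pdu[off]
    if auth_type == AUTH_HMAC_MD5 and length == 1 + DIGEST_LEN:
        received = pdu[off + 1:off + 1 + DIGEST_LEN]
        zeroed = pdu[:off + 1] + bytes(DIGEST_LEN) + pdu[off + 1 + DIGEST_LEN:]
        expected = hmac.new(key, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(received, expected)
    if auth_type == AUTH_CLEARTEXT:
        return hmac.compare_digest(pdu[off + 1:off + length], key)
    return False   # unknown authentication type


if __name__ == "__main__":
    signed = sign_pdu(SAMPLE_PDU, b"10Sec")
    print("area key accepted:", verify_pdu(signed, b"10Sec"))
    print("domain key accepted:", verify_pdu(signed, b"1020Sec"))
```

Because the digest covers the entire PDU, changing any byte of the payload invalidates it as surely as using the wrong password does; the cleartext mode only proves that the sender knows the password and offers no integrity protection, which is why the example above chooses MD5.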
Configuring BGP
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
Overview
Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP). It is called internal BGP (IBGP) when it runs within an autonomous system (AS) and called external BGP (EBGP) when it runs between ASs. The current version in use is BGP-4 (RFC 4271). BGP refers to BGP-4 in this chapter.
Figure 284 BGP global configuration page
2. Configure BGP globally as described in Table 51.
3. Click Apply.
Table 51 Configuration items
Enable BGP: Enable BGP.
AS: Specify a local AS number.
Import static routes: Configure BGP to redistribute active static routes (except default routes).
Configuring BGP peer
1. Select Network > Routing Management > BGP from the navigation tree. The BGP configuration page appears.
Figure 285 Tabs on the BGP peer configuration page
2.
Figure 286 Creating a BGP peer
3. Configure the parameters as described in Table 52.
4. Click Apply.
Table 52 Configuration items
Peer IP Address: Configure the IP address of the BGP peer.
Peer AS: Specify the AS number of the BGP peer.
Displaying BGP peer information
1. Select Network > Routing Management > BGP from the navigation tree. The BGP configuration page appears.
2. After you complete BGP peer configurations, click Show Peer on the Show Information tab.
BGP configuration example
In this example, Device A is the firewall.
Network requirements
All devices in the following figure are BGP devices. Between Device A and Device B is an EBGP connection. IBGP speakers Device B, Device C, and Device D are fully meshed.
Figure 288 Network diagram
Configuring Device A
1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.)
2. Enable BGP:
a. Select Network > Routing Management > BGP from the navigation tree of Device B.
Figure 290 Web page displayed after you enable BGP
b. Select the Enable BGP box, and enter 65008 for AS.
c. Click Apply.
3. Configure EBGP connections:
a. Click Add in the Peer Configuration field. The BGP peer configuration page appears.
Figure 291 Adding a BGP peer
b. Enter 200.1.1.1 for Peer IP Address and 65009 for Peer AS.
c. Click Apply.
Configuring Device B
See the configuration pages of Device A for reference.
1. Configure IP addresses for interfaces and add interfaces to the security zones.
c. Click Apply.
3. Configure IBGP connections:
a. Click Add in the Peer Configuration field.
b. Enter 9.1.1.2 for Peer IP Address and 65009 for Peer AS.
c. Click Apply.
d. Click Add in the Peer Configuration field.
e. Enter 9.1.3.2 for Peer IP Address and 65009 for Peer AS.
f. Click Apply.
4. Configure EBGP connections:
a. Click Add in the Peer Configuration field.
b. Enter 200.1.1.2 for Peer IP Address and 65008 for Peer AS.
c. Click Apply.
f. Click Apply.
Verifying the configuration
1. Select Network > Routing Management > BGP from the navigation tree of Device B.
2. Click Show Peer in the Show Information field. BGP connections are established from Device B to other devices.
Figure 292 BGP configuration result
Configuring BGP at the CLI
BGP configuration task list
In a basic BGP network, you only need to perform the following configurations:
• Enable BGP.
• Configure BGP peers or peer groups.
• Control BGP route generation.
Task and remarks:
Configuring basic BGP:
   Enabling BGP: Required.
   Configuring a BGP peer: Required.
   Configuring a BGP peer group: HP recommends configuring BGP peer groups on large scale BGP networks for easy configuration and maintenance.
   Specifying the source interface for TCP connections: Optional.
Generating BGP routes:
   Injecting a local network: Required.
   Redistributing IGP routes: Use at least one method.
Task and remarks:
   Enabling trap: Optional.
   Enabling logging of session state changes: Optional.
   Configuring BFD for BGP: Optional.
Configuring basic BGP
This section describes the tasks required for a BGP network to work.
Enabling BGP
A router ID is the unique identifier of a BGP router in an AS.
• To ensure the uniqueness of a router ID and enhance availability, you can specify in BGP view the IP address of a local loopback interface as the router ID.
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Create a BGP peer and specify its AS number.
4. Enable the default use of IPv4 unicast address family for the peers that are established using the peer as-number command.
   Command: default ipv4-unicast
5. Enable a peer.
   Command: peer ip-address enable
6. Configure a description for a peer.
5. Enable a peer.
   Command: peer ip-address enable
   Remarks: Optional. Enabled by default.
6. Configure a description for a peer group.
   Command: peer group-name description description-text
   Remarks: Optional. By default, no description is configured for the peer group.
Configuring an EBGP peer group
If peers in an EBGP group belong to the same external AS, the EBGP peer group is a pure EBGP peer group. If not, it is a mixed EBGP peer group.
7. Configure a description for a peer group.
   Command: peer group-name description description-text
   Remarks: Optional. By default, no description is configured for the peer group.
To configure an EBGP peer group by using Method 2:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3.
3. Create an EBGP peer group.
   Command: group group-name external
   Remarks: N/A
4. Add a peer into the EBGP peer group.
   Command: peer ip-address group group-name as-number as-number
   Remarks: N/A
5. Enable a peer.
   Command: peer ip-address enable
   Remarks: Optional. Enabled by default.
6. Configure a description for a peer group.
   Command: peer group-name description description-text
   Remarks: Optional. By default, no description is configured for the peer group.
Generating BGP routes
BGP can generate routes in the following ways:
• Advertise local networks.
• Redistribute IGP routes.
Configuration prerequisites
Create and configure a routing policy. For more information, see "Configuring routing policies."
Injecting a local network
Perform this task to inject a network in the local routing table to the BGP routing table, so that BGP can advertise the network to BGP peers. The ORIGIN attribute of BGP routes advertised in this way is IGP.
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Enable route redistribution from IGP into BGP.
   Command: import-route protocol [ { process-id | all-processes } [ allow-direct | med med-value | route-policy route-policy-name ] * ]
   Remarks: Not enabled by default. The allow-direct keyword is available only when the specified routing protocol is OSPF.
4.
change the priority of the summary or the specific route to make the specific route the optimal route.
To configure BGP manual route summarization:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b.
Configuring BGP route distribution filtering policies
You can use the following methods to configure BGP route distribution filtering policies:
• Use ACL or IP prefix list to filter routing information advertised to all peers.
• Use routing policy, ACL, AS path list, or IP prefix list to filter routing information advertised to the specified peer or peer group.
You can configure a filtering policy as needed.
• Use routing policy, ACL, AS path list, or IP prefix list to filter routing information received by the specified peer or peer group.
If several filtering policies are configured, they are applied in the following sequence:
a. filter-policy import
b. peer filter-policy import
c. peer as-path-acl import
d. peer ip-prefix import
e. peer route-policy import
Only routes passing all the configured policies can be received.
To configure BGP route reception filtering policies:
1. Enter system view.
2.
forwards the packet to Router C through route recursion. Router C does not know the route 8.0.0.0/8, so it discards the packet.
Figure 293 BGP and IGP synchronization in an AS
For this example, if synchronization is enabled, and the route 8.0.0.0/24 received from Router B is available in its IGP routing table, Router D advertises the IBGP route when the following conditions are met:
• The next hop of the route is reachable.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Specify the maximum number of routes that a router can receive from a peer or peer group.
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Specify a preferred value for routes received from a peer or peer group.
   Command: peer { group-name | ip-address } preferred-value value
   Remarks: Optional. By default, the preferred value is 0.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Configure the default local preference.
   Command: default local-preference value
   Remarks: Optional. The default local preference is 100.
Configuring the MED attribute
MED is used to determine the best route for traffic going into an AS.
Figure 294 Route selection based on MED
As shown in Figure 294, Router D learns network 10.0.0.0 from both Router A and Router B. Because Router B has a smaller router ID, the route learned from it is optimal.
     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn
 *>i 10.0.0.0           2.2.2.2         50                    0       300e
 * i                    3.3.3.3         50                    0       200e
When Router D learns network 10.0.0.0 from Router C, it compares the route with the optimal route in its routing table.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Enable the comparison of MEDs for routes on a per-AS basis.
   Command: bestroute compare-med
   Remarks: Optional. Not enabled by default.
4.
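To show how MED interacts with the rest of the selection process described around Figure 294, the following is an added example (my code, not the HP guide's or Comware's implementation) of the BGP best-route decision applied to the two routes in the table above plus one constructed third route. It compares PrefVal, LocPrf, AS_PATH length, origin, MED, EBGP-versus-IBGP and finally router ID; the next-hop address stands in for the advertising router's ID, which is an assumption. MED is compared only among routes from the same neighboring AS, by picking a winner per AS first (the per-AS grouping the page describes for bestroute compare-med); the compare_different_as_med switch models the Comware command of that name, which makes MED comparable across ASs.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP preferred over EGP over incomplete


@dataclass(frozen=True)
class BgpRoute:
    network: str
    next_hop: str          # stands in for the advertising router's ID (assumption)
    as_path: tuple         # leftmost element is the neighboring AS
    origin: str = "i"
    med: int = 0
    local_pref: int = 100
    pref_val: int = 0
    from_ibgp: bool = True


# The two routes from the page's table (Path/Ogn "300e" = AS 300, origin EGP).
ROUTE_VIA_2 = BgpRoute("10.0.0.0", "2.2.2.2", (300,), origin="e", med=50)
ROUTE_VIA_3 = BgpRoute("10.0.0.0", "3.3.3.3", (200,), origin="e", med=50)
# Constructed third route from the same AS as ROUTE_VIA_3 but with a lower MED.
ROUTE_VIA_4 = BgpRoute("10.0.0.0", "4.4.4.4", (200,), origin="e", med=30)


def _ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def _key(route, with_med):
    """Sort key in standard BGP preference order; smaller is better."""
    key = [-route.pref_val, -route.local_pref, len(route.as_path), ORIGIN_RANK[route.origin]]
    if with_med:
        key.append(route.med)           # lower MED wins
    key += [route.from_ibgp, _ip_key(route.next_hop)]   # EBGP (False) before IBGP, then lowest router ID
    return tuple(key)


def select_best(routes, compare_different_as_med=False):
    """Pick the optimal route among candidates for one prefix."""
    if compare_different_as_med:
        return min(routes, key=lambda r: _key(r, True))
    # Default: MED only decides between routes from the same neighboring AS.
    groups = {}
    for r in routes:
        groups.setdefault(r.as_path[0] if r.as_path else None, []).append(r)
    winners = [min(group, key=lambda r: _key(r, True)) for group in groups.values()]
    return min(winners, key=lambda r: _key(r, False))


if __name__ == "__main__":
    print(select_best([ROUTE_VIA_2, ROUTE_VIA_3]).next_hop)
    print(select_best([ROUTE_VIA_2, ROUTE_VIA_3, ROUTE_VIA_4]).next_hop)
    print(select_best([ROUTE_VIA_2, ROUTE_VIA_3, ROUTE_VIA_4], compare_different_as_med=True).next_hop)
```

With the page's two routes everything ties until the router ID, so the route via 2.2.2.2 is chosen, matching the ">" marker in the table. The constructed route with MED 30 displaces its same-AS sibling but still loses to 2.2.2.2 on router ID, because MED is not compared across ASs by default; enabling cross-AS MED comparison flips the result.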
If a BGP router has two peers on a common broadcast network, it does not set itself as the next hop for routes sent to an EBGP peer by default. As shown in Figure 296, Router A and Router B establish an EBGP neighbor relationship, and Router B and Router C establish an IBGP neighbor relationship. They are on the same broadcast network 1.1.1.0/24. When Router B sends EBGP routes to Router A, it does not set itself as the next hop by default. However, you can configure Router B to set it as the next hop (1.1.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Permit local AS number to appear in routes from a peer or peer group and specify the appearance times.
   Remarks: Optional.
3. Specify a fake AS number for a peer or peer group.
   Command: peer { group-name | ip-address } fake-as as-number
   Remarks: Optional. Not specified by default. This command is only applicable to an EBGP peer or peer group.
Configuring AS number substitution
Use AS number substitution only in the specific scenario. Improper configuration can result in routing loops.
To configure AS number substitution for a peer or peer group:
1. Enter system view.
For some network applications, a BGP router does not add its own AS number to the AS_PATH attribute. In this case, you must configure the ignore-first-as command on the EBGP peer to ignore the first AS number of EBGP route updates.
To ignore the first AS number of EBGP route updates:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view or BGP-VPN instance view.
   Command: bgp as-number
   Remarks: N/A
3. Configure BGP to ignore the first AS number of EBGP route updates.
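The AS_PATH checks that the allow-as-loop and ignore-first-as tasks above relax are easy to state in code. The following added example (my code, not the HP guide's) models the receive-side checks an EBGP speaker applies to an UPDATE: the leftmost AS must be the peer's AS unless ignore-first-as is set, and the local AS may appear in the path no more often than the configured allow-as-loop count, which defaults to zero, so any occurrence is treated as a loop. The AS numbers are the ones used in the BGP configuration example earlier in this chapter; the function names are mine.

```python
def check_ebgp_update(as_path, peer_as, local_as, allow_as_loop=0, ignore_first_as=False):
    """Return (accepted, reason) for an UPDATE received from an EBGP peer.

    as_path is the AS_PATH as received, leftmost AS first.
    """
    as_path = tuple(as_path)
    if not as_path:
        return False, "empty AS_PATH from an EBGP peer"
    # First-AS check: an EBGP neighbor normally prepends its own AS, so the
    # leftmost AS must equal the peer's AS; ignore-first-as disables the check.
    if not ignore_first_as and as_path[0] != peer_as:
        return False, f"first AS {as_path[0]} is not the peer AS {peer_as}"
    # Loop check: our own AS in the path means the route has already passed
    # through us; allow-as-loop permits up to N occurrences.
    occurrences = as_path.count(local_as)
    if occurrences > allow_as_loop:
        return False, (f"local AS {local_as} appears {occurrences} time(s), "
                       f"allowed {allow_as_loop}: possible routing loop")
    return True, "accepted"


def advertise_to_ebgp(as_path, local_as):
    """AS_PATH as sent to an EBGP peer: the local AS is prepended."""
    return (local_as,) + tuple(as_path)


if __name__ == "__main__":
    # Device A (AS 65008) receiving from Device B (AS 65009), as in the example.
    print(check_ebgp_update((65009, 65010), peer_as=65009, local_as=65008))
    print(check_ebgp_update((65009, 65008), peer_as=65009, local_as=65008))
    print(check_ebgp_update((65009, 65008), peer_as=65009, local_as=65008, allow_as_loop=1))
```

The second call is rejected because the path already contains 65008; only an explicit allow-as-loop of 1 or more accepts it, which is why that setting should be confined to topologies where the loop is intentional.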
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Configure BGP keepalive interval and holdtime.
   • Configure the global keepalive interval
2. Enter BGP view or BGP-VPN instance view. (Use either method.)
   • Enter BGP view: bgp as-number
   • Enter BGP-VPN instance view:
     a. bgp as-number
     b. ipv4-family vpn-instance vpn-instance-name
3. Allow the establishment of EBGP session to an indirectly connected peer or peer group, and specify the maximum hop count.
Table 54 Description of the both, send, and receive parameters and the negotiation result
Local parameter: send. Peer parameter: receive or both. Negotiation result: The local end can only send ORF information, and the peer end can only receive ORF information.
Local parameter: receive. Peer parameter: send or both. Negotiation result: The local end can only receive ORF information, and the peer end can only send ORF information.
Local parameter: both. Peer parameter: both. Negotiation result: Both the local and peer ends can send and receive ORF information.
Step 2. Enter BGP view or BGP-VPN instance view.
  Command: Enter BGP view: bgp as-number. Enter BGP-VPN instance view: a. bgp as-number, b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either method.
Step 3. Enable quick reestablishment of direct EBGP session.
  Command: ebgp-interface-sensitive
  Remarks: Optional. Not enabled by default.
Forbidding session establishment with a peer or peer group
This task allows you to temporarily tear down the BGP session to a specific peer or peer group. To recover the session, execute the undo peer ignore command. In this way, you can implement network upgrade and maintenance without deleting and then configuring the peer or peer group.
To forbid session establishment with a peer or peer group:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter BGP view: bgp as-number
Step 2. Enter BGP view or BGP-VPN instance view.
  Command: Enter BGP view: bgp as-number. Enter BGP-VPN instance view: a. bgp as-number, b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either method.
Step 3. Enable BGP route refresh for a peer or peer group.
  Command: peer { group-name | ip-address } capability-advertise route-refresh
  Remarks: Optional. Enabled by default.
Saving updates
To save all route updates from a peer or peer group:
Step 1. Enter system view.
Configuring a large scale BGP network In a large-scale BGP network, configuration and maintenance might become difficult due to large numbers of BGP peers. To facilitate configuration, you can configure peer group, community, route reflector, or confederation as needed. For information about configuring a peer group, see "Configuring a BGP peer group." Configuration prerequisites Peering nodes are accessible to each other at the network layer.
To configure a BGP route reflector:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter BGP view or BGP-VPN instance view.
  Command: Enter BGP view: bgp as-number. Enter BGP-VPN instance view: a. bgp as-number, b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either method.
Step 3. Configure the router as a route reflector and specify a peer or peer group as its client.
  Command: peer { group-name | ip-address } reflect-client
Step 4. Enable route reflection between clients.
Configuring confederation compatibility
If some other routers in the confederation do not comply with RFC 3065, you must enable confederation compatibility to allow the router to work with those routers.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter BGP view.
  Command: bgp as-number
  Remarks: N/A
Step 3. Enable compatibility with routers not compliant with RFC 3065 in the confederation.
  Command: confederation nonstandard
  Remarks: Optional. Not enabled by default.
Configuring BFD for BGP
The following matrix shows the feature and hardware compatibility:
  F1000-A-EI/F1000-S-EI: No
  F1000-E: No
  F5000: Yes
  F5000-S/F5000-C: No
  VPN firewall modules: No
  20-Gbps VPN firewall modules: No
BGP maintains neighbor relationships based on the keepalive timer and hold timer in seconds. It requires that the hold time be at least three times the keepalive interval. This mechanism makes link failure detection slow.
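The following Python script is an added example (not part of the HP guide) that makes the timing argument above concrete: it checks the "hold time at least three times the keepalive interval" rule, negotiates a hold time the way BGP does, and computes the BFD detection time for the timer values used in the BFD example later on this page (500 ms intervals, detect multiplier 7). The BGP default timers of 60 s and 180 s are assumed values, and the BFD formula follows RFC 5880.

```python
"""BGP timer rule and BFD detection time (added example, not from the HP guide).

Assumed values: BGP default keepalive 60 s and hold time 180 s; BFD timers of
500 ms and detect multiplier 7 as in the BFD example on this page.
"""

ASSUMED_DEFAULT_KEEPALIVE_S = 60
ASSUMED_DEFAULT_HOLDTIME_S = 180


def negotiate_hold_time(local_hold_s, peer_hold_s):
    """BGP uses the smaller of the two proposed hold times (RFC 4271 section 4.2).
    A hold time of 0 on either side disables the keepalive/hold mechanism."""
    if local_hold_s == 0 or peer_hold_s == 0:
        return 0
    return min(local_hold_s, peer_hold_s)


def keepalive_valid(keepalive_s, holdtime_s):
    """The rule stated in the guide: hold time >= 3 x keepalive interval.
    With timers disabled (hold time 0) there is nothing to check."""
    if holdtime_s == 0:
        return True
    return holdtime_s >= 3 * keepalive_s


def bfd_detection_time_ms(local_min_rx_ms, remote_min_tx_ms, remote_detect_mult):
    """Detection time seen by the local BFD system (RFC 5880 section 6.8.4):
    remote Detect Mult x max(local Required Min RX, remote Desired Min TX)."""
    return remote_detect_mult * max(local_min_rx_ms, remote_min_tx_ms)


def speedup_factor(holdtime_s, local_min_rx_ms, remote_min_tx_ms, remote_detect_mult):
    """How many times faster BFD reports a failure than the BGP hold timer,
    which in the worst case must run out completely before the peer is declared down."""
    bfd_ms = bfd_detection_time_ms(local_min_rx_ms, remote_min_tx_ms, remote_detect_mult)
    return (holdtime_s * 1000) / bfd_ms


if __name__ == "__main__":
    hold = negotiate_hold_time(ASSUMED_DEFAULT_HOLDTIME_S, 90)
    print("negotiated hold time:", hold, "s")                                 # 90
    print("60 s keepalive valid with that hold time:", keepalive_valid(60, hold))  # False
    print("BFD detection time:", bfd_detection_time_ms(500, 500, 7), "ms")   # 3500
    print("BFD speedup vs. default hold timer:",
          round(speedup_factor(ASSUMED_DEFAULT_HOLDTIME_S, 500, 500, 7), 1))  # 51.4
```

With the page's BFD timers the peer loss is detected in 3.5 s instead of waiting up to the full hold time, which is the point of enabling BFD for the IBGP session in the later example.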
Task: Display BGP peer or peer group information.
  Command: display bgp peer [ ip-address { log-info | verbose } | group-name log-info | verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the prefix information in the ORF message from the specified BGP peer.
  Command: display bgp peer ip-address received ip-prefix [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display BGP routing information.
Resetting BGP session
Task: Reset the specified BGP session.
  Command: reset bgp { as-number | ip-address | all | external | group group-name | internal }
  Remarks: Available in user view.
Task: Reset all IPv4 unicast BGP sessions.
  Command: reset bgp ipv4 all
  Remarks: Available in any view.
Clearing BGP information
Task: Clear dampened BGP routing information and release suppressed routes.
  Command: reset bgp dampening [ ip-address [ mask | mask-length ] ]
  Remarks: Available in user view.
2. Configure IBGP:
# Configure Firewall.
system-view
[Firewall] bgp 65009
[Firewall-bgp] router-id 2.2.2.2
[Firewall-bgp] peer 3.3.3.3 as-number 65009
[Firewall-bgp] peer 3.3.3.3 connect-interface loopback 0
[Firewall-bgp] quit
[Firewall] ospf 1
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.1 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router B.
[Firewall-bgp] peer 3.1.1.2 as-number 65008
[Firewall-bgp] quit
# Display BGP peer information on Firewall.
[Firewall] display bgp peer

 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 2

  Peer            AS  MsgRcvd  MsgSent  OutQ PrefRcv Up/Down  State
  3.3.3.3      65009       12       10     0       3 00:09:16 Established
  3.1.1.
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
  i  8.1.1.0/24         3.1.1.2         0          100       0       65008i

The output shows that Router A has learned no route to AS 65009, and Router B has learned network 8.1.1.0 but the next hop 3.1.1.2 is unreachable, and thus the route is invalid.
4.
 * i 9.1.1.0/24         2.2.2.2         0          100       0       ?

The output shows that the route 8.1.1.0 becomes valid with the next hop as Router A.
5. Verify the configuration:
# Ping 8.1.1.1 on Router B.
[RouterB] ping 8.1.1.1
  PING 8.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
    Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 8.1.1.1: bytes=56 Sequence=3 ttl=254 time=2 ms
    Reply from 8.1.1.1: bytes=56 Sequence=4 ttl=254 time=2 ms
    Reply from 8.1.1.
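To show why the route flips from invalid to valid, here is an added Python example (not from the HP guide) that replays the next-hop handling on the IBGP session: Router B's IP routing table is constructed from the display ip routing-table output on this page, and setting the firewall's own address as the next hop for the IBGP peer is the assumed fix for step 4, which the extract does not show in full.

```python
"""Effect of next-hop-local on an IBGP peer (added example, not from the HP guide).

Router B's routing table below is constructed from the display ip routing-table
output on this page. The fix modelled here, Firewall (2.2.2.2) substituting its
own address as next hop toward its IBGP peer 3.3.3.3, is an assumption about
step 4, which is not shown in full.
"""
import ipaddress

# (destination prefix, next hop, outgoing interface) as Router B sees them
ROUTER_B_ROUTING_TABLE = [
    ("2.2.2.2/32", "9.1.1.1", "GE0/1"),      # Firewall loopback, learned via OSPF
    ("3.3.3.3/32", "127.0.0.1", "InLoop0"),  # Router B's own loopback
    ("9.1.1.0/24", "9.1.1.2", "GE0/1"),
    ("9.1.2.0/24", "9.1.2.1", "GE0/2"),
]

# The EBGP route Firewall learns from 3.1.1.2 in AS 65008 (constructed).
FIREWALL_EBGP_ROUTE = {"prefix": "8.1.1.0/24", "next_hop": "3.1.1.2", "as_path": [65008]}


def next_hop_resolvable(routing_table, next_hop):
    """A BGP route is usable only if some IGP/static/direct route covers its next hop."""
    addr = ipaddress.ip_address(next_hop)
    return any(addr in ipaddress.ip_network(prefix) for prefix, _, _ in routing_table)


def advertise_to_ibgp_peer(route, local_address, next_hop_local):
    """By default an EBGP-learned route keeps its next hop when sent to IBGP peers.
    With next-hop-local the advertising router substitutes its own address."""
    out = dict(route)
    if next_hop_local:
        out["next_hop"] = local_address
    return out


def status_at_receiver(routing_table, route):
    """The status Router B would show for the received route."""
    if next_hop_resolvable(routing_table, route["next_hop"]):
        return "valid"
    return "invalid"


def simulate(next_hop_local):
    """Return (next hop carried to Router B, status on Router B)."""
    adv = advertise_to_ibgp_peer(FIREWALL_EBGP_ROUTE, "2.2.2.2", next_hop_local)
    return adv["next_hop"], status_at_receiver(ROUTER_B_ROUTING_TABLE, adv)


if __name__ == "__main__":
    print("default        :", simulate(next_hop_local=False))  # ('3.1.1.2', 'invalid')
    print("next-hop-local :", simulate(next_hop_local=True))   # ('2.2.2.2', 'valid')
```

Router B has no route covering 3.1.1.2 (the EBGP link is not advertised into OSPF), so the route stays invalid until the next hop is rewritten to an address Router B can resolve.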
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router B.
system-view
[RouterB] ospf 1
[RouterB-ospf-1] import-route direct
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
3. Configure the EBGP connection:
Configure the EBGP connection and inject network 8.1.1.
 *> 9.1.2.0/24         3.1.1.1         1                     0       65009?
# Display the routing table on Router B.
[RouterB] display ip routing-table
Routing Tables: Public
        Destinations : 9        Routes : 9

 Destination/Mask   Proto  Pre  Cost   NextHop         Interface
 2.2.2.2/32         OSPF   10   1      9.1.1.1         GE0/1
 3.3.3.3/32         Direct 0    0      127.0.0.1       InLoop0
 8.1.1.0/24         O_ASE       1      9.1.1.1         GE0/1
 9.1.1.0/24         Direct 0    0      9.1.1.2         GE0/1
 9.1.1.2/32         Direct 0    0      127.0.0.1       InLoop0
 9.1.2.0/24         Direct 0    0      9.1.2.1         GE0/2
 9.1.2.1/32         Direct 0    0      127.0.0.
BGP load balancing configuration example Network requirements As shown in Figure 299, all routers run BGP, Firewall resides in AS 65008, and Router B and Router A reside in AS 65009. EBGP runs between Firewall and Router B, and between Firewall and Router C. IBGP runs between Router B and Router A. Configure two routes on Firewall for load balancing.
system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 3.1.1.2 as-number 65008
[RouterB-bgp] peer 3.3.3.3 as-number 65009
[RouterB-bgp] peer 3.3.3.3 connect-interface loopback 0
[RouterB-bgp] network 9.1.1.0 24
[RouterB-bgp] quit
[RouterB] ip route-static 3.3.3.3 32 9.1.1.2
# Configure Router A.
system-view
[RouterA] bgp 65009
[RouterA-bgp] router-id 3.3.3.3
[RouterA-bgp] peer 3.1.2.2 as-number 65008
[RouterA-bgp] peer 2.2.2.
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table

 Total Number of Routes: 3

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>  8.1.1.0/24         0.0.0.0         0                     0       i
 *>  9.1.1.0/24         3.1.1.1         0                     0       65009i
 *>                     3.1.2.1         0                     0       65009i

The output shows two valid routes to the destination 9.1.1.
2. Configure static routing between Router A and Router B:
# Configure a default route with the next hop 192.168.212.1 on Router A.
system-view
[RouterA] ip route-static 0.0.0.0 0 192.168.212.1
# Configure static routes to 192.168.64.0/24, 192.168.74.0/24, and 192.168.99.0/24 with the same next hop 192.168.212.161 on Router B.
system-view
[RouterB] ip route-static 192.168.64.0 24 192.168.212.161
[RouterB] ip route-static 192.168.74.0 24 192.168.212.161
[RouterB] ip route-static 192.
4. Configure BGP between Firewall and Router C, and configure BGP on Firewall to redistribute OSPF routes:
# On Firewall, enable BGP, specify Router C as an EBGP peer, and configure BGP to redistribute OSPF routes.
[Firewall] bgp 65106
[Firewall-bgp] router-id 3.3.3.3
[Firewall-bgp] peer 10.220.2.217 as-number 64631
[Firewall-bgp] import-route ospf
# Configure Firewall as an EBGP peer on Router C.
[RouterC] bgp 64631
[RouterC-bgp] router-id 4.4.4.4
[RouterC-bgp] peer 10.220.2.
 10.220.2.16/32     Direct 0    0      127.0.0.1       InLoop0
 127.0.0.0/8        Direct 0    0      127.0.0.1       InLoop0
 127.0.0.1/32       Direct 0    0      127.0.0.1       InLoop0
 172.17.100.0/24    Direct 0    0      172.17.100.2    GE0/2
 172.17.100.2/32    Direct 0    0      127.0.0.1       InLoop0
 192.168.64.0/18    BGP    130  0      127.0.0.1       NULL0
 192.168.64.0/24    O_ASE  150  1      172.17.100.1    GE0/2
 192.168.74.0/24    O_ASE  150  1      172.17.100.1    GE0/2
 192.168.99.0/24    O_ASE  150  1      172.17.100.1    GE0/2

The output shows that Firewall has a summary route 192.168.64.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure EBGP connections:
# Configure Firewall.
system-view
[Firewall] bgp 10
[Firewall-bgp] router-id 1.1.1.1
[Firewall-bgp] peer 200.1.2.2 as-number 20
[Firewall-bgp] network 9.1.1.0 255.255.255.0
[Firewall-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>  9.1.1.0/24         200.1.3.1       0                     0       20 10i

Router A has learned the route to the destination 9.1.1.0/24 from Router B.
3. Configure BGP COMMUNITY attribute:
# Configure a routing policy.
Figure 302 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure BGP connections:
# Configure Router A.
system-view
[RouterA] bgp 100
[RouterA-bgp] peer 192.1.1.2 as-number 200
# Inject network 1.0.0.0/8 to the BGP routing table.
[RouterA-bgp] network 1.0.0.0
[RouterA-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 200
[RouterB-bgp] peer 192.1.1.1 as-number 100
[RouterB-bgp] peer 193.1.1.
4. Verify the configuration:
# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table

 Total Number of Routes: 1

 BGP Local router ID is 200.1.2.2
 Status codes : * - valid, ^ - VPNv4 best, > - best, d - damped,
                h - history,  i - internal, s - suppressed, S - Stale
                Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>  1.0.0.0            192.1.1.1       0                     0       100i
# Display the BGP routing table on Router C.
Figure 303 Network diagram Device Interface IP address Device Interface IP address Router A S2/1 200.1.1.1/24 Router D GE0/1 10.1.5.1/24 GE0/1 10.1.2.1/24 GE0/2 10.1.3.2/24 GE0/2 10.1.3.1/24 GE0/3 10.1.4.1/24 GE0/4 10.1.1.1/24 Router B GE0/1 10.1.1.2/24 Router C GE0/1 10.1.2.2/24 Firewall Router E Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2. Configure the BGP confederation: # Configure Router A.
system-view
[RouterC] bgp 65003
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] confederation id 200
[RouterC-bgp] confederation peer-as 65001 65002
[RouterC-bgp] peer 10.1.2.1 as-number 65001
[RouterC-bgp] quit
3. Configure IBGP connections in AS 65001:
# Configure Router A.
[RouterA] bgp 65001
[RouterA-bgp] peer 10.1.3.2 as-number 65001
[RouterA-bgp] peer 10.1.3.2 next-hop-local
[RouterA-bgp] peer 10.1.4.2 as-number 65001
[RouterA-bgp] peer 10.1.4.
[RouterB] display bgp routing-table

 Total Number of Routes: 1

 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>i 9.1.1.0/24         10.1.1.1        0          100       0       (65001) 100i

[RouterB] display bgp routing-table 9.1.1.0

 BGP local router ID : 2.2.2.
 AS-path  : 100
 Origin   : igp
 Attribute value : MED 0, localpref 100, pref-val 0, pre 255
 State    : valid, internal, best,
 Not advertised to any peers yet

The output indicates the following:
• Router E can send route information to Router B and Router C through the confederation by establishing only an EBGP connection with Router A.
• Router B and Router D are in the same confederation, but belong to different sub-ASs.
[RouterB-ospf] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf] area 0
[RouterC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure Firewall.
4. Configure different attribute values for the route 1.0.0.0/8 to make Firewall give priority to the route learned from Router C:
• (Method I.) Specify a higher MED value for the route 1.0.0.0/8 advertised to 192.1.1.2 to make Firewall give priority to the route learned from Router C.
# Define ACL 2000 to permit the route 1.0.0.0/8
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.
[RouterC-route-policy] if-match acl 2000
[RouterC-route-policy] apply local-preference 200
[RouterC-route-policy] quit
# Apply the routing policy localpref to the route from the peer 193.1.1.1 on Router C.
[RouterC] bgp 200
[RouterC-bgp] peer 193.1.1.1 route-policy localpref import
[RouterC-bgp] quit
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table

 Total Number of Routes: 2

 BGP Local router ID is 194.1.1.
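The following Python script is an added example (not from the HP guide) that runs a simplified BGP best-path selection over the two routes Firewall holds for 1.0.0.0/8, so you can see why Method I (a higher MED on the path through Router B) and Method II (LOCAL_PREF 200 on the path through Router C) both end up preferring Router C. The MED value 100 for Method I, the router IDs 2.2.2.2 and 3.3.3.3, and the compare-across-AS switch are assumptions; the selection order is the common subset of the standard rules, without vendor-specific steps.

```python
"""Simplified BGP best-path selection (added example, not from the HP guide).

Selection order used: LOCAL_PREF > AS_PATH length > ORIGIN > MED > EBGP over
IBGP > lowest router ID. Vendor-specific steps are left out. The router IDs,
the MED value 100 for Method I and the compare_med_across_as switch are
assumptions made for this example.
"""
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


def route_key(route):
    """Sort key for one candidate; the smallest key is the best path."""
    return (
        -route.get("local_pref", 100),                      # higher LOCAL_PREF wins
        len(route["as_path"]),                              # shorter AS_PATH wins
        ORIGIN_RANK[route.get("origin", "igp")],            # igp < egp < incomplete
        route.get("med", 0),                                # lower MED wins
        0 if route["type"] == "ebgp" else 1,                # EBGP before IBGP
        tuple(int(o) for o in route["router_id"].split(".")),  # lowest router ID
    )


def select_best(routes, compare_med_across_as=False):
    """Return the best of several routes to the same prefix.

    MED is only compared between routes that entered through the same
    neighboring AS (the first AS in AS_PATH). When the first ASes differ and
    comparison across ASes is not enabled, MED is neutralised for the decision.
    """
    candidates = [dict(r) for r in routes]
    first_as = {r["as_path"][0] for r in candidates if r["as_path"]}
    if len(first_as) > 1 and not compare_med_across_as:
        for r in candidates:
            r["med"] = 0
    return min(candidates, key=route_key)


def firewall_candidates(med_via_b=0, local_pref_via_c=100):
    """The two IBGP-learned routes to 1.0.0.0/8 as Firewall in AS 200 sees them.
    Both carry AS_PATH 100 (originated by Router A); router IDs are assumed."""
    return [
        {"via": "RouterB", "router_id": "2.2.2.2", "type": "ibgp",
         "as_path": [100], "med": med_via_b, "local_pref": 100},
        {"via": "RouterC", "router_id": "3.3.3.3", "type": "ibgp",
         "as_path": [100], "med": 0, "local_pref": local_pref_via_c},
    ]


if __name__ == "__main__":
    print("no policy :", select_best(firewall_candidates())["via"])                       # RouterB
    print("Method I  :", select_best(firewall_candidates(med_via_b=100))["via"])          # RouterC
    print("Method II :", select_best(firewall_candidates(local_pref_via_c=200))["via"])   # RouterC
```

Without either policy the two routes tie on every attribute and the lowest router ID decides; Method I breaks the tie at the MED step, Method II decides earlier at the LOCAL_PREF step, which is why LOCAL_PREF overrides any MED setting.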
Figure 305 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Run OSPF on AS 200 so that Firewall A and Firewall B can reach each other. Configure OSPF to redistribute routes from BGP on Firewall A. (Details not shown.)
3. Configure BGP on Firewall A:
# Establish two IBGP connections to Firewall B, and specify Firewall A as the next hop for routes sent to the IBGP peers.
system-view
[FirewallA] bgp 200
[FirewallA-bgp] peer 3.0.2.
[FirewallA] bgp 200
[FirewallA-bgp] peer 3.0.2.2 route-policy apply_med_50 export
[FirewallA-bgp] peer 2.0.2.2 route-policy apply_med_100 export
# Enable BFD for peer 3.0.2.2.
[FirewallA-bgp] peer 3.0.2.2 bfd
# Establish an EBGP connection to Router C.
[FirewallA-bgp] peer 30.1.1.2 as-number 100
[FirewallA-bgp] quit
4. Configure BGP on Firewall B:
# Establish two IBGP connections to Firewall A.
system-view
[FirewallB] bgp 200
[FirewallB-bgp] peer 3.0.1.1 as-number 200
[FirewallB-bgp] peer 3.
[FirewallB] interface gigabitethernet 1/1
[FirewallB-GigabitEthernet1/1] bfd min-transmit-interval 500
[FirewallB-GigabitEthernet1/1] bfd min-receive-interval 500
[FirewallB-GigabitEthernet1/1] bfd detect-multiplier 7
[FirewallB-GigabitEthernet1/1] bfd authentication-mode simple 1 ibgpbfd
[FirewallB-GigabitEthernet1/1] return
7. Verify the configuration:
# Display detailed BFD session information on Firewall B.
 IpPrecedence:                    QosLcId:
 NextHop: 3.0.1.1                 BkNextHop: 0.0.0.0
 Interface: GigabitEthernet0/1    BkInterface:
 RelyNextHop: 3.0.2.1             Neighbor : 3.0.1.1
 Tunnel ID: 0x0                   Label: NULL
 BKTunnel ID: 0x0                 BKLabel: NULL
 State: Active Adv GotQ           Age: 00h05m57s
 Tag: 0

 Destination: 1.1.1.0/24
 Protocol: BGP                    Process ID: 0
 Preference: 140                  Cost: 100
 IpPrecedence:                    QosLcId:
 NextHop: 2.0.1.1                 BkNextHop: 0.0.0.0
 RelyNextHop: 2.0.2.1
 Interface: GigabitEthernet0/2    BkInterface:
 Neighbor : 2.0.1.
debugging bfd scm
debugging bfd event
debugging bgp bfd
terminal monitor
terminal debugging
terminal logging
%Nov 5 11:42:24:172 2009 RouterC BFD/5/BFD_CHANGE_FSM: Sess[3.0.2.2/3.0.1.1,13/17,GE1/1,Ctrl], Sta: UP->DOWN, Diag: 1
%Nov 5 11:42:24:172 2009 RouterC BGP/5/BGP_STATE_CHANGED: 3.0.1.1 state is changed from ESTABLISHED to IDLE.
*Nov 5 11:42:24:187 2009 RouterC RM/6/RMDEBUG: BGP_BFD: Recv BFD DOWN msg, Src IP 3.0.2.2, Dst IP 3.0.1.
Troubleshooting BGP
Symptom
Display BGP peer information by using the display bgp peer command. The state of the connection to a peer cannot become established.
Analysis
To become BGP peers, any two routers must establish a TCP session using port 179 and exchange Open messages successfully.
Solution
1. Use the display current-configuration command to verify that the peer's AS number is correct.
2. Use the display bgp peer command to verify that the peer's IP address is correct.
3.
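As an added example (not from the HP guide), the Python script below parses display bgp peer output in the format shown earlier on this page and reports the things the troubleshooting steps ask you to verify: a peer whose session is not Established, a peer whose AS number differs from the intended one, and an intended peer that is missing from the table. The sample output is constructed for this example, with peer 3.1.1.2 deliberately left in Active state.

```python
"""Check 'display bgp peer' output against the intended peering plan.

Added example, not from the HP guide. SAMPLE_DISPLAY_BGP_PEER is constructed
to follow the format of the display bgp peer output shown on this page.
"""
import re

SAMPLE_DISPLAY_BGP_PEER = """\
 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 1

  Peer            AS  MsgRcvd  MsgSent  OutQ PrefRcv Up/Down  State
  3.3.3.3      65009       12       10     0       3 00:09:16 Established
  3.1.1.2      65008        0        0     0       0 00:00:00 Active
"""

# One peer row: address, AS, four counters, up/down time, session state.
PEER_LINE = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<asn>\d+)\s+(?P<rcvd>\d+)\s+"
    r"(?P<sent>\d+)\s+(?P<outq>\d+)\s+(?P<prefrcv>\d+)\s+(?P<updown>\S+)\s+"
    r"(?P<state>\S+)\s*$"
)


def parse_bgp_peers(output):
    """Return one dict per peer row; header and summary lines are skipped."""
    peers = []
    for line in output.splitlines():
        m = PEER_LINE.match(line)
        if m:
            row = m.groupdict()
            for key in ("asn", "rcvd", "sent", "outq", "prefrcv"):
                row[key] = int(row[key])
            peers.append(row)
    return peers


def unestablished_peers(output):
    """(peer, state) for every peer whose session is not Established."""
    return [(p["peer"], p["state"]) for p in parse_bgp_peers(output)
            if p["state"] != "Established"]


def check_expected_peers(output, expected):
    """Compare the live peer table with the plan (expected = {peer_ip: as_number})
    and list findings in the order the troubleshooting steps check them."""
    findings = []
    seen = {p["peer"]: p for p in parse_bgp_peers(output)}
    for ip, asn in expected.items():
        if ip not in seen:
            findings.append(f"{ip}: not configured as a peer")
            continue
        if seen[ip]["asn"] != asn:
            findings.append(f"{ip}: configured AS {seen[ip]['asn']}, expected {asn}")
        if seen[ip]["state"] != "Established":
            findings.append(f"{ip}: session state {seen[ip]['state']}")
    for ip in seen:
        if ip not in expected:
            findings.append(f"{ip}: peer not in the expected list")
    return findings


if __name__ == "__main__":
    plan = {"3.3.3.3": 65009, "3.1.1.2": 65008}
    for finding in check_expected_peers(SAMPLE_DISPLAY_BGP_PEER, plan):
        print(finding)   # 3.1.1.2: session state Active
```

Feed it the real command output captured from the device; an AS mismatch or a missing peer points at the configuration checks in steps 1 and 2, while a peer stuck in Active or Connect with the right AS and address points at TCP port 179 reachability.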
Displaying and maintaining an IPv4 routing table You can display an IPv4 routing table in the Web interface or at the CLI to help you locate routing problems. Displaying an IPv4 routing table in the Web interface You can view only active routes on the route display page. Select Network > Routing Management > Routing Info from the navigation tree to enter the route display page.
Displaying and maintaining an IPv4 routing table at the CLI
Task: Display routing table information.
  Command: display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about routes permitted by an IPv4 basic ACL.
  Command: display ip routing-table [ vpn-instance vpn-instance-name ] acl acl-number [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Configuring policy-based routing Overview Different from destination-based routing, policy-based routing (PBR) uses user-defined policies to route packets based on the source address, packet length, and other criteria. A policy can specify the output interface, next hop, default output interface, default next hop, and other parameters for packets that match specific criteria such as ACLs or have specific lengths.
Table 56 Priorities and meanings of apply clauses
Clause: apply output-interface and apply ip-address next-hop
  Meaning: Sets the output interface and sets the next hop.
  Priority: The apply output-interface clause takes precedence over the apply ip-address next-hop clause. Only the apply output-interface clause is executed when both are configured.
Clause: apply default output-interface and apply ip-address default next-hop
  Meaning: Sets the default output interface and sets the default next hop.
Configuring PBR in the Web interface
Recommended configuration procedure
Step 1. Configuring a policy
  Description: Required. Create a policy and configure the policy node. By default, no policy is created.
Step 2. Applying a policy
  Description: Required. You can configure local PBR or interface PBR.
  • Only one policy can be referenced when local PBR is enabled. Local PBR is not configured by default.
  • Only one policy can be referenced when interface PBR is enabled. Interface PBR is not configured by default.
Figure 308 Creating a policy
3. Create a policy and a policy node as described in Table 57.
4. Click Apply.
Table 57 Configuration items
Policy Name: Enter a policy name. IMPORTANT: Any spaces entered at the beginning or end of a policy name will be ignored. A policy name containing only spaces is considered as null.
Node Index: Enter a node index of the policy. The node with a smaller number has a higher priority and is matched first.
Outbound Interface: Enter the outbound interface. (This option is available after you click Show Advanced.) Non-P2P interfaces (broadcast and NBMA interfaces, such as Ethernet and virtual-template interfaces) might have multiple next hops, and packets might not be forwarded successfully.
Default Outbound Interface: Enter the default outbound interface. (This option is available after you click Show Advanced.
Figure 310 Creating a policy node
Applying a policy
1. Select Network > Routing Management > Policy Routing from the navigation tree.
2. Click the Application tab. The PBR application page appears.
Figure 311 PBR application page
3. Click Add. The page for applying a policy appears.
Figure 312 Applying a policy
4. Enable local PBR or interface PBR as described in Table 59.
5. Click Apply.
Table 59 Configuration items
Apply to:
  • Local—Enable local PBR. Unless otherwise required, do not enable local PBR.
  • Interface—Enable interface PBR. Apply the policy on a selected interface.
Policy Name: Enter the name of the policy to be applied.
Specify the policy application mode:
PBR configuration example
In this example, Device A is the firewall.
Figure 313 Network diagram
Configuring Device A
1. Configure IP addresses for interfaces and add interfaces to security zones. (Details not shown.)
2. Create ACL 3101 to match TCP packets:
  a. Select Firewall > ACL from the navigation tree.
  b. Click Add. The page for creating ACL 3101 appears.
  c. Enter 3101 for ACL Number, and select Config for Match Order.
  d. Click Apply.
Figure 314 Creating ACL 3101
  e. Click the icon of ACL 3101 in the ACL list page.
  f. Click Add.
Figure 315 Defining rules for ACL 3101
3. Create node 5 for policy aaa and specify 1.1.2.2 as the next hop of all TCP packets:
  a. Select Network > Routing Management > Policy Routing from the navigation tree.
  b. Click Add. The default policy configuration page appears.
  c. Enter aaa as the policy name and 5 as node index, set the mode to permit, enter 3101 as the number of the ACL for matching TCP packets, and enter 1.1.2.2 as next hop.
  d. Click Apply.
Figure 316 Creating node 5 for policy aaa
4. Apply policy aaa to GigabitEthernet 0/3 to process packets received on the interface:
  a. Click the Application tab.
  b. Click Add. The page appears.
  c. Select the Interface box and select GigabitEthernet 0/3, and select aaa as the policy name.
  d. Click Apply.
Configuring Device B and Device C Configure IP addresses of interfaces on Device B and Device C, and configure static routes to network 10.110.0.0/24. (Details not shown.) Verifying the configuration Configure the IP address of Host A as 10.110.0.20/24, and specify its gateway address as 10.110.0.10. On Host A, Telnet to Device B. The operation succeeds. On Host A, Telnet to Device C. The operation fails. Ping Device C from Host A. The operation succeeds. Telnet uses TCP and ping uses ICMP.
Step 2. Enter policy node view.
  Command: policy-based-route policy-name [ deny | permit ] node node-number
  Remarks: N/A
Step 3. Configure an ACL match criterion.
  Command: if-match acl acl-number
  Remarks: Optional.
Step 4. Configure a packet length match criterion.
  Command: if-match packet-length min-len max-len
  Remarks: Optional.
Configuring actions for a node
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter policy node view.
  Command: policy-based-route policy-name [ deny | permit ] node node-number
  Remarks: N/A
Step 3.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Apply a policy locally.
  Command: ip local policy-based-route policy-name
  Remarks: Not applied by default.
Configuring interface PBR
Configure PBR by applying a policy on an interface. PBR uses the policy to guide the forwarding of packets received on the interface. You can apply only one policy to an interface. If you perform the ip policy-based-route command multiple times, only the last specified policy takes effect.
As shown in Figure 318, configure local PBR on Firewall to forward all locally generated TCP packets via GigabitEthernet 0/1. Firewall forwards other packets according to the routing table.
Figure 318 Network diagram
2. Configuration procedure
  a. Configure Firewall:
# Configure ACL 3101 to match TCP packets.
Configuring interface PBR based on packet type
1. Network requirements
As shown in Figure 319, configure interface PBR on Firewall to forward all TCP packets received on GigabitEthernet 0/3 via GigabitEthernet 0/1. Firewall forwards other packets according to the routing table.
Figure 319 Network diagram (Firewall GE0/1 1.1.2.1/24, GE0/2 1.1.3.1/24, GE0/3 10.110.0.10/24; Router B GE0/1 1.1.2.2/24; Router A GE0/2 1.1.3.2/24; subnet 10.110.0.0/24 with Host A 10.110.0.20/24 and Host B, gateway 10.110.0.10)
2.
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 1.1.3.1 255.255.255.0
  b. Configure Router B:
# Configure a static route to subnet 10.110.0.0/24.
system-view
[RouterB] ip route-static 10.110.0.0 24 1.1.2.1
# Configure the IP address of the GigabitEthernet interface.
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ip address 1.1.2.2 255.255.255.0
  c.
Figure 320 Network diagram
2. Configuration procedure
  a. Configure Firewall:
# Configure RIP.
system-view
[Firewall] rip
[Firewall-rip-1] network 192.1.1.0
[Firewall-rip-1] network 150.1.0.0
[Firewall-rip-1] network 151.1.0.0
[Firewall-rip-1] quit
# Configure Node 10 for policy lab1 to forward packets with a length of 64 to 100 bytes to the next hop 150.1.1.2, and packets with a length of 101 to 1000 bytes to the next hop 151.1.1.2.
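The following Python script is an added example (not from the HP guide) that models the PBR behaviour of the examples on this page: policy aaa (node 5, ACL 3101 matching TCP, next hop 1.1.2.2) and policy lab1 (packet-length ranges), evaluated with the apply-clause precedence of Table 56. It explains the verification result of the interface PBR example, where Telnet to Device C fails while ping to Device C succeeds. ACL matching is reduced to a protocol check, the node indexes 10 and 20 for policy lab1 and the routing tables are assumptions.

```python
"""Policy-based routing evaluator (added example, not from the HP guide).

Models policy aaa (node 5, ACL 3101 = TCP, next hop 1.1.2.2) and policy lab1
(packet-length ranges) from this page. ACL matching is reduced to a protocol
check; the node indexes 10/20 for lab1 and the routing tables are assumptions.
Apply-clause precedence follows Table 56.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str      # "tcp", "udp", "icmp", ...
    length: int        # IP packet length in bytes


@dataclass
class Node:
    index: int
    action: str = "permit"                             # permit | deny
    acl_protocols: Optional[Set[str]] = None           # if-match acl (protocol rules only)
    packet_length: Optional[Tuple[int, int]] = None    # if-match packet-length min max
    next_hop: Optional[str] = None                     # apply ip-address next-hop
    output_interface: Optional[str] = None             # apply output-interface
    default_next_hop: Optional[str] = None             # apply ip-address default next-hop
    default_output_interface: Optional[str] = None     # apply default output-interface


def make_route_lookup(routes):
    """Longest-prefix-match lookup over a {prefix: next_hop} table."""
    nets = [(ipaddress.ip_network(p), nh) for p, nh in routes.items()]

    def lookup(dst):
        addr = ipaddress.ip_address(dst)
        hits = [(n.prefixlen, nh) for n, nh in nets if addr in n]
        return max(hits)[1] if hits else None
    return lookup


def node_matches(node, pkt):
    """Every configured criterion must match; a node without criteria matches all."""
    if node.acl_protocols is not None and pkt.protocol not in node.acl_protocols:
        return False
    if node.packet_length is not None:
        lo, hi = node.packet_length
        if not lo <= pkt.length <= hi:
            return False
    return True


def forward(policy, pkt, route_lookup):
    """Return where the packet is sent: a PBR apply clause or the routing table."""
    for node in sorted(policy, key=lambda n: n.index):   # smaller index first
        if not node_matches(node, pkt):
            continue
        if node.action == "deny":
            break                                        # deny: destination-based routing
        if node.output_interface:                        # output-interface beats next-hop
            return f"node {node.index}: out {node.output_interface}"
        if node.next_hop:
            return f"node {node.index}: next hop {node.next_hop}"
        if route_lookup(pkt.dst) is None:                # default clauses: only without a route
            if node.default_output_interface:
                return f"node {node.index}: default out {node.default_output_interface}"
            if node.default_next_hop:
                return f"node {node.index}: default next hop {node.default_next_hop}"
        break
    nh = route_lookup(pkt.dst)
    return f"routing table: next hop {nh}" if nh else "dropped: no route"


# Policy aaa from this page: node 5 sends TCP packets to 1.1.2.2 (Device B).
POLICY_AAA = [Node(index=5, acl_protocols={"tcp"}, next_hop="1.1.2.2")]
# Policy lab1 from this page: 64-100 bytes to 150.1.1.2, 101-1000 bytes to 151.1.1.2.
POLICY_LAB1 = [Node(index=10, packet_length=(64, 100), next_hop="150.1.1.2"),
               Node(index=20, packet_length=(101, 1000), next_hop="151.1.1.2")]
# Constructed destination-based routing tables of the firewall in each example.
AAA_LOOKUP = make_route_lookup({"1.1.2.0/24": "1.1.2.2", "1.1.3.0/24": "1.1.3.2"})
LAB1_LOOKUP = make_route_lookup({"10.0.0.0/8": "150.1.1.2"})


if __name__ == "__main__":
    host_a = "10.110.0.20"
    print(forward(POLICY_AAA, Packet(host_a, "1.1.3.2", "tcp", 60), AAA_LOOKUP))   # Telnet to Device C: node 5 -> 1.1.2.2
    print(forward(POLICY_AAA, Packet(host_a, "1.1.3.2", "icmp", 84), AAA_LOOKUP))  # ping: routing table -> 1.1.3.2
    print(forward(POLICY_LAB1, Packet("192.1.1.2", "10.1.1.1", "icmp", 200), LAB1_LOOKUP))  # node 20 -> 151.1.1.2
```

The TCP Telnet toward Device C matches node 5 and is sent to Device B's address 1.1.2.2 regardless of its destination, which is why that session fails, while ICMP does not match ACL 3101 and follows the routing table to 1.1.3.2.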
[RouterA-rip-1] network 10.0.0.0
[RouterA-rip-1] network 150.1.0.0
[RouterA-rip-1] network 151.1.0.0
# Configure the IP addresses of the GigabitEthernet interfaces.
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ip address 150.1.1.2 255.255.255.0
[RouterA-GigabitEthernet0/1] quit
[RouterA] interface gigabitethernet0/2
[RouterA-GigabitEthernet0/2] ip address 151.1.1.2 255.255.255.0
[RouterA-GigabitEthernet0/2] quit
# Configure the loopback interface address.
Pinging 10.1.1.1 with 200 bytes of data:

Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255

Ping statistics for 10.1.1.
system-view
[Firewall] interface gigabitethernet 0/1.1
[Firewall-GigabitEthernet0/1.1] ip address dhcp-alloc
[Firewall-GigabitEthernet0/1.1] vlan-type dot1q vid 1
[Firewall-GigabitEthernet0/1.1] quit
# Configure ACL 3000 to match SNMP packets and SNMP traps.
Multicast overview As a technique that coexists with unicast and broadcast, the multicast technique effectively addresses the issue of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over a network, multicast greatly saves network bandwidth and reduces network load.
Configuring multicast routing and forwarding
Overview
In multicast implementations, the following types of tables implement multicast routing and forwarding:
• Multicast routing table of a multicast routing protocol—Each multicast routing protocol has its own multicast routing table, such as the PIM routing table.
• General multicast routing table—The multicast routing information of different multicast routing protocols forms a general multicast routing table.
Displaying multicast routing table
Multicast routing tables are the basis of multicast forwarding. You can view the establishment state of an (S, G) entry by checking the multicast routing table.
To display multicast routing table:
1. From the navigation tree, select Network > Routing Management > Multicast Routing.
2. Click the Multicast Routing Table tab.
3. The page for multicast routing table appears.
Figure 323 Multicast routing table
4.
Configuring multicast routing and forwarding at the CLI
Configuration task list
Task: Enabling IP multicast routing. Remarks: Required.
Task: Configuring multicast routing and forwarding:
  Configuring static multicast routes. Remarks: Optional.
  Configuring a multicast routing policy. Remarks: Optional.
  Configuring a multicast forwarding range. Remarks: Optional.
  Configuring the multicast forwarding table size. Remarks: Optional.
Task: Tracing a multicast path. Remarks: Optional.
IP multicast does not support secondary IP addresses.
use the undo ip rpf-route-static command. If you want to remove all static multicast routes, use the delete ip rpf-route-static command.
To configure a static multicast route:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure a static multicast route.
  Remarks: No static multicast route configured by default.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure a multicast forwarding boundary.
  Command: multicast boundary group-address { mask | mask-length }
  Remarks: No forwarding boundary by default.
Configuring the multicast forwarding table size
The router maintains the corresponding forwarding entry for each multicast packet that it receives.
Displaying and maintaining multicast routing and forwarding
CAUTION: The reset commands might cause multicast transmission failures.
To display and maintain multicast routing and forwarding:
Task: Display multicast boundary information.
  Command: display multicast boundary [ group-address [ mask | mask-length ] ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display multicast forwarding table information.
Changing an RPF route
1. Network requirements
PIM-DM runs in the network. All devices in the network support multicast. Router A, Router B, and the firewall run OSPF. Typically, the receiver receives the multicast data from the source through the path Router A to the firewall, which is the same as the unicast route. Configure the network so that the receiver receives the multicast data from the source through the path Router A to Router B to the firewall, which is different from the unicast route.
# On Router A, enable IP multicast routing globally, and enable PIM-DM on each interface.
system-view
[RouterA] multicast routing-enable
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] pim dm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim dm
[RouterA-Ethernet1/2] quit
[RouterA] interface ethernet 1/3
[RouterA-Ethernet1/3] pim dm
[RouterA-Ethernet1/3] quit
# Enable IP multicast routing and PIM-DM on Router B in the same way. (Details not shown.
Figure 326 Network diagram
2. Configuration procedure
  a. Assign an IP address and subnet mask to each interface according to Figure 326. (Details not shown.)
  b. Enable OSPF on Router B and the firewall to make sure they are interoperable at the network layer and they can dynamically update their routing information. (Details not shown.)
  c.
[Firewall] display multicast rpf-info 50.1.1.100
No information is displayed. It indicates that no RPF route to Source 2 exists on Router B and the firewall.
  d. Configure a static multicast route:
# Configure a static multicast route on Router B, specifying Router A as its RPF neighbor on the route to Source 2.
[RouterB] ip rpf-route-static 50.1.1.100 24 30.1.1.2
# Configure a static multicast route on the firewall, specifying Router B as its RPF neighbor on the route to Source 2.
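To make the RPF decision above concrete, here is an added Python example (not from the HP guide) that performs the RPF lookup for Source 2 on Router B with and without the static multicast route, and then checks whether a multicast packet arriving on a given interface passes the RPF check. The source address 50.1.1.100 and the RPF neighbor 30.1.1.2 come from the ip rpf-route-static command on this page; Router B's unicast routing table and the interface names are constructed. The model simplifies the real behaviour in one respect, stated in the code: a matching static multicast route is used in place of the unicast route, whereas the device also weighs route preference.

```python
"""RPF check with and without a static multicast route (added example, not from the HP guide).

50.1.1.100 (Source 2) and the RPF neighbor 30.1.1.2 come from the static
multicast route on this page; Router B's unicast table and interface names are
constructed. Simplifying assumption: a matching static multicast route is used
for the RPF check in place of the unicast route (the real selection also
weighs route preference).
"""
import ipaddress


def longest_prefix_match(table, address):
    """table: list of (prefix, next_hop, interface); returns the best entry or None."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, next_hop, iface), net.prefixlen
    return best


def rpf_info(unicast_table, static_mroutes, source):
    """Return (rpf_interface, rpf_neighbor) for a source, or None if no RPF route.

    static_mroutes holds (address, mask_length, rpf_neighbor) tuples in the form
    of 'ip rpf-route-static address mask-length neighbor'."""
    for address, mask_len, neighbor in static_mroutes:
        net = ipaddress.ip_network(f"{address}/{mask_len}", strict=False)
        if ipaddress.ip_address(source) in net:
            hop = longest_prefix_match(unicast_table, neighbor)  # how to reach the neighbor
            return (hop[2], neighbor) if hop else None
    route = longest_prefix_match(unicast_table, source)
    return (route[2], route[1]) if route else None


def rpf_check(unicast_table, static_mroutes, source, incoming_interface):
    """A multicast packet passes RPF only if it arrived on the RPF interface."""
    info = rpf_info(unicast_table, static_mroutes, source)
    return info is not None and info[0] == incoming_interface


# Constructed Router B unicast routing table: Router B has no route to 50.1.1.0/24.
ROUTER_B_UNICAST = [
    ("30.1.1.0/24", "30.1.1.1", "Ethernet1/2"),   # link toward Router A (assumed)
    ("40.1.1.0/24", "40.1.1.1", "Ethernet1/3"),   # link toward the firewall (assumed)
]
# ip rpf-route-static 50.1.1.100 24 30.1.1.2, as configured on Router B on this page.
STATIC_MROUTES = [("50.1.1.100", 24, "30.1.1.2")]


if __name__ == "__main__":
    print(rpf_info(ROUTER_B_UNICAST, [], "50.1.1.100"))              # None: no RPF route
    print(rpf_info(ROUTER_B_UNICAST, STATIC_MROUTES, "50.1.1.100"))  # ('Ethernet1/2', '30.1.1.2')
    print(rpf_check(ROUTER_B_UNICAST, STATIC_MROUTES, "50.1.1.100", "Ethernet1/3"))  # False
```

Without the static route the lookup returns nothing, which matches the empty display multicast rpf-info output; with it, traffic from Source 2 is accepted only on the interface facing Router A and dropped if it arrives anywhere else.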
2. Configuration procedure
  a. Assign an IP address and mask to each interface according to Figure 327. (Details not shown.)
  b. Configure a GRE tunnel:
# Create Tunnel 0 on Router A and configure the IP address and mask for the interface.
system-view
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address 50.1.1.1 24
# On Router A, specify the tunnel encapsulation mode as GRE over IPv4 and assign the source and destination addresses to the interface.
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
  d. Enable IP multicast routing, PIM-DM, and IGMP:
# Enable multicast routing on Router A and enable PIM-DM on each interface.
1: GigabitEthernet0/1 Protocol: igmp, UpTime: 00:04:25, Expires: never (10.1.1.100, 225.1.1.1) Protocol: pim-dm, Flag: ACT UpTime: 00:06:14 Upstream interface: Tunnel0 Upstream neighbor: 50.1.1.1 RPF prime neighbor: 50.1.1.
Multicast data fails to reach receivers
Symptom
The multicast data can reach some routers but fails to reach the last-hop router.
Analysis
If you have configured a multicast forwarding boundary by using the multicast boundary command, multicast packets for groups in the configured range are kept from crossing that boundary in either direction.
Solution
1. Use the display pim routing-table command to verify that the corresponding (S, G) entries exist on the router. If so, the router has received the multicast data.
Configuring IGMP As the TCP/IP protocol responsible for IP multicast group member management, IGMP is used by IP hosts and adjacent multicast routers to establish and maintain multicast group memberships. The term "router" in this document refers to both routers and routing-capable firewalls. Configuring IGMP in the Web interface Before you configure IGMP, complete the following tasks: • Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Figure 328 IGMP interfaces configuration page 2. Click the icon for a specified IGMP interface. Figure 329 Modifying the specified interface 3. Select Enable for the IGMP list, and specify the IGMP version. 4. Click Apply. Displaying IGMP multicast group information 1. From the navigation tree, select Network > Routing Management > IGMP. 2. Click the Groups tab. You can display brief information about IGMP groups. Figure 330 IGMP multicast group information 3.
Figure 331 IGMP multicast group information
Table 61 Field description
Interface: Name of the interface that has joined the multicast group.
Group address: Multicast group address.
Group uptime: Length of time since the multicast group was reported.
Group remaining lifetime: Remaining lifetime of the multicast group. Null means that the multicast group times out when all multicast sources of this group time out.
Source address: Multicast source address.
Figure 332 Network diagram (diagram not reproduced; it shows Device A and Device B connected to the PIM network, receiver hosts Host A, Host B, and Host C on the attached segments, the querier role, and interface addresses in 10.110.1.0/24 and 10.110.2.0/24)
Figure 334 Enabling PIM-DM 3. Enable IGMP on GigabitEthernet 0/1: a. From the navigation tree, select Network > Routing Management > IGMP. b. Click the icon for GigabitEthernet 0/1. c. Select Enable for IGMP. d. Specify the IGMP version as 2. e. Click Apply. Figure 335 Enabling IGMP Configuring Device B 1. Enable multicast routing: a. From the navigation tree, select Network > Routing Management > Multicast Routing. b. Select Enable from the list. c. Click Apply. 2.
e. Click Apply. Configuring Device C 1. Enable multicast routing: a. From the navigation tree, select Network > Routing Management > Multicast Routing. b. Select Enable from the list. c. Click Apply. 2. Enable PIM-DM on all interfaces: a. From the navigation tree, select Network > Routing Management > PIM. b. Click the icon for GigabitEthernet 0/1. c. Select PIM-DM from the list. d. Click Apply. e. Click the icon for GigabitEthernet 0/2. f. Select PIM-DM from the list. g. Click Apply. 3.
Configuring IGMP at the CLI IGMP configuration task list For the configuration tasks in this section, the following rules apply: • The configurations made in IGMP view are effective on all interfaces. The configurations made in interface view are effective only on the current interface. • A configuration made in interface view always has priority over the same global configuration in IGMP view.
Determine the maximum number of multicast groups that an interface can join.
Enabling IGMP
To configure IGMP, you must enable IGMP on the interface where the multicast group memberships will be established and maintained.
To enable IGMP:
1. Enter system view: system-view
2. Enable IP multicast routing: multicast routing-enable (disabled by default)
3. Enter interface view: interface interface-type interface-number
4. Enable IGMP.
To configure an interface as a static member interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure the interface as a static member interface: igmp static-group group-address [ source source-address ] (by default, an interface is not a static member of any multicast group or of any multicast source and group)
Configuration prerequisites Before adjusting IGMP performance, complete the following tasks: • Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer. • Configure basic IGMP functions. • Determine the startup query interval. • Determine the startup query count. • Determine the IGMP general query interval. • Determine the IGMP querier's robustness variable. • Determine the maximum response time for IGMP general queries.
3. Configure the interface to discard any IGMP message that does not carry the Router-Alert option: igmp require-router-alert (by default, the device does not check the Router-Alert option)
4. Enable insertion of the Router-Alert option into IGMP messages: igmp send-router-alert (by default, IGMP messages carry the Router-Alert option)
2. Enter public network IGMP view: igmp
3. Configure the IGMP querier's robustness variable: robust-count robust-value (2 by default; a higher robustness variable makes the IGMP querier more robust, but results in a longer multicast group timeout time)
4. Configure the startup query interval: startup-query-interval interval (by default, the startup query interval is one-quarter of the IGMP general query interval)
5. Configure the startup query count.
8. Configure the IGMP last member query interval: igmp last-member-query-interval interval (1 second by default)
9. Configure the other querier present interval: igmp timer other-querier-present interval (by default, the other querier present interval is [ IGMP general query interval ] × [ IGMP robustness variable ] + [ maximum response time for IGMP general queries ] / 2)
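To see what these defaults mean operationally, the following Python model (an added example written for this edit, not code from the guide or from HP) derives the startup query interval and the other querier present interval from the formulas above, and simulates a non-querier deciding when the elected querier has disappeared. The general query interval (60 s) and the maximum response time (10 s) are assumed defaults; the robustness variable and the last member query interval use the values stated above; the group membership interval and the leave latency come from RFC 2236 rather than from this page.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class IgmpTimers:
    # Defaults are assumptions for illustration except where the guide states them.
    general_query_interval: float = 60.0      # seconds (assumed)
    robustness: int = 2                       # guide: 2 by default
    max_response_time: float = 10.0           # seconds (assumed)
    last_member_query_interval: float = 1.0   # guide: 1 second by default

    @property
    def startup_query_interval(self) -> float:
        # Guide: one-quarter of the general query interval.
        return self.general_query_interval / 4

    @property
    def other_querier_present_interval(self) -> float:
        # Guide: [general query interval] x [robustness] + [max response time] / 2
        return self.general_query_interval * self.robustness + self.max_response_time / 2

    @property
    def group_membership_interval(self) -> float:
        # RFC 2236: how long a group stays joined with no report heard (not stated on this page).
        return self.general_query_interval * self.robustness + self.max_response_time

    @property
    def leave_latency(self) -> float:
        # RFC 2236: last-member queries are repeated [robustness] times, one interval apart.
        return self.last_member_query_interval * self.robustness


def elected_querier(router_ips: Sequence[str]) -> str:
    """IGMPv2 querier election: the router with the numerically lowest IP address wins."""
    return min(router_ips, key=lambda ip: tuple(int(octet) for octet in ip.split(".")))


def takeover_time(timers: IgmpTimers, queries_heard: Sequence[float], until: float) -> Optional[float]:
    """Time at which a non-querier's other-querier-present timer expires and it becomes querier.

    queries_heard: timestamps (seconds) of general queries received from the elected querier.
    Returns None if the timer was still being refreshed when the observation ends at `until`.
    """
    if not queries_heard:
        return None
    ordered = sorted(queries_heard)
    deadline = ordered[0] + timers.other_querier_present_interval
    for t in ordered[1:]:
        if t > deadline:
            return deadline       # the gap exceeded the interval: take over before the late query
        deadline = t + timers.other_querier_present_interval
    return deadline if deadline <= until else None


if __name__ == "__main__":
    timers = IgmpTimers()
    print("startup query interval:", timers.startup_query_interval)
    print("other querier present interval:", timers.other_querier_present_interval)
    # Constructed sample: the querier sends at 0, 60 and 120 s, then fails.
    print("takeover at:", takeover_time(timers, [0, 60, 120], until=400))
    print("with robustness 3:", takeover_time(IgmpTimers(robustness=3), [0, 60, 120], until=400))
```

With the assumed defaults the other querier present interval is 125 s, so a querier that stops sending after 120 s is replaced at 245 s; raising the robustness variable to 3 delays the takeover to 305 s and lengthens the group membership interval in the same way, which is the trade-off the robust-count remark describes.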
3. Enable the IGMP host tracking function globally: host-tracking (disabled by default)
To enable the IGMP host tracking function on an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable the IGMP host tracking function on the interface: igmp host-tracking (disabled by default)
1. Enter system view: system-view
2. Enter public network IGMP view: igmp
3. Configure an IGMP SSM mapping: ssm-mapping group-address { mask | mask-length } source-address (no IGMP SSM mappings are configured by default)
Configuring IGMP proxying
This section describes how to configure IGMP proxying.
On a multi-access network with more than one IGMP proxy device, you cannot enable multicast forwarding on any other non-querier downstream interface after one of the downstream interfaces of these IGMP proxy devices has been elected as the querier. Otherwise, duplicate multicast flows might be received on the multi-access network. To enable multicast forwarding on a downstream interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view.
Remove all the dynamic IGMP group entries of a specified IGMP group or of all IGMP groups: reset igmp group { all | interface interface-type interface-number { all | group-address [ mask { mask | mask-length } ] [ source-address [ mask { mask | mask-length } ] ] } } (available in user view)
Clear IGMP SSM mappings.
a. Assign an IP address and subnet mask to each interface according to Figure 332. (Details not shown.) b. Configure OSPF on the routers on the PIM network to make sure they are interoperable at the network layer and they can dynamically update their routing information. (Details not shown.) c. Enable IP multicast routing, IGMP and PIM-DM: # On Firewall A, enable IP multicast routing globally, enable IGMP on GigabitEthernet 0/1, and enable PIM-DM on each interface.
Total 1 IGMP Group reported SSM mapping configuration example 1. Network requirements The PIM-SM domain applies both the ASM model and SSM model for multicast delivery. The interface GigabitEthernet 0/3 on the firewall serves as the C-BSR and C-RP. The SSM group range is 232.1.1.0/24. IGMPv3 runs on GigabitEthernet 0/1 on the firewall. The receiver host runs IGMPv2, and does not support IGMPv3. Therefore, the receiver host cannot specify expected multicast sources in its membership reports.
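How the firewall turns such IGMPv2 reports into (S, G) state, as an added example written in Python for this edit (not the device's own code): the SSM range and the two mapped sources used below are the ones from this configuration example, while the class name, the method names, and the treatment of IGMPv3 reports that carry their own source list are assumptions.

```python
import ipaddress
from typing import List, Sequence, Tuple


class SsmMapper:
    """Models what an interface with IGMP SSM mapping does with membership reports."""

    def __init__(self, ssm_range: str):
        self.ssm_range = ipaddress.ip_network(ssm_range)
        # (group prefix, source) pairs, one per ssm-mapping command
        self.mappings: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = []

    def add_mapping(self, group: str, mask_length: int, source: str) -> None:
        """Mirrors 'ssm-mapping group-address mask-length source-address' in IGMP view."""
        net = ipaddress.ip_network("%s/%d" % (group, mask_length), strict=False)
        self.mappings.append((net, ipaddress.ip_address(source)))

    def translate(self, version: int, group: str, sources: Sequence[str] = ()) -> List[Tuple[str, str]]:
        """Return the PIM state a report creates: ('*', G) for ASM, or one (S, G) per source."""
        g = ipaddress.ip_address(group)
        if version == 3 and sources:
            # An IGMPv3 report names its own sources, so no mapping is consulted.
            return [(s, str(g)) for s in sources]
        if g not in self.ssm_range:
            return [("*", str(g))]          # ASM group: a (*, G) join toward the RP
        # SSM group reported by an IGMPv1/v2 host: every configured mapping that covers
        # the group supplies one source. No mapping means nothing can be joined.
        mapped = [str(src) for net, src in self.mappings if g in net]
        return [(s, str(g)) for s in mapped]


if __name__ == "__main__":
    mapper = SsmMapper("232.1.1.0/24")               # SSM group range from the example
    mapper.add_mapping("232.1.1.0", 24, "133.133.1.1")
    mapper.add_mapping("232.1.1.0", 24, "133.133.3.1")
    print(mapper.translate(2, "232.1.1.1"))          # two (S, G) entries from the mappings
    print(mapper.translate(2, "225.1.1.1"))          # outside the SSM range: (*, G)
    print(mapper.translate(3, "232.1.1.1", ["133.133.2.1"]))   # IGMPv3 carries its source
```

An IGMPv2 report for 232.1.1.1 yields (133.133.1.1, 232.1.1.1) and (133.133.3.1, 232.1.1.1), which is what the display igmp ssm-mapping and display pim routing-table output in the verification step should reflect; a report for the same group on a device without mappings yields nothing, so the receiver would get no traffic.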
b. Configure OSPF on the routers in the PIM-SM domain to make sure they are interoperable at the network layer and they can dynamically update their routing information. (Details not shown.) c. Enable IP multicast routing, enable PIM-SM on each interface, and enable IGMP and IGMP SSM mapping on the host-side interface: # On the firewall, enable IP multicast routing globally, enable IGMPv3 and IGMP SSM mapping on GigabitEthernet 0/1, and enable PIM-SM on each interface.
[Firewall-pim] quit
# Configure the SSM group range on Router A, Router B, and Router C in the same way. (Details not shown.)
f. Configure IGMP SSM mappings on the firewall.
[Firewall] igmp
[Firewall-igmp] ssm-mapping 232.1.1.0 24 133.133.1.1
[Firewall-igmp] ssm-mapping 232.1.1.0 24 133.133.3.1
[Firewall-igmp] quit
g. Verifying the configuration
# Display IGMP SSM mapping information for multicast group 232.1.1.1 on the public network on the firewall.
[Firewall] display igmp ssm-mapping 232.1.1.
Downstream interface(s) information: Total number of downstreams: 1 1: GigabitEthernet0/1 Protocol: igmp, UpTime: 00:13:25, Expires: - IGMP proxying configuration example 1. Network requirements PIM-DM runs on the core network. Host A and Host C in the stub network receive VOD information sent to multicast group 224.1.1.1. Configure the IGMP proxying feature on the firewall so that the firewall can maintain group memberships and forward multicast traffic without running PIM-DM.
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] igmp enable
[Firewall-GigabitEthernet0/2] quit
c. Verifying the configuration
# Display IGMP information on GigabitEthernet 0/1 of the firewall.
[Firewall] display igmp interface gigabitethernet 0/1 verbose
GigabitEthernet0/1(192.168.1.
Solution 1. Use the display igmp interface command to verify that the networking, interface connection, and IP address configuration are correct. If no information is output, the interface is in an abnormal state. The reason might be that you have configured the shutdown command on the interface, that the interface is not correctly connected, or that the IP address configuration is not correctly completed. 2. Use the display current-configuration command to verify that multicast routing is enabled.
Configuring PIM Overview PIM provides IP multicast forwarding by leveraging unicast static routes or unicast routing tables generated by any unicast routing protocol, such as RIP, OSPF, IS-IS, or BGP. Independent of the unicast routing protocols running on the device, multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes. PIM uses the RPF mechanism to implement multicast forwarding.
Recommended configuration procedure for PIM-SM
1. Globally enable multicast routing (required). Globally enable multicast routing after selecting Network > Routing Management > Multicast Routing. For more information, see "Configuring multicast routing and forwarding." By default, multicast routing is globally disabled.
2. Enable PIM-SM on an interface (required).
Configuring PIM interfaces 1. From the navigation tree, select Network > Routing Management > PIM. Figure 340 PIM interfaces configuration page 2. Click the icon corresponding to a specific PIM interface. Figure 341 Modifying the specified PIM interface 3. Select the operating mode for the interface. If you do not specify any operating mode, no PIM modes are enabled on the interface. 4. Click Apply. Configuring advanced PIM features 1.
Table 63 Configuration items
Auto-RP: Enable or disable auto-RP. IMPORTANT: Auto-RP announcement and discovery messages are addressed to the multicast group addresses 224.0.1.39 and 224.0.1.40, respectively. With auto-RP enabled on a device, the device can receive these two types of messages and record the RP information carried in such messages.
Register message checksum: Calculate the register message checksum based on the entire register message or on the header part only.
Figure 343 PIM neighbor information Table 64 Field description Field Description Interface Name of the interface connecting to a PIM neighbor. Neighbor address IP address of a PIM neighbor. Uptime Length of time for which the PIM neighbor has been up, where a "01:02:11:32:18" value means that the neighbor has been up for 1 week, 2 days, 11 hours, 32 minutes, and 18 seconds.
Figure 344 Network diagram (diagram not reproduced; it shows the PIM-DM domain with Device A, Device B, Device C, and the multicast source, receivers Host A in stub network N1 and Host C in stub network N2 with Host B and Host D on the same stub networks; interface addresses are listed in Table 65)
Table 65 Interface and IP address assignment
Device A GigabitEthernet 0/1 192.168.2.1/24
Device A GigabitEthernet 0/3 10.1.1.
2. Enable IGMP on GigabitEthernet 0/1 that connects to the stub network: a. From the navigation tree, select Network > Routing Management > IGMP. b. Click the icon for GigabitEthernet 0/1. c. Select Enable from the list to enable IGMP. d. Specify the IGMP version as 2. e. Click Apply. Figure 346 Enabling IGMP 3. Enable PIM-DM on each interface: a. From the navigation tree, select Network > Routing Management > PIM. b. Click the icon for GigabitEthernet 0/1. c. Specify the operating mode as PIM-DM. d.
c. Specify the operating mode as PIM-DM. d. Click Apply. e. Click the icon for GigabitEthernet 0/1. f. Specify the operating mode as PIM-DM. g. Click Apply. h. Click the icon corresponding to GigabitEthernet 0/2. i. Specify the operating mode as PIM-DM. j. Click Apply. Verifying the configuration To display PIM neighbor information on Device C: 1. From the navigation tree, select Network > Routing Management > PIM. 2. Click the Neighbor Information tab.
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer. • Determine the interval between state-refresh messages. • Determine the minimum time to wait before receiving a new refresh message. • Determine the TTL value of state-refresh messages. • Determine the graft retry period. Enabling PIM-DM When PIM-DM is enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from the PIM neighbors.
A router might receive multiple state-refresh messages within a short time, some of which are duplicates. To keep a router from processing such duplicates, you can configure the time that the router must wait before it accepts the next state-refresh message. If the router receives a new state-refresh message within the waiting time, it discards the message.
Configuring PIM-SM at the CLI
This section describes how to configure PIM-SM.
PIM-SM configuration task list
Enabling PIM-SM: Required.
Configuring an RP (required; use any of the following methods): Configuring a static RP, Configuring a C-RP, Enabling auto-RP. Configuring C-RP timers globally: Optional.
Configuring a BSR: Configuring a C-BSR (required), Configuring a PIM domain border (optional), Configuring global C-BSR parameters (optional).
Configuring administrative scoping
• Determine the hash mask length. • Determine the ACL rule defining a legal BSR address range. • Determine the BS period. • Determine the BS timeout timer. • Determine the ACL rule for register message filtering. • Determine the register suppression time. • Determine the register probe time. • Determine the multicast traffic rate threshold, ACL rule, and sequencing rule for a switchover to SPT. • Determine the interval of checking the traffic rate threshold before a switchover to SPT.
Configuring a C-RP In a PIM-SM domain, you can configure routers that intend to become the RP as C-RPs. The BSR collects the C-RP information by receiving the C-RP-Adv messages from C-RPs or auto-RP announcements from other routers and organizes the information into an RP-set, which is flooded throughout the entire network. Then, the other routers in the network calculate the mappings between specific group ranges and the corresponding RPs based on the RP-set.
Configure the C-RP timers on C-RP routers.
To configure C-RP timers globally:
1. Enter system view: system-view
2. Enter public network PIM view: pim
3. Configure the C-RP-Adv interval: c-rp advertisement-interval interval (optional; 60 seconds by default)
4. Configure the C-RP timeout timer: c-rp holdtime interval (optional; 150 seconds by default)
For more information about the configuration of other timers in PIM-SM, see "Configuring common PIM timers."
Because a bootstrap message has a TTL value of 1, the whole network will not be affected as long as the neighbor router discards these bootstrap messages. Therefore, with a legal BSR address range configured on all routers in the entire network, all these routers will discard bootstrap messages from out of the legal address range. These preventive measures can partially protect the security of BSRs in a network. However, if an attacker controls a legal BSR, the problem still exists.
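The filtering this section and "Configuring a hello message filter" describe, modelled in Python as an added example written for this edit (not code from the guide or from HP): a per-interface legal source address range for hello messages, and a router-wide legal BSR address range that is applied only to bootstrap messages arriving from established neighbors. The ACL semantics used here (first matching rule wins, no match means deny, an unconfigured filter permits everything), the addresses, and the interface name are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    action: str                        # "permit" or "deny"
    source: ipaddress.IPv4Network


def acl_permits(rules: Optional[List[AclRule]], address: str) -> bool:
    """Modelled basic-ACL semantics: first match wins, implicit deny; None means no filter."""
    if rules is None:
        return True
    addr = ipaddress.ip_address(address)
    for rule in rules:
        if addr in rule.source:
            return rule.action == "permit"
    return False


@dataclass
class PimMessage:
    kind: str                          # "hello" or "bootstrap"
    src: str                           # IP source of the packet, i.e. the sending neighbor
    in_if: str
    ttl: int = 1
    bsr_address: Optional[str] = None  # bootstrap only: the BSR that originated the message


@dataclass
class PimInterface:
    name: str
    neighbor_policy: Optional[List[AclRule]] = None   # legal hello source range on this interface
    neighbors: set = field(default_factory=set)


@dataclass
class PimRouter:
    interfaces: dict
    bsr_policy: Optional[List[AclRule]] = None        # legal BSR address range, router-wide

    def receive(self, msg: PimMessage) -> Tuple[bool, str]:
        iface = self.interfaces[msg.in_if]
        if msg.kind == "hello":
            if not acl_permits(iface.neighbor_policy, msg.src):
                return False, "hello from %s dropped by neighbor filter on %s" % (msg.src, iface.name)
            iface.neighbors.add(msg.src)
            return True, "neighbor %s established on %s" % (msg.src, iface.name)
        if msg.kind == "bootstrap":
            # Bootstrap messages travel hop by hop with TTL 1, so a drop here contains the attack.
            if msg.ttl != 1:
                return False, "bootstrap with TTL %d is not hop-by-hop; dropped" % msg.ttl
            if msg.src not in iface.neighbors:
                return False, "bootstrap from non-neighbor %s dropped" % msg.src
            if msg.bsr_address is None or not acl_permits(self.bsr_policy, msg.bsr_address):
                return False, "bootstrap for BSR %s outside legal range; dropped" % msg.bsr_address
            # Accepted: a legal-range BSR is trusted, even if an attacker controls it.
            return True, "bootstrap for BSR %s accepted; re-flooded to other neighbors with TTL 1" % msg.bsr_address
        return False, "unsupported message kind %s" % msg.kind


def build_router() -> PimRouter:
    # Constructed policy (assumed addresses): neighbors on GE0/1 must be in 10.1.1.0/24,
    # and only addresses in 10.110.0.0/16 may be accepted as the BSR.
    return PimRouter(
        interfaces={"GigabitEthernet0/1": PimInterface(
            "GigabitEthernet0/1",
            neighbor_policy=[AclRule("permit", ipaddress.ip_network("10.1.1.0/24"))])},
        bsr_policy=[AclRule("permit", ipaddress.ip_network("10.110.0.0/16"))],
    )


if __name__ == "__main__":
    router = build_router()
    for m in (PimMessage("hello", "192.0.2.5", "GigabitEthernet0/1"),
              PimMessage("bootstrap", "192.0.2.5", "GigabitEthernet0/1", bsr_address="10.110.9.1"),
              PimMessage("hello", "10.1.1.2", "GigabitEthernet0/1"),
              PimMessage("bootstrap", "10.1.1.2", "GigabitEthernet0/1", bsr_address="203.0.113.7"),
              PimMessage("bootstrap", "10.1.1.2", "GigabitEthernet0/1", bsr_address="10.110.9.1")):
        print(router.receive(m))
```

The last case in the block shows the residual risk the text names: a bootstrap message from an established neighbor for a BSR address inside the legal range is accepted, so a compromised legitimate BSR is not stopped by either filter.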
The following rules apply to the hash mask length and C-BSR priority: • You configure the hash mask length and C-BSR priority globally, in an admin-scoped zone, and in the global-scoped zone. • The values configured in the global-scoped zone or admin-scoped zone have preference over the global values. • If you do not configure these parameters in the global-scoped zone or admin-scoped zone, the corresponding global values will be used.
4. Configure the BS timeout timer: c-bsr holdtime interval (optional). By default, the BS timeout timer is determined by the formula BS timeout timer = BS period × 2 + 10. The default BS period is 60 seconds, so the default BS timeout timer is 60 × 2 + 10 = 130 seconds.
NOTE: If you configure the BS period or the BS timeout timer, the system uses the configured value instead of the default one.
into multiple admin-scoped zones. Each admin-scoped zone maintains a BSR, which serves a specific multicast group range. The global-scoped zone also maintains a BSR, which serves all the remaining multicast groups. Enabling administrative scoping Before you configure an admin-scoped zone, you must enable administrative scoping. Perform the following configuration on all routers in the PIM-SM domain. To enable administrative scoping: Step Command Remarks 1. Enter system view. system-view N/A 2.
For configuration of global C-BSR parameters, see "Configuring global C-BSR parameters." Configure C-BSRs for each admin-scoped zone and the global-scoped zone. Perform the following configuration on the routers that you want to configure as C-BSRs in admin-scoped zones. To configure a C-BSR for an admin-scoped zone: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter public network PIM view. pim N/A Configure a C-BSR for an admin-scoped zone.
message during the register probe time, it will reset its register-stop timer. Otherwise, the DR starts sending register messages with encapsulated data again when the register-stop timer expires. The register-stop timer is set to a random value chosen uniformly from the interval (0.5 times register_suppression_time, 1.5 times register_suppression_time) minus register_probe_time.
4. Configure the interval of checking the traffic rate threshold before initiating a switchover to SPT: timer spt-switch interval (optional; 15 seconds by default)
Configuring PIM-SSM at the CLI
PIM-SSM needs the support of IGMPv3. Be sure to enable IGMPv3 on PIM routers with multicast receivers.
PIM-SSM configuration task list
Complete these tasks to configure PIM-SSM:
Enabling PIM-SM: Required.
Configuring the SSM group range: Optional.
Configuring the SSM group range Whether the PIM-SSM model or the PIM-SM model delivers the information from a multicast source to the receivers depends on whether the group address in the (S, G) packets that the receivers request is in the SSM group range. All PIM-SM-enabled interfaces assume the PIM-SSM model for multicast groups within this address range. Configuration guidelines • Perform the following configuration on all routers in the PIM-SSM domain.
Configuration prerequisites Before you configure common PIM features, complete the following tasks: • Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer. • Configure PIM-DM, or PIM-SM, or PIM-SSM. • Determine the ACL rule for filtering multicast data. • Determine the ACL rule defining a legal source address range for hello messages. • Determine the priority for DR election (global value/interface level value).
Configuring a hello message filter
As PIM is deployed more widely, the security requirements on the protocol increase. Establishing correct PIM neighbor relationships is the prerequisite for secure operation of PIM. To guard against PIM message attacks, you can configure a legal source address range for hello messages on router interfaces, so that only hello messages from that range can establish a PIM neighbor relationship.
To configure a hello message filter:
Generation ID—A router generates a generation ID for hello messages when an interface is enabled with PIM. The generation ID is a random value, but it changes only when the status of the router changes. If a PIM router finds that the generation ID in a hello message from the upstream router has changed, it assumes that the status of the upstream router has changed. In this case, it sends a join message to the upstream router for status update.
Setting the prune delay timer The prune delay timer on an upstream router on a shared-media network can make the upstream router not perform the prune action immediately after it receives the prune message from its downstream router. Instead, the upstream router maintains the current forwarding state for a period of time that the prune delay timer defines. In this period, if the upstream router receives a join message from the downstream router, it cancels the prune action.
4. Configure the join/prune interval: timer join-prune interval (optional; 60 seconds by default)
5. Configure the join/prune timeout timer: holdtime join-prune interval (optional; 210 seconds by default)
6. Configure the assert timeout timer: holdtime assert interval (optional; 180 seconds by default)
7. Configure the multicast source lifetime: source-lifetime interval (optional; 210 seconds by default)
To configure common PIM timers on an interface:
3. Configure the maximum size of each join/prune message: jp-pkt-size packet-size (optional; 8100 bytes by default)
4. Configure the maximum number of (S, G) entries in each join/prune message: jp-queue-size queue-size (optional; 1020 by default)
Displaying and maintaining PIM
Display information about the BSR in the PIM-SM domain and the locally configured C-RP.
PIM configuration examples This section provides examples of configuring PIM on routers. PIM-DM configuration example Network requirements As shown in Figure 344, the receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire PIM domain is operating in the dense mode. Host A and Host C are multicast receivers in two stub networks N1 and N2.
Firewall GigabitEthernet 0/4 192.168.3.2/24
2. Configuration procedure
a. Assign an IP address and subnet mask to each interface according to Figure 344. (Details not shown.)
b. Configure OSPF on the routers in the PIM-DM domain to make sure they are interoperable at the network layer. (Details not shown.)
c. Enable IP multicast routing, IGMP, and PIM-DM:
# On Router A, enable IP multicast routing globally, enable IGMP on Ethernet 1/1, and enable PIM-DM on each interface.
GE0/3 1 30 1 192.168.2.2 (local) GE0/4 1 30 1 192.168.3.2 (local) Use the display pim neighbor command to display PIM neighboring relationship among the routers. For example: # Display PIM neighboring relationship on the firewall. [Firewall] display pim neighbor VPN-Instance: public net Total Number of Neighbors = 3 Neighbor Interface Uptime Expires Dr-Priority 192.168.1.1 GE0/2 00:02:22 00:01:27 1 192.168.2.1 GE0/3 00:00:22 00:01:29 3 192.168.3.
Total 0 (*, G) entry; 1 (S, G) entry (10.110.5.100, 225.1.1.
Table 67 Interface and IP address assignment
Router A Eth1/1 10.110.1.1/24
Router A Eth1/2 192.168.1.1/24
Router A POS5/0 192.168.9.1/24
Router B Eth1/1 10.110.2.1/24
Router B POS5/0 192.168.2.1/24
Router C Eth1/1 10.110.2.2/24
Firewall GE0/1 10.110.5.1/24
Firewall GE0/2 192.168.1.2/24
Firewall GE0/3 192.168.4.2/24
Router D POS5/0 192.168.3.2/24
Router D POS5/1 192.168.2.2/24
Router D POS5/2 192.168.9.
[Firewall-pim] c-rp gigabitethernet 0/3 group-policy 2005
[Firewall-pim] quit
# On Router D, configure the service scope of RP advertisements, specify a C-BSR and a C-RP, and set the hash mask length to 32 and the priority of the C-BSR to 20.
system-view
[RouterD] acl number 2005
[RouterD-acl-basic-2005] rule permit source 225.1.1.0 0.0.0.255
[RouterD-acl-basic-2005] quit
[RouterD] pim
[RouterD-pim] c-bsr pos 5/2 32 20
[RouterD-pim] c-rp pos 5/2 group-policy 2005
[RouterD-pim] quit
e.
Candidate RP: 192.168.4.2(GigabitEthernet0/3) Priority: 192 HoldTime: 150 Advertisement Interval: 60 Next advertisement scheduled at: 00:00:34 # Display information about the BSR and locally configured C-RP on Router D. [RouterD] display pim bsr-info VPN-Instance: public net Elected BSR Address: 192.168.9.2 Priority: 20 Hash mask length: 32 State: Elected Scope: Not scoped Uptime: 00:01:18 Next BSR message scheduled at: 00:01:52 Candidate BSR Address: 192.168.9.
path have an (S, G) entry. You can use the display pim routing-table command to display the PIM routing table information on the routers. For example: # Display PIM routing table information on Router A. [RouterA] display pim routing-table VPN-Instance: public net Total 1 (*, G) entry; 1 (S, G) entry (*, 225.1.1.0) RP: 192.168.9.2 Protocol: pim-sm, Flag: WC UpTime: 00:13:46 Upstream interface: Pos5/0 Upstream neighbor: 192.168.9.2 RPF prime neighbor: 192.168.9.
[RouterD] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.1.1.0)
RP: 192.168.9.2 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:13:16
Upstream interface: Register
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Pos5/2
Protocol: pim-sm, UpTime: 00:13:16, Expires: 00:03:22
PIM-SM admin-scoped zone configuration example
1.
Figure 351 Network diagram (diagram not reproduced; it shows admin-scoped zone 1, admin-scoped zone 2, and the global-scoped zone of the PIM-SM domain, with the firewall, Router B, and Router C marked as zone border routers (ZBRs), Router A and Router D through Router H, sources Source 1, Source 2, and Source 3, and receivers Host A, Host B, and Host C)
Table 68 Interface and IP address assignment
2. Configuration procedure a. Assign an IP address and subnet mask to each interface according to Figure 351. (Details not shown.) b. Configure OSPF on the routers in the PIM-SM domain to make sure they are interoperable at the network layer. (Details not shown.) c. Enable IP multicast routing and administrative scoping, enable IGMP and PIM-SM: # On Router A, enable IP multicast routing and administrative scoping, enable IGMP on the host-side interface Ethernet 1/1, and enable PIM-SM on each interface.
[Firewall-GigabitEthernet0/3] multicast boundary 239.0.0.0 8
[Firewall-GigabitEthernet0/3] quit
[Firewall] interface gigabitethernet 0/4
[Firewall-GigabitEthernet0/4] multicast boundary 239.0.0.0 8
[Firewall-GigabitEthernet0/4] quit
# On Router B, configure Ethernet 1/2 and POS 5/2 as the boundary of admin-scoped zone 2.
system-view
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] multicast boundary 239.0.0.
f. Verifying the configuration
# Display information about the BSR and locally configured C-RP on the firewall.
[Firewall] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Accept Preferred
Scope: Global
Uptime: 00:01:45
Expires: 00:01:25
Elected BSR Address: 10.110.1.2
Priority: 64
Hash mask length: 30
State: Elected
Scope: 239.0.0.0/8
Uptime: 00:04:54
Next BSR message scheduled at: 00:00:06
Candidate BSR Address: 10.110.1.
Hash mask length: 30
State: Elected
Scope: 239.0.0.0/8
Candidate RP: 10.110.4.2(Serial2/1)
Priority: 192
HoldTime: 150
Advertisement Interval: 60
Next advertisement scheduled at: 00:00:10
# Display information about the BSR and locally configured C-RP on Router E.
[RouterE] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Elected
Scope: Global
Uptime: 00:11:11
Next BSR message scheduled at: 00:00:49
Candidate BSR Address: 10.110.9.
[RouterC] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
RP: 10.110.9.1
Priority: 192
HoldTime: 150
Uptime: 00:03:42
Expires: 00:01:48
Group/MaskLen: 239.0.0.0/8
RP: 10.110.4.2 (local)
Priority: 192
HoldTime: 150
Uptime: 00:06:54
Expires: 00:02:41
# Display RP information on Router E.
[RouterE] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
RP: 10.110.9.
Figure 352 Network diagram (diagram not reproduced; interface addresses are listed in Table 69)
Table 69 Interface and IP address assignment
Firewall GE0/1 10.110.1.1/24
Firewall GE0/2 192.168.1.1/24
Firewall GE0/3 192.168.9.1/24
Router A Eth1/1 10.110.2.1/24
Router A POS5/0 192.168.2.1/24
Router C Eth1/1 10.110.5.1/24
Router C Eth1/2 192.168.1.2/24
Router C POS5/0 192.168.4.2/24
Router D POS5/0 192.168.3.2/24
Router D POS5/1 192.168.2.
[Firewall-GigabitEthernet0/1] igmp version 3
[Firewall-GigabitEthernet0/1] pim sm
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] pim sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim sm
[Firewall-GigabitEthernet0/3] quit
# Enable IP multicast routing, IGMP, and PIM-SM on Router A and Router B in the same way. (Details not shown.)
Upstream interface: GigabitEthernet0/2
Upstream neighbor: 192.168.1.2
RPF prime neighbor: 192.168.1.2
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/1
Protocol: igmp, UpTime: 00:13:25, Expires: 00:03:25
# Display PIM routing table information on Router C.
[RouterC] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 232.1.1.
interface and the next hop will be taken as the RPF neighbor. The RPF interface depends entirely on the existing unicast route and is independent of PIM. The RPF interface must be PIM-enabled, and the RPF neighbor must also be a PIM neighbor. If PIM is not enabled on the router where the RPF interface or the RPF neighbor resides, the multicast distribution tree cannot be established and multicast forwarding fails.
Solution
1. Use the display current-configuration command to verify the multicast forwarding boundary settings. Use the multicast boundary command to change the multicast forwarding boundary settings.
2. Use the display current-configuration command to verify the multicast filter configuration. Change the ACL rule defined in the source-policy command so that the source/group address of the multicast data can pass ACL filtering.
Solution
1. Use the display ip routing-table command to verify that routes to the RP and the BSR are available on each router and that a route between the RP and the BSR is available. Make sure each C-RP has a unicast route to the BSR, the BSR has a unicast route to each C-RP, and all the routers in the entire network have a unicast route to the RP.
2. PIM-SM needs the support of the RP and BSR.
Configuring MSDP
Overview
MSDP is an inter-domain multicast solution that addresses the interconnection of Protocol Independent Multicast Sparse Mode (PIM-SM) domains. It discovers multicast source information in other PIM-SM domains. In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information about a domain is isolated from that of another domain.
Configuring basic MSDP functions
All the configuration tasks should be performed on RPs in PIM-SM domains, and each of these RPs acts as an MSDP peer.
Configuration prerequisites
Before you configure basic MSDP functions, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Configure PIM-SM to enable intra-domain multicast forwarding.
• Determine the IP addresses of MSDP peers.
To configure a static RPF peer:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter public network MSDP view.
  Command: msdp
  Remarks: N/A
Step 3. Configure a static RPF peer.
  Command: static-rpf-peer peer-address [ rp-policy ip-prefix-name ]
  Remarks: No static RPF peer configured by default.
NOTE: If only one MSDP peer is configured on a router, this MSDP peer is registered as a static RPF peer.
Configuring an MSDP peer connection
This section describes how to configure an MSDP peer connection.
Configuring an MSDP mesh group
An AS can contain multiple MSDP peers. You can use the MSDP mesh group mechanism to avoid SA message flooding among these MSDP peers and optimize the multicast traffic. An MSDP peer in an MSDP mesh group forwards SA messages from outside the mesh group that passed the RPF check to the other members in the mesh group. A mesh group member accepts SA messages from inside the group without performing an RPF check, and does not forward the message within the mesh group.
To configure MSDP peer connection control:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter public network MSDP view.
  Command: msdp
  Remarks: N/A
Step 3. Deactivate an MSDP peer.
  Command: shutdown peer-address
  Remarks: Optional. Active by default.
Step 4. Configure the interval between MSDP peer connection retries.
  Command: timer retry interval
Step 5. Configure a password for MD5 authentication used by both MSDP peers to establish a TCP connection.
  Command: peer peer-address password { cipher cipher-password | simple simple-password }
The MSDP peers deliver SA messages to one another. After receiving an SA message, a router performs an RPF check on the message. If the router finds that the remote RP address is the same as the local RP address, it discards the SA message. However, in the Anycast RP application, you must configure RPs with the same IP address on two or more routers in the same PIM-SM domain and configure these routers as MSDP peers to one another.
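The SA handling rules from the mesh group section and the paragraph above, as an added Python example that is not code from the HP guide. It encodes only what the text states (discard when the SA's originating RP is the local RP; a mesh-group peer's SA skips the RPF check and is not forwarded back into the group; an SA from outside the group reaches the group members only after passing the RPF check) plus the RFC 3618 rule that an SA learned inside a mesh group is still forwarded to peers outside the group. The RPF check itself is passed in as a boolean because its rules are not part of this section, and the peer addresses, the (S, G) pair and the receive filter are constructed values.

```python
"""What an MSDP speaker does with a received SA message.

Added example, not HP code.  Rules from the text: an SA whose originating RP
is the local RP is discarded; an SA from a mesh-group peer is accepted without
an RPF check and never forwarded back into the group; an SA from outside the
group is forwarded to the group members only after it passes the RPF check.
RFC 3618 additionally forwards an SA learned inside the group to peers
outside it.  Peer addresses and the (S, G) pair are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class SAMessage:
    origin_rp: str    # RP address carried in the SA message
    source: str       # multicast source S
    group: str        # multicast group G


@dataclass
class MSDPSpeaker:
    local_rp: str
    peers: Set[str]
    mesh_group: Set[str] = field(default_factory=set)              # subset of peers
    receive_filter: Optional[Callable[[str, str], bool]] = None   # (S, G) -> keep?

    def handle_sa(self, sa: SAMessage, from_peer: str, rpf_passed: bool) -> Tuple[bool, List[str]]:
        """Return (accepted, peers_to_forward_to) for one SA from one peer."""
        if from_peer not in self.peers:
            return False, []                       # not a configured MSDP peer
        if sa.origin_rp == self.local_rp:
            return False, []                       # remote RP equals local RP: discard
        if self.receive_filter and not self.receive_filter(sa.source, sa.group):
            return False, []                       # dropped by the SA receive filter
        if from_peer in self.mesh_group:
            # inside the mesh group: no RPF check, never forwarded back into the group
            return True, sorted(self.peers - self.mesh_group)
        if not rpf_passed:
            return False, []                       # RPF check failed
        # from outside the group: forward to every other peer, mesh members included
        return True, sorted(self.peers - {from_peer})


def demo() -> dict:
    """Constructed topology: RP 1.1.1.1, mesh peers 2.2.2.2 and 3.3.3.3, external peer 4.4.4.4."""
    rp = MSDPSpeaker("1.1.1.1", {"2.2.2.2", "3.3.3.3", "4.4.4.4"}, {"2.2.2.2", "3.3.3.3"},
                     receive_filter=lambda s, g: not g.startswith("239."))  # drop admin-scoped groups
    sa = SAMessage("9.9.9.9", "10.110.5.100", "225.1.1.1")
    return {
        "external_rpf_ok": rp.handle_sa(sa, "4.4.4.4", True),
        "external_rpf_fail": rp.handle_sa(sa, "4.4.4.4", False),
        "mesh_no_rpf": rp.handle_sa(sa, "2.2.2.2", False),
        "own_rp": rp.handle_sa(SAMessage("1.1.1.1", "10.110.5.100", "225.1.1.1"), "4.4.4.4", True),
        "filtered": rp.handle_sa(SAMessage("9.9.9.9", "10.110.5.100", "239.1.1.1"), "4.4.4.4", True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "own_rp" case is the Anycast RP situation the paragraph warns about: with every RP sharing one address, each SA would look locally originated and be discarded, which is why the Anycast RP configuration that follows in the guide has to separate the originating RP address from the shared one.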
A filtering rule for receiving or forwarding SA messages enables the router to filter the (S, G) forwarding entries to be advertised when the router receives or forwards an SA message. This controls the propagation of multicast source information at SA message reception or forwarding.
To configure the SA message cache:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter public network MSDP view.
  Command: msdp
  Remarks: N/A
Step 3. Enable the SA cache mechanism.
  Command: cache-sa-enable
  Remarks: Optional. Enabled by default.
Step 4. Configure the maximum number of (S, G) entries learned from the specified MSDP peer that the router can cache.
  Command: peer peer-address sa-cache-maximum sa-limit
  Remarks: Optional. 8192 by default.
Configure Loopback 0 as the C-BSR and C-RP of the related PIM-SM domain on Router B, Router C, and the firewall. Set up MSDP peering relationships between the RPs of the PIM-SM domains to share multicast source information among the PIM-SM domains.
Figure 353 Network diagram
Table 70 Interface and IP address assignment
Device     Interface   IP address        Device     Interface   IP address
Router A   Eth1/1      10.110.1.2/24     Router D   Eth1/1      10.110.4.
b. Configure OSPF on the routers to make sure the routers are interoperable at the network layer in each AS, and they can dynamically update routing information. (Details not shown.)
2. Enable IP multicast routing, enable PIM-SM and IGMP, and configure a PIM-SM domain border:
# On Router A, enable IP multicast routing, enable PIM-SM on each interface, and enable IGMP on the host-side interface Ethernet 1/3.
[RouterB] ospf 1
[RouterB-ospf-1] import-route bgp
[RouterB-ospf-1] quit
# Redistribute BGP routing information into OSPF on Router C.
[RouterC] ospf 1
[RouterC-ospf-1] import-route bgp
[RouterC-ospf-1] quit
5. Configure MSDP peers:
# Configure an MSDP peer on Router B.
[RouterB] msdp
[RouterB-msdp] peer 192.168.1.2 connect-interface pos 5/0
[RouterB-msdp] quit
# Configure MSDP peers on Router C.
[RouterC] msdp
[RouterC-msdp] peer 192.168.1.1 connect-interface pos 5/0
[RouterC-msdp] peer 192.168.3.
Total Number of Routes: 5 BGP Local router ID is 2.2.2.2 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale Origin : i - IGP, e - EGP, ? - incomplete Network NextHop MED 1.1.1.1/32 192.168.1.1 0 0 100? * >i 2.2.2.2/32 0.0.0.0 0 0 ? * > 192.168.1.0 0.0.0.0 0 0 ? * > 192.168.1.1/32 0.0.0.0 0 0 ? * > 192.168.1.2/32 0.0.0.
State: Up Up/down time: 00:15:47 Resets: 0 Connection interface: Pos5/0 (192.168.1.
Figure 354 Network diagram (AS 100 and AS 200; PIM-SM 1, PIM-SM 2 and PIM-SM 3; Firewall, Router A through Router F, Source 1, Source 2 and the receivers; BGP peers)
Table 71 Interface and IP address assignment
Device     Interface   IP address          Device     Interface   IP address
Source 1   -           192.168.1.100/24    Firewall   GE0/1       10.110.5.
# On Router C, enable IP multicast routing globally, enable PIM-SM on each interface, and enable IGMP on the host-side interface Ethernet 1/2.
[RouterC-bgp] peer 10.110.4.2 as-number 200
[RouterC-bgp] import-route ospf 1
[RouterC-bgp] quit
# Configure an eBGP peer, and redistribute OSPF routing information on Router E.
[RouterE] bgp 200
[RouterE-bgp] router-id 3.3.3.1
[RouterE-bgp] peer 10.110.4.1 as-number 100
[RouterE-bgp] import-route ospf 1
[RouterE-bgp] quit
# Redistribute BGP routing information into OSPF on Router B.
Verifying the configuration
Use the display bgp peer command to display the BGP peering relationships between the routers. Router A does not display any information, which means that no BGP peering relationship has been established between Router A and the firewall, or between Router A and Router F. When the multicast source in PIM-SM 1 (Source 1) and the multicast source in PIM-SM 2 (Source 2) send multicast information, receivers in PIM-SM 1 and PIM-SM 3 can receive the multicast data.
Figure 355 Network diagram
Table 72 Interface and IP address assignment
Device     Interface   IP address         Device     Interface   IP address
Source 1   —           10.110.5.100/24    Router C   POS5/0      192.168.1.2/24
Source 2   —           10.110.6.100/24    Router C   Eth1/1      192.168.2.2/24
Router A   Eth1/1      10.110.5.1/24      Firewall   GE0/1       10.110.3.1/24
Router A   S2/0        10.110.2.2/24      Firewall   GE0/2       10.110.4.
system-view
[RouterB] multicast routing-enable
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] igmp enable
[RouterB-Ethernet1/1] pim sm
[RouterB-Ethernet1/1] quit
[RouterB] interface serial 2/0
[RouterB-Serial2/0] pim sm
[RouterB-Serial2/0] quit
[RouterB] interface pos 5/0
[RouterB-Pos5/0] pim sm
[RouterB-Pos5/0] quit
[RouterB] interface loopback 0
[RouterB-LoopBack0] pim sm
[RouterB-LoopBack0] quit
[RouterB] interface loopback 10
[RouterB-LoopBack10] pim sm
[RouterB-LoopBack10] quit
[Route
 1            1    0        0         0          0
 Peer's Address   State   Up/Down time   AS   SA Count   Reset Count
 2.2.2.2          Up      00:10:17       ?    0          0
# Display brief information about MSDP peers on the firewall.
[Firewall] display msdp brief
 MSDP Peer Brief Information of VPN-Instance: public net
 Configured   Up   Listen   Connect   Shutdown   Down
 1            1    0        0         0          0
 Peer's Address   State   Up/Down time   AS   SA Count   Reset Count
 1.1.1.1          Up      00:10:18       ?    0          0
When Source 1 10.110.5.100/24 sends multicast data to multicast group G 225.1.1.
Host A has left multicast group G, and Source 1 has stopped sending multicast data to multicast group G. When Source 2 10.110.6.100/24 sends multicast data to G, Host B joins G. By comparing the PIM routing information displayed on Router B with that displayed on the firewall, you can see that the firewall acts now as the RP for Source 2 and Host B.
# Display the PIM routing information on Router B.
[RouterB] display pim routing-table
No information is output on Router B.
Source 1 sends multicast data to multicast groups 225.1.1.0/30 and 226.1.1.0/30, and Source 2 sends multicast data to multicast group 227.1.1.0/30. Configure SA message filtering rules so that receivers Host A and Host B can receive only the multicast data addressed to multicast groups 225.1.1.0/30 and 226.1.1.0/30, and Host can receive only the multicast data addressed to multicast groups 226.1.1.0/30 and 227.1.1.0/30.
# On Router A, enable IP multicast routing globally, enable IGMP on the host-side interface, Ethernet 1/1, and enable PIM-SM on each interface.
[RouterC-msdp] quit
# Configure an MSDP peer on the firewall.
[Firewall] msdp
[Firewall-msdp] peer 10.110.5.1 connect-interface gigabitethernet 0/3
[Firewall-msdp] quit
5. Configure SA message filtering rules:
# Configure an SA message filter on Router C so that Router C will not forward SA messages for (Source 1, 225.1.1.0/30) to the firewall.
[RouterC] acl number 3001
[RouterC-acl-adv-3001] rule deny ip source 10.110.3.100 0 destination 225.1.1.0 0.0.0.
 (10.110.3.100, 226.1.1.0)   1.1.1.1   ?   ?   00:32:53   00:05:07
 (10.110.3.100, 226.1.1.1)   1.1.1.1   ?   ?   00:32:53   00:05:07
 (10.110.3.100, 226.1.1.2)   1.1.1.1   ?   ?   00:32:53   00:05:07
 (10.110.3.100, 226.1.1.3)   1.1.1.1   ?   ?   00:32:53   00:05:07
Troubleshooting MSDP
This section describes common MSDP problems and how to troubleshoot them.
MSDP peers stay in down state
Symptom
The configured MSDP peers stay in down state.
2. Verify that a unicast route is available between the two routers that will become MSDP peers to each other.
3. Verify the configuration of the import-source command and its acl-number argument and make sure the ACL rule can filter appropriate (S, G) entries.
No SA entries exist in the router's SA cache
Symptom
RPs fail to exchange their locally registered (S, G) entries with one another in the Anycast RP application.
Configuring basic IPv6 settings
IPv6 basics can be configured only at the CLI.
Overview
IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
IPv6 features
Simplified header format
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header.
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration:
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
IMPORTANT: A double colon can appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents, and correctly convert it to zeros to restore a 128-bit IPv6 address. An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address respectively.
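The single-double-colon rule, as an added Python example that is not code from the HP guide: the parser expands a textual address to its eight 16-bit groups and rejects any address with more than one "::", because with two of them the number of zero groups each one hides cannot be recovered. The compression routine goes slightly beyond the text and shows the reverse operation (longest zero run, first on a tie). IPv4-embedded forms such as ::FFFF:192.0.2.1 are deliberately not handled.

```python
"""Expand and compress textual IPv6 addresses, enforcing the single-'::' rule.

Added example, not code from the HP guide.  A double colon stands for one or
more all-zero 16-bit groups; it may appear only once, because with two of
them the number of groups each one hides is ambiguous.  IPv4-embedded forms
such as ::FFFF:192.0.2.1 are deliberately not handled here.
"""
import re

GROUP_RE = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand_ipv6(text: str) -> str:
    """Return the full 8-group form, e.g. 'FE80::1' -> 'FE80:0000:0000:0000:0000:0000:0000:0001'."""
    if text.count("::") > 1 or ":::" in text:
        raise ValueError("'::' may appear at most once: %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)   # zero groups the '::' stands for
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly 8 groups: %r" % text)
    for g in groups:
        if not GROUP_RE.match(g):
            raise ValueError("bad group %r in %r" % (g, text))
    return ":".join(g.zfill(4).upper() for g in groups)


def is_valid_ipv6(text: str) -> bool:
    """True if expand_ipv6 accepts the text."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(text: str) -> str:
    """Compressed form: the longest run of two or more zero groups becomes '::'
    (the first such run on a tie); leading zeros dropped; upper case as in the guide."""
    groups = [int(g, 16) for g in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%X" % g for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


if __name__ == "__main__":
    for sample in ("FE80::20F:E2FF:FE00:1C0", "::1", "2001::1::2"):   # constructed inputs
        print(sample, "->", expand_ipv6(sample) if is_valid_ipv6(sample) else "rejected")
```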
• Link-local addresses are used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
• Site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network).
• A loopback address is 0:0:0:0:0:0:0:1 (or ::1).
Figure 358 Converting a MAC address into an EUI-64 address-based interface identifier
• On a tunnel interface
The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see VPN Configuration Guide.
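Both derivations described here, as an added Python example that is not code from the guide: the MAC-based form (split the 48 bits, insert FFFE, invert the universal/local bit) and the tunnel form (0000:5EFE or zeros followed by the IPv4 source). The MAC address 000F-E200-01C0 is inferred from the link-local address FE80::20F:E2FF:FE00:1C0 shown in this chapter's verification output; the tunnel IPv4 addresses and the 2001::/64 prefix used for stateless autoconfiguration are constructed values.

```python
"""IPv6 interface identifiers: modified EUI-64 from a MAC, and the tunnel form.

Added example, not code from the guide.  For a MAC address the 48 bits are
split in half, FFFE is inserted in the middle, and the universal/local bit
(bit 1 of the first byte) is inverted.  For a tunnel interface the low 32
bits are the tunnel's IPv4 source address and the high 32 bits are
0000:5EFE for ISATAP or all zeros otherwise.
"""
import ipaddress


def mac_to_eui64_iid(mac: str) -> str:
    """'000F-E200-01C0' or '00:0f:e2:00:01:c0' -> '020F:E2FF:FE00:01C0'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    mac_bytes = bytes.fromhex(digits)
    eui64 = bytearray(mac_bytes[:3] + b"\xff\xfe" + mac_bytes[3:])   # insert FFFE
    eui64[0] ^= 0x02                                                  # invert the U/L bit
    return ":".join(eui64[i:i + 2].hex().upper() for i in range(0, 8, 2))


def tunnel_iid(ipv4_source: str, isatap: bool) -> str:
    """Interface identifier of a tunnel interface whose IPv4 source is ipv4_source."""
    high = "0000:5EFE" if isatap else "0000:0000"
    o = ipaddress.IPv4Address(ipv4_source).packed
    return "%s:%02X%02X:%02X%02X" % (high, o[0], o[1], o[2], o[3])


def address_from_prefix(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: a /64 prefix plus the EUI-64 identifier, compressed."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 identifiers need a /64 prefix")
    iid = int(mac_to_eui64_iid(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid)).upper()


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the EUI-64 identifier."""
    return address_from_prefix("FE80::/64", mac)


if __name__ == "__main__":
    print(link_local_from_mac("000F-E200-01C0"))   # FE80::20F:E2FF:FE00:1C0, as in the guide
    print(tunnel_iid("192.168.1.1", isatap=True))   # constructed tunnel source address
```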
Figure 359 Address resolution
The address resolution operates as follows:
1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A and the destination address is the solicited-node multicast address of Host B. The NS message contains the link-layer address of Host A.
2. After receiving the NS message, Host B determines whether the destination address of the packet is its solicited-node multicast address.
3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B. If receiving no NA message, Host A decides that the IPv6 address is not in use and uses this address.
Router/prefix discovery and address autoconfiguration
Router/prefix discovery enables a node to locate the neighboring routers and to learn from the received RA message configuration parameters such as the prefix of the network where the node is located.
Figure 361 Path MTU discovery process
1. The source host compares its MTU with the packet to be sent, performs necessary fragmentation, and sends the resulting packet to the destination host.
2. If the MTU supported by a forwarding interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host.
3.
Protocols and standards
Protocols and standards related to IPv6 include:
• RFC 1881, IPv6 Address Allocation Management
• RFC 1887, An Architecture for IPv6 Unicast Address Allocation
• RFC 1981, Path MTU Discovery for IP version 6
• RFC 2375, IPv6 Multicast Address Assignments
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification
• RFC 2464, Transmission of IPv6 Packets over Ethernet Networks
• RFC 2526, Reserved IPv6 Subnet Anycast Addresses
• RFC 2894, Router Renumbering for IPv6
Tasks (each optional):
Configuring IPv6 FIB load sharing
Controlling sending ICMPv6 packets:
  Configuring the maximum ICMPv6 error packets sent in an interval
  Enabling replying to multicast echo requests
  Enabling sending ICMPv6 time exceeded messages
  Enabling sending ICMPv6 destination unreachable messages
  Enabling sending ICMPv6 redirect messages
A manually configured global unicast address takes precedence over an automatically generated one. If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous. The overwritten automatic global unicast address is not restored even if the manual one is removed.
• Use the ipv6 prefix command to create a static IPv6 prefix.
• Configure the device to use DHCPv6 for prefix acquisition. The client generates an IPv6 prefix with a specific ID based on the prefix obtained from the DHCPv6 server. For more information, see the ipv6 dhcp client pd command in Layer 3—IP Services Command Reference.
To apply an IPv6 prefix to an interface to generate an IPv6 address:
Step 1. Enter system view.
Step 3. Configure the interface to automatically generate an IPv6 link-local address.
  Command: ipv6 address auto link-local
  Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
To manually configure an IPv6 link-local address:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
Configuring IPv6 ND
Configuring a static neighbor entry
The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer 3 interface number. You can configure a static neighbor entry by using either of the following methods.
Setting the age timer for ND entries in stale state
ND entries in stale state have an age timer. If an ND entry in stale state is not refreshed before the timer expires, it transits to the delay state. If it is still not refreshed in 5 seconds, the ND entry transits to the probe state, and the device sends an NS message for detection. If no response is received, the device removes the ND entry.
To set the age timer for ND entries in stale state:
Step 1. Enter system view.
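The stale-to-delay-to-probe aging sequence just described, as an added Python simulation that is not HP firmware code. The stale age timer and the 5-second delay come from the text; the 3-second probe timeout, the 30-second reachable time (30000 ms is the default shown in this chapter's display ipv6 interface output) and the neighbor addresses are assumptions made for the simulation.

```python
"""Simulate ND neighbor-entry aging: STALE -> DELAY -> PROBE -> removed.

Added example, not HP firmware code.  From the text: a STALE entry has an
age timer; when it expires the entry moves to DELAY; if nothing refreshes it
within 5 s it moves to PROBE and the device sends an NS; with no answer the
entry is removed.  PROBE_TIMEOUT and REACHABLE_TIME are assumed values.
"""
from dataclasses import dataclass, field

DELAY_SECONDS = 5        # stated in the text
PROBE_TIMEOUT = 3        # assumed: how long to wait for an NA after the NS
REACHABLE_TIME = 30      # assumed: 30000 ms, the default seen in this chapter's output


@dataclass
class NDEntry:
    ipv6: str
    mac: str
    stale_timeout: int               # the configurable stale-state age timer
    reachable_time: int = REACHABLE_TIME
    state: str = "STALE"
    state_entered_at: int = 0
    ns_sent: list = field(default_factory=list)   # times an NS probe was sent

    def refresh(self, now):
        """An NA (or other reachability confirmation) arrived from the neighbor."""
        self.state, self.state_entered_at = "REACHABLE", now

    def advance(self, now):
        """Run the timers up to `now`, applying every due transition in order."""
        while True:
            elapsed = now - self.state_entered_at
            if self.state == "REACHABLE" and elapsed >= self.reachable_time:
                self.state_entered_at += self.reachable_time
                self.state = "STALE"
            elif self.state == "STALE" and elapsed >= self.stale_timeout:
                self.state_entered_at += self.stale_timeout
                self.state = "DELAY"
            elif self.state == "DELAY" and elapsed >= DELAY_SECONDS:
                self.state_entered_at += DELAY_SECONDS
                self.state = "PROBE"
                self.ns_sent.append(self.state_entered_at)   # NS sent for detection
            elif self.state == "PROBE" and elapsed >= PROBE_TIMEOUT:
                self.state_entered_at += PROBE_TIMEOUT
                self.state = "REMOVED"
            else:
                return self.state


def age_without_traffic(stale_timeout):
    """Trace (time, state) for an entry that is never refreshed."""
    entry = NDEntry("2001::2", "000f-e200-01c0", stale_timeout)   # constructed neighbor
    horizon = stale_timeout + DELAY_SECONDS + PROBE_TIMEOUT
    trace = [(t, entry.advance(t)) for t in range(horizon + 1)]
    return trace, entry


if __name__ == "__main__":
    for t, s in age_without_traffic(10)[0]:
        print(t, s)
```

A short stale timer removes unused entries sooner but costs an NS probe per entry each time traffic resumes; the simulation makes that trade-off visible by counting the probes in ns_sent.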
Parameter: Reachable Time
  Description: If the neighbor reachability detection shows that a neighbor is reachable, the device considers the neighbor reachable within the specified reachable time. If the device must send a packet to the neighbor after the specified reachable time expires, the device reconfirms whether the neighbor is reachable.
Step 5. Turn off the MTU option in RA messages.
  Command: ipv6 nd ra no-advlinkmtu
  Remarks: Optional. By default, RA messages contain the MTU option.
Step 6. Set the M flag bit to 1.
  Command: ipv6 nd autoconfig managed-address-flag
  Remarks: Optional. By default, the M flag bit is set to 0 and hosts acquire IPv6 addresses through stateless autoconfiguration.
Step 7. Set the O flag bit to 1.
  Command: ipv6 nd autoconfig other-flag
  Remarks: Optional.
Step 8. Configure the router lifetime in RA messages.
Step 3. Configure the number of attempts to send an NS message for DAD.
  Command: ipv6 nd dad attempts value
  Remarks: Optional. 1 by default. When the value argument is set to 0, DAD is disabled.
Enabling ND proxy
ND proxy supports the NS and NA messages only.
Figure 363 Application environment of local ND proxy
Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2. To solve this problem, enable local ND proxy on GigabitEthernet 0/2 of the firewall so that the firewall can forward messages between Host A and Host B.
Configuring the interface MTU
IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet. Meanwhile, the router sends the MTU to the source host in an ICMPv6 Packet Too Big message. The source host fragments the packet according to the MTU and resends it.
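The path MTU discovery steps of Figure 361 and the Packet Too Big behaviour above, as an added Python walk-through that is not code from the guide: the source starts at its own MTU, each router that cannot forward the packet reports its link MTU, and the source shrinks its packets until one gets through. The 1280-byte floor is the IPv6 minimum link MTU; the link MTU values are constructed.

```python
"""IPv6 path MTU discovery walk-through.

Added example, not HP code.  Routers never fragment: a packet larger than the
next link's MTU is dropped and the router returns an ICMPv6 Packet Too Big
carrying that link's MTU.  The source fragments to the reported value and
retries until a packet gets through.  Link MTU values below are constructed.
"""
IPV6_MIN_MTU = 1280   # minimum link MTU every IPv6 link must support


def forward(packet_size, link_mtus):
    """Walk the hops; return (delivered, reported_mtu_or_None)."""
    for link_mtu in link_mtus:
        if packet_size > link_mtu:
            return False, link_mtu     # dropped; Packet Too Big(link_mtu) goes back
    return True, None


def discover_path_mtu(source_mtu, link_mtus, packet_size):
    """Return (path_mtu, attempts); path_mtu is None if the path cannot carry 1280 bytes.

    attempts is the list of (size_sent, delivered, reported_mtu) in order.
    """
    pmtu = source_mtu
    attempts = []
    while True:
        size = min(packet_size, pmtu)        # first fragment fills the current estimate
        delivered, reported = forward(size, link_mtus)
        attempts.append((size, delivered, reported))
        if delivered:
            return pmtu, attempts
        if reported < IPV6_MIN_MTU:
            if pmtu == IPV6_MIN_MTU:
                return None, attempts        # a link is below the IPv6 minimum: unusable
            pmtu = IPV6_MIN_MTU              # never estimate below 1280
        elif reported >= pmtu:
            return None, attempts            # a report that does not shrink the estimate
        else:
            pmtu = reported


def fragment_sizes(total_size, path_mtu):
    """Sizes of the fragments the source sends (header overhead ignored)."""
    sizes = []
    remaining = total_size
    while remaining > 0:
        piece = min(path_mtu, remaining)
        sizes.append(piece)
        remaining -= piece
    return sizes


if __name__ == "__main__":
    pmtu, trace = discover_path_mtu(1500, [1500, 1400, 1280, 1500], 1500)
    print("path MTU:", pmtu)
    for step in trace:
        print(step)
    print(fragment_sizes(3000, pmtu))
```

The two None returns are the failure modes worth watching in practice: a link below 1280 bytes, and a Packet Too Big report that would not lower the estimate. A source that blindly trusted every report could be driven into a retry loop, so the loop refuses to continue in either case.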
Configuring IPv6 TCP properties
You can configure the following IPv6 TCP properties:
• synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
• finwait timer—When the IPv6 TCP connection status is FIN_WAIT_2, the finwait timer is triggered. If no packet is received before the finwait timer expires, the IPv6 TCP connection is terminated.
Configuring the maximum ICMPv6 error packets sent in an interval
If too many ICMPv6 error packets are sent within a short period of time in a network, network congestion might occur. To avoid network congestion, you can control the maximum number of ICMPv6 error packets sent within a specific time by adopting the token bucket algorithm. You can set the capacity of a token bucket to determine the number of tokens in the bucket.
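A token-bucket limiter of the kind the paragraph describes, applied to a constructed burst of ICMPv6 error messages, as an added Python example that is not HP code. The bucket capacity, the refill interval and the arrival times are assumed values; the device's own command and defaults are not part of this excerpt.

```python
"""Token-bucket rate limit for ICMPv6 error messages.

Added example, not HP code.  One token is added to the bucket every
`interval_ms` milliseconds (up to `capacity` tokens); sending an ICMPv6 error
message consumes one token; when the bucket is empty the message is
suppressed.  Capacity, interval and the burst below are assumed values.
"""


class ICMPv6ErrorLimiter:
    def __init__(self, capacity, interval_ms, tokens_per_interval=1):
        self.capacity = capacity
        self.interval_ms = interval_ms
        self.tokens_per_interval = tokens_per_interval
        self.tokens = capacity          # bucket starts full
        self.last_refill_ms = 0
        self.sent = 0
        self.suppressed = 0

    def _refill(self, now_ms):
        """Credit the tokens earned since the last refill; never exceed capacity."""
        periods = (now_ms - self.last_refill_ms) // self.interval_ms
        if periods > 0:
            self.tokens = min(self.capacity, self.tokens + periods * self.tokens_per_interval)
            self.last_refill_ms += periods * self.interval_ms

    def allow(self, now_ms):
        """True if an ICMPv6 error message may be sent at time now_ms (times must not go backwards)."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def simulate(capacity, interval_ms, arrival_times_ms):
    """Apply the limiter to error-triggering packets arriving at the given (sorted) times."""
    limiter = ICMPv6ErrorLimiter(capacity, interval_ms)
    decisions = [limiter.allow(t) for t in arrival_times_ms]
    return decisions, limiter.sent, limiter.suppressed


if __name__ == "__main__":
    burst = [0] * 20 + [100, 150, 1100]   # constructed: 20 errors at once, then a trickle
    print(simulate(10, 100, burst))
```

With a capacity of 10 and one token per 100 ms, a burst of 20 error-triggering packets yields exactly 10 ICMPv6 errors; the rest are suppressed until tokens accrue again. The capacity therefore bounds the burst a remote sender can provoke, and the interval bounds the sustained rate.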
Upon receiving the first fragment of an IPv6 datagram with the destination IP address being the local address, the device starts a timer. If the timer expires before all fragments arrive, an ICMPv6 Fragment Reassembly Timeout message is sent to the source.
• If large quantities of malicious packets are received, the performance of a device degrades greatly because it must send back ICMP Time Exceeded messages. You can disable sending ICMPv6 Time Exceeded messages.
To enable sending ICMPv6 redirect messages:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable sending ICMPv6 redirect messages.
  Command: ipv6 redirects enable
  Remarks: Optional. By default, this function is disabled.
Displaying and maintaining IPv6 basics
Task: Display IPv6 FIB entries.
  Command: display ipv6 fib [ vpn-instance vpn-instance-name ] [ acl6 acl6-number | ipv6-prefix ipv6-prefix-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IPv6 TCP connection status information.
  Command: display tcp ipv6 status [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the statistics of IPv6 UDP packets.
  Command: display udp ipv6 statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear IPv6 neighbor information.
  Command: reset ipv6 neighbors { all | dynamic | interface interface-type interface-number | static }
  Remarks: Available in user view.
Task: Clear the path MTU values.
[FirewallA-GigabitEthernet0/2] undo ipv6 nd ra halt
[FirewallA-GigabitEthernet0/2] quit
2. Configure Firewall B:
# Enable IPv6.
system-view
[FirewallB] ipv6
# Assign a global unicast address for interface GigabitEthernet 0/1.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ipv6 address 3001::2/64
[FirewallB-GigabitEthernet0/1] quit
# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.
Verifying the configuration # Display the IPv6 interface information on Firewall A. All IPv6 global unicast addresses configured on the interface are displayed.
[FirewallA] display ipv6 interface gigabitethernet 0/2
GigabitEthernet0/2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:0
    FF02::1:FF00:1
    FF02::1:FF00:1C0
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is
# Display the IPv6 interface settings on Firewall B. All IPv6 global unicast addresses configured on the interface are displayed.
NOTE: To ping a link-local address, use the -i parameter to specify an interface for the link-local address.
[FirewallB] ping ipv6 -c 1 3001::1
  PING 3001::1 : 56  data bytes, press CTRL_C to break
    Reply from 3001::1
    bytes=56 Sequence=1 hop limit=64  time = 2 ms
  --- 3001::1 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.
DHCPv6 overview
DHCPv6 can be configured only at the CLI.
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
Basic concepts
Multicast addresses used by DHCPv6
DHCPv6 uses the multicast address FF05::1:3 to identify all DHCPv6 servers on the site-local scope, and uses the multicast address FF02::1:2 to identify all DHCPv6 servers and relay agents on the link-local scope.
Binding
The DHCPv6 server uses bindings to record the configuration information assigned to DHCPv6 clients, including the IPv6 address/prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
PD
The DHCPv6 server creates a Prefix Delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
The assignment involving four messages operates as follows:
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2.
For more information about the valid lifetime and the preferred lifetime, see "Configuring IPv6 basics." Stateless DHCPv6 configuration After obtaining an IPv6 address/prefix, a device can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server. This application is called stateless DHCPv6 configuration.
Configuring the DHCPv6 server
DHCPv6 server can be configured only at the CLI.
Overview
A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients.
IPv6 address assignment
As shown in Figure 371, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients.
Figure 372 IPv6 prefix assignment
DHCPv6 address pool
The DHCP server selects IPv6 addresses, IPv6 prefixes, DNS server addresses, and other parameters from an address pool and assigns them to the DHCP clients.
2. If the receiving interface has an address pool, the DHCP server selects an IPv6 address or prefix and other configuration parameters from this address pool. 3.
• Apply a prefix pool to an address pool—The DHCPv6 server dynamically assigns an IPv6 prefix from the address pool to a DHCPv6 client.
Configuration guidelines
• To configure multiple static IPv6 prefix bindings, use the static-bind prefix command repeatedly.
• An IPv6 prefix can be bound to only one DHCPv6 client. You cannot use the static-bind prefix command to modify the DUID, IAID, preferred lifetime, and valid lifetime of an existing static IPv6 prefix binding.
Step 5. Configure static or dynamic prefix assignment.
  Command (use at least one):
  • Configure a static prefix binding: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  • Apply the prefix pool to the address pool: prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  Remarks: Use at least one command. By default, no static or dynamic prefix assignment is configured for an address pool.
Step 2. Create a DHCPv6 address pool and enter its view.
  Command: ipv6 dhcp pool pool-number [ vpn-instance vpn-instance-name ]
  Description: By default, no DHCPv6 address pool exists.
Step 3. Create a static binding.
  Command: static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
Step 4. Configure dynamic address allocation.
  Command:
  • Specify an IPv6 subnet for dynamic assignment:
Configuration parameters in the address pool take precedence over those in the DHCPv6 option group. You can configure up to eight DNS server addresses, one domain name suffix, eight SIP server addresses, and eight SIP server domain names in an address pool or a DHCPv6 option group.
Configuring parameters in a DHCPv6 address pool
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a DHCPv6 address pool and enter its view.
Step 2. Create a static DHCPv6 option group and enter its view.
  Command: ipv6 dhcp option-group option-group-number
  Remarks: By default, no static DHCPv6 option group exists.
Step 3. Configure a DNS server address.
  Command: dns-server ipv6-address
  Remarks: Optional. By default, no DNS server address is configured.
Step 4. Configure a domain name suffix.
  Command: domain-name domain-name
  Remarks: Optional. By default, no domain name suffix is configured.
Step 5. Configure the IPv6 address or domain name of a SIP server.
To enable the DHCPv6 server on an interface:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Enable the DHCPv6 server on the interface.
  Command: ipv6 dhcp server [ allow-hint | apply pool pool-number | preference preference-value | rapid-commit ] *
  Remarks: Disabled by default.
Displaying and maintaining the DHCPv6 server
Task: Display the DUID of the local device.
Task: Clear information for IPv6 address conflicts.
  Command: reset ipv6 dhcp server conflict [ all | [ vpn-instance vpn-instance-name ] [ address ipv6-address | pool pool-number ] ]
  Remarks: Available in user view.
Task: Clear binding information for lease-expired IPv6 addresses.
  Command: reset ipv6 dhcp server expired [ all | [ vpn-instance vpn-instance-name ] [ address ipv6-address | pool pool-number ] ]
  Remarks: Available in user view.
Task: Clear information for IPv6 address bindings.
Figure 373 Network diagram
Configuration procedure
# Enable IPv6 and DHCPv6 server.
system-view
[Firewall] ipv6
[Firewall] ipv6 dhcp server enable
# Configure the IPv6 address of GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 1::1/64
[Firewall-GigabitEthernet0/1] quit
# Create and configure prefix pool 1.
[Firewall] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
# Create address pool 1.
[Firewall-GigabitEthernet0/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display DHCPv6 server configuration information on GigabitEthernet 0/1.
[Firewall-GigabitEthernet0/1] display ipv6 dhcp server interface gigabitethernet 0/1
 Using pool: 1
 Preference value: 255
 Allow-hint: Enabled
 Rapid-commit: Enabled
# Display information about DHCPv6 address pool 1.
 Prefix               Type        Pool   Expiration time
 2001:410:201::/48    Static(C)   1      Jul 10 2011 19:45:01
 2001:410::/48        Auto(C)     1      Jul 10 2011 20:44:05
IPv6 address and configuration parameters assignment configuration example
Network requirements
As shown in Figure 374, the firewall at 1::1/64 serves as a DHCPv6 server, and assigns IPv6 addresses, DNS server address, domain name suffix, SIP server address, and SIP server domain name to DHCPv6 clients.
[Firewall-GigabitEthernet0/1] ipv6 address 12:34:56::1/48
[Firewall-GigabitEthernet0/1] quit
# Create a static DHCPv6 option group 1.
[Firewall] ipv6 dhcp option-group 1
# Specify the DNS server address as 2:2::3.
[Firewall-dhcp6-option-group1] dns-server 2:2::3
# Specify the domain name suffix as aaa.com.
[Firewall-dhcp6-option-group1] domain-name aaa.com
# Specify the SIP server address as 2:2::4, and the domain name of the SIP server as bbb.com.
 Domain names: aaa.com
 SIP server addresses: 2:2::4
 SIP server domain names: bbb.com
# Display information about DHCPv6 address pool 1.
The DNS server address is 2:2::3. The domain name suffix is aaa.com. The SIP server address is 2:2::4, and the domain name of the SIP server is bbb.com.
Configuration considerations
• Enable IPv6 and DHCPv6 server.
• Create a static IPv6 prefix.
• Create a static DHCPv6 option group, and configure parameters in the group.
• Specify the static prefix to create a prefix pool.
• Create an address pool.
# Specify the SIP server address as 2:2::4, and the domain name of the SIP server as bbb.com.
[Firewall-dhcp6-option-group1] sip-server address 2:2::4
[Firewall-dhcp6-option-group1] sip-server domain-name bbb.com
[Firewall-dhcp6-option-group1] quit
# Create prefix pool 1 that contains the prefix with the ID 1 and specify the length of prefixes to be assigned as 48. Prefix pool 1 can assign prefixes in the range of 12:34::/48 to 12:34:FFFF::/48.
DNS server addresses: 2:2::3
Domain names: aaa.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.com
# After a client obtains an IPv6 prefix, display IPv6 prefix binding information.
[Firewall] display ipv6 dhcp server pd-in-use all
Total number: 1
VPN instance: Public network
Prefix          Type      Pool   Expiration time
12:34::/48      Auto(C)   1      Apr 29 2011 17:07:38
# After a client obtains an IPv6 address, display IPv6 address binding information.
• To configure Firewall B, which serves as the DHCPv6 server:
  h. Enable the DHCPv6 server.
  i. Specify the dynamic prefix to create a prefix pool.
  j. Create an address pool. Apply the prefix pool to the address pool so that the DHCPv6 server can dynamically select a prefix from the prefix pool and assign it to a client. Apply the dynamic prefix to the network subnet so that the server can assign an IPv6 address to the client.
[FirewallA-dhcp6-pool-1] sip-server domain-name bbb.com
[FirewallA-dhcp6-pool-1] quit
# Enable the DHCPv6 server on GigabitEthernet 0/1, apply address pool 1 to the interface, enable the desired address/prefix assignment and rapid address/prefix assignment, and set the precedence to the highest.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
[FirewallA-GigabitEthernet0/1] quit
2.
Verifying the configuration
# Display DHCPv6 server configuration on GigabitEthernet 0/1 of Firewall A. Similar output is displayed if you display the DHCPv6 configuration on GigabitEthernet 1/1 of Firewall B.
display ipv6 dhcp server interface gigabitethernet 0/1
Using pool: 1
Preference value: 255
Allow-hint: Enabled
Rapid-commit: Enabled
# After Firewall B obtains an IPv6 prefix and network configurations, display IPv6 prefix information.
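The prefix-pool behaviour used throughout the server examples above (a parent prefix split into fixed-length sub-prefixes, the allow-hint keyword, and the lease expiry shown by display ipv6 dhcp server pd-in-use) can be modelled in a few lines. The following is an added example written for this page; it is not HP or Comware code. The pool 12:34::/32 with /48 delegations, the client DUIDs, the 90-second lifetime and the epoch timestamps are constructed for the illustration.

```python
import ipaddress
import time

# Added example, not HP/Comware code: a model of DHCPv6 prefix-delegation pool
# behaviour (parent prefix carved into fixed-length sub-prefixes, allow-hint,
# lease expiry as shown by "display ipv6 dhcp server pd-in-use").
# Pool, DUIDs and timestamps are constructed; times are Unix epoch seconds (UTC).

class PrefixPool:
    def __init__(self, parent, assign_len, lifetime_seconds=90):
        self.parent = ipaddress.IPv6Network(parent)
        if assign_len < self.parent.prefixlen or assign_len > 128:
            raise ValueError("assigned prefix length must lie within the parent prefix")
        self.assign_len = assign_len
        self.lifetime = lifetime_seconds
        self.bindings = {}          # client DUID -> (IPv6Network, expiry epoch)

    def _expire(self, now):
        self.bindings = {d: (p, e) for d, (p, e) in self.bindings.items() if e > now}

    def _in_pool(self, prefix):
        return prefix.prefixlen == self.assign_len and prefix.subnet_of(self.parent)

    def _candidates(self):
        if self.assign_len == self.parent.prefixlen:
            return [self.parent]
        return self.parent.subnets(new_prefix=self.assign_len)

    def allocate(self, duid, now, hint=None, allow_hint=True):
        """Return the prefix delegated to `duid`, or None if the pool is exhausted."""
        self._expire(now)
        if duid in self.bindings:                   # renewal keeps the same prefix
            prefix, _ = self.bindings[duid]
            self.bindings[duid] = (prefix, now + self.lifetime)
            return prefix
        taken = {p for p, _ in self.bindings.values()}
        chosen = None
        if allow_hint and hint is not None:
            # allow-hint: honour the client's requested prefix only if it is a
            # valid member of this pool and not bound to another client.
            # A malformed hint from the client is ignored, never an error.
            try:
                h = ipaddress.IPv6Network(hint, strict=False)
            except ValueError:
                h = None
            if h is not None and self._in_pool(h) and h not in taken:
                chosen = h
        if chosen is None:
            # otherwise hand out the lowest free sub-prefix (12:34::/48, 12:34:1::/48, ...)
            for cand in self._candidates():
                if cand not in taken:
                    chosen = cand
                    break
        if chosen is None:
            return None
        self.bindings[duid] = (chosen, now + self.lifetime)
        return chosen

    def pd_in_use(self, now):
        """Rows in the style of 'display ipv6 dhcp server pd-in-use': (prefix, duid, expiry)."""
        self._expire(now)
        fmt = lambda e: time.strftime("%b %d %Y %H:%M:%S", time.gmtime(e))
        return sorted((str(p), d, fmt(e)) for d, (p, e) in self.bindings.items())
```

The hint is validated against the pool before it is honoured: a client asking for a prefix outside the pool, or for one already bound to another client, simply gets the next free prefix, which is the reason allow-hint can be left enabled without letting a client steal another client's delegation.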
Configuring the DHCPv6 relay agent
The DHCPv6 relay agent can be configured only at the CLI.
Overview
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 377, if the DHCPv6 server resides on another subnet, the DHCPv6 client can reach the server through a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
Figure 378 Operating process of a DHCPv6 relay agent (DHCPv6 client, DHCPv6 relay agent, DHCPv6 server)
(1) Solicit (contains a Rapid Commit option)
(2) Relay-forward
(3) Relay-reply
(4) Reply

Configuration prerequisites
Before you configure the DHCPv6 relay agent, enable IPv6 by using the ipv6 command in system view.
Configuration guidelines
• Executing the ipv6 dhcp relay server-address command repeatedly specifies multiple DHCPv6 servers. Up to eight DHCPv6 servers can be specified for an interface.
Displaying and maintaining the DHCPv6 relay agent
Task: Display the DUID of the local device.
  Command: display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display DHCPv6 server addresses specified on the DHCPv6 relay agent.
  Command: display ipv6 dhcp relay server-address { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display packet statistics on the DHCPv6 relay agent.
system-view
[Firewall] ipv6
# Configure the IPv6 addresses of GigabitEthernet 0/1 and GigabitEthernet 0/2.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ipv6 address 2::1 64
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 1::1 64
# Enable the DHCPv6 relay agent and specify the DHCPv6 server address on interface GigabitEthernet 0/1.
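The four-step exchange in Figure 378 is easiest to understand at the wire level. The following added example (written for this page, not HP or Comware code) builds the client's Solicit, wraps it in a Relay-forward the way the relay agent does, lets a server answer with a Relay-reply, and then has the relay unwrap and validate it. Message types, option codes, the relay header layout and HOP_COUNT_LIMIT are the values defined in RFC 8415; the link address 1::1, the client link-local address, the transaction ID and the DUID are constructed.

```python
import ipaddress
import struct

# Added example, not HP/Comware code: the DHCPv6 relay exchange of Figure 378
# (Solicit -> Relay-forward -> Relay-reply -> Reply) built and checked with the
# wire formats of RFC 8415. Message types and option codes are the RFC values;
# the addresses, transaction ID and DUID are constructed.

SOLICIT, REPLY, RELAY_FORW, RELAY_REPL = 1, 7, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_RAPID_COMMIT = 1, 9, 14
HOP_COUNT_LIMIT = 8                      # RFC 8415 section 7.6
RELAY_HDR_LEN = 34                       # type(1) hop(1) link-addr(16) peer-addr(16)

def option(code, data):
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Decode TLV options; raise on truncation so a malformed packet is dropped."""
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        i += 4
        if i + length > len(buf):
            raise ValueError("truncated option")
        opts.append((code, buf[i:i + length]))
        i += length
    if i != len(buf):
        raise ValueError("trailing bytes after options")
    return opts

def client_message(msg_type, xid, opts):
    """Client/server message: msg-type(1) transaction-id(3) options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(opts)

def build_solicit(xid, duid):
    return client_message(SOLICIT, xid, [option(OPT_CLIENTID, duid), option(OPT_RAPID_COMMIT, b"")])

def relay_forward(received, link_addr, peer_addr):
    """Step (2): the relay wraps what it received. A Relay-forward coming from
    another relay is nested with hop-count + 1 and discarded once the received
    hop-count has reached HOP_COUNT_LIMIT (RFC 8415 section 19.1.2)."""
    hop = 0
    if received[0] == RELAY_FORW:
        if received[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop count limit exceeded, packet discarded")
        hop = received[1] + 1
    return (bytes([RELAY_FORW, hop]) + ipaddress.IPv6Address(link_addr).packed
            + ipaddress.IPv6Address(peer_addr).packed + option(OPT_RELAY_MSG, received))

def server_relay_reply(relay_forward_msg, reply):
    """Step (3): the server copies hop-count, link address and peer address from
    the Relay-forward it answers and encapsulates its Reply."""
    return bytes([RELAY_REPL]) + relay_forward_msg[1:RELAY_HDR_LEN] + option(OPT_RELAY_MSG, reply)

def relay_deliver(relay_reply, my_link_addr):
    """Step (4): the relay checks that the Relay-reply is for its own link and
    returns (peer address, encapsulated message) to send toward the client."""
    if len(relay_reply) < RELAY_HDR_LEN or relay_reply[0] != RELAY_REPL:
        raise ValueError("not a Relay-reply")
    link = ipaddress.IPv6Address(relay_reply[2:18])
    peer = ipaddress.IPv6Address(relay_reply[18:RELAY_HDR_LEN])
    if link != ipaddress.IPv6Address(my_link_addr):
        raise ValueError("Relay-reply is not for this relay's link")
    inner = [d for c, d in parse_options(relay_reply[RELAY_HDR_LEN:]) if c == OPT_RELAY_MSG]
    if len(inner) != 1:
        raise ValueError("Relay-reply must carry exactly one Relay Message option")
    return str(peer), inner[0]

def exchange(link_addr="1::1", client_ll="fe80::200:5eff:fe0a:2303"):
    """Run the four steps of Figure 378 and report what each side saw."""
    duid = bytes.fromhex("00030001000fe20a0a00")      # constructed DUID-LL
    solicit = build_solicit(0x0ABCDE, duid)                        # (1)
    fwd = relay_forward(solicit, link_addr, client_ll)             # (2)
    inner = dict(parse_options(fwd[RELAY_HDR_LEN:]))[OPT_RELAY_MSG]
    reply = client_message(REPLY, int.from_bytes(inner[1:4], "big"),
                           [option(OPT_CLIENTID, duid), option(OPT_RAPID_COMMIT, b"")])
    rr = server_relay_reply(fwd, reply)                            # (3)
    peer, delivered = relay_deliver(rr, link_addr)                 # (4)
    return {"relayed_type": fwd[0], "hop": fwd[1], "peer": peer,
            "reply_type": delivered[0], "xid_match": delivered[1:4] == solicit[1:4],
            "rapid_commit": any(c == OPT_RAPID_COMMIT for c, _ in parse_options(delivered[4:]))}
```

Two checks in the relay code are the ones that matter operationally: the hop-count limit stops a relay loop from amplifying traffic between misconfigured relays, and matching the link address in a Relay-reply keeps a relay from delivering replies that were addressed to a different relay's link.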
Configuring the DHCPv6 client
The DHCPv6 client can be configured only at the CLI.
With the DHCPv6 client enabled, an interface uses DHCPv6 to obtain configuration parameters, such as an IPv6 address or an IPv6 prefix, from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following:
• Obtain an IPv6 address and configuration parameters, and create a DHCPv6 option group for the parameters.
• Obtain an IPv6 prefix and configuration parameters, and create a DHCPv6 option group for the parameters.
Step 3. Configure the interface to use DHCPv6 for IPv6 address acquisition.
  Command: ipv6 address dhcp-alloc [ option-group group-number | rapid-commit ] *
  Remarks: By default, an interface does not use DHCPv6 for IPv6 address acquisition.

Configuring prefix acquisition
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the interface to use DHCPv6 for IPv6 prefix acquisition.
DHCPv6 client configuration examples IPv6 prefix acquisition configuration example Network requirements The DHCPv6 client Firewall uses DHCPv6 to obtain an IPv6 prefix, the DNS server address, domain name suffix, SIP server address, and domain name of the SIP server. Configure the client to create an IPv6 prefix based on the obtained prefix and create a DHCPv6 option group for the obtained configuration parameters.
IAID: 0xf0019
Preferred server:
  Reachable via address: FE80::200:5EFF:FE0A:2303
  DUID: 00030001000fe20a0a00
  Prefix: 12:34::/32
  Preferred lifetime 90 sec, valid lifetime 90 sec
  T1 45 sec, T2 72 sec
  Will expire at Jul 18 2011 10:04:03
DNS server addresses: 2000::FF
Domain names: example.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.com
# Display IPv6 prefix information.
Figure 381 Network diagram
Configuration procedure
Before you make the following configuration, configure the DHCPv6 server. For information about the DHCPv6 server, see "Configuring the DHCPv6 server."
# Enable IPv6.
system-view
[Firewall] ipv6
# Configure GigabitEthernet 0/1 to use DHCPv6 to obtain an IPv6 address and configuration parameters, and enable rapid address assignment. With the obtained address and parameters, the client automatically creates a DHCPv6 option group.
SIP server domain names: bbb.com
# Display information about dynamic DHCPv6 option group 1.
[Firewall-GigabitEthernet0/1] display ipv6 dhcp option-group 1
DHCPv6 option group: 1
Type: Dynamic
DNS server addresses: 2000::FF
Domain names: example.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.com
# Display IPv6 information.
[FirewallB-GigabitEthernet0/1] ipv6 nd autoconfig other-flag
# Enable Firewall B to send RA messages.
[FirewallB-Ethernet1/1] undo ipv6 nd ra halt
2. Configure Firewall A:
# Enable the IPv6 packet forwarding function.
system-view
[FirewallA] ipv6
# Enable stateless IPv6 address autoconfiguration on GigabitEthernet 0/1.
Information-request : 5
Release             : 0
Decline             : 0
Configuring IPv6 DNS
IPv6 DNS can be configured only at the CLI.
IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see "Configuring IPv4 DNS."
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable dynamic domain name resolution.
  Command: dns resolve
  Remarks: Disabled by default.
Step 3. Specify a DNS server.
  Command: dns server ipv6 ipv6-address [ interface-type interface-number ]
  Remarks: Not specified by default. If the IPv6 address of the DNS server is a link-local address, you must specify the interface-type and interface-number arguments.
Step 4. Configure a DNS suffix.
  Command: dns domain domain-name
  Remarks: Optional. Not configured by default.
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
system-view
[Firewall] ipv6 host host.com 1::2
# Enable IPv6.
[Firewall] ipv6
# Use the ping ipv6 host.com command to verify that the firewall can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[Firewall] ping ipv6 host.com
PING host.
Figure 384 Network diagram (Firewall as DNS client, DNS server at 2::2/64, host.com at 1::1/64, connected through an IP network)
Configuration procedure
Before performing the following configuration, make sure the firewall and the host are accessible to each other through available routes, and the IPv6 addresses of the interfaces are configured as shown in Figure 384. This configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
Figure 386 Creating a record d. On the page that appears, select IPv6 Host (AAAA) as the resource record type. e. Click Create Record.
Figure 387 Selecting the resource record type f. On the page that appears, enter host name host and IPv6 address 1::1, and then click OK. The mapping between the host name and the IPv6 address is created.
Figure 388 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2::2.
[Firewall] dns server ipv6 2::2
# Configure com as the DNS suffix.
bytes=56 Sequence=2 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=5 hop limit=126 time = 1 ms

--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring IPv6 static routing The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. IPv6 static routing can be configured only at the CLI. Overview Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work correctly. Static routes cannot adapt to network topology changes.
Displaying and maintaining IPv6 static routes
Task: Display IPv6 static route information.
  Command: display ipv6 routing-table protocol static [ inactive | verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

IPv6 static routing configuration example
Network requirements
As shown in Figure 389, configure IPv6 static routes so that hosts can reach one another.
Figure 389 Network diagram
Configuration procedure
1. Configure IPv6 addresses for all interfaces.
[Router B] ipv6 route-static :: 0 5::2
3. Configure the IPv6 addresses of all the hosts based on the network diagram, and configure the default gateway of Host A as 1::1, Host B as 2::1, and Host C as 3::1.
4. Verify the configuration:
# Display the IPv6 routing table on Router A.
Configuring an IPv6 default route
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
An IPv6 default route is used to forward packets that match no entry in the routing table. An IPv6 default route can be configured in either of the following ways:
• The network administrator can configure a default route with a destination prefix of ::/0. For more information, see "Configuring IPv6 static routing."
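The two rules behind the static and default route sections above, longest-prefix match and the requirement that a static route's next hop be reachable before the route is installed, are shown in the following added example. It is written for this page and is not HP or Comware code; the connected networks, static routes, next hops and interface names are constructed to resemble the Figure 389 topology. The route with next hop 9::1 stands for the kind of entry that display ipv6 routing-table protocol static inactive would list.

```python
import ipaddress
from collections import namedtuple

# Added example, not HP/Comware code: an IPv6 longest-prefix-match lookup over
# static routes, showing that the default route ::/0 only catches traffic that
# matches no longer prefix, and that a static route whose next hop is on no
# directly connected network stays inactive. Prefixes, next hops and interface
# names are constructed for the example.

Route = namedtuple("Route", "prefix next_hop iface")   # next_hop None = directly connected

def route(prefix, next_hop=None, iface=None):
    return Route(ipaddress.IPv6Network(prefix), next_hop, iface)

def resolve(routes):
    """Split static routes into installable ones (next hop lies in a connected
    prefix, outgoing interface taken from it) and inactive ones."""
    connected = [r for r in routes if r.next_hop is None]
    fib, inactive = list(connected), []
    for r in routes:
        if r.next_hop is None:
            continue
        nh = ipaddress.IPv6Address(r.next_hop)
        via = next((c for c in connected if nh in c.prefix), None)
        if via is None:
            inactive.append(r)
        else:
            fib.append(Route(r.prefix, r.next_hop, via.iface))
    return fib, inactive

def lookup(fib, dst):
    """Longest-prefix match; ::/0 (length 0) wins only when nothing longer matches."""
    addr = ipaddress.IPv6Address(dst)
    matches = [r for r in fib if addr in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return str(best.prefix), best.next_hop, best.iface

# Sample table: two connected networks, two static routes and a default route,
# one static route pointing at a next hop that is on no connected network.
SAMPLE_ROUTES = [
    route("1::/64", iface="GE0/1"),
    route("4::/64", iface="GE0/2"),
    route("2::/64", "4::2"),
    route("3::/64", "9::1"),         # 9::1 is unreachable: the route stays inactive
    route("::/0", "4::2"),           # default route
]
```

Because the inactive 3::/64 entry is never installed, traffic for 3::5 silently follows the default route instead; when a static route seems to be ignored, checking the inactive list is the first step.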
Configuring RIPng The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. RIPng can be configured only at the CLI. Overview RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in RIPng. RIPng for IPv6 has the following basic differences from RIP: • UDP port number—RIPng uses UDP port 521 for sending and receiving routing information.
You must enable RIPng before you configure other RIPng tasks. Interface configurations that are not specific to RIPng, such as assigning an IPv6 address, do not require RIPng to be enabled first.
Configuration prerequisites
Before you configure RIPng basic functions, complete the following tasks:
• Enable IPv6 packet forwarding.
• Configure an IPv6 address for each interface, and make sure all nodes are reachable to one another.
Configuration procedure
To configure the basic RIPng functions:
Step 1.
To configure an inbound or outbound additional routing metric:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify an inbound routing additional metric.
  Command: ripng metricin value
  Remarks: Optional. 0 by default.
Step 4. Specify an outbound routing additional metric.
  Command: ripng metricout value
  Remarks: Optional. 1 by default.

Configuring RIPng route summarization
Step 1. Enter system view.
  Command: system-view
Step 2.
Step 3. Configure a filter policy to filter incoming routes.
  Command: filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } import
  Remarks: By default, RIPng does not filter incoming routing information.
Step 4. Configure a filter policy to filter outgoing routes.
  Command: filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } export [ protocol [ process-id ] ]
  Remarks: By default, RIPng does not filter outgoing routing information.
Configuring RIPng timers
You can adjust RIPng timers to optimize the performance of the RIPng network. When adjusting RIPng timers, consider the network performance, and apply the same timer settings on all routers running RIPng to avoid unnecessary network traffic or route oscillation.
To configure RIPng timers:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RIPng view.
  Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 3. Configure RIPng timers.
Step 3. Enable the poison reverse function.
  Command: ripng poison-reverse
  Remarks: Disabled by default.

Configuring zero field check on RIPng packets
Some fields in a RIPng packet must be zero; these are called "zero fields." With zero field check enabled, a RIPng packet in which such a field contains a non-zero value is discarded in its entirety. If you are sure that all packets are reliable, you can disable the zero field check to reduce CPU processing time.
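What the zero field check actually inspects is easier to see against the RIPng packet layout. The following added example (written for this page, not HP or Comware code) parses RIPng packets as defined in RFC 2080 (UDP port 521, a header of command, version and a must-be-zero field, then 20-byte route entries) and applies the check as described above: one non-zero must-be-zero field discards the whole packet, while the same packet is accepted when the check is disabled. The sample packets, prefixes and next-hop address are constructed.

```python
import ipaddress
import struct

# Added example, not HP/Comware code: a RIPng (RFC 2080) packet parser that
# applies the zero-field check, discarding the whole packet when a must-be-zero
# field is non-zero, and shows what disabling the check lets through.
# Sample packets are constructed for the example.

RIPNG_PORT = 521
RIPNG_VERSION = 1
CMD_REQUEST, CMD_RESPONSE = 1, 2
NEXT_HOP_METRIC = 0xFF
INFINITY = 16
RTE_LEN = 20                                   # prefix(16) tag(2) prefixlen(1) metric(1)

def build_rte(prefix, tag=0, metric=1):
    net = ipaddress.IPv6Network(prefix)
    return net.network_address.packed + struct.pack("!HBB", tag, net.prefixlen, metric)

def build_next_hop_rte(next_hop, tag=0, prefix_len=0):
    """Next-hop RTE: metric 0xFF; its tag and prefix length are must-be-zero fields."""
    return ipaddress.IPv6Address(next_hop).packed + struct.pack("!HBB", tag, prefix_len, NEXT_HOP_METRIC)

def build_packet(command, rtes, mbz=0):
    """Header: command(1) version(1) must-be-zero(2). A non-zero `mbz` simulates a bad packet."""
    return struct.pack("!BBH", command, RIPNG_VERSION, mbz) + b"".join(rtes)

def parse_ripng(pkt, zero_field_check=True):
    """Return (command, [(prefix, tag, metric), ...]); a ValueError stands for
    the router discarding the packet."""
    if len(pkt) < 4 or (len(pkt) - 4) % RTE_LEN:
        raise ValueError("bad packet length")
    command, version, mbz = struct.unpack_from("!BBH", pkt, 0)
    if version != RIPNG_VERSION:
        raise ValueError("unsupported version")
    if command not in (CMD_REQUEST, CMD_RESPONSE):
        raise ValueError("unknown command")
    if zero_field_check and mbz != 0:
        raise ValueError("non-zero must-be-zero field in header")
    routes = []
    for off in range(4, len(pkt), RTE_LEN):
        raw, tag, plen, metric = struct.unpack_from("!16sHBB", pkt, off)
        if metric == NEXT_HOP_METRIC:
            if zero_field_check and (tag or plen):
                raise ValueError("non-zero must-be-zero field in next-hop RTE")
            continue                            # sets the next hop for following RTEs; not a route
        if plen > 128 or not 1 <= metric <= INFINITY:
            raise ValueError("invalid RTE")
        prefix = ipaddress.IPv6Network((ipaddress.IPv6Address(raw), plen), strict=False)
        routes.append((str(prefix), tag, metric))
    return command, routes
```

The length, version and command checks run regardless of the zero field setting; disabling the zero field check only stops the parser from rejecting packets whose reserved fields carry stray values, which is why the guide limits that setting to networks where every RIPng speaker is trusted.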
Configuration prerequisites
Before you apply an IPsec policy for RIPng, complete the following tasks:
• Create an IPsec proposal.
• Create an IPsec policy.
For more information about IPsec policy configuration, see Security Configuration Guide.
Configuration procedure
To apply an IPsec policy in a process:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter RIPng view.
  Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 3. Apply an IPsec policy in the process.
RIPng configuration examples Configuring RIPng basic functions Network requirements As shown in Figure 390, all devices learn IPv6 routing information through RIPng. Configure Router A to filter the route (3::/64) learned from Router B, which means the route is not added to the routing table of Router A, and Router B does not forward it to Firewall. Figure 390 Network diagram Configuration procedure 1. Configure the IPv6 address for each interface. (Details not shown.) 2.
[RouterB-GigabitEthernet0/1] ripng 1 enable
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ripng 1 enable
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/3
[RouterB-GigabitEthernet0/3] ripng 1 enable
[RouterB-GigabitEthernet0/3] quit
# Display the RIPng routing table of Router A.
Dest 5::/64,
    via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[Firewall] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE00:1235 on GigabitEthernet0/1
Dest 1::/64,
    via FE80::20F:E2FF:FE00:1235, cost 1, tag 0, A, 2 Sec
Dest 4::/64,
    via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec
Dest 5::/64,
    via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec

Configuring RIPng route red
[Firewall-GigabitEthernet0/2] ripng 100 enable
[Firewall-GigabitEthernet0/2] quit
[Firewall] ripng 200
[Firewall-ripng-200] quit
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ripng 200 enable
# Enable RIPng 200 on Router B.
[Firewall-ripng-100] quit
[Firewall] ripng 200
[Firewall-ripng-200] import-route ripng 100
[Firewall-ripng-200] quit
# Display the routing table on Router A.
Figure 392 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure RIPng basic functions:
# Configure Router A.
system-view
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ripng 1 enable
[RouterA-GigabitEthernet0/1] quit
# Configure Router B.
[RouterA-ipsec-policy-manual-policy001-10] transform-set tran1
[RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[RouterA-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[RouterA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[RouterA-ipsec-policy-manual-policy001-10] quit
# On Router B, create an IPsec proposal named tran1, and set the encapsulation mode to transport mode, the s
[RouterB] ripng 1
[RouterB-ripng-1] enable ipsec-policy policy001
[RouterB-ripng-1] quit
# Configure Firewall.
[Firewall] ripng 1
[Firewall-ripng-1] enable ipsec-policy policy001
[Firewall-ripng-1] quit
5. Verify the configuration:
RIPng packets between Router A, Router B and Firewall are protected by IPsec.
Configuring OSPFv3 The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. Overview Open Shortest Path First version 3 (OSPFv3) supports IPv6 and complies with RFC 2740 (OSPF for IPv6).
Task                                                              Remarks
Tuning and optimizing OSPFv3 networks:
  Configuring OSPFv3 timers                                       Optional
  Configuring a DR priority for an interface                      Optional
  Ignoring MTU check for DD packets                               Optional
  Disabling interfaces from receiving and sending OSPFv3 packets  Optional
  Enabling the logging of neighbor state changes                  Optional
  Configuring BFD for OSPFv3                                      Optional
  Applying IPsec policies for OSPFv3                              Optional

Enabling OSPFv3
Configuration prerequisites
Before you enable OSPFv3, complete the following tasks:
• Mak
Configuring OSPFv3 area parameters The stub area and virtual link features of OSPFv3 are the same as OSPFv2. Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs and extends OSPFv3 applications. For those non-backbone areas residing on the AS boundary, configure them as stub areas to further reduce the size of routing tables and the number of LSAs. Non-backbone areas exchange routing information through the backbone area.
IMPORTANT:
• Both ends of a virtual link are ABRs that must be configured with the vlink-peer command.
• Do not configure virtual links in the areas of a GR-capable process.
To configure a virtual link:
Step 1. Enter system view.
  Command: system-view
Step 2. Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
Step 3. Enter OSPFv3 area view.
  Command: area area-id
Step 4. Configure a virtual link.
Step 3. Configure a network type for the OSPFv3 interface.
  Command: ospfv3 network-type { broadcast | nbma | p2mp [ non-broadcast ] | p2p } [ instance instance-id ]
  Remarks: Optional. The network type of an interface depends on the media type of the interface.

Configuring an NBMA or P2MP neighbor
For NBMA and P2MP interfaces (only when in unicast mode), you must specify the link-local IPv6 addresses of their neighbors, because these interfaces cannot find neighbors by broadcasting hello packets.
Step 4. Configure a summary route.
  Command: abr-summary ipv6-address prefix-length [ not-advertise ]
  Remarks: Not configured by default. The abr-summary command takes effect on ABRs only.

Configuring OSPFv3 inbound route filtering
You can configure OSPFv3 to filter, according to rules you specify, the routes computed from received LSAs.
To configure OSPFv3 inbound route filtering:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3.
To configure a bandwidth reference value:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3. Configure a bandwidth reference value.
  Command: bandwidth-reference value
  Remarks: Optional. 100 Mbps by default.

Configuring the maximum number of OSPFv3 ECMP routes
Perform this task to implement load sharing over ECMP routes.
To configure the maximum number of ECMP routes:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
• The filter-policy export command filters routes redistributed with the import-route command. If the import-route command is not configured, the filter-policy export command does not take effect.
To configure OSPFv3 route redistribution:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3. Specify a default cost for redistributed routes.
  Command: default cost value
Step 4. Redistribute routes from another protocol or another OSPFv3 process.
Configuring OSPFv3 timers
Make sure that the dead interval set on neighboring interfaces is not too short; otherwise, a neighbor is easily considered down. Also make sure that the LSA retransmission interval is not too short; otherwise, unnecessary retransmissions might occur.
To configure OSPFv3 timers:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the hello interval.
Step 3. Configure a DR priority.
  Command: ospfv3 dr-priority priority [ instance instance-id ]
  Remarks: Optional. Defaults to 1.

Ignoring MTU check for DD packets
When DD packets carry few LSAs, checking the MTU in DD packets is unnecessary, and skipping it improves efficiency.
To ignore MTU check for DD packets:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Ignore MTU check for DD packets.
Configuring BFD for OSPFv3
The following matrix shows the feature and hardware compatibility:
Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           No
F1000-E                         No
F5000                           Yes
F5000-S/F5000-C                 No
VPN firewall modules            No
20-Gbps VPN firewall modules    No
Bidirectional forwarding detection (BFD) provides a mechanism to quickly detect the connectivity of links between OSPFv3 neighbors, improving the convergence speed of OSPFv3. For more information about BFD, see High Availability Configuration Guide.
match, the device accepts the packet. Otherwise, it discards the packet and will not establish a neighbor relationship with the sending device. You can configure an IPsec policy for an area, an interface, or a virtual link. • To implement area-based IPsec protection, configure the same IPsec policy on the routers in the target area. • To implement interface-based IPsec protection, configure the same IPsec policy on the interfaces between two neighboring routers.
Step 4. Apply an IPsec policy on a virtual link.
  Command: vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | instance instance-id | ipsec-policy policy-name ] *
  Remarks: Not configured by default.

Displaying and maintaining OSPFv3
Task: Display OSPFv3 process brief information.
  Command: display ospfv3 [ process-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display OSPFv3 interface information.
Task: Display OSPFv3 statistics.
  Command: display ospfv3 statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.

OSPFv3 configuration examples
Configuring OSPFv3 areas
Network requirements
In Figure 393, all devices run OSPFv3. The AS is split into three areas, in which Router B and Router C act as ABRs to forward routing information between areas. Configure Area 2 as a stub area to reduce LSAs in the area without affecting route reachability.
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 1 area 0
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ospfv3 1 area 1
[RouterB-GigabitEthernet0/2] quit
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] ospfv3 1
[RouterC-ospfv3-1] router-id 3.3.3.
2.2.2.2         1     Full/DR        00:00:35   GE0/1       0

OSPFv3 Area ID 0.0.0.2 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State          Dead Time  Interface   Instance ID
4.4.4.4         1     Full/Backup    00:00:36   GE0/2       0

# Display OSPFv3 routing information on Firewall.
[Firewall] display ospfv3 routing
E1 - Type 1 external route, IA - Inter area route, E2 - Type 2 external route,
I - Intra area route, * - Selected route
OSPFv3 Router with ID (4.4.4.
-----------------------------------------------------------------------
*Destination: ::/0
 Type       : IA                      Cost     : 11
 NextHop    : FE80::F40D:0:93D0:1     Interface: GE0/2
*Destination: 2001::/64
 Type       : IA                      Cost     : 2
 NextHop    : FE80::F40D:0:93D0:1     Interface: GE0/2
*Destination: 2001:1::/64
 Type       : IA                      Cost     : 3
 NextHop    : FE80::F40D:0:93D0:1     Interface: GE0/2
*Destination: 2001:2::/64
 Type       : I                       Cost     : 1
 NextHop    : directly-connected      Interface: GE0/2
*Destination: 2001:3::/64
4.
• The priority of Router B is 0, so it cannot become a DR.
• Router A has the default priority 1.
Figure 394 Network diagram (Firewall, Router A, Router B, and Router C share one broadcast network through their GE0/1 interfaces, addressed 2001::1/64, 2001::2/64, 2001::3/64, and 2001::4/64)
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Configure Firewall.
system-view
[Firewall] ipv6
[Firewall] ospfv3
[Firewall-ospfv3-1] router-id 1.1.1.
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 4.4.4.4
[RouterA-ospfv3-1] quit
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ospfv3 1 area 0
[RouterA-GigabitEthernet0/1] quit
# Display neighbor information on Firewall.
[Firewall] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State          Dead Time  Interface   Instance ID
2.2.2.
2.2.2.2         0     2-Way/DROther  00:00:38   GE0/1       0
3.3.3.3         2     Full/Backup    00:00:32   GE0/1       0
4.4.4.4         1     Full/DR        00:00:36   GE0/1       0
The output shows that the DR priorities have been updated, but the DR and BDR are not changed.
# Display neighbor information on Router A.
[RouterA] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State          Dead Time  Interface   Instance ID
1.1.1.1         100   Full/DROther   00:00:33   GE0/1       0
2.
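The output above, in which the Firewall advertises priority 100 yet stays DROther, follows from the DR election rules rather than from a misconfiguration. The following added example, written for this page and not HP or Comware code, models the election of RFC 2328 section 9.4 (which OSPFv3 keeps) in simplified form: a router with priority 0 is never eligible, a router that already declares itself DR or BDR in its Hellos is not displaced, and a higher priority only matters when a role is vacant. The router IDs and priorities follow the example topology; the declared-DR/BDR flags are constructed state, and the cold-start scenario is included to contrast with the converged one shown in the output (where Router A with priority 1 is DR, which is what non-preemption produces when Router A was DR before Router C joined).

```python
from collections import namedtuple

# Added example, not HP/Comware code: a simplified model of the OSPF DR/BDR
# election (RFC 2328 section 9.4, retained by OSPFv3). Priority 0 is never
# elected, and an existing DR/BDR is never preempted; a higher priority only
# wins a role when that role becomes vacant. Router IDs and priorities follow
# the example above; the "declares_*" flags are constructed state.

Router = namedtuple("Router", "rid priority declares_dr declares_bdr")

def _rid_key(rid):
    return tuple(int(x) for x in rid.split("."))

def _best(cands):
    # highest priority wins; ties are broken by the highest router ID
    return max(cands, key=lambda r: (r.priority, _rid_key(r.rid)))

def elect(routers):
    """Return (DR router ID, BDR router ID) from the routers' current claims
    as carried in their Hello packets."""
    eligible = [r for r in routers if r.priority > 0]
    not_dr = [r for r in eligible if not r.declares_dr]
    claiming_bdr = [r for r in not_dr if r.declares_bdr]
    bdr = _best(claiming_bdr) if claiming_bdr else (_best(not_dr) if not_dr else None)
    claiming_dr = [r for r in eligible if r.declares_dr]
    if claiming_dr:
        dr = _best(claiming_dr)           # an existing DR is never preempted
    else:
        dr = bdr                          # no DR: the BDR is promoted ...
        rest = [r for r in not_dr if r is not dr]
        claiming_bdr = [r for r in rest if r.declares_bdr]
        bdr = _best(claiming_bdr) if claiming_bdr else (_best(rest) if rest else None)   # ... and a new BDR is chosen
    return (dr.rid if dr else None, bdr.rid if bdr else None)

# All four routers start at once with no roles claimed yet.
COLD_START = [Router("1.1.1.1", 1, False, False), Router("2.2.2.2", 0, False, False),
              Router("3.3.3.3", 2, False, False), Router("4.4.4.4", 1, False, False)]

# The converged state of the example: Router A (4.4.4.4) is DR, Router C (3.3.3.3)
# is BDR, and the Firewall's priority has just been raised to 100.
STEADY_STATE = [Router("1.1.1.1", 100, False, False), Router("2.2.2.2", 0, False, False),
                Router("3.3.3.3", 2, False, True), Router("4.4.4.4", 1, True, False)]
```

Running elect on STEADY_STATE returns Router A as DR and Router C as BDR despite the Firewall's priority of 100; only when Router A leaves does the BDR move up and the Firewall become BDR. To make a specific router the DR, set its priority before the segment converges or restart the OSPFv3 process on the current DR during a maintenance window.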
Figure 395 Network diagram (Router A, Firewall, and Router B; OSPFv3 process 1 area 2 and process 2 area 2; interface addresses 2::1/64, 1::1/64, 1::2/64, 3::1/64, 3::2/64, and 4::1/64)
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Enable OSPFv3 process 1 on Router A.
system-view
[RouterA] ipv6
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.
[RouterB] interface gigabitethernet0/2
[RouterB-GigabitEthernet0/2] ospfv3 2 area 2
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 2 area 2
[RouterB-GigabitEthernet0/1] quit
# Display the routing table of Router B.
[RouterB] display ipv6 routing-table
Routing Table :
Destinations : 6
3.
 NextHop    : ::1                          Preference: 0
 Interface  : InLoop0                      Cost      : 0

Destination : 1::/64                       Protocol  : OSPFv3
 NextHop    : FE80::200:CFF:FE01:1C03      Preference: 150
 Interface  : GE0/2                        Cost      : 3

Destination : 2::/64                       Protocol  : OSPFv3
 NextHop    : FE80::200:CFF:FE01:1C03      Preference: 150
 Interface  : GE0/2                        Cost      : 3

Destination : 3::/64                       Protocol  : Direct
 NextHop    : 3::2                         Preference: 0
 Interface  : GE0/2                        Cost      : 0

Destination : 3::2/128                     Protocol  : Direct
 NextHop    : ::1                          Preference: 0
 Interface  : InLoop0
• Configure OSPFv3 on Firewall A, Firewall B and Router and configure BFD over the link Firewall A<—>L2 Switch<—>Firewall B. • After the link Firewall A<—>L2 Switch<—>Firewall B fails, BFD can quickly detect the failure and notify OSPFv3 of the failure. Then Firewall A and Firewall B communicate through Router.
[FirewallB-GigabitEthernet1/1] quit
[FirewallB] interface gigabitethernet 1/2
[FirewallB-GigabitEthernet1/2] ospfv3 1 area 0
[FirewallB-GigabitEthernet1/2] quit
# Enable OSPFv3 and set the router ID to 3.3.3.3 on Router.
system-view
[Router] ipv6
[Router] ospfv3 1
[Router-ospfv3-1] router-id 3.3.3.
display ipv6 routing-table 2001:4::0 64 verbose
Routing Table :
Summary Count : 2

 Destination   : 2001:4::              PrefixLength : 64
 NextHop       : 2001::2               Preference   : 10
 IpPrecedence  :                       QosLcId      :
 RelayNextHop  : ::                    Tag          : 0H
 Neighbor      : ::                    ProcessID    : 0
 Interface     : GigabitEthernet1/1    Protocol     : OSPFv3
 State         : Active Adv            Cost         : 1
 Tunnel ID     : 0x0                   Label        : NULL
 Age           : 4538sec

 Destination   : 2001:4::              PrefixLength : 64
 NextHop       : 2001:2::2             Preference   : 10
 IpPrecedence  :                       QosLcId      :
Routing Table :
Summary Count : 1

 Destination   : 2001:4::              PrefixLength : 64
 NextHop       : 2001:2::2             Preference   : 10
 IpPrecedence  :                       QosLcId      :
 RelayNextHop  : ::                    Tag          : 0H
 Neighbor      : ::                    ProcessID    : 0
 Interface     : GigabitEthernet1/2    Protocol     : OSPFv3
 State         : Active Adv            Cost         : 2
 Tunnel ID     : 0x0                   Label        : NULL
 Age           : 4610sec
The output shows that Firewall A communicates with Firewall B through Router.
system-view
[RouterB] ipv6
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ospfv3 1 area 1
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 1 area 0
[RouterB-GigabitEthernet0/1] quit
# Configure Firewall: enable OSPFv3 and configure the router ID as 3.3.3.3.
IMPORTANT:
The transform set in this example uses DES, a cipher that is no longer considered secure, and a short manually configured key shared by both directions. In a production deployment, use a stronger ESP encryption algorithm (for example, AES) and long random keys, and use different keys and SPIs for each direction. Whatever parameters you choose, the transform set, SPIs and keys must be identical on every router that exchanges OSPFv3 packets under the same policy; otherwise the packets are discarded and no neighbor relationship is formed.
[RouterB] ipsec transform-set tran1
[RouterB-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterB-ipsec-transform-set-tran1] transform esp
[RouterB-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterB-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterB-ipsec-transform-set-tran1] quit
[RouterB] ipsec policy policy001 10 manual
[RouterB-ipsec-policy-manual-policy001-10] transform-set tran1
[RouterB-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[RouterB-i
[RouterA-ospfv3-1-area-0.0.0.1] enable ipsec-policy policy001
[RouterA-ospfv3-1-area-0.0.0.1] quit
[RouterA-ospfv3-1] quit
# Configure Router B.
[RouterB] ospfv3 1
[RouterB-ospfv3-1] area 0
[RouterB-ospfv3-1-area-0.0.0.0] enable ipsec-policy policy002
[RouterB-ospfv3-1-area-0.0.0.0] quit
[RouterB-ospfv3-1] area 1
[RouterB-ospfv3-1-area-0.0.0.1] enable ipsec-policy policy001
[RouterB-ospfv3-1-area-0.0.0.1] quit
[RouterB-ospfv3-1] quit
# Configure Firewall.
Incorrect routing information
Symptom
OSPFv3 cannot find routes to other areas.
Analysis
The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one of those areas must be connected to the backbone. The backbone cannot be configured as a stub area. Routers in a stub area do not receive external routes, and every interface connected to the stub area must be associated with the stub area.
Solution
1.
Configuring IPv6 IS-IS The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. This chapter describes how to configure IPv6 IS-IS, which supports all IPv4 IS-IS features except that it advertises IPv6 routing information. For information about IS-IS, see "Configuring IS-IS." IPv6 IS-IS can be configured only at the CLI.
• Enable IPv6 globally.
• Configure IPv6 addresses for interfaces, and make sure that all neighboring nodes can reach each other.
• Enable IS-IS.
Configuration procedure
To configure basic IPv6 IS-IS:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable an IS-IS process and enter IS-IS view.
  Command: isis [ process-id ]
  Remarks: Not enabled by default.
Step 3. Configure the network entity title for the IS-IS process.
  Command: network-entity net
  Remarks: Not configured by default.
Step 4. Enable IPv6 for the IS-IS process.
  Remarks: Optional.
Step 6. Configure IPv6 IS-IS to filter incoming routes.
  Command: ipv6 filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name } import
Step 7. Configure IPv6 IS-IS to redistribute routes from another routing protocol.
  Command: ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
• Display LSDB information.
  Command: display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ [ lsp-id lsp-id | lsp-name lspname | local ] | verbose ] * ] * [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display IS-IS mesh group information.
  Command: display isis mesh-group [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Figure 398 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 IS-IS:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] ipv6 enable
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] isis ipv6 enable 1
[RouterA-GigabitEthernet1/1] quit
# Configure Router B.
[Firewall-GigabitEthernet1/1] isis ipv6 enable 1
[Firewall-GigabitEthernet1/1] quit
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] isis ipv6 enable 1
[Firewall-GigabitEthernet1/2] quit
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] isis ipv6 enable 1
[Firewall-GigabitEthernet1/3] quit
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] isis 1
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 20.0000.0000.0004.
# Display the IPv6 IS-IS routing table of Router B.
ISIS(1) IPv6 Level-2 Forwarding Table
-------------------------------------
 Destination: 2001:1::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/2

 Destination: 2001:2::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/1

 Destination: 2001:3::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/3

 Destination: 2001:4::1                   PrefixLen: 128
 Flag       : R/-/-                       Cost     : 10
 Next Hop   : FE80::20F:E2FF:FE3E:FA3D    Interface: GE1/3

 Flags:
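The forwarding table above is the kind of output a verification step is expected to read by hand; when it has to be checked repeatedly it is worth parsing. The following Python is an added example, not code from the HP guide: it parses a constructed copy of the IPv6 IS-IS forwarding table (laid out in the same fields as Router B's table above), runs the consistency checks an operator would apply before trusting it, and resolves addresses against it with a longest-prefix match. The sample output string is constructed for this example.

```python
"""Parse and sanity-check the IPv6 IS-IS forwarding table printed by the firewall.

Added example; the sample below is constructed in the layout the guide shows
(Router B's ISIS(1) IPv6 Level-2 Forwarding Table), not captured from a device.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_OUTPUT = """\
ISIS(1) IPv6 Level-2 Forwarding Table
-------------------------------------
 Destination: 2001:1::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/2

 Destination: 2001:2::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/1

 Destination: 2001:3::                    PrefixLen: 64
 Flag       : D/L/-                       Cost     : 10
 Next Hop   : Direct                      Interface: GE1/3

 Destination: 2001:4::1                   PrefixLen: 128
 Flag       : R/-/-                       Cost     : 10
 Next Hop   : FE80::20F:E2FF:FE3E:FA3D    Interface: GE1/3
"""

HEADER_RE = re.compile(r"ISIS\((\d+)\) IPv6 (Level-[12]) Forwarding Table")
# One entry spans three printed lines; \s+ crosses the line breaks.
ENTRY_RE = re.compile(
    r"Destination:\s*(?P<dest>\S+)\s+PrefixLen:\s*(?P<plen>\d+)\s+"
    r"Flag\s*:\s*(?P<flag>\S+)\s+Cost\s*:\s*(?P<cost>\d+)\s+"
    r"Next Hop\s*:\s*(?P<nh>\S+)\s+Interface:\s*(?P<intf>\S+)"
)


@dataclass
class Isis6Route:
    network: ipaddress.IPv6Network
    flags: str                                  # e.g. "D/L/-" or "R/-/-"
    cost: int
    next_hop: Optional[ipaddress.IPv6Address]   # None when printed as "Direct"
    interface: str

    @property
    def is_direct(self) -> bool:
        # First flag position: D = directly connected prefix; R = learned route
        # installed with a next hop (both forms appear in the guide's sample).
        return self.flags.split("/")[0] == "D"


def parse_forwarding_table(text: str) -> Tuple[int, str, List[Isis6Route]]:
    """Return (process id, level, routes) from the display output."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an IS-IS IPv6 forwarding table")
    routes = []
    for m in ENTRY_RE.finditer(text):
        nh = None if m["nh"] == "Direct" else ipaddress.IPv6Address(m["nh"])
        routes.append(Isis6Route(
            network=ipaddress.IPv6Network(f"{m['dest']}/{m['plen']}"),
            flags=m["flag"], cost=int(m["cost"]), next_hop=nh,
            interface=m["intf"]))
    return int(header.group(1)), header.group(2), routes


def check_table(routes: List[Isis6Route]) -> List[str]:
    """Consistency checks to run before trusting the table in a verification step."""
    problems = []
    for r in routes:
        if r.is_direct and r.next_hop is not None:
            problems.append(f"{r.network}: flagged Direct but has next hop {r.next_hop}")
        if not r.is_direct and r.next_hop is None:
            problems.append(f"{r.network}: learned route without a next hop")
        # IS-IS adjacencies are formed over link-local addresses, so a learned
        # route whose next hop is not link-local deserves a closer look.
        if r.next_hop is not None and not r.next_hop.is_link_local:
            problems.append(f"{r.network}: next hop {r.next_hop} is not link-local")
    return problems


def lookup(routes: List[Isis6Route], address: str) -> Optional[Isis6Route]:
    """Longest-prefix match of an address against the parsed table."""
    addr = ipaddress.IPv6Address(address)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


if __name__ == "__main__":
    pid, level, table = parse_forwarding_table(SAMPLE_OUTPUT)
    print(f"ISIS({pid}) {level}: {len(table)} routes, problems: {check_table(table) or 'none'}")
    hit = lookup(table, "2001:4::1")
    print(f"2001:4::1 -> {hit.interface} via {hit.next_hop}")
```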
Configuring IPv6 BGP The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules. IPv6 BGP can be configured only at the CLI. This chapter describes only configuration for IPv6 BGP. For BGP-related information, see "Configuring BGP." Overview BGP-4 can only carry IPv4 routing information. To support multiple network layer protocols, IETF extended BGP-4 by introducing Multiprotocol Border Gateway Protocol (MP-BGP).
• Configuring inbound route filtering (Optional)
• Configuring IPv6 BGP and IGP route synchronization (Optional)
• Configuring route dampening (Optional)
• Configuring IPv6 BGP route attributes:
  - Configuring IPv6 BGP preference and default LOCAL_PREF and NEXT_HOP attributes (Optional)
  - Configuring the MED attribute (Optional)
  - Configuring the AS_PATH attribute (Optional)
• Tuning and optimizing IPv6 BGP networks:
  - Configuring IPv6 BGP timers (Optional)
  - Configurin
• Configuring a large-scale IPv6 BGP network
4. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
   Command: ipv6-family [ vpn-instance vpn-instance-name ]
5. Specify an IPv6 peer.
   Command: peer ipv6-address as-number as-number
Injecting a local IPv6 route
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
   Command: ipv6-family [ vpn-instance vpn-instance-name ]
4.
Specifying the source interface for establishing TCP connections IPv6 BGP uses TCP as the transport layer protocol. By default, IPv6 BGP uses the output interface of the optimal route to a peer or peer group as the source interface for establishing TCP connections to the peer or peer group. If an IPv6 BGP router has multiple links to a peer, and the source interface fails, IPv6 BGP must reestablish TCP connections, causing network oscillation.
Configuring a description for an IPv6 peer or peer group
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Configure a description for an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } description description-text
   Remarks: Optional. Not configured by default. The peer group to be configured with a description must have been created.
• Enable IPv6.
• Configure IPv6 BGP basic functions.
Configuring IPv6 BGP route redistribution
IMPORTANT: If the default-route imported command is not configured, the import-route command cannot redistribute an IGP default route.
To configure IPv6 BGP route redistribution:
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Advertise a default route to an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } default-route-advertise [ route-policy route-policy-name ]
   Remarks: Not advertised by default.
Configuring inbound route filtering
Only routes that pass the configured filtering can be added to the local IPv6 BGP routing table. Members of a peer group can have different inbound route filtering policies.
To configure inbound route filtering:
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
   Command: ipv6-family [ vpn-instance vpn-instance-name ]
4.
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Enable route synchronization between IPv6 BGP and IGP.
   Command: synchronization
   Remarks: Not enabled by default.
Configuring route dampening
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Configure IPv6 BGP route dampening parameters.
In a "third party next hop" network, where the two IPv6 EBGP peers reside in a common broadcast subnet, the router by default does not change the next hop for routes sent to the IPv6 EBGP peer or peer group unless the peer next-hop-local command is configured.
To perform this configuration:
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
7. Enable the comparison of MED for routes from confederation peers.
   Command: bestroute med-confederation
   Remarks: Optional. Disabled by default. The IPv6 BGP-VPN instance view does not support this command.
Configuring the AS_PATH attribute
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4.
After modifying a route selection policy, reset IPv6 BGP connections to make the new policy take effect. The current IPv6 BGP implementation supports the route-refresh feature, which enables dynamic route refresh without disconnecting IPv6 BGP links. After this feature is enabled on all IPv6 BGP routers, a router that wants to apply a new route selection policy advertises a route-refresh message to its peers, which then resend their routing information to the router.
Configuring IPv6 BGP soft reset
Enabling route refresh
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Enable route refresh.
   Command: peer { ipv6-group-name | ipv6-address } capability-advertise route-refresh
   Remarks: Optional. Enabled by default.
Performing manual soft-reset
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3.
To enable the BGP ORF capability:
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Enable BGP route refresh for a peer or peer group.
   Command: peer { group-name | ipv6-address } capability-advertise route-refresh
   Remarks: Enabled by default.
5. Enable the non-standard ORF capability for a BGP peer or peer group.
   Command: peer { group-name | ipv6-address } capability-advertise orf non-standard
6.
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
   Command: ipv6-family [ vpn-instance vpn-instance-name ]
4. Enable 4-byte AS number suppression.
   Command: peer { group-name | ip-address } capability-advertise suppress-4-byte-as
   Remarks: Disabled by default. IPv6 BGP-VPN instance view does not support the group-name argument.
Configuring the maximum number of ECMP routes
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3.
Outbound IPv6 BGP packets carry the Security Parameter Index (SPI) defined in the IPsec policy. A device uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the device accepts the packet; otherwise, it discards the packet and will not establish a neighbor relationship with the sending device. Configuration prerequisites Before applying an IPsec policy to a peer or peer group, complete the following tasks: • Create an IPsec proposal.
Configuring IPv6 BGP peer group
Configuring an IBGP peer group
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Create an IBGP peer group.
   Command: group ipv6-group-name [ internal ]
5. Add a peer into the group.
   Command: peer ipv6-address group ipv6-group-name [ as-number as-number ]
   Remarks: Not added by default.
Creating a pure EBGP peer group
1. Enter system view.
NOTE: When creating a mixed EBGP peer group, you must create a peer and specify its AS number, which can be different from the AS numbers of other peers; however, you cannot specify an AS number for the EBGP peer group itself.
Configuring IPv6 BGP community
Advertising community attribute to an IPv6 peer or peer group
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4.
1. Enter system view.
   Command: system-view
2. Enter BGP view.
   Command: bgp as-number
3. Enter IPv6 address family view.
   Command: ipv6-family
4. Configure the router as a route reflector and specify an IPv6 peer or peer group as a client.
   Command: peer { ipv6-group-name | ipv6-address } reflect-client
   Remarks: Not configured by default.
5. Enable route reflection between clients.
   Command: reflect between-clients
   Remarks: Optional.
6. Configure the cluster ID of the route reflector.
   Command: reflector cluster-id cluster-id
   Remarks: Optional.
4. Enable BFD for the specified BGP peer.
   Command: peer ipv6-address bfd
   Remarks: By default, BFD is not enabled for any BGP peer.
Displaying and maintaining IPv6 BGP
Displaying BGP
• Display IPv6 BGP peer group information.
  Command: display bgp ipv6 group [ ipv6-group-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
• Display IPv6 BGP advertised routing information.
• Display IPv6 BGP routing flap statistics.
  Command: display bgp ipv6 routing-table flap-info [ regular-expression as-regular-expression | [ as-path-acl as-path-acl-number | ipv6-address prefix-length [ longer-match ] ] [ | { begin | exclude | include } regular-expression ] ]
  Remarks: Available in any view.
• Display labeled IPv6 BGP routing information.
  Command: display bgp ipv6 routing-table label [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
IPv6 BGP basic configuration example
Network requirements
All devices in Figure 399 run IPv6 BGP. Between Router A and Router B is an EBGP connection. Router B, Router C, and Firewall are fully meshed through IBGP connections.
Figure 399 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IBGP connections:
# Configure Router B.
system-view
[RouterB] ipv6
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.
[Firewall-bgp-af-ipv6] peer 9:1::1 as-number 65009
[Firewall-bgp-af-ipv6] peer 9:2::1 as-number 65009
[Firewall-bgp-af-ipv6] quit
[Firewall-bgp] quit
3. Configure the EBGP connection:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 10::1 as-number 65009
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp] quit
# Configure Router B.
IPv6 BGP route reflector configuration example
Network requirements
In Figure 400, Router B receives an EBGP update and sends it to Firewall, which is configured as a route reflector with two clients: Router B and Router C. Router B and Router C need not establish an IBGP connection because Firewall reflects updates between them.
Figure 400 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 BGP basic functions:
# Configure Router A.
[Firewall-bgp-af-ipv6] peer 101::2 as-number 200
[Firewall-bgp-af-ipv6] peer 102::2 as-number 200
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] bgp 200
[RouterC-bgp] router-id 4.4.4.4
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 102::1 as-number 200
3. Configure Firewall as a route reflector, and configure Router B and Router C as its clients.
[Firewall-bgp-af-ipv6] peer 101::2 reflect-client
[Firewall-bgp-af-ipv6] peer 102::2 reflect-client
4.
[RouterB] bgp 65008
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] group ibgp internal
[RouterB-bgp-af-ipv6] peer 1::1 group ibgp
[RouterB-bgp-af-ipv6] quit
[RouterB-bgp] quit
3. Configure the EBGP connection:
# Configure Firewall.
system-view
[Firewall] ipv6
[Firewall] bgp 65009
[Firewall-bgp] router-id 3.3.3.
to SHA1. Create an IPsec policy named policy001, specify the manual mode for it, reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and set the keys for the inbound and outbound SAs using ESP to abcdefg. Create an IPsec proposal named tran2, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1.
[Firewall-ipsec-policy-manual-policy002-10] sa string-key inbound esp gfedcba
[Firewall-ipsec-policy-manual-policy002-10] quit
5. Apply IPsec policies to IBGP peers:
# Configure Router A.
[RouterA] bgp 65008
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 1::2 ipsec-policy policy001
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp] quit
# Configure Router B.
[RouterB] bgp 65008
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 1::1 ipsec-policy policy001
[RouterB-bgp-af-ipv6] quit
[RouterB-bgp] quit
6.
 Maximum allowed prefix number: 4294967295
 Threshold: 75%
 Minimum time between advertisement runs is 30 seconds
 Optional capabilities:
  Route refresh capability has been enabled
  ORF advertise capability based on prefix (type 64):
   Local: both
   Negotiated: send
 Peer Preferred Value: 0
 IPsec policy name: policy001, SPI :12345
 Routing policy configured:
 No routing policy is configured

 BGP Peer is 3::2, remote AS 65009,
 Type: EBGP link
 BGP version 4, remote router ID 3.3.3.
Hardware                        Compatibility
F1000-A-EI/F1000-S-EI           No
F1000-E                         No
F5000                           Yes
F5000-S/F5000-C                 No
VPN firewall modules            No
20-Gbps VPN firewall modules    No
Network requirements
• As shown in Figure 402, configure OSPFv3 as the IGP in AS 200.
• Establish two IBGP connections between Firewall A and Firewall B. When both links are working, Firewall B adopts the link Firewall A<—>Router A<—>Firewall B to exchange packets with network 1200::0/64. Configure BFD over the link.
# When the two links between Firewall A and Firewall B are both up, Firewall B adopts the link Firewall A<—>Router A<—>Firewall B to exchange packets with network 1200::0/64. (Set a higher MED value for route 1200::0/64 sent to peer 2002::2 on Firewall A.)
- Create IPv6 ACL 2000 to permit 1200::0/64 to pass.
[FirewallA] acl ipv6 number 2000
[FirewallA-acl6-basic-2000] rule permit source 1200::0 64
[FirewallA-acl6-basic-2000] quit
- Create two route policies, apply_med_50 and apply_med_100.
- Configure the detect multiplier as 7.
[FirewallA-GigabitEthernet1/2] bfd detect-multiplier 7
- Configure the BFD authentication mode as plain-text authentication, and set the authentication key to ibgpbfd.
[FirewallA-GigabitEthernet1/2] bfd authentication-mode simple 1 ibgpbfd
[FirewallA-GigabitEthernet1/2] quit
# Configure Firewall B.
 Total number of peers : 2                 Peers in established state : 2

  Peer            AS  MsgRcvd  MsgSent  OutQ PrefRcv Up/Down  State
  2001::1        200        7       10     0       0 00:01:05 Established
  3001::1        200        7       10     0       0 00:01:34 Established
# Display route 1200::0/64 on Firewall B, and you can see that Firewall A and Firewall B communicate through Router A.
*Nov 5 11:42:24:187 2009 FirewallB RM/6/RMDEBUG: BGP_BFD: Send DELETE msg to BFD, Connection type DIRECT, Src IP 3002::2, Dst IP 3001::1, Instance ID 0.
# Display route 1200::0/64 on Firewall B, and you can see that Firewall A and Firewall B communicate through Router B.
Displaying an IPv6 routing table
Displaying the routing table is a basic way to troubleshoot routing problems. The device supports displaying the routing table only at the CLI.
To display the routing table at the CLI:
• Display IPv6 routing table information.
  Command: display ipv6 routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
• Display routing information permitted by a specific IPv6 basic ACL.
Configuring IPv6 policy-based routing IPv6 policy-based routing can be configured only at the CLI. Introduction to IPv6 policy-based routing What is policy-based routing Different from destination-based routing, policy-based routing (PBR) uses user-defined policies to route packets based on the source address, packet length, and other criteria.
Table 79 Priorities and meanings of the apply clauses
Clause: apply ipv6-precedence
  Meaning: Sets an IP precedence.
  Priority: If configured, this clause is always executed.
Clause: apply output-interface and apply ipv6-address next-hop
  Meaning: Sets the output interface and sets the next hop.
  Priority: The apply output-interface clause takes precedence over the apply ipv6-address next-hop clause. Only the apply output-interface clause is executed when both are configured.
Configuring an IPv6 policy
Creating an IPv6 node
1. Enter system view.
   Command: system-view
2. Create an IPv6 policy or policy node and enter IPv6 policy node view.
   Command: ipv6 policy-based-route policy-name [ deny | permit ] node node-number
Configuring match criteria for an IPv6 node
An ACL match criterion uses the specified ACL to match packets if the match mode is configured as permit. If the specified ACL does not exist or the match mode is configured as deny, no packet can match the criterion.
6. Set a default output interface for permitted IPv6 packets.
   Command: apply default output-interface interface-type interface-number
   Remarks: Optional. You can specify up to five output interfaces to achieve load sharing.
7. Set a default next hop for permitted IPv6 packets.
   Command: apply ipv6-address default next-hop ipv6-address
   Remarks: Optional. You can specify up to five output interfaces to achieve load sharing.
To configure IPv6 interface PBR:
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Apply an IPv6 policy on the interface.
   Command: ipv6 policy-based-route policy-name
   Remarks: Not applied by default.
Displaying and maintaining IPv6 PBR configuration
• Display information about IPv6 local PBR and IPv6 interface PBR.
Configuration procedure
1. Configure Firewall:
# Configure ACL 3001 to match TCP packets.
system-view
[Firewall] ipv6
[Firewall] acl ipv6 number 3001
[Firewall-acl6-adv-3001] rule permit tcp
[Firewall-acl6-adv-3001] quit
# Configure Node 5 of policy aaa, so that TCP packets are forwarded via GigabitEthernet 0/1.
Figure 404 Network diagram Configuration procedure 1. Configure Firewall: # Configure RIPng.
[Firewall-GigabitEthernet0/3] ipv6 address 10::2 64
[Firewall-GigabitEthernet0/3] undo ipv6 nd ra halt
[Firewall-GigabitEthernet0/3] ripng 1 enable
[Firewall-GigabitEthernet0/3] ipv6 policy-based-route aaa
2. Configure RIPng for Router B.
system-view
[RouterB] ipv6
[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ipv6 address 1::2 64
[RouterB-GigabitEthernet0/1] ripng 1 enable
3. Configure RIPng for Router A.
Figure 405 Network diagram Configuration procedure 1. Configure Firewall: # Configure RIPng.
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ipv6 address 150::2 64
[RouterA-GigabitEthernet0/1] ripng 1 enable
[RouterA-GigabitEthernet0/1] quit
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ipv6 address 151::2 64
[RouterA-GigabitEthernet0/2] ripng 1 enable
[RouterA-GigabitEthernet0/2] quit
[RouterA] interface loopback 0
[RouterA-LoopBack0] ipv6 address 10::1 128
[RouterA-LoopBack0] ripng 1 enable
3.
g success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002
*Jun 7 16:03:31:949 2009 Firewall PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002
The preceding information shows that Firewall sets the next hop for the received packets to 150::2 according to PBR. The packets are forwarded via GigabitEthernet 0/1.
# Ping Loopback 0 of Router A from Host A, and set the data length to 200 bytes.
Configuring IPv6 multicast routing and forwarding
Feature and hardware compatibility
Overview
In IPv6 multicast implementations, the following types of tables implement multicast routing and forwarding:
• Multicast routing table of an IPv6 multicast routing protocol—Each IPv6 multicast routing protocol has its own multicast routing table, such as the IPv6 PIM routing table.
1. Enter system view.
   Command: system-view
2. Enable IPv6 multicast routing.
   Command: multicast ipv6 routing-enable
   Remarks: Disabled by default.
Configuring IPv6 multicast routing and forwarding
This section describes how to configure IPv6 multicast routing and forwarding.
forwarding. A multicast forwarding boundary sets the boundary condition for the IPv6 multicast groups in the specified range or scope. If the destination address of an IPv6 multicast packet matches the set boundary condition, the packet will not be forwarded. Once an IPv6 multicast boundary is configured on an interface, this interface can no longer forward IPv6 multicast packets (including those sent from the local device) or receive IPv6 multicast packets.
Displaying and maintaining IPv6 multicast routing and forwarding
CAUTION: The reset commands might cause IPv6 multicast transmission failures.
To display and maintain IPv6 multicast routing and forwarding:
• Display IPv6 multicast boundary information.
  Command: display multicast ipv6 boundary { group [ ipv6-group-address [ prefix-length ] ] | scope [ scope-id ] } [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
IPv6 multicast forwarding configuration example
This section provides an example of configuring IPv6 multicast forwarding over a GRE tunnel.
Network requirements
IPv6 multicast routing and IPv6 PIM-DM are enabled on Router A and the firewall. Router B does not support IPv6 multicast. OSPFv3 is running on Router A, Router B, and the firewall. Configure a GRE tunnel so that the receiver can receive the IPv6 multicast data from the source.
Figure 406 Network diagram
Configuration procedure
1.
[Firewall-Tunnel0] quit
3. Configure OSPFv3:
# Configure OSPFv3 on Router A.
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ospfv3 1 area 0
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ospfv3 1 area 0
[RouterA-Ethernet1/2] quit
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ospfv3 1 area 0
[RouterA-Tunnel0] quit
# Configure OSPFv3 on Router B.
[RouterA-Ethernet1/2] quit
[RouterA] interface tunnel 0
[RouterA-Tunnel0] pim ipv6 dm
[RouterA-Tunnel0] quit
# On the firewall, enable IPv6 multicast routing globally, enable MLD on GigabitEthernet 0/1, and enable IPv6 PIM-DM on each interface.
The output shows that Router A is the RPF neighbor of the firewall and that the IPv6 multicast data from Router A is delivered to the firewall over the GRE tunnel.
Troubleshooting abnormal termination of IPv6 multicast data
Symptom
• A host sends an MLD report announcing that it has joined an IPv6 multicast group (G). However, no member information about the IPv6 multicast group (G) exists on the intermediate router.
Configuring IPv6 PIM Feature and hardware compatibility Overview IPv6 PIM provides IPv6 multicast forwarding by leveraging IPv6 unicast static routes or IPv6 unicast routing tables generated by any IPv6 unicast routing protocol, such as RIPng, OSPFv3, IS-ISv6, or BGP4+. IPv6 PIM uses an IPv6 unicast routing table to perform RPF check to implement IPv6 multicast forwarding.
Configuration prerequisites Before you configure IPv6 PIM-DM, complete the following tasks: • Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer. • Determine the interval between state refresh messages. • Determine the minimum time to wait before receiving a new refresh message. • Determine the hop limit value of state-refresh messages. • Determine the graft retry period.
Configuring state refresh parameters The router directly connected with the multicast source periodically sends state-refresh messages. You can configure the interval for sending such messages. A router might receive multiple state-refresh messages within a short time. Some messages might be duplicated messages. To keep a router from receiving such duplicated messages, you can configure the time that the router must wait before receiving the next state-refresh message.
For more information about the configuration of other timers in IPv6 PIM-DM, see "Configuring common IPv6 PIM timers."
Configuring IPv6 PIM-SM
This section describes how to configure IPv6 PIM-SM.
IPv6 PIM-SM configuration task list
• Enabling IPv6 PIM-SM (Required)
• Configuring an RP (Required. Use any method):
  - Configuring a static RP
  - Configuring a C-RP
  - Enabling embedded RP
  - Configuring C-RP timers globally (Optional)
• Configuring a BSR
• Configuring IPv6 administrative scoping
• Determine the C-BSR priority. • Determine the hash mask length. • Determine the IPv6 ACL rule defining a legal BSR address range. • Determine the BS period. • Determine the BS timeout timer. • Determine the IPv6 ACL rule for register message filtering. • Determine the register suppression time. • Determine the register probe time. • Determine the IPv6 multicast traffic rate threshold, IPv6 ACL rule, and sequencing rule for initiating an SPT switchover.
1. Enter system view.
   Command: system-view
2. Enter IPv6 PIM view.
   Command: pim ipv6
3. Configure a static RP for IPv6 PIM-SM.
   Command: static-rp ipv6-rp-address [ acl6-number ] [ preferred ]
   Remarks: By default, no static RP is configured.
Configuring a C-RP
In an IPv6 PIM-SM domain, you can configure routers that intend to become the RP as C-RPs.
2. Enter IPv6 PIM view.
   Command: pim ipv6
3. Enable embedded RP.
   Command: embedded-rp [ acl6-number ]
   Remarks: Optional. By default, embedded RP is enabled for IPv6 multicast groups in the default embedded RP address scopes.
Configuring C-RP timers globally
To enable the BSR to distribute the RP-set information within the IPv6 PIM-SM domain, C-RPs must periodically send C-RP-Adv messages to the BSR.
address to replace its own BSR address and no longer assumes itself to be the BSR, and the winner keeps its own BSR address and continues to assume itself to be the BSR. Configuring a legal range of BSR addresses enables filtering of bootstrap messages based on the address range, thereby preventing a maliciously configured host from masquerading as a BSR. You must make the same configuration on all routers in the IPv6 PIM-SM domain.
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure an IPv6 PIM domain border.
   Command: pim ipv6 bsr-boundary
   Remarks: No IPv6 PIM domain border is configured by default.
Configuring C-BSR parameters globally
In each IPv6 PIM-SM domain, a unique BSR is elected from C-BSRs. The C-RPs in the IPv6 PIM-SM domain send advertisement messages to the BSR.
4. Configure the BS timeout timer.
   Command: c-bsr holdtime interval
   Remarks: Optional. By default, the BS timeout timer is determined by the formula "BS timeout timer = BS period × 2 + 10." The default BS period is 60 seconds, so the default BS timeout timer is 60 × 2 + 10 = 130 (seconds).
NOTE: If you configure the BS period or the BS timeout timer, the system uses the configured value instead of the default one.
maintains a BSR, which serves a specific IPv6 multicast group range. The IPv6 global-scoped zone also maintains a BSR, which serves the IPv6 multicast groups with the Scope field in the group addresses being 14.
Enabling IPv6 administrative scoping
Before you configure an IPv6 admin-scoped zone, you must enable IPv6 administrative scoping. Perform the following configuration on all routers in the IPv6 PIM-SM domain.
To enable IPv6 administrative scoping:
1. Enter system view.
To configure a C-BSR for an IPv6 admin-scoped zone:
1. Enter system view.
   Command: system-view
2. Enter IPv6 PIM view.
   Command: pim ipv6
3. Configure a C-BSR for an IPv6 admin-scoped zone.
   Command: c-bsr scope { scope-id | admin-local | global | organization-local | site-local } [ hash-length hash-length | priority priority ] *
   Remarks: No C-BSRs are configured for an IPv6 admin-scoped zone by default.
5. Configure the register suppression time.
   Command: register-suppression-timeout interval
   Remarks: Optional. 60 seconds by default.
6. Configure the register probe time.
   Command: probe-interval interval
   Remarks: Optional. 5 seconds by default.
Configuring switchover to SPT
Both the receiver-side DR and the RP can periodically check the traffic rate of passing IPv6 multicast packets and trigger a switchover from RPT to SPT accordingly.
Enabling IPv6 PIM-SM
The SSM model is implemented on a subset of IPv6 PIM-SM. Therefore, you must enable IPv6 PIM-SM before configuring IPv6 PIM-SSM. When you deploy an IPv6 PIM-SSM domain, enable IPv6 PIM-SM on all non-border interfaces of routers.
IMPORTANT: All the interfaces on a device must be enabled with the same IPv6 PIM mode.
To enable IPv6 PIM-SSM:
1. Enter system view.
   Command: system-view
2. Enable IPv6 multicast routing.
• The configurations made in IPv6 PIM view are effective on all interfaces. The configurations made in interface view are effective only on the current interface.
• A configuration made in interface view always takes priority over the same configuration made in IPv6 PIM view, regardless of the configuration sequence.
Configuration task list
• Configuring an IPv6 multicast data filter (Optional)
• Configuring a hello message filter (Optional)
• Configuring IPv6 PIM hello options (Optional)
multicast data. In other words, IPv6 PIM routers can act as IPv6 multicast data filters. These filters help implement traffic control and also limit the information available to downstream receivers, which enhances data security. Generally, the closer the filter is to the IPv6 multicast source, the greater its filtering effect.
To configure an IPv6 multicast data filter:
1. Enter system view.
   Command: system-view
2. Enter IPv6 PIM view.
   Command: pim ipv6
3.
LAN_Prune_Delay—Delay of forwarding prune messages on a shared-media LAN. This option consists of LAN delay (namely, prune message delay), override interval, and neighbor tracking support (namely, the capability to disable join message suppression). • The prune message delay defines the delay time for a router to forward a received prune message to the upstream routers. The override interval defines a time period for a downstream router to override a prune message.
Step  Command  Remarks
2. Enter interface view.  interface interface-type interface-number  N/A
3. Set the DR priority.  pim ipv6 hello-option dr-priority priority  Optional.
4. Set the neighbor lifetime.  pim ipv6 hello-option holdtime interval  Optional.
5. Set the prune message delay.  pim ipv6 hello-option lan-delay interval  Optional.
6. Set the override interval.  pim ipv6 hello-option override-interval interval  Optional.
7. Enable the neighbor tracking function.
Any router that has lost assert election will prune its downstream interface and maintain the assert state for a period of time. When the assert state times out, the assert loser will resume IPv6 multicast forwarding. When a router fails to receive subsequent IPv6 multicast data from the IPv6 multicast source S, the router does not immediately delete the corresponding (S, G) entry.
Configuring join/prune message sizes
The larger a join/prune message is, the more information is lost when that message is lost. You can set a small value for the maximum size of each join/prune message to reduce the impact of a lost message. By controlling the maximum number of (S, G) entries in each join/prune message, you can effectively reduce the number of (S, G) entries sent per unit of time.
To configure join/prune message sizes:
Step  Command  Remarks
1.
Task  Command  Remarks
Display IPv6 PIM neighboring information.  display pim ipv6 neighbor [ interface interface-type interface-number | ipv6-neighbor-address | verbose ] * [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display information about the IPv6 PIM routing table.
Figure 407 Network diagram: Source, Router A, Router B, the firewall, and receiver Hosts A, B, and C
system-view
[RouterA] multicast ipv6 routing-enable
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] mld enable
[RouterA-Ethernet1/1] pim ipv6 dm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim ipv6 dm
[RouterA-Ethernet1/2] quit
# Enable IPv6 multicast routing, MLD, and IPv6 PIM-DM on Router B and Router C in the same way. (Details not shown.)
# On the firewall, enable IPv6 multicast routing and enable IPv6 PIM-DM on each interface.
Assume that Host A needs to receive information addressed to IPv6 multicast group G FF0E::101. Once the IPv6 multicast source S 4001::100/64 sends IPv6 multicast packets to the IPv6 multicast group G, an SPT is established through traffic flooding. Router A and the firewall on the SPT path have their (S, G) entries. Host A sends an MLD report to Router A to join IPv6 multicast group G, and a (*, G) entry is generated on Router A.
IPv6 PIM-SM non-scoped zone configuration example Network requirements The receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire IPv6 PIM domain operates in the sparse mode. Host A and Host C are IPv6 multicast receivers in two stub networks, N1 and N2. Both GigabitEthernet 0/3 on the firewall and POS 5/2 on Router D act as C-BSRs and C-RPs.
Device    Interface  IPv6 address
Router C  POS5/0     3001::1/64
Router D  Eth1/1     4002::2/64
Configuration procedure
1. Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing:
a. Enable IPv6 forwarding on each router and configure the IPv6 address and prefix length for each interface according to Figure 408. (Details not shown.)
b. Configure OSPFv3 on the routers in the IPv6 PIM-DM domain to make sure they are interoperable at the network layer.
[RouterD-pim6] c-bsr 1003::2 128 20
[RouterD-pim6] c-rp 1003::2 group-policy 2005
[RouterD-pim6] quit
Verifying the configuration
# Display IPv6 PIM information on Router A.
[RouterA] display pim ipv6 interface
 Interface   NbrCnt  HelloInt  DR-Pri  DR-Address
 Eth1/1      0       30        1       1001::1 (local)
 Eth1/2      1       30        1       1002::2
 Pos5/0      1       30        1       1003::2
# Display information about the BSR and locally configured C-RP on Router A.
 Hash mask length: 128
 State: Elected
 Candidate RP: 1003::2(Pos5/2)
 Priority: 192
 HoldTime: 130
 Advertisement Interval: 60
 Next advertisement scheduled at: 00:00:48
# Display RP information on Router A.
 Protocol: pim-sm, Flag: SPT ACT
 UpTime: 00:02:15
 Upstream interface: Ethernet1/2
 Upstream neighbor: 1002::2
 RPF prime neighbor: 1002::2
 Downstream interface(s) information:
 Total number of downstreams: 1
 1: Ethernet1/1
 Protocol: pim-sm, UpTime: 00:02:15, Expires: 00:03:06
# Display IPv6 PIM multicast routing table information on the firewall.
Source 1 and Source 2 send different multicast information to FF14::101. Host A receives the multicast information from Source 1 only, and Host B receives the multicast information from Source 2 only. Source 3 sends multicast information to FF1E::202. Host C is a multicast receiver for this multicast group. GigabitEthernet 0/2 of the firewall acts as a C-BSR and C-RP of IPv6 admin-scoped zone 1, which serves the IPv6 multicast groups whose group addresses have a Scope field value of 4.
Device    Interface  IPv6 address
Router B  S2/2       3003::1/64
Router B  POS5/1     2002::2/64
Router B  POS5/2     3004::1/64
Router E  Eth1/1     2003::2/64
Router F  Eth1/1     9001::1/64
Router F  S2/1       8001::2/64
Router G  S2/1       4001::1/64
Router G  POS5/1     3004::2/64
Router H  Eth1/1     5001::1/64
Router H  S2/1       4001::2/64
Source 1  —          2001::100/64
Source 2  —          3001::100/64
Source 3  —          9001::100/64
Configuration procedure
1.
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] pim ipv6 sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim ipv6 sm
[Firewall-GigabitEthernet0/3] quit
# Enable IPv6 multicast routing and IPv6 administrative scoping, and enable IPv6 PIM-SM on Router B, Router C, Router E, Router F, and Router G in the same way. (Details not shown.)
3.
# On Router E, configure Serial 2/1 as a C-BSR and C-RP in the global-scoped zone.
system-view
[RouterE] pim ipv6
[RouterE-pim6] c-bsr scope global
[RouterE-pim6] c-bsr 8001::1
[RouterE-pim6] c-rp 8001::1
[RouterE-pim6] quit
Verifying the configuration
# Display information about the BSR and locally configured C-RP on the firewall.
 State: Elected
 Scope: 4
 Uptime: 00:03:48
 Next BSR message scheduled at: 00:01:12
 Candidate BSR Address: 3002::2
 Priority: 64
 Hash mask length: 126
 State: Elected
 Scope: 4
 Candidate RP: 3002::2(Serial2/1)
 Priority: 192
 HoldTime: 130
 Advertisement Interval: 60
 Next advertisement scheduled at: 00:00:10
# Display information about the BSR and locally configured C-RP on Router E.
 HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF2E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF3E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF4E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF5E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF6E::/16
 Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF9E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFAE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFBE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFCE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix leng
 RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF04::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF14::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF24::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF34::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix
 prefix/prefix length: FF64::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF74::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF84::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF94::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFA4::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 0
 prefix/prefix length: FFD4::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFE4::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFF4::/16  RP: 1002::2  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
# Display RP information on Router E.
 HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF4E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF5E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF6E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF7E::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FF8E::/16
 Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFBE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFCE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFDE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix length: FFEE::/16  RP: 8001::1  Priority: 192  HoldTime: 130  Uptime: 00:03:39  Expires: 00:01:51
 prefix/prefix leng
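The rp-info output above is long because a C-RP that serves a whole scope is listed once per flags-nibble value. The following added example (not code from the HP guide) models that: it extracts the Scope field from an IPv6 group address and resolves the RP the way the admin-scoped deployment above does, with RP 1002::2 for scope 4 and RP 8001::1 for the global scope E taken from the displayed output; the RP table is constructed from that output, and the SSM range FF3E::/64 is the one used in the guide's SSM example.

```python
"""Added example, not code from the HP guide: scope-based RP selection in an
admin-scoped IPv6 PIM-SM domain. RP table constructed from the verification
output shown above (scope 4 -> 1002::2, scope E -> 8001::1)."""
import ipaddress
from typing import List, Optional, Tuple

RpEntry = Tuple[ipaddress.IPv6Network, ipaddress.IPv6Address]

ADMIN_SCOPE_ZONE_1 = 4      # Scope field value served by the firewall's C-RP
GLOBAL_SCOPE = 0xE          # global scope, served by Router E's C-RP
SSM_RANGE = ipaddress.IPv6Network("ff3e::/64")   # SSM range from the guide's SSM example


def multicast_scope(group: str) -> int:
    """Return the 4-bit Scope field (low nibble of the second byte) of a group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address (FF00::/8)")
    return addr.packed[1] & 0x0F


def rp_entries_for_scope(scope: int, rp: str) -> List[RpEntry]:
    """Expand one C-RP serving a whole scope into the sixteen per-flags /16
    prefixes that `display pim ipv6 rp-info` lists (FF04::/16 ... FFF4::/16 for scope 4)."""
    rp_addr = ipaddress.IPv6Address(rp)
    return [(ipaddress.IPv6Network(f"ff{flags:x}{scope:x}::/16"), rp_addr)
            for flags in range(16)]


def build_rp_table() -> List[RpEntry]:
    """Constructed from the rp-info output: scope 4 -> 1002::2, scope E -> 8001::1."""
    return (rp_entries_for_scope(ADMIN_SCOPE_ZONE_1, "1002::2")
            + rp_entries_for_scope(GLOBAL_SCOPE, "8001::1"))


def rp_for_group(group: str, table: Optional[List[RpEntry]] = None) -> Optional[str]:
    """Longest-prefix-match the group against the RP table.

    Returns None for SSM groups (receivers join (S, G) directly, so no RP is
    involved) and for groups whose scope has no RP, e.g. link-local scope 2.
    """
    addr = ipaddress.IPv6Address(group)
    multicast_scope(group)                 # rejects non-multicast addresses
    if addr in SSM_RANGE:
        return None
    best: Optional[RpEntry] = None
    for net, rp in (table if table is not None else build_rp_table()):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, rp)
    return None if best is None else str(best[1])


if __name__ == "__main__":
    for g in ("FF14::101", "FF1E::202", "FF3E::101", "FF02::1"):
        print(f"{g}: scope {multicast_scope(g):X}, RP {rp_for_group(g)}")
```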
The SSM group range is FF3E::/64. MLDv2 runs between the firewall and N1, and between Router A, Router B, and N2.
system-view
[Firewall] multicast ipv6 routing-enable
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] mld enable
[Firewall-GigabitEthernet0/1] mld version 2
[Firewall-GigabitEthernet0/1] pim ipv6 sm
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] pim ipv6 sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim ipv6 sm
[Firewall-GigabitEthernet0/3] quit
# Enable
 Upstream neighbor: 1002::2
 RPF prime neighbor: 1002::2
 Downstream interface(s) information:
 Total number of downstreams: 1
 1: GigabitEthernet0/1
 Protocol: mld, UpTime: 00:00:11, Expires: 00:03:25
# Display IPv6 PIM multicast routing table information on Router C.
2. Use the display pim ipv6 interface command to verify the IPv6 PIM information on each interface, especially on the RPF interface. If IPv6 PIM is not enabled on the interface, use the pim ipv6 dm or pim ipv6 sm command to enable IPv6 PIM. 3. Use the display pim ipv6 neighbor command to verify that the RPF neighbor is an IPv6 PIM neighbor. 4. Verify that IPv6 PIM and MLD are enabled on the interfaces directly connecting to the IPv6 multicast source and to the receiver. 5.
• In the case of the static RP mechanism, the same RP address must be configured on all the routers in the entire network, including static RPs, by means of the static RP command. Otherwise, IPv6 multicast will fail. 1. Use the display ipv6 routing-table command to verify that a route to the RP is available on each router. 2. Use the display pim ipv6 rp-info command to verify that the dynamic RP information is consistent on all routers.
Configuring MLD
Feature and hardware compatibility
Overview
An IPv6 router uses the MLD protocol to discover the presence of multicast listeners on the directly attached subnets. Multicast listeners are nodes wishing to receive IPv6 multicast packets. Through MLD, the router can learn whether any IPv6 multicast listeners exist on the directly connected subnets, put corresponding records in the database, and maintain timers related to IPv6 multicast addresses.
Task  Remarks
Configuring MLD SSM mapping:
  Enabling MLD SSM mapping  Optional.
  Configuring MLD SSM mapping entries  Optional.
Configuring MLD proxying:
  Enabling MLD proxying  Optional.
  Configuring IPv6 multicast forwarding on a downstream interface  Optional.
Configuring basic MLD functions
This section describes how to configure basic MLD functions.
Configuring an MLD version globally
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter MLD view.  mld  N/A
3. Configure an MLD version globally.  version version-number  MLDv1 by default.
Configuring an MLD version on an interface
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter interface view.  interface interface-type interface-number  N/A
3. Configure an MLD version on the interface.  mld version version-number  MLDv1 by default.
Configuring an IPv6 multicast group filter
To restrict the hosts on the network attached to an interface from joining certain IPv6 multicast groups, you can set an IPv6 ACL rule on the interface so that the interface maintains only the IPv6 multicast groups matching the criteria.
To configure an IPv6 multicast group filter:
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter interface view.  interface interface-type interface-number  N/A
3. Configure an IPv6 multicast group filter.
• Determine the startup query interval. • Determine the startup query count. • Determine the MLD query interval. • Determine the MLD querier's robustness variable. • Determine the maximum response delay of MLD general query messages. • Determine the MLD last listener query interval. • Determine the MLD other querier present interval.
Step  Command  Remarks
4. Enable the insertion of the Router-Alert option into MLD messages.  mld send-router-alert  By default, MLD messages carry the Router-Alert option.
Configuring MLD query and response parameters
On startup, the MLD querier sends MLD general queries at the startup query interval, which is one-quarter of the MLD query interval. The number of queries, or the startup query count, is user configurable.
Step  Command  Remarks
3. Configure the MLD querier's robustness variable.  robust-count robust-value  2 by default. A higher robustness variable makes the MLD querier more robust but results in a longer IPv6 multicast group timeout time.
4. Configure the startup query interval.  startup-query-interval interval  By default, the startup query interval is one-quarter of the MLD query interval.
5. Configure the startup query count.
Step  Command  Remarks
7. Configure the maximum response delay for MLD general query messages.  mld max-response-time interval  10 seconds by default.
8. Configure the MLD last listener query interval.  mld last-listener-query-interval interval  1 second by default.
9.
Enabling the MLD host tracking function
With the MLD host tracking function, the router can record the information of the member hosts that are receiving IPv6 multicast traffic, including the host IPv6 address, running duration, and timeout time. You can monitor and manage the member hosts according to the recorded information.
Enabling the MLD host tracking function globally
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter MLD view.  mld  N/A
3.
NOTE: To ensure SSM service for all hosts on a subnet, regardless of the MLD version running on the hosts, enable MLDv2 on the interface that forwards IPv6 multicast traffic onto the subnet.
Configuring MLD SSM mapping entries
You can perform this configuration task multiple times to map an IPv6 multicast group to different IPv6 multicast sources.
To configure an MLD SSM mapping:
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter MLD view.  mld  N/A
3.
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter interface view.  interface interface-type interface-number  N/A
3. Enable the MLD proxying feature.  mld proxying enable  Disabled by default.
Configuring IPv6 multicast forwarding on a downstream interface
Typically, to avoid duplicate multicast flows, only queriers can forward IPv6 multicast traffic. On MLD proxy devices, a downstream interface must be a querier in order to forward IPv6 multicast traffic to downstream hosts.
Task  Command  Remarks
Display MLD information on the specified interface or all MLD-enabled interfaces.  display mld interface [ interface-type interface-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display the information of the MLD proxying groups.  display mld proxying group [ group-address ] [ verbose ] [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display the information of the MLD routing table.
Figure 411 Network diagram: Firewall A (GigabitEthernet 0/1, 3000::12/64) connects stub network N1 with receiver Hosts A and B; Firewall B (GigabitEthernet 0/1, 3001::10/64) connects N2 with Hosts C and D; GigabitEthernet 0/2 of each firewall connects to the IPv6 PIM network
Configuration procedure
1. Enable IPv6 forwarding, assign IPv6 addresses, and configure IPv6 unicast routing:
a. Enable IPv6 forwarding on each router and assign an IPv6 address and prefix length to each interface according to Figure 411. (Details not shown.)
b.
[FirewallB-GigabitEthernet0/2] pim ipv6 dm
[FirewallB-GigabitEthernet0/2] quit
3. Configure an IPv6 multicast group filter on Firewall A, so that the hosts connected to GigabitEthernet 0/1 can join IPv6 multicast group FF1E::101 only.
Figure 412 Network diagram
Table 84 Interface and IP address assignment
Device    Interface  IPv6 address
Source 1  —          1001::1/64
Source 2  —          2001::1/64
Source 3  —          3001::1/64
Receiver  —          4001::1/64
Router A  Eth1/1     1001::2/64
Router A  Eth1/2     1002::1/64
Router A  Eth1/3     1003::1/64
Router B  Eth1/1     2001::2/64
Router B  Eth1/2     1002::2/64
Router C  Eth1/1     3001::2/64
Router C  Eth1/2     3002::1/64
Router C  Eth1/3     2002::2/64
Firewall  GE0/1      4001::2/64
Fire
[Firewall-GigabitEthernet0/2] pim ipv6 sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim ipv6 sm
[Firewall-GigabitEthernet0/3] quit
# On Router A, enable IPv6 multicast routing globally, and enable IPv6 PIM-SM on each interface.
# Display information about the IPv6 multicast groups created based on the configured MLD SSM mappings on the firewall.
[Firewall] display mld ssm-mapping group
 Total 1 MLD SSM-mapping Group(s).
 Interface group report information
  GigabitEthernet0/1(4001::2):
   Total 1 MLD SSM-mapping Group reported
    Group Address: FF3E::101
    Last Reporter: 4001::1
    Uptime: 00:02:04
    Expires: off
# Display IPv6 PIM routing table information on the firewall.
Figure 413 Network diagram: the firewall (proxy and querier, GigabitEthernet 0/2 3001::1/64) serves receiver hosts, the router (querier, S2/1 1001::1/64) connects to the IPv6 PIM-DM network, and the firewall and the router are linked over 2001::/64 (2001::1/64 and 2001::2/64); Hosts A, B, and C are receivers
Configuration procedure
1. Enable IPv6 forwarding on each router and assign an IPv6 address and prefix length to each interface according to Figure 413. (Details not shown.)
2.
   Current MLD version is 1
   Multicast routing on this interface: enabled
   Require-router-alert: disabled
# Display MLD group information on Router.
[Router] display mld group
 Total 1 MLD Group(s).
restrict the host from joining IPv6 multicast group G, the ACL must be modified to allow IPv6 multicast group G to receive report messages. Membership information is inconsistent on the routers on the same subnet Symptom The MLD routers on the same subnet have different membership information. Analysis • A router running MLD maintains multiple parameters for each interface, and these parameters influence one another, forming very complicated relationships.
Configuring routing policies
The term "router" in this document refers to both routers and routing-capable firewalls and firewall modules.
Routing policies can be configured only at the CLI.
Routing policies control routing paths by filtering and modifying routing information. This chapter describes both IPv4 and IPv6 routing policies.
Overview
Routing policies can filter advertised, received, and redistributed routes, and modify attributes for specific routes.
To configure a routing policy:
1.
Community list A community list matches the COMMUNITY attribute of BGP routing information. For more information about community list, see "Configuring BGP." Extended community list An extended community list matches the extended community attribute (Route-Target for VPN and Source of Origin) of BGP routing information. Routing policy A routing policy can comprise multiple nodes, which are in a logical OR relationship. A node with a smaller number is matched first.
For example, the following configuration filters routes 10.1.0.0/16, 10.2.0.0/16, and 10.3.0.0/16, but allows other routes to pass.
system-view
[Sysname] ip ip-prefix abc index 10 deny 10.1.0.0 16
[Sysname] ip ip-prefix abc index 20 deny 10.2.0.0 16
[Sysname] ip ip-prefix abc index 30 deny 10.3.0.0 16
[Sysname] ip ip-prefix abc index 40 permit 0.0.0.0 0 less-equal 32
Configuring an IPv6 prefix list
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2.
Step  Command  Remarks
2. Configure a community list.  Use either method. Not configured by default.
   • Configure a basic community list: ip community-list { basic-comm-list-num | basic comm-list-name } { deny | permit } [ community-number-list ] [ internet | no-advertise | no-export | no-export-subconfed ] *
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Create a routing policy and a node and enter routing policy view.  route-policy route-policy-name { deny | permit } node node-number  By default, no routing policy is created.
Configuring if-match clauses
Follow these guidelines when you configure if-match clauses:
• The if-match clauses of a routing policy node have a logical AND relationship.
Step  Command  Remarks
Steps 5 through 9 (all optional):
Match BGP routing information whose AS_PATH attribute is specified in the AS path lists.  if-match as-path AS-PATH-number&<1-16>
Match BGP routing information whose COMMUNITY attribute is specified in the community lists.  if-match community { { basic-community-list-number | comm-list-name } [ whole-match ] | adv-community-list-number }&<1-16>
Match BGP routing information whose extended community attribute is specified in the extended community lists.
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Enter routing policy view.  route-policy route-policy-name { deny | permit } node node-number  Not created by default.
3. Set the AS_PATH attribute for BGP routes.  Optional.
4. Delete the COMMUNITY attribute of BGP routing information using the community list.  apply comm-list { comm-list-number | comm-list-name } delete
5. Set the COMMUNITY attribute for BGP routes.
Step  Command  Remarks
12. Set the ORIGIN attribute for BGP routes.  apply origin { egp as-number | igp | incomplete }  Optional. Not set by default. Support for the apply origin command depends on the device model.
13. Set the preference for the routing protocol.  apply preference preference  Optional. Not set by default.
14. Set a preferred value for BGP routes.  Optional. Not set by default.
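To make the evaluation order concrete, the following added example (not code from the HP guide) models the prefix list abc from the example above and a routing policy built on it, following the semantics the guide states: prefix-list entries are checked in index order, the if-match clauses of a node are ANDed, nodes are ORed and tried from the smallest number, and apply clauses modify a permitted route. The policy nodes, the route records, and the implicit deny when nothing matches are assumptions made for this example.

```python
"""Added example, not code from the HP guide: a small model of how an IPv4
prefix list and a routing policy evaluate routes (index order, if-match AND,
nodes OR, apply on permit). Implicit deny when nothing matches is assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Route = Dict[str, object]   # constructed route record, e.g. {"prefix": ..., "tag": 0, "cost": 1}


@dataclass
class PrefixEntry:
    """One `ip ip-prefix <name> index <n> {permit|deny} <addr> <len> [ge] [le]` line."""
    index: int
    action: str                       # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the entry's prefix (its first <len> bits agree) ...
        if not self.prefix.supernet_of(route):
            return False
        # ... and its mask length must fall in the [ge, le] window. With neither
        # keyword the mask length must equal the entry's length exactly, which is
        # why `0.0.0.0 0 less-equal 32` is needed to permit "everything else".
        low = self.greater_equal if self.greater_equal is not None else self.prefix.prefixlen
        if self.less_equal is not None:
            high = self.less_equal
        elif self.greater_equal is not None:
            high = route.max_prefixlen
        else:
            high = self.prefix.prefixlen
        return low <= route.prefixlen <= high


class PrefixList:
    def __init__(self, entries: List[PrefixEntry]) -> None:
        self.entries = sorted(entries, key=lambda e: e.index)   # index order

    def permits(self, route: ipaddress.IPv4Network) -> bool:
        for entry in self.entries:            # first matching entry decides
            if entry.matches(route):
                return entry.action == "permit"
        return False                          # assumed: implicit deny at the end


@dataclass
class PolicyNode:
    """One `route-policy <name> {permit|deny} node <n>` with its clauses."""
    number: int
    action: str
    if_match: List[Callable[[Route], bool]] = field(default_factory=list)
    apply: Dict[str, object] = field(default_factory=dict)

    def matches(self, route: Route) -> bool:
        # All if-match clauses must hold (logical AND); a node with none matches all.
        return all(clause(route) for clause in self.if_match)


class RoutePolicy:
    def __init__(self, nodes: List[PolicyNode]) -> None:
        self.nodes = sorted(nodes, key=lambda n: n.number)     # smaller node first

    def evaluate(self, route: Route) -> Optional[Route]:
        """Return the route (with apply clauses applied) if permitted, else None."""
        for node in self.nodes:               # nodes are ORed: first match decides
            if node.matches(route):
                if node.action == "deny":
                    return None
                result = dict(route)
                result.update(node.apply)     # apply clauses modify permitted routes
                return result
        return None                           # assumed: implicit deny after last node


def build_abc() -> PrefixList:
    """The guide's prefix list abc: deny 10.1/16, 10.2/16, 10.3/16, permit the rest."""
    net = ipaddress.ip_network
    return PrefixList([
        PrefixEntry(10, "deny", net("10.1.0.0/16")),
        PrefixEntry(20, "deny", net("10.2.0.0/16")),
        PrefixEntry(30, "deny", net("10.3.0.0/16")),
        PrefixEntry(40, "permit", net("0.0.0.0/0"), less_equal=32),
    ])


def build_policy(abc: PrefixList) -> RoutePolicy:
    """Hypothetical policy (constructed for this example): node 10 permits routes
    that pass abc and carry tag 0 and sets cost 20; node 20 permits tag-100 routes
    unchanged; everything else falls to the implicit deny."""
    return RoutePolicy([
        PolicyNode(10, "permit",
                   if_match=[lambda r: abc.permits(r["prefix"]), lambda r: r["tag"] == 0],
                   apply={"cost": 20}),
        PolicyNode(20, "permit", if_match=[lambda r: r["tag"] == 100]),
    ])


def abc_permits(prefix: str) -> bool:
    return build_abc().permits(ipaddress.ip_network(prefix))


def policy_cost(prefix: str, tag: int, cost: int = 1) -> Optional[int]:
    """Run one route through the example policy: resulting cost, or None if denied."""
    route = {"prefix": ipaddress.ip_network(prefix), "tag": tag, "cost": cost}
    result = build_policy(build_abc()).evaluate(route)
    return None if result is None else result["cost"]


if __name__ == "__main__":
    for p in ("10.1.0.0/16", "10.1.1.0/24", "172.16.0.0/12"):
        print(p, "permitted by abc" if abc_permits(p) else "denied by abc")
    print(policy_cost("192.168.1.0/24", tag=0), policy_cost("10.1.0.0/16", tag=0))
```

Note that 10.1.1.0/24 passes abc: entry 10 has no greater-equal/less-equal, so it matches 10.1.0.0/16 only at exactly /16 and the more specific route falls through to the permit-all entry.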
Displaying and maintaining the routing policy
Task  Command  Remarks
Display BGP AS path list information.  display ip as-path [ as-path-number ] [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display BGP community list information.  display ip community-list [ basic-community-list-number | adv-community-list-number | comm-list-name ] [ | { begin | exclude | include } regular-expression ]  Available in any view.
Display BGP extended community list information.
# Configure IPv6 addresses for interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2.
system-view
[Firewall] ipv6
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 10::1 32
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ipv6 address 11::1 32
[Firewall-GigabitEthernet0/2] quit
# Enable RIPng on GigabitEthernet 0/1.
     via FE80::7D58:0:CA03:1, cost 1, tag 0, A, 18 Sec
 Dest 20::/32,
     via FE80::7D58:0:CA03:1, cost 1, tag 0, A, 8 Sec
 Dest 40::/32,
     via FE80::7D58:0:CA03:1, cost 1, tag 0, A, 3 Sec
Applying a routing policy to filter received BGP routes
Network requirements
• All the devices in Figure 415 run BGP. Router C establishes EBGP connections with Router A, Router B, and Firewall.
• Configure a routing policy on Firewall to reject routes from AS 200.
Figure 415 Network diagram
Configuration procedure
1.
[RouterC-bgp] peer 1.1.1.1 as-number 100
[RouterC-bgp] peer 1.1.2.1 as-number 200
[RouterC-bgp] peer 1.1.3.2 as-number 400
# Configure Firewall.
system-view
[Firewall] bgp 400
[Firewall-bgp] router-id 4.4.4.4
[Firewall-bgp] peer 1.1.3.1 as-number 300
[Firewall-bgp] quit
# Inject routes 4.4.4.4/24, 5.5.5.5/24, and 6.6.6.6/24 on Router A.
[RouterA-bgp] network 4.4.4.4 24
[RouterA-bgp] network 5.5.5.5 24
[RouterA-bgp] network 6.6.6.6 24
# Inject routes 7.7.7.7/24, 8.8.8.8/24, and 9.9.9.
[Firewall-route-policy] quit
# On Firewall, specify routing policy rt1 to filter routes received from peer 1.1.3.1.
[Firewall] bgp 400
[Firewall-bgp] peer 1.1.3.1 route-policy rt1 import
# Display the BGP routing table information of Firewall.
[Firewall-bgp] display bgp routing-table
 Total Number of Routes: 3
 BGP Local router ID is 4.4.4.
Solution 1. Use the display ip ipv6-prefix command to display IP prefix list information. 2. Use the display route-policy command to display routing policy information.
Configuring SSL SSL can be configured only at the CLI. Overview Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security for TCP-based application layer protocols such as HTTP. SSL has been widely used in applications such as e-business and online banking to provide secure data transmission over the Internet.
SSL protocol stack SSL includes an SSL record protocol at the lower layer, and an SSL handshake protocol, SSL change cipher spec protocol, and SSL alert protocol at the upper layer. Figure 417 SSL protocol stack • SSL record protocol—Fragments data received from the upper layer, computes and adds MAC to the data, and encrypts the data.
To configure an SSL server policy:
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Create an SSL server policy and enter its view.  ssl server-policy policy-name  N/A
3. Specify a PKI domain for the SSL server policy.  Optional. By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server.
Step  Command  Remarks
8. Configure the server to require certificate-based SSL client authentication.  client-verify enable  Optional. By default, the SSL server does not require the client to be authenticated.
9. Enable SSL client weak authentication.  client-verify weaken  Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
NOTE: Only TLS1.0 is supported in FIPS mode.
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Firewall] pki domain 1
[Firewall-pki-domain-1] ca identifier ca server
[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.
HTTPS login using the default certificate configuration example Network requirements As shown in Figure 419, configure the firewall as the HTTPS server that uses an SSL server policy to protect Web login. The firewall and the host use the default certificate for identity authentication. Figure 419 Network diagram Configuration procedure Configuring the firewall in the Web interface 1. Configure the HTTPS service: a. Log in to the Web interface of the firewall. b.
Figure 421 Configuring a local user
Configuring the firewall at the CLI
1. Configure the HTTPS service:
# Create SSL server policy myssl.
system-view
[Firewall] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as default.
[Firewall-ssl-server-policy-myssl] pki-domain default
[Firewall-ssl-server-policy-myssl] quit
# Configure the HTTPS service to use SSL server policy myssl.
[Firewall] ip https ssl-server-policy myssl
# Enable the HTTPS server.
[Firewall] ip https enable
2.
Step  Command  Remarks
1. Enter system view.  system-view  N/A
2. Create an SSL client policy and enter its view.  ssl client-policy policy-name  N/A
3. Specify a PKI domain for the SSL client policy.  pki-domain domain-name  Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain.
Troubleshooting SSL SSL handshake failure Symptom As the SSL server, the device fails to handshake with the SSL client. Analysis SSL handshake failure may result from the following causes: • The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted. • The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention  Description
Boldface  Bold text represents commands and keywords that you enter literally as shown.
Italic  Italic text represents arguments that you replace with actual values.
[ ]  Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }  Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.