HP Switch Software IPv6 Configuration Guide K/KA/KB.15.15

Abstract
This switch software guide is intended for network administrators and support personnel, and applies to the switch models listed on this page unless otherwise noted. This guide does not provide information about upgrading or replacing switch hardware. The information in this guide is subject to change without notice.
© Copyright 2008, 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents
1 IPv6 Addressing Configuration 11
Introduction 11
General configuration steps 11
Configuring IPv6 addressing
Using outbound Telnet to another device 38
Viewing the current telnet activity on a switch 39
Enabling or disabling inbound Telnet access 40
Viewing the current inbound Telnet configuration
Viewing the current MLD status 73
Configuring the current MLD 74
Listing ports currently joined 75
Viewing MLD statistics
Assignment of an ACL to an interface 114
Assignment of an ACL name to an interface 114
Creating an ACL using the CLI 114
General ACE rules
Enable IPv6 ACL "Deny" or "Permit" logging 157
Requirements for using IPv6 ACL logging 157
ACL logging operation 157
IPv6 counter operation with multiple interface assignments
Configuring DHCPv6 service requirements 186
Configuring the range for intervals between RA transmissions on a VLAN 187
Setting or changing the hop-limit for host-generated packets 188
Setting or changing the default router lifetime 188
Changing the reachable time duration for neighbors
Retransmit interval per interface 222
Transit delay per interface 222
Configuring a virtual link 222
Adjusting a dead interval on a virtual link
About influencing route choices by changing the administrative distance default (optional) 259
About enforcing strict LSA operation for graceful restart helper mode (optional) 259
About adjusting performance by changing the VLAN interface settings (optional) 260
About configuring an ABR to use a virtual link to the backbone
1 IPv6 Addressing Configuration

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax. For more information, see “Viewing the current IPv6 addressing configuration” (page 21), (page 23).

Introduction
In the default configuration, IPv6 operation is disabled on the switch. This section describes the general steps and individual commands for enabling IPv6 operation.
3. If an IPv6 router is connected on the VLAN, enable IPv6 address autoconfiguration to automatically configure global unicast addresses with prefixes included in advertisements received from the router. The interface identifier used in addresses configured by this method is the same as the interface identifier in the current link-local address.
4. If needed, statically configure IPv6 unicast addressing on the VLAN interface.
Example
HP-Switch# show ipv6 source-interface detail
Protocol : Radius
Admin Policy : Outgoing Interface
Oper Policy : Outgoing Interface
Source IPv6 Interface : vlan-1
Source IPv6 Address : 192.168.1.2
Source Interface State : N/A

Shows the source IPv6 configuration, status, or detailed information. In this example the command is invoked without parameters, so it shows the configuration information for all protocols.
• If status is specified, the operational status information is shown.
Enabling autoconfiguration of a global unicast address and a default router identity on a VLAN
Enabling autoconfig, or rebooting the switch with autoconfig enabled on a VLAN, causes the switch to configure IPv6 addressing on the VLAN using RAs and an EUI-64 interface identifier.
Syntax: [no] ipv6 address autoconfig
Implements unicast address autoconfiguration as follows:
• If IPv6 is not already enabled on the VLAN, enables IPv6 and generates a link-local (EUI-64) address.
Default IPv6 Gateway
Instead of using static or DHCPv6 configuration, a default IPv6 gateway for an interface (VLAN or tunnel) is determined from the default router list of reachable or probably reachable routers the switch detects from periodic multicast router advertisements (RAs) received on the interface. For a given interface, there can be multiple default gateways, with different nodes on the link using different gateways.
Authenticating the DHCPv6 client
DHCPv6 client authentication allows the configuration of authentication options such as mode and key-chain. For more information, see “DHCPv6 client” (page 29).
Syntax: [no] ipv6 dhcp-client authentication [ mode [ md5 ] | key-chain chain-name-str ]
Allows the configuration of authentication options. The authentication information carried in the option can be used to identify the source of a DHCPv6 message and to confirm the message has not been tampered with.
Example 1 DHCP client authentication show command for all VLANs
HP Switch(config)# show ipv6 dhcp-client authentication
DHCPv6 Authentication Information
Vlan Name : DEFAULT_VLAN
Authentication : Enabled
Authentication mode : HMAC-MD5
Key-Chain : DHCP10
Key-Id : 1

Vlan Name : VLAN2
Authentication : Enabled
Authentication mode : HMAC-MD5
Key-Chain : DHCP10
Key-Id : 1

Example 2 DHCP client authentication show command for a specific VLAN
HP Switch(config)# show ipv6 dhcp-client authentication vlan 1
DHCP
Commands are executed in VLAN context.
• You must disable the DHCPv6 client before disabling DHCPv6 authentication.
• You must create a key chain with an ID and a duration before configuring DHCPv6 client authentication with a key-chain name.
• The DHCPv6 client and DHCPv4 Relay can be enabled on the same interface and operate at the same time.

Viewing configured DHCPv6 addresses
To view the current DHCPv6 settings per VLAN, use show run.
Where a static link-local address is already configured, a new autoconfigured global unicast address assignment uses the same interface identifier as the link-local address.
NOTE: An existing link-local address is replaced, not deprecated, when a static replacement is configured. The prefix for a statically configured link-local address is always 64 bits, with all blocks after fe80 set to zero. That is: fe80:0:0:0.
Viewing the currently configured static IPv6 addresses per-VLAN
To view the currently configured static IPv6 addresses per VLAN, use show run. To view all currently configured IPv6 unicast addresses, use the following:
• show ipv6 (Lists IPv6 addresses for all VLANs configured on the switch.)
• show ipv6 vlan vid (Lists IPv6 addresses configured on VLAN vid.)
• show ipv6 tunnel tunnel-id (Lists IPv6 addresses configured on tunnel tunnel-id.)
Example 5 Configuring an IPv6 address on a loopback interface
HP Switch(config)# interface loopback 1
HP Switch(lo-1)# ipv6 address 2001:db8::1
NOTE:
• You can configure a loopback interface only from the CLI; you cannot configure a loopback interface from the Menu interface.
• IPv6 loopback interfaces share the same IPv6 address space with VLAN configurations.
VLAN Name Lists the name of a VLAN statically configured on the switch.
IPv6 Status For the indicated VLAN, shows whether IPv6 is disabled (the default) or enabled. See “Configuring IPv6 addressing” (page 12).
Address Origin
Autoconfig The address was configured using SLAAC. In this case, the interface identifier for global unicast addresses is copied from the current link-local unicast address.
Example 6 show ipv6 command output
HP Switch(tunnel-3)# show ipv6
Internet (IPv6) Service
IPv6 Routing : Enabled
ND DAD : Enabled
DAD Attempts : 3

VLAN Interfaces
Interface Name : DEFAULT_VLAN
IPv6 Status : Disabled
Layer 3 Status : Enabled

Interface Name : VLAN22
IPv6 Status : Enabled
Layer 3 Status : Enabled
Address Origin | IPv6 Address/Prefix Length | Address Status
-------------- | --------------------------------- | --------------
autoconfig | fe80::218:71ff:feb9:8500/64 | tentative

Tunnel Interfaces
Interface
Displays IP and IPv6 global configuration settings, the IPv6 status for the specified VLAN, the IPv6 addresses (with prefix lengths) configured on the specified VLAN, and the expiration data (Expiry) for each address.
IPv6 Routing For software releases K.13.01 through K.14.01, this setting is always Disabled.
Default Gateway Lists the IPv4 default gateway, if any, configured on the switch. This is a globally configured router gateway address and is not configured per-VLAN.
ND DAD Shows whether ND DAD is enabled.
Example 8 show ipv6 vlan vid output
HP Switch# show ipv6 vlan 10
Internet (IPv6) Service
IPv6 Routing : Disabled
Default Gateway : fe80::213:c4ff:fedd:14b0%vlan10
ND DAD : Enabled
DAD Attempts : 3

Vlan Name : VLAN10
IPv6 Status : Enabled
IPv6 Address/Prefixlength | Expiry
--------------------------------- | ------------------------
2001:db8:a03:e102::1:101/64 | Fri May 19 11:51:15 2009
fe80::1:101/64 | permanent

Syntax: show run
In addition to the other elements of the current configuration, this command lists
Example 9 show run output listing the current IPv6 addressing commands
HP Switch(config)# show run
Running configuration:
. . .
vlan 10
name "VLAN10"
untagged 1-12
ipv6 address fe80::1:101 link-local   [1]
ipv6 address dhcp full rapid-commit   [2]
. . .
[1] Statically configured IPv6 addresses appear in the show run output.
[2] Commands for automatic IPv6 address configuration appear in the show run output, but the addresses resulting from these commands do not appear in the output.
Example 10 show ipv6 route output
Examples of addresses in output:

“Unknown” Address
Dest : ::/0
Gateway : fe80::213:c4ff:fedd:14b0%vlan10
Type : static
Dist. : 40
Metric : 0

Loopback Address
Dest : ::1/128
Gateway : lo0
Type : connected
Dist. : 0
Metric : 1

Global Unicast Address Configured on the Switch
Dest : 2001:db8:a03:e102::/64
Gateway : VLAN10
Type : connected
Dist. : 0
Metric : 1

Link-Local Address Configured on the Switch
Dest : fe80::%vlan10
Gateway : VLAN10
Type : connected
Dist.
Prefix Advertised Lists the prefix and prefix size (number of leftmost bits in an address) originating with the indicated router.
Valid Lifetime The total time the address is available, including the preferred lifetime and the additional time (if any) allowed for the address to exist in the deprecated state. See “Valid lifetime” (page 28).
Preferred Lifetime The length of time during which the address can be used freely as both a source and a destination address for traffic exchanges with other devices.
before the address became deprecated. However, in this time frame, the address should no longer be used for new communications. If this time expires without the deprecated address being refreshed, the address becomes invalid and may be assigned to another interface.
About disabling IPv6 on a VLAN
While at least one IPv6-enabling command is configured on a VLAN, IPv6 remains enabled on that VLAN. In this case, removing the only remaining IPv6-enabling command from the configuration disables IPv6 operation on the VLAN.
When a pair of IPv6 devices in a VLAN exchange communication, they enter each other's IPv6 and corresponding MAC addresses in their respective neighbor caches. These entries are maintained for a time after communication ceases and are then dropped. To view or clear the content of the neighbor cache, see “Viewing the neighbor cache” (page 36). For related information, see RFC 2461: "Neighbor Discovery for IP Version 6 (IPv6)".
performed while DAD is disabled, the duplicate address check is not performed on any IPv6 addresses configured on the switch.
Default: 3 (enabled); 0 (disabled)
Range: 0 - 255 (0 = disabled)
The no form of the command restores the default setting (3).
NOTE: Software version K.14.xx supports a dad-attempts range of 0 to 600. However, software version K.15.xx or greater supports a range of 0 to 255. If dad-attempts is set higher than 255, updating from K.14.xx to K.15.
• If a previously configured unicast address is changed, a neighbor advertisement is sent on the VLAN to notify other devices and for duplicate address detection.
• If DAD is disabled when an address is configured, the address is assumed to be unique and is assigned to the interface.

Router access and default router selection
Traffic can be routed between destinations on different VLANs configured on the switch or to a destination on an off-switch VLAN.
Example 12 Suppressing the inclusion of RDNSS and DNSSL in outgoing RAs globally
HP Switch(config)# ipv6 nd suppress-ra-dns

IP interface configuration
This example shows the command that suppresses the inclusion of RDNSS and DNSSL in outgoing Router Advertisements for an IP interface. The command is executed in VLAN context.
the initial router solicitation, the switch sends up to three additional solicitations at intervals of four seconds. If an RA is received, the sending router is added to the switch's default router list and the switch stops sending router solicitations. If an RA is not received, IPv6 traffic on that VLAN cannot be routed, and the only usable unicast IPv6 address on the VLAN is the link-local address.
2 IPv6 Management Features

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

This chapter focuses on the IPv6 application of management features that support both IPv6 and IPv4 operation. For additional information on these features, see the current Management and Configuration Guide for your switch.

Viewing the neighbor cache
Neighbor discovery occurs when there is communication between the switch and another, reachable IPv6 device on the same VLAN.
INCMP (Incomplete): Neighbor address resolution is in progress, but has not yet been determined.
REACH (Reachable): The neighbor is known to have been reachable recently.
STALE: A timeout has occurred for reachability of the neighbor, and an unsolicited discovery packet has been received from the neighbor address. If the path to the neighbor is then used successfully, this state is restored to REACH.
DELAY: Indicates waiting for a response to traffic sent recently to the neighbor address.
Example 18 Clearing the IPv6 neighbors cache
HP Switch(config)# clear ipv6 neighbors
HP Switch(config)# show ipv6 neighbors
IPv6 ND Cache Entries
IPv6 Address | MAC Address | State | Type | Port
--------------------------- | ------------- | ----- | ------- | ----
fe80::213:c4ff:fedd:14b0 | 000000-000000 | INCMP | dynamic | 1   [1]
[1] For an active-route next-hop, the MAC address and source port data is removed, and the State is set to “Incomplete” (INCMP) until the route is refreshed in the neighbor cache.
Example 19 Telnet to another device
To Telnet to another IPv6 device having a link-local address of fe80::215:60ff:fe79:8980 and on the same VLAN interface (VLAN 10), use the following command:
HP Switch(config)# telnet fe80::215:60ff:fe79:8980%vlan10
If the switch is receiving RAs from an IPv6 default gateway router, you can Telnet to a device on the same VLAN or on another VLAN or subnet by using its global unicast address.
Example 20 show telnet output with three sessions active
HP Switch# show telnet
Telnet Activity
---------------------------------------------------
Session : 1
Privilege: Manager
From : Console
To : 10.0.10.
This command shows the current configuration of IPv4 and IPv6 inbound Telnet permissions, as well as other information. For both protocols, the default setting allows inbound sessions.
Example 23 Configuring link-local and global unicast SNTP server addresses
To configure link-local and global unicast SNTP server addresses of:
• fe80::215:60ff:fe7a:adc0 (on VLAN 10, configured on the switch)
• 2001:db8::215:60ff:fe79:8980
as the priority "1" and "2" SNTP servers, respectively, using version 7, you would enter these commands at the global config level, as shown below.
Example 24 show sntp output with both an IPv6 and an IPv4 server address configured
The show sntp output for the preceding sntp server command example would appear as follows:
HP Switch(config)# show sntp
SNTP Configuration
Time Sync Mode: Sntp
SNTP Mode : Broadcast
Poll Interval (sec) [720] : 719
Priority | SNTP Server Address
-------- | -----------------------------------
1 | 2001:db8::215:60ff:fe79:8980
2 | 10.255.5.
NOTE:
Syntax: ip timep dhcp interval 1 - 9999
ip timep manual { ipv6-addr | ipv4-addr } [ interval 1 - 9999 ] [ oobm ]
Used at the global config level to configure a Timep server address.
NOTE: The switch allows one Timep server configuration.
timep dhcp Configures the switch to obtain the address of a Timep server from an IPv4 or IPv6 DHCP server.
timep manual Specifies static configuration of a Timep server address.
ipv6-addr Specifies the IPv6 address of an SNTP server. See the preceding Note.
Poll Interval (min) [ 720 ] Indicates the interval between consecutive time requests to the configured Timep server.
The no form of the command disables the client or server functionality.
Default: TFTP client and server functionality enabled
NOTE: To disable all TFTP client or server operation on the switch except for the auto-TFTP feature, enter the no tftp [ client | server ] command. To re-enable TFTP client or server operation, re-enter the tftp [ client | server ] command. (Entering no tftp without specifying client or server affects only the client functionality.)
config filename Copies the contents of a file on a remote host to a configuration file on the switch.
flash [ primary | secondary ] Copies a software file stored on a remote host to primary or secondary flash memory on the switch. To run a newly downloaded software image, enter the reload or boot system flash command.
pub-key-file Copies a public-key file to the switch.
startup-config Copies a configuration file on a remote host to the startup configuration file on the switch.
ipv6-addr If this is a link-local address, use this IPv6 address format: fe80::device-id%vlan vid. For example: fe80::123%vlan10. If this is a global unicast address, use this IPv6 format: ipv6-addr. For example: 2001:db8::123.
oobm For switches that have a separate OOBM port, specifies that the transfer will be through the OOBM interface. (Default is transfer through the data interface.)
SNMPv1 and v2c
Syntax: snmp-server host [ ipv6-addr | ipv4-addr ] [ community-name ] [ none | all | non-info | critical | debug ] [ inform [ retries count ] [ timeout interval ]]
Executed at the global config level to configure an SNMP trap receiver to receive SNMPv1 and SNMPv2c traps, SNMPv2c informs, and (optionally) Event Log messages.
Example 27 show snmp-server command output with IPv6 address
HP Switch(config)# show snmp-server
SNMP Communities
Community Name | MIB View | Write Access
-------------------- | -------- | ------------
public | Manager | Unrestricted
marker | Manager | Unrestricted

Trap Receivers
Link-Change Traps Enabled on Ports [All] : All
Traps Category
----------------------------
SNMP Authentication
Password change
Login failures
Port-Security
Authorization Server Contact
DHCP-Snooping
Dynamic ARP Protection
Address
--------------------
15
Example 28 snmpv3 targetaddress command output with IPv6 address
HP Switch(config)# show snmpv3 targetaddress
snmpTargetAddrTable [rfc2573]
Target Name
----------------
1
2
PP.217
PP.218
IP Address   [1]
----------------------
15.29.17.218
15.29.17.219
15.29.17.
subnet mask, and gateway address. All other configuration settings in the downloaded configuration file are applied. • If the switch's current IPv6 address for VLAN 1 was assigned from a DHCP server and not statically configured, IP preserve is suspended. The IPv6 addressing specified in the downloaded configuration file is implemented when the switch copies the file and reboots.
at the source verifying that traffic has been received at the destination. The neighbor cache retains data for a given neighbor until the entry times out. You can view and clear the contents of the neighbor cache using the commands described in this section. For more on this topic, see “Neighbor discovery” (page 30).

Clear the neighbor cache
When there is an event such as a topology change or an address change, the neighbor cache may have too many entries to allow efficient use.
TFTP file transfers over IPv6
You can use TFTP copy commands over IPv6 to upload or download files to and from a physically connected device or a remote TFTP server, including:
• Switch software
• Software images
• Switch configurations
• ACL command files
• Diagnostic data (crash data, crash log, and event log)
For information on how to configure TFTP file transfers between the switch and a TFTP server or other host device on the network, see the "File Transfers" appendix in the Management and Co
3 IPv6 Management Security Features

This chapter describes management security features that are IPv6 counterparts of IPv4 management security features on the switches.

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.
of FFFF is 1111 1111 1111 1111, where 1 requires the same "on" or "off" setting in an authorized address.)

Example 31 Configuring single station access
As shown in Table 2 (page 56), if you configure a link-local IPv6 address of FE80::202:B3FF:FE1E:8329 with a mask of FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF, only a station having an IPv6 address of FE80::202:B3FF:FE1E:8329 has management access to the switch.
Example 32 show ipv6 authorized-managers
HP Switch# show ipv6 authorized-managers
IPv6 Authorized Managers
--------------------------------------
Address : 2001:db8:0:7::5
Mask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Access : Manager

Address : 2001:db8::a:1c:e3:3
Mask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
Access : Manager

Address : 2001:db8::214:c2ff:fe4c:e480
Mask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Access : Manager

Address : 2001:db8::10
Mask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff00
Access : O
Example 33 Default IPv6 mask
HP Switch# ipv6 authorized-managers 2001:db8::a8:1c:e3:69
HP Switch# show ipv6 authorized-managers
IPv6 Authorized Managers
-------------------------
Address : 2001:db8::a8:1c:e3:69
Mask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Access : Manager
NOTE: If you do not enter a value for ipv6-mask in the ipv6 authorized-managers command, the default mask of FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF is applied.
Example 35 Deleting an authorized IP manager entry
HP Switch(config)# no ipv6 authorized-managers 2001:db8::231:17ff:fec5:3e61

Configuring SSH for IPv6
For more information on SSH configuration, see “Secure shell (SSH) for IPv6” (page 66). By default, SSH is automatically enabled for IPv4 and IPv6 connections on a switch.
mac MAC-type Allows configuration of the set of MACs that can be selected. Valid types are:
• hmac-md5
• hmac-sha1
• hmac-sha1-96
• hmac-md5-96
Default: All MAC types are available. Use the no form of the command to disable a MAC type.
port [ 1 - 65535 | default ] TCP port number used for SSH sessions in IPv4 and IPv6 connections. Default: 22. Valid port numbers are from 1 to 65535, except for port numbers 23, 49, 80, 280, 443, 1506, 1513, and 9999, which are reserved for other subsystems.
For more information on OOBM, see the "Network Out-of-Band Management" Appendix in the Management and Configuration Guide. The listen parameter is not available on switches that do not have a separate OOBM port. NOTE: For both IPv4 and IPv6, the switch supports only SSH version 2. You cannot set up an SSH session with a client device running SSH version 1.
Authorized IP managers for IPv6
The authorized IP managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network.
About using a mask to configure authorized management stations
The ipv6-mask parameter controls how the switch uses an IPv6 address to determine the IPv6 addresses of authorized manager stations on your network. For example, you can specify a mask that authorizes:
• Single station access
• Multiple station access
NOTE: Mask configuration is a method for determining the valid IPv6 addresses that are authorized for management access to the switch.
Example 37 Configuring multiple station access
Table 5 (page 64) shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.
Table 7 Mask for configuring a single authorized IPv6 manager station (continued)
Other authorized IPv6 addresses
1st block | 2nd block | 3rd block | 4th block | 5th block | 6th block | 7th block | 8th block
2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37C
2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37E
2001 | DB8 | 0000 | 0000 | 244 | 17FF | FEB6 | D37F

Table 2 (page 56) shows an example in which a mask is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D/64.
Table 9 (page 66) shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside.
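The mask rule used by Example 31, Example 37 and Tables 7 and 9 (a 1 bit in the mask requires the candidate address to carry the same bit as the configured address; a 0 bit may take either value) can be checked in code. The following Python is an added example, not part of the HP guide: it applies that rule to the address and mask from Example 37 with the standard ipaddress module; the function names and the first-match lookup order in lookup_access are this example's own assumptions.

```python
import ipaddress

# Mask the switch applies when ipv6 authorized-managers is entered without
# ipv6-mask (Example 33): every bit must match, so the entry admits one station.
DEFAULT_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"

# Address and mask from Example 37 / Table 7 of the guide.
EXAMPLE_ADDRESS = "2001:DB8:0000:0000:244:17FF:FEB6:D37D"
EXAMPLE_MASK = "FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC"


def _to_int(text):
    """Parse an IPv6 address, or a mask written in address notation, to an int."""
    return int(ipaddress.IPv6Address(text))


def mask_matches(candidate, authorized, mask=DEFAULT_MASK):
    """Authorized-managers rule: every 1 bit of the mask must agree between
    the candidate and the configured address; 0 bits are don't-care bits."""
    m = _to_int(mask)
    return (_to_int(candidate) & m) == (_to_int(authorized) & m)


def stations_admitted(mask):
    """Number of distinct addresses one entry admits: 2 ** (count of 0 bits)."""
    zero_bits = 128 - bin(_to_int(mask)).count("1")
    return 1 << zero_bits


def enumerate_authorized(authorized, mask, max_free_bits=8):
    """List every address an entry admits, in compressed lowercase notation.

    Refuses masks with many 0 bits, where the list would be too large to read.
    """
    m = _to_int(mask)
    free_bits = [bit for bit in range(128) if not (m >> bit) & 1]
    if len(free_bits) > max_free_bits:
        raise ValueError("mask leaves %d free bits; not enumerating" % len(free_bits))
    base = _to_int(authorized) & m
    result = []
    for combo in range(1 << len(free_bits)):
        value = base
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= 1 << bit
        result.append(str(ipaddress.IPv6Address(value)))
    return result


def lookup_access(candidate, table):
    """Return the access level of the first entry the candidate matches, else None.

    `table` is a list of (address, mask, access) tuples mirroring the fields of
    show ipv6 authorized-managers; an empty mask stands for the default mask.
    First-match ordering is an assumption of this example, not a statement
    about the switch's own lookup order.
    """
    for address, mask, access in table:
        if mask_matches(candidate, address, mask or DEFAULT_MASK):
            return access
    return None


if __name__ == "__main__":
    # The Example 37 mask frees 3 bits in the 4th block and 2 in the 8th.
    print("stations admitted:", stations_admitted(EXAMPLE_MASK))
    for addr in enumerate_authorized(EXAMPLE_ADDRESS, EXAMPLE_MASK):
        print(addr)
```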
SSH for IPv6 provides the same Telnet-like functions through encrypted, authenticated transactions as SSH for IPv4. SSH for IPv6 provides CLI (console) access and secure file transfer functionality. The following types of transactions are supported:
• Client public-key authentication: Public keys from SSH clients are stored on the switch. Access to the switch is granted only to a client whose private key matches a stored public key.
4 Multicast Listener Discovery (MLD) Snooping

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

Overview
Multicast addressing allows one-to-many or many-to-many communication among hosts on a network. Typical applications of multicast communication include audio and video streaming, desktop conferencing, collaborative computing, and similar applications. MLD is an IPv6 protocol used on a local link for multicast group management.
MLDv2 is disabled by default.
enable: Enables MLDv2 on a VLAN.
disable: Disables MLDv2 on a VLAN.
The last-saved or the default MLD configuration is saved, whichever is most recent.
The default value of the filter is auto. NOTE: This command must be issued in a VLAN context.
Example 41 Configuring the querier
To disable the switch from acting as querier on VLAN 8:
HP Switch(vlan-8)# no ipv6 mld querier
To enable the switch to act as querier on VLAN 8:
HP Switch(vlan-8)# ipv6 mld querier

Configuring the Query Interval
To specify the number of seconds between membership queries, enter this command with the desired interval.
Syntax: [no] ipv6 mld query-interval 60 - 31744
NOTE: This command must be issued in a VLAN context.
Default: 2
Example 44
To set the number of times to retry a query to 4 on ports on VLAN 8:
HP Switch(vlan-8)# ipv6 mld robustness 4

Configuring the Last Member Query Interval
You can specify the amount of time that the querier waits to receive a response from members to a group-specific query message by entering this command.
Syntax: [no] ipv6 mld last-member-query-interval 1 - 2
NOTE: This command must be issued in a VLAN context.
Syntax: [no] ipv6 mld fastleave port-list
Enables the fast leave function on the specified ports in a VLAN. The no form disables the fast leave function on the specified ports in a VLAN.
Default: Enabled
NOTE: This command must be issued in a VLAN context.
Example 49 Displaying the MLD Configuration for a VLAN on the Switch, Version 2:
HP Switch# show ipv6 mld vlan 8
MLD Service Protocol Info
VLAN ID : 8
Name : VLAN8
MLD Version : 2
MLD Interface State : Querier
Querier Address : fe80::218:71ff:fec4:2f00 [this switch]
Version : 2
Up Time : 0h:5m:3s
Expires : 1h:14m:55s
Ports with multicast routers :
Active Group Addresses | Tracking | Vers | Mode
-------------------------- | -------- | ---- | ----
ff3e:30:2001:db8:8:0:7:101 | Filtered | 2 | E
ff3e:30:2001:db8:8:0:7:102 | Standard | 2 |
Example 51 Configuring the current MLD
The general form of the command might look like this:
HP Switch# show ipv6 mld config
MLD Service Config
Control Unknown Multicast : Yes
Forced Fast Leave Timeout (deci-seconds) : 4 deci-seconds
VLAN ID | VLAN NAME | MLD Enabled | Querier Allowed | MLD Version
------- | --------- | ----------- | --------------- | -----------
8 | VLAN8 | Yes | Yes | 2
9 | VLAN9 | Yes | Yes | 1

Listing ports currently joined
Syntax: show ipv6 mld vlan vid group
Lists the ports currently joined for all IPv6 multicast group
Example 52 Ports Joined to Multicast Groups in a Specific VLAN, Version 1
The general form of the command is:
HP Switch# show ipv6 mld vlan 9 group ff33::00
MLD Service Protocol Group Info
VLAN ID : 9
VLAN Name : VLAN9
Group Address : ff33::
Last Reporter : fe80::7061:4b38:dbea:2c4f
Group Type : Filtered
Port | Uptime | Expires
---- | --------- | ---------
3 | 1h 45m | 4m 34s
5 | 1h 9m | 4m 34s
. . .
Viewing MLD statistics
Syntax: show ipv6 mld statistics
Shows MLD statistics for all MLD-enabled VLANs.
show ipv6 mld vlan vid statistics
Shows MLD statistics for the specified VLAN.
vid VLAN ID
The general form of the command shows the total number of MLD-enabled VLANs and a count of multicast groups currently joined. Both forms of the command show VLAN IDs and names, as well as the number of filtered and standard multicast groups and the total number of multicast groups.
Example 54 MLD Statistics for all VLANs Configured, Version 2
HP Switch# show ipv6 mld statistics
MLD Service Statistics
Multicast Groups Joined : 4 (EXCLUDE Mode : 2 INCLUDE Mode : 2)
MLD Joined Groups Statistics
VLAN ID | VLAN NAME | filtered | standard | total
------- | --------- | -------- | -------- | -----
8 | VLAN8 | 2 | 0 | 2
9 | VLAN9 | 2 | 0 | 2

Example 55 MLD Statistics for a Single VLAN, Version 2
HP Switch# show ipv6 mld vlan 8 statistics
MLD Statistics
VLAN ID : 8
VLAN NAME: VLAN8
Number of Filtered Groups : 4
Number of Sta
Example 57 MLD counters for a single VLAN

HP Switch# show ipv6 mld vlan 8 counters

 MLD Service Vlan Counters

  VLAN ID : 8
  Name : VLAN8

                                    Rx    Tx
                                    ---   ---
  V1 All Hosts Query                55    888
  V2 All Hosts Query                0     0
  V1 Group Specific Query           0     0
  V2 Group Specific Query           0     0
  Group and Source Specific Query   0     0
  V2 Member Report                  15    0
  V1 Member Join                    15    0
  V1 Member Leave                   30    0
  Forward to Routers                83    0
  Forward to VLAN                   48    0

  Errors:
  Unknown MLD Type    2
  Unknown Packet      3
  Malformed Packet    0
  Bad Checksum        0
  Martian Source      0
  Packet Received on
For example, if several employees engage in a desktop conference across the network, they all need application software on their computers. At the start of the conference, the software on all the computers determines a multicast address of, for example, FF3E:30:2001:DB8::101 for the conference. Then any traffic sent to that address can be received by all computers listening on that address.

General operation

Multicast communication can take place without MLD, and by default, MLD is disabled.
Figure 2 With MLD snooping, traffic is sent to MLD hosts
[Diagram: a source, a switch with MLD snooping enabled, and two listeners (MLD hosts).]

MLD snooping operates on a single VLAN (though there can be multiple VLANs, each running MLD snooping). Cross-VLAN traffic is handled by a multicast router.

Forwarding in MLD snooping

When MLD snooping is active, a multicast packet is handled by the switch as shown in the following list.
Forward
   The switch forwards all IPv6 multicast packets through the port. This includes IPv6 multicast data and MLD protocol packets.
Block
   The switch drops all MLD packets received by the port and blocks all outgoing IPv6 multicast packets through the port, except those packets destined for well-known IPv6 multicast addresses. This has the effect of preventing IPv6 multicast traffic from moving through the port.
Fast leaves and forced fast leaves

The fast leave and forced fast leave functions can help to prune unnecessary multicast traffic when an MLD host issues a leave request from a multicast address. Fast leave is enabled by default, and forced fast leave is disabled by default. Both functions are applied to individual ports.
• Ports with multicast routers
   Ports on the VLAN that lead toward multicast routers (if any).
• Multicast group address information
   For each active group on the VLAN, including:
   • Multicast group address.
   • Type of tracking for multicast joins: standard or filtered.
      • If MLD snooping is enabled, port-level tracking results in filtered groups.
      • If MLD snooping is not enabled, joins result in standard groups being tracked by this device.
Example 58 MLD configuration for a specific VLAN

HP Switch# show ipv6 mld vlan 8 config

 MLD Service Vlan Config

  VLAN ID :
  VLAN NAME :
  MLD Enable :
  Querier Allowed :
  MLD Version :
  Strict Mode :
  Last Member Query Interval(seconds):
  Query Interval(seconds) :
  Query Max.
• whether Forced Fast Leave is enabled or disabled
• whether Fast Leave is enabled or disabled
• whether Fast Learn is enabled or disabled - not in sw commands

Counters

The following information is shown:
• VLAN number and name
• For each VLAN, number of:
   ◦ general queries (MLDv1) received and sent
   ◦ general queries (MLDv2) received and sent
   ◦ version 1 group-specific queries received and sent
   ◦ version 2 group-specific queries received and sent
   ◦ group and source-specific querie
5 IPv6 Access Control Lists (ACLs)

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

Introduction

An access control list (ACL) contains one or more access control entries (ACEs) specifying the criteria the switch uses to either permit (forward) or deny (drop) IP packets traversing the switch's interfaces.
The ACLs described in this chapter can filter IPv6 traffic to or from a host, a group of contiguous hosts, or entire subnets.

CAUTION: The ACLs described in this chapter can enhance network security by blocking selected IPv6 traffic and can serve as part of your network security program. However, because ACLs do not provide user or device authentication or protection from malicious manipulation of data carried in IPv6 packet transmissions, they should not be relied upon for a complete security solution.
1 TCP only.
2 TCP flag (control bit) options for destination TCP.
3 The log function applies to both "deny" and "permit" ACLs, and generates a message when there is either a "deny" match or a "permit" match.
An IPv6 ACL includes Layer 3 IPv6 source and destination criteria and IPv6 protocol-specific criteria. IPv6 ACLs can be applied in any of the following ways:

RACL
   An ACL assigned to filter routed IPv6 traffic entering or leaving the switch on a VLAN or tunnel. (Separate assignments are required for inbound and outbound IPv6 traffic.
Empty ACL
   An ACL that is not populated with any explicit ACEs, and functions only as a placeholder. An ACL exists in this state if any one of the following occurs:
   • An ACL identifier has been created in the running config file with the ipv6 access-list [ name-str ] command, but no explicit ACEs exist in the ACL.
   • An ACL identifier has been assigned to an interface without first populating the ACL with ACEs.
name-str
   The term used in ACL syntax statements to represent the "name string"; the alphanumeric string used to identify the ACL. A name string allows up to 64 alphanumeric characters. See also identifier, ACL ID.
Outbound Traffic
   For defining the points where the switch applies an RACL (Routed ACL) to filter traffic, outbound traffic is routed traffic leaving the switch through an IP routing interface (or a subnet in a multinetted VLAN).
bits—those to the right of the bits specified by the prefix length—comprise a wildcard and can be either on or off. See also Prefix Length.

Overview

Types of IPv6 ACLs

A permit or deny policy for IPv6 traffic you want to filter is based on source and destination IPv6 address, plus other IPv6 protocol factors such as TCP/UDP, ICMP, and DSCP.

Concurrent IPv4 and IPv6 ACLs

The switches support concurrent configuration and operation of IPv4 and IPv6 ACLs.
Example 59 RACL filter applications on routed IPv6 Traffic

In Figure 3 (page 94):
• You would assign either an inbound ACL on VLAN 1 or an outbound ACL on VLAN 2 to filter a packet routed between subnets on different VLANs, that is, a packet sent from the workstation 2001:db8:0:111::2 on VLAN 1 to the server at 2001:db8:0:222::25 on VLAN 2. (An outbound ACL on VLAN 1 or an inbound ACL on VLAN 2 would not filter the packet.
Example 60 VACL filter applications on IPv6 traffic

In Figure 4 (page 95), you would assign a VACL to VLAN 2 to filter all inbound switched or routed IPv6 traffic received from clients on the 2001:db8:0:222:: network. In this instance, routed IPv6 traffic received on VLAN 2 from VLANs 1 or 3 would not be filtered by the VACL on VLAN 2.

Figure 4 Example of VACL filter applications on IPv6 traffic entering the switch

NOTE: The switch allows one IPv6 VACL assignment configured per VLAN.
RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. For example, in Figure 5 (page 96), clients A through D authenticate through the same port (B1) on an HP switch running software release K.14.01 or greater.

Figure 5 Example of Multiple Clients Authenticating Through a Single Port HP Switch Running K.14.
chapter "Configuring RADIUS Server Support for Switch Services" in the latest Access Security Guide for your switch.
• To support authentication of IPv6 clients:
   • The VLAN to which the port belongs must be configured with an IPv6 address.
   • Connection to an IPv6-capable RADIUS server must be supported.
• For 802.1X or MAC authentication methods, clients can authenticate regardless of their IP version (IPv4 or IPv6).
• For the web authentication method, clients must authenticate using IPv4.
4 Be permitted by a VACL configured on a VLAN to which the port is assigned.(1)
5 Be permitted by a PACL assigned to the port.(1)
6 For IPv4 traffic only, be permitted by a RACL assigned inbound to the port, if the traffic is subject to RACL rules.

1 IPv4 VACLs and PACLs ignore IPv6 traffic, and the reverse.
NOTE: Software release K.15.01 supports connection-rate ACLs for inbound IPv4 traffic, but not for IPv6 traffic.

In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL (except when the traffic has a destination on the switch itself).
General steps for planning and configuring ACLs

1. Identify the ACL action to apply. Determine the best points at which to apply specific ACL controls. For example, you can improve network performance by filtering unwanted IPv6 traffic at the edge of the network instead of in the core. Also, on the switch itself, you can improve performance by filtering unwanted IPv6 traffic where it is inbound to the switch instead of outbound.
IPv6 routing: To activate an IPv6 RACL to screen inbound traffic for routing between subnets, assign the RACL to the statically configured VLAN on which the traffic enters the switch. Also, ensure that IPv6 routing is enabled. Similarly, to activate an IPv6 RACL to screen routed, outbound traffic, assign the RACL to the statically configured VLAN on which the traffic exits from the switch.
Packet-filtering process

When an ACL filters a packet, it sequentially compares each ACE's filtering criteria to the corresponding data in the packet until it finds a match. The action indicated by the matching ACE (deny or permit) is then performed on the packet.

Figure 7 Packet-filtering process in an ACL with N entries (ACEs)
[Flowchart: test a packet against the criteria in the first ACE; is there a match?]

1. If a match is not found with the first ACE in an ACL, the switch proceeds to the next ACE and so on.
The following ACL, when assigned to filter inbound traffic on VLAN 100, supports the above case:

Example 61 How an ACL filters packets

ipv6 access-list "Test-02"
   10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
   20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
   30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
   40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
   (Implicit Deny Any Any)

Line 10  Permits IPv6 traffic from 2001:db8:0:fb::11:42.
NOTE: IPv6 traffic entering the switch on a given interface is filtered by the ACLs configured for inbound traffic on that interface. For this reason, an inbound packet is denied (dropped) if it has a match with an implicit (or explicit) deny ipv6 any any in any of the inbound ACLs applied to the interface. (This does not apply to IPv6 traffic leaving the switch, because only one type of ACL—RACL—can be applied to outbound traffic, and only to routed IPv6 traffic.
of an ACL. This means that IPv6 traffic not specifically matched by earlier entries in the list will be permitted.

Security

ACLs can enhance security by blocking IPv6 traffic carrying an unauthorized source IPv6 address.
ACL configuration and operating rules

RACLs and routed IPv6 traffic

Except for IPv6 traffic with a DA on the switch itself, RACLs filter only routed IPv6 traffic that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch, there is no routed IPv6 traffic for RACLs to filter.
"Test-02" replaces VACL "Test-01" as the ACL to use. For example, if you assign an RACL named "Test-01" to filter inbound routed IPv6 traffic on VLAN 20, but later you assign another RACL named "Test-02" to filter inbound routed IPv6 traffic on this same VLAN, RACL "Test-02" replaces RACL "Test-01" as the ACL to use.

Static port ACLs

These are applied per port, per port list, or per static trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member.
packet's SA and DA must be an exact match with the same bits in an ACE. The bits to the right of the prefix are "wildcards" and are not used to determine a match.
Prefix usage differences between ACLs and other IPv6 addressing

For ACLs, the prefix is used to specify the leftmost bits in an address that are meaningful for a packet match. In other IPv6 usage, the prefix separates network and subnet values from the device identifier in an address.
Permit/deny options

You can use the following criteria as options for permitting or denying a packet:
• Source IPv6 address
• Destination IPv6 address
• IPv6 protocol options:
   • All IPv6 traffic
   • IPv6 traffic of a specific protocol type (0 to 255)
   • IPv6 traffic for a specific TCP port or range of ports, including:
      • Optional control of connection (established) traffic based on whether the initial request should be allowed
      • TCP flag (control bit) options
   • IPv6 traffic for a specific UDP po
entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
[ remark remark-str ]
permit | deny
   0 - 255 | esp | ah | sctp | icmp
      SA [ operator value ] DA [ operator value ] [ type [ code ] | icmp-msg ] [ dscp | precedence ]
   ipv6 | tcp
      SA [ operator value ] DA [ operator value ] [ dscp codepoint | precedence ] [ established ] [ ack | fin | rst | syn ]
   udp
      SA [ operator value ] DA [ operator value ]
   [ log ]   (Allowed only with "deny" or "permit" ACEs.)
. . .
ACL configuration factors

The sequence of entries in an ACL is significant

When the switch uses an ACL to determine whether to permit or deny a packet, it compares the packet to the criteria specified in the individual ACEs in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet.
Line #   Action
50       Any packet from any IPv6 source address to any IPv6 destination address will be permitted (forwarded). The only traffic filtered by this ACE will be packets not specifically permitted or denied by the earlier ACEs.
N/A      The implicit deny (deny ipv6 any any) is a function the switch automatically adds as the last action in all IPv6 ACLs. It denies (drops) traffic from any source to any destination that has not found a match with earlier entries in the ACL.
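The sequential first-match process and implicit deny described above, carried through in a small Python model (an added illustration, not HP switch code). It parses ACEs in the listing syntax this chapter uses, evaluates the "Test-02" ACL from Example 61 against constructed sample packets, and includes a renumbering helper modelled on the resequence command used later in the chapter; the Packet fields and all sample addresses other than those from Test-02 are assumptions.

```python
"""First-match evaluation of an IPv6 ACL, modelled on this chapter's description.

Added illustration, not HP switch code. ACE lines follow the listing syntax
    seq permit|deny proto SA [op port] DA [op port] [established] [log]
and the packets fed to evaluate() are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Number of values each comparison operator takes.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ipv6" (any protocol), "tcp", "udp", "icmp", or "0".."255"
    src: ipaddress.IPv6Network      # prefix length = leftmost bits that must match
    src_port: Optional[Tuple]       # e.g. ("eq", 23) or ("range", 161, 162); None = any
    dst: ipaddress.IPv6Network
    dst_port: Optional[Tuple]
    established: bool = False
    log: bool = False


@dataclass(frozen=True)
class Packet:                       # assumed packet summary, not a switch structure
    src: str
    dst: str
    proto: str
    src_port: int = 0
    dst_port: int = 0
    syn_only: bool = False          # the synchronizing packet that opens a new TCP connection


def _take_port(tokens, i):
    """Parse an optional [operator value] at tokens[i]; return (spec, next index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return (tokens[i], *[int(v) for v in tokens[i + 1:i + 1 + n]]), i + 1 + n
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one ACE line as shown by 'show access-list <id> config'."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src = ipaddress.IPv6Network(t[3], strict=False)
    sport, i = _take_port(t, 4)
    dst = ipaddress.IPv6Network(t[i], strict=False)
    dport, i = _take_port(t, i + 1)
    flags = set(t[i:])
    return Ace(seq, action, proto, src, sport, dst, dport,
               "established" in flags, "log" in flags)


def load_acl(text: str):
    return [parse_ace(line) for line in text.strip().splitlines()]


def _port_ok(spec, port) -> bool:
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    if op == "range":
        return a <= port <= spec[2]
    return {"eq": port == a, "neq": port != a, "lt": port < a, "gt": port > a}[op]


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if (ipaddress.IPv6Address(pkt.src) not in ace.src
            or ipaddress.IPv6Address(pkt.dst) not in ace.dst):
        return False
    if ace.proto in ("tcp", "udp") and not (
            _port_ok(ace.src_port, pkt.src_port) and _port_ok(ace.dst_port, pkt.dst_port)):
        return False
    # "established" never matches the SYN of a new connection (chapter text).
    return not (ace.established and pkt.syn_only)


def evaluate(acl, pkt: Packet):
    """Return (action, seq) of the first matching ACE; ("deny", None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if ace_matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def resequence(acl, start=10, interval=10):
    """Renumber the ACEs in list order, as the resequence command does."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [replace(a, seq=start + n * interval) for n, a in enumerate(ordered)]


# ACL "Test-02" from Example 61 in this chapter.
TEST_02 = """\
10 permit ipv6 2001:db8:0:fb::11:42/128 ::/0
20 deny tcp 2001:db8:0:fb::11:101/128 eq 23 ::/0
30 permit ipv6 2001:db8:0:fb::11:101/128 ::/0
40 permit tcp 2001:db8:0:fb::11:33/128 ::/0 eq 23
"""

if __name__ == "__main__":
    # Constructed sample: a Telnet reply (source port 23) from ::11:101 hits line 20.
    reply = Packet("2001:db8:0:fb::11:101", "2001:db8::1", "tcp", 23, 40000)
    print(evaluate(load_acl(TEST_02), reply))
```

Swapping lines 20 and 30 in the text and re-running shows why sequence matters: the same Telnet reply is then permitted by the ipv6 ACE before the tcp deny is ever consulted.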
2. Enter the text of the ACE without specifying a sequence number. For example, the following pair of commands enter the context of an ACL named "List-1" and add a "permit" ACE to the end of the list. This new ACE permits the IPv6 traffic from the device at 2001:db8:0:a9:8d:100 to go to all destinations.
Example 66 Entering the ACL context

HP Switch(config)# ipv6 access-list Sample-List
HP Switch(config-ipv6-acl)#

Configuring ACEs in an ACL

Configuring ACEs is done after using the ipv6 access-list ascii-str command described on page 115 to enter the IPv6 ACL (ipv6_acl) context of an ACL.
host SA
   Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv6 packets from a single SA.
SA prefix-length
   Specifies packets received from one or more contiguous subnets or contiguous addresses within a single subnet. The prefix length is in CIDR format and defines the number of leftmost bits to use in determining a match. See "Using CIDR notation to enter the IPv6 ACL prefix length" (page 153).
AF     DSCP Match
af13   001110
af21   010010
af22   010100
af23   010110
af31   011010
af32   011100
af33   011110
af41   100010
af42   100100
af43   100110

Default
   Matches with the 000000 (default) DSCP.
ef
   Expedited forwarding (EF; 000000) DSCP match.
precedence
   Supports selection of a precedence setting in the DSCP.
Table 12 DSCP codepoints with decimal equivalents (continued)

DSCP bits  Decimal   DSCP bits  Decimal   DSCP bits  Decimal
000011     3         011001     25        101110     46 (71)
000100     4         011010     26 (42)   101111     47
000101     5         011011     27        110000     48
000110     6         011100     28 (42)   110001     49
000111     7         011101     29        110010     50
001000     8         011110     30 (52)   110011     51
001001     9         011111     31        110100     52
001010     10 (12)   100000     32        110101     53
001011     11        100001     33        110110     54
001100     12 (12)   100010     34 (62)   110111     55
   #deny tcp host fe80::119 eq 23 host fe80::155 established
   #permit tcp host 2001:db8::10.100 host 2001:db8::15:12 eq telnet
   #deny udp 2001:db8::ad5:1f4 host 2001:db8::ad0:ff3 range 161 162

[ comparison-operator tcp/udp-src-port ]
   To specify a TCP or UDP source port number in an ACE:
   1. Select a comparison operator from the following list.
   2. Enter the port number or a well-known port name.
Comparison operators and well-known port names
   These are the same as those used with the TCP/UDP source-port options and are listed earlier in this command description.

[ established ]
   This option applies only where TCP is the configured IPv6 protocol type. It blocks the synchronizing packet associated with establishing a new TCP connection, while allowing all other IPv6 traffic for existing connections.
Example 67 Showing two ACEs entered in an ACL context:

   #permit icmp any any 1 3
   #permit icmp any any destination-unreachable

[ icmp-type [ icmp-code ]]
   This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.
   • icmp-type—This value is in the range of 0 to 255 and corresponds to an ICMP packet type.
   • icmp-code—This value corresponds to an ICMP code for an ICMP packet type.
Assigns an ACL to a VLAN as an RACL to filter routed IP traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove an RACL.
   vid  VLAN identification number
   tunnel tunnel-id  Tunnel Identification
   identifier  The alphanumeric name by which the ACL can be accessed.
Assigns an ACL as a VACL to a VLAN to filter switched or routed IPv6 traffic entering the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove a VACL.
   vid  VLAN identification number.
   identifier  The alphanumeric name by which the ACL can be accessed. An identifier can have up to 64 characters.
The no form of the command removes the ACL assignment from the interface.

NOTE: The switch allows you to assign an "empty" ACL identifier to a VLAN.
NOTE: The switch allows you to assign an "empty" ACL identifier to an interface. If you later populate the empty ACL with one or more ACEs, it automatically becomes active on the assigned interfaces. Also, if you delete an assigned ACL from the running config file without also using the no form of this command to remove the assignment to an interface, the ACL assignment remains and automatically activates any new ACL you create with the same identifier.
   1 - 2147483647  The range of valid sequence numbers for an ACL.
   ipv6-ACE-criteria  The various traffic selection options described earlier in this chapter.

NOTE: Entering an ACE that would result in an out-of-range sequence number is not allowed. Use the resequence command to free up ACE numbering availability in the ACL.

Example 71 Inserting a New ACE in an Existing ACL

From the global configuration context:
1.
2. From within the context of an IPv6 ACL named "List-01", insert a new ACE between two existing ACEs. In this example, the first command creates a new ACL and enters the ACL context. The next two ACEs entered become lines 10 and 20 in the list. The third ACE entered is inserted between lines 10 and 20 by using the sequence command with a sequence number of 11.
Example 72 Deleting an ACE from an IPv6 ACL

HP Switch(config)# show access-list My-List config              (1)
ipv6 access-list "My-List"
   10 permit ipv6 fe80::100/128 ::/0
   20 deny ipv6 fe80::110/128 fe80::/124
   30 deny ipv6 fe80::111/128 fe80::/124
   40 permit ipv6 ::/0 ::/0
   exit
HP Switch(config)# ipv6 access-list My-List                     (2)
HP Switch(config-ipv6-acl)# no 30                               (3)
HP Switch(config-ipv6-acl)# show access-list My-List config     (4)
ipv6 access-list "My-List"
   10 permit ipv6 fe80::100/128 ::/0
   20 deny ipv6 fe80::110/128 fe80::/124
   40 permit ipv6 ::/0 ::/0
   exit
Example 73 Viewing and Resequencing an ACL This example resequences the "My-List" ACL at the bottom of Example 72 (page 128) so that the list begins with line 100 and uses a sequence interval of 100.
The no form of the command deletes the indicated remark, but does not affect the related ACE.

Appending remarks and related ACEs to the end of an ACL

To include a remark for an ACE that will be appended to the end of the current ACL:
1. Enter the remark first.
2. Then enter the related ACE.
This results in the remark and the subsequent ACE having the same sequence number.
The above two commands insert a remark with its corresponding ACE (same sequence number) between two previously configured ACEs.

Inserting a remark for an ACE that already exists in an ACL

If an ACE already exists in a given ACL, you can insert a remark for that ACE by simply configuring the remark to have the same sequence number as the ACE.

Replacing an existing remark

1. Use ipv6 access-list identifier to enter the desired ACL context.
2.
   130 permit ipv6 ::/0 ::/0
   exit

• Entering either an unnumbered remark followed by a manually numbered ACE (using 1 - 2147483647), or the reverse (an unnumbered ACE followed by a manually numbered remark) can result in an "orphan" remark.
• Configuring two remarks without including either sequence numbers or an intervening, unnumbered ACE results in the second remark overwriting the first.
ACL Commands                                  Function                                                                                         Page
show access-list resources                    Displays the currently available per-slot resource availability. See appendix "Monitoring         n/a
                                              Resources" in the current Management and Configuration Guide for your switch.
show access-list radius [ all | port-list ]   Lists the IPv4 and IPv6 RADIUS ACLs currently assigned for either all ports and trunks, or for
                                              the specified ports and/or trunks.
HP Switch(config)# show access-list

 Access Control Lists

  Type  Appl  Name
  ----  ----  ------------------------
  ext   yes   101                (1)
  std   yes   55                 (2)
  ext   yes   Marketing          (3)
  ipv6  no    Accounting         (4)
  ipv6  no    List-01-Inbound    (5)
  ipv6  yes   List-02-Outbound
  ipv6  yes   Test-1

1 IPv4
2
3
4
5 These ACLs exist in the configuration but are not applied to any interfaces and thus do not affect traffic.

Term   Meaning
Type   Shows whether the listed ACL is an IPv6 (ipv6) ACL or one of two IPv4 ACL types:
       • std (Standard; source-address only)
       • ex
Example 77 An ACL configured syntax listing

HP Switch(config)# show access-list config
ip access-list extended "101"
   10 permit tcp 10.30.133.27 0.0.0.0 0.0.0.0 255.255.255.255
   20 permit tcp 10.30.155.101 0.0.0.0 0.0.0.0 255.255.255.255
   30 deny ip 10.30.133.1 0.0.0.0 0.0.0.0 255.255.255.255 log
   40 deny ip 10.30.155.1 0.0.0.255 0.0.0.0 255.255.255.
Example 78 Displaying the IPv4 and IPv6 VACL assignments for a VLAN The following output shows that all inbound IPv6 traffic and the inbound and outbound, routed IPv4 traffic are all filtered on VLAN 20.
Example 79 Viewing the IPv4 and IPv6 RACL and VACL assignments for a VLAN The following output shows that inbound, routed IPv6 traffic and outbound, routed IPv4 traffic are both filtered on VLAN 20.
Example 80 Viewing static port (and trunk) ACL assignments

The following output shows IPv4 and IPv6 ACLs configured on various ports and trunks on the switch:

HP Switch(config)# show access-list ports all

 Access Lists for Port 1                       (1)
   Inbound Ipv6: List-01-Inbound

 Access Lists for Port 12                      (2)
   Inbound : 101
     Type : Extended
   Inbound Ipv6: Accounting

 Access Lists for Port Trk2                    (3)
   Inbound Ipv6: Accounting

 Access Lists for Port Trk5                    (4)
   Inbound : Marketing
     Type : Extended

1 An IPv6 ACL is filtering inbound t
Example 81 Viewing the content of a specific ACL

Suppose you configured the following two ACLs in the switch:

Identifier   Type            Desired action
Accounting   IPv6            • Permit Telnet traffic from these two IPv6 addresses:
                               • 2001:db8:0:1af::10:14
                               • 2001:db8:0:1af::10:24
                             • Deny Telnet traffic from all other devices in the same subnet.
                             • Permit all other IPv6 traffic from the subnet.
                             • Deny and log any IPv6 traffic from any other source.
List-120     IPv4 Extended   • Permit any TCP traffic from 10.30.133.
Example 82 Listing an IPv6 ACL

HP Switch(config)# show access-list Accounting

 Access Control Lists

  Name: Accounting
  Type: ipv6
  Applied: Yes                                      (1)

  SEQ  Entry
  ---  --------------------------------------------------------
  10   Action: permit
       Remark: Telnet Allowed                       (2)
       Src IP: 2001:db8:0:1af::10:14                (3)
       Prefix Len: 128                              (4)
       Dst IP: ::                                   (5)
       Prefix Len: 0                                (6)
       Src Port(s):                                 (7)
       Dst Port(s): eq 23                           (8)
       Proto : TCP   Option(s):                     (9)
       Dscp :                                       (10)
  20   Action: permit
       Src IP: 2001:db8:0:1af::10:23
       Dst IP: ::
       Src Port(s):
       Dst Port(s): eq 23
       Proto : TCP
  30
  40
Example 83 Listing an IPv4 extended ACL

HP Switch(config)# show access-list List-120

 Access Control Lists

  Name: List-120
  Type: Extended
  Applied: No                                                   (1)

  SEQ  Entry
  ---  ----------------------------------------------------------
  10   Action: permit                                           (2)
       Remark: Telnet Allowed                                   (3)
       Src IP: 10.30.133.27   Mask: 0.0.0.0           Port(s): eq 23   (4)
       Dst IP: 0.0.0.0        Mask: 255.255.255.255   Port(s):         (5)
       Proto : TCP (Established)                                (6)
       TOS : Precedence: routine                                (7)
  20   Action: deny (log)
       Src IP: 10.30.133.1 0.0.0.
       Dst IP:
       Proto :
       TOS :
Example 84 An ACL listed with the config option

Port-1(config)# show access-list List-120 config
ip access-list extended "List-120"
   10 remark "Telnet Allowed"
   10 permit tcp 10.30.133.27 0.0.0.0 eq 23 0.0.0.0 255.255.255.255 precedence 0 established
   20 deny ip 10.30.133.1 0.0.0.255 0.0.0.0 255.255.255.255 log
   30 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit

Table 13 Descriptions of data types included in show access-list acl-id output

Field   Description
Name    The ACL identifier.
Creating or editing an ACL offline Using the CLI to edit an ACL is applicable in most cases where the ACL is short or there is only a minor editing task to perform. The offline method provides a useful alternative to using the CLI for creating or extensively editing a large ACL. For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method.
Example of using the offline process

Suppose that you want to create an IPv6 ACL for a VACL or RACL application and download it to a switch from a TFTP server at FE80::1ad:17.
1. You would create a .txt file with the content shown in Example 84 (page 142).
2. After you copy the above .
Example 87 Verifying the .txt file download to the switch

HP Switch(config)# show run
 . . .
ipv6 access-list "acl-001"
   10 remark "Telnet Denied Here"
   10 deny tcp ::/0 ::/0 eq 23
   30 deny tcp ::/0 ::/0 log
   40 deny icmp ::/0 ::/0 134
   50 deny icmp ::/0 ::/0 133
   60 permit ipv6 ::/0 ::/0
   exit
 . . .
vlan 20
   ipv6 access-group "acl-001" vlan     (1)
   ipv6 access-group "acl-001" in
   exit
 . . .

1 As a part of the instruction set included in the .
Example 88 Enabling ACL logging on the switch

Suppose that you want to configure the following on a switch receiving IPv6 traffic and configured for IPv4 routing:
• For port B1 on VLAN 10, configure an IPv6 ACL with an ACL-ID of "NO-TELNET" and use the PACL in option to deny Telnet traffic entering the switch from IP address FE80::10:3.
• Configure the switch to send an ACL log message to the current console session and to a syslog server at 10.10.50.
ipv6 access-list "NO-TELNET"
   10 remark "deny fe80::10:3 TELNET TRAFFIC"
   10 deny tcp fe80::10:3/128 ::/0 eq 23 log
   20 permit ipv6 ::/0 ::/0
   exit

1 Assigns the ACL named "NO-TELNET" as a VACL to filter Telnet traffic from FE80::10:3 entering the switch on VLAN 10.
Example 90 ACL log application

Suppose that you want to configure the following operation:
• For VLAN 10, configure an ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from IP address 2001:db8:0:4b1::10:3 to any routed destination. (This assignment will not filter Telnet traffic from 2001:db8:0:4b1::10:3 to destinations on VLAN 10 itself.
event acl log
HP Switch(config)# show access-list config
ipv6 access-list "NO-TELNET"
   10 remark "deny TELNET TRAFFIC IN"
   10 deny tcp 2001:db8:0:4b1::10:3/128 ::/0 eq 23 log
   20 permit ipv6 ::/0 ::/0
   exit

1 Assigns the ACL named "NO-TELNET" as an RACL to filter routed Telnet traffic from 2001:db8:0:4b1::10:3 entering the switch on VLAN 10.

Monitoring static ACL performance

ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switc
Example 92 Both IPv6 and IPv4 ACL activity

HP Switch# show statistics aclv6 IPV6-ACL vlan 20 vlan

 HitCounts for ACL IPV6-ACL
 Total
 (    12)  10 permit icmp ::/0 fe80::20:2/128 128
 (     6)  20 deny tcp ::/0 fe80::20:2/128 eq 23 log
 (    41)  30 permit ipv6 ::/0 ::/0

HP Switch# show statistics aclv4 102 vlan 20 vlan

 HitCounts for ACL 102
 Total   Delta
 (     4)  10 permit icmp 10.10.20.3 0.0.0.0 10.10.20.2 0.0.0.0 8
 (     8)  20 deny icmp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 8
 (     2)  30 permit tcp 10.10.20.3 0.0.0.255 10.10.20.
Example 94 IPv6 ACL performance monitoring output

HP Switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02
 Total
 (     5)  10 permit icmp ::/0 fe80::20:2/128 128
 (     4)  20 permit icmp ::/0 fe80::20:3/128 128
 (   136)  30 permit tcp fe80::20:1/128 ::/0 eq 23
 (     2)  40 deny icmp ::/0 fe80::20:1/128 128
 (    10)  50 deny tcp ::/0 ::/0 eq 23
 (     8)  60 deny icmp ::/0 ::/0 133
 (   155)  70 permit ipv6 ::/0 ::/0

Example 95 (page 151) shows a sample of performance monitoring output for an IPv4 ACL assigned as a VA
Example 96 IPv6 ACL performance monitoring output

HP Switch# show statistics aclv6 V6-02 vlan 20 vlan

 HitCounts for ACL V6-02
 Total
 (     5)  10 permit icmp ::/0 fe80::20:2/128 128
 (     4)  20 permit icmp ::/0 fe80::20:3/128 128
 (   136)  30 permit tcp fe80::20:1/128 ::/0 eq 23
 (     2)  40 deny icmp ::/0 fe80::20:1/128 128
 (    10)  50 deny tcp ::/0 ::/0 eq 23
 (     8)  60 deny icmp ::/0 ::/0 133
 (   155)  70 permit ipv6 ::/0 ::/0

HP Switch# clear statistics aclv6 V6-02 vlan 20 vlan
HP Switch# show statistics aclv6 V6-02 vlan 20 vl
RADIUS-assigned ACLs A RADIUS-assigned ACL for filtering traffic from a specific client or group of clients is configured on a RADIUS server. When the server authenticates a client associated with that ACL, the ACL is assigned to filter the inbound IP traffic received from the authenticated client through the port on which the client is connected to the switch.
• Filtering for TCP traffic based on whether the subject traffic is initiating a connection ("established" option)
• Optional DSCP (IP precedence and ToS) criteria

The switch allows up to 2048 ACLs each for IPv4 and IPv6 (with RADIUS-based ACL resources drawn from the IPv4 allocation). The total is determined from the number of unique identifiers in the configuration. For example, configuring two IPv6 ACLs results in an ACL total of two, even if neither is assigned to an interface.
Figure 10 Example of an IPv6 ACL application

To implement the policies described above in Figure 10 (page 155), configure ACLs on the switch as shown in Example 97 (page 155).
Sequence numbering in ACLs The ACEs in any ACL are sequentially numbered. In the default state, the sequence number of the first ACE in a list is "10," and subsequent ACEs are numbered in increments of 10.
Remember that show config lists the startup-config file and show running lists the running-config file.

Testing and troubleshooting ACLs

You can monitor ACL performance by using the logging option (which generates log messages when there is a "deny" or "permit" ACE match) and the ACE statistics counters (which maintain running totals of the packet matches on each ACE in an ACL).
Example 103 Content of messages generated by an ACL-deny action

Example Syslog report of the first deny event detected by the switch for this ACE:

   ACL 12/01/08 10:04:45 List NO-TELNET, seq#10 denied tcp 2001:db8:0:1ae::1a:3(1612) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7

Example of subsequent deny events detected by the switch for the same ACE.
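A parser for the Syslog message layout shown in Example 103, with a summary that counts repeated matches per ACE and source (an added illustration, not HP switch code). The sample log lines are constructed, the "ACL" tag is treated as an optional prefix, and the action word is assumed to vary ("denied" is the only one the example shows).

```python
"""Parse and summarize ACL log messages in the layout of Example 103.

Added illustration, not HP switch code. Sample lines are constructed; only the
first-event message format from the chapter is relied on.
"""
import re
from collections import Counter

ACL_LOG = re.compile(
    r"(?:ACL\s+)?(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) "
    r"List (?P<acl>\S+), seq#(?P<seq>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[0-9a-fA-F:.]+)(?:\((?P<sport>\d+)\))? ->"       # ports are optional
    r"(?P<dst>[0-9a-fA-F:.]+)(?:\((?P<dport>\d+)\))? "          # (non-TCP/UDP has none)
    r"on vlan (?P<vlan>\d+), port (?P<port>\S+)"
)


def parse_acl_log(line: str):
    """Return the message fields as a dict, or None if the line is not an ACL log message."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("seq", "sport", "dport", "vlan"):
        fields[key] = int(fields[key]) if fields[key] is not None else None
    return fields


def summarize(lines):
    """Count messages per (ACL, seq, action, source address, destination port)."""
    counts = Counter()
    for line in lines:
        fields = parse_acl_log(line)
        if fields:
            counts[(fields["acl"], fields["seq"], fields["action"],
                    fields["src"], fields["dport"])] += 1
    return counts


# Constructed sample log lines in the format of Example 103.
SAMPLE = [
    "ACL 12/01/08 10:04:45 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:3(1612) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7",
    "ACL 12/01/08 10:04:52 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:3(1613) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7",
    "ACL 12/01/08 10:05:10 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:9(2201) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7",
    "12/01/08 10:05:11 unrelated message that is not an ACL event",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print(n, key)
```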
Example 104 IPv6 counter operation with multiple interface assignments

Suppose that:
• An ACL named "V6-01" is configured as shown in Example 105 (page 159) to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.
Example 106 Ping and Telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2

HP Switch# ping6 fe80::20:2%vlan20
fe80:0000:0000:0000:0000:0000:0020:0002 is alive, time = 5 ms
HP Switch# telnet fe80::20:2%vlan20
Telnet failed: Connection timed out.
Example 108 IPv4 counter operation with multiple interface assignments

Suppose that an IPv4 ACL named "Test-1" is configured as shown in Example 109 (page 161) to block Telnet access to a server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned to VLANs as follows:
• VLAN 20: VACL
• VLAN 50: RACL
• VLAN 70: RACL

Example 109 ACL "Test-1" and interface assignment commands

HP Switch(config)# show access-list Test1 config
ip access-list extended "Test1"
10 deny tcp 0.0.0.0 255.255.255.255 10.
Using the network in Figure 12 (page 161), a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the "Test-1" ACL on VLAN 20 and results in the following:

Example 110 Ping and Telnet from 10.10.20.4 to 10.10.20.2 filtered by the assignment of "Test-1" as an IPv4 VACL on VLAN 20

HP Switch(config)# ping 10.10.20.2
10.10.20.2 is alive, time = 5 ms
HP Switch(config)# telnet 10.10.20.2
Telnet failed: Connection timed out.
Example 113 Resulting ACE hits on the VLAN 30 IPv4 RACL assignment of the "Test-1" ACL

HP Switch(config)# show statistics aclv4 Test-1 vlan 50 in
Hit Counts for ACL Test-1
Total
( 6) 10 deny tcp 0.0.0.0 255.255.255.255 10.10.20.2 0.0.0.0 eq 23 log
( 1) 20 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
HP Switch(config)#

NOTE: The Total of 6 indicates the same type of data as shown in Example 111 (page 162) for the VACL assignment of the "Test-1" ACL.
configure the last entry in an ACL as an explicit deny or permit statement with a log statement included, and apply the ACL to an appropriate VLAN.
• A detailed event will be logged for the first packet that matches a "deny" or "permit" ACL logged entry with the appropriate action specified. Subsequent packets matching ACL logged entries will generate a new event that summarizes the number of packets that matched each specific entry (with the time period).
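The detailed event shown in Example 103 is what a log collector has to parse before it can alert on ACL denies. The following is an added example, not part of the HP guide: a Python parser and per-source counter for such lines, run over a constructed sample log (the "permitted" wording for permit ACEs is an assumption; the guide shows only the deny form).

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Layout of the detailed event logged for the first packet matching a logged
# ACE (Example 103). "permitted" is assumed; only the deny form is documented.
ACL_EVENT = re.compile(
    r"ACL (?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"List (?P<acl>\S+), seq#(?P<seq>\d+) (?P<action>denied|permitted) "
    r"(?P<proto>[a-z0-9]+) (?P<src>[0-9a-fA-F:.]+)\((?P<sport>\d+)\) "
    r"->(?P<dst>[0-9a-fA-F:.]+)\((?P<dport>\d+)\) "
    r"on vlan (?P<vlan>\d+), port (?P<port>\S+)$"
)


@dataclass(frozen=True)
class AclEvent:
    timestamp: str
    acl: str
    seq: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    vlan: int
    port: str


def parse_acl_event(line):
    """Return an AclEvent for a detailed ACL log line, or None for any other line."""
    m = ACL_EVENT.match(line.strip())
    if not m:
        return None
    # ip_address() rejects malformed addresses and yields canonical text,
    # so the same host always produces the same counter key.
    return AclEvent(
        timestamp=f"{m['date']} {m['time']}",
        acl=m["acl"], seq=int(m["seq"]), action=m["action"], proto=m["proto"],
        src=str(ip_address(m["src"])), sport=int(m["sport"]),
        dst=str(ip_address(m["dst"])), dport=int(m["dport"]),
        vlan=int(m["vlan"]), port=m["port"],
    )


def denies_by_source(lines):
    """Count deny events per (ACL name, ACE sequence number, source address)."""
    counts = Counter()
    for line in lines:
        ev = parse_acl_event(line)
        if ev and ev.action == "denied":
            counts[(ev.acl, ev.seq, ev.src)] += 1
    return counts


# Constructed sample log: the first line is the one shown in Example 103; the
# rest are made up here to exercise the counter and the non-ACL filter.
SAMPLE_LOG = [
    "ACL 12/01/08 10:04:45 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:3(1612) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7",
    "ACL 12/01/08 10:05:02 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:3(1613) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A7",
    "ACL 12/01/08 10:05:30 List NO-TELNET, seq#10 denied tcp "
    "2001:db8:0:1ae::1a:9(40001) ->2001:db8:0:1ad::1a:2(23) on vlan 1, port A9",
    "I 12/01/08 10:06:00 00076 ports: port A7 is now on-line",  # unrelated event
]

if __name__ == "__main__":
    for key, n in denies_by_source(SAMPLE_LOG).most_common():
        print(key, n)
```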
The no vlan vid ipv6 access-group name-str vlan command does not delete the named ACL if the ACL is currently assigned to an interface.
6 IPv6 Routing Basics

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

IPv6 routing overview

Beginning with software release K.15.01, the switches support these IPv6 routing features:
• "IPv6 Static Routing" (page 180)
• "IPv6 Router Advertisements" (page 186)
• "DHCPv6-Relay" (page 203)
• "OSPFv3 Routing" (page 209)
This chapter covers basic IPv6 routing topics and configuration needed to implement both static and dynamic IPv6 routing.
NOTE: Software license requirements: For the 3500/3500yl, 5400zl, and 8200zl switches, OSPFv3 is included with the Premium software license available from HP. In the 6200yl switches, OSPFv3 is included with the base feature set.

IPv6 Routing Features

Beginning with software release K.15.
Example 115 Displaying the router ID when OSPFv3 is enabled

If a routing switch is using a router ID such as 10.10.10.1:
HP Switch(config)# show ipv6 ospf3
OSPFv3 General Status
OSPFv3 Protocol : Enabled
Router ID       : 10.10.10.1

NOTE: If one of the following is true, the router ID is set to 0.0.0.0:
• No manual router ID, IPv4 network address, or IPv4 loopback interface address is configured on the routing switch.
• No dynamic routing protocol is enabled on the routing switch.
• show run
• show ip ospf (if OSPFv2 is enabled)
• show ipv6 ospf3 (if OSPFv3 is enabled)

Configuring the IPv6 hop limit

Syntax: [no] ipv6 hop-limit 1 - 255
Global config operation. This global config command sets the maximum number of routers (hops) through which packets originating on the routing switch can pass before being discarded (global hop limit). Each router decrements a packet's hop limit by 1 before forwarding the packet.
distance 1 - 255 Specifies the administrative distance to associate with a static route. Default: 1; Range: 1 - 255 The no form of the command deletes the default route for the specified next-hop destination from the routing table.
Example 117 Viewing the IPv6 routing table

HP Switch(config)# show ipv6 route
IPv6 Route Entries
Destination : ::/0
Gateway : 2001:db8:e::55:2
Type: static  Sub-Type: NA  Distance: 130 (callout 1)  Metric: 1
Destination : ::1/128
Gateway : lo0
Type: connected  Sub-Type: NA  Distance: 0  Metric: 1
Destination : 2001:db8:1::127/128
Gateway : lo6
Type: connected  Sub-Type: NA  Distance: 0  Metric: 1
Destination : 2001:db8:a::/64
Gateway : fe80::22:1%vlan22
Type: ospf3  Sub-Type: InterArea (callout 2)  Distance: 110  Metric: 2
Destina
3. Enable IPv6 routing. (This command enables RA transmission on any VLAN where RAs are not specifically suppressed.)
   ipv6 unicast-routing
4. For non-default RA operation, configure RAs per-VLAN, including suppression of RAs on any VLANs where you do not want the routing switch to transmit RAs. See "IPv6 Router Advertisements" (page 186).
5. Configure one or more of the following routing features:
   • IPv6 static routing. See "IPv6 Static Routing" (page 180).
   • DHCPv6-relay.
(Figure: prefix 2001:0:db8:17fd:218:71ff:fedd:cf00/64 with callouts 1 and 2.)

VLANs and routing

IP routing interfaces and routing. On the routing switches covered by this guide, IPv6 addresses are associated with individual IP routing interfaces. Link-local addresses are used for switching traffic among devices on the same IP routing interface, and global unicast addresses are used for routing traffic between different IP routing interfaces.
IPv6 routing operation A switch moves packets within the same local network or subnet. A router moves packets between networks or subnets. When a router receives a packet, it matches the packet's destination address to a route in its routing table. This route specifies the gateway, or next-hop, through which the router must forward the packet to enable it to move toward its destination.
For more information on this topic, see “IPv6 Router Advertisements” (page 186). DHCPv6-relay When a host on a given VLAN is configured to acquire configuration settings from a DHCPv6 server, it transmits a DHCPv6 request on the VLAN. If there is no DHCPv6 server on the VLAN, you can route the host request to a server on another VLAN by enabling a DHCPv6-relay on the routing switch and configuring a helper address on the VLAN.
Configuring global IPv6 routing parameters

Feature                Default and range                                                  Page
IPv6 hop-limit         255 (1 - 255)                                                      169
Default network route  None configured                                                    169
Router ID              Lowest-numbered address on the lowest-numbered routing interface   176

The following sections describe how to configure the above global IPv6 routing parameters.

NOTE: This section describes how to configure IPv6 parameters for routing switches.
Loopback route A static IPv6 route automatically created in the routing table for use if other routes to a destination are not available. The gateway is a loopback interface (lo0) and the destination is ::1/128. Statically configured routes On a given routing switch, one static route can be configured directly into the routing table for each destination. In the default configuration, administrative distance and route metric are both "1". See “About static routing ” (page 182).
in the routing table defines how many leftmost contiguous bits to use when matching a packet's destination address to a destination network prefix. For example, a route table entry of 2001:db8:0:1ad:0:f1:7a:0/112 applies to all packets with a destination address for which the first 112 bits are 2001:db8:0:1ad::f1:7a If a packet matches more than one routing table entry, the router uses the most specific route (the route with the longest prefix), which is assumed to be the most accurate for that packet.
• To configure administrative distance for a static route, see "Adding static and null routes to IPv6 table" (page 180).
• To configure administrative distance for OSPFv3, see "Influencing route choices by changing the administrative distance default" (page 220).

Metric

The routing switch uses this parameter to compare routes to identical destinations learned by the same routing protocol.
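An added illustration, not from the HP guide, of the route selection the preceding paragraphs describe: the longest matching prefix wins, then the lowest administrative distance, then the lowest metric. The table is constructed, modelled on Example 117 and the /112 entry from the prefix-length discussion; the gateways and the competing routes for 2001:db8:b::/64 are made up here.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Route:
    prefix: IPv6Network
    gateway: str
    rtype: str       # connected, static or ospf3
    distance: int    # administrative distance: ranks routes from different sources
    metric: int      # ranks routes to the same destination from the same protocol


def select_route(table, destination):
    """Return the entry used to forward to destination, or None if nothing matches.

    Preference order: longest matching prefix, then lowest administrative
    distance, then lowest metric (smaller tuple wins in min()).
    """
    dst = IPv6Address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance, r.metric))


def explain(table, destination):
    """Human-readable trace of the decision, handy when auditing a routing policy."""
    r = select_route(table, destination)
    if r is None:
        return f"{destination}: no route"
    return (f"{destination}: via {r.gateway} [{r.prefix}] type={r.rtype} "
            f"distance={r.distance} metric={r.metric}")


# Constructed table. The two 2001:db8:a::/64 entries differ only in metric; the
# two 2001:db8:b::/64 entries come from different protocols and so are ranked
# by administrative distance.
ROUTE_TABLE = [
    Route(IPv6Network("::/0"), "2001:db8:e::55:2", "static", 130, 1),
    Route(IPv6Network("::1/128"), "lo0", "connected", 0, 1),
    Route(IPv6Network("2001:db8:a::/64"), "fe80::22:1%vlan22", "ospf3", 110, 2),
    Route(IPv6Network("2001:db8:a::/64"), "fe80::44:1%vlan44", "ospf3", 110, 4),
    Route(IPv6Network("2001:db8:0:1ad::/64"), "fe80::22:1%vlan22", "ospf3", 110, 5),
    Route(IPv6Network("2001:db8:0:1ad:0:f1:7a:0/112"), "fe80::10:1%vlan10", "static", 1, 1),
    Route(IPv6Network("2001:db8:b::/64"), "fe80::22:1%vlan22", "ospf3", 110, 2),
    Route(IPv6Network("2001:db8:b::/64"), "fe80::33:1%vlan33", "static", 1, 1),
]

if __name__ == "__main__":
    for d in ("2001:db8:0:1ad:0:f1:7a:1234", "2001:db8:0:1ad::5",
              "2001:db8:a::1", "2001:db8:b::1", "2001:db8:ff::1"):
        print(explain(ROUTE_TABLE, d))
```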
7 IPv6 Static Routing NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax. Adding static and null routes to IPv6 table This feature enables you to create static routes (including null routes with or without ICMP notification to the sender) by adding such routes directly to the route table in the routing switch.
Example 118 Configuring static routes HP Switch(config)# ipv6 route 2001:db8:0:1::/64 fe80::10.1 Configures static route to a specific destination network . Notice that the next-hop gateway can be either a link-local or a global unicast address. HP Switch(config)# ipv6 route 2001:db8:0:2::/64 reject Configures a null route to drop traffic for the 2001:db8:0:2::/64 network and return an ICMP notice to the sender.
Example 119 Displaying static routes in the IPv6 routing table HP Switch(config)# show ipv6 route static IPv6 Route Entries Destination : 2620:a::/64 Gateway : 2620:b::22:1 Type : static Sub-Type : NA Distance : 1 Metric : 1 Destination : 2620:c::/64 Gateway : 2620:e::55:2 Type : static Sub-Type : NA Distance : 1 Metric : 1 About static routing Static routes provide tools for restricting and troubleshooting routed traffic flows and in small networks can provide the simplest and most reliable configura
Figure 14 Example of a routing domain Advantages Static routing is relatively reliable and gives you tight control over traffic flow. You determine exactly which connections to use to forward traffic to each destination. In a given VLAN, you can use multiple IPv6 addresses to add multiple static routes in the VLAN.
Configured Provides a route that is used as a backup route for discarding traffic where the primary route is unavailable. A configured null route consists of: • Destination network address or host and a corresponding network mask • Either the reject keyword (traffic dropped with ICMP notification to the sender) or blackhole keyword (traffic dropped without any ICMP notification). Non-default null routes created with the reject or blackhole keywords use a gateway of zero (0).
Figure 15 Example of static routes in an ECMP application (figure: VLAN-1 and VLAN-2 on a routing switch, routers 2001:db8:1::1 and 2001:db8:1::2, static routes including "ipv6 route 2001:db8:5::/64 2001:db8:1::1")

The [no] ip load-sharing 2 - 4 command enables or disables load-sharing for both IPv4 and IPv6 applications and specifies the number of ECMP routes to allow. In the default configuration, load-sharing is enabled with four ECMP routes allowed. For more information, see "About equal-cost multi-path routing" (page 255).
8 IPv6 Router Advertisements NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax. Beginning with software release K.15.01, the routing switches support IPv6 RA configuration and transmission based on RFC 4861, "Neighbor Discovery for IP Version 6 (IPv6)" and RFC 4862, "IPv6 Stateless Address Autoconfiguration.
configuration information for the current VLAN or tunnel interface from a DHCPv6 server. • When the M-bit is enabled, receiving hosts ignore the other-config-flag (O-bit) setting described below. • When the M-bit is disabled (the default), receiving hosts expect to receive their IPv6 addressing and ND configuration settings from the RA unless the O-bit is enabled. other-config-flag Ignored unless the M-bit (above) is disabled in RAs.
Default: 200 seconds; Range: 3 - 1350 seconds Setting or changing the hop-limit for host-generated packets Syntax: [no] ipv6 nd ra hop-limit 0 - 255 hop-limit VLAN context command to specify the hop-limit a host includes in the packets it transmits. A setting of 0 means the hop-limit is unspecified in the RAs originating on the current VLAN. In this case, the hop-limit is determined by the host.
NOTE: If multiple routers on the same VLAN or tunnel are configured to advertise a reachable time, all such routers should use the same reachable-time setting.
Options for valid-lifetime preferred-lifetime:
• Time in seconds: [ 0 - 4294967295 | 0 - 4294967295 ]
• Specific date and time: [ valid-lifetime preferred-lifetime ] valid-lifetime-MM/DD/YY valid-lifetime-HH:MM:SS preferred-lifetime-MM/DD/YY preferred-lifetime-HH:MM:SS
• at valid-date preferred-date, where valid-date is MM/DD/[YY]YY HH:MM[:SS] and preferred-date is MM/DD/[YY]YY HH:MM[:SS]

VLAN or tunnel context command for specifying prefixes for the routing switch to include in RAs transmitted o
If default is used without the no-advertise, no-autoconfig, or the off-link keyword, the advertisement setting for the absent keyword is returned to its default setting. NOTE: To configure a prefix as off-link or no-autoconfig , you must enter unique valid and preferred lifetimes with the prefix command (instead of the default command). ipv6-prefix / prefix-len Specifies the prefixes to advertise on the subject VLAN or tunnel. A separate instance of the command must be used for each prefix to advertise.
Example 120 Using the default command to configure prefix advertisement content Table 16 (page 192) lists the global unicast addresses configured on a VLAN, with original and updated settings configured using the default command.
Example 121 Using the default command to configure and update prefix advertisements

HP Switch(config)# vlan 100
HP Switch(vlan-100)# ipv6 address 2001:db8:0:f::f1/64
HP Switch(vlan-100)# ipv6 address 2001:db8:0:b::b1/64   (callout 1)
HP Switch(vlan-100)# ipv6 address 2001:db8:0:c::c1/64
HP Switch(vlan-100)# ipv6 nd ra prefix default 1296000 1209600
HP Switch(vlan-100)# show ipv6 nd ra prefix vlan 100   (callout 2)
IPv6 Neighbor Discovery Prefix Information   (callout 3)
VLAN Name : VLAN100
IPv6 Prefix Valid Lifetime Preferred Lifetime On-
(1) Global unicast addresses configured on VLAN 100.
(2) To enable advertising prefixes of global unicast addresses configured on the VLAN, the default command sets default lifetime, prefix link status (on or off-link), autoconfiguration (Autonomous Flag) status (on or off), and advertisement setting (on or off).

NOTE: Applies only to prefixes in global unicast addresses configured on the VLAN and not uniquely configured by the prefix command.
Restricting IPv6 Router Advertisements The RA Guard feature restricts the ports (or trunks) that can accept IPv6 Router Advertisements (RAs). Additionally, ICMPv6 router redirects are blocked on the configured ports. Only physical ports and trunk ports are supported. Dynamic ports, dynamic trunks, and mesh ports are not supported.
When RA Guard is enabled, there will be one or two lines displayed in the running config file.

Figure 18 Running Config File Showing Line for RA-Guard

Displaying the Router Advertisement configuration

Syntax: show ipv6 nd ra
        show ipv6 nd ra prefix vlan vid
Without the optional keywords, this command displays the global, per-VLAN, and per-tunnel router advertisement neighbor discovery configuration on a specific routing switch.
Default: On; Autoconfiguration enabled. Advertise Flag Indicates whether advertisement for the subject prefix is turned on. Default: On.
Example 122 General Output Listing the RA Configuration on a Routing Switch

HP Switch(config)# show ipv6 nd ra
IPv6 Router Advertisement Configuration
Global RA Suppress   : No
Global Hop Limit     : 10
IPv6 Unicast Routing : Enabled

Interface  Supp  Interval  Lifetime  Mngd  Other  RCH Time  NS Intrvl  Hop
ID         RA    Min/Max   (sec)     Flag  Flag   (ms)      (ms)       Limit
---------  ----  --------  --------  ----  -----  --------  ---------  -----
vlan-1     Yes   200/600   1800      No    No     0         0          10
vlan-22    No    200/600   1800      No    No     0         0          10
tunnel-3   Yes   200/600   1000      No    No     0         0          4
Example 124 Detailed prefix configuration data for a specific VLAN

HP Switch(config)# show ipv6 nd ra prefix vlan 30
IPv6 Neighbor Discovery Prefix Information
VLAN Name : VLAN30
IPv6 Prefix        : Default
Valid Lifetime     : Infinite
Preferred Lifetime : Infinite
On-link Flag       : On
Autonomous Flag    : On
Advertise Flag     : On
IPv6 Prefix        : 2001:db8:f:1b::/64
Valid Lifetime     : 11/31/2010 00:00:01
Preferred Lifetime : 11/01/2010 00:00:01
On-link Flag       : Off
Autonomous Flag    : On
Advertise Flag     : On
IPv6 Prefix Valid L
Advertisement Value     Default                                        Page
minimum                 200 seconds                                    187
current hop limit       64                                             188
default lifetime        1800 seconds (3 x max. transmission interval)  188
reachable time          Unspecified (0)                                188
retransmission timer    Unspecified (0)                                189
(1) Default operation excludes prefixes of stateless autoconfigured addresses.

RA basics

• Enabling IPv6 unicast routing on a routing switch initiates transmission of RAs on active, IPv6-enabled VLANs unless RA transmission has been suppressed.
• RAs are not routed.
The following steps provide a general outline of the steps for configuring the routing switch for non-default RA operation on all IPv6-enabled VLANs or tunnels:
1. Enable IPv6 routing on your network.
2. Enable IPv6 unicast routing. (This must be enabled to allow configuration of other routing protocols.)
   HP Switch(config)# ipv6 unicast-routing
   (This command enables RA transmission on any VLAN where RAs are not specifically suppressed.)
3. Configure the desired per-VLAN or per-tunnel RA operation:
   a.
While advertised prefixes can be different, the per-VLAN or per-tunnel RA policy should be the same for all routers transmitting RAs on a given VLAN.
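The RA policy fields this chapter describes (M-bit, O-bit, hop limit, router lifetime, and per-prefix on-link/autonomous flags and lifetimes) can be verified on the wire, which is how one checks that all routers on a VLAN really advertise the same policy. Added example, not from the HP guide: a Python parser for the ICMPv6 Router Advertisement body per RFC 4861, plus a comparison against an expected per-VLAN policy; both RA byte strings are constructed here, one matching the vlan-22 row of Example 122 with the lifetimes of Example 121, the other a disagreeing router.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv6Address

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 section 4.6.2)
OPT_MTU = 5              # MTU option; present in the sample only to show skipping


@dataclass
class PrefixInfo:
    prefix: str
    prefix_len: int
    on_link: bool        # L flag
    autonomous: bool     # A flag: hosts may autoconfigure addresses from it
    valid_lifetime: int
    preferred_lifetime: int


@dataclass
class RouterAdvert:
    hop_limit: int
    managed: bool        # M-bit: obtain addresses via DHCPv6
    other_config: bool   # O-bit: obtain other configuration via DHCPv6
    router_lifetime: int
    reachable_time: int
    retrans_timer: int
    prefixes: list = field(default_factory=list)


def parse_ra(icmpv6: bytes) -> RouterAdvert:
    """Parse an ICMPv6 RA body (fixed header plus options). Checksum is not verified."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT or icmpv6[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime, reach, retrans = struct.unpack("!BBHII", icmpv6[4:16])
    ra = RouterAdvert(hop, bool(flags & 0x80), bool(flags & 0x40),
                      lifetime, reach, retrans)
    off = 16
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861 4.6: discard packet
        size = olen * 8
        if off + size > len(icmpv6):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref = struct.unpack("!BBII", icmpv6[off + 2:off + 12])
            prefix = IPv6Address(icmpv6[off + 16:off + 32])
            ra.prefixes.append(PrefixInfo(str(prefix), plen, bool(pflags & 0x80),
                                          bool(pflags & 0x40), valid, pref))
        off += size   # unrecognised options are skipped, as the RFC requires
    return ra


def build_ra(hop_limit, managed, other, router_lifetime, reachable, retrans, prefixes):
    """Construct an RA body with checksum 0; used here only to create test input."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    body = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                       router_lifetime, reachable, retrans)
    body += struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    for prefix, plen, on_link, auto, valid, pref in prefixes:
        pflags = (0x80 if on_link else 0) | (0x40 if auto else 0)
        body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, valid, pref, 0)
        body += IPv6Address(prefix).packed
    return body


def check_ra_policy(ra, expected):
    """Names of RA policy fields whose value differs from the expected per-VLAN setting."""
    return [name for name, want in expected.items() if getattr(ra, name) != want]


# Constructed: vlan-22 policy from Example 122 (hop limit 10, M and O off,
# lifetime 1800 s) and the prefix lifetimes from Example 121.
VLAN22_POLICY = {"hop_limit": 10, "managed": False, "other_config": False,
                 "router_lifetime": 1800}
SAMPLE_RA = build_ra(10, False, False, 1800, 0, 0,
                     [("2001:db8:0:f::", 64, True, True, 1296000, 1209600)])
# Constructed: a second router on the same VLAN with a different policy.
ROGUE_RA = build_ra(64, True, False, 1800, 0, 0,
                    [("2001:db8:0:c::", 64, True, True, 2592000, 604800)])

if __name__ == "__main__":
    for name, raw in (("vlan-22 router", SAMPLE_RA), ("other router", ROGUE_RA)):
        ra = parse_ra(raw)
        print(name, ra, "mismatches:", check_ra_policy(ra, VLAN22_POLICY))
```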
9 DHCPv6-Relay

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

For introductory information on DHCPv6-relay, see "About configuring DHCPv6 relay" (page 206).

Configuring DHCPv6-relay

DHCPv6-relay is disabled by default. To enable and configure it, use the commands in this section:
Syntax: [no] dhcpv6-relay
Used in the global config context to enable DHCPv6-relay globally on the routing switch.
Viewing the DHCPv6-relay configuration Syntax: show ipv6 helper-address [ vlan vid ] Displays the DHCPv6-relay configuration on all VLANs configured on the routing switch or on the VLAN you specify.
   ipv6 helper-address unicast 2001:db8:0:12::11   (callout 3)
   exit
vlan 14
   ipv6 address fe80::1 link-local
   ipv6 address 2001:db8:0:14::1
   exit
dhcpv6-relay   (callout 4)

(1) Non-Default Hop-Limit Configured
(2) IPv6 Unicast Routing Enabled
(3) DHCPv6 Helper Address Configured Per-VLAN
(4) DHCPv6-Relay Globally Enabled

Use the show dhcpv6-relay command to display statistical information about DHCPv6 relay.
• The routing switch supports concurrent, independent operation of DHCPv4 and DHCPv6.
• Operating limits:

DHCPv6-relay feature                                     Maximum
Unique helper addresses supported on the routing switch  32 (1)
Unique helper addresses per VLAN interface               32 (1)
(1) If the same helper address is used on multiple VLANs, it is counted as one address toward these maximums.

About configuring DHCPv6 relay

Beginning with software release K.15.
1. Ensure that there is a route configured between a DHCPv6 server and the routing switch and that the server is configured to support host requests forwarded from the routing switch.
2. For each VLAN on which you want the routing switch to provide DHCPv6-relay services, determine the helper addresses the relay agent should have for forwarding client DHCPv6 requests to reachable DHCPv6 servers.
In Figure 20 (page 208) , router "X" is a relay agent configured to forward DHCPv6 service requests received from VLAN 10 to the "all-DHCPv6-servers" multicast helper address (FF05::1:3) through VLAN 14. Router "Z" receives the request from router "X" on VLAN 14. Because router "Z" is configured with unicast helper address 2001:db8:0:15::33 on VLAN 14, the service request is relayed to the DHCPv6 server at 2001:db8:0:15::33 on VLAN 15.
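Added example, not from the HP guide, showing what the two-relay chain just described produces on the wire: each relay agent wraps the message it received in a DHCPv6 Relay-forward (RFC 8415) with an incremented hop-count, and the server unwraps the nesting to reach the client's Solicit. The interface addresses (2001:db8:0:10::1 on VLAN 10, 2001:db8:0:14::1 on VLAN 14), the client link-local address and the DUID are constructed for this example.

```python
import struct
from ipaddress import IPv6Address

SOLICIT, RELAY_FORW = 1, 12              # DHCPv6 message types (RFC 8415 section 7.3)
OPTION_CLIENTID, OPTION_RELAY_MSG = 1, 9
HOP_COUNT_LIMIT = 8                      # RFC 8415 section 7.6


def option(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode a DHCPv6 option list into [(code, data), ...]."""
    opts, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[off:off + 4])
        if off + 4 + length > len(buf):
            raise ValueError("truncated option")
        opts.append((code, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return opts


def relay_forward(received, link_address, peer_address):
    """Wrap a received message in a Relay-forward as a relay agent does (RFC 8415 19.1).

    link_address: the relay's address on the client-facing link, or :: when the
    received message was itself already a Relay-forward; peer_address: the source
    address of the received message. A message at the hop-count limit is discarded.
    """
    if received[0] == RELAY_FORW:
        if received[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop-count limit reached; message discarded")
        hop = received[1] + 1
    else:
        hop = 0
    return (struct.pack("!BB", RELAY_FORW, hop)
            + IPv6Address(link_address).packed + IPv6Address(peer_address).packed
            + option(OPTION_RELAY_MSG, received))


def unwrap(msg):
    """Peel Relay-forward layers; return ([(hop, link, peer), ...], client_message)."""
    chain = []
    while msg[0] == RELAY_FORW:
        hop = msg[1]
        link = str(IPv6Address(msg[2:18]))
        peer = str(IPv6Address(msg[18:34]))
        inner = dict(parse_options(msg[34:])).get(OPTION_RELAY_MSG)
        if inner is None:
            raise ValueError("Relay-forward without a Relay Message option")
        chain.append((hop, link, peer))
        msg = inner
    return chain, msg


# Constructed client Solicit: type, 3-byte transaction id, Client Identifier option.
CLIENT_DUID = b"\x00\x03\x00\x01" + bytes(6)
SOLICIT_MSG = bytes([SOLICIT]) + b"\x12\x34\x56" + option(OPTION_CLIENTID, CLIENT_DUID)
# Router X receives the Solicit on VLAN 10 from the client's link-local address
# and relays it toward the all-DHCPv6-servers address ff05::1:3 through VLAN 14.
FROM_X = relay_forward(SOLICIT_MSG, "2001:db8:0:10::1", "fe80::1:10")
# Router Z receives X's Relay-forward on VLAN 14 and relays it to the unicast
# helper address 2001:db8:0:15::33 on VLAN 15.
RELAYED = relay_forward(FROM_X, "::", "2001:db8:0:14::1")

if __name__ == "__main__":
    chain, client = unwrap(RELAYED)
    for hop, link, peer in chain:
        print(f"hop-count={hop} link-address={link} peer-address={peer}")
    print("client message type:", client[0])
```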
10 OSPFv3 Routing

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

OSPFv3 is the IPv6 implementation of open shortest path first protocol. (OSPFv2 is the IPv4 implementation of this protocol.) Beginning with software version K.15.01, the switches can be configured to run OSPFv3 either alone or simultaneously with OSPFv2. (OSPFv3 and OSPFv2 run as independent protocols on the routing switch and do not have any interaction when run simultaneously.
interface loopback Executed at the global or deeper configuration level to assign an IPv4 address to a loopback interface on the routing switch. For more information, see "Loopback Interfaces" in the latest Basic Operation Guide. Enabling IPv6 Routing Syntax: [no] ipv6 unicast-routing Executed at the global configuration level to enable IPv6 routing on the routing switch. Default: Disabled The no form disables IPv6 routing. (Global OSPFv3 routing must be disabled before you disable IPv6 routing.
NOTE: Each ABR must be either directly connected to the backbone area (0) or be configured with a virtual link to the backbone area through another ABR that is directly connected to the backbone area.

Configuring an OSPFv3 backbone or normal area

Syntax: area [ ospf3-area-id | backbone ] [ normal ]
        no area [ ospf3-area-id | backbone ]
After using router ospf3 to globally enable OSPFv3 and enter the global OSPF3 context, execute this command to assign the routing switch to a backbone or other normal area.
Example 130 Configuring an OSPFv3 backbone or normal area To configure a backbone and a normal area with an ID of "1" (0.0.0.1) on a routing switch: HP Switch(ospf3)# area backbone HP Switch(ospf3)# area 1 To convert an existing NSSA or stub area to a normal area, you would include the normal keyword.
type1 : Calculate external route cost for a type-7-LSA default route as the sum of (1) the external route cost assigned by the ASBR plus (2) the internal cost from the router with traffic for the external route to the ASBR advertising the route. type2 : Use the external route cost assigned by the ASBR advertising the route. Default: Enabled with metric-type type2. NOTE: Different routers in the NSSA can be configured with different metric-type values.
Syntax: vlan vid ipv6 ospf3 [ area ospf3-area-id ]
        [no] vlan vid ipv6 ospf3
        interface tunnel tunnel-id ipv6 ospf3 [ area ospf3-area-id ]
        [no] interface tunnel tunnel-id ipv6 ospf3
Executed in a specific VLAN context to assign the VLAN to the specified area. If area is not specified, the command defaults to the backbone area. Requires that the area is already configured on the routing switch. This command assigns all configured networks in the VLAN to the specified OSPFv3 area.
NOTE: The area must already exist, and the loopback interface must already be configured with a minimum of one IPv6 address. An IPv6 loopback interface can be assigned to only one area at any time. When an IPv6 loopback interface is assigned to a given area, the no form removes the interface from that area. Example 133 Assigning IPv6 loopback addresses to an area To assign loopback interface 3 on the routing switch to area 0.0.0.
Syntax: [no] router ospf3 redistribute [ connected | static ] route-map map-name Executed on an ASBR to permit or deny redistribution of static and/or connected routes to the ASBR’s domain, as specified in the named route-map. static Redistribute from manually configured routes. connected Redistribute from locally connected networks. The no form removes the redistribution configuration for the specified route-map.
type2 Specifies the external metric for an external route. Default: type2 Example 137 Modifying the redistribution metric type To change from the default setting on an ASBR to type 1, enter the following command: HP Switch(config)# router ospf3 default-metric-type type1 Enabling redistribution of loopback IPv6 addresses in OSPFv3 when the addresses are not assigned to an OSPFv3 area Enter the redistribute connected command as described in “Enabling route redistribution” (page 215).
Example 140 Verifying OSPFv3 redistribution of loopback interfaces on a neighboring router HP Switch(config)# show ipv6 route ospf3 IPv6 Route Entries Destination : 2001:db8::333/128 Gateway : fe80::55:1%vlan55 Type: ospf3 Sub-Type: External2 1 Distance: 110 Metric: 1 Destination : 2001:db8:1::127/128 Gateway : fe80::55:1%vlan55 Type: ospf3 Sub-Type: IntraArea 2 Distance: 110 Metric: 1 1 2 Indicates a loopback interface configured on a neighbor router with redistribution enabled, but not assigned to
For example, 2001:db8:0:f::/64 defines a range including any address that has 2001:db8:0:f in the leftmost 64 bits. [ type | [ summary [ cost 1 - 16777215 ]] | inter-area | nssa ] [ no-advertise ] Configures the type of route summaries to advertise or block. [summary [ cost 1 - 16777215 ]] Specifies internal routes in the configured range of route advertisements.
Example 141 Assigning a Cost

The cost parameter provides a way to define a fixed, user-assigned cost of an LSA type 3 summarized prefix. To set the summary cost to 100 for area 10 with an address range of 10.10.0.0/16, enter the command as shown:
HP Switch(ospf3)# area 10 range 10.10.0.0/16 type summary cost 100
To use the standard method for determining the summarized cost, enter the command as shown:
HP Switch(ospf3)# area 10 range 10.10.0.
external 1 - 255 Changes the administrative distance for routes between the OSPFv3 domain and other EGP domains. inter-area 1 - 255 Changes the administrative distance for routes between areas within the same OSPFv3 domain. intra-area 1 - 255 Changes the administrative distance for routes within OSPFv3 areas.
Hello interval per interface Syntax: ipv6 ospf3 hello-interval 1 - 65535 Used in the VLAN context to indicate the length of time between the transmission of hello packets from the routing switch to adjacent neighbors on that VLAN. This command assigns the specified Hello interval to all networks configured on the VLAN. Default: 10 seconds Priority per interface Syntax: ipv6 ospf3 priority 1 - 255 Used in the VLAN context to enable changing the priority of an OSPFv3 router.
area-id This must be the same for both ABRs in the link and is the area number of the virtual link transit area in either decimal or 32-bit dotted decimal format. If area-id is not already configured on the routing switch, this command creates it. router-id On an ABR directly connected to the backbone area, this value must be the router ID of an ABR (in the same area) needing a virtual link to the backbone area as a substitute for a direct physical connection.
Syntax: [no] area area-id virtual-link router-id dead-interval 1 - 65535 In the ospf3 context, this command is used on both ABRs in a virtual link to change the number of seconds that a neighbor router waits for a hello packet from the specified interface before declaring the interface "down." This should be some multiple of the Hello interval. The dead-interval setting must be the same on both ABRs on a given virtual link.
Adjusting the retransmit interval on a virtual link

For more information, see "About adjusting virtual link performance by changing the interface settings" (page 261).
Syntax: area area-id virtual-link router-id retransmit-interval 1 - 3600
In the ospf3 context, used on both ABRs in a virtual link to change the number of seconds between LSA retransmissions on the virtual link. The retransmit-interval setting must be the same on both ABRs on a given virtual link.
Use show ipv6 ospf3 virtual-link ip-address to view the current setting. See the example at “Viewing OSPFv3 virtual link information” (page 243). Default: 1 second Example 144 Adjusting transit-delay on a virtual link To change the hello-interval on the virtual link configured for the network in Figure 21 (page 223) to 60 seconds: • On routing switch “A” (router ID 10.0.0.
Example 147 show ipv6 ospf3 interface command for a specific VLAN with passive configured on an interface

HP Switch(config)# show ipv6 ospf3 interface 75 detail
OSPFv3 configuration and statistics for VLAN 75
Interface      : vlan-75    Status                   : Enabled
Area ID        : 0.0.0.3    State                    : WAIT
Priority       : 1          Cost                     : 1
Type           : BCAST      Passive                  : Yes
Hello Interval : 10         Dead Interval            : 40
Transit Delay  : 1          Retransmit Interval      : 5
Events         : 0          Designated Router        : 15.1.1.2
Neighbors      : 1          Backup Designated Router : 15.1.4.
Example 148 Neighbor-adjacency change logging

HP Switch(ospf3)# show log -r OSPF3:
Keys: W=Warning I=Information M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
e 05/01/10 15:21:09 02809 OSPF3: ADJCHG: Neighbor 15.255.155.1 on interface vlan-22 moved to Down state, Inactivity Timer
e 04/27/10 14:36:48 02809 OSPF3: ADJCHG: Neighbor 10.10.10.
Command syntax                                                 Description                   CLI page reference
show ipv6 ospf3 virtual-link [ rtr-id ] [ area area-id ]       Virtual Link information      243
show ipv6 ospf3 virtual-neighbor [ rtr-id ] [ area area-id ]   Virtual Neighbor information  243
show ipv6 ospf3 spf-log                                        OSPFv3 SPF Statistics         244

Viewing a summary of OSPFv3 configuration information

Syntax: show ipv6 ospf3 [ general ]
Displays the summary of OSPFv3 information, such as the areas configured, address ranges defined, interface information, timers, and vi
Example 149 Output for show ipv6 ospf3 HP Switch# show ipv6 ospf3 OSPFv3 Configuration Information OSPFv3 Protocol : Enabled Router ID : 10.0.8.35 Currently defined areas: Area ID --------backbone 10.3.16.0 10.3.32.
Example 150 show ipv6 ospf3 general output HP Switch# show ipv6 ospf3 general OSPFv3 General Status OSPFv3 protocol Router ID : enabled : 10.0.8.
Example 151 Output for all OSPFv3 routes in the routing table

HP Switch# show ipv6 route ospf3
IPv6 Route Entries
Destination : 2001:db8::333/128
Gateway : fe80::55:1%vlan55
Type : ospf3  Sub-Type : External2  Distance : 110  Metric : 1
Destination : 2001:db8:1::12/128
Gateway : fe80::55:1%vlan55
Type : ospf3  Sub-Type : IntraArea  Distance : 110  Metric : 1

Example 152 Output for a specific OSPFv3 route in the routing table

HP Switch# show ipv6 route ospf3 2001:db8:1::127
IPv6 Route Entries to 2001:db8:1::1
Displays basic OSPFv3 information related to the VLANs configured on the routing switch. vlan-id Displays information for a specific VLAN. tunnel tunnel-id Displays information for a specific tunnel. loopback lo-id Displays information for a loopback interface. detail Displays additional, VLAN-specific OSPFv3 information.
Example 154 show ipv6 ospf3 interface output HP Switch# show ipv6 ospf3 interface OSPFv3 configuration and statistics for interfaces Interface -----------vlan-55 vlan-75 tunnel-3 Status -------Enabled Enabled Enabled Area ID -----------0.0.0.1 0.0.0.3 0.0.0.
Example 156 show ipv6 ospf3 interface detail Output

HP Switch(config)# show ipv6 ospf3 interface detail
OSPFv3 configuration and statistics for VLAN 22
Interface      : vlan-22    Status                   : Enabled
Area ID        : 1.2.3.4    State                    : DOWN
Priority       : 1          Cost                     : 1
Type           : BCAST      Passive                  : No
Hello Interval : 10         Dead Interval            : 890
Transit Delay  : 1          Retransmit Interval      : 5
Events         : 0          Designated Router        : 0.0.0.
Neighbors      : 0          Backup Designated Router : 0.0.0.0
Syntax: show ipv6 ospf3 neighbor [ router-id ] [ detail ]
Displays OSPFv3 information learned for neighbor routers.
router-id Displays information for a specific neighbor router.
detail Displays additional, neighbor-specific OSPFv3 information.

Example 158 show ipv6 ospf3 neighbor output

HP Switch(ospf3)# show ipv6 ospf3 neighbor
OSPFv3 Neighbor Information
Interface  Router ID
---------  ---------------
Vlan-55    15.1.0.1
Vlan-75    15.1.1.2
tunnel-3   4.3.2.
vlan vid Resets only those counters in the specific VLAN. tunnel tunnel-id Using the tunnel option resets only those counters in the specific tunnel.
lsid lsid-# Subset option to filter displayed LSA database or advertisements to show only the AS-scope data having the specified (32-bit) IP address as a link-state ID. Can also be filtered with the router-id option to further define the source of displayed information. router-id rtr-id-# Subset option to filter displayed LSA database or advertisements to show only the AS-scope data having the specified router-ID.
Example 164 show ipv6 ospf3 link-state as-scope advertise output

HP Switch# show ipv6 ospf3 link-state as-scope router-id 15.1.1.
detail  Displays additional details for each LSA included in the range of displayed LSAs for any of the above options.
advertise  Displays the hexadecimal data in LSA packets (advertisements) for the OSPFv3 areas configured on the routing switch. The output can also be filtered by area (area-id), lsid, router-id, and/or type.
Default: All OSPFv3 areas on the routing switch.
To display OSPFv3 link-state information, enter show ipv6 ospf3 link-state area-scope at any CLI level.
Example 166 Output for show ipv6 ospf3 link-state area-scope advertise

HP Switch# show ipv6 ospf3 link-state area-scope advertise area 1 router-id 1.0.0.4

 OSPFv3 Area Scope Link State Database for area 0.0.0.
Example 167 show ipv6 ospf3 link-state link-scope output

HP Switch# show ipv6 ospf3 link-state link-scope

 OSPFv3 Link Scope Link State Database for LS index 599

  LSA Type   Advertising Router ID
  --------   ---------------------
  Link       1.1.1.1
  Link       15.255.155.1
  Link       1.0.0.4
  Link       15.255.155.
Displays the route types currently enabled for route redistribution on the routing switch.

Example 170 Output for show ipv6 ospf3 redistribute

HP Switch# show ipv6 ospf3 redistribute

 OSPFv3 redistributing

  Route Type   RouteMap
  ----------   --------------------
  Connected    Net-01
  Static       Net-02

Viewing OSPFv3 virtual link information
Syntax: show ipv6 ospf3 virtual-link [ rtr-id ] [ area area-id ]
Displays OSPFv3 information learned about all virtual links detected by the routing switch.
rtr-id  Displays information for a specific virtual-neighbor router detected by the routing switch.
area area-id  Displays information learned from a virtual neighbor detected in a specific area.

Example 173 Display output for all virtual neighbors detected on the routing switch

HP Switch# show ipv6 ospf3 virtual-neighbor

 OSPFv3 Virtual Interface Neighbor Information

  Router ID       State      IPv6 Addr                   Events
  -------------   --------   -------------------------   --------
  1.0.0.
Example 175 Displaying the OSPFv3 SPF log

HP Switch(ospf3)# show ipv6 ospf3 spf-log

 OSPFv3 SPF (SHORTEST PATH FIRST) LOG

  spf instance     Reason
  ---------------  ---------------------------
  1                Router LS Update
  2                Router LS Update
  3                Generated RTR LSA
  4                Generated NTW LSA
  5                Network LS Update
  6                Network LS Update
  7                Generated RTR LSA
  8                Router LS Update
  9                Generated RTR LSA
  10               Re-Init
  11               Incremental LS Update
  ...              ...
Syntax: [no] ip load-sharing 2 - 4
When OSPF is enabled and multiple, equal-cost, next-hop routes are available for traffic destinations on different subnets, this feature, by default, enables load-sharing among up to four next-hop routes.
2 - 4  Specifies the maximum number of equal-cost next-hop paths the router allows.
As shown in Figure 22 (page 246), one possible distribution of traffic to host devices is:
• Traffic to host "A" passes through next-hop router "3"
• Traffic to host "B" passes through next-hop router "2"
• Traffic to host "C" passes through next-hop router "3"
• Traffic to host "D" passes through next-hop router "4"

  IP packet destination   Next hop used
  ---------------------   --------------------
  2001:db8:0:e::100       2001:db8:0:b::b:10
  2001:db8:0:e::110       2001:db8:0:c::c:20
  2001:db8:0:e::120       2001:db8:0:b::b:10
  2001:db8:0:e::130       2001:db8:0:d
Overview of OSPFv3

  Factor                           Detail
  Minimum software version         K.15.01
  Application                      OSPFv3 applications only; runs independent of the OSPFv2 protocol used for IPv4 OSPFv2 applications.
  Concurrent IPv4/IPv6 operation   Concurrent OSPFv2 and OSPFv3 operation supported on all VLAN interfaces configured on the routing switch. Beginning with software version K.15.01, the routing switches support concurrent operation of both OSPFv2 (for IPv4) and OSPFv3 (for IPv6).
Table 17 OSPFv3 LSA types (continued)

  LSA type 0x2004: Inter-area-router-LSA
    Description: Describes the route to an ASBR in another OSPFv3 normal area (including the backbone area) of the same AS. (Excludes any ASBR in the same area as the router sending the LSA.) (Excludes prefixes for link-local addresses.)
    Use: Propagated through the backbone area to other areas.
    Flood scope: Area

  LSA type 0x2005: AS-external-LSA
    Description: Describes the route to a destination prefix in another AS (external AS route).
An ABR maintains a separate LSDB for each area to which it belongs. (All routers within the same area have identical LSDBs.) The ABR is responsible for flooding inter-area-prefix-LSAs and inter-area router LSAs between its border areas. You can reduce this LSA flooding by configuring area ranges. An area range enables you to assign an aggregate address to a range of IPv6 addresses. This aggregate address is advertised instead of all the individual addresses it represents.
• Router C, Priority: 2. BDR for the 2001:db8:0:5::/64 network.
• Router D, Priority: 0. Cannot become a DR or BDR.
• Router E, Priority: 1. Becomes the new BDR if router B becomes unavailable and router C becomes the new DR.

Figure 25 Example of designated routers in an OSPFv3 area
(Figure not reproduced here. It shows Area 0 (Backbone) with routers "X", "A", "E", "D" and the other routers of the area, each labeled with its IPv6 address, router ID and, where relevant, its priority.)
The DR and BDR election process is performed when one of the following events occurs:
• An interface is in a waiting state and the wait time expires
• An interface is in a waiting state and a hello packet is received that addresses the BDR
• A change in the neighbor state occurs, such as:
  ◦ A neighbor state transitions from 2 or higher
  ◦ Communication to a neighbor is lost
  ◦ A neighbor declares itself to be the DR or BDR for the first time

OSPFv3 area types
OSPFv3 is built upon a hierarchy of ne
to the AS backbone area through one or more ABRs (physically or through a virtual link). ASBRs are allowed in normal areas. Backbone area Every AS must have one (and only one) backbone area (identified as area 0 or 0.0.0.0). The ABRs of all other areas in the same AS connect to the backbone area, either physically through an ABR or through a configured, virtual link.
Virtual links are not allowed for NSSAs.

Reducing AS-external-LSAs and inter-area-prefix-LSAs
An OSPFv3 ASBR uses AS-external-LSAs to originate advertisements of a route to another routing domain. These advertisements are:
• Flooded in the area in which the ASBR operates.
• Injected into the backbone area and then propagated to any other OSPFv3 areas (except stub and NSSA areas) within the local OSPFv3 AS.
When you use no-summary, the change takes effect immediately. If you apply the option to a previously configured area, the switch flushes all of the summary LSAs it has generated (as an ABR) from the area. NOTE: This feature applies only when the routing-switch is configured as an ABR for a stub area or NSSA. To completely prevent summary LSAs from injection into the area, use no-summary to disable the summary LSAs on each OSPFv3 router that is an ABR for the area.
Example 177 show ipv6 route command output with multiple next-hop routes

HP Switch(config)# show ipv6 route

 IPv6 Route Entries

  Destination : ::1/128
  Gateway     : lo0
  Type: connected   Sub-Type: NA   Distance: 0   Metric: 1

  Destination : 2620:c::/64
  Gateway     : 2620:e::55:2
  Type: static   Sub-Type: NA   Distance: 200   Metric: 1

  Destination : 2620:a::/64
  Gateway     : fe80::22:3%vlan22
  Type: ospf3   Sub-Type: InterArea   Distance: 110   Metric: 2

  Destination : 2620:a::/64
  Gateway     : fe80::22:5%vlan22
  Type: ospf3   Sub-Type: Int
General configuration steps for OSPFv3
To begin using OSPFv3 on the routing switch:
1. Enable IPv6 on at least one VLAN interface.
2. In the global config context, use ipv6 unicast-routing to enable routing.
3. Execute router ospf3 enable to enable OSPFv3 routing.
4. Use area in the ospf3 context to assign the areas to which the routing switch will be attached.
NOTE: Before enabling OSPFv3, ensure that ipv6 unicast-routing is enabled. Also, either begin each command with router ospf3, or execute router ospf3 at the global CONFIG level and then execute the individual commands in that context. For example:
HP Switch(config)# router ospf3
HP Switch(ospf3)# enable
Use the appropriate interface context to set interface-level OSPFv3 parameters for the desired interface.
5. Optional: Change the administrative distance setting. NOTE: In the default configuration, redistribution is permitted for all routes from supported sources. Enable redistribution after you have configured route-maps defining the route policies you want to apply to route redistribution in the OSPFv3 domain. Otherwise, your AS may become overloaded with routes that you did not intend to redistribute.
About adjusting performance by changing the VLAN interface settings (optional) The following OSPFv3 interface parameters are automatically set to their default values. No change to the defaults is usually required unless needed for specific network configurations.
About adjusting virtual link performance by changing the interface settings The following OSPFv3 interface parameters are automatically set to their default values for virtual links. No change to the defaults is usually required unless needed for specific network conditions. This is a subset of the parameters described under “Adjusting performance by changing the VLAN interface settings” (page 221).
11 IPv6 Tunneling Over IPv4 Using Manually Configured Tunnels

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

Overview
IPv6 over IPv4 tunneling is a way to establish point-to-point tunnels by encapsulating IPv6 packets within IPv4 headers so that they can be carried over the IPv4 routing infrastructure. IPv6 over IPv4 tunneling provides a mechanism for utilizing the existing IPv4 routing infrastructure to carry IPv6 traffic between IPv6 networks.
The decapsulator matches received packets to the tunnels it has configured and processes only those packets whose IPv4 source and destination addresses match the endpoint addresses of a configured tunnel. The tunnel endpoint IPv4 addresses must be configured consistently on the encapsulator and the decapsulator (the source address at one end is the destination address at the other). IPv4 routing switches along the path route the packet based on the IPv4 header. IPv6 traffic can travel the tunnel in either direction.
Syntax: [no] tunnel name string
Optional; provides a name for the tunnel. The name must be unique among all existing tunnels. The no form of the command removes the name from the tunnel.

Example 178 Creating, Enabling, and Naming a Tunnel

HP Switch(config)# interface tunnel 3
HP Switch(tunnel-3)# tunnel enable
HP Switch(tunnel-3)# tunnel name Redtunnel

Configuring the Tunnel Mode
The tunnel mode configures the tunnel encapsulation type. The only mode currently supported is 6in4 mode.
Configures the IPv4 or IPv6 address of the remote end of the tunnel. Must not be the same address as the tunnel source. Tunnel mode must be configured before tunnel destination.

Example 180 Configuring Destination and Source Addresses

HP Switch(tunnel-3)# tunnel source 20.30.30.3
HP Switch(tunnel-3)# tunnel destination 10.20.20.2

Configuring the Static MTU
Only the static tunnel MTU option is supported. Enter this command in tunnel context.
copy  When specified, the value of the TTL field from the IPv6 header is used in the IPv4 header.
Default : 64 seconds

Example 183 Configuring a TTL for the Packet

HP Switch(tunnel-3)# tunnel ttl 100

Example: Manual 6in4 Tunneling
This example creates an IPv6 6in4 tunnel, which allows IPv6 hosts in one network to exchange IPv6 data with hosts in another IPv6 network by using the IPv4 tunneling infrastructure.
Example 184 Configuring a Tunnel Endpoint

HP Switch(config)# interface tunnel 1
HP Switch(tunnel-1)# tunnel mode 6in4
HP Switch(tunnel-1)# tunnel source 20.0.0.1
HP Switch(tunnel-1)# tunnel destination 30.0.0.1
HP Switch(tunnel-1)# ipv6 address 5000::1/64

5000::1/64  IPv6 network assigned to the interface. Enables IPv6 on the interface.

2. Configure VLAN 2 for the IPv6 Hosts on the 3000::/64 Network
This step configures IPv6 address 3000::1/64 on VLAN 2.
Configure Switch C
Configure Switch C in a manner similar to Switch B, using the appropriate IPv6 and IPv4 addresses.
1. Configure the Tunnel Endpoint for Switch C
The tunnel endpoint for Switch C is configured with a mode, IPv4 source address, IPv4 destination address, and an IPv6 interface address.

Example 189 Configuring a Tunnel Endpoint (opposite end)

HP Switch(config)# interface tunnel 1
HP Switch(tunnel-1)# tunnel mode 6in4
HP Switch(tunnel-1)# tunnel source 30.0.0.
2.
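The decapsulator rule from the Overview (only packets whose IPv4 source and destination match a configured tunnel's endpoints are processed) can be modelled on the endpoints of Examples 184 and 189. The following Python is an added illustration, not switch software: the tunnel table, the inner IPv6 addresses and the packets are constructed, and the IPv4 checksum is not computed because the matching check does not depend on it.

```python
import ipaddress
import struct

# Added example, not HP switch code. Models the 6in4 decapsulator matching rule:
# an IPv4 packet is decapsulated only if it carries protocol 41 and its
# source/destination equal a configured tunnel's destination/source.
IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 carried directly in IPv4 (6in4)


def build_6in4(ipv4_src, ipv4_dst, ipv6_src, ipv6_dst, payload=b"", proto=IPPROTO_IPV6):
    """Build an IPv4 header followed by a minimal IPv6 header (constructed test input)."""
    # IPv6: version 6, payload length, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(ipv6_src).packed
    inner += ipaddress.IPv6Address(ipv6_dst).packed + payload
    # IPv4: version 4 / IHL 5, TOS 0, total length, id 0, flags/frag 0, TTL 64,
    # protocol, checksum left at 0, source, destination
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(ipv4_src).packed,
                        ipaddress.IPv4Address(ipv4_dst).packed)
    return outer + inner


def decapsulate(packet, tunnels):
    """Match a received IPv4 packet against the configured tunnels.

    tunnels maps a tunnel name to (local 'tunnel source', remote 'tunnel destination').
    Returns (tunnel_name, (inner_src, inner_dst)) when the packet is accepted,
    or (None, reason) when it must be dropped.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None, "not an IPv4 packet"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto != IPPROTO_IPV6:
        return None, "protocol %d is not 6in4" % proto
    for name, (local_src, remote_dst) in tunnels.items():
        # Our tunnel source must be the packet's destination, and the configured
        # remote destination must be the packet's source; anything else is dropped.
        if dst == local_src and src == remote_dst:
            inner = packet[ihl:]
            if len(inner) < 40 or inner[0] >> 4 != 6:
                return None, "malformed inner IPv6 header"
            return name, (str(ipaddress.IPv6Address(inner[8:24])),
                          str(ipaddress.IPv6Address(inner[24:40])))
    return None, "no tunnel with endpoints %s -> %s" % (src, dst)


if __name__ == "__main__":
    # Switch C's tunnel table: source 30.0.0.1, destination 20.0.0.1 (Examples 184/189)
    switch_c = {"tunnel-1": ("30.0.0.1", "20.0.0.1")}
    good = build_6in4("20.0.0.1", "30.0.0.1", "3000::1", "4000::1")
    spoofed = build_6in4("192.0.2.9", "30.0.0.1", "3000::1", "4000::1")  # constructed
    print(decapsulate(good, switch_c))     # accepted on tunnel-1
    print(decapsulate(spoofed, switch_c))  # dropped: no matching tunnel
```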
Example 193 Configuring the IPv4 Default Gateway

HP Switch(config)# ip default-gateway 30.0.0.2

Example: Tunneling Using Policy-Based Routing (PBR)
The following example uses the configuration shown in Example 193 (page 269). The routing configuration uses PBR to route into the tunnel. The configuration steps are similar to the prior example, with the addition of the PBR configuration.

Configure Switch B
1.
Example 198 Configuring IPv6 PBR-Based Routing

HP Switch(config)# class ipv6 PBR_Class
HP Switch(config-class)# match ipv6 any 4000::/64
HP Switch(config-class)# exit
HP Switch(config)# policy pbr PBR_Policy
HP Switch(policy-pbr)# class ipv6 PBR_Class
HP Switch(policy-pbr)# action interface tunnel 1
HP Switch(policy-pbr)# exit
HP Switch(config)# vlan 2
HP Switch(vlan-2)# service-policy PBR_Policy in

Configure Switch C
1.
5. Configure IPv6 PBR-Based Routing Execute these steps to configure the IPv6 PBR-based routing to route into the tunnel, and apply it to the inbound VLAN.
Example 204 Tunnel Configuration and Status Information for Multiple Tunnels

HP Switch(config)# show interface tunnel 3,4

 Tunnel Configuration :

  Tunnel              : tunnel-3
  Tunnel Name         : Redtunnel
  Tunnel Status       : Enabled
  Source Address      : 120.22.33.44
  Destination Address : 121.23.34.
  Mode                :
  TOS                 :
  TTL                 :
This command displays IPv6 neighbor discovery prefix information for the specified tunnel.
Example 206 IPv6 Neighbor Discovery Prefix Information for a Tunnel

HP Switch(tunnel-3)# show ipv6 nd ra prefix tunnel 3

 IPv6 Neighbor Discovery Prefix Information

  Tunnel Name        : Tunnel3
  IPv6 Prefix        : Default
  Valid Lifetime     : 15 days
  Preferred Lifetime : 14 days
  On-link Flag       : On
  Autonomous Flag    : On
  Advertise Flag     : On

Show IP Counters for a Tunnel
Example 207 Output Showing Counters for a Tunnel

HP Switch(config)# show ip counters tunnel 3

 Address Family : IPv4
 Interface      : Tunnel 3

  IP In Datagrams Received
  IP In Octets Received
  IP In Datagrams Broadcast Received
  IP In Octets Broadcast Received
  IP In Datagrams Multicast Received
  IP In Octets Multicast Received
  IP In Datagrams Discarded Datagram Header Error
  IP In Datagrams Discarded No Route
  IP In Datagrams Discarded Invalid Address
  IP In Datagrams Discarded Unknown Protocol
  IP In Datagrams Discarded
  IP Out Datagrams Fragmentation Failed : 0
  IP Out Datagrams Fragments Created    : 0
12 IPv6 Diagnostic and Troubleshooting

NOTE: All commands previously in the Summary of commands table are indexed under the entry Command syntax.

Introduction
The IPv6 ICMP feature enables control over the error and informational message rate for IPv6 traffic, which can help mitigate the effects of a denial-of-service attack. Ping6 enables verification of access to a specific IPv6 device, and traceroute6 enables tracing the route to an IPv6-enabled device on the network.
bucket-size  This optional keyword specifies the maximum number of tokens allowed in the token bucket at any time. Decreasing this value decreases the maximum number of tokens that may be available at any time. Default : 10; Range: 1 - 200
You can change the rate at which ICMP messages are allowed by changing the error-interval with or without a corresponding change in the bucket-size. The no ipv6 icmp error-interval command resets both the error-interval and the bucket-size values to their defaults.
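The error-interval and bucket-size parameters describe a token bucket: one token is added per error-interval, the bucket holds at most bucket-size tokens, and each ICMPv6 error message sent consumes a token. The Python below is an added model of that behaviour, not the switch's implementation; the bucket-size default of 10 is the page's, while the 100 ms error-interval used in the demonstration is an assumed value.

```python
class Icmp6ErrorLimiter:
    """Token-bucket model of 'ipv6 icmp error-interval <ms> bucket-size <n>'.

    Added example, not HP switch code. Time is supplied by the caller in
    milliseconds so the behaviour is deterministic and testable.
    """

    DEFAULT_INTERVAL_MS = 100  # assumed for illustration; the page only states bucket-size
    DEFAULT_BUCKET_SIZE = 10   # default bucket-size from the page

    def __init__(self, error_interval_ms=DEFAULT_INTERVAL_MS, bucket_size=DEFAULT_BUCKET_SIZE):
        if not 1 <= bucket_size <= 200:
            raise ValueError("bucket-size must be in the range 1 - 200")
        self.interval = error_interval_ms
        self.capacity = bucket_size
        self.tokens = bucket_size   # the bucket starts full
        self.last_ms = 0            # time up to which refills have been credited

    def reset_to_defaults(self):
        """Equivalent of 'no ipv6 icmp error-interval': both values back to defaults."""
        self.interval = self.DEFAULT_INTERVAL_MS
        self.capacity = self.DEFAULT_BUCKET_SIZE
        self.tokens = min(self.tokens, self.capacity)

    def _refill(self, now_ms):
        # One token is earned per full error-interval; the bucket never exceeds capacity.
        earned = (now_ms - self.last_ms) // self.interval
        if earned > 0:
            self.tokens = min(self.capacity, self.tokens + earned)
            self.last_ms += earned * self.interval

    def allow(self, now_ms):
        """Return True if an ICMPv6 error message may be sent at now_ms (consumes a token)."""
        self._refill(now_ms)
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(limiter, request_times_ms):
    """Feed a sequence of error-message requests; return (sent, suppressed)."""
    sent = suppressed = 0
    for t in request_times_ms:
        if limiter.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    # A burst of 50 would-be ICMPv6 errors within 50 ms: only bucket-size get out.
    print(simulate(Icmp6ErrorLimiter(), range(0, 50)))        # (10, 40)
    # bucket-size 1: at most one error per error-interval, regardless of burst.
    print(simulate(Icmp6ErrorLimiter(100, 1), [0, 50, 100, 150, 200]))  # (3, 2)
```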
oobm  For switches that have a separate out-of-band management (OOBM) port, oobm specifies that the traffic originates from the out-of-band management port.
repetitions 1 - 10000  Number of times that IPv6 ping packets are sent to the destination IPv6 host. Default: 1.
timeout 1 - 60  Number of seconds within which a response is required from the destination host before the ping test times out. Valid values: 1 - 60. Default: 1 second.
data-size 0 - 65471  Size of data (in bytes) to be sent in ping packets.
Replies to each traceroute operation are displayed on the console screen. To stop a traceroute operation before it finishes, press [Ctrl] [C]. For more information about how to configure and use a traceroute operation, see the “Troubleshooting” appendix in the Management and Configuration Guide.
probes  Number of times a traceroute is performed to locate the IPv6 device at any hop in the route to the specified host before the operation times out. Default : 3; Range: 1 - 5
source [ ipv6-addr | vid ]  The source IPv6 address of the traceroute device, or the VLAN ID on which the traceroute packet is being sent.
dstport 1 - 34000  Destination port.
srcport 1 - 34000  Source port.
DNS Configuration
Up to three DNS servers can be configured. The addresses must be prioritized, and can be for any combination of IPv4 and IPv6 DNS servers.

NOTE: This section describes the commands for configuring DNS operation for IPv6 DNS applications. For further information and examples on using the DNS feature, see “DNS Resolver” in the “Troubleshooting” appendix of the current Management and Configuration Guide for your switch.
For example, suppose you want to configure the following on the switch:
• the address 2001:db8::127:10, which identifies a DNS server in the domain named mygroup.hpnetworking.net
• a priority of 1 for the above server
• the domain suffix mygroup.hpnetworking.net
Assume that the above, configured DNS server supports an IPv6 device having a host name of “mars-1” (and an IPv6 address of fe80::215:60ff:fe7a:adc0) in the “mygroup.hpnetworking.net” domain.
Configuring Debug and Event Log Messaging
To specify the types of debug and Event Log messages that you want to send to an external device:
• Use the debug ipv6...
ospf3  one of the following OSPFv3 message types:
  (none)  all OSPFv3 debug events
  adj  adjacency changes
  event  events
  flood  flooding
  lsa-generation  link state advertisement generation
  packet  one of the following OSPFv3 packet types:
    (none)  all OSPFv3 packets sent or received
    DD  DD packets sent or received
    Hello  Hello packets sent or received
    LSA  LSA packets sent or received
    LSR  LSR packets sent or received
    LSU  LSU packets sent or received
  retransmission  retransmissions
  spf  SPF computations
packet  all IPv6 pack
debug destination session  enables the configured debug message types to be sent to the CLI session that executed this command. The session can be on any one terminal emulation device with serial, Telnet, or SSH access to the CLI at the Manager level prompt.
debug destination buffer  enables the configured debug message types to be sent to a buffer in switch memory.
• Use the logging [ syslog-ipv6-addr ] command to configure the Syslog server at the specified IPv6 destination address.
NOTE: The no logging command does not delete the Syslog server addresses stored in the startup configuration. To delete Syslog addresses in the startup configuration, you must enter the no logging command followed by the write memory command. To verify the deletion of a Syslog server address, display the startup configuration by entering the show config command.