ProCurve Series 6120 Switches IPv6 Configuration Guide November 2010 Version Z.14.
HP ProCurve 6120G/XG Switch 6120XG Switch November 2010 Z.14.
© Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. Warranty This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Product Publications and IPv6 Command Index

About Your Switch Manual Set

Note: For the latest version of switch documentation, please visit any of the following websites:
www.hp.com/networking/support
www.hp.com/go/bladesystem/documentation
h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html

Printed Publications

The publication listed below is printed and shipped with your switch.
■ IPv6 Configuration Guide—Describes the IPv6 protocol operations that are supported on the switch.
■ Release Notes—Describe new features, fixes, and enhancements that become available between revisions of the main product guide.

IPv6 Command Index

This index provides a tool for locating descriptions of individual IPv6 commands covered in this guide.

Note: A link-local address must include %vlan< vid > without spaces as a suffix. For example: fe80::110:252%vlan20

The index begins on the next page.
1 Getting Started

Contents
  Introduction
  Conventions
  Command Syntax Statements
  Command Prompts
  Screen Simulations
Introduction

This guide is intended for use with the HP ProCurve 6120G/XG and 6120XG switches. It describes how to use the command line interface (CLI) to configure, manage, monitor, and troubleshoot switch operation. For an overview of other product documentation for the above switches, refer to “Product Documentation” on page xi. You can download documentation from the following web sites:
www.procurve.com/manuals
www.hp.com/go/bladesystem/documentation
h18004.www1.hp.
Conventions

Command Prompts

In the default configuration, your switch displays a CLI prompt similar to the following examples:

  ProCurve 6120G/XG Blade Switch#
  ProCurve 6120XG Blade Switch#

To simplify recognition, this guide uses ProCurve to represent command prompts for all switch models. For example:

  ProCurve#

(You can use the hostname command to change the text in the CLI prompt.)

Screen Simulations

Displayed Text.
Configuration and Operation Examples

Keys

Simulations of actual keys use a bold, sans-serif typeface with square brackets. For example, the Tab key appears as [Tab] and the “Y” key appears as [Y].

Sources for More Information

This guide covers features related to IPv6 operation, and includes an IPv6 command index on page xii. For information about switch operation and features not covered in this guide, refer to the switch publications listed in this section.
■ Advanced Traffic Management Guide—Use this guide for information on topics such as:
  • VLANs: Static port-based and protocol VLANs, and dynamic GVRP VLANs
  • Spanning-Tree: 802.1D (STP), 802.1w (RSTP), and 802.
Getting Documentation From the Web

To obtain the latest versions of documentation and release notes for your switch, please see the following web sites:
www.procurve.com/manuals
www.hp.com/go/bladesystem/documentation
h18004.www1.hp.com/products/blades/components/c-class-tech-installing.html

If you need further information on ProCurve switch technology, visit the ProCurve Networking web site at www.procurve.
Command Line Interface

If you need information on a specific command in the CLI, type the command name followed by help. For example:

  ProCurve# write help
  Usage: write
  Description: View or save the running configuration of the switch.
    write terminal - displays the running configuration of the switch on the terminal
    write memory - saves the running configuration of the switch to flash.
Note: To access the online Help for the ProCurve web browser interface, you need either ProCurve Manager (version 1.5 or greater) installed on your network or an active connection to the World Wide Web. Otherwise, online help for the web browser interface will not be available. Online help is also accessible by logging into the Onboard Administrator.

The Help Button

Figure 1-5.
2 Introduction to IPv6

Contents
  Migrating to IPv6
  IPv6 Propagation
  Dual-Stack Operation
  Connecting to Devices Supporting IPv6 Over IPv4 Tunneling
  Information Sources for Tunneling IPv6 Over IPv4
  Ping6
  Traceroute6
  Debug/Syslog Enhancements
  Domain Name System (DNS) Resolution
  IPv6 Neighbor Discovery (ND) Controls
Migrating to IPv6

Successful migration to IPv6 involves maintaining compatibility with the large installed base of IPv4 hosts and routers for the immediate future. To achieve this purpose, the software supports dual-stack (IPv4/IPv6) operation and connections to IPv6-aware routers for routing IPv6 traffic between VLANs and across IPv4 networks.
IPv6 Propagation

IPv6 is currently in the early stages of deployment worldwide, involving a phased-in migration led by the application of basic IPv6 functionality. In these applications, IPv6 traffic is switched among IPv6-capable devices on a given LAN, and routed between LANs using IPv6-capable routers.
Connecting to Devices Supporting IPv6 Over IPv4 Tunneling

The switches covered by this guide can interoperate with IPv6/IPv4 devices capable of tunneling IPv6 traffic across an IPv4 infrastructure. Some examples include:
■ traffic between IPv6/IPv4 routers (router/router)
■ traffic between an IPv6/IPv4 router and an IPv6/IPv4 host capable of tunneling (router/host)

Note: Tunneling requires an IPv6-capable router.
Use Model

Adding IPv6 Capability

IPv6 was designed by the Internet Engineering Task Force (IETF) to improve on the scalability, security, ease of configuration, and network management capabilities of IPv4. IPv6 provides increased flexibility and connectivity for existing networked devices, addresses the limited address availability inherent in IPv4, and provides the infrastructure for the next wave of Internet devices, such as PDAs, mobile phones and appliances.
Configuration and Management

This section outlines the configurable management features supporting IPv6 operation on your ProCurve IPv6-ready switch.

Management Features

The software provides host-based IPv6 features that enable the switches covered by this guide to be managed from an IPv6 management station and to operate in both IPv6 and IPv4/IPv6 network environments.
traffic on a VLAN to be routed to other VLANs supporting IPv6-aware devices. (An external, IPv6-aware router is required to forward traffic between VLANs.) Multiple, global unicast addresses can be configured on a VLAN that receives RAs specifying different prefixes.

DHCPv6 (Stateful) Address Configuration

The IPv6 counterpart to DHCP client for IPv4 operation is DHCPv6.
Refer to “Default IPv6 Router” on page 4-30 and “View IPv6 Gateway, Route, and Router Neighbors” on page 4-31.

Neighbor Discovery (ND) in IPv6

The IPv6 Neighbor Discovery protocol operates in a manner similar to the IPv4 ARP protocol to provide for discovery of IPv6 devices such as other switches, routers, management stations, and servers on the same interface.
IPv6 Management Features

The switch's IPv6 management features support operation in an environment employing IPv6 servers and management stations. With a link to a properly configured IPv6 router, switch management extends to routed traffic solutions. (Refer to the documentation provided for the IPv6 router.) Otherwise, IPv6 management for the switches covered by this guide is dependent on switched management traffic solutions.
IP Preserve

IP Preserve operation preserves both the IPv4 and IPv6 addresses configured on VLAN 1 (the default VLAN) when a configuration file is downloaded to the switch using TFTP. Refer to “IP Preserve for IPv6” on page 5-27.
Configurable IPv6 Security

The switch supports up to six inbound sessions of the following types in any combination at any given time:
■ SSHv2
■ SSHv2 IPv6
■ Telnet-server
■ Telnet6-server
■ SFTP/SCP (One SFTP or SCP session allowed at a given time.)
■ Console (serial RS-232 connection)

For more information, refer to “Secure Shell (SSH) for IPv6” on page 6-15.
Diagnostic and Troubleshooting

The software includes the IPv6 diagnostic and troubleshooting features listed in this section.

Ping6

Implements the Ping protocol for IPv6 destinations, and includes the same options as are available for IPv4 Ping, including DNS hostnames. Refer to “Ping for IPv6 (Ping6)” on page 7-2.
Note: If an IPv6 DNS server address is configured on the switch, at least one VLAN on the switch (and in the path to the DNS server) must be configured with an IPv6 address.

For information on configuring DNS resolution on the switch, refer to “DNS Resolver for IPv6” on page 7-8.
IPv6 Scalability

The switches covered by this guide support the following:
■ Dual stack operation (IPv4 and IPv6 addresses on the same VLAN).
■ Maximum of 2048 active IPv6 addresses on the switch, in addition to a maximum of 2048 IPv4 addresses. (“Active IPv6 addresses” includes the total of all preferred and non-preferred addresses configured statically, through DHCPv6, and through stateless autoconfiguration.
3 IPv6 Addressing

Contents
  Introduction
  IPv6 Address Structure and Format
  Address Format
  Address Notation
  Network Prefix
  Prefixes in Routable IPv6 Addresses
  Unique Local Unicast IPv6 Address
  Anycast Addresses
  Multicast Application to IPv6 Addressing
  Overview of the Multicast Operation in IPv6
Introduction

IPv6 supports multiple addresses on an interface, and uses them in a manner comparable to subnetting an IPv4 VLAN. For example, where the switch is configured with multiple VLANs and each is connected to an IPv6 router, each VLAN will have a single link-local address and one or more global unicast addresses. This section describes IPv6 addressing and outlines the options for configuring IPv6 addressing on the switch.
IPv6 Address Structure and Format

An IPv6 address includes a network prefix and an interface identifier.

Network Prefix

The network prefix (high-order bits) in an IPv6 address begins with a well-known, fixed prefix for defining the address type.
IPv6 Addressing Options

IPv6 Address Sources

IPv6 addressing sources provide a flexible methodology for assigning addresses to VLAN interfaces on the switch.
Stateful Address Autoconfiguration. This method allows use of a DHCPv6 server to automatically configure IPv6 addressing on a host in a manner similar to stateful IP addressing with a DHCPv4 server. A DHCPv6 server can provide routable IPv6 addressing and NTP (timep) server addresses.
IPv6 Address Sources

IPv6 addressing sources provide a flexible methodology for assigning addresses to VLAN interfaces on the switch.
servers. These lifetimes cannot be reset using control from the switch console or SNMP methods. Refer to “Preferred and Valid Address Lifetimes” on page 3-25.

Stateful (DHCPv6) Address Configuration

Stateful addresses are defined by a system administrator or other authority, and automatically assigned to the switch and other devices through the Dynamic Host Configuration Protocol (DHCPv6).
Static Address Configuration

Generally, static address configuration should be used when you want specific, non-default addressing to be assigned to a VLAN interface.
Address Types and Scope

Address Types

IPv6 uses these IP address types:
■ Unicast: Identifies a specific IPv6 interface. Traffic having a unicast destination address is intended for a single interface. Like IPv4 addresses, unicast addresses can be assigned to a specific VLAN on the switch and to other IPv6 devices connected to the switch. At a minimum, a given interface must have at least a link-local address.
Address Scope

The address scope determines the area (topology) in which a given IPv6 address is used. This section provides an overview of IPv6 address types. For more information, refer to the chapter titled “IPv6 Addressing”.

Link-Local Address. Limited to a given interface (VLAN). Enabling IPv6 on a given VLAN automatically generates a link-local address used for switched traffic on the VLAN.

Global Unicast Address.
In binary notation, the fixed prefix for link-local addresses is:

  1111 1110 10 = fe80/10

For more on link-local addresses, refer to “Link-Local Unicast Address” on page 3-13.

Routable Global Unicast Prefix. This well-known 3-bit fixed-prefix indicates a routable address used to identify a device on a VLAN interface that is accessible by routing from multiple networks. The complete prefix is 64 bits, followed by a 64-bit interface identifier.
Other Prefix Types.
Link-Local Unicast Address

Because all VLANs configured on the switch use the same MAC address, all automatically generated link-local addresses on the switch will be the same. However, since the scope of a link-local address includes only the VLAN on which it was generated, this should not be a problem.
MAC Address          IPv6 I/F Identifier     Full Link-Local Unicast Address
00-15-60-7a-ad-c0    215:60ff:fe7a:adc0      fe80::215:60ff:fe7a:adc0/64
09-c1-8a-44-b4-9d    11c1:8aff:fe44:b49d     fe80::11c1:8aff:fe44:b49d/64
00-1a-73-5a-7e-57    21a:73ff:fe5a:7e57      fe80::21a:73ff:fe5a:7e57/64

The EUI method of generating a link-local address is automatically implemented on the switches covered by this guide when IPv6 is enabled on a VLAN interface.
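The derivation behind the table rows for 00-15-60-7a-ad-c0 and 00-1a-73-5a-7e-57, as an added example (not code from HP's guide): it builds the modified EUI-64 interface identifier defined in RFC 4291 and also reverses it, which shows that an EUI-64 address discloses the interface MAC to anyone who sees the address in a log or capture. The function names and the 2001:db8:0:1::/64 documentation prefix are assumptions made for the illustration.

```python
import ipaddress

LINK_LOCAL_PREFIX = bytes.fromhex("fe80") + bytes(6)  # fe80::/64 as 8 bytes


def interface_id_from_mac(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    octets = bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"expected six octets in MAC address, got {mac!r}")
    # Invert the universal/local bit (0x02) of the first octet and insert
    # ff:fe between the vendor half and the device half of the MAC.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> str:
    """Link-local address generated automatically for this MAC."""
    return str(ipaddress.IPv6Address(LINK_LOCAL_PREFIX + interface_id_from_mac(mac)))


def autoconfig_address(prefix: str, mac: str) -> str:
    """Global unicast address formed from an advertised /64 prefix (assumed value)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    packed = net.network_address.packed[:8] + interface_id_from_mac(mac)
    return str(ipaddress.IPv6Address(packed))


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 based address, or None if it is not one.

    Accepts the guide's notation with a /prefix-length or %vlan<vid> suffix.
    """
    host = address.split("/")[0].split("%")[0]
    iid = ipaddress.IPv6Address(host).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # statically chosen identifier, e.g. fe80::110:252
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    for mac in ("00-15-60-7a-ad-c0", "00-1a-73-5a-7e-57"):
        print(mac, "->", link_local_from_mac(mac))
    print(autoconfig_address("2001:db8:0:1::/64", "00-15-60-7a-ad-c0"))
    print(mac_from_address("fe80::21a:73ff:fe5a:7e57%vlan20"))
    print(mac_from_address("fe80::110:252%vlan20"))
```

Because every VLAN on the switch shares one MAC address, the recovered MAC is the same for each VLAN's automatically generated address; the %vlan suffix is what distinguishes them.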
Global Unicast Address

A global unicast address is required for unicast traffic to be routed across VLANs within an organization as well as across the public internet. To support subnetting, a VLAN can be configured with multiple global unicast addresses.
■ generate a link-local address on the VLAN as described in the preceding section (page 3-13).
■ transmit a router solicitation on the VLAN, and to listen for advertisements from any IPv6 routers on the VLAN.

For each unique router advertisement (RA) the switch receives from any router(s), the switch configures a unique, global unicast address.
Prefixes in Routable IPv6 Addresses

In routable IPv6 addresses, the prefix uniquely identifies an entity and a unicast subnet within that entity, and is defined by a length value specifying the number of leftmost contiguous (high-order) bits comprising the prefix. For an automatically generated global unicast address, the default prefix length is 64 bits. (Practically speaking, the entire prefix in a /64 address defines the subnet.
Unique Local Unicast IPv6 Address

A unique local unicast address is an address that falls within a specific range, but is used only as a global unicast address within an organization. Traffic having a source address within the defined range should not be allowed beyond the borders of the intended domain or onto the public internet. The current prefix for specifically identifying unique local unicast addresses is fd00/8.
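One way to audit the border rule stated above, as an added example (not code from HP's guide): it scans flow records and reports any record leaving a border interface with a unique local (fd00/8) or link-local (fe80/10) source address. The three-field record layout, the interface names and the sample records are constructed for the illustration.

```python
import ipaddress

# Fixed prefixes as this guide gives them.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fd00::/8")


def source_scope(text: str) -> str:
    """Classify a source address; tolerates /prefix-length and %vlan<vid> suffixes."""
    host = text.split("/")[0].split("%")[0]
    try:
        address = ipaddress.IPv6Address(host)
    except ValueError:
        return "invalid"
    if address in LINK_LOCAL:
        return "link-local"
    if address in UNIQUE_LOCAL:
        return "unique-local"
    return "other"


def border_violations(records, border_interfaces):
    """Return (record number, source, reason) for each record that breaks the rule.

    Each record is "<egress-interface> <source> <destination>" (assumed layout).
    """
    findings = []
    for number, line in enumerate(records, start=1):
        fields = line.split()
        if len(fields) != 3:
            findings.append((number, line.strip(), "malformed record"))
            continue
        interface, source, _destination = fields
        if interface not in border_interfaces:
            continue  # traffic staying inside the organization is allowed
        scope = source_scope(source)
        if scope != "other":
            reason = f"{scope} source on border interface {interface}"
            findings.append((number, source, reason))
    return findings


# Constructed sample records; wan0 is the assumed border interface.
SAMPLE_FLOWS = [
    "wan0 2001:db8:10::25 2001:db8:ffff::1",
    "wan0 fd12:3456:789a:1::15 2001:db8:ffff::1",
    "vlan20 fd12:3456:789a:1::15 fd12:3456:789a:2::9",
    "wan0 fe80::215:60ff:fe7a:adc0%vlan20 2001:db8:ffff::1",
    "wan0 not-an-address 2001:db8:ffff::1",
]

if __name__ == "__main__":
    for finding in border_violations(SAMPLE_FLOWS, {"wan0"}):
        print(finding)
```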
Anycast Addresses

Network size, traffic loads and the potential for network changes make it desirable to build in redundancy for some network services to provide increased service reliability. Anycast addressing provides this capability for applications where it does not matter which source is actually used to provide a service that is offered on multiple sources.
For related information, refer to:
■ RFC 4291: “IP Version 6 Addressing Architecture”
■ RFC 2526: “Reserved IPv6 Subnet Anycast Addresses”

Multicast Application to IPv6 Addressing

Multicast is used to reduce traffic for applications that have more than one recipient for the same data.
IPv6 Multicast Address Format

The multicast address format has three principal sections in the leading 16 bits:
■ identifier: ff (bits 1-8)
■ flags: 0xxx (bits 9-12)
■ scope: 0001 - 1110 (bits 13-16)

For related information, refer to RFC 4291.

Multicast Group Identification

Multicast ID, Flags and Scope (16 bits)
1111 1111 0xxx xxxx : x...x : x...x : x...x : x...x : x...x : x...x : x...
Bit   Use
0     reserved
1     interface-local (loopback)
2     link-local (same topology as the corresponding link-local unicast scope)
3     reserved
4     admin-local (smallest administratively configured scope)
5     site-local (single site)
6     unassigned
7     unassigned
8     organization-local (multiple sites within the same organization)
9     unassigned
A     unassigned
B     unassigned
C     unassigned
D     unassigned
E     global
F     reserved

For example, the follo
■ RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses
■ RFC 3956: Embedding the Rendezvous Point (RP) Address in an IPv6 Multicast Address
■ RFC 3177: IAB/IESG Recommendations on IPv6 Address Allocations to Sites
■ RFC 4007: IPv6 Scoped Address Architecture
■ RFC 4291: IP Version 6 Addressing Architecture
■ “Internet Protocol Version 6 Multicast Addresses” (at www.iana.
IPv6 Address Deprecation

Preferred and Valid Address Lifetimes

Autoconfigured IPv6 global unicast addresses acquire their valid and preferred lifetime assignments from router advertisements. A valid lifetime is the time period during which an address is allowed to remain available and usable on an interface. A preferred lifetime is the length of time an address is intended for full use on an interface, and must be less than or equal to the address's valid lifetime.
Related Information
■ RFC 2462: “IPv6 Stateless Address Autoconfiguration”
■ RFC 4291: “IP Version 6 Addressing Architecture”
4 IPv6 Addressing Configuration

Contents
  Introduction
  General Configuration Steps
  Configuring IPv6 Addressing
  Enabling IPv6 with an Automatically Configured Link-Local Address
  Router Solicitations
  Default IPv6 Router
  Router Redirection
  View IPv6 Gateway, Route, and Router Neighbors
  Viewing Gateway and IPv6 Route Information
Introduction

Feature                                      Default     CLI
Enable IPv6 with a Link-Local Address        disabled    4-6
Configure Global Unicast Autoconfig          disabled    4-7
Configure DHCPv6 Addressing                  disabled    4-9
Configure a Static Link-Local Address        None        4-12
Configure a Static Global Unicast Address    None        4-13
Configure an Anycast Address                 None        4-14
Change DAD Attempts                          3           4-18
View Current IPv6 Addressing                 n/a         4-22

In the default configuration, IPv6 operation is disabled on the
General Configuration Steps

The IPv6 configuration includes global and per-VLAN settings. This section provides an overview of the general configuration steps for enabling IPv6 on a given VLAN, which can be enabled by any one of several commands. The following steps provide a suggested progression for getting started.
• statically replacing the automatically generated link-local address
• statically adding global unicast, unique local unicast, and/or anycast addresses

Configuring IPv6 Addressing

In the default configuration on a VLAN, any one of the following commands enables IPv6 and creates a link-local address.
Enabling IPv6 with an Automatically Configured Link-Local Address

This command enables automatic configuration of a link-local address.
Enabling Autoconfiguration of a Global Unicast Address and a Default Router Identity on a VLAN

Enabling autoconfig or rebooting the switch with autoconfig enabled on a VLAN causes the switch to configure IPv6 addressing on the VLAN using router advertisements and an EUI-64 interface identifier (page 3-14).
After verification of uniqueness by DAD, an IPv6 address assigned to a VLAN by autoconfiguration is set to the preferred and valid lifetimes specified by the RA used to generate the address, and is configured as a preferred address. (Refer to “IPv6 Address Deprecation” on page 3-25.)

Default: Disabled.
Enabling DHCPv6

Enabling the DHCPv6 option on a VLAN allows the switch to obtain a global unicast address and an NTP (network time protocol) server assignment for a Timep server. (If a DHCPv6 server is not needed to provide a global unicast address to a switch interface, the server can still be configured to provide the NTP server assignment. This is sometimes referred to as “stateless DHCPv6”.
After verification of uniqueness by DAD, an IPv6 address assigned to the VLAN by a DHCPv6 server is set to the preferred and valid lifetimes specified in a router advertisement received on the VLAN for the prefix used in the assigned address, and is configured as a preferred address. (Refer to the section titled “Address Lifetimes” on page 4-34.
■ DHCPv6 and statically configured global unicast or anycast addresses are mutually exclusive on a given VLAN. That is, configuring DHCPv6 on a VLAN erases any static global unicast or anycast addresses previously configured on that VLAN, and the reverse. (A statically configured link-local address will not be affected by configuring DHCPv6 on the VLAN.
Configuring a Static IPv6 Address on a VLAN

Statically Configuring a Link-Local Unicast Address

Syntax: [no] ipv6 address fe80::< device-identifier > link-local

■ If IPv6 is not already enabled on the VLAN, this command enables IPv6 and configures a static link-local address.
■ If IPv6 is already enabled on the VLAN, then this command overwrites the current, link-local address with the specified static address. (One link-local address is allowed per VLAN interface.
Statically Configuring a Global Unicast Address

Syntax:.
Operating Notes
■ With IPv6 enabled, the switch determines the default IPv6 router for the VLAN from the router advertisements it receives. (Refer to “Router Access and Default Router Selection” on page 4-29.)
■ If DHCPv6 is configured on a VLAN, then configuring a static global unicast address on the VLAN removes DHCPv6 from the VLAN's configuration and deletes the DHCPv6-assigned global unicast address.
Syntax:.
Duplicate Address Detection (DAD) for Statically Configured Addresses

Statically configured IPv6 addresses are designated as permanent. If DAD determines that a statically configured address duplicates a previously configured and reachable address on another device belonging to the VLAN, then the more recent, duplicate address is designated as duplicate. For more on this topic, refer to:
■ “Duplicate Address Detection (DAD)” on page 4-18.
Neighbor Discovery (ND)

Neighbor Discovery (ND) is the IPv6 equivalent of the IPv4 ARP for layer 2 address resolution, and uses IPv6 ICMP messages to do the following:
■ Determine the link-layer address of neighbors on the same VLAN interface.
■ Verify that a neighbor is reachable.
■ Track neighbor (local) routers.
Note: Neighbor and router solicitations must originate on the same VLAN as the receiving device. To support this operation, IPv6 is designed to discard any incoming neighbor or router solicitation that does not have a value of 255 in the IP Hop Limit field. For a complete list of requirements, refer to RFC 246.
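The hop-limit rule in the note above, as an added example (not code from HP's guide or the switch software): a receiver-side check that accepts a neighbor discovery message only when it still carries a hop limit of 255. It goes slightly beyond the note by also covering advertisements and redirects, to which RFC 4861 applies the same rule. It assumes the ICMPv6 header directly follows the fixed 40-byte IPv6 header and does not verify the checksum; the sample packets are constructed.

```python
import ipaddress
import struct

ICMPV6 = 58          # IPv6 Next Header value for ICMPv6
ND_HOP_LIMIT = 255   # value a neighbor discovery packet must still carry on arrival
ND_TYPES = {
    133: "router solicitation",
    134: "router advertisement",
    135: "neighbor solicitation",
    136: "neighbor advertisement",
    137: "redirect",
}


def build_packet(src, dst, hop_limit, icmp_type):
    """Construct a sample IPv6 + ICMPv6 packet (checksum left at zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + bytes(4)
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)


def check_nd_packet(packet):
    """Return (verdict, reason); verdict is "accept", "drop" or "ignore"."""
    if len(packet) < 44:  # 40-byte IPv6 header plus 4-byte ICMPv6 header
        return ("drop", "truncated packet")
    first_word, _length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        return ("drop", "not an IPv6 packet")
    if next_header != ICMPV6:
        return ("ignore", "not ICMPv6")
    name = ND_TYPES.get(packet[40])
    if name is None:
        return ("ignore", "ICMPv6 but not neighbor discovery")
    if hop_limit != ND_HOP_LIMIT:
        # Every router decrements the hop limit, so a value below 255 means
        # the packet was forwarded and did not originate on this VLAN.
        return ("drop", f"{name} with hop limit {hop_limit}")
    return ("accept", name)


# Constructed samples: (source, destination, hop limit, ICMPv6 type).
SAMPLES = [
    ("fe80::215:60ff:fe7a:adc0", "ff02::1:ff5a:7e57", 255, 135),  # on-link NS
    ("2001:db8:ffff::66", "ff02::1:ff5a:7e57", 64, 135),          # forwarded NS
    ("fe80::21a:73ff:fe5a:7e57", "ff02::2", 254, 133),            # RS, one hop away
    ("2001:db8:10::25", "2001:db8:10::1", 64, 128),               # echo request
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], check_nd_packet(build_packet(*sample)))
```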
that includes its link-local address. If the newly configured address is from a static or DHCPv6 source and is found to be a duplicate, it is labelled as duplicate in the “Address Status” field of the show ipv6 command, and is not used.
Syntax: ipv6 nd ns-interval < milliseconds >
Used on VLAN interfaces to reconfigure the neighbor discovery time in milliseconds between DAD neighbor solicitations sent for an unresolved destination, or between duplicate address detection neighbor solicitation requests. Increasing this setting is indicated where neighbor solicitation retries or failures are occurring, or in a “slow” (WAN) network. To view the current setting, use show ipv6 nd.
■ If a previously configured unicast address is changed, a neighbor advertisement is sent on the VLAN to notify other devices, and also for duplicate address detection.
■ If DAD is disabled when an address is configured, the address is assumed to be unique and is assigned to the interface.
View the Current IPv6 Addressing Configuration
Use these commands to view the current status of the IPv6 configuration on the switch.
Syntax: show ipv6
Lists the current, global IPv6 settings and per-VLAN IPv6 addressing on the switch.
IPv6 Routing: This setting is always Disabled. This is a global setting, and is not configured per-VLAN. (Refer to “Router Access and Default Router Selection” on page 4-29.
Address Origin:
■ Autoconfig: The address was configured using stateless address autoconfiguration (SLAAC). In this case, the device identifier for global unicast addresses is copied from the current link-local unicast address.
■ DHCP: The address was assigned by a DHCPv6 server. Note that addresses having a DHCP origin are listed with a 128 bit prefix length.
■ Manual: The address was statically configured on the VLAN.
For example, figure 4-1 shows the output on a switch having IPv6 enabled on one VLAN.
Syntax: show ipv6 nd
Displays the current IPv6 neighbor discovery settings on the configured VLAN interfaces. For example, figure 4-25 shows the output on a switch having IPv6 enabled on VLANs 1 and 20.
ProCurve# show ipv6 nd
IPV6 Neighbor Discovery Configuration
Current Hop Limit : 0
VLAN Name     RCHtime (msecs)  NSint (msecs)
------------  ---------------  -------------
DEFAULT_VLAN  30000            1000
VLAN20        30000            1000
Figure 4-2.
■ DAD Attempts: Indicates the number of neighbor solicitations the switch transmits per-address for duplicate (IPv6) address detection. Implemented when a new address is configured or when an interface with configured addresses comes up (such as after a reboot). The default setting is 3, and the range is 0 - 600. A setting of “0” disables duplicate address detection.
ProCurve# show ipv6 vlan 10
Internet (IPv6) Service
IPv6 Routing    : Disabled
Default Gateway : fe80::213:c4ff:fedd:14b0%vlan10
ND DAD          : Enabled
DAD Attempts    : 3
Vlan Name       : VLAN10
IPv6 Status     : Enabled
IPv6 Address/Prefixlength                    Expiry
-------------------------------------------  -------------------------
2001:db8:a03:e102::1:101/64                  Fri May 19 11:51:15 2009
fe80::1:101/64                               permanent
Figure 4-3.
ProCurve(config)# show run
Running configuration:
. . .
vlan 10
   name "VLAN10"
   untagged A1-A12
   ipv6 address fe80::1:101 link-local
   ipv6 address dhcp full rapid-commit
. . .
Statically configured IPv6 addresses appear in the show run output. Commands for automatic IPv6 address configuration appear in the show run output, but the addresses resulting from these commands do not appear in the output.
Figure 4-4.
Router Access and Default Router Selection
Routing traffic between destinations on different VLANs configured on the switch or to a destination on an off-switch VLAN is done by placing the switch on the same VLAN interface or subnet as an IPv6-capable router configured to route traffic to other IPv6 interfaces or to tunnel IPv6 traffic across an IPv4 network.
Note: If the switch does not receive a router advertisement after sending the router solicitations, as described above, then no further router solicitations are sent on that VLAN unless a new IPv6 setting is configured, IPv6 on the VLAN is disabled, then re-enabled, or the VLAN itself is disconnected, then reconnected.
View IPv6 Gateway, Route, and Router Neighbors
Use these commands to view the switch's current routing table content and connectivity to routers per VLAN. This includes information received in router advertisements from IPv6 routers on VLANs enabled with IPv6 on the switch.
ProCurve(config)# show ipv6 route
IPv6 Route Entries
“Unknown” Address
Dest : ::/0 Gateway : fe80::213:c4ff:fedd:14b0%vlan10 Dist. : 40 Type : static Metric : 0
Dest : ::1/128 Gateway : lo0 Dist. : 0 Type : connected Metric : 1
Dist. : 0 Type : connected Metric : 1
Link-Local Address Configured on the Switch
Dist. : 0 Type : connected Metric : 1
Link-Local Address Assigned to the Loopback Address
Dist.
MTU: This is the Maximum Transmission Unit (in bytes) allowed for frames on the path to the indicated router.
Hop Limit: The maximum number of router hops allowed.
Prefix Advertised: Lists the prefix and prefix size (number of leftmost bits in an address) originating with the indicated router.
Address Lifetimes
Every configured IPv6 unicast and anycast address has a lifetime setting that determines how long the address can be used before it must be refreshed or replaced. Some addresses are set as “permanent” and do not expire. Others have both a “preferred” and a “valid” lifetime that specify the duration of their use and availability.
Table 4-1. IPv6 Unicast Addresses Lifetimes
Address Source                            Lifetime Criteria
Link-Local                                Permanent
Statically Configured Unicast or Anycast  Permanent
Autoconfigured Global                     Finite Preferred and Valid Lifetimes
DHCPv6-Configured                         Finite Preferred and Valid Lifetimes
A new, preferred address used as a replacement for a deprecated address can be acquired from a manual, DHCPv6, or autoconfiguration source.
5 IPv6 Management Features
Contents
Introduction
Viewing and Clearing the IPv6 Neighbors Cache
Viewing the Neighbor Cache
Clearing the Neighbor Cache
IPv6 Telnet Operation
Introduction
Feature              Default  CLI
Neighbor Cache       n/a      5-3, 5-5
Telnet6              Enabled  5-6, 5-7, 5-9
SNTP Address         None     5-11
Timep Address        None     5-14
TFTP                 n/a      5-17
SNMP Trap Receivers  None     5-24
This chapter focuses on the IPv6 application of management features that support both IPv6 and IPv4 operation. For additional information on these features, refer to the current Management and Configuration Guide for your switch.
Viewing and Clearing the IPv6 Neighbors Cache
Viewing the Neighbor Cache
Neighbor discovery occurs when there is communication between IPv6 devices on a VLAN. The Neighbor Cache retains data for a given neighbor until the entry times out. For more on this topic, refer to “Neighbor Discovery (ND)” on page 4-17.
Syntax: show ipv6 neighbors [vlan < vid >]
Displays IPv6 neighbor information currently held in the neighbor cache.
• STALE: A timeout has occurred for reachability of the neighbor, and an unsolicited discovery packet has been received from the neighbor address. If the path to the neighbor is then used successfully, this state is restored to REACH.
• DELAY: Indicates waiting for a response to traffic sent recently to the neighbor address.
Clearing the Neighbor Cache
When there is an event such as a topology change or an address change, the neighbor cache may have too many entries to allow efficient use.
IPv6 Telnet Operation
This section describes Telnet operation for IPv6 on the switch. For IPv4 Telnet operation, refer to the Management and Configuration Guide for your switch.
Outbound Telnet to Another Device
Syntax: telnet < link-local-addr >%vlan< vid >[oobm]
telnet < global-unicast-addr >[oobm]
Outbound Telnet establishes a Telnet session from the switch CLI to another IPv6 device, and includes these options.
ProCurve(config)# telnet fe80::215:60ff:fe79:980%vlan10
If the switch is receiving router advertisements from an IPv6 default gateway router, you can Telnet to a device on the same VLAN or another VLAN or subnet by using its global unicast address.
ProCurve# show telnet
Telnet Activity
--------------------------------------------------------
Session  :    1
Privilege: Manager
From     : Console
To       : 10.0.10.140
--------------------------------------------------------
Session  :    2
Privilege: Manager
From     : 2620:0:260:212::2:219
To       :
--------------------------------------------------------
Session  : ** 3
Privilege: Manager
The ** in “Session:” indicates the session through which show telnet was run.
Enabling or Disabling Inbound Telnet Access
Syntax: [ no ] telnet-server
This command is used at the global config level to enable (the default) or disable all (IPv4 and IPv6) inbound Telnet access to the switch. The no form of the command disables inbound telnet.
SNTP and Timep
Configuring (Enabling or Disabling) the SNTP Mode
The software enables configuration of a global unicast address for an IPv6 SNTP time server. This section lists the SNTP and related commands, including an example of using an IPv6 address. For the details of configuring SNTP on the switch, refer to the chapter titled “Time Protocols” in the Management and Configuration Guide for your switch.
Configuring an IPv6 Address for an SNTP Server
Note: To use a global unicast IPv6 address to configure an IPv6 SNTP time server on the switch, the switch must be receiving advertisements from an IPv6 router on a VLAN configured on the switch. To use a link-local IPv6 address to configure an IPv6 SNTP time server on the switch, it is necessary to append %vlan followed immediately (without spaces) by the VLAN ID of the VLAN on which the server address is available.
For example, to configure link-local and global unicast SNTP server addresses of:
■ fe80::215:60ff:fe7a:adc0 (on VLAN 10, configured on the switch)
■ 2001:db8::215:60ff:fe79:8980
as the priority “1” and “2” SNTP servers, respectively, using version 7, you would enter these commands at the global config level, as shown below.
For example, the show sntp output for the preceding sntp server command example would appear as follows:
ProCurve(config)# show sntp
SNTP Configuration
Time Sync Mode: Sntp
SNTP Mode : Broadcast
Poll Interval (sec) [720] : 719
Priority  SNTP Server Address
--------  ----------------------------------------------
1         2001:db8::215:60ff:fe79:8980
2         10.255.5.
This example illustrates the command output when both IPv6 and IPv4 server addresses are configured.
ip timep manual < ipv6-addr > [ interval < 1 - 9999 >]
Enable Timep operation with a statically configured IPv6 address for a Timep server. Optionally change the interval between time requests.
no ip timep
Disables Timep operation. To re-enable Timep, it is necessary to reconfigure either the DHCP or the static option.
where the address is on VLAN 10, configured on the switch, you would enter this command at the global config level, as shown below.
ProCurve(config)# ip timep manual fe80::215:60ff:fe7a:adc0%vlan10
Note: In the preceding example, using a link-local address requires that you specify the local scope for the address; VLAN 10 in this case. This is always indicated by %vlan followed immediately (without spaces) by the VLAN identifier.
Note that the show management command can also be used to display Timep server information.
TFTP File Transfers Over IPv6
You can use TFTP copy commands over IPv6 to upload or download files to and from a physically connected device or a remote TFTP server, including:
■ Switch software
■ Software images
■ Switch configurations
■ Diagnostic data (crash data, crash log, and event log)
For complete information on how to configure TFTP file transfers between the switch and a TFTP server or other host device on the network, refer to the “
Enabling TFTP for IPv6
Client and server TFTP for IPv6 is enabled by default on the switch. However, if it is disabled, you can re-enable it by specifying TFTP client or server functionality with the tftp command. Enter the tftp < client | server > command at the global configuration level.
Using TFTP to Copy Files over IPv6
Use the TFTP copy commands described in this section to:
■ Download specified files from a TFTP server to a switch on which TFTP client functionality is enabled.
■ Upload specified files from a switch, on which TFTP server functionality is enabled, to a TFTP server.
Syntax: copy tftp < ipv6-addr > < filename > < pc | unix >[oobm]
Copies (uploads) a source data file on a switch that is enabled with TFTP server functionality to a file on the TFTP server at the specified IPv6 address, where is one of the following values:
■ command-output < cli-command >: Copies the output of a CLI command to the specified file on a remote host.
< ipv6-addr >: If this is a link-local address, use this IPv6 address format:
fe80::< device-id >%vlan< vid >
For example: fe80::123%vlan10
If this is a global unicast or anycast address, use this IPv6 format:
< ipv6-addr >
For example: 2001:db8::123
oobm: For switches that have a separate out-of-band management port, specifies that the transfer will be through the out-of-band management interface. (Default is transfer through the data interface.
Using Auto-TFTP for IPv6
At switch startup, the auto-TFTP for IPv6 feature automatically downloads a software image to the switch from a specified TFTP server, then reboots the switch.
SNMP Management for IPv6
As with SNMP for IPv4, you can manage a switch via SNMP from an IPv6-based network management station by using an application such as ProCurve Manager (PCM) or ProCurve Manager Plus (PCM+). (For more on PCM and PCM+, go to the ProCurve Networking web site at www.procurve.com.
SNMP Configuration Commands Supported
IPv6 addressing is supported in the following SNMP configuration commands:
For more information on each SNMP configuration procedure, refer to the “Configuring for Network Management Applications” chapter in the current Management and Configuration Guide for your switch.
SNMPv1 and V2c
Syntax:
snmp-server trap-source < ipv4-addr | loopback < 0-7 >>
snmp-server response-source [dst-ip-of-request | ipv4-addr | loopback < 0-7 >]
IPv6 addresses are supported in SNMP show command output as shown in Figure 5-8 and Figure 5-9.
The show snmp-server command displays the current SNMP policy configuration, including SNMP communities, network security notifications, link-change traps, trap receivers (including the IPv4 or IPv6 address) that can receive SNMPv1 and SNMPv2c traps, and the source IP (interface) address used in IP headers when sending SNMP notifications (traps and informs) or responses to SNMP requests.
The show snmpv3 targetaddress command displays the configuration (including the IPv4 or IPv6 address) of the SNMPv3 management stations to which notification messages are sent.
ProCurve(config)# show snmpv3 targetaddress
snmpTargetAddrTable [rfc2573]
Target Name                IP Address
-------------------------  ----------------------
1                          15.29.17.218
2                          15.29.17.219
PP.217                     15.29.17.
PP.218
IP Preserve for IPv6
; 498358-B21 Configuration Editor; Created on release #Z.14.XX
hostname "ProCurve"
time daylight-time-rule None
* * * * * *
password manager
password operator
ip preserve
Entering an ip preserve statement as the last line in a configuration file stored on a TFTP server allows you to download and execute the file as the startup-config file on an IPv6 switch.
To verify how IP Preserve was implemented in a switch, after the switch reboots, enter the show run command. Figure 5-11 shows an example in which all configuration settings have been copied into the startup-config file except for the IPv6 address of VLAN 1 (2001:db8::214:c2ff:fe4c:e480) and the default IPv6 gateway (2001:db8:0:7::5), which were retained.
6 IPv6 Management Security Features
Contents
IPv6 Management Security
Authorized IP Managers for IPv6
Usage Notes
Configuring Authorized IP Managers for Switch Access
Using a Mask to Configure Authorized Management Stations
IPv6 Management Security
This chapter describes management security features that are IPv6 counterparts of IPv4 management security features on the switches covered by this guide.
Authorized IP Managers for IPv6
The Authorized IP Managers feature uses IP addresses and masks to determine which stations (PCs or workstations) can access the switch through the network.
■ You configure each authorized manager address with Manager or Operator-level privilege to access the switch.
• Manager privilege allows full access to all web browser and console interface screens for viewing, configuration, and all other operations available in these interfaces.
• Operator privilege allows read-only access from the web browser and console interfaces.
Configuring Authorized IP Managers for Switch Access
To configure one or more IPv6-based management stations to access the switch using the Authorized IP Managers feature, enter the ipv6 authorized-managers command.
Syntax: [no] ipv6 authorized-managers [ipv6-mask] [access ] access-method [all | ssh | telnet | web | snmp | tftp]
Configures one or more authorized IPv6 addresses to access the switch, where: ipv6-m
Notes: If you do not enter a value for the ipv6-mask parameter when you configure an authorized IPv6 address, the switch automatically uses FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF as the default mask (see “Configuring Authorized IP Managers for Switch Access” on page 6-5).
Conversely, in a mask, a “0” binary bit means that either the “on” or “off” setting of the corresponding IPv6 bit in an authorized address is valid and does not have to match the setting of the same bit in the specified IPv6 address. Figure 6-2 shows the binary expressions represented by individual hexadecimal values in an ipv6-mask parameter.
Example. Figure 6-3 shows an example in which a mask that authorizes switch access to four management stations is applied to the IPv6 address: 2001:DB8:0000:0000:244:17FF:FEB6:D37D. The mask is: FFFF:FFFF:FFFF:FFF8:FFFF:FFFF:FFFF:FFFC.
to 0 (“off”) and allow the corresponding bits in an authorized IPv6 address to be either “on” or “off”. As a result, only the four IPv6 addresses shown in Figure 6-5 are allowed access.
■ Each authorized station has the same 64-bit device ID (244:17FF:FEB6:D37D) because the value of the last four blocks in the mask is FFFF (binary value 1111 1111). FFFF requires all bits in each corresponding block of an authorized IPv6 address to have the same “on” or “off” setting as the device ID in the specified IPv6 address.
Figure 6-7 shows the bits in the fourth block of the mask that determine the valid subnets in which authorized stations with an IPv6 device ID of 244:17FF:FEB6:D37D reside. FFF8 in the fourth block of the mask means that bits 3 - 15 of the block are fixed and, in an authorized IPv6 address, must correspond to the “on” and “off” settings shown for the binary equivalent 0000 in the fourth block of the IPv6 address.
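The mask rule described above (a 1 bit must match the configured address, a 0 bit accepts either setting) can be checked mechanically before a mask is committed, which makes an over-broad entry visible as a station count. This is an added example, not code from the guide or the switch software: the function names, the 64-station review threshold, and the first and third sample commands are assumptions; the second sample command and the address with the ...fffe mask are the ones printed elsewhere in this section.

```python
import ipaddress

FULL_MASK = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"  # default mask per the guide

# Constructed sample configuration. The second command is the operator-level
# example from this section; the first and third are made up for illustration.
SAMPLE_CONFIG = """\
ipv6 authorized-managers 2001:db8:0:7::5 access manager
ipv6 authorized-managers 2001:db8:0000:0007:231:17ff:fec5:c967 ffff:ffff:ffff:fffe:ffff:ffff:ffff:ffe0 access operator
ipv6 authorized-managers 2001:db8:0:7::5 ffff:ffff:ffff:ffff:0000:0000:0000:0000 access manager
"""


def to_int(text):
    """Parse an IPv6 address or mask; a %vlan<vid> scope suffix is ignored."""
    return int(ipaddress.IPv6Address(text.split("%", 1)[0]))


def is_authorized(source, address, mask=FULL_MASK):
    """A source matches when it agrees with `address` on every 1 bit of the mask."""
    m = to_int(mask)
    return (to_int(source) & m) == (to_int(address) & m)


def authorized_count(mask=FULL_MASK):
    """Each 0 bit in the mask doubles the number of authorized addresses."""
    return 2 ** (128 - bin(to_int(mask)).count("1"))


def free_bits_per_block(mask):
    """Return {block number 1-8: count of 0 bits} for blocks that are not FFFF."""
    m = to_int(mask)
    result = {}
    for block in range(8):
        value = (m >> (16 * (7 - block))) & 0xFFFF
        if value != 0xFFFF:
            result[block + 1] = 16 - bin(value).count("1")
    return result


def enumerate_authorized(address, mask=FULL_MASK, limit=64):
    """List every authorized address; refuses masks wider than `limit`."""
    m = to_int(mask)
    free = [bit for bit in range(128) if not (m >> bit) & 1]
    if 2 ** len(free) > limit:
        raise ValueError("mask authorizes more than %d addresses" % limit)
    base = to_int(address) & m
    out = []
    for combo in range(2 ** len(free)):
        value = base
        for i, bit in enumerate(free):
            if (combo >> i) & 1:
                value |= 1 << bit
        out.append(str(ipaddress.IPv6Address(value)))
    return out


def audit(config_text, max_stations=64):
    """Parse authorized-managers commands and flag masks wider than max_stations."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ipv6", "authorized-managers"] or len(tokens) < 3:
            continue
        address, rest = tokens[2], tokens[3:]
        has_mask = bool(rest) and rest[0] not in ("access", "access-method")
        mask = rest[0] if has_mask else FULL_MASK
        access = rest[rest.index("access") + 1] if "access" in rest[:-1] else None
        count = authorized_count(mask)
        findings.append({"address": address, "mask": mask, "access": access,
                         "stations": count, "too_broad": count > max_stations})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```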
Displaying an Authorized IP Managers Configuration
Use the show ipv6 authorized-managers command to list the IPv6 stations authorized to access the switch; for example:
ProCurve# show ipv6 authorized-managers
IPv6 Authorized Managers
---------------------------------------
Address : 2001:db8:0:7::5
Mask    : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Access  : Manager
Address : 2001:db8::a:1c:e3:3
Mask    : ffff:ffff:ffff:ffff:ffff:ffff:ffff:fffe
Access
Additional Examples of Authorized IPv6 Managers Configuration
Authorizing Manager Access. The following IPv6 commands authorize manager-level access for one link-local station at a time. Note that when you enter a link-local IPv6 address with the ipv6 authorized-managers command, you must also enter a VLAN ID in the format: %vlan.
The next IPv6 command authorizes operator-level access for sixty-four IPv6 stations: thirty-two stations in the subnets defined by 0x0006 and 0x0007 in the fourth block of an authorized IPv6 address:
ProCurve(config)# ipv6 authorized-managers 2001:db8:0000:0007:231:17ff:fec5:c967 ffff:ffff:ffff:fffe:ffff:ffff:ffff:ffe0 access operator
The following ipv6 authorized-managers command authorizes a single, automatically generated (EUI-64) IPv6
Secure Shell (SSH) for IPv6
SSH for IPv4 and IPv6 operate simultaneously with the same command set. Both are enabled in the default configuration, and are controlled together by the same command set. Secure Shell (SSH) for IPv6 provides the same Telnet-like functions through encrypted, authenticated transactions as SSH for IPv4. SSH for IPv6 provides CLI (console) access and secure file transfer functionality.
Syntax: [no] ip ssh
Enables SSH on the switch for both IPv4 and IPv6, and activates the connection with a configured SSH server (RADIUS or TACACS+). The no form of the command disables SSH on the switch.
[cipher < cipher-type >]
Specify a cipher type to use for connection. Valid types are:
• aes128-cbc
• 3des-cbc
• aes192-cbc
• aes256-cbc
• rijndael-cbc@lysator.liu.
[mac < MAC-type >]
Allows configuration of the set of MACs that can be selected. Valid types are:
• hmac-md5
• hmac-sha1
• hmac-sha1-96
• hmac-md5-96
Default: All MAC types are available. Use the no form of the command to disable a MAC type.
[port < 1-65535 | default >]
TCP port number used for SSH sessions in IPv4 and IPv6 connections (Default: 22).
[listen ]
The listen parameter is available only on switches that have a separate out-of-band management port. Values for this parameter are:
• oobm — inbound SSH access is enabled only on the out-of-band management port.
• data — inbound SSH access is enabled only on the data ports.
• both — inbound SSH access is enabled on both the out-of-band management port and on the data ports. This is the default value.
With SSH running, the switch supports one console session and up to five other SSH and Telnet (IPv4 and IPv6) sessions. Web browser sessions are also supported, but are not displayed in show ip ssh output.
ProCurve# show ip ssh
Source IPv6 IP addresses of SSH clients are displayed in hexadecimal format.
Secure Copy and Secure FTP for IPv6
You can take advantage of the Secure Copy (SCP) and Secure FTP (SFTP) client applications to provide a secure alternative to TFTP for transferring sensitive switch information, such as configuration files and login information, between the switch and an administrator workstation.
7 IPv6 Diagnostic and Troubleshooting
Contents
Introduction
Ping for IPv6 (Ping6)
Traceroute for IPv6
DNS Resolver for IPv6
DNS Configuration
Introduction
Feature ping6 traceroute6 Default CLI Enabled n/a
The IPv6 ICMP feature enables control over the error and informational message rate for IPv6 traffic, which can help mitigate the effects of a Denial-of-service attack. Ping6 enables verification of access to a specific IPv6 device, and traceroute6 enables tracing the route to an IPv6-enabled device on the network.
Ping for IPv6 (Ping6)
Syntax: ping6 < ipv6-address | hostname | switch-number > [repetitions < 1 - 10000 >] [timeout < 1 - 60 >] [data-size < 0 - 65507 >] [data-fill < 0 - 1024 >] [source < ipv6-addr | vid >] [oobm]
ping6 | hostname | switch-number> [repetitions < 1 - 10000 >] [timeout < 1 - 60 >] [data-size < 0 - 65507 >] [data-fill < 0 - 1024 >] [source < ipv6-addr | vid >][oobm]
Pings the specified IPv6 host by sending ICMP version 6 (ICM
ProCurve# ping6 fe80::2:1%vlan10
fe80:0000:0000:0000:0000:0000:0002:0001 is alive, time = 975 ms
ProCurve# ping6 2001:db8::a:1c:e3:3 repetitions 3
2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 1, time = 15 ms
2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 2, time = 15 ms
2001:0db8:0000:0000:000a:001c:00e3:0003 is alive, iteration 3, time = 15 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip (ms) min/
Traceroute for IPv6
The traceroute6 command enables you to trace the route from a switch to a host device that is identified by an IPv6 address or IPv6 host name. In the command output, information on each (router) hop between the switch and the destination IPv6 address is displayed. To use a traceroute6 command with an IPv6 host name or fully qualified domain names, refer to “DNS Resolver for IPv6” on page 7-8.
Syntax: traceroute6 < ipv6-address | hostname > [minttl < 1-255 >] [maxttl < 1-255 >] [timeout < 1 - 60 >] [probes < 1-5 >] [source < ipv6-addr | vid | oobm>
traceroute6 | hostname > [minttl < 1-255 >] [maxttl < 1-255 >] [timeout < 1 - 60 >] [probes < 1-5 >] [source < ipv6-addr | vid | oobm>
Lists the IPv6 address of each hop in the route to the specified destination host device with the time (in microseconds) required for
timeout: Number of seconds within which a response is required from the IPv6 device at each hop in the route to the destination host before the traceroute operation times out. Default: 5 seconds; Range: 1 - 60.
probes: Number of times a traceroute is performed to locate the IPv6 device at any hop in the route to the specified host before the operation times out. Default: 3; Range: 1 - 5.
DNS Resolver for IPv6
The Domain Name System (DNS) resolver is designed for local network domains where it enables use of a host name or fully qualified domain name to support DNS-compatible commands from the switch.
The no form of the command removes the specified address from the server address list configured on the switch.
< ip-addr >: Specifies the address of an IPv6 or IPv4 DNS server.
[oobm]: For switches that have a separate out-of-band management (OOBM) port, this parameter specifies that communication with the DNS server goes through that OOBM port.
Syntax:
Assume that the above, configured DNS server supports an IPv6 device having a host name of “mars-1” (and an IPv6 address of fe80::215:60ff:fe7a:adc0) in the “mygroup.procurve.net” domain. In this case you can use the device's host name alone to ping the device because the mygroup.procurve.net domain has been configured as the domain name on the switch and the address of a DNS server residing in that domain is also configured on the switch.
Debug/Syslog for IPv6
The Debug/System logging (Syslog) for IPv6 feature provides the same logging functions as the IPv4 version, allowing you to record IPv4 and IPv6 Event Log and debug messages on a remote device to troubleshoot switch or network operation. For example, you can send messages about routing misconfigurations and other network protocol details to an external device, and later use them to debug network-level problems.
Debug Command
Syntax: [no] debug < debug-type >
Configures the types of IPv4 and IPv6 messages that are sent to Syslog servers or other debug destinations, where < debug-type > is any of the following event types:
all
Configures all IPv4 and IPv6 debug message types to be sent to configured debug destinations. (Default: Disabled - No debug messages are sent.
ip [ rip < database | event | trigger > ]
Configures specified IPv4 RIP message types to be sent to configured debug destinations:
database— Database changes
event— RIP events
trigger— Trigger messages
ipv6
Configures messages for IPv6 DHCPv6 client and neighbor discovery events to be sent to configured debug destinations.
• debug destination buffer enables the configured debug message types to be sent to a buffer in switch memory.
Logging Command
Syntax: [no] logging < syslog-ipv4-addr >
Enables or disables Syslog messaging to the specified IPv4 address. You can configure up to six addresses. If you configure an address when none are already configured, this command enables destination logging (Syslog) and the Event debug type.
A IPv6 Terminology
DAD: Duplicate Address Detection. Refer to “Duplicate Address Detection (DAD)” on page 4-18.
Device Identifier: The low-order bits in an IPv6 address that identify a specific device. For example, in the link-local address 2001:db8:a10:101:212:79ff:fe88:a100/64, the bits forming 212:79ff:fe88:a100 comprise the device identifier.
DoS: Denial-of-Service.
EUI-64: Extended Unique Identifier. Refer to “Extended Unique Identifier (EUI)” on page 3-14.
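The device identifier in the glossary example above, and the one in the mars-1 address fe80::215:60ff:fe7a:adc0, both follow the modified EUI-64 layout, so the interface MAC address can be recovered from an address seen in Event Log or Syslog output. The Python code below is an added example, not taken from this guide; the function names are hypothetical, and the /64 prefix length used for the link-local address is an assumption.

```python
import ipaddress


def _parse(address: str) -> ipaddress.IPv6Address:
    """Accept 'addr', 'addr/len' or 'addr%zone' and return the bare address."""
    return ipaddress.IPv6Address(address.split("/")[0].split("%")[0])


def device_identifier(address: str, prefix_len: int = 64) -> str:
    """Return the low-order bits after the prefix as colon-separated hex groups."""
    if prefix_len % 16 or not 0 <= prefix_len < 128:
        raise ValueError("prefix length must be a multiple of 16 below 128")
    host_bits = 128 - prefix_len
    ident = int(_parse(address)) & ((1 << host_bits) - 1)
    groups = host_bits // 16
    return ":".join(
        format((ident >> (16 * i)) & 0xFFFF, "x") for i in reversed(range(groups))
    )


def eui64_to_mac(address: str):
    """Recover the 48-bit MAC from a modified EUI-64 identifier, or return None.

    Modified EUI-64 inserts ff:fe between the two MAC halves and inverts the
    universal/local bit (0x02) of the first byte. A randomly generated
    identifier can contain ff:fe by chance, so treat the result as a hint.
    """
    iid = (int(_parse(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # not EUI-64 derived (manual or randomized identifier)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    samples = [
        "2001:db8:a10:101:212:79ff:fe88:a100/64",  # glossary example
        "fe80::215:60ff:fe7a:adc0",                # mars-1 example, /64 assumed
        "2001:db8::1c2d:3e4f:5a6b:7c8d",           # constructed non-EUI-64 address
    ]
    for s in samples:
        print(s, "->", device_identifier(s), "| MAC:", eui64_to_mac(s))
```

Because an EUI-64 identifier stays the same on every network the interface joins, it can be used to correlate log entries for one device across VLANs and prefixes.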
Technology for better business outcomes To learn more, visit www.hp.com/go/bladesystem/documentation/ © Copyright 2010 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty.