HP Load Balancing Module
Network Management Configuration Guide
Part number: 5998-4217
Software version: Feature 3221
Document version: 6PW100-20130326
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents

Configuring interfaces
Overview
Managing interfaces in the web interface

Configuration restrictions and guidelines
Configuration procedure
Displaying and maintaining inline Layer 2 forwarding
Forward-type inline Layer 2 forwarding configuration exa

Enabling common proxy ARP
Enabling local proxy ARP
Displaying and maintaining proxy ARP
Proxy ARP configur

Configuring NAT at the CLI
NAT configuration task list
Configuring static NAT
Configuring dynamic

Configuring IPv4 DNS
Overview
Static domain name resolution
Dynamic d

Configuring OSPF
Configuring OSPF in the Web interface
Recommended configuration procedure
Configuring OSPF globally

Configuring a policy
Configuring PBR
Displaying and maintaining PBR
Local PBR based on packet

Network requirements
Configuration procedure
Dynamic domain name resolution configuration example
Network requirements

Configuring a priority for OSPFv3
Configuring OSPFv3 route redistribution
Tuning and optimizing OSPFv3 networks
Configuration prerequisites

Configuring IPv6 BGP peer group
Configuring IPv6 BGP community
Configuring an IPv6 BGP route reflector
Displaying and maintaining IPv6 BGP

Support and other resources
Contacting HP
Subscription service
Relate
Configuring interfaces All configuration tasks in this chapter are independent and optional. You can perform these configuration tasks in any order. You can use the interface management feature to view interface information, create/remove logical interfaces, change interface status, and reset interface parameters. Overview An interface is the point of interaction or communication between devices. It is used for exchanging data between devices.
• VT interface—Template used for configuring VA interfaces. Managing interfaces in the web interface Displaying the information and statistics of an interface 1. Select System > Interface from the navigation tree. The page shows the name, IP address, mask, and status of each interface. The security zone of a Layer 2 Ethernet interface is not displayed on the page. Figure 1 Interface management 2. Click an interface name in the Name column to view the statistics of the interface.
Figure 2 Statistics of an interface Creating an interface 1. Select System > Interface from the navigation tree. 2. Click Add to enter the page for creating an interface.
Figure 3 Creating an interface 3. Configure the interface information as described in Table 1. 4. Click Apply. Table 1 Configuration items Item Description Set the name for the interface or its subinterface. • If you select a logical interface type from the list, such as LoopBack, Interface Name Vlan-interface, and Virtual-Template, set the interface number in the box behind to create the logical interface.
Item: IP Config
Description: Set how the interface obtains an IP address:
• None—Does not set an IP address for the interface.
• Static Address—Manually assigns an IP address to the interface. After selecting this option, you need to manually set the IP Address and Mask items.
• DHCP—The interface gets an IP address through DHCP.
• BOOTP—The interface gets an IP address through BOOTP.
• PPP Negotiate—The interface gets an IP address through PPP negotiation.
Figure 4 Modifying interface information 3. Modify the interface as described in Table 2 and Table 1. 4. Click Apply. Table 2 Configuration items Item Description Interface Type Set the interface type, which can be Electrical port, Optical port, or None. Display and set the interface status: • Connected—Indicates that the current interface is up and connected, click the Disable button to shut down the interface.
Interface management configuration example
Network requirements
As shown in Figure 5, LB connects Host A and Host B through its interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2, respectively. Configure the two interfaces as shown in Figure 5, so that both Host A and Host B can access LB. Then, shut down GigabitEthernet 0/1 so that Host A will not be able to access LB.
Figure 5 Network diagram (LB connects to Host A through GE0/1 and to Host B through GE0/2; both ports are labeled Vlan-int1 1.1.2.1/24)
Configuring LB
1.
Figure 6 Modifying interface GigabitEthernet 0/1 2. Change the operating mode of GigabitEthernet 0/2 into bridge. The configuration here is the same as that for GigabitEthernet 0/1. 3. Create VLAN-interface 1: By default, VLAN 1 exists, and all ports are untagged members of VLAN 1. a. Click Add on the interface management page. b. Set the interface name to Vlan-interface1, select Static Address for IP Config, enter IP address 1.1.2.1, and select 24 (255.255.255.255) as the network mask. c.
Figure 7 Creating VLAN-interface 1 4. Assign VLAN-interface 1 to a security zone (depending on the network environment): For example, you can assign VLAN-interface 1 to security zone Trust. a. Select Security > Zone from the navigation tree. b. Click the icon for zone Trust. c. Select Vlan-interface1 from the Interface Name field. d. Click Apply.
Figure 8 Assigning VLAN-interface 1 to a security zone Host A and Host B can access LB. 5. Display the statistics on interface GigabitEthernet 0/1: a. Select System > Interface from the navigation tree. b. Click interface name GigabitEthernet0/1 to view its statistics.
Figure 9 Displaying interface statistics
6. Shut down interface GigabitEthernet 0/1:
a. Click Back on the Port Statistics page.
b. Click the icon for GigabitEthernet0/1.
c. Click Disable at the end of the Interface Status line.
GigabitEthernet 0/1 is shut down, and Host A cannot access LB.
Managing interfaces at the CLI
Performing general configurations
This section describes the settings common to Layer 2 and Layer 3 Ethernet interfaces or subinterfaces.
The fiber combo port and the copper combo port share one interface view, in which you can activate the fiber or copper combo port, and configure other port attributes such as the interface rate and duplex mode. 1. Configuration prerequisites Before you configure combo interfaces, complete the following tasks: • Determine the combo interfaces on your device by checking the product specifications and identify the two physical interfaces that compose each combo interface.
Step 3. Set the interface description.
  Command: description text
  Remarks: Optional. By default, the description of an interface is in the format of interface-name Interface. For example, GigabitEthernet0/1 Interface.
Step 4. Set the duplex mode of the interface.
  Command: duplex { auto | full | half }
  Remarks: Optional. By default, the duplex mode is auto for other Ethernet interfaces.
Step 5. Set the port speed.
  Command: speed { 10 | 100 | 1000 | auto }
  Remarks: Optional.
Step 6. Restore the default settings for the interface.
  Command: default
  Remarks: Optional.
Step 2. Enter Ethernet interface or subinterface view.
  Command:
  • Enter Ethernet interface view:
    interface interface-type interface-number
  • Enter Ethernet subinterface view:
    interface interface-type interface-number.subnumber
  Remarks: Use one of the commands.
Step 3. Shut down the Ethernet interface or subinterface.
  Remarks: By default, Ethernet interfaces and subinterfaces are up.
• During loopback testing, the Ethernet interface operates in full duplex mode. When you disable loopback testing, the port returns to its duplex setting. • When a Layer 3 Ethernet interface operates in bridge mode (as a Layer 2 Ethernet interface) or in promiscuous mode, the interface does not support loopback testing. 2. Configuration procedure To enable loopback testing on an Ethernet interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Ethernet interface view.
Setting a statistics polling interval You can configure an interface statistics polling interval. To display the interface statistics collected in the last polling interval, use the display interface or display counters rate command. The interface statistics polling interval takes effect on all Ethernet interfaces. To set the statistics polling interval: Step Command Remarks 1. Enter system view. system-view N/A 2. Set the statistics polling interval.
Step 2. Enter Ethernet interface view or Ethernet subinterface view.
  Command:
  • Enter Ethernet interface view:
    interface interface-type interface-number
  • Enter Ethernet subinterface view:
    interface interface-type interface-number.subnumber
  Remarks: Use one of the commands. To configure storm suppression on an Ethernet interface, enter Ethernet interface view. To configure storm suppression on an Ethernet subinterface, enter Ethernet subinterface view.
Optional.
3.
To set the MDI mode of an Ethernet interface: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Ethernet interface view. interface interface-type interface-number N/A 3. Set the MDI mode of the Ethernet interface. mdi { across | auto | normal } By default, a copper Ethernet interface operates in auto mode to negotiate pin roles with its peer.
• A loopback interface address can be configured as the source address of the IP packets that the device generates. Because loopback interface addresses are stable unicast addresses, they are usually used as device identifications. When you configure a rule on an authentication or security server to permit or deny packets that a device generates, you can simplify the rule by configuring it to permit or deny packets carrying the loopback interface address that identifies the device.
Configuration procedure
To enter null interface view:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter null interface view.
  Command: interface null 0
  Remarks: The Null 0 interface is the default null interface on your device. It cannot be manually created or removed.
Step 3. Set the interface description.
  Command: description text
  Remarks: Optional. By default, the description of a null interface is interface name Interface.
Step 4. Restore the default settings for the null interface.
  Command: default
  Remarks: Optional.
Bulk configuring interfaces You can enter interface range view to bulk configure multiple interfaces with the same feature instead of configuring them one by one. For example, you can perform the shutdown command in interface range view to shut down a range of interfaces. Command application failure on one member interface does not affect the application of the command on the other member interfaces.
Step 5. Verify the configuration. Command Remarks display this Optional.
Configuring IPv4 addressing • The device supports configuring IPv4 addressing in the Web interface and at the CLI. For information on configuring IPv4 addressing in the Web interface, see "Configuring interfaces." This chapter describes configuring IPv4 addressing at the CLI. • For information about configuring IPv6 addressing, see "Configuring IPv6 basics." Overview This section describes the IP addressing basics. IP addressing uses a 32-bit address to identify each host on a network.
Class Address range Remarks C 192.0.0.0 to 223.255.255.255 N/A D 224.0.0.0 to 239.255.255.255 Multicast addresses. E 240.0.0.0 to 255.255.255.255 Reserved for future use except for the broadcast address 255.255.255.255. Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses. • IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.
• With subnetting—Using the first 9 bits of the host-id for subnetting provides 512 (2^9) subnets. However, only 7 bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 hosts (512 × 126).
Assigning an IP address to an interface
You can assign an interface one primary address and multiple secondary addresses. Generally, you only need to assign the primary address to an interface. In some cases, you must assign secondary IP addresses to the interface.
Configuration example Network requirements As shown in Figure 12, GigabitEthernet 0/1 on LB is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two subnets to communicate with the external network through LB, and to enable the hosts on the two subnets to communicate with each other: • Assign a primary IP address and a secondary IP address to GigabitEthernet 0/1 on LB.
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/26/27 ms
The output shows that LB can communicate with the host on subnet 172.16.1.0/24.
# Ping a host on subnet 172.16.2.0/24 from LB to verify the connectivity.
ping 172.16.2.2
PING 172.16.2.2: 56 data bytes, press CTRL_C to break
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.
Configuring the MAC address table This document covers only the configuration of unicast MAC address entries, including static, dynamic, and destination blackhole entries. The MAC address table configuration tasks can be performed in any order. Overview To reduce single-destination packet flooding in a switched LAN, an Ethernet device uses a MAC address table for forwarding frames. This table describes from which port a MAC address (or host) can be reached.
To improve port security, you can bind specific user devices to the port by manually adding MAC address entries to the MAC address table of the device.
Types of MAC address table entries
A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
• Dynamic entries—Manually added or dynamically learned, and might age out.
• Destination blackhole entries—Manually configured and never age out.
Figure 14 Adding a MAC address entry 3. Configure MAC address entry information, as shown in Table 4. 4. Click Apply. Table 4 Configuration items Item Description MAC MAC address to be added. Set the type of the MAC address entry: • Static—Static MAC address entries that never age out. • Dynamic—Dynamic MAC address entries that will age out. • Blackhole—Blackhole MAC address entries that never age out.
Figure 15 Setting the aging time for MAC address entries 2. Set the aging time for MAC address entries. If you select No-aging, MAC address entries do not age out. 3. Click Apply. MAC address table configuration example Network requirements The MAC address of Host A, which is connected to GigabitEthernet 0/1 of the device and belongs to VLAN 1, is 000f-e235-dc71. The MAC address of Host B, which belongs to VLAN 1, is 000f-e235-abcd.
c. Enter MAC address 000f-e235-dc71. Select static from the Type list. Select 1 from the VLAN list. Select GigabitEthernet0/1 from the Port list. d. Click Apply. Figure 17 Creating a static MAC address entry 2. Create a blackhole MAC address entry: a. Click Add. b. Enter MAC address 000f-e235-abcd. Select blackhole from the Type list. Select 1 from the VLAN list. c. Click Apply. Figure 18 Creating a blackhole MAC address entry 3. Set the aging time for dynamic MAC address entries: a.
Figure 19 Setting the aging time for dynamic MAC address entries Configuring a MAC address entry at the CLI Configuring static, dynamic, and blackhole MAC address table entries To prevent MAC address spoofing attacks and improve port security, manually add MAC address table entries to bind ports with MAC addresses. You can also configure destination blackhole MAC address entries to filter out packets with certain destination MAC addresses. The MAC address table can contain only Layer 2 Ethernet interfaces.
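The port-to-MAC binding and destination blackhole filtering described above, as an added Python example (not HP's code and not part of the original guide): a small model of a MAC address table with static, dynamic, and blackhole entries, using the host MAC addresses and port names from this chapter's configuration example. It assumes that dynamic learning never overwrites a manually configured entry; the 500-second aging time and the third MAC address are constructed sample values.

```python
"""Toy model of a Layer 2 MAC address table (added example, not device code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"


@dataclass
class Entry:
    kind: str
    port: Optional[str]      # None for a destination blackhole entry
    last_seen: float = 0.0   # only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging: Optional[float]):
        # aging=None models the "No-aging" setting: dynamic entries never expire.
        self.aging = aging
        self.entries: Dict[Tuple[str, int], Entry] = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.entries[(mac, vlan)] = Entry(STATIC, port)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.entries[(mac, vlan)] = Entry(BLACKHOLE, None)

    def learn(self, src_mac: str, vlan: int, port: str, now: float) -> bool:
        """Learn from a received frame's source MAC. Returns False if refused."""
        current = self.entries.get((src_mac, vlan))
        if current is not None and current.kind != DYNAMIC:
            # Assumption of this model: a manual entry is never overwritten
            # by learning, so the binding survives a forged source address.
            return False
        self.entries[(src_mac, vlan)] = Entry(DYNAMIC, port, now)
        return True

    def age_out(self, now: float) -> None:
        """Remove dynamic entries not refreshed within the aging time."""
        if self.aging is None:
            return
        for key, entry in list(self.entries.items()):
            if entry.kind == DYNAMIC and now - entry.last_seen >= self.aging:
                del self.entries[key]

    def forward(self, dst_mac: str, vlan: int, now: float) -> str:
        """Return the egress port, 'flood' for an unknown MAC, or 'drop'."""
        self.age_out(now)
        entry = self.entries.get((dst_mac, vlan))
        if entry is None:
            return "flood"
        if entry.kind == BLACKHOLE:
            return "drop"
        return entry.port


HOST_A = "000f-e235-dc71"   # Host A in the guide's example
HOST_B = "000f-e235-abcd"   # Host B in the guide's example
HOST_C = "000f-e235-0001"   # constructed address for the aging case
GE1, GE2 = "GigabitEthernet0/1", "GigabitEthernet0/2"


def run_scenario(bind_host_a: bool) -> dict:
    """Replay the same frames with and without a static entry for Host A."""
    table = MacTable(aging=500)          # constructed sample aging time
    if bind_host_a:
        table.add_static(HOST_A, 1, GE1)
    else:
        table.learn(HOST_A, 1, GE1, now=0)
    table.add_blackhole(HOST_B, 1)
    # A frame arrives on GE0/2 carrying Host A's MAC as its source address.
    accepted = table.learn(HOST_A, 1, GE2, now=1)
    table.learn(HOST_C, 1, GE2, now=0)
    return {
        "forged_learn_accepted": accepted,
        "to_host_a": table.forward(HOST_A, 1, now=2),
        "to_host_b": table.forward(HOST_B, 1, now=2),
        "to_host_c_fresh": table.forward(HOST_C, 1, now=100),
        "to_host_c_aged": table.forward(HOST_C, 1, now=600),
    }


if __name__ == "__main__":
    for bound in (False, True):
        label = "static binding" if bound else "learning only"
        print(label, run_scenario(bound))
```

With learning only, traffic for Host A follows the most recently seen source port; with the static entry it stays on GigabitEthernet0/1.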
Configuring a destination blackhole MAC address entry
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Add or modify a blackhole MAC address entry.
  Command: mac-address blackhole mac-address vlan vlan-id
  Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN.
Configuring the aging timer for dynamic MAC address entries
The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space.
MAC address table configuration example Network requirements As shown in Figure 20: • The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device. • The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1.
# View the aging time of dynamic MAC address entries.
Configuring Layer 2 forwarding Layer 2 forwarding can be configured only at the CLI. Layer 2 forwarding falls into the following categories: • Normal • Inline Configuring normal Layer 2 forwarding If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer 3 interface, the device forwards the packet through that interface. If not, the device performs normal Layer 2 forwarding through a Layer 2 interface.
Configuration restrictions and guidelines • An interface can only belong to one inline forwarding entry, and the last configured port inline-interfaces id command on an Ethernet interface takes effect. • Subinterfaces can be assigned to inline Layer 2 forwarding entries. To make these entries take effect, the main interface must be assigned to the VLAN of which the ID is used as the subinterface number. For example, if the subinterface GigabitEthernet 0/1.
Configuration procedure
# Create forward-type inline Layer 2 forwarding entry 1.
system-view
[Sysname] inline-interfaces 1
# Assign GigabitEthernet 0/1 to forward-type inline Layer 2 forwarding entry 1.
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] port inline-interfaces 1
[Sysname-GigabitEthernet0/1] quit
# Assign GigabitEthernet 0/2 to forward-type inline Layer 2 forwarding entry 1.
Configuring VLANs Overview Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full of collisions and broadcasts. As a result, the LAN performance is degraded or even the LAN becomes unavailable. You can deploy bridges or Layer 2 switches in the LAN to reduce the collisions, but this cannot confine broadcasts.
The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999. As shown in Figure 22, in the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper layer protocol type. Figure 22 Traditional Ethernet frame format IEEE 802.1Q inserts a four-byte VLAN tag between the DA&SA field and the Type field to identify the VLAN information, as shown in Figure 23.
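The tag insertion described above, as an added Python example (not from the original guide): it inserts, parses, and strips the four-byte tag between the DA&SA field and the Type field. The TPID value 0x8100 and the priority (3 bits), CFI (1 bit), and VLAN ID (12 bits) layout come from IEEE 802.1Q; the sample frame is constructed.

```python
"""Insert, parse and strip an IEEE 802.1Q VLAN tag (added example)."""
import struct
from typing import NamedTuple, Optional

TPID_8021Q = 0x8100   # tag protocol identifier that marks a tagged frame
UNTAGGED_HDR = 14     # DA (6) + SA (6) + Type (2)
TAG_LEN = 4           # TPID (2) + priority/CFI/VLAN ID (2)


class Frame(NamedTuple):
    dst: str
    src: str
    vlan_id: Optional[int]    # None when the frame carries no tag
    priority: Optional[int]
    cfi: Optional[int]
    eth_type: int
    payload: bytes


def mac_str(raw: bytes) -> str:
    """Format six bytes in the xxxx-xxxx-xxxx style the device CLI uses."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def add_tag(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert a tag between the DA&SA field and the Type field."""
    if len(frame) < UNTAGGED_HDR:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved values
        raise ValueError("VLAN ID out of range")
    if not 0 <= priority <= 7:
        raise ValueError("priority out of range")
    tci = (priority << 13) | vlan_id      # CFI bit left at 0
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse(frame: bytes) -> Frame:
    """Decode the header of a tagged or untagged Ethernet frame."""
    if len(frame) < UNTAGGED_HDR:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    (type_or_tpid,) = struct.unpack("!H", frame[12:14])
    if type_or_tpid != TPID_8021Q:
        # Traditional frame: the two bytes after DA&SA are the Type field.
        return Frame(dst, src, None, None, None, type_or_tpid, frame[14:])
    if len(frame) < UNTAGGED_HDR + TAG_LEN:
        raise ValueError("frame truncated inside the VLAN tag")
    tci, eth_type = struct.unpack("!HH", frame[14:18])
    return Frame(dst, src, tci & 0x0FFF, tci >> 13, (tci >> 12) & 1,
                 eth_type, frame[18:])


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a port does when it sends a frame untagged."""
    if parse(frame).vlan_id is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample: DA 000f-e235-abcd, SA 000f-e235-dc71, Type 0x0800.
SAMPLE_UNTAGGED = bytes.fromhex("000fe235abcd" "000fe235dc71" "0800") + b"data"

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, vlan_id=100, priority=5)
    print(tagged.hex())
    print(parse(tagged))
    print(strip_tag(tagged) == SAMPLE_UNTAGGED)
```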
• IP subnet • Policy • Other criteria Among these types of VLANs, the device only supports configuring port-based VLANs in the Web interface. This chapter describes only port-based VLANs. Introduction to port-based VLAN Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN. Port link type You can configure the link type of a port as access, trunk, or hybrid.
Figure 24 Network diagram (Device A, Device B, and Device C carrying VLAN 2 and VLAN 3; the legend marks where access links, trunk links, and hybrid links are required)
PVID
By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required.
When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.
Actions: Incoming tagged frame
  Access:
  • Receives the frame if its VLAN ID is the same as the PVID.
  • Drops the frame if its VLAN ID is different from the PVID.
  Trunk and Hybrid:
  • Receives the frame if its VLAN is permitted on the port.
  • Drops the frame if its VLAN is not permitted on the port.
Actions: Outgoing frames
  Access: Removes the VLAN tag and sends the frame.
  Trunk:
  • Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
Figure 25 VLAN configuration page
On the page shown in Figure 25, you can enter a VLAN range in the VLAN Range field and click Select to display the VLANs matching the VLAN range in the VLAN list below. When you query VLANs, the VLANs are queried in the specified VLAN range. This facilitates VLAN operations when a large number of VLANs exist. If you input a VLAN range in the VLAN Range field and click Remove, the VLANs matching the VLAN range will be deleted.
2.
Figure 27 Modifying a VLAN 3. Modify the member ports of the VLAN as described in Table 5. 4. Click Apply. Table 5 Configuration items Item Description ID Displays the ID of the VLAN to be modified. Set the description of the VLAN. Description Untagged Member Tagged Member Port By default, the description of a VLAN is its VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the default description of VLAN 100 is VLAN 0100. Set the member type of the port to be modified in the VLAN.
Figure 29 Modifying a port 3. Modify the VLANs for the port as described in Table 6. 4. Click Apply. Table 6 Configuration items Item Description Port Displays the port to be modified. Untagged Member VLAN Displays the VLANs to which the port belongs as an untagged member. Tagged Member VLAN Displays the VLANs to which the port belongs as a tagged member. Untagged Set the target member type of the port. Select the Untagged, Tagged, or Not a Member option.
Figure 30 Network diagram Configuring Device A 1. Create VLAN 2, VLANs 6 through 50, and VLAN 100: a. Select Network > VLAN from the navigation tree. b. Click Add. The page as shown in Figure 31 appears. c. Enter VLAN IDs 2, 6-50, and 100. d. Click Apply. Figure 31 Creating VLANs 2. Configure VLAN 100 as the PVID of GigabitEthernet 0/1 (By default, all ports are access ports and their PVIDs are all VLAN 1.): a. Select Network > VLAN from the navigation tree, and then click the Port tab. b.
a. Click the icon for GigabitEthernet 0/1 in the Operation column. The page as shown in Figure 33 appears. b. Select the Untagged option for Member Type. c. Enter VLAN IDs 2, 6-50. d. Click Apply. A dialog box appears telling you that the access port will be changed into a hybrid port. e. Click OK in the dialog box. Figure 33 Assigning GigabitEthernet 0/1 to VLAN 2 and VLANs 6 through 50 as an untagged member 4. Assign GigabitEthernet 0/1 to VLAN 100 as a tagged member: a.
Figure 35 Assigning GigabitEthernet 0/1 to VLAN 100 as a tagged member 5. Configure the security zone for GigabitEthernet 0/1, VLAN 2, VLANs 6 through 50, and VLAN 100. (Details not shown.) Configuring Device B Configure Device B as you configure Device A. Verifying the configuration Display the port statistics of GigabitEthernet 0/1 on Device A: 1. Select System > Interface from the navigation tree. 2. Click GigabitEthernet0/1 on the page that appears.
Figure 36 Displaying the port statistics of GigabitEthernet 0/1 Configuring VLANs at the CLI Configuring basic VLAN settings Configuration restrictions and guidelines • As the default VLAN, VLAN 1 cannot be created or removed. • You cannot manually create or remove VLANs reserved for special purposes. Configuration procedure To configure basic VLAN settings: Step Command Remarks N/A 1. Enter system view. system-view 2. Create a VLAN and enter its view, or create VLANs in batch.
Step Command Remarks Optional. 4. Configure a name for the VLAN. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default. name text Optional. 5. Configure a description for the VLAN. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.
VLAN interface configuration example
1. Network requirements
As shown in Figure 37, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other. Configure VLAN interfaces on LB and configure PC A and PC B to enable Layer 3 communication between them.
Figure 37 Network diagram (LB: GE0/1, Vlan-Int5 192.168.0.10/24; GE0/2, Vlan-Int10 192.168.1.20/24. PC A: 192.168.0.1/24, VLAN 5. PC B: 192.168.1.1/24)
2.
b. Display brief information about Layer 3 interfaces on LB to verify the configuration.
display ip interface brief
*down: administratively down
(s): spoofing
Interface            Physical  Protocol  IP Address      Description
Vlan-interface5      up        up        192.168.0.10    Vlan-inte...
Vlan-interface10     up        up        192.168.1.20    Vlan-inte...
Configuring port-based VLANs
Assigning an access port to a VLAN
You can assign an access port to a VLAN in VLAN view or interface view.
Step Command Remarks 3. Configure the link type of the ports as trunk. port link-type trunk By default, all ports are access ports. 4. Assign the trunk ports to the specified VLANs. port trunk permit vlan { vlan-list | all } By default, a trunk port carries only VLAN 1. 5. Configure the PVID of the trunk ports. port trunk pvid vlan vlan-id Optional. By default, the PVID is VLAN 1.
Figure 38 Network diagram
2. Configuration procedure
a. Configure LB A:
# Create VLAN 100, and assign port GigabitEthernet 0/1 to VLAN 100.
system-view
[LBA] interface gigabitethernet 0/1
[LBA-GigabitEthernet0/1] port link-mode bridge
[LBA-GigabitEthernet0/1] quit
[LBA] vlan 100
[LBA-vlan100] port gigabitethernet 0/1
[LBA-vlan100] quit
# Create VLAN 200, and assign port GigabitEthernet 0/2 to VLAN 200.
Description: VLAN 0100
Name: VLAN 0100
Tagged Ports: GigabitEthernet0/3
Untagged Ports: GigabitEthernet0/1
[LBA-GigabitEthernet0/3] display vlan 200
VLAN ID: 200
VLAN Type: static
Route Interface: not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged Ports: GigabitEthernet0/3
Untagged Ports: GigabitEthernet0/2
Displaying and maintaining VLAN
Task Command Remarks
Display VLAN information.
Configuring an isolate-user-VLAN Isolate-user-VLAN can be configured only at the CLI. An isolate-user-VLAN uses a two-tier VLAN structure. In this approach, an isolate-user-VLAN and secondary VLANs are configured on the same device. The following are characteristics of the isolate-user-VLAN implementation: • Isolate-user-VLANs are mainly used for upstream data exchange. An isolate-user-VLAN can be associated with multiple secondary VLANs.
b. Configure the downlink ports, for example, the ports connecting Device B to hosts in Figure 39, to operate in host mode, so that downlink ports can be automatically added to the isolate-user-VLAN associated with the secondary VLAN. For more information about the promiscuous and host mode commands, see Network Management Command Reference. 4. Associate the isolate-user-VLAN with the specified secondary VLANs.
Step 7. Configure the uplink port.
  Command:
  a. Enter Layer 2 Ethernet interface view:
     interface interface-type interface-number
  b. Configure the port to operate in promiscuous mode in a specific VLAN:
     port isolate-user-vlan vlan-id promiscuous
  Remarks: By default, a port does not operate in promiscuous mode in a VLAN.
Step 8. Return to system view.
  Command: quit
  Remarks: N/A
a. Enter Layer 2 Ethernet interface view:
   interface interface-type interface-number
b. (Optional.
Displaying and maintaining isolate-user-VLAN Task Command Remarks Display the mapping between an isolate-user-VLAN and its secondary VLANs. display isolate-user-vlan [ isolate-user-vlan-id ] [ | { begin | exclude | include } regular-expression ] Available in any view. Isolate-user-VLAN configuration example (approach 1) Network requirements As shown in Figure 41, connect the device to downstream devices LB A and LB B.
[LBA] vlan 2 to 3
# Configure uplink port GigabitEthernet 0/3 to operate in promiscuous mode in VLAN 5.
[LBA] interface gigabitethernet 0/3
[LBA-GigabitEthernet0/3] port link-mode bridge
[LBA-GigabitEthernet0/3] port isolate-user-vlan 5 promiscuous
[LBA-GigabitEthernet0/3] quit
# Assign downlink ports GigabitEthernet 0/1 and GigabitEthernet 0/2 to VLAN 3 and VLAN 2, respectively, and configure the ports to operate in host mode.
Verifying the configuration

# Display the isolate-user-VLAN configuration on LB A.
Configure VLAN 6 on LB B as an isolate-user-VLAN, assign uplink port GigabitEthernet 0/3 to VLAN 6, and associate VLAN 6 with secondary VLANs VLAN 3 and VLAN 4. Assign GigabitEthernet 0/1 to VLAN 3 and GigabitEthernet 0/2 to VLAN 4.

As far as the device is concerned, LB A has only VLAN 5 and LB B has only VLAN 6.

Figure 41 Network diagram

Configuration procedure

The following procedure provides only the details about the configuration on LB A and LB B.

1. Configure LB A:
# Configure the isolate-user-VLAN.
[LBA-GigabitEthernet0/2] port hybrid pvid vlan 2
[LBA-GigabitEthernet0/2] quit
# Associate the isolate-user-VLAN with the secondary VLANs.
[LBA] isolate-user-vlan 5 secondary 2 to 3

2. Configure LB B:
# Configure the isolate-user-VLAN.
system-view
[LBB] vlan 6
[LBB-vlan6] isolate-user-vlan enable
[LBB-vlan6] quit
# Create secondary VLANs.
[LBB] vlan 3 to 4
# Configure uplink port GigabitEthernet 0/3.
Tagged Ports: none
Untagged Ports: GigabitEthernet0/1 GigabitEthernet0/2

VLAN ID: 2
VLAN Type: static
Isolate-user-VLAN type : secondary
Route Interface: not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports: GigabitEthernet0/2 GigabitEthernet0/3

VLAN ID: 3
VLAN Type: static
Isolate-user-VLAN type : secondary
Route Interface: not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports: GigabitEthernet0/1 GigabitEthernet0/3
66 Gigabit
Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP). The term "router" in this document refers to both routers and LB modules.

ARP can be configured only at the CLI.

Overview

ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.

ARP message format

ARP uses two types of messages, ARP request and ARP reply.
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request.
Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.

Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
Configuring the maximum number of dynamic ARP entries for an interface

An interface can dynamically learn ARP entries, so it may hold too many ARP entries. To solve this problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the maximum number is reached, the interface stops learning ARP entries.

A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.
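The static/dynamic entry rules and the two learning limits described above can be modelled in a few lines. This is an added example, not code from the guide or the device: the class names, result strings, MAC addresses, port names and limits are all constructed for illustration, and aging is left out.

```python
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    kind: str        # "static" or "dynamic"
    port: str = ""   # Layer 2 port a dynamic entry was learned on


@dataclass
class ArpTable:
    vlan_max: int    # dynamic-entry limit of the VLAN interface
    port_max: int    # dynamic-entry limit of each Layer 2 port
    entries: dict = field(default_factory=dict)   # IP -> ArpEntry
    alerts: list = field(default_factory=list)    # (ip, old_mac, new_mac, port)

    def dynamic_count(self, port=None):
        """Count dynamic entries, for one port or for the whole VLAN interface."""
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and port in (None, e.port))

    def add_static(self, ip, mac):
        # A static entry overwrites any dynamic entry for the same IP address.
        self.entries[ip] = ArpEntry(mac.lower(), "static")

    def learn(self, ip, mac, port):
        """Process the sender IP/MAC of a received ARP packet."""
        mac = mac.lower()
        cur = self.entries.get(ip)
        if cur is not None and cur.mac != mac:
            # A changed IP-to-MAC binding is worth logging in either case.
            self.alerts.append((ip, cur.mac, mac, port))
        if cur is not None and cur.kind == "static":
            return "kept-static"          # dynamic learning cannot overwrite it
        if cur is not None:
            if cur.mac == mac and cur.port == port:
                return "refreshed"
            cur.mac, cur.port = mac, port
            return "updated"
        # A new entry needs room under BOTH limits.
        if (self.dynamic_count() >= self.vlan_max
                or self.dynamic_count(port) >= self.port_max):
            return "limit-reached"
        self.entries[ip] = ArpEntry(mac, "dynamic", port)
        return "learned"


# Constructed sample traffic: (sender IP, sender MAC, receiving port).
SAMPLE = [
    ("192.168.1.10", "0000-5e00-5301", "GE0/1"),
    ("192.168.1.11", "0000-5e00-5302", "GE0/1"),
    ("192.168.1.12", "0000-5e00-5303", "GE0/1"),   # port limit hit
    ("192.168.1.12", "0000-5e00-5303", "GE0/2"),
    ("192.168.1.13", "0000-5e00-5304", "GE0/2"),   # VLAN-interface limit hit
    ("192.168.1.10", "0000-5e00-53ff", "GE0/2"),   # binding change, dynamic entry
    ("192.168.1.1",  "0000-5e00-53ff", "GE0/2"),   # binding change, static entry
]


def demo():
    table = ArpTable(vlan_max=3, port_max=2)
    table.add_static("192.168.1.1", "0000-5e00-5300")   # gateway, constructed
    results = [table.learn(ip, mac, port) for ip, mac, port in SAMPLE]
    return table, results


if __name__ == "__main__":
    table, results = demo()
    for pkt, res in zip(SAMPLE, results):
        print(pkt, "->", res)
    print("alerts:", table.alerts)
```

The last two sample packets claim an existing IP with a new MAC: the dynamic entry is rewritten, the static one is not, and both attempts land in `alerts`.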
subnet mask of the receiving interface is not in the subnet 10.10.10.5/24, VLAN-interface 10 cannot process the ARP packet. With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, VLAN-interface 10 can learn the sender IP and MAC addresses in the request.

To enable natural mask support for ARP requests:

Step Command Remarks
1. Enter system view.
Figure 44 Network diagram

Configuration procedure

# Create VLAN 10.
system-view
[LB] vlan 10
[LB-vlan10] quit
# Add interface GigabitEthernet 0/1 to VLAN 10.
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] port link-mode bridge
[LB-GigabitEthernet0/1] port trunk permit vlan 10
[LB-GigabitEthernet0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[LB] interface vlan-interface 10
[LB-vlan-interface10] ip address 192.168.1.
Configuring gratuitous ARP

Gratuitous ARP can be configured only at the CLI.

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device.

A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group. If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router.
3. Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
   Command: gratuitous-arp-sending enable
   Remarks: Optional.
4. Enter interface view.
   Command: interface interface-type interface-number
5. Enable periodic sending of gratuitous ARP packets and set the sending interval.
   Command: arp send-gratuitous-arp [ interval milliseconds ]
Configuring proxy ARP

Proxy ARP can be configured only at the CLI.

Overview

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network.

Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
Figure 46 Application environment of local proxy ARP

Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
• If an isolate-user-VLAN is configured, hosts in different secondary VLANs of the isolate-user-VLAN need to communicate at Layer 3.

Enabling common proxy ARP

You can enable common proxy ARP in VLAN interface view/Layer 3 Ethernet interface view/Layer 3 Ethernet subinterface view.
Displaying and maintaining proxy ARP

Task: Display whether proxy ARP is enabled.
Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display whether local proxy ARP is enabled.
Command: display local-proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
# Configure the IP address of interface GigabitEthernet 0/1.
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/1.
[LB-GigabitEthernet0/1] proxy-arp enable
[LB-GigabitEthernet0/1] quit

After completing preceding configurations, use the ping command to verify the connectivity between Host A and Host D.
[Switch-Ethernet1/3] port-isolate enable group 2
[Switch-Ethernet1/3] interface ethernet 1/1
[Switch-Ethernet1/1] port-isolate enable group 2
[Switch-Ethernet1/1] interface ethernet 1/2
[Switch-Ethernet1/2] port-isolate uplink-port group 2

2. Configure LB:
# Specify the IP address of GigabitEthernet 0/2.
system-view
[LB] interface gigabitethernet 0/2
[LB-GigabitEthernet0/2] ip address 192.168.10.100 255.255.0.
[Switch-vlan5] isolate-user-vlan enable
[Switch-vlan5] quit
# Configure secondary VLANs.
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] vlan 3
[Switch-vlan3] quit
# Configure uplink port Ethernet 1/2.
[Switch] interface ethernet 1/2
[Switch-Ethernet1/2] port link-type hybrid
[Switch-Ethernet1/2] port hybrid vlan 2 3 5 untagged
[Switch-Ethernet1/2] port hybrid pvid vlan 5
[Switch-Ethernet1/2] quit
# Configure downlink ports Ethernet 1/1 and Ethernet 1/3.
Basic forwarding on the device

Basic forwarding can be configured only at the CLI.

Upon receiving a packet, a device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet.

FIB table

A router selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next-hop IP address and output interface for packets destined for a specific subnet or host.
Displaying and maintaining the FIB table

Task: Display FIB information.
Command: display fib [ vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display FIB information matching the specified destination IP address.
Command: display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuring IP forwarding mode

IP forwarding mode can be configured only at the CLI.

Overview

The device supports two IP forwarding modes: flow-based and packet-based.
• Flow-based forwarding—Forwards flows with the same 5-tuple elements (source IP address, destination IP address, source port number, destination port number, and protocol number) to the same CPU for processing. This mode follows the first-in first-out rule.
Configuring Layer 3 forwarding

This chapter takes LB module as an example to describe Layer 3 forwarding on LB modules. For the configurations on the switches involved in the configuration examples, see the configuration on the switch in the Layer 3 subinterface forwarding configuration example.

Layer 3 forwarding can be configured only at the CLI.

Overview

Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Configuration prerequisites

• The ingress interface and egress interface on the switch belong to different VLANs.
• The two ten-GigabitEthernet interfaces at both ends of the link between the switch and the LB module are configured as trunk.
• The operating mode of the LB module's ten-GigabitEthernet port that connects to the switch is configured as Layer 2.
• Configure VLAN interfaces with the same numbers as VLANs created on the switch for the LB module.
Step: Enter the view of the ten-GigabitEthernet interface that connects to the switch.
Command: interface Ten-GigabitEthernet interface-number
Remarks: N/A

Step: Configure the operating mode of the interface as Layer 3.
Command: port link-mode route

Step: Create a subinterface of the ten-GigabitEthernet interface and enter subinterface view.
Command: interface Ten-GigabitEthernet interface-number.subnumber
Remarks: N/A

Step: Set the encapsulation type and associate the subinterface with a VLAN.
• The switch's ten-GigabitEthernet interface that connects to the LB module is configured as trunk.
• The operating mode of the LB module's ten-GigabitEthernet port that connects to the switch is configured as Layer 3.
• Subinterfaces are configured for the LB module's ten-GigabitEthernet port. Associate them with VLANs created on the switch and set the encapsulation type to dot1q.
Step: Enter the view of the ten-GigabitEthernet interface that connects to the switch.
Command: interface Ten-GigabitEthernet interface-number
Remarks: N/A

Step: Configure the operating mode of the interface as Layer 2.
Command: port link-mode bridge
Remarks: The default operating mode is Layer 3.

Step: Configure the link type of the ten-GigabitEthernet interface as trunk.
Command: port link-type trunk
Remarks: N/A

7. Assign the trunk port to the specified VLANs.
Layer 3 subinterface forwarding configuration example

Network requirements

As shown in Figure 50, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by an LB module, and Layer 3 subinterface forwarding needs to be configured.

Figure 50 Network diagram for Layer 3 subinterface forwarding
[LB-Ten-GigabitEthernet0/0.1] ip address 102.0.0.3 24
[LB-Ten-GigabitEthernet0/0.1] interface ten-gigabitethernet0/0.2
[LB-Ten-GigabitEthernet0/0.2] vlan-type dot1q vid 103
[LB-Ten-GigabitEthernet0/0.2] ip address 103.0.0.3 24

Inter-VLAN Layer 3 forwarding configuration example

Network requirements

As shown in Figure 51, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by an LB module, and inter-VLAN Layer 3 forwarding needs to be configured.
[LB] vlan 102 to 103
# Configure the operating mode of ten-GigabitEthernet 0/0 as Layer 2.
[LB] interface ten-gigabitethernet 0/0
[LB-Ten-GigabitEthernet0/0] port link-mode bridge
[LB-Ten-GigabitEthernet0/0] port link-type trunk
[LB-Ten-GigabitEthernet0/0] port trunk permit vlan 102 to 103
# Create two VLAN interfaces for ten-GigabitEthernet 0/0, VLAN-interface 102, and VLAN-interface 103.
[LB-Ten-GigabitEthernet0/0] interface vlan-interface 102
[LB-Vlan-interface102] ip address 102.0.0.
Configuring NAT

Overview

Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses.

A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique.
The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from the external networks.

Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
• Because NAT involves translation of IP addresses, the IP headers cannot be encrypted.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 53 NAPT operation

Direction   Before NAT          After NAT
Outbound    192.168.1.2:1111    20.1.1.1:1001
Outbound    192.168.1.2:2222    20.1.1.1:1002
Outbound    192.168.1.3:1111    20.1.1.1:1003
You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like 20.1.1.12:8080 as an internal Web server's external address and port number.
Easy IP

Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

NAT support for VPNs

NAT allows users from different VPNs to access external networks through the same outbound interface, and allows the VPN users to use the same private address space.

1.
For more information about stateful failover, see High Availability Configuration Guide.

Configuration guidelines

• An address pool can contain a maximum of 255 addresses.
• On certain types of devices, an address pool cannot include addresses in other address pools, IP addresses of interfaces with Easy IP enabled, or public addresses of internal servers.
Creating an address pool

1. From the navigation tree, select Security > NAT. By default, the dynamic NAT configuration page appears.

Figure 56 Dynamic NAT configuration page

TIP: You can click the ID link of an ACL to view details about the ACL, and create and delete ACL rules. For more information about ACL configuration, see Security Configuration Guide.

2. In the Address Pool area, click Add. The Add NAT Address Pool page appears.

Figure 57 Adding NAT Address Pool page

3.
Item: End IP Address
Description: Specify the end IP address of the address pool. The end IP address must be identical to or higher than the start IP address.

Item: Low priority
Description: Configure the address pool as a low-priority or a non low-priority address pool.
IMPORTANT: This configuration item is applicable for asymmetric-path stateful failover only. The low priority settings for the local and peer devices must be different.

Configuring dynamic NAT

1. From the navigation tree, select Security > NAT.
Item: Address Transfer
Description: Select an address translation mode:
• PAT—Refers to NAPT. In this mode, associating an ACL with an address pool translates both IP addresses and port numbers.
• No-PAT—Refers to many-to-many NAT. In this mode, associating an ACL with an address pool translates only IP addresses.
• Easy IP—In this mode, the NAT gateway directly uses an interface's public IP address as the translated IP address, and uses an ACL to match IP packets.
2. In the Static Address Mapping area where static address mappings are displayed, click Add to enter the Add Static Address Mapping page.

Figure 60 Adding Static Address Mapping page

3. Configure a static address mapping as described in Table 9.
4. Click Apply.

Table 9 Configuration item

Item Description
Specify a name of the VPN instance to which the internal IP addresses belong.
Figure 61 Enabling Interface Static Translation page

3. Enable static NAT on an interface as described in Table 10.
4. Click Apply.

Table 10 Configuration items

Item: Interface Name
Description: Select an interface to which static NAT is applied.

Item: Enable track to VRRP
Description: Configure whether to associate static NAT on an interface with a VRRP group, and specify the VRRP group to be associated if you associate static NAT on an interface with a VRRP group.
Figure 62 Internal server configuration page

2. In the Internal Server area, click Add. The Add Internal Server page appears.

Figure 63 Adding Internal Server page

3. Configure the internal server as described in Table 11.
4. Click Apply.
Configure advanced internal server settings

1. Click Advanced in the page shown in Figure 63. The Advanced Configuration page appears.

Figure 64 Internal server advanced configuration

2. Configure the internal server as described in Table 11.
3. Click Apply.

Table 11 Configuration items

Item: Interface
Description: Specify an interface to which the internal server policy is applied.

Select the protocol to be carried by IP (only supported by advanced configuration).
Item: Global Port
Description: Specify the global port numbers for the internal server. This option is available when 6(TCP) or 17(UDP) is selected as the protocol type. You can:
• For common configuration—Use the single box to specify a global port. 0 represents the default port of the specified service type. If the selected service type is any(TCP) or any(UDP), the global port is any port.
Configuring ACL-based NAT on the internal server

1. From the navigation tree, select Security > NAT, and click the Internal Server tab. The internal server configuration page as shown in Figure 62 appears.
2. In the Internal Server Based on ACL area, click Add.

Figure 65 Internal server based on ACL configuration

3. Configure an internal server based on ACL as described in Table 12.
4. Click Apply.
Figure 66 Adding DNS-MAP page

3. Configure a DNS mapping as shown in Table 13.
4. Click Apply.

Table 13 Configuration items

Item: Protocol
Description: Select the protocol supported by an internal server.

Item: Global IP
Description: Specify the external IP address of the internal server.

Item: Global Port
Description: Specify the port number of the internal server.

Item: Domain
Description: Specify the domain name of the internal server.
c. Enter 2001 in ACL Number, and click Apply.

Figure 68 Defining ACL 2001

d. Click the icon in the operation column corresponding to ACL 2001 to enter the ACL 2001 configuration page.
e. Click Add.
f. On the page that appears, select Permit in Operation. Select the Source IP Address box and enter 10.110.10.0. Enter 0.0.0.255 in Source Wildcard and click Apply.
g. Click Add.

Figure 69 Configuring ACL 2001 to permit users on network 10.110.10.0/24 to access the Internet

h. Click Add on the ACL 2001.
b. Click Add.
c. On the page that appears as shown in Figure 71, enter 0 in Index, enter 202.38.1.2 in Start IP Address and enter 202.38.1.3 in End IP Address.
d. Click Apply.

Figure 71 Configuring NAT address pool 0

3. Configure dynamic NAT:
a. Click Add in the Dynamic NAT area.
b. On the page that appears, select GigabitEthernet0/1 for Interface and enter 2001 for ACL.
c. Select PAT for Address Transfer.
d. Enter 0 for Address Pool Index.
e. Click Apply.
• External hosts can access internal servers using public address 202.38.1.1/24.
• Port 8080 is used for Web server 2.

Figure 73 Network diagram

Configuring the internal server

1. Configure the FTP server:
a. From the navigation tree, select Security > NAT, and click the Internal Server tab.
b. Click Add in the Internal Server area.
c. On the page that appears, select GigabitEthernet0/1 for Interface.
d. Select the Assign IP Address option, and enter 202.38.1.1.
e.
Figure 74 Configuring an internal FTP server

2. Configure the Web server 1:
a. Click Add in the Internal Server area.
b. On the page that appears, select GigabitEthernet0/1 for Interface.
c. Select the Assign IP Address option, and enter 202.38.1.1.
d. Select the first option for Global Port and enter 80.
e. Enter 10.110.10.1 in the Internal IP field.
f. Select the service type www.
g. Click Apply.
Figure 75 Configuring internal Web server 1

3. Configure the Web server 2:
a. Click Add in the Internal Server area.
b. On the page that appears, select GigabitEthernet0/1 for Interface. Select the Assign IP Address option, and enter 202.38.1.1. Select the first option for Global Port and enter 8080. Enter 10.110.10.2 in the Internal IP field. Select the service type www.
c. Click Apply.
Figure 76 Configuring internal Web server 2

Configuring NAT at the CLI

NAT configuration task list

Task: Configure address translation:
• Configuring static NAT
• Configuring dynamic NAT
Remarks: Either is required.

Task: Configuring an internal server
Remarks: Required.

Task: Configuring DNS mapping
Remarks: Optional.
Configuring one-to-one static NAT

One-to-one static NAT translates a private IP address into a public IP address.

To configure one-to-one static NAT:

1. Enter system view.
   Command: system-view
2. Configure a one-to-one static NAT mapping.
   Command: nat static [ acl-number ] local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ]
3. Enter interface view.
   Command: interface interface-type interface-number
4. Enable static NAT on the interface.
Configure an address group that can contain several members. Each member specifies an address pool that consists of a set of consecutive addresses. The address pools of members may not be consecutive.
• The NAT device selects an IP address from a specific NAT address pool as the source address of a packet.

To configure an address pool:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an address pool.
3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface for translating only IP addresses.
1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Configure a common internal server.
   Command: nat server [ acl-number ] protocol pro-type global global-address global-port1 global-port2 [ vpn-instance global-name ] inside local-address1 local-address2 local-port [ vpn-instance local-name ]

To configure a common internal server (2):

1. Enter system view.
   Command: system-view
2. Enter interface view.
1. Enter system view.
   Command: system-view
2. Configure a DNS mapping.
   Command: nat dns-map domain domain-name protocol pro-type ip global-ip port global-port

Displaying and maintaining NAT

Task: Display information about NAT address pools.
Command: display nat address-group [ group-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display all NAT configuration information.
[LB-GigabitEthernet0/2] quit

Dynamic NAT configuration example

Network requirements

As shown in Figure 78, a company has three public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24, and a private network segment of 10.110.0.0/16. Specifically, the company requires that the internal users in subnet 10.110.10.0/24 can access the Internet through NAT.

Figure 78 Network diagram

Configuration procedure

# As shown in Figure 78, specify IP addresses for the interfaces. (Details not shown.
Common internal server configuration example

Network requirements

As shown in Figure 79, a company provides two Web servers, one FTP server, and one SMTP server for external users to access. The internal network address is 10.110.0.0/16. The internal address for the FTP server is 10.110.10.3/16, for Web server 1 is 10.110.10.1/16, for Web server 2 is 10.110.10.2/16, and for the SMTP server is 10.110.10.4/16. The company has three public IP addresses ranging from 202.38.1.1/24 to 202.38.1.3/24.
NAT DNS mapping configuration example

Network requirements

As shown in Figure 80, a company provides Web and FTP services to external users, and uses internal IP network segment 10.110.0.0/16. The IP addresses of the Web and FTP servers are 10.110.10.1/16 and 10.110.10.2/16, respectively. The company has three public addresses 202.38.1.1/24 through 202.38.1.3/24. The DNS server is at 202.38.1.4/24.
• The public IP address 202.38.1.2 is used to provide services to external users.
Global-port: 80(www)
Protocol : 6(TCP)
Domain-name: ftp.server.com
Global-IP : 202.38.1.2
Global-port: 21(ftp)
Protocol : 6(TCP)

Host A and Host B can use the domain name www.server.com to access the Web server, and use ftp.server.com to access the FTP server.

Troubleshooting NAT

Symptom 1

Abnormal translation of IP addresses.

Solution

1. Enable debugging for NAT. Try to locate the problem based on the debugging display.
2. Use other commands, if necessary, to further identify the problem.
Configuring NAT-PT

NAT-PT can be configured only at the CLI.

NAT-PT is not supported on VLAN interfaces and does not support VPN instances, IPv4 fragments, or ICMPv6 fragments.

Overview

Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network.
port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address translation and save IPv4 addresses.

NAT-PT prefix

The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device detects the prefix of the destination IPv6 address in the packet.
Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT device swaps the source and destination IPv4 addresses according to the stored mappings and forwards the packet to the IPv6 host.

Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:

1. Determines whether to perform NAT-PT.
NAT-PT configuration task list

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:

Task: Enabling NAT-PT
Remarks: Required.

Task: Configuring a NAT-PT prefix
Remarks: Required.

Task: Configuring IPv4/IPv6 address mappings on the IPv6 side
Remarks: Required.

Task: Configuring a static mapping on the IPv4 side
Remarks: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable NAT-PT on the interface.
   Command: natpt enable
   Remarks: Disabled by default.

Configuring a NAT-PT prefix

Follow these guidelines when you configure a NAT-PT prefix:
• The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise, incoming packets matching the prefix get lost due to NAT-PT translation.
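The 96-bit prefix rule, the fallback to the lowest 32 bits of the destination address, and the prefix guideline above can be checked offline with Python's ipaddress module. This is an added example, not code from the guide: the function names, the static mapping and the interface addresses are constructed, the prefix 3001:: and host 8.0.0.2 are the values the guide's examples use, and treating any overlap with an interface prefix as a conflict is this example's interpretation of the guideline.

```python
import ipaddress

NATPT_PREFIX_LEN = 96   # the guide describes a 96-bit NAT-PT prefix


def natpt_network(prefix):
    """Return the NAT-PT prefix as a /96 network.

    Raises ValueError if any of the low 32 bits are set, because then the
    value is not a clean 96-bit prefix.
    """
    return ipaddress.IPv6Network(f"{prefix}/{NATPT_PREFIX_LEN}", strict=True)


def embed_ipv4(prefix, ipv4):
    """IPv6 address an IPv6 host uses to reach `ipv4` through NAT-PT."""
    net = natpt_network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def translate_destination(prefix, dst_ipv6, static_map=None):
    """Return the IPv4 destination for a packet sent to `dst_ipv6`.

    Order modelled here: a static mapping wins; otherwise, for a destination
    inside the NAT-PT prefix, the lowest 32 bits are the IPv4 address;
    anything else is not subject to NAT-PT and yields None.
    """
    dst = ipaddress.IPv6Address(dst_ipv6)
    for v6, v4 in (static_map or {}).items():
        if ipaddress.IPv6Address(v6) == dst:
            return ipaddress.IPv4Address(v4)
    if dst not in natpt_network(prefix):
        return None
    return ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)


def prefix_conflicts(prefix, interfaces):
    """Names of local interfaces whose IPv6 prefix overlaps the NAT-PT prefix.

    `interfaces` maps an interface name to its address in CIDR form.
    """
    net = natpt_network(prefix)
    return sorted(name for name, cidr in interfaces.items()
                  if ipaddress.IPv6Interface(cidr).network.overlaps(net))


if __name__ == "__main__":
    prefix = "3001::"
    print(embed_ipv4(prefix, "8.0.0.2"))                       # address to ping
    print(translate_destination(prefix, "3001::0800:0002"))    # low 32 bits
    # Constructed static mapping and interface addresses.
    print(translate_destination(prefix, "3001::5", {"3001::5": "8.0.0.2"}))
    print(prefix_conflicts(prefix, {"GigabitEthernet0/2": "2001::1/64"}))
    print(prefix_conflicts(prefix, {"GigabitEthernet0/2": "3001::1/64"}))
```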
Configuring a dynamic mapping policy on the IPv6 side

Under a dynamic IPv4/IPv6 mapping policy on the IPv6 side, if the source IPv6 address matches a specific IPv6 ACL or the destination IPv6 address is the same as the specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address in a specified NAT-PT address pool or the IPv4 address of a specific interface. For ACL configuration, see Security Configuration Guide.
If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses, and the end IPv4 address in the address pool is used for NAPT-PT.

Configuring IPv4/IPv6 address mappings on the IPv4 side

IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.
Setting the ToS field after NAT-PT translation

You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that the existing service priority is used.

To set the ToS field in packets after NAT-PT translation:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Set the ToS field in IPv4 packets translated from IPv6 packets to 0.
IPv6 address and port number of the server.
• To configure a static NAPT-PT mapping for an IPv6 server:

1. Enter system view.
   Command: system-view
2. Configure a static address and port number mapping for an IPv6 server.
   Command: natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number

Displaying and maintaining NAT-PT

Task Command Remarks
Display all NAT-PT configuration information.
Figure 83 Network diagram

Configuration procedure

1. Configure LB (NAT-PT device):
# Configure interface addresses and enable NAT-PT on the interfaces.
system-view
[LB] ipv6
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ip address 8.0.0.1 255.255.255.
Verifying the configuration

Use the ping ipv6 3001::0800:0002 command on Router B. Response packets can be received.

Configuring static mappings on the IPv4 side and the IPv6 side

Network requirements

As shown in Figure 84, Router B with IPv6 address 2001::2/64 on an IPv6 network can communicate with Router A with IPv4 address 8.0.0.2/24 on an IPv4 network.
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1

3. Configure Router B on the IPv6 side:
# Enable IPv6.
system-view
[RouterB] ipv6
# Configure an IP address for GigabitEthernet 0/1.
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ipv6 address 2001::2/64
[RouterB-GigabitEthernet0/1] quit
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterB] ipv6 route-static 3001:: 16 2001::1

Verifying the configuration

Using the ping 9.0.0.
Configuring ALG

This feature can be configured only at the CLI.

Application Level Gateway (ALG) processes the payload information of application layer packets to make sure data connections can be established.

Usually NAT translates only IP address and port information in packet headers and does not analyze fields in application layer payloads. However, the packet payloads of some protocols may contain IP address or port information, which may cause problems if not translated.
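FTP passive mode is one such protocol: the server's 227 reply carries its own address and data port in the payload, so header-only NAT would hand the client a private address. The following added example (not the device's implementation) shows the payload rewrite an ALG performs. The addresses 192.168.1.2 and 5.5.5.10 are constructed sample values, and rejecting a reply whose embedded address is not the server's own is a check chosen for this example, not something the guide states.

```python
import ipaddress
import re

# FTP 227 reply: "227 <text> (h1,h2,h3,h4,p1,p2)", port = p1 * 256 + p2.
_PASV = re.compile(r"^(227 [^(]*\()(\d{1,3}(?:,\d{1,3}){5})(\).*)$", re.S)


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply, or None for other lines."""
    m = _PASV.match(reply)
    if not m:
        return None
    nums = [int(n) for n in m.group(2).split(",")]
    if max(nums) > 255:
        return None
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def rewrite_pasv(reply, inside_ip, global_ip, global_port=None):
    """Rewrite the address (and optionally the port) inside a 227 reply.

    Returns (new_reply, mapping). `mapping` is the data-connection entry the
    NAT must install so that the client's connection to the global address
    reaches the inside server; it is None when the line is not a 227 reply.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None                      # pass other control lines through
    host, port = parsed
    if host != ipaddress.IPv4Address(inside_ip):
        # The payload names a host other than the server on this control
        # connection: do not translate it or open a mapping for it.
        raise ValueError(f"227 reply advertises unexpected address {host}")
    out_port = port if global_port is None else global_port
    g = ipaddress.IPv4Address(global_ip)
    fields = str(g).split(".") + [str(out_port >> 8), str(out_port & 0xFF)]
    m = _PASV.match(reply)
    new_reply = m.group(1) + ",".join(fields) + m.group(3)
    mapping = {"global": (str(g), out_port), "inside": (str(host), port)}
    return new_reply, mapping


# Constructed control-channel lines from an inside FTP server.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,2,19,137)\r\n"
SAMPLE_OTHER = "230 Login successful.\r\n"

if __name__ == "__main__":
    print(parse_pasv(SAMPLE_REPLY))
    print(rewrite_pasv(SAMPLE_REPLY, "192.168.1.2", "5.5.5.10"))
    print(rewrite_pasv(SAMPLE_OTHER, "192.168.1.2", "5.5.5.10"))
```

Because the rewritten reply can differ in length from the original, a real ALG also has to adjust TCP sequence numbers on the control connection, which this example does not model.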
As shown in Figure 85, the host on the external network accesses the FTP server on the internal network in passive mode through the ALG-enabled device.
Figure 85 Network diagram for ALG-enabled FTP application in passive mode
The communication process includes the following steps:
1. Establishing a control connection. The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user.
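The payload problem described above, shown for the FTP passive-mode case as an added example (it is not part of the HP guide and is not the LB module's implementation): a minimal model of an ALG rewriting the server's 227 reply (format from RFC 959) and recording the expected data connection. The addresses, the sample reply, and the names FtpAlg, parse_pasv, pinholes, and seq_delta are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 959 passive-mode reply: "227 <text> (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    rb"^227 [^(\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample: an internal server advertising its private address.
SERVER_REPLY = b"227 Entering Passive Mode (192,168,1,2,19,137)\r\n"


def parse_pasv(line: bytes):
    """Return (ip, port, start, end) for a 227 reply, or None.

    start/end delimit the h1..p2 tuple inside the payload so that a
    rewrite can leave the rest of the server's text untouched.
    """
    m = PASV_RE.match(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:  # each field is one octet
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5], m.start(1), m.end(6)


@dataclass
class FtpAlg:
    """Hypothetical one-to-one static NAT entry with FTP payload handling."""
    inside_ip: str   # real address of the internal FTP server
    global_ip: str   # address external hosts use to reach it
    pinholes: dict = field(default_factory=dict)  # (global ip, port) -> (inside ip, port)
    seq_delta: int = 0  # bytes added/removed on the control stream so far

    def server_to_client(self, payload: bytes) -> bytes:
        parsed = parse_pasv(payload)
        if parsed is None:
            return payload  # not a passive-mode reply: header NAT is enough
        ip, port, start, end = parsed
        if ip != self.inside_ip:
            # Only translate the address that belongs to this session's
            # inside host; anything else passes unchanged, no pinhole opened.
            return payload
        tup = f"{self.global_ip.replace('.', ',')},{port >> 8},{port & 0xFF}"
        rewritten = payload[:start] + tup.encode("ascii") + payload[end:]
        # Record where the client's data connection must be delivered.
        self.pinholes[(self.global_ip, port)] = (self.inside_ip, port)
        # The payload length changed, so later TCP sequence/ack numbers on
        # this control connection must be shifted by this amount.
        self.seq_delta += len(rewritten) - len(payload)
        return rewritten

    def data_connection_target(self, dst_ip: str, dst_port: int):
        """Inside (ip, port) for an inbound data connection, or None."""
        return self.pinholes.get((dst_ip, dst_port))


def demo():
    alg = FtpAlg(inside_ip="192.168.1.2", global_ip="5.5.5.10")
    # Header-only NAT: the client would read the address as the server wrote it.
    without_alg = parse_pasv(SERVER_REPLY)[:2]
    # With the ALG in the path the client reads the translated address.
    with_alg = parse_pasv(alg.server_to_client(SERVER_REPLY))[:2]
    return {
        "without_alg": without_alg,
        "private_leaked": ipaddress.ip_address(without_alg[0]).is_private,
        "with_alg": with_alg,
        "data_target": alg.data_connection_target(*with_alg),
        "seq_delta": alg.seq_delta,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The non-zero seq_delta is why an ALG has to track the control connection for its whole lifetime rather than patch a single packet.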
Enabling ALG
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable ALG.
   Command: alg { all | dns | ftp | h323 | ils | msn | nbt | pptp | qq | rtsp | sccp | sip | sqlnet | tftp }
   Remarks: Optional. By default, ALG is enabled only for FTP.

FTP ALG configuration example
The example describes only ALG-related configurations, assuming other required configurations on the server and client have been done.
Network requirements
As shown in Figure 86, a company uses the private network segment 192.168.1.
Configure NAT and ALG to enable SIP UA 1 and SIP UA 2 to communicate by using their aliases, and to enable SIP UA 1 to select an IP address from the range 5.5.5.9 to 5.5.5.11 when registering with the SIP server on the external network.
Figure 87 Network diagram
Configuration procedure
# Configure the address pool and ACL.
system-view
[LB] nat address-group 1 5.5.5.9 5.5.5.11
[LB] acl number 2001
[LB-acl-basic-2001] rule permit source 192.168.1.0 0.0.0.
Figure 88 Network diagram
Configuration procedure
# Configure a static NAT entry.
system-view
[LB] nat static 192.168.1.3 5.5.5.9
# Enable ALG for NBT.
[LB] alg nbt
# Configure NAT.
[LB] interface gigabitethernet 0/2
[LB-GigabitEthernet0/2] nat outbound static
# Configure the internal WINS server.
[LB-GigabitEthernet0/2] nat server protocol udp global 5.5.5.10 137 inside 192.168.1.2 137
[LB-GigabitEthernet0/2] nat server protocol udp global 5.5.5.10 138 inside 192.168.1.
Configuring flow classification
Flow classification can be configured only at the CLI.
Overview
Flow classification organizes packets with different characteristics into different classes by using certain match criteria. It is the basis for providing differentiated services. For a multi-core device, the control plane and data plane run on different kernels and threads respectively. The data plane processes packets based on flows.
Configuring IPv4 DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
The DNS client comprises the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query next time.
Figure 90 DNS proxy networking application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.
• The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms. Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server, if it cannot find a match in the local domain name resolution table.
Static name resolution table configuration task list
Task: Configuring static name resolution entries
Remarks: Required. By default, no name-IP address mapping exists in a static name resolution table.

Dynamic domain name resolution configuration task list
Task: Configuring dynamic domain name resolution
Remarks: Required. This function is disabled by default.
Task: Configuring DNS server addresses
Remarks: Required. Not configured by default.
Task: Configuring domain name suffixes
Remarks: Optional. Not configured by default.
Figure 93 Creating a static domain name resolution entry
3. Type the name and IP address. (Each name corresponds to one IP address only. If you configure multiple IP addresses for a host name, the one last configured takes effect.)
4. Click Apply.

Configuring dynamic domain name resolution
NOTE: The device can resolve a maximum of four IP addresses for a domain name.
1. From the navigation tree, select Network > DNS, and click the Dynamic tab.
Configuring DNS proxy
1. From the navigation tree, select Network > DNS, and click the Dynamic tab. The dynamic domain name resolution configuration page appears, as shown in Figure 94.
2. Select the Enable option for DNS Proxy.
3. Click Apply.

Configuring DNS server addresses
1. From the navigation tree, select Network > DNS, and click the Dynamic tab. The dynamic domain name resolution configuration page appears, as shown in Figure 94.
2. Click Add IP.
2. Click the Dynamic tab. The dynamic domain name resolution configuration page as shown in Figure 94 appears.
3. Select the box for Clear Dynamic DNS cache.
4. Click Apply.

Dynamic domain name resolution configuration example
Network requirements
The IP address of the DNS server is 2.1.1.2/16 and the domain name suffix is com. The LB module serving as a DNS client uses dynamic domain name resolution to access the host with the domain name host.com and the IP address 3.1.1.1/16, as shown in Figure 97.
Figure 98 Creating a zone
2. Create a mapping between host name and IP address:
Figure 99 Adding a host
a. In Figure 99, right-click zone com.
b. Select New Host. A dialog box as shown in Figure 100 appears.
c. Enter host name host and IP address 3.1.1.1.
d. Click Add Host.
Figure 100 Adding a mapping between domain name and IP address

Configuring the DNS client
1. Enable dynamic domain name resolution:
a. From the navigation tree, select Network > DNS, and click the Dynamic tab.
Figure 101 Enabling dynamic domain name resolution
b. Select the Enable option for Dynamic DNS.
c. Click Apply.
2. Configure the DNS server address:
a. Click Add IP.
Figure 102 Configuring a DNS server address
b. Enter 2.1.1.2 for DNS Server IP Address.
c. Click Apply.
3. Configure the domain name suffix:
a. Click Add Suffix.
Figure 103 Configure the domain name suffix
b. Enter com for DNS Domain Name Suffix.
c. Click Apply.

Verifying the configuration
On the DNS client, ping the host name host. The communication between the LB module and the host is normal and the corresponding destination IP address is 3.
2. Configure a mapping between a host name and an IPv4 address.
   Command: ip host hostname ip-address
   Remarks: Not configured by default. The IPv4 address you last assign to the host name overwrites the previous one if there is any. You may create up to 50 static mappings between domain names and IPv4 addresses.

Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure a DNS server.
4. Configure a DNS suffix.
   Command: dns domain domain-name
   Remarks: Optional. By default, no DNS suffix is configured and only the provided domain name is resolved.

Configuring DNS proxy
You can specify multiple DNS servers. Upon receiving a name query request from a client, the DNS proxy forwards the request to the DNS server that has the highest priority. If it does not receive a reply, it forwards the request to the DNS server that has the second highest priority, and so on in turn.
To specify the source interface for DNS packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the source interface for DNS packets.
   Command: dns source-interface interface-type interface-number
   Remarks: By default, no source interface for DNS packets is specified. The device uses the primary IP address of the output interface of the matching route as the source IP address of a DNS request.
# Use the ping host.com command to verify that LB can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[LB] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=128 time=4 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=128 time=3 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=128 time=2 ms
Reply from 10.1.1.
b. Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.
Figure 106 Creating a zone
c. On the DNS server configuration page, right-click zone com, and select New Host.
Figure 107 Adding a host
d. On the page that appears, enter host name host and IP address 3.1.1.1.
e. Click Add Host. The mapping between the IP address and host name is created.
Figure 108 Adding a mapping between domain name and IP address
• Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[LB] dns resolve
# Specify the DNS server 2.1.1.2.
[LB] dns server 2.1.1.2
# Configure com as the name suffix.
[LB] dns domain com

Verifying the configuration
# Use the ping host command on LB to verify that the communication between LB and the host is normal and that the corresponding destination IP address is 3.1.1.1.
DNS proxy configuration example
Network requirements
When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function. As shown in Figure 109:
• Specify LB as the DNS server of Device (the DNS client). LB acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Configure the IP address of the DNS proxy on Device.
[Device] dns server 2.1.1.2

Verifying the configuration
# Execute the ping host.com command on Device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Device] ping host.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.
IP routing basics
IP routing directs IP packet forwarding on routers based on a routing table. This book focuses on unicast routing protocols. The term "router" in this document refers to both routers and LB modules.
Routing table
A router maintains at least two routing tables: a global routing table and a FIB. The FIB table contains only the optimal routes, and the global routing table contains all routes. The router uses the FIB table to forward packets.
• NextHop—Next hop. • Interface—Output interface.
Configuring static routing
Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually. The term "router" in this document refers to both routers and LB modules.
Configuring static routing in the Web interface
Configuring static routes
1.
Table 15 Configuration items
Item: Description
Destination IP Address: Enter the destination IP address in dotted decimal notation.
IMPORTANT: You can enter 0.0.0.0 for both Destination IP Address and Mask to configure a default route. A default route is used to forward packets that match no route entry in the routing table.
Mask: Enter the destination IP address mask.
Next Hop: Enter the next hop IP address in dotted decimal notation.
Outbound Interface: Enter the outbound interface.
c. Enter 0.0.0.0 as the destination IP address, select 0.0.0.0 from the mask list, and enter 1.1.4.2 as the next hop.
d. Click Apply.
Figure 113 Configuring a static route on Device A
4. Configure a static route to Device A and a static route to Device C on Device B:
a. Select Network > Static Routing from the navigation tree.
b. Click Add.
c. Enter 1.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 1.1.4.1 as the next hop.
d. Click Apply.
e. Click Add.
f.
Ping statistics for 1.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
2. Traceroute Host A on Host B:
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.2
Trace complete.
3. Configure the default preference for static routes.
   Command: ip route-static default-preference default-preference-value
   Remarks: Optional. 60 by default.
4. Delete all static routes, including the default route.
   Command: delete [ multiple-topology topology-name | vpn-instance vpn-instance-name ] static-routes all
   Remarks: Optional. To delete one static route, use the undo ip route-static command.

Displaying and maintaining static routes
Task Command Remarks
Display static route information.
# Configure a default route on LB C.
system-view
[LBC] ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
3. Configure the default gateways of Host A, Host B, and Host C as 1.1.2.3, 1.1.6.1, and 1.1.3.1. (Details not shown.)
4. Verify the configuration:
# Display the IP routing table on LB A.
[LBA] display ip routing-table
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost NextHop Interface
0.0.0.0/0 Static 60 0 1.1.4.2 GE0/2
1.1.2.0/24 Direct 0 0 1.1.2.
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Ping statistics for 1.1.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Use the tracert command on Host B to test the reachability of Host A.
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 1.1.6.1
2 <1 ms <1 ms <1 ms 1.1.4.1
3 1 ms <1 ms <1 ms 1.1.2.
Configuring a default route
A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entries is discarded. A default route can be configured in either of the following ways:
• The network administrator can configure a default route with both destination and mask being 0.0.0.0. For more information, see "Configuring a static route.
Configuring RIP
The term "router" in this document refers to both routers and LB modules.
Routing Information Protocol (RIP) is a simple distance-vector interior gateway protocol suited to small-sized networks. It employs UDP to exchange route information through port 520.
Overview
RIP uses a hop count to measure the distance to a destination. The hop count from a router to a directly connected network is 0. The hop count from a router to a directly connected router is 1.
Figure 115 RIP global configuration page
2. Configure RIP globally as described in Table 16.
3. Click Apply.
Table 16 Configuration items
Item: Description
Enable RIP (enable all interfaces automatically): Enable RIP on all interfaces.
Import static routes: Configure RIP to redistribute active static routes.

Configuring interface RIP
1. Select Network > RIP from the navigation tree. The RIP configuration page appears. If RIP is enabled, the More button is displayed.
2. Click More.
Figure 117 RIP interface configuration page
4. Configure RIP interface as described in Table 17.
5. Click Apply.
Table 17 Configuration items
Item: Description
Interface: Displays the RIP interface name.
Work State: Set whether to allow the receiving/sending of RIP packets on the interface:
• On—Allows the receiving/sending of RIP packets on the interface.
• Off—Disallows the receiving/sending of RIP packets on the interface.
RIP configuration example
In this example, Device A is the LB module.
Network requirements
As shown in Figure 118, enable RIP on all interfaces on Device A and Device B.
Figure 118 Network diagram
Configuring Device A
1. Configure IP addresses for interfaces. (Details not shown)
2. Enable RIP:
a. Select Network > RIP from the navigation tree.
b. Select the Enable RIP(Enable all interfaces automatically) box.
c. Click Apply.
Figure 119 Enabling RIP
Configuring Device B
1.
Figure 120 RIP configuration result I
2. Display active routes of Device B: Select Network > Routing Info from the navigation tree to display learned RIP routes destined for 2.0.0.0/8 and 3.0.0.0/8.
Figure 121 RIP configuration result II

Configuring RIP at the CLI
RIP configuration task list
Task: Remarks
Configuring basic RIP: Required.
Configuring RIP route control:
• Configuring an additional routing metric: Optional.
• Configuring RIPv2 route summarization: Optional.
Task: Remarks
Tuning and optimizing RIP networks:
• Configuring RIP timers: Optional.
• Configuring split horizon and poison reverse: Optional.
• Configuring the maximum number of ECMP routes: Optional.
• Enabling zero field check on incoming RIPv1 messages: Optional.
• Enabling source IP address check on incoming RIP updates: Optional.
• Configuring RIPv2 message authentication: Optional.
• Specifying a RIP neighbor: Optional.
• Configuring RIP-to-MIB binding: Optional.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Enable the interface to receive RIP messages.
   Command: rip input
   Remarks: Optional. Enabled by default.
7. Enable the interface to send RIP messages.
   Command: rip output
   Remarks: Optional. Enabled by default.

Configuring a RIP version
A RIPv1-enabled interface sends RIPv1 broadcasts, and can receive RIPv1 broadcasts and unicasts.
6. Specify a RIP version for the interface.
   Command: rip version { 1 | 2 [ broadcast | multicast ] }
   Remarks: Optional. By default, if an interface has no RIP version specified, the global version takes effect. If no global RIP version is specified, the interface can send RIPv1 broadcasts, and receive RIPv1 broadcasts and unicasts, and RIPv2 broadcasts, multicasts, and unicasts.
To enable RIPv2 automatic route summarization:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIP view.
   Command: rip [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable RIPv2 automatic route summarization.
   Command: summary
   Remarks: Optional. By default, RIPv2 automatic route summarization is enabled. If the subnets in the routing table are not contiguous, disable automatic route summarization to advertise more specific routes.
3. Disable RIP from receiving host routes.
   Command: undo host-route
   Remarks: By default, RIP receives host routes.

Advertising a default route
You can advertise a default route on all RIP interfaces in RIP view or a specific RIP interface in interface view. The interface view setting takes precedence over the RIP view settings. To disable an interface from advertising a default route, use the rip default-route no-originate command on the interface.
3. Configure the filtering of inbound routes.
   Command: filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ]
   Remarks: By default, the filtering of inbound routes is not configured.
4. Configure the filtering of outbound routes.
   Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ]
Tuning and optimizing RIP networks
Configuration prerequisites
Before you tune and optimize RIP networks, complete the following tasks:
• Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
• Configure basic RIP.

Configuring RIP timers
You can change the RIP network convergence speed by adjusting RIP timers. Based on network performance, configure identical RIP timer settings to avoid unnecessary traffic or route flapping.
To enable poison reverse:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable poison reverse.
   Command: rip poison-reverse
   Remarks: By default, poison reverse is disabled.

Configuring the maximum number of ECMP routes
Perform this task to implement load sharing over ECMP routes.
To configure the maximum number of ECMP routes:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIP view.
IMPORTANT: Disable the source IP address check feature if the RIP neighbor is not directly connected.
To enable source IP address check on incoming RIP updates:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIP view.
   Command: rip [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable source IP address check on incoming RIP messages.
   Command: validate-source-address
   Remarks: Optional. By default, this function is enabled.
4. Disable source address check on incoming RIP updates.
   Command: undo validate-source-address
   Remarks: By default, this function is not disabled.

Configuring RIP-to-MIB binding
This task allows you to enable a specific RIP process to receive SNMP requests.
To bind RIP to MIB:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Bind RIP to MIB.
   Command: rip mib-binding process-id
   Remarks: Optional. By default, MIB is bound to RIP process 1.
Task: Display routing information about a specified RIP process.
   Command: display rip process-id route [ ip-address { mask | mask-length } | peer ip-address | statistics ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Reset a RIP process.
   Command: reset rip process-id process
   Remarks: Available in user view.
Task: Clear the statistics of a RIP process.
   Command: reset rip process-id statistics
   Remarks: Available in user view.

RIP configuration examples
Configuring RIP version 1.
10.0.0.0/8 1.1.1.2 1 0 RA 9
The output shows that RIPv1 uses natural masks to advertise routing information.
• Configure a RIP version:
# Configure RIPv2 on LB A.
[LBA] rip
[LBA-rip-1] version 2
[LBA-rip-1] undo summary
[LBA-rip-1] quit
# Configure RIPv2 on LB B.
[LBB] rip
[LBB-rip-1] version 2
[LBB-rip-1] undo summary
# Display the RIP routing table on LB A.
• Configure basic RIP:
# Enable RIP 100, and configure RIPv2 on Router A.
system-view
[RouterA] rip 100
[RouterA-rip-100] network 10.0.0.0
[RouterA-rip-100] network 11.0.0.0
[RouterA-rip-100] version 2
[RouterA-rip-100] undo summary
[RouterA-rip-100] quit
# Enable RIP 100 and RIP 200, and configure RIPv2 on LB.
system-view
[LB] rip 100
[LB-rip-100] network 11.0.0.0
[LB-rip-100] version 2
[LB-rip-100] undo summary
[LB-rip-100] quit
[LB] rip 200
[LB-rip-200] network 12.0.0.
# Display the IP routing table on Router B.
[RouterB] display ip routing-table
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost NextHop Interface
10.2.1.0/24 RIP 100 1 12.3.1.1 GE0/1
11.1.1.0/24 RIP 100 1 12.3.1.1 GE0/1
12.3.1.0/24 Direct 0 0 12.3.1.2 GE0/1
12.3.1.2/32 Direct 0 0 127.0.0.1 InLoop0
16.4.1.0/24 Direct 0 0 16.4.1.1 GE0/2
16.4.1.1/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.
Figure 124 Network diagram
2. Configuration procedure
• Configure IP addresses for the interfaces. (Details not shown.)
• Configure basic RIP:
# Configure LB.
system-view
[LB] rip
[LB-rip-1] network 1.0.0.0
[LB-rip-1] version 2
[LB-rip-1] undo summary
[LB-rip-1] quit
# Configure Router A.
[LB] display rip 1 database
1.0.0.0/8, cost 0, ClassfulSumm
1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface
1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface
1.1.3.0/24, cost 1, nexthop 1.1.1.2
1.1.4.0/24, cost 1, nexthop 1.1.2.2
1.1.5.0/24, cost 2, nexthop 1.1.1.2
1.1.5.0/24, cost 2, nexthop 1.1.2.2
The output shows that two RIP routes can reach network 1.1.5.0/24. Their next hops are Router A (1.1.1.2) and Router B (1.1.2.2), respectively, with the same cost of 2.
• Configure basic OSPF:
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
system-view
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
# Configure LB.
10.1.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.2.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.5.1.0/24 RIP 100 1 11.3.1.1 GE0/1
10.6.1.0/24 RIP 100 1 11.3.1.1 GE0/1
11.3.1.0/24 Direct 0 0 11.3.1.2 GE0/1
11.3.1.2/32 Direct 0 0 127.0.0.1 InLoop0
11.4.1.0/24 Direct 0 0 11.4.1.2 GE0/2
11.4.1.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.
When all links work properly, route oscillation occurs on the RIP network. After displaying the routing table, you might find some routes intermittently appear and disappear in the routing table.
2. Analysis
In the RIP network, make sure that each timer has the same value on every router in the network and that the timers keep a logical relationship to one another. For example, the timeout timer value should be greater than the update timer value.
3.
Configuring OSPF
The term "router" in this document refers to both routers and LB modules.
Open Shortest Path First (OSPF) is a link state IGP developed by the OSPF working group of the IETF. OSPF version 2 is used for IPv4. Unless otherwise stated, OSPF refers to OSPFv2 throughout this chapter. OSPF has the following features:
• Wide scope—Supports various network sizes and up to several hundred routers in an OSPF routing domain.
Step: Remarks
2. Configuring OSPF areas
   Remarks: Required. Configure an OSPF area, specify the network segment included in the area, so as to enable OSPF on the interface attached to the specified network segment.
   NOTE: This task allows you to configure one or more interfaces in an area. You need to enable OSPF on the interface whose primary IP address belongs to the specified network segment; otherwise, OSPF cannot run on the interface.
Optional. 3.
Configuring OSPF areas
1. Select Network > OSPF from the navigation tree. The OSPF configuration page appears. After you enable OSPF, the Area Configuration tab is displayed.
Figure 127 Tabs on the OSPF area configuration page
2. Click Add on the Area Configuration tab. The page for configuring OSPF area appears.
Figure 128 OSPF area configuration page
3. Configure an OSPF area as described in Table 19.
4. Click Apply.
Table 19 Configuration items
Item: Description
Area ID: Enter an area ID.
Area Type: Select an area type, including Normal, Stub, and NSSA.
IMPORTANT: The type of a backbone area (with area ID 0) can only be configured as Normal.
Enable all interfaces Network Address Network Items Network Mask Set whether to enable OSPF on all the interfaces.
Configuring OSPF interfaces
1. Select Network > OSPF from the navigation tree. The OSPF configuration page appears.
2. After you complete OSPF area configurations, click More. The hidden OSPF interface list is displayed.
Figure 129 OSPF interface list page
3. Click the icon. The page for configuring the specified OSPF interface appears.
Figure 130 OSPF interface configuration page
4. Configure the specified OSPF interface as described in Table 20.
5. Click Apply.
Item: Description
Hello Interval: Set the interval for sending hello packets. The hello interval must be identical on OSPF neighbors. The hello interval defaults to 10 seconds on P2P and Broadcast interfaces and to 30 seconds on P2MP and NBMA interfaces. The smaller the hello interval is, the faster the network converges and the more network resources are consumed. The interfaces on a specific network segment must have the same Hello interval.
Set the OSPF dead interval.
Item: Description
authentication. Failed packets cannot establish neighboring relationships.
• If the Authentication Mode is null, the interface does not authenticate OSPF packets, and the Key String and Key ID are not required.
• If Simple is specified for Authentication Mode, the interface authenticates OSPF packets by using simple text key. You must configure a Key String in simple text. When you view the configuration file, the authentication key is displayed in simple text.
Field: Description
Area ID: ID of the area to which the interface belongs.
Cost: Cost for the interface.
Network Type: Network type for the interface.
DR Priority: DR priority for the interface.
Current state of the interface:
• Down—No packet is sent or received through the interface.
• Loopback—The interface is in loopback state. A loopback interface can only collect interface information.
Field: Description
State: Current state of the neighbor:
• Down—The initial state of the neighboring relationship.
• Init—A Hello packet is received from the neighbor before the neighbor is down, but it does not contain the router ID. In such cases, bidirectional communication is not available.
• Attempt—Available only for neighbors on an NBMA network. It indicates that the router receives no information from the neighbor, but it still attempts to contact the neighbor.
Figure 134 Enabling OSPF
c. Click Apply. The Area Configuration tab is displayed.
Figure 135 Web page displayed after OSPF is enabled
3. Configure Normal area Area 0:
a. Click Add on the Area Configuration tab.
b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Click Apply.
Figure 136 Configuring area 0
4. Configure NSSA area Area 1:
a. Click Add on the Area Configuration tab.
b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Click Apply.
Figure 137 Configuring area 1

Configuring Device B
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable OSPF:
a. Select Network > OSPF from the navigation tree of Device B.
b. Select the Enable OSPF box.
c. Click Apply.
3. Configure Normal area Area 0:
a. Click Add on the Area Configuration tab.
b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Click Apply.
4.
Configuring Device C
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable OSPF, and configure OSPF to redistribute static routes:
a. Select Network > OSPF from the navigation tree of Device C.
b. Select the Enable OSPF and the Import static routes boxes.
c. Click Apply.
3. Configure NSSA area Area 1:
a. Click Add on the Area Configuration tab.
b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.
b. Enter 2 for Area ID, select Normal for Area Type, enter 10.3.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Enter 10.5.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
d. Click Apply.

Verifying the configuration
1. Display OSPF neighbor information of Device A:
a. Select Network > OSPF from the navigation tree of Device A.
b. Click Show Peer in the Show Information field.
Task Remarks Enabling OSPF Required. Configuring a stub area Configuring OSPF areas Configuring an NSSA area Optional. Configuring a virtual link Configuring OSPF network types Configuring OSPF route control Tuning and optimizing OSPF networks Configuring the broadcast network type for an interface Optional. Configuring the NBMA network type for an interface Optional. Configuring the P2MP network type for an interface Optional. Configuring the P2P network type for an interface Optional.
Enabling OSPF Enable OSPF before you perform other OSPF configuration tasks. Configuration prerequisites Configure the link layer protocol and IP addresses for interfaces to ensure IP connectivity between neighboring nodes. Configuration guidelines Complete the following tasks to enable an interface to run an OSPF process in an area: • Enable the OSPF process • Create the area for the OSPF process • Add the network segment where the interface resides to the area.
6. Configure a description for the area.
   Command: description description
   Remarks: Optional. Not configured by default.
7. Specify a network to enable the interface attached to the network to run the OSPF process in the area.
   Command: network ip-address wildcard-mask
   Remarks: Not configured by default. A network segment can belong to only one area.

Configuring OSPF areas
After you split an OSPF AS into multiple areas, you can configure some areas as stub areas or NSSA areas as needed.
5. Specify a cost for the default route advertised to the stub area.
   Command: default-cost cost
   Remarks: Optional. The default cost is 1. The default-cost command takes effect only on the ABR of a stub area or totally stub area.

NOTE: Virtual links cannot transit a stub area or totally stub area.

Configuring an NSSA area
A stub area cannot import external routes, but an NSSA area can import external routes into the OSPF routing domain while keeping other stub area characteristics.
To configure a virtual link: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter OSPF view. ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * N/A 3. Enter area view. area area-id N/A Configure this command on both ends of a virtual link. Configure a virtual link.
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure the OSPF network type for the interface as broadcast.
   Command: ospf network-type broadcast
   Remarks: By default, the network type of an interface depends on the link layer protocol.
4. Configure a router priority for the interface.
   Command: ospf dr-priority priority
   Remarks: Optional. The default router priority is 1.
Configure the OSPF network type for the interface as P2MP.
   Command: ospf network-type p2mp [ unicast ]
   Remarks: By default, the network type of an interface depends on the link layer protocol. After you configure the OSPF network type for an interface as P2MP unicast, all packets are unicast over the interface. The interface cannot broadcast hello packets to discover neighbors, so you must manually specify the neighbors.
4. Exit to system view.
   Command: quit
   Remarks: N/A
5. Enter OSPF view.
Route summarization reduces the routing information exchanged between areas and the sizes of routing tables, improving router performance. 1. Configuring route summarization on an ABR After you configure a summary route on an ABR, the ABR generates a summary LSA instead of more specific LSAs so that the scale of LSDBs on routers in other areas and the influence of topology changes are reduced. For example, three internal routes 19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24 are available within an area.
• Use an ACL or IP prefix list to filter routing information by destination address and, at the same time, use the gateway keyword to filter routing information by next hop.
• Use a routing policy to filter routing information.
For more information about IP prefix list and routing policy, see "Configuring routing policies."
To configure inbound route filtering:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter OSPF view.
3. Configure an OSPF cost for the interface.
   Command: ospf cost value
   Remarks: Optional. The default cost depends on the interface type: 1 for a VLAN interface and 0 for a loopback interface, computed according to the bandwidth for other interfaces.

To configure a bandwidth reference value:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter OSPF view.
   Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
   Remarks: N/A
3.
Configuring OSPF route redistribution Only active routes can be redistributed. Use the display ip routing-table protocol command to view route state information. 1. Configuring OSPF to redistribute routes from other routing protocols On a router running OSPF and other routing protocols, you can configure OSPF to redistribute routes from other protocols such as RIP, BGP, static, and direct, and advertise them in Type-5 LSAs or Type-7 LSAs.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter OSPF view.
   Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
   Remarks: N/A
3. Configure the default parameters for redistributed routes (cost, upper limit, tag, and type).
   Command: default { cost cost | limit limit | tag tag | type type } *
   Remarks: Optional. The default cost is 1, the default maximum number of routes redistributed per time is 1000, the default tag is 1, and default type of redistributed routes is Type-2.
• LSA retransmission timer: Interval after which the interface retransmits an LSA if it has received no acknowledgement packet from the neighbor. An interval setting that is too small can cause unnecessary LSA retransmissions. This interval is typically set larger than the round-trip time of a packet between two neighbors.
To configure timers for OSPF packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
Specifying SPF calculation interval LSDB changes result in SPF calculations. When the topology changes frequently, a large amount of network and router resources are occupied by SPF calculation. You can adjust the SPF calculation interval to reduce the impact. When network changes are not frequent, the minimum-interval is adopted.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter OSPF view.
   Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
   Remarks: N/A
3. Configure the LSA generation interval.
   Command: lsa-generation-interval maximum-interval [ initial-interval [ incremental-interval ] ]
   Remarks: Optional. By default, the maximum interval is 5 seconds, the minimum interval is 0 milliseconds, and the incremental interval is 5000 milliseconds.
Configuring OSPF authentication
Configure OSPF packet authentication to ensure the security of packet exchange. After authentication is configured, OSPF accepts only packets that pass authentication. Packets that fail authentication cannot be used to establish neighbor relationships. You must configure the same area authentication mode on all the routers in an area. In addition, the authentication mode and password for all interfaces attached to the same area must be identical.
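An added example, not part of HP's guide: a Python check of the rule above that every router in an area must use the same area authentication mode. The area-view command authentication-mode { md5 | simple } is Comware syntax that this excerpt does not show, and the four device configurations below are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed configurations for four devices (not taken from the guide).
# Area 0 is inconsistent, area 1 is consistent, area 2 uses simple mode.
CONFIGS = {
    "RouterA": """
ospf 1
 area 0
  authentication-mode md5
  network 10.1.1.0 0.0.0.255
 area 1
  authentication-mode md5
  network 10.2.1.0 0.0.0.255
""",
    "RouterB": """
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
 area 0.0.0.2
  authentication-mode simple
  network 10.3.1.0 0.0.0.255
""",
    "RouterC": """
ospf 1
 area 0.0.0.1
  authentication-mode md5
  network 10.2.1.0 0.0.0.255
""",
    "LB": """
ospf 1
 area 0.0.0.2
  authentication-mode simple
  network 10.3.1.0 0.0.0.255
""",
}

AREA_RE = re.compile(r"^area\s+(\S+)$")
# Assumption: area-view syntax known from Comware, not shown in this excerpt.
AUTH_RE = re.compile(r"^authentication-mode\s+(md5|simple)$")


def normalize_area(area_id):
    """'area 1' and 'area 0.0.0.1' name the same area; return the dotted form."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def area_auth_modes(config):
    """Map each area configured on one device to 'md5', 'simple' or 'none'."""
    modes, area = {}, None
    for raw in config.splitlines():
        if raw and not raw[0].isspace():
            area = None  # a top-level line ends any previous area view
        line = raw.strip()
        m = AREA_RE.match(line)
        if m:
            area = normalize_area(m.group(1))
            modes.setdefault(area, "none")
            continue
        m = AUTH_RE.match(line)
        if m and area is not None:
            modes[area] = m.group(1)
    return modes


def audit_areas(configs):
    """Return {area: issue} for every area that needs attention."""
    per_area = defaultdict(dict)
    for router, text in configs.items():
        for area, mode in area_auth_modes(text).items():
            per_area[area][router] = mode
    findings = {}
    for area, routers in sorted(per_area.items()):
        distinct = set(routers.values())
        if len(distinct) > 1:
            findings[area] = "mismatch"         # routers disagree on the mode
        elif distinct == {"none"}:
            findings[area] = "unauthenticated"  # no router authenticates
        elif distinct == {"simple"}:
            findings[area] = "cleartext"        # password is sent unprotected
    return findings


if __name__ == "__main__":
    for area, issue in audit_areas(CONFIGS).items():
        print(area, issue)
```

The check covers only the area-level mode; per-interface keys still have to be compared separately.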
2. Enter OSPF view.
   Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *
   Remarks: N/A
3. Specify the maximum number of external LSAs in the LSDB.
   Command: lsdb-overflow-limit number
   Remarks: Optional. Not specified by default.

Enabling compatibility with RFC 1583
RFC 1583 specifies a different method than RFC 2328 for selecting an external route from multiple LSAs.
The generated traps are sent to the information center of the device. The output rules of the traps (whether to output the traps and the output direction) are determined according to the information center configuration. (For more information about information center, see System Maintenance Configuration Guide.) To configure OSPF network management: Step 1. Enter system view. Command Remarks system-view N/A Optional. 2. 3. Bind OSPF MIB to an OSPF process.
can configure OSPF to give priority to receiving and processing Hello packets to ensure stable neighbor relationships. To configure OSPF to give priority to receiving and processing Hello packets: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure OSPF to give priority to receiving and processing hello packets. ospf packet-process prioritized-treatment Not configured by default.
Task Command Remarks Display OSPF statistics. display ospf [ process-id ] cumulative [ | { begin | exclude | include } regular-expression ] Available in any view. Display Link State Database information. display ospf [ process-id ] lsdb [ brief | [ { ase | router | network | summary | asbr | nssa | opaque-link | opaque-area | opaque-as } [ link-state-id ] ] [ originate-router advertising-router-id | self-originate ] ] [ | { begin | exclude | include } regular-expression ] Available in any view.
Task Command Remarks Re-enable OSPF route redistribution. reset ospf [ process-id ] redistribution Available in user view. OSPF configuration examples These configuration examples only cover OSPF configuration related commands. Configuring basic OSPF 1. Network requirements • Enable OSPF on all devices, and split the AS into three areas. • Configure Router A and Router B as ABRs. Figure 141 Network diagram 2. Configuration procedure a. Configure IP addresses for interfaces.
[RouterB-ospf-1-area-0.0.0.2] quit
[RouterB-ospf-1] quit
# Configure Router C.
<RouterC> system-view
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
# Configure LB.
<LB> system-view
[LB] ospf
[LB-ospf-1] area 2
[LB-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[LB-ospf-1-area-0.0.0.2] network 10.5.1.0 0.0.0.255
[LB-ospf-1-area-0.0.0.
Routing Tables
 Routing for Network
 Destination        Cost     Type       NextHop         AdvRouter       Area
 10.2.1.0/24        1        Transit    10.2.1.1        10.2.1.1        0.0.0.1
 10.3.1.0/24        2        Inter      10.1.1.2        10.3.1.1        0.0.0.0
 10.4.1.0/24        2        Stub       10.2.1.2        10.4.1.1        0.0.0.1
 10.5.1.0/24        3        Inter      10.1.1.2        10.3.1.1        0.0.0.0
 10.1.1.0/24        1        Transit    10.1.1.1        10.2.1.1        0.0.0.0
 Total Nets: 5
 Intra Area: 3  Inter Area: 2  ASE: 0  NSSA: 0
# Display the Link State Database on Router A.
10.1.1.0/24 2 Inter 10.3.1.1 10.3.1.1 Total Nets: 5 Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0 # Ping 10.4.1.1 to test connectivity. [LB] ping 10.4.1.1 PING 10.4.1.1: 56 data bytes, press CTRL_C to break Reply from 10.4.1.1: bytes=56 Sequence=2 ttl=253 time=2 ms Reply from 10.4.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms Reply from 10.4.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms Reply from 10.4.1.1: bytes=56 Sequence=4 ttl=253 time=1 ms Reply from 10.4.1.
[LB] ospf 1 [LB-ospf-1] import-route static d. Verify the configuration: # Display ABR/ASBR information on Router C. display ospf abr-asbr OSPF Process 1 with Router ID 10.5.1.1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10.3.1.1 0.0.0.2 10 10.3.1.1 ABR Inter 10.4.1.1 0.0.0.2 22 10.3.1.1 ASBR # Display the OSPF routing table on Router C. display ospf routing OSPF Process 1 with Router ID 10.5.1.
Figure 143 Network diagram 2. Configuration procedure a. Configure IP addresses for interfaces. (Details not shown.) b. Configure basic OSPF: # Configure Router A. system-view [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 [RouterA-ospf-1-area-0.0.0.0] quit [RouterA-ospf-1] quit # Configure LB. system-view [LB] ospf [LB-ospf-1] area 0 [LB-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255 [LB-ospf-1-area-0.0.0.
[RouterD-ospf-1] area 0 [RouterD-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 [RouterD-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255 [RouterD-ospf-1-area-0.0.0.0] quit # Configure Router C. system-view [RouterC] ospf [RouterC-ospf-1] area 0 [RouterC-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255 [RouterC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255 [RouterC-ospf-1-area-0.0.0.0] quit [RouterC-ospf-1] quit c. Configure BGP to redistribute OSPF routes and direct routes: # Configure LB.
e. Configure route summarization:
# Configure route summarization on LB to advertise a single route 10.0.0.0/8.
[LB-ospf-1] asbr-summary 10.0.0.0 8
# Display the IP routing table on Router A.
[RouterA] display ip routing-table
Routing Tables: Public
        Destinations : 5        Routes : 5
Destination/Mask    Proto  Pre  Cost         NextHop         Interface
10.0.0.0/8          O_ASE  150  2            11.2.1.1        GE0/1
11.2.1.0/24         Direct 0    0            11.2.1.2        GE0/1
11.2.1.2/32         Direct 0    0            127.0.0.1       InLoop0
127.0.0.0/8         Direct 0    0            127.0.0.
[RouterC-ospf-1] quit # Display ABR/ASBR information on LB. display ospf abr-asbr OSPF Process 1 with Router ID 10.4.1.1 Routing Table to ABR and ASBR Type Destination Area Cost Nexthop RtType Intra 10.2.1.1 0.0.0.1 3 10.2.1.1 ABR Inter 10.3.1.1 0.0.0.1 5 10.2.1.1 ABR Inter 10.5.1.1 0.0.0.1 7 10.2.1.1 ASBR # Display OSPF routing information on LB. display ospf routing OSPF Process 1 with Router ID 10.4.1.1 Routing Tables Routing for Network Destination Cost Type 10.
# Display OSPF routing information on LB. [LB] display ospf routing OSPF Process 1 with Router ID 10.4.1.1 Routing Tables Routing for Network Destination Cost Type NextHop AdvRouter Area 0.0.0.0/0 4 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.2.1.0/24 3 Transit 10.2.1.2 10.2.1.1 0.0.0.1 10.3.1.0/24 7 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1 10.5.1.0/24 17 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.1.1.0/24 5 Inter 10.2.1.1 10.2.1.1 0.0.0.
Figure 145 Network diagram 2. Configuration procedure a. Configure IP addresses for interfaces. (Details not shown.) b. Configuring basic OSPF (see "Configuring basic OSPF"). c. Configure Area 1 as an NSSA area: # Configure Router A. system-view [RouterA] ospf [RouterA-ospf-1] area 1 [RouterA-ospf-1-area-0.0.0.1] nssa [RouterA-ospf-1-area-0.0.0.1] quit # Configure LB. system-view [LB] ospf [LB-ospf-1] area 1 [LB-ospf-1-area-0.0.0.1] nssa [LB-ospf-1-area-0.0.0.
10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1 10.5.1.0/24 17 Inter 10.2.1.1 10.2.1.1 0.0.0.1 10.1.1.0/24 5 Inter 10.2.1.1 10.2.1.1 0.0.0.1 Total Nets: 5 Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0 d. Configure route redistribution: # Configure OSPF to redistribute the static route on LB. [LB] ip route-static 3.1.2.1 24 10.4.1.2 [LB] ospf [LB-ospf-1] import-route static [LB-ospf-1] quit # Display routing information on Router C.
Figure 146 Network diagram 2. Configuration procedure a. Configure IP addresses for interfaces. (Details not shown.) b. Configure basic OSPF: # Configure LB. system-view [LB] router id 1.1.1.1 [LB] ospf [LB-ospf-1] area 0 [LB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 [LB-ospf-1-area-0.0.0.0] quit [LB-ospf-1] quit # Configure Router A. system-view [RouterA] router id 2.2.2.2 [RouterA] ospf [RouterA-ospf-1] area 0 [RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.
# Display neighbor information on LB.
[LB] display ospf peer verbose
          OSPF Process 1 with Router ID 1.1.1.1
                  Neighbors
 Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet0/1)'s neighbors
 Router ID: 2.2.2.2          Address: 192.168.1.2      GR State: Normal
   State: 2-Way  Mode: None  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 38 sec
   Neighbor is up for 00:01:31
   Authentication Sequence: [ 0 ]
 Router ID: 3.3.3.3          Address: 192.168.1.3
   State: Full  Mode: Nbr is Master
   DR: 192.168.1.
 Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet0/1)'s neighbors
 Router ID: 1.1.1.1          Address: 192.168.1.1      GR State: Normal
   State: Full  Mode: Nbr is Slave  Priority: 100
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 31 sec
   Neighbor is up for 00:11:17
   Authentication Sequence: [ 0 ]
 Router ID: 2.2.2.2          Address: 192.168.1.2
   State: Full  Mode: Nbr is Slave
   DR: 192.168.1.4  BDR: 192.168.1.
 Router ID: 3.3.3.3          Address: 192.168.1.3      GR State: Normal
   State: Full  Mode: Nbr is Slave  Priority: 2
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 39 sec
   Neighbor is up for 00:01:41
   Authentication Sequence: [ 0 ]
The output shows that LB becomes the DR and Router B becomes the BDR. The full neighbor state means an adjacency has been established. The 2-way neighbor state means the two devices are not the DR or BDR, and they do not exchange LSAs.
<RouterA> system-view
[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
<RouterB> system-view
[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
[RouterB-ospf-1-area-0.0.0.1] quit
[RouterB-ospf-1] quit
# Configure LB.
[LB] ospf
[LB-ospf-1] area 1
[LB-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[LB-ospf-1-area-0.0.0.1] quit
# Display OSPF routing information on Router B.
[RouterB] display ospf routing
          OSPF Process 1 with Router ID 2.2.2.2
                   Routing Tables
 Routing for Network
 Destination        Cost     Type       NextHop         AdvRouter       Area
 10.2.1.0/24        2        Transit    10.2.1.1        3.3.3.3         0.0.0.1
 10.3.
b. Configure basic OSPF (see "Configuring basic OSPF"). c. Configure OSPF to redistribute routes: # On LB, configure a static route destined for network 3.1.1.0/24. system-view [LB] ip route-static 3.1.1.0 24 10.4.1.2 # On LB, configure a static route destined for network 3.1.2.0/24. [LB] ip route-static 3.1.2.0 24 10.4.1.2 # On LB, configure a static route destined for network 3.1.3.0/24. [LB] ip route-static 3.1.3.0 24 10.4.1.2 # Configure OSPF to redistribute static routes on LB.
Destination/Mask Proto Pre Cost NextHop Interface 3.1.1.0/24 O_ASE 150 1 10.2.1.2 GE0/2 3.1.2.0/24 O_ASE 150 1 10.2.1.2 GE0/2 10.1.1.0/24 Direct 0 0 10.1.1.1 GE0/1 10.1.1.1/32 Direct 0 0 127.0.0.1 InLoop0 10.2.1.0/24 Direct 0 0 10.2.1.1 GE0/2 10.2.1.1/32 Direct 0 0 127.0.0.1 InLoop0 10.3.1.0/24 OSPF 10 4 10.1.1.2 GE0/1 10.4.1.0/24 OSPF 10 13 10.2.1.2 GE0/2 10.5.1.0/24 OSPF 10 14 10.1.1.2 GE0/1 127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0 127.0.0.
Troubleshooting OSPF configuration No OSPF neighbor relationship established 1. Symptom No OSPF neighbor relationship can be established. 2. Analysis If the physical link and lower layer protocols work well, verify OSPF parameters configured on interfaces. Two neighbors must have the same parameters, such as the area ID, network segment, and mask (a P2P or virtual link may have different network segments and masks). 3. Solution a. Use the display ospf peer command to verify OSPF neighbor information.
Configuring BGP The term "router" in this document refers to both routers and LB modules. Border Gateway Protocol (BGP) is an exterior gateway protocol. It is called internal BGP (IBGP) when it runs within an AS and called external BGP (EBGP) when it runs between ASs. The current version in use is BGP-4 (RFC 4271). Unless otherwise stated, BGP refers to BGP-4 in this document.
Figure 149 BGP global configuration page 2. Configure BGP globally as described in Table 23. 3. Click Apply. Table 23 Configuration items Item Description Enable BGP Enable BGP. AS Specify a local AS number. Import static routes Configure BGP to redistribute active static routes (except default routes). Configuring BGP peer 1. Select Network > BGP from the navigation tree. The BGP configuration page appears. Figure 150 Tabs on the BGP peer configuration page 2.
Figure 151 Creating a BGP peer 3. Configure the parameters as described in Table 24. 4. Click Apply. Table 24 Configuration items Item Description Peer IP Address Configure the IP address of the BGP peer. Peer AS Specify the AS number of the BGP peer. Displaying BGP peer information 1. Select Network > BGP from the navigation tree. The BGP configuration page appears. 2. After you complete BGP peer configurations, click Show Peer on the Show Information tab.
BGP configuration example
In this example, Device A is the LB module.
Network requirements
All devices in the following figure run BGP. An EBGP connection runs between Device A and Device B. IBGP speakers Device B, Device C, and Device D are fully meshed.
Figure 153 Network diagram
Configuring Device A
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable BGP:
   a. Select Network > BGP from the navigation tree of Device B. The BGP configuration page appears.
Figure 155 Web page displayed after you enable BGP
   b. Select the Enable BGP box, and enter 65008 for AS.
   c. Click Apply.
3. Configure EBGP connections:
   a. Click Add in the Peer Configuration field. The BGP peer configuration page appears.
Figure 156 Adding a BGP peer
   b. Enter 200.1.1.1 for Peer IP Address and 65009 for Peer AS.
   c. Click Apply.
Configuring Device B
See the configuration pages of Device A for reference.
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable BGP:
   a.
   b. Select the Enable BGP box, and enter 65009 for AS.
   c. Click Apply.
3. Configure IBGP connections:
   a. Click Add in the Peer Configuration field.
   b. Enter 9.1.1.2 for Peer IP Address and 65009 for Peer AS.
   c. Click Apply.
   d. Click Add in the Peer Configuration field.
   e. Enter 9.1.3.2 for Peer IP Address and 65009 for Peer AS.
   f. Click Apply.
4. Configure EBGP connections:
   a. Click Add in the Peer Configuration field.
   b. Enter 200.1.1.2 for Peer IP Address and 65008 for Peer AS.
   c. Click Apply.
e. Enter 9.1.2.1 for Peer IP Address and 65009 for Peer AS. f. Click Apply. Verifying the configuration 1. Select Network > BGP from the navigation tree of Device B. 2. Click Show Peer in the Show Information field. BGP connections are established from Device B to other devices. Figure 157 BGP configuration result Configuring BGP at the CLI BGP configuration task list In a basic BGP network, you only need to perform the following configurations: • Enable BGP. • Configure BGP peers or peer groups.
Task Remarks Configuring BGP route summarization Advertising a default route to a peer or peer group Controlling route distribution and reception Configuring BGP route distribution/reception filtering policies Optional.
Enabling BGP A router ID is the unique identifier of a BGP router in an AS. • To ensure the uniqueness of a router ID and enhance availability, you can specify in BGP view the IP address of a local loopback interface as the router ID. • If no router ID is specified in BGP view, the global router ID is used. • If the global router ID is used and then the interface that owns the router ID is removed, the router selects a new router ID.
6. Configure a description for a peer.
   Command: peer ip-address description description-text
   Remarks: Optional. By default, no description is configured for a peer.

Configuring a BGP peer group
In a large-scale network, grouping peers that use the same route selection policy simplifies overall configuration. When you modify the policy of the group, the modification applies to all peers in the group. However, if a peer group already contains peers, you cannot remove or change its AS number.
To configure an EBGP peer group by using Approach 1: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A 3. Create an EBGP peer group. group group-name external By default, no EBGP peer group is created. 4. Specify the AS number for the group. peer group-name as-number as-number By default, no AS number is specified. By default, no peer exists in the peer group. 5. Add a peer into the EBGP peer group.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Create an EBGP peer group.
   Command: group group-name external
   Remarks: N/A
4. Add a peer into the EBGP peer group.
   Command: peer ip-address group group-name as-number as-number
   Remarks: N/A
5. Enable a peer.
   Command: peer ip-address enable
   Remarks: Optional. Enabled by default.
6. Configure a description for a peer group.
   Command: peer group-name description description-text
   Remarks: Optional. By default, no description is configured for the peer group.
• Advertise local networks. • Redistribute IGP routes. Configuration prerequisites Create and configure a routing policy. For more information, see "Configuring routing policies." Injecting a local network Perform this task to inject a network in the local routing table to the BGP routing table, so that BGP can advertise the network to BGP peers. The ORIGIN attribute of BGP routes advertised in this way is IGP. You can also use a routing policy to flexibly control route advertisement.
Controlling route distribution and reception Configuring BGP route summarization To reduce the number of routes to be redistributed and the routing table size on medium and large BGP networks, configure route summarization on BGP routers. BGP supports the following summarization modes: automatic and manual. Manual summary routes have a higher priority than automatic ones. 1.
Step Command Remarks 2. Enter BGP view. bgp as-number N/A 3. Advertise a default route to a peer or peer group. peer { group-name | ip-address } default-route-advertise [ route-policy route-policy-name ] Not advertised by default. Configuring BGP route distribution/reception filtering policies 1.
Step Command Remarks • Configure the filtering of redistributed routes advertised to all peers: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ direct | ospf process-id | rip process-id | | static ] • Reference a routing policy to filter advertisements to a peer or peer group: peer { group-name | ip-address } route-policy route-policy-name export Configure BGP route distribution filtering policies. 3.
Step Command Remarks • Reference an ACL or IP prefix list to filter incoming routes from all peers : filter-policy { acl-number | ip-prefix ip-prefix-name } import • Reference a routing policy to filter routing information from a peer or peer group: peer { group-name | ip-address } route-policy route-policy-name import • Reference an ACL to filter routing 3. Configure BGP route reception filtering policies.
For this example, if synchronization is enabled, and the route 8.0.0.0/24 received from Router B is available in its IGP routing table, Router D advertises the IBGP route when the following conditions are satisfied: • The next hop of the route is reachable. • An active route with the same destination network segment is available in the IGP routing table (use the display ip routing-table protocol command to check the IGP route state).
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A 3. Configure BGP route dampening. dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling | route-policy route-policy-name ] * Not configured by default. Controlling BGP path selection By configuring BGP path attributes, you can control BGP path selection.
4. Increase the preference of a received EBGP route.
   Command: network ip-address [ mask | mask-length ] short-cut
   Remarks: Optional. By default, an EBGP route received has a preference of 255.

Configure the default local preference
The local preference is used to determine the best route for traffic leaving the local AS.
Figure 159 Route selection based on MED
As shown in Figure 159, Router D learns network 10.0.0.0 from both Router A and Router B. Because Router B has a smaller router ID, the route learned from it is optimal.
     Network  NextHop  MED  LocPrf  PrefVal  Path/Ogn
 *>i 10.0.0.0  2.2.2.2  50  0  300e
 * i           3.3.3.3  50  0  200e
When Router D learns network 10.0.0.0 from Router C, it compares the route with the optimal route in its routing table.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A 3. Enable the comparison of MEDs for routes on a per-AS basis. bestroute compare-med 4. Optional. Not enabled by default.
Figure 161 Next_HOP attribute configuration IMPORTANT: If you have configured BGP load balancing, the router sets itself as the next hop for routes sent to an IBGP peer or peer group regardless of whether the peer next-hop-local command is configured. To configure the NEXT_HOP attribute: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A Optional. Specify the router as the next hop of routes sent to a peer or peer group. 3.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Disable BGP from considering AS_PATH during best route selection.
   Command: bestroute as-path-neglect
   Remarks: Optional. By default, BGP considers AS_PATH during best route selection.

Specifying a fake AS number for a peer or peer group
When Router A in AS 2 is moved to AS 3, you can configure Router A to specify a fake AS number of 2 for created connections to EBGP peers or peer groups.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A 3. Configure BGP to remove private AS numbers from the AS_PATH attribute of updates to a peer or peer group. peer { group-name | ip-address } public-as-only By default, BGP updates carry private AS numbers. 6. Ignoring the first AS number of EBGP route updates Typically, BGP checks the AS_PATH attribute of a route update received from a peer.
• The timer command takes effect for only new BGP sessions. • After you set new intervals with the peer timer command, the existing BGP session is closed at once, and a new session to the peer is negotiated by using the configured holdtime. To configure BGP keepalive interval and holdtime: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter BGP view. bgp as-number N/A • Configure the global keepalive interval and holdtime: timer keepalive keepalive hold holdtime 3.
3. Allow the establishment of EBGP session to an indirectly connected peer or peer group, and specify the maximum hop count.
   Command: peer { group-name | ip-address } ebgp-max-hop [ hop-count ]
   Remarks: By default, the EBGP session to an indirectly connected peer or peer group is not allowed to be established.

Enabling the BGP ORF capability
The BGP Outbound Route Filtering (ORF) feature allows a BGP speaker to send its BGP peer a set of ORFs through route-refresh messages.
Enabling 4-byte AS number suppression
When a device that supports 4-byte AS numbers sends an Open message for session establishment, the Optional parameters field of the message indicates that the AS number occupies four bytes, in the range of 1 to 4294967295. If the peer device does not support 4-byte AS numbers (for example, it supports only 2-byte AS numbers), the session cannot be established.
3. Enable MD5 authentication for BGP peers.
   Command: peer { group-name | ip-address } password { cipher | simple } password
   Remarks: Not enabled by default.

Configuring BGP load balancing
If multiple BGP routes that have the same AS_PATH, ORIGIN, LOCAL_PREF, and MED attributes to a destination exist, you can use the balance command to configure the maximum number of BGP routes for load balancing to improve link utilization.
To configure BGP load balancing:
Step Command Remarks 1.
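Returning to the MD5 authentication step for BGP peers, the following added example (not part of HP's guide) audits a saved BGP configuration for peers that have no password, peers whose password was entered with the simple keyword, and unauthenticated multihop EBGP peers. The configuration is constructed; the group name, addresses, AS numbers and passwords are assumptions, and the internal keyword of the group command is Comware syntax not shown in this excerpt.

```python
import re

# Constructed Comware-style BGP configuration. Addresses, AS numbers, the
# group name and the passwords are made up for this example.
SAMPLE_CONFIG = """
bgp 65009
 group transit external
 peer transit as-number 65008
 peer transit password cipher CIPHERTEXT-PLACEHOLDER
 peer 200.1.1.2 group transit
 peer 200.1.2.2 as-number 65010
 peer 200.1.2.2 ebgp-max-hop 3
 peer 9.1.1.2 as-number 65009
 peer 9.1.1.2 password simple lab123
 peer 9.1.3.2 as-number 65009
"""

BGP_RE = re.compile(r"^bgp\s+(\d+)$")
GROUP_RE = re.compile(r"^group\s+(\S+)\s+(external|internal)$")
PEER_RE = re.compile(r"^peer\s+(\S+)\s+(.+)$")


def parse_bgp(config):
    """Return (local AS, set of group names, {peer-or-group: settings})."""
    local_as, groups, entries = None, set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        m = BGP_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
            entries.setdefault(m.group(1), {})
            continue
        m = PEER_RE.match(line)
        if not m:
            continue
        entry = entries.setdefault(m.group(1), {})
        tokens = m.group(2).split()
        i = 0
        while i < len(tokens):  # one peer line may carry several keywords
            keyword = tokens[i]
            if keyword == "as-number" and i + 1 < len(tokens):
                entry["as"] = int(tokens[i + 1])
                i += 2
            elif keyword == "group" and i + 1 < len(tokens):
                entry["group"] = tokens[i + 1]
                i += 2
            elif keyword == "password" and i + 2 < len(tokens):
                entry["password"] = tokens[i + 1]  # "cipher" or "simple"
                i += 3
            elif keyword == "ebgp-max-hop":
                entry["multihop"] = True
                i += 2 if i + 1 < len(tokens) and tokens[i + 1].isdigit() else 1
            else:
                i += 1
    return local_as, groups, entries


def audit_peers(config):
    """Return {peer address: [issues]}; group settings apply to members."""
    local_as, groups, entries = parse_bgp(config)
    findings = {}
    for name, entry in entries.items():
        if name in groups:
            continue
        group = entries.get(entry.get("group"), {})
        mode = entry.get("password") or group.get("password")
        remote_as = entry.get("as") or group.get("as")
        multihop = entry.get("multihop") or group.get("multihop", False)
        issues = []
        if mode is None:
            issues.append("no-password")
        elif mode == "simple":
            issues.append("plaintext-password")  # readable in the saved config
        if mode is None and multihop and remote_as != local_as:
            issues.append("unauthenticated-multihop-ebgp")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit_peers(SAMPLE_CONFIG).items():
        print(peer, ", ".join(issues))
```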
• Manual soft-reset: Use the refresh bgp command to enable BGP to send local routing information or advertise a route-refresh message to the specified peer so the peer resends its routing information. After receiving the routing information, the router filters the routing information by using the new policy. This method requires that both the local router and the peer support route refresh.
1. Enabling route-refresh
To enable BGP route refresh for a peer or peer group:
Step Command Remarks 1.
reflector, or confederation as needed. For how to configure a peer group, see "Configuring a BGP peer group." Configuration prerequisites Peering nodes are accessible to each other at the network layer. Configuring BGP community By default, a router does not send the community or extended community attribute to its peers or peer groups. When the router receives a route carrying the community or extended community attribute, it removes the attribute before advertising the route to its peers or peer groups.
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Configure the router as a route reflector and specify a peer or peer group as its client.
   Command: peer { group-name | ip-address } reflect-client
   Remarks: Not configured by default. In BGP view, the command enables the router to reflect routes of the public network.
4. Enable route reflection between clients.
   Command: reflect between-clients
   Remarks: Optional. Enabled by default.
5. Configure the cluster ID of the route reflector.
   Remarks: Optional.
Step 2. Enter BGP view.
Command: bgp as-number
Remarks: N/A

Step 3. Enable compatibility with routers not compliant with RFC 3065 in the confederation.
Command: confederation nonstandard
Remarks: Optional. Not enabled by default.

Enabling trap

After trap is enabled for BGP, BGP generates Level-4 traps to report important events. The generated traps are sent to the information center of the device.
Task: Display advertised BGP routing information.
Command: display bgp network [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display AS path information.
Command: display bgp paths [ as-regular-expression | | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display BGP peer or peer group information.
Task: Display BGP routing statistics.
Command: display bgp routing-table statistic [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the global router ID.
Command: display router id [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Resetting BGP session

Task: Reset the specified BGP session.
Command: reset bgp { as-number | ip-address | all | external | group group-name | internal }
Remarks: Available in user view.
b. Configure IBGP:
• To prevent route flapping caused by port state changes, this example uses loopback interfaces to establish IBGP connections.
• Because loopback interfaces are virtual interfaces, you need to use the peer connect-interface command to specify the loopback interface as the source interface for establishing BGP connections.
• Enable OSPF in AS 65009 to make sure that LB can communicate with Router B through loopback interfaces.
# Configure LB.
• The EBGP peers, Router A and LB (which usually belong to different ISPs), are located in different ASs. Typically, their loopback interfaces are not reachable to each other, so directly connected interfaces are used for establishing BGP sessions.
• To enable Router B to access the network 8.1.1.0/24 connected directly to Router A, inject network 8.1.1.0/24 to the BGP routing table of Router A.
# Configure Router A.
system-view
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.
BGP Local router ID is 2.2.2.2
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn
*>   8.1.1.0/24         3.1.1.2         0                     0       65008i

# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 3.3.3.
Two routes, 2.2.2.2/32 and 9.1.1.0/24, have been added to the routing table of Router A.
# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table
Total Number of Routes: 4
BGP Local router ID is 3.3.3.3
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn
i    2.2.2.2/32         2.2.2.2         0          100        0       ?
*>i  3.1.1.0/24         2.2.2.
Figure 163 Network diagram (image not reproduced; labels: AS 65008, AS 65009, Router A, LB, Router B, EBGP, OSPF)

2. Configuration procedure
a. Configure IP addresses for interfaces. (Details not shown.)
b. Configure OSPF:
Enable OSPF in AS 65009, so that LB can obtain the route to 9.1.2.0/24.
# Configure LB.
system-view
[LB] ospf 1
[LB-ospf-1] area 0
[LB-ospf-1-area-0.0.0.
Configure OSPF to redistribute routes from BGP on LB, so that Router B can obtain the route to 8.1.1.0/24.
# Configure BGP to redistribute routes from OSPF on LB.
[LB-bgp] import-route ospf 1
[LB-bgp] quit
[LB] ospf 1
[LB-ospf-1] import-route bgp
[LB-ospf-1] quit
# Display the BGP routing table on Router A.
[RouterA] display bgp routing-table
Total Number of Routes: 3
BGP Local router ID is 1.1.1.
Reply from 9.1.2.1: bytes=56 Sequence=5 ttl=254 time=47 ms
--- 9.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 15/37/47 ms
[RouterB] ping -a 9.1.2.1 8.1.1.1
PING 8.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=2 ms
Reply from 8.1.1.1: bytes=56 Sequence=3 ttl=254 time=2 ms
Reply from 8.1.1.
• On Router B, establish an EBGP connection with LB and an IBGP connection with Router A; configure BGP to advertise network 9.1.1.0/24 to LB, so LB can access the intranet through Router B; configure a static route to interface loopback 0 on Router A (or use a routing protocol like OSPF) to establish the IBGP connection.
• On Router A, establish an EBGP connection with LB and an IBGP connection with Router B; configure BGP to advertise network 9.1.1.
*>   8.1.1.0/24         0.0.0.0         0                     0       i
*>   9.1.1.0/24         3.1.1.1         0                     0       65009i
*                       3.1.2.1         0                     0       65009i

• The output shows two valid routes to destination 9.1.1.0/24: the route with next hop 3.1.1.1 is marked with a greater-than sign (>), indicating it is the best route; the route with next hop 3.1.2.1 is marked with only an asterisk (*), indicating it is a valid route, but not the best.
• By using the display ip routing-table command, you can find only one route to 9.1.1.0/24 with next hop 3.1.1.
Figure 165 Network diagram Core layer device Router B Internal network AS 65106 GE0/1 192.168.212.1/24 Loop0 2.2.2.2/32 Loop0 1.1.1.1/32 Distribution layer device Router A GE0/2 172.17.100.1/24 Loop0 3.3.3.3/32 GE0/1 GE0/2 192.168.212.161/24 172.17.100.2/24 Loop0 4.4.4.4/32 GE0/1 10.220.2.16/24 Boundary device LB 192.168.64.0/24 2. 192.168.74.0/24 External network AS 64631 GE0/1 10.220.2.217/24 External network Router C 192.168.99.0/24 Configuration procedure a.
Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost  NextHop         Interface
3.3.3.3/32          Direct  0    0     127.0.0.1       InLoop0
10.220.2.0/24       Direct  0    0     10.220.2.16     GE0/1
10.220.2.16/32      Direct  0    0     127.0.0.1       InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1       InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1       InLoop0
172.17.100.0/24     Direct  0    0     172.17.100.2    GE0/2
172.17.100.2/32     Direct  0    0     127.0.0.1       InLoop0
192.168.64.0/24     O_ASE   150  1     172.17.100.1    GE0/2
192.168.74.0/24     O_ASE   150  1     172.
After the above configurations, ping the hosts on networks 192.168.64.0/24, 192.168.74.0/24, and 192.168.99.0/24 from Router C. The ping operations succeed.
e. Summarize 192.168.64.0/24, 192.168.74.0/24, and 192.168.99.0/24 into a single route 192.168.64.0/18 on LB and disable advertisement of the specific routes.
[LB-bgp] aggregate 192.168.64.0 18 detail-suppressed
[LB-bgp] quit
f. Verify the configuration:
# Display IP routing table information on LB.
As shown in Figure 166, EBGP runs between Router B and LB, and between Router B and Router A. Configure the NO_EXPORT community attribute on LB so that routes from AS 10 are not advertised by AS 20 to any other AS.
Figure 166 Network diagram

2. Configuration procedure
a. Configure IP addresses for interfaces. (Details not shown.)
b. Configure EBGP connections:
# Configure LB.
system-view
[LB] bgp 10
[LB-bgp] router-id 1.1.1.1
[LB-bgp] peer 200.1.2.2 as-number 20
[LB-bgp] network 9.1.1.0 255.255.255.
From : 200.1.2.1 (1.1.1.1)
Original nexthop: 200.1.2.1
AS-path : 10
Origin : igp
Attribute value : MED 0, pref-val 0, pre 255
State : valid, external, best,
Advertised to such 1 peers:
200.1.3.2

Router B has advertised the route to Router A in AS 30.
# Display BGP routing table information on Router A.
[RouterA] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 3.3.3.
You can find the NO_EXPORT community attribute in the output. In this case, the route of 9.1.1.0/24 is not available in the routing table of Router A.

BGP route reflector configuration example

1. Network requirements
As shown in Figure 167, all routers run BGP.
• EBGP runs between Router A and Router B. IBGP runs between LB and Router B, and between LB and Router C.
• LB is a route reflector with clients Router B and Router C.
• Router C can learn route 1.0.0.0/8 from LB.
# Configure Router C.
system-view
[RouterC] bgp 200
[RouterC-bgp] peer 194.1.1.1 as-number 200
[RouterC-bgp] quit
c. Configure LB as the route reflector.
[LB] bgp 200
[LB-bgp] peer 193.1.1.2 reflect-client
[LB-bgp] peer 194.1.1.2 reflect-client
[LB-bgp] quit
d. Verify the configuration:
# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 200.1.2.
Figure 168 Network diagram Device Interface IP address Device Interface IP address Router A S2/1 200.1.1.1/24 Router D GE0/1 10.1.5.1/24 GE0/1 10.1.2.1/24 GE0/2 10.1.3.2/24 GE0/2 10.1.3.1/24 GE0/1 10.1.5.2/24 GE0/3 10.1.4.1/24 GE0/2 10.1.4.2/24 GE0/4 10.1.1.1/24 GE0/1 9.1.1.1/24 Router B GE0/1 10.1.1.2/24 S2/0 200.1.1.2/24 Router C GE0/1 10.1.2.2/24 2. LB Router E Configuration procedure a. Configure IP addresses for interfaces. (Details not shown.) b.
system-view
[RouterC] bgp 65003
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] confederation id 200
[RouterC-bgp] confederation peer-as 65001 65002
[RouterC-bgp] peer 10.1.2.1 as-number 65001
[RouterC-bgp] quit
c. Configure IBGP connections in AS 65001:
# Configure Router A.
[RouterA] bgp 65001
[RouterA-bgp] peer 10.1.3.2 as-number 65001
[RouterA-bgp] peer 10.1.3.2 next-hop-local
[RouterA-bgp] peer 10.1.4.2 as-number 65001
[RouterA-bgp] peer 10.1.4.
[RouterB] display bgp routing-table
Total Number of Routes: 1
BGP Local router ID is 2.2.2.2
Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf     PrefVal Path/Ogn
*>i  9.1.1.0/24         10.1.1.1        0          100        0       (65001) 100i

[RouterB] display bgp routing-table 9.1.1.0
BGP local router ID : 2.2.2.
AS-path : 100
Origin : igp
Attribute value : MED 0, localpref 100, pref-val 0, pre 255
State : valid, internal, best,
Not advertised to any peers yet

The output indicates the following:
• Router E can send route information to Router B and Router C through the confederation by establishing only an EBGP connection with Router A.
• Router B and Router D are in the same confederation, but belong to different sub-ASs.
# Configure Router B.
system-view
[RouterB] ospf
[RouterB-ospf] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf] area 0
[RouterC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.
[LB-bgp] quit
d. Configure different attribute values for the route 1.0.0.0/8 to make LB give priority to the route learned from Router C:
• (Method I.) Specify a higher MED value for the route 1.0.0.0/8 advertised to 192.1.1.2 to make LB give priority to the route learned from Router C.
# Define ACL 2000 to permit the route 1.0.0.0/8
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.
[RouterC] route-policy localpref permit node 10
[RouterC-route-policy] if-match acl 2000
[RouterC-route-policy] apply local-preference 200
[RouterC-route-policy] quit
# Apply the routing policy localpref to the route from the peer 193.1.1.1 on Router C.
[RouterC] bgp 200
[RouterC-bgp] peer 193.1.1.1 route-policy localpref import
[RouterC-bgp] quit
# Display the BGP routing table on LB.
[LB] display bgp routing-table
Total Number of Routes: 2
BGP Local router ID is 194.1.1.
h. Use the display tcp status command to verify the TCP connection. i. Verify whether an ACL is applied to disable TCP port 179.
Displaying and maintaining an IPv4 routing table You can display an IPv4 routing table in the Web interface or at the CLI to help you locate routing problems. Displaying an IPv4 routing table in the Web interface You can view only active routes on the route display page. Select Network > Routing Info from the navigation tree to enter the route display page. Figure 170 Route display page Table 27 Field description Field Description Destination Destination address or destination network.
Displaying and maintaining an IPv4 routing table at the CLI

Task: Display routing table information.
Command: display ip routing-table [ verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about routes permitted by an IPv4 basic ACL.
Command: display ip routing-table acl acl-number [ verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about routes to a specific destination address.
Configuring policy-based routing Overview Different from destination-based routing, policy-based routing (PBR) uses user-defined policies to route packets based on the source address, packet length, and other criteria. A policy can specify the output interface, next hop, default output interface, default next hop, and other parameters for packets that match specific criteria such as ACLs or have specific lengths.
Table 28 Priorities and meanings of apply clauses Clause Meaning Priority If this clause is configured, other apply clauses, except the apply ip-df zero clause, are not executed. apply access-vpn vpn-instance Sets VPN instances. apply ip-precedence Sets an IP precedence. If the apply access-vpn vpn-instance clause is not configured, this clause is always executed. apply output-interface and apply ip-address next-hop Sets the output interface and sets the next hop.
Configuring policy-based routing in the Web interface Recommended configuration procedure Step Description Required. 1. Configuring a policy Create a policy and configure the policy node. By default, no policy is created. Required. You can configure local PBR or interface PBR. • Only one policy can be referenced when local PBR is enabled. Local PBR is 2. Applying a policy not configured by default. • Only one policy can be referenced when interface PBR is enabled.
Figure 172 Creating a policy 3. Create a policy and a policy node as described in Table 29. 4. Click Apply. Table 29 Configuration items Item Description Enter a policy name. Policy Name IMPORTANT: Any spaces entered at the beginning or end of a policy name will be ignored. A policy name containing only spaces is considered as null. Node Index Enter a node index of the policy. The node with a smaller number has a higher priority and is matched first.
Item Description Enter the next hop IP address. Next Hop Default Next Hop The Web interface supports setting only one outbound interface, next hop, default outbound interface, or default next hop. If you configure two interfaces or next hops at the CLI, the Web interface displays only one. To display the other interface or next hop, first delete the one that is displayed. Enter the default next hop IP address. Enter the outbound interface. (This option is available after you click Show Advanced.
Figure 173 Policy node list page Figure 174 Creating a policy node Applying a policy 1. Select Network > Policy Routing from the navigation tree. 2. Click the Application tab. The PBR application page appears.
Figure 175 PBR application page 3. Click Add. The page for applying a policy appears. Figure 176 Applying a policy 4. Enable local PBR or interface PBR as described in Table 31. 5. Click Apply. Table 31 Configuration items Item Description Specify the policy application mode: Apply to • Local—Enable local PBR. Unless otherwise required, do not enable local PBR. • Interface—Enable interface PBR. Apply the policy on a selected interface. Policy Name Enter the name of the policy to be applied.
Figure 177 Network diagram

Configuring LB
1. Configure IP addresses for interfaces and add interfaces to security zones. (Details not shown.)
2. Create ACL 3101 to match TCP packets:
a. Select Security > ACL from the navigation tree.
b. Click Add. The page for creating ACL 3101 appears.
c. Enter 3101 for ACL Number, and select Config for Match Order.
d. Click Apply.
Figure 178 Creating ACL 3101
e. Click the icon of ACL 3101 in the ACL list page.
f. Click Add.
h. Click Apply.
Figure 179 Defining rules for ACL 3101
3. Create node 5 for policy aaa and specify 1.1.2.2 as the next hop of all TCP packets:
a. Select Network > Policy Routing from the navigation tree.
b. Click Add. The default policy configuration page appears.
c. Enter aaa as the policy name and 5 as node index, set the mode to permit, enter 3101 as the number of the ACL for matching TCP packets, and enter 1.1.2.2 as next hop.
d. Click Apply.
Figure 180 Creating node 5 for policy aaa
4. Apply policy aaa to GigabitEthernet 0/3 to process packets received on the interface:
a. Click the Application tab.
b. Click Add. The page appears.
c. Select the Interface box and select GigabitEthernet 0/3, and select aaa as the policy name.
d. Click Apply.
Configuring Router A and Router B

Configure IP addresses of interfaces on Router A and Router B, and configure static routes to network 10.110.0.0/24. (Details not shown.)

Verifying the configuration

Configure the IP address of Host A as 10.110.0.20/24, and specify its gateway address as 10.110.0.10.
On Host A, Telnet to Router A. The operation succeeds.
On Host A, Telnet to Router B. The operation fails.
Ping Router B from Host A. The operation succeeds.
Telnet uses TCP and ping uses ICMP.
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter policy node view.
Command: policy-based-route policy-name [ deny | permit ] node node-number
Remarks: N/A

Step 3. Configure an ACL match criterion.
Command: if-match acl acl-number
Remarks: Optional.

Step 4. Configure a packet length match criterion.
Command: if-match packet-length min-len max-len
Remarks: Optional.

Step 5. Configure a reverse input interface match criterion.
Command: if-match reverse-input-interface interface-type interface-number
Remarks: Optional.
You can apply only one policy locally. If you execute the ip local policy-based-route command multiple times, only the last specified policy takes effect.
If the specified policy does not exist, the local PBR configuration succeeds, but it does not take effect until the policy is created.
Do not configure local PBR unless required.

To configure local PBR:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Apply a policy locally.
Task: Display PBR statistics.
Command: display ip policy-based-route statistics { interface interface-type interface-number | local } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear PBR statistics.
Command: reset policy-based-route statistics [ policy-name ]
Remarks: Available in user view.
[RouterA-GigabitEthernet0/1] ip address 1.1.2.2 255.255.255.0
3. Configure the IP address for the GigabitEthernet interface of Router B.
system-view
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ip address 1.1.3.2 255.255.255.0
4. Verify the configuration:
# Telnet to Router A (1.1.2.2/24) from LB. The operation succeeds.
# Telnet to Router B (1.1.3.2/24) from LB. The operation fails.
# Ping Router B (1.1.3.2/24) from LB. The operation succeeds.
[LB-acl-adv-3101] quit
# Configure Node 5 for policy aaa to forward TCP packets through GigabitEthernet 0/1.
[LB] policy-based-route aaa permit node 5
[LB-pbr-aaa-5] if-match acl 3101
[LB-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[LB-pbr-aaa-5] quit
# Configure interface PBR by applying the policy aaa on GigabitEthernet 0/3.
[LB] interface gigabitethernet 0/3
[LB-GigabitEthernet0/3] ip address 10.110.0.10 255.255.255.
Interface PBR based on packet length configuration example

Network requirements
As shown in Figure 184, configure interface PBR to guide the forwarding of packets received on GigabitEthernet 0/3 of LB as follows:
• Forward packets with a length of 64 to 100 bytes to the next hop 150.1.1.2/24.
• Forward packets with a length of 101 to 1000 bytes to the next hop 151.1.1.2/24.
All other packets are forwarded according to the routing table.
Figure 184 Network diagram

Configuration procedure
1.
[LB-GigabitEthernet0/1] ip address 150.1.1.1 255.255.255.0
[LB-GigabitEthernet0/1] quit
[LB] interface gigabitethernet 0/2
[LB-GigabitEthernet0/2] ip address 151.1.1.1 255.255.255.0
[LB-GigabitEthernet0/2] return
2. Configure Router A:
# Configure RIP.
system-view
[RouterA] rip
[RouterA-rip-1] network 10.0.0.0
[RouterA-rip-1] network 150.1.0.0
[RouterA-rip-1] network 151.1.0.0
# Configure the IP addresses of the GigabitEthernet interfaces.
*Jun 7 12:04:35:518 2012 LB PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.2
*Jun 7 12:04:36:518 2012 LB PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.2

The preceding information shows that LB sets the next hop for the received packets to 150.1.1.2 according to PBR. The packets are forwarded through GigabitEthernet 0/1.
Configuring IPv6 basics

IPv6 basics can be configured only at the CLI.

Overview

IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.

IPv6 features

Simplified header format
IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header.
Address autoconfiguration
To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration:
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
CAUTION: A double colon may appear once or not at all in an IPv6 address. This limit allows the device to determine how many zeros the double colon represents, and correctly convert it to zeros to restore a 128-bit IPv6 address. An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address respectively.
• Link-local addresses are used for communication among link-local nodes for neighbor discovery and stateless autoconfiguration. Packets with link-local source or destination addresses are not forwarded to other links.
• Site-local unicast addresses are similar to private IPv4 addresses. Packets with site-local source or destination addresses are not forwarded out of the local site (or a private network).
• A loopback address is 0:0:0:0:0:0:0:1 (or ::1).
Figure 186 Converting a MAC address into an EUI-64 address-based interface identifier

• On a tunnel interface
The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros.
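The two interface-identifier derivations above, worked through in Python as an added example (not code from this guide). It uses the standard modified EUI-64 rule (insert FFFE between the two halves of the MAC and invert the universal/local bit) and also shows the reverse direction, since an EUI-64-derived address lets anyone who sees it recover the hardware MAC. The MAC 000f-e200-01c0 is inferred here from the link-local address FE80::20F:E2FF:FE00:1C0 that appears in the display ipv6 interface output later in this guide, and 192.0.2.1 is a constructed tunnel source address.

```python
import ipaddress
from typing import Optional

LINK_LOCAL_PREFIX = bytes.fromhex("fe80") + bytes(6)   # FE80::/64
ISATAP_UPPER = bytes.fromhex("00005efe")               # 0000:5EFE, as stated above


def eui64_from_mac(mac: str) -> bytes:
    """Turn a 48-bit MAC (any separator style) into a 64-bit interface ID."""
    digits = "".join(ch for ch in mac if ch.isalnum())
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(digits)
    # Invert the universal/local bit (0x02 of the first octet) and insert
    # FFFE between the vendor part and the device part of the MAC.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def tunnel_interface_id(source_ipv4: str, isatap: bool) -> bytes:
    """Interface ID of a tunnel interface: upper 32 bits are 0000:5EFE for
    ISATAP and zero otherwise; lower 32 bits are the tunnel source IPv4."""
    upper = ISATAP_UPPER if isatap else bytes(4)
    return upper + ipaddress.IPv4Address(source_ipv4).packed


def link_local(interface_id: bytes) -> ipaddress.IPv6Address:
    """Combine FE80::/64 with a 64-bit interface ID."""
    if len(interface_id) != 8:
        raise ValueError("interface ID must be exactly 64 bits")
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + interface_id)


def embedded_mac(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or return None when
    the interface ID does not carry the FFFE marker (for example, a tunnel
    interface ID or a manually assigned one)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    text = raw.hex()
    return "-".join(text[i:i + 4] for i in (0, 4, 8))


if __name__ == "__main__":
    # MAC inferred from the address shown in this guide's sample output.
    print(link_local(eui64_from_mac("000f-e200-01c0")))
    print(embedded_mac("FE80::20F:E2FF:FE00:1C0"))
    # Constructed tunnel source address (documentation range).
    print(link_local(tunnel_interface_id("192.0.2.1", isatap=True)))
    print(link_local(tunnel_interface_id("192.0.2.1", isatap=False)))
```

When auditing neighbor tables, embedded_mac() returning a value means the address discloses the interface's hardware address to every peer that sees it.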
ICMPv6 message: Redirect message
Type: 137
Function: Informs the source host of a better next hop on the path to a particular destination when certain conditions are satisfied.

Address resolution

This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges. Figure 187 shows how Host A acquires the link-layer address of Host B on a single link.
Figure 188 Duplicate address detection
1. Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address.
2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B.
3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B.
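The DAD exchange in steps 1 to 3, modelled in Python as an added example (not code from this guide). The solicited-node group is formed the standard way, FF02::1:FF00:0/104 plus the low 24 bits of the address being tested; the Host class, the dictionary message layout, and the 2001:db8:: addresses are constructed for illustration. The attempts parameter mirrors the ipv6 nd dad attempts setting described later in this guide, where 0 disables DAD.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def solicited_node(address):
    """Solicited-node multicast group for a unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33-33 followed by
    the low 32 bits of the group address."""
    return "33:33:" + ":".join(f"{b:02x}" for b in group.packed[12:])


def build_dad_ns(tentative):
    """Step 1: the NS has the unspecified source address, goes to the
    solicited-node group, and carries the tentative address as its target."""
    target = ipaddress.IPv6Address(tentative)
    return {"type": "NS", "src": UNSPECIFIED,
            "dst": solicited_node(target), "target": target}


class Host:
    """A node on the link (hypothetical model, constructed for this example)."""

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = {ipaddress.IPv6Address(a) for a in addresses}
        # A node joins the solicited-node group of every address it owns.
        self.groups = {solicited_node(a) for a in self.addresses}

    def receive_ns(self, ns):
        if ns["dst"] not in self.groups:
            return None          # not a group member: never sees the NS
        if ns["target"] not in self.addresses:
            return None          # same low 24 bits, but a different address
        # Step 2: the owner answers. The NS source was unspecified, so the
        # NA is sent to the all-nodes group rather than unicast.
        return {"type": "NA", "sender": self.name, "src": ns["target"],
                "dst": ALL_NODES, "target": ns["target"]}


def duplicate_address_detection(tentative, link_hosts, attempts=1):
    """Return (is_unique, na). attempts=0 means no NS is sent at all, so a
    conflict on the link goes undetected."""
    ns = build_dad_ns(tentative)
    for _ in range(attempts):
        for host in link_hosts:
            na = host.receive_ns(ns)
            if na is not None:
                return False, na     # step 3: address is already in use
    return True, None


if __name__ == "__main__":
    host_b = Host("Host B", ["2001:db8::aa:1234"])
    # Host C shares the low 24 bits with Host B, so it joins the same group.
    host_c = Host("Host C", ["2001:db8::5:ffaa:1234"])
    ns = build_dad_ns("2001:db8::aa:1234")
    print(ns["dst"], multicast_mac(ns["dst"]))
    print(duplicate_address_detection("2001:db8::aa:1234", [host_c, host_b]))
    print(duplicate_address_detection("2001:db8::aa:1234", [host_b], attempts=0))
```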
IPv6 path MTU discovery

The links that a packet passes from a source to a destination may have different MTUs. In IPv6, when the packet size exceeds the path MTU of a link, the packet is fragmented at the source end of the link to reduce the processing pressure on intermediate devices and to use network resources effectively. The path MTU discovery mechanism is designed to find the minimum MTU of all links in the path between a source and a destination.
NAT-PT Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a device between IPv4 and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4 and IPv6 nodes. It performs IP address translation, and according to different protocols, performs semantic translation for packets. This technology is only suitable for communication between a pure IPv4 node and a pure IPv6 node. For more information about NAT-PT, see "Configuring NAT-PT.
Task Remarks Configuring path MTU discovery Configuring the interface MTU Optional. Configuring a static path MTU for a specified IPv6 address Optional. Configuring the aging time for dynamic path MTUs Optional. Configuring IPv6 TCP properties Optional. Configuring IPv6 FIB load sharing Optional. Configuring ICMPv6 packet sending Configuring the maximum ICMPv6 error packets sent in an interval Optional. Enabling replying to multicast echo requests Optional.
• Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.
• Prefix-generated address—The IPv6 global unicast address is generated automatically based on the applied IPv6 prefix, specified sub-prefix bit, and host bit information.
You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
Step 3. Configure an IPv6 address to be generated through stateless address autoconfiguration.
Command: ipv6 address auto
Remarks: By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses automatically generated on the interface.
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 3. Configure the interface to automatically generate an IPv6 link-local address.
Command: ipv6 address auto link-local
Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
Configuring IPv6 ND Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer 3 interface number. You can configure a static neighbor entry by using either of the following methods.
Setting the age timer for ND entries in stale state

ND entries in stale state have an age timer. If an ND entry in stale state is not refreshed before the timer expires, it transitions to the delay state. If it is still not refreshed in five seconds, the ND entry transitions to the probe state, and the device sends an NS message for detection. If no response is received, the device removes the ND entry.

To set the age timer for ND entries in stale state:

Step 1. Enter system view.
The maximum interval for sending RA messages should be less than (or equal to) the router lifetime in RA messages, so the router can be updated through an RA message before expiration. The values of the NS retransmission timer and the reachable time configured for an interface are sent to hosts through RA messages. Furthermore, this interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.
Step 6. Set the M flag bit to 1.
Command: ipv6 nd autoconfig managed-address-flag
Remarks: Optional. By default, the M flag bit is set to 0 and hosts acquire IPv6 addresses through stateless autoconfiguration.

Step 7. Set the O flag bit to 1.
Command: ipv6 nd autoconfig other-flag
Remarks: Optional. By default, the O flag bit is set to 0 and hosts acquire other configuration information through stateless autoconfiguration.

Step 8. Configure the router lifetime in RA messages.
Command: ipv6 nd ra router-lifetime value
Remarks: Optional.
Step 3. Configure the number of attempts to send an NS message for DAD.
Command: ipv6 nd dad attempts value
Remarks: Optional. 1 by default. When the value argument is set to 0, DAD is disabled.

Enabling ND proxy

ND proxy supports the NS and NA messages only.
Figure 191 Application environment of local ND proxy Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2. To solve this problem, enable local ND proxy on GigabitEthernet 0/2 of LB so that LB can forward messages between Host A and Host B.
Configuring path MTU discovery

This section describes how to configure path MTU discovery.

Configuring the interface MTU

IPv6 routers do not support packet fragmentation. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet. Meanwhile, the router sends the MTU to the source host through an ICMPv6 packet — Packet Too Big message. The source host fragments the packet according to the MTU and resends it.
Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Configure the aging time for dynamic path MTUs.
Command: ipv6 pathmtu age age-time
Remarks: Optional. 10 minutes by default.

Configuring IPv6 TCP properties

You can configure the following IPv6 TCP properties:
• synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
Step 2. Configure the IPv6 FIB load sharing mode.
Command:
• Configure load sharing based on the hash algorithm: ipv6 fib-loadbalance-type hash-based
• Configure load sharing based on polling: undo ipv6 fib-loadbalance-type hash-based
Remarks: Optional. By default, load sharing based on polling is adopted and ECMP routes are used in turn to forward packets.

Configuring ICMPv6 packet sending

This section describes how to configure ICMPv6 packet sending.
To enable replying to multicast echo requests:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable replying to multicast echo requests.
Command: ipv6 icmpv6 multicast-echo-reply enable
Remarks: The device is disabled from replying to multicast echo requests.
If an attacker sends abnormal traffic that causes the device to generate ICMPv6 destination unreachable messages, end users may be affected. To prevent such attacks, you can disable the device from sending ICMPv6 destination unreachable messages.

To enable sending ICMPv6 destination unreachable messages:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enable sending ICMPv6 destination unreachable messages.
Command: ipv6 unreachables enable
Remarks: Disabled by default.
Task: Display the total number of neighbor entries satisfying the specified conditions.
Command: display ipv6 neighbors { all | dynamic | interface interface-type interface-number | static | vlan vlan-id } count [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display the neighbor information for a specified VPN.
Command: display ipv6 neighbors vpn-instance vpn-instance-name [ count ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Figure 192 Network diagram

Configuration procedure
1. Configure LB A:
# Enable IPv6.
system-view
[LBA] ipv6
# Assign a global unicast address for interface GigabitEthernet 0/1.
[LBA] interface gigabitethernet 0/1
[LBA-GigabitEthernet0/1] ipv6 address 3001::1/64
[LBA-GigabitEthernet0/1] quit
# Assign a global unicast address for interface GigabitEthernet 0/2 and allow it to advertise RA messages (no interface advertises RA messages by default).
Reply from 3001::1
bytes=56 Sequence=4 hop limit=64 time = 5 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/3/5 ms
# Display the neighbor information of GigabitEthernet 0/2 on LB A.
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 47
OutRequests: 89
OutForwDatagrams: 48
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 6
InMcastNotMembers: 25747
OutMcastPkts: 48
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
[LBA] display ipv6 interface gigabitethernet 0/2
GigabitEthernet0/2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
Global unicast address(es):
InFragTimeouts: 0
OutFragFails: 0
InUnknownProtos: 0
InDelivers: 159
OutRequests: 1012
OutForwDatagrams: 35
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 79
InMcastNotMembers: 65
OutMcastPkts: 938
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Display the IPv6 interface settings on LB B. All the IPv6 global unicast addresses configured on the interface are displayed.
InUnknownProtos: 0
InDelivers: 117
OutRequests: 83
OutForwDatagrams: 0
InNoRoutes: 0
InTooBigErrors: 0
OutFragOKs: 0
OutFragCreates: 0
InMcastPkts: 28
InMcastNotMembers: 0
OutMcastPkts: 7
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Ping LB A and LB B from the host, and ping LB A and the host from LB B to verify that they are connected.

CAUTION: When you ping a link-local address, you should use the "-i" parameter to specify an interface for the link-local address.
Solution

1. Use the display current-configuration command in any view or the display this command in system view to verify that IPv6 is enabled. For more information about the display current-configuration command, see System Management Configuration Guide.
2. Use the display ipv6 interface command in any view to verify that the IPv6 address of the interface is correct and the interface is up.
3.
Configuring IPv6 DNS

IPv6 DNS can be configured only at the CLI.

IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see "Configuring IPv4 DNS.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable dynamic domain name resolution.
   Command: dns resolve
   Remarks: Disabled by default.
3. Specify a DNS server.
   Command: dns server ipv6 ipv6-address [ interface-type interface-number ]
   Remarks: Not specified by default. If the IPv6 address of a DNS server is a link-local address, you need to specify the interface-type and interface-number arguments.
4. Configure a DNS suffix.
   Command: dns domain domain-name
   Remarks: Optional. Not configured by default.
Configuration procedure

# Configure a mapping between host name host.com and IPv6 address 1::2.
system-view
[LB] ipv6 host host.com 1::2
# Enable IPv6.
[LB] ipv6
# Use the ping ipv6 host.com command to verify that LB can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[LB] ping ipv6 host.com
PING host.
Figure 194 Network diagram

Configuration procedure

Before performing the following configuration, make sure LB and the host are accessible to each other through available routes, and the IPv6 addresses of the interfaces are configured as shown in Figure 194.

This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
Figure 196 Creating a record

d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
e. Click Create Record.
Figure 197 Selecting the resource record type

f. On the page that appears, enter host name host and IPv6 address 1::1, and then click OK. The mapping between the host name and the IPv6 address is created.
Figure 198 Adding a mapping between domain name and IPv6 address

2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[LB] dns resolve
# Specify the DNS server 2::2.
[LB] dns server ipv6 2::2
# Configure com as the DNS suffix.
[LB] dns domain com

Verifying the configuration

# Use the ping ipv6 host command on LB to verify that the communication between LB and the host is normal and that the corresponding destination IP address is 1::1.
bytes=56 Sequence=2 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=5 hop limit=126 time = 1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring IPv6 static routing

The term "router" in this document refers to both routers and LB modules.

IPv6 static routing can be configured only at the CLI.

Overview

Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator has to modify the static routes manually.
Displaying and maintaining IPv6 static routes

Task: Display IPv6 static route information.
Command: display ipv6 routing-table protocol static [ inactive | verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

IPv6 static routing configuration example

Network requirements

As shown in Figure 199, configure IPv6 static routes so that hosts can reach one another.

Figure 199 Network diagram

Configuration procedure

1. Configure IPv6 addresses for all interfaces.
3. Configure the IPv6 addresses of all the hosts based on the network diagram, and configure the default gateway of Host A as 1::1, Host B as 2::1, and Host C as 3::1.
4. Verify the configuration:
# Display the IPv6 routing table on Router A.
Configuring an IPv6 default route

An IPv6 default route is used to forward packets that match no entry in the routing table. An IPv6 default route can be configured in either of the following ways:
• The network administrator can configure a default route with a destination prefix of ::/0. For more information, see "Configuring IPv6 static routing."
• Some dynamic routing protocols, such as OSPFv3 and RIPng, can generate an IPv6 default route.
Configuring RIPng

The term "router" in this document refers to both routers and LB modules.

RIP next generation (RIPng) can be configured only at the CLI.

RIPng is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in RIPng. RIPng for IPv6 has the following basic differences from RIP:
• UDP port number—RIPng uses UDP port 521 for sending and receiving routing information.
• Multicast address—RIPng uses FF02::9 as the link-local-router multicast address.
• Configure an IP address for each interface, and make sure all nodes are reachable to one another.

Configuration procedure

To configure the basic RIPng functions:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a RIPng process and enter RIPng view.
   Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: Not created by default.
3. Return to system view.
   Command: quit
   Remarks: N/A
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Enable RIPng on the interface.
4. Specify an outbound routing additional metric.
   Command: ripng metricout value
   Remarks: Optional. 1 by default.

Configuring RIPng route summarization

1. Enter system view.
   Command: system-view
2. Enter interface view.
   Command: interface interface-type interface-number
3. Advertise a summary IPv6 prefix.
Configuring a priority for RIPng

Routing protocols have their own protocol priorities used for optimal route selection. You can set a priority for RIPng manually. The smaller the value, the higher the priority.

To configure a RIPng priority:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIPng view.
   Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure a RIPng priority.
   Command: preference [ route-policy route-policy-name ] preference
   Remarks: Optional.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIPng view.
   Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure RIPng timers.
   Command: timers { garbage-collect garbage-collect-value | suppress suppress-value | timeout timeout-value | update update-value } *
   Remarks: Optional. The RIPng timers have the following defaults:
   • Update timer—30 seconds.
   • Timeout timer—180 seconds.
   • Suppress timer—20 seconds.
   • Garbage-collect timer—20 seconds.
Configuring zero field check on RIPng packets

Some fields in the RIPng packet must be zero. These fields are called "zero fields." With zero field check on RIPng packets enabled, if such a field contains a non-zero value, the entire RIPng packet is discarded. If you are sure that all packets are reliable, disable the zero field check to reduce the CPU processing time.

To configure RIPng zero field check:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter RIPng view.
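The following Python sketch is an added illustration of the zero field check, not code from this guide or from the device. It assumes the RIPng packet layout from RFC 2080 and checks only the two-byte must-be-zero field in the header, since the guide does not list which fields the device inspects; the sample routes and all function names are constructed for the example.

```python
"""Zero field check on a RIPng packet (added example; layout per RFC 2080)."""
import ipaddress
import struct

RIPNG_PORT = 521                      # UDP port named in this guide
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
RTE = struct.Struct("!16sHBB")        # prefix, route tag, prefix length, metric
REQUEST, RESPONSE = 1, 2
NEXT_HOP_METRIC = 0xFF                # marks a next-hop entry, not a route
INFINITY = 16


class RipngDiscard(Exception):
    """Raised when the whole packet must be dropped."""


def parse_ripng(payload, zero_field_check=True):
    """Return (command, [(prefix, metric, tag), ...]) or raise RipngDiscard."""
    body = len(payload) - HEADER.size
    if body < 0 or body % RTE.size:
        raise RipngDiscard("truncated header or partial route entry")
    command, version, must_be_zero = HEADER.unpack_from(payload)
    if command not in (REQUEST, RESPONSE) or version != 1:
        raise RipngDiscard("unknown command or version")
    # The check described above: one non-zero reserved field drops the
    # entire packet, not just a single route entry.
    if zero_field_check and must_be_zero != 0:
        raise RipngDiscard("must-be-zero field is 0x%04x" % must_be_zero)
    routes = []
    for offset in range(HEADER.size, len(payload), RTE.size):
        prefix, tag, prefix_len, metric = RTE.unpack_from(payload, offset)
        if metric == NEXT_HOP_METRIC:
            continue                  # next-hop entry carries no route
        if prefix_len > 128 or not 1 <= metric <= INFINITY:
            raise RipngDiscard("invalid prefix length or metric")
        network = ipaddress.IPv6Network((prefix, prefix_len), strict=False)
        routes.append((str(network), metric, tag))
    return command, routes


def build_response(routes, must_be_zero=0):
    """Build a constructed RIPng response from (prefix, length, metric) tuples."""
    packet = HEADER.pack(RESPONSE, 1, must_be_zero)
    for prefix, prefix_len, metric in routes:
        packed = ipaddress.IPv6Address(prefix).packed
        packet += RTE.pack(packed, 0, prefix_len, metric)
    return packet


def receive(payload, zero_field_check=True):
    """Model the receive decision: accept the routes or discard the packet."""
    try:
        _, routes = parse_ripng(payload, zero_field_check)
    except RipngDiscard as reason:
        return "discarded: %s" % reason
    return "accepted %d route(s)" % len(routes)


# Constructed sample input: two routes, once clean and once with the
# reserved header field set to a non-zero value.
SAMPLE_ROUTES = [("1::", 64, 1), ("4::", 64, 2)]
CLEAN = build_response(SAMPLE_ROUTES)
TAMPERED = build_response(SAMPLE_ROUTES, must_be_zero=0x1234)

if __name__ == "__main__":
    print(receive(CLEAN))
    print(receive(TAMPERED))
    print(receive(TAMPERED, zero_field_check=False))
```

With the check disabled, the tampered packet is accepted and its routes are installed, which is why the guide ties disabling the check to being sure that all packets are reliable.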
RIPng configuration examples

Configuring RIPng basic functions

Network requirements

As shown in Figure 200, all devices learn IPv6 routing information through RIPng. Configure Router A to filter the route (3::/64) learned from Router B, which means the route is not added to the routing table of Router A, and Router B does not forward it to LB.

Figure 200 Network diagram

Configuration procedure

1. Configure the IPv6 address for each interface. (Details not shown.)
2.
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ripng 1 enable
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/3
[RouterB-GigabitEthernet0/3] ripng 1 enable
[RouterB-GigabitEthernet0/3] quit
# Display the RIPng routing table of Router A.
via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[LB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE00:1235 on GigabitEthernet0/1
Dest 1::/64, via FE80::20F:E2FF:FE00:1235, cost 1, tag 0, A, 2 Sec
Dest 4::/64, via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec
Dest 5::/64, via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec

Configuring RIPng route redistribution

Netw
[LB-GigabitEthernet0/2] quit
[LB] ripng 200
[LB-ripng-200] quit
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ripng 200 enable
# Enable RIPng 200 on Router B.
system-view
[RouterB] ripng 200
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ripng 200 enable
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ripng 200 enable
[RouterB-GigabitEthernet0/2] quit
# Display the routing table on Router A.
[LB] ripng 200
[LB-ripng-200] import-route ripng 100
[LB-ripng-200] quit
# Display the routing table on Router A.
Configuring OSPFv3

The term "router" in this document refers to both routers and LB modules.

Open Shortest Path First version 3 (OSPFv3) can be configured only at the CLI.

OSPFv3 supports IPv6 and complies with RFC 2740 (OSPF for IPv6).
Enabling OSPFv3

Configuration prerequisites

Before you enable OSPFv3, complete the following tasks:
• Make neighboring nodes accessible with each other at the network layer.
• Enable IPv6 packet forwarding.

Enabling OSPFv3

To enable an OSPFv3 process on a router, you must enable the OSPFv3 process globally, assign the OSPFv3 process a router ID, and enable the OSPFv3 process on related interfaces. A router ID uniquely identifies a router within an AS.
• Configure OSPFv3 basic functions.

Configuring an OSPFv3 stub area

Follow these guidelines when you configure an OSPFv3 stub area:
• You cannot remove an OSPFv3 area directly. The area can be removed only when you remove all configurations in area view and all interfaces attached to the area become down.
• All the routers attached to a stub area must be configured with the stub command. The keyword no-summary is only available on the ABR of the stub area.
Configuring OSPFv3 network types

OSPFv3 classifies networks into the following types by the link layer protocol:

By default, the OSPFv3 interface network types vary with the link layer protocols of the interfaces:
• When the link layer protocol is PPP, OSPFv3 considers the network type as P2P by default.
• When the link layer protocol is Ethernet, OSPFv3 considers the network type as broadcast by default.
Configuring OSPFv3 routing information control

This section describes how to configure the control of OSPF routing information advertisement and reception, and redistribution from other protocols.

Configuration prerequisites

Before you configure OSPFv3 routing information control, complete the following tasks:
• Enable IPv6 packet forwarding.
• Configure OSPFv3 basic functions.
Configuring an OSPFv3 cost for an interface

You can configure an OSPFv3 cost for an interface with one of the following methods:
• Configure the cost value in interface view.
• Configure a bandwidth reference value for the interface, and OSPFv3 computes the cost automatically based on the bandwidth reference value: Interface OSPFv3 cost = Bandwidth reference value (100 Mbps) ÷ Interface bandwidth (Mbps).
Configuring a priority for OSPFv3

A router can run multiple routing protocols. The system assigns a priority to each protocol. When these routing protocols find the same route, the route found by the protocol with the highest priority is selected.

To configure a priority for OSPFv3:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter OSPFv3 view.
   Command: ospfv3 [ process-id ]
   Remarks: N/A
3. Configure a priority for OSPFv3.
Tuning and optimizing OSPFv3 networks

This section describes configurations of OSPFv3 timers, interface DR priority, MTU check ignorance for DD packets, and disabling interfaces from sending OSPFv3 packets.

The following are OSPFv3 timers:
• Packet timer—Specified to adjust topology convergence speed and network load.
• LSA delay timer—Specified especially for low-speed links.
• SPF timer—Specified to protect networks from being over-loaded due to frequent network changes.
7. Configure the LSA transmission delay.
   Command: ospfv3 trans-delay seconds [ instance instance-id ]
   Remarks: Optional. By default, the LSA transmission delay is 1 second.
8. Return to system view.
   Command: quit
   Remarks: N/A
9. Enter OSPFv3 view.
   Command: ospfv3 [ process-id ]
   Remarks: N/A
10. Configure the SPF timers.
   Command: spf timers delay-interval hold-interval
   Remarks: Optional. By default, delay-interval is 5 seconds, and hold-interval is 10 seconds.
Disabling interfaces from receiving and sending OSPFv3 packets

Follow these guidelines when you disable interfaces from receiving and sending OSPFv3 packets:
• Multiple OSPFv3 processes can disable the same interface from receiving and sending OSPFv3 packets. Using the silent-interface command disables only the interfaces associated with the current process.
Task: Display OSPFv3 neighbor information.
Command: display ospfv3 [ process-id ] [ area area-id ] peer [ [ interface-type interface-number ] [ verbose ] | peer-router-id ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display OSPFv3 neighbor statistics.
Command: display ospfv3 peer statistics [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display OSPFv3 routing table information.
Figure 202 Network diagram (Router A, Router B, Router C, and LB in OSPFv3 Area 0, Area 1, and Area 2, with Area 2 labeled Stub; interface addresses in 2001::/64, 2001:1::/64, 2001:2::/64, and 2001:3::/64)

Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.
[RouterC-GigabitEthernet0/1] ospfv3 1 area 0
[RouterC-GigabitEthernet0/1] quit
[RouterC] interface gigabitethernet 0/2
[RouterC-GigabitEthernet0/2] ospfv3 1 area 2
[RouterC-GigabitEthernet0/2] quit
# Configure LB.
system-view
[LB] ipv6
[LB] ospfv3 1
[LB-ospfv3-1] router-id 4.4.4.4
[LB-ospfv3-1] quit
[LB] interface gigabitethernet 0/2
[LB-GigabitEthernet0/2] ospfv3 1 area 2
[LB-GigabitEthernet0/2] quit
# Display OSPFv3 neighbor information on Router B.
[RouterB] display ospfv3 peer
OSPFv3 Area ID 0.
Type : IA Cost : 2
NextHop : FE80::F40D:0:93D0:1 Interface: GE0/2

*Destination: 2001:1::/64
Type : IA Cost : 3
NextHop : FE80::F40D:0:93D0:1 Interface: GE0/2

*Destination: 2001:2::/64
Type : I Cost : 1
NextHop : directly-connected Interface: GE0/2

*Destination: 2001:3::/64
Type : IA Cost : 4
NextHop : FE80::F40D:0:93D0:1 Interface: GE0/2

3. Configure Area 2 as a stub area:
# Configure LB.
[LB] ospfv3
[LB-ospfv3-1] area 2
[LB-ospfv3-1-area-0.0.0.
NextHop : directly-connected Interface: GE0/2

*Destination: 2001:3::/64
Type : IA Cost : 4
NextHop : FE80::F40D:0:93D0:1 Interface: GE0/2

4. Configure Area 2 as a totally stub area to reduce the stub area routing table size:
# Configure Area 2 as a totally stub area on Router C.
[RouterC-ospfv3-1-area-0.0.0.2] stub no-summary
# Display OSPFv3 routing table information on LB.
Figure 203 Network diagram (LB, Router A, Router B, and Router C, each connected through GE0/1; interface addresses 2001::1/64, 2001::2/64, 2001::3/64, and 2001::4/64)

Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Configure LB.
system-view
[LB] ipv6
[LB] ospfv3
[LB-ospfv3-1] router-id 1.1.1.1
[LB-ospfv3-1] quit
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ospfv3 1 area 0
[LB-GigabitEthernet0/1] quit
# Configure Router B.
[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 4.4.4.4
[RouterA-ospfv3-1] quit
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ospfv3 1 area 0
[RouterA-GigabitEthernet0/1] quit
# Display neighbor information on LB.
[LB] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
---------------------------------------------------------------------
Neighbor ID Pri State Dead Time Interface Instance ID
2.2.2.2 1 2-Way/DROther 00:00:36 GE0/1 0
3.3.3.
4.4.4.4 1 Full/DR 00:00:36 GE0/1 0

The output shows that DR priorities have been updated, but the DR and BDR are not changed.

# Display neighbor information on Router A.
[RouterA] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
---------------------------------------------------------------------
Neighbor ID Pri State Dead Time Interface Instance ID
1.1.1.1 100 Full/DROther 00:00:33 GE0/1 0
2.2.2.2 0 Full/DROther 00:00:36 GE0/1 0
3.3.3.
Figure 204 Network diagram

Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Enable OSPFv3 process 1 on Router A.
system-view
[RouterA] ipv6
[RouterA] ospfv3 1
[RouterA-ospfv3-1] router-id 1.1.1.
[RouterB] interface gigabitethernet0/2
[RouterB-GigabitEthernet0/2] ospfv3 2 area 2
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 2 area 2
[RouterB-GigabitEthernet0/1] quit
# Display the routing table of Router B.
[RouterB] display ipv6 routing-table
Routing Table : Destinations : 6 3.
NextHop : ::1 Preference: 0
Interface : InLoop0 Cost : 0

Destination: 1::/64 Protocol : OSPFv3
NextHop : FE80::200:CFF:FE01:1C03 Preference: 150
Interface : GE0/2 Cost : 3

Destination: 2::/64 Protocol : OSPFv3
NextHop : FE80::200:CFF:FE01:1C03 Preference: 150
Interface : GE0/2 Cost : 3

Destination: 3::/64 Protocol : Direct
NextHop : 3::2 Preference: 0
Interface : GE0/2 Cost : 0

Destination: 3::2/128 Protocol : Direct
NextHop : ::1 Preference: 0
Interface : InLoop0
3. Ping the neighbor router's IP address to check connectivity.
4. Check OSPF timers. The dead interval on an interface must be at least four times the hello interval.
5. On a broadcast network, at least one interface must have a DR priority higher than 0.

Incorrect routing information

Symptom

OSPFv3 cannot find routes to other areas.

Analysis

The backbone area must maintain connectivity to all other areas.
Configuring IPv6 BGP

This chapter describes only configuration for IPv6 BGP. For BGP-related information, see "Configuring BGP."

The term "router" in this document refers to both routers and LB modules.

IPv6 BGP can be configured only at the CLI.

IPv6 BGP overview

BGP-4 can only carry IPv4 routing information. To support multiple network layer protocols, IETF extended BGP-4 by introducing Multiprotocol Border Gateway Protocol (MP-BGP). MP-BGP for IPv6 is called "IPv6 BGP" for short.
Task / Remarks

Controlling route distribution and reception
Configuring IPv6 BGP route attributes
Tuning and optimizing IPv6 BGP networks
Configuring a large-scale IPv6 BGP network

Configuring IPv6 BGP route redistribution: Optional.
Configuring IPv6 BGP route summarization: Optional.
Advertising a default route to an IPv6 peer or peer group: Optional.
Configuring outbound route filtering: Optional.
Configuring inbound route filtering: Optional.
3. Specify a router ID.
   Command: router-id router-id
   Remarks: Optional. Required, if no IP addresses are configured for any interfaces.
4. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
   Command: ipv6-family [ vpn-instance vpn-instance-name ]
   Remarks: N/A
5. Specify an IPv6 peer.
   Command: peer ipv6-address as-number as-number
   Remarks: N/A

Injecting a local IPv6 route

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3.
Specifying the source interface for establishing TCP connections

IPv6 BGP uses TCP as the transport layer protocol. By default, IPv6 BGP uses the output interface of the optimal route to a peer or peer group as the source interface for establishing TCP connections to the peer or peer group. If an IPv6 BGP router has multiple links to a peer, and the source interface fails, IPv6 BGP must reestablish TCP connections, causing network oscillation.
Configuring a description for an IPv6 peer or peer group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Configure a description for an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } description description-text
   Remarks: Optional. Not configured by default. The peer group to be configured with a description must have been created.
Controlling route distribution and reception

This task includes routing information filtering, routing policy application, and route dampening.

Configuration prerequisites

Before you configure route distribution and reception control, complete the following tasks:
• Enable IPv6.
• Configure IPv6 BGP basic functions.

Configuring IPv6 BGP route redistribution

IMPORTANT: If the default-route imported command is not configured, using the import-route command cannot redistribute an IGP default route.
Advertising a default route to an IPv6 peer or peer group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Advertise a default route to an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } default-route-advertise [ route-policy route-policy-name ]
   Remarks: Not advertised by default.
NOTE: IPv6 BGP advertises routes passing the specified policy to peers. Using the protocol argument can filter only the routes redistributed from the specified protocol. If no protocol is specified, IPv6 BGP filters all routes to be advertised, including redistributed routes and routes imported with the network command.

Configuring inbound route filtering

Only routes passing the configured filtering can be added into the local IPv6 BGP routing table.
IGP route with the same destination network segment before it can advertise the IBGP route (use the display ipv6 routing-table protocol command to check the IGP route state).

To configure IPv6 BGP and IGP route synchronization:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Enable route synchronization between IPv6 BGP and IGP.
   Command: synchronization
   Remarks: Not enabled by default.
Configuring IPv6 BGP preference and default LOCAL_PREF and NEXT_HOP attributes

To ensure an IBGP peer can find the correct next hop, you can configure routes advertised to the IPv6 IBGP peer or peer group to use the local router as the next hop. If BGP load balancing is configured, the local router specifies itself as the next hop of routes sent to an IPv6 IBGP peer or peer group regardless of whether the peer next-hop-local command is configured.
5. Enable the comparison of MED for routes from different EBGP peers.
   Command: compare-different-as-med
   Remarks: Optional. Not enabled by default. The IPv6 BGP-VPN instance view does not support this command.
6. Enable the comparison of MED for routes from each AS.
   Command: bestroute compare-med
   Remarks: Optional. Disabled by default. The IPv6 BGP-VPN instance view does not support this command.
7. Enable the comparison of MED for routes from confederation peers.
   Remarks: Optional.
After establishing an IPv6 BGP connection, two routers send keepalive messages periodically to each other to maintain the connection. If a router receives no keepalive message from the peer after the holdtime elapses, it tears down the connection. When establishing an IPv6 BGP connection, the two parties compare their holdtimes, taking the shorter one as the common holdtime. If the holdtime is 0, no keepalive message is sent and the holdtime is not checked.
5. Configure the interval for sending the same update to an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } route-update-interval interval
   Remarks: Optional. The interval for sending the same update to an IBGP peer or an EBGP peer defaults to 15 seconds or 30 seconds.

Configuring IPv6 BGP soft reset

Enabling route refresh

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Enter IPv6 address family view.
(if any), to filter updates to the BGP speaker, reducing the number of exchanged update messages and saving network resources. After you enable the BGP ORF capability, the local BGP router negotiates the ORF capability with the BGP peer through Open messages. The local BGP router determines whether to carry ORF information in messages. If yes, it further determines whether to carry non-standard ORF information in the packets.
After you enable the 4-byte AS number suppression function, the peer device can then process the Open message even though it does not support 4-byte AS numbers, and the IPv6 BGP peer relationship can be established.

If the peer device supports 4-byte AS numbers, do not enable the 4-byte AS number suppression function. Otherwise, the BGP peer relationship cannot be established.

To enable 4-byte AS number suppression:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Enable MD5 authentication when establishing a TCP connection to the peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } password { cipher | simple } password
   Remarks: Not enabled by default.

Configuring a large-scale IPv6 BGP network

In a large-scale IPv6 BGP network, configuration and maintenance become inconvenient because of too many peers.
Creating a pure EBGP peer group

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter BGP view.
   Command: bgp as-number
   Remarks: N/A
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Create an EBGP peer group.
   Command: group ipv6-group-name external
   Remarks: N/A
5. Configure the AS number for the peer group.
   Command: peer ipv6-group-name as-number as-number
   Remarks: Not configured by default.
6. Add an IPv6 peer into the peer group.
   Command: peer ipv6-address group ipv6-group-name
   Remarks: Not added by default.
3. Enter IPv6 address family view.
   Command: ipv6-family
   Remarks: N/A
4. Advertise COMMUNITY attribute to an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } advertise-community
   Remarks: Not advertised by default.
5. Advertise extended community attribute to an IPv6 peer or peer group.
   Command: peer { ipv6-group-name | ipv6-address } advertise-ext-community
   Remarks: Not advertised by default.
6. Configure the cluster ID of the route reflector.
   Command: reflector cluster-id cluster-id
   Remarks: Optional. By default, a route reflector uses its router ID as the cluster ID.

Displaying and maintaining IPv6 BGP

Displaying BGP

Task: Display IPv6 BGP peer group information.
Command: display bgp ipv6 group [ ipv6-group-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display IPv6 BGP advertised routing information.
Task: Display IPv6 BGP routing flap statistics.
Command: display bgp ipv6 routing-table flap-info [ regular-expression as-regular-expression | [ as-path-acl as-path-acl-number | ipv6-address prefix-length [ longer-match ] ] [ | { begin | exclude | include } regular-expression ] ]
Remarks: Available in any view.

Task: Display BGP routing information to or from an IPv4 or IPv6 peer.
IPv6 BGP basic configuration

Network requirements

All devices in Figure 205 run IPv6 BGP. Between Router A and Router B is an EBGP connection. Router B, Router C, and LB are fully meshed through IBGP connections.

Figure 205 Network diagram

Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IBGP connections:
# Configure Router B.
system-view
[RouterB] ipv6
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.
[LB-bgp-af-ipv6] peer 9:2::1 as-number 65009
[LB-bgp-af-ipv6] quit
[LB-bgp] quit
3. Configure the EBGP connection:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 10::1 as-number 65009
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp] quit
# Configure Router B.
IPv6 BGP route reflector configuration example

Network requirements

In Figure 206, Router B receives an EBGP update and sends it to LB, which is configured as a route reflector with two clients: Router B and Router C. Router B and Router C need not establish an IBGP connection because LB reflects updates between them.

Figure 206 Network diagram

Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 BGP basic functions:
# Configure Router A.
[LB-bgp-af-ipv6] peer 102::2 as-number 200
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] bgp 200
[RouterC-bgp] router-id 4.4.4.4
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 102::1 as-number 200
3. Configure LB as a route reflector, and configure Router B and Router C as its clients.
[LB-bgp-af-ipv6] peer 101::2 reflect-client
[LB-bgp-af-ipv6] peer 102::2 reflect-client
4.
Displaying and maintaining an IPv6 routing table

Displaying the routing table is a basic way to troubleshoot routing problems. The device supports displaying the routing table only at the CLI.

To display the routing table:

Task: Display IPv6 routing table information.
Command: display ipv6 routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display information about routes permitted by an IPv6 basic ACL.
Configuring IPv6 policy-based routing

IPv6 policy-based routing can be configured only at the CLI.

Introduction to IPv6 policy-based routing

What is policy-based routing

Different from destination-based routing, policy-based routing (PBR) uses user-defined policies to route packets based on the source address, packet length, and other criteria.
Table 37 Priorities and meanings of the apply clauses

Clause: apply ipv6-precedence
Meaning: Sets an IP precedence.
Priority: If configured, this clause will always be executed.

Clause: apply output-interface and apply ipv6-address next-hop
Meaning: Sets the output interface and sets the next hop.
Priority: The apply output-interface clause takes precedence over the apply ipv6-address next-hop clause. Only the apply output-interface clause is executed when both are configured.
Configuring an IPv6 policy Creating an IPv6 node Step Command 1. Enter system view. system-view 2. Create an IPv6 policy or policy node and enter IPv6 policy node view. ipv6 policy-based-route policy-name [ deny | permit ] node node-number Configuring match criteria for an IPv6 node An ACL match criterion uses the specified ACL to match packets if the match mode is configured as permit. If the specified ACL does not exist or the match mode is configured as deny, no packet can match the criterion.
Step Command Remarks Optional. 6. Set a default output interface for permitted IPv6 packets. apply default output-interface interface-type interface-number 7. Set a default next hop for permitted IPv6 packets. apply ipv6-address default next-hop ipv6-address You can specify up to five output interfaces to achieve load sharing. Optional. You can specify up to five output interfaces to achieve load sharing.
To configure IPv6 interface PBR:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
Step 3. Apply an IPv6 policy on the interface.
   Command: ipv6 policy-based-route policy-name
   Remarks: Not applied by default.

Displaying and maintaining IPv6 PBR configuration

Task: Display information about IPv6 local PBR and IPv6 interface PBR.
Configuration procedure

1. Configure LB:
# Configure ACL 3001 to match TCP packets.
<LB> system-view
[LB] ipv6
[LB] acl ipv6 number 3001
[LB-acl6-adv-3001] rule permit tcp
[LB-acl6-adv-3001] quit
# Configure Node 5 of policy aaa, so that TCP packets are forwarded via GigabitEthernet 0/1.
[LB] ipv6 policy-based-route aaa permit node 5
[LB-pbr6-aaa-5] if-match acl6 3001
[LB-pbr6-aaa-5] apply ipv6-address next-hop 1::2
[LB-pbr6-aaa-5] quit
# Configure IPv6 local PBR by applying policy aaa on LB.
Figure 208 Network diagram

Configuration procedure

1. Configure LB:
# Configure RIPng.
<LB> system-view
[LB] ipv6
[LB] ripng 1
[LB-ripng-1] quit
[LB] interface gigabitethernet 0/1
[LB-GigabitEthernet0/1] ipv6 address 1::1 64
[LB-GigabitEthernet0/1] ripng 1 enable
[LB-GigabitEthernet0/1] quit
[LB] interface gigabitethernet0/2
[LB-GigabitEthernet0/2] ipv6 address 2::1 64
[LB-GigabitEthernet0/2] ripng 1 enable
[LB-GigabitEthernet0/2] quit
# Configure ACL 3001 to match TCP packets.
[LB-GigabitEthernet0/3] ipv6 address 10::2 64
[LB-GigabitEthernet0/3] undo ipv6 nd ra halt
[LB-GigabitEthernet0/3] ripng 1 enable
[LB-GigabitEthernet0/3] ipv6 policy-based-route aaa
2. Configure RIPng for Router B.
<RouterB> system-view
[RouterB] ipv6
[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ipv6 address 1::2 64
[RouterB-GigabitEthernet0/1] ripng 1 enable
3. Configure RIPng for Router A.
Figure 209 Network diagram Configuration procedure 1. Configure LB: # Configure RIPng.
[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ipv6 address 150::2 64
[RouterA-GigabitEthernet0/1] ripng 1 enable
[RouterA-GigabitEthernet0/1] quit
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ipv6 address 151::2 64
[RouterA-GigabitEthernet0/2] ripng 1 enable
[RouterA-GigabitEthernet0/2] quit
[RouterA] interface loopback 0
[RouterA-LoopBack0] ipv6 address 10::1 128
[RouterA-LoopBack0] ripng 1 enable
3.
g success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002
*Jun 7 16:03:31:949 2012 LB PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routin
g success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002

The preceding information shows that LB sets the next hop for the received packets to 150::2 according to PBR. The packets are forwarded via GigabitEthernet 0/1.
# Ping Loopback 0 of Router A from Host A, and set the data length to 200 bytes.
Configuring routing policies

Routing policies control routing paths by filtering and modifying routing information. This chapter describes both IPv4 and IPv6 routing policies. The term "router" in this document refers to both routers and LB modules. Routing policies can be configured only at the CLI.

Overview

Routing policies can filter advertised, received, and redistributed routes, and modify attributes for specific routes.

To configure a routing policy:
1.
For more information about community list, see "Configuring BGP."

Extended community list

An extended community list matches the extended community attribute (Route-Target for VPN and Source of Origin) of BGP routing information.

Routing policy

A routing policy can comprise multiple nodes, which are in a logical OR relationship. A node with a smaller number is matched first. A route that matches one node matches the routing policy. A node can comprise a set of if-match, apply, and continue clauses.
<Sysname> system-view
[Sysname] ip ip-prefix abc index 10 deny 10.1.0.0 16
[Sysname] ip ip-prefix abc index 20 deny 10.2.0.0 16
[Sysname] ip ip-prefix abc index 30 deny 10.3.0.0 16
[Sysname] ip ip-prefix abc index 40 permit 0.0.0.0 0 less-equal 32

Configuring an IPv6 prefix list

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Configure an IPv6 prefix list.
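The following added example (not part of the original guide) models how the IPv4 prefix list abc shown above is evaluated, and why a troubleshooting check for at least one permit item matters. It assumes the usual prefix-list semantics: items are tried in ascending index order, the first match decides, a route matching no item is denied, and an item without less-equal matches only its exact mask length. The names ABC, ABC_STRICT, item_matches and evaluate are hypothetical.

```python
import ipaddress

# Constructed model of the page's IPv4 prefix list "abc":
# (index, action, prefix, less_equal); less_equal=None means the keyword is absent.
ABC = [
    (10, "deny", "10.1.0.0/16", None),
    (20, "deny", "10.2.0.0/16", None),
    (30, "deny", "10.3.0.0/16", None),
    (40, "permit", "0.0.0.0/0", 32),
]

# Hypothetical variant: item 10 also covers more-specific routes inside 10.1.0.0/16.
ABC_STRICT = [(10, "deny", "10.1.0.0/16", 32)] + ABC[1:]


def item_matches(route, prefix, less_equal):
    """True if route lies inside prefix and its mask length is in the allowed range."""
    net = ipaddress.ip_network(prefix)
    # Assumed semantics: without less-equal, the mask length must match exactly.
    max_len = net.prefixlen if less_equal is None else less_equal
    return net.prefixlen <= route.prefixlen <= max_len and route.subnet_of(net)


def evaluate(prefix_list, route_text):
    """Return (action, index) of the first matching item, lowest index first."""
    route = ipaddress.ip_network(route_text)
    for index, action, prefix, less_equal in sorted(prefix_list, key=lambda i: i[0]):
        if item_matches(route, prefix, less_equal):
            return action, index
    return "deny", None  # no item matched: the route is filtered


if __name__ == "__main__":
    for r in ("10.1.0.0/16", "10.1.1.0/24", "192.168.1.0/24"):
        print(r, evaluate(ABC, r), evaluate(ABC_STRICT, r))
    # With the permit item removed, every route is denied.
    print(evaluate(ABC[:3], "192.168.1.0/24"))
```

Under these assumptions, 10.1.1.0/24 is not caught by item 10 and falls through to the catch-all permit at index 40, so a filter meant to block a whole range needs less-equal on the deny items as well.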
Step 2. Configure a community list.
   • Configure a basic community list:
     ip community-list { basic-comm-list-num | basic comm-list-name } { deny | permit } [ community-number-list ] [ internet | no-advertise | no-export | no-export-subconfed ] *
   • Configure an advanced community list:
   Remarks: Use either approach. Not configured by default.
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create a routing policy and a node and enter routing policy view.
   Command: route-policy route-policy-name { deny | permit } node node-number
   Remarks: By default, no routing policy is created.

Configuring if-match clauses

Follow these guidelines when you configure if-match clauses:
• The if-match clauses of a routing policy node have a logical AND relationship.
Step Command Remarks Match BGP routing information whose COMMUNITY attribute is specified in the community lists. if-match community { { basic-community-list-number | comm-list-name } [ whole-match ] | adv-community-list-number }&<1-16> Optional. 7. Match routes having the specified cost. if-match cost value 8. Match BGP routing information whose extended community attribute is specified in the extended community lists.
Step 5. Set the COMMUNITY attribute for BGP routes.
   Command: apply community { none | additive | { community-number&<1-16> | aa:nn&<1-16> | internet | no-advertise | no-export | no-export-subconfed } * [ additive ] }
Step 6. Set a cost for routing information.
   Command: apply cost [ + | - ] value
Step 7. Set a cost type for routing information.
   Command: apply cost-type [ external | internal | type-1 | type-2 ]
   Remarks: Optional.
Step 8. Set the extended community attribute for BGP routes.
To configure a continue clause for a routing policy:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Create a routing policy and enter routing policy view.
   Command: route-policy route-policy-name { deny | permit } node node-number
   Remarks: Not created by default.
Step 3. Specify the next node to be matched.
   Command: continue [ node-number ]
   Remarks: Optional. Not configured by default. The specified next node must have a larger number than the current node.
• On LB, enable static route redistribution into RIPng and apply a routing policy to permit routes 20::/32 and 40::/32 and deny route 30::/32.

Figure 210 Network diagram (LB: GE0/1 10::1/32, GE0/2 11::1/32; Router: GE0/1 10::2/32; static routes 20::/32, 30::/32, 40::/32)

Configuration procedure

1. Configure LB:
# Configure IPv6 addresses for interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2.
[Router-GigabitEthernet0/1] ipv6 address 10::2 32
# Enable RIPng on the interface.
[Router-GigabitEthernet0/1] ripng 1 enable
[Router-GigabitEthernet0/1] quit
# Enable RIPng.
[Router] ripng
# Display RIPng routing table information.
<RouterA> system-view
[RouterA] bgp 100
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 1.1.1.2 as-number 300
# Configure Router B.
<RouterB> system-view
[RouterB] bgp 200
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 1.1.2.2 as-number 300
# Configure Router C.
<RouterC> system-view
[RouterC] bgp 300
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 1.1.1.1 as-number 100
[RouterC-bgp] peer 1.1.2.1 as-number 200
[RouterC-bgp] peer 1.1.3.2 as-number 400
# Configure LB.
The output shows that LB has learned routes 4.4.4.0/24, 5.5.5.0/24, and 6.6.6.0/24 from AS 100 and 7.7.7.0/24, 8.8.8.0/24, and 9.9.9.0/24 from AS 200.
3. Configure LB to reject the routes from AS 200:
# Configure AS path list 1.
[LB] ip as-path 1 permit .*200.*
# Create routing policy rt1 with node 1, and specify the match mode as deny to deny routes from AS 200.
Solution
1. Use the display ip ip-prefix command to display IP prefix list information.
2. Use the display route-policy command to display routing policy information.

IPv6 routing information filtering failure

Symptom
The routing protocol is running properly, but routing information filtering fails.

Analysis
At least one item of the IPv6 prefix list must be configured as permit mode, and at least one node of the routing policy must be configured as permit mode.

Solution
1.
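The following added example (not part of the original guide) checks which AS paths the pattern .*200.* from AS path list 1 selects, using Python's re module as a stand-in for the device's regular expression engine. The sample AS paths are constructed, the function names are hypothetical, and the "_" delimiter metacharacter in the anchored pattern is an assumption about the platform's regular expression syntax that should be confirmed on the device.

```python
import re

PAGE_PATTERN = ".*200.*"    # from the page: ip as-path 1 permit .*200.*
ANCHORED_PATTERN = "_200_"  # assumption: "_" matches a delimiter or either end of the path

# Constructed AS_PATH strings as LB could receive them through AS 300.
SAMPLE_PATHS = ["300 100", "300 200", "300 2001", "300 65200", "300 12005 400"]


def to_python(pattern):
    """Translate the assumed "_" metacharacter into an equivalent Python group."""
    return pattern.replace("_", r"(?:^|$|[ ,(){}])")


def as_path_matches(pattern, as_path):
    """True if the pattern matches anywhere in the AS path string."""
    return re.search(to_python(pattern), as_path) is not None


def contains_as(as_path, asn):
    """Ground truth: the AS number appears as a whole element of the path."""
    return str(asn) in as_path.split()


def false_positives(pattern, paths, asn=200):
    """Paths the pattern selects although they do not traverse the given AS."""
    return [p for p in paths
            if as_path_matches(pattern, p) and not contains_as(p, asn)]


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        matched = [p for p in SAMPLE_PATHS if as_path_matches(pat, p)]
        print(name, "matches:", matched)
        print(name, "false positives:", false_positives(pat, SAMPLE_PATHS))
```

Because .*200.* is a substring match, a deny node built on it also drops routes whose paths contain AS numbers such as 2001 or 65200, so the matched set is worth reviewing before the policy is applied to a peer.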
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Boldface
   Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic
   Description: Italic text represents arguments that you replace with actual values.
Convention: []
   Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ... }
   Description: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents a security product, such as a firewall, a UTM, or a load-balancing or security card that is installed in a device.