HP Firewalls and UTM Devices Network Management Configuration Guide
Part number: 5998-4164
Software version:
  F1000-A-EI: Feature 3722
  F1000-S-EI: Feature 3722
  F5000: Feature 3211
  F1000-E: Feature 3174
  Firewall module: Feature 3174
  Enhanced firewall module: ESS 3807
  U200-A: ESS 5132
  U200-S: ESS 5132
Document version: 6PW100-20121228
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents

Managing interfaces ... 1
Overview ... 1
Managing interfaces in the web interface
Configuring VLANs at the CLI ... 40
Configuring basic VLAN settings ... 40
Configuring basic settings of a VLAN interface ... 41
Configuring port-based VLANs
Configuring edge ports ... 89
Configuring path costs of ports ... 90
Configuring the port priority ... 92
Configuring the port link t
Configuring inline forwarding in the Web interface ... 138
Configuring inline forwarding at the CLI ... 140
Configuration guidelines ... 142
Configuring inter-VLAN Layer 2 forwarding
DHCP relay agent support for Option 82 ... 188
Configuring the DHCP relay agent in the Web interface ... 189
Recommended configuration procedure ... 189
Enabling DHCP and configuring advanced parameters for the DHCP relay
Specifying the source interface for DNS packets ... 224
Displaying and maintaining IPv4 DNS ... 224
IPv4 DNS configuration examples ... 225
Static domain name resolution configuration example
Common proxy ARP configuration example ... 258
Local proxy ARP configuration example in case of port isolation ... 259
Layer 3 forwarding configuration ... 261
Layer 3 subinterface forwarding
Configuring traffic policing ... 312
Overview ... 312
Traffic evaluation and token buckets ... 312
Traffic pol
Troubleshooting RIP ... 368
No RIP updates received ... 368
Route oscillation occurred ... 368
Configuring O
Tuning and optimizing IS-IS networks ... 437
Configuration prerequisites ... 437
Specifying intervals for sending IS-IS hello and CSNP packets ... 437
Specifying the IS-IS hello multiplier
BGP confederation configuration example ... 519
BGP path selection configuration example ... 523
BFD for BGP configuration example ... 526
Troubleshooting BGP
No membership information exists on the receiver-side router ... 591
Membership information is inconsistent on the routers on the same subnet ... 592
Configuring PIM ... 593
Overview
Configuring basic MSDP functions ... 642
Configuration prerequisites ... 642
Enabling MSDP ... 642
Creating an MSDP peer
Controlling sending ICMPv6 packets ... 688
Configuring the maximum ICMPv6 error packets sent in an interval ... 688
Enabling replying to multicast echo requests ... 688
Enabling sending ICMPv6 time exceeded messages
Configuration guidelines ... 725
Configuration procedure ... 725
Displaying and maintaining the DHCPv6 relay agent ... 726
DHCPv6 relay agent conf
Advertising a default route ... 752
Configuring a RIPng route filtering policy ... 753
Configuring a priority for RIPng ... 753
Configuring RIPng route redistribution
Troubleshooting OSPFv3 configuration ... 794
No OSPFv3 neighbor relationship established ... 794
Incorrect routing information ... 795
Configuring IPv6 IS-I
Configuring IPv6 BGP community ... 821
Configuring an IPv6 BGP route reflector ... 822
Configuring BFD for IPv6 BGP ... 822
Displaying and maintaining IPv6 BGP
Configuration prerequisites ... 862
Enabling IPv6 PIM-DM ... 862
Enabling state-refresh capability ... 862
Configuring state refresh para
Enabling MLD fast-leave processing ... 914
Enabling the MLD host tracking function ... 915
Configuring MLD SSM mapping ... 915
Configuration prerequisites
Configuration procedure ... 948
Configuring an SSL client policy ... 949
Displaying SSL ... 950
Trouble
Managing interfaces

All configuration tasks in this chapter are independent and optional. You can perform these configuration tasks in any order.

Overview

An interface is the point of interaction or communication between devices. It is used for exchanging data between devices. A physical interface is an interface that materially exists and is supported by a device. For example, an Ethernet interface is a physical interface.
subinterface sends and receives VLAN-tagged packets, see Layer 2—LAN Switching Configuration Guide.
• VLAN interface—Virtual Layer 3 interface used for Layer 3 communications between VLANs. Each VLAN interface corresponds to a VLAN. You can assign an IP address to a VLAN interface and specify it as the gateway of the corresponding VLAN to forward traffic destined for an IP network segment different from that of the VLAN.
Figure 1 Interface management

2. Click the interface name in the Name column to view the statistics of an interface.
Creating an interface

1. Select Device Management > Interface from the navigation tree.
2. Click Add to enter the page for creating an interface.

Figure 3 Creating an interface

3. Configure the interface information as described in Table 1.
4. Click Apply.

Table 1 Configuration items

Item | Description
Name | Set the name for the interface or its subinterface.
VID | Set the VLAN ID associated with the subinterface. This parameter is available on a subinterface of a Layer 3 Ethernet interface and a RAGG interface in the previous step.
MTU | Set the MTU of the interface.
TCP MSS | Set the maximum segment size for TCP on the interface.
IP Config | Set how the interface obtains an IP address:
  • None—Does not set an IP address for the interface.
  • Static Address—Manually assigns an IP address to the interface.
Figure 4 Modifying interface information

3. Modify the interface as described in Table 2 and Table 1.
4. Click Apply.

Table 2 Configuration items

Item | Description
Interface Type | Set the interface type, which can be None.
Interface Status | Display and set the interface status:
  • Connected—Indicates that the current interface is up and connected. Click the Disable button to shut down the interface.
Working Mode | Configure the interface to operate in bridge mode or router mode. A loopback interface operates only in router mode. Before configuring an IP address for the interface, make sure the interface is configured to operate in router mode.

Interface management configuration example

Network requirements

As shown in Figure 5, Firewall connects Host A and Host B through its interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2, respectively.
Figure 6 Modifying interface GigabitEthernet 0/1

2. Change the operating mode of GigabitEthernet 0/2 to bridge. The configuration is the same as that for GigabitEthernet 0/1.
3. Create VLAN-interface 1. By default, VLAN 1 exists, and all ports are untagged members of VLAN 1.
   a. Click Add on the interface management page.
   b. Set the interface name to Vlan-interface1, select Static Address for IP Config, enter IP address 1.1.2.1, and select 24 (255.255.255.255) as the network mask.
   c.
Figure 7 Creating VLAN-interface 1

4. Assign VLAN-interface 1 to a security zone (depending on the network environment). For example, you can assign VLAN-interface 1 to security zone Trust:
   a. Select Device Management > Zone from the navigation tree.
   b. Click the icon for zone Trust.
   c. Select Vlan-interface1 from the Interface Name field.
   d. Click Apply.
Figure 8 Assigning VLAN-interface 1 to a security zone

Host A and Host B can access the firewall.
5. Display the statistics on interface GigabitEthernet 0/1:
   a. Select Device Management > Interface from the navigation tree.
   b. Click interface name GigabitEthernet0/1 to view its statistics.
Figure 9 Displaying interface statistics

6. Shut down interface GigabitEthernet 0/1:
   a. Click Back on the Port Statistics page.
   b. Click the icon for GigabitEthernet0/1.
   c. Click Disable at the end of the Interface Status line.
   GigabitEthernet 0/1 is shut down, and Host A cannot access the firewall.

Managing interfaces at the CLI

Performing general configurations

This section describes the settings common to Layer 2 and Layer 3 Ethernet interfaces or subinterfaces.
Hardware | Feature compatible
F1000-E | Yes
F5000 | Yes
Firewall module | Yes
U200-A | No
U200-S | No

Overview

A combo interface is a logical interface that comprises one fiber port and one copper port. The two ports share one forwarding channel and one interface view, so they cannot work simultaneously. When you enable one port, the other port is automatically disabled.
• Half-duplex mode (half)—Interfaces that operate in this mode cannot send and receive packets simultaneously.
• Auto-negotiation mode (auto)—Interfaces that operate in this mode negotiate a duplex mode with their peers.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its peer.
To configure an Ethernet interface:
Step | Command | Remarks
4. Enter system view. | system-view | N/A
5. Enter Ethernet interface view.
Shutting down an Ethernet interface or subinterface

CAUTION: Use this command with caution. After you manually shut down an Ethernet interface, the Ethernet interface cannot forward packets even if it is physically connected.

You might need to shut down and then bring up an Ethernet interface or subinterface to activate some configuration changes, for example, speed or duplex mode changes.
To shut down an Ethernet interface or subinterface:
Step | Command | Remarks
14. Enter system view.
Configuration restrictions and guidelines

• On an interface that is physically down, you can only perform internal loopback testing. On an interface administratively shut down, you cannot perform internal or external loopback testing.
• The speed, duplex, mdi, and shutdown commands are not available during loopback testing.
• During loopback testing, the Ethernet interface operates in full duplex mode. When you disable loopback testing, the port returns to its duplex setting.
Step | Command
27. Change the link mode of the Ethernet interface.
Hardware | Feature compatible
Firewall module | Yes
U200-A | No
U200-S | Yes

CAUTION: Use this function with caution, because it might consume a large amount of system resources.

After you enable subinterface rate statistics collection on an Ethernet interface, the device periodically refreshes the rate statistics on the subinterfaces of this Ethernet interface. You can use the display interface command to view the rate statistics.
Step | Command | Remarks
38. Set the unknown unicast suppression threshold ratio. | unicast-suppression ratio | Optional. By default, unknown unicast traffic is allowed to pass through an interface.
To set storm suppression thresholds for an Ethernet subinterface:
Step | Command | Remarks
39. Enter system view. | system-view | N/A
40. Enter Ethernet subinterface view. | interface interface-type interface-number.subnumber | N/A
41. Set the broadcast suppression threshold ratio.
• When a crossover cable is used, set the interface to operate in the same MDI mode as its peer, or set either end to operate in auto mode.
To set the MDI mode of an Ethernet interface:
Step | Command | Remarks
44. Enter system view. | system-view | N/A
45. Enter Ethernet interface view. | interface interface-type interface-number | N/A
46. Set the MDI mode of the Ethernet interface.
Configuring a loopback interface

Introduction

A loopback interface is a virtual interface. The physical layer state and link layer protocols of a loopback interface are always up unless the loopback interface is manually shut down. A loopback interface is widely used in the following scenarios:
• A loopback interface address can be configured as the source address of the IP packets that the device generates.
For example, by executing the ip route-static 92.101.0.0 255.255.0.0 null 0 command (which configures a static route leading to null interface 0), you can have all packets destined for the network segment 92.101.0.0/16 discarded. Only one null interface, Null 0, is supported on your device. You cannot remove or create a null interface.

Configuration procedure

To enter null interface view:
Step | Command | Remarks
58. Enter system view. | system-view | N/A
59. Enter null interface view.
Bulk configuring interfaces

Bulk configuration of interfaces is available only at the CLI. You can enter interface range view to bulk configure multiple interfaces with the same feature instead of configuring them one by one. For example, you can execute the shutdown command in interface range view to shut down a range of interfaces. Failure of the command on one member interface does not affect the application of the command on the other member interfaces.
Step | Command | Remarks
65. Perform available commands to configure the interfaces. | Available commands vary by interface. | N/A
66. Verify the configuration. | display this | Optional.
Configuring IPv4 addresses

IPv4 addresses can be configured in the web interface and at the CLI. This chapter describes only the IPv4 address configuration at the CLI. For the IPv4 address configuration in the web interface, see "Configuring interface management." For the IPv6 address configuration, see "Configuring IPv6 basics." This chapter describes IP addressing basics and manual IP address assignment for interfaces.
Class | Address range | Remarks
B | 128.0.0.0 to 191.255.255.255 | N/A
C | 192.0.0.0 to 223.255.255.255 | N/A
D | 224.0.0.0 to 239.255.255.255 | Multicast addresses.
E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses.
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.
• Without subnetting—65534 hosts (2^16 – 2). (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
• With subnetting—Using the first 9 bits of the host ID for subnetting provides 512 (2^9) subnets. However, only 7 bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 hosts (512 × 126).
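The classful address table and the subnetting arithmetic above, as an added Python example that is not part of this guide. It classifies an address by its first octet, computes the subnet and host counts for a classful network when part of the host ID is borrowed for subnetting, rejects the two reserved host IDs (all-zero network address and all-one broadcast address), and lists the resulting subnet ranges using the standard library ipaddress module. The function names and the sample addresses are constructed for the example.

```python
import ipaddress

# Classful net-ID lengths: class A uses 8 bits, class B 16 bits, class C 24 bits.
CLASS_NET_BITS = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Return the classful address class A..E from the value of the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"  # multicast addresses
    return "E"      # reserved for future use


def host_capacity(addr_class: str, subnet_bits: int = 0) -> dict:
    """Subnets and usable hosts when subnet_bits of the host ID are used for subnetting."""
    if addr_class not in CLASS_NET_BITS:
        raise ValueError("only unicast classes A, B and C can be subnetted")
    host_bits = 32 - CLASS_NET_BITS[addr_class] - subnet_bits
    if host_bits < 2:
        raise ValueError("at least two host bits must remain")
    subnets = 2 ** subnet_bits
    # The all-zero host ID (network address) and the all-one host ID (broadcast
    # address) cannot be assigned to hosts, hence the "- 2".
    hosts_per_subnet = 2 ** host_bits - 2
    return {
        "subnets": subnets,
        "hosts_per_subnet": hosts_per_subnet,
        "total_hosts": subnets * hosts_per_subnet,
    }


def is_usable_host(addr: str, network: str) -> bool:
    """True if addr lies inside network and is neither its network nor its broadcast address."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        return False
    return ip != net.network_address and ip != net.broadcast_address


def subnet_ranges(network: str, subnet_bits: int, limit: int = 4):
    """First `limit` subnets obtained by borrowing subnet_bits, as (network, broadcast) pairs."""
    net = ipaddress.ip_network(network, strict=True)
    out = []
    for sub in net.subnets(prefixlen_diff=subnet_bits):
        out.append((str(sub.network_address), str(sub.broadcast_address)))
        if len(out) == limit:
            break
    return out


if __name__ == "__main__":
    # Constructed sample: a class B network split with 9 subnet bits, as in the text.
    print(address_class("172.16.1.1"), host_capacity("B", 9))
    print(subnet_ranges("172.16.0.0/16", 9, limit=2))
```

Using 9 subnet bits on a class B network gives 512 subnets of 126 hosts (64512 hosts in total), against 65534 hosts without subnetting, which is exactly the trade-off the text describes.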
Task: Display brief IP configuration information for a specific Layer 3 interface or all Layer 3 interfaces.
Command: display ip interface [ interface-type [ interface-number ] ] brief [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

IP addressing configuration example

Network requirements

As shown in Figure 12, GigabitEthernet 0/1 on the firewall is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms

--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring VLANs

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.

Overview

Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full of collisions and broadcasts. As a result, LAN performance degrades or the LAN even becomes unavailable.
VLAN frame encapsulation

So that a network device can identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation. The format of VLAN-tagged frames is defined in IEEE 802.1Q, issued in 1999. As shown in Figure 14, in the header of a traditional Ethernet data frame, the field after the destination MAC address and source MAC address (DA&SA) field is the Type field, which indicates the upper layer protocol type.
VLAN types

You can implement VLANs based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet
• Policy
• Other criteria
Among these types of VLANs, the device supports only port-based VLANs. This chapter describes only port-based VLANs.

Introduction to port-based VLAN

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
Figure 16 Network diagram (Device A, Device B and Device C; VLAN 2 and VLAN 3; access links, trunk links and hybrid links are required)

PVID

By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required. When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

Actions by port type (Access, Trunk, Hybrid):
Incoming tagged frame:
  Access port: receives the frame if its VLAN ID is the same as the PVID; drops the frame if its VLAN ID is different from the PVID.
  Trunk or hybrid port: receives the frame if its VLAN is permitted on the port; drops the frame if its VLAN is not permitted on the port.
Outgoing frames:
  Access port: removes the VLAN tag and sends the frame.
  Trunk port: removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
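The tag format from "VLAN frame encapsulation" and the access/trunk port rules from the table above, as one added Python example that is not part of this guide: a parser and builder for the 802.1Q tag (TPID 0x8100 inserted after DA&SA, followed by a 16-bit TCI that carries a 3-bit priority, a 1-bit DEI/CFI and a 12-bit VLAN ID), and a simulation of the receive-side and send-side decisions for access and trunk ports. The Frame and Port names, the sample frame bytes and the port names are constructed for the example. It goes beyond the table in one place: an incoming untagged frame is classified into the port's PVID, which is standard 802.1Q behaviour but is not spelled out in the rows reproduced here. Hybrid ports are left out because the table's hybrid column is cut off on this page.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100  # value in the Type position that marks an 802.1Q-tagged frame


@dataclass
class Frame:
    dst: bytes            # 6-byte destination MAC (DA)
    src: bytes            # 6-byte source MAC (SA)
    vlan: Optional[int]   # VLAN ID from the tag; None when the frame is untagged
    pcp: int              # 802.1p priority (3 bits); 0 for untagged frames
    ethertype: int        # upper-layer protocol type (the original Type field)
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet frame; if the field after DA&SA is 0x8100, decode the 4-byte tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, None, 0, etype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    pcp = tci >> 13          # top 3 bits: priority
    vid = tci & 0x0FFF       # low 12 bits: VLAN ID (bit 12 is DEI/CFI, not used here)
    return Frame(dst, src, vid, pcp, inner_type, raw[18:])


def build_frame(f: Frame) -> bytes:
    """Serialise a Frame, inserting the tag between SA and the Type field when vlan is set."""
    head = f.dst + f.src
    if f.vlan is None:
        return head + struct.pack("!H", f.ethertype) + f.payload
    if not 1 <= f.vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((f.pcp & 0x7) << 13) | f.vlan
    return head + struct.pack("!HHH", TPID_8021Q, tci, f.ethertype) + f.payload


@dataclass
class Port:
    link_type: str                               # "access" or "trunk"
    pvid: int = 1                                # VLAN 1 is the default PVID
    permitted: FrozenSet[int] = frozenset({1})   # VLANs a trunk port carries


def ingress(port: Port, f: Frame) -> Optional[Frame]:
    """Receive-side rules. Returns the frame as classified into a VLAN, or None if dropped."""
    if f.vlan is None:
        # Assumption beyond the table: an untagged frame is classified into the PVID.
        return Frame(f.dst, f.src, port.pvid, 0, f.ethertype, f.payload)
    if port.link_type == "access":
        return f if f.vlan == port.pvid else None
    if port.link_type == "trunk":
        return f if f.vlan in port.permitted else None
    raise ValueError("unsupported link type: " + port.link_type)


def egress(port: Port, f: Frame) -> Optional[Frame]:
    """Send-side rules. Returns the frame as put on the wire, or None if not sent on this port."""
    untagged = Frame(f.dst, f.src, None, 0, f.ethertype, f.payload)
    if port.link_type == "access":
        # An access port belongs only to its PVID; the tag is removed before sending.
        return untagged if f.vlan == port.pvid else None
    if port.link_type == "trunk":
        if f.vlan not in port.permitted:
            return None
        # PVID traffic leaves untagged; other permitted VLANs leave with the tag intact.
        return untagged if f.vlan == port.pvid else f
    raise ValueError("unsupported link type: " + port.link_type)


# Constructed sample: broadcast from 000f-e235-dc71, tagged VLAN 100, priority 1, IPv4 payload.
SAMPLE_TAGGED = bytes.fromhex("ffffffffffff" "000fe235dc71" "8100" "2064" "0800") + b"\x45\x00"

if __name__ == "__main__":
    f = parse_frame(SAMPLE_TAGGED)
    print(f"VLAN {f.vlan}, PCP {f.pcp}, EtherType {f.ethertype:#06x}")
    trunk = Port("trunk", pvid=1, permitted=frozenset({1, 100, 200}))
    print("trunk egress keeps the tag:", egress(trunk, f).vlan is not None)
```

The TCI value 0x2064 in the sample decodes to priority 1 and VLAN 100; a trunk whose PVID is 1 and which permits VLAN 100 forwards that frame tagged, while an access port in VLAN 100 accepts it and strips the tag on the way out.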
Figure 17 VLAN configuration page

On the page shown in Figure 17, you can enter a VLAN range in the VLAN Range field and click Select to display the VLANs matching the VLAN range in the VLAN list below. When you query VLANs, only the VLANs in the specified VLAN range are queried. This facilitates VLAN operations when a large number of VLANs exist. If you enter a VLAN range in the VLAN Range field and click Remove, the VLANs matching the VLAN range are deleted.
2.
Figure 19 Modifying a VLAN

3. Modify the member ports of the VLAN as described in Table 4.
4. Click Apply.

Table 4 Configuration items

Item | Description
ID | Displays the ID of the VLAN to be modified.
Description | Set the description of the VLAN. By default, the description of a VLAN is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the default description of VLAN 100 is VLAN 0100.
Untagged Member / Tagged Member | Set the member type of the port to be modified in the VLAN.
Figure 21 Modifying a port

3. Modify the VLANs for the port as described in Table 5.
4. Click Apply.

Table 5 Configuration items

Item | Description
Port | Displays the port to be modified.
Untagged Member VLAN | Displays the VLANs to which the port belongs as an untagged member.
Tagged Member VLAN | Displays the VLANs to which the port belongs as a tagged member.
Untagged / Tagged | Set the target member type of the port. Select the Untagged, Tagged, or Not a Member option.
Figure 22 Network diagram

Configuring Device A

1. Create VLAN 2, VLANs 6 through 50, and VLAN 100:
   a. Select Network > VLAN > VLAN from the navigation tree.
   b. Click Add. The page shown in Figure 23 appears.
   c. Enter VLAN IDs 2, 6-50, and 100.
   d. Click Apply.

Figure 23 Creating VLANs

2. Configure VLAN 100 as the PVID of GigabitEthernet 0/1 (by default, all ports are access ports and their PVIDs are all VLAN 1):
   a. Select Network > VLAN > Port from the navigation tree.
   b.
   a. Click the icon for GigabitEthernet 0/1 in the Operation column. The page shown in Figure 25 appears.
   b. Select the Untagged option for Member Type.
   c. Enter VLAN IDs 2, 6-50.
   d. Click Apply. A dialog box appears telling you that the access port will be changed into a hybrid port.
   e. Click OK in the dialog box.

Figure 25 Assigning GigabitEthernet 0/1 to VLAN 2 and VLANs 6 through 50 as an untagged member

4. Assign GigabitEthernet 0/1 to VLAN 100 as a tagged member:
   a.
Figure 27 Assigning GigabitEthernet 0/1 to VLAN 100 as a tagged member

5. Configure the security zone for GigabitEthernet 0/1, VLAN 2, VLANs 6 through 50, and VLAN 100. (Details not shown.)

Configuring Device B

Configure Device B as you configure Device A.

Verifying the configuration

Display the port statistics of GigabitEthernet 0/1 on Device A:
1. Select Device Management > Interface from the navigation tree.
2. Click GigabitEthernet0/1 on the page that appears.
Figure 28 Displaying the port statistics of GigabitEthernet 0/1

Configuring VLANs at the CLI

Configuring basic VLAN settings

Configuration restrictions and guidelines

• As the default VLAN, VLAN 1 cannot be created or removed.
• You cannot manually create or remove VLANs reserved for special purposes.
• To remove a protocol reserved VLAN, remove the configuration from the VLAN first, and then execute the undo vlan command.
Step | Command | Remarks
75. Enter VLAN view. | vlan vlan-id | Required only when you create VLANs in bulk.
76. Configure a name for the VLAN. | name text | Optional. The default name is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.
77. Configure a description for the VLAN. | | Optional. The default description is VLAN vlan-id, where vlan-id is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.
Step | Command | Remarks
85. Cancel the action of manually shutting down the VLAN interface. | undo shutdown | Optional. By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down.

VLAN interface configuration example

1. Network requirements
As shown in Figure 29, PC A is assigned to VLAN 5. PC B is assigned to VLAN 10.
[Firewall-Vlan-interface10] ip address 192.168.1.20 24
[Firewall-Vlan-interface10] return
   b. Configure the default gateway of PC A as 192.168.0.10.
   c. Configure the default gateway of PC B as 192.168.1.20.
3. Verifying the configuration
   a. The PCs can ping each other.
   b. Display brief information about Layer 3 interfaces on Firewall to verify the configuration.
Step | Command | Remarks
90. Enter interface view or port group view. | Use one of the commands. • Enter Layer 2 Ethernet interface view: interface interface-type interface-number • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number | The configuration made in Layer 2 Ethernet interface view applies only to the port.
91. Configure the link type of the ports as access. | port link-type access |
92. Assign the access ports to a VLAN. | port access vlan vlan-id |
To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type to access first. After configuring the PVID for a trunk port, you must use the port trunk permit vlan command to configure the trunk port to allow packets from the PVID to pass through.

Assigning a hybrid port to a VLAN

A hybrid port can carry multiple VLANs. You can assign it to a VLAN in interface view. Before assigning a hybrid port to a VLAN, create the VLAN first.
Task: Display VLAN interface information.
Commands:
  display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface vlan-interface vlan-interface-id [ brief ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display hybrid ports or trunk ports on the device.
Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
[FirewallA-vlan200] port gigabitethernet 0/2
[FirewallA-vlan200] quit
# Configure port GigabitEthernet 0/3 as a trunk port, and assign it to VLANs 100 and 200, to enable GigabitEthernet 0/3 to forward traffic of VLANs 100 and 200 to Firewall B.
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] port link-mode bridge
[FirewallA-GigabitEthernet0/3] port link-type trunk
[FirewallA-GigabitEthernet0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Firewall B as you configure Firewall A.
Configuring the MAC address table

This document covers only the configuration of unicast MAC address entries, including static, dynamic, and destination blackhole MAC address entries. The MAC address table configuration tasks can be performed in any order. The MAC address table can contain only Layer 2 Ethernet ports (excluding Layer 2 subinterfaces) and Layer 2 aggregate interfaces.
from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legal user to the hacker instead. To improve port security, you can bind specific user devices to the port by manually adding MAC address entries to the MAC address table of the device.

Types of MAC address entries

A MAC address table can contain the following types of entries:
• Static entries—Manually added and never age out.
Figure 31 MAC address table displaying page
2. Click Add to enter the page shown in Figure 32.
Figure 32 Adding a MAC address entry
3. Configure the MAC address entry information as described in Table 6.
4. Click Apply.
Table 6 Configuration items
• MAC—MAC address to be added.
• Type—Type of the MAC address entry: Static (static MAC address entries never age out) or Dynamic (dynamic MAC address entries age out).
Setting the aging time for MAC address entries
1. Select Network > MAC > Configuration from the navigation tree. The page shown in Figure 33 appears.
Figure 33 Setting the aging time for MAC address entries
2. Set the aging time for MAC address entries. If you select No-aging, MAC address entries do not age out.
3. Click Apply.
1. Create a static MAC address entry:
a. Select Network > MAC > MAC from the navigation tree.
b. Click Add.
c. Enter MAC address 000f-e235-dc71. Select static from the Type list. Select 1 from the VLAN list. Select GigabitEthernet0/1 from the Port list.
d. Click Apply.
Figure 35 Creating a static MAC address entry
2. Create a blackhole MAC address entry:
a. Click Add.
b. Enter MAC address 000f-e235-abcd. Select blackhole from the Type list. Select 1 from the VLAN list.
c. Click Apply.
Figure 37 Setting the aging time for dynamic MAC address entries

Configuring the MAC address table at the CLI

Configuring static, dynamic, and destination blackhole MAC address entries

To prevent MAC address spoofing attacks and improve port security, manually add MAC address entries to bind ports with MAC addresses. You can also configure destination blackhole MAC address entries to filter out packets with certain destination MAC addresses.
107. Add or modify a static or dynamic MAC address entry: mac-address { dynamic | static } mac-address vlan vlan-id. By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Configuring a destination blackhole MAC address entry
108. Enter system view: system-view
109. Add or modify a destination blackhole MAC address entry.
Hardware compatibility for the MAC learning limit:
• F5000—No
• Firewall module—No
• U200-A—Yes
• U200-S—Yes
As the MAC address table grows, the forwarding performance of your device might degrade. To prevent the MAC address table from getting so large that forwarding performance degrades, you can limit the number of MAC addresses that a port can learn. To configure the MAC learning limit on a Layer 2 Ethernet interface or Layer 2 aggregate interface:
112. Enter system view: system-view
113.
• The MAC address of Host B is 000f-e235-abcd and belongs to VLAN 1. For security, because this host once behaved suspiciously on the network, add a destination blackhole MAC address entry for the host MAC address, so that all packets destined for the host are dropped.
• Set the aging timer for dynamic MAC address entries to 500 seconds.
Figure 38 Network diagram
Configuration procedure
# Add a static MAC address entry.
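The following is an added example, not HP code, that models the MAC address table behaviour described in this chapter: the three unicast entry types (static, dynamic and destination blackhole), the aging timer, the per-port MAC learning limit, and the forged-source-MAC attack that a static binding defeats. Time is a simulated integer in seconds; the MAC addresses of Host A and Host B, the VLAN and the ports come from the configuration example above, and the server address is constructed for the demonstration.

```python
"""Software model of a Layer 2 unicast MAC address table (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"

HOST_A = "000f-e235-dc71"   # bound to GE0/1 in the guide's example
HOST_B = "000f-e235-abcd"   # blackholed in the guide's example
SERVER = "0001-0002-0003"   # constructed: a server attached to GE0/2


@dataclass
class Entry:
    kind: str
    port: Optional[str]      # None for blackhole entries
    learned_at: int          # only meaningful for dynamic entries


class MacTable:
    def __init__(self, aging_time: Optional[int] = 300, learn_limit: Optional[int] = None):
        self.aging_time = aging_time      # None models "no-aging"
        self.learn_limit = learn_limit    # max dynamic entries per port; None = unlimited
        self.table: Dict[Tuple[str, int], Entry] = {}   # (mac, vlan) -> entry

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        self.table[(mac, vlan)] = Entry(STATIC, port, 0)

    def add_blackhole(self, mac: str, vlan: int) -> None:
        self.table[(mac, vlan)] = Entry(BLACKHOLE, None, 0)

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.table.values() if e.kind == DYNAMIC and e.port == port)

    def age(self, now: int) -> None:
        """Remove dynamic entries older than the aging time; static and blackhole never age."""
        if self.aging_time is None:
            return
        expired = [k for k, e in self.table.items()
                   if e.kind == DYNAMIC and now - e.learned_at >= self.aging_time]
        for k in expired:
            del self.table[k]

    def forward(self, src: str, dst: str, vlan: int, in_port: str, now: int) -> str:
        """Process one frame: learn the source, then return 'drop', 'flood' or the egress port."""
        self.age(now)
        entry = self.table.get((src, vlan))
        if entry is None:
            if self.learn_limit is None or self.dynamic_count(in_port) < self.learn_limit:
                self.table[(src, vlan)] = Entry(DYNAMIC, in_port, now)
        elif entry.kind == DYNAMIC:
            entry.port, entry.learned_at = in_port, now   # dynamic entries follow the source
        # a static or blackhole entry is never rewritten by learning: that is the binding
        target = self.table.get((dst, vlan))
        if target is None:
            return "flood"
        if target.kind == BLACKHOLE:
            return "drop"
        return target.port


def spoof_demo(bind_static: bool) -> Tuple[str, str]:
    """An attacker on GE0/3 forges Host A's source MAC. Where do frames for Host A go?"""
    t = MacTable(aging_time=500)
    if bind_static:
        t.add_static(HOST_A, 1, "GE0/1")
    t.add_blackhole(HOST_B, 1)
    t.forward(HOST_A, SERVER, 1, "GE0/1", now=0)    # legitimate Host A on GE0/1
    t.forward(HOST_A, SERVER, 1, "GE0/3", now=10)   # forged source MAC from GE0/3
    to_a = t.forward(SERVER, HOST_A, 1, "GE0/2", now=20)
    to_b = t.forward(SERVER, HOST_B, 1, "GE0/2", now=20)
    return to_a, to_b


def aging_demo() -> Tuple[str, str]:
    """A dynamic entry is usable before the aging time and gone after it."""
    t = MacTable(aging_time=500)
    t.forward(SERVER, HOST_A, 1, "GE0/2", now=0)
    before = t.forward(HOST_A, SERVER, 1, "GE0/1", now=100)
    after = t.forward(HOST_A, SERVER, 1, "GE0/1", now=600)
    return before, after


def limit_demo() -> int:
    """With a learning limit of 2, a burst of five constructed source MACs learns only two."""
    t = MacTable(learn_limit=2)
    for i in range(5):
        t.forward(f"0000-0000-00{i:02x}", SERVER, 1, "GE0/1", now=0)
    return t.dynamic_count("GE0/1")
```

Without the static entry, spoof_demo returns ("GE0/3", "drop"): the forged frame moved the dynamic entry and the hacker now receives Host A's traffic, while Host B's traffic is dropped by the blackhole entry. With the static binding the entry stays on GE0/1. limit_demo shows that the learning limit also caps how many entries a single port can fill, which is the same control that bounds the table size the guide discusses.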
Configuring spanning tree protocols

As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network and putting them in a standby state, which still allows for link redundancy. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).

STP

STP was developed based on the IEEE 802.1D standard to eliminate loops at the data link layer in a LAN.
Basic concepts in STP

Root bridge

A tree network must have a root bridge, and the entire network contains only one root bridge. All the other bridges in the network are called "leaf nodes." The root bridge is not permanent, but can change when the network topology changes. Upon initialization of a network, each device generates and periodically sends configuration BPDUs with itself as the root bridge.
STP algorithm

The spanning tree calculation process described in the following sections is a simplified process for example only. The STP algorithm uses the following calculation process:
1. Initialize the state. Upon initialization of a device, each port generates a BPDU with the port as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Select the root bridge.
Step 2: The device compares the configuration BPDUs of all its ports and chooses the optimum configuration BPDU. The principles of configuration BPDU comparison are:
• The configuration BPDU with the lowest root bridge ID has the highest priority.
• If configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, if the root path cost in a configuration BPDU plus the path cost of the receiving port is S, the configuration BPDU with the smaller S has the higher priority.
Device C: Port C1 {2, 0, 2, Port C1}; Port C2 {2, 0, 2, Port C2}.
5. Compare BPDUs on each device. In Table 11, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.
Configuration BPDUs on ports after comparison, and the comparison process:
• Device C compares the configuration BPDUs of all its ports, decides that the configuration BPDU of Port C1 is the optimum, and selects Port C1 as the root port with the configuration BPDU unchanged.
• Based on the configuration BPDU and path cost of the root port, Device C calculates the configuration BPDU of Port C2 {0, 10, 2, Port C2}, and compares it with the existing configuration BPDU of Port C2 {1, 0, 1, Port B2}.
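The following is an added example, not HP code, that applies the comparison rules above to the four-field configuration BPDU used in this chapter, {root bridge ID, root path cost, designated bridge ID, designated port ID}, on a constructed three-device topology. It iterates rounds of "compare, then send on designated ports" until nothing changes, and then attaches a rogue device with a lower bridge ID to show how it takes over the root role, which is the situation the root guard and BPDU guard functions listed later in this chapter exist to prevent. Bridge IDs are plain integers here (in real STP, priority plus MAC address); device names, port names and path costs are constructed.

```python
"""Simplified STP root bridge election and port role calculation (added example)."""


class Bridge:
    def __init__(self, name: str, bridge_id: int):
        self.name = name
        self.bid = bridge_id          # lower value wins the election
        self.ports = {}               # port name -> per-port state
        self.root_cost = 0
        self.is_root = False


def link(a: Bridge, pa: str, b: Bridge, pb: str, cost: int) -> None:
    """Connect port pa of a to port pb of b; cost is the path cost of the link."""
    a.ports[pa] = {"cost": cost, "peer": (b, pb), "rx": None, "tx": None, "role": None}
    b.ports[pb] = {"cost": cost, "peer": (a, pa), "rx": None, "tx": None, "role": None}


def compute(br: Bridge) -> None:
    """One comparison round on one bridge. Tuple order is priority order: lower root ID,
    then lower root path cost, then lower designated bridge ID, then lower port ID."""
    own = (br.bid, 0, br.bid, "")
    best, best_port = own, None
    for name, p in br.ports.items():
        if p["rx"] is None:
            continue
        root, cost, dbridge, dport = p["rx"]
        cand = (root, cost + p["cost"], dbridge, dport)   # add the receiving port's path cost
        if cand < best:
            best, best_port = cand, name
    br.is_root, br.root_cost = best_port is None, best[1]
    for name, p in br.ports.items():
        if name == best_port:
            p["role"], p["tx"] = "root", None            # root port receives; it does not send
            continue
        mine = (best[0], best[1], br.bid, name)          # BPDU this port would send as designated
        if p["rx"] is None or mine < p["rx"]:
            p["role"], p["tx"] = "designated", mine
        else:
            p["role"], p["tx"] = "alternate", None       # blocked: the peer's BPDU is better


def spanning_tree(bridges, max_rounds: int = 50) -> dict:
    """Run synchronous rounds until roles, BPDUs and root path costs are stable."""
    prev = None
    for _ in range(max_rounds):
        for br in bridges:
            compute(br)
        for br in bridges:
            for p in br.ports.values():
                peer, peer_port = p["peer"]
                peer.ports[peer_port]["rx"] = p["tx"]    # None: the peer's stored info ages out
        snap = tuple((br.name, br.root_cost,
                      tuple((n, p["role"], p["tx"]) for n, p in sorted(br.ports.items())))
                     for br in bridges)
        if snap == prev:
            return {
                "root": [br.name for br in bridges if br.is_root][0],
                "roles": {n: p["role"] for br in bridges for n, p in br.ports.items()},
                "root_cost": {br.name: br.root_cost for br in bridges},
            }
        prev = snap
    raise RuntimeError("spanning tree did not converge")


def build_topology(with_rogue: bool = False):
    """Constructed topology: A(0), B(1), C(2) in a triangle; optionally rogue X(-1) on C."""
    a, b, c = Bridge("A", 0), Bridge("B", 1), Bridge("C", 2)
    link(a, "A1", b, "B1", 5)
    link(a, "A2", c, "C1", 10)
    link(b, "B2", c, "C2", 4)
    bridges = [a, b, c]
    if with_rogue:
        x = Bridge("X", -1)                  # attacker-controlled bridge claiming the lowest ID
        link(c, "C3", x, "X1", 4)
        bridges.append(x)
    return bridges
```

In the clean topology A becomes root, C reaches it through B at cost 9 rather than directly at cost 10, and C1 is blocked. With the rogue attached, X becomes root, every device re-roots toward it, and the A-C link is blocked on the A side: all traffic between A and B now crosses C, so an attacker that can inject a BPDU with a low bridge ID can redirect traffic through a port it controls.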
The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
When connecting to a point-to-point link, a designated port enters the forwarding state immediately after the device receives a handshake response from the directly connected device.

MSTP

STP and RSTP limitations

STP does not support rapid state transition of ports. A newly elected port must wait twice the forward delay time before it transitions to the forwarding state, even if it connects to a point-to-point link or is an edge port.
Figure 42 Basic concepts in MSTP (diagram: MST region 1 through MST region 4, each running MSTI 0, MSTI 1, and MSTI 2 with VLAN 1, VLAN 2, and the other VLANs mapped to them; the regions are connected by the CST)
Figure 43 Network diagram and topology of MST region 3 (diagram: Device A, Device B, Device C, and Device D in MST region 3, with links to MST region 2 and MST region 4; the regional root and the topologies of MSTI 0, MSTI 1, and MSTI 2)
• Same VLAN-to-instance mapping configuration. • Same MSTP revision level. • Physically linked together. Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 42, the switched network comprises MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.
Port roles

A port can play different roles in different MSTIs. As shown in Figure 44, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and Port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions. Port D3 of Device D directly connects to a host.
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic. • Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state. • Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward user traffic. When in different MSTIs, a port can be in different states. A port state is not exclusively associated with a port role.
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard

Protocols and standards
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
• IEEE 802.
Figure 45 MSTP region
2. Click Modify. The MSTP Region Configuration page shown in Figure 46 appears.
Figure 46 Modifying an MSTP region
3. Configure the MST region information as described in Table 13.
4. Click Activate.
Table 13 Configuration items
• Region Name—Set the MST region name.
• Revision Level—Set the revision level of the MST region.
Configuring MSTP globally
1. Select Network > MSTP > Global from the navigation tree. The Global MSTP Configuration page shown in Figure 47 appears.
Figure 47 Configuring MSTP globally
2. Configure the global MSTP settings as described in Table 14.
3. Click Apply.
Table 14 Configuration items
• Enable STP Globally—Specify whether to enable STP globally: Enable enables STP globally; Disable disables STP globally.
• BPDU Protection—Specify whether to enable BPDU guard globally: Enable enables BPDU guard globally; Disable disables BPDU guard globally. BPDU guard protects the device from attacks that inject forged BPDUs on edge ports, keeping the network topology stable.
• Mode—Configure STP to operate in STP mode, RSTP mode, or MSTP mode: in STP mode, all ports of the device send STP BPDUs; in RSTP mode, all ports of the device send RSTP BPDUs.
• Hello Time—Set the hello time. The hello time is the interval at which the device sends hello packets to the surrounding devices to make sure the paths are fault-free. An appropriate hello time enables the device to detect link failures promptly without using excessive network resources. A hello time that is too long delays the detection of link failures and the spanning tree recalculation that follows; a hello time that is too short makes the device send configuration BPDUs frequently, which consumes network and CPU resources.
Figure 48 MSTP configuration of a port
2. Click the icon for a port. The MSTP Port Configuration page of the port shown in Figure 49 appears.
Figure 49 MSTP port configuration
3. Configure the MSTP port settings as described in Table 15.
4. Click Apply.
Table 15 Configuration items
• Port Number—Specify the port number.
• STP Status—Specify whether to enable STP on the port: Enable enables STP on the port; Disable disables STP on the port.
• Protection—Specify the type of protection enabled on the port: Not Set (no protection is enabled on the port), or Edged Port (set the port as an edge port). Some ports of access layer devices are directly connected to PCs or file servers, which cannot generate BPDUs. You can set these ports as edge ports to achieve fast transition for them.
Network requirements

As shown in Figure 50, all devices on the network are in the same MST region, Device A and Device B work on the distribution layer, and Device C and Device D work on the access layer. Configure MSTP so that packets of different VLANs are forwarded along different spanning trees: packets of VLAN 10 are forwarded along MSTI 1, those of VLAN 30 along MSTI 3, those of VLAN 40 along MSTI 4, and those of VLAN 20 along MSTI 0.
• Set the VLAN ID to 10.
• Click Apply to map MSTI 1 to VLAN 10.
• Select 3 from the Instance ID list.
• Set the VLAN ID to 30.
• Click Apply to map MSTI 3 to VLAN 30.
• Select 4 from the Instance ID list.
• Set the VLAN ID to 40.
• Click Apply to map MSTI 4 to VLAN 40.
d. Click Activate.
Figure 51 Configuring an MST region on Device A
2. Enable MSTP globally and configure the current device as the root bridge of MSTI 1:
a. Select Network > MSTP > Global from the navigation tree.
b.
Figure 52 Configuring global MSTP parameters on Device A

Configuring Device B
1. Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure is the same as that for configuring an MST region on Device A.)
2. Enable MSTP globally and configure the current device as the root bridge of MSTI 3:
a. Select Network > MSTP > Global from the navigation tree.
b.
Configuring Device C
1. Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0. (The procedure is the same as that for configuring an MST region on Device A.)
2. Enable MSTP globally and configure the current device as the root bridge of MSTI 4:
a. Select Network > MSTP > Global from the navigation tree.
b.
3    GigabitEthernet0/1    DESI    FORWARDING    NONE
3    GigabitEthernet0/3    DESI    FORWARDING    NONE
# Display brief spanning tree information on Device C.
[DeviceC] display stp brief
MSTID 4.
Configuring MSTP at the CLI

Spanning tree configuration task lists

Configuration prerequisites

Before configuring a spanning tree, you must determine the spanning tree protocol to be used (STP, RSTP, or MSTP) and plan device roles (the root bridge or leaf node).

Configuration restrictions and guidelines
• The spanning tree configurations made in system view take effect globally. Configurations made in Ethernet interface view take effect on the interface only.
• Configuring path costs of ports—Optional.
• Configuring the port priority—Optional.
• Configuring the mode a port uses to recognize and send MSTP packets—Optional.
• Enabling the spanning tree feature—Required.
• Configuring protection functions—Optional.

RSTP configuration task list
• Setting the spanning tree mode—Required. Configure the device to operate in RSTP mode.
• Configuring the root bridge or a secondary root bridge—Optional.
• Performing mCheck—Optional.
• Configuring protection functions—Optional.

MSTP configuration task list
• Setting the spanning tree mode—Optional. By default, the device operates in MSTP mode.
• Configuring an MST region—Required.
• Configuring the root bridge or a secondary root bridge—Optional.
• Configuring the device priority—Optional.
• Configuring the maximum hops of an MST region—Optional.
• Configuring the network diameter of a switched network—Optional.
• Configuring digest snooping—Optional.
• Configuring No Agreement Check—Optional.
• Configuring protection functions—Optional.

Setting the spanning tree mode

The spanning tree modes include the following:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs.
123. Configure the VLAN-to-instance mapping table: instance instance-id vlan vlan-list. Optional. By default, all VLANs are mapped to the CIST (MSTI 0). For information about the value range for the instance-id argument, see Network Management Command Reference.
124. Configure the MSTP revision level of the MST region: revision-level level
125. Display the MST region configurations that are not activated yet: check region-configuration. Optional.
126.
129. Configure the current device as the root bridge. Use one of the commands:
• In STP/RSTP mode: stp root primary
• In MSTP mode: stp [ instance instance-id ] root primary
By default, a device is not a root bridge. For information about the value range for the instance-id argument, see Network Management Command Reference.

Configuring the current device as a secondary root bridge of a specific spanning tree
130. Enter system view.
count in BPDUs that it propagates. When the hop count of a BPDU reaches 0, it is discarded by the device that received it. This prevents devices beyond the reach of the maximum hop from participating in spanning tree calculation, so the size of the MST region is limited. Make this configuration on the root bridge only. All other devices in the MST region use the maximum hop value set for the root bridge. To configure the maximum number of hops of an MST region: Step Command Remarks 134.
HP does not recommend manually setting the spanning tree timers. Instead, HP recommends specifying the network diameter and using the automatically calculated timers based on the network diameter. If the network diameter uses the default value, the timers also use their default values. Configure timers on the root bridge only. Timer settings on the root bridge apply to all devices on the entire switched network.
resources. In a stable network, you can prevent undesired spanning tree calculations by setting the timeout factor to 5, 6, or 7, resulting in a longer timeout time. To configure the timeout factor:
142. Enter system view: system-view
143. Configure the timeout factor of the device: stp timer-factor factor. The default setting is 3.
147. Enter system view: system-view
148. Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
149. Configure the current ports as edge ports: stp edged-port enable. All ports are non-edge ports by default.

Configuring path costs of ports

Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have different path costs in different MSTIs.
Default path costs by link speed (100 Mbps, 1000 Mbps, 10 Gbps) and port type, as defined by IEEE 802.1d-1998 and IEEE 802. (table values not shown)
Configuring path costs of ports

When the path cost of a port changes, the system recalculates the role of the port and initiates a state transition. To configure the path cost of ports:
152. Enter system view: system-view
153. Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
154. Configure the path cost of the ports. In STP/RSTP mode:
157. Configure the port priority. Use one of the commands:
• In STP/RSTP mode: stp port priority priority
• In MSTP mode: stp [ instance instance-id ] port priority priority
The default setting is 128. For information about the value range for the instance-id argument, see Network Management Command Reference.

Configuring the port link type

A point-to-point link directly connects two devices.
You can configure the MSTP packet format on a port. When operating in MSTP mode after the configuration, the port sends and receives only MSTP packets of the format that you have configured to communicate with devices that send packets of the same format. MSTP provides MSTP packet format incompatibility guard.
• The STP device is shut down or removed.
• The STP device transitions to MSTP or RSTP mode.
Suppose Device A running STP, Device B with no spanning tree feature enabled, and Device C running RSTP or MSTP are connected in order. Device B transparently transmits the STP BPDUs, and the port on Device C that connects to Device B transitions to STP mode.
• With digest snooping enabled, the same-region check no longer compares the configuration digest, so the device can no longer detect a mapping mismatch; you must make sure the VLAN-to-instance mappings are actually the same on the associated ports.
• When digest snooping is globally enabled, if you modify the VLAN-to-instance mapping or use the undo stp region-configuration command to restore the default MST region configuration, traffic might be interrupted because the local VLAN-to-instance mapping is different from that on a neighbor device.
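The following is an added example, not HP code, that computes the MST configuration digest the same-region check normally compares. IEEE 802.1s (now part of IEEE 802.1Q) defines it as HMAC-MD5 over the VLAN-to-instance mapping table, encoded as 4096 two-byte MSTID fields indexed by VLAN ID, with a fixed published key. It shows why two devices must have the same region name, revision level and mapping to join one region, why changing the mapping on one device splits the region, and why digest snooping, which skips this comparison, leaves the mismatch undetected. The region name, revision and mappings below are the ones from this chapter's configuration example; the helper names are the example's own.

```python
"""MST configuration digest (IEEE 802.1s HMAC-MD5) and the same-region check (added example)."""
import hashlib
import hmac

# Fixed key published in the standard; every vendor uses the same value so digests interoperate.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def mst_config_digest(vlan_to_instance: dict) -> str:
    """Return the 32-hex-char digest for a {vlan_id: msti} mapping.
    VLANs not listed belong to the CIST (MSTI 0), as on the device by default."""
    table = bytearray(4096 * 2)                 # one big-endian 2-byte MSTID per VID 0..4095
    for vid, msti in vlan_to_instance.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"invalid VLAN ID {vid}")
        if not 0 <= msti <= 0xFFFF:
            raise ValueError(f"invalid instance ID {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def region_identity(name: str, revision: int, mapping: dict) -> tuple:
    """The three values carried in an MSTP BPDU that decide region membership."""
    return (name, revision, mst_config_digest(mapping))


def same_region(a: tuple, b: tuple, digest_snooping: bool = False) -> bool:
    """Normal check compares all three fields; with digest snooping the digest is not compared."""
    if digest_snooping:
        return a[0] == b[0] and a[1] == b[1]
    return a == b


# Region "example", revision 0, from the configuration example in this chapter.
EXAMPLE_MAPPING = {10: 1, 30: 3, 40: 4}
DEVICE_A = region_identity("example", 0, EXAMPLE_MAPPING)
DEVICE_B = region_identity("example", 0, dict(EXAMPLE_MAPPING))
# Constructed misconfiguration: one device is missing the VLAN 40 mapping.
DEVICE_C = region_identity("example", 0, {10: 1, 30: 3})
```

mst_config_digest({}) returns AC36177F50283CD4B83821D8AB26DE62, the well-known digest of the default configuration (all VLANs in MSTI 0). Device A and Device B compute identical digests and form one region; Device C has a different digest and is placed in its own region even though its name and revision match, which is exactly the mismatch the digest snooping check hides.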
Figure 54 Network diagram
2. Configuration procedure
# Enable digest snooping on GigabitEthernet 0/1 of Firewall A and enable global digest snooping on Firewall A.
<FirewallA> system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] stp config-digest-snooping
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] stp config-digest-snooping
# Enable digest snooping on GigabitEthernet 0/1 of Firewall B and enable global digest snooping on Firewall B.
Figure 55 Rapid state transition of an MSTP designated port
Figure 56 Rapid state transition of an RSTP designated port
If the upstream device is a third-party device, the rapid state transition implementation might be limited.
178. Enter system view: system-view
179. Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
180. Enable No Agreement Check: stp no-agreement-check. By default, No Agreement Check is disabled.

No Agreement Check configuration example
1. Network requirements
As shown in Figure 57:
• Firewall A connects to a third-party firewall (Firewall B) that has a different spanning tree implementation.
system closes these ports and notifies the NMS that they have been closed by the spanning tree protocol. The device will reactivate closed ports after the port status detection timer expires. For more information about the port status detection timer, see Getting Started Guide. Configure BPDU guard on a device with edge ports configured. BPDU guard does not take effect on loopback testing-enabled ports. For more information about loopback testing, see Network Management Configuration Guide.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs, its state transitions normally. Otherwise, it stays in the discarding state to prevent temporary loops. 1. Configuration restrictions and guidelines • Configure loop guard on the root port and alternate ports of a device. • Do not enable loop guard on a port that connects user terminals. Otherwise, the port will stay in the discarding state in all MSTIs because it cannot receive BPDUs.
Displaying and maintaining the spanning tree (all commands are available in any view):
• Display information about ports blocked by spanning tree protection functions: display stp abnormal-port [ | { begin | exclude | include } regular-expression ]
• Display BPDU statistics on ports: display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-id ] ] [ | { begin | exclude | include } regular-expression ]
Figure 58 Network diagram (MST region with Device A, Device B, Device C, and Device D connected through ports GE0/2 and GE0/3; the link between Device A and Device B permits all VLANs, and the other links permit VLANs 10 and 20, VLANs 20 and 30, and VLANs 20 and 40)
Configuration procedure
1. Configure VLANs and VLAN member ports (details not shown): Create VLAN 10, VLAN 20, and VLAN 30 on Device A and Device B, respectively.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp enable
4.
6. Verify the configuration: In this example, suppose Device B has the lowest root bridge ID. As a result, Device B is elected as the root bridge of MSTI 0. You can use the display stp brief command to display brief spanning tree information on each device after the network is stable. # Display brief spanning tree information on Device A.
Figure 59 MSTIs mapped to different VLANs (diagram: MSTI 1 mapped to VLAN 10, MSTI 0 mapped to VLAN 20, MSTI 3 mapped to VLAN 30, and MSTI 4 mapped to VLAN 40, each showing Device A through Device D with the root bridge, normal links, and blocked links)

Configuration guidelines

Follow these guidelines when you configure MSTP:
• Two or more spanning tree-enabled devices belong to the same MST region only if the following are true:
• They are configured with the same format selector (0 by default, not configurable), MST region name
Configuring PPP

PPP can be configured only at the CLI.
Figure 60 PPP link establishment process (state diagram: the Dead, Establish, Authenticate, Network, and Terminate phases, with the Up, Opened, Success/None, Fail, Down, and Closing transitions)
1. Initially, PPP is in the Link Dead phase. After the physical layer goes up, PPP enters the Link Establishment phase (Establish).
2. In the Link Establishment phase, the LCP negotiation is performed.
Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP authentication. In one-way CHAP authentication, the authenticator may or may not be configured with a username. HP recommends that you configure a username for the authenticator, which makes it easier for the supplicant to verify the identity of the authenticator.
Enabling PPP encapsulation on an interface

Hardware compatibility:
• F1000-A-EI/F1000-S-EI—Yes
• F1000-E—No
• F5000—No
• Firewall module—No
• U200-A—Yes
• U200-S—Yes
To enable PPP encapsulation on an interface:
192. Enter system view: system-view
193. Enter interface view: interface interface-type interface-number
194. Enable PPP encapsulation on the interface. Optional.
198. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide.
2.
206. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide. The username configured for the supplicant must be the same as that configured on the supplicant.
214. Configure local or remote AAA authentication. For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server. For more information about AAA authentication, see Access Control Configuration Guide. The username configured for the supplicant must be the same as that configured on the supplicant.
222. Assign a username to the MS-CHAP or MS-CHAP-V2 authenticator: ppp chap user username. The username you assign to the authenticator here must be the same as the local username you assign to the authenticator on the supplicant. For local AAA authentication, the username and password of the supplicant must be configured on the authenticator. For remote AAA authentication, the username and password of the supplicant must be configured on the remote AAA server.
223.
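The following is an added example, not HP code, that runs the one-way CHAP exchange (RFC 1994) described in this section with both sides' packets visible: the authenticator sends a Challenge carrying its own username in the Name field (the username the guide recommends configuring on the authenticator), the supplicant answers with MD5(Identifier || password || challenge) and its username, and the authenticator looks the username up in its local user database and replies Success or Failure. The password never crosses the link, and a captured Response cannot be replayed because each challenge is usable once. The authenticator name, user database and random-source hook are constructed for the demonstration; MS-CHAP and MS-CHAP-V2 use different hash constructions and are not modelled here.

```python
"""One-way CHAP (RFC 1994) between an authenticator and a supplicant (added example)."""
import hashlib
import hmac
import os
import struct

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: MD5 over Identifier, secret and challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def value_packet(code: int, ident: int, value: bytes, name: bytes) -> bytes:
    """Challenge/Response: Code, Identifier, Length, Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def result_packet(code: int, ident: int, message: bytes) -> bytes:
    """Success/Failure: Code, Identifier, Length, Message."""
    return struct.pack("!BBH", code, ident, 4 + len(message)) + message


def parse(pkt: bytes):
    """Return (code, ident, value, name); for Success/Failure, value is the message."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("CHAP length mismatch")
    if code in (CHALLENGE, RESPONSE):
        size = pkt[4]
        return code, ident, pkt[5:5 + size], pkt[5 + size:]
    return code, ident, pkt[4:], b""


class Authenticator:
    def __init__(self, name: str, users: dict, rng=os.urandom):
        self.name = name.encode()
        self.users = {u.encode(): p.encode() for u, p in users.items()}   # local AAA database
        self.rng = rng                 # injectable so the exchange can be reproduced in a test
        self.ident = 0
        self.pending = {}              # identifier -> outstanding challenge value

    def challenge(self) -> bytes:
        self.ident = (self.ident + 1) & 0xFF
        chal = self.rng(16)
        self.pending[self.ident] = chal
        return value_packet(CHALLENGE, self.ident, chal, self.name)

    def verify(self, pkt: bytes) -> bytes:
        code, ident, value, name = parse(pkt)
        chal = self.pending.pop(ident, None)   # each challenge is accepted once: no replay
        if code != RESPONSE or chal is None:
            return result_packet(FAILURE, ident, b"unexpected response")
        secret = self.users.get(name)
        if secret is not None and hmac.compare_digest(chap_hash(ident, secret, chal), value):
            return result_packet(SUCCESS, ident, b"welcome")
        return result_packet(FAILURE, ident, b"authentication failed")


class Supplicant:
    def __init__(self, username: str, password: str):
        self.username, self.password = username.encode(), password.encode()

    def respond(self, pkt: bytes) -> bytes:
        code, ident, chal, auth_name = parse(pkt)
        if code != CHALLENGE:
            raise ValueError("expected a Challenge")
        # auth_name is the authenticator's username; a supplicant with several peers uses it
        # to pick the right secret
        return value_packet(RESPONSE, ident, chap_hash(ident, self.password, chal), self.username)


def authenticate(auth: Authenticator, supp: Supplicant) -> bool:
    """Run one exchange and report whether the authenticator returned Success."""
    response = supp.respond(auth.challenge())
    return parse(auth.verify(response))[0] == SUCCESS


def replay(auth: Authenticator, supp: Supplicant):
    """Send the same valid Response twice; the second copy must be rejected."""
    response = supp.respond(auth.challenge())
    first = parse(auth.verify(response))[0]
    second = parse(auth.verify(response))[0]
    return first, second
```

A wrong password or an unknown username yields Failure, which is the "parameters for authentication are incorrect" case in the troubleshooting section of this chapter: the username and password on the supplicant must match the entry in the authenticator's local database or on the remote AAA server.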
228. Enter system view: system-view
229. Enter interface view: interface interface-type interface-number
230. Configure the polling interval: timer hold seconds. Optional. The default setting is 10 seconds.
235. Enter interface view: interface interface-type interface-number
236. Enable IP address negotiation: ip address ppp-negotiate
2. Configuring the local end as the server
To configure the local end as the server (for cases where PPP authentication is not enabled):
237. Enter system view: system-view
(Approach 1) Define a global address pool and bind it to the interface:
238.
host can access the Internet directly using domain names. For a PPP link established between a device and the access server of a carrier, the DNS server address is usually allocated by the access server so that the device can resolve domain names by using the allocated address. Configure DNS server settings depending on the role of your device in PPP negotiation. 1.
Hardware compatibility:
• F5000—No
• Firewall module—No
• U200-A—No
• U200-S—Yes
The escape mechanism transparently transmits asynchronous control characters on asynchronous links, so that payload bytes are not treated as control characters when the payload contains the same values as the control characters. Each asynchronous control character is one byte long. PPP uses the escape mechanism to map every one-byte asynchronous control character into a two-byte sequence.
Hardware compatibility:
• Firewall module—No
• U200-A—No
• U200-S—Yes
By default, in a PPP packet, the address field is fixed to 0xFF and the control field is fixed to 0x03. The fixed values make it easy to compress these two fields. ACFC negotiation notifies the peer that the local end can receive packets carrying compressed address and control fields. ACFC negotiation is performed at the LCP negotiation stage.
Hardware compatibility:
• F1000-A-EI/F1000-S-EI—No
• F1000-E—No
• F5000—No
• Firewall module—No
• U200-A—No
• U200-S—Yes
By default, the protocol field in a PPP packet is 2 bytes long. Because data protocols are typically assigned protocol field values less than 256, the protocol field can be compressed from 2 bytes to 1 byte to indicate the protocol type. PFC negotiation notifies the peer that the local end can receive packets with single-byte protocol fields.
267. Configure how the local end handles the PFC requests received from the peer. Optional. Use one of the commands:
• Accept PFC requests received from the peer and perform PFC on frames sent to the peer: ppp pfc remote apply
• Accept PFC requests received from the peer, but do not perform PFC on frames sent to the peer: ppp pfc remote ignore
• Reject PFC requests
Configuring PPP user binding

This function binds users in different domains with VT interfaces without knowing the domains of the users. The feature works in the following steps:
• Without knowing the user domains, you must first authenticate the users. If a user passes authentication, you can obtain the user's domain name. The domain name varies with the authentication result. For more information, see the authentication modes in "Configuring PPP authentication."
PPP configuration examples

Typically, PPP works together with PPPoE and L2TP. For configuration examples, see "Configuring PPPoE" and VPN Configuration Guide.

Troubleshooting PPP configuration

Symptom 1
PPP authentication always fails, preventing the link from going up.

Solution
This problem can occur if the parameters for authentication are incorrect.
Configuring PPPoE

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. The firewalls support acting only as a PPPoE client.

Feature and hardware compatibility
• F1000-A-EI/F1000-S-EI—Yes
• F1000-E—No
• F5000—No
• Firewall module—No
• U200-A—Yes
• U200-S—Yes

Overview

Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP packets encapsulated in Ethernet over point-to-point links.
Figure 61 Network structure 1 (diagram: Host A, Host B, and Host C behind Router A, the client device, which connects through a modem and a DSLAM to the carrier device Router B, the PPPoE server, and the Internet)
• PPPoE client
As shown in Figure 62, the PPPoE session is established between each host (PPPoE client) and the carrier router (PPPoE server). The service provider assigns an account to each host for billing and control. PPPoE client dialup software must be installed on each host. This network structure is applicable to campus and residential environments.
Dialer interfaces created by selecting Device Management > Interface Management can be displayed, modified, and removed in the PPPoE client page. However, they cannot establish PPPoE client sessions. Figure 63 PPPoE client information 2. Click Add to enter the page for creating a PPPoE client. Figure 64 Creating a PPPoE client 3. Configure the PPPoE client information, as described in Table 17. 4. Click Apply.
Task: Remarks
IP Config: Configure the way the dialer interface gets its IP address:
• None—Does not configure IP address.
• Static Address—Statically configures an IP address and subnet mask for the interface.
• PPP Negotiate—Gets an IP address through PPP negotiation.
• Unnumbered—Borrows the IP address of another interface on the same device.
IP Address: Configure an IP address and subnet mask for the dialer interface.
Figure 66 PPPoE session summary

Table 18 Field description for the PPPoE session statistics
Field: Description
Interface: Ethernet interface where the PPPoE session belongs.
Session Number: PPPoE session ID.
Received Packets: Number of received packets in the PPPoE session.
Received Bytes: Number of received bytes in the PPPoE session.
Dropped Packets (Received): Number of dropped packets which are received in the PPPoE session.
Sent Packets: Number of transmitted packets in the PPPoE session.
PPPoE client configuration example

Network requirements
Configure the PPPoE client on the device, and enable the PPPoE client to communicate with the PPPoE server, as shown in Figure 67.

Figure 67 Network diagram

Configuring the PPPoE client
1. Create a PPPoE client:
a. Select Network > PPPoE > Client from the navigation tree.
b. Click Add.
c. Enter 1 for the dialer interface name, user1 for the username, and password1 for the password.
You must enable the PPPoE protocol on the PPPoE server, configure the PPPoE username and password, and assign an IP address to the peer end of the PPP connection. (Details not shown.)

Verifying the configuration
View the summary about PPPoE client sessions on the PPPoE client:
1. a. Select Network > PPPoE > Session from the navigation tree.
b. Select Summary Information from the Information Type list.
Figure 69 shows that the status of the PPPoE client session is PPPUP.
Hardware: PPPoE client compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No

PPPoE client configuration includes dialer interface configuration and PPPoE session configuration.

Configuring a dialer interface
Before establishing a PPPoE session, you must first create a dialer interface and configure a dialer bundle on the interface.
Configuring a PPPoE session

PPPoE sessions fall into these categories:
• Permanent PPPoE session—Established immediately when the line is physically up. It remains valid until a user terminates it explicitly.
• Packet-triggered PPPoE session—Established when there is data to transmit. It is terminated when it has been idle for a specific period of time. That is, a packet-triggered PPPoE session may not be established even if the line is physically up.
Figure 71 Network diagram

Configuring PAP authentication
1. Configure Router as the PPPoE server:
# Add a PPPoE user.
system-view
[Router] local-user user2
[Router-luser-user2] password simple hello
[Router-luser-user2] service-type ppp
[Router-luser-user2] quit
# Configure virtual template 1.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode pap
[Router-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[Router-Virtual-Template1] remote address 1.1.1.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap
[Router-Virtual-Template1] ppp chap user user1
[Router-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[Router-Virtual-Template1] remote address 1.1.1.2
[Router-Virtual-Template1] quit
# Configure the PPPoE server.
[Router] interface gigabitethernet 0/1
[Router-GigabitEthernet0/1] pppoe-server bind virtual-template 1
2.
Figure 72 Network diagram

Configuration procedure
1. Configure Firewall as a PPPoE client:
# Configure a dialer interface.
system-view
[Firewall] dialer-rule 1 ip permit
[Firewall] interface dialer 1
[Firewall-Dialer1] dialer-group 1
[Firewall-Dialer1] dialer bundle 1
[Firewall-Dialer1] ip address ppp-negotiate
[Firewall-Dialer1] ppp pap local-user user1 password cipher 123456
[Firewall-Dialer1] quit
# Configure a PPPoE session.
# Configure ATM 1/0 interface.
[Router] interface atm 1/0
[Router-Atm1/0] pvc 0/32
[Router-atm-pvc-Atm1/0-0/32] map bridge virtual-ethernet 1
[Router-atm-pvc-Atm1/0-0/32] quit
[Router-Atm1/0] quit
# Enable PPPoE server on the virtual Ethernet interface.
[Router] interface virtual-ethernet 1
[Router-Virtual-Ethernet1] pppoe-server bind virtual-template 1
[Router-Virtual-Ethernet1] quit
# Configure virtual template 1.
Configuring Layer 2 forwarding

Layer 2 forwarding falls into the following categories:
• Normal
• Inline
• Inter-VLAN

Configuring normal Layer 2 forwarding
Normal Layer 2 forwarding can be configured only at the CLI. If the destination MAC address of an incoming packet matches the MAC address of the receiving Layer 3 interface, the device forwards the packet through that interface. If not, the device performs normal Layer 2 forwarding through a Layer 2 interface.
The inline Layer 2 forwarding feature is supported on the high-end firewall series, and comprises the following types:
• Forward type—A packet coming from one interface goes out of another. The packet is forwarded through the specified incoming and outgoing interfaces, rather than through looking up the MAC address table. A complete configuration contains an ID, which uniquely identifies an inline Layer 2 forwarding entry, and two interfaces.
Figure 74 Adding an inline forwarding policy

3. Configure the inline forwarding policy as described in Table 20.
4. Click Apply.

Table 20 Configuration items
Item: Description
Policy ID: Set the ID for identifying an inline forwarding policy.
Policy Type: Select the inline forwarding type, which can be forward, blackhole, or reflect.
Port 1: Assign a port to the inline forwarding policy.
Port 2: Assign a port to the inline forwarding policy when the forwarding type is Forward.
Figure 75 Adding a forward-type inline forwarding policy

Blackhole-type inline forwarding configuration example
1. Network requirements
Packets coming from GigabitEthernet 0/1 must be discarded. Configure blackhole-type inline forwarding on GigabitEthernet 0/1. Before configuration, make sure the GigabitEthernet 0/1 interface operates in bridge mode and has been added to a zone.
2. Adding a blackhole-type inline forwarding policy
a. Select Network > Forwarding from the navigation tree.
b.
295. Enter system view.
    Command: system-view
    Remarks: N/A
296. Configure an inline Layer 2 forwarding entry.
    Command: inline-interfaces id [ blackhole | reflect ]
    Remarks: N/A
297. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
298. Assign an interface to the inline Layer 2 forwarding entry.
    Remarks: By default, an interface does not belong to any inline Layer 2 forwarding entry.
# Assign GigabitEthernet 0/1 to blackhole-type inline Layer 2 forwarding entry 1.
[Sysname] interface gigabitethernet 0/1
[Sysname-GigabitEthernet0/1] port inline-interfaces 1

Configuration guidelines
When you configure inline forwarding, follow these guidelines:
• Inline forwarding is applicable to Layer 2 Ethernet interfaces and subinterfaces.
• An interface can be assigned to only one inline forwarding policy. If you assign an interface to multiple policies, the last configuration takes effect.
Configuration procedure

To achieve Layer 2 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the ten-GigabitEthernet interface on the firewall module. Perform the following configurations to achieve Layer 2 forwarding between two VLANs:
1. Configure the switch:
{ Create two VLANs.
{ Assign the two access ports to different VLANs.
2.
309. Create a VLAN for the firewall module and enter VLAN view.
    Command: vlan vlan-id
    Remarks: N/A
310. Exit to system view.
    Command: quit
    Remarks: N/A
311. Enter the view of the ten-GigabitEthernet interface that connects to the switch.
    Command: interface ten-gigabitethernet interface-number
    Remarks: N/A
312. Configure the operating mode of the interface as Layer 2.
    Command: port link-mode bridge
    Remarks: The default operating mode depends on the device model.
313. Configure the link type of the ten-GigabitEthernet interface as trunk.
Displaying and maintaining inter-VLAN Layer 2 forwarding

Display VLAN information.
    Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | interface interface-type interface-number.subnumber | reserved | static ] [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display brief interface/subinterface information.
    Command: display interface [ interface-type [ interface-number | interface-number.
Figure 78 Network diagram

Configuration procedure
1. Configure the switch:
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
[Firewall-Ten-GigabitEthernet0/0.102] port link-type access
[Firewall-Ten-GigabitEthernet0/0.102] port access vlan 1000
[Firewall-Ten-GigabitEthernet0/0.102] quit
[Firewall] interface ten-gigabitethernet 0/0.103
[Firewall-Ten-GigabitEthernet0/0.103] port link-mode bridge
[Firewall-Ten-GigabitEthernet0/0.103] port link-type access
[Firewall-Ten-GigabitEthernet0/0.
DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Dynamic IP address allocation process

Figure 81 Dynamic IP address allocation process

1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format."
3.
DHCP message format

Figure 82 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 82 DHCP message format

• op—Message type defined in option field. 1 = REQUEST, 2 = REPLY
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message has traveled through.
DHCP options

DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients.

Figure 83 DHCP option format

Common DHCP options
The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option.
• Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters. For more information about CPE and ACS, see System Management and Maintenance Configuration Guide.
• Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other control information from the PXE server.
1.
Relay agent option (Option 82)

Option 82 is the relay agent option in the option field of the DHCP message. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server. The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting.
{ Sub-option 1—Contains the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All other padding contents of sub-option 1 are of variable length. See Figure 89.
{ Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (subcard number of the receiving port on a centralized device or slot number of the receiving port on a distributed device) and port (number of the receiving port). The value of the sub-option type is 1, and the value of the circuit ID type is 0.

Figure 93 Sub-option 1 in standard padding format

{ Sub-option 2—Contains the MAC address of the DHCP snooping device that received the client's request.
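As an added example (not HP's code) tying together the message format, the option field and the Option 82 sub-option layout described above, the following Python parses a constructed DHCP-REQUEST, decodes the Option 82 circuit ID and remote ID in the standard padding format, and applies the Option 54 server identifier comparison that underlies the relay agent's unauthorized-server detection. The exact byte layout of the standard-format sub-options (type 0 and length bytes before the VLAN/module/port and MAC fields) is assumed from this chapter's description, and all addresses and MAC values are constructed.

```python
"""Parse a BOOTP-framed DHCP message and inspect Option 54 and Option 82 (added example)."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed part (RFC 2131)


def hp_mac(raw):
    """Format 6 bytes in the xxxx-xxxx-xxxx style used by the CLI in this guide."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def parse_options(data):
    """Walk the TLV option field: pad (0) has no length byte, end (255) stops parsing."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_dhcp(packet):
    """Split a DHCP message into its fixed BOOTP fields plus a {code: value} option map."""
    if len(packet) < HEADER.size + 4 or packet[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, _sname, _file) = HEADER.unpack_from(packet)
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),   # flag bit that decides how the OFFER is sent
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
        "chaddr": hp_mac(chaddr[:hlen]) if hlen == 6 else chaddr[:hlen].hex(),
        "options": parse_options(packet[HEADER.size + 4:]),
    }


def decode_option82(value):
    """Decode Option 82 sub-options in the standard padding format (layout assumed from the
    chapter text): sub-option 1 = circuit ID type 0, length 4, VLAN ID (2), module (1), port (1);
    sub-option 2 = remote ID type 0, length 6, MAC. Anything else is returned raw, not dropped."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        t, length = value[i], value[i + 1]
        subs[t] = value[i + 2:i + 2 + length]
        i += 2 + length
    out = {}
    for t, body in subs.items():
        if t == 1 and body[:2] == b"\x00\x04" and len(body) == 6:
            vlan, module, port = struct.unpack("!HBB", body[2:])
            out["circuit_id"] = {"vlan": vlan, "module": module, "port": port}
        elif t == 2 and body[:2] == b"\x00\x06" and len(body) == 8:
            out["remote_id"] = hp_mac(body[2:])
        else:
            out[f"raw_suboption_{t}"] = body.hex()
    return out


def check_server_identifier(msg, authorized):
    """Mirror the relay agent's unauthorized-server check: Option 54 in a REQUEST names the
    server the client accepted; return it and whether it is on the authorized list."""
    sid = msg["options"].get(54)
    if sid is None or len(sid) != 4:
        return None, True            # nothing to check on this message
    server = str(IPv4Address(sid))
    return server, server in authorized


def build_sample_request():
    """Constructed DHCP-REQUEST (not a capture): relayed once via giaddr 10.1.1.2, carrying
    Option 54 for server 10.1.1.99 and an Option 82 inserted by the relay agent."""
    chaddr = bytes.fromhex("0050560a0b0c") + bytes(10)
    header = HEADER.pack(1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), IPv4Address("10.1.1.2").packed,
                         chaddr, bytes(64), bytes(128))
    sub1 = bytes([1, 6, 0, 4]) + struct.pack("!HBB", 102, 0, 1)   # VLAN 102, module 0, port 1
    sub2 = bytes([2, 8, 0, 6]) + bytes.fromhex("00e0fc112233")    # relay device MAC
    opt82 = sub1 + sub2
    options = (bytes([53, 1, 3])                                   # message type 3 = REQUEST
               + bytes([54, 4]) + IPv4Address("10.1.1.99").packed  # server identifier
               + bytes([82, len(opt82)]) + opt82
               + bytes([255]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    msg = parse_dhcp(build_sample_request())
    print("client", msg["chaddr"], "via relay", msg["giaddr"], "hops", msg["hops"])
    print("option 82:", decode_option82(msg["options"][82]))
    print("server identifier:", check_server_identifier(msg, {"10.1.1.1"}))
```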
Configuring the DHCP server

Overview
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.
2. If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool. If no IP address is available in the address pool, the DHCP server fails to assign an address to the client. For the configuration of such an address pool, see "Configuring dynamic address allocation for an extended address pool."
3.
Configuring the DHCP server in the Web interface

Recommended configuration procedure
323. Enabling DHCP
    Remarks: Required. Enable DHCP globally. By default, global DHCP is disabled.
324. Creating an address pool for the DHCP server:
    a. Creating a static address pool for the DHCP server
    b.
    Remarks: Use either approach. IMPORTANT:
Figure 94 DHCP configuration page

Creating a static address pool for the DHCP server
1. From the navigation tree, select Network > DHCP > DHCP Server. The DHCP configuration page shown in Figure 94 appears.
2. Select the Static option in the Address Pool field to view all static address pools.
3. Click Add. The page for creating a static address pool appears.
Figure 95 Creating a static address pool

4. Configure the static address pool as described in Table 21.
5. Click Apply.

Table 21 Configuration items
Item: Description
IP Pool Name: Enter the name of the static address pool.
IP Address / Mask: Enter an IP address and a mask. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
Client MAC Address:
Item: Description
Client Domain Name: Enter the domain name suffix for the client. With the suffix assigned, the client only needs to input part of a domain name, and the system adds the domain name suffix for name resolution.
Gateway Address: Enter the gateway addresses for the client. A DHCP client that wants to access an external host needs to send requests to a gateway.
4. Configure the dynamic address pool as described in Table 22.
5. Click Apply.

Table 22 Configuration items
Item: Description
IP Pool Name: Enter the name of a dynamic address pool.
IP Address: Enter an IP address segment for dynamic allocation. To avoid address conflicts, the DHCP server excludes the IP addresses used by gateways or FTP servers from dynamic allocation.
Mask: You can enter a mask length or a mask in dotted decimal notation.
Figure 97 Configuring a DHCP server interface

3. Select the Enable option.
4. Click Apply.

Table 23 Configuration items
Item: Description
Interface Name: This field displays the name of a specific interface.
DHCP Server: Enable or disable the DHCP server on the interface. Upon receiving a DHCP request from a client, the interface with the DHCP server disabled neither assigns an IP address to the client, nor serves as a DHCP relay agent to forward the request.
Figure 98 Network diagram

Configuring Firewall
1. Specify IP addresses for interfaces and create security zones. (Details not shown.)
2. Enable DHCP:
a. From the navigation tree, select Network > DHCP > DHCP Server.
b. Select the Enable option for DHCP Service.
3. Configure the static address pool 0 to assign a static IP address to Router A:
a. Click Add in the Address Pool area.
b. In the Address Pool area, the Static option is selected by default. Clicking Add guides you to create a static address pool.

Figure 100 Creating a static address pool

c. Enter 0 for IP Pool Name, enter 10.1.1.5 for IP Address, enter 25 for Mask, select the Client ID option, and enter the client ID: 3030-3066-2e65-3230-302e-3030-3032-2d45-7468-6572-6e65-7430-2f30.
d. Enter 10.1.1.
Figure 101 Creating a static address pool

5. Enable the DHCP server on GigabitEthernet 0/1. With DHCP enabled, interfaces operate in the DHCP server mode:
a. In the Interface Configuration field, click the icon next to GigabitEthernet 0/1.

Figure 102 Enabling DHCP server on interface GigabitEthernet 0/1

b. On the DHCP Server Interface Config page, select the Enable option.
c. Click Apply.
Address pool 10.1.1.0/25 has an address lease duration of ten days and twelve hours, the domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, WINS server address 10.1.1.4/25, and gateway address 10.1.1.126/25. Address pool 10.1.1.128/25 has an address lease duration of five days, the domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, and gateway address 10.1.1.254/25, and has no WINS server address. The domain name suffix and DNS server address in address pools 10.1.1.0/25 and 10.1.1.
Figure 104 Enabling the DHCP service

b. Select the Enable option in the DHCP Service field.
c. Configure DHCP parent address pool 0 (network segment, client domain name suffix, and DNS server address):
d. Select the Dynamic option in the Address Pool field.
e. Click Add.
Figure 105 Configuring DHCP parent address pool 0

f. Enter pool0 for IP Pool Name, 10.1.1.0 for IP Address, 255.255.255.0 for Mask, aabbcc.com for Client Domain Name, and 10.1.1.2 for DNS Server Address.
g. Click Apply.
3. Configure DHCP child address pool 1 (network segment, gateway, lease duration, and WINS server address):
a. Click Add in the address pool field. (The Dynamic option must be selected.)

Figure 106 Configure DHCP child address pool 1

b. Enter pool1 for IP Pool Name, enter 10.1.1.
Figure 107 Configuring DHCP child address pool 2

b. Enter pool2 for IP Pool Name, 10.1.1.128 for IP Address, and 255.255.255.128 for Mask, set Lease Duration to 5 days, 0 hours, 0 minutes, and 0 seconds, and enter 10.1.1.254 for Gateway Address.
c. Click Apply.

Verifying the configuration
After the preceding configuration is complete, clients in subnets 10.1.1.0/25 and 10.1.1.128/25 can obtain corresponding IP addresses and other configuration information from the DHCP server Firewall.
Configuring an address pool on the DHCP server

Configuration task list
Task: Remarks
Creating a DHCP address pool: Required.
Configuring address allocation mode for a common address pool (Configuring static address allocation, Configuring dynamic address allocation): Required to configure either of the two for the common address pool configuration.
Required for the extended address pool configuration.
Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for such a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client.
To avoid address conflicts, configure the DHCP server to exclude IP addresses used by the gateway or FTP server from dynamic allocation. Follow these guidelines when you configure dynamic address allocation:
{ In common address pool view, using the network or network ip range command repeatedly overwrites the previous configuration.
343. Specify the IP address range.
    Command: network ip range min-address max-address
    Remarks: Not specified by default.
344. Specify the IP address mask.
    Command: network mask mask
    Remarks: Not specified by default.
345. Specify the IP address range for the DHCP clients of a specific vendor.
    Command: vendor-class-identifier hex-string&<1-255> ip range min-address max-address
    Remarks: Optional.
346. Specify the address lease duration.
    Command: expired { day day [ hour hour [ minute minute [ second second ] ] ] | unlimited }
    Remarks: Optional.
Configuring WINS servers and NetBIOS node type for the client

A Microsoft DHCP client using the NetBIOS protocol must contact a Windows Internet Naming Service (WINS) server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool. Specify a NetBIOS node type for the clients to use for name resolution. There are four NetBIOS node types:
• b (broadcast)-node—A b-node client sends the destination name in a broadcast message.
362. Enter DHCP address pool view.
    Command: dhcp server ip-pool pool-name [ extended ]
    Remarks: N/A
363. Specify gateways.
    Command: gateway-list ip-address&<1-8>
    Remarks: No gateway is specified by default. You can specify up to eight gateways in a DHCP address pool.

Configuring the TFTP server and bootfile name for the client
For the DHCP server to support client auto-configuration, specify the IP address or name of a TFTP server and the bootfile name in the DHCP address pool.
370. Specify the IP address of a server.
    Command: next-server ip-address
    Remarks: Not specified by default.

Configuring self-defined DHCP options

CAUTION: Be careful when configuring self-defined DHCP options because such configuration may affect DHCP operation.

By configuring self-defined DHCP options, you can
• Define new DHCP options. New configuration options come out with DHCP development. To support these new options, you can add them into the attribute list of the DHCP server.
Enabling DHCP

Enable DHCP to validate other DHCP configurations. To enable DHCP:
374. Enter system view.
    Command: system-view
    Remarks: N/A
375. Enable DHCP.
    Command: dhcp enable
    Remarks: Disabled by default.

Enabling the DHCP server on an interface
Perform this task to enable the DHCP server on an interface. Upon receiving a DHCP request on the interface, the DHCP server assigns an IP address and other configuration parameters from the DHCP address pool to the DHCP client.
then an IP address from the specified address pool. If no IP address is available in this address pool, address allocation fails, and the DHCP server does not assign the client any IP address from other address pools. Only an extended address pool can be applied on the interface. The address pool to be referenced must already exist. To apply an extended address pool on an interface:
379. Enter system view.
    Command: system-view
    Remarks: N/A
380. Enter interface view.
To configure IP address conflict detection:
384. Enter system view.
    Command: system-view
    Remarks: N/A
385. Specify the maximum number of ping packets to be sent for conflict detection.
    Command: dhcp server ping packets number
    Remarks: Optional. The default setting is one. The value 0 disables IP address conflict detection.
386. Configure the ping timeout time.
    Command: dhcp server ping timeout milliseconds
    Remarks: Optional. The default setting is 500 ms. The value 0 disables IP address conflict detection.
Supporting Option 82 requires configuring both the DHCP server and the relay agent (or the device enabled with DHCP snooping).

Specifying the threshold for sending trap messages

Configuration prerequisites
Before you perform the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages. For more information about the command, see System Management and Maintenance Command Reference.
Display information about bindings.
    Command: display dhcp server ip-in-use { all | ip ip-address | pool [ pool-name ] } [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display information about DHCP server statistics.
    Command: display dhcp server statistics [ | { begin | exclude | include } regular-expression ]
    Remarks: Available in any view.
Display tree organization information about address pools.
2. Configure the DHCP server:
# Enable DHCP.
[Firewall] dhcp enable
# Enable the DHCP server on GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] dhcp select server global-pool
[Firewall-GigabitEthernet0/1] quit
# Create DHCP address pool 0, and configure a static binding, DNS server and gateway in it.
[Firewall] dhcp server ip-pool 0
[Firewall-dhcp-pool-0] static-bind ip-address 10.1.1.5.
Figure 109 Network diagram

Configuration procedure
1. Specify IP addresses for interfaces. (Details not shown.)
2. Configure the DHCP server:
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Enable the DHCP server on GigabitEthernet 0/1 and GigabitEthernet 0/2.
[Firewall] dhcp server ip-pool 2
[Firewall-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[Firewall-dhcp-pool-2] expired day 5
[Firewall-dhcp-pool-2] gateway-list 10.1.1.254

Verifying the configuration
After the preceding configuration is complete, clients on networks 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and other network parameters from Firewall. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.
Verifying the configuration
After the preceding configuration is complete, Router can obtain its IP address on 10.1.1.0/24 and the PXE server addresses from Firewall. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.

Troubleshooting DHCP server configuration

Symptom
A client's IP address obtained from the DHCP server conflicts with another IP address.
Configuring the DHCP relay agent

The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.

Overview
The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment.
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
Configuring the DHCP relay agent in the Web interface

Recommended configuration procedure
394. Enabling DHCP and configuring advanced parameters for the DHCP relay agent
    Remarks: Required. Enable DHCP globally and configure advanced DHCP parameters, including unauthorized DHCP server detection and periodic refresh of dynamic client entries. By default, global DHCP is disabled.
395.
    Remarks: Required.
Figure 113 DHCP relay agent configuration page

4. Configure advanced parameters for the DHCP relay agent as described in Table 27.
5. Click Apply.

Table 27 Configuration items
Item: Description
DHCP Service: Enable or disable global DHCP.
Item: Description
Unauthorized Server Detect: Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses. With this feature enabled, the DHCP relay agent checks whether a request contains Option 54 (Server Identifier Option). If it does, the DHCP relay agent records the IP address of the DHCP server that assigned an IP address to the client, as carried in the option, and records the receiving interface.
Table 28 Configuration items
Item: Description
Server Group ID: Enter the ID of a DHCP server group. You can create up to 20 DHCP server groups.
IP Address: Enter the IP address of a server in the DHCP server group. The server IP address cannot be on the same subnet as the IP address of the DHCP relay agent. Otherwise, the client cannot obtain an IP address.

Enabling the DHCP relay agent on an interface
1. From the navigation tree, select Network > DHCP > DHCP Relay.
Configuring and displaying clients' IP-to-MAC bindings
1. From the navigation tree, select Network > DHCP > DHCP Relay. The DHCP relay agent configuration page shown in Figure 113 appears.
2. In the User Information field, click the User Information button to view static and dynamic bindings, as shown in Figure 116.
3. Click Add. The page for creating a static IP-to-MAC binding as shown in Figure 117 appears.
Figure 118 Network diagram

Configuring Firewall
You must also configure the DHCP server on Router. For more information about DHCP server configuration, see "Configuring the DHCP server."
Figure 119 Enabling the DHCP service

b. Select the Enable option in the DHCP Service field.
c. Click Apply.
3. Configure a DHCP server group:
a. In the Server Group field, click Add.

Figure 120 Creating a DHCP server group

b. Enter 1 for Server Group ID.
c. Enter 10.1.1.1 for IP Address.
d. Click Apply.
4. Enable the DHCP relay agent on GigabitEthernet 0/1:
a. In the Interface Config field, click the icon of GigabitEthernet 0/1.
Figure 121 Enabling DHCP relay agent on interface GigabitEthernet 0/1

b. Select the Enable option in the DHCP Relay field.
c. Select 1 for Server Group ID.
d. Click Apply.
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other configuration information from the DHCP server through the DHCP relay agent.

Configuring the DHCP relay agent at the CLI

DHCP relay agent configuration task list
Task: Remarks
Enabling DHCP: Required.
An IP address pool that contains the IP address of the DHCP relay agent interface must be configured on the DHCP server. Otherwise, the DHCP clients connected to the relay agent cannot obtain correct IP addresses. To enable the DHCP relay agent on an interface:
400. Enter system view.
    Command: system-view
    Remarks: N/A
401. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
402. Enable the DHCP relay agent on the current interface.
With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks by using fixed IP addresses. Upon receiving a packet from a host, the DHCP relay agent checks the source IP and MAC addresses in the packet against the recorded dynamic and static bindings.
411. Enter system view.
    Command: system-view
    Remarks: N/A
412. Enable periodic refresh of dynamic client entries.
    Command: dhcp relay security refresh enable
    Remarks: Optional. Enabled by default.
413. Configure the refresh interval.
    Command: dhcp relay security tracker { interval | auto }
    Remarks: Optional. • The default setting is auto. The auto interval is calculated by the relay agent according to the number of client entries.
418. Enable MAC address check.
    Command: dhcp relay check mac-address
    Remarks: The default setting is disabled. A DHCP relay agent changes the source MAC addresses of DHCP packets before forwarding them out. Therefore, enable MAC address check only on the DHCP relay agent directly connected to the DHCP clients. If you enable this feature on an intermediate relay agent, it may discard valid DHCP packets and the sending clients do not obtain IP addresses.
If the handling strategy of the DHCP relay agent is configured as replace, you must configure a padding format for Option 82. If the handling strategy is keep or drop, you need not configure any padding format. If the system name (sysname) is padded in sub-option 1 (node identifier) of Option 82, it must not contain spaces. Otherwise, the DHCP relay agent drops the message.
2. Configuration procedure
To configure the DHCP relay agent to support Option 82:
424. Enter system view.
• Display Option 82 configuration information on the DHCP relay agent: display dhcp relay information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about bindings of DHCP relay agents: display dhcp relay security [ ip-address | dynamic | static ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[Firewall] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] dhcp select relay
# Correlate GigabitEthernet 0/1 to DHCP server group 1.
NOTE: To use Option 82, you must also enable the DHCP server to handle Option 82.
Troubleshooting DHCP relay agent configuration
Symptom
DHCP clients cannot obtain any configuration parameters through the DHCP relay agent.
Analysis
Some problems may occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information.
Configuring DHCP client
The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. You cannot configure an interface of an aggregation group as a DHCP client. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Displaying and maintaining the DHCP client
• Display specified configuration information: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
DHCP client configuration example
Network requirements
As shown in Figure 124, Firewall contacts the DHCP server through GigabitEthernet 0/1 to obtain an IP address, DNS server address, and static route information.
[RouterA] dhcp enable
# Exclude an IP address from automatic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
2.
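The option 121 line above is a classless static route in the RFC 3442 encoding; the added Python example below (not HP's code) encodes and decodes that format so an operator can verify, or a monitoring sensor can audit, exactly which routes a DHCP server pushes to clients. The sample route is the page's own: 20.1.1.0/24 via 10.1.1.2.

```python
"""Added example (not HP's code): encode and decode DHCP Option 121
(Classless Static Route, RFC 3442), the format behind the page's
`option 121 hex 18 14 01 01 0A 01 01 02` line. Decoding what a server
sends lets you check that no unexpected route is being pushed to clients."""
import ipaddress


def encode_option121(routes) -> bytes:
    """routes: iterable of (destination network, next-hop router) strings.

    Each route is encoded as: prefix length, the significant octets of the
    destination (ceil(prefix / 8) of them), then the 4-octet router address."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)      # host bits must be zero
        sig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(payload: bytes):
    """Return [(destination network, router), ...]; malformed data raises ValueError."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length %d out of range" % plen)
        sig = (plen + 7) // 8
        if i + sig + 4 > len(payload):
            raise ValueError("route entry truncated")
        dest = payload[i:i + sig] + bytes(4 - sig)          # pad the omitted low octets
        i += sig
        router = payload[i:i + 4]
        i += 4
        # strict network: bits beyond the prefix must be zero, as RFC 3442 requires
        net = ipaddress.IPv4Network("%s/%d" % (ipaddress.IPv4Address(bytes(dest)), plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def to_cli_hex(payload: bytes) -> str:
    """Render the payload as the space-separated hex the `option 121 hex` command takes."""
    return " ".join("%02X" % b for b in payload)


def from_cli_hex(text: str) -> bytes:
    return bytes(int(tok, 16) for tok in text.split())


if __name__ == "__main__":
    payload = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(to_cli_hex(payload))                                      # 18 14 01 01 0A 01 01 02
    print(decode_option121(from_cli_hex("18 14 01 01 0A 01 01 02")))  # [('20.1.1.0/24', '10.1.1.2')]
```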
Configuring BOOTP client
BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. You cannot configure an interface of an aggregation group as a BOOTP client.
Configuring the BOOTP client at the CLI
Configuring an interface to dynamically obtain an IP address through BOOTP
433. Enter system view: system-view
434. Enter interface view: interface interface-type interface-number
435. Configure an interface to dynamically obtain an IP address through BOOTP: ip address bootp-alloc (By default, an interface does not use BOOTP to obtain an IP address.)
# Configure GigabitEthernet 0/1 to dynamically obtain an IP address by using BOOTP.
system-view
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
Configuring IPv4 DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
The DNS client comprises the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache, so the DNS client does not need to send a request to the DNS server when the same query is repeated.
Figure 127 DNS proxy networking application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.
• The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms. Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server, if it cannot find a match in the local domain name resolution table.
Static name resolution table configuration task list
• Configuring static name resolution entries: Required. By default, no name-IP address mapping exists in a static name resolution table.
Dynamic domain name resolution configuration task list
• Configuring dynamic domain name resolution: Required. This function is disabled by default.
• Configuring DNS server addresses: Required. Not configured by default.
Optional.
Figure 130 Creating a static domain name resolution entry
3. Type the name and IP address. (Each name corresponds to one IP address only. If you configure multiple IP addresses for a host name, the one last configured takes effect.)
4. Click Apply.
Configuring dynamic domain name resolution
1. From the navigation tree, select Network > DNS > Dynamic. The dynamic domain name resolution configuration page appears, as shown in Figure 131.
2. Select the Enable option for Dynamic DNS.
Configuring DNS server addresses
1. From the navigation tree, select Network > DNS > Dynamic. The dynamic domain name resolution configuration page appears, as shown in Figure 131.
2. Click Add IP. The page for configuring a DNS server address appears.
3. Enter the IP address of the DNS server.
4. Click Apply.
Figure 132 Configuring a DNS server address
Configuring domain name suffixes
1. From the navigation tree, select Network > DNS > Dynamic.
Dynamic domain name resolution configuration example
Network requirements
The IP address of the DNS server is 2.1.1.2/16 and the domain name suffix is com. Firewall, serving as a DNS client, uses dynamic domain name resolution to access the host with the domain name host.com and the IP address 3.1.1.1/16, as shown in Figure 134.
2. Create a mapping between host name and IP address:
Figure 136 Adding a host
a. In Figure 136, right-click zone com.
b. Select New Host. A dialog box as shown in Figure 137 appears.
c. Enter host name host and IP address 3.1.1.1.
d. Click Add Host.
Figure 137 Adding a mapping between domain name and IP address
Configuring the DNS client
1. Enable dynamic domain name resolution:
a. From the navigation tree, select Network > DNS > Dynamic.
Figure 138 Enabling dynamic domain name resolution
b. Select the Enable option for Dynamic DNS.
c. Click Apply.
2. Configure the DNS server address:
a. Click Add IP.
Figure 139 Configuring a DNS server address
b. Enter 2.1.1.2 for DNS Server IP Address.
c. Click Apply.
3. Configure the domain name suffix:
a. Click Add Suffix.
Figure 140 Configure the domain name suffix
b. Enter com for DNS Domain Name Suffix.
c. Click Apply.
Verifying the configuration
On the DNS client, ping the host name host:
1. From the navigation tree, select Network > Diagnostic Tools. The Ping operation page appears.
2. Enter the destination host name host.
3. Click Start.
4.
Figure 141 Result of the ping operation
Configuring IPv4 DNS at the CLI
Configuring the IPv4 DNS client
Configuring static domain name resolution
Configuring static domain name resolution refers to specifying the mappings between host names and IPv4 addresses. Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.
To configure static domain name resolution:
436. Enter system view.
1. Configuration guidelines
Follow these guidelines when you configure dynamic domain name resolution:
• You can configure up to six DNS servers, including those with IPv6 addresses, in system view, and up to six DNS servers on all interfaces of a device.
• A DNS server configured in system view has a higher priority than one configured in interface view.
• A DNS server configured earlier has a higher priority than one configured later in the same view.
2.
444. Specify a DNS server. Use at least one approach. No DNS server is specified by default.
• Approach 1 (in system view): dns server ip-address
• Approach 2 (in interface view): a. interface interface-type interface-number, then b. dns server ip-address
Configuring DNS spoofing
DNS spoofing is effective only when:
• The DNS proxy is enabled on the device.
• No DNS server or route to any DNS server is specified on the device.
• Display DNS suffixes: display dns domain [ dynamic ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display information about the dynamic IPv4 domain name cache: display dns host ip [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Clear information about the dynamic IPv4 domain name cache: reset dns host ip (Available in user view.)
round-trip min/avg/max = 1/2/4 ms
Dynamic domain name resolution configuration example
Network requirements
As shown in Figure 143, the firewall wants to access the host by using an easy-to-remember domain name rather than an IP address, and to obtain the IP address from the DNS server on the network by using dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16 and the DNS server has a com domain, which stores the mapping between domain name host and IP address 3.1.1.
Figure 144 Creating a zone
c. On the DNS server configuration page, right-click zone com, and select New Host.
Figure 145 Adding a host
d. On the page that appears, enter host name host and IP address 3.1.1.1.
e. Click Add Host. The mapping between the IP address and host name is created.
Figure 146 Adding a mapping between domain name and IP address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2.1.1.2.
[Firewall] dns server 2.1.1.2
# Configure com as the name suffix.
DNS proxy configuration example
Network requirements
When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function. As shown in Figure 147:
• Specify Firewall as the DNS server of Device (the DNS client). Firewall acts as a DNS proxy. The IP address of the real DNS server is 4.1.1.1.
• Configure the IP address of the DNS proxy on Device.
[Device] dns server 2.1.1.2
Verifying the configuration
# Execute the ping host.com command on Device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Device] ping host.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.
Configuring DDNS
Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
With the DDNS client configured, a device can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers at www.3322.org or www.oray.cn for example. The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (also known as the PeanutHull server), and www.dyndns.com.
Figure 150 Creating a DDNS entry
3. Configure DDNS as shown in Table 31.
4. Click Apply.
Table 31 Configuration items
• Domain Name: Specify the DDNS entry name, which is the only identifier of the DDNS entry.
• Server Provider: Select the DDNS server provider, which can be 3322.org or PeanutHull.
• Specify the DDNS server name. After the server provider is selected, a DDNS server name appears automatically:
• If the server provider is 3322.org, the server name is members.3322.
• Associated Interface: Select an interface to which the DDNS policy is applied. The IP address in the host name-to-IP address mapping for update is the primary IP address of the interface. IMPORTANT: You can apply at most two DDNS policies to one interface, and at most six to a host through DHCP.
• Other settings: Specify the FQDN in the IP-to-FQDN mapping for update. The FQDN is the only identifier of a node in the network.
1. Enable dynamic domain name resolution:
a. From the navigation tree, select Network > DNS > Dynamic.
Figure 152 Enabling dynamic domain name resolution
b. Select the Enable option for Dynamic DNS.
c. Click Apply.
2. Configure the DNS server address:
a. From the navigation tree, select Network > DNS > Dynamic.
b. Click Add IP.
Figure 153 Configuring the DNS server address
c. Enter 1.1.1.1 for DNS Server IP Address.
d. Click Apply.
3. Configure DDNS:
a.
Figure 154 Configuring DDNS
c. Enter 3322 for Domain Name, select 3322.org from the Server Provider list, enter steven for Username, enter nevets for Password, select GigabitEthernet0/1 from the Associated Interface list, and enter whatever.3322.org for FQDN.
d. Click Apply.
Verifying the configuration
After the preceding configuration is completed, Firewall notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.
http://username:password@members.3322.org/dyndns/update?system=dyndns&hostname=&myip=
• When a DDNS client contacts a PeanutHull DDNS server by using TCP, the URL address for update requests should be configured as: oray://username:password@phservice2.oray.net
Replace the parameters username and password in the URL with your actual login ID and password registered at the DDNS service provider's website. members.3322.org and phservice2.oray.net are the domain names of DDNS servers.
The URL address for an update request can start with http://, https://, or oray://.
• http:// indicates the HTTP-based DDNS server.
• https:// indicates the HTTPS-based DDNS server.
• oray:// indicates the TCP-based PeanutHull server.
Firewall acquires the IP address through DHCP. Through the DDNS service provided by www.3322.org, Firewall informs the DNS server of the latest mapping between its domain name and IP address. The IP address of the DNS server is 1.1.1.1. Firewall uses the DNS server to translate www.3322.org into the corresponding IP address.
Figure 155 Network diagram
DDNS configuration example 2
Network requirements
As shown in Figure 156, Firewall is a Web server with domain name whatever.gicp.cn. Firewall acquires the IP address through DHCP. Through the PeanutHull server, Firewall informs the DNS server of the latest mapping between its domain name and IP address. The IP address of the DNS server is 1.1.1.1. Firewall uses the DNS server to translate www.oray.cn into the corresponding IP address.
Figure 156 Network diagram
After the preceding configuration is completed, Firewall notifies the DNS server of its new domain name-to-IP address mapping through the PeanutHull server, whenever the IP address of Firewall changes. Therefore, Firewall can always provide Web service at whatever.gicp.cn.
Configuring ARP
This chapter describes how to configure the Address Resolution Protocol (ARP). The term "router" in this document refers to routers, routing-capable firewalls, and UTM devices.
Overview
ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.
ARP message format
ARP uses two types of messages, ARP request and ARP reply.
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B. 2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.
Creating a static ARP entry
1. From the navigation tree, select Firewall > ARP Management > ARP Table. The ARP Table configuration page shown in Figure 159 appears.
2. Click Add. The New Static ARP Entry page appears.
Figure 160 Adding a static ARP entry
3. Configure a static ARP entry as described in Table 32.
4. Click Apply.
Table 32 Configuration items
• IP Address: Enter an IP address for the static ARP entry.
Figure 161 Dynamic entry management page
2. Click Disable all to disable all interfaces in the list from learning dynamic ARP entries.
3. Select the boxes in front of the interfaces and click Disable selected to disable the selected interfaces from learning dynamic ARP entries.
4. Click Enable all to enable all interfaces in the list to learn dynamic ARP entries.
5. Select the boxes in front of the interfaces and click Enable selected to enable the selected interfaces to learn dynamic ARP entries.
Figure 163 Network diagram
Configuring Firewall
Before the following configurations, if the operating mode of interface GigabitEthernet 0/1 is router mode, select Device Management > Interface from the navigation tree and change the operating mode of the interface to bridge mode.
1. Create VLAN 10:
a. From the navigation tree, select Network > VLAN > VLAN.
b. Click Add. The VLAN configuration page appears.
c. Enter 10 for VLAN ID.
d. Click Apply.
Figure 164 Creating a VLAN
2.
Figure 165 Modifying VLAN configuration
3. Configure a security zone for interface GigabitEthernet 0/1 and VLAN 10. (Details not shown.)
4. Create VLAN-interface 10, and assign an IP address to it:
a. From the navigation tree, select Device Management > Interface.
b. Click Add.
c. Set the interface name to Vlan-interface 10, select Static Address for IP Config, enter 192.168.1.2 for IP Address, and enter 24 (255.255.255.0) for Mask.
d. Click Apply.
Figure 166 Creating an interface
5.
b. Click Add.
c. Enter 192.168.1.1 for IP Address, enter 00e0-fc01-0000 for MAC Address, select the Advanced Options box, enter 10 for VLAN ID, and select GigabitEthernet0/1 for Port.
d. Click Apply.
Figure 167 Creating an ARP entry
Configuring ARP at the CLI
Configuring a static ARP entry
A static ARP entry is effective when the device works normally.
Configuring the maximum number of dynamic ARP entries for an interface
An interface can dynamically learn ARP entries, so it may hold too many ARP entries. To solve this problem, you can set the maximum number of dynamic ARP entries that an interface can learn. When the maximum number is reached, the interface stops learning ARP entries. A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.
With this feature enabled, the device calculates the subnet address by using the default mask of the class A network where 10.10.10.5/24 resides. Because 10.10.10.5/24 is on the same class A network as 10.11.11.1/8, V LAN-interface 10 can learn the sender IP and MAC addresses in the request.
To enable natural mask support for ARP requests:
464. Enter system view: system-view
465. Enable natural mask support for ARP requests: naturemask-arp enable (Disabled by default.)
Figure 168 Network diagram
Configuration procedure
# Create VLAN 10.
system-view
[Firewall] vlan 10
[Firewall-vlan10] quit
# Add interface GigabitEthernet 0/1 to VLAN 10.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] port link-type trunk
[Firewall-GigabitEthernet0/1] port trunk permit vlan 10
[Firewall-GigabitEthernet0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
Configuring gratuitous ARP
Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.
virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
• Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
• Periodic sending of gratuitous ARP packets takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.
• If you change the interval for sending gratuitous ARP packets, the configuration is effective at the next sending interval.
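The natural mask learning rule (the 10.10.10.5/24 versus 10.11.11.1/8 case above) and gratuitous ARP recognition, as one added Python example that is not HP's code. It assumes that without natural mask support a sender is learned only if it lies in the interface's own subnet, and that receiving a gratuitous ARP for one's own address from another MAC is how the conflict surfaces on the receiving side; all ARP packets are constructed inline.

```python
"""Added example (not HP's code) for two ARP behaviours described above:
whether a VLAN interface learns the sender of an ARP request with and without
natural mask support (the page's 10.10.10.5/24 vs. 10.11.11.1/8 case), and
recognising a gratuitous ARP, including one that announces an address this
device already uses. Assumption: without natural mask support a sender is
learned only when it lies in the interface's own subnet. Packets are constructed."""
import struct
import ipaddress

ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet/IPv4 ARP body (28 bytes); MACs as 'aa:bb:..', IPs dotted."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ipaddress.IPv4Address(spa).packed
            + mac(tha) + ipaddress.IPv4Address(tpa).packed)


def parse_arp(pkt: bytes) -> dict:
    """Parse an ARP body, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sha": pkt[8:14].hex(":"),
        "spa": str(ipaddress.IPv4Address(pkt[14:18])),
        "tha": pkt[18:24].hex(":"),
        "tpa": str(ipaddress.IPv4Address(pkt[24:28])),
    }


def natural_mask(ip: str) -> int:
    """Classful default prefix length: class A /8, class B /16, class C /24."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("no natural mask for %s" % ip)


def learns_sender(iface_ip: str, iface_prefix: int, sender_ip: str,
                  naturemask_enabled: bool) -> bool:
    """Would the interface record (sender IP, sender MAC) from an ARP request?

    With naturemask-arp enable the interface's classful network is used instead
    of its configured mask, which widens the set of senders that can populate
    the ARP table; that is the trade-off the feature makes."""
    prefix = natural_mask(iface_ip) if naturemask_enabled else iface_prefix
    net = ipaddress.IPv4Network("%s/%d" % (iface_ip, prefix), strict=False)
    return ipaddress.IPv4Address(sender_ip) in net


def classify(pkt: bytes, my_ip: str, my_mac: str) -> str:
    """'gratuitous' when sender IP == target IP; 'conflict' when that IP is ours
    but the sender MAC is not (the receiving side of the conflict check above)."""
    a = parse_arp(pkt)
    if a["spa"] == a["tpa"]:
        if a["spa"] == my_ip and a["sha"] != my_mac.lower():
            return "conflict"
        return "gratuitous"
    return "request" if a["oper"] == ARP_REQUEST else "reply"


if __name__ == "__main__":
    print(learns_sender("10.10.10.5", 24, "10.11.11.1", False))   # False
    print(learns_sender("10.10.10.5", 24, "10.11.11.1", True))    # True
    garp = build_arp(ARP_REQUEST, "00:e0:fc:01:00:00", "192.168.1.1",
                     "00:00:00:00:00:00", "192.168.1.1")
    print(classify(garp, "192.168.1.1", "00:e0:fc:00:00:aa"))     # conflict
```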
Configuring proxy ARP
Proxy ARP can be configured only at the CLI.
Overview
Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
Figure 171 Application environment of local proxy ARP
Enable local proxy ARP when hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
Displaying and maintaining proxy ARP
• Display whether proxy ARP is enabled: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
• Display whether local proxy ARP is enabled: display local-proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (Available in any view.)
# Configure the IP address of interface GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/1.
[Firewall-GigabitEthernet0/1] proxy-arp enable
[Firewall-GigabitEthernet0/1] quit
After completing the preceding configurations, use the ping command to verify the connectivity between Host A and Host D.
[Switch-vlan2] port gigabitethernet 0/1
[Switch-vlan2] port gigabitethernet 0/2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/3
[Switch-GigabitEthernet0/3] port-isolate enable group 2
[Switch-GigabitEthernet0/3] interface gigabitethernet 0/1
[Switch-GigabitEthernet0/1] port-isolate enable group 2
[Switch-GigabitEthernet0/1] interface gigabitethernet 0/2
[Switch-GigabitEthernet0/2] port-isolate uplink-port group 2
2. Configure the firewall:
# Specify the IP address of GigabitEthernet 0/2.
Layer 3 forwarding configuration
NOTE: For the configurations on a switch in a network that contains firewall modules and switches, see "Configuring Layer 3 subinterface forwarding."
Layer 3 forwarding involves Layer 3 subinterface forwarding and inter-VLAN Layer 3 forwarding.
Inter-VLAN Layer 3 forwarding
If the destination MAC address of an incoming packet matches the MAC address of a VLAN interface, the firewall module removes the Layer 2 header and delivers the packet to the Layer 3 forwarding engine. The following prerequisites are necessary for inter-VLAN Layer 3 forwarding:
• The ingress interface and egress interface on the switch belong to different VLANs.
• Create two subinterfaces for the firewall module's Ten-GigabitEthernet port. Associate them with the VLANs created on the switch and set the encapsulation type as dot1q.
• Assign IP addresses for the two subinterfaces.
• Add these two subinterfaces to security zones.
NOTE: To achieve Layer 3 forwarding between VLANs, you can create these VLANs on the switch and configure the same number of subinterfaces for the Ten-GigabitEthernet interface on the firewall module.
489. Create a subinterface of the Ten-GigabitEthernet interface and enter subinterface view: interface ten-gigabitethernet interface-number.subnumber
490. Set the encapsulation type and associate the subinterface with a VLAN: vlan-type dot1q vid vid (The subinterface receives packets with the vid.)
491. Assign an IP address to the subinterface: ip address ip-address { mask | mask-length } [ sub ] (By default, no IP address is configured for the subinterface.)
• Approach 1 a.
Displaying and maintaining Layer 3 subinterface forwarding
• Display brief interface information: display brief interface [ interface-type [ interface-number | interface-number.subnumber ] ] [ | { begin | include | exclude } text ] (Available in any view.)
• Display interface/subinterface state and related information: display interface [ interface-type [ interface-number | interface-number.subnumber ] ] (Available in any view.)
• Clear interface/subinterface statistics.
Configure the ports of the switch
497. Enter system view: system-view
498. Create a VLAN and enter VLAN view: vlan vlan-id
499. Assign access ports to the VLAN: port interface-list (By default, all ports belong to VLAN 1.)
500. Create another VLAN and enter VLAN view: vlan vlan-id
501. Assign access ports to the VLAN: port interface-list (By default, all ports belong to VLAN 1.)
502.
515. Add the interface and the VLAN interface to a security zone. Use either approach. This zone is for incoming packets.
• Approach 1:
a. Enter security zone view from system view: zone name zone-name [ id zone-id ]
b. Add the subinterface to the security zone: import interface interface-type interface-number [ vlan vlan-id ]
• Approach 2: Enter the Web page and select System > Zone.
Displaying and maintaining inter-VLAN Layer 3 forwarding
• Display brief interface information: display brief interface [ interface-type [ interface-number | interface-number.subnumber ] ] [ | { begin | include | exclude } text ] (Available in any view.)
• Display interface/subinterface state and related information: display interface [ interface-type [ interface-number | interface-number.subnumber ] ] (Available in any view.)
• Clear interface/subinterface statistics.
Figure 175 Network diagram for Layer 3 subinterface forwarding
Configuration procedure
1. Configure the ports on the switch.
# Create VLAN 102 and VLAN 103. Assign GigabitEthernet 3/0/1 to VLAN 102 and GigabitEthernet 3/0/2 to VLAN 103.
[Firewall-zone-Trust] quit
# Add Ten-GigabitEthernet 0/0.2 to security zone Untrust.
[Firewall] zone name Untrust
[Firewall-zone-Untrust] import interface ten-gigabitethernet 0/0.2
Inter-VLAN Layer 3 forwarding configuration example
Network requirements
As shown in Figure 176, traffic between GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 is filtered by a firewall module, and inter-VLAN Layer 3 forwarding needs to be configured.
# Configure the link type of Ten-GigabitEthernet 2/0/1 as trunk. Assign the port to VLAN 102 and VLAN 103.
[Switch] interface ten-gigabitethernet 2/0/1
[Switch-Ten-GigabitEthernet2/0/1] port link-type trunk
[Switch-Ten-GigabitEthernet2/0/1] port trunk permit vlan 102 103
2. Configure the firewall module.
# Create VLAN 102 and VLAN 103.
system-view
[Firewall] vlan 102 to 103
# Configure the operating mode of Ten-GigabitEthernet 0/0 as Layer 2.
Configuring flow classification
Overview
Flow classification organizes packets with different characteristics into different classes by using certain match criteria. It is the basis for providing differentiated services. For a multi-core device, the control plane and data plane run on different kernels and threads respectively. The data plane processes packets based on flows. A flow identifies packets with the same characteristics (identical quintuple) and processing procedure.
QoS overview
In data communications, Quality of Service (QoS) is a network's ability to provide differentiated service guarantees for diversified traffic in terms of bandwidth, delay, jitter, and drop rate. Network resources are scarce. The contention for resources requires that QoS prioritize important traffic flows over trivial ones. For example, when bandwidth is fixed, more bandwidth for one traffic flow means less bandwidth for the other traffic flows.
QoS techniques overview
The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance. The following section briefly introduces these QoS techniques.
perform traffic policing for incoming traffic, traffic shaping for outgoing traffic, congestion avoidance before congestion occurs, and congestion management when congestion occurs.
Non-MQC approach
In the non-MQC approach, you configure QoS service parameters without using a QoS policy. For example, you can use the line rate feature to set a rate limit on an interface without using a QoS policy.
Traffic policing
Traffic policing limits the traffic rate and resource usage according to traffic specifications. Once a particular flow exceeds its specifications, such as assigned bandwidth, the flow is policed to make sure it is under the specifications.
Figure 179 Traffic policing
Traffic policing is widely used in policing traffic entering the networks of ISPs. It can classify the policed traffic and take predefined policing actions on each packet depending on the evaluation result, for example:
• Forwarding the packet if the evaluation result is "conforming."
• Dropping the packet if the evaluation result is "excess."
Line rate
Line rate also uses token buckets to evaluate traffic specifications for traffic control.
Figure 180 Line rate implementation In the token bucket approach to traffic control, bursty traffic can be transmitted as long as enough tokens are available in the token bucket. If tokens are inadequate, packets cannot be transmitted until the system generates the required number of tokens in the token bucket. The traffic rate is restricted to the rate for generating tokens. The traffic rate is limited, and bursty traffic is allowed.
Recommended QoS policy configuration procedure

Step 16. Configuring a class
Remarks: Optional. This task creates a class and configures classification rules for the class. The system-defined classes include default-class, ef, af1, af2, af3, af4, ip-prec0, ip-prec1, ip-prec2, ip-prec3, ip-prec4, ip-prec5, ip-prec6, ip-prec7, mpls-exp0, mpls-exp1, mpls-exp2, mpls-exp3, mpls-exp4, mpls-exp5, mpls-exp6, and mpls-exp7. You cannot modify or delete a system-defined class.

Hardware               System-defined classes compatible
U200-A                 No
U200-S                 No

Table 35 System-defined traffic behaviors and hardware compatibility
Hardware               System-defined traffic behaviors compatible
F1000-A-EI/F1000-S-EI  No
F1000-E                Yes
F5000                  Yes
Firewall module        Yes
U200-A                 No
U200-S                 No

Table 36 System-defined policy and hardware compatibility
Hardware               System-defined policy compatible
F1000-A-EI/F1000-S-EI  No
F1000-E                Yes
F5000                  Yes
Firewall module        Yes
U200-A                 No
U200-S                 No

Configuring a class
Figure 181 Classes

2. Click Add to enter the page for creating a class.

Figure 182 Creating a class

3. Configure the class name and the operation type as described in Table 37.
4. Click Apply.

Table 37 Configuration items
Item: Classifier Name
Description: Specify a name for the classifier to be created. Make sure the name is different from those of the system-defined classifiers, if any.
Item: Operation Type
Description: Specify the logical relationship between rules in the classifier:
• And—Specifies the relationship between the rules in a class as logical AND. The device considers a packet as belonging to a class only when the packet matches all the rules in the class.
• Or—Specifies the relationship between the rules in a class as logical OR. The device considers a packet as belonging to a class as long as the packet matches one of the rules in the class.

Figure 184 Creating a classification rule for a class

3. Configure the classification rule as described in Table 38.
4. Click Apply.

Table 38 Configuration items
Item: Classifier Name
Description: Displays the name of the class you are configuring.
Item: ACL
Description: Define an ACL-based match criterion, and specify the ACL by number. You can select or enter an ACL number. The available ACLs are those configured in Firewall > ACL.
Configuring a traffic behavior

To configure a traffic behavior, create it first, and then configure actions for it.

Creating a traffic behavior

1. Select Firewall > QoS > Behavior from the navigation tree to enter the behavior displaying page.

Figure 185 Behavior configuration page

2. Click Add to enter the page for creating a behavior.

Figure 186 Creating a behavior

3. Specify a name for the traffic behavior. Make sure the name is different from those of the system-defined traffic behaviors, if any.
4. Click Apply.

Configuring actions for the traffic behavior

1. Click the icon in the Operation column for the traffic behavior to be configured.

Figure 187 Configuring actions for a traffic behavior

2. Configure actions for the behavior as described in Table 39.
3. Click Apply.
4. Click Close when the dialog box prompts that the configuration succeeds.

Table 39 Configuration items
Item: Behavior Name
Description: Name of the traffic behavior being configured.
Item: CAR
Description: Configure CAR for data packets.
  Enable/Disable: Enable or disable CAR.
  CIR: Set the CIR, the average traffic rate.
  CBS: Set the CBS, the number of bits that can be sent in each interval. For bursty traffic to be handled effectively, make sure the ratio of CBS to CIR is at least 100:16.
Item: WFQ
Description: Configure WFQ by entering the total number of fair queues, which must be a power of two. A traffic behavior configured with WFQ can only be associated with a system-defined class.
Item: Filter
Description: Configure the packet filtering action for data packets:
• Permit—Forwards the packet.
• Deny—Drops the packet.
• Not Set—Cancels the packet filtering action.

Configuring a policy

To configure a policy, create it first and then configure class-behavior associations for it.
3. Enter a policy name. Make sure the name is different from those of the system-defined policies, if any.
4. Click Apply.

Associating the classifier and the behavior in the policy

1. Select the policy to be configured from the Policy Name list.

Figure 190 Selecting a policy name

2. Click Add Relation.

Figure 191 Associating a classifier with a behavior

3. Associate a class with a behavior.

Figure 192 QoS policies applied to interfaces

2. Click Apply Policy to enter the page for applying a QoS policy to an interface.

Figure 193 Applying a QoS policy to an interface

3. Apply the QoS policy to an interface as described in Table 40.
4. Click Apply.

Table 40 Configuration items
Item: Interface Name
Description: Specify the interface to which the policy is to be applied.
Item: Policy Name
Description: Select the QoS policy to be applied.
Specify the direction in which the policy is to be applied.

Hardware               Feature compatible
U200-A                 Yes
U200-S                 Yes

Configuring port bandwidth limit is to set the maximum available bandwidth on a port. This setting is used in place of the actual physical port bandwidth for the bandwidth check when CBQ enqueues packets. If no maximum available bandwidth is configured for an interface, the bandwidth used for CBQ calculation varies by the interface type following these rules:
• If the interface is a physical one, the actual baudrate or rate applies.
Configuring a QoS policy at the CLI

Figure 195 shows how to configure a QoS policy.

Figure 195 QoS policy configuration procedure

Defining a class

Step 21. Enter system view.
Command: system-view
Remarks: N/A
Step 22. Create a class and enter class view.
Command: traffic classifier classifier-name [ operator { and | or } ]
Remarks: The operator of a class can be AND or OR. By default, the operator of a class is AND.

Defining a policy

Configuring a policy

You associate a behavior with a class in a QoS policy to perform the actions defined in the behavior for the class of packets. To associate a class with a behavior in a policy:
Step 27. Enter system view.
Command: system-view
Remarks: N/A
Step 28. Create a policy and enter policy view.
Command: qos policy policy-name
Remarks: N/A
Step 29. Associate a class with a behavior in the policy.

Displaying and maintaining QoS policies

Task: Display traffic class configuration.
Command: display traffic classifier { system-defined | user-defined } [ classifier-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display traffic behavior configuration.
Command: display traffic behavior { system-defined | user-defined } [ behavior-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Figure 196 Configuring line rate on a port

3. Configure the line rate as described in Table 42.
4. Click Apply.

Table 42 Configuration items
Item: Please select an interface type
Description: Select the interface type to be configured with line rate.
Item: Rate Limit
Description: Enable or disable line rate on the specified port.
Item: Direction
Description: Select a direction in which the line rate is to be applied.
• Inbound—Limits the rate of packets received on the specified port.
QoS configuration examples

CAR configuration example

Network requirements

As shown in Figure 197, Server and Host can access the Internet through Firewall. Perform traffic control on GigabitEthernet 0/1 of Firewall for traffic received from Server and Host, respectively.
• Limit the rate of traffic from Server to 54 kbps: transmit the conforming traffic but drop the exceeding traffic.

f. Click Add.
g. Select Permit from the Operation list. Select the Source IP Address box, enter 1.1.1.1 as the source IP address, and 0.0.0.0 as the source wildcard.
h. Click Apply.

Figure 199 Configuring rules for ACL 2000

2. Configure ACL 2001 to match traffic from Host:
a. Click Back on the page displaying the rules of ACL 2000.
b. Click Add.
c. Enter 2001 as the ACL number.
d. Click Apply.
e. Click the icon for ACL 2001 on the ACL list.
f. Click Add.
g. Select Permit from the Operation list.
h. Click Apply.

Figure 201 Configuring rules for class classifier_server

4. Create a class named classifier_host, and reference ACL 2001 in the class:
a. Click Back on the page displaying the rules of class classifier_server.
b. Click Add.
c. Enter classifier_host as the classifier name.
d. Click Apply.
e. Click the icon for classifier_host on the classifier list.
f. Click Add.
g. Select the ACL option, and then select 2001 from the list.
h. Click Apply.
5.
The configuration progress dialog box appears.
h. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 203 Configuring actions for behavior behavior_server

6. Create a behavior named behavior_host, and configure CAR for the behavior:
a. On the page displaying behaviors, click Add.
b. Enter behavior_host as the behavior name.
c. Click Apply.
d. Click the icon for behavior_host on the behavior list.
e. Select the CAR box. Enter 8 in the CIR field.

a. Select Firewall > QoS > Policy from the navigation tree.
b. Click Add.
c. Enter policy as the policy name.
d. Click Apply.

Figure 204 Creating a policy named policy

e. Select policy from the Policy Name list.
f. Click Add Relation.
g. Select classifier_server from the Classifier Name list. Select behavior_server from the Behavior Name list.
h. Click Apply.

Figure 205 Configuring class-behavior associations for the policy named policy

i. Select policy from the Policy Name list.
j.
Figure 206 Applying the policy named policy to the incoming packets of GigabitEthernet 0/1

Priority marking configuration example

Network requirements

As shown in Figure 207, the enterprise network of a company interconnects hosts with servers through Firewall. The network is described as follows:
• Host A and Host B are connected to GigabitEthernet 0/1 of Firewall.
• The data server, mail server, and file server are connected to GigabitEthernet 0/2 of Firewall.

Figure 208 Creating ACL 3000

e. Click the icon for ACL 3000 on the ACL list.
f. Click Add.
g. Select Permit in the Operation list.
h. Select the Destination IP Address box, and enter IP address 192.168.0.1 and destination wildcard 0.0.0.0.
i. Click Apply.

Figure 209 Configuring rules for ACL 3000

2. Configure ACL 3001 to match packets with destination address 192.168.0.2:
a. Click Back on the page displaying the rules of ACL 3000.
b. Click Add.
c. Enter the ACL number 3001.
d. Click Apply.
e. Click the icon for ACL 3001 on the ACL list.
f. Click Add.
g. Select Permit in the Operation list. Select the Destination IP Address box, and enter IP address 192.168.0.2 and destination wildcard 0.0.0.0.
h. Click Apply.
3. Configure ACL 3002 to match packets with destination address 192.168.0.3:
a. Click Back on the page displaying the rules of ACL 3001.
b. Click Add.
c. Enter the ACL number 3002.
d. Click Apply.
e. Click the icon
f.

Figure 211 Configuring rules for class classifier_dbserver

5. Configure class classifier_mserver to match packets based on ACL 3001:
a. Click Back on the page displaying the rules of class classifier_dbserver.
b. Click Add.
c. Enter the class name classifier_mserver.
d. Click Apply.
e. Select classifier_mserver on the classifier list and click its icon.
f. Click Create.
g. Select the ACL option and select ACL 3001.
h. Click Apply.
6.

Figure 212 Creating traffic behavior behavior_dbserver

e. Click the icon for behavior_dbserver on the behavior list.
f. Select the Dot1p box, and then select 4 in its list.
g. Click Apply. The configuration progress dialog box appears.
h. Click Close when the progress dialog box prompts that the configuration succeeds.

Figure 213 Configuring actions for traffic behavior behavior_dbserver

8. Configure traffic behavior behavior_mserver to mark packets with local precedence 3:
a.
b. Click Add.
c. Enter the behavior name behavior_mserver.
d. Click Apply.
e. Click the icon for behavior_mserver on the behavior list.
f. Select the Dot1p box, and then select 3 in its list.
g. Click Apply. The configuration progress dialog box appears.
h. Click Close when the progress dialog box prompts that the configuration succeeds.
9. Configure traffic behavior behavior_fserver to mark packets with local precedence value 2:
a. On the page displaying traffic behaviors, click Add.
b.

Figure 215 Configuring class-behavior associations for policy policy_server

i. Select policy_server from the Policy Name list above the policy list.
j. Click Add Relation.
k. Select class_mserver in the Classifier Name list. Select behavior_mserver in the Behavior Name list.
l. Click Apply.
m. Select policy_server from the Policy Name list above the policy list.
n. Click Add Relation.
o. Select class_fserver in the Classifier Name list. Select behavior_fserver in the Behavior Name list.
p.
Figure 217 Network diagram

Configuring the firewall

1. Create ACL 3000, and configure a rule to match packets whose TCP source port is not 21:
a. Select Firewall > ACL from the navigation tree.
b. Click Add.
c. Enter 3000 as the ACL number.
d. Click Apply.

Figure 218 Creating ACL 3000

Click the icon for ACL 3000 on the ACL list.
a. Click Add.
b. Select Permit from the Operation list. Select 6 TCP from the Protocol list.

Figure 219 Configuring rules for ACL 3000

2. Create a class named classifier_1, and reference ACL 3000 in the class:
a. Select Firewall > QoS > Classifier from the navigation tree.
b. Click Add.
c. Enter classifier_1 as the classifier name.
d. Click Apply.

Figure 220 Creating a class named classifier_1

Click the icon for classifier_1 on the classifier list.
a. Click Add.
b. Select the ACL option, and then select 3000 from the list.
c. Click Apply.

Figure 221 Configuring rules for class classifier_1

3. Create a behavior named behavior_1, and configure the packet filtering action for the behavior to drop packets:
a. Select Firewall > QoS > Behavior from the navigation tree.
b. Click Add.
c. Enter behavior_1 as the behavior name.
d. Click Apply.

Figure 222 Creating a traffic behavior named behavior_1

Click the icon for behavior_1 on the behavior list.
a. Select the Packet Filter box, and then select Deny.
b. Click Apply.

Figure 223 Configuring actions for behavior behavior_1

4. Create a policy named policy, and configure class-behavior associations in the policy:
a. Select Firewall > QoS > Policy from the navigation tree.
b. Click Add.
c. Enter policy as the policy name.
d. Click Apply.

Figure 224 Creating a policy named policy

Select policy from the Policy Name list.
a. Click Add Relation.
b. Select classifier_1 from the Classifier Name list. Select behavior_1 from the Behavior Name list.
c. Click Apply.

Figure 225 Configuring class-behavior associations for the policy named policy

5. Apply the policy named policy to the incoming packets of GigabitEthernet 0/1:
a. Select Firewall > Traffic Policing > Apply from the navigation tree.
b. Click Apply Policy.
c. Select GigabitEthernet 0/1 from the Interface Name list. Select policy from the Policy Name list.
Configuring traffic policing

Overview

Traffic policing, traffic shaping, and line rate are QoS techniques that help assign network resources, such as bandwidth. They increase network performance and user satisfaction. For example, you can configure a flow to use only the resources committed to it in a certain time range. This avoids network congestion caused by burst traffic. Traffic policing limits the traffic rate and resource usage according to traffic specifications.

• EBS—Size of bucket E, which specifies the transient burst of traffic that bucket E can forward.
CBS is implemented with bucket C, and EBS with bucket E. In each evaluation, packets are measured against the following bucket scenarios:
• If bucket C has enough tokens, packets are colored green.
• If bucket C does not have enough tokens but bucket E has enough tokens, packets are colored yellow.
• If neither bucket C nor bucket E has sufficient tokens, packets are colored red.
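Added example (not from the guide and not the device's implementation): a two-bucket CAR evaluator in Python that applies the three coloring rules above (bucket C sized CBS, bucket E sized EBS, tokens earned at CIR) and the green-pass/red-discard actions used in the Web CAR list example, with bucket E sized 0 giving the single-bucket line rate behaviour described earlier. Token replenishment (buckets start full, tokens fill C first and overflow into E) is an assumption modelled on RFC 2697, since the guide only states the coloring rules; units (bits per second for CIR, bytes for CBS, EBS and packet sizes) and the class and function names are also assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class TwoBucketPolicer:
    """CAR evaluation with bucket C (CBS) and bucket E (EBS), tokens earned at CIR."""
    cir_bps: float           # committed information rate, bits per second (assumed unit)
    cbs_bytes: int           # size of bucket C, bytes (assumed unit)
    ebs_bytes: int           # size of bucket E, bytes; 0 means "no bucket E" (line rate case)
    tokens_c: float = field(init=False)
    tokens_e: float = field(init=False)
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        # Assumption: both buckets start full.
        self.tokens_c = float(self.cbs_bytes)
        self.tokens_e = float(self.ebs_bytes)

    def _replenish(self, now: float) -> None:
        """Add the tokens generated at CIR since the previous evaluation."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        earned = self.cir_bps / 8.0 * elapsed          # bytes earned since last packet
        # Assumption (modelled on RFC 2697 srTCM): fill C first, overflow into E.
        self.tokens_c += earned
        if self.tokens_c > self.cbs_bytes:
            overflow = self.tokens_c - self.cbs_bytes
            self.tokens_e = min(float(self.ebs_bytes), self.tokens_e + overflow)
            self.tokens_c = float(self.cbs_bytes)

    def evaluate(self, now: float, size_bytes: int) -> str:
        """Colour one packet: green (C has enough), yellow (only E has enough), red (neither)."""
        self._replenish(now)
        if self.tokens_c >= size_bytes:
            self.tokens_c -= size_bytes
            return "green"
        if self.tokens_e >= size_bytes:
            self.tokens_e -= size_bytes
            return "yellow"
        return "red"


# Actions as in the Web CAR list example: green is passed, red is discarded.
# Yellow passing by default is an assumption; the guide's example sets no yellow action.
DEFAULT_ACTIONS = {"green": "pass", "yellow": "pass", "red": "discard"}


def police(packets, policer: TwoBucketPolicer, actions=DEFAULT_ACTIONS):
    """Evaluate (arrival_time_s, size_bytes) packets in order; return (colour, action) pairs."""
    return [(colour, actions[colour])
            for colour in (policer.evaluate(t, size) for t, size in packets)]


if __name__ == "__main__":
    # Constructed burst: four packets at t=0, then three more two seconds later.
    sample = [(0.0, 1000), (0.0, 1000), (0.0, 100), (0.0, 500), (2.0, 1500), (2.0, 900), (2.0, 1)]
    for pkt, verdict in zip(sample, police(sample, TwoBucketPolicer(8000, 1500, 1000))):
        print(pkt, verdict)
```

With CIR 8000 bit/s the device earns 1000 bytes of tokens per second, so the second burst at t=2 s is judged against refilled buckets while the first burst exhausts C, then E, then turns red.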
Configuring traffic policing in the Web interface

Recommended traffic policing configuration procedure

Step 33. Creating a CAR list
Remarks: Required. Create an IP network segment-based CAR list.
Step 34. Applying a CAR list to an interface
Remarks: Required. Apply the CAR policy to the specified interface. You can configure multiple CAR policies on an interface, and these CAR policies are executed in the order they are configured.

Creating a CAR list

1.

Table 43 Configuration items
Item: CAR List Index
Description: Specify the CAR list index.
Item: IP Type
Description: Configure a source IP-based CAR list or destination IP-based CAR list.
Item: IP Set
Description: Define the way of specifying a set of IP addresses. Two options are available:
• Subnet—Specifies a network segment by specifying an IP address and a subnet mask.
• IP Range—Specifies an IP address range by specifying a start IP address and an end IP address.
Item: IP Address
Description: Specify an IP address and a subnet mask.

Figure 231 Applying a CAR list to an interface

3. Apply the CAR list to an interface as described in Table 44.
4. Click Apply.

Table 44 Configuration items
Item: Interface Name
Description: Specify the interface to which a CAR list is to be applied.
Item: Direction
Description: Specify the direction in which a CAR list is to be applied.
• Inbound—Applies the CAR list to the packets received on the specified interface.
• Outbound—Applies the CAR list to the packets sent out of the specified interface.
Description: Set the CIR. If you apply an IP network segment-based CAR list to an interface, the CIR you defined takes on different meanings depending on the configuration of the per-IP address rate limiting function and the shared bandwidth mode for the CAR list.
• If the per-IP address rate limiting function is not enabled, the CIR specifies the total bandwidth for the network segment and is allocated to each IP address based on its traffic size.
Figure 232 Network diagram

Configuring the firewall

1. Configure a CAR list:
a. Select Firewall > Traffic Policing > CAR List from the navigation tree.
b. Click Add.
c. Enter 1 as the CAR list index.
d. Select Source IP from the IP Type list.
e. Select IP Range from the IP Set list.
f. Enter 2.1.1.1 as the start IP address.
g. Enter 2.1.1.100 as the end IP address.
h. Select Enable from the Limit Rate Per IP Address list.
i. Select Enable from the Share Bandwidth list.
j. Click Apply.

d. Select Inbound from the Direction list.
e. Enter 1 in the CAR List Index field.
f. Enter 50 in the CIR field.
g. Select the Pass option for Green.
h. Select the Discard option for Red.
i. Click Apply.

Figure 234 Applying the CAR list to the interface

Configuring traffic policing at the CLI

Configure traffic policing by using either the policy approach or the non-policy approach.

Step 43. Associate the class with the traffic behavior in the QoS policy.
Command: classifier classifier-name behavior behavior-name
Step 44. Return to system view.
Command: quit
Step 45. Apply the QoS policy to an interface.
Command: See "Applying the QoS policy to an interface."

Configuring traffic policing by using the non-policy approach

Configuring CAR-list-based traffic policing

Step 46. Enter system view.
Command: system-view
Remarks: N/A
Step 47. Configure a CAR list.

Step 56. Configure a CAR action for all traffic on the interface.
Command: qos car { inbound | outbound } any cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action ] [ red action ]
Remarks: N/A

Displaying and maintaining traffic policing

Task: Display CAR list information.
Command: display qos carl [ carl-index ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display the CAR information on the specified interface.

Figure 235 Network diagram

Configuration procedure

1. Configure Firewall:
# Configure GTS on GigabitEthernet 0/3, shaping the packets when the sending rate exceeds 500 kbps to decrease the packet loss rate of GigabitEthernet 0/1 of Router.
system-view
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] qos gts any cir 500
[Firewall-GigabitEthernet0/3] quit
# Configure ACLs to permit the packets from Server and Host A.
Basic forwarding on the device

Upon receiving a packet, a device uses the destination IP address of the packet to find a match in the forwarding information base (FIB) table, and uses the matching entry to forward the packet.

FIB table

A router selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next-hop IP address and output interface for packets destined for a specific subnet or host.

Task: Display FIB information matching the specified destination IP address.
Command: display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
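Added example (not from the guide and not the device's code): a minimal FIB in Python that performs the destination lookup described above, preferring the longest matching prefix, and accepts a destination with either a dotted mask or a mask length in the way the display fib command's `ip-address [ mask | mask-length ]` form does. The entries are constructed from the two static routes configured on Firewall B in the static routing example plus an assumed host route and an assumed default route (0.0.0.0/0); interface names, next hops for the assumed routes, and the `Fib` and `FibEntry` names are assumptions. A destination that matches no entry when no default route exists is discarded, as the default route section states.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network   # destination subnet or host
    next_hop: str                   # next-hop IP address
    interface: str                  # output interface


def parse_prefix(address: str, mask=None) -> ipaddress.IPv4Network:
    """Build a prefix from 'a.b.c.d' plus a dotted mask or a mask length.
    With no mask the address is treated as a host route (/32)."""
    if mask is None:
        return ipaddress.IPv4Network(f"{address}/32")
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)


class Fib:
    """Forwarding table: the longest matching prefix wins; 0.0.0.0/0 is the default route."""

    def __init__(self) -> None:
        self.entries: List[FibEntry] = []

    def add(self, address: str, mask, next_hop: str, interface: str) -> None:
        self.entries.append(FibEntry(parse_prefix(address, mask), next_hop, interface))
        # Keep longest prefixes first so the first hit in lookup() is the most specific.
        self.entries.sort(key=lambda e: e.prefix.prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[FibEntry]:
        addr = ipaddress.IPv4Address(destination)
        for entry in self.entries:
            if addr in entry.prefix:
                return entry
        return None   # no matching entry and no default route

    def forward(self, destination: str):
        """Forwarding decision as (action, next_hop, interface); unmatched packets are discarded."""
        entry = self.lookup(destination)
        if entry is None:
            return ("discard", None, None)
        return ("forward", entry.next_hop, entry.interface)


def sample_fib(with_default: bool = True) -> Fib:
    """Constructed table: Firewall B's two static routes from the static routing example,
    an assumed /32 host route to show longest-prefix match, and an assumed default route."""
    fib = Fib()
    fib.add("1.1.2.0", "255.255.255.0", "1.1.4.1", "GE0/1")   # dotted mask form
    fib.add("1.1.3.0", 24, "1.1.5.6", "GE0/2")                # mask-length form
    fib.add("1.1.2.2", None, "1.1.4.9", "GE0/3")              # assumed host route
    if with_default:
        fib.add("0.0.0.0", "0.0.0.0", "1.1.5.5", "GE0/4")     # assumed default route
    return fib


if __name__ == "__main__":
    fib = sample_fib()
    for dst in ("1.1.2.7", "1.1.2.2", "1.1.3.200", "8.8.8.8"):
        print(dst, fib.forward(dst))
    print("8.8.8.8 without default route:", sample_fib(with_default=False).forward("8.8.8.8"))
```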
Configuring IP forwarding mode

Feature and hardware compatibility

Hardware               Traffic forwarding mode compatible
F1000-A-EI/F1000-S-EI  No
F1000-E                Yes
F5000                  No
Firewall module        Yes
U200-A                 Yes
U200-S                 Yes

Overview

The device supports two IP forwarding modes: flow-based and packet-based.

IP routing basics

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. IP routing directs IP packet forwarding on routers based on a routing table. A router maintains at least two routing tables: a global routing table and a FIB. The FIB table contains only the optimal routes, and the global routing table contains all routes. The router uses the FIB table to forward packets. For more information about the FIB table, see Appendix Protocol References.

Configuring static routing

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. Static routes are manually configured. If a network's topology is simple, you only need to configure static routes for the network to work properly. Static routes cannot adapt to network topology changes. If a fault or a topological change occurs in the network, the network administrator must modify the static routes manually.

Table 46 Configuration items
Item: Destination IP Address
Description: Enter the destination IP address in dotted decimal notation.
IMPORTANT: You can enter 0.0.0.0 for both Destination IP Address and Mask to configure a default route. A default route is used to forward packets that match no route entry in the routing table.
Item: Mask
Description: Enter the destination IP address mask.
Item: Next Hop
Description: Enter the next hop IP address in dotted decimal notation.
Item: Outbound Interface
Description: Enter the outbound interface.
c. Enter 0.0.0.0 as the destination IP address, select 0.0.0.0 from the mask list, and enter 1.1.4.2 as the next hop.
d. Click Apply.

Figure 239 Configuring a static route on Device A

4. Configure a static route to Device A and a static route to Device C on Device B:
a. Select Network > Routing Management > Static Routing from the navigation tree.
b. Click Add.
c. Enter 1.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 1.1.4.1 as the next hop.
d. Click Apply.

Ping statistics for 1.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
2. Traceroute Host A on Host B:
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.2 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  1.1.6.1
  2    <1 ms    <1 ms    <1 ms  1.1.4.1
  3     1 ms    <1 ms    <1 ms  1.1.2.2
Trace complete.

Step 61. Configure the default preference for static routes.
Command: ip route-static default-preference default-preference-value
Remarks: Optional. 60 by default.
Step 62. Delete all static routes, including the default route.
Command: delete [ vpn-instance vpn-instance-name ] static-routes all
Remarks: Optional. To delete one static route, use the undo ip route-static command.
Step Command Remarks
• Approach 1:
Step 64. Configure BFD control mode for a static route.

Step Command Remarks
• Approach 1:
Step 69. Configure BFD echo mode for a static route.
system-view
[FirewallB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[FirewallB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
# Configure a default route on Firewall C.
system-view
[FirewallC] ip route-static 0.0.0.0 0.0.0.0 1.1.5.5
3. Configure the default gateways of Host A, Host B, and Host C as 1.1.2.3, 1.1.6.1, and 1.1.3.1. (Details not shown.)
4. Verify the configuration:
# Display the IP routing table on Firewall A.

Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Reply from 1.1.2.2: bytes=32 time=1ms TTL=126
Ping statistics for 1.1.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Use the tracert command on Host B to test the reachability of Host A.
C:\Documents and Settings\Administrator>tracert 1.1.2.2
Tracing route to 1.1.2.

Figure 241 Network diagram
Device       Interface   IP address        Device       Interface   IP address
Firewall A   GE 1/1      12.1.1.1/24       Firewall B   GE 1/1      12.1.1.2/24
             GE 1/2      10.1.1.102/24                  GE 1/2      13.1.1.1/24
Router       GE 1/1      10.1.1.100/24
             GE 1/2      13.1.1.2/24

Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure static routes and BFD:
# Configure static routes on Firewall A and enable BFD control mode for the static route that traverses the Layer 2 switch.

[Router] ip route-static 121.1.1.0 24 gigabitethernet 1/1 10.1.1.102
3. Verify the configuration:
# Display BFD sessions on Firewall A.
display bfd session
 Total Session Num: 1          Init Mode: Active
 Session Working Under Ctrl Mode:
 LD/RD   SourceAddr   DestAddr   State   Holdtime   Interface
 4/7     12.1.1.1     12.1.1.2   Up      2000ms     GigabitEthernet1/1
The output shows that the BFD session has been created.
# Display static routes on Firewall A.

Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GE1/2

Static Routing table Status : < Inactive>
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  60   0     12.1.1.2     GE1/1
The output shows that Firewall A communicates with Firewall B through Router.
Figure 242 Network diagram
Device Interface IP address Device Interface IP address Firewall A GE1/1 12.1.1.1/24 Firewall B GE1/1 11.1.1.2/24 GE1/2 10.1.1.102/24 GE1/2 13.1.1.1/24 Loop1 2.2.2.9/32 GE1/1 12.1.1.2/24 GE1/2 11.1.1.1/24 Router A Loop1 1.1.1.9/32 GE1/1 10.1.1.100/24 GE1/2 13.1.1.2/24 Router B

Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)
2.

# Configure static routes on Router A.
system-view
[RouterA] ip route-static 120.1.1.0 24 gigabitethernet 1/2 13.1.1.1
[RouterA] ip route-static 121.1.1.0 24 gigabitethernet 1/1 10.1.1.102
# Configure static routes on Router B.
system-view
[RouterB] ip route-static 120.1.1.0 24 gigabitethernet 1/2 11.1.1.2
[RouterB] ip route-static 121.1.1.0 24 gigabitethernet 1/1 12.1.1.1
3. Verify the configuration:
# Display the BFD session information on Firewall A.

Public Routing Table : Static
Summary Count : 2

Static Routing table Status :
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GE1/2

Static Routing table Status :
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  60   0     2.2.2.9
The output shows that Firewall A communicates with Firewall B through Router A.
Configuring a default route

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. A default route is used to forward packets that match no entry in the routing table. Without a default route, a packet that does not match any routing entry is discarded. A default route can be configured in either of the following ways:
• The network administrator can configure a default route with both destination and mask being 0.0.0.0.

Configuring RIP

The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. Routing Information Protocol (RIP) is a simple distance-vector interior gateway protocol suited to small-sized networks. It uses UDP port 520 to exchange route information. RIP uses a hop count to measure the distance to a destination. The hop count from a router to a directly connected network is 0. The hop count from a router to a directly connected router is 1.

2. Configure RIP globally as described in Table 47.
3. Click Apply.

Table 47 Configuration items
Item: Enable RIP (enable all interfaces automatically)
Description: Enable RIP on all interfaces.
Item: Import static routes
Description: Configure RIP to redistribute active static routes.

Configuring interface RIP

1. Select Network > Routing Management > RIP from the navigation tree. The RIP configuration page appears. If RIP is enabled, the More button is displayed.
2. Click More.

Figure 245 RIP interface configuration page

4. Configure the RIP interface as described in Table 48.
5. Click Apply.

Table 48 Configuration items
Item: Interface
Description: Displays the RIP interface name.
Item: Work State
Description: Set whether to allow the receiving/sending of RIP packets on the interface:
• On—Allows the receiving/sending of RIP packets on the interface.
• Off—Disallows the receiving/sending of RIP packets on the interface.
Item: Authentication Mode / Key String
Description: Set the authentication mode and parameters for authenticating RIP packets on a RIPv2 interface:
• If the Authentication Mode is null, the interface does not authenticate RIP packets, and the Key String and Key ID are not required.
• If Simple is specified for Authentication Mode, the interface authenticates RIP packets using a simple text key. You need to configure a Key String in simple text.
Configuring Device B

1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.)
2. Enable RIP:
a. Select Network > Routing Management > RIP from the navigation tree.
b. Select the Enable RIP (Enable all interfaces automatically) box.
c. Click Apply.

Verifying the configuration

1. Display active routes of Device A: Select Network > Routing Management > Routing Info from the navigation tree to display the learned RIP route destined for 10.0.0.0/8.

Configuring RIP at the CLI

RIP configuration task list

Task                                                  Remarks
Configuring basic RIP                                 Required
Configuring an additional routing metric              Optional
Configuring RIPv2 route summarization                 Optional
Disabling host route reception                        Optional
Advertising a default route                           Optional
Configuring received/redistributed route filtering    Optional
Configuring a preference for RIP                      Optional
Configuring RIP route redistribution                  Optional
Configuring RIP timers                                Optional
Configuring split ho

Step 72. Enter system view.
Command: system-view
Remarks: N/A
Step 73. Enable a RIP process and enter RIP view.
Command: rip [ process-id ] [ vpn-instance vpn-instance-name ]
Remarks: By default, the RIP process is disabled.
Step 74. Enable RIP on the interface attached to the specified network.
Command: network network-address
Remarks: By default, RIP is disabled on interfaces.

Configuring the interface behavior

Step 75. Enter system view.
Command: system-view
Remarks: N/A
Step 76. Enter RIP view.

Step 84. Specify a global RIP version.
Command: version { 1 | 2 }
Remarks: Optional. By default, if an interface has an interface-specific RIP version, the version takes precedence over the global one. If no interface-specific RIP version is specified, the interface can send RIPv1 broadcasts, and receive RIPv1 broadcasts and unicasts, and RIPv2 broadcasts, multicasts, and unicasts.
Step 85. Return to system view.
Command: quit
Remarks: N/A
Step 86. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A
Optional.
Configuring RIPv2 route summarization
Perform this task to summarize contiguous subnets into a summary network and send the summary network to neighbors. The smallest metric among all summarized routes is used as the metric of the summary route.
1. Enabling RIPv2 automatic route summarization
Automatic summarization enables RIPv2 to generate a natural (classful) network for contiguous subnets. For example, suppose there are three subnet routes 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24.
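To make the summarization rule concrete, the following Python is an added example (not code from the HP guide): it collapses a constructed list of RIPv2 subnet routes into their natural classful networks, keeps the smallest metric as the guide states, and also covers the case where a summarized subnet has already become unreachable (metric 16).

```python
import ipaddress
from typing import Dict, List, Tuple

RIP_INFINITY = 16  # a RIP metric of 16 means "unreachable"


def natural_network(prefix: str) -> ipaddress.IPv4Network:
    """Return the classful (natural) network containing prefix:
    class A -> /8, class B -> /16, class C -> /24."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    elif first_octet < 224:
        length = 24
    else:
        raise ValueError(f"{prefix} is not a class A, B or C network")
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def auto_summarize(routes: List[Tuple[str, int]]) -> Dict[str, int]:
    """Model RIPv2 automatic summarization ('summary' enabled).

    Every subnet route is replaced by its natural network, and the summary
    route carries the smallest metric among the routes it covers, as the
    guide describes.  Routes that are already unreachable (metric >= 16)
    contribute nothing, so a summary appears only if at least one covered
    subnet is reachable.
    """
    summary: Dict[str, int] = {}
    for prefix, metric in routes:
        if metric >= RIP_INFINITY:
            continue
        key = str(natural_network(prefix))
        summary[key] = min(metric, summary.get(key, RIP_INFINITY))
    return summary


def advertised_routes(routes: List[Tuple[str, int]],
                      summary_enabled: bool) -> Dict[str, int]:
    """Routes that would be sent to neighbors.  With 'undo summary'
    (summary_enabled=False) each subnet is advertised individually, which
    is what the guide's configuration examples do so that RIPv2 carries the
    subnet masks instead of one classful route."""
    if summary_enabled:
        return auto_summarize(routes)
    return {p: m for p, m in routes if m < RIP_INFINITY}


# Constructed sample: the three subnets from the guide's example, plus a
# class C subnet that must not be merged with them.
SAMPLE_ROUTES = [
    ("10.1.1.0/24", 1),
    ("10.1.2.0/24", 2),
    ("10.1.3.0/24", 3),
    ("192.168.7.0/25", 4),
]

if __name__ == "__main__":
    for enabled in (True, False):
        print("summary enabled" if enabled else "undo summary",
              advertised_routes(SAMPLE_ROUTES, enabled))
```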
101. Enter system view. Command: system-view; Remarks: N/A
102. Enter RIP view. Command: rip [ process-id ] [ vpn-instance vpn-instance-name ]; Remarks: N/A
103. Disable RIP from receiving host routes. Command: undo host-route; Remarks: By default, RIP receives host routes.
Advertising a default route
You can advertise a default route on all RIP interfaces in RIP view or on a specific RIP interface in interface view. The interface view setting takes precedence over the RIP view setting.
112. Configure the filtering of received routes. Command: filter-policy { acl-number | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] } import [ interface-type interface-number ]; Remarks: By default, the filtering of received routes is not configured.
113. Configure the filtering of redistributed routes. Command: filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] | interface-type interface-number ]
Tuning and optimizing RIP networks
Configuration prerequisites
Before you tune and optimize RIP networks, complete the following tasks:
• Configure IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
• Configure basic RIP.
Configuring RIP timers
You can change the RIP network convergence speed by adjusting RIP timers. Based on network performance, configure identical RIP timer settings to avoid unnecessary traffic or route flapping.
2. Enabling poison reverse
Poison reverse allows RIP to send routes through the interface where the routes were learned, but the metric of these routes is always set to 16 (unreachable) to avoid routing loops between neighbors.
To enable poison reverse:
127. Enter system view. Command: system-view; Remarks: N/A
128. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A
129. Enable poison reverse. Command: rip poison-reverse; Remarks: By default, poison reverse is disabled.
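The difference between plain split horizon and poison reverse is easiest to see in the update a router actually builds for one interface. This Python is an added example, not code from the HP guide; the routing table and interface names (GE0/1, GE0/2) are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIP_INFINITY = 16  # a RIP metric of 16 means "unreachable"


@dataclass(frozen=True)
class RipRoute:
    prefix: str
    metric: int
    learned_on: Optional[str]  # interface the route was learned on; None = local


# Constructed sample routing table; interface names are hypothetical.
SAMPLE_TABLE = [
    RipRoute("10.1.1.0/24", 0, None),     # directly connected network
    RipRoute("10.2.0.0/16", 1, "GE0/1"),  # learned from the neighbor on GE0/1
    RipRoute("10.3.0.0/16", 2, "GE0/2"),  # learned from the neighbor on GE0/2
]


def build_update(table: List[RipRoute], out_iface: str,
                 poison_reverse: bool) -> List[Tuple[str, int]]:
    """Return the (prefix, metric) pairs advertised out of out_iface.

    Split horizon: a route learned on out_iface is not repeated back on it.
    Poison reverse (rip poison-reverse): the route is sent back, but with
    metric 16, so the neighbor immediately treats any path that would loop
    through this router as unreachable instead of waiting for a timeout.
    The receiving neighbor adds its own hop cost to metrics below 16
    (RFC 2453), so metrics are sent as stored here.
    """
    update: List[Tuple[str, int]] = []
    for route in table:
        if route.learned_on == out_iface:
            if poison_reverse:
                update.append((route.prefix, RIP_INFINITY))
            continue  # plain split horizon suppresses the route entirely
        update.append((route.prefix, route.metric))
    return update


if __name__ == "__main__":
    print("split horizon only :", build_update(SAMPLE_TABLE, "GE0/1", False))
    print("with poison reverse:", build_update(SAMPLE_TABLE, "GE0/1", True))
```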
Upon receiving a message on an Ethernet interface, RIP compares the source IP address of the message with the IP address of the interface. If they are not in the same network segment, RIP discards the message. Upon receiving a message on a serial interface, RIP checks whether the source address of the message is the IP address of the peer interface. If not, RIP discards the message. IMPORTANT: Disable the source IP address check feature if the RIP neighbor is not directly connected.
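The source address check above is a receive-side filter, and it is worth seeing which updates it drops and why, since a discarded update is either a misconfigured neighbor or an update arriving from outside the segment. The following Python is an added example, not code from the HP guide; the interfaces, peer address and message sources are constructed samples and the dataclass name is hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RipInterface:
    name: str
    address: str                # interface address with prefix length, e.g. "10.1.1.1/24"
    kind: str                   # "ethernet" or "serial"
    peer: Optional[str] = None  # peer address of a serial (point-to-point) link


def accept_source(iface: RipInterface, src_ip: str,
                  validate: bool = True) -> Tuple[bool, str]:
    """Decide whether a RIP message from src_ip is accepted on iface.

    Mirrors the check the guide describes: on an Ethernet interface the
    source must belong to the interface's own network segment; on a serial
    interface it must be the peer's address.  validate=False models
    'undo validate-source-address', which the guide says to use only when
    the RIP neighbor is not directly connected.  Returns (accepted, reason)
    so the reason can be logged for troubleshooting.
    """
    if not validate:
        return True, "source check disabled"
    src = ipaddress.ip_address(src_ip)
    if iface.kind == "ethernet":
        segment = ipaddress.ip_interface(iface.address).network
        if src in segment:
            return True, f"{src} is in {segment}"
        return False, f"{src} is not in {segment}"
    if iface.kind == "serial":
        if iface.peer is not None and src == ipaddress.ip_address(iface.peer):
            return True, f"{src} is the configured peer"
        return False, f"{src} is not the peer {iface.peer}"
    raise ValueError(f"unknown interface kind {iface.kind!r}")


def filter_messages(iface: RipInterface, sources: List[str],
                    validate: bool = True) -> Tuple[List[str], List[str]]:
    """Split a batch of message source addresses into accepted and discarded."""
    accepted: List[str] = []
    discarded: List[str] = []
    for src in sources:
        ok, reason = accept_source(iface, src, validate)
        (accepted if ok else discarded).append(src)
        if not ok:
            # Worth a log line on a real device: it points at a neighbor
            # that is misconfigured or an update arriving from off-segment.
            print(f"RIP: discard update on {iface.name} from {src}: {reason}")
    return accepted, discarded


# Constructed sample interfaces and message sources (hypothetical names).
ETH = RipInterface("GE0/1", "10.1.1.1/24", "ethernet")
SER = RipInterface("Serial1/0", "10.9.9.1/30", "serial", peer="10.9.9.2")
ETH_SOURCES = ["10.1.1.2", "10.1.1.200", "192.168.5.9"]
SER_SOURCES = ["10.9.9.2", "10.9.9.5"]

if __name__ == "__main__":
    print(filter_messages(ETH, ETH_SOURCES))
    print(filter_messages(SER, SER_SOURCES))
    print(filter_messages(ETH, ETH_SOURCES, validate=False))
```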
143. Enter RIP view. Command: rip [ process-id ] [ vpn-instance vpn-instance-name ]; Remarks: N/A
144. Specify a RIP neighbor. Command: peer ip-address; Remarks: N/A
145. Disable source address check on incoming RIP updates. Command: undo validate-source-address; Remarks: By default, source address check is enabled.
Configuring RIP-to-MIB binding
This task allows you to enable a specific RIP process to receive SNMP requests.
To bind RIP to MIB:
146. Enter system view. Command: system-view; Remarks: N/A
147.
Hardware: U200-S; Feature compatible: No
BFD for RIP provides the following link detection modes:
• Single-hop echo detection mode for a directly connected RIP neighbor. In this mode, a BFD session is established only when the neighbor has route information to send.
• Single-hop echo detection mode for a specific destination. In this mode, a BFD session is established to the specified RIP neighbor only when the RIP-enabled interface is up.
158. Enable BFD for RIP. Command: rip bfd enable destination ip-address; Remarks: By default, BFD for RIP is disabled. The rip bfd enable destination command and the rip bfd enable command are mutually exclusive and cannot be configured on a device at the same time.
Configuring bidirectional control detection
This feature only works for RIP neighbors that are directly connected (one hop away from each other).
RIP version configuration example
In this example, Router A is the firewall.
Network requirements
As shown in Figure 250, enable RIPv2 on all interfaces on Router A and Router B.
Figure 250 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic RIP:
# Configure Router A.
system-view
[RouterA] rip
[RouterA-rip-1] network 1.0.0.0
[RouterA-rip-1] network 2.0.0.0
[RouterA-rip-1] network 3.0.0.
[RouterB] rip
[RouterB-rip-1] version 2
[RouterB-rip-1] undo summary
# Display the RIP routing table on Router A.
[RouterA] display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 1.1.1.2 on GigabitEthernet0/1
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 1.1.1.2 1 0 RA 87
10.1.1.0/24 1.1.1.2 1 0 RA 19
10.2.1.0/24 1.1.1.
[RouterA-rip-100] quit
# Enable RIP 100 and RIP 200, and configure RIPv2 on Firewall.
system-view
[Firewall] rip 100
[Firewall-rip-100] network 11.0.0.0
[Firewall-rip-100] version 2
[Firewall-rip-100] undo summary
[Firewall-rip-100] quit
[Firewall] rip 200
[Firewall-rip-200] network 12.0.0.0
[Firewall-rip-200] version 2
[Firewall-rip-200] undo summary
[Firewall-rip-200] quit
# Enable RIP 200 and configure RIPv2 on Router B.
system-view
[RouterB] rip 200
[RouterB-rip-200] network 12.0.
16.4.1.0/24 Direct 0 0 16.4.1.1 GE0/2
16.4.1.1/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.1 InLoop0
127.0.0.1/32 Direct 0 0 127.0.0.1 InLoop0
4. Configure RIP to filter redistributed routes:
# Configure ACL 2000 on Firewall to not advertise routes redistributed from RIP 100 to Router B.
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule deny source 10.2.1.1 0.0.0.
2. Configure basic RIP:
# Configure Firewall.
system-view
[Firewall] rip
[Firewall-rip-1] network 1.0.0.0
[Firewall-rip-1] version 2
[Firewall-rip-1] undo summary
[Firewall-rip-1] quit
# Configure Router A.
system-view
[RouterA] rip
[RouterA-rip-1] network 1.0.0.0
[RouterA-rip-1] version 2
[RouterA-rip-1] undo summary
# Configure Router B.
system-view
[RouterB] rip
[RouterB-rip-1] network 1.0.0.0
[RouterB-rip-1] version 2
[RouterB-rip-1] undo summary
# Configure Router C.
[Firewall-GigabitEthernet0/2] display rip 1 database
1.0.0.0/8, cost 0, ClassfulSumm
1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface
1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface
1.1.3.0/24, cost 1, nexthop 1.1.1.2
1.1.4.0/24, cost 2, nexthop 1.1.1.2
1.1.5.0/24, cost 2, nexthop 1.1.1.2
The output shows only one RIP route destined for network 1.1.5.0/24, with the next hop as Router A (1.1.1.2) and a cost of 2.
[RouterB-ospf-1-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
# Configure Firewall.
system-view
[Firewall] ospf
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
3. Configure basic RIP:
# Configure Firewall.
[Firewall] rip 1
[Firewall-rip-1] network 11.3.1.
[Firewall-GigabitEthernet0/2] rip summary-address 10.0.0.0 8
# Display the IP routing table on Router C.
[RouterC] display ip routing-table
Routing Tables: Public
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost NextHop Interface
10.0.0.0/8 RIP 100 1 11.3.1.1 GE0/1
11.3.1.0/24 Direct 0 0 11.3.1.2 GE0/1
11.3.1.2/32 Direct 0 0 127.0.0.1 InLoop0
11.4.1.0/24 Direct 0 0 11.4.1.2 GE0/2
11.4.1.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.0.0.
Configuring OSPF
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. Unless otherwise stated, OSPF refers to OSPFv2 throughout this chapter.
Overview
Open Shortest Path First (OSPF) is a link state IGP developed by the OSPF working group of the IETF. OSPF version 2 is used for IPv4. OSPF has the following features:
• Wide scope—Supports various network sizes and up to several hundred routers in an OSPF routing domain.
164. Configuring OSPF globally. Remarks: Required. Enable OSPF, and configure OSPF to redistribute static routes.
NOTE: OSPF multiprocess is not supported in the Web interface. Enabling OSPF creates process 1, and disabling OSPF removes process 1.
165. Remarks: Required. Configure an OSPF area and specify the network segment included in the area, so as to enable OSPF on the interface attached to the specified network segment.
NOTE:
Table 49 Configuration items
Enable OSPF: Enable OSPF.
Import static routes: Configure OSPF to redistribute active static routes (except default routes) and advertise them in Type-5 LSAs or Type-7 LSAs.
Configuring OSPF areas
1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears. After you enable OSPF, the Area Configuration tab is displayed.
Figure 255 Tabs on the OSPF area configuration page
2.
Figure 256 OSPF area configuration page
3. Configure an OSPF area as described in Table 50.
4. Click Apply.
Table 50 Configuration items
Area ID: Enter an area ID.
Area Type: Select an area type, including Normal, Stub, and NSSA. IMPORTANT: The type of a backbone area (with area ID 0) can only be configured as Normal.
Enable all interfaces: Set whether to enable OSPF on all the interfaces.
Network Items (Network Address, Network Mask)
Configuring OSPF interfaces
1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears.
2. After you complete OSPF area configurations, click More. The hidden OSPF interface list is displayed.
Figure 257 OSPF interface list page
3. Click the icon. The page for configuring the specified OSPF interface appears.
Figure 258 OSPF interface configuration page
4. Configure the specified OSPF interface as described in Table 51.
5. Click Apply.
Table 51 Configuration items
Interface: Displays the OSPF interface name.
Hello Interval: Set the interval for sending hello packets. The hello interval must be identical on OSPF neighbors. The hello interval defaults to 10 seconds on P2P and broadcast interfaces and to 30 seconds on P2MP and NBMA interfaces. The smaller the hello interval is, the faster the network converges and the more network resources are consumed.
To prevent leakage of routing information and guard against attacks on OSPF routers, OSPF provides a packet authentication function. To establish a neighboring relationship with a router, an OSPF router sends packets containing the preconfigured password for authentication. OSPF only receives packets that pass authentication. Packets that fail authentication cannot establish neighboring relationships.
Table 52 Field description
Interface Name: Interface name.
IP Address: IP address of the interface. In case of IP unnumbered, the IP address of the borrowed interface is displayed.
Area ID: ID of the area to which the interface belongs.
Cost: Cost for the interface.
Network Type: Network type for the interface.
DR Priority: DR priority for the interface.
Current state of the interface:
• Down—Indicates that no packet is sent or received through the interface.
State: Current state of the neighbor:
• Down—Indicates the initial state of the neighboring relationship.
• Init—Indicates that a Hello packet is received from the neighbor before the neighbor is down, but it does not contain the router ID. In such cases, bidirectional communication is not available.
• Attempt—Available only for a neighbor on an NBMA network. Indicates that the router receives no information from the neighbor, but it still attempts to contact the neighbor.
Figure 262 Enabling OSPF
c. Click Apply. The Area Configuration tab is displayed.
Figure 263 Web page displayed after OSPF is enabled
3. Configure Normal area Area 0:
a. Click Add on the Area Configuration tab.
b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Click Apply.
Figure 264 Configuring area 0
4. Configure NSSA area Area 1:
a. Click Add on the Area Configuration tab.
b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Click Apply.
Figure 265 Configuring area 1
Configuring Device B
1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.)
2. Enable OSPF:
a. Select Network > Routing Management > OSPF from the navigation tree of Device B.
b. Select the Enable OSPF box.
c. Click Apply.
3. Configure Normal area Area 0:
a. Click Add on the Area Configuration tab.
b. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.
Configuring Device C
1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.)
2. Enable OSPF, and configure OSPF to redistribute static routes:
a. Select Network > Routing Management > OSPF from the navigation tree of Device C.
b. Select the Enable OSPF and the Import static routes boxes.
c. Click Apply.
3. Configure NSSA area Area 1:
a. Click Add on the Area Configuration tab.
b. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.
b. Enter 2 for Area ID, select Normal for Area Type, enter 10.3.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
c. Enter 10.5.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
d. Click Apply.
Verifying the configuration
1. Display OSPF neighbor information of Device A:
a. Select Network > Routing Management > OSPF from the navigation tree of Device A.
b. Click Show Peer in the Show Information field.
Task / Remarks
Enabling OSPF: Required
Configuring OSPF areas (Configuring a stub area, Configuring an NSSA area, Configuring a virtual link): Optional
Configuring the broadcast network type for an interface: Optional
Configuring the NBMA network type for an interface: Optional
Configuring the P2MP network type for an interface: Optional
Configuring the P2P network type for an interface: Optional
Configuring OSPF route summarization: Optional
Configuring OSPF inbound rou
Configuring BFD for OSPF: Optional
Enabling OSPF
Enable OSPF before you perform other OSPF configuration tasks.
Configuration prerequisites
Configure the link layer protocol and IP addresses for interfaces to ensure IP connectivity between neighboring nodes.
172. Configure a description for the OSPF process. Command: description description; Remarks: Optional. Not configured by default.
173. Configure an OSPF area and enter OSPF area view. Command: area area-id; Remarks: Not configured by default.
174. Configure a description for the area. Command: description description; Remarks: Optional. Not configured by default.
175. Specify a network to enable the interface attached to the network to run the OSPF process in the area. Command: network ip-address wildcard-mask; Remarks: Not configured by default.
Not configured by default.
179. Configure the area as a stub area. Command: stub [ default-route-advertise-always | no-summary ] *; Remarks: You cannot configure the backbone area as a stub or totally stub area. A stub or totally stub area cannot have an ASBR because external routes cannot be distributed into the area.
180. Specify a cost for the default route advertised to the stub area. Remarks: Optional. The default cost is 1.
You can configure virtual links to ensure connectivity when physical links are not enough. Virtual links cannot transit a stub area or totally stub area.
To configure a virtual link:
186. Enter system view. Command: system-view; Remarks: N/A
187. Enter OSPF view. Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *; Remarks: N/A
188. Enter area view. Command: area area-id; Remarks: N/A
189. Configure a virtual link.
Configuring the broadcast network type for an interface
190. Enter system view. Command: system-view; Remarks: N/A
191. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A
192. Configure the OSPF network type for the interface as broadcast. Command: ospf network-type broadcast; Remarks: By default, the network type of an interface depends on the link layer protocol.
193. Configure a router priority for the interface. Command: ospf dr-priority priority; Remarks: Optional. The default router priority is 1.
Configuring the P2MP network type for an interface
201. Enter system view. Command: system-view; Remarks: N/A
202. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A
By default, the network type of an interface depends on the link layer protocol. After you configure the OSPF network type for an interface as P2MP unicast, all packets are unicast over the interface. The interface cannot broadcast hello packets to discover neighbors, so you must manually specify the neighbors.
Configuring OSPF route summarization
Configure route summarization on an ABR or ASBR to summarize routes with the same prefix into a single route and distribute it to other areas. Route summarization reduces the routing information exchanged between areas and the sizes of routing tables, improving router performance.
• Use the gateway keyword to filter routing information by next hop.
• Use an ACL or IP prefix list to filter routing information by destination address and, at the same time, use the gateway keyword to filter routing information by next hop.
• Use a routing policy to filter routing information.
For more information about IP prefix lists and routing policies, see "Configuring routing policies."
To configure inbound route filtering:
217. Enter system view. Command: system-view; Remarks: N/A
218.
226. Configure an OSPF cost for the interface. Command: ospf cost value; Remarks: Optional. The default cost depends on the interface type: 1 for a VLAN interface, 0 for a loopback interface, and computed according to the bandwidth for other interfaces.
To configure a bandwidth reference value:
227. Enter system view. Command: system-view; Remarks: N/A
228. Enter OSPF view. Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *; Remarks: N/A
229.
Configuring OSPF route redistribution
Only active routes can be redistributed. Use the display ip routing-table protocol command to view route state information.
1. Configuring OSPF to redistribute routes from other routing protocols
On a router running OSPF and other routing protocols, you can configure OSPF to redistribute routes from other protocols such as RIP, BGP, static, and direct, and advertise them in Type-5 LSAs or Type-7 LSAs.
243. Enter system view. Command: system-view; Remarks: N/A
244. Enter OSPF view. Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *; Remarks: N/A
245. Configure the default parameters for redistributed routes (cost, upper limit, tag, and type). Command: default { cost cost | limit limit | tag tag | type type } *; Remarks: Optional. The default cost is 1, the default maximum number of routes redistributed per time is 1000, the default tag is 1, and the default type of redistributed routes is Type-2.
small can cause unnecessary LSA retransmissions. This interval is typically set larger than the round-trip time of a packet between two neighbors.
To configure timers for OSPF packets:
250. Enter system view. Command: system-view; Remarks: N/A
251. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A
252. Specify the hello interval. Remarks: Optional.
When network changes are not frequent, the minimum-interval is adopted. If network changes become frequent, the SPF calculation interval is incremented by incremental-interval × 2^(n-2) (n is the number of calculation times) each time a calculation occurs until the maximum-interval is reached.
To configure the SPF calculation interval:
259. Enter system view. Command: system-view; Remarks: N/A
260. Enter OSPF view. Command: ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *; Remarks: N/A
261.
267. Configure the LSA generation interval. Command: lsa-generation-interval maximum-interval [ initial-interval [ incremental-interval ] ]; Remarks: Optional. By default, the maximum interval is 5 seconds, the minimum interval is 0 milliseconds, and the incremental interval is 5000 milliseconds.
Configuring OSPF authentication
Configure OSPF packet authentication to ensure the security of packet exchange. After authentication is configured, OSPF only receives packets that pass authentication. Failed packets cannot establish neighboring relationships. You must configure the same area authentication mode on all the routers in an area. In addition, the authentication mode and password for all interfaces attached to the same area must be identical.
287. Specify the maximum number of external LSAs in the LSDB. Command: lsdb-overflow-limit number; Remarks: Optional. Not specified by default.
Enabling compatibility with RFC 1583
RFC 1583 specifies a different method than RFC 2328 for selecting an external route from multiple LSAs. This task enables RFC 2328 to be compatible with RFC 1583 so that the intra-area route in the backbone area is preferred.
To configure OSPF network management:
294. Enter system view. Command: system-view; Remarks: N/A
295. Bind OSPF MIB to an OSPF process. Command: ospf mib-binding process-id; Remarks: Optional.
296. Enable OSPF trap generation.
303. Enter system view. Command: system-view; Remarks: N/A
304. Configure OSPF to give priority to receiving and processing hello packets. Command: ospf packet-process prioritized-treatment; Remarks: Not configured by default.
Configuring the LSU transmit rate
Sending large numbers of LSU packets affects router performance and consumes too much network bandwidth.
Hardware: U200-S; Feature compatible: No
BFD provides a single mechanism to quickly detect and monitor the connectivity of links between OSPF neighbors, reducing network convergence time. For more information about BFD, see High Availability Configuration Guide.
OSPF supports the following BFD detection methods:
• Bidirectional control detection, which requires BFD configuration to be made on both OSPF routers on the link.
Task: Display Link State Database information. Command: display ospf [ process-id ] lsdb [ brief | [ { ase | router | network | summary | asbr | nssa | opaque-link | opaque-area | opaque-as } [ link-state-id ] ] [ originate-router advertising-router-id | self-originate ] ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Task: Display OSPF neighbor information.
Basic OSPF configuration example
Network requirements
• Enable OSPF on all devices, and split the AS into three areas.
• Configure Router A and Router B as ABRs.
Figure 269 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF:
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.
[RouterC-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
# Configure Firewall.
system-view
[Firewall] ospf
[Firewall-ospf-1] area 2
[Firewall-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.2] network 10.5.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.2] quit
[Firewall-ospf-1] quit
3. Verify the configuration:
# Display the OSPF neighbors of Router A.
10.1.1.0/24 1 Transit 10.1.1.1 10.2.1.1 0.0.0.0
Total Nets: 5
Intra Area: 3 Inter Area: 2 ASE: 0 NSSA: 0
# Display the Link State Database on Router A.
[RouterA] display ospf lsdb
OSPF Process 1 with Router ID 10.2.1.1
Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 10.2.1.1 10.2.1.1 1069 36 80000012 0
Router 10.3.1.1 10.3.1.1 780 36 80000011 0
Network 10.1.1.1 10.2.1.1 1069 32 80000010 0
Sum-Net 10.5.1.0 10.3.1.
Reply from 10.4.1.1: bytes=56 Sequence=2 ttl=253 time=1 ms
Reply from 10.4.1.1: bytes=56 Sequence=3 ttl=253 time=1 ms
Reply from 10.4.1.1: bytes=56 Sequence=4 ttl=253 time=1 ms
Reply from 10.4.1.1: bytes=56 Sequence=5 ttl=253 time=1 ms
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
OSPF route redistribution configuration example
Network requirements
• Enable OSPF on all the devices.
OSPF Process 1 with Router ID 10.5.1.1
Routing Table to ABR and ASBR
Type Destination Area Cost Nexthop RtType
Intra 10.3.1.1 0.0.0.2 10 10.3.1.1 ABR
Inter 10.4.1.1 0.0.0.2 22 10.3.1.1 ASBR
# Display the OSPF routing table on Router C.
display ospf routing
OSPF Process 1 with Router ID 10.5.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.2.1.0/24 22 Inter 10.3.1.1 10.3.1.1 0.0.0.2
10.3.1.0/24 10 Transit 10.3.1.2 10.3.1.1 0.
Figure 271 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF:
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Firewall.
system-view
[Firewall] ospf
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
3.
5. Configure route summarization:
# Configure route summarization on Firewall to advertise a single route 10.0.0.0/8.
[Firewall-ospf-1] asbr-summary 10.0.0.0 8
# Display the IP routing table on Router A.
[RouterA] display ip routing-table
Routing Tables: Public
Destinations : 5 Routes : 5
Destination/Mask Proto Pre Cost NextHop Interface
10.0.0.0/8 O_ASE 150 2 11.2.1.1 GE0/1
11.2.1.0/24 Direct 0 0 11.2.1.2 GE0/1
11.2.1.2/32 Direct 0 0 127.0.0.1 InLoop0
127.0.0.0/8 Direct 0 0 127.
[RouterC] ospf
[RouterC-ospf-1] import-route static
[RouterC-ospf-1] quit
# Display ABR/ASBR information on Firewall.
display ospf abr-asbr
OSPF Process 1 with Router ID 10.4.1.1
Routing Table to ABR and ASBR
Type Destination Area Cost Nexthop RtType
Intra 10.2.1.1 0.0.0.1 3 10.2.1.1 ABR
Inter 10.3.1.1 0.0.0.1 5 10.2.1.1 ABR
Inter 10.5.1.1 0.0.0.1 7 10.2.1.1 ASBR
# Display OSPF routing information on Firewall.
[Firewall-ospf-1-area-0.0.0.1] quit
[Firewall-ospf-1] quit
# Display OSPF routing information on Firewall.
[Firewall] display ospf routing
OSPF Process 1 with Router ID 10.4.1.1
Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
0.0.0.0/0 4 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.2.1.0/24 3 Transit 10.2.1.2 10.2.1.1 0.0.0.1
10.3.1.0/24 7 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1
10.5.1.0/24 17 Inter 10.2.1.1 10.2.
• Configure Router A and Router B as ABRs to forward routing information between areas.
• Configure Area 1 as an NSSA area and configure Firewall as an ASBR to redistribute static routes into the AS.
Figure 273 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF (see "Basic OSPF").
3. Configure Area 1 as an NSSA area:
# Configure Router A.
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.2.1.0/24 3 Transit 10.2.1.2 10.4.1.1 0.0.0.1
10.3.1.0/24 7 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.4.1.0/24 3 Stub 10.4.1.1 10.4.1.1 0.0.0.1
10.5.1.0/24 17 Inter 10.2.1.1 10.2.1.1 0.0.0.1
10.1.1.0/24 5 Inter 10.2.1.1 10.2.1.1 0.0.0.1
Total Nets: 5
Intra Area: 2 Inter Area: 3 ASE: 0 NSSA: 0
4. Configure route redistribution:
# Configure OSPF to redistribute the static route on Firewall.
Figure 274 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF:
# Configure Firewall.
system-view
[Firewall] router id 1.1.1.1
[Firewall] ospf
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router A.
system-view
[RouterA] router id 2.2.2.
[RouterC-ospf-1] return
# Display neighbor information on Firewall.
[Firewall] display ospf peer verbose
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet0/1)'s neighbors
Router ID: 2.2.2.2 Address: 192.168.1.2 GR State: Normal
State: 2-Way Mode: None Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 38 sec
Neighbor is up for 00:01:31
Authentication Sequence: [ 0 ]
Router ID: 3.3.3.3 State: Full Address: 192.168.1.
Neighbors
Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet0/1)'s neighbors
Router ID: 1.1.1.1 Address: 192.168.1.1 GR State: Normal
State: Full Mode: Nbr is Slave Priority: 100
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Dead timer due in 31 sec
Neighbor is up for 00:11:17
Authentication Sequence: [ 0 ]
Router ID: 2.2.2.2 Address: 192.168.1.2
State: Full Mode: Nbr is Slave
DR: 192.168.1.4 BDR: 192.168.1.
Authentication Sequence: [ 0 ]
Router ID: 3.3.3.3 Address: 192.168.1.3 GR State: Normal
State: Full Mode: Nbr is Slave Priority: 2
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
Dead timer due in 39 sec
Neighbor is up for 00:01:41
Authentication Sequence: [ 0 ]
The output shows that Firewall becomes the DR and Router B becomes the BDR. The Full neighbor state means an adjacency has been established. The 2-Way neighbor state means the two routers are not the DR or BDR, and they do not exchange LSAs.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF:
# Configure Router A.
system-view
[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
system-view
[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.
Area 0 has no direct connection to Area 2, so the OSPF routing table of Router B has no route to Area 2.
3. Configure a virtual link:
# Configure Router B.
[RouterB] ospf
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] vlink-peer 3.3.3.3
[RouterB-ospf-1-area-0.0.0.1] quit
[RouterB-ospf-1] quit
# Configure Firewall.
[Firewall] ospf
[Firewall-ospf-1] area 1
[Firewall-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[Firewall-ospf-1-area-0.0.0.1] quit
# Display OSPF routing information on Router B.
Figure 276 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic OSPF (see "Basic OSPF").
3. Configure OSPF to redistribute routes:
# On Firewall, configure a static route destined for network 3.1.1.0/24.
system-view
[Firewall] ip route-static 3.1.1.0 24 10.4.1.2
# On Firewall, configure a static route destined for network 3.1.2.0/24.
[Firewall] ip route-static 3.1.2.0 24 10.4.1.
4. Configure Firewall to filter out the route 3.1.3.0/24:
# Configure the IPv4 prefix list.
[Firewall] ip ip-prefix prefix1 index 1 deny 3.1.3.0 24
[Firewall] ip ip-prefix prefix1 index 2 permit 3.1.1.0 24
[Firewall] ip ip-prefix prefix1 index 3 permit 3.1.2.0 24
# Reference the prefix list to filter out the route 3.1.3.0/24.
[Firewall] ospf 1
[Firewall-ospf-1] filter-policy ip-prefix prefix1 export static
# Display the OSPF routing table of Router A.
Destination/Mask    Proto   Pre  Cost  NextHop     Interface
10.1.1.0/24         Direct  0    0     10.1.1.1    GE0/1
10.1.1.1/32         Direct  0    0     127.0.0.1   InLoop0
10.2.1.0/24         Direct  0    0     10.2.1.1    GE0/2
10.2.1.1/32         Direct  0    0     127.0.0.1   InLoop0
10.3.1.0/24         OSPF    10   4     10.1.1.2    GE0/1
10.4.1.0/24         OSPF    10   13    10.2.1.2    GE0/2
127.0.0.0/8         Direct  0    0     127.0.0.1   InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1   InLoop0
The route to 10.5.1.1/24 is filtered out.
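The prefix-list semantics used in step 4 (ascending index order, first match wins, implicit deny at the end), modelled in Python as an added example rather than HP code. The parser accepts the page's ip ip-prefix syntax; the greater-equal/less-equal handling and the auto-index step of 10 are assumptions, and the route set fed to the filter is constructed.

```python
# Added example, not from the HP guide: a model of the ip ip-prefix filter
# referenced by "filter-policy ip-prefix prefix1 export static". Entries are
# evaluated in ascending index order, the first match decides, and a route
# that matches no entry is dropped by the implicit deny at the end of the
# list. greater-equal/less-equal handling and auto-indexing are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    index: int
    action: str                  # "permit" or "deny"
    prefix: IPv4Network
    ge: Optional[int] = None     # greater-equal mask length, if given
    le: Optional[int] = None     # less-equal mask length, if given

    def matches(self, route: IPv4Network) -> bool:
        # Exact mask length unless greater-equal/less-equal widen the range.
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        high = self.le if self.le is not None else (32 if self.ge is not None else low)
        if not low <= route.prefixlen <= high:
            return False
        # The route must lie inside the entry's network.
        return route.subnet_of(self.prefix)


class PrefixList:
    def __init__(self, name: str, entries: List[PrefixEntry]):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.index)

    def permits(self, route: IPv4Network) -> bool:
        for entry in self.entries:
            if entry.matches(route):
                return entry.action == "permit"
        return False  # implicit deny at the end of the list


def parse_ip_prefix(config_lines: List[str]) -> Dict[str, PrefixList]:
    """Parse 'ip ip-prefix NAME [index N] {permit|deny} ADDR LEN [greater-equal G] [less-equal L]'."""
    entries: Dict[str, List[PrefixEntry]] = {}
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["ip", "ip-prefix"]:
            continue
        name, pos = tok[2], 3
        index = None
        if tok[pos] == "index":
            index = int(tok[pos + 1])
            pos += 2
        action = tok[pos]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        net = IPv4Network(f"{tok[pos + 1]}/{tok[pos + 2]}", strict=False)
        pos += 3
        ge = le = None
        while pos + 1 < len(tok):
            if tok[pos] == "greater-equal":
                ge = int(tok[pos + 1])
            elif tok[pos] == "less-equal":
                le = int(tok[pos + 1])
            pos += 2
        bucket = entries.setdefault(name, [])
        if index is None:  # assumed: auto-index in steps of 10 when omitted
            index = (bucket[-1].index + 10) if bucket else 10
        bucket.append(PrefixEntry(index, action, net, ge, le))
    return {n: PrefixList(n, e) for n, e in entries.items()}


# The prefix list from the configuration above, and a constructed set of
# static routes offered to the export filter (the /25 is a deliberate
# near-miss: same address block as entry 2 but a different mask length).
PREFIX1_CONFIG = [
    "ip ip-prefix prefix1 index 1 deny 3.1.3.0 24",
    "ip ip-prefix prefix1 index 2 permit 3.1.1.0 24",
    "ip ip-prefix prefix1 index 3 permit 3.1.2.0 24",
]
STATIC_ROUTES = [IPv4Network(r) for r in
                 ("3.1.1.0/24", "3.1.2.0/24", "3.1.3.0/24", "3.1.1.128/25")]


def permitted(route: str, config=PREFIX1_CONFIG, name: str = "prefix1") -> bool:
    """True if the named prefix list in `config` permits the route string."""
    return parse_ip_prefix(config)[name].permits(IPv4Network(route))


def exported_routes(config=PREFIX1_CONFIG, routes=STATIC_ROUTES, name: str = "prefix1") -> List[str]:
    """Routes that survive the export filter, as strings."""
    plist = parse_ip_prefix(config)[name]
    return [str(r) for r in routes if plist.permits(r)]


if __name__ == "__main__":
    print(exported_routes())  # ['3.1.1.0/24', '3.1.2.0/24']
```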
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable OSPF:
# Configure Firewall A.
system-view
[FirewallA] ospf
[FirewallA-ospf-1] area 0
[FirewallA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 121.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.
[FirewallB-GigabitEthernet1/1] bfd min-transmit-interval 500
[FirewallB-GigabitEthernet1/1] bfd min-receive-interval 500
[FirewallB-GigabitEthernet1/1] bfd detect-multiplier 6
4. Verify the configuration:
# Display the BFD information on Firewall A.
display bfd session
Total Session Num: 1    Init Mode: Active
Session Working Under Ctrl Mode:
LD/RD  SourceAddr     DestAddr       State  Holdtime  Interface
3/1    192.168.0.102  192.168.0.100  Up     1700ms    GE1/1
# Display routes destined for 120.1.1.
*0.50673830 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Del application(OSPF)
*0.50673831 FirewallA BFD/8/SCM:No application in session, delete session[192.168.0.102/192.168.0.100,GE1/1]
*0.50673831 FirewallA BFD/8/SCM:Sess[192.168.0.102/192.168.0.100,GE1/1], Oper: Delete
*0.50673832 FirewallA BFD/8/SCM:Delete send-packet timer
*0.50673833 FirewallA BFD/8/SCM:Delete session entry
*0.50673833 FirewallA BFD/8/SCM:Delete session from IP hash table
*0.
Solution
1. Use the display ospf peer command to verify OSPF neighbor information.
2. Use the display ospf interface command to verify OSPF interface information.
3. Ping the neighbor router's IP address to verify that the connectivity is normal.
4. Verify OSPF timers. The dead interval on an interface must be at least four times the hello interval.
5. On an NBMA network, use the peer ip-address command to manually specify the neighbor.
6.
Configuring IS-IS
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. IS-IS can be configured only at the CLI.
Feature and hardware compatibility
Hardware                  IS-IS compatible
F1000-A-EI/F1000-S-EI     No
F1000-E                   No
F5000                     Yes
Firewall module           No
U200-A                    No
U200-S                    No
Overview
Intermediate System-to-Intermediate System (IS-IS) is a dynamic routing protocol designed by the ISO to operate on the connectionless network protocol (CLNP).
Task                                                              Remarks
Configuring IS-IS route leaking                                   Optional
Specifying intervals for sending IS-IS hello and CSNP packets     Optional
Specifying the IS-IS hello multiplier                             Optional
Configuring a DIS priority for an interface                       Optional
Disabling an interface from sending/receiving IS-IS packets       Optional
Disabling hello source address check for a PPP interface          Optional
Enabling an interface to send small hello packets                 Optional
Configuring LSP parameters                                        Optional
Configuring SPF parameters                                        Optional
Co
Step 322. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 323. Enable an IS-IS process on the interface.
  Command: isis enable [ process-id ]
  Remarks: By default, no IS-IS process is enabled.
Configuring the IS level and circuit level
If only one area exists, perform the following operations:
• Configure the IS level of all routers as Level-1 or Level-2 rather than different levels, because the routers do not need to maintain two identical LSDBs.
Step 330. Enter system view.
  Command: system-view
  Remarks: N/A
Step 331. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 332. Configure the network type for the interface as P2P.
  Command: isis circuit-type p2p
  Remarks: Optional. By default, the network type of an interface depends on the physical media.
Configuring IS-IS routing information control
Perform the tasks in this section to affect IS-IS route selection.
Step 334. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 335. Specify an IS-IS cost style.
  Command: cost-style { narrow | wide | wide-compatible | { compatible | narrow-compatible } [ relax-spf-limit ] }
  Remarks: Optional. By default, the IS-IS cost type is narrow.
Step 336. Return to system view.
  Command: quit
  Remarks: N/A
Step 337. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 338. Specify a cost for the interface.
  Command: isis cost value [ level-1 | level-2 ]
  Remarks: Optional.
To configure the priority of IS-IS:
Step 348. Enter system view.
  Command: system-view
  Remarks: N/A
Step 349. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 350. Specify a priority for IS-IS.
  Command: preference { route-policy route-policy-name | preference } *
  Remarks: The default setting is 15.
Configuring the maximum number of ECMP routes
Perform this task to implement load sharing over ECMP routes.
To configure the maximum number of ECMP routes:
Step 351.
Step 357. Enter system view.
  Command: system-view
  Remarks: N/A
Step 358. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 359. Advertise a default route.
  Command: default-route-advertise [ route-policy route-policy-name | [ level-1 | level-1-2 | level-2 ] ] *
  Remarks: By default, IS-IS does not advertise a default route.
Configuring IS-IS route redistribution
Perform this task to redistribute routes from other routing protocols into IS-IS.
Step 365. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 366. Filter routes calculated from received LSPs.
  Command: filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } import
  Remarks: By default, IS-IS accepts all routes calculated using received LSPs.
Tuning and optimizing IS-IS networks
Configuration prerequisites
Before the configuration, complete the following tasks:
• Configure IP addresses for all interfaces to ensure IP connectivity between neighboring nodes.
• Enable IS-IS.
Specifying intervals for sending IS-IS hello and CSNP packets
Step 373. Enter system view.
  Command: system-view
  Remarks: N/A
Step 374. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 375. Remarks: Optional.
Configuring a DIS priority for an interface
On a broadcast network, IS-IS must elect a router as the DIS at a routing level. You can specify a DIS priority at a level for an interface. The greater the interface's priority, the more likely it becomes the DIS. If multiple routers in the broadcast network have the same highest DIS priority, the router with the highest MAC address becomes the DIS.
To specify a DIS priority for an interface:
Step 380. Enter system view.
Step 388. Disable hello source address check for the PPP interface.
  Command: isis peer-ip-ignore
  Remarks: The command only applies to the PPP interface. By default, hello source address check is enabled.
Enabling an interface to send small hello packets
IS-IS messages cannot be fragmented at the IP layer because they are directly encapsulated into frames. Any two IS-IS neighboring routers must negotiate a common MTU.
Step 395. Enter system view.
  Command: system-view
  Remarks: N/A
Step 396. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 397. Specify the LSP refresh interval.
  Command: timer lsp-refresh seconds
  Remarks: Optional. The default interval is 900 seconds.
Step 398. Specify the LSP generation interval.
  Command: timer lsp-generation maximum-interval [ initial-interval [ second-wait-interval ] ] [ level-1 | level-2 ]
  Remarks: Optional. The default interval is 2 seconds.
Step 405. Specify the maximum length of generated Level-1 LSPs or Level-2 LSPs.
  Command: lsp-length originate size [ level-1 | level-2 ]
  Remarks: By default, the maximum length of generated Level-1 LSPs or Level-2 LSPs is 1497 bytes.
Step 406. Specify the maximum length of received LSPs.
  Command: lsp-length receive size
  Remarks: By default, the maximum length of received LSPs is 1497 bytes.
Enabling LSP flash flooding
Changed LSPs can trigger SPF recalculation.
Figure 278 Network diagram of a fully meshed network (Router A, Router B, Router C, and Router D, each connected to the other three through Eth1/1, Eth1/2, and Eth1/3)
To avoid this problem, you can add some interfaces to a mesh group or block some interfaces.
• An interface in a mesh group floods a received LSP only to interfaces not in the mesh group.
• A blocked interface sends LSPs only after receiving LSP requests.
Configuring convergence priorities for specific routes
A topology change causes IS-IS routing convergence. To achieve faster routing convergence, you can assign different convergence priorities to specific IS-IS routes.
To assign convergence priorities to specific IS-IS routes:
Step 420. Enter system view.
  Command: system-view
  Remarks: N/A
Step 421. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 422. Assign convergence priorities to specific IS-IS routes.
  Remarks: Optional.
Configuring a static system ID to host name mapping
Step 426. Enter system view.
  Command: system-view
  Remarks: N/A
Step 427. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 428. Configure a system ID to host name mapping for a remote IS.
  Command: is-name map sys-id map-sys-name
  Remarks: A system ID can correspond to only one host name.
Step 435. Enter system view.
  Command: system-view
  Remarks: N/A
Step 436. Enter IS-IS view.
  Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 437. Enable the logging of neighbor state changes.
  Command: log-peer-change
  Remarks: By default, the logging of neighbor state changes is enabled.
Enhancing IS-IS network security
To enhance the security of an IS-IS network, you can configure IS-IS authentication.
Configuring area authentication
Area authentication prevents a router from installing routing information from untrusted routers into the Level-1 LSDB. The router encapsulates the authentication password in the specified mode into Level-1 packets (LSP, CSNP, and PSNP) and checks the password in received Level-1 packets. Routers in a common area must have the same authentication mode and password.
To configure area authentication:
Step 441. Enter system view.
  Command: system-view
  Remarks: N/A
Step 442.
Step 449. Enable SNMP trap.
  Command: is-snmp-traps enable
  Remarks: By default, SNMP trap is enabled.
Binding an IS-IS process with MIBs
This task allows you to bind a MIB with an IS-IS process to send and collect information. For more information about MIBs, see Network Management and Monitoring Configuration Guide.
To bind an IS-IS process with MIBs:
Step 450. Enter system view.
  Command: system-view
  Remarks: N/A
Step 451. Enter IS-IS view.
Task: Display IS-IS IPv4 routing information.
  Command: display isis route [ ipv4 ] [ [ level-1 | level-2 ] | verbose ] * [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IS-IS SPF calculation log information.
  Command: display isis spf-log [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IS-IS statistics.
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] isis enable 1
[RouterA-GigabitEthernet1/1] quit
# Configure Router B.
system-view
[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.
                        Level-1 Link State Database
LSPID                 Seq Num      Checksum   Holdtime   Length   ATT/P/OL
0000.0000.0001.00-00* 0x0000000d   0xb184     879        68       0/0/0
0000.0000.0002.00-00  0x0000000c   0xcf65     493        68       0/0/0
0000.0000.0003.
0000.0000.0004.00-00  0x00000005   0xd086     904        84       0/0/0
*-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload
[RouterC] display isis lsdb
                        Database information for ISIS(1)
                        Level-2 Link State Database
LSPID                 Seq Num      Checksum   Holdtime   Length   ATT/P/OL
0000.0000.0003.00-00  0x00000013   0xbb56     910        100      0/0/0
0000.0000.0004.
192.168.0.0/24       10        NULL      GE1/2           Direct       D/L/-
Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set
                        ISIS(1) IPv4 Level-2 Forwarding Table
IPV4 Destination     IntCost   ExtCost   ExitInterface   NextHop      Flags
10.1.1.0/24          10        NULL      GE1/1           Direct       D/L/-
10.1.2.0/24          10        NULL      GE1/3           Direct       D/L/-
192.168.0.0/24       10        NULL      GE1/2           Direct       D/L/-
172.16.0.0/16        20        NULL      GE1/2           192.
Figure 280 Network diagram (Firewall L1/L2 with GE1/1; Router A L1/L2, Router B L1, and Router C L2, each with Eth1/1; addresses 10.1.1.1/24, 10.1.1.2/24, 10.1.1.3/24, and 10.1.1.4/24)
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Enable IS-IS:
# Configure Firewall.
system-view
[Firewall] isis 1
[Firewall-isis-1] network-entity 10.0000.0000.0001.
[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0004.00
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] quit
[RouterC] interface ethernet 1/1
[RouterC-Ethernet1/1] isis enable 1
[RouterC-Ethernet1/1] quit
# Display information about IS-IS neighbors of Firewall.
[Firewall] display isis peer
                        Peer information for ISIS(1)
System Id: 0000.0000.0002
Interface: GigabitEthernet1/1
Circuit Id: 0000.0000.0003.
Interface: Ethernet1/1
Id    IPV4.State   IPV6.State   MTU    Type    DIS
001   Up           Down         1497   L1/L2   No/Yes
The output shows that when the default DIS priority is used, Router B is the Level-1 DIS, and Router C is the Level-2 DIS. The pseudonodes of Level-1 and Level-2 are 0000.0000.0003.01 and 0000.0000.0004.01, respectively.
3. Configure the DIS priority:
# Configure the DIS priority of Firewall.
System Id: 0000.0000.0001
Interface: Ethernet1/1
Circuit Id: 0000.0000.0001.01
State: Up   Type: L1   HoldTime: 7s    PRI: 100
System Id: 0000.0000.0002
Interface: Ethernet1/1
Circuit Id: 0000.0000.0001.01
State: Up   Type: L1   HoldTime: 23s   PRI: 64
[RouterC] display isis interface
                        Interface information for ISIS(1)
Interface: Ethernet1/1
Id    IPV4.State   IPV6.
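The DIS election described in "Configuring a DIS priority for an interface" and exercised in the example above (default priority, then Firewall raised to 100 at Level-1), as an added Python model rather than HP code. System IDs and levels follow the example topology; the interface MAC addresses and the default priority value of 64 are taken from the PRI: 64 shown above and are otherwise constructed.

```python
# Added example, not from the HP guide: DIS election on a broadcast link as
# described above (highest DIS priority at the level wins, highest MAC breaks
# a tie). Unlike an OSPF DR election, a priority of 0 does not disqualify a
# router. MAC addresses below are constructed sample values.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_DIS_PRIORITY = 64   # the PRI: 64 shown for Router B above


@dataclass
class Router:
    name: str
    system_id: str                 # e.g. "0000.0000.0003"
    mac: str                       # interface MAC in "xxxx-xxxx-xxxx" form
    levels: List[str]              # levels active on the interface: "L1", "L2"
    priority: Dict[str, int] = field(default_factory=dict)  # per-level override

    def dis_priority(self, level: str) -> int:
        value = self.priority.get(level, DEFAULT_DIS_PRIORITY)
        if not 0 <= value <= 127:
            raise ValueError(f"{self.name}: DIS priority {value} out of range 0..127")
        return value


def mac_as_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def elect_dis(routers: List[Router], level: str) -> Optional[Router]:
    """Highest priority wins; on a tie the highest MAC address wins."""
    candidates = [r for r in routers if level in r.levels]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dis_priority(level), mac_as_int(r.mac)))


def pseudonode_id(dis: Router, circuit_id: int = 1) -> str:
    """Pseudonode ID = DIS system ID plus a one-byte circuit ID, e.g. ...0003.01."""
    return f"{dis.system_id}.{circuit_id:02x}"


# Topology of the DIS example above: Firewall and Router A are L1/L2,
# Router B is L1 only, Router C is L2 only. MACs are chosen so that Router B
# and Router C hold the highest MAC at their respective levels.
SEGMENT = [
    Router("Firewall", "0000.0000.0001", "00e0-fc00-0001", ["L1", "L2"]),
    Router("Router A", "0000.0000.0002", "00e0-fc00-0002", ["L1", "L2"]),
    Router("Router B", "0000.0000.0003", "00e0-fc00-0004", ["L1"]),
    Router("Router C", "0000.0000.0004", "00e0-fc00-0003", ["L2"]),
]


def election_summary(routers: List[Router]) -> Dict[str, str]:
    """Map each level to the elected DIS pseudonode ID."""
    result = {}
    for level in ("L1", "L2"):
        dis = elect_dis(routers, level)
        if dis is not None:
            result[level] = pseudonode_id(dis)
    return result


def with_priority(routers: List[Router], name: str, level: str, value: int) -> List[Router]:
    """Copy of the segment with one router's DIS priority at `level` changed (step 3 above)."""
    out = []
    for r in routers:
        pr = dict(r.priority)
        if r.name == name:
            pr[level] = value
        out.append(Router(r.name, r.system_id, r.mac, list(r.levels), pr))
    return out


if __name__ == "__main__":
    print(election_summary(SEGMENT))
    print(election_summary(with_priority(SEGMENT, "Firewall", "L1", 100)))
```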
Figure 281 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic IS-IS:
# Configure Router A.
system-view
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] isis enable 1
[RouterA-GigabitEthernet1/1] quit
# Configure Router B.
[RouterC] interface gigabitethernet 1/3
[RouterC-GigabitEthernet1/3] isis enable 1
[RouterC-GigabitEthernet1/3] quit
# Configure Firewall.
system-view
[Firewall] isis 1
[Firewall-isis-1] is-level level-2
[Firewall-isis-1] network-entity 20.0000.0000.0004.00
[Firewall-isis-1] quit
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] isis enable 1
[Firewall-GigabitEthernet1/2] quit
# Display IS-IS routing information on each router.
IPV4 Destination     IntCost   ExtCost   ExitInterface   NextHop      Flags
10.1.1.0/24          10        NULL      GE1/1           Direct       D/L/-
10.1.2.0/24          10        NULL      GE1/3           Direct       D/L/-
192.168.0.
                        ISIS(1) IPv4 Level-1 Forwarding Table
IPV4 Destination     IntCost   ExtCost   ExitInterface   NextHop      Flags
10.1.1.0/24          10        NULL      GE1/1           Direct       D/L/-
10.1.2.0/24          10        NULL      GE1/3           Direct       D/L/-
192.168.0.
Figure 282 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure basic IS-IS:
# Configure Device A.
system-view
[DeviceA] isis 1
[DeviceA-isis-1] network-entity 10.0000.0000.0001.00
[DeviceA-isis-1] is-level level-1
[DeviceA-isis-1] quit
[DeviceA] interface gigabitethernet 1/1
[DeviceA-GigabitEthernet1/1] isis enable 1
[DeviceA-GigabitEthernet1/1] quit
# Configure Device B.
[DeviceC] interface gigabitethernet 1/3
[DeviceC-GigabitEthernet1/3] isis enable 1
[DeviceC-GigabitEthernet1/3] quit
# Configure Device D.
system-view
[DeviceD] isis 1
[DeviceD-isis-1] network-entity 20.0000.0000.0001.00
[DeviceD-isis-1] quit
[DeviceD] interface gigabitethernet 1/1
[DeviceD-GigabitEthernet1/1] isis enable 1
[DeviceD-GigabitEthernet1/1] quit
3.
5. Configure the routing domain authentication mode as MD5 and set the password to 1020Sec on Device C and Device D.
Configuring BGP
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Feature and hardware compatibility
Hardware                  BGP compatible
F1000-A-EI/F1000-S-EI     Yes
F1000-E                   Yes
F5000                     Yes
Firewall module           Yes
U200-A                    Yes
U200-S                    No
Overview
Border Gateway Protocol (BGP) is an exterior gateway protocol (EGP).
To enable a router to run BGP, you must specify a router ID, the unique identifier of the router in the AS. By default, if no global router ID is configured, the highest loopback interface IP address, if any, is used as the router ID. If no loopback interface IP address is available, the highest physical interface IP address is used, regardless of the interface status. Use a loopback interface IP address as the router ID to increase network availability.
Configuring BGP globally
1.
Figure 284 Tabs on the BGP peer configuration page
2. Click Add on the Peer Configuration tab. The BGP peer configuration page appears.
Figure 285 Creating a BGP peer
3. Configure the parameters as described in Table 56.
4. Click Apply.
Table 56 Configuration items
Item              Description
Peer IP Address   Configure the IP address of the BGP peer.
Peer AS           Specify the AS number of the BGP peer.
Displaying BGP peer information
1.
2. After you complete BGP peer configurations, click Show Peer on the Show Information tab. The page for displaying the BGP peer information appears.
Figure 286 Displaying BGP peer information
Table 57 Field description
Field             Description
Peer IP Address   IP address of the BGP peer.
Peer AS           AS number of the BGP peer.
Version           BGP version.
State             Current state of the BGP peer.
BGP configuration example
In this example, Device A is the firewall.
Figure 288 Enabling BGP
Figure 289 Web page displayed after you enable BGP
b. Select the Enable BGP box, and enter 65008 for AS.
c. Click Apply.
3. Configure EBGP connections:
a. Click Add in the Peer Configuration field. The BGP peer configuration page appears.
Figure 290 Adding a BGP peer
b. Enter 200.1.1.1 for Peer IP Address and 65009 for Peer AS.
c. Click Apply.
Configuring Device B
See the configuration pages of Device A for reference.
1. Configure IP addresses for interfaces and add interfaces to the security zones. (Details not shown.)
2. Enable BGP:
a. Select Network > Routing Management > BGP from the navigation tree of Device B. The BGP global configuration page appears.
b. Select the Enable BGP box, and enter 65009 for AS.
c. Click Apply.
3. Configure IBGP connections:
a. Click Add in the Peer Configuration field.
b. Enter 9.1.1.1 for Peer IP Address and 65009 for Peer AS.
c. Click Apply.
d. Click Add in the Peer Configuration field.
e. Enter 9.1.2.1 for Peer IP Address and 65009 for Peer AS.
f. Click Apply.
Verifying the configuration
1. Select Network > Routing Management > BGP from the navigation tree of Device B.
2.
Task                                                                  Remarks
Specifying the source interface for TCP connections                   Optional.
Generating BGP routes:
  Injecting a local network                                           Required.
  Redistributing IGP routes                                           Use at least one approach.
Controlling route distribution and reception (Optional.):
  Configuring BGP route summarization
  Advertising a default route to a peer or peer group
  Configuring BGP route distribution/reception filtering policies
Configuring basic BGP
This section describes the tasks required for a BGP network to work.
Enabling BGP
A router ID is the unique identifier of a BGP router in an AS.
• To ensure the uniqueness of a router ID and enhance availability, you can specify in BGP view the IP address of a local loopback interface as the router ID.
• If no router ID is specified in BGP view, the global router ID is used.
Step 463. Enable the default use of the IPv4 unicast address family for the peers that are established using the peer as-number command.
  Command: default ipv4-unicast
  Remarks: Optional. Enabled by default. This command is not supported in BGP-VPN instance view.
Step 464. Enable a peer.
  Command: peer ip-address enable
  Remarks: Optional. Enabled by default.
Step 465. Configure a description for a peer.
  Command: peer ip-address description description-text
  Remarks: Optional. By default, no description is configured for a peer.
If peers in an EBGP group belong to the same external AS, the EBGP peer group is a pure EBGP peer group. If not, it is a mixed EBGP peer group. Use one of the following approaches to configure an EBGP peer group:
• Approach 1: Create an EBGP peer group, specify its AS number, and add peers into it. All the added peers have the same AS number. You can specify an AS number for a peer before adding it into the peer group. The AS number must be the same as that of the peer group.
Step 480. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 481. Create an EBGP peer group.
  Command: group group-name external
  Remarks: N/A
Step 482. Create a BGP peer and specify its AS number.
  Command: peer ip-address as-number as-number
  Remarks: N/A
Step 483. Add a peer into the EBGP peer group.
Specifying the source interface for TCP connections
By default, BGP uses the output interface of the optimal route to a peer or peer group as the source interface for establishing TCP connections to the peer or peer group, and it uses the primary IP address of the output interface as the source IP address of those TCP connections.
Step 496. Enter system view.
  Command: system-view
  Remarks: N/A
Step 497. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 498. Inject a local network into the BGP routing table.
  Command: network ip-address [ mask | mask-length ] [ route-policy route-policy-name ]
  Remarks: Optional. Not injected by default.
Controlling route distribution and reception
Configuring BGP route summarization
To reduce the number of routes to be redistributed and the routing table size on medium and large BGP networks, configure route summarization on BGP routers. BGP supports the following summarization modes: automatic and manual. Manual summary routes have a higher priority than automatic ones.
1.
Step 508. Configure manual route summarization.
  Command: aggregate ip-address { mask | mask-length } [ as-set | attribute-policy route-policy-name | detail-suppressed | origin-policy route-policy-name | suppress-policy route-policy-name ] *
  Remarks: Not configured by default.
Advertising a default route to a peer or peer group
Perform this task to advertise a default BGP route, with the advertising router as its next hop, to a peer or peer group.
• peer ip-prefix export
• peer route-policy export
Only routes passing the first policy can go to the next, and only routes passing all the configured policies can be advertised.
To configure BGP route distribution filtering policies:
Step 512. Enter system view.
  Command: system-view
  Remarks: N/A
Step 513. Enter BGP view or BGP-VPN instance view.
  Remarks: Use either approach.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b.
Only routes passing all the configured policies can be received.
To configure BGP route reception filtering policies:
Step 515. Enter system view.
  Command: system-view
  Remarks: N/A
Step 516. Enter BGP view or BGP-VPN instance view.
  Remarks: Use either approach.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b.
Figure 292 BGP and IGP synchronization in an AS
For this example, if synchronization is enabled, and the route 8.0.0.0/24 received from Router B is available in its IGP routing table, Router D advertises the IBGP route when the following conditions are satisfied:
• The next hop of the route is reachable.
• An active route with the same destination network segment is available in the IGP routing table (use the display ip routing-table protocol command to check the IGP route state).
Step 521. Enter system view.
  Command: system-view
  Remarks: N/A
Step 522. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 523. Specify the maximum number of routes that a router can receive from a peer or peer group.
Step 528. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 529. Specify a preferred value for routes received from a peer or peer group.
  Command: peer { group-name | ip-address } preferred-value value
  Remarks: Optional. By default, the preferred value is 0.
Step 534. Enter system view.
  Command: system-view
  Remarks: N/A
Step 535. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 536. Configure the default local preference.
  Command: default local-preference value
  Remarks: Optional. The default local preference is 100.
Configuring the MED attribute
MED is used to determine the best route for traffic going into an AS.
Figure 293 Route selection based on MED
As shown in Figure 293, Router D learns network 10.0.0.0 from both Router A and Router B. Because Router B has a smaller router ID, the route learned from it is optimal.
     Network        NextHop     MED   LocPrf   PrefVal   Path/Ogn
*>i  10.0.0.0       2.2.2.2     50             0         300e
* i                 3.3.3.3     50             0         200e
When Router D learns network 10.0.0.0 from Router C, it compares the route with the optimal route in its routing table.
Step 543. Enter system view.
  Command: system-view
  Remarks: N/A
Step 544. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 545. Enable the comparison of MEDs for routes on a per-AS basis.
  Command: bestroute compare-med
  Remarks: Optional. Not enabled by default.
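A simplified Python model of the MED step discussed above, added here as an example and not HP code. Router A and Router B carry the AS, MED and router ID values from the table above (AS path 300 for the 2.2.2.2 route, 200 for the 3.3.3.3 route); Router C's values are constructed, and the earlier decision steps (PrefVal, local preference, AS path length) are assumed to tie.

```python
# Added example, not from the HP guide: a simplified model of the MED step.
# Without bestroute compare-med, the router compares each newly received
# route against the current best; MED is compared only when both routes came
# from the same neighbor AS, otherwise the lower router ID decides (the
# tie-breaker used in the example above). That makes the result depend on
# the order in which routes arrived. With bestroute compare-med, the best
# route is first chosen within each neighbor AS by MED, and only the
# per-AS winners are then compared, so arrival order no longer matters.
# Router C's AS, MED and router ID below are constructed values.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    learned_from: str      # advertising router, for readability
    neighbor_as: int       # first AS in the AS_PATH
    med: int
    router_id: str         # dotted-decimal router ID of the advertising peer


def rid_key(router_id: str) -> int:
    a, b, c, d = (int(x) for x in router_id.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def prefer(candidate: Route, current: Route) -> bool:
    """True if candidate beats current at the MED / router-ID steps."""
    if candidate.neighbor_as == current.neighbor_as and candidate.med != current.med:
        return candidate.med < current.med
    return rid_key(candidate.router_id) < rid_key(current.router_id)


def best_route_sequential(routes: List[Route]) -> Optional[Route]:
    """Default behaviour: pairwise comparison in arrival order."""
    best = None
    for r in routes:
        if best is None or prefer(r, best):
            best = r
    return best


def best_route_compare_med(routes: List[Route]) -> Optional[Route]:
    """bestroute compare-med: best per neighbor AS by MED first, then across ASes."""
    per_as: Dict[int, Route] = {}
    for r in routes:
        cur = per_as.get(r.neighbor_as)
        if cur is None or r.med < cur.med or (
            r.med == cur.med and rid_key(r.router_id) < rid_key(cur.router_id)
        ):
            per_as[r.neighbor_as] = r
    winners = sorted(per_as.values(), key=lambda r: rid_key(r.router_id))
    return winners[0] if winners else None


# Router D's view from the table above, plus a constructed route from Router C
# that shares Router B's neighbor AS but carries a lower MED.
FROM_A = Route("Router A", 200, 50, "3.3.3.3")
FROM_B = Route("Router B", 300, 50, "2.2.2.2")
FROM_C = Route("Router C", 300, 30, "4.4.4.4")


def winner(routes: List[Route], compare_med_per_as: bool) -> str:
    """Name of the router whose route Router D selects under the chosen mode."""
    chooser = best_route_compare_med if compare_med_per_as else best_route_sequential
    best = chooser(routes)
    return best.learned_from if best else ""


if __name__ == "__main__":
    for order in ([FROM_A, FROM_B, FROM_C], [FROM_A, FROM_C, FROM_B]):
        print([r.learned_from for r in order],
              "sequential:", winner(order, False),
              "compare-med:", winner(order, True))
```

With the default comparison the two arrival orders pick different routes (Router C versus Router B); with per-AS MED comparison both orders pick Router A.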
If a BGP router has two peers on a common broadcast network, it does not set itself as the next hop for routes sent to an EBGP peer by default. As shown in Figure 295, Router A and Router B establish an EBGP neighbor relationship, and Router B and Router C establish an IBGP neighbor relationship. They are on the same broadcast network 1.1.1.0/24. When Router B sends EBGP routes to Router A, it does not set itself as the next hop by default. However, you can configure Router B to set it as the next hop (1.1.
Step 552. Enter system view.
  Command: system-view
  Remarks: N/A
Step 553. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 554. Permit the local AS number to appear in routes from a peer or peer group and specify the number of times it may appear.
  Remarks: Optional.
4. Configuring AS number substitution
Use AS number substitution only in the specific scenario. Improper configuration can result in routing loops.
To configure AS number substitution for a peer or peer group:
Step 561. Enter system view.
  Command: system-view
  Remarks: N/A
Step 562. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 563.
Step 569. Configure BGP to ignore the first AS number of EBGP route updates.
  Command: ignore-first-as
  Remarks: By default, BGP checks the first AS number of EBGP route updates.
Tuning and optimizing BGP networks
Configuring the BGP keepalive interval and holdtime
After establishing a BGP session, two routers send keepalive messages to each other at the specified keepalive interval to keep the session alive.
Step 572. Configure the BGP keepalive interval and holdtime.
  Command:
    • Configure the global keepalive interval and holdtime: timer keepalive keepalive hold holdtime
    • Configure the keepalive interval and holdtime for a peer or peer group: peer { group-name | ip-address } timer keepalive keepalive hold holdtime
  Remarks: Optional. By default, the keepalive interval is 60 seconds, and the holdtime is 180 seconds.
Step 578. Allow the establishment of an EBGP session to an indirectly connected peer or peer group, and specify the maximum hop count.
  Command: peer { group-name | ip-address } ebgp-max-hop [ hop-count ]
  Remarks: By default, an EBGP session to an indirectly connected peer or peer group cannot be established.
Enabling the BGP ORF capability
The BGP Outbound Route Filtering (ORF) feature allows a BGP speaker to send its BGP peer a set of ORFs through route-refresh messages.
Local parameter   Peer parameter   Negotiation result
receive           • send           The local end can only receive ORF information, and the peer end can only send ORF information.
                  • both
both              both             Both the local and peer ends can send and receive ORF information.
Step 589. Enable quick reestablishment of direct EBGP sessions.
  Command: ebgp-interface-sensitive
  Remarks: Optional. Not enabled by default.
Enabling MD5 authentication for BGP peers
You can enable MD5 authentication to enhance security in the following ways:
• Perform MD5 authentication when establishing TCP connections. Only the two parties that have the same password configured can establish TCP connections.
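What the first bullet relies on is the TCP MD5 signature option of RFC 2385: each segment of the BGP session carries a digest that only a peer holding the same password can compute, and a receiver discards segments whose digest does not match. The Python below, added as an example and not HP code, computes and verifies that digest; addresses, ports, sequence numbers, the payload and the password are constructed sample values.

```python
# Added example, not from the HP guide: the TCP MD5 signature option
# (RFC 2385) behind BGP MD5 peer authentication. The digest covers, in
# order, the IPv4 pseudo-header, the 20-byte TCP header with the checksum
# field zeroed (options excluded), the segment payload and the shared
# password. All session parameters below are constructed sample values.
import hashlib
import hmac
import socket
import struct

TCP_PROTOCOL = 6
TCPOPT_MD5SIG = 19       # option kind
TCPOLEN_MD5SIG = 18      # kind + length + 16-byte digest


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     window: int, options: bytes = b"") -> bytes:
    """Build a TCP header with a zero checksum; options must be 4-byte padded."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4
    off_flags = (data_offset << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0) + options


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes,
                   payload: bytes, password: bytes) -> bytes:
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    fixed = bytearray(tcp_header[:20])    # options are not covered by the digest
    fixed[16:18] = b"\x00\x00"            # checksum is taken as zero
    # Pseudo-header: source, destination, zero, protocol, TCP segment length
    # (header including options, plus payload).
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, TCP_PROTOCOL, len(tcp_header) + len(payload))
    m = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, password):
        m.update(part)
    return m.digest()


def md5sig_option(digest: bytes) -> bytes:
    """Encode the digest as the TCP MD5 signature option (kind 19, length 18)."""
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    return bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest


def verify_segment(src_ip: str, dst_ip: str, tcp_header: bytes, payload: bytes,
                   received_digest: bytes, password: bytes) -> bool:
    """Receiver-side check; a mismatch means the segment is silently dropped."""
    expected = tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, password)
    return hmac.compare_digest(expected, received_digest)


# Constructed BGP session parameters (TCP port 179) and a placeholder payload.
# In a real segment the option itself occupies 20 padded bytes of the header
# and is counted in the data offset and segment length; it is omitted here.
SRC, DST = "9.1.1.1", "9.1.2.1"
PASSWORD = b"constructed-shared-secret"
HEADER = build_tcp_header(sport=179, dport=41000, seq=0x1000, ack=0x2000,
                          flags=0x018, window=65535)
PAYLOAD = b"BGP-KEEPALIVE-PLACEHOLDER"


def demo_roundtrip(password: bytes = PASSWORD, payload: bytes = PAYLOAD) -> bool:
    """Sign with PASSWORD over PAYLOAD, then verify with the password and payload given."""
    digest = tcp_md5_digest(SRC, DST, HEADER, PAYLOAD, PASSWORD)
    option = md5sig_option(digest)
    # The digest travels inside the option; the receiver strips it and recomputes.
    return verify_segment(SRC, DST, HEADER, payload, option[2:], password)


if __name__ == "__main__":
    print(demo_roundtrip(), demo_roundtrip(password=b"wrong"))
```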
Step 596. Enter system view.
  Command: system-view
  Remarks: N/A
Step 597. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 598. Forbid session establishment with a peer or peer group.
  Command: peer { group-name | ip-address } ignore
  Remarks: Not forbidden by default.
2. Saving updates
To save all route updates from a peer or peer group:
Step 602. Enter system view.
  Command: system-view
  Remarks: N/A
Step 603. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 604. Save all route updates from a peer or peer group.
  Command: peer { group-name | ip-address } keep-all-routes
  Remarks: Not saved by default.
Configuring BGP community
By default, a router does not send the community or extended community attribute to its peers or peer groups. When the router receives a route carrying the community or extended community attribute, it removes the attribute before advertising the route to its peers or peer groups. This task allows you to enable a router to advertise the community or extended community attribute to its peers, so that you can implement route filtering and control.
Step 615. Enter BGP view or BGP-VPN instance view.
  Command:
    • Enter BGP view: bgp as-number
    • Enter BGP-VPN instance view: a. bgp as-number  b. ipv4-family vpn-instance vpn-instance-name
  Remarks: Use either approach.
Step 616. Configure the router as a route reflector and specify a peer or peer group as its client.
  Command: peer { group-name | ip-address } reflect-client
Step 617. Enable route reflection between clients.
  Command: reflect between-clients
Step 618. Configure the cluster ID of the route reflector.
2. Configuring confederation compatibility
If some other routers in the confederation do not comply with RFC 3065, you must enable confederation compatibility so that the router can work with them.
Step 623: Enter system view.
  Command: system-view
  Remarks: N/A
Step 624: Enter BGP view.
  Command: bgp as-number
  Remarks: N/A
Step 625: Enable compatibility with routers in the confederation that are not compliant with RFC 3065.
  Command: confederation nonstandard
  Remarks: Optional. Not enabled by default.
Configuring BFD for BGP
The following matrix shows the feature and hardware compatibility:
Hardware                Feature compatible
F1000-A-EI/F1000-S-EI   No
F1000-E                 No
F5000                   Yes
Firewall module         No
U200-A                  No
U200-S                  No
BGP maintains neighbor relationships with the keepalive timer and the hold timer, both in seconds, and the hold time must be at least three times the keepalive interval. Detecting a link failure through these timers is therefore slow.
Task: Display BGP peer or peer group information.
  Command: display bgp peer [ ip-address { log-info | verbose } | group-name log-info | verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the prefix information in the ORF message from the specified BGP peer.
  Command: display bgp peer ip-address received ip-prefix [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display BGP routing information.
Resetting BGP sessions
Task: Reset the specified BGP session.
  Command: reset bgp { as-number | ip-address | all | external | group group-name | internal }
  Remarks: Available in user view.
Task: Reset all IPv4 unicast BGP sessions.
  Command: reset bgp ipv4 all
  Remarks: Available in user view.
Clearing BGP information
Task: Clear dampened BGP routing information and release suppressed routes.
  Command: reset bgp dampening [ ip-address [ mask | mask-length ] ]
  Remarks: Available in user view.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure IBGP:
# Configure Firewall.
system-view
[Firewall] bgp 65009
[Firewall-bgp] router-id 2.2.2.2
[Firewall-bgp] peer 3.3.3.3 as-number 65009
[Firewall-bgp] peer 3.3.3.3 connect-interface loopback 0
[Firewall-bgp] quit
[Firewall] ospf 1
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.1 0.0.0.
# Configure Firewall.
[Firewall] bgp 65009
[Firewall-bgp] peer 3.1.1.2 as-number 65008
[Firewall-bgp] quit
# Display BGP peer information on Firewall.
[Firewall] display bgp peer
 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 2
  Peer        AS     MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
  3.3.3.3     65009  12       10       0     3        00:09:16   Established
  3.1.1.
 Total Number of Routes: 1
 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network        NextHop    MED    LocPrf   PrefVal  Path/Ogn
   i 8.1.1.0/24     3.1.1.2    0      100      0        65008i
The output shows that Router A has learned no route to AS 65009, and that Router B has learned network 8.1.1.0 but its next hop 3.1.1.2 is unreachable, so the route is invalid.
4.
   i 2.2.2.2/32     2.2.2.2    0      100      0        ?
 *>i 3.1.1.0/24     2.2.2.2    0      100      0        ?
 *>i 8.1.1.0/24     3.1.1.2    0      100      0        65008i
 * i 9.1.1.0/24     2.2.2.2    0      100      0        ?
The output shows that the route 8.1.1.0 becomes valid, with Router A as the next hop.
5. Verify the configuration:
# Ping 8.1.1.1 on Router B.
[RouterB] ping 8.1.1.1
  PING 8.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
    Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=2 ms
    Reply from 8.1.1.
system-view
[Firewall] ospf 1
[Firewall-ospf-1] area 0
[Firewall-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[Firewall-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
# Configure Router B.
system-view
[RouterB] ospf 1
[RouterB-ospf-1] import-route direct
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
3.
     Network        NextHop    MED    LocPrf   PrefVal  Path/Ogn
 *>  3.3.3.3/32     3.1.1.1    1               0        65009?
 *>  8.1.1.0/24     0.0.0.0    0               0        i
 *>  9.1.2.0/24     3.1.1.1    1               0        65009?
# Display the routing table on Router B.
[RouterB] display ip routing-table
Routing Tables: Public
        Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost   NextHop     Interface
2.2.2.2/32          OSPF    10   1      9.1.1.1     GE0/1
3.3.3.3/32          Direct  0    0      127.0.0.1   InLoop0
8.1.1.0/24          O_ASE        1      9.1.1.1     GE0/1
9.1.1.0/24          Direct  0    0      9.1.1.
  round-trip min/avg/max = 2/2/2 ms
BGP load balancing configuration example
Network requirements
As shown in Figure 298, all routers run BGP. Firewall resides in AS 65008, and Router A and Router B reside in AS 65009. EBGP runs between Firewall and Router B, and between Firewall and Router A. IBGP runs between Router B and Router A. Configure two routes to the same destination on Firewall for load balancing.
# Configure Router B.
system-view
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 3.1.1.2 as-number 65008
[RouterB-bgp] peer 3.3.3.3 as-number 65009
[RouterB-bgp] peer 3.3.3.3 connect-interface loopback 0
[RouterB-bgp] network 9.1.1.0 24
[RouterB-bgp] quit
[RouterB] ip route-static 3.3.3.3 32 9.1.1.2
# Configure Router A.
system-view
[RouterA] bgp 65009
[RouterA-bgp] router-id 3.3.3.3
[RouterA-bgp] peer 3.1.2.2 as-number 65008
[RouterA-bgp] peer 2.2.2.
4. Verify the configuration:
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table
 Total Number of Routes: 3
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network        NextHop    MED    LocPrf   PrefVal  Path/Ogn
 *>  8.1.1.0/24     0.0.0.0    0               0        i
 *>  9.1.1.0/24     3.1.1.1    0               0        65009i
 *>                 3.1.2.
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure static routing between Router A and Router B:
# Configure a default route with the next hop 192.168.212.1 on Router A.
system-view
[RouterA] ip route-static 0.0.0.0 0 192.168.212.1
# Configure static routes to 192.168.64.0/24, 192.168.74.0/24, and 192.168.99.0/24 with the same next hop 192.168.212.161 on Router B.
system-view
[RouterB] ip route-static 192.168.64.0 24 192.168.212.
The output shows that Firewall has learned routes to 192.168.64.0/24, 192.168.74.0/24, and 192.168.99.0/24 through OSPF.
4. Configure BGP between Firewall and Router C, and configure BGP on Firewall to redistribute OSPF routes:
# On Firewall, enable BGP, specify Router C as an EBGP peer, and configure BGP to redistribute OSPF routes.
[Firewall] bgp 65106
[Firewall-bgp] router-id 3.3.3.3
[Firewall-bgp] peer 10.220.2.
Destination/Mask    Proto   Pre  Cost   NextHop       Interface
3.3.3.3/32          Direct  0    0      127.0.0.1     InLoop0
10.220.2.0/24       Direct  0    0      10.220.2.16   GE0/1
10.220.2.16/32      Direct  0    0      127.0.0.1     InLoop0
127.0.0.0/8         Direct  0    0      127.0.0.1     InLoop0
127.0.0.1/32        Direct  0    0      127.0.0.1     InLoop0
172.17.100.0/24     Direct  0    0      172.17.100.2  GE0/2
172.17.100.2/32     Direct  0    0      127.0.0.1     InLoop0
192.168.64.0/18     BGP     130  0      127.0.0.1     NULL0
192.168.64.0/24     O_ASE   150  1      172.17.100.1  GE0/2
192.168.74.
Figure 300 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure EBGP connections:
# Configure Firewall.
system-view
[Firewall] bgp 10
[Firewall-bgp] router-id 1.1.1.1
[Firewall-bgp] peer 200.1.2.2 as-number 20
[Firewall-bgp] network 9.1.1.0 255.255.255.0
[Firewall-bgp] quit
# Configure Router B.
system-view
[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.
 Origin : igp
 Attribute value : MED 0, pref-val 0, pre 255
 State : valid, external, best,
 Advertised to such 1 peers:
    200.1.3.2
Router B has advertised the route to Router A in AS 30.
# Display BGP routing table information on Router A.
[RouterA] display bgp routing-table
 Total Number of Routes: 1
 BGP Local router ID is 3.3.3.
BGP route reflector configuration example
Network requirements
As shown in Figure 301, all routers run BGP.
• EBGP runs between Router A and Router B. IBGP runs between Firewall and Router B, and between Firewall and Router C.
• Firewall is a route reflector with clients Router B and Router C.
• Router C can learn route 1.0.0.0/8 from Firewall.
Figure 301 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2.
system-view
[RouterC] bgp 200
[RouterC-bgp] peer 194.1.1.1 as-number 200
[RouterC-bgp] quit
3. Configure Firewall as the route reflector.
[Firewall] bgp 200
[Firewall-bgp] peer 193.1.1.2 reflect-client
[Firewall-bgp] peer 194.1.1.2 reflect-client
[Firewall-bgp] quit
4. Verify the configuration:
# Display the BGP routing table on Router B.
[RouterB] display bgp routing-table
 Total Number of Routes: 1
 BGP Local router ID is 200.1.2.
Figure 302 Network diagram
Device     Interface   IP address
Router A   S2/1        200.1.1.1/24
           GE0/1       10.1.2.1/24
           GE0/2       10.1.3.1/24
           GE0/3       10.1.4.1/24
           GE0/4       10.1.1.1/24
Router B   GE0/1       10.1.1.2/24
Router C   GE0/1       10.1.2.2/24
Router D   GE0/1       10.1.5.1/24
           GE0/2       10.1.3.2/24
Firewall   GE0/1       10.1.5.2/24
           GE0/2       10.1.4.2/24
Router E
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2.
system-view
[RouterC] bgp 65003
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] confederation id 200
[RouterC-bgp] confederation peer-as 65001 65002
[RouterC-bgp] peer 10.1.2.1 as-number 65001
[RouterC-bgp] quit
3. Configure IBGP connections in AS 65001:
# Configure Router A.
[RouterA] bgp 65001
[RouterA-bgp] peer 10.1.3.2 as-number 65001
[RouterA-bgp] peer 10.1.3.2 next-hop-local
[RouterA-bgp] peer 10.1.4.2 as-number 65001
[RouterA-bgp] peer 10.1.4.
[RouterB] display bgp routing-table
 Total Number of Routes: 1
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network        NextHop    MED    LocPrf   PrefVal  Path/Ogn
 *>i 9.1.1.0/24     10.1.1.1   0      100      0        (65001) 100i
[RouterB] display bgp routing-table 9.1.1.0
 BGP local router ID : 2.2.2.
 AS-path : 100
 Origin : igp
 Attribute value : MED 0, localpref 100, pref-val 0, pre 255
 State : valid, internal, best,
 Not advertised to any peers yet
The output indicates the following:
• Router E can send route information to Router B and Router C through the confederation by establishing only an EBGP connection with Router A.
• Router B and Router D are in the same confederation, but belong to different sub-ASs.
[RouterB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# Configure Firewall.
• (Method I.) Specify a higher MED value for the route 1.0.0.0/8 advertised to 192.1.1.2, so that Firewall prefers the route learned from Router C.
# Define ACL 2000 to permit the route 1.0.0.0/8.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[RouterA-acl-basic-2000] quit
# Define routing policy apply_med_50, which sets the MED value of route 1.0.0.0/8 to 50, and routing policy apply_med_100, which sets the MED value of route 1.0.0.0/8 to 100.
[RouterC-route-policy] quit
# Apply the routing policy localpref to the routes received from the peer 193.1.1.1 on Router C.
[RouterC] bgp 200
[RouterC-bgp] peer 193.1.1.1 route-policy localpref import
[RouterC-bgp] quit
# Display the BGP routing table on Firewall.
[Firewall] display bgp routing-table
 Total Number of Routes: 2
 BGP Local router ID is 194.1.1.
Figure 304 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure OSPF so that Firewall A and Firewall B can reach each other. (Details not shown.)
3. Configure BGP on Firewall A:
# Establish two IBGP connections to Firewall B.
system-view
[FirewallA] bgp 200
[FirewallA-bgp] peer 3.0.2.2 as-number 200
[FirewallA-bgp] peer 2.0.2.2 as-number 200
[FirewallA-bgp] quit
# Create ACL 2000 to permit 1.1.1.0/24 to pass.
[FirewallA-bgp] quit
4. Configure BGP on Firewall B:
system-view
[FirewallB] bgp 200
[FirewallB-bgp] peer 3.0.1.1 as-number 200
[FirewallB-bgp] peer 3.0.1.1 bfd
[FirewallB-bgp] peer 2.0.1.1 as-number 200
[FirewallB-bgp] quit
5. Configure BFD parameters (you can use the default BFD parameters instead):
# Configure Firewall A.
• Configure active-mode BFD on GigabitEthernet 1/2.
 Running Up for: 00:00:06
 Auth mode: Simple
 Protocol: BGP
 Diag Info: No Diagnostic
The output shows that a BFD session is established between GigabitEthernet 1/2 of Firewall A and GigabitEthernet 1/1 of Firewall B, and that BFD runs properly.
# Display BGP peer information on Firewall B.
display bgp peer
 BGP local router ID : 1.1.1.1
 Local AS number : 200
 Total number of peers : 2                 Peers in established state : 2
  Peer        AS     MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down    State
  2.0.1.
debugging bfd event
debugging bgp bfd
terminal monitor
terminal debugging
%Nov  5 11:42:24:172 2009 RouterC BFD/5/BFD_CHANGE_FSM: Sess[3.0.2.2/3.0.1.1,13/17,GE1/1,Ctrl], Sta: UP->DOWN, Diag: 1
%Nov  5 11:42:24:172 2009 RouterC BGP/5/BGP_STATE_CHANGED: 3.0.1.1 state is changed from ESTABLISHED to IDLE.
*Nov  5 11:42:24:187 2009 RouterC RM/6/RMDEBUG: BGP_BFD: Recv BFD DOWN msg, Src IP 3.0.2.2, Dst IP 3.0.1.1, Instance ID 0.
5. If the peer ttl-security hops command is configured, verify that it is also configured on the peer, and that the hop-count values configured on both sides are greater than the number of hops between them.
6. Verify that a valid route to the peer is available.
7. Use the ping command to verify connectivity to the peer.
8. Use the display tcp status command to verify the TCP connection.
9. Verify whether an ACL is applied that blocks TCP port 179.
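Step 5 is the check most often misread, because the hop count behaves differently on the sending and receiving side. The following added example (not HP code) models the Generalized TTL Security Mechanism that peer ttl-security hops implements: a GTSM-enabled sender puts TTL 255 in its packets, and a receiver configured with hop-count N accepts a segment only if its TTL is in the range 255 - N + 1 to 255. Those two rules, and the assumption that a speaker without the command sends EBGP packets with TTL equal to its ebgp-max-hop (default 1), are modelling assumptions taken from RFC 5082 rather than statements from this guide. The model shows why the command must be present on both peers and why the configured hop count must cover the real distance, and what it buys you against a remote attacker.

```python
"""GTSM / peer ttl-security hops model (added example, not HP code).
Assumed rules: GTSM sender uses TTL 255; receiver with hop-count N accepts
TTL in [255 - N + 1, 255]; a non-GTSM EBGP speaker sends TTL = ebgp-max-hop."""
MAX_TTL = 255


def ttl_seen_by_receiver(sent_ttl, hops):
    """TTL after (hops - 1) forwarding routers each decrement it.
    hops=1 is a directly connected peer. Returns None if the packet expires."""
    ttl = sent_ttl - (hops - 1)
    return ttl if ttl >= 1 else None


def gtsm_accepts(received_ttl, hop_count):
    """Receiver side of peer ttl-security hops hop-count."""
    if received_ttl is None:
        return False
    return MAX_TTL - hop_count + 1 <= received_ttl <= MAX_TTL


def segment_accepted(sender_gtsm, sender_ebgp_max_hop, hops, receiver_gtsm_hops):
    """One direction: does a segment from the sender pass the receiver's check?
    receiver_gtsm_hops=None means the receiver does not enforce GTSM."""
    sent_ttl = MAX_TTL if sender_gtsm else sender_ebgp_max_hop
    received = ttl_seen_by_receiver(sent_ttl, hops)
    if receiver_gtsm_hops is None:
        return received is not None          # only needs to arrive
    return gtsm_accepts(received, receiver_gtsm_hops)


def session_can_form(hops, local_hops, remote_hops, ebgp_max_hop=1):
    """A TCP session needs both directions accepted. local_hops and remote_hops
    are the peer ttl-security hops values on each side, or None if not configured."""
    local_to_remote = segment_accepted(local_hops is not None, ebgp_max_hop, hops, remote_hops)
    remote_to_local = segment_accepted(remote_hops is not None, ebgp_max_hop, hops, local_hops)
    return local_to_remote and remote_to_local


def spoofed_segment_accepted(attacker_hops, receiver_gtsm_hops):
    """An attacker can set TTL 255 but cannot stop the routers in between from
    decrementing it, so from attacker_hops away the TTL arrives too low."""
    return gtsm_accepts(ttl_seen_by_receiver(MAX_TTL, attacker_hops), receiver_gtsm_hops)


if __name__ == "__main__":
    print("both sides hops 1, direct     :", session_can_form(1, 1, 1))
    print("only local side configured    :", session_can_form(1, 1, None))
    print("hops 2 configured, 3 hops away:", session_can_form(3, 2, 2))
    print("attacker 5 hops away, hops 1  :", spoofed_segment_accepted(5, 1))
```

The last case is the security argument for the feature: a forged RST or SYN from a host several hops away arrives with TTL 251 and is discarded before TCP ever sees it, whereas a host on the same link (attacker_hops=1) is not stopped by GTSM alone, which is why MD5 authentication is still configured alongside it.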
Displaying and maintaining an IPv4 routing table
You can display an IPv4 routing table in the Web interface or at the CLI to help locate routing problems.
Displaying an IPv4 routing table in the Web interface
Only active routes are shown on the route display page. Select Network > Routing Management > Routing Info from the navigation tree to enter the route display page.
Displaying and maintaining an IPv4 routing table at the CLI
Task: Display routing table information.
  Command: display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about routes permitted by an IPv4 basic ACL.
  Command: display ip routing-table [ vpn-instance vpn-instance-name ] acl acl-number [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Configuring policy-based routing
Overview
Unlike destination-based routing, policy-based routing (PBR) uses user-defined policies to route packets based on the source address, packet length, and other criteria. A policy can specify the output interface, next hop, default output interface, default next hop, and other parameters for packets that match specific criteria, such as an ACL or a packet length range.
Table 60 Priorities and meanings of apply clauses
Clause: apply output-interface and apply ip-address next-hop
  Meaning: Sets the output interface and sets the next hop.
  Priority: The apply output-interface clause takes precedence over the apply ip-address next-hop clause. Only the apply output-interface clause is executed when both are configured.
PBR and track
You can use track to monitor the output interface, default output interface, next hop, and default next hop for PBR, so that PBR can detect link failures faster. PBR takes effect when the status of the associated track entry is positive or invalid. For more information about track-PBR collaboration, see High Availability Configuration Guide.
Configuring PBR in the Web interface
Recommended configuration procedure
Step 636: Configuring a policy
  Description: Required.
Figure 307 Creating a policy
3. Create a policy and a policy node as described in Table 61.
4. Click Apply.
Table 61 Configuration items
Policy Name: Enter a policy name.
  IMPORTANT: Any spaces entered at the beginning or end of a policy name are ignored. A policy name containing only spaces is considered null.
Node Index: Enter a node index of the policy. The node with a smaller number has a higher priority and is matched first.
Default Next Hop: Enter the default next hop IP address.
Outbound Interface: Enter the outbound interface. (This option is available after you click Show Advanced.) Non-P2P interfaces (broadcast and NBMA interfaces, such as Ethernet and virtual-template interfaces) may have multiple next hops, and packets may not be forwarded successfully.
Enter the default outbound interface. (This option is available after you click Show Advanced.
Figure 308 Policy node list page
Figure 309 Creating a policy node
Applying a policy
1. Select Network > Routing Management > Policy Routing from the navigation tree.
2. Click the Application tab. The PBR application page appears.
Figure 310 PBR application page
3. Click Add. The page for applying a policy appears.
Figure 311 Applying a policy
4. Enable local PBR or interface PBR as described in Table 63.
5. Click Apply.
Table 63 Configuration items
Apply to: Specify the policy application mode:
  • Local—Enable local PBR. Unless otherwise required, do not enable local PBR.
  • Interface—Enable interface PBR. Apply the policy on a selected interface.
Figure 312 Network diagram
Configuring Device A
1. Configure IP addresses for interfaces and add interfaces to security zones. (Details not shown.)
2. Create ACL 3101 to match TCP packets:
a. Select Firewall > ACL from the navigation tree.
b. Click Add. The page for creating ACL 3101 appears.
c. Enter 3101 for ACL Number, and select Config for Match Order.
d. Click Apply.
Figure 313 Creating ACL 3101
e. Click the icon of ACL 3101 in the ACL list page.
f. Click Add.
h. Click Apply.
Figure 314 Defining rules for ACL 3101
3. Create node 5 for policy aaa and specify 1.1.2.2 as the next hop of all TCP packets:
a. Select Network > Routing Management > Policy Routing from the navigation tree.
b. Click Add. The default policy configuration page appears.
c. Enter aaa as the policy name and 5 as the node index, set the mode to permit, enter 3101 as the number of the ACL for matching TCP packets, and enter 1.1.2.2 as the next hop.
d. Click Apply.
Figure 315 Creating node 5 for policy aaa
4. Apply policy aaa to GigabitEthernet 0/3 to process packets received on the interface:
a. Click the Application tab.
b. Click Add. The page for applying a policy appears.
c. Select the Interface box, select GigabitEthernet 0/3, and select aaa as the policy name.
d. Click Apply.
Configuring Device B and Device C
Configure IP addresses of interfaces on Device B and Device C, and configure static routes to network 10.110.0.0/24. (Details not shown.)
Verifying the configuration
Configure the IP address of Host A as 10.110.0.20/24, and specify its gateway address as 10.110.0.10. On Host A, Telnet to Device B. The operation succeeds. On Host A, Telnet to Device C. The operation fails. Ping Device C from Host A. The operation succeeds. Telnet uses TCP and ping uses ICMP: policy aaa sends every TCP packet received on GigabitEthernet 0/3 to the next hop 1.1.2.2, so TCP packets addressed to Device C are sent toward 1.1.2.2 instead, while ICMP packets do not match ACL 3101 and are forwarded according to the routing table.
Step 641: Enter policy node view.
  Command: policy-based-route policy-name [ deny | permit ] node node-number
  Remarks: N/A
Step 642: Configure an ACL match criterion.
  Command: if-match acl acl-number
  Remarks: Optional.
Step 643: Configure a packet length match criterion.
  Command: if-match packet-length min-len max-len
  Remarks: Optional.
Configuring actions for a node
Step 644: Enter system view.
  Command: system-view
  Remarks: N/A
Step 645: Enter policy node view.
  Command: policy-based-route policy-name [ deny | permit ] node node-number
  Remarks: N/A
Step 646:
Step 651: Enter system view.
  Command: system-view
  Remarks: N/A
Step 652: Apply a policy locally.
  Command: ip local policy-based-route policy-name
  Remarks: Not applied by default.
Configuring interface PBR
Configure PBR by applying a policy on an interface. PBR uses the policy to guide the forwarding of packets received on the interface. You can apply only one policy to an interface. If you execute the ip policy-based-route command multiple times, only the last specified policy takes effect.
As shown in Figure 317, configure local PBR on Firewall to forward all locally generated TCP packets via GigabitEthernet 0/1. Firewall forwards other packets according to the routing table.
Figure 317 Network diagram
2. Configuration procedure
a. Configure Firewall:
# Configure ACL 3101 to match TCP packets.
Configuring interface PBR based on packet type
1. Network requirements
As shown in Figure 318, configure interface PBR on Firewall to forward all TCP packets received on GigabitEthernet 0/3 via GigabitEthernet 0/1. Firewall forwards other packets according to the routing table.
Figure 318 Network diagram (addresses from the diagram: Router B GE0/1 1.1.2.2/24; Router A GE0/2 1.1.3.2/24; Firewall GE0/1 1.1.2.1/24, GE0/2 1.1.3.1/24, GE0/3 10.110.0.10/24; subnet 10.110.0.0/24 with Host A and Host B; Host A 10.110.0.20/24, gateway 10.
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 1.1.3.1 255.255.255.0
b. Configure Router B:
# Configure a static route to subnet 10.110.0.0/24.
system-view
[RouterB] ip route-static 10.110.0.0 24 1.1.2.1
# Configure the IP address of the GigabitEthernet interface.
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ip address 1.1.2.2 255.255.255.0
c.
Figure 319 Network diagram
2. Configuration procedure
a. Configure Firewall:
# Configure RIP.
system-view
[Firewall] rip
[Firewall-rip-1] network 192.1.1.0
[Firewall-rip-1] network 150.1.0.0
[Firewall-rip-1] network 151.1.0.0
[Firewall-rip-1] quit
# Configure node 10 of policy lab1 to forward packets with a length of 64 to 100 bytes to the next hop 150.1.1.2, and packets with a length of 101 to 1000 bytes to the next hop 151.1.1.2.
[RouterA-rip-1] network 10.0.0.0
[RouterA-rip-1] network 150.1.0.0
[RouterA-rip-1] network 151.1.0.0
# Configure the IP addresses of the GigabitEthernet interfaces.
[RouterA] interface gigabitethernet 0/1
[RouterA-GigabitEthernet0/1] ip address 150.1.1.2 255.255.255.0
[RouterA-GigabitEthernet0/1] quit
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ip address 151.1.1.2 255.255.255.0
[RouterA-GigabitEthernet0/2] quit
# Configure the loopback interface address.
Pinging 10.1.1.1 with 200 bytes of data:
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Reply from 10.1.1.1: bytes=200 time<1ms TTL=255
Ping statistics for 10.1.1.
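The PBR examples above (policy aaa matching TCP by ACL 3101, policy lab1 matching by packet length, and the apply-clause precedence of Table 60) all reduce to one decision procedure, which the following added example (not HP code) implements so the verification results can be reproduced offline. Modelled simplifications, stated as assumptions: an ACL is reduced to the set of IP protocols it permits; nodes are tried in ascending index and the first matching node decides; a deny node, or no match, leaves the packet to the routing table; apply ip-address default next-hop is used only when the routing table has no route at all. The packets and routing table are constructed, and lab1's second length range is assumed to live in node 20 since one node holds a single packet-length criterion.

```python
"""Policy-based routing decision logic (added example, not HP code)."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Node:
    index: int
    action: str = "permit"            # permit | deny
    acl_protocols: frozenset = None   # if-match acl: protocols the ACL permits (modelled ACL)
    length_range: tuple = None        # if-match packet-length min-len max-len
    next_hop: str = None              # apply ip-address next-hop
    output_interface: str = None      # apply output-interface
    default_next_hop: str = None      # apply ip-address default next-hop

    def matches(self, pkt):
        """All configured if-match criteria must match."""
        if self.acl_protocols is not None and pkt["proto"] not in self.acl_protocols:
            return False
        if self.length_range is not None:
            lo, hi = self.length_range
            if not lo <= pkt["length"] <= hi:
                return False
        return True


def route_lookup(table, dst):
    """Longest-prefix match over (prefix, via) entries; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def forward(policy, table, pkt):
    """Return (decided_by, via); decided_by is pbr, pbr-default, rib or drop."""
    for node in sorted(policy, key=lambda n: n.index):
        if not node.matches(pkt):
            continue
        if node.action == "deny":
            break                                   # deny node matched: normal forwarding
        if node.output_interface:
            return ("pbr", node.output_interface)   # Table 60: wins over next-hop
        if node.next_hop:
            return ("pbr", node.next_hop)
        via = route_lookup(table, pkt["dst"])
        if via is None and node.default_next_hop:
            return ("pbr-default", node.default_next_hop)
        return ("rib", via) if via is not None else ("drop", None)
    via = route_lookup(table, pkt["dst"])
    return ("rib", via) if via is not None else ("drop", None)


# Policy aaa, node 5: TCP (ACL 3101) -> next hop 1.1.2.2
POLICY_AAA = [Node(5, acl_protocols=frozenset({"tcp"}), next_hop="1.1.2.2")]
# Policy lab1: 64-100 bytes -> 150.1.1.2 (node 10); 101-1000 bytes -> 151.1.1.2 (node 20, assumed)
POLICY_LAB1 = [Node(10, length_range=(64, 100), next_hop="150.1.1.2"),
               Node(20, length_range=(101, 1000), next_hop="151.1.1.2")]
# Constructed routing table for the firewall of the interface PBR example
FIREWALL_RIB = [("1.1.2.0/24", "GE0/1"), ("1.1.3.0/24", "GE0/2"), ("10.110.0.0/24", "GE0/3")]


def packet(proto, dst, length):
    """Constructed packet: protocol, destination address, total IP length."""
    return {"proto": proto, "dst": dst, "length": length}


if __name__ == "__main__":
    print("Telnet to Device C:", forward(POLICY_AAA, FIREWALL_RIB, packet("tcp", "1.1.3.2", 60)))
    print("Ping to Device C  :", forward(POLICY_AAA, FIREWALL_RIB, packet("icmp", "1.1.3.2", 84)))
    print("200-byte ping     :", forward(POLICY_LAB1, [], packet("icmp", "10.1.1.1", 228)))
```

Running it reproduces the verification section: the Telnet segment for Device C is handed to 1.1.2.2 rather than to the GE0/2 route for 1.1.3.0/24, while the ICMP echo follows the routing table. A packet with the security implication worth noticing is the one that matches no node at all: it silently takes the normal route, so a PBR policy used to force traffic through an inspection path must be checked for the protocols and sizes it does not cover.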
system-view
[Firewall] interface gigabitethernet 0/1.1
[Firewall-GigabitEthernet0/1.1] ip address dhcp-alloc
[Firewall-GigabitEthernet0/1.1] vlan-type dot1q vid 1
[Firewall-GigabitEthernet0/1.1] quit
# Configure ACL 3000 to match SNMP packets and SNMP traps.
Multicast overview
As a technique that coexists with unicast and broadcast, multicast addresses point-to-multipoint data transmission. By enabling efficient point-to-multipoint data delivery over a network, multicast saves network bandwidth and reduces network load.
Configuring multicast routing and forwarding
Overview
In multicast implementations, the following types of tables implement multicast routing and forwarding:
• Multicast routing table of a multicast routing protocol—Each multicast routing protocol has its own multicast routing table, such as the PIM routing table.
• General multicast routing table—The multicast routing information of the different multicast routing protocols forms a general multicast routing table.
Displaying the multicast routing table
Multicast routing tables are the basis of multicast forwarding. You can check the establishment state of an (S, G) entry in the multicast routing table. To display the multicast routing table:
1. From the navigation tree, select Network > Routing Management > Multicast Routing.
2. Click the Multicast Routing Table tab.
3. The multicast routing table page appears.
Figure 322 Multicast routing table
4.
Configuring multicast routing and forwarding at the CLI
Configuration task list
Enabling IP multicast routing: Required.
Configuring static multicast routes: Optional.
Configuring a multicast routing policy: Optional.
Configuring a multicast forwarding range: Optional.
Configuring the multicast forwarding table size: Optional.
Tracing a multicast path: Optional.
use the undo ip rpf-route-static command. To remove all static multicast routes, use the delete ip rpf-route-static command.
To configure a static multicast route:
Step 658: Enter system view.
  Command: system-view
  Remarks: N/A
Step 659: Configure a static multicast route.
  Remarks: No static multicast route is configured by default.
Step 664: Enter system view.
  Command: system-view
  Remarks: N/A
Step 665: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 666: Configure a multicast forwarding boundary.
  Command: multicast boundary group-address { mask | mask-length }
  Remarks: No forwarding boundary by default.
Configuring the multicast forwarding table size
The router maintains a corresponding forwarding entry for each multicast packet that it receives.
Displaying and maintaining multicast routing and forwarding
CAUTION: The reset commands might cause multicast transmission failures.
To display and maintain multicast routing and forwarding:
Task: Display multicast boundary information.
  Command: display multicast boundary [ group-address [ mask | mask-length ] ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display multicast forwarding table information.
Changing an RPF route
1. Network requirements
PIM-DM runs in the network. All devices in the network support multicast. Router A, Router B, and the firewall run OSPF. Typically, the receiver receives the multicast data from the source through the path Router A to the firewall, which is the same as the unicast route. Change the RPF route so that the receiver receives the multicast data from the source through the path Router A to Router B to the firewall, which is different from the unicast route.
# On Router A, enable IP multicast routing globally, and enable PIM-DM on each interface.
system-view
[RouterA] multicast routing-enable
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] pim dm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim dm
[RouterA-Ethernet1/2] quit
[RouterA] interface ethernet 1/3
[RouterA-Ethernet1/3] pim dm
[RouterA-Ethernet1/3] quit
# Enable IP multicast routing and PIM-DM on Router B in the same way. (Details not shown.
Figure 325 Network diagram
2. Configuration procedure
a. Assign an IP address and subnet mask to each interface according to Figure 325. (Details not shown.)
b. Enable OSPF on Router B and the firewall to make sure they are interoperable at the network layer and can dynamically update their routing information. (Details not shown.)
c.
[Firewall] display multicast rpf-info 50.1.1.100
No information is displayed, which indicates that no RPF route to Source 2 exists on Router B or on the firewall.
d. Configure a static multicast route:
# Configure a static multicast route on Router B, specifying Router A as its RPF neighbor on the route to Source 2.
[RouterB] ip rpf-route-static 50.1.1.100 24 30.1.1.2
# Configure a static multicast route on the firewall, specifying Router B as its RPF neighbor on the route to Source 2.
2. Configuration procedure
a. Assign an IP address and mask to each interface according to Figure 326. (Details not shown.)
b. Configure a GRE tunnel:
# Create Tunnel 0 on Router A and configure the IP address and mask for the interface.
system-view
[RouterA] interface tunnel 0
[RouterA-Tunnel0] ip address 50.1.1.1 24
# On Router A, specify the tunnel encapsulation mode as GRE over IPv4 and assign the source and destination addresses to the interface.
[Firewall-ospf-1-area-0.0.0.0] quit
[Firewall-ospf-1] quit
d. Enable IP multicast routing, PIM-DM, and IGMP:
# Enable multicast routing on Router A and enable PIM-DM on each interface.
     1: GigabitEthernet0/1
          Protocol: igmp, UpTime: 00:04:25, Expires: never
 (10.1.1.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:06:14
     Upstream interface: Tunnel0
         Upstream neighbor: 50.1.1.1
         RPF prime neighbor: 50.1.1.
Multicast data fails to reach receivers
Symptom
The multicast data can reach some routers but fails to reach the last-hop router.
Analysis
If you have configured a multicast forwarding boundary with the multicast boundary command, multicast packets for groups within the boundary's group range are kept from crossing that interface.
Solution
1. Use the display pim routing-table command to verify that the corresponding (S, G) entries exist on the router. If they do, the router has received the multicast data.
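The RPF check, the static multicast route that overrides it, and the forwarding boundary that the troubleshooting entry above points at are easier to reason about when run as one model. The following added example (not HP code) does that for a router configured like Router B in the static multicast route example (Source 2 at 50.1.1.100, RPF neighbor 30.1.1.2). Modelled rules, stated as assumptions: the RPF route to a source is the longest-matching static multicast route if one exists, otherwise the longest-matching unicast route (the real selection also weighs route preference, which is left out); a packet passes the RPF check only if it arrived on the RPF interface; a multicast boundary on an interface stops packets for groups in its range from entering or leaving that interface. Interface names, subnets and the unicast route are constructed.

```python
"""RPF check, static multicast route and multicast boundary model (added example, not HP code)."""
import ipaddress


class MulticastRouter:
    def __init__(self, interfaces):
        # interface name -> subnet the interface sits on (constructed)
        self.interfaces = {name: ipaddress.ip_network(net) for name, net in interfaces.items()}
        self.unicast = []          # (destination network, next hop)
        self.static_mroutes = []   # (source network, RPF neighbor) from ip rpf-route-static
        self.boundaries = {}       # interface -> group ranges from multicast boundary

    def add_unicast_route(self, prefix, next_hop):
        self.unicast.append((ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop)))

    def add_static_mroute(self, source_prefix, rpf_neighbor):
        # strict=False accepts the CLI form "50.1.1.100/24" (source address plus mask length)
        self.static_mroutes.append((ipaddress.ip_network(source_prefix, strict=False),
                                    ipaddress.ip_address(rpf_neighbor)))

    def add_boundary(self, iface, group_range):
        self.boundaries.setdefault(iface, []).append(ipaddress.ip_network(group_range))

    def _iface_toward(self, neighbor):
        """Interface whose subnet contains the neighbor address."""
        for name, net in self.interfaces.items():
            if neighbor in net:
                return name
        return None

    @staticmethod
    def _longest_match(table, addr):
        best = None
        for net, nh in table:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best

    def rpf_route(self, source):
        """(rpf_interface, rpf_neighbor) for a source, or None if there is no route."""
        src = ipaddress.ip_address(source)
        hit = self._longest_match(self.static_mroutes, src) or self._longest_match(self.unicast, src)
        if hit is None:
            return None
        return self._iface_toward(hit[1]), hit[1]

    def _blocked(self, iface, group):
        return any(group in rng for rng in self.boundaries.get(iface, []))

    def forward(self, source, group, in_iface, downstream):
        """Return (verdict, outgoing interfaces) for an (S, G) packet arriving on in_iface."""
        grp = ipaddress.ip_address(group)
        rpf = self.rpf_route(source)
        if rpf is None or rpf[0] != in_iface:
            return ("rpf-fail", [])           # not from the RPF interface: discard
        if self._blocked(in_iface, grp):
            return ("boundary", [])           # group is bounded on the inbound interface
        out = [i for i in downstream if i != in_iface and not self._blocked(i, grp)]
        return ("forward", out)


def build_router_b():
    """Router B before the static multicast route: GE0/1 faces Router A's unicast path
    to Source 2, GE0/2 faces the 30.1.1.0/24 link, GE0/3 faces the receiver side."""
    rb = MulticastRouter({"GE0/1": "10.1.1.0/24", "GE0/2": "30.1.1.0/24", "GE0/3": "20.1.1.0/24"})
    rb.add_unicast_route("50.1.1.0/24", "10.1.1.2")
    return rb


if __name__ == "__main__":
    rb = build_router_b()
    print("RPF interface via unicast:", rb.rpf_route("50.1.1.100")[0])
    rb.add_static_mroute("50.1.1.100/24", "30.1.1.2")     # as in the example above
    print("RPF interface via static :", rb.rpf_route("50.1.1.100")[0])
    rb.add_boundary("GE0/3", "225.1.1.0/24")
    print("(50.1.1.100, 225.1.1.1) in on GE0/2:", rb.forward("50.1.1.100", "225.1.1.1", "GE0/2", ["GE0/1", "GE0/3"]))
```

The last line is the troubleshooting case: the (S, G) entry exists and the RPF check passes, yet nothing leaves GE0/3, because the boundary configured there covers 225.1.1.1. Checking display multicast boundary on the last hop before the receiver is what resolves it.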
Configuring IGMP
As the TCP/IP protocol responsible for IP multicast group member management, IGMP is used by IP hosts and adjacent multicast routers to establish and maintain their multicast group memberships. The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Figure 327 IGMP interfaces configuration page
2. Click the icon for the specified IGMP interface.
Figure 328 Modifying the specified interface
3. Select Enable for IGMP, and specify the IGMP version.
4. Click Apply.
Displaying IGMP multicast group information
1. From the navigation tree, select Network > Routing Management > IGMP.
2. Click the Groups tab. Brief information about IGMP groups is displayed.
Figure 329 IGMP multicast group information
3.
Figure 330 IGMP multicast group information
Table 65 Field description
Interface: Name of the interface that has joined the multicast group.
Group address: Multicast group address.
Group uptime: Length of time since the multicast group was reported.
Group remaining lifetime: Remaining lifetime of the multicast group. Null means that the multicast group times out when all multicast sources of this group time out.
Source address: Multicast source address.
Figure 331 Network diagram (from the diagram: Device A GE0/1 10.110.1.1/24 on N1 with receivers Host A and Host B, GE0/2 toward the PIM network; the querier GE0/1 10.110.2.1/24 with receiver Host C, GE0/2 toward the PIM network; Device B GE0/1 10.110.2.
g. Click Apply.
Figure 333 Enabling PIM-DM
3. Enable IGMP on GigabitEthernet 0/1:
a. From the navigation tree, select Network > Routing Management > IGMP.
b. Click the icon for GigabitEthernet 0/1.
c. Select Enable for IGMP.
d. Set the IGMP version to 2.
e. Click Apply.
Figure 334 Enabling IGMP
Configuring Device B
1. Enable multicast routing:
a. From the navigation tree, select Network > Routing Management > Multicast Routing.
b. Select Enable from the list.
c. Click Apply.
2.
d. Set the IGMP version to 2.
e. Click Apply.
Configuring Device C
1. Enable multicast routing:
a. From the navigation tree, select Network > Routing Management > Multicast Routing.
b. Select Enable from the list.
c. Click Apply.
2. Enable PIM-DM on all interfaces:
a. From the navigation tree, select Network > Routing Management > PIM.
b. Click the icon for GigabitEthernet 0/1.
c. Select PIM-DM from the list.
d. Click Apply.
e. Click the icon for GigabitEthernet 0/2.
f.
Configuring IGMP at the CLI
IGMP configuration task list
For the configuration tasks in this section, the following rules apply:
• Configurations made in IGMP view take effect on all interfaces. Configurations made in interface view take effect only on the current interface.
• A configuration made in interface view always takes priority over the same configuration made globally in IGMP view.
• Determine the maximum number of multicast groups that an interface can join.
Enabling IGMP
To configure IGMP, you must enable IGMP on the interface where the multicast group memberships will be established and maintained.
To enable IGMP:
673. Enter system view. Command: system-view; Remarks: N/A.
674. Enable IP multicast routing. Command: multicast routing-enable; Remarks: Disabled by default.
675. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
676. Enable IGMP.
To configure an interface as a static member interface:
683. Enter system view. Command: system-view; Remarks: N/A.
684. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
685. Configure the interface as a static member interface. Command: igmp static-group group-address [ source source-address ]; Remarks: By default, an interface is not a static member of any multicast group or of any multicast source and group.
Configuration prerequisites
Before adjusting IGMP performance, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Configure basic IGMP functions.
• Determine the startup query interval.
• Determine the startup query count.
• Determine the IGMP general query interval.
• Determine the IGMP querier's robustness variable.
• Determine the maximum response time for IGMP general queries.
699. Enable insertion of the Router-Alert option into IGMP messages. Command: igmp send-router-alert; Remarks: By default, IGMP messages carry the Router-Alert option.
Configuring IGMP query and response parameters
On startup, the IGMP querier sends IGMP general queries at the startup query interval, which is one-quarter of the IGMP general query interval. The number of queries, or the startup query count, is user configurable.
702. Configure the IGMP querier's robustness variable. Command: robust-count robust-value; Remarks: 2 by default.
703. Configure the startup query interval. Command: startup-query-interval interval; Remarks: By default, the startup query interval is one-quarter of the IGMP general query interval.
704. Configure the startup query count. Command: startup-query-count value; Remarks: By default, the startup query count is the same as the IGMP querier's robustness variable.
705. Configure the IGMP general query interval.
717. Configure the other querier present interval. Command: igmp timer other-querier-present interval; Remarks: By default, the other querier present interval is [ IGMP general query interval ] × [ IGMP robustness variable ] + [ maximum response time for IGMP general queries ] / 2.
Enabling IGMP fast-leave processing
In some applications, such as ADSL dial-up networking, only one multicast receiver host is attached to a port of the IGMP querier.
To enable the IGMP host tracking function on an interface:
727. Enter system view. Command: system-view; Remarks: N/A.
728. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
729. Enable the IGMP host tracking function on the interface. Command: igmp host-tracking; Remarks: Disabled by default.
Configuring IGMP SSM mapping
Because of some possible restrictions, some receiver hosts on an SSM network might run IGMPv1 or IGMPv2.
735. Configure an IGMP SSM mapping. Command: ssm-mapping group-address { mask | mask-length } source-address; Remarks: No IGMP SSM mappings are configured by default.
Configuring IGMP proxying
This section describes how to configure IGMP proxying.
Configuration prerequisites
Before you configure the IGMP proxying feature, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
To enable multicast forwarding on a downstream interface:
739. Enter system view. Command: system-view; Remarks: N/A.
740. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
741. Enable multicast forwarding on a non-querier downstream interface. Command: igmp proxying forwarding; Remarks: Disabled by default.
Displaying and maintaining IGMP
Task: Display IGMP group information.
Task: Remove all the dynamic IGMP group entries of a specified IGMP group or of all IGMP groups. Command: reset igmp group { all | interface interface-type interface-number { all | group-address [ mask { mask | mask-length } ] [ source-address [ mask { mask | mask-length } ] ] } }; Remarks: Available in user view.
Task: Clear IGMP SSM mappings.
a. Assign an IP address and subnet mask to each interface according to Figure 331. (Details not shown.)
b. Configure OSPF on the routers on the PIM network to make sure they are interoperable at the network layer and can dynamically update their routing information. (Details not shown.)
c. Enable IP multicast routing, IGMP, and PIM-DM:
# On Firewall A, enable IP multicast routing globally, enable IGMP on GigabitEthernet 0/1, and enable PIM-DM on each interface.
Total 1 IGMP Group reported
SSM mapping configuration example
1. Network requirements
The PIM-SM domain applies both the ASM model and the SSM model for multicast delivery. The interface GigabitEthernet 0/3 on the firewall serves as the C-BSR and C-RP. The SSM group range is 232.1.1.0/24. IGMPv3 runs on GigabitEthernet 0/1 on the firewall. The receiver host runs IGMPv2 and does not support IGMPv3. Therefore, the receiver host cannot specify expected multicast sources in its membership reports.
[Firewall] multicast routing-enable
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] igmp enable
[Firewall-GigabitEthernet0/1] igmp version 3
[Firewall-GigabitEthernet0/1] igmp ssm-mapping enable
[Firewall-GigabitEthernet0/1] pim sm
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] pim sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim sm
[Firewall-GigabitEthernet0/3] q
g. Verifying the configuration
# Display IGMP SSM mapping information for multicast group 232.1.1.1 on the public network on the firewall.
[Firewall] display igmp ssm-mapping 232.1.1.1
Vpn-Instance: public net
Group: 232.1.1.1
Source list: 133.133.1.1
133.133.3.1
# Display information about the multicast groups created based on the configured IGMP SSM mappings on the public network on the firewall.
[Firewall] display igmp ssm-mapping group
Total 1 IGMP SSM-mapping Group(s).
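The lookup behind the display output above (an IGMPv2 report for 232.1.1.1 resolved to sources 133.133.1.1 and 133.133.3.1) is a longest-prefix match against the configured mappings, applied only to groups in the SSM range. The following Python is an added example, not the firewall's code; the /25 entry, the default 232.0.0.0/8 range and the probe groups are constructed.

```python
"""IGMP SSM mapping lookup, written as an added illustration (not HP code).

Entries mirror the verification output for this example: group 232.1.1.1
resolves to sources 133.133.1.1 and 133.133.3.1. The /25 entry, the
default 232.0.0.0/8 SSM range and the probe groups are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One tuple per "ssm-mapping group-address { mask | mask-length } source-address".
# Constructed table: two sources for 232.1.1.0/24 (as in the example above) and a
# more specific 232.1.1.128/25 entry to show that the longest prefix wins.
SSM_MAPPINGS: List[Tuple[str, str]] = [
    ("232.1.1.0/24", "133.133.1.1"),
    ("232.1.1.0/24", "133.133.3.1"),
    ("232.1.1.128/25", "133.133.2.1"),
]

# Default SSM group range (no ssm-policy configured).
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")


def map_sources(group: str, mappings=SSM_MAPPINGS, ssm_range=SSM_RANGE) -> Optional[List[str]]:
    """Sources an IGMPv1/v2 report for `group` is mapped to.

    None means the report gets no SSM mapping treatment: the group lies outside
    the SSM range (ordinary ASM processing applies) or no mapping covers it.
    Otherwise the sources of the longest matching prefix are returned in
    ascending order, the order the display command lists them in.
    """
    g = ipaddress.IPv4Address(group)
    if g not in ssm_range:
        return None
    by_prefixlen: Dict[int, List[str]] = {}
    for prefix, source in mappings:
        net = ipaddress.ip_network(prefix)
        if g in net:
            by_prefixlen.setdefault(net.prefixlen, []).append(source)
    if not by_prefixlen:
        return None
    longest = max(by_prefixlen)
    return sorted(by_prefixlen[longest], key=lambda s: int(ipaddress.IPv4Address(s)))


def sg_entries(group: str, report_sources: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """(S, G) entries the querier creates for one membership report.

    An IGMPv3 report carries its own source list (report_sources); an IGMPv1/v2
    report carries none and is resolved through the SSM mapping table. A v1/v2
    report for an ASM group, or for an SSM group with no mapping, yields no (S, G).
    """
    sources = report_sources if report_sources is not None else map_sources(group)
    return [(src, group) for src in (sources or [])]


if __name__ == "__main__":
    for grp in ("232.1.1.1", "232.1.1.200", "232.9.9.9", "224.1.1.1"):
        print(grp, "->", sg_entries(grp))
```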
IGMP proxying configuration example
1. Network requirements
PIM-DM runs on the core network. Host A and Host C in the stub network receive VOD information sent to multicast group 224.1.1.1. Configure the IGMP proxying feature on the firewall so that the firewall can maintain group memberships and forward multicast traffic without running PIM-DM.
Figure 338 Network diagram (the firewall acts as proxy and querier, with GE0/2 192.168.2.1/24 toward the core network and GE0/1 192.168.1.2/24 toward the stub network of receivers Host A and Host C; the core router's Eth1/1 address is truncated in the diagram)
2.
c. Verifying the configuration
# Display IGMP information on GigabitEthernet 0/1 of the firewall.
[Firewall] display igmp interface gigabitethernet 0/1 verbose
GigabitEthernet0/1(192.168.1.2):
IGMP proxy is enabled
Current IGMP version is 2
Multicast routing on this interface: enabled
Require-router-alert: disabled
Version1-querier-present-timer-expiry: 00:00:20
# Display IGMP group information on Router A.
[RouterA] display igmp group
Total 1 IGMP Group(s).
2. Use the display current-configuration command to verify that multicast routing is enabled. If not, use the multicast routing-enable command in system view to enable IP multicast routing. In addition, check that IGMP is enabled on the corresponding interfaces. 3. Use the display igmp interface command to verify that the IGMP version on the interface is lower than that on the host. 4.
Configuring PIM
Overview
PIM provides IP multicast forwarding by leveraging unicast static routes or unicast routing tables generated by any unicast routing protocol, such as RIP, OSPF, IS-IS, or BGP. Independent of the unicast routing protocols running on the device, multicast routing can be implemented as long as the corresponding multicast routing entries are created through unicast routes. PIM uses the RPF mechanism to implement multicast forwarding.
Recommended configuration procedure for PIM-SM
745. Globally enable multicast routing. Remarks: Required. Globally enable multicast routing after selecting Network > Routing Management > Multicast Routing. For more information, see "Configuring multicast routing and forwarding." By default, multicast routing is globally disabled.
746. Enable PIM-SM on an interface. Remarks: Required.
Configuring PIM interfaces
1. From the navigation tree, select Network > Routing Management > PIM.
Figure 339 PIM interfaces configuration page
2. Click the icon corresponding to a specific PIM interface.
Figure 340 Modifying the specified PIM interface
3. Select the operating mode for the interface. If you do not specify any operating mode, no PIM mode is enabled on the interface.
4. Click Apply.
Configuring advanced PIM features
1.
Table 66 Configuration items
Item: Auto-RP. Description: Enable or disable auto-RP. IMPORTANT: Auto-RP announcement and discovery messages are addressed to the multicast group addresses 224.0.1.39 and 224.0.1.40, respectively. With auto-RP enabled on a device, the device can receive these two types of messages and record the RP information carried in such messages.
Description: Calculate the register message checksum based on the entire register messages or on the header parts.
Figure 342 PIM neighbor information
Table 67 Field description
Field: Interface. Description: Name of the interface connecting to a PIM neighbor.
Field: Neighbor address. Description: IP address of a PIM neighbor.
Field: Uptime. Description: Length of time for which the PIM neighbor has been up, where a "01:02:11:32:18" value means that the neighbor has been up for 1 week, 2 days, 11 hours, 32 minutes, and 18 seconds.
Figure 343 Network diagram (PIM-DM network of Device A, Device B, and Device C, with receivers Host A through Host D on N1 and N2; interface addresses from the diagram table: Device A GE0/1 192.168.2.1/24; Device C GE0/1 10.1.1.1/24; remaining rows as extracted: GE0/3 10.1.1.2/24, GE0/2 10.1.2.1/24, GE0/1 192.168.3.)
e. Click Apply.
Figure 345 Enabling IGMP
3. Enable PIM-DM on each interface:
a. From the navigation tree, select Network > Routing Management > PIM.
b. Click the icon for GigabitEthernet 0/1.
c. Specify the operating mode as PIM-DM.
d. Click Apply.
e. Click the icon corresponding to GigabitEthernet 0/3.
f. Specify the operating mode as PIM-DM.
g. Click Apply.
Figure 346 Enabling PIM-DM
Configuring Device B
Configure Device B in the same way as you configure Device A.
i. Specify the operating mode as PIM-DM.
j. Click Apply.
Verifying the configuration
To display PIM neighbor information on Device C:
1. From the navigation tree, select Network > Routing Management > PIM.
2. Click the Neighbor Information tab.
Figure 347 PIM neighbor information
Configuring PIM at the CLI
Configuring PIM-DM at the CLI
This section describes how to configure PIM-DM.
PIM-DM configuration task list
Task: Enabling PIM-DM. Remarks: Required.
Enabling PIM-DM
When PIM-DM is enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from the PIM neighbors. When you deploy a PIM-DM domain, enable PIM-DM on all non-border interfaces of the routers. PIM-DM does not work with multicast groups in the SSM group range.
To enable PIM-DM:
753. Enter system view. Command: system-view; Remarks: N/A.
754. Enable IP multicast routing. Command: multicast routing-enable; Remarks: Disabled by default.
755.
To configure state-refresh parameters:
760. Enter system view. Command: system-view; Remarks: N/A.
761. Enter public network PIM view. Command: pim; Remarks: N/A.
762. Configure the interval between state-refresh messages. Command: state-refresh-interval interval; Remarks: Optional. 60 seconds by default.
763. Configure the time to wait before receiving a new state-refresh message. Command: state-refresh-rate-limit interval; Remarks: Optional. 30 seconds by default.
764. Configure the TTL value of state-refresh messages. Command: state-refresh-ttl ttl-value.
Task: Configuring C-RP timers globally. Remarks: Optional.
Task: Configuring a C-BSR. Remarks: Required.
Task: Configuring a PIM domain border. Remarks: Optional.
Task: Configuring global C-BSR parameters. Remarks: Optional.
Task: Configuring C-BSR timers. Remarks: Optional.
Task: Disabling BSM semantic fragmentation. Remarks: Optional.
Task: Enabling administrative scoping. Remarks: Optional.
Task: Configuring an admin-scope zone boundary. Remarks: Optional.
Task: Configuring C-BSRs for each admin-scope zone and the global-scope zone. Remarks: Optional.
Enabling PIM-SM
With PIM-SM enabled, a router sends hello messages periodically to discover PIM neighbors and processes messages from the PIM neighbors. To deploy a PIM-SM domain, enable PIM-SM on all non-border interfaces of the routers.
To enable PIM-SM:
768. Enter system view. Command: system-view; Remarks: N/A.
769. Enable IP multicast routing. Command: multicast routing-enable; Remarks: Disabled by default.
770. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
771. Enable PIM-SM.
When configuring a C-RP, ensure a relatively large bandwidth between this C-RP and the other devices in the PIM-SM domain.
To configure a C-RP:
775. Enter system view. Command: system-view; Remarks: N/A.
776. Enter public network PIM view. Command: pim; Remarks: N/A.
777. Configure an interface to be a C-RP for PIM-SM. Command: c-rp interface-type interface-number [ group-policy acl-number | priority priority | holdtime hold-interval | advertisement-interval adv-interval ] *; Remarks: No C-RPs are configured by default.
778.
784. Configure the C-RP-Adv interval. Command: c-rp advertisement-interval interval; Remarks: Optional. 60 seconds by default.
785. Configure the C-RP timeout timer. Command: c-rp holdtime interval; Remarks: Optional. 150 seconds by default.
For more information about the configuration of other timers in PIM-SM, see "Configuring common PIM timers."
Configuring a BSR
A PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR.
Because the BSR and the other devices exchange a large amount of information in the PIM-SM domain, provide a relatively large bandwidth between the C-BSRs and the other devices. For C-BSRs interconnected through a GRE tunnel, configure static multicast routes to make sure the next hop to a C-BSR is a tunnel interface. For more information about static multicast routes, see "Configuring multicast routing and forwarding."
To configure a C-BSR:
786. Enter system view.
• If you do not configure these parameters in the global-scope zone or an admin-scope zone, the corresponding global values are used.
For information about how to configure C-BSR parameters for an admin-scope zone and the global-scope zone, see "Configuring C-BSRs for each admin-scope zone and the global-scope zone."
Perform the following configuration on C-BSR routers.
To configure C-BSR parameters:
793. Enter system view. Command: system-view; Remarks: N/A.
794. Enter public network PIM view.
NOTE: If you configure the BS period or the BS timeout timer, the system uses the configured value instead of the default one.
Disabling BSM semantic fragmentation
Generally, a BSR periodically distributes the RP-set information in bootstrap messages within the PIM-SM domain. It encapsulates a BSM in an IP datagram and might split the datagram into fragments if the message exceeds the MTU. With such IP fragmentation, the loss of a single IP fragment makes the entire message unavailable.
804. Enter system view. Command: system-view; Remarks: N/A.
805. Enter public network PIM view. Command: pim; Remarks: N/A.
806. Enable administrative scoping. Command: c-bsr admin-scope; Remarks: Disabled by default.
Configuring an admin-scope zone boundary
ZBRs form the boundary of each admin-scope zone. Each admin-scope zone maintains a BSR, which serves a specific multicast group range.
810. Enter system view. Command: system-view; Remarks: N/A.
811. Enter public network PIM view. Command: pim; Remarks: N/A.
812. Configure a C-BSR for an admin-scope zone. Command: c-bsr group group-address { mask | mask-length } [ hash-length hash-length | priority priority ] *; Remarks: No C-BSRs are configured for an admin-scope zone by default. The group-address { mask | mask-length } argument can specify the multicast groups that the C-BSR serves, in the range of 239.0.0.0/8.
816. Enter system view. Command: system-view; Remarks: N/A.
817. Enter public network PIM view. Command: pim; Remarks: N/A.
818. Configure a filtering rule for register messages. Command: register-policy acl-number; Remarks: Optional. No register filtering rule by default.
819. Configure the device to calculate the checksum based on the entire register messages. Command: register-whole-checksum; Remarks: Optional. By default, the checksum is calculated based on the header of register messages.
820. Configure the register suppression time.
PIM-SSM configuration task list
Complete these tasks to configure PIM-SSM:
Task: Enabling PIM-SM. Remarks: Required.
Task: Configuring the SSM group range. Remarks: Optional.
Task: Configuring common PIM features at the CLI. Remarks: Optional.
Configuration prerequisites
Before you configure PIM-SSM, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Determine the SSM group range.
2. Configuration procedure
To configure an SSM multicast group range:
830. Enter system view. Command: system-view; Remarks: N/A.
831. Enter public network PIM view. Command: pim; Remarks: N/A.
832. Configure the SSM group range. Command: ssm-policy acl-number; Remarks: Optional. 232.0.0.0/8 by default.
Configuring common PIM features at the CLI
For the configuration tasks in this section, the following rules apply:
• The configurations made in PIM view are effective on all interfaces.
• Determine the maximum delay between hello messages (interface-level value).
• Determine the assert timeout timer (global value/interface-level value).
• Determine the join/prune interval (global value/interface-level value).
• Determine the join/prune timeout (global value/interface-level value).
• Determine the multicast source lifetime.
• Determine the maximum size of join/prune messages.
• Determine the maximum number of (S, G) entries in each join/prune message.
838. Configure a hello message filter. Command: pim neighbor-policy acl-number; Remarks: No hello message filter by default. When the hello message filter is configured, if hello messages of an existing PIM neighbor fail to pass the filter, the PIM neighbor is removed automatically when it times out.
841. Set the DR priority. Command: hello-option dr-priority priority; Remarks: Optional. 1 by default.
842. Set the neighbor lifetime. Command: hello-option holdtime interval; Remarks: Optional. 105 seconds by default.
843. Set the prune message delay. Command: hello-option lan-delay interval; Remarks: Optional. 500 milliseconds by default.
844. Set the override interval. Command: hello-option override-interval interval; Remarks: Optional.
845. Enable the neighbor tracking function. Command: hello-option neighbor-tracking; Remarks: Disabled by default.
855. Enter public network PIM view. Command: pim; Remarks: N/A.
856. Set the prune delay timer. Command: prune delay interval; Remarks: Optional. By default, the prune delay timer is not configured.
Configuring common PIM timers
PIM routers discover PIM neighbors and maintain PIM neighboring relationships with other routers by periodically sending hello messages.
864. Enter system view. Command: system-view; Remarks: N/A.
865. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
866. Configure the hello interval. Command: pim timer hello interval.
867. Configure the maximum delay between hello messages. Command: pim triggered-hello-delay interval.
868. Configure the join/prune interval. Command: pim timer join-prune interval.
869. Configure the join/prune timeout timer. Command: pim holdtime join-prune interval.
870. Configure the assert timeout timer.
Task: Display the number of PIM control messages. Command: display pim control-message counters [ message-type { probe | register | register-stop } | [ interface interface-type interface-number | message-type { assert | bsr | crp | graft | graft-ack | hello | join-prune | state-refresh } ] * ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Task: Display information about unacknowledged PIM-DM graft messages.
Figure 348 Network diagram (PIM-DM network with Router A, Router B, Router C, and the firewall; receivers Host A through Host D; source 10.110.5.100/24 in the firewall's GE0/1 subnet)
Interface addresses from the diagram table: Router A Eth1/1 10.110.1.1/24, Eth1/2 192.168.1.1/24; Firewall GE0/1 10.110.5.1/24, GE0/2 192.168.1.2/24, GE0/3 192.168.2.2/24, GE0/4 192.168.3.2/24; remaining rows as extracted (device labels not recovered): Eth1/1 10.110.2.1/24, Eth1/2 192.168.2.1/24, Eth1/1 10.
# Enable IP multicast routing on the firewall, and enable PIM-DM on each interface.
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
Protocol: pim-dm, Flag: WC
UpTime: 00:04:25
Upstream interface: NULL
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/1
Protocol: igmp, UpTime: 00:04:25, Expires: never
(10.110.5.100, 225.1.1.1)
Protocol: pim-dm, Flag: ACT
UpTime: 00:06:14
Upstream interface: Ethernet1/2
Upstream neighbor: 192.168.1.2
RPF prime neighbor: 192.168.1.
Both POS 5/0 on Router D and GigabitEthernet 0/3 on the firewall act as C-BSRs and C-RPs. The C-BSR on Router D has a higher priority. The range of multicast groups served by the C-RP is 225.1.1.0/24. Modify the hash mask length to map a certain number of consecutive group addresses within the range to the two C-RPs. IGMPv2 runs between Router A and N1 and between Router B, Router C, and N2.
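How a router picks one of the two C-RPs for a given group, and why the hash mask length maps consecutive group addresses onto the same RP, follows the RP hash of RFC 4601 section 4.7.2. The Python below is an added example, not HP code; it reuses the C-RP addresses 192.168.4.2 and 192.168.9.2, the 225.1.1.0/24 range and the default priority 192 shown in this example, while the hash mask lengths 32 and 30 and the extra RP-sets in the self-check are assumed for illustration.

```python
"""RP selection from a PIM-SM BSR RP-set (RFC 4601, section 4.7.2).

Added example, not code from the HP guide. C-RP addresses, group range and
priority come from the configuration example above; hash mask lengths 32
and 30 are assumed to show the effect of the "hash-length" setting.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# RP-set entry as learned from the BSR: (group prefix, C-RP address, priority).
# Lower priority value is preferred.
RpSetEntry = Tuple[str, str, int]

RP_SET: List[RpSetEntry] = [
    ("225.1.1.0/24", "192.168.4.2", 192),
    ("225.1.1.0/24", "192.168.9.2", 192),
]


def rp_hash(group: str, hash_mask_len: int, crp: str) -> int:
    """Value(G, M, C(i)) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C(i)) + 12345) mod 2^31.

    Only the group bits covered by the hash mask feed the hash, so with a hash
    mask length of 30 four consecutive group addresses hash identically and
    therefore map to the same RP; with 32 every group is hashed on its own.
    """
    g = int(ipaddress.IPv4Address(group))
    c = int(ipaddress.IPv4Address(crp))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    inner = (1103515245 * (g & mask) + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, hash_mask_len: int, rp_set: Iterable[RpSetEntry] = RP_SET) -> Optional[str]:
    """RP a router derives for `group` from the RP-set.

    Precedence per RFC 4601: longest matching group prefix, then lowest
    priority value, then highest hash value, then highest C-RP IP address.
    Returns None when no C-RP in the set covers the group.
    """
    g = ipaddress.IPv4Address(group)
    covering = [(ipaddress.ip_network(p).prefixlen, addr, prio)
                for p, addr, prio in rp_set if g in ipaddress.ip_network(p)]
    if not covering:
        return None
    longest = max(plen for plen, _, _ in covering)
    best_prio = min(prio for plen, _, prio in covering if plen == longest)
    finalists = [addr for plen, addr, prio in covering
                 if plen == longest and prio == best_prio]
    return max(finalists,
               key=lambda a: (rp_hash(group, hash_mask_len, a),
                              int(ipaddress.IPv4Address(a))))


def rp_blocks(groups: Iterable[str], hash_mask_len: int,
              rp_set: Iterable[RpSetEntry] = RP_SET) -> List[Tuple[str, Optional[str]]]:
    """Map each group to its RP, to see how the hash mask length blocks groups."""
    rp_set = list(rp_set)
    return [(grp, select_rp(grp, hash_mask_len, rp_set)) for grp in groups]


if __name__ == "__main__":
    groups = [f"225.1.1.{i}" for i in range(8)]
    for mask_len in (32, 30):
        print(f"hash mask length {mask_len}:")
        for grp, rp in rp_blocks(groups, mask_len):
            print(f"  {grp} -> {rp}")
```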
[RouterA-Ethernet1/1] igmp enable
[RouterA-Ethernet1/1] pim sm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim sm
[RouterA-Ethernet1/2] quit
[RouterA] interface pos 5/0
[RouterA-Pos5/0] pim sm
[RouterA-Pos5/0] quit
# Enable IP multicast routing, IGMP, and PIM-SM on Router B and Router C in the same way. (Details not shown.)
# Enable IP multicast routing and PIM-SM on Router D and the firewall in the same way. (Details not shown.)
d.
Elected BSR Address: 192.168.9.2
Priority: 20
Hash mask length: 32
State: Accept Preferred
Scope: Not scoped
Uptime: 00:40:40
Expires: 00:01:42
# Display information about the BSR and locally configured C-RP on the firewall.
[Firewall] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 192.168.9.2
Priority: 20
Hash mask length: 32
State: Accept Preferred
Scope: Not scoped
Uptime: 00:05:26
Expires: 00:01:45
Candidate BSR Address: 192.168.4.
# Display RP information on Router A.
[RouterA] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 225.1.1.0/24
RP: 192.168.4.2
Priority: 192
HoldTime: 150
Uptime: 00:51:45
Expires: 00:02:22
RP: 192.168.9.2
Priority: 192
HoldTime: 150
Uptime: 00:51:45
Expires: 00:02:22
Assume that Host A needs to receive information addressed to multicast group G 225.1.1.0.
Downstream interface(s) information:
Total number of downstreams: 1
1: Ethernet1/1
Protocol: pim-sm, UpTime: 00:00:42, Expires: 00:03:06
The information on Router B and Router C is similar to that on Router A.
# Display PIM routing table information on the firewall.
[Firewall] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 225.1.1.0)
RP: 192.168.9.
GigabitEthernet 0/2 of the firewall acts as a C-BSR and C-RP of admin-scope zone 1, which serve the multicast group range 239.0.0.0/8. Serial 2/1 of Router C acts as a C-BSR and C-RP of admin-scope zone 2, which also serve the multicast group range 239.0.0.0/8. Serial 2/1 of Router E acts as a C-BSR and a C-RP of the global scope zone, which serve all the multicast groups other than those in the 239.0.0.0/8 range. IGMPv2 runs between Router A, Router D, Router H, and their respective receivers.
2. Configuration procedure
a. Assign an IP address and subnet mask to each interface according to Figure 350. (Details not shown.)
b. Configure OSPF on the routers in the PIM-SM domain to make sure they are interoperable at the network layer. (Details not shown.)
c.
[Firewall-GigabitEthernet0/3] multicast boundary 239.0.0.0 8
[Firewall-GigabitEthernet0/3] quit
[Firewall] interface gigabitethernet 0/4
[Firewall-GigabitEthernet0/4] multicast boundary 239.0.0.0 8
[Firewall-GigabitEthernet0/4] quit
# On Router B, configure Ethernet 1/2 and POS 5/2 as the boundary of admin-scope zone 2.
system-view
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] multicast boundary 239.0.0.
# Display information about the BSR and locally configured C-RP on the firewall.
[Firewall] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Accept Preferred
Scope: Global
Uptime: 00:01:45
Expires: 00:01:25
Elected BSR Address: 10.110.1.2
Priority: 64
Hash mask length: 30
State: Elected
Scope: 239.0.0.0/8
Uptime: 00:04:54
Next BSR message scheduled at: 00:00:06
Candidate BSR Address: 10.110.1.
State: Elected
Scope: 239.0.0.0/8
Candidate RP: 10.110.4.2(Serial2/1)
Priority: 192
HoldTime: 150
Advertisement Interval: 60
Next advertisement scheduled at: 00:00:10
# Display information about the BSR and locally configured C-RP on Router E.
[RouterE] display pim bsr-info
VPN-Instance: public net
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Elected
Scope: Global
Uptime: 00:11:11
Next BSR message scheduled at: 00:00:49
Candidate BSR Address: 10.110.9.
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
RP: 10.110.9.1
Priority: 192
HoldTime: 150
Uptime: 00:03:42
Expires: 00:01:48
Group/MaskLen: 239.0.0.0/8
RP: 10.110.4.2 (local)
Priority: 192
HoldTime: 150
Uptime: 00:06:54
Expires: 00:02:41
# Display RP information on Router E.
[RouterE] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
RP: 10.110.9.
Figure 351 Network diagram (PIM-SSM network of the firewall with Router A, Router B, Router C, and Router D)
Interface addresses from the diagram table: Firewall GE0/1 10.110.1.1/24, GE0/2 192.168.1.1/24, GE0/3 192.168.9.1/24; Router C Eth1/1 10.110.5.1/24, Eth1/2 192.168.1.2/24; remaining rows as extracted (device labels not recovered): POS5/0 192.168.4.2/24, Eth1/1 10.110.2.1/24, POS5/0 192.168.3.2/24, POS5/0 192.168.2.1/24, POS5/1 192.168.2.2/24, Eth1/1 10.110.2.2/24, Eth1/1 192.168.9.2/24, POS5/0 192.168.3.1/24, POS5/3 192.168.4.1/24
2.
[Firewall-GigabitEthernet0/2] pim sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim sm
[Firewall-GigabitEthernet0/3] quit
# Enable IP multicast routing, IGMP, and PIM-SM on Router A and Router B in the same way. (Details not shown.)
# Enable IP multicast routing and PIM-SM on Router C and Router D in the same way. (Details not shown.)
d. Configure the SSM group range:
# Configure the SSM group range to be 232.1.1.0/24 on the firewall.
Total number of downstreams: 1
1: GigabitEthernet0/1
Protocol: igmp, UpTime: 00:13:25, Expires: 00:03:25
# Display PIM routing table information on Router C.
[RouterC] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 232.1.1.
• Because a hello message does not carry the PIM mode information, a router that is running PIM cannot identify what PIM mode its PIM neighbor is running. If different PIM modes are enabled on the RPF interface and on the corresponding interface of the RPF neighbor router, the establishment of a multicast distribution tree will fail, causing abnormal multicast forwarding. • The same PIM mode must run on the entire network.
RPs cannot join SPT in PIM-SM
Symptom
An RPT cannot be established correctly, or the RPs cannot join the SPT to the multicast source.
Analysis
• As the core of a PIM-SM domain, the RPs serve specific multicast groups. Multiple RPs can coexist in a network. Make sure the RP information on all routers is exactly the same and that a specific group is mapped to the same RP. Otherwise, multicast forwarding fails.
3. Use the display pim neighbor command to verify that normal PIM neighboring relationships have been established among the routers.
Configuring MSDP
Overview
MSDP is an inter-domain multicast solution that addresses the interconnection of protocol independent multicast sparse mode (PIM-SM) domains. It discovers multicast source information in other PIM-SM domains. In the basic PIM-SM mode, a multicast source registers only with the RP in the local PIM-SM domain, and the multicast source information about a domain is isolated from that of another domain.
Configuring basic MSDP functions
All the configuration tasks should be performed on RPs in PIM-SM domains, and each of these RPs acts as an MSDP peer.
Configuration prerequisites
Before you configure basic MSDP functions, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Configure PIM-SM to enable intra-domain multicast forwarding.
• Determine the IP addresses of MSDP peers.
881. Enter system view. Command: system-view; Remarks: N/A.
882. Enter public network MSDP view. Command: msdp; Remarks: N/A.
883. Configure a static RPF peer. Command: static-rpf-peer peer-address [ rp-policy ip-prefix-name ]; Remarks: No static RPF peer is configured by default.
NOTE: If only one MSDP peer is configured on a router, this MSDP peer is registered as a static RPF peer.
Configuring an MSDP peer connection
This section describes how to configure an MSDP peer connection.
inside the group without performing an RPF check, and does not forward the message within the mesh group. This mechanism not only avoids SA flooding but also simplifies the RPF check mechanism because you do not need to run BGP or MBGP between these MSDP peers. By configuring the same mesh group name for multiple MSDP peers, you can create a mesh group that contains these MSDP peers. Before grouping multiple routers into an MSDP mesh group, make sure these routers are interconnected with one another.
892. Deactivate an MSDP peer. Command: shutdown peer-address; Remarks: Optional. Active by default.
893. Configure the interval between MSDP peer connection retries. Command: timer retry interval; Remarks: Optional. 30 seconds by default.
894. Configure a password for MD5 authentication used by both MSDP peers to establish a TCP connection. Command: peer peer-address password { cipher cipher-password | simple simple-password }; Remarks: Optional. By default, MD5 authentication is not performed before a TCP connection is established.
To configure the SA message content:
895. Enter system view. Command: system-view; Remarks: N/A.
896. Enter public network MSDP view. Command: msdp; Remarks: N/A.
897. Enable encapsulation of multicast data in SA messages. Command: encap-data-enable; Remarks: Optional. Disabled by default.
898. Configure the interface address as the RP address in SA messages. Command: originating-rp interface-type interface-number; Remarks: Optional. PIM RP address by default.
• If the TTL value is greater than or equal to the threshold, the router encapsulates the multicast data in an SA message and sends the SA message.
After receiving an SA message with an encapsulated multicast data packet, the router decreases the TTL value of the multicast packet by 1 and then checks the TTL value:
• If the TTL value is less than the threshold, the router does not forward the SA message to the designated MSDP peer.
911. Configure the maximum number of (S, G) entries learned from the specified MSDP peer that the router can cache. Command: peer peer-address sa-cache-maximum sa-limit; Remarks: Optional. 8192 by default.
Displaying and maintaining MSDP
Task: Display brief information about MSDP peers. Command: display msdp brief [ state { connect | down | listen | shutdown | up } ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Figure 352 Network diagram (interface labels in the drawing were lost in extraction)
Device Interface IP address
Router A Eth1/1 10.110.1.2/24
Router A Eth1/2 10.110.2.1/24
Router A Eth1/3 10.110.3.1/24
Router D Eth1/1 10.110.4.2/24
Router D Eth1/2 10.110.5.1/24
Remaining rows (device names not recoverable from the extraction): Eth1/1 10.110.1.1/24; POS5/0 192.168.1.1/24; Loop0 1.1.1.1/32; GE0/1 10.110.6.1/24; GE0/2 192.168.3.2/24; Loop0 3.3.3.3/32; Eth1/1 10.110.6.2/24; Eth1/1 10.110.4.1/24; Eth1/2 10.110.7.1/24; Eth1/2 192.168.3.
[RouterA-Ethernet1/2] pim sm
[RouterA-Ethernet1/2] quit
[RouterA] interface ethernet 1/3
[RouterA-Ethernet1/3] igmp enable
[RouterA-Ethernet1/3] pim sm
[RouterA-Ethernet1/3] quit
# Enable IP multicast routing, PIM-SM, and IGMP on Router B, Router C, Router D, the firewall, and Router E in the same way. (Details not shown.)
# Configure a PIM domain border on Router B.
[RouterB-msdp] quit
# Configure MSDP peers on Router C.
[RouterC] msdp
[RouterC-msdp] peer 192.168.1.1 connect-interface pos 5/0
[RouterC-msdp] peer 192.168.3.2 connect-interface ethernet 1/2
[RouterC-msdp] quit
# Configure an MSDP peer on the firewall.
[Firewall] msdp
[Firewall-msdp] peer 192.168.3.1 connect-interface gigabitethernet 0/2
[Firewall-msdp] quit
Verifying the configuration
# Display information about the BGP peering relationship on Router B.
 * >  192.168.1.1/32     0.0.0.0     0     0     ?
 * >  192.168.1.2/32     0.0.0.0     0     0     ?
When the multicast sources (Source 1 and Source 2) in PIM-SM 1 and PIM-SM 2 send multicast data, receivers in PIM-SM 1 and PIM-SM 3 can receive the multicast data.
# Display brief information about the MSDP peering relationship on Router B.
  Sending SA-Requests status: disable
  Minimum TTL to forward SA with encapsulated data: 0
  SAs learned from this peer: 0, SA-cache maximum for the peer: none
  Input queue size: 0, Output queue size: 0
  Counters for MSDP message:
    Count of RPF check failure: 0
    Incoming/outgoing SA messages: 0/0
    Incoming/outgoing SA requests: 0/0
    Incoming/outgoing SA responses: 0/0
    Incoming/outgoing data packets: 0/0
Inter-AS multicast configuration by leveraging static RPF peers
Network requirements
As shown in Figur
Figure 353 Network diagram (AS 100 and AS 200; PIM-SM 1, PIM-SM 2 and PIM-SM 3; Router A through Router F, the firewall, Source 1, Source 2 and the receivers; the BGP peerings and interface labels in the drawing were lost in extraction)
Device Interface IP address
Source 1 - 192.168.1.100/24
Source 2 - 192.168.3.100/24
Firewall GE0/1 10.110.5.1/24
Firewall GE0/2 10.110.
[RouterC] interface ethernet 1/2
[RouterC-Ethernet1/2] igmp enable
[RouterC-Ethernet1/2] pim sm
[RouterC-Ethernet1/2] quit
[RouterC] interface serial 2/0
[RouterC-Serial2/0] pim sm
[RouterC-Serial2/0] quit
# Enable IP multicast routing, PIM-SM, and IGMP on Router A, Router B, Router D, Router E, Router F, and the firewall in the same way. (Details not shown.)
# Configure PIM domain borders on Router B.
[RouterE-bgp] import-route ospf 1
[RouterE-bgp] quit
# Redistribute BGP routing information into OSPF on Router B.
[RouterB] ospf 1
[RouterB-ospf-1] import-route bgp
[RouterB-ospf-1] quit
# Redistribute BGP routing information into OSPF on the firewall.
[Firewall] ospf 1
[Firewall-ospf-1] import-route bgp
[Firewall-ospf-1] quit
# Redistribute BGP routing information into OSPF on Router C.
the display msdp brief command to display brief information about the MSDP peering relationship between the routers. For example:
# Display brief information about MSDP peers on Router A.
[RouterA] display msdp brief
MSDP Peer Brief Information of VPN-Instance: public net
  Configured   Up   Listen   Connect   Shutdown   Down
  2            2    0        0         0          0
  Peer's Address    State   Up/Down time   AS   SA Count   Reset Count
  10.110.3.2        Up      01:07:08       ?    8          0
  10.110.6.
Figure 354 Network diagram (loopback and interface labels in the drawing were lost in extraction)
Device Interface IP address
Source 1 - 10.110.5.100/24
Source 2 - 10.110.6.100/24
Router A Eth1/1 10.110.5.1/24
Router A S2/0 10.110.2.2/24
Router C POS5/0 192.168.1.2/24
Router C Eth1/1 192.168.2.2/24
Remaining rows (device names not recoverable from the extraction): GE0/1 10.110.3.1/24; GE0/2 10.110.4.1/24; GE0/3 192.168.2.1/24; Loop0 2.2.2.2/32; Eth1/1 10.110.1.1/24; S2/0 10.110.2.1/24; POS5/0 192.
[RouterB] interface serial 2/0
[RouterB-Serial2/0] pim sm
[RouterB-Serial2/0] quit
[RouterB] interface pos 5/0
[RouterB-Pos5/0] pim sm
[RouterB-Pos5/0] quit
[RouterB] interface loopback 0
[RouterB-LoopBack0] pim sm
[RouterB-LoopBack0] quit
[RouterB] interface loopback 10
[RouterB-LoopBack10] pim sm
[RouterB-LoopBack10] quit
[RouterB] interface loopback 20
[RouterB-LoopBack20] pim sm
[RouterB-LoopBack20] quit
# Enable IP multicast routing, IGMP, and PIM-SM on Router A, Router C, the firewall, and Router D i
MSDP Peer Brief Information of VPN-Instance: public net
  Configured   Up   Listen   Connect   Shutdown   Down
  1            1    0        0         0          0
  Peer's Address    State   Up/Down time   AS   SA Count   Reset Count
  1.1.1.1           Up      00:10:18       ?    0          0
When Source 1 (10.110.5.100/24) sends multicast data to multicast group G (225.1.1.1), Host A joins multicast group G. By comparing the PIM routing information displayed on Router B with that displayed on the firewall, you can see that Router B now acts as the RP for Source 1 and Host A.
No information is output on Router B.
# Display PIM routing information on the firewall.
[Firewall] display pim routing-table
 VPN-Instance: public net
 Total 1 (*, G) entry; 1 (S, G) entry

 (*, 225.1.1.1)
     RP: 10.1.1.1 (local)
     Protocol: pim-sm, Flag: WC
     UpTime: 00:12:07
     Upstream interface: Register
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/1
             Protocol: igmp, UpTime: 00:12:07, Expires:

 (10.110.6.100, 225.1.1.1)
     RP: 10.
Figure 355 Network diagram (PIM-SM 1, PIM-SM 2 and PIM-SM 3; Router A, Router B, Router C and the firewall as MSDP peers; Source 1, Source 2 and receivers Host A, Host B and Host C; interface labels in the drawing were lost in extraction)
Device Interface IP address
Source 1 - 10.110.3.100/24
Source 2 - 10.110.6.100/24
Router C Eth1/1 10.110.4.1/24
Router C Eth1/2 10.110.5.1/24
Router A Eth1/1 10.110.1.
[RouterA-Serial2/1] quit
[RouterA] interface pos 5/1
[RouterA-Pos5/1] pim sm
[RouterA-Pos5/1] quit
[RouterA] interface loopback 0
[RouterA-LoopBack0] pim sm
[RouterA-LoopBack0] quit
# Enable IP multicast routing, IGMP, and PIM-SM on Router B, Router C and the firewall in the same way. (Details not shown.)
# Configure PIM domain borders on Router C.
[RouterC-acl-adv-3001] rule deny ip source 10.110.3.100 0 destination 225.1.1.0 0.0.0.3
[RouterC-acl-adv-3001] rule permit ip source any destination any
[RouterC-acl-adv-3001] quit
[RouterC] msdp
[RouterC-msdp] peer 10.110.5.2 sa-policy export acl 3001
[RouterC-msdp] quit
# Configure an SA message filter on the firewall so that the firewall does not create SA messages for Source 2.
[Firewall] acl number 2001
[Firewall-acl-basic-2001] rule deny source 10.110.6.
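The export filter above works because ACL 3001 is evaluated rule by rule against each (S, G) pair that Router C would advertise, with the first matching rule deciding. The following is an added example, not code from this guide or from the device: it parses the two rules exactly as typed on Router C and applies them with the CLI's wildcard-mask semantics (a 0 bit must match, a 1 bit is ignored, and a bare 0 means an exact host match). The behaviour when no rule matches is modelled as a parameter and assumed to be deny; the page's own ACL ends with an explicit permit-any, so nothing in the example relies on that assumption.

```python
"""First-match evaluation of an advanced ACL against MSDP (S, G) pairs, as used by
'peer ... sa-policy export acl 3001' above. Added example, not code from the HP guide.
Wildcard masks follow the CLI convention: a 0 bit must match, a 1 bit is 'don't care'."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Match = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]   # (address, wildcard)


def parse_match(text: str) -> Optional[Match]:
    """'10.110.3.100 0' -> (addr, wildcard); 'any' -> None, which matches everything."""
    if text.strip() == "any":
        return None
    addr, wildcard = text.split()
    if wildcard == "0":                 # CLI shorthand for 0.0.0.0 (exact host match)
        wildcard = "0.0.0.0"
    return ipaddress.IPv4Address(addr), ipaddress.IPv4Address(wildcard)


def wildcard_match(value: ipaddress.IPv4Address, spec: Optional[Match]) -> bool:
    if spec is None:
        return True
    base, wildcard = spec
    care = 0xFFFFFFFF ^ int(wildcard)   # bits that must be equal
    return (int(value) & care) == (int(base) & care)


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    source: Optional[Match]        # None = any
    destination: Optional[Match]   # None = any

    @classmethod
    def from_cli(cls, line: str) -> "Rule":
        """Parse 'rule {permit|deny} ip source <addr> <wc>|any destination <addr> <wc>|any'."""
        tokens = line.split()
        if tokens[:1] != ["rule"] or len(tokens) < 3 or tokens[2] != "ip":
            raise ValueError(f"unsupported rule syntax: {line}")
        action = tokens[1]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action: {action}")
        src_i = tokens.index("source")
        dst_i = tokens.index("destination")
        src = " ".join(tokens[src_i + 1:dst_i])
        dst = " ".join(tokens[dst_i + 1:])
        return cls(action, parse_match(src), parse_match(dst))


def sa_allowed(rules: List[Rule], source: str, group: str, default: str = "deny") -> bool:
    """True if an SA for (source, group) passes the export filter. Rules are evaluated in
    order and the first match wins. `default` applies when no rule matches; deny is an
    assumption of this example, and ACL 3001 never reaches it because its last rule is
    permit-any."""
    s = ipaddress.IPv4Address(source)
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    for rule in rules:
        if wildcard_match(s, rule.source) and wildcard_match(g, rule.destination):
            return rule.action == "permit"
    return default == "permit"


# ACL 3001 exactly as configured on Router C above
ACL_3001 = [
    Rule.from_cli("rule deny ip source 10.110.3.100 0 destination 225.1.1.0 0.0.0.3"),
    Rule.from_cli("rule permit ip source any destination any"),
]

if __name__ == "__main__":
    for s, g in [("10.110.3.100", "225.1.1.1"), ("10.110.3.100", "225.1.1.4"),
                 ("10.110.6.100", "225.1.1.1")]:
        print(s, g, "exported" if sa_allowed(ACL_3001, s, g) else "filtered")
```

With this ACL, Source 1's SAs for 225.1.1.0 through 225.1.1.3 are withheld from peer 10.110.5.2 while the same source's SAs for any other group, and every other source, are exported; a deny rule that is placed after the permit-any would never be reached, so rule order matters as much as the masks.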
MSDP peers stay in down state
Symptom
The configured MSDP peers stay in down state.
Analysis
• A TCP connection-based MSDP peering relationship is established between the local interface address and the MSDP peer after the configuration.
• The TCP connection setup fails if the local interface address is not consistent with the MSDP peer address configured on the peer router.
• If no route is available between the MSDP peers, the TCP connection setup fails.
1.
Analysis
• In the Anycast RP application, RPs in the same PIM-SM domain are configured as MSDP peers to achieve load balancing among the RPs.
• An MSDP peer address must be different from the Anycast RP address, and the C-BSR and C-RP must be configured on different devices or interfaces.
• If you configure the originating-rp command, MSDP replaces the RP address in the SA messages with the address of the interface specified in the command.
Configuring basic IPv6 settings
IPv6 basics can be configured only at the CLI.
Feature and hardware compatibility
Hardware: IPv6 basics compatible
  F1000-A-EI/F1000-S-EI: Yes
  F1000-E: Yes
  F5000: Yes
  Firewall module: Yes
  U200-A: Yes
  U200-S: No
Overview
IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. The most significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
Figure 356 IPv4 packet header format and basic IPv6 packet header format
Larger address space
The source and destination IPv6 addresses are 128 bits (16 bytes) long. IPv6 can provide about 3.4 × 10^38 addresses to meet the requirements of hierarchical address division and the allocation of public and private addresses.
Hierarchical address structure
IPv6 uses a hierarchical address structure to speed up route lookups and reduce the IPv6 routing table size through route aggregation.
Internet Control Message Protocol version 4 (ICMPv4) Router Discovery messages, and ICMPv4 Redirect messages, and provides a series of other functions.
Flexible extension headers
IPv6 eliminates the Options field in the header and introduces optional extension headers to provide scalability and improve efficiency. The Options field in the IPv4 packet header can hold at most 40 bytes, whereas IPv6 extension headers are limited only by the maximum size of an IPv6 packet.
Table 68 Mappings between address types and format prefixes
Type                     Format prefix (binary)   IPv6 prefix ID
Unspecified address      00...0 (128 bits)        ::/128
Loopback address         00...1 (128 bits)        ::1/128
Link-local address       1111111010               FE80::/10
Site-local address       1111111011               FEC0::/10
Global unicast address   Other forms              N/A
Multicast address        11111111                 FF00::/8
Anycast address          Anycast addresses use the unicast address space and have the same structure as unicast addresses.
of a solicited-node multicast address is FF02:0:0:0:0:1:FFXX:XXXX. The FF02:0:0:0:0:1:FF part is fixed and consists of 104 bits, and XX:XXXX is the last 24 bits of an IPv6 unicast address or anycast address.
EUI-64 address-based interface identifiers
An interface identifier is 64 bits long and uniquely identifies an interface on a link. Interfaces of different types generate EUI-64 (64-bit Extended Unique Identifier) address-based interface identifiers differently.
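Both constructions above are bit manipulations that are easy to get wrong by one bit, so the following added example (not code from this guide) derives an EUI-64 interface identifier from a MAC address, builds the corresponding solicited-node multicast group, and, because the mapping is reversible, shows how an EUI-64 address gives away the hardware address behind it. The host MAC 0015-e9a6-7d14 and the addresses 2001::1 and FE80::20F:E2FF:FE00:1C0 are taken from the display output in the configuration example later in this chapter; everything else is constructed.

```python
"""Modified EUI-64 interface identifiers and solicited-node multicast addresses, as
described above. Added example, not code from the HP guide. The host MAC 0015-e9a6-7d14
comes from the 'display ipv6 neighbors' output later in this chapter; other inputs are
constructed."""
import ipaddress


def modified_eui64_iid(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: insert FF-FE between the OUI and the
    device part, then invert the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier, as 'ipv6 address ... eui-64' does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64_iid(mac)))


def mac_from_eui64(address: str) -> str:
    """Recover the MAC from an EUI-64 derived address, or raise if the identifier is not
    EUI-64 shaped. This reversibility is why EUI-64 addresses expose hardware identity on
    every network the host visits, and why privacy extensions (RFC 4941) randomise the
    identifier instead."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return octets.hex("-")


def solicited_node_multicast(address: str) -> str:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast/anycast address.
    NS messages for DAD and address resolution go to this group rather than to all nodes."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    fixed104 = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(fixed104 + low24))


def expected_groups(interface_addresses) -> set:
    """The solicited-node groups an interface must join for the given addresses; compare
    against the 'Joined group address(es)' list that 'display ipv6 interface' prints."""
    return {solicited_node_multicast(a) for a in interface_addresses}


if __name__ == "__main__":
    host_ll = eui64_address("fe80::/64", "0015-e9a6-7d14")
    print(host_ll, mac_from_eui64(host_ll), solicited_node_multicast(host_ll))
    print(sorted(expected_groups(["2001::1", "fe80::20f:e2ff:fe00:1c0"])))
```

Run against the addresses in the later display output, the functions reproduce FE80::215:E9FF:FEA6:7D14 for the host and the groups FF02::1:FF00:1 and FF02::1:FF00:1C0 for the firewall interface; the third group listed there, FF02::1:FF00:0, is consistent with the interface also holding the subnet-router anycast address 2001::, whose low 24 bits are zero.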
ICMPv6 message                        Type   Function
Neighbor Advertisement (NA) message   136    Responds to an NS message. Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS) message      133    Requests an address prefix and other configuration information for autoconfiguration after startup.
Router Advertisement (RA) message     134    Responds to an RS message. Advertises information, such as the Prefix Information options and flag bits.
Redirect message                      137    Informs the source host of a better next hop to a destination (see the redirect conditions later in this section).
Duplicate address detection
After Host A acquires an IPv6 address, it performs Duplicate Address Detection (DAD) to check whether the address is already in use by any other node (similar to gratuitous ARP in IPv4). DAD is accomplished through NS and NA message exchanges. Figure 359 shows the DAD process.
Figure 359 Duplicate address detection
1.
The gateway sends an ICMPv6 Redirect message when the following conditions are satisfied:
• The receiving interface is the forwarding interface.
• The selected route itself is not created or modified by an ICMPv6 Redirect message.
• The selected route is not the default route.
IPv6 path MTU discovery
The links that a packet passes from a source to a destination may have different MTUs.
transition technologies. However, it does not solve the IPv4 address depletion issue, because each dual-stack node must still have a globally unique IPv4 address.
Tunneling
Tunneling is an encapsulation technology that uses one network protocol to encapsulate packets of another network protocol and transfer them over the network. For more information about tunneling, see VPN Configuration Guide.
Task (all optional):
• Configuring a static neighbor entry
• Configuring the maximum number of neighbors dynamically learned
• Setting the age timer for ND entries in stale state
• Configuring parameters related to RA messages
• Configuring the maximum number of attempts to send an NS message for DAD
• Enabling ND proxy
• Configuring the interface MTU
• Configuring a static path MTU for a specific IPv6 address
913. Enable IPv6.
  Command: ipv6
  Remarks: Disabled by default.
Configuring an IPv6 global unicast address
Configure an IPv6 global unicast address by using one of the following options:
• EUI-64 IPv6 addressing: The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration: The IPv6 global unicast address is configured manually.
920. Enter system view.
  Command: system-view
  Remarks: N/A
921. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
922. Configure an IPv6 address to be generated through stateless address autoconfiguration.
  Command: ipv6 address auto
  Remarks: By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses automatically generated on the interface.
• If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.
• If you first use manual assignment and then automatic generation, the automatically generated link-local address does not take effect and the link-local address remains the manually assigned one. If you delete the manually assigned address, the automatically generated link-local address takes effect.
Configuring an IPv6 anycast address
933. Enter system view.
  Command: system-view
  Remarks: N/A
934. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
935. Configure an IPv6 anycast address.
  Command: ipv6 address ipv6-address/prefix-length anycast
  Remarks: Optional. By default, no IPv6 anycast address is configured on an interface.
To configure the maximum number of neighbors dynamically learned:
938. Enter system view.
  Command: system-view
  Remarks: N/A
939. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
940. Configure the maximum number of neighbors that can be dynamically learned by an interface.
  Command: ipv6 neighbors max-learning-num number
  Remarks: Optional. By default, a Layer 2 interface does not limit the number of neighbors dynamically learned.
Parameter   Description
M flag      Determines whether hosts use stateful autoconfiguration to acquire IPv6 addresses. If the M flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire IPv6 addresses. Otherwise, hosts use stateless autoconfiguration to acquire IPv6 addresses and generate them from their own link-layer addresses and the obtained prefix information.
Configuring parameters related to RA messages
947. Enter system view.
  Command: system-view
  Remarks: N/A
948. Configure the hop limit.
  Command: ipv6 nd hop-limit value
  Remarks: Optional. 64 by default.
949. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
950. Configure the prefix information in RA messages.
  Command: ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *
  Remarks: Optional.
951.
Configuring the maximum number of attempts to send an NS message for DAD
An interface sends an NS message for DAD after acquiring an IPv6 address. If the interface does not receive a response within a specific time (determined by the ipv6 nd ns retrans-timer command), it sends another NS message. If the interface still receives no response after the number of attempts reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired address is considered usable.
• Local ND proxy
As shown in Figure 362, both Host A and Host B belong to VLAN 2, but they connect to GigabitEthernet 0/3 and GigabitEthernet 0/1 respectively, which are isolated at Layer 2.
Figure 362 Application environment of local ND proxy
Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because the two ports are isolated at Layer 2.
Configuring path MTU discovery
This section describes how to configure path MTU discovery.
Configuring the interface MTU
IPv6 routers do not fragment packets in transit. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet and sends the MTU to the source host in an ICMPv6 Packet Too Big message. The source host fragments the packet according to the MTU and resends it.
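The exchange above puts the source host in charge of fragmentation, driven entirely by Packet Too Big messages that anyone on the path, or off it, can send. The following added example (not code from this guide) models the host side: a per-destination path MTU cache that learns from Packet Too Big, ages entries out (the device's own default for dynamic entries is 10 minutes, set with ipv6 pathmtu age), and computes the fragment sizes a host would use. The acceptance rules follow RFC 8201: an estimate is never reduced below the 1280-byte IPv6 minimum link MTU and is never raised because of a Packet Too Big, which limits what a forged message can do to some extra fragmentation overhead. Destinations and sizes are constructed.

```python
"""Path MTU cache for the host side of the exchange described above. Added example, not code
from the HP guide; addresses and sizes are constructed. Validation follows RFC 8201: never go
below the IPv6 minimum link MTU, and never raise the estimate on the strength of a PTB."""
import time

IPV6_MIN_MTU = 1280
IPV6_HEADER = 40
FRAGMENT_HEADER = 8


class PathMtuCache:
    def __init__(self, interface_mtu=1500, age_seconds=600, clock=time.monotonic):
        self.interface_mtu = interface_mtu
        self.age_seconds = age_seconds      # 600 s mirrors the device's 10-minute default
        self.clock = clock                  # injectable so the aging can be tested
        self._entries = {}                  # destination -> (mtu, time learned)

    def mtu_for(self, destination: str) -> int:
        """Current estimate; an aged-out entry falls back to the interface MTU."""
        entry = self._entries.get(destination)
        if entry is None:
            return self.interface_mtu
        mtu, learned_at = entry
        if self.clock() - learned_at > self.age_seconds:
            del self._entries[destination]
            return self.interface_mtu
        return mtu

    def on_packet_too_big(self, destination: str, reported_mtu: int) -> bool:
        """Process a Packet Too Big for `destination`. Returns True if the estimate changed."""
        if reported_mtu < IPV6_MIN_MTU:
            return False               # RFC 8201: do not go below the minimum link MTU
        if reported_mtu >= self.mtu_for(destination):
            return False               # a PTB may only shrink the estimate
        self._entries[destination] = (reported_mtu, self.clock())
        return True


def max_fragment_payload(mtu: int) -> int:
    """Largest payload per fragment: MTU minus IPv6 and Fragment headers, rounded down to a
    multiple of 8 because fragment offsets are expressed in 8-byte units."""
    return ((mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8) * 8


def fragment_lengths(payload_len: int, mtu: int) -> list:
    """Payload sizes of the fragments a source host sends for one packet."""
    if payload_len + IPV6_HEADER <= mtu:
        return [payload_len]           # fits: no Fragment header needed
    step = max_fragment_payload(mtu)
    if step <= 0:
        raise ValueError("MTU too small to carry a fragment")
    return [min(step, payload_len - off) for off in range(0, payload_len, step)]


if __name__ == "__main__":
    cache = PathMtuCache()
    cache.on_packet_too_big("2001:db8::1", 1400)
    mtu = cache.mtu_for("2001:db8::1")
    print(mtu, fragment_lengths(3000, mtu))
```

The aging step is what lets a path recover after a transient low-MTU link disappears: the estimate only grows again when the entry expires and the next full-size packet either succeeds or provokes a fresh Packet Too Big.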
971. Enter system view.
  Command: system-view
  Remarks: N/A
972. Configure the aging time for dynamic path MTUs.
  Command: ipv6 pathmtu age age-time
  Remarks: Optional. 10 minutes by default.
Configuring IPv6 TCP properties
You can configure the following IPv6 TCP properties:
• synwait timer: When a SYN packet is sent, the synwait timer is started. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
978. Configure the IPv6 FIB load sharing mode.
  Command (load sharing based on the hash algorithm): ipv6 fib-loadbalance-type hash-based
  Command (load sharing based on polling): undo ipv6 fib-loadbalance-type hash-based
  Remarks: Optional. By default, load sharing based on polling is adopted and ECMP routes are used in turn to forward packets.
Controlling sending ICMPv6 packets
This section describes how to configure ICMPv6 packet sending.
981. Enter system view.
  Command: system-view
  Remarks: N/A
982. Enable replying to multicast echo requests.
  Command: ipv6 icmpv6 multicast-echo-reply enable
  Remarks: By default, the device does not reply to multicast echo requests.
985. Enter system view.
  Command: system-view
  Remarks: N/A
986. Enable sending ICMPv6 destination unreachable messages.
  Command: ipv6 unreachables enable
  Remarks: Disabled by default.
Enabling sending ICMPv6 redirect messages
When a device receives a large number of attack packets that require it to send ICMPv6 redirect packets, the device's performance is degraded by processing these packets.
Task: Display the IPv6 path MTU information.
  Command: display ipv6 pathmtu [ vpn-instance vpn-instance-name ] { ipv6-address | all | dynamic | static } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display socket information.
  Command: display ipv6 socket [ socktype socket-type ] [ task-id socket-id ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the statistics of IPv6 packets and ICMPv6 packets.
system-view
[FirewallA] ipv6
# Assign a global unicast address to interface GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 3001::1/64
[FirewallA-GigabitEthernet0/1] quit
# Assign a global unicast address to interface GigabitEthernet 0/2 and allow it to advertise RA messages (no interface advertises RA messages by default).
[FirewallA] display ipv6 neighbors interface gigabitethernet 0/2
 Type: S-Static    D-Dynamic
 IPv6 Address                  Link-layer       VID   Interface   State   T   Age
 FE80::215:E9FF:FEA6:7D14      0015-e9a6-7d14   N/A   GE0/2       STALE   D   1238
 2001::15B:E0EA:3524:E791      0015-e9a6-7d14   N/A   GE0/2       STALE   D   1248
The output shows that the IPv6 global unicast address that the host obtained is 2001::15B:E0EA:3524:E791.
Verifying the configuration
# Display the IPv6 interface information on Firewall A.
    OutFragCreates: 0
    InMcastPkts: 6
    InMcastNotMembers: 25747
    OutMcastPkts: 48
    InAddrErrors: 0
    InDiscards: 0
    OutDiscards: 0
[FirewallA] display ipv6 interface gigabitethernet 0/2
GigabitEthernet0/2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:0
    FF02::1:FF00:1
    FF02::1:FF00:1C0
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number o
    OutFragCreates: 0
    InMcastPkts: 79
    InMcastNotMembers: 65
    OutMcastPkts: 938
    InAddrErrors: 0
    InDiscards: 0
    OutDiscards: 0
# Display the IPv6 interface settings on Firewall B. All IPv6 global unicast addresses configured on the interface are displayed.
    InMcastNotMembers: 0
    OutMcastPkts: 7
    InAddrErrors: 0
    InDiscards: 0
    OutDiscards: 0
# Ping Firewall A and Firewall B from the host, and ping Firewall A and the host from Firewall B to verify that they are connected.
CAUTION: When you ping a link-local address, use the -i parameter to specify an interface for the link-local address.
3. Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to help locate the cause.
DHCPv6 overview
DHCPv6 can be configured only at the CLI.
Feature and hardware compatibility
Hardware: DHCPv6 compatible
  F1000-A-EI/F1000-S-EI: Yes
  F1000-E: Yes
  F5000: Yes
  Firewall module: Yes
  U200-A: Yes
  U200-S: No
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
Figure 364 Format of DUID-LL
IA
Identified by an IAID, an Identity Association (IA) provides a construct through which the obtained addresses, prefixes, and other configuration parameters assigned from a server to a client are managed. A client can have more than one IA assigned to it, for example, one for each of its interfaces, to manage the addresses, prefixes, and other configuration parameters obtained by the interfaces.
IAID
An IAID uniquely identifies an IA.
Figure 365 Rapid assignment involving two messages
Assignment involving four messages
Figure 366 shows the process of IPv6 address/prefix assignment involving four messages.
Figure 366 Assignment involving four messages
The assignment involving four messages operates as follows:
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2.
Figure 367 Using the Renew message for address/prefix lease renewal
As shown in Figure 368, if the DHCPv6 client receives no response from the DHCPv6 server after sending out a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2 (that is, when 80% of the preferred lifetime has elapsed). The DHCPv6 server then responds with a Reply message, informing the client whether or not the lease is renewed.
parameters. If not, the client ignores the configuration parameters. If multiple replies are received, the first received reply is used.
Configuring the DHCPv6 server
The DHCPv6 server can be configured only at the CLI.
Feature and hardware compatibility
Hardware: DHCPv6 server compatible
  F1000-A-EI/F1000-S-EI: Yes
  F1000-E: Yes
  F5000: Yes
  Firewall module: Yes
  U200-A: Yes
  U200-S: No
Overview
A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients.
IPv6 prefix assignment
As shown in Figure 371, the DHCPv6 server assigns an IPv6 prefix to the DHCPv6 client. The client advertises the prefix information in an RA message so that hosts on the subnet can automatically configure their IPv6 addresses by using the prefix.
Figure 371 IPv6 prefix assignment
DHCPv6 address pool
The DHCPv6 server selects IPv6 addresses, IPv6 prefixes, DNS server addresses, and other parameters from an address pool and assigns them to DHCPv6 clients.
Address/prefix selection
The DHCPv6 server observes the following principles to select an IPv6 address or prefix for a client:
1. If there is an address pool in which an IPv6 address or prefix is statically bound to the DUID or IAID of the client, the DHCPv6 server selects this address pool and assigns the statically bound IPv6 address or prefix and other configuration parameters to the client.
2.
• Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client. If you only bind a DUID to an IPv6 prefix, the DUID in the request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.
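The matching rules above hinge on two client-supplied values, the DUID and the IAID, so the server must parse the DUID defensively and then apply the precedence exactly: a binding that names an IAID requires both to match, a binding with only a DUID requires the DUID alone, and anything else falls through to the prefix pool. The following added example (not code from this guide) decodes the three DUID formats (DUID-LLT, DUID-EN and DUID-LL, as in Figure 364) and implements that selection. The DUID bytes are constructed from the host MAC shown in the IPv6 configuration example, and the pool mirrors the ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48 command from the example that follows.

```python
"""Parsing a client DUID and applying the binding precedence described above (static by
DUID+IAID, static by DUID only, then a dynamic prefix from the pool). Added example, not code
from the HP guide; the DUID bytes are constructed and the pool mirrors the configuration
example below."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3   # RFC 3315 DUID types


def parse_duid(raw: bytes) -> dict:
    """Decode the three DUID formats. Length checks matter: the DUID is client-supplied."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its type field")
    (duid_type,) = struct.unpack("!H", raw[:2])
    if duid_type == DUID_LLT:
        if len(raw) < 8:
            raise ValueError("DUID-LLT too short")
        hw_type, when = struct.unpack("!HI", raw[2:8])
        return {"type": "LLT", "hw_type": hw_type, "time": when, "ll_addr": raw[8:].hex("-")}
    if duid_type == DUID_EN:
        if len(raw) < 6:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack("!I", raw[2:6])
        return {"type": "EN", "enterprise": enterprise, "identifier": raw[6:].hex()}
    if duid_type == DUID_LL:
        if len(raw) < 4:
            raise ValueError("DUID-LL too short")
        (hw_type,) = struct.unpack("!H", raw[2:4])
        return {"type": "LL", "hw_type": hw_type, "ll_addr": raw[4:].hex("-")}
    raise ValueError(f"unknown DUID type {duid_type}")


@dataclass(frozen=True)
class StaticBinding:
    prefix: str
    duid: bytes
    iaid: Optional[int] = None   # None: bound to the DUID only


def dynamic_prefix_pool(pool_prefix: str, assign_len: int) -> Iterator[str]:
    """Yield assignable prefixes in order, like the prefix pool on the device."""
    for subnet in ipaddress.IPv6Network(pool_prefix).subnets(new_prefix=assign_len):
        yield str(subnet)


def select_prefix(bindings: List[StaticBinding], request_duid: bytes, request_iaid: int,
                  pool: Iterator[str]) -> Tuple[Optional[str], str]:
    """A static binding wins only if its DUID matches and, when it names an IAID, that matches
    too; otherwise the next free dynamic prefix is handed out. A DUID is asserted by the
    client and not authenticated, so a static binding is a convenience, not an access
    control."""
    for binding in bindings:
        if binding.duid != request_duid:
            continue
        if binding.iaid is not None and binding.iaid != request_iaid:
            continue
        return binding.prefix, "static"
    prefix = next(pool, None)
    return (prefix, "dynamic") if prefix else (None, "exhausted")


# constructed DUID-LL: type 3, hardware type 1 (Ethernet), MAC 00-15-e9-a6-7d-14
HOST_DUID = bytes.fromhex("0003" "0001" "0015e9a67d14")

if __name__ == "__main__":
    print(parse_duid(HOST_DUID))
    pool = dynamic_prefix_pool("2001:410::/32", 48)
    bindings = [StaticBinding("2001:410:201::/48", HOST_DUID, iaid=1)]
    print(select_prefix(bindings, HOST_DUID, 1, pool))   # static hit
    print(select_prefix(bindings, HOST_DUID, 2, pool))   # IAID differs: dynamic
```

Run against the constructed DUID, a request with IAID 1 receives the static 2001:410:201::/48 while the same client asking with IAID 2 gets 2001:410::/48 from the pool, which is the pairing of Static(C) and Auto(C) entries that the display ipv6 dhcp server pd-in-use output in the following example shows.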
995. Configure static or dynamic prefix assignment.
  Command (configure a static prefix binding): static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  Command (apply the prefix pool to the address pool): prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  Remarks: Use at least one command. By default, no static or dynamic prefix assignment is configured for an address pool.
997. Create a DHCPv6 address pool and enter its view.
  Command: ipv6 dhcp pool pool-number [ vpn-instance vpn-instance-name ]
  Remarks: By default, no DHCPv6 address pool exists.
998. Create a static binding.
  Command: static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
999. Configure dynamic address allocation.
  Command (specify an IPv6 subnet for dynamic assignment):
Configuration parameters in the address pool take precedence over those in the DHCPv6 option group. You can configure up to eight DNS server addresses, one domain name suffix, eight SIP server addresses, and eight SIP server domain names in an address pool or a DHCPv6 option group.
Configuring parameters in a DHCPv6 address pool
Enter system view.
  Command: system-view
  Remarks: N/A
1005. Create a DHCPv6 address pool and enter its view.
1013. Create a static DHCPv6 option group and enter its view.
  Command: ipv6 dhcp option-group option-group-number
  Remarks: By default, no static DHCPv6 option group exists.
1014. Configure a DNS server address.
  Command: dns-server ipv6-address
  Remarks: Optional. By default, no DNS server address is configured.
1015. Configure a domain name suffix.
  Command: domain-name domain-name
  Remarks: Optional. By default, no domain name suffix is configured.
1016. Configure the IPv6 address or domain name of a SIP server.
To enable the DHCPv6 server on an interface:
1023. Enter system view.
  Command: system-view
  Remarks: N/A
1024. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
1025. Enable the DHCPv6 server on the interface.
  Command: ipv6 dhcp server [ allow-hint | apply pool pool-number | preference preference-value | rapid-commit ] *
  Remarks: Disabled by default.
Displaying and maintaining the DHCPv6 server
Task: Display the DUID of the local device.
Task: Clear information about IPv6 address conflicts.
  Command: reset ipv6 dhcp server conflict [ all | [ vpn-instance vpn-instance-name ] [ address ipv6-address | pool pool-number ] ]
  Remarks: Available in user view.
Task: Clear binding information for lease-expired IPv6 addresses.
  Command: reset ipv6 dhcp server expired [ all | [ vpn-instance vpn-instance-name ] [ address ipv6-address | pool pool-number ] ]
  Remarks: Available in user view.
Task: Clear information about IPv6 address bindings.
Figure 372 Network diagram
Configuration procedure
# Enable IPv6 and the DHCPv6 server.
system-view
[Firewall] ipv6
[Firewall] ipv6 dhcp server enable
# Configure the IPv6 address of GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 1::1/64
[Firewall-GigabitEthernet0/1] quit
# Create and configure prefix pool 1.
[Firewall] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
# Create address pool 1.
[Firewall-GigabitEthernet0/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display DHCPv6 server configuration information on GigabitEthernet 0/1.
[Firewall-GigabitEthernet0/1] display ipv6 dhcp server interface gigabitethernet 0/1
 Using pool: 1
 Preference value: 255
 Allow-hint: Enabled
 Rapid-commit: Enabled
# Display information about DHCPv6 address pool 1.
 Prefix               Type        Pool   Expiration time
 2001:410:201::/48    Static(C)   1      Jul 10 2011 19:45:01
 2001:410::/48        Auto(C)     1      Jul 10 2011 20:44:05
IPv6 address and configuration parameters assignment configuration example
Network requirements
As shown in Figure 373, the firewall at 1::1/64 serves as a DHCPv6 server, and assigns IPv6 addresses, a DNS server address, a domain name suffix, a SIP server address, and a SIP server domain name to DHCPv6 clients.
[Firewall-GigabitEthernet0/1] quit
# Create static DHCPv6 option group 1.
[Firewall] ipv6 dhcp option-group 1
# Specify the DNS server address as 2:2::3.
[Firewall-dhcp6-option-group1] dns-server 2:2::3
# Specify the domain name suffix as aaa.com.
[Firewall-dhcp6-option-group1] domain-name aaa.com
# Specify the SIP server address as 2:2::4, and the domain name of the SIP server as bbb.com.
   aaa.com
 SIP server addresses:
   2:2::4
 SIP server domain names:
   bbb.com
# Display information about DHCPv6 address pool 1.
Configuration considerations
• Enable IPv6 and the DHCPv6 server.
• Create a static IPv6 prefix.
• Create a static DHCPv6 option group, and configure parameters in the group.
• Specify the static prefix to create a prefix pool.
• Create an address pool. Apply the prefix pool to the address pool so that the DHCPv6 server can dynamically select a prefix from the prefix pool and assign it to a client.
[Firewall-dhcp6-option-group1] sip-server domain-name bbb.com
[Firewall-dhcp6-option-group1] quit
# Create prefix pool 1 that contains the prefix with ID 1, and specify the length of prefixes to be assigned as 48. Prefix pool 1 can assign prefixes in the range of 12:34::/48 to 12:34:FFFF::/48.
[Firewall] ipv6 dhcp prefix-pool 1 prefix 1 assign-len 48
# Create address pool 1.
 Domain names:
   aaa.com
 SIP server addresses:
   2:2::4
 SIP server domain names:
   bbb.com
# After a client obtains an IPv6 prefix, display IPv6 prefix binding information.
[Firewall] display ipv6 dhcp server pd-in-use all
 Total number: 1
 VPN instance: Public network
 Prefix            Type       Pool   Expiration time
 12:34::/48        Auto(C)    1      Apr 29 2011 17:07:38
# After a client obtains an IPv6 address, display IPv6 address binding information.
i. Specify the dynamic prefix to create a prefix pool.
j. Create an address pool. Apply the prefix pool to the address pool so that the DHCPv6 server can dynamically select a prefix from the prefix pool and assign it to a client. Apply the dynamic prefix to the network subnet so that the server can assign an IPv6 address to the client. To assign network parameters, specify the dynamically created DHCPv6 option group for the address pool.
k.
# Enable the DHCPv6 server on GigabitEthernet 0/1, apply address pool 1 to the interface, enable desired address/prefix assignment and rapid address/prefix assignment, and set the preference to the highest value.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
[FirewallA-GigabitEthernet0/1] quit
2. Configure Firewall B as the DHCPv6 client:
# Enable IPv6.
Verifying the configuration
# Display the DHCPv6 server configuration on GigabitEthernet 0/1 of Firewall A. Similar output is displayed if you display the DHCPv6 configuration on GigabitEthernet 0/1 of Firewall B.
display ipv6 dhcp server interface gigabitethernet 0/1
 Using pool: 1
 Preference value: 255
 Allow-hint: Enabled
 Rapid-commit: Enabled
# After Firewall B obtains an IPv6 prefix and network configurations, display IPv6 prefix information.
Configuring the DHCPv6 relay agent
The DHCPv6 relay agent can be configured only at the CLI.
Feature and hardware compatibility
Hardware: DHCPv6 relay agent compatible
  F1000-A-EI/F1000-S-EI: Yes
  F1000-E: Yes
  F5000: Yes
  Firewall module: Yes
  U200-A: Yes
  U200-S: No
Overview
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters.
3. After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server selects an IPv6 address and other required parameters, and adds them to the reply, which is encapsulated within the Relay Message option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply message to the DHCPv6 relay agent.
4. The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client.
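The relay exchange described above, encoded and decoded with RFC 8415 framing, as an added example that is not part of the original guide and not the firewall's own implementation. The message and option codes are the RFC values; the link and peer addresses, transaction ID and client identifier are constructed samples.

```python
"""DHCPv6 relay agent exchange: Solicit -> Relay-forward -> Relay-reply -> reply.
Message/option codes follow RFC 8415; all addresses and IDs below are constructed."""
import ipaddress
import struct

# Message types (RFC 8415 section 7.3)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
RELAY_FORW, RELAY_REPL = 12, 13
# Option codes (RFC 8415 section 21)
OPTION_CLIENTID = 1
OPTION_RELAY_MSG = 9
# Relay message header: msg-type (1), hop-count (1), link-address (16), peer-address (16)
RELAY_HDR = struct.Struct("!BB16s16s")


def option(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf):
    """Decode a run of options into (code, data) pairs; reject truncated options."""
    opts = []
    while buf:
        if len(buf) < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[:4])
        if len(buf) < 4 + length:
            raise ValueError("option length exceeds buffer")
        opts.append((code, buf[4:4 + length]))
        buf = buf[4 + length:]
    return opts


def client_message(msg_type, xid, options=b""):
    """Client/server message: 1-byte type, 3-byte transaction ID, then options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options


def relay_forward(inner, link_addr, peer_addr, hop_count=0):
    """Step 2: the relay agent wraps the client's message in a Relay-forward.
    link-address identifies the client's link (the relay interface address),
    peer-address is the client's source address, and the original message
    travels unchanged inside the Relay Message option."""
    hdr = RELAY_HDR.pack(RELAY_FORW, hop_count,
                         ipaddress.IPv6Address(link_addr).packed,
                         ipaddress.IPv6Address(peer_addr).packed)
    return hdr + option(OPTION_RELAY_MSG, inner)


def parse_relay(buf):
    """Split a Relay-forward/Relay-reply into (type, hop, link, peer, inner message)."""
    if len(buf) < RELAY_HDR.size:
        raise ValueError("short relay message")
    msg_type, hop, link, peer = RELAY_HDR.unpack(buf[:RELAY_HDR.size])
    if msg_type not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a relay message")
    inner = [d for c, d in parse_options(buf[RELAY_HDR.size:]) if c == OPTION_RELAY_MSG]
    if len(inner) != 1:
        raise ValueError("exactly one Relay Message option expected")
    return msg_type, hop, ipaddress.IPv6Address(link), ipaddress.IPv6Address(peer), inner[0]


def server_handle(relay_forw, reply_options):
    """Step 3: the server unwraps the client message, answers it (Advertise for
    a Solicit, Reply for a Request) with the same transaction ID, and returns
    the answer inside a Relay-reply that copies hop-count, link-address and
    peer-address from the Relay-forward so the relay can route it back."""
    msg_type, hop, link, peer, inner = parse_relay(relay_forw)
    if msg_type != RELAY_FORW:
        raise ValueError("server expects Relay-forward")
    client_type, xid = inner[0], int.from_bytes(inner[1:4], "big")
    answer_type = {SOLICIT: ADVERTISE, REQUEST: REPLY}[client_type]
    answer = client_message(answer_type, xid, reply_options)
    hdr = RELAY_HDR.pack(RELAY_REPL, hop, link.packed, peer.packed)
    return hdr + option(OPTION_RELAY_MSG, answer)


def relay_deliver(relay_repl):
    """Step 4: the relay agent unwraps the Relay-reply and returns the client's
    address (from peer-address) and the bare reply to forward to it."""
    msg_type, _hop, _link, peer, inner = parse_relay(relay_repl)
    if msg_type != RELAY_REPL:
        raise ValueError("relay expects Relay-reply")
    return str(peer), inner


def run_exchange():
    """Whole exchange with constructed sample values; returns the client address,
    reply type and transaction ID the relay finally hands to the client."""
    client_id = option(OPTION_CLIENTID, b"\x00\x01demo")            # constructed DUID
    solicit = client_message(SOLICIT, 0x123456, client_id)
    fwd = relay_forward(solicit, "1::1", "fe80::1")  # relay interface, client link-local
    repl = server_handle(fwd, client_id)
    client_addr, reply = relay_deliver(repl)
    return client_addr, reply[0], int.from_bytes(reply[1:4], "big")


if __name__ == "__main__":
    print(run_exchange())
```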
Step: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step: Enable DHCPv6 relay agent on the interface and specify a DHCPv6 server.
  Command: ipv6 dhcp relay server-address ipv6-address [ interface interface-type interface-number ]
  Remarks: By default, DHCPv6 relay agent is disabled and no DHCPv6 server is specified on the interface.
Displaying and maintaining the DHCPv6 relay agent
Task: Display the DUID of the local device.
Figure 378 Network diagram
Configuration procedure
1. Configure Firewall as a DHCPv6 relay agent:
# Enable IPv6.
system-view
[Firewall] ipv6
# Configure the IPv6 addresses of GigabitEthernet 0/1 and GigabitEthernet 0/2 respectively.
Packets received        : 14
  SOLICIT               : 0
  REQUEST               : 0
  CONFIRM               : 0
  RENEW                 : 0
  REBIND                : 0
  RELEASE               : 0
  DECLINE               : 0
  INFORMATION-REQUEST   : 7
  RELAY-FORWARD         : 0
  RELAY-REPLY           : 7
Packets sent            : 14
  ADVERTISE             : 0
  RECONFIGURE           : 0
  REPLY                 : 7
  RELAY-FORWARD         : 7
  RELAY-REPLY           : 0
Configuring the DHCPv6 client
DHCPv6 client can be configured only at the CLI.
Feature and hardware compatibility
Hardware: DHCPv6 client compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
With DHCPv6 client enabled, an interface uses DHCPv6 to obtain configuration parameters, such as an IPv6 address and an IPv6 prefix, from the DHCPv6 server.
DHCPv6 client configuration task list
Task: Configuring address acquisition
Task: Configuring prefix acquisition
Task: Enabling the stateless address autoconfiguration
  Remarks: Use either approach.
Configuring address acquisition
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
Displaying and maintaining the DHCPv6 client
Task: Display DHCPv6 client information.
  Command: display ipv6 dhcp client [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display DHCPv6 client statistics.
  Command: display ipv6 dhcp client statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the DUID of the local device.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 1::2/48
# Configure GigabitEthernet 0/1 to use DHCPv6 to obtain an IPv6 prefix and configuration parameters, and enable rapid prefix assignment. With the obtained prefix and parameters, the client automatically creates a DHCPv6 option group.
bbb.com
IPv6 address acquisition configuration example
Network requirements
The DHCPv6 client Firewall uses DHCPv6 to obtain an IPv6 prefix, the DNS server address, domain name suffix, SIP server address, and domain name of the SIP server. Configure the client to create a DHCPv6 option group for the obtained configuration parameters.
Figure 380 Network diagram
Configuration procedure
Before you make the following configuration, configure the DHCPv6 server.
Preferred lifetime 60 sec, valid lifetime 60 sec
T1 30 sec, T2 48 sec
Will expire at Jul 18 2011 10:06:57
DNS server addresses: 2000::FF
Domain names: example.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.com
# Display information about dynamic DHCPv6 option group 1.
[Firewall-GigabitEthernet0/1] display ipv6 dhcp option-group 1
DHCPv6 option group: 1
Type: Dynamic
DNS server addresses: 2000::FF
Domain names: example.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.
Configuration procedure
1. Configure Firewall B:
# Enable the IPv6 packet forwarding function.
system-view
[FirewallB] ipv6
# Configure the IPv6 address of GigabitEthernet 0/1.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ipv6 address 1::1 64
# Set the O flag in the RA messages to 1.
[FirewallB-GigabitEthernet0/1] ipv6 nd autoconfig other-flag
# Enable Firewall B to send RA messages.
[FirewallB-GigabitEthernet0/1] undo ipv6 nd ra halt
2.
  Reply                 : 1
  Advertise             : 0
  Reconfigure           : 0
  Invalid               : 0
Packets Sent            : 5
  Solicit               : 0
  Request               : 0
  Confirm               : 0
  Renew                 : 0
  Rebind                : 0
  Information-request   : 5
  Release               : 0
  Decline               : 0
Configuring IPv6 DNS
IPv6 DNS can be configured only at the CLI.
Feature and hardware compatibility
Hardware: IPv6 DNS compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure a DNS server. In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution.
Follow these guidelines when you configure dynamic domain name resolution:
• You can configure up to six DNS servers, including those with IPv4 addresses, on a device.
Static domain name resolution configuration example
Network requirements
As shown in Figure 382, the firewall wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the firewall so that the firewall can use the domain name host.com to access the host whose IPv6 address is 1::2.
Figure 382 Network diagram
Dynamic domain name resolution configuration example
Network requirements
As shown in Figure 383, the firewall wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. The IPv6 address of the DNS server is 2::2/64 and the server has a com domain, which stores the mapping between domain name host and IPv6 address 1::1/64.
Figure 384 Creating a zone
c. On the DNS configuration page, right-click zone com, and select Other New Records.
Figure 385 Creating a record
d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
e. Click Create Record.
Figure 386 Selecting the resource record type
f. On the page that appears, enter host name host and IPv6 address 1::1, and then click OK. The mapping between the host name and the IPv6 address is created.
Figure 387 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2::2.
[Firewall] dns server ipv6 2::2
# Configure com as the DNS suffix.
bytes=56 Sequence=2 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1
bytes=56 Sequence=5 hop limit=126 time = 1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring IPv6 static routing
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
IPv6 static routing can be configured only at the CLI.
Feature and hardware compatibility
Hardware: IPv6 static routing compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Overview
Static routes are manually configured.
Step: Configure an IPv6 static route.
  Command: • Approach 1:
Step: Delete all IPv6 static routes, including the default route.
Configuration procedure
1. Configure IPv6 addresses for all interfaces. (Details not shown.)
2. Configure IPv6 static routes:
# Enable IPv6 and configure the IPv6 default route on Router A.
system-view
[RouterA] ipv6
[RouterA] ipv6 route-static :: 0 4::2
# Enable IPv6 and configure two IPv6 static routes on Firewall.
Reply from 3::2
bytes=56 Sequence=1 hop limit=62 time = 63 ms
Reply from 3::2
bytes=56 Sequence=2 hop limit=62 time = 62 ms
Reply from 3::2
bytes=56 Sequence=3 hop limit=62 time = 62 ms
Reply from 3::2
bytes=56 Sequence=4 hop limit=62 time = 63 ms
Reply from 3::2
bytes=56 Sequence=5 hop limit=62 time = 63 ms
--- 3::2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring an IPv6 default route
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Feature and hardware compatibility
Hardware: IPv6 default route compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
An IPv6 default route is used to forward packets that match no entry in the routing table.
Configuring RIPng
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
RIPng can be configured only at the CLI.
Feature and hardware compatibility
Hardware: RIPng compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Overview
RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in RIPng.
Tuning and optimizing the RIPng network:
  Task: Configuring RIPng timers
    Remarks: Optional
  Task: Configuring split horizon and poison reverse
    Remarks: Optional
  Task: Configuring zero field check on RIPng packets
    Remarks: Optional
  Task: Configuring the maximum number of ECMP routes
    Remarks: Optional
  Task: Applying IPsec policies for RIPng
    Remarks: Optional
Configuring RIPng basic functions
This section presents the information to configure the basic RIPng features.
• Define an IPv6 ACL before using it for route filtering. For related information, see Access Control Configuration Guide.
• Define an IPv6 address prefix list before using it for route filtering. For related information, see "Configuring routing policies."
Configuring an additional routing metric
An additional routing metric can be added to the metric of an inbound or outbound RIP route. The outbound additional metric is added to the metric of a sent route.
Configuring a RIPng route filtering policy
You can reference a configured IPv6 ACL or prefix list to filter received or advertised routing information. You can also specify a routing protocol to filter outbound routes redistributed from the protocol.
To configure a RIPng route filtering policy:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter RIPng view.
  Command: ripng [ process-id ] [ vpn-instance vpn-instance-name ]
  Remarks: N/A
Step 3:
Tuning and optimizing the RIPng network
This section describes how to tune and optimize the performance of the RIPng network, as well as applications under special network environments.
Before tuning and optimizing the RIPng network, complete the following tasks:
• Configure a network layer address for each interface.
• Configure the basic RIPng functions.
Configuring RIPng timers
You can adjust RIPng timers to optimize the performance of the RIPng network.
Configuring poison reverse
The poison reverse function enables a route learned from an interface to be advertised through the interface. However, the metric of the route is set to 16, which means the route is unreachable.
To configure poison reverse:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable the poison reverse function.
  Command: ripng poison-reverse
  Remarks: Disabled by default.
match, the device accepts the packet. Otherwise, it discards the packet and does not establish a neighbor relationship with the sending device. You can configure an IPsec policy for a RIPng process or interface. The IPsec policy configured for a process applies to all packets in the process. The IPsec policy configured on an interface applies to packets on the interface. If an interface and its process each have an IPsec policy configured, the interface uses its own IPsec policy.
Task: Display RIPng interface information.
  Command: display ripng process-id interface [ interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Reset a RIPng process.
  Command: reset ripng process-id process
  Remarks: Available in user view.
Task: Clear statistics of a RIPng process.
  Command: reset ripng process-id statistics
  Remarks: Available in user view.
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ripng 1 enable
[RouterA-GigabitEthernet0/2] quit
# Configure Router B.
Dest 1::/64, via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 2 Sec
Dest 2::/64, via FE80::20F:E2FF:FE23:82F5, cost 1, tag 0, A, 2 Sec
Peer FE80::20F:E2FF:FE00:100 on GigabitEthernet0/2
Dest 4::/64, via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
Dest 5::/64, via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[Firewall] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
Peer FE80::20F:E2FF:FE00:1
[RouterA-GigabitEthernet0/1] quit
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ripng 100 enable
# Enable RIP 100 and RIP 200 on Firewall.
Destination: FE80::/10               Protocol   : Direct
NextHop    : ::                      Preference : 0
Interface  : NULL0                   Cost       : 0
3. Configure RIPng route redistribution:
# Configure route redistribution between the two RIPng processes on Firewall.
[Firewall] ripng 100
[Firewall-ripng-100] default cost 3
[Firewall-ripng-100] import-route ripng 200
[Firewall-ripng-100] quit
[Firewall] ripng 200
[Firewall-ripng-200] import-route ripng 100
[Firewall-ripng-200] quit
# Display the routing table on Router A.
Configuring RIPng IPsec policies
Network requirements
As shown in the following figure:
• Configure RIPng on the devices.
• Configure IPsec policies on the devices to authenticate and encrypt protocol packets.
Figure 391 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure RIPng basic functions:
# Configure Router A.
[RouterA] ipsec transform-set tran1
[RouterA-ipsec-transform-set-tran1] encapsulation-mode transport
[RouterA-ipsec-transform-set-tran1] transform esp
[RouterA-ipsec-transform-set-tran1] esp encryption-algorithm des
[RouterA-ipsec-transform-set-tran1] esp authentication-algorithm sha1
[RouterA-ipsec-transform-set-tran1] quit
[RouterA] ipsec policy policy001 10 manual
[RouterA-ipsec-policy-manual-policy001-10] transform-set tran1
[RouterA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[RouterA-i
[Firewall-ipsec-policy-manual-policy001-10] quit
4. Apply the IPsec policies in the RIPng process:
# Configure Router A.
[RouterA] ripng 1
[RouterA-ripng-1] enable ipsec-policy policy001
[RouterA-ripng-1] quit
# Configure Router B.
[RouterB] ripng 1
[RouterB-ripng-1] enable ipsec-policy policy001
[RouterB-ripng-1] quit
# Configure Firewall.
[Firewall] ripng 1
[Firewall-ripng-1] enable ipsec-policy policy001
[Firewall-ripng-1] quit
5.
Configuring OSPFv3
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
Feature and hardware compatibility
Hardware: OSPFv3 compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No
Overview
Open Shortest Path First version 3 (OSPFv3) supports IPv6 and complies with RFC 2740 (OSPF for IPv6).
Task: Configuring OSPFv3 route summarization
  Remarks: Optional
Task: Configuring OSPFv3 inbound route filtering
  Remarks: Optional
Task: Configuring an OSPFv3 cost for an interface
  Remarks: Optional
Task: Configuring the maximum number of OSPFv3 ECMP routes
  Remarks: Optional
Task: Configuring a priority for OSPFv3
  Remarks: Optional
Task: Configuring OSPFv3 route redistribution
  Remarks: Optional
Task: Configuring OSPFv3 timers
  Remarks: Optional
Task: Configuring a DR priority for an interface
  Remarks: Optional
Task: Ignoring MTU check for DD packets
  Remarks: Optional
Task: Disabling interfaces from receiving and sen
Step: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step: Enable an OSPFv3 process on the interface.
  Command: ospfv3 process-id area area-id [ instance instance-id ]
  Remarks: Not enabled by default.
Configuring OSPFv3 area parameters
The stub area and virtual link features of OSPFv3 are the same as OSPFv2. Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs and extends OSPFv3 applications.
Configuring an OSPFv3 virtual link
You can configure a virtual link to maintain connectivity between a non-backbone area and the backbone, or in the backbone itself.
IMPORTANT:
• Both ends of a virtual link are ABRs that must be configured with the vlink-peer command.
• Do not configure virtual links in the areas of a GR-capable process.
To configure a virtual link:
Step 1: Enter system view.
  Command: system-view
Step 2: Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
Step 3: Enter OSPFv3 area view.
Step: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step: Configure a network type for the OSPFv3 interface.
  Command: ospfv3 network-type { broadcast | nbma | p2mp [ non-broadcast ] | p2p } [ instance instance-id ]
  Remarks: Optional. The network type of an interface depends on the media type of the interface.
Step: Configure a summary route.
  Command: abr-summary ipv6-address prefix-length [ not-advertise ]
  Remarks: Not configured by default. The abr-summary command takes effect on ABRs only.
Configuring OSPFv3 inbound route filtering
According to some rules, you can configure OSPFv3 to filter routes that are computed from received LSAs.
To configure OSPFv3 inbound route filtering:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter OSPFv3 view.
To configure a bandwidth reference value:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3: Configure a bandwidth reference value.
  Command: bandwidth-reference value
  Remarks: Optional. 100 Mbps by default.
Configuring the maximum number of OSPFv3 ECMP routes
Perform this task to implement load sharing over ECMP routes.
To configure the maximum number of ECMP routes:
Step 1: Enter system view.
• The filter-policy export command filters routes redistributed with the import-route command. If the import-route command is not configured, executing the filter-policy export command does not take effect.
To configure OSPFv3 route redistribution:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3: Specify a default cost for redistributed routes.
  Command: default cost value
Step 4:
Configuring OSPFv3 timers
Make sure that the dead interval set on neighboring interfaces is not too short; otherwise, a neighbor is easily considered down. Also, make sure that the LSA retransmission interval is not too short; otherwise, unnecessary retransmissions might occur.
To configure OSPFv3 timers:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Configure the hello interval.
  Remarks: Optional.
Step 4:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Configure a DR priority.
  Command: ospfv3 dr-priority priority [ instance instance-id ]
  Remarks: Optional. Defaults to 1.
Ignoring MTU check for DD packets
When DD packets carry few LSAs, the MTU check on DD packets is unnecessary and can be skipped to improve efficiency.
To ignore MTU check for DD packets:
Step 1: Enter system view.
Step: Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step: Enable the logging of neighbor state changes.
  Command: log-peer-change
  Remarks: Enabled by default.
Applying IPsec policies for OSPFv3
To protect routing information and defend against attacks, OSPFv3 can authenticate protocol packets by using an IPsec policy. Outbound OSPFv3 packets carry the Security Parameter Index (SPI) defined in the relevant IPsec policy. A device uses the SPI carried in a received packet to match against the configured IPsec policy. If they match, the device accepts the packet. Otherwise, it discards the packet and will not establish a neighbor relationship with the sending device.
To apply an IPsec policy on a virtual link:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter OSPFv3 view.
  Command: ospfv3 [ process-id ]
  Remarks: N/A
Step 3: Enter OSPFv3 area view.
  Command: area area-id
  Remarks: N/A
Step 4: Apply an IPsec policy on a virtual link.
  Command: vlink-peer router-id [ hello seconds | retransmit seconds | trans-delay seconds | dead seconds | instance instance-id | ipsec-policy policy-name ] *
  Remarks: Not configured by default.
Task: Display OSPFv3 link state retransmission list information.
  Command: display ospfv3 [ process-id ] retrans-list [ { external | inter-prefix | inter-router | intra-prefix | link | network | router } [ link-state-id ] [ originate-router ip-address ] | statistics ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display OSPFv3 statistics.
  Command: display ospfv3 statistics [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
# Configure Router B.
system-view
[RouterB] ipv6
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 1 area 0
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ospfv3 1 area 1
[RouterB-GigabitEthernet0/2] quit
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] ospfv3 1
[RouterC-ospfv3-1] router-id 3.3.3.
[RouterC] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State           Dead Time   Interface   Instance ID
2.2.2.2         1     Full/DR         00:00:35    GE0/1       0
OSPFv3 Area ID 0.0.0.2 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State           Dead Time   Interface   Instance ID
4.4.4.4         1     Full/Backup     00:00:36    GE0/2       0
# Display OSPFv3 routing information on Firewall.
E1 - Type 1 external route, IA - Inter area route
E2 - Type 2 external route, I - Intra area route
* - Selected route
OSPFv3 Router with ID (4.4.4.
Configuring OSPFv3 DR election
Network requirements
• In Figure 393, the priority of Firewall is 100, the highest priority on the network, so it becomes the DR.
• The priority of Router C is 2, the second highest priority on the network, so it becomes the BDR.
• The priority of Router B is 0, so it cannot become a DR.
• Router A has the default priority 1.
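The election these requirements rely on, as an added example that is not part of the original guide and not the firewall's own code: it implements the DR/BDR election of RFC 2328 section 9.4, which OSPFv3 reuses, over the four routers above, including priority 0 ineligibility and the rule that an existing DR or BDR is not preempted by a later, higher-priority router. The priorities are the page's; the router IDs 1.1.1.1 for Firewall and 4.4.4.4 for Router A are assumed, since the page does not show them.

```python
"""OSPFv3 DR/BDR election on one broadcast segment (RFC 2328 section 9.4, which
OSPFv3 reuses). Priorities follow the page's scenario; the router IDs of
Firewall (1.1.1.1) and Router A (4.4.4.4) are assumed, not taken from the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    priority: int          # 0 means ineligible to become DR or BDR


def _rank(r: Router):
    """Higher priority wins; ties go to the numerically higher router ID
    (compared as four integers, not as a string)."""
    return (r.priority, tuple(int(x) for x in r.router_id.split(".")))


def elect(routers: List[Router], declared_dr: Optional[str] = None,
          declared_bdr: Optional[str] = None) -> Tuple[Optional[Router], Optional[Router]]:
    """Run the election as one router sees it. declared_dr / declared_bdr are
    the router IDs that neighbors currently announce as DR and BDR in their
    Hello packets (None on a cold start). A router already announcing itself
    as DR or BDR keeps the role: a newcomer with a higher priority does not
    preempt it until the current holder leaves."""
    eligible = [r for r in routers if r.priority > 0]
    # Step 2 (RFC numbering): elect the BDR among eligible routers that do not
    # announce themselves as DR; routers announcing themselves as BDR win first.
    bdr_cands = [r for r in eligible if r.router_id != declared_dr]
    announcing_bdr = [r for r in bdr_cands if r.router_id == declared_bdr]
    bdr = max(announcing_bdr or bdr_cands, key=_rank, default=None)
    # Step 3: routers announcing themselves as DR compete for DR; if none does,
    # the newly elected BDR is promoted to DR.
    announcing_dr = [r for r in eligible if r.router_id == declared_dr]
    dr = max(announcing_dr, key=_rank, default=bdr)
    # Step 4: after a promotion the RFC reruns the election, which then picks
    # a fresh BDR from the remaining candidates.
    if dr is not None and dr is bdr:
        bdr = max((r for r in bdr_cands if r is not dr), key=_rank, default=None)
    return dr, bdr


def roles(routers: List[Router], declared_dr: Optional[str] = None,
          declared_bdr: Optional[str] = None) -> Dict[str, str]:
    """Map each router name to DR, Backup or DROther, the labels shown in the
    State column of display ospfv3 peer."""
    dr, bdr = elect(routers, declared_dr, declared_bdr)
    return {r.name: "DR" if r is dr else "Backup" if r is bdr else "DROther"
            for r in routers}


# Constructed from the requirements above: Firewall 100, Router B 0, Router C 2,
# Router A default 1. Router IDs for Firewall and Router A are assumed.
SEGMENT = [
    Router("Firewall", "1.1.1.1", 100),
    Router("Router B", "2.2.2.2", 0),
    Router("Router C", "3.3.3.3", 2),
    Router("Router A", "4.4.4.4", 1),
]

if __name__ == "__main__":
    # Cold start: everyone comes up together.
    print(roles(SEGMENT))
    # Firewall joins a segment where Router C is already DR and Router A BDR:
    # no preemption, Firewall stays DROther.
    print(roles(SEGMENT, declared_dr="3.3.3.3", declared_bdr="4.4.4.4"))
```

The second call shows why a priority change, such as the ospfv3 dr-priority command later in this example, does not move the DR role by itself: the election only reconsiders a role when its current holder stops announcing it.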
[RouterC] ipv6
[RouterC] ospfv3
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface gigabitethernet 0/1
[RouterC-GigabitEthernet0/1] ospfv3 1 area 0
[RouterC-GigabitEthernet0/1] quit
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 4.4.4.
[RouterC-GigabitEthernet0/1] ospfv3 dr-priority 2
[RouterC-GigabitEthernet0/1] quit
# Display neighbor information on Firewall.
[Firewall] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
2.2.2.2         0     2-Way/DROther    00:00:38    GE0/1       0
3.3.3.3         2     Full/Backup      00:00:32    GE0/1       0
4.4.4.
• OSPFv3 process 1 and OSPFv3 process 2 are enabled on Firewall. Firewall communicates with Router A and Router B through OSPFv3 process 1 and OSPFv3 process 2, respectively.
• Configure OSPFv3 process 2 to redistribute direct routes and the routes from OSPFv3 process 1 on Firewall, and set the default metric for redistributed routes to 3. Router B can then learn the routes destined for 1::0/64 and 2::0/64, and Router A cannot learn the routes destined for 3::0/64 or 4::0/64.
# Enable OSPFv3 process 2 on Router B.
system-view
[RouterB] ipv6
[RouterB] ospfv3 2
[RouterB-ospfv3-2] router-id 4.4.4.4
[RouterB-ospfv3-2] quit
[RouterB] interface gigabitethernet0/2
[RouterB-GigabitEthernet0/2] ospfv3 2 area 2
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/1
[RouterB-GigabitEthernet0/1] ospfv3 2 area 2
[RouterB-GigabitEthernet0/1] quit
# Display the routing table of Router B.
Hardware: Example applicable
U200-S: No
Network requirements
As shown in Figure 395:
• Configure OSPFv3 on Firewall A, Firewall B and Router, and configure BFD over the link Firewall A<—>L2 Switch<—>Firewall B.
• After the link Firewall A<—>L2 Switch<—>Firewall B fails, BFD can quickly detect the failure and notify OSPFv3 of the failure. Then Firewall A and Firewall B communicate through Router.
[FirewallB] ipv6
[FirewallB] ospfv3 1
[FirewallB-ospfv3-1] router-id 2.2.2.2
[FirewallB-ospfv3-1] quit
[FirewallB] interface gigabitethernet 1/1
[FirewallB-GigabitEthernet1/1] ospfv3 1 area 0
[FirewallB-GigabitEthernet1/1] quit
[FirewallB] interface gigabitethernet 1/2
[FirewallB-GigabitEthernet1/2] ospfv3 1 area 0
[FirewallB-GigabitEthernet1/2] quit
# Enable OSPFv3 and set the router ID to 3.3.3.3 on Router.
system-view
[Router] ipv6
[Router] ospfv3 1
[Router-ospfv3-1] router-id 3.3.3.
Source IP: FE80::20F:FF:FE00:1202 (link-local address of GigabitEthernet 1/1 on Firewall A)
Destination IP: FE80::20F:FF:FE00:1200 (link-local address of GigabitEthernet 1/1 on Firewall B)
Session State: Up        Interface: GE1/1
Hold Time: /
# Display routes destined for 2001:4::0/64 on Firewall A.
# Display the BFD information of Firewall A.
display bfd session
The output shows that Firewall A has removed its neighbor relationship with Firewall B and therefore no information is output.
# Display routes destined for 2001:4::0/64 on Firewall A.
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] ospfv3 1 area 1
[RouterA-GigabitEthernet0/2] quit
# Configure Router B: enable OSPFv3 and configure the Router ID as 2.2.2.2.
system-view
[RouterB] ipv6
[RouterB] ospfv3 1
[RouterB-ospfv3-1] router-id 2.2.2.
proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the keys for the inbound and outbound SAs using ESP to abcdefg. Create an IPsec proposal named tran2, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1.
[Firewall-ipsec-policy-manual-policy002-10] quit
4. Apply the IPsec policies in areas:
# Configure Router A.
[RouterA] ospfv3 1
[RouterA-ospfv3-1] area 1
[RouterA-ospfv3-1-area-0.0.0.1] enable ipsec-policy policy001
[RouterA-ospfv3-1-area-0.0.0.1] quit
[RouterA-ospfv3-1] quit
# Configure Router B.
[RouterB] ospfv3 1
[RouterB-ospfv3-1] area 0
[RouterB-ospfv3-1-area-0.0.0.0] enable ipsec-policy policy002
[RouterB-ospfv3-1-area-0.0.0.0] quit
[RouterB-ospfv3-1] area 1
[RouterB-ospfv3-1-area-0.0.0.
Incorrect routing information
Symptom
OSPFv3 cannot find routes to other areas.
Analysis
The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one of those areas must be connected to the backbone. The backbone cannot be configured as a stub area. Routers in a stub area cannot receive external routes, and interfaces connected to the stub area must be associated with the stub area.
Solution
1.
Configuring IPv6 IS-IS
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
This chapter describes how to configure IPv6 IS-IS, which supports all IPv4 IS-IS features except that it advertises IPv6 routing information. For information about IS-IS, see "Configuring IS-IS."
IPv6 IS-IS can be configured only at the CLI.
• Configure IP addresses for interfaces, and make sure that all neighboring nodes can reach each other.
• Enable IS-IS.
Configuration procedure
To configure basic IS-IS:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable an IS-IS process and enter IS-IS view.
  Command: isis [ process-id ]
  Remarks: Not enabled by default.
Step 3: Configure the network entity title for the IS-IS process.
  Command: network-entity net
  Remarks: Not configured by default.
Step 4: Enable IPv6 for the IS-IS process.
  Command: ipv6 enable
  Remarks: Disabled by default.
Step: Configure IPv6 IS-IS to redistribute routes from another routing protocol.
  Command: ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
  Remarks: Optional.
Step: Configure the maximum number of redistributed Level 1/Level 2 IPv6 routes.
  Command: ipv6 import-route limit number
  Remarks: Optional.
Step: Configure the filtering of outgoing redistributed routes.
Task: Display LSDB information.
  Command: display isis lsdb [ [ l1 | l2 | level-1 | level-2 ] | [ [ lsp-id lsp-id | lsp-name lspname | local ] | verbose ] * ] * [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IS-IS mesh group information.
  Command: display isis mesh-group [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Figure 397 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 IS-IS:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] ipv6 enable
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/1
[RouterA-GigabitEthernet1/1] isis ipv6 enable 1
[RouterA-GigabitEthernet1/1] quit
# Configure Router B.
[Firewall-GigabitEthernet1/1] isis ipv6 enable 1
[Firewall-GigabitEthernet1/1] quit
[Firewall] interface gigabitethernet 1/2
[Firewall-GigabitEthernet1/2] isis ipv6 enable 1
[Firewall-GigabitEthernet1/2] quit
[Firewall] interface gigabitethernet 1/3
[Firewall-GigabitEthernet1/3] isis ipv6 enable 1
[Firewall-GigabitEthernet1/3] quit
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] isis 1
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 20.0000.0000.0004.
# Display the IPv6 IS-IS routing table of Router B.
ISIS(1) IPv6 Level-2 Forwarding Table
-------------------------------------
Destination: 2001:1::        PrefixLen: 64    Flag : D/L/-   Cost : 10
Next Hop   : Direct          Interface: GE1/2
Destination: 2001:2::        PrefixLen: 64    Flag : D/L/-   Cost : 10
Next Hop   : Direct          Interface: GE1/1
Destination: 2001:3::        PrefixLen: 64    Flag : D/L/-   Cost : 10
Next Hop   : Direct          Interface: GE1/3
Destination: 2001:4::1       PrefixLen: 128   Flag : R/-/-   Cost : 10
Next Hop   : FE80::20F:E2FF:FE3E:FA3D           Interface: GE1/3
Flags:
Configuring IPv6 BGP
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices.
IPv6 BGP can be configured only at the CLI.
This chapter describes only configuration for IPv6 BGP. For BGP-related information, see "Configuring BGP."
Task: Specifying the source interface for establishing TCP connections
  Remarks: Optional
Task: Allowing the establishment of an indirect EBGP connection
  Remarks: Optional
Task: Configuring a description for an IPv6 peer or peer group
  Remarks: Optional
Task: Disabling session establishment to an IPv6 peer or peer group
  Remarks: Optional
Task: Logging IPv6 peer or peer group state changes
  Remarks: Optional
Task: Configuring IPv6 BGP route redistribution
  Remarks: Optional
Task: Configuring IPv6 BGP route summarization
  Remarks: Optional
Task: Advertising a default route to an IPv6 peer or pee
Specifying an IPv6 BGP peer
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter BGP view.
  Command: bgp as-number
  Remarks: N/A
Step 3: Specify a router ID.
  Command: router-id router-id
  Remarks: Optional. Required, if no IP addresses are configured for any interfaces.
Step 4: Enter IPv6 address family view or IPv6 BGP-VPN instance view.
Step 5: Specify an IPv6 peer.
Step: Configure a preferred value for routes received from an IPv6 peer or peer group.
  Command: peer { ipv6-group-name | ipv6-address } preferred-value value
  Remarks: By default, the preferred value is 0. IPv6 BGP-VPN instance view does not support the ipv6-group-name argument.
Specifying the source interface for establishing TCP connections
IPv6 BGP uses TCP as the transport layer protocol.
Configuring a description for an IPv6 peer or peer group

1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view. Command: bgp as-number; Remarks: N/A.
3. Enter IPv6 address family view. Command: ipv6-family; Remarks: N/A.
4. Configure a description for an IPv6 peer or peer group. Command: peer { ipv6-group-name | ipv6-address } description description-text; Remarks: Optional. Not configured by default. The peer group to be configured with a description must have been created.
• Enable IPv6.
• Configure IPv6 BGP basic functions.

Configuring IPv6 BGP route redistribution

IMPORTANT: If the default-route imported command is not configured, the import-route command cannot redistribute an IGP default route.

To configure IPv6 BGP route redistribution:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view. Command: bgp as-number; Remarks: N/A.
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
1. Enter IPv6 address family view. Command: ipv6-family; Remarks: N/A.
2. Advertise a default route to an IPv6 peer or peer group. Command: peer { ipv6-group-name | ipv6-address } default-route-advertise [ route-policy route-policy-name ]; Remarks: Not advertised by default.
NOTE: IPv6 BGP advertises routes that pass the specified policy to peers. The protocol argument filters only the routes redistributed from the specified protocol. If no protocol is specified, IPv6 BGP filters all routes to be advertised, including redistributed routes and routes imported with the network command.

Configuring inbound route filtering

Only routes that pass the configured filtering can be added to the local IPv6 BGP routing table.
IGP route with the same destination network segment before it can advertise the IBGP route (use the display ipv6 routing-table protocol command to check the IGP route state).

To configure IPv6 BGP and IGP route synchronization:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view. Command: bgp as-number; Remarks: N/A.
3. Enter IPv6 address family view. Command: ipv6-family; Remarks: N/A.
4. Enable route synchronization between IPv6 BGP and IGP. Command: synchronization; Remarks: Not enabled by default.
Configuring IPv6 BGP preference and default LOCAL_PREF and NEXT_HOP attributes

To ensure that an IBGP peer can find the correct next hop, you can configure routes advertised to the IPv6 IBGP peer or peer group to use the local router as the next hop. If BGP load balancing is configured, the local router specifies itself as the next hop of routes sent to an IPv6 IBGP peer or peer group regardless of whether the peer next-hop-local command is configured.
1. Enable the comparison of MED for routes from different EBGP peers. Command: compare-different-as-med; Remarks: Optional. Not enabled by default. The IPv6 BGP-VPN instance view does not support this command.
2. Enable the comparison of MED for routes from each AS. Command: bestroute compare-med; Remarks: Optional. Disabled by default. The IPv6 BGP-VPN instance view does not support this command.
3. Enable the comparison of MED for routes from confederation peers. Remarks: Optional.
• IPv6 BGP timers
After establishing an IPv6 BGP connection, two routers periodically send keepalive messages to each other to maintain the connection. If a router receives no keepalive message from the peer before the holdtime elapses, it tears down the connection. When establishing an IPv6 BGP connection, the two parties compare their holdtimes and take the shorter one as the common holdtime. If the holdtime is 0, no keepalive messages are sent and the holdtime is not checked.
1. Configure the interval for sending the same update to an IPv6 peer or peer group. Command: peer { ipv6-group-name | ipv6-address } route-update-interval interval; Remarks: Optional. The interval for sending the same update defaults to 15 seconds for an IBGP peer and 30 seconds for an EBGP peer.

Configuring IPv6 BGP soft reset

Enabling route refresh

1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view.
(if any), to filter updates to the BGP speaker, reducing the number of exchanged update messages and saving network resources.
After you enable the BGP ORF capability, the local BGP router negotiates the ORF capability with the BGP peer through Open messages. The local BGP router determines whether to carry ORF information in messages. If so, it further determines whether to carry non-standard ORF information in the packets.
If the peer device supports 4-byte AS numbers, do not enable the 4-byte AS number suppression function. Otherwise, the BGP peer relationship cannot be established.

To enable 4-byte AS number suppression:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view. Command: bgp as-number; Remarks: N/A.
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view. Command: ipv6-family [ vpn-instance vpn-instance-name ]; Remarks: N/A.
4. Enable 4-byte AS number suppression.
1. Enable MD5 authentication when establishing a TCP connection to the peer or peer group. Command: peer { ipv6-group-name | ipv6-address } password { cipher | simple } password; Remarks: Not enabled by default.

Applying an IPsec policy to an IPv6 BGP peer or peer group

To protect routing information and defend against attacks, IPv6 BGP can authenticate protocol packets by using an IPsec policy. Outbound IPv6 BGP packets carry the Security Parameter Index (SPI) defined in the IPsec policy.
To ensure connectivity between IBGP peers, make them fully meshed. However, a full mesh becomes impractical when too many IBGP peers exist. Using route reflectors or confederation can solve this issue, and in a large-scale AS both can be used. Confederation configuration of IPv6 BGP is identical to that of BGP4, so it is not covered here.
Creating a mixed EBGP peer group

1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter BGP view. Command: bgp as-number; Remarks: N/A.
3. Enter IPv6 address family view. Command: ipv6-family; Remarks: N/A.
4. Create an EBGP peer group. Command: group ipv6-group-name external; Remarks: N/A.
5. Specify the AS number of an IPv6 peer. Command: peer ipv6-address as-number as-number; Remarks: Not specified by default.
6. Add the IPv6 peer into the peer group. Command: peer ipv6-address group ipv6-group-name; Remarks: Not added by default.
1. Enter IPv6 address family view. Command: ipv6-family; Remarks: N/A.
2. Apply a routing policy to routes advertised to an IPv6 peer or peer group. Command: peer { ipv6-group-name | ipv6-address } route-policy route-policy-name export; Remarks: Not applied by default.

Configuring an IPv6 BGP route reflector

In general, because the route reflector forwards routing information between clients, you are not required to make the clients of a route reflector fully meshed.
interval. This mechanism makes the detection of a link failure rather slow and thus causes a large quantity of packets to be dropped, especially when the failed link is a high-speed link. You can enable BFD to detect the link to a peer. BFD can quickly detect any link failure and thus reduce network convergence time. Before you configure BFD for IPv6 BGP, you must enable BGP. For more information about BFD, see High Availability Configuration Guide.
Task: Display IPv6 BGP routing information with the specified COMMUNITY attribute. Command: display bgp ipv6 routing-table community [ aa:nn<1-13> ] [ no-advertise | no-export | no-export-subconfed ]* [ whole-match ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Task: Display IPv6 BGP routing information matching an IPv6 BGP community list.
Clearing IPv6 BGP information

Task: Clear dampened IPv6 BGP routing information and release suppressed routes. Command: reset bgp ipv6 dampening [ ipv6-address prefix-length ]; Remarks: Available in user view.
Task: Clear IPv6 BGP route flap information. Command: reset bgp ipv6 flap-info [ ipv6-address/prefix-length | as-path-acl as-path-acl-number | regexp as-path-regexp ]; Remarks: Available in user view.
[RouterB-bgp] quit
# Configure Router C.
system-view
[RouterC] ipv6
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 9:3::1 as-number 65009
[RouterC-bgp-af-ipv6] peer 9:2::2 as-number 65009
[RouterC-bgp-af-ipv6] quit
[RouterC-bgp] quit
# Configure Firewall.
system-view
[Firewall] ipv6
[Firewall] bgp 65009
[Firewall-bgp] router-id 4.4.4.
  9:3::2       65009        2        3     0       0 00:00:40 Established
  9:1::2       65009        2        4     0       0 00:00:19 Established
# Display IPv6 peer information on Router C.
[RouterC] display bgp ipv6 peer

 BGP local router ID : 3.3.3.3
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 2

  Peer            AS  MsgRcvd  MsgSent  OutQ PrefRcv Up/Down  State
  9:3::1       65009        4        4     0       0 00:02:18 Established
  9:2::2       65009        4        5     0       0 00:01:52 Established

Router A and Router B have established an EBGP connection.
# Configure Router B.
system-view
[RouterB] ipv6
[RouterB] bgp 200
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 100::1 as-number 100
[RouterB-bgp-af-ipv6] peer 101::1 as-number 200
[RouterB-bgp-af-ipv6] peer 101::1 next-hop-local
# Configure Firewall.
system-view
[Firewall] ipv6
[Firewall] bgp 200
[Firewall-bgp] router-id 3.3.3.
Configuration procedure

1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure the IBGP connection:
# Configure Router A.
system-view
[RouterA] ipv6
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] group ibgp internal
[RouterA-bgp-af-ipv6] peer 1::2 group ibgp
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp] quit
# Configure Router B.
system-view
[RouterB] ipv6
[RouterB] bgp 65008
[RouterB-bgp] router-id 2.2.2.
reference IPsec proposal tran1, set the SPIs of the inbound and outbound SAs to 12345, and the keys for the inbound and outbound SAs using ESP to abcdefg.
[RouterB-ipsec-policy-manual-policy002-10] quit
# On Firewall, create an IPsec proposal named tran2, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and the authentication algorithm to SHA1. Create an IPsec policy named policy002, specify the manual mode for it, reference IPsec proposal tran2, set the SPIs of the inbound and outbound SAs to 54321, and the keys for the inbound and outbound SAs using ESP to gfedcba.
[RouterB] display bgp ipv6 peer verbose

         BGP Peer is 1::1, remote AS 65008,
         Type: IBGP link
         BGP version 4, remote router ID 1.1.1.
 Optional capabilities:
 Route refresh capability has been enabled
 ORF advertise capability based on prefix (type 64):
  Local: both
  Negotiated: send
 Peer Preferred Value: 0
 IPsec policy name: policy002, SPI :54321
 Routing policy configured:
 No routing policy is configured

The output shows that both IBGP and EBGP neighbor relationships have been established, and all protocol packets are protected by IPsec.
Configuration procedure

1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 to make sure that Firewall A and Firewall B are reachable to each other. (Details not shown.)
3. Configure IPv6 BGP on Firewall A:
# Establish two IBGP connections between Firewall A and Firewall B.
[FirewallB-bgp-af-ipv6] peer 3001::1 as-number 200
[FirewallB-bgp-af-ipv6] peer 3001::1 bfd
[FirewallB-bgp-af-ipv6] peer 2001::1 as-number 200
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
5. Configure BFD parameters (you can use default BFD parameters instead):
# Configure Firewall A.
[FirewallA] bfd session init-mode active
[FirewallA] interface gigabitethernet 1/2
• Configure the minimum interval for transmitting BFD control packets as 500 milliseconds.
 Recv Pkt Num: 57                           Send Pkt Num: 53
 Hold Time: 2200ms                          Connect Type: Direct
 Running Up for: 00:00:06                   Auth mode: Simple
 Protocol: BGP6
 Diag Info: No Diagnostic

The output shows that a BFD session is established between Firewall A's GigabitEthernet 1/2 and Firewall B's GigabitEthernet 1/1 and that BFD runs properly.
# Display IPv6 peer information on Firewall B. The output shows that the neighborship between Firewall A and Firewall B is established.
debugging bgp bfd
terminal monitor
terminal debugging
# The following debugging information shows that Firewall B can quickly detect the failure on Router A.
%Nov 5 11:42:24:172 2009 FirewallB BFD/5/BFD_CHANGE_FSM: Sess[3002::2/3001::1,13/17,GE1/1,Ctrl], Sta: UP->DOWN, Diag: 1
%Nov 5 11:42:24:172 2009 FirewallB BGP/5/BGP_STATE_CHANGED: 3001::1 state is changed from ESTABLISHED to IDLE.
3. If a loopback interface is used, verify that the loopback interface is specified with the peer connect-interface command.
4. If the peer is not directly connected, verify that the peer ebgp-max-hop command is configured.
5. If the peer ttl-security hops command is configured, verify that the command is also configured on the peer and that the hop-count values configured on both sides are greater than the number of hops between them.
6. Verify that a valid route to the peer is available.
7.
Displaying an IPv6 routing table

Feature and hardware compatibility

Hardware / Feature compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No

Displaying the routing table is a basic way to troubleshoot routing problems. The device supports displaying the routing table only at the CLI.
To display the routing table at the CLI:
Task: Display IPv6 routing table information.
Configuring IPv6 policy-based routing

IPv6 policy-based routing can be configured only at the CLI.
An IPv6 policy matches packets against its nodes in priority order. If a packet satisfies the match criteria on a node, it is processed by the action on that node. Otherwise, it goes to the next node for a match. If the packet does not match the criteria on any node, it is forwarded according to the routing table.

if-match clause

IPv6 PBR supports the following types of if-match clauses:
• if-match acl6—Sets an ACL match criterion.
• if-match packet-length—Sets an IPv6 packet length match criterion.
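The node-walk described above, modelled as an added example that is not code from the HP guide: nodes are tried in ascending node-number order, a permit node that matches applies its action, a deny node that matches sends the packet back to ordinary forwarding, and a packet no node matches is looked up in the routing table. The ACL contents, routing table and the packet-length range on node 10 are constructed assumptions; node 20's values and the next hops are taken from the interface PBR example in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst: str
    proto: str      # "tcp", "udp" or "icmpv6"
    length: int     # IPv6 packet length in bytes


@dataclass
class Node:
    number: int                                        # lower number = higher priority
    mode: str = "permit"                               # "permit" or "deny"
    acl6: Optional[set] = None                         # if-match acl6: protocols the ACL permits
    packet_length: Optional[Tuple[int, int]] = None    # if-match packet-length min max
    next_hop: Optional[str] = None                     # apply ipv6-address next-hop
    output_interface: Optional[str] = None             # apply output-interface


def node_matches(node: Node, pkt: Packet) -> bool:
    """Every if-match clause configured on the node must be satisfied."""
    if node.acl6 is not None and pkt.proto not in node.acl6:
        return False
    if node.packet_length is not None:
        lo, hi = node.packet_length
        if not lo <= pkt.length <= hi:
            return False
    return True


def lookup_route(table: Dict[str, str], dst: str) -> Optional[str]:
    """Longest-prefix match in a {prefix: outgoing interface} routing table."""
    addr = ipaddress.IPv6Address(dst)
    best = None
    for prefix, out in table.items():
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, out)
    return best[1] if best else None


def forward(policy: List[Node], pkt: Packet, table: Dict[str, str]) -> dict:
    """Walk the policy nodes in priority order; fall back to the routing table."""
    for node in sorted(policy, key=lambda n: n.number):
        if not node_matches(node, pkt):
            continue                      # no match: go to the next node
        if node.mode == "deny":
            break                         # deny node matched: normal forwarding
        return {"by": "pbr", "node": node.number,
                "next_hop": node.next_hop, "out": node.output_interface}
    return {"by": "routing-table", "out": lookup_route(table, pkt.dst)}


# Constructed sample data. Policy aaa node 5 mirrors the local PBR example
# (ACL 3001 permits TCP, output interface GigabitEthernet 0/1). Policy lab1
# node 20 mirrors the interface PBR example (packet-length 101 1000, next hop
# 151::2); node 10's length range is an assumption, its next hop 150::2 is
# the one shown in that example's debugging output.
ACL_3001 = {"tcp"}
POLICY_AAA = [Node(5, acl6=ACL_3001, output_interface="GigabitEthernet0/1")]
POLICY_LAB1 = [
    Node(10, packet_length=(64, 100), next_hop="150::2"),
    Node(20, packet_length=(101, 1000), next_hop="151::2"),
]
ROUTING_TABLE = {"1::/64": "GigabitEthernet0/1", "2::/64": "GigabitEthernet0/2"}


if __name__ == "__main__":
    # TCP is policy-routed out GE0/1; ICMPv6 to 2::2 follows the routing table.
    print(forward(POLICY_AAA, Packet("2::2", "tcp", 64), ROUTING_TABLE))
    print(forward(POLICY_AAA, Packet("2::2", "icmpv6", 64), ROUTING_TABLE))
    print(forward(POLICY_LAB1, Packet("10::1", "udp", 500), ROUTING_TABLE))
```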
IPv6 PBR configuration task list

Configuring an IPv6 policy:
  Creating an IPv6 node. Remarks: Required.
  Configuring match criteria for an IPv6 node.
  Defining actions for an IPv6 node.
Configuring IPv6 PBR:
  Configuring IPv6 local PBR. Remarks: Required. Perform one of the tasks.
  Configuring IPv6 interface PBR.

Configuring an IPv6 policy

Creating an IPv6 node

1. Enter system view. Command: system-view.
2.
1. Enter IPv6 policy node view. Command: ipv6 policy-based-route policy-name [ deny | permit ] node node-number; Remarks: Not created by default.
2. Set a preference type or value for permitted IPv6 packets. Command: apply ipv6-precedence { type | value }; Remarks: Optional.
3. Set an output interface for permitted IPv6 packets. Command: apply output-interface interface-type interface-number; Remarks: Optional.
4. Set a next hop for permitted IPv6 packets.
Configuring IPv6 interface PBR

Configure interface PBR by applying an IPv6 policy on an interface. IPv6 PBR uses the policy to guide the forwarding of packets received on the interface. You can apply only one policy on an interface. If you execute the ipv6 policy-based-route command multiple times on an interface, only the last specified policy takes effect. You can apply the same IPv6 policy on multiple interfaces.
IPv6 PBR configuration examples

Configuring IPv6 local PBR based on packet type

Network requirements
As shown in Figure 402, configure IPv6 local PBR on Firewall to forward all locally generated TCP packets through GigabitEthernet 0/1. Router A forwards other IPv6 packets according to the routing table.

Figure 402 Network diagram

Configuration procedure
1. Configure Firewall:
# Configure ACL 3001 to match TCP packets.
[RouterB] ipv6
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] ipv6 address 2::2 64
4. Verify the configuration:
# Telnet to Router A (1::2/64) from Firewall. The operation succeeds.
# Telnet to Router B (2::2/64) from Firewall. The operation fails.
# Ping Router B (2::2/64) from Firewall. The operation succeeds.
Telnet uses TCP, and ping uses ICMP.
[Firewall-GigabitEthernet0/1] ripng 1 enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet0/2
[Firewall-GigabitEthernet0/2] ipv6 address 2::1 64
[Firewall-GigabitEthernet0/2] ripng 1 enable
[Firewall-GigabitEthernet0/2] quit
# Configure ACL 3001 to match TCP packets.
[Firewall] acl ipv6 number 3001
[Firewall-acl6-adv-3001] rule permit tcp
[Firewall-acl6-adv-3001] quit
# Configure Node 5 for policy aaa to forward TCP packets via GigabitEthernet 0/1.
Telnet uses TCP, and ping uses ICMP. The preceding results show that all TCP packets received on GigabitEthernet 0/3 of Firewall are forwarded to the next hop 1::2, and other packets are forwarded through GigabitEthernet 0/2. The IPv6 interface PBR configuration is effective.
[Firewall-pbr6-lab1-20] if-match packet-length 101 1000
[Firewall-pbr6-lab1-20] apply ipv6-address next-hop 151::2
[Firewall-pbr6-lab1-20] quit
# Configure IPv6 interface PBR by applying policy lab1 to GigabitEthernet 0/3.
[Firewall] interface gigabitethernet0/3
[Firewall-GigabitEthernet0/3] ipv6 address 192::1 64
[Firewall-GigabitEthernet0/3] undo ipv6 nd ra halt
[Firewall-GigabitEthernet0/3] ripng 1 enable
[Firewall-GigabitEthernet0/3] ipv6 policy-based-route lab1
[Firewall-GigabitEthernet0/3] return
2.
Ping statistics for 10::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms

The debugging information about PBR displayed on Firewall is as follows:
*Jun 7 16:03:28:946 2009 Firewall PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002
*Jun 7 16:03:29:950 2009 Firewall PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing
The preceding information indicates that Firewall sets the next hop for the received packets to 151::2 according to PBR. The packets are forwarded through GigabitEthernet 0/2.
Configuring IPv6 multicast routing and forwarding

Feature and hardware compatibility

Hardware / IPv6 multicast routing and forwarding compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No

Overview

In IPv6 multicast implementations, the following types of tables implement multicast routing and forwarding:
• Multicast routing table of an IPv6 multicast routing protocol—Each IPv6 multicast routing protocol has its own multicast routing
Task: Configuring an IPv6 multicast routing policy. Remarks: Optional.
Task: Configuring an IPv6 multicast forwarding range. Remarks: Optional.
Task: Configuring the IPv6 multicast forwarding table size. Remarks: Optional.

Enabling IPv6 multicast routing

Before you configure any Layer 3 IPv6 multicast functionality, you must enable IPv6 multicast routing.
To enable IPv6 multicast routing:
1. Enter system view.
2.
1. Configure the device to select the RPF route based on the longest match. Command: multicast ipv6 longest-match; Remarks: Optional. The route with the highest priority is selected as the RPF route by default.
2. Configure IPv6 multicast load splitting. Command: multicast ipv6 load-splitting { source | source-group }; Remarks: Optional. Disabled by default.

Configuring an IPv6 multicast forwarding range

IPv6 multicast packets do not travel infinitely in a network.
longer update the newly added downstream nodes for the forwarding entry until the number of existing downstream nodes for the entry decreases below the upper limit.

To configure the IPv6 multicast forwarding table size:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Configure the maximum number of entries in the IPv6 multicast forwarding table. Command: multicast ipv6 forwarding-table route-limit limit; Remarks: Optional.
3. Configure the maximum number of downstream nodes for a single IPv6 multicast forwarding entry.
Task: Clear forwarding entries from the IPv6 multicast forwarding table. Command: reset multicast ipv6 forwarding-table { { ipv6-source-address [ prefix-length ] | ipv6-group-address [ prefix-length ] | incoming-interface { interface-type interface-number | register } } * | all }; Remarks: Available in user view. When a forwarding entry is removed, the associated routing entry is also removed.
Task: Clear routing entries from the IPv6 multicast routing table. Remarks: Available in user view.
[RouterA-Tunnel0] ipv6 address 5001::1 64
# On Router A, specify the tunnel encapsulation mode as GRE over IPv6 and assign the source and destination addresses to interface Tunnel 0.
[RouterA-Tunnel0] tunnel-protocol gre ipv6
[RouterA-Tunnel0] source 2001::1
[RouterA-Tunnel0] destination 3001::2
[RouterA-Tunnel0] quit
# Create interface Tunnel 0 on the firewall and assign the IPv6 address and prefix length to interface Tunnel 0.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ospfv3 1 area 0
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ospfv3 1 area 0
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface tunnel 0
[Firewall-Tunnel0] ospfv3 1 area 0
[Firewall-Tunnel0] quit
4. Enable IPv6 multicast routing, IPv6 PIM-DM, and MLD:
# On Router A, enable IPv6 multicast routing globally, and enable IPv6 PIM-DM on each interface.
     RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/1
             Protocol: igmp, UpTime: 00:04:25, Expires: never

 (1001::100, FF1E::101)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:06:14
     Upstream interface: Tunnel0
         Upstream neighbor: 5001::1
         RPF prime neighbor: 5001::1
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet0/1
             Protocol: pim-dm, UpTime: 00:04:25, Expires: never

The output shows that Router A is the RPF neighbor of t
Configuring IPv6 PIM

Feature and hardware compatibility

Hardware / IPv6 PIM compatible
F1000-A-EI/F1000-S-EI: Yes
F1000-E: Yes
F5000: Yes
Firewall module: Yes
U200-A: Yes
U200-S: No

Overview

IPv6 PIM provides IPv6 multicast forwarding by leveraging IPv6 unicast static routes or IPv6 unicast routing tables generated by any IPv6 unicast routing protocol, such as RIPng, OSPFv3, IS-ISv6, or BGP4+.
IPv6 PIM-DM configuration task list

Task: Enabling IPv6 PIM-DM. Remarks: Required.
Task: Enabling state-refresh capability. Remarks: Optional.
Task: Configuring state refresh parameters. Remarks: Optional.
Task: Configuring IPv6 PIM-DM graft retry period. Remarks: Optional.
Task: Configuring common IPv6 PIM features. Remarks: Optional.
prune timer state of all the routers on the path. A shared-media subnet can have the state-refresh capability only if the state-refresh capability is enabled on all IPv6 PIM routers on the subnet.

To enable the state-refresh capability:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
3. Enable the state-refresh capability. Command: pim ipv6 state-refresh-capable; Remarks: Optional. Enabled by default.
configurable interval (namely, the graft retry period) until it receives a graft-ack message from the upstream router.

To configure the IPv6 PIM-DM graft retry period:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
3. Configure the graft retry period. Command: pim ipv6 timer graft-retry interval; Remarks: Optional. 3 seconds by default.
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Determine the IP address of a static RP and the ACL rule defining the range of IPv6 multicast groups to be served by the static RP.
• Determine the C-RP priority and the ACL rule defining the range of IPv6 multicast groups to be served by each C-RP.
Configuring an RP

An RP can be manually configured or dynamically elected through the BSR mechanism. For a large IPv6 PIM network, static RP configuration is a tedious job. Generally, static RP configuration is just a backup method for the dynamic RP election mechanism to enhance the robustness and operation manageability of a multicast network.
Enabling embedded RP

When the embedded RP feature is enabled, the router can resolve the RP address directly from the IPv6 multicast group address of an IPv6 multicast packet. This RP can replace the statically configured RP or the RP dynamically calculated based on the BSR mechanism, so the DR does not need to know the RP address beforehand. The default embedded RP address scopes are FF7x::/12 and FFFx::/12, where "x" refers to any legal address scope.
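How the RP address is resolved from a group address in the FF7x::/12 and FFFx::/12 ranges, as an added example that is not code from the HP guide: the field layout (flags, scope, RIID, plen, 64-bit network prefix, group ID) is the one defined by RFC 3956, and the group addresses used are constructed samples.

```python
import ipaddress
from typing import Optional

# Added example (not from the HP guide): resolve the RP embedded in an IPv6
# multicast group address per RFC 3956. The guide gives the default ranges
# FF7x::/12 and FFFx::/12; the bit layout below is the RFC 3956 one:
#   bits   0- 7 : 0xFF
#   bits   8-11 : flags "0RPT" (R, P and T set -> FF7x; all four set -> FFFx)
#   bits  12-15 : scope
#   bits  16-19 : reserved, must be zero
#   bits  20-23 : RIID, the RP interface ID (low nibble of the RP address)
#   bits  24-31 : plen, number of significant bits in the network prefix
#   bits  32-95 : 64-bit network prefix field
#   bits 96-127 : group ID

_MASK64 = (1 << 64) - 1


def is_embedded_rp_group(group: str) -> bool:
    """True if the address lies in FF7x::/12 or FFFx::/12 (R, P and T flags set)."""
    v = int(ipaddress.IPv6Address(group))
    if (v >> 120) != 0xFF:
        return False
    flags = (v >> 116) & 0xF
    return flags & 0x7 == 0x7


def parse_embedded_rp_group(group: str) -> dict:
    """Split an embedded-RP group address into its RFC 3956 fields, validating them."""
    if not is_embedded_rp_group(group):
        raise ValueError("not an embedded-RP group address: %s" % group)
    v = int(ipaddress.IPv6Address(group))
    fields = {
        "scope": (v >> 112) & 0xF,
        "reserved": (v >> 108) & 0xF,
        "riid": (v >> 104) & 0xF,
        "plen": (v >> 96) & 0xFF,
        "prefix": (v >> 32) & _MASK64,
        "group_id": v & 0xFFFFFFFF,
    }
    if fields["reserved"] != 0 or fields["riid"] == 0 or not 1 <= fields["plen"] <= 64:
        raise ValueError("malformed embedded-RP fields in %s" % group)
    return fields


def embedded_rp(group: str) -> ipaddress.IPv6Address:
    """RP address = the top plen bits of the prefix field, zero-padded, with RIID as the low nibble."""
    f = parse_embedded_rp_group(group)
    keep = _MASK64 ^ ((1 << (64 - f["plen"])) - 1)   # clear prefix bits beyond plen
    prefix = f["prefix"] & keep
    return ipaddress.IPv6Address((prefix << 64) | f["riid"])


def rp_for_group(group: str, configured_rp: Optional[str] = None) -> Optional[ipaddress.IPv6Address]:
    """Precedence as described above: an embedded RP replaces a static or BSR-learned RP."""
    if is_embedded_rp_group(group):
        return embedded_rp(group)
    return ipaddress.IPv6Address(configured_rp) if configured_rp else None


if __name__ == "__main__":
    # Constructed sample: scope E, RIID 2, plen 64, prefix 2001:db8:beef:feed::/64.
    print(embedded_rp("FF7E:240:2001:db8:beef:feed:0:1234"))   # 2001:db8:beef:feed::2
```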
Configuring a BSR

An IPv6 PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR. Elected from the C-BSRs, the BSR is responsible for collecting and advertising RP information in the IPv6 PIM-SM domain.

Configuring a C-BSR

You should configure C-BSRs on routers in the backbone network. When you configure a router as a C-BSR, be sure to specify the IPv6 address of an IPv6 PIM-SM-enabled interface on the router.
Configuring an IPv6 PIM domain border

As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the IPv6 PIM-SM domain. An IPv6 PIM domain border is a bootstrap message boundary. Each BSR has its specific service scope. IPv6 PIM domain border interfaces partition a network into different IPv6 PIM-SM domains. Bootstrap messages cannot cross a domain border in either direction.
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter IPv6 PIM view. Command: pim ipv6; Remarks: N/A.
3. Configure the BS period. Command: c-bsr interval interval; Remarks: Optional. By default, the BS period is determined by the formula "BS period = (BS timeout timer – 10) / 2". The default BS timeout timer is 130 seconds, so the default BS period is (130 – 10) / 2 = 60 (seconds). The BS period value must be smaller than the BS timeout timer.
4. Configure the BS timeout timer. Remarks: Optional.
1. Enter IPv6 PIM view. Command: pim ipv6; Remarks: N/A.
2. Disable the BSM semantic fragmentation function. Command: undo bsm-fragment enable; Remarks: By default, the BSM semantic fragmentation function is enabled.

Configuring IPv6 administrative scoping

With IPv6 administrative scoping disabled, an IPv6 PIM-SM domain has only one BSR. The BSR manages the whole network.
summarizes the advertisement messages to form an RP-set and advertises it to all routers in the specific admin-scope zone. All the routers use the same hash algorithm to get the RP address corresponding to the specific IPv6 multicast group.
The following rules apply to the hash mask length and C-BSR priority:
• You can configure these parameters globally and for an IPv6 admin-scope zone.
• The values of these parameters configured for an IPv6 admin-scope zone take precedence over the global values.
Configure a filtering rule for register messages on all C-RP routers and configure them to calculate the checksum based on the entire register message. Configure the register suppression time and the register probe time on all routers that might become IPv6 source-side DRs.

To configure register-related parameters:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter IPv6 PIM view. Command: pim ipv6; Remarks: N/A.
3. Configure a filtering rule for register messages. Remarks: Optional.
Task: Enabling IPv6 PIM-SM. Remarks: Required.
Task: Configuring the IPv6 SSM group range. Remarks: Optional.
Task: Configuring common IPv6 PIM features. Remarks: Optional.

Configuration prerequisites

Before you configure IPv6 PIM-SSM, complete the following tasks:
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Determine the IPv6 SSM group range.
To configure the IPv6 SSM group range:
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter IPv6 PIM view. Command: pim ipv6; Remarks: N/A.
3. Configure the IPv6 SSM group range. Command: ssm-policy acl6-number; Remarks: Optional. FF3x::/32 by default, where "x" refers to any legal group scope.

Configuring common IPv6 PIM features

For the configuration tasks in this section, the following rules apply:
• The configurations made in IPv6 PIM view are effective on all interfaces.
• Determine the maximum delay between hello messages (interface level value).
• Determine the assert timeout timer (global value/interface value).
• Determine the join/prune interval (global value/interface level value).
• Determine the join/prune timeout (global value/interface value).
• Determine the IPv6 multicast source lifetime.
• Determine the maximum size of join/prune messages.
• Determine the maximum number of (S, G) entries in each join/prune message.
1. Configure a hello message filter. Command: pim ipv6 neighbor-policy acl6-number; Remarks: No hello message filter by default. When the hello message filter is configured, if the hello messages of an existing IPv6 PIM neighbor fail to pass the filter, the IPv6 PIM neighbor is removed automatically when it times out.
1. Set the DR priority. Command: hello-option dr-priority priority; Remarks: Optional. 1 by default.
2. Set the neighbor lifetime. Command: hello-option holdtime interval; Remarks: Optional. 105 seconds by default.
3. Set the prune message delay. Command: hello-option lan-delay interval; Remarks: Optional. 500 milliseconds by default.
4. Set the override interval. Command: hello-option override-interval interval; Remarks: Optional.
5. Enable the neighbor tracking function. Command: hello-option neighbor-tracking; Remarks: Disabled by default.
1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter IPv6 PIM view. Command: pim ipv6; Remarks: N/A.
3. Set the prune delay timer. Command: prune delay interval; Remarks: Optional. By default, no prune delay timer is set.

Configuring common IPv6 PIM timers

IPv6 PIM routers discover IPv6 PIM neighbors and maintain IPv6 PIM neighboring relationships with other routers by periodically sending hello messages.
Configuring common IPv6 PIM timers on an interface

1. Enter system view. Command: system-view; Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number; Remarks: N/A.
3. Configure the hello interval. Command: pim ipv6 timer hello interval.
4. Configure the maximum delay between hello messages. Command: pim ipv6 triggered-hello-delay interval.
5. Configure the join/prune interval. Command: pim ipv6 timer join-prune interval.
6. Configure the join/prune timeout timer.
Task: Display information about the BSR in the IPv6 PIM-SM domain and the locally configured C-RPs in effect. Command: display pim ipv6 bsr-info [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Task: Display information about the IPv6 unicast routes used by IPv6 PIM. Command: display pim ipv6 claimed-route [ ipv6-source-address ] [ | { begin | exclude | include } regular-expression ]; Remarks: Available in any view.
Task: Display the number of IPv6 PIM control messages.
IPv6 PIM-DM configuration example

Network requirements
The receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and at least one receiver host exists in each stub network. The entire IPv6 PIM domain operates in the dense mode. Host A and Host C are IPv6 multicast receivers in two stub networks, N1 and N2. MLDv1 runs between Router A and N1, and between Router B, Router C, and N2.
system-view
[RouterA] multicast ipv6 routing-enable
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] mld enable
[RouterA-Ethernet1/1] pim ipv6 dm
[RouterA-Ethernet1/1] quit
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] pim ipv6 dm
[RouterA-Ethernet1/2] quit
# Enable IPv6 multicast routing, MLD, and IPv6 PIM-DM on Router B and Router C in the same way. (Details not shown.)
# On the firewall, enable IPv6 multicast routing and enable IPv6 PIM-DM on each interface.
Assume that Host A needs to receive information addressed to IPv6 multicast group G FF0E::101. Once the IPv6 multicast source S 4001::100/64 sends IPv6 multicast packets to the IPv6 multicast group G, an SPT is established through traffic flooding. Router A and the firewall on the SPT path have their (S, G) entries. Host A sends an MLD report to Router A to join IPv6 multicast group G, and a (*, G) entry is generated on Router A.
IPv6 PIM-SM non-scoped zone configuration example
Network requirements
The receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire IPv6 PIM domain operates in the sparse mode. Host A and Host C are IPv6 multicast receivers in two stub networks, N1 and N2. Both GigabitEthernet 0/3 on the firewall and POS 5/2 on Router D act as C-BSRs and C-RPs.
a. Enable IPv6 forwarding on each router and configure the IPv6 address and prefix length for each interface according to Figure 407. (Details not shown.)
b. Configure OSPFv3 on the routers in the IPv6 PIM-SM domain to make sure they are interoperable at the network layer. (Details not shown.)
2. Enable IPv6 multicast routing, MLD and IPv6 PIM-SM:
# On Router A, enable IPv6 multicast routing globally, enable MLD on Ethernet 1/1, and enable IPv6 PIM-SM on each interface.
[RouterA] display pim ipv6 interface
 Interface           NbrCnt HelloInt   DR-Pri     DR-Address
 Eth1/1              0      30         1          1001::1 (local)
 Eth1/2              1      30         1          1002::2
 Pos5/0              1      30         1          1003::2
# Display information about the BSR and locally configured C-RP on Router A.
[RouterA] display pim ipv6 bsr-info
 Elected BSR Address: 1003::2
   Priority: 20
   Hash mask length: 128
   State: Accept Preferred
   Uptime: 00:04:22
   Expires: 00:01:46
# Display information about the BSR and locally configured C-RP on the firewall.
   HoldTime: 130
   Advertisement Interval: 60
   Next advertisement scheduled at: 00:00:48
# Display RP information on Router A.
[RouterA] display pim ipv6 rp-info
 PIM-SM BSR RP information:
   prefix/prefix length: FF0E::101/64
     RP: 4002::1
     Priority: 192
     HoldTime: 130
     Uptime: 00:05:19
     Expires: 00:02:11
     RP: 1003::2
     Priority: 192
     HoldTime: 130
     Uptime: 00:05:19
     Expires: 00:02:11
Assume that Host A needs to receive information addressed to IPv6 multicast group G FF0E::100.
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: Ethernet1/1
             Protocol: pim-sm, UpTime: 00:02:15, Expires: 00:03:06
# Display IPv6 PIM multicast routing table information on the firewall.
with the Scope field value in their group addresses being 4. Serial 2/1 of Router E acts as a C-BSR and a C-RP of the global scope zone, which serve IPv6 multicast groups with the Scope field value in their group addresses being 14. MLDv1 runs between Router A, Router D, Router H, and their respective receivers.
a. Assign an IPv6 address and prefix length to each interface according to Figure 408. (Details not shown.)
b. Configure OSPFv3 on the routers in the IPv6 PIM-SM domain to make sure they are interoperable at the network layer. (Details not shown.)
2.
[Firewall-GigabitEthernet0/3] quit
[Firewall] interface gigabitethernet 0/4
[Firewall-GigabitEthernet0/4] multicast ipv6 boundary scope 4
[Firewall-GigabitEthernet0/4] quit
# On Router B, configure Ethernet 1/2 and POS 5/2 as the boundary of IPv6 admin-scope zone 2.
   State: Accept Preferred
   Scope: 14
   Uptime: 00:01:45
   Expires: 00:01:25
 Elected BSR Address: 1002::2
   Priority: 64
   Hash mask length: 126
   State: Elected
   Scope: 4
   Uptime: 00:04:54
   Next BSR message scheduled at: 00:00:06
 Candidate BSR Address: 1002::2
   Priority: 64
   Hash mask length: 126
   State: Elected
   Scope: 4
 Candidate RP: 1002::2(GigabitEthernet0/2)
   Priority: 192
   HoldTime: 130
   Advertisement Interval: 60
   Next advertisement scheduled at: 00:00:15
# Display information about the BSR and locally configured C-RP on
   Next advertisement scheduled at: 00:00:10
# Display information about the BSR and locally configured C-RP on Router E.
HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF4E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF5E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF6E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF7E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF8E::/16
Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFBE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFCE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFDE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFEE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix leng
RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF24::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF34::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF44::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF54::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix
prefix/prefix length: FF84::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF94::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFA4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFB4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFC4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 0
   prefix/prefix length: FFF4::/16
     RP: 1002::2
     Priority: 192
     HoldTime: 130
     Uptime: 00:03:39
     Expires: 00:01:51
# Display RP information on Router E.
HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF6E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF7E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF8E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF9E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFAE::/16
     Priority: 192
     HoldTime: 130
     Uptime: 00:03:39
     Expires: 00:01:51
   prefix/prefix length: FFDE::/16
     RP: 8001::1
     Priority: 192
     HoldTime: 130
     Uptime: 00:03:39
     Expires: 00:01:51
   prefix/prefix length: FFEE::/16
     RP: 8001::1
     Priority: 192
     HoldTime: 130
     Uptime: 00:03:39
     Expires: 00:01:51
   prefix/prefix length: FFFE::/16
     RP: 8001::1
     Priority: 192
     HoldTime: 130
     Uptime: 00:03:39
     Expires: 00:01:51
IPv6 PIM-SSM configuration example
Network requirements
The receivers receive VOD information through multicast.
Figure 409 Network diagram (device, interface and IPv6 address table: Firewall GE0/1 1001::1/64, GE0/2 1002::1/64, GE0/3 1003::1/64; Router C Eth1/1 4001::1/64; the remaining Router A, Router B and Router D entries are not recoverable from this copy)
Configuration procedure
1.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] pim ipv6 sm
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] pim ipv6 sm
[Firewall-GigabitEthernet0/3] quit
# Enable IPv6 multicast routing, MLD and IPv6 PIM-SM on Router A and Router B in the same way. (Details not shown.)
# Enable IPv6 multicast routing and IPv6 PIM-SM on Router C and Router D in the same way. (Details not shown.)
3.
[RouterC] display pim ipv6 routing-table
 Total 0 (*, G) entry; 1 (S, G) entry

 (4001::100, FF3E::101)
     Protocol: pim-ssm, Flag: LOC
     UpTime: 00:08:02
     Upstream interface: Ethernet1/1
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: Ethernet1/2
             Protocol: pim-ssm, UpTime: 00:08:02, Expires: 00:03:25
Troubleshooting IPv6 PIM
This section describes common IPv6 PIM problems and how to troubleshoot them.
6. Use the display current-configuration command to verify the IPv6 PIM mode information on each interface. Make sure the same IPv6 PIM mode (IPv6 PIM-SM or IPv6 PIM-DM) is enabled on all routers.
IPv6 multicast data is abnormally terminated on an intermediate router
Symptom
An intermediate router can receive IPv6 multicast data successfully, but the data cannot reach the last-hop router.
3. Use the display pim ipv6 rp-info command to verify that the same RP address has been configured on all the routers throughout the network.
RPT cannot be established or a source cannot register in IPv6 PIM-SM
Symptom
C-RPs cannot unicast advertise messages to the BSR. The BSR does not advertise bootstrap messages containing C-RP information and has no unicast route to any C-RP. An RPT cannot be established correctly, or the DR cannot perform source registration with the RP.
Configuring MLD
Feature and hardware compatibility
Hardware | MLD compatible
F1000-A-EI/F1000-S-EI | Yes
F1000-E | Yes
F5000 | Yes
Firewall module | Yes
U200-A | Yes
U200-S | No
Overview
An IPv6 router uses the MLD protocol to discover the presence of multicast listeners on the directly attached subnets. Multicast listeners are nodes wishing to receive IPv6 multicast packets.
Task | Remarks
Configuring an IPv6 multicast group filter | Optional.
Setting the maximum number of IPv6 multicast groups that an interface can join | Optional.
Configuring Router-Alert option handling methods | Optional.
Configuring MLD query and response parameters | Optional.
Enabling MLD fast-leave processing | Optional.
Enabling the MLD host tracking function | Optional.
Enabling MLD SSM mapping | Optional.
Configuring MLD SSM mapping entries | Optional.
Enabling MLD proxying | Optional.
Configuring the MLD version
Because MLD message types and formats vary with MLD versions, the same MLD version should be configured for all routers on the same subnet before MLD can work properly.
Configuring an MLD version globally
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD view.
   Command: mld
   Remarks: N/A
3. Configure an MLD version globally.
   Command: version version-number
   Remarks: MLDv1 by default.
Configuring an IPv6 multicast group filter
To restrict the hosts on the network attached to an interface from joining certain IPv6 multicast groups, you can set an IPv6 ACL rule on the interface so that the interface maintains only the IPv6 multicast groups matching the criteria.
To configure an IPv6 multicast group filter:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
• Determine the startup query interval.
• Determine the startup query count.
• Determine the MLD query interval.
• Determine the MLD querier's robustness variable.
• Determine the maximum response delay of MLD general query messages.
• Determine the MLD last listener query interval.
• Determine the MLD other querier present interval.
Step: Enable the insertion of the Router-Alert option into MLD messages.
   Command: mld send-router-alert
   Remarks: By default, MLD messages carry the Router-Alert option.
Configuring MLD query and response parameters
On startup, the MLD querier sends MLD general queries at the startup query interval, which is one-quarter of the MLD query interval. The number of queries, or the startup query count, is user configurable.
Step: Configure the MLD querier's robustness variable.
   Command: robust-count robust-value
   Remarks: 2 by default. A higher robustness variable makes the MLD querier more robust but results in a longer IPv6 multicast group timeout time.
Step: Configure the startup query interval.
   Command: startup-query-interval interval
   Remarks: By default, the startup query interval is one-quarter of the MLD query interval.
Step: Configure the startup query count.
Step: Configure the maximum response delay for MLD general query messages.
   Command: mld max-response-time interval
   Remarks: 10 seconds by default.
Step: Configure the MLD last listener query interval.
   Command: mld last-listener-query-interval interval
   Remarks: 1 second by default.
Enabling the MLD host tracking function
With the MLD host tracking function, the router can record the information of the member hosts that are receiving IPv6 multicast traffic, including the host IPv6 address, running duration, and timeout time. You can monitor and manage the member hosts according to the recorded information.
Enabling the MLD host tracking function globally
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD view.
NOTE: To ensure SSM service for all hosts on a subnet, regardless of the MLD version running on the hosts, enable MLDv2 on the interface that forwards IPv6 multicast traffic onto the subnet.
Configuring MLD SSM mapping entries
You can perform this configuration task multiple times to map an IPv6 multicast group to different IPv6 multicast sources.
To configure an MLD SSM mapping:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter MLD view.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable the MLD proxying feature.
   Command: mld proxying enable
   Remarks: Disabled by default.
Configuring IPv6 multicast forwarding on a downstream interface
Typically, to avoid duplicate multicast flows, only queriers can forward IPv6 multicast traffic.
Task: Display MLD information on the specified interface or all MLD-enabled interfaces.
   Command: display mld interface [ interface-type interface-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the information of the MLD proxying groups.
   Command: display mld proxying group [ group-address ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the information of the MLD routing table.
Figure 410 Network diagram (Firewall A: GE0/1 3000::12/64 toward N1 with Host A and Host B; Firewall B: GE0/1 3001::10/64 toward N2 with Host C and Host D; GE0/2 on each firewall faces the IPv6 PIM network)
Configuration procedure
1. Enable IPv6 forwarding, assign IPv6 addresses, and configure IPv6 unicast routing:
a. Enable IPv6 forwarding on each router and assign an IPv6 address and prefix length to each interface according to Figure 410. (Details not shown.)
b.
[FirewallB-GigabitEthernet0/2] pim ipv6 dm
[FirewallB-GigabitEthernet0/2] quit
3. Configure an IPv6 multicast group filter on Firewall A, so that the hosts connected to GigabitEthernet 0/1 can join IPv6 multicast group FF1E::101 only.
Figure 411 Network diagram (Source 1 1001::1/64, Source 2 2001::1/64, Source 3 3001::1/64, Receiver 4001::1/64; Firewall GE0/1 4001::2/64; the Router A, Router B and Router C interface entries are not recoverable from this copy)
Configuration procedure
1.
# On Router A, enable IPv6 multicast routing globally, and enable IPv6 PIM-SM on each interface.
 GigabitEthernet0/1(4001::2):
   Total 1 MLD SSM-mapping Group reported
     Group Address: FF3E::101
       Last Reporter: 4001::1
       Uptime: 00:02:04
       Expires: off
# Display IPv6 PIM routing table information on the firewall.
Figure 412 Network diagram (Firewall acts as proxy and querier, Router acts as querier; Host A, Host B and Host C are receivers in the IPv6 PIM-DM network)
Configuration procedure
1. Enable IPv6 forwarding on each router and assign an IPv6 address and prefix length to each interface according to Figure 412. (Details not shown.)
2.
     Current MLD version is 1
     Multicast routing on this interface: enabled
     Require-router-alert: disabled
# Display MLD group information on Router.
[Router] display mld group
 Total 1 MLD Group(s).
restrict the host from joining IPv6 multicast group G, the ACL must be modified to allow IPv6 multicast group G to receive report messages.
Membership information is inconsistent on the routers on the same subnet
Symptom
The MLD routers on the same subnet have different membership information.
Analysis
• A router running MLD maintains multiple parameters for each interface, and these parameters influence one another, forming very complicated relationships.
Configuring routing policies
The term "router" in this document refers to both routers and routing-capable firewalls and UTM devices. Routing policy can be configured only at the CLI. Routing policies control routing paths by filtering and modifying routing information. This chapter describes both IPv4 and IPv6 routing policies.
An IP prefix list matches the destination address of routing information. You can use the gateway option to receive routing information only from specified routers. For gateway option information, see Network Management Command Reference. An IP prefix list, identified by name, can comprise multiple items. Each item, identified by an index number, specifies a prefix range to match. An item with a smaller index number is matched first. A route that matches one item matches the IP prefix list.
Configuring an IP prefix list
Configuring an IPv4 prefix list
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an IPv4 prefix list.
   Command: ip ip-prefix ip-prefix-name [ index index-number ] { deny | permit } ip-address mask-length [ greater-equal min-mask-length ] [ less-equal max-mask-length ]
   Remarks: Not configured by default. If all the items are set to deny mode, no routes can pass the IPv4 prefix list. Configure the permit 0.0.0.
Hardware | Feature compatible
F1000-E | Yes
F5000 | Yes
Firewall module | Yes
U200-A | Yes
U200-S | No
You can configure multiple items for an AS path list that is identified by number. The relationship between items is logical OR. A route that matches one item matches the AS path list.
To configure an AS path list:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure an AS path list.
   Command: ip as-path as-path-number { deny | permit } regular-expression
   Remarks: Not configured by default.
Step: Configure a community list.
   Command (use either approach):
   • Configure a basic community list: ip community-list { basic-comm-list-num | basic comm-list-name } { deny | permit } [ community-number-list ] [ internet | no-advertise | no-export | no-export-subconfed ] *
   Remarks: Not configured by default.
• The routing information matching all the if-match clauses of a permit-mode node is handled by the apply clauses of the node, without needing to match against the next node. The routing information that does not match the node goes to the next node for a match.
• The apply clauses of a deny-mode node are never executed. The routing information matching all the if-match clauses of the node cannot pass the node and does not go to the next node.
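The prefix-list item ordering described earlier and the permit/deny node semantics above, modelled together as an added Python example (not code from the guide or the device). The prefix list, the AS path regular expression, the node numbers and the routes are constructed; the implicit deny at the end of a prefix list or policy and the "greater-equal alone means up to /32" rule are assumptions, not statements from this page.

```python
"""Comware-style IP prefix list and route-policy matching (added example).
Assumed, not stated on this page: a route matching no prefix-list item or no
policy node is denied, and greater-equal without less-equal means up to /32."""
from __future__ import annotations
import re
from collections.abc import Callable
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class PrefixItem:
    """One 'ip ip-prefix NAME index N {deny|permit} ADDR LEN [ge] [le]' item."""
    index: int
    permit: bool
    address: str
    mask_length: int
    greater_equal: int | None = None
    less_equal: int | None = None

    def matches(self, route: IPv4Network) -> bool:
        # The route must agree with the item on the first mask_length bits ...
        if route.prefixlen < self.mask_length:
            return False
        item_net = ip_network(f"{self.address}/{self.mask_length}", strict=False)
        head = ip_network(f"{route.network_address}/{self.mask_length}", strict=False)
        if head != item_net:
            return False
        # ... and its mask length must lie in the ge/le window; with neither
        # keyword the route's mask length must equal mask_length exactly.
        lo = self.mask_length if self.greater_equal is None else self.greater_equal
        hi = self.less_equal
        if hi is None:
            hi = 32 if self.greater_equal is not None else self.mask_length  # assumed
        return lo <= route.prefixlen <= hi

def prefix_list_permits(items: list[PrefixItem], cidr: str) -> bool:
    """Smaller index is tried first; the first matching item decides."""
    route = ip_network(cidr, strict=False)
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(route):
            return item.permit
    return False  # no item matched: implicit deny (assumed)

@dataclass
class Route:
    network: str
    as_path: list[int]  # constructed BGP AS_PATH, nearest AS first
    cost: int = 0

Matcher = Callable[[Route], bool]
Applier = Callable[[Route], None]

@dataclass
class Node:
    number: int
    permit: bool
    if_match: list[Matcher] = field(default_factory=list)
    apply: list[Applier] = field(default_factory=list)

def route_policy(nodes: list[Node], route: Route) -> bool:
    """True if the route passes; a matching permit node's apply clauses run in place."""
    for node in sorted(nodes, key=lambda n: n.number):
        if all(clause(route) for clause in node.if_match):  # no clauses: matches all
            if node.permit:
                for clause in node.apply:
                    clause(route)
                return True
            return False  # deny node: its apply clauses are never executed
    return False  # matched no node: denied (assumed)

def match_as_path(regex: str) -> Matcher:
    """if-match as-path: regex over the AS_PATH written as space-separated ASNs."""
    pattern = re.compile(regex)
    return lambda r: pattern.search(" ".join(str(a) for a in r.as_path)) is not None

def apply_cost(value: int) -> Applier:
    def _apply(r: Route) -> None:
        r.cost = value
    return _apply

# Constructed list: /16 to /24 routes under 10.0.0.0/8 pass, but the
# lower-indexed deny item catches 10.1.0.0/16 itself first.
RANGE_LIST = [
    PrefixItem(10, True, "10.0.0.0", 8, greater_equal=16, less_equal=24),
    PrefixItem(5, False, "10.1.0.0", 16),
]
ALL_DENY_LIST = [PrefixItem(10, False, "0.0.0.0", 0, less_equal=32)]

def build_rt1() -> list[Node]:
    # Constructed policy in the spirit of the guide's rt1: node 10 denies routes
    # whose AS_PATH contains AS 200, node 20 passes the rest and sets cost 100.
    return [
        Node(10, permit=False, if_match=[match_as_path(r"(^| )200($| )")]),
        Node(20, permit=True, apply=[apply_cost(100)]),
    ]
```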
Step: Define match criteria for IPv4 routes.
   Command (use any of the following):
   • Match IPv4 routing information specified in the ACL: if-match acl acl-number
   • Match IPv4 routing information specified in the IP prefix list: if-match ip-prefix ip-prefix-name
   • Match IPv4 routing information whose next hop or source is specified in the ACL or IP prefix list: if-match ip { next-hop | route-source } { acl acl-number | ip-prefix ip-prefix-name }
   Remarks: Optional. Not configured by default.
Step: Match routing information having the specified route type.
   Command: if-match route-type { external-type1 | external-type1or2 | external-type2 | internal | is-is-level-1 | is-is-level-2 | nssa-external-type1 | nssa-external-type1or2 | nssa-external-type2 } *
   Remarks: Optional. Not configured by default. Support for keywords is-is-level-1 and is-is-level-2 depends on the device model.
Step: Match RIP, OSPF, and IS-IS routing information having the specified tag value.
   Remarks: Optional.
Step: Set a cost type for routing information.
   Command: apply cost-type [ external | internal | type-1 | type-2 ]
   Remarks: Optional. Support for the apply cost-type command depends on the device model.
Step: Set the next hop.
   Command (use either):
   • Set the next hop for IPv4 routes: apply ip-address next-hop ip-address
   • Set the next hop for IPv6 routes:
   Remarks: Optional. Not set by default. Support for the apply ipv6 next-hop command depends on the device model.
Step: Set the IP precedence.
• If you configure the same apply clause that sets different values (including the apply community and apply extcommunity clauses with the additive keyword) on nodes that are combined by the continue clause, the apply clause configured on the last matching node takes effect.
• If you configure the apply community clause for multiple nodes that are combined by the continue clause, the apply comm-list delete clause configured on the current node cannot delete the COMMUNITY attributes set by preceding nodes.
Routing policy configuration examples
Applying a routing policy to IPv6 route redistribution
The following matrix shows the configuration example and hardware compatibility:
Hardware | Example applicable
F1000-A-EI/F1000-S-EI | Yes
F1000-E | Yes
F5000 | Yes
Firewall module | Yes
U200-A | Yes
U200-S | No
Network requirements
• In Figure 413, enable RIPng on Firewall and Router.
• Configure three static routes on Firewall.
[Firewall] ipv6 route-static 20:: 32 11::2
[Firewall] ipv6 route-static 30:: 32 11::2
[Firewall] ipv6 route-static 40:: 32 11::2
# Configure a routing policy.
Hardware | Example applicable
Firewall module | Yes
U200-A | Yes
U200-S | No
Network requirements
• All the devices in Figure 414 run BGP. Router C establishes EBGP connections with Router A, Router B, and Firewall.
• Configure a routing policy on Firewall to reject routes from AS 200.
Figure 414 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure BGP:
# Configure Router A.
[RouterC-bgp] peer 1.1.3.2 as-number 400
# Configure Firewall.
system-view
[Firewall] bgp 400
[Firewall-bgp] router-id 4.4.4.4
[Firewall-bgp] peer 1.1.3.1 as-number 300
[Firewall-bgp] quit
# Inject routes 4.4.4.4/24, 5.5.5.5/24, and 6.6.6.6/24 on Router A.
[RouterA-bgp] network 4.4.4.4 24
[RouterA-bgp] network 5.5.5.5 24
[RouterA-bgp] network 6.6.6.6 24
# Inject routes 7.7.7.7/24, 8.8.8.8/24, and 9.9.9.9/24 on Router B.
[RouterB-bgp] network 7.7.7.7 24
[RouterB-bgp] network 8.8.8.
# On Firewall, specify routing policy rt1 to filter routes received from peer 1.1.3.1.
[Firewall] bgp 400
[Firewall-bgp] peer 1.1.3.1 route-policy rt1 import
# Display the BGP routing table information of Firewall.
[Firewall-bgp] display bgp routing-table
 Total Number of Routes: 3
 BGP Local router ID is 4.4.4.
Configuring SSL
SSL can be configured only at the CLI.
Overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to provide secure data transmission over the Internet.
Figure 416 SSL protocol stack
• SSL record protocol: fragments the data to be transmitted, computes and adds a MAC to the data, and encrypts the data before transmitting it to the peer end.
• SSL handshake protocol: negotiates the cipher suite to be used for secure communication (including the symmetric encryption algorithm, key exchange algorithm, and MAC algorithm), securely exchanges the key between the server and client, and implements identity authentication of the server and client.
Step: Specify a PKI domain for the SSL server policy.
   Command: pki-domain domain-name
   Remarks: Optional. By default, no PKI domain is specified for an SSL server policy, and the SSL server generates and signs a certificate for itself and does not obtain a certificate from a CA server. If SSL clients authenticate the server through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL server in the PKI domain.
Step: Enable SSL client weak authentication.
   Command: client-verify weaken
   Remarks: Optional. Disabled by default. This command takes effect only when the client-verify enable command is configured.
NOTE: Only TLS1.0 is supported in FIPS mode.
HTTPS login configuration example using the CA certificate
Network requirements
As shown in Figure 417, users need to access and control the firewall through webpages.
# Create a PKI entity named en, and configure the common name as http-server1 and the FQDN as ssl.security.com.
system-view
[Firewall] pki entity en
[Firewall-pki-entity-en] common-name http-server1
[Firewall-pki-entity-en] fqdn ssl.security.com
[Firewall-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.
For more information about PKI commands and the public-key local create rsa command, see VPN Command Reference. For more information about HTTPS, see Getting Started Guide.
HTTPS login configuration example using the default certificate
Network requirements
Users can access and control the firewall through Web.
Figure 420 Configuring a local user
Configuring the firewall at the CLI
1. Configure the HTTPS service:
# Create SSL server policy myssl.
system-view
[Firewall] ssl server-policy myssl
# Specify the PKI domain for the SSL server policy as default.
[Firewall-ssl-server-policy-myssl] pki-domain default
[Firewall-ssl-server-policy-myssl] quit
# Configure the HTTPS service to use SSL server policy myssl.
[Firewall] ip https ssl-server-policy myssl
# Enable the HTTPS server.
[Firewall] ip https enable
2.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an SSL client policy and enter its view.
   Command: ssl client-policy policy-name
   Remarks: N/A
3. Specify a PKI domain for the SSL client policy.
   Command: pki-domain domain-name
   Remarks: Optional. No PKI domain is specified by default. If the SSL server authenticates the SSL client through a digital certificate, you must use this command to specify a PKI domain and request a local certificate for the SSL client in the PKI domain.
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the device fails to handshake with the SSL client.
Analysis
SSL handshake failure may result from the following causes:
• The SSL client is configured to authenticate the SSL server, but the SSL server has no certificate or the certificate is not trusted.
• The SSL server is configured to authenticate the SSL client, but the SSL client has no certificate or the certificate is not trusted.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Boldface
   Description: Bold text represents commands and keywords that you enter literally as shown.
Convention: Italic
   Description: Italic text represents arguments that you replace with actual values.
Convention: [ ]
   Description: Square brackets enclose syntax choices (keywords or arguments) that are optional.
Convention: { x | y | ...
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents a firewall product or a UTM device.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.