HP High-End Firewalls Network Management Configuration Guide
Part number: 5998-2647
Software version:
  F1000-A-EI&F1000-S-EI: R3721
  F5000: F3210
  F1000-E: F3171
  Firewall module: F3171
Document version: 6PW101-20120719
Legal and notice information © Copyright 2012 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt)

Configuring interface management 1
  Feature and hardware compatibility 1
  Overview
Configuring the MAC address table 47
  Overview 47
  How a MAC address table entry is created 47
  Types of MAC address tabl
Configuring PPP 108
  Overview 108
  Performing general PPP configurations 112
Configuring inline forwarding at the CLI 141
  Displaying and maintaining inline Layer 2 forwarding 142
  Forward-type inline Layer 2 forwarding configuration example at the CLI 142
  Blackhole-type inline Layer 2 forwarding configuration example at the CLI
DHCP relay agent configuration task list 186
  Enabling DHCP and configuring advanced parameters for the DHCP relay agent 187
  Creating a DHCP server group 189
  Enabling the DHCP relay agent on an interface
Static domain name resolution configuration example 224
  Dynamic domain name resolution configuration example 224
  DNS proxy configuration example 227
  Troubleshooting IPv4 DNS configuration
Local proxy ARP configuration example in case of port isolation 258
  Local proxy ARP configuration example in isolate-user-VLAN 260
Configuring QoS 262
  Feature and hardware compatibility
Configuring RIP globally 329
  Configuring interface RIP 330
  RIP configuration example in the web interface 332
  Configuring RIP at the CLI
Configuring IPv6 BGP 424
  Hardware and feature compatibility 424
  Overview 424
Specifying intervals for sending IS-IS hello and CSNP packets 491
  Specifying the IS-IS hello multiplier 491
  Configuring a DIS priority for an interface 492
  Disabling an interface from sending/receiving IS-IS packets
Configuration prerequisites 544
  Configuration task list 544
  Enabling multicast routing 544
  Displaying multicast ro
PIM-SM admin-scope zone configuration example 620
  PIM-SSM configuration example 626
  Troubleshooting PIM 629
  A multicast distribution tree cannot be built
Configuring parameters related to RA messages 672
  Configuring the maximum number of attempts to send an NS message for DAD 675
  Enabling ND proxy 675
  Configuring path MTU discovery
Configuring the DHCPv6 client 703
  Introduction to the DHCPv6 client 703
  Configuration prerequisites 703
  Configuration pr
OSPFv3 configuration task list 733
  Enabling OSPFv3 734
  Prerequisites
Prerequisites 769
  Configuring IPv6 BGP route redistribution 769
  Configuring IPv6 BGP route summarization 770
  Advertising a default route to an IPv6 pee
Displaying the IPv6 routing table 810
  Displaying the routing table at the CLI 810
Configuring IPv6 policy-based routing 811
  Introduction to IPv6 policy-b
Configuring IPv6 PIM hello options 844
  Configuring the prune delay 846
  Configuring IPv6 PIM common timers 846
  Configuring join/prune message sizes
Prerequisites 897
  Defining an IP-prefix list 897
  Defining an AS path list 898
  Defining a
Configuring interface management

Feature and hardware compatibility

Feature: Subinterface rate statistics collection on an Ethernet interface
  F1000-A-EI/S-EI: No; F1000-E: Yes; F5000: Yes; Firewall module: Yes
Feature: Jumbo frame support
  F1000-A-EI/S-EI: No; F1000-E: Yes; F5000: No; Firewall module: Yes

Overview

An interface is the point of interaction or communication between devices. It is used for exchanging data between devices. A physical interface is an interface that materially exists and is supported by a device.
• Virtual template (VT) interface—Template used for configuring virtual access (VA) interfaces.
• Bridge-aggregation interface (BAGG)—Also known as a “Layer 2 aggregate interface”, which bundles multiple Layer 2 Ethernet interfaces.
• Route-aggregation interface (RAGG)—Also known as a “Layer 3 aggregate interface”, which bundles multiple Layer 3 Ethernet interfaces.
To view the statistics of an interface, click the interface name in the interface name list to enter the page shown in Figure 2.

Figure 2 Statistics of an interface

Creating an interface

Select Device Management > Interface from the navigation tree to enter the page shown in Figure 1. Click Add to enter the page for creating interfaces, as shown in Figure 3.
Figure 3 Creating an interface

Table 1 describes the configuration items of creating an interface.

Table 1 Configuration items
Description: Set the name for the interface or its subinterface.
• If you select a logical interface type from the list, such as Dialer, LoopBack, Tunnel, Vlan-interface, Virtual-Template, Route-Aggregation, or Bridge-Aggregation, set the interface number in the box behind to create the logical interface.
Item: IP Config
Description: Set how the interface obtains an IP address, which can be:
• None—Do not set an IP address for the interface.
• Static Address—Manually assign an IP address to the interface. After selecting this option, you must set the IP Address and Mask items manually.
• DHCP—The interface obtains an IP address through DHCP.
• BOOTP—The interface obtains an IP address through BOOTP.
• PPP Negotiate—The interface obtains an IP address through PPP negotiation.
Figure 4 Modifying interface information

The configuration items of editing an interface are similar to those of creating an interface. Table 2 describes the configuration items specific to editing an interface.

Table 2 Configuration items
Item: Interface Type
Description: Set the interface type, which can be Electrical port, Optical port, or None.
Item: Working Mode
Description: Set the interface to work in bridge mode or router mode. A loopback interface operates only in router mode. Before configuring an IP address for the interface, make sure the interface is configured to work in router mode.

Interface management configuration example

Network requirements

As shown in Figure 5, the Firewall connects Host A and Host B through its interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 respectively.
Figure 6 Modifying interface GigabitEthernet 0/1
• Select the Bridge mode option for the working mode item.
• Click Apply.
# Change the working mode of GigabitEthernet 0/2 into bridge. (The configuration here is the same as that for GigabitEthernet 0/1.)
# Create VLAN-interface 1. By default, VLAN 1 exists and all ports are untagged members of VLAN 1.
• On the interface management page, click Add, and make the following configurations, as shown in Figure 7.
Figure 7 Creating VLAN-interface 1
• Set the interface name to Vlan-interface1.
• Select Static Address for the IP Config item.
• Enter IP address 1.1.2.1.
• Select 24 (255.255.255.255) as the network mask.
• Click Apply.
# Assign VLAN-interface 1 to a security zone (depending on the network environment), for example, security zone Trust.
Figure 8 Assigning VLAN-interface 1 to a security zone
• Select Vlan-interface1 from the Interface Name area.
• Click Apply.
Host A and Host B can access the Firewall.
# Display the statistics on interface GigabitEthernet 0/1.
• Select Device Management > Interface from the navigation tree.
• Click interface name GigabitEthernet0/1 to view its statistics, as shown in Figure 9.
Figure 9 Displaying interface statistics

# Shut down interface GigabitEthernet 0/1.
• Click Back on the Port Statistics page.
• Click the icon corresponding to GigabitEthernet0/1.
• Click Disable at the end of the Interface Status line.
GigabitEthernet 0/1 is shut down, and Host A cannot access the Firewall.
The fiber combo port and copper combo port share one interface view, in which you can activate the fiber or copper combo port, and configure other port attributes, such as the interface rate and duplex mode. Before you configure combo interfaces, complete the following tasks: • Find out the combo interfaces on your device by checking the product specifications and identify the two physical interfaces that comprise each combo interface.
5. Set the port speed.
   Command: speed { 10 | 100 | 1000 | auto }
   Remarks: Optional. auto by default.
6. Restore the default settings for the interface.
   Command: default
   Remarks: Optional.

To configure an Ethernet subinterface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an Ethernet subinterface.
   Command: interface interface-type interface-number.subnumber
   Remarks: This command also leads you to Ethernet subinterface view.
3. Set the interface description.
   Command: description text
   Remarks: Optional.
CAUTION: Use this command with caution. After you manually shut down an Ethernet interface, the Ethernet interface cannot forward packets even if it is physically connected.

Configuring flow control on an Ethernet interface

To avoid packet drops on a link, you can enable flow control at both ends of the link.
3. Enable loopback testing.
   Command: loopback { external | internal }
   Remarks: Optional. Disabled by default.

NOTE:
• On an interface that is physically down, you can only perform internal loopback testing. On an interface administratively shut down, you can perform neither internal nor external loopback testing.
• The speed, duplex, mdi, and shutdown commands are unavailable during loopback testing.
• During loopback testing, an Ethernet interface works in full duplex mode.
2. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable subinterface rate statistics collection on the Ethernet interface.
   Remarks: Optional. By default, subinterface rate statistics collection is disabled.
5. Set the unknown unicast suppression threshold ratio.
   Command: unicast-suppression ratio
   Remarks: Optional. By default, unknown unicast traffic is not suppressed.

Configuring jumbo frame support

An Ethernet interface may receive some frames larger than the standard Ethernet frame size (called "jumbo frames") during high-throughput data exchanges such as file transfers. Usually, an Ethernet interface discards jumbo frames.
To enable the interface to communicate with its peer, make sure that its transmit pins are connected to the remote receive pins. If the interface can detect the connection cable type, set the interface in auto MDI mode. If not, set its MDI mode using the following guidelines: • When a straight-through cable is used, set the interface to work in the MDI mode different than its peer.
3. Set the MTU.
   Command: mtu size
   Remarks: Optional. 1500 bytes by default.
   • The MTU value of the 10GE interface on the interface module of the box type firewall is in the range of 46 to 1560 bytes.
   • The 10 GE interface on the inline card of the firewall supports jumbo frames, and the MTU value of the interface is in the range of 46 to 9216 bytes.
device. Note that, when you use a loopback interface address as the source address of IP packets, make sure that the route from the loopback interface to the peer is reachable by performing routing configuration. All data packets sent to the loopback interface are considered as packets sent to the device itself, so the device does not forward these packets. Because a loopback interface is always up, it can be used in dynamic routing protocols.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter null interface view.
   Command: interface null 0
   Remarks: The Null 0 interface is the default null interface on your device. It cannot be manually created or removed.
3. Set the interface description.
   Command: description text
   Remarks: Optional. By default, the description of a null interface is "interface name Interface".
4. Restore the default settings for the null interface.
   Command: default
   Remarks: Optional.
Configuring IPv4 address

NOTE:
• The IPv4 address configuration is available in the web interface and at the CLI. This chapter describes only the IPv4 address configuration at the CLI. For the IPv4 address configuration in the web interface, see the chapter "Configuring interface management."
• For the IPv6 address configuration, see the chapter "Configuring IPv6 basics."
• This chapter describes IP addressing basics and manual IP address assignment for interfaces.
Table 3 IP address classes and ranges
Class A: 0.0.0.0 to 127.255.255.255. Remarks: The IP address 0.0.0.0 is used by a host at startup for temporary communication. This address is never a valid destination address.
Class B: 128.0.0.0 to 191.255.255.255. Remarks: N/A
Class C: 192.0.0.0 to 223.255.255.255. Remarks: N/A
Class D: 224.0.0.0 to 239.255.255.255. Remarks: Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255. Remarks: Reserved for future use except for the broadcast address 255.255.255.255.
Subnetting increases the number of addresses that cannot be assigned to hosts. Therefore, using subnets means accommodating somewhat fewer hosts. For example, a Class B network without subnetting can accommodate 1022 more hosts than the same network subnetted into 512 subnets.
• Without subnetting—65,534 hosts (2^16 – 2). (The two deducted addresses are the broadcast address, which has an all-one host ID, and the network address, which has an all-zero host ID.)
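The class table and the subnetting arithmetic above are easy to get wrong by hand. The following Python is an added example (not code from the guide or from HP) that classifies an address by its first octet using the ranges of Table 3 and computes how many host addresses a network loses when it is split into equal subnets. The Class B case from the text is used as constructed sample input; it reproduces the 65,534 flat hosts and the 1,022 addresses given up by 512 subnets.

```python
import ipaddress

# First-octet boundaries of the classful ranges listed in Table 3.
_CLASSES = (("A", 0, 127), ("B", 128, 191), ("C", 192, 223),
            ("D", 224, 239), ("E", 240, 255))


def ipv4_class(addr: str) -> str:
    """Return the classful letter (A to E) for a dotted-quad IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for name, low, high in _CLASSES:
        if low <= first_octet <= high:
            return name
    raise ValueError(f"not an IPv4 address: {addr}")


def usable_hosts(prefix_len: int) -> int:
    """Host addresses assignable on one subnet with the given prefix length:
    2^(host bits) minus the all-zero network address and the all-one
    broadcast address."""
    host_bits = 32 - prefix_len
    if host_bits < 2:
        return 0            # /31 and /32 leave no conventional host range
    return 2 ** host_bits - 2


def subnetting_cost(network: str, subnet_count: int):
    """Compare using `network` flat against splitting it into `subnet_count`
    equal subnets (subnet_count must be a power of two).
    Returns (hosts_flat, hosts_subnetted, hosts_lost)."""
    net = ipaddress.IPv4Network(network, strict=True)
    extra_bits = subnet_count.bit_length() - 1
    if subnet_count < 1 or 2 ** extra_bits != subnet_count:
        raise ValueError("subnet_count must be a power of two")
    if net.prefixlen + extra_bits > 32:
        raise ValueError("too many subnets for this prefix length")
    flat = usable_hosts(net.prefixlen)
    per_subnet = usable_hosts(net.prefixlen + extra_bits)
    subnetted = subnet_count * per_subnet
    return flat, subnetted, flat - subnetted


if __name__ == "__main__":
    # Constructed sample: addresses from each class and the Class B case
    # discussed in the text (172.16.0.0/16 is a made-up example network).
    for addr in ("0.0.0.0", "172.16.1.2", "192.168.0.10", "224.0.0.1",
                 "255.255.255.255"):
        print(addr, "is class", ipv4_class(addr))
    flat, subnetted, lost = subnetting_cost("172.16.0.0/16", 512)
    print(f"flat: {flat} hosts, 512 subnets: {subnetted} hosts, lost: {lost}")
```

Each of the 512 subnets is a /25 with 126 usable hosts, so 512 × 126 = 64,512 hosts remain, 1,022 fewer than the flat /16.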
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Assign an IP address to the interface.
   Command: ip address ip-address { mask-length | mask } [ sub ]
   Remarks: No IP address is assigned by default.

IP addressing configuration example

Network requirements

As shown in Figure 12, GigabitEthernet 0/1 on the Firewall is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24.
Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring VLANs Overview Ethernet is a network technology based on the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) mechanism. As the medium is shared, collisions and excessive broadcasts are common on Ethernet networks. To address the issue, virtual LAN (VLAN) was introduced to break a LAN down into separate VLANs. VLANs are isolated from each other at Layer 2. A VLAN is a bridging domain, and all broadcast traffic is contained within it, as shown in Figure 13.
Figure 14 Traditional Ethernet frame format

IEEE 802.1Q inserts a four-byte VLAN tag after the DA&SA field, as shown in Figure 15.

Figure 15 Position and format of VLAN tag

A VLAN tag comprises the following fields:
• TPID—The 16-bit TPID field with a value of 0x8100 indicates that the frame is VLAN-tagged.
• Priority—The 3-bit priority field indicates the 802.1p priority of the frame.
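To make the tag layout concrete, here is an added Python example (not from the guide) that builds Ethernet II frames with and without an 802.1Q tag and parses them back. It shows the TPID 0x8100 sitting right after the DA and SA fields and the 16-bit TCI that follows it, split into the 3-bit priority, the 1-bit CFI and the 12-bit VLAN ID. The MAC addresses and payloads are constructed sample data.

```python
import struct

TPID_8021Q = 0x8100          # TPID value marking a VLAN-tagged frame
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: int = None, priority: int = 0) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag after DA/SA
    when a VID is given (TPID, then the 16-bit TCI: PCP[3] CFI[1] VID[12])."""
    header = dst + src
    if vid is not None:
        if not 0 <= vid <= 0xFFF or not 0 <= priority <= 7:
            raise ValueError("VID must fit in 12 bits, priority in 3 bits")
        tci = (priority << 13) | vid      # CFI bit left at 0
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse an Ethernet II header and an optional 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"priority": tci >> 13,       # 3-bit 802.1p priority
                "cfi": (tci >> 12) & 0x1,    # 1-bit CFI
                "vid": tci & 0x0FFF}         # 12-bit VLAN ID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


# Constructed sample frames (addresses and payloads are made up).
HOST_A = bytes.fromhex("000fe235dc71")
HOST_B = bytes.fromhex("000fe235abcd")
UNTAGGED_ARP = build_frame(b"\xff" * 6, HOST_A, ETHERTYPE_ARP, b"\x00" * 28)
TAGGED_IPV4 = build_frame(HOST_B, HOST_A, ETHERTYPE_IPV4,
                          b"\x45" + b"\x00" * 19, vid=100, priority=5)

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_ARP), ("tagged", TAGGED_IPV4)):
        info = parse_frame(frame)
        print(name, info["src"], "->", info["dst"], "vlan", info["vlan"],
              "ethertype", hex(info["ethertype"]))
```

A tagged frame for VLAN 100 with priority 5 carries the bytes 81 00 a0 64 at offset 12: 0x8100 is the TPID, and 0xA064 is 5 << 13 | 100. Parsers that skip the tag check read 0x8100 as the EtherType and misclassify the frame, which is why the TPID test comes before the EtherType is trusted.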
Protocols and standards
• IEEE 802.1Q, IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring VLANs in the Web interface

Configuration task list

Table 4 VLAN configuration task list
Task: Creating a VLAN. Remarks: Required.
Task: Modifying a VLAN / Modifying a port. Remarks: Select either task. Configure the untagged member ports and tagged member ports of the VLAN, or remove ports from the VLAN.
Table 5 Configuration items
Item: VLAN ID
Description: ID of the VLAN to be created. You can create a VLAN or a VLAN range.

Modifying a VLAN

Select Network > VLAN > VLAN from the navigation tree to enter the page as shown in Figure 16. In the Operation column for the VLAN you want to modify, click the icon to enter the page for modifying the VLAN, as shown in Figure 18.

Figure 18 Modifying a VLAN

Table 6 Configuration items
Item: ID
Description: Displays the ID of the VLAN to be modified.
Figure 19 Port configuration page

In the Operation column, click the icon for the port to be modified to enter the page for modifying the port, as shown in Figure 20.

Figure 20 Modify a port

Table 7 Configuration items
Item: Port. Description: Displays the port to be modified.
Item: Untagged Member VLAN. Description: Displays the VLANs to which the port belongs as an untagged member.
Item: Tagged Member VLAN. Description: Displays the VLANs to which the port belongs as a tagged member.
Item: Untagged. Description: Set the target member type of the port.
VLAN configuration example

NOTE: In this configuration example, either Device A or Device B is the firewall.

Network requirements

As shown in Figure 21, GigabitEthernet 0/1 is a hybrid port with VLAN 100 as its PVID. Assign GigabitEthernet 0/1 to VLAN 2 and VLANs 6 through 50 as an untagged member, and to VLAN 100 as a tagged member.

Figure 21 Network diagram

Configuration procedure
1.
Figure 23 Configuring the PVID of GigabitEthernet 0/1
• Select the Untagged option for Member Type.
• Enter VLAN ID 100.
• Click Apply.
# Configure GigabitEthernet 0/1 as a hybrid port and assign it to VLAN 2 and VLANs 6 through 50 as an untagged member.
• Click the icon for GigabitEthernet 0/1 in the Operation column and make the following configurations, as shown in Figure 24.
Figure 25 VLAN configuration page
• Click the icon for VLAN 100 in the Operation column and make the following configuration on the page shown in Figure 26.
Figure 26 Assigning GigabitEthernet 0/1 to VLAN 100 as a tagged member
• Find GigabitEthernet 0/1 on the port list and select the Tagged Member option for it.
• Click Apply to end the operation.
2. Configure Device B.
Configure Device B as you configure Device A.
Figure 27 Displaying the port statistics of GigabitEthernet 0/1

Configuring VLAN at the CLI

Configuring basic VLAN settings

To configure basic VLAN settings:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create VLANs.
   Command: vlan { vlan-id1 [ to vlan-id2 ] | all }
   Remarks: Optional. Use this command to create VLANs in bulk.
3. Enter VLAN view.
   Command: vlan vlan-id
   Remarks: By default, only the default VLAN (VLAN 1) exists in the system.
4. Configure a name for the VLAN.
   Command: name text
5. Configure the description of the VLAN.
   Command: description text
   Remarks: Optional. By default, the description of a VLAN is its VLAN ID, for example, VLAN 0001.

NOTE: As the default VLAN, VLAN 1 cannot be created or removed.

Configuring basic settings of a VLAN interface

For hosts of different VLANs to communicate, you must use a router or Layer 3 switch to perform Layer 3 forwarding. To achieve this, VLAN interfaces are used.
NOTE: Before creating a VLAN interface for a VLAN, create the VLAN first.

Configuring port-based VLANs

Introduction to port-based VLAN

Port-based VLANs group VLAN members by port. A port forwards traffic for a VLAN only after it is assigned to the VLAN.
• Port link type
You can configure the link type of a port as access, trunk, or hybrid. The link types use the following VLAN tag handling methods:
  • An access port belongs to only one VLAN and sends traffic untagged.
Figure 28 Port link type configuration
• PVID
By default, VLAN 1 is the PVID for all ports. You can configure the PVID for a port as required. Use the following guidelines when you configure the PVID on a port:
  • An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port. The PVID of the access port changes along with the VLAN to which the port belongs.
  • A trunk or hybrid port can join multiple VLANs, and you can configure a PVID for the port.
Port type: Access
Actions (in the inbound direction):
  Untagged frame: Tags the frame with the PVID tag.
  Tagged frame:
    • Receives the frame if its VLAN ID is the same as the PVID.
    • Drops the frame if its VLAN ID is different from the PVID.
Actions (in the outbound direction): Removes the VLAN tag and sends the frame.
Actions (in the outbound direction) for the next port type (row truncated on this page):
  • Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
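The table above gives the access-port rules; the following Python simulation is an added example (not the guide's or HP's code) that implements those rules and also the trunk and hybrid behaviour that the rest of this chapter relies on (trunk: PVID sent untagged, other permitted VLANs tagged; hybrid: per-VLAN untagged or tagged membership). It goes beyond the rows shown here, and the trunk/hybrid rules are stated from standard Comware behaviour rather than from this page. The ports are constructed: the hybrid port from the VLAN configuration example (PVID 100, untagged in VLAN 2 and 6 through 50, tagged in VLAN 100), an access port in VLAN 2, and a trunk whose PVID was never permitted, which reproduces the guideline that a port must be assigned to its PVID or it filters PVID and untagged frames.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass(frozen=True)
class Frame:
    vid: Optional[int]      # None = untagged on the wire; else the 802.1Q VID


@dataclass
class Port:
    link_type: str                                      # access, trunk or hybrid
    pvid: int = 1
    permitted: Set[int] = field(default_factory=set)    # trunk: VLANs allowed
    untagged: Set[int] = field(default_factory=set)     # hybrid: sent untagged
    tagged: Set[int] = field(default_factory=set)       # hybrid: sent tagged

    def member_vlans(self) -> Set[int]:
        if self.link_type == "access":
            return {self.pvid}
        if self.link_type == "trunk":
            return set(self.permitted)
        if self.link_type == "hybrid":
            return self.untagged | self.tagged
        raise ValueError(self.link_type)

    def ingress(self, frame: Frame) -> Optional[int]:
        """Inbound: the VLAN the frame is switched in, or None if filtered.
        An untagged frame is assigned the PVID; a tagged frame keeps its VID.
        The port must be a member of that VLAN, otherwise the frame is
        filtered out (the guide's warning about ports not assigned to their PVID)."""
        vid = self.pvid if frame.vid is None else frame.vid
        return vid if vid in self.member_vlans() else None

    def egress(self, vid: int) -> Optional[Frame]:
        """Outbound: the frame as sent on the wire, or None if not sent."""
        if vid not in self.member_vlans():
            return None
        if self.link_type == "access":
            return Frame(None)                          # always strip the tag
        if self.link_type == "trunk":
            return Frame(None) if vid == self.pvid else Frame(vid)
        return Frame(None) if vid in self.untagged else Frame(vid)


def switch(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    """Carry one frame from in_port to out_port through the VLAN rules."""
    vid = in_port.ingress(frame)
    return None if vid is None else out_port.egress(vid)


# Constructed ports (see the lead-in); names are illustrative only.
GE0_1 = Port("hybrid", pvid=100, untagged={2, *range(6, 51)}, tagged={100})
ACCESS_V2 = Port("access", pvid=2)
BAD_TRUNK = Port("trunk", pvid=100, permitted={10, 20})

if __name__ == "__main__":
    print("untagged into GE0/1 ->", GE0_1.ingress(Frame(None)))          # 100
    print("VLAN 100 out of GE0/1 ->", GE0_1.egress(100))                 # tagged
    print("VLAN 2 out of GE0/1 ->", GE0_1.egress(2))                     # untagged
    print("untagged into bad trunk ->", BAD_TRUNK.ingress(Frame(None)))  # None
```

The hybrid port shows why PVID and tagging are independent settings: an untagged frame arriving on GE0/1 is placed in VLAN 100, but VLAN 100 traffic leaves GE0/1 tagged because the port is a tagged member of that VLAN.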
2. Enter interface view.
   Command: Use either command.
   • Enter Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   Remarks:
   • The configuration made in Ethernet interface view applies only to the port.
3. Configure the link type of the ports as access.
   Command: port link-type access
4. Assign the access ports to a VLAN.
   Command: port access vlan vlan-id
2. Enter interface view.
   Command: Use either command.
   • Enter Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   Remarks:
   • The configuration made in Ethernet interface view applies only to the port.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports.
2. Enter interface view.
   Command: Use either command.
   • Enter Ethernet interface view: interface interface-type interface-number
   Remarks:
   • The configuration made in Ethernet interface view applies only to the port.
   • The configuration made in Layer 2 aggregate interface view applies to the aggregate interface and its aggregation member ports. If the system fails to apply the configuration to the aggregate interface, it stops applying the configuration to aggregation member ports.
Figure 29 Network diagram

Configuration procedure
1. Configure Firewall:
# Create VLAN 5 and assign GigabitEthernet 0/1 to it.
system-view
[Firewall] vlan 5
[Firewall-vlan5] port gigabitethernet 0/1
# Create VLAN 10 and assign GigabitEthernet 0/2 to it.
[Firewall-vlan5] vlan 10
[Firewall-vlan10] port gigabitethernet 0/2
[Firewall-vlan10] quit
# Create VLAN-interface 5 and configure its IP address as 192.168.0.10/24.
NOTE: In this configuration example, either Device A or Device B is the firewall. Network requirements As shown in Figure 30, Host A and Host C belong to Department A, and access the enterprise network through different devices. Host B and Host D belong to Department B. They also access the enterprise network through different devices. To ensure communication security and avoid broadcast storms, VLANs are configured in the enterprise network to isolate Layer 2 traffic of different departments.
Verifying the configuration
• Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A.
• Check whether the configuration is successful by displaying relevant VLAN information.
# Display information about VLANs 100 and 200 on Device A.
• As the default VLAN, VLAN 1 cannot be created or removed. • You cannot manually create or remove VLANs reserved for special purposes. • HP recommends that you set the same PVID for local and remote ports. • Make sure that a port is assigned to its PVID. Otherwise, when the port receives frames tagged with the PVID tag or untagged frames (including protocol packets such as STP BPDUs), the port filters out these frames.
Configuring the MAC address table

NOTE:
• The MAC address configuration is supported only on Layer 2 Ethernet interfaces and Layer 2 aggregate interfaces.
• This document covers only the management of static, dynamic, and blackhole unicast MAC address table entries. The management of multicast MAC address entries is not introduced here.

Overview

An Ethernet device uses a MAC address table for forwarding frames through unicast instead of broadcast.
You can manually add MAC address entries to the MAC address table of the firewall to bind specific user devices to the port. Because manually configured entries have higher priority than dynamically learned ones, this prevents hackers from stealing data using forged MAC addresses. Types of MAC address table entries A MAC address table may contain the following types of entries: • Static entries—Manually configured and never age out.
Configuring the MAC address table in the Web interface

Adding a MAC address entry

Select Network > MAC > MAC from the navigation tree to enter the MAC address table display page, as shown in Figure 32.

Figure 32 MAC address table display page

Click Add to enter the MAC address entry adding page, as shown in Figure 33.

Figure 33 Adding a MAC address entry

Table 8 Configuration items
Item: MAC
Description: MAC address to be added.
Item: Type
Description: Set the type of the MAC address entry:
• Static—Static MAC address entries that never age out.
• Dynamic—Dynamic MAC address entries that will age out.
• Blackhole—Blackhole MAC address entries that never age out.
IMPORTANT: The tab displays the following types of MAC address entries:
• Config static—Static MAC address entries manually configured by the users.
• Config dynamic—Dynamic MAC address entries manually configured by the users.
• Blackhole—Blackhole MAC address entries.
For security, add a destination blackhole MAC address entry for Host B’s MAC address, so that all packets destined for Host B will be dropped. Set the aging timer for dynamic MAC address entries to 500 seconds. Configuration procedure NOTE: Before making the following configurations, check whether GigabitEthernet 0/1 operates in router mode.
Figure 36 Creating a blackhole MAC address entry
• Enter MAC address 000f-e235-abcd.
• Select blackhole in the Type list.
• Select 1 in the VLAN list.
• Click Apply.
# Set the aging time for MAC address entries.
• Select Network > MAC > Setting from the navigation tree, and make the following configuration on the page shown in Figure 37.
Figure 37 Setting the aging time for MAC address entries
• Select the Aging Time option and enter 500 as the aging time.
• Click Apply.
Adding or modifying a MAC address table entry in system view
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Add or modify a dynamic or static MAC address entry, or add or modify a blackhole MAC address entry (use either command).
  Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
  Command: mac-address blackhole mac-address vlan vlan-id
  Remarks: Make sure that you have created the VLAN and assigned the interface to the VLAN.
Task: Display MAC address table information.
  Command: display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole ] [ vlan vlan-id ] [ count ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display the aging timer for dynamic MAC address entries.
000f-e235-dc71   1         Config static   GigabitEthernet 0/1   NOAGED
---  1 mac address(es) found  ---
# Display information about the destination blackhole MAC address table.
[Firewall] display mac-address blackhole
MAC ADDR         VLAN ID   STATE           PORT INDEX            AGING TIME(s)
000f-e235-abcd   1         Blackhole       N/A                   NOAGED
---  1 mac address(es) found  ---
# View the aging time of dynamic MAC address entries.
Configuring MSTP
As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, and also allows for link redundancy. Recent versions of STP are Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). This chapter describes the characteristics of STP, RSTP, and MSTP.

Introduction to STP
STP was developed based on the 802.
Designated bridge and designated port
Table 10 Description of designated bridges and designated ports
For a device:
  Designated bridge—A device directly connected to the local device and responsible for forwarding BPDUs to the local device.
  Designated port—The port through which the designated bridge forwards BPDUs to this device.
For a LAN:
  Designated bridge—The device responsible for forwarding BPDUs to this LAN segment.
  Designated port—The port through which the designated bridge forwards BPDUs to this LAN segment.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum time a configuration BPDU can be maintained on a device.
• Hello time—Configuration BPDU interval.
• Forward delay—The delay used by STP bridges to transit the state of the root and designated ports to forwarding.
Selection of the root bridge
• Initially, each STP-enabled device on the network assumes itself to be the root bridge, with the root bridge ID being its own device ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
Figure 40 The STP algorithm
• Initial state of each device
Table 13 Initial state of each device
Device     Port name   BPDU of port
Device A   AP1         {0, 0, 0, AP1}
           AP2         {0, 0, 0, AP2}
Device B   BP1         {1, 0, 1, BP1}
           BP2         {1, 0, 1, BP2}
Device C   CP1         {2, 0, 2, CP1}
           CP2         {2, 0, 2, CP2}
• Comparison process and result on each device
Table 14 Comparison process and result on each device
Device   Comparison process   BPDU of port after comparison
• Port AP1 receives the configuration BPDU of Device B {1, 0, 1
Device   Comparison process   BPDU of port after comparison
• Port BP1 receives the configuration BPDU of Device A {0, 0, 0, AP1}. Device B finds that the received configuration BPDU is superior to the configuration BPDU of the local port {1, 0, 1, BP1}, and updates the configuration BPDU of BP1.
• Port BP2 receives the configuration BPDU of Device C {2, 0, 2, CP2}.
Device   Comparison process   BPDU of port after comparison
After comparison:
• Because the root path cost of CP2 (9) (root path cost of the BPDU (5) plus path cost corresponding to CP2 (4)) is smaller than the root path cost of CP1 (10) (root path cost of the BPDU (0) plus path cost corresponding to CP1 (10)), the BPDU of CP2 is elected as the optimum BPDU, and CP2 is elected as the root port, the messages of which will not be changed.
• If a path becomes faulty, the root port on this path will no longer receive new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. The device will generate configuration BPDUs with itself as the root and send out the BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.
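The comparison process of Tables 13 and 14, run to convergence in Python as an added example that is not part of the HP guide. A configuration BPDU is the tuple {root bridge ID, root path cost, designated bridge ID, designated port ID} and a smaller tuple is superior; the topology and path costs (AP1-BP1 cost 5, BP2-CP2 cost 4, AP2-CP1 cost 10) are assumptions taken from the numbers quoted in the root-port comparison for Device C, since Figure 40 is not reproduced here.

```python
"""Added example: STP root bridge, root port and designated port election
over the three-device topology of the guide's STP algorithm walkthrough.
Port IDs are modelled by port name; a real port ID is priority plus number."""

# Constructed topology: (device1, port1, device2, port2, path cost of the link).
LINKS = [
    ("A", "AP1", "B", "BP1", 5),
    ("A", "AP2", "C", "CP1", 10),
    ("B", "BP2", "C", "CP2", 4),
]
DEVICE_ID = {"A": 0, "B": 1, "C": 2}   # device IDs used in the guide's tables


def build_topology(links):
    """Map each port name to (own device, peer device, peer port, path cost)."""
    ports = {}
    for d1, p1, d2, p2, cost in links:
        ports[p1] = (d1, d2, p2, cost)
        ports[p2] = (d2, d1, p1, cost)
    return ports


def run_stp(links=LINKS, max_rounds=20):
    """Return (root bridge name, port role map, port BPDU map) after the
    exchange of configuration BPDUs has stabilised."""
    ports = build_topology(links)
    # Initial state: every port carries {own ID, 0, own ID, own port} and sends it.
    bpdu = {p: (DEVICE_ID[d], 0, DEVICE_ID[d], p) for p, (d, _, _, _) in ports.items()}
    role = {p: "designated" for p in ports}
    for _ in range(max_rounds):
        changed = False
        for dev, me in DEVICE_ID.items():
            my_ports = [p for p, info in ports.items() if info[0] == dev]
            # Step 1: a port keeps the superior of its own BPDU and the one
            # received from a neighbour port that is still sending.
            for p in my_ports:
                _, _, peer_port, _ = ports[p]
                if role[peer_port] == "designated" and bpdu[peer_port] < bpdu[p]:
                    bpdu[p] = bpdu[peer_port]
                    changed = True
            # Step 2: root port = the port whose received BPDU, with the port's
            # own path cost added to the root path cost, is the optimum one.
            candidates = []
            for p in my_ports:
                r, c, db, dp = bpdu[p]
                if db != me:                       # learnt from a neighbour
                    candidates.append(((r, c + ports[p][3], db, dp), p))
            if candidates:
                (root, rpc, _, _), root_port = min(candidates)
            else:
                root, rpc, root_port = me, 0, None  # nobody superior: I am the root
            # Step 3: every other port becomes designated if the BPDU the device
            # calculates for it beats the BPDU the port holds, else it is blocked.
            for p in my_ports:
                if p == root_port:
                    new_role = "root"
                else:
                    mine = (root, rpc, me, p)
                    if mine <= bpdu[p] or bpdu[p][2] == me:
                        new_role = "designated"
                        if bpdu[p] != mine:
                            bpdu[p] = mine
                            changed = True
                    else:
                        new_role = "blocked"
                if role[p] != new_role:
                    role[p] = new_role
                    changed = True
        if not changed:
            break
    root_id = min(b[0] for b in bpdu.values())
    root_bridge = next(d for d, i in DEVICE_ID.items() if i == root_id)
    return root_bridge, role, bpdu


if __name__ == "__main__":
    root, roles, bpdus = run_stp()
    print("root bridge:", root)
    for port in sorted(roles):
        print(f"{port}: {roles[port]:10} {bpdus[port]}")
```

Device C's root path cost via CP2 comes out as 9 (5 + 4) against 10 via CP1, so CP2 is the root port and CP1 is blocked, matching the guide's comparison.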
Introduction to MSTP
Why MSTP
STP and RSTP limitations
STP does not support rapid state transition of ports. A newly elected root port or designated port must wait twice the forward delay time before transiting to the forwarding state, even if it is a port on a point-to-point link or an edge port, which directly connects to a user terminal rather than to another device or a shared LAN segment. Although RSTP supports rapid network convergence, it has the same drawback as STP.
Basic concepts in MSTP
Figure 42 Basic concepts in MSTP
All devices in Figure 42 are running MSTP. This section explains some basic concepts of MSTP based on the figure.
MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. These devices have the following characteristics:
• All are MSTP-enabled.
• They have the same region name.
• They have the same VLAN-to-MSTI mapping configuration.
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region.
VLAN-to-MSTI mapping table
As an attribute of an MST region, the VLAN-to-MSTI mapping table describes the mapping relationships between VLANs and MSTIs. In Figure 42, for example, the VLAN-to-MSTI mapping table of region A0 is: VLAN 1 is mapped to MSTI 1, VLAN 2 to MSTI 2, and the rest to CIST. MSTP achieves load balancing by means of the VLAN-to-MSTI mapping table.
During MSTP calculation, the role of a boundary port in an MSTI must be consistent with its role in the CIST. But this is not true with master ports. A master port on MSTIs is a root port on the CIST. For example, in Figure 42, if a device in region A0 is connected to the first port of a device in region D0, and the common root bridge of the entire switched network is located in region A0, the first port of that device in region D0 is the boundary port of region D0.
Port states
In MSTP, a port may be in one of the following states:
• Forwarding—The port learns MAC addresses and forwards user traffic.
• Learning—The port learns MAC addresses but does not forward user traffic.
• Discarding—The port neither learns MAC addresses nor forwards user traffic.
NOTE: A port can have different port states in different MSTIs. A port state is not exclusively associated with a port role. Table 15 lists the port states supported by each port role.
Implementation of MSTP on devices MSTP is compatible with STP and RSTP. STP and RSTP protocol packets can be recognized by devices running MSTP and used for spanning tree calculation.
Configuring an MST region
Select Network > MSTP > Region from the navigation tree to enter the page as shown in Figure 44.
Figure 44 MSTP region
Click Modify to enter the MSTP Region Configuration page, as shown in Figure 45.
Figure 45 Modifying an MSTP region
Table 17 Configuration items
Item: Region Name
Description: MST region name. The MST region name is the bridge MAC address of the device by default.
Item: Revision Level
Description: Revision level of the MST region.
Item: Manual
Configuring MSTP globally
Select Network > MSTP > Global from the navigation tree to enter the Global MSTP Configuration page, as shown in Figure 46.
Figure 46 Configuring MSTP globally
Table 18 Configuration items
Item: Enable STP Globally
Description: Whether to enable STP globally:
  • Enable—Enables STP globally.
  • Disable—Disables STP globally.
  Other MSTP configurations can take effect only after you enable STP globally.
Item: BPDU Protection
Description: Whether to enable BPDU guard globally:
  • Enable—Enables BPDU guard globally.
  • Disable—Disables BPDU guard globally.
  BPDU guard can protect the device from malicious BPDU attacks, making the network topology stable.
Description: STP can operate in STP mode, RSTP mode, or MSTP mode.
  • STP mode—All ports of the device send out STP BPDUs.
  • RSTP mode—All ports of the device send out RSTP BPDUs.
Item: Forward Delay
Description: Set the delay for the root and designated ports to transit to the forwarding state. The length of the forward delay time is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay setting is too small, temporary redundant paths may be introduced. If the forward delay setting is too big, it may take a long time for the network to converge.
Item: Instance ID
Description: ID of the MSTI to be configured.
Item: Root Type
Description: Role of the device in the MSTI:
  • Not Set—The device role is not configured.
  • Primary—Configure the device as the root bridge.
  • Secondary—Configure the device as a secondary root bridge.
  After specifying the current device as the primary root bridge or a secondary root bridge, you cannot change the priority of the device.
Figure 48 MSTP port configuration
Table 19 Configuration items
Item: Port Number
Description: Port number.
Item: STP Status
Description: Whether to enable STP on the port:
  • Enable—Enable STP on the port.
  • Disable—Disable STP on the port.
Item: Protection Type
Description: Type of protection enabled on the port:
  • Not Set—No protection is enabled on the port.
  • Edged Port, Root Protection, Loop Protection—For more information, see Table 20.
Description: Specify whether the port is connected to a point-to-point link.
Item: mCheck
Description: In a switched network, if a port on an MSTP device connects to an STP device, this port will automatically migrate to the STP-compatible mode. However, after the STP device is removed, whether the port on the MSTP device can migrate automatically to the MSTP mode depends on which of the following parameters is selected:
  • Enable—Perform mCheck. The port automatically migrates back to the MSTP mode.
  • Disable—Do not perform mCheck.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 3 are Firewall and Device A respectively, and the root bridge of MSTI 4 is Device B.
Figure 50 Configure an MST region on Firewall
• Configure the region name as example.
• Set the revision level to 0.
• Select the Manual option.
• Select 1 in the Instance ID list.
• Set the VLAN ID to 10.
• Click Apply.
• Repeat the previous steps to map VLAN 30 to MSTI 3 and VLAN 40 to MSTI 4.
• Click Activate.
# Enable MSTP globally and configure the current device as the root bridge of MSTI 1.
Figure 51 Configure global MSTP parameters on Firewall
• Select Enable from the Enable STP Globally list.
• Select MSTP from the Mode list.
• Select the Instance box.
• Set the Instance ID field to 1.
• Set the Root Type field to Primary.
• Click Apply.
3. Configure Device A:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0.
• Select MSTP from the Mode list.
• Select the Instance box.
• Set the Instance ID field to 3.
• Set the Root Type field to Primary.
• Click Apply.
4. Configure Device B:
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0. (The procedure here is the same as that of configuring an MST region on Firewall.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
 MSTID   Port                 Role   STP State    Protection
 0       GigabitEthernet0/1   DESI   FORWARDING   NONE
 0       GigabitEthernet0/2   DESI   FORWARDING   NONE
 0       GigabitEthernet0/3   DESI   FORWARDING   NONE
 1       GigabitEthernet0/2   DESI   FORWARDING   NONE
 1       GigabitEthernet0/3   ROOT   FORWARDING   NONE
 3       GigabitEthernet0/1   DESI   FORWARDING   NONE
 3       GigabitEthernet0/3   DESI   FORWARDING   NONE
# Display brief spanning tree information on Device B.
Figure 52 MSTIs corresponding to different VLANs

Configuring MSTP at the CLI
Spanning tree configuration task list
Before configuring a spanning tree, you must determine the spanning tree protocol to be used (STP, RSTP, or MSTP) and plan the device roles (the root bridge or leaf node). Complete the following tasks to configure STP:
Configuring the root bridge:
  Setting the spanning tree mode—Required. Configure the device to work in STP-compatible mode.
Configuring the leaf nodes:
  Setting the spanning tree mode—Required. Configure the device to work in STP-compatible mode.
  Configuring the device priority—Optional.
  Configuring the timeout factor—Optional.
  Configuring the maximum port rate—Optional.
  Configuring path costs of ports—Optional.
  Configuring the port priority—Optional.
  Configuring the mode a port uses to recognize/send MSTP packets—Optional.
  Enabling the spanning tree feature—Required.
  Configuring path costs of ports—Optional.
  Configuring the port priority—Optional.
  Configuring the port link type—Optional.
  Configuring the mode a port uses to recognize/send MSTP packets—Optional.
  Enabling the spanning tree feature—Required.
  Performing mCheck—Optional.
  Configuring protection functions—Optional.
Complete the following tasks to configure MSTP:
  Optional.
  Configuring the port priority—Optional.
  Configuring the port link type—Optional.
  Configuring the mode a port uses to recognize/send MSTP packets—Optional.
  Enabling the spanning tree feature—Required.
  Performing mCheck—Optional.
  Configuring Digest Snooping—Optional.
  Configuring No Agreement Check—Optional.
  Configuring protection functions—Optional.
NOTE: Whether you need to specify the MSTI or VLAN for the spanning tree configuration varies with the spanning tree modes.
• In STP-compatible or RSTP mode, do not specify any MSTI or VLAN. Otherwise, the spanning tree configuration is ineffective.
• In MSTP mode, if you specify an MSTI, the spanning tree configuration is effective for the specified MSTI. If you specify a VLAN list, the spanning tree configuration is ineffective.
Configuring the root bridge or a secondary root bridge The root bridge of a spanning tree is determined through spanning tree calculation. Alternatively, you can specify the current device as the root bridge or a secondary root bridge. A device has independent roles in different spanning trees. It can act as the root bridge in one spanning tree and as a secondary root bridge in another. However, a device cannot be the root bridge and a secondary root bridge in the same spanning tree.
You can set the priority of a device to a low value to specify the device as the root bridge of the spanning tree. A spanning tree device can have different priorities in different MSTIs. To configure the priority of a device in a specified MSTI:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the priority of the current device.
  Command (in STP/RSTP mode): stp priority priority
  Command (in MSTP mode): stp [ instance instance-id ] priority priority
  Remarks: Use either command. 32768 by default.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the network diameter of the switched network.
  Command: stp bridge-diameter diameter
  Remarks: 7 by default.
NOTE:
• Based on the network diameter you configured, the system automatically sets an optimal hello time, forward delay, and max age for the device.
• Each MST region is considered as a device and the configured network diameter is effective only for the CIST (or the common root bridge), but not for MSTIs.
Step 4. Configure the max age timer.
  Command: stp timer max-age time
  Remarks: Optional. 2000 centiseconds by default.
NOTE:
• The length of the forward delay timer is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. If the forward delay timer is too short, temporary redundant paths may be introduced. If the forward delay timer is too long, it may take a long time for the network to converge.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Ethernet interface view or Layer 2 aggregate interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the maximum rate of the ports.
  Command: stp transmit-limit limit
  Remarks: 10 by default.
NOTE: The higher the maximum port rate is, the more BPDUs will be sent within each hello time, and the more system resources will be used.
Specifying a standard for the device to use when calculating the default path cost
You can specify a standard for the device to use in automatic calculation for the default path cost. The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.
Path cost
Link speed   Port type                                         IEEE 802.1d-1998   IEEE 802.1t   Private standard
(100 Mbps)   Aggregate interface containing 4 Selected ports   19                 50,000        140
1000 Mbps    Single Port                                       4                  20,000        20
             Aggregate interface containing 2 Selected ports   4                  10,000        18
             Aggregate interface containing 3 Selected ports   4                  6666          16
             Aggregate interface containing 4 Selected ports   4                  5000          14
(The first row is the tail of the 100 Mbps block of the table; the IEEE 802.1d-1998 column, which assigns one value per link speed, is restored from that standard.)
Configuring path costs of ports
To configure the path cost of ports:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements. To configure the priority of a port or a group of ports:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Ethernet interface view or Layer 2 aggregate interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the port priority.
  Command (in STP/RSTP mode): stp port priority priority
  Command (in MSTP mode):
  Remarks: Use either command.
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets it will send based on the recognized format. You can configure the MSTP packet format on a port.
NOTE:
• To globally enable or disable the spanning tree feature, use the stp enable command or undo stp enable command in system view. To enable or disable the spanning tree feature for specific VLANs, use the stp vlan enable command or undo stp vlan enable command.
• You can disable the spanning tree feature for certain ports with the undo stp enable command to exclude them from spanning tree calculation and save CPU resources of the device.
Spanning tree implementations vary with vendors, and the configuration digests calculated using private keys are different, so devices of different vendors in the same MST region cannot communicate with each other. To enable communication between an HP device and a third-party device, enable the Digest Snooping feature on the port connecting the HP device to the third-party device in the same MST region.
Figure 53 Network diagram
2. Configuration procedure
# Enable Digest Snooping on Ethernet 1/1 of Device A and enable global Digest Snooping on Device A.
system-view
[DeviceA] interface ethernet 1/1
[DeviceA-Ethernet1/1] stp config-digest-snooping
[DeviceA-Ethernet1/1] quit
[DeviceA] stp config-digest-snooping
# Enable Digest Snooping on Ethernet 1/1 of Device B and enable global Digest Snooping on Device B.
Figure 54 Rapid state transition of an MSTP designated port
Figure 55 shows rapid state transition of an RSTP designated port.
Figure 55 Rapid state transition of an RSTP designated port
If the upstream device is a third-party device, the rapid state transition implementation may be limited.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Ethernet interface view or Layer 2 aggregate interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Enable No Agreement Check.
  Command: stp no-agreement-check
  Remarks: Disabled by default.
No Agreement Check configuration example
1. Network requirements
As shown in Figure 56, Device A connects to a third-party device that has a different spanning tree implementation. Both devices are in the same region.
The spanning tree protocol provides the BPDU guard function to protect the system against such attacks. With the BPDU guard function enabled on the devices, when edge ports receive configuration BPDUs, the system will close these ports and notify the NMS that these ports have been closed by the spanning tree protocol. Ports disabled in this way will be re-activated by the device after a detection interval. For more information about this detection interval, see Getting Started Guide.
Enabling loop guard
A device that keeps receiving BPDUs from the upstream device can maintain the state of the root port and blocked ports. However, link congestion or unidirectional link failures may cause these ports to fail to receive BPDUs from the upstream devices.
NOTE: HP does not recommend you disable this feature.

Displaying and maintaining the spanning tree
Task: Display information about ports blocked by spanning tree protection functions.
  Command: display stp abnormal-port [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display BPDU statistics on ports.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated on the access layer devices, so the root bridges of MSTI 1 and MSTI 3 are Device A and Device B respectively, and the root bridge of MSTI 4 is Device C.
# Enter MST region view, configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4 respectively, and configure the revision level of the MST region as 0.
system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp enable
6. Verify the configuration.
You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
# Display brief spanning tree information on Device A.
Figure 58 MSTIs mapped to different VLANs

Configuration guidelines
Follow these guidelines when you configure MSTP:
• Two or more MSTP-enabled devices belong to the same MST region only if they are configured with the same format selector (0 by default, not configurable), MST region name, VLAN-to-instance mapping entries in the MST region, and MST region revision level, and they are interconnected through physical links.
Configuring PPP
NOTE:
• The PPP configuration is available only at the command line interface (CLI).
• The firewall module does not support dialer interfaces.

Overview
Point-to-Point Protocol (PPP) is a link layer protocol that carries network layer packets over point-to-point links. It is widely used because it provides user authentication, supports synchronous/asynchronous communication, and allows for easy extension.
During PAP authentication, the password is transmitted on the link in plain text. In addition, the authenticatee sends the username and the password repeatedly through the established PPP link until the authentication is over. PAP is not a secure authentication protocol and cannot prevent attacks.
CHAP authentication
CHAP is a three-way handshake authentication protocol that uses a cipher-text password. Two types of CHAP authentication exist: one-way CHAP authentication and two-way CHAP authentication.
Figure 60 CHAP authentication
MS-CHAP authentication
MS-CHAP is a three-way handshake authentication protocol that uses a cipher-text password. Different from CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 in LCP option 3, Authentication Protocol, and MS-CHAP provides the authenticator-controlled authentication retry mechanism. MS-CHAP authentication operates in the following workflow:
1.
Different from CHAP, MS-CHAP-V2 is enabled by negotiating CHAP Algorithm 0x81 in LCP option 3, Authentication Protocol, provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Acknowledge packet, and supports the authentication retry and password changing mechanisms. MS-CHAP-V2 authentication operates in the following workflow:
1.
2. If the authentication (the remote verifies the local or the local verifies the remote) is configured, the PPP link goes to the Authenticate phase, where PAP, CHAP, MS-CHAP, or MS-CHAP-V2 authentication is performed.
3. If the authenticatee fails to pass the authentication, the link goes to the Terminate phase, where the link is torn down and LCP goes down. If the authenticatee passes the authentication, the link goes to the Network phase.
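The PAP and one-way CHAP exchanges described above, written out in Python as an added example that is not part of the HP guide, so that the messages each side actually puts on the link can be compared. The CHAP response is computed as RFC 1994 specifies (MD5 over the identifier, the secret and the challenge); MS-CHAP and MS-CHAP-V2 use different algorithms and are not modelled. The local-user database, the username, the password and the challenge bytes are constructed sample values.

```python
"""Added example: PAP versus one-way CHAP on a PPP link. Not the firewall's
own code; the local user store stands in for the local-user / password
configuration shown in the guide's procedures."""

import hashlib
import os

# Constructed sample local-user database on the authenticator.
LOCAL_USERS = {"userb": "pass-word-b"}


def pap_exchange(username: str, password: str):
    """PAP two-way handshake: the authenticatee sends Authenticate-Request
    carrying the password in plain text, the authenticator answers Ack/Nak."""
    link = [("Authenticate-Request", {"peer-id": username, "password": password})]
    ok = LOCAL_USERS.get(username) == password
    link.append(("Authenticate-Ack" if ok else "Authenticate-Nak", {}))
    return ok, link


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def verify_chap(username: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash with the password stored for
    the local user named in the Response and compare it."""
    expected = LOCAL_USERS.get(username)
    return expected is not None and chap_response(identifier, expected, challenge) == response


def chap_exchange(username: str, secret: str, identifier: int = 1, challenge: bytes = None):
    """One-way CHAP three-way handshake: Challenge, Response, Success/Failure.
    Only the challenge and the hash cross the link, never the secret."""
    challenge = challenge if challenge is not None else os.urandom(16)
    link = [("Challenge", {"id": identifier, "value": challenge.hex(), "name": "authenticator"})]
    # The authenticatee answers from the secret configured for its CHAP user.
    response = chap_response(identifier, secret, challenge)
    link.append(("Response", {"id": identifier, "value": response.hex(), "name": username}))
    ok = verify_chap(username, identifier, challenge, response)
    link.append(("Success" if ok else "Failure", {"id": identifier}))
    return ok, link


def password_visible_on_link(link, password: str) -> bool:
    """True if any field of any message on the link carries the clear-text password."""
    return any(password in str(v) for _, fields in link for v in fields.values())


if __name__ == "__main__":
    for name, (ok, link) in {"PAP": pap_exchange("userb", "pass-word-b"),
                             "CHAP": chap_exchange("userb", "pass-word-b")}.items():
        print(name, "ok" if ok else "failed",
              "password on link:", password_visible_on_link(link, "pass-word-b"))
        for msg, fields in link:
            print("   ", msg, fields)
```

Because each CHAP challenge is fresh, a Response captured from one handshake does not verify against a later challenge, which is the replay resistance PAP's repeated clear-text transmission lacks.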
Step 4. Configure the PPP authentication modes.
  • Configuring PAP authentication
  • Configuring CHAP authentication
  • Configuring MS-CHAP or MS-CHAP-V2 authentication
  Remarks: Optional. PPP authentication is disabled by default. You can configure several authentication modes simultaneously. In LCP negotiation, the authenticator negotiates with the authenticatee in the sequence of configured authentication modes until the LCP negotiation succeeds.
Step 7. Configure the service type of the local user as PPP.
  Command: service-type ppp
  Remarks: N/A
Step 8. Return to system view.
  Command: quit
  Remarks: N/A
Step 9. Create an ISP domain or enter an existing ISP domain view.
  Command: domain isp-name
  Remarks: Optional.
Step 10. Configure local authentication for the PPP users.
  Command: authentication ppp local
  Remarks: To configure the ppp authentication-mode command with an ISP domain specified which is not the default domain system, configure this command before configuring the ppp authentication-mode command.
Step 3. Configure the local device to authenticate the peer using CHAP.
  Command: ppp authentication-mode chap [ [ call-in ] domain isp-name ]
  Remarks: By default, PPP authentication is disabled.
Step 4. Assign a username to the CHAP authenticator.
  Command: ppp chap user username
  Remarks: The username you assign to the authenticator must be the same as the local username you assign to the authenticator on the authenticatee.
Step 5. Return to system view.
  Command: quit
  Remarks: N/A
Step 6.
Step 6. Set the password for the local user.
  Command: password { cipher | simple } password
  Remarks: The password of the authenticator user must be the same as that of the authenticatee user.
Step 7. Configure the service type of the local user as PPP.
  Command: service-type ppp
  Remarks: N/A
NOTE:
• For more information about local user configuration, see Access Control Configuration Guide.
NOTE: For more information about local user configuration and domain configuration, see Access Control Configuration Guide.
To configure the authenticatee:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Assign a username to the CHAP authenticatee.
  Command: ppp chap user username
  Remarks: The username you assign to the authenticatee must be the same as the local username you assign to the authenticatee on the authenticator.
Step 4.
Step 6. Set the password for the local user.
  Command: password { cipher | simple } password
  Remarks: N/A
Step 7. Set the service type of the local user to PPP.
  Command: service-type ppp
  Remarks: N/A
Step 8. Return to system view.
  Command: quit
  Remarks: N/A
Step 9. Create an ISP domain, or enter an existing ISP domain view.
  Remarks: Optional.
Step 10. Configure local authentication for the PPP users.
DNS address negotiation
PPP address negotiation can also determine the DNS server address. You can configure a device to allocate the DNS server address to the peer or receive the DNS server address from the peer. Normally, for a PPP link between a PC and the firewall, the firewall allocates the DNS server address, so that the PC can access the Internet directly by using domain names.
Step 2. Assign an IP address of a global address pool for the peer or specify the IP address to be allocated to the peer.
  • (Approach 1) Define a global address pool and bind it to the interface:
    a. ip pool pool-number low-ip-address [ high-ip-address ]
    b. interface virtual-template number
    c.
  Remarks: Use either approach.
Configure the local end as the client
To configure settings for DNS server address negotiation when the firewall is functioning as the client in PPP negotiation:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a VT interface and enter its view.
  Command: interface virtual-template number
  Remarks: N/A
Step 3. Enable the local end to request the peer for a DNS server address.
  Command: ppp ipcp dns request
  Remarks: By default, the firewall does not request its peer for a DNS server address.
Step 4.
Step 3. Enable PPP traffic statistics collection.
  Command: ppp account-statistics enable [ acl { acl-number | name acl-name } ]
  Remarks: Disabled by default.

Enabling the ignoring of next-hop address matching
Introduction to the ignoring of next-hop address matching
Traditional PPP links are single point-to-single point, but virtual template (VT) interface-based PPP links are typically single point-to-multiple points.
Figure 63 A PPPoA network
Enabling the ignoring of next-hop address matching
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter virtual template interface view.
  Command: interface virtual-template number
  Remarks: N/A
Step 3. Enable the ignoring of next-hop address matching.
  Command: ppp ignore match-next-hop
  Remarks: By default, the firewall matches the next-hop addresses.

Displaying and maintaining PPP
Task: Display information about an existing VT.

PPP configuration examples
NOTE: PPP works with PPPoE and L2TP. For PPP configuration examples, see the chapter "Configuring PPPoE" and VPN Configuration Guide.

Troubleshooting PPP configuration
Symptom 1
PPP authentication always fails, preventing the link from going up.
Solution
This problem may occur if the parameters for authentication are incorrect.
Symptom 3
Configure an IPv6 address on a PPP-encapsulated interface when IPv6 is disabled. The PPP link fails IPv6CP negotiation and cannot go up. After enabling IPv6, the interface still cannot go up.
Analysis
IPv6CP negotiation cannot succeed when IPv6 is disabled. As IPv6CP does not support re-negotiation, IPv6CP negotiation cannot succeed even if you enable IPv6 subsequently.
Solution
To resolve the problem, do the following:
• Enable IPv6 before configuring an IPv6 address on a PPP link.
Configuring PPPoE Feature and hardware compatibility Feature F1000-A-EI/S-EI F1000-E F5000 Firewall module Configuring the PPPoE client Yes No No No Overview PPPoE Point-to-Point Protocol over Ethernet (PPPoE) can provide access to the Internet for the hosts in an Ethernet through a remote access device and implement access control and accounting on a per-host basis.
PPPoE client dial-up software on a device. The device operates as a PPPoE client and can provide Internet access for all the hosts in a LAN using a single ADSL account, even if the hosts do not have PPPoE client software installed. Figure 64 Network diagram As shown in Figure 64, Host A and Host B are in an Ethernet and are connected to the device operating as a PPPoE client.
Figure 65 PPPoE client information Figure 66 Creating a PPPoE client Table 23 Configuration items Task Remarks Configure the number of the dialer interface. CAUTION: Dialer Interface The dialer interfaces you create on the page by selecting Device Management > Interface can also be displayed on the PPPoE client page. On this page, you can modify or remove these dialer interfaces as well. However, you cannot establish PPPoE sessions for them.
Task Remarks Configure the way the dialer interface obtains its IP address: IP Config • None—Not configure IP address. • Static Address—Statically configure an IP address and subnet mask for the interface. • PPP Negotiate—Obtain an IP address through PPP negotiation. • Unnumbered—Borrow the IP address of another interface on the same device.
Figure 68 Summary information
Table 24 Fields in the PPPoE session statistics
Field                        Description
Interface                    Ethernet interface to which the PPPoE session belongs
Session Number               PPPoE session ID
Received Packets             Number of packets received in the PPPoE session
Received Bytes               Number of bytes received in the PPPoE session
Dropped Packets (Received)   Number of received packets dropped in the PPPoE session
Sent Packets                 Number of transmitted packets in the
PPPoE client configuration example in the Web interface
Network requirements
Configure the PPPoE client on the Firewall and enable it to communicate with the PPPoE server, as shown in Figure 69.
Figure 69 Network diagram
Configuring the PPPoE client
# Create a PPPoE client.
• Select Network > PPPoE > Client from the navigation tree, click Add, and make the following configurations on the page shown in Figure 70.
Figure 70 Creating a PPPoE client
• Enter 1 as the dialer interface name.
• Select Always Online as the session type.
• Click Apply.
Configuring the PPPoE server
Enable the PPPoE protocol on the PPPoE server, configure the PPPoE username and password, and assign an IP address to the peer end of the PPP connection. (Details not shown.)
Verifying the configuration
# View the summary information about PPPoE client sessions on the PPPoE client.
• Select Network > PPPoE > Session from the navigation tree.
Figure 72 Dialer interface information
Configuring the PPPoE client at the CLI
PPPoE client configuration includes dialer interface configuration and PPPoE session configuration.
Configuring a dialer interface
Before establishing a PPPoE session, you must first create a dialer interface and configure a dialer bundle on the interface. Each PPPoE session uniquely corresponds to a dialer bundle, and each dialer bundle uniquely corresponds to a dialer interface.
Configuring a dialer interface for an IPv6 PPPoE client
Step                                            Command                   Remarks
1. Enter system view.                           system-view               N/A
2. Enable IPv6 forwarding.                      ipv6                      N/A
3. Create a dialer interface.                   interface dialer number   N/A
4. Create a dialer user.                        dialer user username      N/A
5. Specify an IPv6 address for the interface.                             Use either command.
   • Manually: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } [ link-local ]
Resetting or terminating a PPPoE session
To reset or terminate a PPPoE session:
Step                                             Command                                                  Remarks
1. Reset a PPPoE session on a PPPoE client.      reset pppoe-client { all | dial-bundle-number number }   Available in user view
2. Terminate a PPPoE session on a PPPoE client.
[Router-Virtual-Template1] ip address 1.1.1.1 255.0.0.0
[Router-Virtual-Template1] remote address 1.1.1.2
[Router-Virtual-Template1] quit
# Configure the PPPoE server.
[Router] interface GigabitEthernet 0/1
[Router-GigabitEthernet0/1] pppoe-server bind virtual-template 1
2. Configure Firewall as the PPPoE client.
[Firewall-Dialer1] quit
[Firewall] local-user user1
[Firewall-luser-user1] password simple hello
[Firewall-luser-user1] quit
# Configure the PPPoE session.
Configuring Layer 2 forwarding
Layer 2 forwarding falls into the following categories: general and inline.
Feature and hardware compatibility
Feature             F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
Inline forwarding   Yes               Yes       No      Yes
Configuring general Layer 2 forwarding
NOTE: General Layer 2 forwarding is available only at the command line interface (CLI).
• Forward type—A packet coming from one interface goes out of another. The packet is forwarded through the specified incoming and outgoing interfaces rather than by looking up the MAC address table. A complete configuration contains an ID, which uniquely identifies an inline Layer 2 forwarding entry, and two interfaces.
• Reflect type—A packet is forwarded out of the interface that received it.
Forward-type inline forwarding configuration example in the Web interface
Network requirements
Packets received on GigabitEthernet 0/1 need to be forwarded out of GigabitEthernet 0/2, and packets received on GigabitEthernet 0/2 need to be forwarded out of GigabitEthernet 0/1. Configure forward-type inline forwarding between GigabitEthernet 0/1 and GigabitEthernet 0/2.
Creating a blackhole-type inline forwarding policy
NOTE: Before configuration, make sure that GigabitEthernet 0/1 operates in bridge mode and is added to a zone.
• Select Network > Forwarding from the navigation tree. On the page, click Add to enter the page for adding an inline forwarding policy.
Figure 77 Adding a blackhole-type inline forwarding policy
• Enter policy ID 1.
• Select Blackhole as the policy type.
• Select GigabitEthernet0/1 from the Port 1 list.
• Click Apply.
CAUTION:
• An interface can belong to only one inline forwarding entry, and the last configured port inline-interfaces id command on an Ethernet interface takes effect.
• Subinterfaces can be assigned to inline Layer 2 forwarding entries. To make these entries take effect, the main interface must be assigned to the VLAN whose ID is used as the subinterface number. For example, if the subinterface GigabitEthernet 0/1.
Blackhole-type inline Layer 2 forwarding configuration example at the CLI
Network requirements
Configure blackhole-type inline Layer 2 forwarding on GigabitEthernet 0/1 so that packets received on GigabitEthernet 0/1 are dropped directly.
Configuration procedure
# Create blackhole-type inline Layer 2 forwarding entry 1.
system-view
[Sysname] inline-interfaces 1 blackhole
# Assign GigabitEthernet 0/1 to blackhole-type inline Layer 2 forwarding entry 1.
Figure 78 Frame forwarding statistics
You can click Reset to clear the statistics, and click Refresh to update the statistics on the page.
DHCP overview
NOTE: After the DHCP client is enabled on an interface, the interface can dynamically obtain an IP address and other configuration parameters from the DHCP server. This facilitates user configuration and centralized management. For more information about DHCP client configuration, see the chapter "Configuring interface management."
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices.
• Dynamic allocation—DHCP assigns an IP address to a client for a limited period of time, called a lease. Most DHCP clients obtain their addresses in this way.
Dynamic IP address allocation process
Figure 80 Dynamic IP address allocation process
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. A DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message.
DHCP message format
Figure 81 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.
Figure 81 DHCP message format (fields in transmission order; bit positions 0, 7, 15, 23 and 31 mark the 32-bit word layout)
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
• op—Message type defined in option field.
Figure 82 DHCP option format
Common DHCP options
Common DHCP options include:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option. It specifies a list of classful static routes (the destination addresses in these static routes are classful) that a client should add to its routing table. If both Option 33 and Option 121 exist, Option 33 is ignored.
• Option 53—DHCP message type option.
• Preboot Execution Environment (PXE) server address, which is used to obtain the bootfile or other control information from the PXE server.
Format of Option 43
Figure 83 Format of Option 43
Network configuration parameters are carried in different sub-options of Option 43, as shown in Figure 83. The sub-option fields are described as follows:
• Sub-option type—Type of a sub-option.
Relay agent option (Option 82) Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client’s request, it adds Option 82 to the request message and sends it to the server. The administrator can locate the DHCP client to further implement security control and accounting.
• Sub-option 2: Padded with the MAC address of the DHCP relay agent interface or the MAC address of the DHCP snooping device that received the client's request. It has the same format as in the normal padding format. See Figure 87.
Option 184
Option 184 is a reserved option, and parameters in the option can be defined as needed.
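The message layout of Figure 81, the code/length/value option format of Figure 82 and the Option 82 sub-option layout described above can be checked against captured traffic with a small decoder. The following Python is an added example, not code from this guide or from HP: it unpacks the 236-byte fixed header, walks the option area (pad 0, end 255, per RFC 2132) and splits Option 82 into its circuit ID (sub-option 1) and remote ID (sub-option 2) as defined in RFC 3046. The DHCP-DISCOVER it builds is constructed for the demonstration: the transaction ID, the circuit ID string and the remote ID MAC are made up, the client MAC reuses the one from the static-pool example in this chapter, and giaddr is set to a relay interface address, as a relay agent would when it forwards the request.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of the options area
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"     # op .. file, 236 bytes (Figure 81)
HEADER_LEN = struct.calcsize(HEADER_FMT)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_tlv(data, pad=None, end=None):
    """Decode a code(1)/length(1)/value sequence into {code: value}.

    The main option area uses pad=0 and end=255; Option 82 sub-options use
    neither, so both default to None. A truncated option raises ValueError."""
    opts = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == pad:
            i += 1
            continue
        if code == end:
            break
        if i + 2 > len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def ip_list(value):
    """Split a 4n-byte option value (Option 3, Option 6) into dotted IPv4 addresses."""
    if len(value) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def parse_dhcp(packet):
    """Return the fixed header fields plus the decoded options of one DHCP message."""
    if len(packet) < HEADER_LEN + 4 or packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing after the fixed header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, sname, file) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    opts = parse_tlv(packet[HEADER_LEN + 4:], pad=0, end=255)
    msg = {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "broadcast": bool(flags & 0x8000),   # only the top flag bit is defined
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),                   # only hlen bytes are significant
        "sname": sname.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": file.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "msg_type": MESSAGE_TYPES.get(opts[53][0]) if 53 in opts else None,
        "routers": ip_list(opts[3]) if 3 in opts else [],
        "dns": ip_list(opts[6]) if 6 in opts else [],
        "option82": None,
    }
    if 82 in opts:
        sub = parse_tlv(opts[82])   # sub-option 1 = circuit ID, 2 = remote ID
        msg["option82"] = {"circuit_id": sub.get(1), "remote_id": sub.get(2)}
    return msg


def build_sample_discover():
    """Constructed DHCP-DISCOVER as forwarded by a relay agent: hops=1, giaddr
    set to the relay interface address, Option 82 appended. Values are made up."""
    mac = bytes.fromhex("000fe2000002")
    header = struct.pack(HEADER_FMT, 1, 1, 6, 1, 0x3903F326, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         ipaddress.IPv4Address("10.10.1.1").packed,
                         mac + b"\x00" * 10, b"\x00" * 64, b"\x00" * 128)
    opt82 = b"\x01\x04GE01" + b"\x02\x06" + bytes.fromhex("000fe2aabbcc")
    options = (MAGIC_COOKIE
               + b"\x35\x01\x01"                         # Option 53: DISCOVER
               + b"\x3d\x07\x01" + mac                   # Option 61: client identifier
               + b"\x52" + bytes([len(opt82)]) + opt82   # Option 82: relay agent information
               + b"\xff")                                # end option
    return header + options


if __name__ == "__main__":
    for key, val in parse_dhcp(build_sample_discover()).items():
        print("%-9s %s" % (key, val))
```

When the server sees the constructed message, giaddr is non-zero and hops is 1, which is exactly what the pool selection rule in the next section keys on; the Option 82 values are what the server would pass back unchanged in its reply.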
Configuring DHCP server
Introduction to DHCP server
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• Many hosts need to acquire IP addresses dynamically. This may be because the number of hosts exceeds the number of assignable IP addresses, so it is impossible to assign a fixed IP address to each host. For example, an ISP has a limited number of host addresses.
• A few hosts need fixed IP addresses.
3. Otherwise, the DHCP server selects the smallest address pool that contains the IP address of the receiving interface (if the client and the server reside on the same network segment), or the smallest address pool that contains the IP address specified in the giaddr field of the client's request (if a DHCP relay agent is in between).
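To make step 3 concrete, here is an added Python example (not the guide's code and not HP's implementation) that applies the rule to a constructed set of pools: it picks the selector address (giaddr when a relay agent forwarded the request, otherwise the receiving interface's address) and returns the smallest pool containing it, which in practice is the pool with the longest prefix. The pool names and the alphabetical tie-break are assumptions; the pool layout mirrors the dynamic assignment example later in this chapter, with one /24 parent pool and two /25 subnet pools.

```python
import ipaddress

# Constructed address pools (not a running configuration from the guide).
POOLS = {
    "pool0": ipaddress.ip_network("10.1.1.0/24"),
    "pool1": ipaddress.ip_network("10.1.1.0/25"),
    "pool2": ipaddress.ip_network("10.1.1.128/25"),
}


def selector_address(receiving_ip, giaddr="0.0.0.0"):
    """Address the server matches against the pools: giaddr when the request
    came through a relay agent (giaddr non-zero), else the receiving interface IP."""
    gi = ipaddress.ip_address(giaddr)
    return gi if int(gi) != 0 else ipaddress.ip_address(receiving_ip)


def select_pool(pools, receiving_ip, giaddr="0.0.0.0"):
    """Return the name of the smallest pool containing the selector address,
    or None when no pool matches (the server then has nothing to assign)."""
    sel = selector_address(receiving_ip, giaddr)
    matches = [(name, net) for name, net in pools.items() if sel in net]
    if not matches:
        return None
    # "Smallest" pool = fewest addresses = longest prefix. Ties are broken by
    # name only to make the result deterministic (an assumption of this example).
    name, _ = min(matches, key=lambda item: (-item[1].prefixlen, item[0]))
    return name


if __name__ == "__main__":
    cases = [("10.1.1.1", "0.0.0.0"),      # directly connected client on GE0/1
             ("10.1.1.129", "0.0.0.0"),    # directly connected client on GE0/2
             ("10.1.1.1", "10.1.1.130"),   # relayed request: giaddr decides
             ("10.1.1.1", "192.168.5.1")]  # relayed from a subnet with no pool
    for rx, gi in cases:
        print("receiving=%s giaddr=%s -> %s" % (rx, gi, select_pool(POOLS, rx, gi)))
```

The last case is the one to watch in troubleshooting: a relay agent whose client-facing interface address is not covered by any pool produces silent non-assignment rather than an error on the server.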
Task                                                 Remarks
Creating a static address pool for the DHCP server   Required to configure either of the two.
IMPORTANT:
• If the DHCP server and DHCP clients are on the same subnet, make sure the address pool is on the same network segment as the interface with the DHCP server enabled; otherwise, the clients will fail to obtain IP addresses.
Figure 89 DHCP configuration page
• Select the Enable option to enable DHCP globally.
• Select the Disable option to disable DHCP globally.
Creating a static address pool for the DHCP server
Select Network > DHCP > DHCP Server from the navigation tree to enter the page shown in Figure 89. Select the Static option in the Address Pool field to view all static address pools. Click Add to enter the page shown in Figure 90.
Figure 90 Create a static address pool
Table 27 Configuration items
Item           Description
IP Pool Name   Type the name of a static address pool.
IP Address     Type an IP address and select a subnet mask for the static address pool. The IP address cannot be the IP address of any interface on the DHCP server. Otherwise, an IP address conflict may occur and the bound client cannot obtain an IP address correctly.
Mask           You can type a mask length or a mask in dotted decimal notation.
Item                  Description
WINS Server Address   Type the WINS server addresses for the client. If b-node is specified for the client, you do not need to specify any WINS server address. Up to eight WINS servers can be specified in a DHCP address pool, separated by commas.
NetBIOS Node Type     Select the NetBIOS node type for the client.
Creating a dynamic address pool for the DHCP server
Select Network > DHCP > DHCP Server from the navigation tree to enter the page shown in Figure 89.
Item                 Description
Gateway Address      Type the gateway addresses for the client. DHCP clients that want to access hosts outside the local subnet request gateways to forward data. You can specify gateways in each address pool for clients, and the DHCP server assigns gateway addresses while assigning an IP address to the client. Up to eight gateways can be specified in a DHCP address pool, separated by commas.
DNS Server Address   Type the DNS server addresses for the client.
Table 30 Field description
Field                          Description
IP Address                     Assigned IP address
Client MAC Address/Client ID   Client MAC address or client ID bound to the IP address
Pool Name                      Name of the DHCP address pool where the IP address resides
Lease Expiration               Lease time of the IP address
DHCP server configuration examples
DHCP networking involves two types:
• The DHCP server and clients are on the same subnet.
Figure 94 Enabling the DHCP service
• Select the Enable option in the DHCP Service field.
# Configure a static address pool.
• Click Add in the Address Pool field and perform the following configuration, as shown in Figure 95. By default, the Static option is selected.
Figure 95 Creating a static address pool
• Enter static-pool for IP Pool Name.
• Enter 10.1.1.5 for IP Address.
• Enter 255.255.255.128 for Mask.
• Enter 000f-e200-0002 for Client MAC Address.
• Enter 10.1.1.126 for Gateway Address.
• Enter 10.1.1.2 for DNS Server Address.
• Click Apply.
# Enable the DHCP server on GigabitEthernet 0/1. With DHCP enabled, interfaces work in DHCP server mode.
• The IP addresses of GigabitEthernet 0/1 and GigabitEthernet 0/2 on the Firewall are 10.1.1.1/25 and 10.1.1.129/25 respectively.
• Address pool 10.1.1.0/25 has an address lease duration of ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, WINS server address 10.1.1.4/25, and gateway address 10.1.1.126/25.
• Address pool 10.1.1.128/25 has an address lease duration of five days, domain name suffix aabbcc.com, DNS server address 10.1.1.2/25, and gateway address 10.1.1.
Figure 98 Enabling the DHCP service
• Select the Enable option in the DHCP Service field.
# Configure DHCP address pool 0 (address range, client domain name suffix and DNS server address).
• Select the Dynamic option in the Address Pool field and then click Add. Perform the following configuration, as shown in Figure 99.
Figure 99 Configuring DHCP address pool 0
• Enter pool0 for IP Pool Name.
• Enter 10.1.1.0 for IP Address.
• Enter 255.255.255.0 for Mask.
• Enter aabbcc.com for Client Domain Name.
• Enter 10.1.1.2 for DNS Server Address.
• Click Apply.
# Configure DHCP address pool 1 (address range, gateway, lease duration, and WINS server address).
• Click Add and perform the following configuration, as shown in Figure 100.
Figure 100 Configuring DHCP address pool 1
• Enter pool1 for IP Pool Name.
• Set Lease Duration to 10 days, 12 hours, 0 minutes, and 0 seconds.
• Enter 10.1.1.126 for Gateway Address.
• Enter 10.1.1.4 for WINS Server Address.
• Click Apply.
# Configure DHCP address pool 2 (address range, lease duration, and gateway).
• Click Add and perform the following configuration, as shown in Figure 101.
Figure 101 Configuring DHCP address pool 2
• Enter pool2 for IP Pool Name.
• Enter 10.1.1.128 for IP Address.
• Enter 255.255.255.128 for Mask.
Task                                                 Remarks
Applying an extended address pool on an interface    Required by the extended address pool configuration. When you configure a common address pool, ignore this task.
Configuring the DHCP server security functions       Optional.
Enabling Option 82 handling                          Optional.
Specifying the threshold for sending trap messages   Optional.
NOTE: A common address pool and an extended address pool differ in how the address allocation mode is configured. Configuration of other parameters (such as the domain name suffix and DNS server address) is the same for both.
Configuring an address allocation mode for a common address pool
CAUTION: You can configure either a static binding or dynamic address allocation for a common address pool, but not both. You need to specify a subnet for dynamic address allocation.
NOTE:
• Use the static-bind ip-address command together with static-bind mac-address or static-bind client-identifier to accomplish a static binding configuration.
• In a DHCP address pool, if you execute the static-bind mac-address command before the static-bind client-identifier command, the latter overwrites the former, and vice versa.
NOTE:
• In common address pool view, using the network or network ip range command repeatedly overwrites the previous configuration.
• After you exclude IP addresses from automatic allocation by using the dhcp server forbidden-ip command, neither a common address pool nor an extended address pool can assign these IP addresses through dynamic address allocation.
• Using the dhcp server forbidden-ip command repeatedly can exclude multiple IP address ranges from allocation.
domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring DNS."
To configure a domain name suffix in the DHCP address pool:
Step                                 Command                                      Remarks
1. Enter system view.                system-view                                  N/A
2. Enter DHCP address pool view.     dhcp server ip-pool pool-name [ extended ]   N/A
3. Specify a domain name suffix.     domain-name domain-name                      Not specified by default.
Step                                   Command                                              Remarks
1. Enter system view.                  system-view                                          N/A
2. Enter DHCP address pool view.       dhcp server ip-pool pool-name [ extended ]           N/A
3. Specify WINS server IP addresses.   nbns-list ip-address&<1-8>                           Required (optional for b-node). No address is specified by default.
4. Specify the NetBIOS node type.      netbios-type { b-node | h-node | m-node | p-node }   Not specified by default.
NOTE: If b-node is specified for the client, you do not need to specify any WINS server address.
Step                                                                 Command                                                Remarks
1. Enter system view.                                                system-view                                            N/A
2. Enter DHCP address pool view.                                     dhcp server ip-pool pool-name [ extended ]             N/A
3. Specify the IP address of the primary network calling processor.  voice-config ncp-ip ip-address                         Not specified by default.
4. Specify the IP address of the backup network calling processor.   voice-config as-ip ip-address
5. Configure the voice VLAN.                                         voice-config voice-vlan vlan-id { disable | enable }
6.
Step                                      Command                               Remarks
3. Specify the TFTP server.               tftp-server ip-address ip-address     Required to use either command. Not specified by default.
4. Specify the name of the TFTP server.   tftp-server domain-name domain-name
5. Specify the bootfile name.             bootfile-name bootfile-name           Not specified by default.
Configuring self-defined DHCP options
By configuring self-defined DHCP options, you can:
• Define new DHCP options. New configuration options will come out with DHCP development.
CAUTION: Be cautious when you configure self-defined DHCP options, because such configuration may affect the operation of DHCP.
Enabling DHCP
Enable DHCP before performing other configurations.
To enable DHCP:
Step                    Command       Remarks
1. Enter system view.   system-view   N/A
2. Enable DHCP.         dhcp enable   Disabled by default.
Applying an extended address pool on an interface After you create an extended address pool and apply it on an interface, the DHCP server, upon receiving a client's request on the interface, attempts to assign the client the statically bound IP address first and then an IP address from the specified address pool. If no IP address is available, address allocation fails, and the DHCP server will not assign the client any IP address from other address pools.
NOTE: With unauthorized DHCP server detection enabled, the firewall logs each detected DHCP server once. The administrator can use the log information to find unauthorized DHCP servers.
Configuring IP address conflict detection
With IP address conflict detection enabled, the DHCP server pings each IP address to be assigned by using ICMP. If the server receives a response within the specified period, the server selects and pings another IP address.
NOTE: Supporting Option 82 requires configuring both the DHCP server and the relay agent (or the device enabled with DHCP snooping). For more information, see the chapter "Configuring DHCP relay agent."
Specifying the threshold for sending trap messages
Configuration prerequisites
Before performing the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages. For more information about the command, see System Management and Maintenance Command Reference.
Task                                                        Command                                                                                                       Remarks
Display information about DHCP server statistics.           display dhcp server statistics [ | { begin | exclude | include } regular-expression ]                         Available in any view
Display tree organization information of address pool(s).   display dhcp server tree { all | pool [ pool-name ] } [ | { begin | exclude | include } regular-expression ]   Available in any view
Clear information about IP address conflicts.
Figure 102 Network diagram
Configuration procedure
• Configure the IP address of GigabitEthernet 0/1 on the Firewall.
system-view
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address 10.1.1.1 25
[Firewall-GigabitEthernet0/1] quit
• Configure the DHCP server.
# Enable DHCP.
[Firewall] dhcp enable
# Enable the DHCP server on GigabitEthernet 0/1.
Dynamic IP address assignment configuration example
Network requirements
• As shown in Figure 103, the DHCP server (Firewall) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of GigabitEthernet 0/1 and GigabitEthernet 0/2 on the Firewall are 10.1.1.1/25 and 10.1.1.129/25 respectively.
• In subnet 10.1.1.0/25, the address lease duration is ten days and twelve hours, domain name suffix aabbcc.com, DNS server address 10.1.1.
[Firewall] dhcp server forbidden-ip 10.1.1.2
[Firewall] dhcp server forbidden-ip 10.1.1.4
[Firewall] dhcp server forbidden-ip 10.1.1.126
[Firewall] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 0 (subnet, client domain name suffix, and DNS server address).
[Firewall] dhcp server ip-pool 0
[Firewall-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[Firewall-dhcp-pool-0] domain-name aabbcc.com
[Firewall-dhcp-pool-0] dns-list 10.1.1.
Figure 104 Network diagram
Configuration procedure
• Specify an IP address for interface GigabitEthernet 0/1. (Details not shown.)
• Configure the DHCP server.
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Enable the DHCP server on GigabitEthernet 0/1.
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet 0/1] dhcp select server global-pool
[Firewall-GigabitEthernet 0/1] quit
# Configure DHCP address pool 0.
[Firewall] dhcp server ip-pool 0
[Firewall-dhcp-pool-0] network 10.
c. Enter ipconfig /renew to obtain another IP address.
Configuring DHCP relay agent
Introduction to DHCP relay agent
Application environment
Because DHCP clients request IP addresses via broadcast messages, the DHCP server and clients must be on the same subnet. Therefore, a DHCP server would be needed on each subnet, which is not practical. The DHCP relay agent solves the problem: via a relay agent, DHCP clients communicate with a DHCP server on another subnet to obtain configuration parameters.
Figure 106 DHCP relay agent work process (message flow between DHCP client, DHCP relay agent and DHCP server: DHCP-DISCOVER broadcast by the client and relayed as unicast to the server; DHCP-OFFER unicast by the server and relayed to the client; DHCP-REQUEST broadcast by the client and relayed as unicast to the server; DHCP-ACK unicast by the server and relayed to the client)
As shown in Figure 106, the DHCP relay agent works as follows:
1.
If a client's requesting message has…   Handling strategy   Padding format   The DHCP relay agent will…
no Option 82                            N/A                 normal           Forward the message after adding the Option 82 padded in normal format.
no Option 82                            N/A                 verbose          Forward the message after adding the Option 82 padded in verbose format.
no Option 82                            N/A                 user-defined     Forward the message after adding the user-defined Option 82.
Task                                                     Remarks
Configuring and displaying clients' IP-to-MAC bindings   Optional. Create a static IP-to-MAC binding, and view static and dynamic bindings.
Configuring and displaying clients' IP-to-MAC bindings
The DHCP relay agent can dynamically record clients' IP-to-MAC bindings after clients get IP addresses. It also supports static bindings, that is, you can manually configure IP-to-MAC bindings on the DHCP relay agent so that users can access the external network using fixed IP addresses. By default, no static binding is created.
Figure 107 DHCP relay agent configuration page
Table 33 Configuration items
Item           Description
DHCP Service   Enable or disable global DHCP.
               Enable or disable unauthorized DHCP server detection. There are unauthorized DHCP servers on networks, which reply to DHCP clients with wrong IP addresses.
Item                       Description
Dynamic Bindings Refresh   Enable or disable periodic refresh of dynamic client entries, and set the refresh interval.
                           Via the DHCP relay agent, a DHCP client sends a DHCP-RELEASE unicast message to the DHCP server to relinquish its IP address. In this case the DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP address from its dynamic client entries. To solve this problem, the periodic refresh of dynamic client entries feature is introduced.
Figure 109 Configuring a DHCP relay agent interface
Table 35 Configuration items
Item             Description
Interface Name   This field displays the name of a specific interface.
DHCP Relay       Enable or disable the DHCP relay agent on the interface. If the DHCP relay agent is disabled, the DHCP server is enabled on the interface.
                 Enable or disable IP address check.
Figure 111 Create a static IP-to-MAC binding
Table 36 Configuration items
Item             Description
IP Address       Enter the IP address of a DHCP client.
MAC Address      Enter the MAC address of the DHCP client.
Interface Name   Select the Layer 3 interface connected with the DHCP client.
                 IMPORTANT: The interface of a static binding entry must be configured as a DHCP relay agent; otherwise, address entry conflicts may occur.
a. Select Network > DHCP > DHCP Relay from the navigation tree and perform the following configuration, as shown in Figure 113.
Figure 113 Enabling the DHCP service
b. Select the Enable option in the DHCP Service field.
c. Click Apply.
# Configure a DHCP server group.
a. In the Server Group field, click Add and perform the following configuration, as shown in Figure 114.
Figure 114 Create a DHCP server group
b. Enter 1 for Server Group ID.
c. Enter 10.1.1.1 for IP Address.
d. Click Apply.
# Enable the DHCP relay agent on GigabitEthernet 0/1.
a. In the Interface Config field, click the icon of GigabitEthernet 0/1 and perform the following configuration, as shown in Figure 115.
Figure 115 Enabling DHCP relay agent on interface GigabitEthernet 0/1
b. Select the Enable option in the DHCP Relay field.
c. Select 1 for Server Group ID.
d. Click Apply.
Enabling DHCP
Enable DHCP before performing other configurations related to the DHCP relay agent.
To enable DHCP:
Step                    Command       Remarks
1. Enter system view.   system-view   N/A
2. Enable DHCP.         dhcp enable   Disabled by default.
Enabling the DHCP relay agent on an interface
With the DHCP relay agent enabled, an interface forwards incoming DHCP requests to a DHCP server for address allocation.
To enable the DHCP relay agent on an interface:
Step                    Command       Remarks
1. Enter system view.
NOTE:
• You can specify up to twenty DHCP server groups on the relay agent.
• By executing the dhcp relay server-group command repeatedly, you can specify up to eight DHCP server addresses for each DHCP server group.
• The IP addresses of DHCP servers and those of the relay agent's interfaces that connect DHCP clients cannot be on the same subnet. Otherwise, the client cannot obtain an IP address.
NOTE:
• The dhcp relay address-check enable command can be executed only on Layer 3 Ethernet interfaces (including sub-interfaces).
• Before enabling address check on an interface, you must enable the DHCP service and enable the DHCP relay agent on the interface; otherwise, the address check configuration is ineffective.
• The dhcp relay address-check enable command only checks IP and MAC addresses, not interfaces.
Step                                             Command                    Remarks
1. Enter system view.                            system-view                N/A
2. Enable unauthorized DHCP server detection.    dhcp relay server-detect   Disabled by default.
NOTE: The relay agent logs a DHCP server only once.
4. Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests using different MAC addresses in the chaddr field to a DHCP server.
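From the defender's side, the pattern just described is visible at the relay agent's client-facing interface, where the Ethernet source MAC and the chaddr field of a genuine request normally agree and the number of distinct chaddr values per interface stays small. The following Python is an added example, not code from the guide or HP's implementation: it runs over constructed request observations, flags requests whose chaddr differs from the frame source MAC, and raises one alert per interface when more than a threshold of distinct chaddr values appears within a sliding time window. The event records, interface names, window length and threshold are assumptions made for the demonstration.

```python
from collections import defaultdict, deque


def make_sample_events():
    """Constructed observations (not guide output): (time_s, interface, frame_src_mac, chaddr)."""
    events = [
        (0.0, "GE0/1", "00:0f:e2:00:00:02", "00:0f:e2:00:00:02"),   # ordinary clients
        (1.5, "GE0/1", "00:0f:e2:00:00:03", "00:0f:e2:00:00:03"),
        (3.0, "GE0/2", "00:0f:e2:00:00:04", "00:0f:e2:00:00:04"),
    ]
    # One station on GE0/1 whose requests carry a different, made-up chaddr every time.
    for n in range(8):
        events.append((4.0 + 0.2 * n, "GE0/1", "00:0f:e2:aa:bb:cc", "02:00:00:00:00:%02x" % n))
    return events


def detect_starvation(events, window_s=10.0, max_distinct=5):
    """Return a list of alerts. Events must be in time order.

    Alert kinds:
      ("chaddr-mismatch", interface, (src_mac, chaddr)) for every request whose
          chaddr is not the frame source MAC;
      ("starvation", interface, distinct_count) once per interface when the number
          of distinct chaddr values seen within window_s seconds exceeds max_distinct."""
    alerts = []
    recent = defaultdict(deque)      # interface -> deque of (time, chaddr)
    flagged = set()
    for ts, iface, src_mac, chaddr in events:
        if src_mac.lower() != chaddr.lower():
            alerts.append(("chaddr-mismatch", iface, (src_mac, chaddr)))
        window = recent[iface]
        window.append((ts, chaddr))
        while window and ts - window[0][0] > window_s:   # drop events outside the window
            window.popleft()
        distinct = len({c for _, c in window})
        if distinct > max_distinct and iface not in flagged:
            flagged.add(iface)
            alerts.append(("starvation", iface, distinct))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. {"chaddr-mismatch": 8, "starvation": 1}."""
    counts = defaultdict(int)
    for kind, _, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_starvation(make_sample_events()):
        print(alert)
```

The two signals are complementary: the mismatch check catches forged chaddr values behind a single NIC, while the per-interface distinct count still fires when the source MAC is varied as well. A legitimate relay or some virtualization setups can also produce mismatches, so the threshold alert, not a single mismatch, is the one to act on.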
Step                           Command                                    Remarks
1. Enter system view.          system-view                                N/A
2. Enter interface view.       interface interface-type interface-number  N/A
3. Enable offline detection.   dhcp relay client-detect enable            Disabled by default.
NOTE: Removing an ARP entry manually does not remove the corresponding client's IP-to-MAC binding. When the client goes offline, use the undo dhcp relay security command to remove the IP-to-MAC binding manually.
Step                                                                                 Command                                                     Remarks
3. Enable the relay agent to support Option 82.                                      dhcp relay information enable                               Disabled by default.
4. Configure the handling strategy for requesting messages containing Option 82.     dhcp relay information strategy { drop | keep | replace }   Optional. replace by default.
5. Configure non-user-defined Option 82.
   • Configure the padding format for Option 82: dhcp relay information format { normal | verbose [ node-identifier { mac | sysname | user-defined node-identifier } ] }
Displaying and maintaining the DHCP relay agent
Task                                                                                   Command                                                                                                          Remarks
Display information about DHCP server groups correlated to a specified or all interfaces.   display dhcp relay { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]   Available in any view
Display Option 82 configuration information on the DHCP relay agent.
Figure 116 Network diagram (DHCP clients on the Firewall's GE0/1 side, 10.10.1.1/24; the Firewall, acting as DHCP relay agent, connects through GE0/2 10.1.1.2/24 to the Router's GE0/1 10.1.1.1/24; the Router is the DHCP server)
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[Firewall] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 0/1.
• The Firewall forwards DHCP requests to the DHCP server (Router) after replacing Option 82 in the requests, so that the DHCP clients can obtain IP addresses.
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[Firewall] dhcp enable
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[Firewall] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 0/1.
The relay agent interface connected to DHCP clients is correlated with a correct DHCP server group and the IP addresses of the group members are correct.
Configuring DHCP client
NOTE:
• The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces) and Layer 3 aggregate interfaces.
• You cannot configure an interface of an aggregation group as a DHCP client.
Introduction to DHCP client
With the DHCP client enabled, an interface uses DHCP to obtain configuration parameters such as an IP address from the DHCP server.
DHCP client configuration example
Network requirements
As shown in Figure 118, on a LAN, the Firewall contacts the DHCP server via GigabitEthernet 0/1 to obtain an IP address, DNS server address, and static route information. The IP address resides on network 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to network 20.1.1.0/24 is 10.1.1.2. The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 117 shows the format of Option 121.
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
• Configure the Firewall.
# Enable the DHCP client on GigabitEthernet 0/1.
system-view
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address dhcp-alloc
Verifying the configuration
# Use the display dhcp client command to view the IP address and other network parameters assigned to the Firewall.
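The hex value given to option 121 above can be verified by decoding it. The following Python is an added example, not the guide's code or HP's: it encodes and decodes Option 121 according to RFC 3442, where each route is one prefix-length byte, then only the significant octets of the destination (as many as the prefix length requires), then the 4-byte next hop, and it renders a payload in the spacing the option 121 hex command takes. Fed the guide's value 18 14 01 01 0A 01 01 02, it yields the route 20.1.1.0/24 via 10.1.1.2 stated in the network requirements; the additional routes in the driver are constructed.

```python
import ipaddress


def decode_option121(payload):
    """Decode an Option 121 payload into a list of (destination/prefix, next_hop).
    Rejects prefix lengths above 32 and descriptors cut short by the option length."""
    routes = []
    i = 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError("bad prefix length %d at offset %d" % (plen, i))
        n = (plen + 7) // 8                       # significant destination octets
        i += 1
        if i + n + 4 > len(payload):
            raise ValueError("truncated route descriptor at offset %d" % i)
        dest = payload[i:i + n] + b"\x00" * (4 - n)
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        next_hop = ipaddress.IPv4Address(payload[i + n:i + n + 4])
        routes.append((str(net), str(next_hop)))
        i += n + 4
    return routes


def encode_option121(routes):
    """Inverse of decode_option121: routes are (destination/prefix, next_hop) strings."""
    out = bytearray()
    for net_str, next_hop in routes:
        net = ipaddress.IPv4Network(net_str)
        k = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:k]
        out += ipaddress.IPv4Address(next_hop).packed
    return bytes(out)


def cli_hex(payload):
    """Render bytes as the space-separated upper-case hex the CLI command takes."""
    return " ".join("%02X" % b for b in payload)


if __name__ == "__main__":
    guide_value = bytes.fromhex("181401010A010102")       # from the command above
    print(decode_option121(guide_value))
    # Constructed: the guide's route plus a default route via the same next hop.
    both = [("20.1.1.0/24", "10.1.1.2"), ("0.0.0.0/0", "10.1.1.2")]
    print(cli_hex(encode_option121(both)))
```

A default route encodes as a single 0x00 prefix byte followed directly by the next hop, so a 13-byte payload for the two routes above is expected, not 16; clients that reject odd-looking lengths are usually tripped by a sender that pads the destination to four octets.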
Configuring BOOTP client
NOTE:
• BOOTP client configuration applies only to Layer 3 Ethernet interfaces (including sub-interfaces), Layer 3 aggregate interfaces, and VLAN interfaces.
• You cannot configure an interface of an aggregation group as a BOOTP client.
• The BOOTP client configuration is available only at the CLI.
• RFC 2132, DHCP Options and BOOTP Vendor Extensions
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
Configuring an interface to dynamically obtain an IP address through BOOTP
To configure an interface to dynamically obtain an IP address:
Step                                                                          Command                                     Remarks
1. Enter system view.                                                         system-view                                 N/A
2. Enter interface view.                                                      interface interface-type interface-number   N/A
3. Configure an interface to dynamically obtain an IP address through BOOTP.
Figure 119 Network diagram

Configuration procedure
The following describes only the configuration on the Firewall serving as a client.
# Configure GigabitEthernet 0/1 to dynamically obtain an IP address by using BOOTP.
system-view
[Firewall] interface GigabitEthernet 0/1
[Firewall-GigabitEthernet0/1] ip address bootp-alloc
# Use the display bootp client command to view the IP address assigned to the BOOTP client.
Configuring DNS

Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. There are two types of DNS services, static and dynamic. After a user specifies a name, the firewall checks the local static name resolution table for an IP address.
Figure 120 Dynamic domain name resolution
Figure 120 shows the relationship between the user program, DNS client, and DNS server. The resolver and cache comprise the DNS client. The user program and DNS client can run on the same device or on different devices, while the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache.
The DNS proxy simplifies network management. When the DNS server address is changed, you only need to change the configuration on the DNS proxy instead of on each DNS client.
Figure 121 DNS proxy networking application
The DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy, that is, the destination address of the request is the IP address of the DNS proxy.
2.
• The device connects to the PSTN/ISDN network through a dial-up interface and triggers the establishment of a dial-up connection only when packets are to be forwarded through the dial-up interface.
• The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
NOTE:
If both static domain name resolution and dynamic domain name resolution are configured, the firewall first checks the static name resolution table for an IP address. If no IP address is available, it then contacts the DNS server for dynamic name resolution.

Static name resolution table configuration task list
Task | Remarks
Configuring static name resolution entries | Required. Configure static domain name resolution entries, that is, mappings between host name and IP address.
Figure 123 Static domain name resolution configuration page
Figure 124 Creating a static domain name resolution entry
Table 37 Configuration items
Item | Description
Host Name | Host name
Host IP Address | IP address that corresponds to the host name
IMPORTANT:
Each host name corresponds to one IP address only. If you configure multiple IP addresses for a host name, the last configured one takes effect.
Figure 125 Dynamic domain name resolution configuration page
Table 38 Configuration items
Item | Description
Dynamic DNS | Enable or disable dynamic domain name resolution.
Clear Dynamic DNS cache | Remove all the information from the dynamic DNS cache.

Configuring DNS proxy
Select Network > DNS > Dynamic from the navigation tree to enter the page as shown in Figure 125.
Table 39 Configuration items
Item | Description
DNS proxy | Enable or disable DNS proxy on the device.
Figure 126 Configuring a DNS server address
Table 40 Configuration items
Item | Description
DNS Server IP Address | Enter the IP address of a DNS server.

Configuring domain name suffixes
Select Network > DNS > Dynamic from the navigation tree to enter the page as shown in Figure 125. Click Add Suffix to enter the page shown in Figure 127.
Figure 127 Configure a DNS domain name suffix
Table 41 Configuration items
Item | Description
DNS Domain Name Suffix | Enter a domain name suffix.
Figure 128 Network diagram
NOTE:
• Before performing the following configuration, make sure that the Firewall and the host are reachable to each other, and that the related configurations are done on both the Firewall and the host. For the IP addresses of the interfaces, see Figure 128.
• This configuration may vary with different DNS servers. The following configuration is performed on a PC running Windows Server 2000.

Configuring the DNS server
# Enter the DNS server configuration page.
Figure 130 Adding a host
In Figure 130, right-click zone com, and then select New Host to bring up a dialog box as shown in Figure 131. Enter host name host and IP address 3.1.1.1.
Configuring the DNS client
# Enable dynamic domain name resolution.
• Select Network > DNS > Dynamic from the navigation tree, and perform the following operations, as shown in Figure 132.
Figure 132 Enabling dynamic domain name resolution
• Select the Enable option for Dynamic DNS.
• Click Apply.
# Configure the DNS server address.
• Select Network > DNS > Dynamic from the navigation tree, and then click Add IP. Perform the following operations, as shown in Figure 133.
Figure 134 Configuring the domain name suffix
• Enter com in DNS Domain Name Suffix.
• Click Apply.

Verifying the configuration
# On the DNS client, ping the host (3.1.1.1).
[Firewall] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.
NOTE:
• The IPv4 address you last assign to the host name overwrites the previous one, if any.
• You may create up to 50 static mappings between domain names and IPv4 addresses.

Configuring dynamic domain name resolution
To send DNS queries to the correct server for resolution, dynamic domain name resolution must be enabled and a DNS server must be configured. In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution.
Step | Command | Remarks
3. Specify a DNS server. | Approach 1 (system view): dns server ip-address. Approach 2 (interface view): a. interface interface-type interface-number; b. dns server ip-address | Use either approach. No DNS server is specified by default.
NOTE:
You can specify multiple DNS servers by using the dns server command repeatedly. Upon receiving a name query request from a client, the DNS proxy forwards the request to the DNS server that has the highest priority.
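The lookup order the preceding sections describe (static table first, then the dynamic cache, then the configured servers in priority order, with the suffix appended for dynamic lookup and a 50-entry cap on static mappings) is easy to get wrong when troubleshooting. The following Python model is an added example, not the guide's or the firewall's code. It assumes, as its own simplification, that the suffix is appended only to names containing no dot and only for dynamic resolution; the DNS server and its zone data (2.1.1.2 answering for host.com, as in the later example) are constructed stand-ins, and the cache honours the TTL the server returns.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

MAX_STATIC_ENTRIES = 50     # limit stated in the static resolution NOTE

# Constructed stand-in for a DNS server: 2.1.1.2 knows host.com -> 3.1.1.1, TTL 60 s.
FAKE_ZONES: Dict[str, Dict[str, Tuple[str, int]]] = {
    "2.1.1.2": {"host.com": ("3.1.1.1", 60)},
}


def fake_query(server: str, name: str) -> Optional[Tuple[str, int]]:
    """Return (ip, ttl_seconds) or None, as a real query function would."""
    return FAKE_ZONES.get(server, {}).get(name)


class Resolver:
    """Static table first, then the dynamic cache, then servers by priority.
    Assumption of this example: the suffix is appended only to names with no
    dot, and only for the dynamic lookup."""

    def __init__(self, suffix: Optional[str] = None,
                 servers: Optional[List[str]] = None):
        self.static: Dict[str, str] = {}
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expiry)
        self.suffix = suffix
        self.servers = list(servers or [])             # first = highest priority
        self.dynamic_enabled = True

    def add_static(self, name: str, ip: str) -> None:
        if name not in self.static and len(self.static) >= MAX_STATIC_ENTRIES:
            raise ValueError("static table full (50 entries)")
        self.static[name] = ip      # a later entry overwrites the earlier one

    def clear_cache(self) -> None:  # the "Clear Dynamic DNS cache" action
        self.cache.clear()

    def _qualify(self, name: str) -> str:
        if self.suffix and "." not in name:
            return f"{name}.{self.suffix}"
        return name

    def resolve(self, name: str, query: Callable = fake_query,
                now: Optional[float] = None) -> Tuple[Optional[str], str]:
        """Return (ip, source); source is static, cache, dynamic or unresolved."""
        now = time.time() if now is None else now
        if name in self.static:
            return self.static[name], "static"
        if not self.dynamic_enabled or not self.servers:
            return None, "unresolved"
        fqdn = self._qualify(name)
        hit = self.cache.get(fqdn)
        if hit and hit[1] > now:
            return hit[0], "cache"
        for server in self.servers:                    # highest priority first
            answer = query(server, fqdn)
            if answer:
                ip, ttl = answer
                self.cache[fqdn] = (ip, now + ttl)
                return ip, "dynamic"
        return None, "unresolved"


if __name__ == "__main__":
    r = Resolver(suffix="com", servers=["2.1.1.2"])
    print(r.resolve("host", now=0.0))    # ('3.1.1.1', 'dynamic'): suffix appended, server asked
    print(r.resolve("host", now=10.0))   # ('3.1.1.1', 'cache'): answered from the cache
    r.add_static("host.com", "10.1.1.2")
    print(r.resolve("host.com", now=0.0))  # ('10.1.1.2', 'static'): static entry wins
```

Passing a server that has no answer first in the list shows the fall-through to the next server; a static entry for the same name shows why a stale static mapping silently shadows a correct dynamic one.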
Static domain name resolution configuration example

Network requirements
As shown in Figure 135, the Firewall wants to access the host by using an easy-to-remember domain name rather than an IP address. Configure static domain name resolution on the Firewall so that the Firewall can use the domain name host.com to access the host whose IP address is 10.1.1.2.
Figure 135 Network diagram

Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
Figure 136 Network diagram
NOTE:
• Before performing the following configuration, make sure that the Firewall and the host are accessible to each other via available routes, and that the IP addresses of the interfaces are configured as shown in Figure 136.
• This configuration may vary with different DNS servers. The following configuration is performed on a PC running Windows Server 2000.

Configuring the DNS server
# Enter the DNS server configuration page. Select Start > Programs > Administrative Tools > DNS.
Figure 138 Adding a host
In Figure 138, right-click zone com, and then select New Host to bring up a dialog box as shown in Figure 139. Enter host name host and IP address 3.1.1.1.
Figure 139 Adding a mapping between domain name and IP address

Configuring the DNS client
# Enable dynamic domain name resolution.
system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com

Verifying the configuration
# Use the ping host command on the Firewall to verify that the communication between the Firewall and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.2)
PING host.com (3.1.1.
Figure 140 Network diagram

Configuration procedure
NOTE:
Before performing the following configuration, assume that Device A, the DNS server, and the host are reachable to each other and that the IP addresses of the interfaces are configured as shown in Figure 140.

Configuring the DNS server
1. This configuration may vary with different DNS servers. When a Windows Server 2000 PC acts as the DNS server, see "Dynamic domain name resolution configuration example" for related configuration information.
Reply from 3.1.1.1: bytes=56 Sequence=1 ttl=126 time=3 ms
Reply from 3.1.1.1: bytes=56 Sequence=2 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring DDNS

Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address where the node no longer resides.
Configuring DDNS in the web interface

Configuration prerequisites
• Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. When the DDNS client updates the mapping between the domain name and the IP address through the DDNS server, the DDNS server checks whether the account information is correct and whether the domain name to be updated belongs to the account.
Table 42 Configuration items
Item | Description
Domain Name | Specify the DDNS entry name, which is the only identifier of the DDNS entry.
Server Provider | Select the DDNS server provider, which can be 3322.org or PeanutHull.
Server settings: Server Name | Specify the IP address of the DDNS server for domain name resolution. IMPORTANT: After the server provider is selected, the DDNS server name appears automatically. That is, if the server provider is 3322.org, the server name is members.3322.
The Firewall acquires its IP address through DHCP. Through the DDNS service provided by www.3322.org, the Firewall informs the DNS server of the latest mapping between its domain name and IP address. The IP address of the DNS server is 1.1.1.1. The Firewall uses the DNS server to translate www.3322.org into the corresponding IP address.
Figure 144 Network diagram
Figure 145 Enabling dynamic domain name resolution
2. Select the Enable option for Dynamic DNS.
3. Click Apply.
Configuring the DNS server address.
1. Select Network > DNS > Dynamic from the navigation tree, and then click Add IP. Perform the following operations, as shown in Figure 146.
Figure 146 Configuring the DNS server address
2. Enter 1.1.1.1 in DNS Server IP Address.
3. Click Apply.
Configuring DDNS.
1. Select Network > DNS > DDNS from the navigation tree, and then click Add.
Figure 147 Configuring DDNS
2. Enter 3322 in Domain Name.
3. Select 3322.org from the Server Provider list.
4. Enter steven in Username.
5. Enter nevets in Password.
6. Select GigabitEthernet0/1 from the Associated Interface list.
7. Enter whatever.3322.org in FQDN.
8. Click Apply.

Verifying the configuration
After the preceding configuration is completed, the Firewall notifies the DNS server of its new domain name-to-IP address mapping through the DDNS server provided by www.3322.
Configuring a DDNS policy
A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval. After creating a DDNS policy, you can apply it to multiple interfaces to simplify DDNS configuration. The URL addresses configured for update requests vary by DDNS server. When a DDNS client contacts a DDNS server at www.3322.
Step | Command | Remarks
3. Specify a URL address for DDNS update requests. | url request-url | By default, no URL address is specified for DDNS update requests.
4. Associate an SSL client policy with the DDNS policy. | ssl client policy policy-name | Optional. By default, no SSL client policy is associated with the DDNS policy. The SSL client policy is only effective for DDNS update requests with HTTPS URLs.
5. Specify the interval for sending update requests. | interval days [ hours [ minutes ] ] | Optional.
NOTE:
• If the DDNS service is provided by www.3322.org, the FQDN of the mapping to be updated must be specified; otherwise, the DDNS update may fail.
• If the DDNS server is a PeanutHull server and no FQDN is specified, the DDNS server updates all the domain names of the DDNS client account; if an FQDN is specified, the DDNS server updates only the mapping between the specified FQDN and the primary IP address.
system-view
[Firewall] ddns policy 3322.org
# Specify for DDNS update requests the URL address with the login ID steven and password nevets.
[Firewall-ddns-policy-3322.org] url http://steven:nevets@members.3322.org/dyndns/update?system=dyndns&hostname=&myip=<a>
# Set the interval for sending DDNS update requests to 15 minutes.
[Firewall-ddns-policy-3322.org] interval 0 0 15
[Firewall-ddns-policy-3322.org] quit
# Enable dynamic domain name resolution on the Firewall.
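The url command above carries the login ID and password inside the request URL, and the SSL client policy described earlier only protects update requests whose URL uses HTTPS. The following Python example is added here (it is neither the guide's nor the firewall's code) to show what a reviewer should check in such a URL before a policy goes live: it fills in the address placeholder, verifies that an FQDN is present in the hostname parameter (the 3322.org requirement from the NOTE that follows), flags credentials sent over plain HTTP, and produces a redacted form safe for logs. It assumes that <a> stands for the interface IP address the firewall substitutes, and it fills an empty hostname parameter from a separately supplied FQDN as its own convention; the interface address 1.1.1.5 is constructed.

```python
from typing import List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# URL template from the 3322.org example above. "<a>" is assumed here to be the
# placeholder the firewall replaces with the interface's IP address.
UPDATE_URL_TEMPLATE = ("http://steven:nevets@members.3322.org/dyndns/update"
                       "?system=dyndns&hostname=&myip=<a>")


def fill_update_url(template: str, address: str, fqdn: str) -> str:
    """Substitute the address placeholder and, if the hostname parameter is
    empty, carry the configured FQDN in it (this example's own convention)."""
    url = template.replace("<a>", address)
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if not params.get("hostname"):
        params["hostname"] = fqdn
    return urlunsplit(parts._replace(query=urlencode(params)))


def audit_update_url(url: str) -> List[str]:
    """Findings a defender wants before enabling the DDNS policy."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings: List[str] = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unsupported scheme {parts.scheme!r}")
    if (parts.username or parts.password) and parts.scheme == "http":
        findings.append("login ID and password travel in cleartext over HTTP; "
                        "use an HTTPS URL with an SSL client policy")
    if not params.get("hostname"):
        findings.append("no FQDN in the hostname parameter; 3322.org updates may fail")
    return findings


def redact_credentials(url: str) -> str:
    """The URL with login ID and password masked, for logs and tickets."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    return urlunsplit(parts._replace(netloc=f"***:***@{host}"))


if __name__ == "__main__":
    # Constructed: the interface got 1.1.1.5 and the FQDN from the web example.
    url = fill_update_url(UPDATE_URL_TEMPLATE, "1.1.1.5", "whatever.3322.org")
    print(redact_credentials(url))
    for finding in audit_update_url(url):
        print("finding:", finding)
    print(audit_update_url(url.replace("http://", "https://", 1)))   # []
```

Switching the template to https:// clears the cleartext finding, which is exactly the case in which the ssl client policy step applies.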
Figure 149 Network diagram

Configuration procedure
NOTE:
Before configuring DDNS on the Firewall, register with username steven and password nevets at http://www.oray.cn/, add the Firewall's host name-to-IP address mapping to the DNS server, and make sure that the devices are reachable to each other.
# Create a DDNS policy named oray.cn and enter its view.
system-view
[Firewall] ddns policy oray.
Configuring ARP

NOTE:
The term router in this document refers to both routers and firewalls.

Overview
ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.

ARP message format
ARP uses two types of messages, ARP request and ARP reply. Figure 150 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.
ARP operation
If Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 151, the resolution process is:
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2.
ARP table
An ARP table stores dynamic and static ARP entries.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry.
Creating a static ARP entry
Select Firewall > ARP Management > ARP Table from the navigation tree to enter the page shown in Figure 152. Click Add to enter the New Static ARP Entry page, as shown in Figure 153.
Figure 153 Adding a static ARP entry
Table 43 Configuration items
Item | Description
IP Address | Enter an IP address for the static ARP entry.
MAC Address | Enter a MAC address for the static ARP entry.
Advanced Options: VLAN ID | Enter a VLAN ID and specify a port for the static ARP entry.
Figure 154 Dynamic entry management page
• Click Disable all to disable all interfaces in the list from learning dynamic ARP entries.
• Select the boxes in front of the interfaces and click Disable selected to disable the selected interfaces from learning dynamic ARP entries.
• Click Enable all to enable all interfaces in the list to learn dynamic ARP entries.
• Select the boxes in front of the interfaces and click Enable selected to enable the selected interfaces to learn dynamic ARP entries.
Static ARP configuration example

Network requirements
As shown in Figure 156, hosts are connected to the Firewall, which is connected to the router through GigabitEthernet 0/1 belonging to VLAN 10. The IP address of the router is 192.168.1.1/24. The MAC address of the router is 00e0-fc01-0000. To enhance communication security between the Firewall and the router, a static ARP entry for the router needs to be configured on the Firewall.
• Click the icon corresponding to VLAN 10 on the VLAN page, and modify the VLAN configuration, as shown in Figure 158.
Figure 158 Modifying VLAN configuration
• Set GigabitEthernet 0/1 as an untagged member of VLAN 10.
• Click Apply.
# Configure a security zone for interface GigabitEthernet 0/1 and VLAN 10. (Details not shown)
# Create VLAN-interface 10, and assign an IP address to it.
• Click Apply.
# Create a static ARP entry.
• Select Firewall > ARP Management > ARP Table from the navigation tree and click Add to perform the configurations shown in Figure 160.
Figure 160 Creating an ARP entry
• Enter 192.168.1.1 for IP Address.
• Enter 00e0-fc01-0000 for MAC Address.
• Select the Advanced Options box.
• Enter 10 for VLAN ID.
• Select GigabitEthernet0/1 for Port.
• Click Apply.
CAUTION:
• The vlan-id argument must be the ID of an existing VLAN where the ARP entry resides. The specified Ethernet interface must belong to that VLAN. The VLAN interface of the VLAN must be created.
• The IP address of the VLAN interface of the VLAN specified by the vlan-id argument must belong to the same subnet as the IP address specified by the ip-address argument.

Configuring the maximum number of dynamic ARP entries for an interface
Step | Command | Remarks
1. Enter system view.
When dynamic ARP entry check is disabled, the firewall can learn dynamic ARP entries containing multicast MAC addresses.
To enable dynamic ARP entry check:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable dynamic ARP entry check. | arp check enable | Optional. Enabled by default.
Task | Command | Remarks
Clear ARP entries from the ARP table. | reset arp { all | dynamic | static | interface interface-type interface-number } | Available in user view
NOTE:
Clearing ARP entries from the ARP table may cause communication failures.

Static ARP entry configuration example

Network requirements
As shown in Figure 156, hosts are connected to the Firewall, which is connected to the router through interface GigabitEthernet 0/1 in VLAN 10. The IP and MAC addresses of the router are 192.168.1.
# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 0/1 in VLAN 10.
[Firewall] arp static 192.168.1.1 00e0-fc01-0000 10 GigabitEthernet 0/1
# View information about static ARP entries.
[Firewall] display arp static
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Interface
192.168.1.
Configuring gratuitous ARP

Overview
In a gratuitous ARP packet, both the sender IP address and the target IP address are the IP address of the device issuing the packet. A firewall implements the following functions by sending gratuitous ARP packets:
• Determining whether its IP address is already used by another device. After any other device receives a gratuitous ARP packet, it checks whether the IP address contained in the packet is the same as its own.
Item | Description
Send gratuitous ARP packets when receiving ARP requests from another network segment | Enable the firewall to send gratuitous ARP packets upon receiving ARP requests from another network segment.

Configuring gratuitous ARP at the CLI
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable learning of gratuitous ARP packets. | gratuitous-arp-learning enable | Optional. Enabled by default.
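The ARP material above (the request/reply format of Figure 150, the static-versus-dynamic table rules, the dynamic ARP entry check that rejects multicast sender MACs, and the gratuitous ARP test "sender IP equals target IP") fits in one small model. The following Python example is added here and is not the guide's or the firewall's code: it packs and parses the 28-byte Ethernet/IPv4 ARP body, classifies a packet as gratuitous, detects an address conflict against the device's own IP and MAC, and keeps an ARP table in which static entries neither age nor yield to learning, with the check_enabled flag standing in for arp check enable. MAC notation follows the guide (00e0-fc01-0000); the aging time and all addresses in the usage lines are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# hw type, proto type, hw len, proto len, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)        # 28 bytes
OP_REQUEST, OP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"  # device notation, e.g. 00e0-fc01-0000


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", ""))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        return self.sender_ip == self.target_ip


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       ip_bytes(sender_ip), mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(raw: bytes) -> ArpPacket:
    if len(raw) < ARP_LEN:
        raise ValueError("short ARP packet")
    hw, proto, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:ARP_LEN])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def is_multicast_mac(mac: str) -> bool:
    return bool(int(mac[:2], 16) & 1)     # I/G bit of the first octet


class ArpTable:
    """Static entries never age and are not overwritten by learning; dynamic
    entries age out and are replaced when a static entry is added."""

    def __init__(self, aging_seconds: float = 1200.0, check_enabled: bool = True):
        self.entries: Dict[str, Tuple[str, str, Optional[float]]] = {}  # ip -> (mac, S/D, expiry)
        self.aging = aging_seconds                 # constructed aging time
        self.check_enabled = check_enabled         # models "arp check enable"

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = (mac, "S", None)

    def learn(self, pkt: ArpPacket, now: float) -> bool:
        if self.check_enabled and is_multicast_mac(pkt.sender_mac):
            return False                           # dynamic ARP entry check rejects it
        current = self.entries.get(pkt.sender_ip)
        if current and current[1] == "S":
            return False                           # static entry wins
        self.entries[pkt.sender_ip] = (pkt.sender_mac, "D", now + self.aging)
        return True

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, kind, expiry = entry
        if kind == "D" and expiry is not None and expiry <= now:
            del self.entries[ip]                   # aging timer expired
            return None
        return mac


def ip_conflict(pkt: ArpPacket, my_ip: str, my_mac: str) -> bool:
    """A gratuitous ARP for our own IP from another MAC: the address is in use elsewhere."""
    return pkt.is_gratuitous() and pkt.sender_ip == my_ip and pkt.sender_mac != my_mac


if __name__ == "__main__":
    pkt = parse_arp(build_arp(OP_REQUEST, "00e0-fc01-0000", "192.168.1.1",
                              "0000-0000-0000", "192.168.1.1"))
    print(pkt.is_gratuitous(), ip_conflict(pkt, "192.168.1.1", "0000-5e00-0101"))  # True True
```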
Configuring proxy ARP

NOTE:
The proxy ARP configuration is available only at the CLI.

Overview
Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP allows communication when a sending host considers the receiving host to be on the same subnet, but the receiving host actually resides on a different subnet.
• Local proxy ARP allows communication between hosts that reside on the same subnet but are isolated at Layer 2.
Local proxy ARP
As shown in Figure 164, Host A and Host B belong to VLAN 2, but are isolated at Layer 2. Host A connects to Ethernet 1/3 while Host B connects to Ethernet 1/1. Enable local proxy ARP on Router to allow Layer 3 communication between the two hosts.
Figure 164 Application environment of local proxy ARP
Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter interface view. | interface interface-type interface-number | N/A
3. Enable local proxy ARP. | local-proxy-arp enable [ ip-range startIP to endIP ] | Disabled by default.

Displaying and maintaining proxy ARP
Task | Command | Remarks
Display whether proxy ARP is enabled.
Figure 165 Network diagram

Configuration procedure
# Specify the IP address of interface GigabitEthernet 0/2.
system-view
[Firewall] interface GigabitEthernet 0/2
[Firewall-GigabitEthernet0/2] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 0/2.
[Firewall-GigabitEthernet0/2] proxy-arp enable
[Firewall-GigabitEthernet0/2] quit
# Specify the IP address of interface GigabitEthernet 0/1.
Figure 166 Network diagram
NOTE:
In this configuration example, suppose all traffic between the hosts is blocked, so you need to configure local proxy ARP on GigabitEthernet 0/2 of the Firewall to enable communication between Host A and Host B. If the two ports (Ethernet 1/3 and Ethernet 1/1) on the switch are isolated only at Layer 2, you can enable communication between the two hosts by configuring local proxy ARP on VLAN-interface 2 of the switch.
The ping operation from Host A to Host B is successful after the configuration.

Local proxy ARP configuration example in isolate-user-VLAN

Network requirements
As shown in Figure 167, the switch is attached to the Firewall. VLAN 5 on the switch is an isolate-user-VLAN, which includes uplink port Ethernet 1/2 and two secondary VLANs, VLAN 2 and VLAN 3. Ethernet 1/3 belongs to VLAN 2, and Ethernet 1/1 belongs to VLAN 3. Host A belongs to VLAN 2 and connects to Ethernet 1/3 of the switch.
Configuring the Firewall
# Specify the IP address of GigabitEthernet 0/2.
system-view
[Firewall] interface GigabitEthernet 0/2
[Firewall-GigabitEthernet0/2] ip address 192.168.10.100 255.255.0.0
The ping operation from Host A to Host B is unsuccessful because they are isolated at Layer 2.
# Configure local proxy ARP to implement Layer 3 communication between Host A and Host B.
Configuring QoS

Feature and hardware compatibility
Feature | F1000-A-EI/S-EI | F1000-E | F5000 | Firewall module
Configuring the port bandwidth limit | Yes | No | No | No
Configuring line rate in the Web interface | Yes | No | No | No

Overview
In data communications, Quality of Service (QoS) is the ability of a network to provide differentiated service guarantees for diversified traffic regarding bandwidth, delay, jitter, and drop rate. Network resources are always scarce.
DiffServ model
The differentiated service (DiffServ) model is a multiple-service model that can satisfy diverse QoS requirements. It is easy to implement and extend. DiffServ does not signal the network to reserve resources before sending data, as IntServ does. All QoS techniques in this document are based on the DiffServ model.

QoS techniques
The QoS techniques include traffic classification, traffic policing, traffic shaping, line rate, congestion management, and congestion avoidance.
QoS processing flow in a device
Figure 169 briefly describes how the QoS module processes traffic:
1. The traffic classifier identifies and classifies traffic for subsequent QoS actions.
2. The QoS module takes various QoS actions on classified traffic as configured, depending on the traffic processing phase and network status.
A class is identified by a class name and contains match criteria for traffic identification. The relationship between the criteria is AND or OR.
• AND: A packet is considered to belong to a class only when the packet matches all the criteria in the class.
• OR: A packet is considered to belong to a class if it matches any of the criteria in the class.
A match criterion in a class can be any of the following:
2.
• Mean rate—Rate at which tokens are put into the bucket, or the permitted average rate of traffic. It is usually set to the committed information rate (CIR).
• Burst size—The capacity of the token bucket, or the maximum traffic size permitted in each burst. It is usually set to the committed burst size (CBS). The set burst size must be greater than the maximum packet size.
Evaluation is performed for each arriving packet.
Congestion management

Causes, impacts, and countermeasures of congestion
Congestion occurs on a link or node when the traffic size is so large that the processing capability of the link or node is exceeded. It is typical of a statistical multiplexing network and can be caused by link failure, insufficient resources, and various other causes.
Figure 172 FIFO queuing
As shown in Figure 172, First In First Out (FIFO) uses a single queue and does not classify traffic or schedule queues. FIFO delivers packets in their arrival order, the earliest-arriving packet being scheduled first. The only concern of FIFO is queue length, which affects delay and packet loss rate. On a device, resources are assigned to packets depending on their arrival order and the load status of the device. The best-effort service model uses FIFO queuing.
• Short packets and long packets are fairly scheduled: if both long packets and short packets exist in queues, statistically the short packets are scheduled preferentially to reduce the jitter between packets on the whole.
Compared with FQ, WFQ takes weights into account when determining the queue scheduling order. Statistically, WFQ gives high-priority traffic more scheduling opportunities than low-priority traffic.
• Match packets with classification rules in a class in the configuration order.

Congestion management technology comparison
Table 45 Congestion management technology comparison
Type | Number of queues | Advantages | Disadvantages
• All packets are treated equally. The available bandwidth, delay, and drop probability are determined by the arrival order of packets.
With line rate configured on an interface, all packets to be sent through the interface are first handled by the token bucket at line rate. If the token bucket has enough tokens, packets can be forwarded; otherwise, packets are put into QoS queues for congestion management. In this way, the traffic passing through the physical interface is controlled.
Task | Remarks
Applying the policy to an interface | Required. Apply the QoS policy to the specified interface.
CAUTION:
• With CBQ configured on an interface, you can set the maximum available interface bandwidth, which can be used for bandwidth check when CBQ enqueues packets. For more information, see "Configuring port bandwidth limit.
Figure 176 Creating a class
Table 47 Configuration items
Item | Description
Classifier Name | Specify a name for the classifier to be created.
Operation Type | Specify the logical relationship between rules in the classifier. The following options are available:
• And—Specifies the relationship between the rules in a class as logical AND. The firewall considers a packet as belonging to a class only when the packet matches all the rules in the class.
Figure 178 Creating a classification rule for a class
Table 48 Configuration items
Item | Description
Classifier Name | Displays the name of the class you are configuring.
ACL | Define an ACL-based match criterion, and specify the ACL by number. You can select or enter an ACL number. The available ACLs are those configured in Firewall > ACL. For how to configure an ACL, see Access Control Configuration Guide.
Figure 179 Create a behavior
Table 49 Configuration items
Item | Description
Behavior Name | Specify a name for the behavior to be created.
2. Configure actions for the traffic behavior
Click the icon in the Operation column for the traffic behavior on the behavior list to enter the page for configuring actions for the traffic behavior, as shown in Figure 180.
Table 50 Configuration items
Item | Description
Behavior Name | Name of the traffic behavior being configured.
CAR | Configure CAR for data packets.
CAR: Enable/Disable | Enable or disable CAR.
CAR: CIR | Set the committed information rate (CIR), the average traffic rate.
CAR: CBS | Set the committed burst size (CBS), the number of bits that can be sent in each interval.
IMPORTANT:
For bursty traffic to be handled effectively, make sure that the ratio of CBS to CIR is at least 100:16.
Item | Description
WFQ | Configure WFQ by entering the total number of fair queues, which must equal two to the power of an integer. IMPORTANT: A traffic behavior configured with WFQ can only be associated with a system-defined class. IMPORTANT: The firewall does not support queuing configuration.
Filter | Configure the packet filtering action for data packets:
• Permit—Forwards the packet.
• Deny—Drops the packet.
• Not Set—Cancels the packet filtering action.
Figure 182 Associating a classifier with a behavior
Table 52 Configuration items
Item | Description
Policy Name | Name of the policy being configured.
Classifier Name, Behavior Name | Associate an existing class with an existing behavior.

Applying the policy to an interface
Select Firewall > QoS > Apply from the navigation tree to enter the page for displaying policies applied to interfaces, as shown in Figure 183.
Table 53 Configuration items
Item | Description
Interface Name | Specify the interface to which the policy is to be applied.
Policy Name | Select the QoS policy to be applied.
Direction | Specify the direction in which the policy is to be applied.
• Inbound—Applies the policy to the incoming packets on the specified interface.
• Outbound—Applies the policy to the outgoing packets on the specified interface.
Table 54 Configuration items
Item | Description
Bandwidth Limit | Enable or disable port bandwidth limit for selected ports.
Max Bandwidth | Set the maximum available port bandwidth. HP recommends that you set the maximum available port bandwidth to be smaller than the actual available bandwidth of the physical interface or logical link.
Select the port or ports to be configured with port bandwidth limit from the port list.
2. Create a class and enter class view. | traffic classifier tcl-name [ operator { and | or } ] | By default, the operator of a class is AND. The operator of a class can be AND or OR.
• AND—A packet is assigned to a class only when the packet matches all the criteria in the class.
• OR—A packet is assigned to a class if it matches any of the criteria in the class.
3. Configure match criteria.
To apply the QoS policy to an interface:
Step | Command
1. Enter system view. | system-view
2. Enter interface view. | interface interface-type interface-number
3. Apply the policy to the interface. | qos apply policy policy-name { inbound | outbound }

Displaying and maintaining QoS policies
Task | Command | Remarks
Display traffic class configuration.
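The class, behavior and policy procedure above, together with the token bucket description earlier in this chapter, is small enough to model end to end. The following Python example is added here; it is neither the guide's nor the firewall's code. It implements an ACL-style source match with a wildcard mask, a classifier with the and/or operator, a single-rate token bucket for CAR (exceeding traffic dropped) and for line rate (exceeding traffic queued), the filter permit/deny action, a policy that applies the first matching classifier-behavior pair, and the two parameter checks the text gives (CBS:CIR of at least 100:16, CBS larger than the largest packet). It assumes its own units (CIR in kbps, CBS and packet sizes in bytes), and builds the CAR example that follows (Server 1.1.1.1 via ACL 2000 at CIR 50, CBS 4000; Host at CIR 8) with the Host address and CBS constructed because they are not on the page.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]   # constructed packets: {"src": ip, "size": bytes, "t": seconds}


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def acl_source_rule(rule_ip: str, wildcard: str) -> Callable[[Packet], bool]:
    """ACL rule in the 'source 1.1.1.1 0.0.0.0' style: wildcard bits set to 1 are ignored."""
    keep = ~ip_to_int(wildcard) & 0xFFFFFFFF
    want = ip_to_int(rule_ip) & keep
    return lambda p: (ip_to_int(str(p["src"])) & keep) == want


@dataclass
class Classifier:
    name: str
    rules: List[Callable[[Packet], bool]]
    operator: str = "and"                      # traffic classifier ... operator { and | or }

    def matches(self, p: Packet) -> bool:
        results = [r(p) for r in self.rules]
        return all(results) if self.operator == "and" else any(results)


@dataclass
class TokenBucket:
    """Single-rate bucket: tokens arrive at CIR, the bucket holds at most CBS.
    A packet conforms if the bucket holds at least its size in tokens.
    Units are this example's choice: CIR in kbps, CBS and packets in bytes."""
    cir_kbps: float
    cbs_bytes: int
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.cbs_bytes)    # bucket starts full

    def conforms(self, size: int, now: float) -> bool:
        refill = (now - self.last) * self.cir_kbps * 1000 / 8
        self.tokens = min(self.cbs_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def check_car_parameters(cir_kbps: float, cbs_bytes: int, max_packet: int) -> List[str]:
    """The two checks given in the text: CBS:CIR at least 100:16, CBS above the largest packet."""
    issues: List[str] = []
    if cbs_bytes / cir_kbps < 100 / 16:
        issues.append("CBS:CIR below 100:16")
    if cbs_bytes <= max_packet:
        issues.append("CBS not greater than maximum packet size")
    return issues


@dataclass
class Behavior:
    name: str
    car: Optional[TokenBucket] = None
    exceed_action: str = "drop"                # "drop" for CAR, "queue" for line rate
    filter_action: Optional[str] = None        # "permit", "deny" or None (not set)

    def apply(self, p: Packet) -> str:
        if self.filter_action == "deny":
            return "drop"
        if self.car is not None and not self.car.conforms(int(p["size"]), float(p["t"])):
            return self.exceed_action
        return "forward"


@dataclass
class Policy:
    pairs: List[Tuple[Classifier, Behavior]]   # classifier-behavior associations, in order

    def process(self, p: Packet) -> str:
        for cls, beh in self.pairs:            # first matching class wins
            if cls.matches(p):
                return beh.apply(p)
        return "forward"                       # unclassified traffic passes untouched


def build_example_policy() -> Policy:
    """The CAR example: Server (1.1.1.1, ACL 2000) at CIR 50 / CBS 4000 and Host at CIR 8.
    Host's address 1.1.1.2 and CBS 1000 are constructed; they are not on the page."""
    server = Classifier("classifier_server", [acl_source_rule("1.1.1.1", "0.0.0.0")])
    host = Classifier("classifier_host", [acl_source_rule("1.1.1.2", "0.0.0.0")])
    return Policy([(server, Behavior("behavior_server", TokenBucket(50, 4000))),
                   (host, Behavior("behavior_host", TokenBucket(8, 1000)))])


def run(policy: Policy, packets: List[Packet]) -> List[str]:
    return [policy.process(p) for p in packets]


if __name__ == "__main__":
    burst = [{"src": "1.1.1.1", "size": 1000, "t": 0.0}] * 5    # constructed 5-packet burst
    print(run(build_example_policy(), burst))   # 4 forward, then drop: CBS 4000 exhausted
    print(check_car_parameters(50, 4000, 1500))  # []
```

At CIR 50 kbps the bucket refills 6250 bytes per second, so a second burst one second later again passes four 1000-byte packets and drops the fifth; changing exceed_action to "queue" turns the same bucket into the line rate behaviour described earlier, where the excess is queued instead of dropped.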
Figure 187 Configuring line rate on a port
Table 55 Configuration items
Item | Description
Please select an interface type | Select the interface type to be configured with line rate.
Rate Limit | Enable or disable line rate on the specified port.
Direction | Select a direction in which the line rate is to be applied.
CIR | Set the committed information rate (CIR), which is the average traffic rate.
CBS | Set the committed burst size (CBS), which is the number of bits that can be sent in each interval.
QoS configuration examples

CAR configuration example

Network requirements
As shown in Figure 188, Server and Host can access the Internet through Firewall. Perform traffic control on GigabitEthernet 1/0/1 of Firewall for traffic received from Server and Host respectively:
• Limit the rate of traffic from Server to 54 kbps: transmit the conforming traffic but drop the exceeding traffic.
• Limit the rate of traffic from Host to 8 kbps: transmit the conforming traffic but drop the exceeding traffic.
  • Click Apply.
  • Click the icon for ACL 2000 on the ACL list, and click Add. Perform configuration on the page shown in Figure 190.
Figure 190 Configuring rules for ACL 2000
  • Select Permit from the Operation list.
  • Select the Source IP Address box, enter 1.1.1.1 as the source IP address, and 0.0.0.0 as the source wildcard.
  • Click Apply.
# Configure ACL 2001 to match traffic from Host.
  • Enter 2001 as the ACL number.
  • Click Apply.
  • Click Apply.
  • Click the icon for classifier_server on the classifier list, and click Add. Perform configuration on the page shown in Figure 192.
Figure 192 Configuring rules for class classifier_server
  • Select the ACL option, and then select 2000 from the list.
  • Click Apply.
# Create a class named classifier_host, and reference ACL 2001 in the class.
  • Enter classifier_host as the classifier name.
  • Click Apply.
  • Click the icon for behavior_server on the behavior list, and perform configuration on the page shown in Figure 194.
Figure 194 Configuring actions for behavior behavior_server
  • Select the CAR box.
  • Enter 50 in the CIR field.
  • Select the CBS option, and then enter 4000.
  • Click Apply.
The configuration progress dialog box as shown in Figure 195 appears.
Figure 195 Configuration progress dialog box
  • When OK appears, click Close.
# Create a behavior named behavior_host, and configure CAR for the behavior.
  • On the page displaying behaviors, click Add. Perform configuration on the page shown in Figure 193.
  • Enter behavior_host as the behavior name.
  • Click Apply.
  • Click the icon for behavior_host on the behavior list, and perform configuration on the page shown in Figure 194.
  • Select the CAR option.
  • Enter 8 in the CIR field.
Figure 197 Configuring class-behavior associations for the policy named policy
  • Select classifier_server from the Classifier Name list.
  • Select behavior_server from the Behavior Name list.
  • Click Apply.
  • Select policy from the Policy Name list and then click Add Relation. Perform configuration on the page shown in Figure 197.
  • Select classifier_host from the Classifier Name list.
  • Select behavior_host from the Behavior Name list.
  • Click Apply.
5. Apply the policy to an interface.
Traffic source   Destination   Processing priority
Host A, B        Mail server   Medium
Host A, B        File server   Low

Figure 199 Network diagram

Configuration procedure
1. Configure ACLs:
# Configure ACL 3000 to match packets with destination address 192.168.0.1.
  • Select Firewall > ACL from the navigation tree and then click Add. Perform configuration on the page as shown in Figure 200.
Figure 200 Creating ACL 3000
  • Enter the ACL number 3000.
  • Select Config from the Match Order list.
  • Click Apply.
Figure 201 Configuring rules for ACL 3000
  • Select Permit from the Operation list.
  • Select the Destination IP Address box, and enter IP address 192.168.0.1 and destination wildcard 0.0.0.0.
  • Click Apply.
# Configure ACL 3001 to match packets with destination address 192.168.0.2.
  • Select Firewall > ACL from the navigation tree and then click Add. Perform configuration on the page shown in Figure 200.
  • Enter the ACL number 3001.
  • Click Apply.
  • Click the icon for ACL 3002 on the ACL list and click Add. Perform configuration on the page shown in Figure 201.
  • Select Permit from the Operation list.
  • Select the Destination IP Address box, and enter IP address 192.168.0.3 and destination wildcard 0.0.0.0.
  • Click Apply.
2. Configure classes:
# Configure class classifier_dbserver to match packets based on ACL 3000.
  • Select Firewall > QoS > Classifier from the navigation tree and then click Add.
  • Select classifier_mserver on the classifier list and click its icon. Click Create, and perform configuration on the page shown in Figure 203.
  • Select the ACL option and select ACL 3001.
  • Click Apply.
# Configure class classifier_fserver to match packets based on ACL 3002.
  • Select Firewall > QoS > Classifier from the navigation tree and then click Add. Perform configuration on the page shown in Figure 202.
  • Enter the class name classifier_fserver.
  • Click Apply.
Figure 205 Configuring actions for traffic behavior behavior_dbserver
  • Select the Dot1p box, and then select 4 from its list.
  • Click Apply.
The configuration progress dialog box as shown in Figure 206 appears.

  • After OK appears, click Close.
# Configure traffic behavior behavior_mserver to mark packets with local precedence 3.
  • Select Firewall > QoS > Behavior from the navigation tree and then click Add. Perform configuration on the page shown in Figure 204.
  • Enter the behavior name behavior_mserver.
  • Click Apply.
  • Click the icon for behavior_mserver on the behavior list, and perform configuration on the page shown in Figure 205.
  • Select the Dot1p box, and then select 3 from its list.
Figure 208 Configuring class-behavior associations for policy policy_server
  • Select class_dbserver in the Classifier Name list.
  • Select behavior_dbserver in the Behavior Name list.
  • Click Apply.
  • Select policy_server from the Policy Name list above the policy list and then click Add Relation. Perform configuration on the page shown in Figure 208.
  • Select class_mserver in the Classifier Name list.
  • Select behavior_mserver in the Behavior Name list.
  • Click Apply.
Packet filtering configuration example

Network requirements
As shown in Figure 210, configure a QoS policy to filter the incoming packets whose TCP source port is not 21 on GigabitEthernet 0/1.

Figure 210 Network diagram

Configuration procedure
1. Configure ACLs:
# Create ACL 3000, and configure a rule to match packets whose TCP source port is not 21.
  • Select Firewall > ACL from the navigation tree, and click Add. Perform configuration on the page shown in Figure 211.
Figure 212 Configuring rules for ACL 3000
  • Select Permit from the Operation list.
  • Select 6 TCP from the Protocol list.
  • Select not equal to from the Source Operation list, and enter 21 in the Port field.
  • Click Apply.
2. Configure classes:
# Create a class named classifier_1, and reference ACL 3000 in the class.
  • Select Firewall > QoS > Classifier from the navigation tree, and click Add. Perform configuration on the page shown in Figure 213.
Figure 214 Configuring rules for classifier_1
  • Select the ACL option, and then select 3000 from the list.
  • Click Apply.
3. Configure traffic behaviors:
# Create a behavior named behavior_1, and configure the packet filtering action for the behavior to drop packets.
  • Select Firewall > QoS > Behavior from the navigation tree, and click Add. Perform configuration on the page shown in Figure 215.
Figure 215 Creating a traffic behavior named behavior_1
  • Enter behavior_1 as the behavior name.
Figure 216 Configuring actions for behavior behavior_1
  • Select the Packet Filter box, and then select Deny.
  • Click Apply.
The configuration progress dialog box as shown in Figure 217 appears.
  • When OK appears, click Close.
4. Configure a QoS policy:
# Create a policy named policy, and configure class-behavior associations in the policy.
  • Select Firewall > QoS > Policy from the navigation tree, and click Add. Perform configuration on the page shown in Figure 218.
Figure 218 Creating a policy named policy
  • Enter policy as the policy name.
  • Click Apply.
  • Select policy from the Policy Name list and then click Add Relation. Perform configuration on the page shown in Figure 219.
  • Select policy from the Policy Name list.
  • Select Inbound from the Direction list.
  • Click Apply.

Configuration guidelines
When you configure a QoS policy, note that:
• How an ACL referenced by a QoS policy is handled depends on whether the policy is applied to a software interface or a hardware interface.
  • If the QoS policy is applied to a software interface, only the permit statements in the referenced ACL will take effect and the deny statements in the referenced ACL will be ignored.
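The guideline above (deny statements ignored on a software interface) together with the class operator AND/OR from the CLI section earlier, worked through in Python as an added example that is not part of the HP guide. The ACL is modelled on the page's ACL 3000 (permit TCP whose source port is not 21); the extra deny rule, the host addresses and the dscp criterion are constructed for the demonstration, and AclRule, Packet and classify are hypothetical names.

```python
"""Added example, not from the HP guide: how a QoS class decides membership
under operator AND versus OR, and how an ACL the class references is read on
a software interface (deny rules ignored) versus a hardware interface (first
matching rule decides). Rule and packet fields are a simplified model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # source network, e.g. "192.168.0.9/32"; None = any
    proto: Optional[int] = None      # IP protocol number (6 = TCP); None = any
    sport_not: Optional[int] = None  # matches when the source port is NOT this value


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dscp: int = 0


def rule_matches(rule: AclRule, pkt: Packet) -> bool:
    """True when every field set on the rule agrees with the packet."""
    if rule.src is not None and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.sport_not is not None and pkt.sport == rule.sport_not:
        return False
    return True


def acl_matches(rules: List[AclRule], pkt: Packet, interface_kind: str) -> bool:
    """Does the referenced ACL put the packet into the class?

    hardware: rules are checked in order and the first match decides
              (permit -> in the class, deny -> not in the class).
    software: deny statements are ignored, so only permit statements
              are consulted (the guideline quoted in the text above).
    """
    for rule in rules:
        if interface_kind == "software" and rule.action == "deny":
            continue
        if rule_matches(rule, pkt):
            return rule.action == "permit"
    return False


Criterion = Callable[[Packet], bool]


def class_matches(criteria: List[Criterion], pkt: Packet, operator: str = "and") -> bool:
    """traffic classifier ... operator { and | or }: AND needs every criterion, OR any one."""
    if operator == "and":
        return all(c(pkt) for c in criteria)
    if operator == "or":
        return any(c(pkt) for c in criteria)
    raise ValueError(f"unknown operator {operator!r}")


# Constructed ACL modelled on the page's ACL 3000 (permit TCP whose source
# port is not 21), with a deny for one host placed in front of it to show
# the software/hardware difference.
ACL_3000 = [
    AclRule("deny", src="192.168.0.9/32"),
    AclRule("permit", proto=6, sport_not=21),
]


def classify(pkt: Packet, interface_kind: str, operator: str = "and") -> bool:
    """Class with two criteria: 'if-match acl 3000' and 'if-match dscp 0'."""
    criteria: List[Criterion] = [
        lambda p: acl_matches(ACL_3000, p, interface_kind),
        lambda p: p.dscp == 0,
    ]
    return class_matches(criteria, pkt, operator)
```

The exempt host is the case to check before relying on such an ACL: a deny rule added to carve one host out of a packet-filter class is silently ignored on a software interface, so the class still matches and the Deny behavior still drops that host's traffic.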
Configuring traffic policing

Overview

Introduction to traffic policing
Without limits on user traffic, a network can be overwhelmed very easily. To assign network resources such as bandwidth efficiently, and so improve network performance and user satisfaction, QoS technologies such as traffic policing, traffic shaping, and rate limit were introduced. Traffic policing limits traffic rate and resource usage according to traffic specifications.
• Delivering the packet to next-level traffic policing with its IP precedence re-marked if the evaluation result is “conforming.”
• Entering the next-level policing (you can set multiple traffic policing levels, each focused on specific objects).

Traffic evaluation and token buckets

Token bucket
To perform traffic policing, a device must evaluate traffic to determine whether it has exceeded the specifications. This is typically done with token buckets.
Configuring traffic policing in the Web interface

NOTE:
Traffic policing can be configured in the policy-based approach or the CAR list-based approach. This chapter describes only how to configure traffic policing in the CAR list-based approach. For how to configure traffic policing in the policy-based approach, see the chapter "QoS configuration."

Configuration task list

NOTE:
Committed access rate (CAR) is the major traffic policing mechanism, and therefore this document introduces how to configure CAR.
Figure 223 Creating a CAR list

Table 57 Configuration items
CAR List Index: Specify the CAR list index.
IP Type: Select to configure a source IP-based CAR list or a destination IP-based CAR list.
IP Set: Define the way of specifying a set of IP addresses. Two options are available:
  • Subnet—Specifies a network segment by specifying an IP address and an IP subnet mask.
  • IP Range—Specifies an IP address range by specifying a start IP address and an end IP address.

Figure 224 CAR lists applied to interfaces

Figure 225 Applying a CAR list to an interface

Table 58 Configuration items
Interface Name: Specify the interface to which a CAR list is to be applied.
Direction: Specify the direction in which a CAR list is to be applied.
  • Inbound—Applies the CAR list to the packets received on the specified interface.
  • Outbound—Applies the CAR list to the packets sent out the specified interface.
CIR: Set the committed information rate (CIR).
IMPORTANT: If you apply an IP network segment-based CAR list to an interface, the CIR you defined takes on different meanings depending on the configuration of the per-IP address rate limiting function and the shared bandwidth mode for the CAR list.
• If the per-IP address rate limiting function is not enabled, the CIR specifies the total bandwidth for the network segment and will be allocated to each IP address based on its traffic size.
Figure 226 Network diagram

Configuration procedure
# Configure a CAR list.
• Select Firewall > Traffic Policing > CAR List from the navigation tree, and click Add. Add a CAR list as shown in Figure 227.
Figure 227 Configuring a CAR list
• Enter 1 as the CAR list index.
• Select Source IP from the IP Type list.
• Select IP Range from the IP Set list.
• Enter 2.1.1.1 as the start IP address.
• Enter 2.1.1.100 as the end IP address.
• Select Enable from the Limit Rate Per IP Address list.

Figure 228 Applying the CAR list to the interface
• Select GigabitEthernet 0/1 from the Interface Name list.
• Select Inbound from the Direction list.
• Enter 1 in the CAR List Index field.
• Enter 50 in the CIR field.
• Select the Pass option for Green.
• Select the Discard option for Red.
• Click Apply.
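The token-bucket evaluation described under "Token bucket" above, applied to the CAR list just configured (source range 2.1.1.1 to 2.1.1.100, inbound, CIR 50 kbps, green passed, red discarded), as an added Python example that is not HP's code. The CBS of 4000 bits, the per-IP versus shared-bucket switch, the packet sizes and the timestamps are assumptions made for the demonstration, and TokenBucket and CarList are hypothetical names.

```python
"""Added example, not from the HP guide: a token-bucket model of CAR as
described in the traffic policing overview, applied the way the CAR list in
Figures 227 and 228 is. CBS, packet sizes and timestamps are constructed."""
from ipaddress import ip_address


class TokenBucket:
    """Single-rate token bucket: tokens (bits) accrue at CIR and the bucket
    holds at most CBS tokens. A packet conforms (green) when the bucket holds
    at least its size in tokens; otherwise it exceeds (red)."""

    def __init__(self, cir_kbps: float, cbs_bits: int):
        self.rate = cir_kbps * 1000.0   # tokens added per second
        self.capacity = cbs_bits
        self.tokens = float(cbs_bits)   # the bucket starts full
        self.last = 0.0

    def evaluate(self, size_bits: int, now: float) -> str:
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= size_bits:
            self.tokens -= size_bits
            return "green"
        return "red"


class CarList:
    """Source-IP CAR list applied inbound. With per-IP rate limiting enabled
    each address gets its own bucket at the configured CIR; with it disabled
    the whole range shares one bucket, so the CIR is the segment's total
    bandwidth (the case the IMPORTANT note on the CIR item describes)."""

    def __init__(self, start_ip, end_ip, cir_kbps, cbs_bits, per_ip=True,
                 green="pass", red="discard"):
        self.start, self.end = ip_address(start_ip), ip_address(end_ip)
        self.cir, self.cbs, self.per_ip = cir_kbps, cbs_bits, per_ip
        self.green, self.red = green, red
        self.buckets = {}

    def matches(self, src: str) -> bool:
        return self.start <= ip_address(src) <= self.end

    def police(self, src: str, size_bits: int, now: float) -> str:
        if not self.matches(src):
            return "pass"              # traffic outside the list is not policed
        key = src if self.per_ip else "shared"
        bucket = self.buckets.setdefault(key, TokenBucket(self.cir, self.cbs))
        colour = bucket.evaluate(size_bits, now)
        return self.green if colour == "green" else self.red


def run(car: CarList, packets):
    """packets: iterable of (time_s, source_ip, size_bits); returns the actions."""
    return [car.police(src, size, t) for t, src, size in packets]


def demo_per_ip():
    """Limit Rate Per IP Address enabled: every host in the range gets 50 kbps."""
    car = CarList("2.1.1.1", "2.1.1.100", cir_kbps=50, cbs_bits=4000, per_ip=True)
    burst = [(0.0, "2.1.1.5", 512)] * 10        # ten 64-byte packets at once
    others = [(0.0, "2.1.1.6", 512),            # a different host: its own bucket
              (0.0, "2.1.1.200", 512),          # outside the range: never policed
              (0.1, "2.1.1.5", 512),            # 100 ms later: 5000 tokens refilled
              (5.0, "2.1.1.7", 12000)]          # 1500-byte packet: larger than CBS
    return run(car, burst + others)


def demo_shared():
    """Per-IP limiting disabled: the whole segment shares the 50 kbps."""
    car = CarList("2.1.1.1", "2.1.1.100", cir_kbps=50, cbs_bits=4000, per_ip=False)
    return run(car, [(0.0, "2.1.1.5", 512)] * 7 + [(0.0, "2.1.1.6", 512)])
```

The last packet of demo_per_ip is the check worth doing before applying a CAR list: a CBS smaller than the largest packet on the link marks every such packet red even when the bucket is full.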
NOTE:
If traffic policing is configured in both the policy approach and the non-policy approach, the configuration in the policy approach takes effect.

Configuring traffic policing in policy approach
1. Enter system view.
   system-view
2. Create a class and enter class view.
   traffic classifier tcl-name [ operator { and | or } ]
3. Configure match criteria.
   if-match match-criteria
4. Return to system view.
   quit
5. Create a behavior and enter behavior view.

1. Enter system view.
   system-view
2. Configure an ACL and configure rules for the ACL.
   See "Configuring ACLs."
3. Enter interface view.
   interface interface-type interface-number
4. Configure an ACL based CAR policy on the interface.
   qos car { inbound | outbound } acl [ ipv6 ] acl-number cir committed-information-rate [ cbs committed-burst-size [ ebs excess-burst-size ] ] [ green action ] [ red action ]
IP routing overview

NOTE:
• The term "router" in this chapter refers to both routers and Layer 3 firewalls.
• The types of interfaces that appear in any figures other than the network diagrams for configuration examples are for illustration only. Some of them might be unavailable on your router.

Upon receiving a packet, a router determines the optimal route based on the destination address and forwards the packet to the next router in the path.
Each entry in the FIB table specifies a physical interface that packets destined for a certain address should go out to reach the next hop—the next router—or the directly connected destination.
Static route configuration

Feature and hardware compatibility
Feature                F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
BFD for static routes  No                No        Yes     No

Overview
Static routes are manually configured. If a network’s topology is simple, you only need to configure static routes for the network to work properly. The proper configuration and usage of static routes can improve network performance and ensure bandwidth for important network applications.

Figure 230 Creating a static route
3. Create a static route as described in Table 59.

Table 59 Configuration items
Destination: Enter the destination IP address in dotted decimal notation.
Mask: Specify the destination IP address mask.
Next Hop: Enter the next hop IP address in dotted decimal notation.
Outbound Interface: Specify the outgoing interface.
Priority: Enter the static route priority. The static route priority defaults to 60.
Figure 231 Network diagram

Configuration considerations
1. On Firewall A, configure a static route to Firewall B.
2. On Firewall B, configure two static routes to Firewall A and Firewall C.
3. On Firewall C, configure a static route to Firewall B.

Configuration procedure
1. Configure IP addresses of hosts and gateways.
As shown in Figure 231, configure IP addresses of the hosts, and configure the default gateways of Host A, Host B and Host C as 1.1.2.3, 1.1.6.1 and 1.1.3.1, respectively.

   d. Click Apply.
4. Configure static routes on firewall B:
   a. Select Network > Routing Management > Static Routing from the navigation tree.
   b. Click Add.
   c. Enter 1.1.2.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 1.1.4.1 as the next hop.
   d. Click Apply.
   e. Click Add.
   f. Enter 1.1.3.0 as the destination IP address, select 255.255.255.0 from the mask list, and enter 1.1.5.6 as the next hop.
   g. Click Apply.
5. Configure a static route on firewall C:
Configuring a static route at the CLI

Configuration prerequisites
Before configuring a static route, complete the following tasks:
• Configure the physical parameters for related interfaces
• Configure the link-layer attributes for related interfaces
• Configure the IP addresses for related interfaces

Follow these guidelines when you configure a static route:
• The next hop address of a static route cannot be the IP address of a local interface (such as an Ethernet interface or a VLAN interface).
Configuring BFD for static routes
Bidirectional forwarding detection (BFD) provides a general-purpose, standard, medium- and protocol-independent fast failure detection mechanism. It can uniformly and quickly detect failures of the bidirectional forwarding paths between two routers on behalf of protocols such as routing protocols. For more information about BFD, see High Availability Configuration Guide.

A dynamic routing protocol notifies BFD of its neighbor information.

BFD echo packet mode
With BFD echo packet mode enabled for a static route, the local device sends BFD echo packets to the peer, which loops them back to test the link.

IMPORTANT:
• Enabling BFD for a flapping route could worsen the situation.
• In echo mode, only one end needs to establish the BFD session, and the source address of echo packets must be configured.
• BFD cannot be used for a static route whose outbound interface has the spoofing attribute.
Figure 233 Network diagram

Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown)
2. Configure static routes:
# Configure a default route on Firewall A.
system-view
[FirewallA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
# Configure two static routes on Firewall B.
system-view
[FirewallB] ip route-static 1.1.2.0 255.255.255.0 1.1.4.1
[FirewallB] ip route-static 1.1.3.0 255.255.255.0 1.1.5.6
# Configure a default route on Firewall C.

# Display the IP routing table of Firewall B.
[FirewallB] display ip routing-table
Routing Tables: Public
        Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost  NextHop      Interface
1.1.2.0/24          Static  60   0     1.1.4.1      GE0/1
1.1.3.0/24          Static  60   0     1.1.5.6      GE0/2
1.1.4.0/30          Direct  0    0     1.1.4.2      GE0/1
1.1.4.2/32          Direct  0    0     127.0.0.1    InLoop0
1.1.5.4/30          Direct  0    0     1.1.5.5      GE0/2
1.1.5.5/32          Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.
BFD for static routes configuration example (direct next hop) at the CLI

Network requirements
In Figure 234, configure a static route to subnet 120.1.1.0/24 on Firewall A, and configure a static route to subnet 121.1.1.0/24 on Router B. Enable BFD for both routes so that when the link between Firewall A and Router B through the Layer 2 switch fails, BFD can detect the failure immediately and inform Firewall A and Router B to communicate through Router C.

[RouterB-GigabitEthernet0/1] bfd detect-multiplier 9
[RouterB-GigabitEthernet0/1] quit
[RouterB] ip route-static 121.1.1.0 24 GigabitEthernet0/1 12.1.1.1 bfd control-packet
[RouterB] ip route-static 121.1.1.0 24 GigabitEthernet0/2 13.1.1.2 preference 65
[RouterB] quit
3. Verify the configuration:
The following operations are performed on Firewall A. The operations on Router B are similar.
# Display BFD sessions on Firewall A.
Public Routing Table : Static
Summary Count : 2

Static Routing table Status : < Active>
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GigabitEthernet0/1
                                 0     12.1.1.2     GigabitEthernet0/1

Static Routing table Status : < Inactive>
Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.
# Configure static routes on Firewall A and enable BFD control packet mode for the static route through Router D.
system-view
[FirewallA] interface loopback 1
[FirewallA-LoopBack1] bfd min-transmit-interval 500
[FirewallA-LoopBack1] bfd min-receive-interval 500
[FirewallA-LoopBack1] bfd detect-multiplier 9
[FirewallA-LoopBack1] quit
[FirewallA] ip route-static 120.1.1.0 24 2.2.2.9 bfd control-packet bfd-source 1.1.1.9
[FirewallA] ip route-static 120.1.1.0 24 GigabitEthernet0/2 10.1.1.

Summary Count : 1
Destination/Mask    Proto   Pre  Cost  NextHop      Interface
120.1.1.0/24        Static  65   0     10.1.1.100   GigabitEthernet0/2

# Enable BFD debugging. When the link between Firewall A and Router D fails, Firewall A can detect the failure.
debugging bfd event
debugging bfd scm
terminal debugging
%Oct 10 10:18:18:672 2010 FirewallA BFD/4/LOG:Sess[1.1.1.9/2.2.2.
Configuring RIP

Feature and hardware compatibility
Feature       F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
BFD for RIP   No                No        Yes     No

RIP is a simple Interior Gateway Protocol (IGP), mainly used in small-sized networks, such as academic networks and simple LANs. RIP is not applicable to complex networks. RIP is still widely used in practical networking because it is easier to implement, configure and maintain than OSPF and IS-IS.
Figure 236 RIP global configuration page
2. Configure RIP globally as described in Table 60.

Table 60 Configuration items
Enable RIP (enable all interfaces automatically): Enable RIP on all interfaces.
Import static routes: Configure RIP to redistribute static routes.

Configuring interface RIP
1. Select Network > Routing Management > RIP from the navigation tree. The RIP configuration page appears. If RIP is enabled, the More button is displayed.
2. Click More.

Figure 238 RIP interface configuration page
4. Configure the RIP interface as described in Table 61.

Table 61 Configuration items
Interface: Displays the RIP interface name.
Work State: Set whether to allow the receiving/sending of RIP packets on the interface.
  • On—Allows the receiving/sending of RIP packets on the interface.
  • Off—Disallows the receiving/sending of RIP packets on the interface.
Specify a RIP version for the interface.
Authentication Mode, Key String: Set the authentication mode and parameters for authenticating RIP packets on a RIPv2 interface.
  • If the Authentication Mode is null, the interface does not authenticate RIP packets, and the Key String and Key ID are not required.
  • If Simple is specified for Authentication Mode, the interface authenticates RIP packets using a simple text key. You need to configure a Key String in simple text.
Figure 240 Enable RIP
# Configure Firewall B.
  • Select Network > Routing Management > RIP from the navigation tree.
  • Select the Enable RIP (Enable all interfaces automatically) box.
  • Click Apply.

Verifying the configuration
1. Display active routes of Firewall A.
Select Network > Routing Management > Routing Info from the navigation tree of Firewall A to display the learned RIP route destined for 10.0.0.0/8.
Figure 241 RIP configuration result I
2. Display active routes of Firewall B.
Configuring RIP at the CLI

RIP configuration task list
Configuring RIP basic functions: Required
Configuring RIP route control:
  Configuring an additional routing metric: Optional
  Configuring RIPv2 route summarization: Optional
  Disabling host route reception: Optional
  Advertising a default route: Optional
  Configuring inbound/outbound route filtering: Optional
  Configuring a priority for RIP: Optional
  Configuring RIP route redistribution: Optional
Tuning and optimizing RIP networks:

3. Enable RIP on the interface attached to the specified network.
   network network-address
   Disabled by default.

NOTE:
• If you make some RIP configurations in interface view before enabling RIP, those configurations will take effect after RIP is enabled.
• RIP runs only on the interfaces residing on the specified networks. Specify the network after enabling RIP to validate RIP on a specific interface.
• You can enable RIP on all interfaces using the command network 0.0.0.0.
To configure a RIP version:
1. Enter system view.
   system-view
2. Enter RIP view.
   rip [ process-id ] [ vpn-instance vpn-instance-name ]
3. Specify a global RIP version.
   Optional. By default, if an interface has a RIP version specified, the version takes precedence over the global one. If no RIP version is specified for an interface, the interface can send RIPv1 broadcasts, and receive RIPv1 broadcasts, unicasts, RIPv2 broadcasts, multicasts and unicasts.

1. Enter system view.
   system-view
2. Enter interface view.
   interface interface-type interface-number
3. Define an inbound additional routing metric.
   rip metricin [ route-policy route-policy-name ] value
   Optional. The default is 0.
4. Define an outbound additional routing metric.
   rip metricout [ route-policy route-policy-name ] value
   Optional. The default is 1.
6. Advertise a summary route.
   rip summary-address ip-address { mask | mask-length }

NOTE:
You need to disable RIPv2 route automatic summarization before advertising a summary route on an interface.

Disabling host route reception
Sometimes a router may receive many host routes from the same network, which are not helpful for routing and consume a large amount of network resources. You can disable RIP from receiving host routes to save network resources.

6. Configure the RIP interface to advertise a default route.
   rip default-route { { only | originate } [ cost cost ] | no-originate }
   Optional. By default, a RIP interface can advertise a default route if the RIP process is configured with default route advertisement.

NOTE:
The router enabled to advertise a default route does not receive default routes from RIP neighbors.

Configuring inbound/outbound route filtering
The device supports route filtering.
3. Configure a priority for RIP.
   preference [ route-policy route-policy-name ] value
   Optional. 100 by default.

Configuring RIP route redistribution
If a router runs RIP and other routing protocols, you can configure RIP to redistribute OSPF, BGP, static, or direct routes.

To configure RIP route redistribution:
1. Enter system view.
   system-view
2. Enter RIP view.
   rip [ process-id ] [ vpn-instance vpn-instance-name ]

3. Configure values for RIP timers.
   timers { garbage-collect garbage-collect-value | suppress suppress-value | timeout timeout-value | update update-value } *
   Optional. The default update timer, timeout timer, suppress timer, and garbage-collect timer are 30s, 180s, 120s and 120s respectively.

NOTE:
Based on network performance, you must make the RIP timers of RIP routers identical to each other to avoid unnecessary traffic or route oscillation.
Configuring the maximum number of ECMP routes
Perform this task to implement load sharing over ECMP routes.

To configure the maximum number of load balanced routes:
1. Enter system view.
   system-view
2. Enter RIP view.
   rip [ process-id ] [ vpn-instance vpn-instance-name ]
3. Configure the maximum number of ECMP routes.
   Optional. By default, the maximum number of ECMP routes depends on the device model, as shown in the following table.

1. Enter system view.
   system-view
2. Enter RIP view.
   rip [ process-id ] [ vpn-instance vpn-instance-name ]
3. Enable source IP address check on incoming RIP messages.
   validate-source-address
   Optional. Enabled by default.

NOTE:
The source IP address check feature should be disabled if the RIP neighbor is not directly connected.
NOTE:
• You need not use the peer ip-address command when the neighbor is directly connected; otherwise the neighbor may receive both the unicast and the multicast (or broadcast) of the same routing information.
• If a specified neighbor is not directly connected, you need to disable source address check on incoming updates.

Configuring RIP-to-MIB binding
This task allows you to enable a specific RIP process to receive SNMP requests.

To bind RIP to MIB:
1. Enter system view.

Configuring single-hop detection in BFD echo packet mode
1. Enter system view.
   system-view
2. Configure the source IP address of BFD echo packets.
   bfd echo-source-ip ip-address
   By default, no source IP address is configured for BFD echo packets.
3. Enter interface view.
   interface interface-type interface-number
4. Enable BFD on the RIP interface.
   rip bfd enable
   Disabled by default.
Display routing information about a specified RIP process.
   display rip process-id route [ ip-address { mask | mask-length } | peer ip-address | statistics ] [ | { begin | exclude | include } regular-expression ]
Reset a RIP process.
   reset rip process-id
   Available in user view.
Clear the statistics of a RIP process.
   reset rip process-id statistics
   Available in user view.

RIP version configuration at the CLI

NOTE:
In this configuration example, either Router A or Router B is the firewall.

10.0.0.0/8          1.1.1.2      1      0    RA   9
The output shows that RIPv1 uses the natural mask to advertise routing information.
3. Configure a RIP version.
# Configure RIPv2 on Router A.
[RouterA] rip
[RouterA-rip-1] version 2
[RouterA-rip-1] undo summary
# Configure RIPv2 on Router B.
[RouterB] rip
[RouterB-rip-1] version 2
[RouterB-rip-1] undo summary
# Display the RIP routing table of Router A.
Figure 244 Network diagram

Configuration procedure
1. Configure an IP address for each interface. (Details not shown)
2. Configure RIP basic functions:
# Enable RIP 100, and configure RIP version 2 on Firewall A.
system-view
[FirewallA] rip 100
[FirewallA-rip-100] network 10.0.0.0
[FirewallA-rip-100] network 11.0.0.0
[FirewallA-rip-100] version 2
[FirewallA-rip-100] undo summary
[FirewallA-rip-100] quit
# Enable RIP 100 and RIP 200, and configure RIP version 2 on Firewall B.

16.4.1.1/32         Direct  0    0     127.0.0.1    InLoop0
127.0.0.0/8         Direct  0    0     127.0.0.1    InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1    InLoop0
3. Configure RIP route redistribution.
# Configure RIP 200 to redistribute direct routes and routes from RIP 100 on Firewall B.
[FirewallB] rip 200
[FirewallB-rip-200] import-route rip 100
[FirewallB-rip-200] import-route direct
[FirewallB-rip-200] quit
# Display the routing table of Firewall C.
Configuring an additional metric for a RIP interface at the CLI

Network requirements
As shown in Figure 245, RIPv2 is enabled on all the interfaces of Router A, Router B, Router C, Router D, and Firewall. Firewall has two links to Router D. The link from Router B to Router D is more stable than that from Router C to Router D. Configure an additional metric for RIP routes received through GigabitEthernet 0/2 on Firewall so that Firewall prefers the route to network 1.1.5.0/24 learned from Router B.
[RouterD-rip-1] undo summary
# Configure Router A.
system-view
[RouterA] rip
[RouterA-rip-1] network 1.0.0.0
[RouterA-rip-1] version 2
[RouterA-rip-1] undo summary
# Display the IP routing table of Firewall.
[Firewall] display rip 1 database
 1.0.0.0/8, cost 0, ClassfulSumm
     1.1.1.0/24, cost 0, nexthop 1.1.1.1, Rip-interface
     1.1.2.0/24, cost 0, nexthop 1.1.2.1, Rip-interface
     1.1.3.0/24, cost 1, nexthop 1.1.1.2
     1.1.4.0/24, cost 1, nexthop 1.1.2.2
     1.1.5.0/24, cost 2, nexthop 1.1.1.2
     1.1.5.
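How rip metricin on one interface changes the route the firewall in this example installs for 1.1.5.0/24, modelled in Python as an added example that is not from the HP guide. Topology, addresses and costs follow Figure 245 and the database output above; the metricin value of 2 on GigabitEthernet 0/2 is an assumption, since the page does not state the configured value, and RipInterface, RipProcess and learn_firewall_routes are hypothetical names.

```python
"""Added example, not from the HP guide: a small model of how a RIP process
chooses among routes to the same prefix when `rip metricin` is set on one of
the receiving interfaces. The metricin value used below is an assumption."""

RIP_INFINITY = 16   # a RIP cost of 16 means unreachable


class RipInterface:
    def __init__(self, name, metricin=0):
        self.name = name
        self.metricin = metricin   # additional inbound metric; the guide's default is 0


class RipProcess:
    def __init__(self):
        # prefix -> {"cost": int, "nexthops": [(nexthop, interface), ...]}
        self.routes = {}

    def receive(self, iface, nexthop, prefix, metric):
        """Process one route carried in an update received on `iface`."""
        key = (nexthop, iface.name)
        cost = metric + iface.metricin
        entry = self.routes.get(prefix)
        # The latest update from a neighbour supersedes its earlier one.
        if entry is not None and key in entry["nexthops"]:
            entry["nexthops"].remove(key)
            if not entry["nexthops"]:
                del self.routes[prefix]
                entry = None
        if cost >= RIP_INFINITY:
            return            # unreachable once the additional metric is added
        if entry is None or cost < entry["cost"]:
            self.routes[prefix] = {"cost": cost, "nexthops": [key]}
        elif cost == entry["cost"]:
            entry["nexthops"].append(key)   # equal cost: both paths kept (ECMP)
        # a higher cost than the installed route is simply not used

    def best(self, prefix):
        entry = self.routes.get(prefix)
        return None if entry is None else (entry["cost"], sorted(entry["nexthops"]))


def learn_firewall_routes(metricin_ge02=0):
    """Feed Firewall the updates it receives from Router B (on GigabitEthernet 0/1)
    and Router C (on GigabitEthernet 0/2). Advertised metrics are each neighbour's
    own cost plus the default metricout of 1, as in the database output above."""
    ge01 = RipInterface("GigabitEthernet0/1")
    ge02 = RipInterface("GigabitEthernet0/2", metricin=metricin_ge02)
    rip = RipProcess()
    # Router B (1.1.1.2): directly connected 1.1.3.0/24, and 1.1.5.0/24 via Router D
    rip.receive(ge01, "1.1.1.2", "1.1.3.0/24", 1)
    rip.receive(ge01, "1.1.1.2", "1.1.5.0/24", 2)
    # Router C (1.1.2.2): directly connected 1.1.4.0/24, and 1.1.5.0/24 via Router D
    rip.receive(ge02, "1.1.2.2", "1.1.4.0/24", 1)
    rip.receive(ge02, "1.1.2.2", "1.1.5.0/24", 2)
    return rip
```

Note that the additional metric is applied to every route received on the interface, not only to 1.1.5.0/24, so 1.1.4.0/24 also gets a higher cost, and a value large enough to reach 16 silently removes the route.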
Figure 246 Network diagram

Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown)
2. Configure OSPF basic functions:
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure Router B.
system-view
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.

[RouterC] rip 1
[RouterC-rip-1] network 11.0.0.0
[RouterC-rip-1] version 2
[RouterC-rip-1] undo summary
[RouterC-rip-1] quit
# Configure RIP to redistribute the routes from OSPF process 1 and direct routes on Firewall.
[Firewall-rip-1] import-route direct
[Firewall-rip-1] import-route ospf 1
# Display the routing table information of Router C.
[RouterC] display ip routing-table
Routing Tables: Public
        Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost  NextHop      Interface
10.1.1.
Configuring BFD for RIP (single-hop detection in BFD echo packet mode) at the CLI

Network requirements
As shown in Figure 247:
• Firewall A and Router C are interconnected through a Layer 2 switch. GigabitEthernet 0/1 of the two routers runs RIP process 1, and BFD is enabled on GigabitEthernet 0/1 of Router A.
• Firewall A is connected to Router C through Router B. GigabitEthernet 0/2 on Firewall A runs RIP process 2.

[RouterB] rip 1
[RouterB-rip-1] network 192.168.2.0
[RouterB-rip-1] network 192.168.3.0
[RouterB-rip-1] quit
# Configure Router C.
system-view
[RouterC] rip 1
[RouterC-rip-1] network 192.168.1.0
[RouterC-rip-1] network 192.168.3.0
[RouterC-rip-1] import-route static
[RouterC-rip-1] quit
2. Configure the BFD parameters on GigabitEthernet 0/1 of Firewall A:
[FirewallA] bfd session init-mode active
[FirewallA] bfd echo-source-ip 11.11.11.
NextHop: 192.168.2.2            BkNextHop: 0.0.0.0
Interface: GigabitEthernet0/2   BkInterface:
RelyNextHop: 0.0.0.0            Neighbor : 192.168.2.2
Tunnel ID: 0x0                  Label: NULL
BKTunnel ID: 0x0                BKLabel: NULL
State: Inactive Adv             Age: 00h12m50s
Tag: 0
# Enable RIP event debugging on Firewall A. When the link between Router C and the Layer 2 switch fails, Firewall A quickly detects the link state change.
debugging rip 1 event
terminal debugging
%Jan 19 10:41:51:203 2008 FirewallA BFD/4/LOG:Sess[192.
Configuring BFD for RIP (bidirectional detection in BFD control packet mode) at the CLI
Network requirements
As shown in Figure 248:
• Firewall A is connected to Router C through Router B. GigabitEthernet 0/2 on Firewall A, GigabitEthernet 0/1 on Router C, and GigabitEthernet 0/1 and GigabitEthernet 0/2 on Router B run RIP process 1.
• Configure a static route to Router C on Firewall A, and configure a static route to Firewall A on Router C.
[FirewallA-rip-1] import-route static
[FirewallA-rip-1] quit
[FirewallA] interface GigabitEthernet0/2
[FirewallA-GigabitEthernet0/2] rip bfd enable
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] rip 2
[FirewallA-rip-2] network 192.168.3.0
[FirewallA-rip-2] quit
# Configure Router C.
system-view
[RouterC] rip 1
[RouterC-rip-1] network 192.168.2.0
[RouterC-rip-1] network 192.168.4.0
[RouterC-rip-1] peer 192.168.1.
[RouterC] interface GigabitEthernet0/1
[RouterC-GigabitEthernet0/1] ip address 192.168.2.2 24
[RouterC-GigabitEthernet0/1] bfd min-transmit-interval 500
[RouterC-GigabitEthernet0/1] bfd min-receive-interval 500
[RouterC-GigabitEthernet0/1] bfd detect-multiplier 6
[RouterC-GigabitEthernet0/1] quit
[RouterC] interface GigabitEthernet0/2
[RouterC-GigabitEthernet0/2] ip address 192.168.4.2 24
[RouterC-GigabitEthernet0/2] quit
# Configure Router D.
RelyNextHop: 192.168.1.2        Neighbor : 192.168.2.2
Tunnel ID: 0x0                  Label: NULL
BKTunnel ID: 0x0                BKLabel: NULL
State: Active Adv GotQ          Age: 00h04m02s
Tag: 0
Destination: 100.1.1.0/24
Protocol: RIP                   Process ID: 2
Preference: 100                 Cost: 2
IpPrecedence:                   QosLcId:
NextHop: 192.168.3.2            BkNextHop: 0.0.0.0
Interface: GigabitEthernet0/1   BkInterface:
RelyNextHop: 0.0.0.0            Neighbor : 192.168.3.
BKTunnel ID: 0x0                BKLabel: NULL
State: Active Adv               Age: 00h10m35s
Tag: 0
Troubleshooting RIP
No RIP updates received
Symptom: No RIP updates are received when the links work properly.
Analysis: After enabling RIP, you must use the network command to enable the corresponding interfaces. Make sure no interfaces are disabled from handling RIP messages. If the peer is configured to send multicast messages, the same should be configured on the local end.
Configuring OSPF
Hardware and feature compatibility
Feature         F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
BFD for OSPF    No                No        Yes     No
Overview
Open Shortest Path First (OSPF) is a link state interior gateway protocol developed by the OSPF working group of the Internet Engineering Task Force (IETF). At present, OSPF version 2 (RFC 2328) is used.
NOTE: Unless otherwise noted, OSPF refers to OSPFv2 throughout this chapter.
Configuration overview
An OSPF routing domain has different types of routers, such as intra-area routers, ABRs, and ASBRs. Whatever its type, a router takes part in OSPF only after OSPF is enabled on it. Plan the network before configuring OSPF on the routers. Routers are configured on a per-area basis. Incorrect configuration can cause communication failures, blocked routing information, or routing loops between neighboring routers.
Figure 249 OSPF global configuration page
2. Configure OSPF globally as described in Table 63.
Table 63 Configuration items
Item                   Description
Enable OSPF            Enable OSPF.
Import static routes   Configure OSPF to redistribute static routes.
Configuring OSPF areas
1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears. After you enable OSPF, the Area Configuration tab is displayed.
Figure 250 Tabs on the OSPF area configuration page
2.
Figure 251 OSPF area configuration page
3. Configure an OSPF area as described in Table 64.
Table 64 Configuration items
Item                    Description
Area ID                 Enter an area ID.
Area Type               Select an area type: Normal, Stub, or NSSA.
                        CAUTION: The backbone area (area ID 0) can only be configured as Normal.
Enable all interfaces   Set whether to enable OSPF on all the interfaces.
Configuring OSPF interfaces
1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears.
2. After you complete OSPF area configurations, click the More button. The hidden OSPF interface list is displayed.
Figure 252 OSPF interface list page
3. Click the icon. The configuration page of the specified OSPF interface appears.
Item             Description
Hello Interval   Set the interval for sending hello packets. The hello interval defaults to 10 seconds on P2P and broadcast interfaces and to 30 seconds on P2MP and NBMA interfaces. The smaller the hello interval, the faster the network converges and the more network resources are consumed. All interfaces on a network segment must use the same hello interval.
                 Set the OSPF dead interval.
Displaying OSPF interface information 1. Select Network > Routing Management > OSPF from the navigation tree. The OSPF configuration page appears. 2. After you complete OSPF area configurations, click Show Interface on the Show Information tab. The OSPF interface information is displayed.
The OSPF configuration page appears. 2. After you complete OSPF area configurations, click Show Peer on the Show Information tab. The OSPF neighbor information is displayed.
• Configure Area 1 as an NSSA area, and configure Device B as an ASBR to redistribute static routes into the AS.
Figure 256 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces and configure security zones. (Details not shown)
2. Configure OSPF basic functions:
# Configure Firewall.
a. Select Network > Routing Management > OSPF from the navigation tree of Firewall.
b. Select the Enable OSPF box.
Figure 257 Enable OSPF
c. Click Apply.
Figure 258 The web page displayed after OSPF is enabled
d. Click Add on the Area Configuration tab.
e. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
f. Click Apply.
Figure 259 Configure area 0
g. Click Add on the Area Configuration tab.
h. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
i. Click Apply.
Figure 260 Configure area 1
# Configure Device A.
a. Select Network > Routing Management > OSPF from the navigation tree of Device A.
b. Select the Enable OSPF box.
c. Click Apply.
d. Click Add on the Area Configuration tab.
e. Enter 0 for Area ID, select Normal for Area Type, enter 10.1.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
f. Click Apply.
g. Click Add on the Area Configuration tab.
h. Enter 2 for Area ID, select Normal for Area Type, enter 10.3.1.
d. Click Add on the Area Configuration tab.
e. Enter 1 for Area ID, select NSSA for Area Type, enter 10.2.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
f. Enter 10.4.1.0 for Network Address, select 0.0.0.255 for Network Mask, and click Add Network.
g. Click Apply.
h. Select Network > Static Route from the navigation tree and click Add.
i. Enter 3.2.1.1 as the destination IP address, select 255.255.255.0 from the mask list, and enter 10.4.1.2 as the next hop.
j.
Figure 262 OSPF configuration result II
Configuring OSPF at the CLI
OSPF configuration task list
Plan the deployment before configuring OSPF. To run OSPF in a routing domain, first enable OSPF on the routers. You can then keep the default values of parameters such as the hello interval, LSA transmission delay, and SPF calculation interval, or tune them as needed. Configure OSPF routers on an area basis.
Task                                                    Remarks
Tuning and optimizing OSPF networks
  Configuring the maximum number of OSPF routes         Optional
  Configuring the maximum number of ECMP routes         Optional
  Configuring OSPF preference                           Optional
  Configuring OSPF route redistribution                 Optional
  Configuring OSPF packet timers                        Optional
  Specifying LSA transmission delay                     Optional
  Specifying SPF calculation interval                   Optional
  Specifying the LSA arrival interval                   Optional
  Specifying the LSA generation interval                Optional
  Disabling interfaces from re
network segment of an area, the interface belongs to the area and is enabled with OSPF, and OSPF advertises the direct route of the interface.
To run OSPF, a router must have a router ID, which uniquely identifies the router in the AS.
• You can specify a router ID when creating the OSPF process. Any two routers in an AS must have different router IDs. In practice, the router ID is usually the IP address of one of the router's interfaces; choose one that does not change when a physical link goes down, such as a loopback address, so that the router's identity in the link-state database stays stable.
Configuring OSPF areas
After splitting an OSPF AS into multiple areas, you can further configure some areas as stub areas or NSSA areas as needed. If the backbone has no connection to a non-backbone area, or is itself partitioned, configure virtual links to restore connectivity.
Configuration prerequisites
Before configuring an OSPF area, complete the following tasks:
• Configure IP addresses for interfaces so that neighboring nodes can reach each other at the network layer.
To configure an NSSA area:
Step                                      Command                                                                                                              Remarks
1. Enter system view.                     system-view                                                                                                          N/A
2. Enter OSPF view.                       ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *                                         N/A
3. Enter area view.                       area area-id                                                                                                         N/A
4. Configure the area as an NSSA area.    nssa [ default-route-advertise | no-import-route | no-summary | translate-always | translator-stability-interval value ] *   Not configured by default.
5. Specify a cost for the default route advertised to the NSSA area.
P2P—When the link layer protocol is PPP, LAPB, or HDLC, OSPF considers the network type as P2P by default.
• You can change the network type of an interface as needed.
• When an NBMA network is fully meshed through address mapping (any two routers in the network have a direct virtual circuit between them), you can change the network type to broadcast so that neighbors need not be configured manually.
Step                                                            Command                                                                            Remarks
2. Enter interface view.                                        interface interface-type interface-number                                          N/A
3. Configure the OSPF network type for the interface as NBMA.   ospf network-type nbma                                                             By default, the network type of an interface depends on the link layer protocol.
4. Configure a router priority for the interface.               ospf dr-priority priority
5. Exit to system view.                                         quit                                                                               N/A
6. Enter OSPF view.                                             ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
7.
Step                                                                       Command                                                     Remarks
6. Specify a neighbor and its router priority on a P2MP unicast network.   peer ip-address [ cost value | dr-priority dr-priority ]    Required if the interface type is P2MP unicast.
Configuring the OSPF network type for an interface as P2P
Step                                                           Command                                      Remarks
1. Enter system view.                                          system-view                                  N/A
2. Enter interface view.                                       interface interface-type interface-number    N/A
3. Configure the OSPF network type for the interface as P2P.
Step                                    Command                                                                                        Remarks
2. Enter OSPF view.                     ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *                   N/A
3. Enter OSPF area view.                area area-id                                                                                   N/A
4. Configure ABR route summarization.   abr-summary ip-address { mask | mask-length } [ advertise | not-advertise ] [ cost cost ]     Not configured by default. The command is available on an ABR only.
Step                                    Command                                                                                                                                                          Remarks
3. Configure inbound route filtering.   filter-policy { acl-number [ gateway ip-prefix-name ] | gateway ip-prefix-name | ip-prefix ip-prefix-name [ gateway ip-prefix-name ] | route-policy route-policy-name } import   Not configured by default.
Configuring ABR Type-3 LSA filtering
You can configure an ABR to filter Type-3 LSAs advertised to an area.
To configure Type-3 LSA filtering on an ABR:
Step                      Command        Remarks
1. Enter system view.     system-view    N/A
2. Enter OSPF view.
Step                                         Command                                                                            Remarks
1. Enter system view.                        system-view                                                                        N/A
2. Enter OSPF view.                          ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
3. Configure a bandwidth reference value.    bandwidth-reference value                                                          Optional. The value defaults to 100 Mbps.
Configuring the maximum number of OSPF routes
Step                                         Command                                                                            Remarks
1. Enter system view.                        system-view                                                                        N/A
2. Enter OSPF view.                          ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
3.
Step                                  Command                                                                            Remarks
1. Enter system view.                 system-view                                                                        N/A
2. Enter OSPF view.                   ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
3. Configure a preference for OSPF.   preference [ ase ] [ route-policy route-policy-name ] value                        Optional. By default, the preference of OSPF internal routes is 10, and the preference of OSPF external routes is 150.
Configuring OSPF route redistribution
1.
Step                               Command                                                                                                                                  Remarks
3. Redistribute a default route.   default-route-advertise [ [ [ always | permit-calculate-other ] | cost cost | route-policy route-policy-name | type type ] * | summary cost cost ]   Not redistributed by default.
NOTE: The default-route-advertise summary cost command is applicable only to VPN, and the default route is redistributed in a Type-3 LSA. The PE router will advertise the default route to the CE router.
3.
• Configure OSPF authentication to improve security.
• Configure OSPF network management functions, such as binding OSPF MIB with a process, sending trap information and collecting log information.
Configuration prerequisites
Before you tune and optimize OSPF networks, complete the following tasks:
• Configure IP addresses for interfaces
• Configure OSPF basic functions
Configuring OSPF packet timers
You can configure the following timers on OSPF interfaces as needed.
NOTE:
• The hello and dead intervals restore to default values after you change the network type for an interface.
• The dead interval should be at least four times the hello interval on an interface.
• The poll interval is at least four times the hello interval.
• Do not set the retransmission interval too small, or LSAs will be retransmitted unnecessarily. In general, this value is larger than the round-trip time of a packet between two neighbors.
Step                                     Command                                                                            Remarks
1. Enter system view.                    system-view                                                                        N/A
2. Enter OSPF view.                      ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
3. Configure the LSA arrival interval.   lsa-arrival-interval interval                                                      Optional. 1000 milliseconds by default.
NOTE: The interval set with the lsa-arrival-interval command should be smaller than or equal to the interval set with the lsa-generation-interval command.
NOTE:
• Different OSPF processes can disable the same interface from receiving and sending OSPF packets. The silent-interface command disables only the interfaces associated with the current process rather than interfaces associated with other processes.
• After an OSPF interface is set to silent, other interfaces on the router can still advertise direct routes of the interface in Router LSAs, but the interface cannot send any packet.
Step                                                      Command                                                                          Remarks
6. Return to system view.                                 quit                                                                             N/A
7. Enter interface view.                                  interface interface-type interface-number                                        N/A
8. Configure the authentication mode for the interface.                                                                                    Use either approach. Not configured by default.
   • Configure simple authentication for the interface:   ospf authentication-mode simple [ cipher | plain ] password
   • Configure MD5 authentication for the interface:      ospf authentication-mode { hmac-md5 | md5 } key-id [ cipher | plain ] password
Simple authentication places the password itself in the authentication field of every OSPF packet, so anyone who can capture traffic on the segment reads it; prefer hmac-md5 or md5 wherever the neighbor supports it. The cipher and plain keywords affect only how the password is stored in the configuration file, not how it is carried on the wire. All routers on a segment must use the same authentication mode, and for MD5 the same key-id and password; after changing them, confirm that the neighbors return to Full with display ospf peer.
Step                                      Command                                                                            Remarks
2. Enter OSPF view.                       ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] *       N/A
3. Enable compatibility with RFC 1583.    rfc1583 compatible                                                                 Optional. Enabled by default.
NOTE: To avoid routing loops, HP recommends configuring all the routers to be either compatible or incompatible with RFC 1583.
Logging neighbor state changes
Step                      Command        Remarks
1. Enter system view.     system-view    N/A
2. Enter OSPF view.
Step                               Command                                                                                                                                                                                                                                                              Remarks
3. Enable OSPF trap generation.    snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | iftxretransmit | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | vifcfgerror | virifauthfail | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] *   Optional. Enabled by default.
Of these, ifauthfail and virifauthfail report packets that failed OSPF authentication on an interface or virtual link; forward them to your SNMP collector when authentication is configured, because a burst of them is the first sign of a misconfigured key or of an unauthorized device on the segment.
Enabling message logging
Step                      Command        Remarks
1. Enter system view.     system-view    N/A
2. Enter OSPF view.
Configuring the LSU transmit rate
Sending large numbers of LSU packets affects router performance and consumes too much network bandwidth. You can configure the router to send LSU packets at a proper interval and limit the maximum number of LSU packets sent out of an OSPF interface each time.
To configure the LSU transmit rate:
Step                      Command        Remarks
1. Enter system view.     system-view    N/A
2. Enter OSPF view.
Step                                                                      Command                                      Remarks
5. Enter interface view.                                                  interface interface-type interface-number    N/A
6. Enable BFD control packet bidirectional detection on the interface.    ospf bfd enable                              Not enabled by default.
NOTE:
• One network segment can only belong to one area.
• Both ends of a BFD session must be on the same network segment and in the same area.
Configuring echo packet single-hop detection
Step                      Command        Remarks
1. Enter system view.     system-view    N/A
2.
Task                                           Command
Display OSPF neighbor information.             display ospf [ process-id ] peer [ verbose ] [ interface-type interface-number ] [ neighbor-id ] [ | { begin | exclude | include } regular-expression ]
Display neighbor statistics of OSPF areas.     display ospf [ process-id ] peer statistics [ | { begin | exclude | include } regular-expression ]
Display next hop information.                  display ospf [ process-id ] nexthop [ | { begin | exclude | include } regular-expression ]
Display routing table information.
Task                                       Command                                     Remarks
Reset an OSPF process.                     reset ospf [ process-id ] process           Available in user view
Re-enable OSPF route redistribution.       reset ospf [ process-id ] redistribution    Available in user view
Configuring OSPF basic functions at the CLI
NOTE: In this configuration example, either Router A or Router B is the firewall.
Network requirements
As shown in Figure 263, all routers run OSPF. The AS is split into three areas, in which Router A and Router B act as ABRs.
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.2] quit
[RouterB-ospf-1] quit
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] network 10.2.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] network 10.4.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit
[RouterC-ospf-1] quit
# Configure Router D.
[RouterA] display ospf routing
OSPF Process 1 with Router ID 10.2.1.1
Routing Tables
Routing for Network
Destination    Cost  Type     NextHop    AdvRouter  Area
10.2.1.0/24    1     Transit  10.2.1.1   10.2.1.1   0.0.0.1
10.3.1.0/24    2     Inter    10.1.1.2   10.3.1.1   0.0.0.0
10.4.1.0/24    2     Stub     10.2.1.2   10.4.1.1   0.0.0.1
10.5.1.0/24    3     Inter    10.1.1.2   10.3.1.1   0.0.0.0
10.1.1.0/24    1     Transit  10.1.1.1   10.2.1.1   0.0.0.
10.3.1.0/24    1     Transit  10.3.1.2   10.3.1.1   0.0.0.2
10.4.1.0/24    4     Inter    10.3.1.1   10.3.1.1   0.0.0.2
10.5.1.0/24    1     Stub     10.5.1.1   10.5.1.1   0.0.0.2
10.1.1.0/24    2     Inter    10.3.1.1   10.3.1.1   0.0.0.2
Total Nets: 5
Intra Area: 2  Inter Area: 3  ASE: 0  NSSA: 0
# Ping 10.4.1.1 to test connectivity.
[RouterD] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.4.1.1: bytes=56 Sequence=2 ttl=253 time=2 ms
Reply from 10.4.1.
3. Configure OSPF to redistribute routes:
# On Firewall, configure a static route destined for network 3.1.2.0/24.
system-view
[Firewall] ip route-static 3.1.2.1 24 10.4.1.2
# On Firewall, configure OSPF to redistribute the static route.
[Firewall] ospf 1
[Firewall-ospf-1] import-route static
4. Verify the configuration:
# Display the ABR/ASBR information of Router C.
display ospf abr-asbr
OSPF Process 1 with Router ID 10.5.1.
Firewall is configured with route summarization and advertises only the summary route 10.0.0.0/8 to reduce Router A's routing table size.
Figure 265 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown)
2. Configure OSPF basic functions:
# Configure Router A.
system-view
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 11.2.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Firewall.
# Configure Router C.
system-view
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
# Configure Router D.
system-view
[RouterD] ospf
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit
[RouterD-ospf-1] quit
3.
11.2.1.2/32       Direct  0    0     127.0.0.1  InLoop0
127.0.0.0/8       Direct  0    0     127.0.0.1  InLoop0
127.0.0.1/32      Direct  0    0     127.0.0.1  InLoop0
5. Configure summary route 10.0.0.0/8 on Firewall and advertise it:
[Firewall-ospf-1] asbr-summary 10.0.0.0 8
# Display the routing table of Router A.
[RouterA] display ip routing-table
Routing Tables: Public
Destinations : 5         Routes : 5
Destination/Mask  Proto   Pre  Cost  NextHop    Interface
10.0.0.0/8        O_ASE   150  2     11.2.1.1   GE0/1
11.2.1.0/24       Direct  0    0     11.2.
[FirewallB] ospf
[FirewallB-ospf-1] import-route static
[FirewallB-ospf-1] quit
# Display ABR/ASBR information on Firewall A.
display ospf abr-asbr
OSPF Process 1 with Router ID 10.4.1.1
Routing Table to ABR and ASBR
Type    Destination  Area     Cost  Nexthop   RtType
Intra   10.2.1.1     0.0.0.1  3     10.2.1.1  ABR
Inter   10.3.1.1     0.0.0.1  5     10.2.1.1  ABR
Inter   10.5.1.1     0.0.0.1  7     10.2.1.1  ASBR
# Display OSPF routing information on Firewall A.
[FirewallA-ospf-1] area 1
[FirewallA-ospf-1-area-0.0.0.1] stub
[FirewallA-ospf-1-area-0.0.0.1] quit
[FirewallA-ospf-1] quit
# Display routing information on Firewall A.
[FirewallA] display ospf routing
OSPF Process 1 with Router ID 10.4.1.1
Routing Tables
Routing for Network
Destination    Cost  Type     NextHop    AdvRouter  Area
0.0.0.0/0      4     Inter    10.2.1.1   10.2.1.1   0.0.0.1
10.2.1.0/24    3     Transit  10.2.1.2   10.2.1.1   0.0.0.1
10.3.1.0/24    7     Inter    10.2.1.1   10.2.1.1   0.0.0.1
10.4.1.0/24    3     Stub     10.4.
NOTE: After this configuration, route entries on the stub router are further reduced, containing only the default external route.
Configuring an OSPF NSSA area at the CLI
Network requirements
Figure 267 shows an AS split into three areas, where all routers run OSPF. Router A and Router B act as ABRs to forward routing information between areas. Configure Area 1 as an NSSA area, and configure Firewall as an ASBR to redistribute static routes into the AS.
NOTE:
• If Firewall in the NSSA area wants to obtain routes to other areas within the AS, you need to configure the nssa command with the keyword default-route-advertise on Router A (an ABR) so that Router C can obtain a default route.
• HP recommends configuring the nssa command with the keyword no-summary on Router A to reduce the routing table size on NSSA routers. On other NSSA routers, you only need to configure the nssa command.
# Display routing information on Firewall.
Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0
The output shows that Router C has learned an external route imported from the NSSA area.
Configuring OSPF DR election at the CLI
Network requirements
In Figure 268, Router A, Router B, Firewall A, and Firewall B are on the same network, running OSPF. Configure Firewall A as the DR, and configure Firewall B as the BDR.
Figure 268 Network diagram (Firewall A GE0/1 192.168.1.1/24; Router A Eth1/1 192.168.1.2/24; Router B Eth1/1 192.168.1.4/24; GE0/1 192.168.1.
[FirewallB-ospf-1-area-0.0.0.0] quit
[FirewallB-ospf-1] quit
# Configure Router B.
system-view
[RouterB] router id 4.4.4.4
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] return
# Display neighbor information on Firewall A.
[FirewallA] display ospf peer verbose
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet0/1)'s neighbors
Router ID: 2.2.2.
# Configure Firewall B.
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ospf dr-priority 2
[FirewallB-GigabitEthernet0/1] quit
# Display information about neighbors on Router B.
display ospf peer verbose
OSPF Process 1 with Router ID 4.4.4.4
Neighbors
Area 0.0.0.0 interface 192.168.1.4(Ethernet1/1)'s neighbors
Router ID: 1.1.1.1      Address: 192.168.1.1
State: Full             Mode: Nbr is Slave      Priority: 100
DR: 192.168.1.4         BDR: 192.168.1.
Dead timer due in 39 sec
Neighbor is up for 00:01:40
Authentication Sequence: [ 0 ]
Router ID: 2.2.2.2      Address: 192.168.1.2
State: 2-Way            Mode: None              Priority: 0
DR: 192.168.1.1         BDR: 192.168.1.3        MTU: 0
Dead timer due in 35 sec
Neighbor is up for 00:01:44
Authentication Sequence: [ 0 ]
GR State: Normal
Router ID: 3.3.3.3      Address: 192.168.1.3
State: Full             Mode: Nbr is Slave      Priority: 2
DR: 192.168.1.1         BDR: 192.168.1.
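The two displays above show why Firewall A did not become DR the moment its priority was raised and only did so after the processes were reset: OSPF never preempts a working DR. The following Python, added here and not code from the HP guide, replays the RFC 2328 section 9.4 election on this segment with the example's router IDs and priorities (Firewall A 1.1.1.1 priority 100, Router A 2.2.2.2 priority 0, Firewall B 3.3.3.3 priority 2, Router B 4.4.4.4 default priority 1). What each router currently announces as DR and BDR in its Hellos is constructed for each scenario, and the router 9.9.9.9 in the last scenario is invented to show what an unauthenticated segment allows.

```python
"""DR and BDR election (RFC 2328 section 9.4) replayed on the segment of
the DR election example above. Added illustration, not code from the HP
guide. Router IDs and priorities are those of the example; the Hello
claims (who each router currently announces as DR/BDR) are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

NONE = "0.0.0.0"


@dataclass
class Hello:
    rid: str
    priority: int
    dr: str = NONE    # DR this router currently announces in its Hellos
    bdr: str = NONE   # BDR it currently announces


def _rank(h: Hello):
    # Higher priority wins; ties go to the higher router ID.
    return h.priority, tuple(int(x) for x in h.rid.split("."))


def _one_pass(hellos: Dict[str, Hello]) -> Tuple[str, str]:
    eligible = [h for h in hellos.values() if h.priority > 0]
    # Step 2: BDR is chosen among routers not announcing themselves as DR;
    # routers already announcing themselves as BDR take precedence.
    not_dr = [h for h in eligible if h.dr != h.rid]
    pool = [h for h in not_dr if h.bdr == h.rid] or not_dr
    bdr = max(pool, key=_rank).rid if pool else NONE
    # Step 3: DR is chosen among routers announcing themselves as DR; if
    # none does, the BDR just chosen is promoted.
    claim_dr = [h for h in eligible if h.dr == h.rid]
    dr = max(claim_dr, key=_rank).rid if claim_dr else bdr
    return dr, bdr


def elect(hellos: Dict[str, Hello], me: str) -> Tuple[str, str]:
    """Election as run by router `me`; updates what `me` announces."""
    mine = hellos[me]
    before = (mine.dr == me, mine.bdr == me)
    dr, bdr = _one_pass(hellos)
    if (dr == me, bdr == me) != before:
        # Step 4: my own role changed, so announce it and recalculate once.
        mine.dr, mine.bdr = dr, bdr
        dr, bdr = _one_pass(hellos)
    mine.dr, mine.bdr = dr, bdr
    return dr, bdr


def converge(hellos: Dict[str, Hello], max_rounds: int = 10) -> Tuple[str, str]:
    """Every router runs the election on the Hellos it sees until all agree."""
    for _ in range(max_rounds):
        snapshot = {r: (h.dr, h.bdr) for r, h in hellos.items()}
        for me in hellos:
            elect(hellos, me)
        views = {(h.dr, h.bdr) for h in hellos.values()}
        if len(views) == 1 and snapshot == {r: (h.dr, h.bdr) for r, h in hellos.items()}:
            return views.pop()
    raise RuntimeError("election did not converge")


def segment() -> Dict[str, Hello]:
    """Firewall A 1.1.1.1 (priority 100), Router A 2.2.2.2 (priority 0, never
    DR or BDR), Firewall B 3.3.3.3 (priority 2), Router B 4.4.4.4 (default 1)."""
    return {
        "1.1.1.1": Hello("1.1.1.1", 100),
        "2.2.2.2": Hello("2.2.2.2", 0),
        "3.3.3.3": Hello("3.3.3.3", 2),
        "4.4.4.4": Hello("4.4.4.4", 1),
    }


def fresh_start() -> Tuple[str, str]:
    """All routers start together, as after 'reset ospf process' everywhere."""
    return converge(segment())


def late_joiner() -> Tuple[str, str]:
    """Router B is already DR and Firewall B already BDR when Firewall A comes
    up with priority 100: no preemption, matching the first display above."""
    hellos = segment()
    for rid in ("2.2.2.2", "3.3.3.3", "4.4.4.4"):
        hellos[rid].dr, hellos[rid].bdr = "4.4.4.4", "3.3.3.3"
    return converge(hellos)


def rogue_joiner() -> Tuple[str, str]:
    """A constructed router 9.9.9.9 announcing priority 255 (the maximum) on an
    unauthenticated segment wins a fresh election outright; interface
    authentication is what keeps such Hellos from being accepted at all."""
    hellos = segment()
    hellos["9.9.9.9"] = Hello("9.9.9.9", 255)
    return converge(hellos)


if __name__ == "__main__":
    print("fresh start  DR/BDR:", fresh_start())
    print("late joiner  DR/BDR:", late_joiner())
    print("rogue joiner DR/BDR:", rogue_joiner())
```

The fresh election returns Firewall A as DR and Firewall B as BDR, which is the second display above; with Router B already DR the result stays Router B no matter how high Firewall A's priority is, which is the first display. Priority 0 keeps Router A out of both roles in every scenario.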
In Figure 269, Area 2 has no direct connection to Area 0, the backbone, and Area 1 acts as the transit area to connect Area 2 to Area 0 via a virtual link between Router B and Router C. After configuration, Router B can learn routes to Area 2.
Figure 269 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown)
2. Configure OSPF basic functions:
# Configure Router A.
system-view
[RouterA] ospf 1 router-id 1.1.1.
[RouterD-ospf-1] area 2
[RouterD-ospf-1-area-0.0.0.2] network 10.3.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] quit
# Display OSPF routing information on Router B.
[RouterB] display ospf routing
OSPF Process 1 with Router ID 2.2.2.2
Routing Tables
Routing for Network
Destination    Cost  Type     NextHop    AdvRouter  Area
10.2.1.0/24    2     Transit  10.2.1.1   3.3.3.3    0.0.0.1
10.1.1.0/24    2     Transit  10.1.1.2   2.2.2.2    0.0.0.
Configuring route filtering at the CLI
Network requirements
As shown in Figure 270:
• All the routers in the network run OSPF. The AS is divided into three areas.
• Firewall A works as the ABR between Area 0 and Area 1. Router A works as the ABR between Area 0 and Area 2.
Configure Firewall B as an ASBR to redistribute external routes (static routes), and configure a filter policy on Firewall B to filter out route 3.1.3.0/24. Configure a routing policy on Firewall A to filter route 10.5.1.0/24.
4.
Destination/Mask  Proto   Pre  Cost  NextHop    Interface
3.1.1.0/24        O_ASE   150  1     10.2.1.2   GE0/2
3.1.2.0/24        O_ASE   150  1     10.2.1.2   GE0/2
3.1.3.0/24        O_ASE   150  1     10.2.1.2   GE0/2
10.1.1.0/24       Direct  0    0     10.1.1.1   GE0/1
10.1.1.1/32       Direct  0    0     127.0.0.1  InLoop0
10.2.1.0/24       Direct  0    0     10.2.1.1   GE0/2
10.2.1.1/32       Direct  0    0     127.0.0.1  InLoop0
10.3.1.0/24       OSPF    10   4     10.1.1.2   GE0/1
10.4.1.0/24       OSPF    10   13    10.2.1.2   GE0/2
10.5.1.0/24       OSPF    10   14    10.1.1.2   GE0/1
127.0.0.0/8       Direct  0    0     127.0.0.1  InLoop0
127.0.0.
[FirewallA] ospf 1
[FirewallA-ospf-1] filter-policy 2000 import
[FirewallA-ospf-1] quit
# Display the IP routing table of Firewall A.
[FirewallA] display ip routing-table
Routing Tables: Public
Destinations : 10        Routes : 10
Destination/Mask  Proto   Pre  Cost  NextHop    Interface
3.1.1.0/24        O_ASE   150  1     10.2.1.2   GE0/2
3.1.2.0/24        O_ASE   150  1     10.2.1.2   GE0/2
10.1.1.0/24       Direct  0    0     10.1.1.1   GE0/1
10.1.1.1/32       Direct  0    0     127.0.0.1  InLoop0
10.2.1.0/24       Direct  0    0     10.2.1.1   GE0/2
10.2.1.
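The filter-policy 2000 import step above hides 10.5.1.0/24 from Firewall A's routing table, but the guide does not show the rules of ACL 2000, and the wildcard-mask convention of basic ACLs is a frequent source of filters that silently match nothing or everything. The following Python, added here and not code from the HP guide, implements the wildcard match and the first-match rule walk, then applies it as an import filter over a route list constructed from the "before" table of this example. The rules of ACL 2000 are assumed (deny 10.5.1.0 0.0.0.255, permit any); 3.1.3.0/24 is kept here because it is removed by Firewall B's own export filter, which this block does not model.

```python
"""Wildcard-mask ACL evaluation behind 'filter-policy 2000 import' in the
route-filtering example. Added illustration, not code from the HP guide.
The ACL 2000 rules and the route list are constructed here; the guide
shows the resulting routing tables but not the rules.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, str, str]   # (action, source, wildcard)


def wildcard_match(addr: str, source: str, wildcard: str) -> bool:
    """Comware basic-ACL semantics: a 1 bit in the wildcard is 'don't care',
    so 0.0.0.255 means 'compare the first three octets only'."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(source))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (s & care)


def acl_permits(rules: List[Rule], addr: str) -> bool:
    """First matching rule decides. A route matching no rule is denied
    (Comware behaviour for ACLs referenced by routing filters)."""
    for action, source, wildcard in rules:
        if wildcard_match(addr, source, wildcard):
            return action == "permit"
    return False


def apply_import_filter(routes: List[dict], rules: List[Rule]) -> List[dict]:
    """filter-policy ... import keeps OSPF-calculated routes out of the IP
    routing table when the ACL denies their destination. Direct routes are
    untouched, and LSAs are still flooded onward: this is a local filter."""
    kept = []
    for r in routes:
        if r["proto"] in ("OSPF", "O_ASE"):
            dest = r["dest"].split("/")[0]
            if not acl_permits(rules, dest):
                continue
        kept.append(r)
    return kept


# Constructed from the example's 'before' table (loopback rows omitted).
ROUTES_BEFORE = [
    {"dest": "3.1.1.0/24", "proto": "O_ASE", "nexthop": "10.2.1.2"},
    {"dest": "3.1.2.0/24", "proto": "O_ASE", "nexthop": "10.2.1.2"},
    {"dest": "3.1.3.0/24", "proto": "O_ASE", "nexthop": "10.2.1.2"},
    {"dest": "10.1.1.0/24", "proto": "Direct", "nexthop": "10.1.1.1"},
    {"dest": "10.2.1.0/24", "proto": "Direct", "nexthop": "10.2.1.1"},
    {"dest": "10.3.1.0/24", "proto": "OSPF", "nexthop": "10.1.1.2"},
    {"dest": "10.4.1.0/24", "proto": "OSPF", "nexthop": "10.2.1.2"},
    {"dest": "10.5.1.0/24", "proto": "OSPF", "nexthop": "10.1.1.2"},
]

# Assumed contents of ACL 2000: deny 10.5.1.0/24, permit everything else.
ACL_2000: List[Rule] = [
    ("deny", "10.5.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]

# Common mistake: a subnet mask typed where a wildcard is expected. The
# deny rule now compares only the last octet, which is 0 for every /24.
ACL_2000_MISTYPED: List[Rule] = [
    ("deny", "10.5.1.0", "255.255.255.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]


def filtered_destinations(rules: List[Rule]) -> List[str]:
    return [r["dest"] for r in apply_import_filter(ROUTES_BEFORE, rules)]


if __name__ == "__main__":
    print("ACL 2000 keeps:        ", filtered_destinations(ACL_2000))
    print("mistyped ACL keeps:    ", filtered_destinations(ACL_2000_MISTYPED))
```

With the intended rules only 10.5.1.0/24 disappears; with the mistyped wildcard every OSPF-learned /24 is dropped and only the direct routes remain, which is why a filter change should always be followed by display ip routing-table on the filtering router.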
Figure 271 Network diagram (Firewall A GE0/1 and Router B GE0/1 connected through an L2 switch with BFD running between them, Router C attached to both; all in Area 0; networks 121.1.1.0/24 and 120.1.1.0/24)
Device      Interface  IP address
Firewall A  GE0/1      192.168.0.102/24
            GE0/2      10.1.1.102/24
Router B    GE0/1      192.168.0.100/24
            GE0/2      13.1.1.1/24
Router C    GE0/1      10.1.1.100/24
            GE0/2      13.1.1.2/24
Configuration procedure
1. Configure IP addresses for the interfaces. (Details not shown.)
2.
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 13.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
3. Configure BFD.
# Enable BFD on Firewall A and configure BFD parameters.
Preference: 10                  Cost: 4
IpPrecedence:                   QosLcId:
NextHop: 10.1.1.100             BkNextHop: 0.0.0.0
Interface: GigabitEthernet0/2   BkInterface:
RelyNextHop: 0.0.0.0            Neighbor : 0.0.0.0
Tunnel ID: 0x0                  Label: NULL
BKTunnel ID: 0x0                BKLabel: NULL
State: Invalid Adv              Age: 00h58m05s
Tag: 0
# Enable BFD debugging on Firewall A.
The output shows that the BFD session between Firewall A and Router B is deleted and no information is displayed.
# Display routes to 120.1.1.0/24 on Firewall A. The output shows that Firewall A now reaches Router B through Router C.
display ip routing-table 120.1.1.0 verbose
Routing Table : Public
Summary Count : 2
Destination: 120.1.1.0/24
Protocol: OSPF                  Process ID: 1
Preference: 10                  IpPrecedence:
NextHop: 10.1.1.100             BkNextHop: 0.0.0.0
RelyNextHop: 0.0.0.
5. On an NBMA network, you must use the peer ip-address command to specify the neighbor manually.
6. On an NBMA or a broadcast network, at least one connected interface must have a router priority higher than 0.
Incorrect routing information
Symptom
OSPF cannot find routes to other areas.
Analysis
The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one of those areas must be connected to the backbone.
Configuring BGP
Hardware and feature compatibility
Feature         F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
BFD for BGP     No                No        Yes     No
Overview
The Border Gateway Protocol (BGP) is a dynamic inter-AS Exterior Gateway Protocol. There are three early BGP versions, BGP-1 (RFC 1105), BGP-2 (RFC 1163) and BGP-3 (RFC 1267). The current version in use is BGP-4 (RFC 4271), which is the de facto Internet exterior gateway protocol used between ISPs.
Configuring BGP globally
1. Select Network > Routing Management > BGP from the navigation tree. The BGP configuration page appears.
Figure 272 BGP global configuration page
2. Configure BGP globally as described in Table 68.
Table 68 Configuration items
Item                   Description
Enable BGP             Enable BGP.
AS                     Specify a local AS number.
Import static routes   Configure BGP to redistribute static routes.
Configuring BGP peer
1. Select Network > Routing Management > BGP from the navigation tree.
Figure 273 Tabs on the BGP peer configuration page
2. Click Add on the Peer Configuration tab. The BGP peer configuration page appears.
Figure 274 Creating a BGP peer
3. Configure the parameters as described in Table 69.
Table 69 Configuration items
Item              Description
Peer IP Address   Configure the IP address of the BGP peer.
Peer AS           Specify the AS number of the BGP peer.
Displaying BGP peer information
1. Select Network > Routing Management > BGP from the navigation tree.
The page for displaying the BGP peer information appears.
Figure 275 Displaying BGP peer information
Table 70 Field description
Field             Description
Peer IP Address   IP address of the BGP peer
Peer AS           AS number of the BGP peer
Version           BGP version
State             Current state of the BGP peer
BGP configuration example in the web interface
Network requirements
All devices in the following figure run BGP. Device A and Firewall have an EBGP connection between them.
Figure 277 Enabling BGP
b. Select the Enable BGP box, and enter 65009 for AS.
c. Click Apply. After you enable BGP, the following figure appears.
Figure 278 The web page displayed after you enable BGP
d. Click Add in the Peer Configuration field. The BGP configuration page appears.
Figure 279 Adding a BGP peer
e. Enter 9.1.1.2 for Peer IP Address, and enter 65009 for Peer AS.
f. Click Apply.
g. Click Add in the Peer Configuration field, enter 9.1.3.2 for Peer IP Address, and enter 65009 for Peer AS.
h. Click Apply.
# Configure Device B.
a. Select Network > Routing Management > BGP from the navigation tree of Device B.
b. Select the Enable BGP box, and enter 65009 for AS.
c. Click Apply.
d. Click Add in the Peer Configuration field.
e. Enter 9.1.3.1 for Peer IP Address and enter 65009 for Peer AS.
f. Click Apply.
g. Click Add in the Peer Configuration field.
h. Enter 9.1.2.
Verifying the configuration

# Display the BGP peer connection state of Firewall.
Select Network > Routing Management > BGP from the navigation tree of Firewall, and then click Show Peer in the Show Information field. BGP connections are established from Firewall to other devices, as shown in Figure 280.

Figure 280 BGP configuration result

Configuring BGP at the CLI

BGP configuration task list
Task: Configuring BGP basic functions
  Creating a BGP connection. Remarks: Required.
Task: Controlling route generation
Task: Tuning and optimizing BGP networks
  Configuring the BGP keepalive interval and holdtime. Remarks: Optional.
  Configuring the interval for sending the same update. Remarks: Optional.
  Configuring BGP soft-reset. Remarks: Optional.
  Enabling the BGP ORF capability. Remarks: Optional.
  Enabling 4-byte AS number suppression. Remarks: Optional.
  Enabling quick EBGP session reestablishment. Remarks: Optional.
  Enabling MD5 authentication for TCP connections. Remarks: Optional.
  Configuring BGP load balancing. Remarks: Optional.
Task: Configuring a large scale BGP network
Step 2. Configure a global router ID. Command: router id router-id. Remarks: Optional. Not configured by default. If no global router ID is configured, the highest loopback interface IP address, if any, is used as the router ID. If no loopback interface IP address is available, the highest physical interface IP address is used, regardless of the interface status.
Step 3. Enable BGP and enter BGP view. Command: bgp as-number. Remarks: Not enabled by default.
Step 4. Specify a router ID. Command: router-id router-id. Remarks: Optional.
5.

Step 3. Specify the source interface for establishing TCP connections to a peer or peer group. Command: peer { group-name | ip-address } connect-interface interface-type interface-number. Remarks: By default, BGP uses the outgoing interface of the best route to the BGP peer/peer group as the source interface for establishing a TCP connection to the peer/peer group.

Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Inject a network to the BGP routing table. Command: network ip-address [ mask | mask-length ] route-policy route-policy-name. Remarks: Optional. Not injected by default.

Configuring BGP route redistribution
BGP does not find routes by itself. Rather, it redistributes routing information in the local AS from other routing protocols.
Controlling route distribution and reception

Configuration prerequisites
BGP connections have been created.

Configuring BGP route summarization
To reduce the routing table size on medium and large BGP networks, you need to configure route summarization on BGP routers. BGP supports two summarization modes: automatic and manual. Manual summary routes have a higher priority than automatic ones.

1. Configure automatic route summarization.

Step 3. Advertise a default route to a peer or peer group. Command: peer { group-name | ip-address } default-route-advertise [ route-policy route-policy-name ]. Remarks: Not advertised by default.

Configuring BGP route distribution/reception filtering policies

1. Configuration prerequisites
Configure the following filters as needed:
• ACL
• IP prefix list
• Routing policy
• AS-path ACL
For how to configure an ACL, see Access Control Configuration Guide.

Only routes permitted by the configured filtering policies can be installed into the local BGP routing table. The members of a peer group can have different route reception filtering policies from the peer group.

To configure BGP route reception filtering policies:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Configure the maximum number of prefixes allowed to be received from a peer/peer group. Command:
• Specify the maximum number of prefixes that can be received from a peer/peer group: peer { group-name | ip-address } route-limit prefix-number [ percentage-value ]
• Specify the maximum number of
Configuring BGP route attributes

Configuration prerequisites
Create BGP connections.

Specifying a preferred value for routes received
By default, routes received from a peer have a preferred value of 0. Among multiple routes that have the same destination/mask and are learned from different peers, the one with the greatest preferred value is selected as the route to the destination.

To specify a preferred value for routes from a peer or peer group:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Configure the default local preference. Command: default local-preference value. Remarks: Optional. 100 by default.

Configuring the MED attribute
MED is used to determine the best route for traffic going into an AS. When a BGP router obtains from EBGP peers multiple routes to the same destination but with different next hops, it considers the route with the smallest MED value as the best route if other conditions are the same.

1.

 *>i 10.0.0.0
 * i            2.2.2.2      50     0     300e
                3.3.3.3      50     0     200e

When Router D learns network 10.0.0.0 from Router C, which has a smaller router ID than Router B, the route from Router C becomes optimal.

     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
 *>i 10.0.0.0     1.1.1.1      60              0         200e
 * i 10.0.0.0     2.2.2.2      50              0         300e
 * i              3.3.3.3      50              0         200e

However, Router C and Router B reside in the same AS, so BGP compares their MEDs. Since Router C has a greater MED, network 10.0.0.
Configuring the next hop attribute
By default, when advertising routes to an IBGP peer/peer group, a BGP router does not set itself as the next hop. However, to ensure a BGP peer can find the correct next hop in some cases, you need to configure the router as the next hop for routes sent to the peer. For example, as shown in Figure 282, Router A and Router B establish an EBGP neighbor relationship, and Router B and Router C establish an IBGP neighbor relationship.

Configuring the AS-PATH attribute

1. Permit local AS number to appear in routes from a peer/peer group
In general, BGP checks whether the AS_PATH attribute of a route from a peer contains the local AS number. If so, it discards the route to avoid routing loops.

To permit the local AS number to appear in routes from a peer/peer group and specify the number of times it can appear:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
3.

Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Replace the AS number of a peer/peer group in the AS_PATH attribute with the local AS number. Command: peer { group-name | ip-address } substitute-as. Remarks: Not configured by default.

CAUTION: Improper AS number substitution configuration may cause route loops; use this command with caution.

5.
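The loop check on AS_PATH and the reason the substitute-as caution exists, as an added model written for this section (not HP's code). The allow-as-loop count, the hub-and-spoke AS numbers and the prefixes are constructed; the rules are the ones stated above.

```python
"""Model of the BGP AS_PATH loop check and of what substitute-as does to it.

Added example for this section, not HP's implementation. It encodes the
rules stated on the page: a received route whose AS_PATH contains the local
AS number is discarded unless the peer is permitted a given number of
appearances, and substitute-as rewrites the peer's AS number to the local AS
number in AS_PATH before the route is advertised. All AS numbers and prefixes
below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: str
    as_path: List[int]  # nearest AS first, originating AS last


def count_local_as(as_path: List[int], local_as: int) -> int:
    """Number of times the local AS number appears in AS_PATH."""
    return sum(1 for asn in as_path if asn == local_as)


def accept_route(route: Route, local_as: int, allow_as_loop: int = 0) -> bool:
    """Loop check applied to a route received from a peer.

    allow_as_loop is the number of appearances of the local AS permitted for
    that peer; 0 (the default) means any appearance discards the route.
    """
    return count_local_as(route.as_path, local_as) <= allow_as_loop


def advertise(route: Route, local_as: int, peer_as: int,
              substitute_as: bool = False) -> Route:
    """Build the AS_PATH sent to an EBGP peer.

    The local AS is prepended. When substitute-as is configured for the peer,
    every occurrence of the peer's AS number is rewritten to the local AS
    number first, so the peer can no longer recognise its own AS in the path.
    """
    path = list(route.as_path)
    if substitute_as:
        path = [local_as if asn == peer_as else asn for asn in path]
    return Route(route.prefix, [local_as] + path)


def hub_and_spoke_demo(substitute_as: bool) -> Optional[Route]:
    """Constructed scenario: two customer sites both numbered AS 65001 hang
    off a hub in AS 100. Site 1 originates 10.1.0.0/16 and the hub advertises
    it to site 2. Returns the route site 2 installs, or None when site 2's
    default loop check discards it."""
    site1_origin = Route("10.1.0.0/16", [65001])
    # The hub's own loop check passes: AS 100 is not in the path.
    if not accept_route(site1_origin, local_as=100):
        return None
    to_site2 = advertise(site1_origin, local_as=100, peer_as=65001,
                         substitute_as=substitute_as)
    # Site 2 runs the default loop check against its own AS number.
    return to_site2 if accept_route(to_site2, local_as=65001) else None


if __name__ == "__main__":
    looped = Route("8.1.1.0/24", [65008, 65009, 100])
    print("AS 65009, default check:", accept_route(looped, 65009))
    print("AS 65009, allow-as-loop 1:", accept_route(looped, 65009, 1))
    print("without substitute-as:", hub_and_spoke_demo(False))
    print("with substitute-as:", hub_and_spoke_demo(True))
```

With substitute-as the route reaches site 2 as AS_PATH 100 100, so the loop check alone no longer tells site 2 that the prefix originated under its own AS number; this is the situation the caution above refers to.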
• If the holdtime settings on the local and peer routers are different, the smaller one is used.
• If the keepalive interval is 0 and the negotiated holdtime is not 0, the actual keepalive interval equals one-third of the holdtime.
• If the keepalive interval is not 0, the actual keepalive interval is the smaller one between one third of the holdtime and the keepalive interval.

To configure the BGP keepalive interval and holdtime:
Step 1. Enter system view. Command: system-view. Remarks: N/A
2.

However, if a peer not supporting route-refresh exists in the network, you need to configure the peer keep-all-routes command to save all routes from the peer, which are used when the new route selection policy is applied.

1. Configure automatic soft-reset
After route refresh is enabled for peers and a policy is modified, the router advertises a route-refresh message to the peers, which then resend their routing information to the router.
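The three negotiation rules above, plus the holdtime-based disconnect described later in this chapter, as an added example written for this section (not HP's code). The timer values and the message-arrival timeline are constructed; the behaviour for a negotiated holdtime of 0 is an assumption noted in the code.

```python
"""BGP keepalive/holdtime negotiation and hold-timer expiry.

Added example for this section, not HP code. negotiate_timers() applies the
three rules listed above; hold_timer_expiry() replays a constructed timeline
of messages from a peer and reports when the hold timer would fire, which is
when the router disconnects from the peer.
"""
from typing import List, Optional, Tuple


def negotiate_timers(local_keepalive: int, local_holdtime: int,
                     peer_holdtime: int) -> Tuple[int, int]:
    """Return (negotiated holdtime, actual keepalive interval) in seconds.

    Rule 1: the smaller of the local and peer holdtimes is used.
    Rule 2: keepalive 0 with a non-zero holdtime -> one third of the holdtime.
    Rule 3: non-zero keepalive -> min(one third of the holdtime, keepalive).
    Assumption (not spelled out on the page): a negotiated holdtime of 0
    disables both timers, so (0, 0) is returned.
    """
    holdtime = min(local_holdtime, peer_holdtime)
    if holdtime == 0:
        return 0, 0
    third = holdtime // 3
    if local_keepalive == 0:
        return holdtime, third
    return holdtime, min(third, local_keepalive)


def hold_timer_expiry(holdtime: int, arrivals: List[float],
                      established_at: float = 0.0) -> Optional[float]:
    """Replay the times (seconds) at which KEEPALIVE/UPDATE messages arrived
    from a peer and return the instant the hold timer expires, or None if no
    gap exceeded the holdtime. A holdtime of 0 means the timer never fires."""
    if holdtime == 0:
        return None
    last_seen = established_at
    for t in arrivals:
        if t - last_seen > holdtime:
            return last_seen + holdtime   # session is torn down here
        last_seen = t
    return None


if __name__ == "__main__":
    # Local router: keepalive 60 s, holdtime 180 s; peer offers holdtime 90 s.
    print(negotiate_timers(60, 180, 90))        # (90, 30)
    # Keepalive 0 on the local router with a 180 s negotiated holdtime.
    print(negotiate_timers(0, 180, 180))        # (180, 60)
    # Constructed timeline: keepalives every 30 s, then silence until t=200.
    print(hold_timer_expiry(90, [30.0, 60.0, 90.0, 200.0]))   # 180.0
```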
After you enable the BGP ORF capability, the local BGP router negotiates the ORF capability with the BGP peer through Open messages (determines whether to carry ORF information in messages, and if yes, whether to carry non-standard ORF information in the packets). After completing the negotiation process and establishing the neighboring relationship, the BGP router and its BGP peer can exchange ORF information through specific route-refresh messages.
Step 3. Enable 4-byte AS number suppression. Command: peer { group-name | ip-address } capability-advertise suppress-4-byte-as. Remarks: Disabled by default.

NOTE: If the peer device supports 4-byte AS numbers, do not enable the 4-byte AS number suppression function; otherwise, the BGP peer relationship cannot be established.

Enabling quick EBGP session reestablishment
If the router receives no keepalive messages from a BGP peer within the holdtime, it disconnects from the peer.

Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Configure the maximum number of BGP routes for load balancing. Command: balance number. Remarks: Optional. Load balancing is not enabled by default.

Forbidding session establishment with a peer or peer group
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Forbid session establishment with a peer or peer group.
Step 4. Add a peer into the IBGP peer group. Command: peer ip-address group group-name

2. Configure an EBGP peer group
If peers in an EBGP group belong to the same external AS, the EBGP peer group is a pure EBGP peer group; if not, it is a mixed EBGP peer group. Use one of the following approaches to configure an EBGP peer group:
• Create the EBGP peer group, specify its AS number, and add peers into it. All the added peers share the same AS number.

To configure an EBGP peer group using the third approach:
Step 1. Enter system view. Command: system-view
Step 2. Enter BGP view. Command: bgp as-number
Step 3. Create an EBGP peer group. Command: group group-name external
Step 4. Add a peer into the group and specify its AS number. Command: peer ip-address group group-name as-number as-number

NOTE:
• Do not specify any AS number for a peer before adding it into the peer group.
• Peers added in the group can have different AS numbers.

To configure a BGP route reflector:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
Step 3. Configure the router as a route reflector and specify a peer/peer group as its client. Command: peer { group-name | ip-address } reflect-client. Remarks: Not configured by default.
Step 4. Enable route reflection between clients. Command: reflect between-clients. Remarks: Optional. Enabled by default.
Step 5. Configure the cluster ID of the route reflector. Remarks: Optional.

Step 3. Configure a confederation ID. Command: confederation id as-number. Remarks: Not configured by default.
Step 4. Specify peering sub ASs in the confederation. Command: confederation peer-as as-number-list. Remarks: Not configured by default.

2. Configure confederation compatibility
If some other routers in the confederation do not comply with RFC 3065, you need to enable confederation compatibility to allow the router to work with those routers.
Step 1. Enter system view. Command: system-view. Remarks: N/A
2.

traps and the output direction) are determined according to the information center configuration. (For information center configuration, see System Management and Maintenance Configuration Guide.)

To enable Trap:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enable Trap for BGP. Command: snmp-agent trap enable bgp. Remarks: Optional. Enabled by default.

Enabling logging of peer state changes
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter BGP view. Command: bgp as-number. Remarks: N/A
3.
Displaying and maintaining BGP

Displaying BGP
Task: Display peer group information. Command: display bgp group [ group-name ] [ | { begin | exclude | include } regular-expression ]
Task: Display advertised BGP routing information. Command: display bgp network [ | { begin | exclude | include } regular-expression ]
Task: Display AS path information. Command: display bgp paths [ as-regular-expression | | { begin | exclude | include } regular-expression ]
Task: Display BGP peer/peer group information.

Task: Display BGP dampened routing information. Command: display bgp routing-table dampened [ | { begin | exclude | include } regular-expression ]
Task: Display BGP dampening parameter information. Command: display bgp routing-table dampening parameter [ | { begin | exclude | include } regular-expression ]
Task: Display BGP routing information originating from different ASs. Command: display bgp routing-table different-origin-as [ | { begin | exclude | include } regular-expression ]
Task: Display BGP routing flap statistics.

Task: Reset all IBGP connections. Command: reset bgp internal
Task: Reset all IPv4 unicast BGP connections. Command: reset bgp ipv4 all

Clearing BGP information
Task: Clear dampened MBGP routing information and release suppressed routes. Command: reset bgp dampening [ ip-address [ mask | mask-length ] ]
Task: Clear route flap information.
[FirewallB-bgp] peer 3.3.3.3 as-number 65009
[FirewallB-bgp] peer 3.3.3.3 connect-interface loopback 0
[FirewallB-bgp] quit
[FirewallB] ospf 1
[FirewallB-ospf-1] area 0
[FirewallB-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[FirewallB-ospf-1-area-0.0.0.0] network 9.1.1.1 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.0] quit
[FirewallB-ospf-1] quit
# Configure Firewall C.
system-view
[FirewallC] bgp 65009
[FirewallC-bgp] router-id 3.3.3.3
[FirewallC-bgp] peer 2.2.2.

[FirewallB] bgp 65009
[FirewallB-bgp] peer 3.1.1.2 as-number 65008
[FirewallB-bgp] quit
# Display BGP peer information on Firewall B.
[FirewallB] display bgp peer
 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 2
  Peer       AS     MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down   State
  3.3.3.3    65009  12       10       0     3        00:09:16  Established
  3.1.1.

 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
   i 8.1.1.0/24   3.1.1.2      0      100      0         65008i

NOTE: From the outputs, you can see that Firewall A has learned no route to AS 65009, and that Firewall C has learned network 8.1.1.0 but its next hop 3.1.1.2 is unreachable, so the route is invalid.

4.

   i 2.2.2.2/32   2.2.2.2      0      100      0         ?
 *>i 3.1.1.0/24   2.2.2.2      0      100      0         ?
 *>i 8.1.1.0/24   3.1.1.2      0      100      0         65008i
 * i 9.1.1.0/24   2.2.2.2      0      100      0         ?

The output shows that the route 8.1.1.0 becomes valid with the next hop as Firewall A.

5. Verify the configuration:
# Ping 8.1.1.1 on Firewall C.
[FirewallC] ping 8.1.1.1
  PING 8.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=2 ms
    Reply from 8.1.1.
[FirewallB-ospf-1-area-0.0.0.0] quit
[FirewallB-ospf-1] quit
# Configure Firewall C.
system-view
[FirewallC] ospf 1
[FirewallC-ospf-1] import-route direct
[FirewallC-ospf-1] area 0
[FirewallC-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[FirewallC-ospf-1-area-0.0.0.0] quit
[FirewallC-ospf-1] quit

3. Configure the EBGP connection:
Configure the EBGP connection and inject network 8.1.1.0/24 to the BGP routing table of Firewall A, so that Firewall B can obtain the route to 8.1.1.0/24.

     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
 *>  3.3.3.3/32   3.1.1.1      1               0         65009?
 *>  8.1.1.0/24   0.0.0.0      0               0         i
 *>  9.1.2.0/24   3.1.1.1      1               0         65009?

# Display the routing table on Firewall C.
[FirewallC] display ip routing-table
Routing Tables: Public
        Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost   NextHop      Interface
2.2.2.2/32          OSPF    10   1      9.1.1.1      GE0/1
3.3.3.3/32          Direct  0    0      127.0.0.1    InLoop0
8.1.1.0/24          O_ASE   1           9.1.1.1      GE0/1
9.1.1.0/24          Direct  0    0      9.1.1.

  round-trip min/avg/max = 2/2/2 ms

BGP load balancing configuration at the CLI

Network requirements
This example describes how to configure BGP load balancing. As shown in Figure 286, all firewalls run BGP; Firewall A resides in AS 65008, and Firewall B and Firewall C in AS 65009. Firewall A has EBGP connections to Firewall B and to Firewall C, and Firewall B and Firewall C have an IBGP connection. Two routes are configured on Firewall A for load balancing.

[FirewallA-bgp] quit
# Configure Firewall B.
system-view
[FirewallB] bgp 65009
[FirewallB-bgp] router-id 2.2.2.2
[FirewallB-bgp] peer 3.1.1.2 as-number 65008
[FirewallB-bgp] peer 3.3.3.3 as-number 65009
[FirewallB-bgp] peer 3.3.3.3 connect-interface loopback 0
[FirewallB-bgp] network 9.1.1.0 24
[FirewallB-bgp] quit
[FirewallB] ip route-static 3.3.3.3 32 9.1.1.2
# Configure Firewall C.
system-view
[FirewallC] bgp 65009
[FirewallC-bgp] router-id 3.3.3.3
[FirewallC-bgp] peer 3.1.2.

[FirewallA-bgp] quit

4. Verify the configuration:
# Display the BGP routing table on Firewall A.
[FirewallA] display bgp routing-table
 Total Number of Routes: 3
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
 *>  8.1.1.0/24   0.0.0.0      0               0         i
 *>  9.1.1.0/24   3.1.1.1      0               0         65009i
 *>               3.1.2.
[FirewallA] bgp 10
[FirewallA-bgp] router-id 1.1.1.1
[FirewallA-bgp] peer 200.1.2.2 as-number 20
[FirewallA-bgp] network 9.1.1.0 255.255.255.0
[FirewallA-bgp] quit
# Configure Firewall B.
system-view
[FirewallB] bgp 20
[FirewallB-bgp] router-id 2.2.2.2
[FirewallB-bgp] peer 200.1.2.1 as-number 10
[FirewallB-bgp] peer 200.1.3.2 as-number 30
[FirewallB-bgp] quit
# Configure Firewall C.
system-view
[FirewallC] bgp 30
[FirewallC-bgp] router-id 3.3.3.3
[FirewallC-bgp] peer 200.1.3.

Firewall C has learned the route to the destination 9.1.1.0/24 from Firewall B.

3. Configure BGP community attribute:
# Configure a routing policy.
[FirewallA] route-policy comm_policy permit node 0
[FirewallA-route-policy] apply community no-export
[FirewallA-route-policy] quit
# Apply the routing policy.
[FirewallA] bgp 10
[FirewallA-bgp] peer 200.1.2.2 route-policy comm_policy export
[FirewallA-bgp] peer 200.1.2.2 advertise-community
# Display BGP routing table information on Firewall B.

Figure 288 Network diagram

Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown)
2. Configure BGP connections:
# Configure Firewall A.
system-view
[FirewallA] bgp 100
[FirewallA-bgp] peer 192.1.1.2 as-number 200
# Inject network 1.0.0.0/8 to the BGP routing table.
[FirewallA-bgp] network 1.0.0.0
[FirewallA-bgp] quit
# Configure Firewall B.
system-view
[FirewallB] bgp 200
[FirewallB-bgp] peer 192.1.1.1 as-number 100
[FirewallB-bgp] peer 193.1.1.

4. Verify the configuration:
# Display the BGP routing table on Firewall B.
[FirewallB] display bgp routing-table
 Total Number of Routes: 1
 BGP Local router ID is 200.1.2.2
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
 *>  1.0.0.0      192.1.1.1    0               0         100i
# Display the BGP routing table on Firewall D.
Figure 289 Network diagram (Firewall A in AS 65001 with GE0/1 to GE0/5; Firewall B in AS 65002; Firewall C in AS 65003; Firewall D and Firewall E in AS 65001; confederation AS 200; Firewall F in AS 100)

Device, interface and IP address (as recoverable from the extracted table; the device labels of the last three right-hand rows were not recovered):
Firewall A: GE0/5 200.1.1.1/24; GE0/1 10.1.2.1/24; GE0/2 10.1.3.1/24; GE0/3 10.1.4.1/24; GE0/4 10.1.1.1/24
Firewall D: GE0/1 10.1.5.1/24; GE0/2 10.1.3.2/24
GE0/1 10.1.5.2/24; GE0/2 10.1.4.2/24
GE0/1 9.1.1.

system-view
[FirewallC] bgp 65003
[FirewallC-bgp] router-id 3.3.3.3
[FirewallC-bgp] confederation id 200
[FirewallC-bgp] confederation peer-as 65001 65002
[FirewallC-bgp] peer 10.1.2.1 as-number 65001
[FirewallC-bgp] quit

3. Configure IBGP connections in AS65001:
# Configure Firewall A.
[FirewallA] bgp 65001
[FirewallA-bgp] peer 10.1.3.2 as-number 65001
[FirewallA-bgp] peer 10.1.3.2 next-hop-local
[FirewallA-bgp] peer 10.1.4.2 as-number 65001
[FirewallA-bgp] peer 10.1.4.

[FirewallB] display bgp routing-table
 Total Number of Routes: 1
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, ^ - VPNv4 best, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
     Network      NextHop      MED    LocPrf   PrefVal   Path/Ogn
 *>i 9.1.1.0/24   10.1.1.1     0      100      0         (65001) 100i
[FirewallB] display bgp routing-table 9.1.1.0
 BGP local router ID : 2.2.2.

 AS-path : 100
 Origin : igp
 Attribute value : MED 0, localpref 100, pref-val 0, pre 255
 State : valid, internal, best,
 Not advertised to any peers yet

The output information shows that:
• Firewall F can send route information to Firewall B and Firewall C through the confederation by establishing only an EBGP connection with Firewall A.
• Firewall B and Firewall D are in the same confederation, but belong to different sub ASs.
[FirewallB-ospf-1-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.0] network 194.1.1.0 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.0] quit
[FirewallB-ospf-1] quit
# Configure Firewall C.
system-view
[FirewallC] ospf 1
[FirewallC-ospf-1] area 0
[FirewallC-ospf-1-area-0.0.0.0] network 193.1.1.0 0.0.0.255
[FirewallC-ospf-1-area-0.0.0.0] network 195.1.1.0 0.0.0.255
[FirewallC-ospf-1-area-0.0.0.0] quit
[FirewallC-ospf-1] quit
# Configure Firewall D.

Method I: Specify a higher MED value for the route 1.0.0.0/8 advertised to 192.1.1.2 to make Firewall D give priority to the route learned from Firewall C.
# Define ACL 2000 to permit the route 1.0.0.0/8.
[FirewallA] acl number 2000
[FirewallA-acl-basic-2000] rule permit source 1.0.0.0 0.255.255.255
[FirewallA-acl-basic-2000] quit
# Define routing policy apply_med_50 that sets the MED value of route 1.0.0.0/8 to 50, and routing policy apply_med_100 that sets the MED value of route 1.0.0.0/8 to 100.

[FirewallC-route-policy] quit
# Apply the routing policy localpref to the route from the peer 193.1.1.1 on Firewall C.
[FirewallC] bgp 200
[FirewallC-bgp] peer 193.1.1.1 route-policy localpref import
[FirewallC-bgp] quit
# Display the BGP routing table on Firewall D.
[FirewallD] display bgp routing-table
 Total Number of Routes: 2
 BGP Local router ID is 194.1.1.
2. Configure OSPF so that Firewall A and Router C can reach each other.
3. Configure BGP on Firewall A:
# Establish two IBGP connections between Firewall A and Router C.
system-view
[FirewallA] bgp 100
[FirewallA-bgp] peer 3.0.2.2 as-number 200
[FirewallA-bgp] peer 2.0.2.2 as-number 200
[FirewallA-bgp] quit
# When the two links between Firewall A and Router C are both up, Router C adopts the link Firewall A<—>Router B<—>Router C to exchange packets with network 1.1.1.0/24.

• Configure the minimum interval for transmitting BFD control packets as 500 milliseconds.
[FirewallA-GigabitEthernet0/2] bfd min-transmit-interval 500
• Configure the minimum interval for receiving BFD control packets as 500 milliseconds.
[FirewallA-GigabitEthernet0/2] bfd min-receive-interval 500
• Configure the detect multiplier as 7.

 Total number of peers : 2                 Peers in established state : 2
  Peer       AS     MsgRcvd  MsgSent  OutQ  PrefRcv  Up/Down   State
  2.0.1.1    200    7        10       0     0        00:01:05  Established
  3.0.1.1    200    7        10       0     0        00:01:34  Established
# Display route 1.1.1.0/24 on Router C; the output shows that Firewall A and Router C communicate through Router B.
display ip routing-table 1.1.1.0 24 verbose
Routing Table : Public
Summary Count : 2
Destination: 1.1.1.0/24
   Protocol: BGP         Process ID: 0
 Preference: 0           NextHop: 3.0.1.

*Nov 5 11:42:24:187 2009 RouterC RM/6/RMDEBUG: BGP_BFD: Reset BGP session 3.0.1.1 for BFD session down.
*Nov 5 11:42:24:187 2009 RouterC RM/6/RMDEBUG: BGP_BFD: Send DELETE msg to BFD, Connection type DIRECT, Src IP 3.0.2.2, Dst IP 3.0.1.1, Instance ID 0.
# Display route 1.1.1.0/24 on Router C; the output shows that Firewall A and Router C now communicate through Router D.
display ip routing-table 1.1.1.0 24 verbose
Routing Table : Public
Summary Count : 1
Destination: 1.1.1.

8. Use the display tcp status command to check the TCP connection.
9. Check whether an ACL disabling TCP port 179 is configured.
Configuring IS-IS

NOTE:
• The term "router" in this chapter refers to both routers and Layer 3 firewalls.
• The IS-IS configuration is available only in the command line interface (CLI).

Task: Tuning and optimizing IS-IS networks
  Specifying intervals for sending IS-IS hello and CSNP packets. Remarks: Optional
  Specifying the IS-IS hello multiplier. Remarks: Optional
  Configuring a DIS priority for an interface. Remarks: Optional
  Disabling an interface from sending/receiving IS-IS packets. Remarks: Optional
  Enabling an interface to send small hello packets. Remarks: Optional
  Configuring LSP parameters. Remarks: Optional
  Configuring SPF parameters. Remarks: Optional
  Assigning a high priority to an IS-IS IP
Task: Enhancing IS-IS network security

Step 6. Enable an IS-IS process on the interface. Command: isis enable [ process-id ]. Remarks: Disabled by default.

Configuring the IS level and circuit level
If only one area is available, HP recommends that you perform the following operations:
• Configure the IS level of all routers as Level-1 or Level-2 rather than different levels, because the routers then do not need to maintain two identical LSDBs.
• Configure the IS level as Level-2 on all routers in an IP network for scalability.

Step 3. Configure the network type for the interface as P2P. Command: isis circuit-type p2p. Remarks: Optional. By default, the network type of an interface depends on the physical media.

NOTE: You can only perform this configuration for a broadcast network with only two attached routers.

Step 5. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A
Step 6. Specify a cost for the interface. Command: isis cost value [ level-1 | level-2 ]. Remarks: Optional. No cost is specified for the interface by default.

Configuring a global IS-IS cost
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Specify an IS-IS cost style.
Step 3. Specify a priority for IS-IS. Command: preference { route-policy route-policy-name | preference } *. Remarks: 15 by default.

Configuring the maximum number of ECMP routes
Perform this task to implement load sharing over ECMP routes.
To configure the maximum number of ECMP routes:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Specify the maximum number of ECMP routes for load balancing.

Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Advertise a default route. Command: default-route-advertise [ route-policy route-policy-name | [ level-1 | level-1-2 | level-2 ] ] *. Remarks: By default, the function is disabled.

NOTE: The default route is only advertised to routers at the same level. You can use a routing policy to generate the default route only when a local routing entry is matched by the policy.

By referencing a configured ACL, IP prefix list or routing policy, you can filter the calculated routes. Only the routes matching the filter can be added into the IS-IS routing table.
To filter routes calculated from received LSPs:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Filter routes calculated from received LSPs.

NOTE:
• If a filter policy is specified, only routes passing it can be advertised into the Level-1 area.
• You can specify a routing policy in the import-route isis level-2 into level-1 command to filter routes from Level-2 to Level-1. Other routing policies specified for route reception and redistribution do not affect the route leaking.

Step 3. Specify the number of hello packets a neighbor must miss before declaring the router down. Command: isis timer holding-multiplier value [ level-1 | level-2 ]. Remarks: Optional. 3 by default.

NOTE: On a broadcast link, Level-1 and Level-2 hello packets are advertised separately; therefore, you need to set a hello multiplier for each level. On a P2P link, Level-1 and Level-2 hello packets are advertised in P2P hello packets, and you do not need to specify Level-1 or Level-2.

Enabling an interface to send small hello packets
IS-IS messages cannot be fragmented at the IP layer because they are directly encapsulated into frames. Any two IS-IS neighboring routers need to negotiate a common MTU. To avoid sending big hellos and save bandwidth, enable the interface to send small hello packets without CLVs.
To enable an interface to send small hello packets:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter interface view.
Step 3. Specify the LSP refresh interval. Command: timer lsp-refresh seconds. Remarks: Optional. 900 seconds by default.
Step 4. Specify the LSP generation interval. Command: timer lsp-generation maximum-interval [ initial-interval [ second-wait-interval ] ] [ level-1 | level-2 ]. Remarks: Optional. 2 seconds by default.

3. Specify LSP sending intervals
If a change occurs in the LSDB, IS-IS advertises the changed LSP to neighbors. You can specify the minimum interval for sending such LSPs.

Step 4. Specify the maximum length of received LSPs. Command: lsp-length receive size. Remarks: 1497 bytes by default.

Enabling LSP flash flooding
Because changed LSPs may trigger SPF recalculation, you can enable LSP flash flooding to advertise the changed LSPs before the router recalculates routes. Doing so can speed up network convergence.
To enable LSP flash flooding:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view.

Figure 292 Network diagram of a fully meshed network

To avoid this, configure some interfaces as a mesh group, configure the blocked interfaces, or both.
• After receiving an LSP, a member interface in a mesh group floods it out the interfaces that do not belong to the mesh group.
• If an interface is blocked, it does not send LSPs unless the neighbor sends LSP requests to it.

Step 3. Configure the SPF calculation interval. Command: timer spf maximum-interval [ initial-interval [ second-wait-interval ] ]. Remarks: Optional. The default SPF calculation interval is 10 seconds.

Assigning a high priority to an IS-IS IP prefix
An IS-IS topology change causes route convergence. By assigning a high priority to an IS-IS IP prefix, you can achieve faster convergence for the specific routes.
To assign a high priority to an IS-IS IP prefix:
Step 1. Enter system view.

system IDs in dotted decimal notation is not convenient. To solve this, you can configure mappings between system IDs and host names, since host names are easier to remember and use. Such mappings can be configured manually or dynamically.
• Using the display isis lsdb command on a router configured with dynamic system ID to host name mapping displays router names rather than system IDs.
Enabling the logging of neighbor state changes
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Enable the logging of neighbor state changes. Command: log-peer-change. Remarks: Enabled by default.

NOTE: With this feature enabled, the router delivers information about neighbor state changes to the terminal for display.

NOTE:
• The level-1 and level-2 keywords are configurable on an interface that has IS-IS enabled with the isis enable command.
• If you configure an authentication mode and a password without specifying a level, the authentication mode and password apply to both Level-1 and Level-2.
• If neither ip nor osi is specified, the OSI related fields in LSPs are checked.

Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Enable SNMP trap. Command: is-snmp-traps enable. Remarks: Enabled by default.

Binding an IS-IS process with MIBs
To bind an IS-IS process with MIBs:
Step 1. Enter system view. Command: system-view. Remarks: N/A
Step 2. Enter IS-IS view. Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]. Remarks: N/A
Step 3. Bind the IS-IS process with MIBs. Command: isis mib-binding process-id. Remarks: By default, MIBs are bound with IS-IS process 1.

Task: Display IS-IS IPv4 routing information. Command: display isis route [ ipv4 ] [ [ level-1 | level-2 ] | verbose ] * [ process-id [ ipv4-unicast topology-name ] | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
Task: Display IS-IS SPF calculation log information. Command: display isis spf-log [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view
Task: Display IS-IS statistics.
# Configure Firewall A.
system-view
[FirewallA] isis 1
[FirewallA-isis-1] is-level level-1
[FirewallA-isis-1] network-entity 10.0000.0000.0001.00
[FirewallA-isis-1] quit
[FirewallA] interface GigabitEthernet 4/1
[FirewallA-GigabitEthernet4/1] isis enable 1
[FirewallA-GigabitEthernet4/1] quit
# Configure Firewall B.
system-view
[FirewallB] isis 1
[FirewallB-isis-1] is-level level-1
[FirewallB-isis-1] network-entity 10.0000.0000.0002.
[FirewallA] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-------------------------------------------------------------------------
0000.0000.0001.00-00* 0x0000000d 0xb184 879 68 0/0/0
0000.0000.0002.00-00 0x0000000c 0xcf65 493 68 0/0/0
0000.0000.0003.
LSPID Seq Num Checksum Holdtime Length ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0003.00-00* 0x00000013 0xbb56 1026 100 0/0/0
0000.0000.0004.
-------------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GE4/2 Direct D/L/-
10.1.2.0/24 10 NULL GE4/1 Direct D/L/-
192.168.0.
Figure 294 Network diagram
Configuration procedure
1. Configure an IP address for interfaces. (Details not shown.)
2. Enable IS-IS:
# Configure Firewall A.
system-view
[FirewallA] isis 1
[FirewallA-isis-1] network-entity 10.0000.0000.0001.00
[FirewallA-isis-1] quit
[FirewallA] interface GigabitEthernet 4/1
[FirewallA-GigabitEthernet4/1] isis enable 1
[FirewallA-GigabitEthernet4/1] quit
# Configure Firewall B.
system-view
[FirewallB] isis 1
[FirewallB-isis-1] network-entity 10.
[FirewallD] isis 1
[FirewallD-isis-1] network-entity 10.0000.0000.0004.00
[FirewallD-isis-1] is-level level-2
[FirewallD-isis-1] quit
[FirewallD] interface GigabitEthernet 4/1
[FirewallD-GigabitEthernet4/1] isis enable 1
[FirewallD-GigabitEthernet4/1] quit
# Display information about IS-IS neighbors of Firewall A.
[FirewallA] display isis peer
Peer information for ISIS(1)
----------------------------
System Id: 0000.0000.0002 Interface: GigabitEthernet4/1 Circuit Id: 0000.0000.0003.
--------------------------------
Interface: GigabitEthernet4/1
Id IPV4.State IPV6.State MTU Type DIS
001 Up Down 1497 L1/L2 No/Yes
By using the default DIS priority, Firewall C is the Level-1 DIS, and Firewall D is the Level-2 DIS. The pseudonodes of Level-1 and Level-2 are 0000.0000.0003.01 and 0000.0000.0004.01 respectively.
3.
System Id: 0000.0000.0001 Interface: GigabitEthernet4/1 Circuit Id: 0000.0000.0001.01
State: Up Type: L1 HoldTime: 7s PRI: 100
System Id: 0000.0000.0002 Interface: GigabitEthernet4/1 Circuit Id: 0000.0000.0001.01
State: Up Type: L1 HoldTime: 23s PRI: 64
[FirewallC] display isis interface
Interface information for ISIS(1)
--------------------------------
Interface: GigabitEthernet4/1
Id IPV4.State IPV6.
Figure 295 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure IS-IS basic functions:
# Configure Router A.
system-view
[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface GigabitEthernet 0/1
[RouterA-GigabitEthernet0/1] isis enable 1
[RouterA-GigabitEthernet0/1] quit
# Configure Router B.
[RouterC] interface GigabitEthernet0/3
[RouterC-GigabitEthernet0/3] isis enable 1
[RouterC-GigabitEthernet0/3] quit
# Configure Firewall.
system-view
[Firewall] isis 1
[Firewall-isis-1] is-level level-2
[Firewall-isis-1] network-entity 20.0000.0000.0004.00
[Firewall-isis-1] quit
[Firewall] interface GigabitEthernet 4/2
[Firewall-GigabitEthernet4/2] isis enable 1
[Firewall-GigabitEthernet4/2] quit
# Display IS-IS routing information on each router.
-------------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GE0/2 Direct D/L/-
10.1.2.0/24 10 NULL GE0/1 Direct D/L/-
192.168.0.
ISIS(1) IPv4 Level-1 Forwarding Table
------------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags
-------------------------------------------------------------------------
10.1.1.0/24 10 NULL GE0/2 Direct D/L/-
10.1.2.0/24 10 NULL GE0/1 Direct D/L/-
192.168.0.
Figure 296 Network diagram
Configuration procedure
1. Configure IP addresses for interfaces. (Details not shown.)
2. Configure IS-IS basic functions:
# Configure Firewall A.
system-view
[FirewallA] isis 1
[FirewallA-isis-1] network-entity 10.0000.0000.0001.00
[FirewallA-isis-1] is-level level-1
[FirewallA-isis-1] quit
[FirewallA] interface GigabitEthernet 4/1
[FirewallA-GigabitEthernet4/1] isis enable 1
[FirewallA-GigabitEthernet4/1] quit
# Configure Firewall B.
[FirewallC] interface GigabitEthernet 4/3
[FirewallC-GigabitEthernet4/3] isis enable 1
[FirewallC-GigabitEthernet4/3] quit
# Configure Firewall D.
system-view
[FirewallD] isis 1
[FirewallD-isis-1] network-entity 20.0000.0000.0001.00
[FirewallD-isis-1] quit
[FirewallD] interface GigabitEthernet 4/1
[FirewallD-GigabitEthernet4/1] isis enable 1
[FirewallD-GigabitEthernet4/1] quit
3.
5. Configure routing domain authentication.
Configuring load sharing
Feature and hardware compatibility
Feature: Load sharing. F1000-A-EI/S-EI: No. F1000-E: No. F5000: Yes. Firewall module: No.
Configuring the load sharing mode
A routing protocol can be configured with multiple equal-cost routes to the same destination. These routes have the same preference and will all be used to accomplish load balancing if there is no route with a higher preference available.
Displaying the routing table
Displaying the routing table is a basic way to troubleshoot routing problems. The device supports displaying the routing table in the web interface and at the CLI.
Displaying the routing table in the web interface
NOTE: Only active routes are displayed on the route display page.
Select Network > Routing Management > Routing Info from the navigation tree to enter the route display page, as shown in Figure 297.
Displaying the routing table at the CLI
Task: Display information about the routing table. Command: display ip routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about routes permitted by an IPv4 basic ACL.
Configuring policy-based routing
Overview
Policy-based routing (PBR) is a routing mechanism based on user-defined policies. Unlike the traditional destination-based routing mechanism, PBR lets you use a policy to route packets based on the source address, packet length, and other criteria.
○ permit—Specifies the match mode of a policy node as permit. If a packet satisfies all the if-match clauses on the policy node, the apply clause is executed. If not, the packet will go to the next policy node.
○ deny—Specifies the match mode of a policy node as deny. When a packet satisfies all the if-match clauses on the policy node, the packet will be rejected and will not go to the next policy node.
A packet satisfying the match criteria on a node will not go to other nodes.
Configuring a policy and the policy node
Creating a policy
Select Network > Routing Management > Policy Routing from the navigation tree to enter the default policy configuration page, as shown in Figure 298. Click Add to enter the policy configuration page, as shown in Figure 299. You can create a policy and configure its policy node on the page.
Table 73 Configuration items
Policy Name: Enter a policy name. IMPORTANT: Any spaces entered at the beginning or end of a policy name will be ignored. A policy name containing only spaces is considered as null.
Node Index: Enter a node index of the policy. The node with a smaller number has a higher priority and is matched first.
Select a matching mode for the node.
Configuring a policy node
To configure a node for an existing policy, use one of the following methods:
• Click Add in Figure 298 to enter the policy configuration page as shown in Figure 299. Enter the name of the policy in the Policy Name box, and then configure its node.
• Click the policy name link in Figure 298 to enter the policy node list page, as shown in Figure 300. You can create, modify, or remove a policy node on the page.
Applying a policy
Select Network > Routing Management > Policy Routing from the navigation tree, and then click the Application tab to enter the page shown in Figure 302. Click Add to enter the page where you can apply a policy, as shown in Figure 303.
Figure 302 PBR application page
Figure 303 Applying a policy
Table 75 Configuration items
Specify the policy application mode:
• Local—Enables local PBR. Unless otherwise required, HP does not recommend enabling local PBR.
Figure 304 Network diagram
Configuration considerations
To meet these requirements:
• Configure ACL 3101 to match TCP packets and ACL 3102 to match all packets.
• Configure node 5 of the policy to send the inbound packets matching ACL 3101 to GigabitEthernet 0/2.
• Configure node 10 of the policy not to process the inbound packets matching ACL 3102.
• Apply the policy on GigabitEthernet 0/1.
Configuration procedure
1. Configure IP addresses for interfaces and configure security zones.
Figure 305 Creating ACL 3101
# Define rules for ACL 3101.
○ Click the icon of ACL 3101 in the ACL list page. Then click Add and perform the following configurations as shown in Figure 306.
○ Select Permit for Operation.
○ Select 6 TCP for Protocol.
○ Click Apply.
Figure 306 Defining rules for ACL 3101
# Create ACL 3102.
○ Select Firewall > ACL from the navigation tree, and then click Add.
○ Enter 3102 for ACL Number.
○ Select Config for Match Order.
○ Click Apply.
# Define rules for ACL 3102.
○ Click the icon of ACL 3102 in the ACL list page, and then click Add.
○ Select Permit for Operation.
○ Select IP for Protocol.
○ Click Apply.
3. Configure policy aaa:
# Create node 5 for policy aaa.
○ Select Network > Routing Management > Policy Routing from the navigation tree to enter the default policy configuration page. Then click Add and perform the following configuration as shown in Figure 307.
# Create node 10 for policy aaa.
○ Click Add on the policy configuration page and perform the following configuration as shown in Figure 308.
○ Enter aaa as the policy name and 10 as the node index, and set the mode to deny.
○ Enter 3102 as the number of the ACL for matching all IP packets.
○ Enter next hop 1.1.1.1. (Configure the next hop based on your network environment.)
○ Click Apply.
Figure 308 Creating node 10 for policy aaa
# Apply policy aaa to GigabitEthernet 0/1.
Figure 309 Applying policy aaa to GigabitEthernet 0/1
Configuring PBR at the CLI
Defining a policy
To define a policy:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a policy or policy node and enter PBR policy node view. Command: policy-based-route policy-name [ deny | permit ] node node-number. Remarks: N/A.
3. Define a packet length match criterion. Command: if-match packet-length min-len max-len. Remarks: Optional.
4. Define an ACL match criterion. Command: if-match acl acl-number. Remarks: Optional.
5.
Optional.
8. Set next hops. Command: apply ip-address next-hop ip-address [ direct ] [ track track-entry-number ] [ ip-address [ direct ] [ track track-entry-number ] ]. Remarks: Optional.
9. Set default outgoing interfaces. Command: apply default output-interface interface-type interface-number [ track track-entry-number ] [ interface-type interface-number [ track track-entry-number ] ].
10. Set default next hops.
Configuring local PBR
Only one policy can be referenced for local PBR.
To configure local PBR:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure local PBR. Command: ip local policy-based-route policy-name. Remarks: Not configured by default.
NOTE: If the specified policy does not exist, the local PBR configuration succeeds, but it takes effect only when the policy is created.
Configuring interface PBR
Only one policy can be referenced by an interface for interface PBR.
Task: Display the PBR policy information. Command: display policy-based-route [ policy-name ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Clear PBR statistics. Command: reset policy-based-route statistics [ policy-name ]. Remarks: Available in user view.
NOTE:
• If a policy has a node with no if-match or apply clause configured, all packets can pass the policy. However, no action is taken and the packets will not go to the next policy node for a match.
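As an added example (not code from the HP guide), the following Python script models the node-matching rules this chapter describes for permit and deny nodes and for a node with no if-match or apply clause: nodes are tried in index order, a permit node whose if-match clauses all match executes its apply clause, a matching deny node hands the packet back to ordinary routing without visiting further nodes, and an empty node lets every packet pass with no action. Policy aaa and the packet-length policy lab1 are reconstructed from this chapter's examples; the ACL model, the packet fields, the node indexes 10 and 20 for lab1, and the handling of a matched permit node without an apply clause are assumptions.

```python
"""Model of PBR policy-node evaluation (added example; not HP's code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    protocol: str  # "tcp", "udp", "icmp", ... (assumed field names)
    length: int    # IP packet length in bytes


@dataclass
class Node:
    """One policy node: if-match clauses plus an apply clause."""
    index: int                                       # smaller index = higher priority
    mode: str                                        # "permit" or "deny"
    acl: Optional[int] = None                        # if-match acl acl-number
    packet_length: Optional[Tuple[int, int]] = None  # if-match packet-length min-len max-len
    next_hop: Optional[str] = None                   # apply ip-address next-hop ip-address

    def has_if_match(self) -> bool:
        return self.acl is not None or self.packet_length is not None

    def has_apply(self) -> bool:
        return self.next_hop is not None


# Advanced ACLs modelled as the protocols they permit (constructed):
# 3101 = "rule permit tcp", 3102 = "rule permit ip" (matches all IP packets).
ACLS: Dict[int, Set[str]] = {3101: {"tcp"}, 3102: {"ip"}}


def acl_permits(acl_number: int, pkt: Packet) -> bool:
    protocols = ACLS.get(acl_number, set())
    return "ip" in protocols or pkt.protocol in protocols


def node_matches(node: Node, pkt: Packet) -> bool:
    """True only when every if-match clause on the node is satisfied."""
    if node.acl is not None and not acl_permits(node.acl, pkt):
        return False
    if node.packet_length is not None:
        low, high = node.packet_length
        if not low <= pkt.length <= high:
            return False
    return True


def evaluate(policy: List[Node], pkt: Packet) -> Tuple[str, str]:
    """Return ("next-hop", address) when PBR steers the packet, or
    ("routing-table", reason) when the ordinary routing table forwards it."""
    for node in sorted(policy, key=lambda n: n.index):
        if not node.has_if_match() and not node.has_apply():
            # Empty node: every packet passes, no action, no further nodes are tried.
            return ("routing-table", f"node {node.index} is empty")
        if not node_matches(node, pkt):
            continue  # not this node; try the next one
        if node.mode == "deny":
            # A matching deny node rejects the packet from PBR; later nodes are skipped.
            return ("routing-table", f"node {node.index} deny")
        if node.next_hop is None:
            # Permit node matched but carries no apply clause (assumed: normal routing).
            return ("routing-table", f"node {node.index} permit without apply")
        return ("next-hop", node.next_hop)
    return ("routing-table", "no node matched")


# Policy aaa from the ACL-based example: node 5 steers TCP, node 10 denies everything else.
POLICY_AAA = [Node(5, "permit", acl=3101, next_hop="1.1.2.2"),
              Node(10, "deny", acl=3102)]
# Policy lab1 from the packet-length example (node indexes 10 and 20 are assumed).
POLICY_LAB1 = [Node(10, "permit", packet_length=(64, 100), next_hop="150.1.1.2"),
               Node(20, "permit", packet_length=(101, 1000), next_hop="151.1.1.2")]

if __name__ == "__main__":
    for pkt in (Packet("tcp", 60), Packet("icmp", 84)):
        print("aaa ", pkt, "->", evaluate(POLICY_AAA, pkt))
    for pkt in (Packet("udp", 80), Packet("udp", 500), Packet("udp", 1200)):
        print("lab1", pkt, "->", evaluate(POLICY_LAB1, pkt))
```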
# Define Node 5 of policy aaa, so that TCP packets are forwarded via GigabitEthernet 0/1.
[Firewall] policy-based-route aaa permit node 5
[Firewall-pbr-aaa-5] if-match acl 3101
[Firewall-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[Firewall-pbr-aaa-5] quit
# Apply policy aaa to Firewall.
[Firewall] ip local policy-based-route aaa
# Configure the IP addresses of the GigabitEthernet ports.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 1.1.2.1 255.255.255.
Reply from 1.1.3.2: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 1.1.3.2: bytes=56 Sequence=4 ttl=255 time=1 ms
Reply from 1.1.3.2: bytes=56 Sequence=5 ttl=255 time=1 ms
--- 1.1.3.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms
Telnet uses TCP, and ping uses ICMP. The preceding results show that all TCP packets of Firewall are forwarded via GigabitEthernet 0/1, and other packets are forwarded via GigabitEthernet 0/2.
system-view
[Firewall] acl number 3101
[Firewall-acl-adv-3101] rule permit tcp
[Firewall-acl-adv-3101] quit
# Define Node 5 of policy aaa so that TCP packets are forwarded via GigabitEthernet 0/2.
[Firewall] policy-based-route aaa permit node 5
[Firewall-pbr-aaa-5] if-match acl 3101
[Firewall-pbr-aaa-5] apply ip-address next-hop 1.1.2.2
[Firewall-pbr-aaa-5] quit
# Apply the policy aaa to GigabitEthernet 0/1.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ip address 10.
Configuring interface PBR based on packet length at the CLI
Network requirements
As shown in Figure 312, PBR is configured to control packets arriving on GigabitEthernet 0/1 of Firewall. Configure 150.1.1.2/24 as the next hop for packets with a length of 64 to 100 bytes, and configure 151.1.1.2/24 as the next hop for packets with a length of 101 to 1000 bytes. All other packets are forwarded according to the routing table.
[Firewall-GigabitEthernet0/1] quit
# Configure the IP addresses of GigabitEthernet 0/2 and GigabitEthernet 0/3.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 150.1.1.1 255.255.255.0
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface GigabitEthernet 0/3
[Firewall-GigabitEthernet0/3] ip address 151.1.1.1 255.255.255.0
[Firewall-GigabitEthernet0/3] quit
2. Configure Router.
# Configure RIP.
system-view
[Router] rip
[Router-rip-1] network 10.0.0.
The debugging information about PBR displayed on Firewall is as follows:
*Jun 7 12:04:33:519 2009 Firewall PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.2
*Jun 7 12:04:34:518 2009 Firewall PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.
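The debug lines above are what you check to confirm that traffic is hitting the intended node. As an added example (not from the HP guide), this Python parser reads such PBR/7/POLICY-ROUTING lines, counts hits per policy node and next hop, and flags any hit whose next hop differs from the one an operator expects for that node; the sample lines and the expected-next-hop table are constructed, and the trailing unrelated line shows that non-matching output is ignored.

```python
"""Parser for PBR debugging lines (added example; not HP's code)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Shape of the "IP policy based routing success" debug line shown on this page.
PBR_DEBUG_RE = re.compile(
    r"^\*(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d:\d{3} \d{4}) (?P<sysname>\S+) "
    r"PBR/7/POLICY-ROUTING: IP policy based routing success : "
    r"POLICY_ROUTEMAP : (?P<policy>[^,\s]+), Node : (?P<node>\d+), "
    r"next-hop : (?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample modelled on the page's output; the last line is deliberately unrelated.
SAMPLE_LOG = """\
*Jun 7 12:04:33:519 2009 Firewall PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.2
*Jun 7 12:04:34:518 2009 Firewall PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 10, next-hop : 150.1.1.2
*Jun 7 12:04:35:520 2009 Firewall PBR/7/POLICY-ROUTING: IP policy based routing success : POLICY_ROUTEMAP : lab1, Node : 20, next-hop : 151.1.1.2
Firewall: unrelated console line (constructed) that the parser must ignore
"""

Event = Dict[str, str]
NodeKey = Tuple[str, int]


def parse_pbr_debug(text: str) -> List[Event]:
    """Return one dict per matching debug line; non-matching lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = PBR_DEBUG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_hits(events: List[Event]) -> Counter:
    """Hits per (policy, node, next-hop) triple."""
    return Counter((e["policy"], int(e["node"]), e["next_hop"]) for e in events)


def unexpected_next_hops(events: List[Event], expected: Dict[NodeKey, str]) -> List[str]:
    """Describe every hit whose next hop differs from the operator's intent table.
    Nodes absent from the table are reported too: a node steering traffic that nobody
    documented is exactly what a reviewer wants to see."""
    findings: List[str] = []
    for e in events:
        key = (e["policy"], int(e["node"]))
        want = expected.get(key)
        if want != e["next_hop"]:
            findings.append(f"{e['ts']} {e['sysname']}: policy {key[0]} node {key[1]} "
                            f"sent traffic to {e['next_hop']}, expected {want}")
    return findings


if __name__ == "__main__":
    evs = parse_pbr_debug(SAMPLE_LOG)
    print(count_hits(evs))
    print(unexpected_next_hops(evs, {("lab1", 10): "150.1.1.2", ("lab1", 20): "151.1.1.2"}))
```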
• The LAN port of Firewall is connected to the hosts, and the uplink port GigabitEthernet 0/1 is connected to the Internet.
• Subinterface 1 of GigabitEthernet 0/1 obtains its IP address through DHCP.
Configure Firewall to forward SNMP packets and SNMP traps through subinterface 1 of GigabitEthernet 0/1.
Figure 313 Network diagram
Configuration procedure
# Configure subinterface 1 of GigabitEthernet 0/1 (GigabitEthernet 0/1.1) to obtain its IP address through DHCP.
• The outbound interface and default outbound interface must be P2P interfaces. On non-P2P interfaces (broadcast interfaces and NBMA interfaces), such as Ethernet interfaces and Virtual-Template interfaces, multiple next hops are available, so packets might not be forwarded successfully.
• The Web interface supports only one outbound interface, next hop, default outbound interface, and default next hop.
Multicast overview
As a technique that coexists with unicast and broadcast, multicast effectively addresses the problem of point-to-multipoint data transmission. By enabling high-efficiency point-to-multipoint data transmission over a network, multicast greatly saves network bandwidth and reduces network load.
Configuring multicast routing and forwarding
In multicast implementations, multicast routing and forwarding are implemented by routing and forwarding tables:
• Each multicast routing protocol has its own multicast routing table, such as the PIM routing table.
• The multicast routing information of different multicast routing protocols forms a general multicast routing table.
• The multicast forwarding table helps guide the forwarding of multicast packets.
3. Select Enable for Multicast Routing.
4. Click Apply.
Figure 314 Global configuration page
Table 76 Configuration item
Multicast routing: Enable or disable multicast routing globally.
Displaying multicast routing table
1. Select Network > Routing Management > Multicast Routing from the navigation tree.
2. Click Multicast Routing Table.
3. The page for multicast routing table appears.
4.
Table 77 Field description
Source address, Group address: (S, G) entry of the multicast routing table.
Incoming interface: Upstream interface of the (S, G) entry, on which multicast packets should arrive.
Number of outgoing interfaces, Outgoing interfaces: Number and list of downstream interfaces, which need to forward multicast packets.
Configuring multicast routing and forwarding
Configuration prerequisites
Before you configure multicast routing and forwarding, complete the following tasks:
• Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer
• Enable PIM (PIM-DM or PIM-SM)
• Determine the maximum number of downstream nodes for a single multicast forwarding table entry
• Determine the maximum number of entries in the multicast forwarding table
Configuring multicast static
3. Configure multicast load splitting. Command: multicast load-splitting { source | source-group }. Remarks: Optional. Disabled by default.
Configuring a multicast forwarding range
Multicast packets do not travel without a boundary in a network. The multicast data corresponding to each multicast group must be transmitted within a definite scope. You can configure a forwarding boundary specific to a particular multicast group on all interfaces that support multicast forwarding.
2. Configure the maximum number of entries in the multicast forwarding table. Command: multicast forwarding-table route-limit limit. Remarks: Optional. The default is the maximum number allowed by the system. The value ranges from 0 to 4096.
3. Configure the maximum number of downstream nodes for a single multicast forwarding entry. Command: multicast forwarding-table downstream-limit limit. Remarks: Optional. The default is the maximum number allowed by the system. The value ranges from 0 to 128.
Task Command Remarks Display information about the multicast routing table.
Multicast routing and forwarding configuration examples at the CLI
Changing an RPF route
Network requirements
PIM-DM runs in the network. All routers in the network support multicast. Firewall A, Firewall B and Firewall C run OSPF. Typically, Receiver can receive the multicast data from Source through the path Firewall A – Firewall B, which is the same as the unicast route.
[FirewallB] multicast routing-enable
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] igmp enable
[FirewallB-GigabitEthernet0/1] pim dm
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] pim dm
[FirewallB-GigabitEthernet0/2] quit
[FirewallB] interface gigabitethernet 0/3
[FirewallB-GigabitEthernet0/3] pim dm
[FirewallB-GigabitEthernet0/3] quit
# Enable IP multicast routing on Firewall A, and enable PIM-DM on each interface.
Load splitting rule: disable
The output shows that the RPF route on Firewall B has changed. It is now the configured multicast static route, and the RPF neighbor is now Firewall C.
Creating an RPF route
Network requirements
PIM-DM runs in the network and all routers in the network support IP multicast. Firewall B and Firewall C run OSPF, and have no unicast routes to Firewall A. Typically, Receiver can receive the multicast data from Source 1 in the OSPF domain.
[FirewallC-GigabitEthernet0/2] pim dm
[FirewallC-GigabitEthernet0/2] quit
# Enable IP multicast routing on Firewall A and enable PIM-DM on each interface.
system-view
[FirewallA] multicast routing-enable
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] pim dm
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim dm
[FirewallA-GigabitEthernet0/2] quit
The configuration on Firewall B is similar.
Multicast forwarding over GRE tunnels
Network requirements
Multicast routing and PIM-DM are enabled on Firewall A and Firewall C. Firewall B does not support multicast. OSPF runs on Firewall A, Firewall B, and Firewall C. Configure a GRE tunnel so that Receiver can receive the multicast data from Source.
Figure 319 Network diagram
Configuration procedure
1. Configure IP addresses: Configure the IP address and mask for each interface as per Figure 319. (Details not shown.)
2.
# Configure OSPF on Firewall A.
[FirewallA] ospf 1
[FirewallA-ospf-1] area 0
[FirewallA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] network 50.1.1.0 0.0.0.255
[FirewallA-ospf-1-area-0.0.0.0] quit
[FirewallA-ospf-1] quit
# Configure OSPF on Firewall B.
system-view
[FirewallB] ospf 1
[FirewallB-ospf-1] area 0
[FirewallB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[FirewallB-ospf-1-area-0.0.0.
[FirewallC-Tunnel0] pim dm
[FirewallC-Tunnel0] quit
5. Configure a static multicast route:
# On Firewall C, configure a static multicast route and specify that its RPF neighbor leading toward Source is Tunnel 0 on Firewall A.
[FirewallC] ip rpf-route-static 10.1.1.0 24 50.1.1.1
6. Verify the configuration:
Source sends multicast data to the multicast group 225.1.1.1 and Receiver can receive the multicast data after joining the multicast group.
Analysis • If the multicast static route is not configured or updated correctly to match the current network conditions, the route entry and the configuration information of multicast static route do not exist in the multicast routing table. • If a better route is found, the multicast static route might also fail. Solution 1.
Configuring IGMP
As a TCP/IP protocol responsible for IP multicast group member management, the Internet Group Management Protocol (IGMP) is used by IP hosts to establish and maintain their multicast group memberships with immediately neighboring multicast routers.
Configuring IGMP in the Web interface
Configuration prerequisites
Before you configure IGMP, complete the following tasks:
• Configure a unicast routing protocol so that all devices in the domain are interoperable at the network layer.
Figure 320 IGMP interfaces configuration page
Figure 321 Configuring the specified interface
Table 78 Configuration items
Interface: Name of the interface to be configured.
IGMP: Enable or disable IGMP on the interface.
Version: Configure the IGMP version.
Displaying IGMP multicast group information
1. Select Network > Routing Management > IGMP from the navigation tree.
2. Click Group Information.
3. The page that displays the IGMP multicast group information appears.
4.
Figure 323 IGMP multicast group information of specific interface
Table 79 Field description
Interface: Name of the interface that has joined the multicast group.
Group address: Multicast group address.
Group uptime: Length of time since the multicast group was reported.
Group remaining lifetime: Remaining lifetime of the multicast group. "null" means that the multicast group times out when all multicast sources of this group time out.
Figure 324 Network diagram
Configuring IP addresses and unicast routing
Configure the IP address of each interface and the security zone as per Figure 324. (Details not shown.)
Enable OSPF on the firewalls on the PIM-DM network to make sure the network layer is interoperable and the routing information among the firewalls can be dynamically updated. (Details not shown.)
Configuring Firewall A
1. Enable IP multicast routing:
a.
The configuration on GigabitEthernet 0/2 is similar to that on GigabitEthernet 0/1. (Details not shown.)
Figure 326 Enabling PIM-DM
3. Enable IGMP on GigabitEthernet 0/1:
a. Select Network > Routing Management > IGMP from the navigation tree to enter the Interface Configuration page.
b. Click the icon corresponding to GigabitEthernet 0/1 to enter its configuration page, as shown in Figure 327.
c. Select Enable from the list to enable IGMP.
d. Set the IGMP version to 2.
e. Click Apply.
b. Click the icon corresponding to GigabitEthernet 0/1 to enter its configuration page.
c. Select Enable from the list to enable IGMP.
d. Set the IGMP version to 2.
e. Click Apply.
Configuring Firewall C
1. Enable IP multicast routing:
a. After logging in to the Web interface of Firewall C, select Network > Routing Management > Multicast Routing from the navigation tree to enter the Global Configuration page.
b. Enable multicast routing by selecting Enable from the list.
c. Click Apply.
2.
Configuring IGMP at the CLI
Configuring IGMP basic functions: Enabling IGMP (Optional); Configuring IGMP versions (Optional); Configuring static joining (Optional); Configuring a multicast group filter (Optional); Setting the maximum number of multicast groups that an interface can join (Optional).
Adjusting IGMP performance: Configuring IGMP message options (Optional); Configuring IGMP query and response parameters (Optional); Configuring IGMP
Configuring IGMP SSM mapping
Configuring IGMP proxying
Enabling IGMP
To configure IGMP, you must enable IGMP on the interface on which the multicast group memberships will be established and maintained.
To enable IGMP for the public network:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable IP multicast routing. Command: multicast routing-enable. Remarks: Disabled by default.
3. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
4. Enable IGMP. Command: igmp enable. Remarks: Disabled by default.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure the interface as a static member of a multicast group or a multicast source and group. Command: igmp static-group group-address [ source source-address ]. Remarks: By default, an interface is not a static member of any multicast group or multicast source and group.
NOTE: This configuration takes effect in dynamically joined multicast groups but not in the statically configured multicast groups.
Adjusting IGMP performance
For the configuration tasks described in this section:
• In IGMP view, the configuration is effective on all interfaces. In interface view, the configuration is effective on only the current interface.
2. Enter public network IGMP view. Command: igmp. Remarks: N/A.
3. Configure the router to discard any IGMP message that does not carry the Router-Alert option. Command: require-router-alert. Remarks: By default, the device does not check the Router-Alert option.
4. Enable insertion of the Router-Alert option into IGMP messages. Command: send-router-alert. Remarks: By default, IGMP messages carry the Router-Alert option.
To configure IGMP packet options on an interface:
1. Enter system view.
• For IGMP general queries, you can configure the maximum response time to fill their Max Response time field.
• For IGMP group-specific queries and IGMP group-and-source-specific queries, you can configure the IGMP last-member query interval to fill their Max Response time field. That is, for IGMP group-specific queries and IGMP group-and-source-specific queries, the maximum response time equals the IGMP last-member query interval.
4. Configure the startup query interval. Command: igmp startup-query-interval interval. Remarks: By default, the startup query interval is 1/4 of the IGMP general query interval.
5. Configure the startup query count. Command: igmp startup-query-count value. Remarks: By default, the startup query count is set to the IGMP querier's robustness variable.
6. Configure the IGMP general query interval. Command: igmp timer query interval. Remarks: 60 seconds by default.
7. Configure the maximum response time for IGMP general queries.
3. Configure IGMP fast leave processing. Command: fast-leave [ group-policy acl-number ]. Remarks: Disabled by default.
To configure IGMP fast leave processing on an interface:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure IGMP fast leave processing. Command: igmp fast-leave [ group-policy acl-number ]. Remarks: Disabled by default.
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer
• Configure basic functions of IGMP
Enabling SSM mapping
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Enable the IGMP SSM mapping feature. Command: igmp ssm-mapping enable. Remarks: Disabled by default.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Enable the IGMP proxying feature. Command: igmp proxying enable. Remarks: Disabled by default.
NOTE:
• Each device can have only one interface serving as the proxy interface.
• You cannot enable IGMP on an interface with IGMP proxying enabled. Moreover, only the igmp require-router-alert, igmp send-router-alert, and igmp version commands can take effect on such an interface.
Displaying and maintaining IGMP
Task: Display IGMP group information. Command: display igmp group [ group-address | interface interface-type interface-number ] [ static | verbose ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display information about the hosts tracked by IGMP on an interface.
IGMP configuration examples at the CLI Basic IGMP functions configuration example Network requirements Receivers receive VOD information through multicast. Receivers of different organizations form stub networks N1 and N2, and Host A and Host C are receivers in N1 and N2 respectively. IGMPv2 runs between Firewall A and N1 and between the other two routers and N2. Firewall B acts as the IGMP querier in N2 because it has a lower IP address. The hosts in N1 can join only multicast group 224.1.1.
[FirewallA-GigabitEthernet0/1] pim dm
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim dm
[FirewallA-GigabitEthernet0/2] quit
# Enable IP multicast routing on Firewall B, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 0/1.
Querier for IGMP: 10.110.2.1 (this Firewall)
Total 1 IGMP Group reported
SSM mapping configuration example
Network requirements
The PIM-SM domain applies both the ASM model and the SSM model for multicast delivery. Firewall D's GigabitEthernet 0/3 serves as the C-BSR and C-RP. The SSM group range is 232.1.1.0/24. IGMPv3 runs on Firewall D's GigabitEthernet 0/1. The Receiver host runs IGMPv2 and does not support IGMPv3.
# Enable IP multicast routing on Firewall D, enable PIM-SM on each interface and enable IGMPv3 and IGMP SSM mapping on GigabitEthernet 0/1.
[FirewallD] igmp
[FirewallD-igmp] ssm-mapping 232.1.1.0 24 133.133.1.1
[FirewallD-igmp] ssm-mapping 232.1.1.0 24 133.133.3.1
[FirewallD-igmp] quit
6. Verify the configuration:
Use the display igmp ssm-mapping command to display IGMP SSM mappings on the firewalls.
# Display the IGMP SSM mapping information for multicast group 232.1.1.1 on the public network on Firewall D.
[FirewallD] display igmp ssm-mapping 232.1.1.1
Group: 232.1.1.1
Source list: 133.133.1.1
133.133.3.
Protocol: igmp, UpTime: 00:13:25, Expires: -

IGMP proxying configuration example
Network requirements
PIM-DM is required to run on the core network. Host A and Host C in the stub network receive VOD information sent to multicast group 224.1.1.1. Configure the IGMP proxying feature on Firewall so that Firewall can maintain group memberships and forward multicast traffic without running PIM-DM.
Figure 331 Network diagram
Configuration procedure
1.
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] igmp enable
[Firewall-GigabitEthernet0/2] quit
3. Verify the configuration:
Use the display igmp interface command to display IGMP configuration and operation information on the interfaces of the firewalls. For example:
# Display the IGMP configuration and operation information on GigabitEthernet 0/1 of Firewall.
[Firewall] display igmp interface gigabitethernet 0/1 verbose
GigabitEthernet0/1(192.168.1.
The reason is that you have configured the shutdown command on the interface, that the interface is not properly connected, or that the IP address configuration is not correctly done. 2. Use the display current-configuration command to verify that multicast routing is enabled. If not, use the multicast routing-enable command in system view to enable IP multicast routing. In addition, check that IGMP is enabled on the corresponding interfaces. 3.
Configuring PIM Protocol Independent Multicast (PIM) provides IP multicast forwarding by leveraging unicast static routes or unicast routing tables generated by any unicast routing protocol, such as routing information protocol (RIP), open shortest path first (OSPF), intermediate system to intermediate system (IS-IS), or border gateway protocol (BGP).
Configuring PIM-SM
Task: Globally enable multicast routing (Required). Globally enable multicast routing after selecting Network > Routing Management > Multicast Routing. For more information, see "Configuring multicast routing and forwarding." By default, multicast routing is globally disabled.
Task: Configuring PIM interfaces (Required). Enable PIM-SM on an interface. By default, PIM is disabled on an interface.
Optional.
Figure 332 PIM interfaces configuration page
Figure 333 Modifying the specified PIM interface
Table 80 Configuration items
Interface: Displays the name of the interface to be configured.
Working mode: Enable PIM-DM or PIM-SM on the interface; null means PIM is not enabled on this interface.
Configuring advanced PIM features
1. Select Network > Routing Management > PIM from the navigation tree.
2. Click Advanced Configuration.
3.
Table 81 Configuration items
Auto-RP: Enable or disable auto-RP. IMPORTANT: Auto-RP announcement and discovery messages are addressed to the multicast group addresses 224.0.1.39 and 224.0.1.40 respectively. With auto-RP enabled on a device, the device receives these two types of messages and records the RP information carried in them.
Calculate the register message checksum based on the entire register message or on the header part only.
Figure 335 PIM neighbor information
Table 82 Field description
Interface: Name of the interface connecting to a PIM neighbor.
Neighbor address: IP address of a PIM neighbor.
Uptime: Length of time for which the PIM neighbor has been up. A value of "01:02:11:32:18" means that the neighbor has been up for 1 week, 2 days, 11 hours, 32 minutes, and 18 seconds.
Figure 336 Network diagram
Configuring IP addresses and unicast routing
Configure the IP address for each interface as shown in Figure 336 and configure the security zones. (Details not shown.)
Enable OSPF on the firewalls in the PIM-DM network so that the network layer is interoperable and routing information among the firewalls can be updated dynamically. (Details not shown.)
Configuring Firewall A
1. Enable IP multicast routing:
a.
e. Click Apply.
Figure 338 Enabling IGMP
3. Enable PIM-DM on each interface:
a. Select Network > Routing Management > PIM from the navigation tree to enter the Interface Configuration page.
b. Click the icon corresponding to GigabitEthernet 0/2 to enter its configuration page, shown in Figure 339.
c. Set the operating mode to PIM-DM and click Apply.
The configuration on GigabitEthernet 0/1 is similar to that on GigabitEthernet 0/2. (Details not shown.)
Verifying the configuration Log into the Web interface of Firewall C, select Network > Routing Management > PIM from the navigation tree and click Neighbor Information to enter the page as shown in Figure 340.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enable IP multicast routing: multicast routing-enable (Disabled by default.)
3. Enter interface view: interface interface-type interface-number (N/A)
4. Enable PIM-DM: pim dm (Disabled by default.)
CAUTION: PIM-DM does not work with multicast groups in the SSM group range.
For more information about the multicast routing-enable command, see Network Management Command Reference.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network PIM view: pim (N/A)
3. Configure the interval between state-refresh messages: state-refresh-interval interval (Optional. 60 seconds by default.)
4. Configure the time to wait before receiving a new state-refresh message: state-refresh-rate-limit interval (Optional. 30 seconds by default.)
5. Configure the TTL value of state-refresh messages: state-refresh-ttl ttl-value (Optional. 255 by default.)
Task list (continued):
Configuring C-BSR timers: Optional.
Disabling BSM semantic fragmentation: Optional.
Configuring administrative scoping:
  Enabling administrative scoping: Optional.
  Configuring an admin-scope zone boundary: Optional.
  Configuring C-BSRs for each admin-scope zone and the global-scope zone: Optional.
Configuring multicast source registration: Optional.
Configuring SPT switchover: Optional.
Configuring PIM common features: Optional.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enable IP multicast routing: multicast routing-enable (Disabled by default.)
3. Enter interface view: interface interface-type interface-number (N/A)
4. Enable PIM-SM: pim sm (Disabled by default.)
For more information about the multicast routing-enable command, see Network Management Command Reference.
Configuring an RP
An RP can be manually configured or dynamically elected through the BSR mechanism.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network PIM view: pim (N/A)
3. Configure an interface to be a C-RP for PIM-SM: c-rp interface-type interface-number [ group-policy acl-number | priority priority | holdtime hold-interval | advertisement-interval adv-interval ] * (No C-RPs are configured by default.)
4. Configure a legal C-RP address range and the range of multicast groups to be served: crp-policy acl-number (Optional. No restrictions by default.)
4. Configure the C-RP timeout time: c-rp holdtime interval (Optional. 150 seconds by default.)
For more information about the configuration of other timers in PIM-SM, see "Configuring PIM common timers."
Configuring a BSR
A PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR. Elected from the C-BSRs, the BSR is responsible for collecting and advertising RP information in the PIM-SM domain.
1.
3. Configure an interface as a C-BSR: c-bsr interface-type interface-number [ hash-length [ priority ] ] (No C-BSRs are configured by default.)
4. Configure a legal BSR address range: bsr-policy acl-number (Optional. No restrictions on the BSR address range by default.)
4. Configure the C-BSR priority: c-bsr priority priority (Optional. By default, the C-BSR priority is 64.)
NOTE: You can configure the hash mask length and C-BSR priority globally, in an admin-scope zone, and in the global-scope zone.
• The values configured in the global-scope zone or an admin-scope zone take precedence over the global values.
• If you do not configure these parameters in the global-scope zone or an admin-scope zone, the corresponding global values are used.
CAUTION: Make sure the BS period value is smaller than the BS timeout value.
5. Disabling BSM semantic fragmentation
Generally, a BSR periodically distributes the RP-set information in bootstrap messages (BSMs) within the PIM-SM domain. It encapsulates a BSM in an IP datagram and might split the datagram into fragments if the message exceeds the maximum transmission unit (MTU). With IP fragmentation, the loss of a single fragment makes the entire message unusable.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network PIM view: pim (N/A)
3. Enable administrative scoping: c-bsr admin-scope (Disabled by default.)
2. Configuring an admin-scope zone boundary
The boundary of each admin-scope zone is formed by ZBRs. Each admin-scope zone maintains a BSR, which serves a specific multicast group range.
NOTE: The group-address { mask | mask-length } parameter of the c-bsr group command specifies the multicast groups the C-BSR serves, in the range 239.0.0.0/8.
Configure C-BSRs for the global-scope zone
Perform the following configuration on the routers that you want to configure as C-BSRs in the global-scope zone.
To configure a C-BSR for the global-scope zone:
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network PIM view: pim (N/A)
3.
Configure a filtering rule for register messages on all C-RP routers and configure them to calculate the checksum based on the entire register message. Configure the register suppression time and the register probe time on all routers that might become source-side DRs.
To configure register-related parameters:
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network PIM view: pim (N/A)
3. Configure a filtering rule for register messages.
4.
PIM-SSM configuration task list
Enabling PIM-SM: Required.
Configuring the SSM group range: Optional.
Configuring PIM common features: Optional.
Configuration prerequisites
Before you configure PIM-SSM, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Determine the SSM group range.
Enabling PIM-SM
The SSM model is implemented on top of a subset of PIM-SM.
CAUTION:
• Make sure the same SSM group range is configured on all routers in the entire domain. Otherwise, multicast information cannot be delivered through the SSM model.
• When a member of a multicast group in the SSM group range sends an IGMPv1 or IGMPv2 report message, the device does not trigger a (*, G) join.
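The following is an added example, not code from the HP guide, showing how a last-hop router turns IGMP membership reports into PIM joins once an SSM group range and IGMP SSM mappings (the ssm-mapping command) are configured. It models the rules stated in the SSM mapping configuration example and in the caution above: IGMPv1/v2 (*, G) reports for a group inside the SSM range trigger no (*, G) join, an SSM mapping supplies (S, G) joins instead, IGMPv3 reports carry their own sources, and groups outside the SSM range use the ASM model. The SSM range and the 232.1.1.0/24 mapping to 133.133.1.1 and 133.133.3.1 mirror the example; the table layout and function names are ours.

```python
"""Added example: IGMP report -> PIM join decision with SSM mapping.
The rules follow the HP guide's description; data structures are ours."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed configuration. 232.0.0.0/8 is the standard SSM range.
SSM_RANGE = IPv4Network("232.0.0.0/8")
SSM_MAPPINGS: Dict[IPv4Network, List[str]] = {
    IPv4Network("232.1.1.0/24"): ["133.133.1.1", "133.133.3.1"],
}


def lookup_ssm_mapping(group: str,
                       mappings: Dict[IPv4Network, List[str]] = SSM_MAPPINGS) -> List[str]:
    """Sources mapped to a group, using the most specific matching prefix."""
    g = IPv4Address(group)
    best: Optional[IPv4Network] = None
    for prefix in mappings:
        if g in prefix and (best is None or prefix.prefixlen > best.prefixlen):
            best = prefix
    return sorted(mappings[best]) if best is not None else []


def joins_for_report(group: str, igmp_version: int,
                     sources: Optional[Iterable[str]] = None,
                     ssm_range: IPv4Network = SSM_RANGE,
                     mappings: Dict[IPv4Network, List[str]] = SSM_MAPPINGS
                     ) -> List[Tuple[str, str]]:
    """PIM joins triggered by one IGMP report, as (source, group) pairs.
    '*' as the source denotes a (*, G) join toward the RP."""
    if IPv4Address(group) not in ssm_range:
        return [("*", group)]                   # ASM: shared tree via the RP
    if igmp_version == 3:
        # SSM: the host named its sources; nothing to map
        return [(s, group) for s in sorted(sources or [])]
    # IGMPv1/v2 report inside the SSM range: never a (*, G) join.
    # Only a configured mapping can turn it into (S, G) joins.
    return [(s, group) for s in lookup_ssm_mapping(group, mappings)]


if __name__ == "__main__":
    for report in (("232.1.1.1", 2, None), ("232.2.2.2", 2, None),
                   ("224.1.1.1", 2, None), ("232.1.1.1", 3, ["133.133.1.1"])):
        print(report[:2], "->", joins_for_report(*report))
```

The second report in the usage block (an IGMPv2 report for 232.2.2.2, which lies in the SSM range but has no mapping) yields an empty join list: the receiver silently gets nothing, which is the failure mode the caution warns about when SSM ranges or mappings are inconsistent across routers.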
• Determine the assert timeout time (global value/interface value).
• Determine the join/prune interval (global value/interface value).
• Determine the join/prune timeout (global value/interface value).
• Determine the multicast source lifetime.
• Determine the maximum size of join/prune messages.
• Determine the maximum number of (S, G) entries in a join/prune message.
NOTE: With the hello message filter configured, if hello messages of an existing PIM neighbor fail to pass the filter, the PIM neighbor is removed automatically when it times out.
Configuring PIM hello options
In both a PIM-DM domain and a PIM-SM domain, the hello messages sent among routers contain the following configurable options:
• DR_Priority (for PIM-SM only): Priority for DR election. The device with the highest priority wins the DR election.
5. Configure the prune message delay time (LAN-delay): hello-option lan-delay interval (Optional. 500 milliseconds by default.)
6. Configure the prune override interval: hello-option override-interval interval (Optional. 2,500 milliseconds by default.)
7. Disable join suppression: hello-option neighbor-tracking (Optional. Join suppression is enabled by default.)
To configure hello options on an interface:
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter interface view.
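Added example, not code from the HP guide, for two things this chapter describes but does not show in code: decoding the Uptime field of the PIM neighbor table (Table 82 documents "01:02:11:32:18" as 1 week, 2 days, 11 hours, 32 minutes, 18 seconds; the CLI examples also show the short "hh:mm:ss" form), and the DR election driven by the DR_Priority hello option. The election rule implemented is the one in RFC 4601 section 4.3.2, which the guide only summarizes as "the device with the highest priority wins": when every router on the interface advertised a priority, the highest priority wins and the highest IP address breaks ties; when any router omitted the option, priority is ignored and the highest IP address wins. The neighbor values and function names are ours.

```python
"""Added example: PIM neighbor uptime parsing and DR election.
Election rule per RFC 4601 4.3.2 (assumed, the guide summarizes it only)."""
from ipaddress import IPv4Address
from typing import Iterable, Optional, Tuple


def parse_pim_uptime(text: str) -> int:
    """Return the neighbor uptime in seconds.
    Accepts "hh:mm:ss" or "ww:dd:hh:mm:ss" as shown in the PIM neighbor table."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 3:
        hours, minutes, seconds = parts
        weeks = days = 0
    elif len(parts) == 5:
        weeks, days, hours, minutes, seconds = parts
    else:
        raise ValueError(f"unrecognised uptime format: {text!r}")
    return (((weeks * 7 + days) * 24 + hours) * 60 + minutes) * 60 + seconds


# (IP address on the shared interface, advertised DR priority or None if absent)
Neighbor = Tuple[str, Optional[int]]


def elect_dr(routers_on_lan: Iterable[Neighbor]) -> str:
    """Pick the DR among all PIM routers on one multi-access interface
    (the local router included). Returns the winner's IP address."""
    routers = list(routers_on_lan)
    if not routers:
        raise ValueError("no PIM routers on the interface")
    if all(prio is not None for _, prio in routers):
        # Every router sent DR_Priority: highest priority, ties broken by highest IP.
        def key(r: Neighbor):
            return (r[1], IPv4Address(r[0]))
    else:
        # Some router did not send the option: priority is ignored, highest IP wins.
        def key(r: Neighbor):
            return IPv4Address(r[0])
    return max(routers, key=key)[0]


if __name__ == "__main__":
    print(parse_pim_uptime("01:02:11:32:18"))           # constructed value from Table 82
    lan = [("10.110.2.1", 1), ("10.110.2.2", 5), ("10.110.2.3", 3)]   # constructed
    print(elect_dr(lan))
```

Note the second branch of elect_dr: a single router that does not send the DR_Priority option (an old implementation, or a rogue host speaking PIM on the segment) silently removes priority from the election on that interface, which is why the guide's hello-message filter (the NOTE above) matters on segments where not every PIM speaker is trusted.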
3. Configure the prune delay interval: prune delay interval (Optional. 3 seconds by default, which equals the prune pending time.)
Configuring PIM common timers
PIM routers discover PIM neighbors and maintain PIM neighbor relationships with other routers by periodically sending hello messages. After receiving a hello message, a PIM router waits a random period, shorter than the maximum delay between hello messages, before sending its own hello message.
Step: Command (Remarks)
3. Configure the hello interval: pim timer hello interval (Optional. 30 seconds by default.)
4. Configure the maximum delay between hello messages: pim triggered-hello-delay interval (Optional. 5 seconds by default.)
5. Configure the join/prune interval: pim timer join-prune interval (Optional. 60 seconds by default.)
6. Configure the join/prune timeout time: pim holdtime join-prune interval (Optional.)
7. Configure the assert timeout time: pim holdtime assert interval
Task: Display the number of PIM control messages.
Command: display pim control-message counters [ message-type { probe | register | register-stop } | [ interface interface-type interface-number | message-type { assert | bsr | crp | graft | graft-ack | hello | join-prune | state-refresh } ] * ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display information about unacknowledged PIM-DM graft messages.
PIM configuration examples at the CLI
PIM-DM configuration example
Network requirements
As shown in Figure 336, receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network. The entire PIM domain operates in dense mode. Host A and Host C are multicast receivers in two stub networks N1 and N2. IGMPv2 runs between Router A and N1 and between Router B/Router C and N2.
Configure OSPF on the routers and the firewall in the PIM-DM domain so that the network layer is interoperable and routing information among the routers and the firewall can be updated dynamically. (Details not shown.)
2. Enable IP multicast routing, and enable PIM-DM and IGMP:
# Enable IP multicast routing on Router A, enable PIM-DM on each interface, and enable IGMP on GigabitEthernet 0/1, which connects Router A to N1.
Neighbor      Interface  Uptime    Expires   Dr-Priority
192.168.1.1   GE0/2      00:02:22  00:01:27  1
192.168.2.1   GE0/3      00:00:22  00:01:29  3
192.168.3.1   GE0/4      00:00:23  00:01:31  5
Assume that Host A needs to receive the information addressed to multicast group G (225.1.1.1). After the multicast source S (10.110.5.100/24) sends multicast packets to the multicast group G, an SPT is established through traffic flooding. Routers and the firewall on the SPT path (Router A and Firewall) have their (S, G) entries.
1: GigabitEthernet0/2
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
2: GigabitEthernet0/3
Protocol: pim-dm, UpTime: 00:03:27, Expires: never
3: GigabitEthernet0/4
Protocol: pim-dm, UpTime: 00:03:27, Expires: never

PIM-SM non-scoped zone configuration example
Network requirements
As shown in Figure 342, receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and one or more receiver hosts exist in each stub network.
Figure 342 Network diagram (PIM-SM domain: Source 10.110.5.100/24; receivers Host A, Host B, Host C and Host D; devices Firewall A, Firewall B, Firewall C, Router A and Router B)
Device      Interface  IP address
Firewall A  GE0/1      10.110.1.1/24
Firewall A  GE0/2      192.168.9.1/24
Firewall A  GE0/3      192.168.1.1/24
Firewall B  GE0/1      10.110.5.1/24
Firewall B  GE0/2      192.168.1.2/24
Firewall B  GE0/3      192.168.4.2/24
GE0/1 10.110.2.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim sm
[FirewallA-GigabitEthernet0/3] quit
The configuration on Router A and Router B is similar to that on Firewall A. The configuration on Firewall B and Firewall C is also similar to that on Firewall A, except that IGMP does not need to be enabled on the corresponding interfaces of these two firewalls.
3.
Scope: Not scoped
Uptime: 00:40:40
Expires: 00:01:42
# Display BSR information and the locally configured C-RP information in effect on Firewall B.
[FirewallB] display pim bsr-info
Elected BSR Address: 192.168.9.2
Priority: 20
Hash mask length: 32
State: Accept Preferred
Scope: Not scoped
Uptime: 00:05:26
Expires: 00:01:45
Candidate BSR Address: 192.168.4.2
Priority: 10
Hash mask length: 32
State: Candidate
Scope: Not scoped
Candidate RP: 192.168.4.
Priority: 192
HoldTime: 150
Uptime: 00:51:45
Expires: 00:02:22
RP: 192.168.9.2
Priority: 192
HoldTime: 150
Uptime: 00:51:45
Expires: 00:02:22
Assume that Host A needs to receive information addressed to multicast group G (225.1.1.0). The RP for multicast group G is Firewall C as a result of the hash calculation, so an RPT is built between Firewall A and Firewall C. When the multicast source S (10.110.5.100/24) registers with the RP, an SPT is built between Firewall B and Firewall C.
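The "hash calculation" referred to above is the RP hash function of RFC 4601 section 4.7.2, which every PIM-SM router applies to the RP-set learned from the BSR so that all routers map a group to the same RP. The following is an added example, not code from the HP guide, that reproduces the choice: C-RPs are first narrowed to those whose group prefix matches most specifically, then to the lowest priority value, then the highest hash value wins, with the highest C-RP address as the final tie-breaker. With the two C-RPs 192.168.4.2 and 192.168.9.2 at priority 192 and hash mask length 32, group 225.1.1.0 maps to 192.168.9.2, which is Firewall C, as in the display output. The RP-set table layout and function names are ours.

```python
"""Added example: RFC 4601 RP-set hash and RP selection for a group.
Reproduces the choice in the HP guide's PIM-SM example; data layout is ours."""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
CRp = Tuple[str, int, str]   # (C-RP address, priority, served group prefix)


def rp_hash(group: str, hash_mask_len: int, crp: str) -> int:
    """Value(G, M, C) = (1103515245 * ((1103515245 * (G & M) + 12345) XOR C) + 12345) mod 2^31.
    32-bit wraparound is applied after the first step as C implementations do; it does
    not change the result, since every step here is compatible with reduction mod 2^32."""
    mask = (MASK32 << (32 - hash_mask_len)) & MASK32      # hash mask length -> bit mask
    g = int(IPv4Address(group)) & mask
    c = int(IPv4Address(crp))
    inner = (1103515245 * g + 12345) & MASK32
    return (1103515245 * (inner ^ c) + 12345) & 0x7FFFFFFF  # mod 2^31


def choose_rp(group: str, hash_mask_len: int, rp_set: List[CRp]) -> str:
    """Return the RP address all routers agree on for the group."""
    g = IPv4Address(group)
    cands = [(addr, prio, IPv4Network(pfx)) for addr, prio, pfx in rp_set
             if g in IPv4Network(pfx)]
    if not cands:
        raise LookupError(f"no C-RP in the RP-set serves {group}")
    longest = max(net.prefixlen for _, _, net in cands)      # most specific prefix
    cands = [c for c in cands if c[2].prefixlen == longest]
    best_prio = min(prio for _, prio, _ in cands)             # lower value preferred
    cands = [c for c in cands if c[1] == best_prio]
    # Highest hash value wins; highest C-RP address breaks a hash tie.
    return max(cands, key=lambda c: (rp_hash(group, hash_mask_len, c[0]),
                                     IPv4Address(c[0])))[0]


# RP-set as displayed on Firewall B in the example: both C-RPs serve 224.0.0.0/4 at priority 192
RP_SET: List[CRp] = [("192.168.4.2", 192, "224.0.0.0/4"),
                     ("192.168.9.2", 192, "224.0.0.0/4")]

if __name__ == "__main__":
    print(choose_rp("225.1.1.0", 32, RP_SET))   # 192.168.9.2 (Firewall C)
```

Because the hash mask length limits how many group bits enter the hash, a mask length of 30 makes 225.1.1.0 through 225.1.1.3 land on the same RP; with length 32 each group is hashed on its own, which spreads load across C-RPs but makes RP placement harder to predict by inspection. Any router with a different RP-set, priority or hash mask length will compute a different RP for the same group, which is the failure mode the troubleshooting section describes.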
(10.110.5.100, 225.1.1.0)
RP: 192.168.9.2
Protocol: pim-sm, Flag: SPT LOC ACT
UpTime: 00:00:42
Upstream interface: GigabitEthernet0/1
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet0/3
Protocol: pim-sm, UpTime: 00:00:42, Expires: 00:02:26
# Display PIM routing table information on Firewall C.
[FirewallC] display pim routing-table
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.1.1.0)
RP: 192.168.9.
Figure 343 Network diagram
Device Interface IP address: Router A GE0/1 192.168.1.1/24 Firewall B GE0/1 10.110.8.1/24 GE0/2 10.110.1.1/24 GE0/2 10.110.7.1/24 GE0/1 192.168.2.1/24 GE0/2 10.110.3.1/24 GE0/3 10.110.2.1/24 Firewall A Router C Router E Router F GE0/4 10.110.1.2/24 GE0/1 10.110.2.2/24 GE0/2 GE0/3 GE0/4 192.168.3.1/24 Router D GE0/3 10.110.4.2/24 GE0/1 192.168.4.1/24 GE0/2 10.110.5.
2. Enable IP multicast routing and administrative scoping, and enable PIM-SM and IGMP: # Enable IP multicast routing and administrative scoping on Router A, enable PIM-SM on each interface, and enable IGMP on the host-side interface GigabitEthernet 0/1.
# On Router C, configure GigabitEthernet 0/1 and GigabitEthernet 0/5 as the boundary of admin-scope zone 2.
system-view
[RouterC] interface gigabitethernet 0/1
[RouterC-GigabitEthernet0/1] multicast boundary 239.0.0.0 8
[RouterC-GigabitEthernet0/1] quit
[RouterC] interface gigabitethernet 0/5
[RouterC-GigabitEthernet0/5] multicast boundary 239.0.0.0 8
[RouterC-GigabitEthernet0/5] quit
# On Firewall B, configure GigabitEthernet 0/1 as the boundary of admin-scope zone 2.
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Accept Preferred
Scope: Global
Uptime: 00:01:45
Expires: 00:01:25
Elected BSR Address: 10.110.1.2
Priority: 64
Hash mask length: 30
State: Elected
Scope: 239.0.0.0/8
Uptime: 00:04:54
Next BSR message scheduled at: 00:00:06
Candidate BSR Address: 10.110.1.2
Priority: 64
Hash mask length: 30
State: Elected
Scope: 239.0.0.0/8
Candidate RP: 10.110.1.
Priority: 192
HoldTime: 150
Advertisement Interval: 60
Next advertisement scheduled at: 00:00:10
# Display BSR information and the locally configured C-RP information on Firewall C.
[FirewallC] display pim bsr-info
Elected BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Elected
Scope: Global
Uptime: 00:11:11
Next BSR message scheduled at: 00:00:49
Candidate BSR Address: 10.110.9.1
Priority: 64
Hash mask length: 30
State: Elected
Scope: Global
Candidate RP: 10.110.9.
HoldTime: 150
Uptime: 00:03:42
Expires: 00:01:48
Group/MaskLen: 239.0.0.0/8
RP: 10.110.4.2 (local)
Priority: 192
HoldTime: 150
Uptime: 00:06:54
Expires: 00:02:41
# Display RP information on Firewall C.
[FirewallC] display pim rp-info
PIM-SM BSR RP information:
Group/MaskLen: 224.0.0.0/4
RP: 10.110.9.1 (local)
Priority: 192
HoldTime: 150
Uptime: 00:00:32
Expires: 00:01:58

PIM-SSM configuration example
Network requirements
As shown in Figure 344, receivers receive VOD information through multicast.
Figure 344 Network diagram (PIM-SSM domain: Source 10.110.5.100/24; receivers Host A, Host B, Host C and Host D; devices Firewall A, Firewall B, Firewall C, Router A and Router B)
Device      Interface  IP address
Firewall A  GE0/1      10.110.1.1/24
Firewall A  GE0/2      192.168.9.1/24
Firewall A  GE0/3      192.168.1.1/24
Firewall B  GE0/1      10.110.5.1/24
Firewall B  GE0/2      192.168.1.2/24
Firewall B  GE0/3      192.168.4.2/24
GE0/1 10.110.2.
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim sm
[FirewallA-GigabitEthernet0/3] quit
The configuration on Router A and Router B is similar to that on Firewall A.
Protocol: igmp, UpTime: 00:13:25, Expires: 00:03:25
# Display PIM routing table information on Firewall B.
[FirewallB] display pim routing-table
Total 0 (*, G) entry; 1 (S, G) entry
(10.110.5.100, 232.1.1.
• The same PIM mode must run on the entire network. Otherwise, the multicast distribution tree cannot be established, and multicast forwarding fails.
1. Use the display ip routing-table command to verify that a unicast route exists from the receiver host to the multicast source.
2. Use the display pim interface command to verify that PIM is enabled on the interfaces, especially on the RPF interface.
Analysis
• As the core of a PIM-SM domain, the RPs serve specific multicast groups. Multiple RPs can coexist in a network. Make sure the RP information on all routers is exactly the same, and that a specific group is mapped to the same RP everywhere. Otherwise, multicast forwarding will fail.
• If the static RP mechanism is used, the same static RP command must be executed on all the routers in the entire network. Otherwise, multicast forwarding will fail.
1.
Configuring MSDP
NOTE: The firewall supports MSDP configuration only at the CLI.
Multicast source discovery protocol (MSDP) is an inter-domain multicast solution that addresses the interconnection of protocol independent multicast sparse mode (PIM-SM) domains. It discovers multicast source information in other PIM-SM domains.
Configuring basic functions of MSDP NOTE: All the configuration tasks should be carried out on RPs in PIM-SM domains, and each of these RPs acts as an MSDP peer.
Configuring a static RPF peer
Configuring static RPF peers avoids the RPF check of SA messages.
To configure a static RPF peer:
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network MSDP view: msdp (N/A)
3. Configure a static RPF peer: static-rpf-peer peer-address [ rp-policy ip-prefix-name ] (No static RPF peer is configured by default.)
NOTE: If only one MSDP peer is configured on a router, that MSDP peer is registered as a static RPF peer.
An MSDP peer in an MSDP mesh group forwards SA messages from outside the mesh group that have passed the RPF check to the other members in the mesh group. A mesh group member accepts SA messages from inside the group without performing an RPF check, and does not forward the message within the mesh group. This mechanism not only avoids SA flooding but also simplifies the RPF check mechanism, because no need exists to run BGP or MBGP between these MSDP peers.
Configuring SA message related parameters
Configuration prerequisites
Before you configure SA message delivery, complete the following tasks:
• Configure any unicast routing protocol so that all devices in the domain are interoperable at the network layer.
• Configure basic functions of MSDP.
• Determine the ACL rules for filtering SA request messages.
• Determine the ACL rules used as SA message creation rules.
• Determine the ACL rules for filtering SA messages to be received and forwarded.
• Determin
Configuring SA request messages By default, after receiving a new join message, a router does not send an SA request message to any MSDP peer. Instead, it waits for the next SA message from its MSDP peer. This will cause the receiver to delay obtaining multicast source information. To enable a new receiver to get the active multicast source information as early as possible, you can configure routers to send SA request messages to the designated MSDP peers after receiving a join message of a new receiver.
Step: Command (Remarks)
1. Enter system view: system-view (N/A)
2. Enter public network MSDP view: msdp (N/A)
3. Configure an SA message creation rule: import-source [ acl acl-number ] (No restrictions on (S, G) entries by default.)
4. Configure a filtering rule for receiving or forwarding SA messages: peer peer-address sa-policy { import | export } [ acl acl-number ] (No filtering rule by default.)
5. Configure the TTL threshold for multicast data packet encapsulation in SA messages.
Task: View detailed information about the status of MSDP peers.
Command: display msdp peer-status [ peer-address ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: View the (S, G) entry information in the SA cache.
Command: display msdp sa-cache [ group-address | source-address | as-number ] * [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: View the number of (S, G) entries in the SA cache.
Figure 345 Network diagram
Device Interface IP address: Router A GE0/1 10.110.1.2/24 Router B GE0/1 10.110.4.2/24 GE0/2 10.110.2.1/24 GE0/2 10.110.5.1/24 GE0/3 10.110.3.1/24 GE0/1 10.110.6.1/24 GE0/1 10.110.1.1/24 GE0/2 192.168.3.2/24 GE0/2 192.168.1.1/24 Loop0 1.1.1.1/32 GE0/1 10.110.4.1/24 GE0/2 192.168.3.1/24 GE0/3 192.168.1.2/24 Loop0 2.2.2.2/32 Firewall A Firewall B Firewall C Loop0 3.3.3.
[RouterA] interface gigabitethernet 0/2
[RouterA-GigabitEthernet0/2] pim sm
[RouterA-GigabitEthernet0/2] quit
[RouterA] interface gigabitethernet 0/3
[RouterA-GigabitEthernet0/3] igmp enable
[RouterA-GigabitEthernet0/3] pim sm
[RouterA-GigabitEthernet0/3] quit
The configuration on Firewall A, Firewall B, Router B, Firewall C, and Router C is similar to that on Router A.
# Configure a PIM domain border on Firewall A.
[FirewallA-msdp] quit
# Configure MSDP peers on Firewall B.
[FirewallB] msdp
[FirewallB-msdp] peer 192.168.1.1 connect-interface GigabitEthernet 0/1
[FirewallB-msdp] peer 192.168.3.2 connect-interface GigabitEthernet 0/2
[FirewallB-msdp] quit
# Configure an MSDP peer on Firewall C.
[FirewallC] msdp
[FirewallC-msdp] peer 192.168.3.1 connect-interface GigabitEthernet 0/2
[FirewallC-msdp] quit
6.
* >   192.168.1.1   0   0   100 ?
* >i  2.2.2.2/32    1.1.1.1/32   0.0.0.0   0   0   ?
* >   192.168.1.0   0.0.0.0   0   0   ?
* >   192.168.1.1/32   0.0.0.0   0   0   ?
* >   192.168.1.2/32   0.0.0.0   0   0   ?
When the multicast sources (Source 1 and Source 2) in PIM-SM 1 and PIM-SM 2 send multicast information, receivers in PIM-SM 1 and PIM-SM 3 can receive the multicast data. You can use the display msdp brief command to display brief information about the MSDP peering relationship between the firewalls.
Information about (Source, Group)-based SA filtering policy:
  Import policy: none
  Export policy: none
Information about SA-Requests:
  Policy to accept SA-Request messages: none
  Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
  Count of RPF check failure: 0
  Incoming/outgoing SA messages: 0/0
  Incoming/outgoing SA requests: 0/0
  Incoming/outg
Figure 346 Network diagram (AS 100 and AS 200; PIM-SM 1, PIM-SM 2 and PIM-SM 3; Source 1 and Source 2; devices Firewall A, Firewall B, Firewall C, Router A, Router B, Router C and Router D; BGP peers)
Device Interface IP address: Source 1 — 192.168.1.100/24 Firewall B GE0/1 10.110.5.1/24 Source 2 — 192.168.3.100/24 GE0/2 10.
[RouterB-GigabitEthernet0/1] quit
[RouterB] interface gigabitethernet 0/2
[RouterB-GigabitEthernet0/2] igmp enable
[RouterB-GigabitEthernet0/2] pim sm
[RouterB-GigabitEthernet0/2] quit
[RouterB] interface gigabitethernet 0/3
[RouterB-GigabitEthernet0/3] pim sm
[RouterB-GigabitEthernet0/3] quit
The configuration on Firewall A, Router A, Firewall B, Router C, Router D, and Firewall C is similar to that on Router B. (Details not shown.)
# Configure PIM domain borders on Router A.
[RouterD-bgp] peer 10.110.4.1 as-number 100
[RouterD-bgp] import-route ospf 1
[RouterD-bgp] quit
# Redistribute BGP routing information into OSPF on Router A.
[RouterA] ospf 1
[RouterA-ospf-1] import-route bgp
[RouterA-ospf-1] quit
# Redistribute BGP routing information into OSPF on Firewall B.
[FirewallB] ospf 1
[FirewallB-ospf-1] import-route bgp
[FirewallB-ospf-1] quit
# Redistribute BGP routing information into OSPF on Router B.
You can use the display msdp brief command to display brief information about the MSDP peering relationship between the firewalls. For example:
# Display brief MSDP peer information on Firewall A.
[FirewallA] display msdp brief
MSDP Peer Brief Information
Configured  Up  Listen  Connect  Shutdown  Down
2           2   0       0        0         0
Peer's Address  State  Up/Down time  AS  SA Count  Reset Count
10.110.3.2      Up     01:07:08      ?   8         0
10.110.6.2      Up     00:16:39      ?   13        0
# Display brief MSDP peer information on Firewall B.
Figure 347 Network diagram
Device Interface IP address: Source 1 — 10.110.5.100/24 Router B GE0/1 192.168.1.2/24 Source 2 — 10.110.6.100/24 GE0/2 192.168.2.2/24 Router A GE0/1 10.110.5.1/24 GE0/1 10.110.3.1/24 GE0/2 10.110.2.2/24 GE0/2 10.110.4.1/24 GE0/1 10.110.1.1/24 GE0/3 192.168.2.1/24 GE0/2 10.110.2.1/24 Loop0 2.2.2.2/32 GE0/3 192.168.1.
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim sm
[FirewallA-GigabitEthernet0/3] quit
[FirewallA] interface loopback 0
[FirewallA-LoopBack0] pim sm
[FirewallA-LoopBack0] quit
[FirewallA] interface loopback 10
[FirewallA-LoopBack10] pim sm
[FirewallA-LoopBack10] quit
[FirewallA] interface loopback 20
[FirewallA-LoopBack20] pim sm
# Display brief MSDP peer information on Firewall B.
[FirewallB] display msdp brief
MSDP Peer Brief Information
Configured  Up  Listen  Connect  Shutdown  Down
1           1   0       0        0         0
Peer's Address  State  Up/Down time  AS  SA Count  Reset Count
1.1.1.1         Up     00:10:18      ?   0         0
To display PIM routing information on each firewall, use the display pim routing-table command. When Source 1 (10.110.5.100/24) sends multicast data to multicast group G (225.1.1.1), Host A joins multicast group G.
# Display PIM routing information on Firewall A.
[FirewallA] display pim routing-table
No information is output on Firewall A.
# Display PIM routing information on Firewall B.
[FirewallB] display pim routing-table
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
RP: 10.1.1.
Figure 348 Network diagram (PIM-SM 1, PIM-SM 2 and PIM-SM 3; Source 1 and Source 2; Receiver Host A, Host B and Host C; devices Firewall A, Firewall B, Firewall C and Firewall D; MSDP peers)
Device Interface IP address: Source 1 — 10.110.3.100/24 Firewall C GE0/1 10.110.4.1/24 Source 2 — 10.110.6.100/24 GE0/2 10.110.5.1/24 Firewall A GE0/1 10.110.1.
[FirewallA-GigabitEthernet0/2] pim sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim sm
[FirewallA-GigabitEthernet0/3] quit
[FirewallA] interface loopback 0
[FirewallA-LoopBack0] pim sm
[FirewallA-LoopBack0] quit
The configuration on Firewall B, Firewall C and Firewall D is similar to that on Firewall A. (Details not shown.)
# Configure PIM domain borders on Firewall C.
# Configure an SA message filter on Firewall C so that Firewall C will not forward SA messages for (Source 1, 225.1.1.0/30) to Firewall D.
[FirewallC] acl number 3001
[FirewallC-acl-adv-3001] rule deny ip source 10.110.3.100 0 destination 225.1.1.0 0.0.0.3
[FirewallC-acl-adv-3001] rule permit ip source any destination any
[FirewallC-acl-adv-3001] quit
[FirewallC] msdp
[FirewallC-msdp] peer 10.110.5.
Troubleshooting MSDP
MSDP peers stay in down state
Symptom
The configured MSDP peers stay in the down state.
Analysis
• An MSDP peering relationship is established over a TCP connection between the local interface address and the MSDP peer address after the configuration.
• The TCP connection setup fails if the local interface address is not consistent with the MSDP peer address configured on the peer router.
• If no route is available between the MSDP peers, the TCP connection setup fails.
1.
Inter-RP communication faults in Anycast RP application
Symptom
RPs fail to exchange their locally registered (S, G) entries with one another in the Anycast RP application.
Analysis
• In the Anycast RP application, RPs in the same PIM-SM domain are configured as MSDP peers to achieve load balancing among the RPs.
• An MSDP peer address must be different from the Anycast RP address, and the C-BSR and C-RP must be configured on different devices or interfaces.
Configuring IPv6 basics
Overview
Internet Protocol Version 6 (IPv6), also called IP next generation (IPng), was designed by the Internet Engineering Task Force (IETF) as the successor to Internet Protocol version 4 (IPv4). The most significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server).
• Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
An IPv6 address prefix is written in IPv6-address/prefix-length notation, where IPv6-address is represented in any of the formats above and prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprise the address prefix.
IPv6 address types
IPv6 addresses fall into three types: unicast addresses, multicast addresses, and anycast addresses.
• Unicast address—An identifier for a single interface, similar to an IPv4 unicast address.
• A loopback address is 0:0:0:0:0:0:0:1 (or ::1). It may never be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself, in the same way as the loopback address in IPv4.
• An unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.
• On a tunnel interface—The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see VPN Configuration Guide.
• On an interface of another type—The EUI-64 address-based interface identifier is generated randomly by the firewall.
Figure 351 Address resolution
Address resolution operates in the following steps:
1. Host A multicasts an NS message. The source address of the NS message is the IPv6 address of the sending interface of Host A, and the destination address is the solicited-node multicast address of Host B. The NS message contains the link-layer address of Host A.
2. After receiving the NS message, Host B checks whether the destination address of the packet is its solicited-node multicast address.
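The address forms described above can be computed rather than read off a table. The following Python is an added example, not code from the HP guide: it derives the EUI-64 interface identifier and link-local address from a MAC address, builds an ISATAP tunnel identifier in the 0000:5EFE form described for tunnel interfaces, and computes the solicited-node multicast group that the NS message in step 1 is sent to. The U/L-bit inversion and FF:FE insertion are standard RFC 4291 behaviour not spelled out on this page; the check values come from the display output later in this chapter (MAC 0015-e9a6-7d14 appears with link-local FE80::215:E9FF:FEA6:7D14, and an interface with link-local FE80::20F:E2FF:FE00:1C0 has joined FF02::1:FF00:1C0).

```python
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    """Accept a MAC in 0015-e9a6-7d14, 00:15:e9:a6:7d:14 or 0015e9a67d14 form."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A): insert FF:FE
    between the OUI and device halves of the MAC and invert the universal/local
    bit (bit 1 of the first octet)."""
    m = _mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def isatap_interface_id(tunnel_ipv4: str) -> bytes:
    """ISATAP tunnel interface identifier as this page describes it: 0000:5EFE in
    the upper 32 bits, the tunnel source IPv4 address in the lower 32 bits."""
    return bytes.fromhex("00005efe") + ipaddress.IPv4Address(tunnel_ipv4).packed


def address_from_prefix(prefix: str, interface_id: bytes) -> str:
    """Join a 64-bit prefix (prefix/length notation) with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(interface_id) != 8:
        raise ValueError("EUI-64 addressing needs a /64 prefix and a 64-bit interface ID")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id))


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the EUI-64 identifier: the automatically generated link-local address."""
    return address_from_prefix("fe80::/64", eui64_interface_id(mac))


def solicited_node(unicast: str) -> str:
    """Solicited-node multicast group: FF02::1:FF00:0/104 plus the low 24 bits of the
    unicast address. This is the destination of the NS message in step 1 above."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(base + low24))


if __name__ == "__main__":
    mac = "0015-e9a6-7d14"  # MAC shown in this chapter's neighbor table output
    ll = link_local_from_mac(mac)
    print(mac, "->", ll, "  NS group:", solicited_node(ll))
    # Constructed tunnel example: prefix 2001:db8::/64, tunnel source 10.1.1.1
    print(address_from_prefix("2001:db8::/64", isatap_interface_id("10.1.1.1")))
```

Running the functions over the neighbor table later in this chapter also shows that the host's global address there (2001::15B:E0EA:3524:E791) does not carry the EUI-64 identifier of its MAC, which is what a randomly generated interface ID looks like in practice.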
3. Host A learns that the IPv6 address is already in use by Host B if it receives an NA message from Host B. If it receives no NA message, Host A decides that the IPv6 address is not in use and uses this address.
Router/prefix discovery and address autoconfiguration
Router/prefix discovery enables a node to locate the neighboring routers and to learn from the received RA messages configuration parameters such as the prefix of the network where the node is located.
Figure 353 Path MTU discovery process
1. The source host compares its MTU with the size of the packet to be sent, performs any necessary fragmentation, and sends the resulting packet to the destination host.
2. If the MTU supported by a forwarding interface is smaller than the packet, the device discards the packet and returns an ICMPv6 error packet containing the interface MTU to the source host.
3.
6PE
6PE is a transition technology by which Internet service providers (ISPs) can use existing IPv4 backbone networks to allow communications between isolated IPv6 networks. 6PE adds labels to the IPv6 routing information of customer networks and advertises the information into the IPv4 backbone network over Internal Border Gateway Protocol (iBGP) sessions. IPv6 packets are labeled and forwarded over tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs.
IPv6 basics configuration task list
Task                                                                Remarks
Configuring basic IPv6 functions:
  Enabling IPv6                                                     Required
  Configuring an IPv6 global unicast address                        Required to configure one
  Configuring an IPv6 anycast address
Configuring IPv6 ND:
  Configuring a static neighbor entry                               Optional
  Configuring the maximum number of neighbors dynamically learned   Optional
  Setting the aging timer for ND entries in stale state             Optional
  Configuring parameters related to RA messages                     Optional
Configuring path MTU discovery:
Configuring an IPv6 global unicast address
Configure an IPv6 global unicast address in one of the following ways:
• EUI-64 IPv6 addressing—The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is configured manually.
Step                                                                                        Command                                     Remarks
2. Enter interface view.                                                                    interface interface-type interface-number   N/A
3. Configure an IPv6 address to be generated through stateless address autoconfiguration.   ipv6 address auto                           By default, no IPv6 global unicast address is configured on an interface.
With stateless address autoconfiguration enabled on an interface, the device automatically generates an IPv6 global unicast address by using the address prefix information in the received RA message and the interface ID.
• Manual assignment—IPv6 link-local addresses can be assigned manually.
NOTE:
• An interface can have only one link-local address. To avoid link-local address conflicts, use the automatic generation method.
• Manual assignment takes precedence over automatic generation. If you first use automatic generation and then manual assignment, the manually assigned link-local address overwrites the automatically generated one.
NOTE:
• After an IPv6 global unicast address is configured for an interface, a link-local address is generated automatically. The automatically generated link-local address is the same as the one generated by using the ipv6 address auto link-local command. If a link-local address is manually assigned to an interface, this manual link-local address takes effect. If the manually assigned link-local address is removed, the automatically generated link-local address takes effect.
CAUTION:
After a static neighbor entry is configured, the firewall must resolve the corresponding Layer 2 port information of the VLAN interface.
Configuring the maximum number of neighbors dynamically learned
The firewall can dynamically acquire the link-layer address of a neighboring node through NS and NA messages and add it to the neighbor table. A large neighbor table may reduce the forwarding performance of the firewall.
Table 86 Parameters in an RA message and their descriptions
Parameter                    Description
Cur Hop Limit                When sending an IPv6 packet, a host uses the value to fill the Hop Limit field in IPv6 headers. The value is also filled into the Hop Limit field in the response packet of a device.
Prefix Information options   After receiving the prefix information, the hosts on the same link can perform stateless autoconfiguration.
MTU                          Make sure that all nodes on a link use the same MTU value.
To configure parameters related to RA messages:
Step                                                 Command                                                                                                                                    Remarks
1. Enter system view.                                system-view                                                                                                                                N/A
2. Configure the hop limit.                          ipv6 nd hop-limit value                                                                                                                    Optional. 64 by default.
3. Enter interface view.                             interface interface-type interface-number                                                                                                  N/A
4. Configure the prefix information in RA messages.  ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] *   Optional.
5.
NOTE:
• The maximum interval for sending RA messages should be less than or equal to the router lifetime in RA messages, so that the router information on hosts is refreshed by an RA message before it expires.
• The values of the NS retransmission timer and the reachable time configured for an interface are sent to hosts via RA messages. Furthermore, this interface sends NS messages at the interval of the NS retransmission timer and considers a neighbor reachable within the reachable time.
Figure 355 Network diagram
Because Host A considers Host B to be on the same network, it directly sends an NS message to obtain the hardware address of Host B. Host B, however, cannot receive this message because it is located in a different broadcast domain. You can solve the problem by enabling ND proxy on Ethernet 1/1 and Ethernet 1/2 of Router.
Configuring a static path MTU for a specified IPv6 address
You can configure a static path MTU for a specified destination IPv6 address. When a source host sends a packet through an interface, it compares the interface MTU with the static path MTU of the specified destination IPv6 address. If the packet size is larger than the smaller of the two values, the host fragments the packet according to the smaller value.
To configure a static path MTU for a specified IPv6 address:
Step   Command   Remarks
1.
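The two MTU rules in this chapter (the three-step path MTU discovery process and the "use the smaller of interface MTU and static path MTU" rule above) can be exercised end to end. The following Python is an added example, not code from the HP guide: it simulates the discovery loop over a constructed list of per-hop link MTUs, applies the static path MTU rule, and splits an oversized packet into IPv6 fragments. The 1280-byte minimum link MTU and the 8-byte fragment alignment are RFC 8200 facts, not something the page states; the fragmentation model ignores extension headers other than the Fragment header.

```python
from typing import List, Optional, Tuple

IPV6_MIN_MTU = 1280   # every IPv6 link must carry 1280-byte packets (RFC 8200)
IPV6_HEADER = 40      # base IPv6 header
FRAG_HEADER = 8       # Fragment extension header carried by every fragment


def effective_mtu(interface_mtu: int, static_path_mtu: Optional[int] = None) -> int:
    """The value the host compares the packet against: the smaller of the interface
    MTU and the static path MTU configured for the destination, when one exists."""
    if static_path_mtu is None:
        return interface_mtu
    return min(interface_mtu, static_path_mtu)


def fragment_sizes(packet_len: int, mtu: int) -> List[int]:
    """Sizes of the fragments a packet_len-byte packet (base header plus payload) is
    split into for a link of the given mtu. Every fragment but the last carries a
    payload that is a multiple of 8 bytes, as the Fragment header's offset requires."""
    if mtu < IPV6_MIN_MTU:
        raise ValueError(f"MTU {mtu} is below the IPv6 minimum of {IPV6_MIN_MTU}")
    if packet_len <= mtu:
        return [packet_len]
    payload_per_fragment = ((mtu - IPV6_HEADER - FRAG_HEADER) // 8) * 8
    remaining = packet_len - IPV6_HEADER
    sizes = []
    while remaining > 0:
        chunk = min(payload_per_fragment, remaining)
        sizes.append(IPV6_HEADER + FRAG_HEADER + chunk)
        remaining -= chunk
    return sizes


def discover_path_mtu(hop_mtus: List[int], packet_len: int,
                      initial_pmtu: int) -> Tuple[int, List[int]]:
    """Simulate the discovery steps: the source never sends more than its current path
    MTU; the first hop whose link MTU is smaller discards the packet and returns an
    ICMPv6 Packet Too Big carrying its MTU; the source adopts that value and retries.
    Returns (final path MTU, MTUs reported by the ICMPv6 errors, in order)."""
    pmtu = initial_pmtu
    reported: List[int] = []
    while True:
        send_size = min(packet_len, pmtu)
        bottleneck = next((m for m in hop_mtus if m < send_size), None)
        if bottleneck is None:
            return pmtu, reported
        if bottleneck < IPV6_MIN_MTU:
            raise ValueError("a link on the path violates the IPv6 minimum MTU")
        reported.append(bottleneck)
        pmtu = bottleneck


if __name__ == "__main__":
    # Constructed path: 1500-byte Ethernet, then two tunnels with 1400 and 1280 bytes.
    path = [1500, 1400, 1280]
    pmtu, errors = discover_path_mtu(path, packet_len=1500, initial_pmtu=1500)
    print("path MTU", pmtu, "after ICMPv6 errors reporting", errors)
    print("fragments of a 1500-byte packet at", pmtu, ":", fragment_sizes(1500, pmtu))
    print("effective MTU with static path MTU 1400:", effective_mtu(1500, 1400))
```

A practical point the simulation makes visible: each ICMPv6 error costs one round trip, so a static path MTU for a destination behind a known bottleneck removes those retries, while a static value below the real path MTU only causes needless fragmentation.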
Step                                                        Command                                 Remarks
2. Set the synwait timer.                                   tcp ipv6 timer syn-timeout wait-time    Optional. 75 seconds by default.
3. Set the finwait timer.                                   tcp ipv6 timer fin-timeout wait-time    Optional. 675 seconds by default.
4. Set the size of the IPv6 TCP sending/receiving buffer.   tcp ipv6 window size                    Optional. 8 KB by default.
Configuring IPv6 FIB load sharing
In IPv6 FIB load sharing mode, the firewall can decide how to select equal-cost multi-paths (ECMP) to forward packets.
To configure the capacity and update interval of the token bucket:
Step                                                                 Command                                                           Remarks
1. Enter system view.                                                system-view                                                       N/A
2. Configure the capacity and update interval of the token bucket.   ipv6 icmp-error { bucket bucket-size | ratelimit interval } *     Optional. By default, the capacity of a token bucket is 10 and the update interval is 100 milliseconds. At most 10 ICMPv6 error packets can be sent within 100 milliseconds.
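The default limit (10 tokens per 100 ms) is easy to reason about but worth seeing in motion, because a burst of undeliverable packets, whether a misconfiguration or a deliberate scan, is exactly when the firewall would otherwise generate ICMPv6 errors at line rate. The following Python is an added example, not code from the HP guide: a token bucket with the page's parameters fed a constructed burst of error-triggering arrival times. The page does not say how the bucket is refilled between intervals; this model refills it to full capacity at every interval boundary, which is an assumption.

```python
from typing import List, Tuple


class Icmpv6ErrorLimiter:
    """Token bucket in the shape this page describes: bucket_size tokens per
    interval_ms; sending one ICMPv6 error consumes one token, and an error that
    finds the bucket empty is suppressed. Assumption (not on the page): the bucket
    is refilled to capacity at each interval boundary rather than drip-fed."""

    def __init__(self, bucket_size: int = 10, interval_ms: int = 100):
        if bucket_size < 1 or interval_ms < 1:
            raise ValueError("bucket size and interval must be positive")
        self.bucket_size = bucket_size
        self.interval_ms = interval_ms
        self.tokens = bucket_size
        self.window_start = 0
        self.sent = 0
        self.suppressed = 0

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error may be sent at time now_ms (monotonic ms)."""
        elapsed = now_ms - self.window_start
        if elapsed >= self.interval_ms:
            # One or more whole intervals have passed: refill and realign the window.
            self.tokens = self.bucket_size
            self.window_start = now_ms - (elapsed % self.interval_ms)
        if self.tokens > 0:
            self.tokens -= 1
            self.sent += 1
            return True
        self.suppressed += 1
        return False


def run_burst(limiter: Icmpv6ErrorLimiter, error_times_ms: List[int]) -> Tuple[int, int]:
    """Feed arrival times of packets that each would trigger an ICMPv6 error;
    return the (sent, suppressed) counters afterwards."""
    for t in error_times_ms:
        limiter.try_send(t)
    return limiter.sent, limiter.suppressed


if __name__ == "__main__":
    # Constructed burst: 25 undeliverable packets in the first 25 ms, then one at 150 ms.
    limiter = Icmpv6ErrorLimiter()          # page defaults: bucket 10, interval 100 ms
    print("burst of 25 in 25 ms ->", run_burst(limiter, list(range(25))))
    print("one more at 150 ms   ->", limiter.try_send(150))
```

With the defaults, 10 of the 25 errors in the burst are sent and 15 are suppressed; the error at 150 ms falls in the next interval and is sent. Raising bucket-size trades more informative errors for senders against more work and more reflected traffic from the firewall.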
Enabling sending of ICMPv6 destination unreachable messages
If the firewall fails to forward a received IPv6 packet for one of the following reasons, it drops the packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
• If no route is available for forwarding the packet, the firewall sends a "no route to destination" ICMPv6 error message to the source.
Task                                                                             Command                                                                                                                                                                         Remarks
Display neighbor information.                                                    display ipv6 neighbors { ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id } [ vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Display the total number of neighbor entries satisfying the specified conditions.
Network requirements
As shown in Figure 356, a host, Router A and Router B are connected through Ethernet interfaces. Configure IPv6 addresses for the interfaces and verify that they are connected.
• The global unicast addresses of GigabitEthernet 0/1 and GigabitEthernet 0/2 on Router A are 3001::1/64 and 2001::1/64, respectively.
• The global unicast address of GigabitEthernet 0/1 on Router B is 3001::2/64, and a route to Host is available.
[RouterA] display ipv6 neighbors interface gigabitethernet 0/2
Type: S-Static   D-Dynamic
IPv6 Address                 Link-layer        VID   Interface   State   T   Age
FE80::215:E9FF:FEA6:7D14     0015-e9a6-7d14    N/A   GE0/2       STALE   D   1238
2001::15B:E0EA:3524:E791     0015-e9a6-7d14    N/A   GE0/2       STALE   D   1248
The output shows that the IPv6 global unicast address that Host obtained is 2001::15B:E0EA:3524:E791.
Verifying the configuration
# Display the IPv6 interface information on Router A.
OutFragCreates: 0
InMcastPkts: 6
InMcastNotMembers: 25747
OutMcastPkts: 48
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
[RouterA] display ipv6 interface gigabitethernet 0/2
GigabitEthernet0/2 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::20F:E2FF:FE00:1C0
  Global unicast address(es):
    2001::1, subnet is 2001::/64
  Joined group address(es):
    FF02::1:FF00:0
    FF02::1:FF00:1
    FF02::1:FF00:1C0
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of
OutFragCreates: 0
InMcastPkts: 79
InMcastNotMembers: 65
OutMcastPkts: 938
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Display the IPv6 interface settings on Router B. All the IPv6 global unicast addresses configured on the interface are displayed.
InMcastNotMembers: 0
OutMcastPkts: 7
InAddrErrors: 0
InDiscards: 0
OutDiscards: 0
# Ping Router A and Router B from Host, and ping Router A and Host from Router B to verify that they are connected.
IMPORTANT:
When you ping a link-local address, use the -i parameter to specify an interface for the link-local address.
DHCPv6 overview
NOTE:
The DHCPv6 configuration is available only at the command line interface (CLI).
Introduction to DHCPv6
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) was designed on the basis of the IPv6 addressing scheme and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to hosts.
Assignment involving four messages
Figure 358 shows the process of IPv6 address/prefix assignment involving four messages.
Figure 358 Assignment involving four messages
The assignment involving four messages operates in the following steps:
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2.
Figure 360 Using the Rebind message for address/prefix lease renewal
As shown in Figure 360, if the DHCPv6 client receives no response from the DHCPv6 server after sending out a Renew message at T1, it multicasts a Rebind message to all DHCPv6 servers at T2 (that is, when 80% of the preferred lifetime expires). The DHCPv6 server then responds with a Reply message indicating whether the lease is renewed.
Operation
Figure 361 Operation of stateless DHCPv6
As shown in Figure 361, stateless DHCPv6 operates in the following steps:
1. The DHCPv6 client multicasts an Information-request message to the multicast address of all DHCPv6 servers and DHCPv6 relay agents. The Information-request message contains an Option Request option, specifying the configuration parameters that the client requests from the DHCPv6 server.
2.
Configuring the DHCPv6 server
Introduction to the DHCPv6 server
Application environment
Figure 362 Typical DHCPv6 server application
As shown in Figure 362, the DHCPv6 server assigns the DHCPv6 client an IPv6 prefix to facilitate IPv6 address management and network configuration.
Figure 363 Format of DUID-LL
A DUID based on link-layer address (DUID-LL), defined in RFC 3315, is used to identify a DHCPv6 device. Figure 363 shows the DUID-LL format, where:
• DUID type—The device supports DUID-LL as the DUID type, with the value of 0x0003.
• Hardware type—The device supports Ethernet as the hardware type, with the value of 0x0001.
• Link layer address—Its value is the bridge MAC address of the device.
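The DUID-LL layout above is what the CLI prints as a hex string, for example the DUID 00030001CA0006A40000 used in the static prefix binding later in this chapter. The following Python is an added example, not code from the HP guide: it encodes a DUID-LL from a MAC address and decodes a CLI-style hex string back into its fields, rejecting the DUID types and hardware types the page says the device does not support. It is useful when checking a static-bind entry against the DUID a client actually sends.

```python
import struct
from dataclasses import dataclass

DUID_TYPE_LL = 0x0003       # DUID based on link-layer address (RFC 3315)
HW_TYPE_ETHERNET = 0x0001   # hardware type Ethernet


@dataclass(frozen=True)
class DuidLL:
    hw_type: int
    link_layer_address: bytes

    def mac(self) -> str:
        """Render the address in the xxxx-xxxx-xxxx form used by the CLI on this page."""
        h = self.link_layer_address.hex()
        return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def build_duid_ll(mac: str, hw_type: int = HW_TYPE_ETHERNET) -> bytes:
    """Encode DUID type (2 bytes) + hardware type (2 bytes) + link-layer address."""
    lla = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if hw_type == HW_TYPE_ETHERNET and len(lla) != 6:
        raise ValueError("Ethernet hardware type needs a 6-byte address")
    return struct.pack("!HH", DUID_TYPE_LL, hw_type) + lla


def parse_duid_ll(duid_hex: str) -> DuidLL:
    """Decode a DUID as the CLI displays it. Anything other than DUID-LL over
    Ethernet is rejected, since that is the only combination this page lists."""
    raw = bytes.fromhex(duid_hex)
    if len(raw) < 4:
        raise ValueError("DUID shorter than its 4-byte header")
    duid_type, hw_type = struct.unpack("!HH", raw[:4])
    if duid_type != DUID_TYPE_LL:
        raise ValueError(f"DUID type 0x{duid_type:04x} is not DUID-LL (0x0003)")
    if hw_type != HW_TYPE_ETHERNET:
        raise ValueError(f"hardware type 0x{hw_type:04x} is not Ethernet (0x0001)")
    lla = raw[4:]
    if len(lla) != 6:
        raise ValueError("Ethernet link-layer address must be 6 bytes")
    return DuidLL(hw_type, lla)


def is_supported_duid(duid_hex: str) -> bool:
    """True when the DUID is a well-formed DUID-LL over Ethernet."""
    try:
        parse_duid_ll(duid_hex)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    duid = "00030001CA0006A40000"   # DUID from the static-bind example in this chapter
    print(duid, "->", parse_duid_ll(duid))
    print("rebuilt:", build_duid_ll("ca00-06a4-0000").hex())
```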
DHCPv6 server configuration task list
Task                                        Remarks
Enabling the DHCPv6 server                  Required
Creating a prefix pool                      Required
Configuring a DHCPv6 address pool           Required
Applying the address pool to an interface   Required
Configuration prerequisites
Before you configure the DHCPv6 server, enable IPv6 by using the ipv6 command. For more information about the ipv6 command, see Network Management Command Reference.
Enabling the DHCPv6 server
Step   Command   Remarks
1. Enter system view.
Step                               Command                                                                                                                                                          Remarks
3. Configure a prefix.             • (Approach 1) Configure a static prefix: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]   Use either approach. No prefix is specified by default.
                                   • (Approach 2) Apply a prefix pool to the address pool: prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
4. Configure a DNS server address.
NOTE:
• An interface cannot serve as a DHCPv6 server and DHCPv6 relay agent at the same time.
• It is not recommended that you enable DHCPv6 server and DHCPv6 client on the same interface.
• Only one address pool can be applied to an interface.
• A non-existing address pool can be applied to an interface. However, the server cannot assign any prefix or other configuration information from the address pool until the address pool is created.
2::2:3. The DHCPv6 clients reside in domain aaa.com. The SIP server address is 2:2::4, and the domain name of the SIP server is bbb.com.
Configuration considerations
To configure the DHCPv6 server:
• Enable IPv6 and the DHCPv6 server.
• Create a prefix pool containing prefix 2001:0410::/32 with the length of the assigned prefix being 48, so that the server assigns clients prefixes ranging from 2001:0410::/48 to 2001:0410:FFFF::/48.
• Create an address pool.
[Firewall-ipv6-dhcp-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200
# Configure the DNS server address as 2:2::3.
[Firewall-ipv6-dhcp-pool-1] dns-server 2:2::3
# Configure the domain name as aaa.com.
[Firewall-ipv6-dhcp-pool-1] domain-name aaa.com
# Configure the SIP server address as 2:2::4, and the domain name of the SIP server as bbb.com.
Available: 65535   In-use: 0   Static: 1
# After the client whose DUID is 00030001CA0006A40000 obtains an IPv6 prefix, display the PD information on the DHCPv6 server.
[Firewall-GigabitEthernet0/1] display ipv6 dhcp server pd-in-use all
Total number = 1
Prefix               Type        Pool   Lease-expiration
2001:410:201::/48    Static(C)   1      Jul 10 2009 19:45:01
# After the other client obtains an IPv6 prefix, display the PD information on the DHCPv6 server.
Configuring the DHCPv6 relay agent
Introduction to the DHCPv6 relay agent
Figure 365 Typical DHCPv6 relay agent application
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 365, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server via a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
3. After obtaining the Solicit message from the Relay-forward message, the DHCPv6 server selects an IPv6 address and other required parameters, and adds them to the reply, which is encapsulated within the Relay Message option of a Relay-reply message. The DHCPv6 server then sends the Relay-reply message to the DHCPv6 relay agent.
4. The DHCPv6 relay agent obtains the reply from the Relay-reply message and sends the reply to the DHCPv6 client.
Displaying and maintaining the DHCPv6 relay agent
Task                                                                  Command                                                                                                                                          Remarks
Display the DUID of the local device.                                 display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ]                                                                  Available in any view
Display DHCPv6 server addresses specified on the DHCPv6 relay agent.  display ipv6 dhcp relay server-address { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]   Available in any view
Display packet statistics on the DHCPv6 relay agent.
[Firewall-GigabitEthernet0/2] ipv6 address 2::1 64
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 1::1 64
# Enable the DHCPv6 relay agent and specify the DHCPv6 server address on interface GigabitEthernet 0/1.
[Firewall-GigabitEthernet0/1] ipv6 dhcp relay server-address 2::2
Configuring the Firewall as a gateway
# Enable Router A to send RA messages and turn on the M and O flags.
Configuring the DHCPv6 client
Introduction to the DHCPv6 client
Serving as a DHCPv6 client, the firewall supports only stateless DHCPv6 configuration; that is, the firewall can obtain only network configuration parameters other than the IPv6 address and prefix from the DHCPv6 server. With an IPv6 address obtained through stateless address autoconfiguration, the firewall automatically enables the stateless DHCPv6 function after it receives an RA message with the M flag set to 0 and the O flag set to 1.
Task                                    Command                                                                           Remarks
Display the DUID of the local device.   display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ]   Available in any view
Stateless DHCPv6 configuration example
Network requirements
Through stateless DHCPv6, Firewall A obtains the DNS server address, domain name, and other information from the DHCPv6 server. Firewall B acts as the gateway and sends RA messages periodically.
Verifying the configuration
After receiving an RA message with the M flag set to 0 and the O flag set to 1, Firewall A automatically enables stateless DHCPv6.
# Use the display ipv6 dhcp client command to view the current client configuration information. If the client successfully obtains configuration information from the server, the following information is displayed.
Configuring IPv6 DNS
NOTE:
The IPv6 DNS configuration is available only at the command line interface (CLI).
Overview
IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see "Configuring DNS."
Step                                        Command                                                              Remarks
1. Enter system view.                       system-view                                                          N/A
2. Enable dynamic domain name resolution.   dns resolve                                                          Disabled by default.
3. Specify a DNS server.                    dns server ipv6 ipv6-address [ interface-type interface-number ]     Not specified by default. If the IPv6 address of the DNS server is a link-local address, you must specify the interface-type and interface-number arguments.
4. Configure a DNS suffix.                  dns domain domain-name                                               Optional. Not configured by default.
Figure 369 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
system-view
[Firewall] ipv6 host host.com 1::2
# Enable IPv6 packet forwarding.
[Firewall] ipv6
# Use the ping ipv6 host.com command to verify that the Firewall can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[Firewall] ping ipv6 host.com
PING host.
Figure 370 Network diagram
NOTE:
• Before performing the following configuration, make sure that the Firewall and the host can reach each other via available routes, and that the IPv6 addresses of the interfaces are configured as shown in Figure 370.
• This configuration may vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
Figure 372 Creating a record
In Figure 372, select Other New Records to bring up a dialog box as shown in Figure 373. Select IPv6 Host (AAAA) as the resource record type.
Figure 373 Selecting the resource record type As shown in Figure 374, type host name host and IPv6 address 1::1, and then click OK.
Figure 374 Adding a mapping between domain name and IPv6 address
Configuring the DNS client
# Enable dynamic domain name resolution.
system-view
[Firewall] dns resolve
# Specify the DNS server 2::2.
[Firewall] dns server ipv6 2::2
# Configure com as the DNS suffix.
Reply from 1::1 bytes=56 Sequence=3 hop limit=126 time = 1 ms
Reply from 1::1 bytes=56 Sequence=4 hop limit=126 time = 1 ms
Reply from 1::1 bytes=56 Sequence=5 hop limit=126 time = 1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuring IPv6 static routing
NOTE:
• The term "router" in this document refers to both routers and Layer 3 firewalls.
• The IPv6 static routing configuration is available only at the CLI.
Introduction to IPv6 static routing
Static routes are manually configured. They work well in simple networks. Configuring and using them properly can improve network performance and ensure enough bandwidth for important applications. However, static routes also have limitations.
Step                                   Command
2. Configure an IPv6 static route.
Figure 375 Network diagram
Configuration procedure
1. Configure IPv6 addresses for all interfaces. (Details not shown.)
2. Configure IPv6 static routes:
# Configure the default IPv6 route on Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] ipv6 route-static :: 0 4::2
# Configure two IPv6 static routes on Firewall B.
Interface   : InLoop0       Cost       : 0
Destination : 1::/64        Protocol   : Direct
NextHop     : 1::1          Preference : 0
Interface   : GE0/1         Cost       : 0
Destination : 1::1/128      Protocol   : Direct
NextHop     : ::1           Preference : 0
Interface   : InLoop0       Cost       : 0
Destination : FE80::/10     Protocol   : Direct
NextHop     : ::            Preference : 0
Interface   : NULL0         Cost       : 0
# Check connectivity with the ping command.
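Reading a routing table like the one above means knowing which entry wins for a given destination: the longest matching prefix, then the lowest preference, with remaining ties forming the equal-cost set that FIB load sharing distributes over. The following Python is an added example, not code from the HP guide: it loads a constructed table mirroring the entries shown above plus the default route from "ipv6 route-static :: 0 4::2", and resolves destinations against it. The preference value 60 and outgoing interface GE0/2 for the static route are assumptions; the page does not show them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    destination: str    # prefix in address/length notation
    protocol: str
    next_hop: str
    preference: int
    interface: str
    cost: int = 0


# Constructed table mirroring the display ipv6 routing-table entries on this page, plus the
# default route from "ipv6 route-static :: 0 4::2". Preference 60 and interface GE0/2 for
# the static route are assumptions, not values shown on the page.
ROUTES = [
    Route("::1/128", "Direct", "::1", 0, "InLoop0"),
    Route("1::/64", "Direct", "1::1", 0, "GE0/1"),
    Route("1::1/128", "Direct", "::1", 0, "InLoop0"),
    Route("FE80::/10", "Direct", "::", 0, "NULL0"),
    Route("::/0", "Static", "4::2", 60, "GE0/2"),
]


def lookup(table: List[Route], destination: str) -> List[Route]:
    """Longest-prefix match, then lowest preference, then lowest cost. Every route
    that ties on all three is returned: that set is the equal-cost multi-path group
    a FIB in load-sharing mode spreads traffic across."""
    addr = ipaddress.IPv6Address(destination)
    best_key, best = None, []
    for route in table:
        net = ipaddress.IPv6Network(route.destination, strict=False)
        if addr not in net:
            continue
        key = (net.prefixlen, -route.preference, -route.cost)
        if best_key is None or key > best_key:
            best_key, best = key, [route]
        elif key == best_key:
            best.append(route)
    return best


if __name__ == "__main__":
    for dst in ("1::5", "1::1", "9::1"):
        hits = lookup(ROUTES, dst)
        print(dst, "->", [(r.destination, r.next_hop, r.interface) for r in hits])
```

Two things the lookup makes concrete: 1::1 is delivered to InLoop0 (the /128 host route beats the connected /64), and anything outside the connected prefixes falls through to ::/0 via 4::2, which is why a default route on a firewall deserves the same scrutiny as an any/any rule.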
RIPng configuration
NOTE:
• The term "router" in this chapter refers to both routers and Layer 3 firewalls.
• The RIPng configuration is available only at the CLI.
Introduction to RIPng
RIP next generation (RIPng) is an extension of RIP-2 for IPv4. Most RIP concepts are applicable in RIPng.
Configuring RIPng basic functions
This section presents the information needed to configure the basic RIPng features. You must enable RIPng before performing the other RIPng tasks; RIPng-related interface configurations, such as assigning an IPv6 address, do not depend on RIPng being enabled.
Configuration prerequisites
Before the configuration, complete the following tasks:
• Enable IPv6 packet forwarding.
• Configure an IP address for each interface, and make sure all nodes can reach each other.
The inbound additional metric is added to the metric of a received route before the route is added to the routing table, so the route's metric is changed.
To configure an inbound/outbound additional routing metric:
Step                                                 Command                                     Remarks
1. Enter system view.                                system-view                                 N/A
2. Enter interface view.                             interface interface-type interface-number   N/A
3. Specify an inbound additional routing metric.     ripng metricin value
4. Specify an outbound additional routing metric.    ripng metricout value
Step                                                    Command                                                                  Remarks
1. Enter system view.                                   system-view                                                              N/A
2. Enter RIPng view.                                    ripng [ process-id ]                                                     N/A
3. Configure a filter policy to filter incoming routes. filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } import      By default, RIPng does not filter incoming routing information.
4. Configure a filter policy to filter outgoing routes.
Configuring RIPng timers
You can adjust RIPng timers to optimize the performance of the RIPng network. When adjusting RIPng timers, consider the network performance and perform unified configurations on routers running RIPng to avoid unnecessary network traffic increase or route oscillation.
To configure RIPng timers:
Step                     Command                Remarks
1. Enter system view.    system-view            N/A
2. Enter RIPng view.     ripng [ process-id ]   N/A
Configure RIPng timers.
Step                                     Command                Remarks
3. Enable the poison reverse function.   ripng poison-reverse   Disabled by default.
Configuring zero field check on RIPng packets
Some fields in a RIPng packet must be zero; they are called "zero fields". With zero field check on RIPng packets enabled, if such a field contains a non-zero value, the entire RIPng packet is discarded. If you are sure that all packets are reliable, disable the zero field check to reduce CPU processing time.
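The inbound additional metric, the import filter policy and the zero field check above all act on the same object, a received RIPng Response, and they compose in a fixed order: the packet is accepted or discarded as a whole, then each route is filtered, then the metric is adjusted before installation. The following Python is an added example, not code from the HP guide: it constructs a RIPng Response in the RFC 2080 wire format (command, version, a 2-byte must-be-zero field, then 20-byte route entries), applies the zero field check, and runs the inbound and outbound processing. The deny list of exact prefixes stands in for an ACL6 or prefix list, and the model assumes the received metric already includes the hop cost; both are assumptions. The denied prefix 3::/64 echoes the filtering example that follows later in this chapter.

```python
import ipaddress
import struct
from typing import Dict, Iterable, List, Tuple

RIPNG_RESPONSE = 2
RIPNG_VERSION = 1
RIP_INFINITY = 16   # metric 16 means unreachable in RIP and RIPng
RTE_LEN = 20        # IPv6 prefix (16) + route tag (2) + prefix length (1) + metric (1)

Rte = Tuple[str, int, int]   # (prefix/len, route tag, metric)


def build_response(rtes: Iterable[Rte], zero_field: int = 0) -> bytes:
    """Construct a RIPng Response (RFC 2080): 4-byte header, then one RTE per route.
    zero_field lets the test build a packet that violates the must-be-zero rule."""
    pkt = struct.pack("!BBH", RIPNG_RESPONSE, RIPNG_VERSION, zero_field)
    for prefix, tag, metric in rtes:
        net = ipaddress.IPv6Network(prefix)
        pkt += net.network_address.packed + struct.pack("!HBB", tag, net.prefixlen, metric)
    return pkt


def parse_response(pkt: bytes, zero_field_check: bool = True) -> List[Rte]:
    """Decode a Response. With the check on, a non-zero must-be-zero field discards
    the whole packet, as the page describes; with it off, the field is ignored."""
    if len(pkt) < 4:
        raise ValueError("truncated RIPng header")
    command, version, zero = struct.unpack("!BBH", pkt[:4])
    if command != RIPNG_RESPONSE or version != RIPNG_VERSION:
        raise ValueError("not a RIPng version 1 Response")
    if zero_field_check and zero != 0:
        raise ValueError("non-zero value in a must-be-zero field: packet discarded")
    body = pkt[4:]
    if len(body) % RTE_LEN:
        raise ValueError("RTE area is not a multiple of 20 bytes")
    routes: List[Rte] = []
    for off in range(0, len(body), RTE_LEN):
        prefix = ipaddress.IPv6Address(body[off:off + 16])
        tag, plen, metric = struct.unpack("!HBB", body[off + 16:off + 20])
        routes.append((f"{prefix}/{plen}", tag, metric))
    return routes


def accepts_packet(pkt: bytes, zero_field_check: bool = True) -> bool:
    try:
        parse_response(pkt, zero_field_check)
        return True
    except ValueError:
        return False


def install_routes(routes: Iterable[Rte], metricin: int = 0,
                   deny_prefixes: Iterable[str] = ()) -> Dict[str, dict]:
    """Inbound processing: prefixes matching the import filter are dropped; the inbound
    additional metric is added before a route enters the table; a result of 16 or more
    is unreachable and is not installed."""
    denied = set(deny_prefixes)
    table: Dict[str, dict] = {}
    for prefix, tag, metric in routes:
        if prefix in denied:
            continue
        total = metric + metricin
        if total >= RIP_INFINITY:
            continue
        table[prefix] = {"metric": total, "tag": tag}
    return table


def advertise(table: Dict[str, dict], metricout: int = 0) -> List[Rte]:
    """Outbound processing: the outbound additional metric is added to each advertised
    route, capped at 16 so nothing leaves with a metric beyond infinity."""
    return [(p, e["tag"], min(e["metric"] + metricout, RIP_INFINITY)) for p, e in table.items()]


if __name__ == "__main__":
    # Constructed Response as a neighbour might send it: three prefixes, one already at 15.
    pkt = build_response([("3::/64", 0, 1), ("4::/64", 0, 2), ("5::/64", 0, 15)])
    table = install_routes(parse_response(pkt), metricin=1, deny_prefixes=("3::/64",))
    print("installed:", table)
    print("advertised with metricout 2:", advertise(table, metricout=2))
    print("packet with bad zero field accepted?", accepts_packet(build_response([], zero_field=1)))
```

The run shows why metricin needs care: a route received at metric 15 becomes unreachable after a +1 and silently disappears, so a large inbound addition is an effective way to lose routes, not just to deprioritise them.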
• Create an IPsec policy. For more information about IPsec policy configuration, see VPN Configuration Guide.
Configuration guidelines
An IPsec policy used for RIPng can only be in manual mode. For more information, see VPN Configuration Guide.
Configuration procedure
To apply an IPsec policy in a process:
Step                                     Command                                                  Remarks
1. Enter system view.                    system-view                                              N/A
2. Enter RIPng view.                     ripng [ process-id ] [ vpn-instance vpn-instance-name ]  N/A
3. Apply an IPsec policy in the process.
RIPng configuration examples
Configuring RIPng basic functions
Network requirements
As shown in Figure 376, all firewalls learn IPv6 routing information through RIPng. Configure Firewall B to filter the route (3::/64) learned from Firewall C, which means the route will not be added to the routing table of Firewall B, and Firewall B will not forward it to Firewall A.
Figure 376 Network diagram
Configuration procedure
1. Configure the IPv6 address for each interface. (Details not shown.)
2.
[FirewallC-GigabitEthernet0/1] ripng 1 enable
[FirewallC-GigabitEthernet0/1] quit
[FirewallC] interface GigabitEthernet 0/2
[FirewallC-GigabitEthernet0/2] ripng 1 enable
[FirewallC-GigabitEthernet0/2] quit
[FirewallC] interface GigabitEthernet 0/3
[FirewallC-GigabitEthernet0/3] ripng 1 enable
[FirewallC-GigabitEthernet0/3] quit
# Display the routing table of Firewall B.
   via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
 Dest 5::/64,
   via FE80::20F:E2FF:FE00:100, cost 1, tag 0, A, 5 Sec
[FirewallA] display ripng 1 route
 Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------
 Peer FE80::20F:E2FF:FE00:1235 on GigabitEthernet0/1
 Dest 1::/64,
   via FE80::20F:E2FF:FE00:1235, cost 1, tag 0, A, 2 Sec
 Dest 4::/64,
   via FE80::20F:E2FF:FE00:1235, cost 2, tag 0, A, 2 Sec
 Dest 5::/64,
   via FE80::20F:E2FF:FE00:
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] ripng 100 enable
[FirewallB-GigabitEthernet0/2] quit
[FirewallB] ripng 200
[FirewallB-ripng-200] quit
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ripng 200 enable
# Enable RIPng 200 on Firewall C.
[FirewallB-ripng-100] default cost 3
[FirewallB-ripng-100] import-route ripng 200
[FirewallB-ripng-100] quit
[FirewallB] ripng 200
[FirewallB-ripng-200] import-route ripng 100
[FirewallB-ripng-200] quit
# Display the routing table of Firewall A.
Figure 378 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure RIPng basic functions.
# Configure Firewall A.
system-view
[FirewallA] ripng 1
[FirewallA-ripng-1] quit
[FirewallA] interface GigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] ripng 1 enable
[FirewallA-GigabitEthernet0/1] quit
# Configure Firewall B.
[FirewallA-ipsec-policy-manual-policy001-10] proposal tran1
[FirewallA-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[FirewallA-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[FirewallA-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[FirewallA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[FirewallA-ipsec-policy-manual-policy001-10] quit
# On Firewall B, create an IPsec proposal named tran1, and set the encapsulation mode to transport mo
# Configure Firewall B.
[FirewallB] ripng 1
[FirewallB-ripng-1] enable ipsec-policy policy001
[FirewallB-ripng-1] quit
# Configure Firewall C.
[FirewallC] ripng 1
[FirewallC-ripng-1] enable ipsec-policy policy001
[FirewallC-ripng-1] quit
5. Verify the configuration.
RIPng packets between Firewall A, B and C are protected by IPsec.
OSPFv3 configuration
NOTE:
The OSPFv3 configuration is available only at the CLI.
Feature and hardware compatibility
Feature          F1000-A-EI/S-EI   F1000-E   F5000   Firewall module
BFD for OSPFv3   No                No        Yes     No
Introduction to OSPFv3
Open Shortest Path First version 3 (OSPFv3) supports IPv6 and complies with RFC 2740 (OSPF for IPv6).
Task                                                                   Remarks
Tuning and optimizing OSPFv3 networks:
  Configuring the maximum number of ECMP routes                        Optional
  Configuring a priority for OSPFv3                                    Optional
  Configuring OSPFv3 route redistribution                              Optional
  Configuring OSPFv3 timers                                            Optional
  Configuring a DR priority for an interface                           Optional
  Ignoring MTU check for DD packets                                    Optional
  Disabling interfaces from receiving and sending OSPFv3 packets       Optional
  Enabling the logging of neighbor state changes                       Optional
  Configuring BFD for OSPFv3                                           Optional
App
Configuring OSPFv3 area parameters
The stub area and virtual link features of OSPFv3 are the same as in OSPFv2. Splitting an OSPFv3 AS into multiple areas reduces the number of LSAs flooded in each area and lets OSPFv3 scale to larger networks. A non-backbone area on the AS boundary can be configured as a stub area to further reduce the size of its routing tables and the number of LSAs. Non-backbone areas exchange routing information via the backbone area.
To configure a virtual link:
Step                          Command
1. Enter system view.         system-view
2. Enter OSPFv3 view.         ospfv3 [ process-id ]
3. Enter OSPFv3 area view.    area area-id
4. Configure a virtual link.
Configuring an NBMA or P2MP neighbor
For NBMA and P2MP interfaces (only when in unicast mode), you need to specify the link-local IP addresses of their neighbors because such interfaces cannot find neighbors via broadcasting Hello packets. You can also specify DR priorities for neighbors.
To configure an NBMA or P2MP (unicast) neighbor and its DR priority:
Step                       Command
1. Enter system view.      system-view
2. Enter interface view.   interface interface-type interface-number
3.
Step                                  Command                                                              Remarks
1. Enter system view.                 system-view                                                          N/A
2. Enter OSPFv3 view.                 ospfv3 [ process-id ]                                                N/A
3. Configure inbound route filtering. filter-policy { acl-number | ipv6-prefix ipv6-prefix-name } import   Not configured by default.
NOTE: The filter-policy import command can only filter routes computed by OSPFv3. Only routes not filtered out can be added into the local routing table.
To configure the maximum number of load-balanced routes:
Step                                           Command                          Remarks
1. Enter system view.                          system-view                      N/A
2. Enter OSPFv3 view.                          ospfv3 [ process-id ]            N/A
3. Specify the maximum number of ECMP routes.  maximum load-balancing maximum   Optional. 8 by default.
Configuring a priority for OSPFv3
A router may run multiple routing protocols. The system assigns a priority for each protocol.
Step                                                                   Command                                                                                                          Remarks
4. Redistribute routes from another protocol, or another OSPFv3 process.   import-route protocol [ process-id | allow-ibgp ] [ cost value | route-policy route-policy-name | type type ] *   Not configured by default.
5. Inject a default route.                                             default-route-advertise [ always | cost value | type type | route-policy route-policy-name ] *
Filter redistributed routes.
Step                                           Command                                                     Remarks
5. Configure the dead interval.                ospfv3 timer dead seconds [ instance instance-id ]          Optional. Defaults to 40 seconds on P2P and broadcast interfaces.
6. Configure the LSA retransmission interval.  ospfv3 timer retransmit interval [ instance instance-id ]   Optional. Defaults to 5 seconds.
7. Configure the LSA transmission delay.       ospfv3 trans-delay seconds [ instance instance-id ]         Optional.
8. Return to system view.                      quit                                                        N/A
9. Enter OSPFv3 view.                          ospfv3 [ process-id ]                                       N/A
Step                                   Command                                       Remarks
2. Enter interface view.               interface interface-type interface-number     N/A
3. Ignore MTU check for DD packets.    ospfv3 mtu-ignore [ instance instance-id ]    Not ignored by default.
Disabling interfaces from receiving and sending OSPFv3 packets
Follow these guidelines when you disable interfaces from receiving and sending OSPFv3 packets:
• Multiple OSPFv3 processes can disable the same interface from receiving and sending OSPFv3 packets.
To configure BFD for OSPFv3, you need to configure OSPFv3 first.
To configure BFD for OSPFv3:
Step                                           Command                                                     Remarks
1. Enter system view.                          system-view                                                 N/A
2. Enter OSPFv3 view.                          ospfv3 [ process-id ]                                       N/A
3. Specify a router ID.                        router-id router-id                                         N/A
4. Quit the OSPFv3 view.                       quit                                                        N/A
5. Enter interface view.                       interface interface-type interface-number                   N/A
6. Enable an OSPFv3 process on the interface.  ospfv3 process-id area area-id [ instance instance-id ]     Not enabled by default.
Configuration procedure
To apply an IPsec policy in an area:
Step                                    Command                              Remarks
1. Enter system view.                   system-view                          N/A
2. Enter OSPFv3 view.                   ospfv3 [ process-id ]                N/A
3. Enter OSPFv3 area view.              area area-id                         N/A
4. Apply an IPsec policy in the area.   enable ipsec-policy policy-name      Not configured by default.
To apply an IPsec policy on an interface:
Step                                    Command                                       Remarks
1. Enter system view.                   system-view                                   N/A
2. Enter interface view.                interface interface-type interface-number     N/A
3.
Task                                    Command
Display OSPFv3 LSDB statistics.         display ospfv3 lsdb statistic [ | { begin | exclude | include } regular-expression ]
Display OSPFv3 neighbor information.    display ospfv3 [ process-id ] [ area area-id ] peer [ [ interface-type interface-number ] [ verbose ] | peer-router-id ] [ | { begin | exclude | include } regular-expression ]
Display OSPFv3 neighbor statistics.
Figure 379 Network diagram
Addressing as reconstructed from the diagram and the routing table output that follows:
Device      Interface   IPv6 address    Area
Firewall A  GE0/1       2001::1/64      Area 0
            GE0/2       2001:1::2/64    Area 1
Firewall B  GE0/1       2001:3::1/64    Area 1
            GE0/2       2001:1::1/64    Area 1
Firewall C  GE0/1       2001::2/64      Area 0
            GE0/2       2001:2::1/64    Area 2 (stub)
Firewall D  GE0/2       2001:2::2/64    Area 2 (stub)
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions.
# Configure Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] ospfv3 1
[FirewallA-ospfv3-1] router-id 1.1.
[FirewallC-GigabitEthernet0/1] ospfv3 1 area 0
[FirewallC-GigabitEthernet0/1] quit
[FirewallC] interface GigabitEthernet 0/2
[FirewallC-GigabitEthernet0/2] ospfv3 1 area 2
[FirewallC-GigabitEthernet0/2] quit
# Configure Firewall D.
system-view
[FirewallD] ipv6
[FirewallD] ospfv3 1
[FirewallD-ospfv3-1] router-id 4.4.4.
-----------------------------------------------------------------------
*Destination: 2001::/64      Type: IA   Cost: 2   NextHop: FE80::F40D:0:93D0:1   Interface: GE0/2
*Destination: 2001:1::/64    Type: IA   Cost: 3   NextHop: FE80::F40D:0:93D0:1   Interface: GE0/2
*Destination: 2001:2::/64    Type: I    Cost: 1   NextHop: directly-connected     Interface: GE0/2
*Destination: 2001:3::/64    Type: IA   Cost: 4   NextHop: FE80::F40D:0:93D0:1   Interface: GE0/2
3. Configure Area 2 as a stub area.
*Destination: 2001:2::/64    Type: I    Cost: 1   NextHop: directly-connected     Interface: GE0/2
*Destination: 2001:3::/64    Type: IA   Cost: 4   NextHop: FE80::F40D:0:93D0:1   Interface: GE0/2
4. Configure Area 2 as a totally stub area to reduce the stub area routing table size.
# Configure Area 2 as a totally stub area on Firewall C.
[FirewallC-ospfv3-1-area-0.0.0.2] stub no-summary
# Display OSPFv3 routing table information on Firewall D. You can find that the route entries are reduced.
Figure 380 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions.
# Configure Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] ospfv3
[FirewallA-ospfv3-1] router-id 1.1.1.1
[FirewallA-ospfv3-1] quit
[FirewallA] interface GigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] ospfv3 1 area 0
[FirewallA-GigabitEthernet0/1] quit
# Configure Firewall B.
[FirewallD] ipv6
[FirewallD] ospfv3
[FirewallD-ospfv3-1] router-id 4.4.4.4
[FirewallD-ospfv3-1] quit
[FirewallD] interface GigabitEthernet 0/1
[FirewallD-GigabitEthernet0/1] ospfv3 1 area 0
[FirewallD-GigabitEthernet0/1] quit
# Display neighbor information on Firewall A. You can find that the firewalls have the same default DR priority 1. Firewall D (the firewall with the highest router ID) is therefore elected as the DR, and Firewall C as the BDR.
[FirewallA] display ospfv3 peer
OSPFv3 Area ID 0.0.0.
4.4.4.4         1    Full/DR         00:00:36   GE0/1      0
# Display neighbor information on Firewall D. You can find that Firewall D is still the DR.
[FirewallD] display ospfv3 peer
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri  State           Dead Time  Interface  Instance ID
1.1.1.1         100  Full/DROther    00:00:33   GE0/1      0
2.2.2.2         0    Full/DROther    00:00:36   GE0/1      0
3.3.3.3         2    Full/Backup     00:00:40   GE0/1      0
4. Restart DR/BDR election.
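The election rule behind the two peer displays above, as an added Python example (it is not part of this guide and not HP code). It parses a constructed copy of the display ospfv3 peer output, models the OSPF election (priority 0 is ineligible; an incumbent DR or BDR is not pre-empted; a vacancy goes to the highest priority, ties to the highest router ID) and reports when a fresh election would choose a different DR than the one currently holding the role, which is the situation that makes the "restart DR/BDR election" step necessary. The peer listing, priorities and router IDs are those of the example; everything else is an assumption made for illustration.

```python
"""Model OSPFv3 DR/BDR election and check it against 'display ospfv3 peer' output.
Added example; the peer listing below is constructed to mirror the guide's output."""
import re

# Constructed sample: what Firewall D shows after priorities 100/0/2 were set
# on Firewalls A/B/C while D (priority 1) already held the DR role.
PEER_OUTPUT = """\
OSPFv3 Area ID 0.0.0.0 (Process 1)
----------------------------------------------------------------------
Neighbor ID     Pri  State           Dead Time  Interface  Instance ID
1.1.1.1         100  Full/DROther    00:00:33   GE0/1      0
2.2.2.2         0    Full/DROther    00:00:36   GE0/1      0
3.3.3.3         2    Full/Backup     00:00:40   GE0/1      0
"""

PEER_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\w+)/(\w+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(\d+)")


def parse_peers(text):
    """Return one dict per neighbor line: id, priority, state, role, interface."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"id": m.group(1), "pri": int(m.group(2)),
                          "state": m.group(3), "role": m.group(4),
                          "interface": m.group(6)})
    return peers


def rid_key(rid):
    """Router IDs compare numerically octet by octet, not as strings."""
    return tuple(int(o) for o in rid.split("."))


def elect(priorities, current_dr=None, current_bdr=None):
    """Simplified RFC 2328 section 9.4 election on one segment.

    priorities: {router_id: priority}. Priority 0 makes a router ineligible.
    An incumbent DR/BDR that is still eligible keeps its role (no pre-emption);
    a vacancy is filled by the highest priority, ties broken by highest router ID.
    Returns (dr, bdr); None where nobody is eligible.
    """
    eligible = {r: p for r, p in priorities.items() if p > 0}

    def best(candidates):
        return max(candidates, key=lambda r: (eligible[r], rid_key(r)), default=None)

    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if (current_bdr in eligible and current_bdr != dr) else None
    if bdr is None:
        bdr = best([r for r in eligible if r != dr])
    if dr is None:
        dr = bdr                                   # the BDR is promoted to DR
        bdr = best([r for r in eligible if r != dr])
    return dr, bdr


def stale_election(peers, local_id, local_pri):
    """True when a fresh election on this segment would pick a different DR
    than the one the display shows. If no peer is listed as DR, the local
    router (the one running the display) is taken to hold the role."""
    prios = {p["id"]: p["pri"] for p in peers}
    prios[local_id] = local_pri
    observed_dr = next((p["id"] for p in peers if p["role"] == "DR"), local_id)
    fresh_dr, _ = elect(prios)
    return fresh_dr != observed_dr


if __name__ == "__main__":
    peers = parse_peers(PEER_OUTPUT)
    print("fresh election would give DR/BDR:",
          elect({**{p["id"]: p["pri"] for p in peers}, "4.4.4.4": 1}))
    print("current DR is stale:", stale_election(peers, "4.4.4.4", 1))
```

With the example's default priorities the model returns Firewall D as DR and Firewall C as BDR; with the new priorities and D still incumbent it keeps D, and only a restarted election moves the DR role to Firewall A (priority 100) with Firewall C (priority 2) as BDR.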
Figure 381 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions.
# Enable OSPFv3 process 1 on Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] ospfv3 1
[FirewallA-ospfv3-1] router-id 1.1.1.
[FirewallC-ospfv3-2] quit
[FirewallC] interface GigabitEthernet 0/2
[FirewallC-GigabitEthernet0/2] ospfv3 2 area 2
[FirewallC-GigabitEthernet0/2] quit
[FirewallC] interface GigabitEthernet 0/1
[FirewallC-GigabitEthernet0/1] ospfv3 2 area 2
[FirewallC-GigabitEthernet0/1] quit
# Display the routing table of Firewall C.
Destinations : 8        Routes : 8

Destination: ::1/128                      Protocol  : Direct
NextHop    : ::1                          Preference: 0
Interface  : InLoop0                      Cost      : 0

Destination: 1::/64                       Protocol  : OSPFv3
NextHop    : FE80::200:CFF:FE01:1C03      Preference: 150
Interface  : GE0/2                        Cost      : 3

Destination: 2::/64                       Protocol  : OSPFv3
NextHop    : FE80::200:CFF:FE01:1C03      Preference: 150
Interface  : Eth/1/2                      Cost      : 3

Destination: 3::/64                       Protocol  : Direct
NextHop    : 3::2                         Preference: 0
Interface  : GE0/2                        Cost      : 0

Destination: 3::2/12
Figure 382 Network diagram
Device      Interface   IPv6 address
Firewall A  GE0/1       2001::1/64
            GE0/2       2001:2::1/64
Router B    GE0/1       2001::2/64
            GE0/2       2001:3::2/64
Router C    GE0/1       2001:2::2/64
            GE0/2       2001:3::1/64
Configuration procedure
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure OSPFv3 basic functions:
# Configure Firewall A. Enable OSPFv3 and configure the router ID as 1.1.1.1.
# Configure Router C. Enable OSPFv3 and configure the router ID as 3.3.3.3.
system-view
[RouterC] ipv6
[RouterC] ospfv3 1
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface GigabitEthernet0/1
[RouterC-GigabitEthernet0/1] ospfv3 1 area 0
[RouterC-GigabitEthernet0/1] quit
[RouterC] interface GigabitEthernet0/2
[RouterC-GigabitEthernet0/2] ospfv3 1 area 0
[RouterC-GigabitEthernet0/2] quit
3. Configure BFD:
# Enable BFD on Firewall A and configure BFD parameters.
Routing Table : Summary Count : 2

Destination  : 2001:4::                  PrefixLength : 64
NextHop      : 2001::2                   Preference   : 10
IpPrecedence :                           QosLcId      :
RelayNextHop : ::                        Tag          : 0H
Neighbor     : ::                        ProcessID    : 0
Interface    : GigabitEthernet0/1        Protocol     : OSPFv3
State        : Active Adv                Cost         : 1
Tunnel ID    : 0x0                       Label        : NULL
Age          : 4538sec

Destination  : 2001:4::                  PrefixLength : 64
NextHop      : 2001:2::2                 Preference   : 10
IpPrecedence :                           QosLcId      :
RelayNextHop : ::                        Tag          : 0H
Neighbor     : ::                        ProcessID    : 0
Destination  : 2001:4::                  PrefixLength : 64
NextHop      : 2001:2::2                 Preference   : 10
IpPrecedence :                           QosLcId      :
RelayNextHop : ::                        Tag          : 0H
Neighbor     : ::                        ProcessID    : 0
Interface    : GigabitEthernet0/2        Protocol     : OSPFv3
State        : Invalid Adv               Cost         : 2
Tunnel ID    : 0x0                       Label        : NULL
Age          : 4610sec
Configuring OSPFv3 IPsec policies
Network requirements
As shown in Figure 383,
• Configure OSPFv3 on the firewalls. The AS is divided into two areas.
[FirewallB-ospfv3-1] quit
[FirewallB] interface GigabitEthernet 0/2
[FirewallB-GigabitEthernet0/2] ospfv3 1 area 1
[FirewallB-GigabitEthernet0/2] quit
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ospfv3 1 area 0
[FirewallB-GigabitEthernet0/1] quit
# Configure Firewall C: enable OSPFv3 and configure the router ID as 3.3.3.3.
system-view
[FirewallC] ipv6
[FirewallC] ospfv3 1
[FirewallC-ospfv3-1] router-id 3.3.3.
[FirewallB-ipsec-proposal-tran1] esp authentication-algorithm sha1
[FirewallB-ipsec-proposal-tran1] quit
[FirewallB] ipsec policy policy001 10 manual
[FirewallB-ipsec-policy-manual-policy001-10] proposal tran1
[FirewallB-ipsec-policy-manual-policy001-10] sa spi outbound esp 12345
[FirewallB-ipsec-policy-manual-policy001-10] sa spi inbound esp 12345
[FirewallB-ipsec-policy-manual-policy001-10] sa string-key outbound esp abcdefg
[FirewallB-ipsec-policy-manual-policy001-10] sa string-key inbound esp abcdefg
[F
# Configure Firewall B.
[FirewallB] ospfv3 1
[FirewallB-ospfv3-1] area 0
[FirewallB-ospfv3-1-area-0.0.0.0] enable ipsec-policy policy002
[FirewallB-ospfv3-1-area-0.0.0.0] quit
[FirewallB-ospfv3-1] area 1
[FirewallB-ospfv3-1-area-0.0.0.1] enable ipsec-policy policy001
[FirewallB-ospfv3-1-area-0.0.0.1] quit
[FirewallB-ospfv3-1] quit
# Configure Firewall C.
[FirewallC] ospfv3 1
[FirewallC-ospfv3-1] area 0
[FirewallC-ospfv3-1-area-0.0.0.0] enable ipsec-policy policy002
[FirewallC-ospfv3-1-area-0.0.0.
Analysis
The backbone area must maintain connectivity to all other areas. If a router connects to more than one area, at least one of those areas must be connected to the backbone. The backbone cannot be configured as a stub area. Routers in a stub area do not receive AS-external routes, and every interface connected to the stub area must be assigned to that area.
Solution
1. Use the display ospfv3 peer command to display OSPFv3 neighbors.
2.
IPv6 BGP configuration NOTE: • The term "router" in this chapter refers to both routers and Layer 3 firewalls. • This chapter describes only configuration for IPv6 BGP. For BGP related information, see "IPv4 routing configuration." • The IPv6 BGP configuration is available only at the CLI.
Task                                                                    Remarks
Configuring a preferred value for routes from a peer/peer group         Optional
Specifying the source interface for establishing TCP connections        Optional
Allowing the establishment of a non-direct eBGP connection              Optional
Configuring a description for an IPv6 peer/peer group                   Optional
Disabling session establishment to an IPv6
(The remaining task groups in this table are: Controlling route distribution and reception; Configuring IPv6 BGP route attributes; Tuning and optimizing IPv6 BGP networks; Configuring a large scale IPv6 BGP network.)
Configuring IPv6 BGP basic functions
Prerequisites
• Specify IP addresses for interfaces
• Enable IPv6
NOTE: You need to create a peer group before configuring basic functions for it. For related information, see "Configuring IPv6 BGP peer group."
Specifying an IPv6 BGP peer
Step                                                                 Command               Remarks
1. Enter system view.                                                system-view           N/A
2. Enter BGP view.                                                   bgp as-number         N/A
3. Specify a router ID.                                              router-id router-id   Optional.
4. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
Configuring a preferred value for routes from a peer/peer group If you both reference a routing policy and use the command peer { ipv6-group-name | ipv6-address } preferred-value value to set a preferred value for routes from a peer, the routing policy sets the specific preferred value for routes matching it. If the preferred value in the routing policy is zero, the routes use the value set with the peer { ipv6-group-name | ipv6-address } preferred-value value command.
Step                                                                                                   Command                                                                                   Remarks
4. Specify the source interface for establishing TCP connections to an IPv6 BGP peer or peer group.    peer { ipv6-group-name | ipv6-address } connect-interface interface-type interface-number   By default, IPv6 BGP uses the outgoing interface of the best route to the IPv6 BGP peer or peer group as the source interface for establishing a TCP connection.
Step                                                      Command                                            Remarks
1. Enter system view.                                     system-view                                        N/A
2. Enter BGP view.                                        bgp as-number                                      N/A
3. Enter IPv6 address family view.                        ipv6-family                                        N/A
4. Disable session establishment to an IPv6 peer/peer group.   peer { ipv6-group-name | ipv6-address } ignore   Optional. Not disabled by default.
Logging IPv6 peer/peer group state changes
To log the session and event information of an IPv6 peer/peer group:
Step                                                      Command                                            Remarks
1. Enter system view.                                     system-view                                        N/A
2.
Step                                                                     Command                                                                               Remarks
4. Enable default route redistribution into the IPv6 BGP routing table.  default-route imported                                                                Optional. Not enabled by default.
5. Enable route redistribution from another routing protocol.            import-route protocol [ process-id [ med med-value | route-policy route-policy-name ] * ]   Required. Not enabled by default.
NOTE: If the default-route imported command is not configured, using the import-route command cannot redistribute any IGP default route.
NOTE: With the peer default-route-advertise command executed, the local router advertises a default route with itself as the next hop to the specified IPv6 peer/peer group, regardless of whether the default route is available in the routing table.
Configuring outbound route filtering
To configure outbound route filtering:
Step                                                                 Command         Remarks
1. Enter system view.                                                system-view     N/A
2. Enter BGP view.                                                   bgp as-number   N/A
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.
Step                                                                Command                                                                          Remarks
4. Configure inbound route filtering.                               filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } import              Not configured by default.
5. Apply a routing policy to routes from an IPv6 peer/peer group.   peer { ipv6-group-name | ipv6-address } route-policy route-policy-name import    Not applied by default.
   Specify an ACL to filter routes imported from an IPv6 peer/peer group.   peer { ipv6-group-name | ipv6-address } filter-policy acl6-number import   Not specified by default.
Configuring route dampening
Step                                              Command                                                                                                       Remarks
1. Enter system view.                             system-view                                                                                                   N/A
2. Enter BGP view.                                bgp as-number                                                                                                 N/A
3. Enter IPv6 address family view.                ipv6-family                                                                                                   N/A
4. Configure IPv6 BGP route dampening parameters. dampening [ half-life-reachable half-life-unreachable reuse suppress ceiling | route-policy route-policy-name ] *   Optional. Not configured by default.
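How the five dampening parameters interact, as an added worked example in Python (not part of this guide or HP's implementation). The page names the parameters but not their values, so the half-life of 15 minutes, reuse 750, suppress 2000, ceiling 16000 and 1000 penalty points per flap used here are assumptions chosen to match the conventional defaults; the function names are mine. The example replays a burst of flaps, shows when the route is suppressed, and derives how long it stays suppressed and the longest suppression the ceiling allows.

```python
"""Worked BGP route-flap dampening arithmetic. Added example, not from the guide.
The parameter values below are assumed defaults; this page only names the
parameters, it does not state them."""
import math

HALF_LIFE = 15.0     # minutes; the penalty halves every half-life (assumed)
REUSE = 750          # route is re-advertised once the penalty decays below this (assumed)
SUPPRESS = 2000      # route is suppressed once the penalty reaches this (assumed)
CEILING = 16000      # the penalty never grows beyond this (assumed)
FLAP_PENALTY = 1000  # added on every flap (assumed)


def decay(penalty, minutes, half_life=HALF_LIFE):
    """Exponential decay: the penalty halves every half_life minutes."""
    return penalty * 2.0 ** (-minutes / half_life)


def minutes_until_reuse(penalty, reuse=REUSE, half_life=HALF_LIFE):
    """Time for a suppressed route's penalty to fall to the reuse threshold."""
    if penalty <= reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


def max_suppress_minutes(ceiling=CEILING, reuse=REUSE, half_life=HALF_LIFE):
    """The ceiling bounds the penalty and therefore how long a route can stay suppressed."""
    return minutes_until_reuse(ceiling, reuse, half_life)


def simulate(flap_minutes, half_life=HALF_LIFE, reuse=REUSE, suppress=SUPPRESS,
             ceiling=CEILING, flap_penalty=FLAP_PENALTY):
    """Replay flaps at the given times (minutes since start) and return
    [(time, penalty, suppressed)] as seen right after each flap."""
    penalty, last, suppressed, history = 0.0, 0.0, False, []
    for t in sorted(flap_minutes):
        penalty = decay(penalty, t - last, half_life)
        if penalty < reuse:
            suppressed = False           # decayed out of suppression before this flap
        penalty = min(ceiling, penalty + flap_penalty)
        if penalty >= suppress:
            suppressed = True
        last = t
        history.append((t, round(penalty, 1), suppressed))
    return history


if __name__ == "__main__":
    # Three flaps in quick succession, then one more 45 minutes later.
    for t, pen, sup in simulate([0, 0, 0, 45]):
        print(f"t={t:>3} min  penalty={pen:>7}  suppressed={sup}")
    print("reuse after three back-to-back flaps:", minutes_until_reuse(3000), "min")
    print("longest possible suppression:", round(max_suppress_minutes(), 1), "min")
```

With these values the second flap already crosses the suppress threshold, a penalty of 3000 takes two half-lives (30 minutes) to decay to the reuse threshold, and the ceiling caps any suppression at about 66 minutes. Lowering the suppress threshold or raising the half-life makes an attacker-induced flap (for instance, repeatedly resetting a session) keep a prefix out of the table for longer, so tune these against the legitimate churn you expect rather than as aggressively as possible.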
Step                                                                         Command                                                                                                 Remarks
2. Enter BGP view.                                                           bgp as-number                                                                                           N/A
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.             ipv6-family [ vpn-instance vpn-instance-name ]                                                          N/A
4. Configure preference values for IPv6 BGP external, internal, local routes. preference { external-preference internal-preference local-preference | route-policy route-policy-name }
5. Configure the default local preference.                                   default local-preference value
6.
Step                                                                                                       Command                                                        Remarks
3. Enter IPv6 address family view.                                                                         ipv6-family                                                    N/A
4. Allow the local AS number to appear in AS_PATH of routes from a peer/peer group and specify the repeat times.   peer { ipv6-group-name | ipv6-address } allow-as-loop [ number ]   Optional.
   Specify a fake AS number for an IPv6 peer/peer group.                                                   peer { ipv6-group-name | ipv6-address } fake-as as-number      Optional.
   Disable IPv6 MBGP from considering the AS_PATH during best route selection.
• Enable IPv6
• Configure IPv6 BGP basic functions
Configuring IPv6 BGP timers
Step                                  Command                                                                                       Remarks
1. Enter system view.                 system-view                                                                                   N/A
2. Enter BGP view.                    bgp as-number                                                                                 N/A
3. Enter IPv6 address family view.    ipv6-family                                                                                   N/A
4. Configure IPv6 BGP timers.         Specify keepalive interval and holdtime: timer keepalive keepalive hold holdtime              Optional.
                                      Configure keepalive interval and holdtime for an IPv6 peer/peer group: peer { ipv6-group-name | ipv6-address } timer keepalive keepalive hold
Perform manual soft-reset
To perform manual soft reset:
Step                                                                                              Command                                                       Remarks
1. Enter system view.                                                                             system-view                                                   N/A
2. Enter BGP view.                                                                                bgp as-number                                                 N/A
3. Enter IPv6 address family view.                                                                ipv6-family                                                   N/A
4. Save all routes from an IPv6 peer/peer group, not letting them go through the inbound policy.  peer { ipv6-group-name | ipv6-address } keep-all-routes       Optional.
5. Return to user view.                                                                           return                                                        N/A
6. Soft-reset BGP connections manually.
Step                                                                              Command                                                                                                   Remarks
4. Enable the non-standard ORF capability for a BGP peer/peer group.              peer { group-name | ipv6-address } capability-advertise orf non-standard                                  Optional. By default, the standard BGP ORF capability defined in RFC 5291 and RFC 5292 is supported.
5. Enable the ORF IP prefix negotiation capability for a BGP peer/peer group.     peer { group-name | ip-address | ipv6-address } capability-advertise orf ipv6-prefix { both | receive | send }   Optional. Not supported by default.
Step                                                                 Command                                            Remarks
1. Enter system view.                                                system-view                                        N/A
2. Enter BGP view.                                                   bgp as-number                                      N/A
3. Enter IPv6 address family view or IPv6 BGP-VPN instance view.     ipv6-family [ vpn-instance vpn-instance-name ]     N/A
4. Configure the maximum number of load balanced routes.             balance number                                     By default, no load balancing is enabled.
Enabling MD5 authentication for TCP connections
IPv6 BGP employs TCP as the transport protocol.
For more information about IPsec policy configuration, see VPN Configuration Guide.
Configuration procedure
To apply an IPsec policy to a peer/peer group:
Step                                             Command                                                   Remarks
1. Enter system view.                            system-view                                               N/A
2. Enter BGP view.                               bgp as-number                                             N/A
3. Enter IPv6 address family view.               ipv6-family                                               N/A
4. Apply an IPsec policy to a peer/peer group.   peer { group-name | ip-address } ipsec-policy policy-name Not configured by default.
Step                                    Command                                                                   Remarks
3. Enter IPv6 address family view.      ipv6-family                                                               N/A
4. Create an iBGP peer group.           group ipv6-group-name [ internal ]                                        N/A
5. Add a peer into the group.           peer ipv6-address group ipv6-group-name [ as-number as-number ]           Not added by default.
Creating a pure eBGP peer group
To configure a pure eBGP group:
Step                                    Command                                                                   Remarks
1. Enter system view.                   system-view                                                               N/A
2. Enter BGP view.                      bgp as-number                                                             N/A
3. Enter IPv6 address family view.      ipv6-family                                                               N/A
4.
Configuring IPv6 BGP community
Advertise community attribute to an IPv6 peer/peer group
Step                                                             Command                                                       Remarks
1. Enter system view.                                            system-view                                                   N/A
2. Enter BGP view.                                               bgp as-number                                                 N/A
3. Enter IPv6 address family view.                               ipv6-family                                                   N/A
4. Advertise community attribute to an IPv6 peer/peer group.     peer { ipv6-group-name | ipv6-address } advertise-community   Not advertised by default.
5. Advertise extended community attribute to an IPv6 peer/peer group.
Step                                                     Command                           Remarks
5. Enable route reflection between clients.              reflect between-clients           Optional. Enabled by default.
6. Configure the cluster ID of the route reflector.      reflector cluster-id cluster-id   Optional. By default, a route reflector uses its router ID as the cluster ID.
NOTE:
• In general, since the route reflector forwards routing information between clients, you are not required to make clients of a route reflector fully meshed.
Displaying and maintaining IPv6 BGP
Displaying BGP
Task                                              Command
Display IPv6 BGP peer group information.          display bgp ipv6 group [ ipv6-group-name ] [ | { begin | exclude | include } regular-expression ]
Display IPv6 BGP advertised routing information.  display bgp ipv6 network [ | { begin | exclude | include } regular-expression ]
Display IPv6 BGP AS path information.
Task                                                                  Command
Display BGP routing information to or from an IPv6 peer.              display bgp ipv6 routing-table peer ipv6-address { advertised-routes | received-routes } [ network-address prefix-length | statistic ] [ | { begin | exclude | include } regular-expression ]
Display IPv6 BGP routing information matching a regular expression.   display bgp ipv6 routing-table regular-expression as-regular-expression
Display IPv6 BGP routing statistics.
Figure 384 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure iBGP connections.
# Configure Firewall B.
system-view
[FirewallB] ipv6
[FirewallB] bgp 65009
[FirewallB-bgp] router-id 2.2.2.2
[FirewallB-bgp] ipv6-family
[FirewallB-bgp-af-ipv6] peer 9:1::2 as-number 65009
[FirewallB-bgp-af-ipv6] peer 9:3::2 as-number 65009
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
# Configure Firewall C.
# Configure Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] bgp 65008
[FirewallA-bgp] router-id 1.1.1.1
[FirewallA-bgp] ipv6-family
[FirewallA-bgp-af-ipv6] peer 10::1 as-number 65009
[FirewallA-bgp-af-ipv6] quit
[FirewallA-bgp] quit
# Configure Firewall B.
[FirewallB] bgp 65009
[FirewallB-bgp] ipv6-family
[FirewallB-bgp-af-ipv6] peer 10::2 as-number 65008
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
# Display IPv6 peer information on Firewall B.
Firewall B and Firewall D need not establish an iBGP connection because Firewall C reflects updates between them.
Figure 385 Network diagram
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 BGP basic functions.
# Configure Firewall A.
system-view
[FirewallA] ipv6
[FirewallA] bgp 100
[FirewallA-bgp] router-id 1.1.1.
[FirewallD] bgp 200
[FirewallD-bgp] router-id 4.4.4.4
[FirewallD-bgp] ipv6-family
[FirewallD-bgp-af-ipv6] peer 102::1 as-number 200
3. Configure the route reflector.
# Configure Firewall C as a route reflector, with Firewall B and Firewall D as its clients.
[FirewallC-bgp-af-ipv6] peer 101::2 reflect-client
[FirewallC-bgp-af-ipv6] peer 102::2 reflect-client
4. Verify the configuration.
[FirewallB-bgp] ipv6-family
[FirewallB-bgp-af-ipv6] group ibgp internal
[FirewallB-bgp-af-ipv6] peer 1::1 group ibgp
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
3. Configure the eBGP connection.
# Configure Firewall C.
system-view
[FirewallC] ipv6
[FirewallC] bgp 65009
[FirewallC-bgp] router-id 3.3.3.
outbound SAs using ESP to abcdefg; create an IPsec proposal named tran2, and set the encapsulation mode to transport mode, the security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to SHA1; create an IPsec policy named policy002, specify the manual mode for it, reference IPsec proposal tran2, set the SPIs of the inbound and outbound SAs to 54321, and the keys for the inbound and outbound SAs using ESP to gfedcba.
[FirewallC-ipsec-policy-manual-policy002-10] quit
5. Apply IPsec policies to iBGP peers.
# Configure Firewall A.
[FirewallA] bgp 65008
[FirewallA-bgp] ipv6-family
[FirewallA-bgp-af-ipv6] peer 1::2 ipsec-policy policy001
[FirewallA-bgp-af-ipv6] quit
[FirewallA-bgp] quit
# Configure Firewall B.
[FirewallB] bgp 65008
[FirewallB-bgp] ipv6-family
[FirewallB-bgp-af-ipv6] peer 1::1 ipsec-policy policy001
[FirewallB-bgp-af-ipv6] quit
[FirewallB-bgp] quit
6. Apply IPsec policies to eBGP peers.
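The RIPng, OSPFv3 and IPv6 BGP IPsec examples in this guide all use manually keyed ESP with DES, the same SPI in both directions and a short text key, which is fine for a lab and weak in production. The following added Python script (not HP code, not part of this guide) parses a constructed configuration excerpt written in the syntax these examples use and reports the findings a reviewer would raise: DES or 3DES encryption, MD5 authentication, string keys instead of random hex keys, short hex keys, manual keying with no rekey, and a policy that references an undefined proposal. The keywords esp encryption-algorithm, aes-cbc-128 and sa hex-key do not appear on this page and are assumed here; the 128-bit minimum key length is a reviewer's choice, not a product default.

```python
"""Audit manual IPsec policies like the ones applied to RIPng, OSPFv3 and
IPv6 BGP in this guide. Added example, not HP's code. The config text is
constructed; keywords follow the commands shown on this page, plus
'esp encryption-algorithm', 'aes-cbc-128' and 'sa hex-key', which are assumed."""
import re

SAMPLE_CONFIG = """\
ipsec proposal tran1
 encapsulation-mode transport
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm sha1
ipsec proposal tran2
 encapsulation-mode transport
 transform esp
 esp encryption-algorithm aes-cbc-128
 esp authentication-algorithm sha1
ipsec policy policy001 10 manual
 proposal tran1
 sa spi outbound esp 12345
 sa spi inbound esp 12345
 sa string-key outbound esp abcdefg
 sa string-key inbound esp abcdefg
ipsec policy policy002 10 manual
 proposal tran2
 sa spi outbound esp 54321
 sa spi inbound esp 54321
 sa hex-key outbound esp 0123456789abcdef0123456789abcdef
 sa hex-key inbound esp 0123456789abcdef0123456789abcdef
ipsec policy policy003 10 manual
 proposal tran9
"""

WEAK_ENCRYPTION = {
    "des": "DES has a 56-bit key and is obsolete",
    "3des": "3DES is deprecated; prefer AES",
}
WEAK_AUTH = {"md5": "HMAC-MD5 is deprecated; prefer SHA-1 or stronger"}
MIN_HEX_KEY_CHARS = 32  # 128 bits; a reviewer's threshold, not a product default


def parse_config(text):
    """Return ({proposal_name: {...}}, {(policy_name, seq): {...}})."""
    proposals, policies, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"ipsec proposal (\S+)$", line):
            ctx = proposals.setdefault(m.group(1), {})
        elif m := re.match(r"ipsec policy (\S+) (\d+) (manual|isakmp)$", line):
            ctx = policies.setdefault((m.group(1), int(m.group(2))), {"mode": m.group(3)})
        elif ctx is None:
            continue
        elif m := re.match(r"esp (encryption|authentication)-algorithm (\S+)$", line):
            ctx[m.group(1)] = m.group(2).lower()
        elif m := re.match(r"proposal (\S+)$", line):
            ctx["proposal"] = m.group(1)
        elif m := re.match(r"sa (string-key|hex-key) (inbound|outbound) (ah|esp) (\S+)$", line):
            ctx.setdefault("keys", []).append((m.group(1), m.group(2), m.group(4)))
    return proposals, policies


def audit(text):
    """Return one finding string per weakness, prefixed with the policy it belongs to."""
    proposals, policies = parse_config(text)
    findings = []
    for (name, seq), pol in sorted(policies.items()):
        tag = f"ipsec policy {name} {seq}"
        prop_name = pol.get("proposal")
        prop = proposals.get(prop_name)
        if prop is None:
            findings.append(f"{tag}: references undefined proposal {prop_name}")
        else:
            enc, auth = prop.get("encryption"), prop.get("authentication")
            if enc in WEAK_ENCRYPTION:
                findings.append(f"{tag}: proposal {prop_name} uses {enc}: {WEAK_ENCRYPTION[enc]}")
            if auth in WEAK_AUTH:
                findings.append(f"{tag}: proposal {prop_name} uses {auth}: {WEAK_AUTH[auth]}")
        if pol["mode"] == "manual":
            findings.append(f"{tag}: manual keying, the SAs never rekey; rotate keys out of band")
        for kind, direction, key in pol.get("keys", []):
            if kind == "string-key":
                findings.append(f"{tag}: {direction} key is a password string; "
                                "use sa hex-key with a randomly generated key")
            elif len(key) < MIN_HEX_KEY_CHARS:
                findings.append(f"{tag}: {direction} hex key is only {len(key)} hex digits")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a display current-configuration capture; the same parser can be pointed at the RIPng, OSPFv3 and BGP policy names that appear in the enable ipsec-policy and peer ... ipsec-policy commands to confirm every routing adjacency is covered by a policy that passes the audit.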
Maximum allowed prefix number: 4294967295
Threshold: 75%
Minimum time between advertisement runs is 30 seconds
Optional capabilities:
 Route refresh capability has been enabled
 ORF advertise capability based on prefix (type 64):
  Local: both
  Negotiated: send
Peer Preferred Value: 0
IPsec policy name: policy001, SPI: 12345
Routing policy configured:
No routing policy is configured

BGP Peer is 3::2, remote AS 65009, Type: EBGP link
BGP version 4, remote router ID 3.3.3.
• Establish two IBGP connections between Firewall A and Router C. When both links are working, Router C adopts the link Firewall A<—>Router B<—>Router C to exchange packets with network 1200::0/64. Configure BFD over the link. Then if the link fails, BFD can quickly detect the failure and notify it to IPv6 BGP. Then the link Firewall A<—>Router D<—>Router C takes effect immediately. Figure 387 Network diagram Configuration procedure 1. Configure IP addresses for interfaces. (Details not shown.) 2.
[FirewallA-route-policy] quit { Apply routing policy apply_med_50 to routes outgoing to peer 3002::2, and apply routing policy apply_med_100 to routes outgoing to peer 2002::2.
{ Configure the BFD authentication mode as plain-text authentication, and set the authentication key to ibgpbfd. (Simple authentication sends the key in clear text in every BFD control packet; it only prevents accidental session mixing, not spoofing by anyone who can see the link.)
[RouterC-GigabitEthernet0/1] bfd authentication-mode simple 1 ibgpbfd
[RouterC-GigabitEthernet0/1] return
6. Verify the configuration:
The following operations are performed on Router C. Operations on Firewall A and Router B are similar. (Details not shown.)
# Display BFD session information on Router C.
RelayNextHop : 3002::1                   Tag          : 0H
Neighbor     : 3001::1                   ProcessID    : 0
Interface    : GigabitEthernet0/1        Protocol     : BGP4+
State        : Active Adv                Cost         : 50
Tunnel ID    : 0x0                       Label        : NULL
Age          : 4538sec

Destination  : 1200::                    PrefixLength : 64
NextHop      : 2001::1                   Preference   : 255
RelayNextHop : 2002::1                   Tag          : 0H
Neighbor     : 2001::1                   ProcessID    : 0
Interface    : GigabitEthernet0/2        Protocol     : BGP4+
State        : Invalid Adv               Cost         : 100
Tunnel ID    : 0x0                       Label        : NULL
Age          : 4515sec
The output shows
Tunnel ID    : 0x0                       Label        : NULL
Age          : 4635sec
The output shows that Router C has one route to reach network 1200::0/64, that is, Router C<—>Router D<—>Firewall A.
Troubleshooting IPv6 BGP configuration
IPv6 BGP peer relationship not established
Symptom
Display BGP peer information by using the display bgp ipv6 peer command. The state of the connection to the peer cannot become Established.
Configuring IPv6 IS-IS NOTE: • This chapter describes how to configure IPv6 IS-IS, which supports all IPv4 IS-IS features except that it advertises IPv6 routing information instead. For more information about IS-IS, see “Configuring IS-IS.” • The term "router" in this chapter refers to both routers and Layer 3 firewalls. • The IPv6 IS-IS configuration is available only at the CLI.
Configuration procedure
To configure the basic functions of IPv6 IS-IS:
Step                                                         Command                  Remarks
1. Enter system view.                                        system-view              N/A
2. Enable an IS-IS process and enter IS-IS view.             isis [ process-id ]      Not enabled by default.
3. Configure the network entity title for the IS-IS process. network-entity net       Not configured by default.
4. Enable IPv6 for the IS-IS process.                        ipv6 enable              Disabled by default.
5. Return to system view.                                    quit                     N/A
6. Enter interface view.
Step                                                                              Command
7. Configure IPv6 IS-IS to redistribute routes from another routing protocol.     ipv6 import-route protocol [ process-id ] [ allow-ibgp ] [ cost cost | [ level-1 | level-1-2 | level-2 ] | route-policy route-policy-name | tag tag ] *
8. Configure the maximum number of redistributed Level 1/Level 2 IPv6 routes.     ipv6 import-route limit number
9. Configure the filtering of outgoing redistributed routes.
Figure 388 Network diagram for IPv6 IS-IS MTR (Router A, Router B, Router C and Router D; links labelled with the address families they carry and with costs 4, 3, 36 and 5)
In Figure 388, the numbers refer to the link costs. Router A, Router B, and Router D support both IPv4 and IPv6. Router C supports only IPv4 and cannot forward IPv6 packets. Enable IPv6 IS-IS MTR on Router A, Router B, Router C, and Router D to make them perform route calculation separately in IPv4 and IPv6 topologies.
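Why a single SPF over a mixed topology blackholes IPv6, as an added Python example (not part of this guide or of the IS-IS implementation). It runs Dijkstra twice over the Figure 388 network: once over every link (the IPv4 topology) and once over only the links between IPv6-capable routers (the IPv6 topology), and shows which hop of the single-topology result cannot forward IPv6. The link costs A-B 4, B-C 3, C-D 5 and A-D 36 are an assumption read from the diagram as reproduced here, chosen so that the results agree with the Router A forwarding table shown later in this example (12:: at cost 4, 14:: and 44::1 at cost 36).

```python
"""Multi-topology SPF over the Figure 388 network. Added example, not from the guide.
Link costs are assumed from the diagram; Router C is the IPv4-only router."""
import heapq

LINKS = [("A", "B", 4), ("B", "C", 3), ("C", "D", 5), ("A", "D", 36)]  # assumed costs
IPV6_ROUTERS = {"A", "B", "D"}          # Router C cannot forward IPv6


def build_graph(links, members=None):
    """Adjacency map; with members, keep only links with both ends in the topology."""
    graph = {}
    for a, b, cost in links:
        if members is not None and not (a in members and b in members):
            continue
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(graph, source):
    """Dijkstra: returns (distance, predecessor) maps from source."""
    dist, prev = {source: 0}, {}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                           # stale heap entry
        for nbr, cost in graph.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr], prev[nbr] = nd, node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev


def route(graph, source, target):
    """(cost, path) from source to target, or (None, []) when unreachable."""
    dist, prev = spf(graph, source)
    if target not in dist:
        return None, []
    path, node = [target], target
    while node != source:
        node = prev[node]
        path.append(node)
    return dist[target], path[::-1]


def mtr_routes(links, source, target, ipv6_routers=IPV6_ROUTERS):
    """Per-family result: IPv4 uses every link, IPv6 only links between IPv6 routers."""
    return {"ipv4": route(build_graph(links), source, target),
            "ipv6": route(build_graph(links, ipv6_routers), source, target)}


def single_topology_blackhole(links, source, target, ipv6_routers=IPV6_ROUTERS):
    """Without MTR, IPv6 follows the IPv4 SPF result. Return the first hop on
    that path that cannot forward IPv6, or None if the path is safe."""
    _, path = route(build_graph(links), source, target)
    return next((hop for hop in path if hop not in ipv6_routers), None)


if __name__ == "__main__":
    for family, (cost, path) in mtr_routes(LINKS, "A", "D").items():
        print(f"{family}: cost {cost} via {' -> '.join(path)}")
    print("single-topology IPv6 would be dropped at:",
          single_topology_blackhole(LINKS, "A", "D"))
```

The IPv4 topology reaches Router D through B and C at cost 12; the IPv6 topology has to take the direct cost-36 link, which is exactly what the 44::1 entry in Router A's IPv6 Level-1 forwarding table reports. Without MTR, IPv6 traffic would follow the cost-12 path and be dropped at Router C.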
Task                                            Command                                                                                                                                                                    Remarks
Display IS-IS enabled interface information.    display isis interface [ statistics | [ interface-type interface-number ] [ verbose ] ] [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]   Available in any view
Display LSDB information.
Figure 389 Network diagram
Addressing as reconstructed from the diagram (Area 10: Firewall A, Firewall B and Firewall C; Area 20: Firewall D):
Device      Level   Interface   IPv6 address
Firewall A  L1      GE4/1       2001:1::2/64
Firewall B  L1      GE4/1       2001:2::2/64
                    GE4/2       2001:4::1/64
Firewall C  L1/L2   GE4/2       2001:1::1/64
                    GE4/1       2001:2::1/64
                    GE4/3       2001:3::1/64
Firewall D  L2      GE4/1       2001:3::2/64
Configuration procedure
1. Configure IPv6 addresses for interfaces. (Details not shown.)
2. Configure IPv6 IS-IS:
# Configure Firewall A.
[FirewallC] interface GigabitEthernet 4/1
[FirewallC-GigabitEthernet4/1] isis ipv6 enable 1
[FirewallC-GigabitEthernet4/1] quit
[FirewallC] interface GigabitEthernet 4/2
[FirewallC-GigabitEthernet4/2] isis ipv6 enable 1
[FirewallC-GigabitEthernet4/2] quit
[FirewallC] interface GigabitEthernet 4/3
[FirewallC-GigabitEthernet4/3] isis ipv6 enable 1
[FirewallC-GigabitEthernet4/3] quit
# Configure Firewall D.
Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set # Display the IPv6 IS-IS routing table of Firewall B.
Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set
ISIS(1) IPv6 Level-2 Forwarding Table
-------------------------------------
Destination: 2001:1::    PrefixLen: 64    Flag: D/L/-   Cost: 10   Next Hop: Direct   Interface: GE4/2
Destination: 2001:2::    PrefixLen: 64    Flag: D/L/-   Cost: 10   Next Hop: Direct   Interface: GE4/2
Destination: 2001:3::    PrefixLen: 64    Flag: D/L/-   Cost: 10   Next Hop: Direct   Interface: GE4/3
Destination: 2001:4::1   PrefixLen: 128   Flag: R/-/-   C
IPv6 IS-IS MTR configuration example
Network requirements
As shown in Figure 390, enable IPv6 IS-IS MTR to make the routers perform route calculation separately in IPv4 and IPv6 topologies.
Figure 390 Network diagram
Configuration procedure
1. Configure IPv4 and IPv6 addresses for the interfaces on each router and configure IS-IS.
Follow Figure 390 to configure the IPv4 and IPv6 address and subnet mask of each interface on the routers. (Details not shown.)
Route information for ISIS(1)
-----------------------------
ISIS(1) IPv6 Level-1 Forwarding Table
-------------------------------------
Destination: 12::    PrefixLen: 64    Flag: D/L/-   Cost: 4    Next Hop: Direct                    Interface: GE4/1
Destination: 44::1   PrefixLen: 128   Flag: R/L/-   Cost: 36   Next Hop: FE80::200:5EFF:FE00:F11   Interface: GE4/2
Destination: 14::    PrefixLen: 64    Flag: D/L/-   Cost: 36   Next Hop: Direct                    Interface: GE4/2
Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down B
Displaying the IPv6 routing table Displaying the routing table is a basic way to troubleshoot routing problems. The device supports displaying the routing table only at the CLI. Displaying the routing table at the CLI Task Command Remarks Display IPv6 routing table information. display ipv6 routing-table [ vpn-instance vpn-instance-name ] [ verbose ] [ | { begin | exclude | include } regular-expression ] Available in any view Display routing information permitted by an IPv6 ACL.
Configuring IPv6 policy-based routing NOTE: The IPv6 policy-based routing configuration is available only at the CLI. Introduction to IPv6 policy-based routing IPv6 policy-based routing is used to route IPv6 unicasts based on a policy. Policy-based routing Policy-based routing (PBR) is a routing mechanism based on the user-defined policies.
Table 88 Relationship between the match mode and the clauses

If a packet…                                          Then, in permit mode…                                                                                  Then, in deny mode…
Matches all the if-match clauses on the policy node   The apply clause is executed, and the packet will not go to the next policy node for a match.          The apply clause is not executed, the packet will not go to the next policy node for a match, and it will be forwarded according to the routing table.
Clause                                                                              Meaning                                                    Priority
apply default output-interface and apply ipv6-address default next-hop              Sets the default outgoing interface and default next hop   The apply default output-interface clause takes precedence over the apply ipv6-address default next-hop clause. Only the apply default output-interface clause is executed when both are configured.
NOTE:
• If an ACL match criterion is defined, packets are matched against the ACL rules, whereas the permit or deny action of the specified ACL is ignored. If the specified ACL does not exist, no packet is matched.
• If a local Ethernet interface or Ethernet subinterface is specified as the outgoing interface, packets can be forwarded through the interface, but the forwarding may fail because the interface is a broadcast interface. Specify a next hop instead.
Displaying and maintaining IPv6 PBR configuration Task Command Remarks Display the specified IPv6 PBR routing information. display ipv6 policy-based-route setup { policy-name | interface interface-type interface-number | local } [ | { begin | exclude | include } regular-expression ] Available in any view Display IPv6 PBR statistics.
Figure 391 Network diagram

Configuration procedure

1. Configure Firewall A:
# Define ACL 3001 to match TCP packets.
system-view
[FirewallA] ipv6
[FirewallA] acl ipv6 number 3001
[FirewallA-acl6-adv-3001] rule permit tcp
[FirewallA-acl6-adv-3001] quit
# Define Node 5 of policy aaa, so that TCP packets are forwarded via GigabitEthernet 0/1.
telnet ipv6 1::2 Trying 1::2 ... Press CTRL+K to abort Connected to 1::2 ... ****************************************************************************** * Copyright (c) 2010-2012 Hewlett-Packard Development Company, L.P. * * Without the owner's prior written consent, * * no decompiling or reverse-engineering shall be allowed. * ****************************************************************************** # Telnet to Firewall C (2::2/64) from Firewall A. The operation fails.
Figure 392 Network diagram Configuration procedure NOTE: In this example, RIPng is configured to ensure the reachability among devices. 1. Configure Firewall A: # Configure RIPng.
[FirewallA-pbr6-aaa-5] quit
# Apply policy aaa on GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 10::2 64
[FirewallA-GigabitEthernet0/1] undo ipv6 nd ra halt
[FirewallA-GigabitEthernet0/1] ripng 1 enable
[FirewallA-GigabitEthernet0/1] ipv6 policy-based-route aaa
[FirewallA-GigabitEthernet0/1] quit
2. Configure Firewall B:
# Configure RIPng.
Configuring IPv6 interface PBR based on packet length Network requirements As shown in Figure 393, PBR is configured to control packets arriving on GigabitEthernet 0/1 of Firewall A. Configure 150::2/64 as the next hop for IPv6 packets with a length of 64 to 100 bytes, and configure 151::2/64 as the next hop for IPv6 packets with a length of 101 to 1000 bytes. All other IPv6 packets are forwarded according to the routing table.
[FirewallA-pbr6-lab1-20] quit
# Apply policy lab1 to GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 192::1 64
[FirewallA-GigabitEthernet0/1] undo ipv6 nd ra halt
[FirewallA-GigabitEthernet0/1] ripng 1 enable
[FirewallA-GigabitEthernet0/1] ipv6 policy-based-route lab1
[FirewallA-GigabitEthernet0/1] quit
2. Configure Firewall B:
# Configure RIPng.
Ping statistics for 10::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 5ms, Average = 2ms

The debugging information about PBR displayed on Firewall A:
*Jun 7 16:03:28:946 2012 FirewallA PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 10, Packet sent with next-hop 0150::0002
*Jun 7 16:03:29:950 2012 FirewallA PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing success
*Jun 7 16:06:58:621 2012 FirewallA PBR6/7/IPv6-POLICY-ROUTING: IPv6 Policy routing success : POLICY_ROUTEMAP_IPV6 : lab1, Node : 20, Packet sent with next-hop 0151::0002

The preceding information shows that Firewall A sets the next hop for the received packets to 151::2 according to PBR. The packets are forwarded via GigabitEthernet 0/3.
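The node-evaluation rules described above (Table 88, the precedence of the apply clauses, the note that a referenced ACL's own permit/deny action is ignored and that a missing ACL matches nothing) and the packet-length policy of this example can be traced through in a small model. The following Python is an added example written for this page, not HP code; the `Packet`, `Node` and `route` names are its own, and the ordering of the non-default apply clauses and the skip-to-next-node behaviour for an unmatched node are assumptions marked in the comments.

```python
"""Model of IPv6 PBR policy-node evaluation (added example, not device code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    protocol: str   # "tcp", "udp", "icmpv6", ...
    length: int     # IPv6 packet length in bytes


@dataclass
class Node:
    number: int
    mode: str                                        # "permit" or "deny"
    acl: Optional[int] = None                        # if-match acl6 <number>
    packet_length: Optional[Tuple[int, int]] = None  # if-match packet-length min max
    output_interface: Optional[str] = None           # apply output-interface
    next_hop: Optional[str] = None                   # apply ipv6-address next-hop
    default_output_interface: Optional[str] = None   # apply default output-interface
    default_next_hop: Optional[str] = None           # apply ipv6-address default next-hop


# ACL table: number -> predicate built from the ACL's match criteria only.
# PBR ignores the ACL's own permit/deny action, so it is not modelled.
AclTable = Dict[int, Callable[[Packet], bool]]

ROUTING_TABLE: Tuple[str, Optional[str]] = ("routing-table", None)


def node_matches(node: Node, pkt: Packet, acls: AclTable) -> bool:
    """A node matches only if the packet satisfies every if-match clause."""
    if node.acl is not None:
        rule = acls.get(node.acl)
        if rule is None:         # referenced ACL does not exist: no packet matches
            return False
        if not rule(pkt):
            return False
    if node.packet_length is not None:
        low, high = node.packet_length
        if not low <= pkt.length <= high:
            return False
    return True


def apply_clauses(node: Node) -> Tuple[str, Optional[str]]:
    """Resolve the apply clauses of a matched permit node.

    The page states that apply default output-interface takes precedence over
    apply ipv6-address default next-hop. The ordering of the non-default
    clauses and the fallback to the routing table for a permit node without
    any apply clause are assumptions of this model."""
    if node.output_interface:
        return ("output-interface", node.output_interface)
    if node.next_hop:
        return ("next-hop", node.next_hop)
    if node.default_output_interface:
        return ("default-output-interface", node.default_output_interface)
    if node.default_next_hop:
        return ("default-next-hop", node.default_next_hop)
    return ROUTING_TABLE


def route(policy: List[Node], pkt: Packet, acls: AclTable) -> Tuple[str, Optional[str]]:
    """Walk the policy nodes in ascending node-number order (Table 88 semantics)."""
    for node in sorted(policy, key=lambda n: n.number):
        if not node_matches(node, pkt, acls):
            continue                      # assumption: an unmatched node is skipped
        if node.mode == "deny":
            return ROUTING_TABLE          # deny + match: stop, use the routing table
        return apply_clauses(node)        # permit + match: apply the clauses, stop
    return ROUTING_TABLE                  # no node matched at all


# Constructed policies mirroring the two configuration examples on the page.
ACLS: AclTable = {3001: lambda p: p.protocol == "tcp"}

POLICY_AAA = [Node(5, "permit", acl=3001, output_interface="GigabitEthernet0/1")]

POLICY_LAB1 = [
    Node(10, "permit", packet_length=(64, 100), next_hop="150::2"),
    Node(20, "permit", packet_length=(101, 1000), next_hop="151::2"),
]

if __name__ == "__main__":
    for length in (80, 500, 1200):
        print(length, route(POLICY_LAB1, Packet("icmpv6", length), ACLS))
```

A 1200-byte packet falls through both nodes of lab1 and is routed by the routing table, which is the behaviour the verification output above documents for out-of-range lengths.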
Configuring IPv6 multicast routing and forwarding NOTE: • The types of interfaces that appear in any figures other than the network diagrams for configuration examples are for illustration only. Some of them might be unavailable on your firewall. • The IPv6 multicast routing and forwarding configuration is available only at the CLI.
To enable IPv6 multicast routing:

Step                                Command                          Remarks
1. Enter system view.               system-view                      N/A
2. Enable IPv6 multicast routing.   multicast ipv6 routing-enable    Disabled by default.

Configuring IPv6 multicast routing and forwarding

Configuration prerequisites

Before you configure IPv6 multicast routing and forwarding, complete the following tasks:
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer.
boundary condition, the packet will not be forwarded. Once an IPv6 multicast boundary is configured on an interface, this interface can no longer forward IPv6 multicast packets (including those sent from the local device) or receive IPv6 multicast packets.

To configure an IPv6 multicast forwarding range:

Step                        Command                                       Remarks
1. Enter system view.       system-view                                   N/A
2. Enter interface view.    interface interface-type interface-number     N/A
Configure an IPv6 multicast forwarding boundary.
Displaying and maintaining IPv6 multicast routing and forwarding Task Command Remarks Display the IPv6 multicast boundary information. display multicast ipv6 boundary { group [ ipv6-group-address [ prefix-length ] ] | scope [ scope-id ] } [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] Available in any view Display the information of the IPv6 multicast forwarding table.
Configuring IPv6 PIM NOTE: The IPv6 PIM configuration is available only at the CLI. Introduction to IPv6 PIM Protocol Independent Multicast for IPv6 (IPv6 PIM) provides IPv6 multicast forwarding by leveraging IPv6 unicast static routes or IPv6 unicast routing tables generated by any IPv6 unicast routing protocol, such as RIPng, OSPFv3, IS-ISv6, or BGP4+. IPv6 PIM uses an IPv6 unicast routing table to perform reverse path forwarding (RPF) check to implement IPv6 multicast forwarding.
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer. • Determine the interval between state refresh messages. • Determine the minimum time to wait before receiving a new refresh message. • Determine the hop limit value of state-refresh messages. • Determine the graft retry period.
Configuring state refresh parameters The router directly connected with the multicast source periodically sends state-refresh messages. You can configure the interval for sending such messages. A router might receive multiple state-refresh messages within a short time. Some messages might be duplicated messages. To keep a router from receiving such duplicated messages, you can configure the time that the router must wait before receiving the next state-refresh message.
For more information about the configuration of other timers in IPv6 PIM-DM, see "Configuring IPv6 PIM common timers." Configuring IPv6 PIM-SM IPv6 PIM-SM configuration task list Complete these tasks to configure IPv6 PIM-SM: Task Remarks Enabling IPv6 PIM-SM Required. Configuring a static RP Configuring an RP Configuring a BSR Configuring IPv6 administrative scoping Configuring a C-RP Enabling embedded RP Required. Use any approach. Configuring C-RP timers globally Optional.
• Determine the hash mask length. • Determine the IPv6 ACL rule defining a legal BSR address range. • Determine the BS period. • Determine the BS timeout. • Determine the IPv6 ACL rule for register message filtering. • Determine the register suppression time. • Determine the register probe time. • Determine the IPv6 multicast traffic rate threshold, IPv6 ACL rule, and sequencing rule for initiating an SPT switchover.
Step                                         Command                                                    Remarks
1. Enter system view.                        system-view                                                N/A
2. Enter IPv6 PIM view.                      pim ipv6                                                   N/A
3. Configure a static RP for IPv6 PIM-SM.    static-rp ipv6-rp-address [ acl6-number ] [ preferred ]    No static RP by default.

CAUTION: To enable a static RP to work normally, you must perform this configuration on all routers in the IPv6 PIM-SM domain and specify the same RP address.

Configuring a C-RP

In an IPv6 PIM-SM domain, you can configure routers that intend to become the RP as C-RPs.
the RP dynamically calculated based on the BSR mechanism. Thus, the DR does not need to know the RP address beforehand. Perform this configuration on all routers in the IPv6 PIM-SM domain.

To enable embedded RP:

Step                       Command                        Remarks
1. Enter system view.      system-view                    N/A
2. Enter IPv6 PIM view.    pim ipv6                       N/A
3. Enable embedded RP.     embedded-rp [ acl6-number ]    Optional. By default, embedded RP is enabled for IPv6 multicast groups in the default embedded RP address scopes.
Configuring a BSR An IPv6 PIM-SM domain can have only one BSR, but must have at least one C-BSR. Any router can be configured as a C-BSR. Elected from C-BSRs, the BSR is responsible for collecting and advertising RP information in the IPv6 PIM-SM domain. Configuring a C-BSR You should configure C-BSRs on routers in the backbone network. When you configure a router as a C-BSR, be sure to specify the IPv6 address of an IPv6 PIM-SM-enabled interface on the router.
NOTE: Because a large amount of information needs to be exchanged between a BSR and the other devices in the IPv6 PIM-SM domain, a relatively large bandwidth should be provided between the C-BSR and the other devices in the IPv6 PIM-SM domain. Configuring an IPv6 PIM domain border As the administrative core of an IPv6 PIM-SM domain, the BSR sends the collected RP-set information in the form of bootstrap messages to all routers in the IPv6 PIM-SM domain.
Perform the following configuration on C-BSR routers.

To configure C-BSR timers:

Step                            Command                     Remarks
1. Enter system view.           system-view                 N/A
2. Enter IPv6 PIM view.         pim ipv6                    N/A
3. Configure the BS period.     c-bsr interval interval     Optional. For the default value, see the note after this table.
4. Configure the BS timeout.    c-bsr holdtime interval     Optional. For the default value, see the note after this table.
To disable the BSM semantic fragmentation function:

Step                                                   Command                      Remarks
1. Enter system view.                                  system-view                  N/A
2. Enter IPv6 PIM view.                                pim ipv6                     N/A
3. Disable the BSM semantic fragmentation function.    undo bsm-fragment enable     By default, the BSM semantic fragmentation function is enabled.

NOTE: Generally, a BSR performs BSM semantic fragmentation according to the MTU of its BSR interface.
Step                                                   Command                                                                                                                        Remarks
3. Configure an IPv6 multicast forwarding boundary.    multicast ipv6 boundary { ipv6-group-address prefix-length | scope { scope-id | admin-local | global | organization-local | site-local } }    By default, no multicast forwarding boundary is configured.

Configuring C-BSRs for IPv6 admin-scope zones

In a network with IPv6 administrative scoping enabled, BSRs are elected from C-BSRs specific to different Scope field values.
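The boundary condition described in the forwarding-range section and in the command table above can be checked offline for a given group address: the scope form keys on the 4-bit scop field of the multicast address, the group form on prefix containment. The following Python is an added example written for this page, not HP code; the `Boundary` class, its `from_arguments` parser and the sample interface configuration are its own constructions. The keyword-to-value mapping (admin-local 4, site-local 5, organization-local 8, global 14) is the RFC 4291 assignment; the rule that a scope boundary also bounds every smaller scope is taken from RFC 4007 zone containment and is an assumption about the device's behaviour, so confirm it against the command reference.

```python
"""IPv6 multicast forwarding boundary check (added example, not device code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Keywords accepted by `multicast ipv6 boundary scope` and their RFC 4291 scop values.
SCOPE_KEYWORDS = {"admin-local": 4, "site-local": 5, "organization-local": 8, "global": 14}


def multicast_scope(group: str) -> int:
    """Return the 4-bit scop field of an IPv6 multicast address (FFxS::, S = scope)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return addr.packed[1] & 0x0F


@dataclass
class Boundary:
    """One `multicast ipv6 boundary` entry configured on an interface."""
    group_prefix: Optional[ipaddress.IPv6Network] = None   # ipv6-group-address prefix-length form
    scope: Optional[int] = None                             # scope form

    @classmethod
    def from_arguments(cls, args: str) -> "Boundary":
        """Parse the command arguments, e.g. "scope 4", "scope admin-local", "FF3E:: 32"."""
        parts = args.split()
        if parts[0] == "scope":
            scope = SCOPE_KEYWORDS.get(parts[1])
            if scope is None:
                scope = int(parts[1])
            if not 0 <= scope <= 15:
                raise ValueError(f"scope out of range: {parts[1]}")
            return cls(scope=scope)
        return cls(group_prefix=ipaddress.IPv6Network(f"{parts[0]}/{parts[1]}", strict=False))

    def blocks(self, group: str) -> bool:
        """True if a packet addressed to `group` matches this boundary condition."""
        if self.group_prefix is not None:
            return ipaddress.IPv6Address(group) in self.group_prefix
        # Assumption: a boundary for scope X also bounds every smaller scope
        # (RFC 4007 zone containment). Confirm against the command reference
        # before relying on it for a given release.
        return multicast_scope(group) <= self.scope


def forwardable(boundaries: List[Boundary], group: str) -> bool:
    """Can traffic to `group` cross an interface carrying these boundaries?"""
    return not any(b.blocks(group) for b in boundaries)


# Constructed interface configuration: the admin-scope zone boundary used in the
# example (scope 4) plus a group-range boundary.
GE0_4_BOUNDARIES = [Boundary.from_arguments("scope 4"), Boundary.from_arguments("FF3E:: 32")]

if __name__ == "__main__":
    for g in ("FF14::101", "FF0E::101", "FF3E::1"):
        print(g, "scope", multicast_scope(g), "forwardable:", forwardable(GE0_4_BOUNDARIES, g))
```

With this configuration an admin-local group such as FF14::101 stops at the interface while the global group FF0E::101 from the PIM examples crosses it, which is the separation the admin-scope zone examples rely on.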
multicast data from the IPv6 multicast source along the SPT, the RP sends a register-stop message to the source-side DR. After receiving this message, the DR stops sending register messages encapsulated with IPv6 multicast data and starts a register-stop timer. Before the register-stop timer expires, the DR sends a null register message (a register message without multicast data) to the RP. If the DR receives a register-stop message during the register probe time, it will reset its register-stop timer.
Configuring IPv6 PIM-SSM NOTE: The IPv6 PIM-SSM model needs the support of MLDv2. Be sure to enable MLDv2 on IPv6 PIM routers with receivers attached to them.
subscribed by the receivers falls in the IPv6 SSM group range. All IPv6 PIM-SM-enabled interfaces assume that IPv6 multicast groups within this address range are using the IPv6 SSM model. Perform the following configuration on all routers in the IPv6 PIM-SSM domain.

To configure the IPv6 SSM group range:

Step                                     Command                   Remarks
1. Enter system view.                    system-view               N/A
2. Enter IPv6 PIM view.                  pim ipv6                  N/A
3. Configure the IPv6 SSM group range.   ssm-policy acl6-number    Optional.
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain are interoperable at the network layer • Configure IPv6 PIM-DM (or IPv6 PIM-SM or IPv6 PIM-SSM) • Determine the IPv6 ACL rule for filtering IPv6 multicast data • Determine the IPv6 ACL rule defining a legal source address range for hello messages • Determine the priority for DR election (global value/interface level value) • Determine the IPv6 PIM neighbor timeout time (global value/interface
Configuring a hello message filter As IPv6 PIM is deployed more widely, the security requirements on the protocol are increasing. Establishing correct IPv6 PIM neighboring relationships is a prerequisite for the secure operation of IPv6 PIM. To guard against IPv6 PIM message attacks, you can configure a legal source address range for hello messages on router interfaces so that only routers in that range become IPv6 PIM neighbors.
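The effect of the hello filter is that a hello whose source address falls outside the configured range never creates a neighbor entry, and the dropped hellos are what an operator would want to review. The following Python is an added example written for this page, not HP code; the `AclRule`, `PimNeighborTable` and `simulate` names, the ordered first-match ACL semantics with an implicit deny, the link-local check before the ACL, and the sample hello arrivals are all constructions of the example.

```python
"""IPv6 PIM hello source filter model (added example, not device code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class AclRule:
    action: str                     # "permit" or "deny"
    source: ipaddress.IPv6Network   # rule <action> source <ipv6-address> <prefix-length>


def acl_permits(rules: List[AclRule], source: str) -> bool:
    """First matching rule decides; an implicit deny applies when nothing matches
    (generic ordered-ACL semantics assumed for this model)."""
    addr = ipaddress.IPv6Address(source)
    for rule in rules:
        if addr in rule.source:
            return rule.action == "permit"
    return False


@dataclass
class PimNeighborTable:
    """Neighbor state of one router, admitting only hellos that pass the filter."""
    hello_acl: List[AclRule]
    neighbors: Dict[Tuple[str, str], int] = field(default_factory=dict)   # (interface, source) -> hellos seen
    rejected: List[Tuple[str, str]] = field(default_factory=list)          # dropped hellos, kept for review

    def receive_hello(self, interface: str, source: str) -> bool:
        addr = ipaddress.IPv6Address(source)
        # Constructed sanity check: IPv6 PIM hellos are sourced from link-local
        # addresses, so anything else is dropped before the ACL is consulted.
        if not addr.is_link_local or not acl_permits(self.hello_acl, source):
            self.rejected.append((interface, source))
            return False
        key = (interface, source)
        self.neighbors[key] = self.neighbors.get(key, 0) + 1
        return True


# Constructed legal source range: the link-local block of the expected neighbors.
HELLO_ACL = [AclRule("permit", ipaddress.IPv6Network("FE80::200:5EFF:FE00:0/112"))]

# Constructed hello arrivals on two interfaces.
SAMPLE_HELLOS = [
    ("GigabitEthernet0/2", "FE80::200:5EFF:FE00:F11"),   # expected neighbor
    ("GigabitEthernet0/2", "FE80::200:5EFF:FE00:F11"),   # its next periodic hello
    ("GigabitEthernet0/2", "FE80::BAD:1"),               # link-local but outside the legal range
    ("GigabitEthernet0/3", "2001:DB8::1"),               # not link-local at all
]


def simulate() -> PimNeighborTable:
    table = PimNeighborTable(hello_acl=HELLO_ACL)
    for interface, source in SAMPLE_HELLOS:
        table.receive_hello(interface, source)
    return table


if __name__ == "__main__":
    t = simulate()
    print("neighbors:", t.neighbors)
    print("rejected:", t.rejected)
```

Only the neighbor inside the permitted /112 ends up in the table; the two rejected hellos are retained so that an unexpected hello source on a segment shows up in a review rather than silently disappearing.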
message from the upstream router has changed, it assumes that the status of the upstream neighbor is lost or the upstream neighbor has changed. In this case, it triggers a join message for state update. If you disable join suppression (that is, enable neighbor tracking), be sure to disable the join suppression feature on all IPv6 PIM routers on a multi-access subnet. Otherwise, the upstream router will fail to explicitly track join messages from downstream routers.
Configuring the prune delay Configuring the prune delay interval on an upstream router in a shared network segment can make the upstream router not perform the prune action immediately after receiving the prune message from its downstream router. Instead, the upstream router maintains the current forwarding state for a period of time that the prune delay interval defines. In this period, if the upstream router receives a join message from the downstream router, it cancels the prune action.
Step                                                 Command                         Remarks
5. Configure the join/prune timeout time.            holdtime join-prune interval    Optional. 210 seconds by default.
6. Configure the assert timeout time.                holdtime assert interval        Optional. 180 seconds by default.
7. Configure the IPv6 multicast source lifetime.     source-lifetime interval        Optional. 210 seconds by default.

Configuring IPv6 PIM common timers on an interface

To configure IPv6 PIM common timers on an interface:

Step                       Command        Remarks
1. Enter system view.      system-view    N/A
2.
Step                                                                          Command                     Remarks
3. Configure the maximum size of a join/prune message.                        jp-pkt-size packet-size     Optional. 8,100 bytes by default.
4. Configure the maximum number of (S, G) entries in a join/prune message.    jp-queue-size queue-size    Optional. 1,020 by default.

Displaying and maintaining IPv6 PIM

Task    Command    Remarks
Display the BSR information in the IPv6 PIM-SM domain and locally configured C-RP information in effect.
IPv6 PIM configuration examples IPv6 PIM-DM configuration example Network requirements Receivers receive VOD information through multicast. The receiver groups of different organizations form stub networks, and at least one receiver host exists in each stub network. The entire IPv6 PIM domain operates in the dense mode. Host A and Host C are IPv6 multicast receivers in two stub networks N1 and N2. MLDv1 runs between Router A and N1 and between Router B/Router C and N2.
Configure OSPFv3 on the routers and the firewall in the IPv6 PIM-DM domain to make sure the network-layer on the IPv6 PIM-DM network is interoperable and the routing information among the routers and the firewall can be dynamically updated. (Details not shown.) 2. Enable IPv6 multicast routing, and enable IPv6 PIM-DM and MLD: # Enable IPv6 multicast routing on Router A, and enable IPv6 PIM-DM on each interface and enable MLD on GigabitEthernet 0/1, which connects Router A to N1.
# Verify the IPv6 PIM neighboring relationships on Firewall.
[Firewall] display pim ipv6 neighbor
Total Number of Neighbors = 3
Neighbor     Interface    Uptime      Expires     Dr-Priority
1002::1      GE0/2        00:04:00    00:01:29    1
2002::1      GE0/3        00:04:16    00:01:29    3
3001::1      GE0/4        00:03:54    00:01:17    5

Assume that Host A needs to receive information addressed to IPv6 multicast group G (FF0E::101).
RPF prime neighbor: NULL Downstream interface(s) information: Total number of downstreams: 3 1: GigabitEthernet0/2 Protocol: pim-dm, UpTime: 00:02:19, Expires: never 2: GigabitEthernet0/3 Protocol: pim-dm, UpTime: 00:02:19, Expires: never 3: GigabitEthernet0/4 Protocol: pim-dm, UpTime: 00:02:19, Expires: never IPv6 PIM-SM non-scoped zone configuration example Network requirements Receivers receive VOD information through multicast.
Figure 395 Network diagram (figure labels: N1, N2, Ethernet, GE0/2)

Device        Interface    IPv6 address
Firewall A    GE0/1        1001::1/64
              GE0/2        1002::1/64
              GE0/3        1003::1/64
Router A      GE0/1        2001::1/64
              GE0/2        2002::1/64
Firewall B    GE0/1        4001::1/64
              GE0/2        1002::2/64
              GE0/3        4002::1/64
Router B      GE0/1        3001::2/64
              GE0/2        2002::2/64
Firewall C    GE0/1        2001::2/64
              GE0/2        3001::1/64
              GE0/3        1003::2/64
              GE0/4        4002::2/64

Configuration procedure

1.
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim ipv6 sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim ipv6 sm
[FirewallA-GigabitEthernet0/3] quit
The configuration on Router A and Router B is similar to that on Firewall A. The configuration on Firewall B and Firewall C is also similar to that on Firewall A, except that it is not necessary to enable MLD on the corresponding interfaces of these two firewalls.
3.
State: Accept Preferred Uptime: 00:04:22 Expires: 00:01:46 # Display BSR information and locally configured C-RP information in effect on Firewall B.
Uptime: 00:05:19 Expires: 00:02:11 RP: 1003::2 Priority: 192 HoldTime: 130 Uptime: 00:05:19 Expires: 00:02:11 Assume that Host A needs to receive information addressed to IPv6 multicast group G (FF0E::100). The RP corresponding to the multicast group G is Firewall C as result of hash calculation, so an RPT will be built between Firewall A and Firewall C. When the multicast source S (4001::100/64) registers with the RP, an SPT will be built between Firewall B and Firewall C.
RP: 1003::2 Protocol: pim-sm, Flag: SPT LOC ACT UpTime: 00:14:44 Upstream interface: GigabitEthernet0/1 Upstream neighbor: NULL RPF prime neighbor: NULL Downstream interface(s) information: Total number of downstreams: 1 1: GigabitEthernet0/3 Protocol: mld, UpTime: 00:14:44, Expires: 00:02:26 # Display IPv6 PIM routing table information on Firewall C.
Figure 396 Network diagram (figure labels: GE0/1, GE0/2, GE0/3, GE0/4)

Device Interface IPv6 address Device Interface IPv6 address Router A GE0/1 1001::1/64 Router B GE0/1 6002::1/64 GE0/2 1002::1/64 GE0/2 6001::1/64 GE0/1 2001::1/64 GE0/2 1002::2/64 GE0/3 2002::1/64 Firewall A Firewall B Router E Router F GE0/4 2003::1/64 GE0/1 3001::1/64 GE0/2 GE0/3 GE0/4 2002::2/64 Router C GE0/3 3002::2/64 GE0/1 7001::1/64 GE0/2 3003::2/64 GE0/3 6001::2/64 GE0/1 8001::1
2. Enable IPv6 multicast routing and IPv6 administrative scoping, and enable IPv6 PIM-SM and MLD: # Enable IPv6 multicast routing and IPv6 administrative scoping on Router A, enable IPv6 PIM-SM on each interface, and enable MLD on the host-side interface GigabitEthernet 0/1.
# On Firewall B, configure GigabitEthernet 0/4 and GigabitEthernet 0/5 as the boundary of IPv6 admin-scope zone 2.
system-view
[FirewallB] interface gigabitethernet 0/4
[FirewallB-GigabitEthernet0/4] multicast ipv6 boundary scope 4
[FirewallB-GigabitEthernet0/4] quit
[FirewallB] interface gigabitethernet 0/5
[FirewallB-GigabitEthernet0/5] multicast ipv6 boundary scope 4
[FirewallB-GigabitEthernet0/5] quit
# On Router B, configure GigabitEthernet 0/1 as the boundary of admin-scope zone 2.
Expires: 00:01:25 Elected BSR Address: 1002::2 Priority: 64 Hash mask length: 126 State: Elected Scope: 4 Uptime: 00:04:54 Next BSR message scheduled at: 00:00:06 Candidate BSR Address: 1002::2 Priority: 64 Hash mask length: 126 State: Elected Scope: 4 Candidate RP: 1002::2(GigabitEthernet0/2) Priority: 192 HoldTime: 130 Advertisement Interval: 60 Next advertisement scheduled at: 00:00:15 # Display BSR information and locally configured C-RP information on Router B.
Elected BSR Address: 8001::1 Priority: 64 Hash mask length: 126 State: Elected Scope: 14 Uptime: 00:01:11 Next BSR message scheduled at: 00:00:49 Candidate BSR Address: 8001::1 Priority: 64 Hash mask length: 126 State: Elected Scope: 14 Candidate RP: 8001::1(GigabitEthernet0/1) Priority: 192 HoldTime: 130 Advertisement Interval: 60 Next advertisement scheduled at: 00:00:55 To display the RP information learned on a router, use the display pim ipv6 rp-info command.
Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF4E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF5E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF6E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF7E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF8E::/16 RP: 8001::1 Pr
HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFBE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFCE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFDE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFEE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFFE::/16
Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF24::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF34::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF44::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF54::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix leng
RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF94::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFA4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFB4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFC4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix
prefix/prefix length: FFF4::/16 RP: 1002::2 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 # Display RP information on Firewall C.
Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF6E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF7E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF8E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FF9E::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFAE::/16 RP: 8001::1 Pr
HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFDE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFEE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 prefix/prefix length: FFFE::/16 RP: 8001::1 Priority: 192 HoldTime: 130 Uptime: 00:03:39 Expires: 00:01:51 IPv6 PIM-SSM configuration example Network requirements Receivers receive VOD information through multicast.
Figure 397 Network diagram (figure labels: N1, N2, Ethernet, GE0/2)

Device        Interface    IPv6 address
Firewall A    GE0/1        1001::1/64
              GE0/2        1002::1/64
              GE0/3        1003::1/64
Router A      GE0/1        2001::1/64
              GE0/2        2002::1/64
Firewall B    GE0/1        4001::1/64
              GE0/2        1002::2/64
              GE0/3        4002::1/64
Router B      GE0/1        3001::2/64
              GE0/2        2002::2/64
Firewall C    GE0/1        2001::2/64
              GE0/2        3001::1/64
              GE0/3        1003::2/64
              GE0/4        4002::2/64

Configuration procedure

1.
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] pim ipv6 sm
[FirewallA-GigabitEthernet0/2] quit
[FirewallA] interface gigabitethernet 0/3
[FirewallA-GigabitEthernet0/3] pim ipv6 sm
[FirewallA-GigabitEthernet0/3] quit
The configuration on Router A and Router B is similar to that on Firewall A.
1: GigabitEthernet0/1 Protocol: mld, UpTime: 00:00:11, Expires: 00:03:25 # Display IPv6 PIM multicast routing table information on Firewall B.
5. Use the display pim ipv6 interface verbose command to verify that the same PIM mode is enabled on the RPF interface and the corresponding interface of the RPF neighbor router. 6. Use the display current-configuration command to verify that the same IPv6 PIM mode is enabled on all the routers in the entire network. Make sure that the same IPv6 PIM mode is enabled on all the routers: IPv6 PIM-SM on all routers, or IPv6 PIM-DM on all routers.
C-RP has a unicast route to the BSR, the BSR has a unicast route to each C-RP, and all the routers in the entire network have a unicast route to the RP. 2. IPv6 PIM-SM needs the support of the RP and BSR. Use the display pim ipv6 bsr-info command to verify that the BSR information is available on each router, and then use the display pim ipv6 rp-info command to verify that the RP information is correct. 3.
Configuring MLD NOTE: The MLD configuration is available only at the CLI. Overview The Multicast Listener Discovery protocol (MLD) is used by an IPv6 router to discover the presence of multicast listeners on the directly attached subnets. Multicast listeners are nodes wishing to receive IPv6 multicast packets.
NOTE: • In MLD view, the configuration is effective globally. In interface view, the configuration is effective on only the current interface. • A configuration made in interface view always has priority over the same configuration made in MLD view. If no configuration is made in interface view, the global configuration in MLD view applies.
Configuring an MLD version globally

Step                                    Command                   Remarks
1. Enter system view.                   system-view               N/A
2. Enter MLD view.                      mld                       N/A
3. Configure an MLD version globally.   version version-number    MLDv1 by default.

Configuring an MLD version on an interface

Step                                           Command                                       Remarks
1. Enter system view.                          system-view                                   N/A
2. Enter interface view.                       interface interface-type interface-number     N/A
3. Configure an MLD version on the interface.  mld version version-number                    MLDv1 by default.
Configuring an IPv6 multicast group filter To restrict the hosts on the network attached to an interface from joining certain IPv6 multicast groups, you can set an IPv6 ACL rule on the interface so that the interface maintains only the IPv6 multicast groups matching the criteria. To configure an IPv6 multicast group filter: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Configure an IPv6 multicast group filter.
• Enable IPv6 forwarding and configure an IPv6 unicast routing protocol so that all devices in the domain can be interoperable at the network layer • Configure basic functions of MLD • Determine the startup query interval • Determine the startup query count • Determine the MLD query interval • Determine the MLD querier's robustness variable • Determine the maximum response delay of MLD general query messages • Determine the MLD last listener query interval • Determine the MLD other querier
Step                                                                                     Command                                       Remarks
2. Enter interface view.                                                                 interface interface-type interface-number     N/A
3. Configure the interface to discard any MLD message without the Router-Alert option.   mld require-router-alert                      By default, the device does not check MLD messages for the Router-Alert option.
4. Enable the insertion of the Router-Alert option into MLD messages.                    mld send-router-alert                         By default, MLD messages carry the Router-Alert option.
Step                                                                      Command                           Remarks
4. Configure the startup query interval.                                  startup-query-interval interval   By default, the startup query interval is 1/4 of the MLD query interval.
5. Configure the startup query count.                                     startup-query-count value         By default, the startup query count is set to the MLD querier's robustness variable.
6. Configure the MLD query interval.                                      timer query interval              125 seconds by default.
7. Configure the maximum response delay for MLD general query messages.
Step                                                    Command                                       Remarks
9. Configure the MLD other querier present interval.    mld timer other-querier-present interval      By default, the other querier present interval is determined by the formula: Other querier present interval (in seconds) = [ MLD query interval ] × [ MLD querier's robustness variable ] + [ maximum response delay for MLD general query ] / 2.

CAUTION:
• Make sure that the other querier present interval is greater than the MLD query interval.
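The derived defaults in the two tables above (startup query interval as 1/4 of the query interval, startup query count equal to the robustness variable, and the other querier present interval formula) together with the CAUTION can be turned into a small pre-deployment check. The following Python is an added example written for this page, not HP code; the `MldTimers` and `check_timers` names are its own, the 125-second query interval is the default from the table, and the robustness variable of 2 and the 10-second maximum response delay are assumed from the RFC 2710 defaults because the page does not show them. Integer seconds are assumed for the 1/4 derivation.

```python
"""Derived MLD querier timers and the other-querier-present check (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MldTimers:
    query_interval: int = 125             # timer query: 125 seconds by default (from the table)
    robustness: int = 2                   # assumption: RFC 2710 default robustness variable
    max_response_delay: int = 10          # assumption: RFC 2710 default general-query response delay (s)
    startup_query_interval: Optional[int] = None    # None = use the derived default
    startup_query_count: Optional[int] = None       # None = use the derived default
    other_querier_present: Optional[int] = None     # mld timer other-querier-present; None = formula

    def effective_startup_query_interval(self) -> int:
        # Default: 1/4 of the MLD query interval (integer seconds assumed).
        if self.startup_query_interval is not None:
            return self.startup_query_interval
        return self.query_interval // 4

    def effective_startup_query_count(self) -> int:
        # Default: the querier's robustness variable.
        if self.startup_query_count is not None:
            return self.startup_query_count
        return self.robustness

    def effective_other_querier_present(self) -> float:
        # Default: query interval x robustness + max response delay / 2, as the table states.
        if self.other_querier_present is not None:
            return float(self.other_querier_present)
        return self.query_interval * self.robustness + self.max_response_delay / 2


def check_timers(t: MldTimers) -> List[str]:
    """Return the configuration problems the CAUTION above warns about."""
    problems: List[str] = []
    if t.effective_other_querier_present() <= t.query_interval:
        problems.append(
            "other querier present interval (%.1f s) must be greater than the MLD query interval (%d s)"
            % (t.effective_other_querier_present(), t.query_interval)
        )
    return problems


if __name__ == "__main__":
    defaults = MldTimers()
    print("other querier present:", defaults.effective_other_querier_present())
    print("startup query interval:", defaults.effective_startup_query_interval())
    print("problems:", check_timers(MldTimers(other_querier_present=100)))
```

With the assumed defaults the formula yields 255 seconds, and a manually configured other-querier-present of 100 seconds with the default 125-second query interval is flagged, which is the misconfiguration the CAUTION describes.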
Enabling the MLD host tracking function With the MLD host tracking function, the switch can record the information of the member hosts that are receiving IPv6 multicast traffic, including the host IPv6 address, running duration, and timeout time. You can monitor and manage the member hosts according to the recorded information. Enabling the MLD host tracking function globally Step Command Remarks 1. Enter system view. system-view N/A 2. Enter MLD view. mld N/A 3.
NOTE: To ensure SSM service for all hosts on a subnet, regardless of the MLD version running on the hosts, enable MLDv2 on the interface that forwards IPv6 multicast traffic onto the subnet. Configuring MLD SSM mappings By performing this configuration multiple times, you can map an IPv6 multicast group to different IPv6 multicast sources. To configure an MLD SSM mapping: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter MLD view. mld N/A 3. Configure an MLD SSM mapping.
NOTE: • Each device can have only one interface serving as the MLD proxy interface. • You cannot enable MLD on interfaces with MLD proxying enabled. Moreover, only the mld require-router-alert, mld send-router-alert, and mld version commands can take effect on such interfaces. • You cannot enable other IPv6 multicast routing protocols (such as IPv6 PIM-DM or IPv6 PIM-SM) on interfaces with MLD proxying enabled, or vice versa.
Task: Display MLD configuration and running information on the specified interface or all MLD-enabled interfaces.
  Command: display mld interface [ interface-type interface-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display information about the MLD proxying groups.
Figure 398 Network diagram
Configuration procedure
1. Enable IPv6 forwarding and configure IPv6 addresses and IPv6 unicast routing:
  • Enable IPv6 forwarding on each firewall and configure an IPv6 address and prefix length for each interface as shown in Figure 398. (Details not shown.)
  • Configure OSPFv3 on the firewalls on the IPv6 PIM network to make sure the network layer in the IPv6 PIM network is interoperable and routing information among firewalls can be dynamically updated. (Details not shown.)
2.
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] pim ipv6 dm
[FirewallB-GigabitEthernet0/2] quit
# Enable IPv6 multicast routing on Firewall C, enable IPv6 PIM-DM on each interface, and enable MLD on the host-side interface GigabitEthernet 0/1.
Source 1, Source 2, and Source 3 send IPv6 multicast packets to multicast groups in the IPv6 SSM group range. You can configure the MLD SSM mapping feature on Firewall so that the receiver host will receive IPv6 multicast data from Source 1 and Source 3 only.
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface GigabitEthernet 0/3
[Firewall-GigabitEthernet0/3] pim ipv6 sm
[Firewall-GigabitEthernet0/3] quit
# Enable IPv6 multicast routing on Router A, and enable IPv6 PIM-SM on each interface.
3001::1
Use the display mld ssm-mapping group command to display IPv6 multicast group information created based on the configured MLD SSM mappings.
# Display IPv6 multicast group information created based on the configured MLD SSM mappings on Firewall.
[Firewall] display mld ssm-mapping group
Total 1 MLD SSM-mapping Group(s).
Configure the MLD proxying feature on Firewall so that Firewall can maintain group memberships and forward IPv6 multicast traffic without running IPv6 PIM-DM.
Figure 400 Network diagram (Firewall acts as MLD proxy and querier, Router as querier on the IPv6 PIM-DM side; interfaces shown: GE0/2 3001::1/64, GE1/1 2001::1/64, GE0/1 2001::2/64, S2/1 1001::1/64; receivers Host A, Host B, and Host C)
Configuration procedure
1. Enable IPv6 forwarding and configure the IPv6 addresses.
# Display MLD information on GigabitEthernet 0/1 of the Firewall.
[Firewall] display mld interface gigabitethernet 0/1 verbose
 GigabitEthernet0/1(2001::2):
   MLD proxy is enabled
   Current MLD version is 1
   Multicast routing on this interface: enabled
   Require-router-alert: disabled
Use the display mld group command to display MLD group information. For example:
# Display MLD group information on the Router.
[Router] display mld group
Total 1 MLD Group(s).
3. Use the display mld interface command to verify that the MLD version on the interface is lower than that on the host.
4. Use the display current-configuration interface command to verify that no ACL rule has been configured to restrict the host from joining IPv6 multicast group G. If an IPv6 ACL is configured to restrict the host from joining IPv6 multicast group G, the ACL must be modified to allow IPv6 multicast group G to receive report messages.
Routing policy configuration
Routing policies are used to receive, advertise, and redistribute only specific routes, and to modify the attributes of some routes.
NOTE:
• Routing policy in this chapter covers both IPv4 routing policy and IPv6 routing policy.
• The routing policy configuration is available only at the CLI.
Introduction to routing policy
A routing policy is used to filter routes when they are received, advertised, or redistributed, and to modify the attributes of some routes.
An IP prefix list is configured to match the destination address of routing information. You can use the gateway option to allow only routing information from certain routers to be received. For gateway option information, see Network Management Command Reference. An IP prefix list, identified by name, can comprise multiple items. Each item, identified by an index number, can specify a prefix range to match. An item with a smaller index number is matched first.
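To make the matching order concrete, the following added example (not HP's code) models an IP prefix list as the page describes it: items are tried in ascending index order, the first item that matches decides, and a route's prefix length must fall in the range given by mask-length, greater-equal and less-equal. It reuses the page's item `ip ip-prefix abc index 40 permit 0.0.0.0 0 less-equal 32` and adds two assumed lower-index items so the ordering is visible; the implicit deny for routes matching no item is an assumption stated in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixItem:
    """One item: index { deny | permit } ip-address mask-length
    [ greater-equal min-mask-length ] [ less-equal max-mask-length ]"""
    index: int
    action: str
    address: str
    mask_length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(route, strict=False)
        base = ipaddress.ip_network(f"{self.address}/{self.mask_length}", strict=False)
        if net.version != base.version:
            return False
        # The route's prefix length must be exactly mask-length unless
        # greater-equal / less-equal widen the range (greater-equal alone
        # allows anything up to the full address length).
        lo = self.mask_length if self.greater_equal is None else self.greater_equal
        if self.less_equal is not None:
            hi = self.less_equal
        elif self.greater_equal is not None:
            hi = net.max_prefixlen
        else:
            hi = self.mask_length
        return lo <= net.prefixlen <= hi and net.network_address in base

def evaluate(items: List[PrefixItem], route: str) -> str:
    """Items with a smaller index are tried first; the first item that matches
    decides and later items are not consulted. A route that matches no item
    is denied (implicit deny at the end of the list, assumed here)."""
    for item in sorted(items, key=lambda i: i.index):
        if item.matches(route):
            return item.action
    return "deny"

# Constructed list 'abc': the page's item 40 (permit every IPv4 route) plus two
# assumed items with lower indexes that are therefore tried before it.
ABC = [
    PrefixItem(40, "permit", "0.0.0.0", 0, less_equal=32),
    PrefixItem(10, "deny", "10.0.0.0", 8, greater_equal=24),  # /24 and longer in 10/8
    PrefixItem(20, "permit", "192.168.0.0", 16),              # exactly 192.168.0.0/16
]
```

The same class handles IPv6 prefix lists, since only the address family of the item and the route changes.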
Task list:
• Defining filters
    • Defining an IP-prefix list
    • Defining an AS path list
    • Defining a community list
• Creating a routing policy
• Configuring a routing policy
    • Defining if-match clauses
    • Defining apply clauses
    • Defining a continue clause
Defining filters
Prerequisites
Before configuring this task, you must determine the IP-prefix list name, the matching address range, and the extcommunity list sequence number.
[Sysname] ip ip-prefix abc index 40 permit 0.0.0.0 0 less-equal 32
Define an IPv6 prefix list
Identified by name, each IPv6 prefix list can comprise multiple items. Each item specifies a prefix range to match and is identified by an index number. An item with a smaller index number is matched first. If one item is matched, the IPv6 prefix list is passed, and the routing information will not go to the next item.
To define an IPv6 prefix list:
Step 1. Enter system view.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Define a community list.
  Command:
  • Define a basic community list:
    ip community-list { basic-comm-list-num | basic comm-list-name } { deny | permit } [ community-number-list ] [ internet | no-advertise | no-export | no-export-subconfed ] *
  • Define an advanced community list:
  Remarks: Use either approach. Not defined by default.
Creating a routing policy
Step 1. Enter system view.
  Command: system-view
Step 2. Create a routing policy, specify a node for it, and enter routing policy view.
  Command: route-policy route-policy-name { deny | permit } node node-number
Defining if-match clauses
Follow these guidelines when you define if-match clauses:
• The if-match clauses of a routing policy node are in a logical AND relationship. Routing information must satisfy all of the node's if-match clauses before the node's apply clauses are executed on it.
Step 5. Match BGP routing information whose AS path attribute is specified in the AS path list(s).
  Command: if-match as-path as-path-number&<1-16>
  Remarks: Optional. Not configured by default.
Step 6. Match BGP routing information whose community attribute is specified in the community list(s).
  Command: if-match community { { basic-community-list-number | comm-list-name } [ whole-match ] | adv-community-list-number }&<1-16>
  Remarks: Optional. Not configured by default.
Step 7.
Step 6. Set a cost for routing information.
  Command: apply cost [ + | - ] value
  Remarks: Optional. Not set by default.
Step 7. Set a cost type for routing information.
  Command: apply cost-type [ external | internal | type-1 | type-2 ]
  Remarks: Optional. Not set by default. Only F5000 supports the external and internal keywords.
Step 8. Set the next hop.
  Command:
  • Set the next hop for IPv4 routes: apply ip-address next-hop ip-address
  • Set the next hop for IPv6 routes: apply ipv6 next-hop ipv6-address
Step 9.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a routing policy and enter routing policy view.
  Command: route-policy route-policy-name { deny | permit } node node-number
  Remarks: Not created by default.
Step 3. Specify the next routing policy node to be matched.
  Command: continue [ node-number ]
  Remarks: Optional. Not configured by default. The node number specified must be larger than the current node number.
Figure 401 Network diagram
Configuration procedure
1. Configure Firewall A.
# Configure IPv6 addresses for interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2.
system-view
[FirewallA] ipv6
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 10::1 32
[FirewallA-GigabitEthernet0/1] quit
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipv6 address 11::1 32
[FirewallA-GigabitEthernet0/2] quit
# Enable RIPng on GigabitEthernet 0/1.
[FirewallB-GigabitEthernet0/1] ripng 1 enable
[FirewallB-GigabitEthernet0/1] quit
# Enable RIPng.
[FirewallB] ripng
# Display RIPng routing table information.
[FirewallA-bgp] peer 1.1.1.2 as-number 300
# Configure Firewall B.
system-view
[FirewallB] bgp 200
[FirewallB-bgp] router-id 2.2.2.2
[FirewallB-bgp] peer 1.1.2.2 as-number 300
# Configure Firewall C.
system-view
[FirewallC] bgp 300
[FirewallC-bgp] router-id 3.3.3.3
[FirewallC-bgp] peer 1.1.1.1 as-number 100
[FirewallC-bgp] peer 1.1.2.1 as-number 200
[FirewallC-bgp] peer 1.1.3.2 as-number 400
# Configure Firewall D.
3. Configure Firewall D to reject the routes from AS 200.
# Configure AS-PATH list 1.
[FirewallD] ip as-path 1 permit .*200.*
# Create routing policy rt1 with node 1, and specify the match mode as deny to deny routes from AS 200.
[FirewallD] route-policy rt1 deny node 1
[FirewallD-route-policy] if-match as-path 1
[FirewallD-route-policy] quit
# Create routing policy rt1 with node 10, and specify the match mode as permit to permit routes from other ASs.
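The following added example (not HP's code) models how Firewall D's policy is evaluated: an AS path list whose regex is searched in the AS_PATH attribute, routing policy nodes tried in ascending order with ANDed if-match clauses, a deny node rejecting matching routes and a permit node running its apply clauses. The Route and Node structures, the implicit deny for routes matching no node, and the AS paths fed in are assumptions for illustration; the continue clause is not modelled.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    prefix: str
    as_path: List[int]            # AS_PATH as received, e.g. [300, 200]
    cost: Optional[int] = None

@dataclass
class Node:
    """route-policy name { deny | permit } node number, plus its clauses."""
    number: int
    mode: str                                       # "permit" or "deny"
    as_path_lists: List[int] = field(default_factory=list)  # if-match as-path ...
    apply_cost: Optional[int] = None                # apply cost value

AsPathList = List[Tuple[str, str]]                  # (permit | deny, regex) items

def as_path_permits(items: AsPathList, route: Route) -> bool:
    """ip as-path: the regex is searched in the space-separated AS path and the
    first item that hits decides; no hit means the list does not match. Note
    that a bare '200' (as in the page's .*200.*) also hits AS 1200 or 2001."""
    text = " ".join(str(asn) for asn in route.as_path)
    for action, regex in items:
        if re.search(regex, text):
            return action == "permit"
    return False

def node_matches(node: Node, lists: Dict[int, AsPathList], route: Route) -> bool:
    # if-match clauses are ANDed; a node with no if-match clause matches every route
    return all(as_path_permits(lists[n], route) for n in node.as_path_lists)

def run_policy(nodes: List[Node], lists: Dict[int, AsPathList], route: Route) -> str:
    """Nodes are tried in ascending number and the first matching node decides:
    deny rejects the route, permit runs the apply clauses and accepts it. A
    route that matches no node is rejected (implicit deny, assumed here); the
    continue clause is not modelled."""
    for node in sorted(nodes, key=lambda n: n.number):
        if not node_matches(node, lists, route):
            continue
        if node.mode == "deny":
            return "deny"
        if node.apply_cost is not None:
            route.cost = node.apply_cost
        return "permit"
    return "deny"

# Firewall D's configuration from the example: AS-PATH list 1 permits paths
# containing 200, rt1 node 1 denies those routes, node 10 permits the rest.
AS_PATH_LISTS = {1: [("permit", r".*200.*")]}
RT1 = [Node(1, "deny", as_path_lists=[1]), Node(10, "permit")]
```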
IPv6 routing information filtering failure
Symptom
The routing protocol is running properly, but filtering routing information failed.
Analysis
At least one item of the IPv6 prefix list must be configured in permit mode, and at least one node of the routing policy must be configured in permit mode.
Solution
1. Use the display ip ipv6-prefix command to display IPv6 prefix list information.
2. Use the display route-policy command to display routing policy information.
Configuring SSL
The SSL configuration is available only at the CLI.
Feature and hardware compatibility
Feature | F1000-A-EI/S-EI | F1000-E | F5000 | Firewall module
FIPS    | No              | No      | No    | Yes
SSL overview
Secure Sockets Layer (SSL) is a security protocol that provides secure connection services for TCP-based application layer protocols such as HTTP. It is widely used in e-business and online banking to ensure secure data transmission over the Internet.
NOTE:
For more information about symmetric key algorithms, the asymmetric key algorithm RSA, digital signatures, and PKI, see VPN Configuration Guide.
SSL protocol stack
As shown in Figure 404, the SSL protocol consists of two layers of protocols: the SSL record protocol at the lower layer, and the SSL handshake protocol, change cipher spec protocol, and alert protocol at the upper layer.
To configure an SSL server policy:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an SSL server policy and enter its view.
  Command: ssl server-policy policy-name
  Remarks: N/A
Step 3. Specify a PKI domain for the SSL server policy.
  Command: pki-domain domain-name
  Remarks: By default, no PKI domain is specified for an SSL server policy. If the client requires certificate-based authentication of the SSL server, you must use this command to specify a PKI domain for the server and request a local certificate for the server through the PKI domain.
NOTE: SSL mainly comes in these versions: SSL 2.0, SSL 3.0, and TLS 1.0, where TLS 1.0 corresponds to SSL 3.1. When the switch acts as an SSL server, it can communicate with clients running SSL 3.0 or TLS 1.0, and can identify the SSL 2.0 Client Hello message from a client supporting SSL 2.0 and SSL 3.0/TLS 1.0 and notify the client to use SSL 3.0 or TLS 1.0 to communicate with the server. In FIPS mode, only TLS 1.0 is supported.
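The note above describes two wire formats the server has to tell apart: an SSL 2.0-style Client Hello (2-byte header with the high bit set, 3-byte cipher specs) and an SSL 3.0/TLS 1.0 record-layer ClientHello, with the server then settling on SSL 3.0 or TLS 1.0 (TLS 1.0 only in FIPS mode). The following added example (not HP's code, and not the firewall's implementation) parses both formats and applies that version choice; the sample hellos are constructed in the code, not captured traffic.

```python
import struct

SSL3_0, TLS1_0 = 0x0300, 0x0301
HANDSHAKE, CLIENT_HELLO = 0x16, 0x01

def parse_sslv2_client_hello(data: bytes):
    """SSLv2-format CLIENT-HELLO: 2-byte header with the high bit set (15-bit
    length), then msg type, version, three length fields and 3-byte cipher specs."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or rec_len < 9 or body[0] != CLIENT_HELLO:
        raise ValueError("not a CLIENT-HELLO")
    version, cs_len, sid_len, ch_len = struct.unpack("!HHHH", body[1:9])
    if cs_len % 3 or len(body) != 9 + cs_len + sid_len + ch_len:
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    specs = body[9:9 + cs_len]
    return version, [specs[i:i + 3] for i in range(0, cs_len, 3)]

def parse_tls_client_hello(data: bytes) -> int:
    """SSL 3.0/TLS record layer: content type, record version, length, then the
    handshake header and client_version. Returns client_version."""
    if len(data) < 11:
        raise ValueError("short record")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    hs_len = int.from_bytes(data[6:9], "big")
    if ctype != HANDSHAKE or data[5] != CLIENT_HELLO or rec_len != hs_len + 4:
        raise ValueError("not a ClientHello handshake record")
    return struct.unpack("!H", data[9:11])[0]

def choose_version(data: bytes, fips_mode: bool = False):
    """Server-side choice as the note describes: SSL 3.0 or TLS 1.0 (TLS 1.0
    only in FIPS mode), the highest one the client's version allows. An SSLv2-
    format hello is honoured only if it advertises SSL 3.0/TLS 1.0; else None."""
    if data[0] & 0x80:
        fmt, client_version = "sslv2", parse_sslv2_client_hello(data)[0]
    else:
        fmt, client_version = "record", parse_tls_client_hello(data)
    offered = [TLS1_0] if fips_mode else [TLS1_0, SSL3_0]
    chosen = next((v for v in offered if client_version >= v), None)
    return fmt, client_version, chosen

def build_sslv2_hello(version: int, cipher_specs: list) -> bytes:
    """Constructed sample input (not captured traffic): SSLv2-format hello."""
    specs = b"".join(cipher_specs)
    hdr = struct.pack("!HHHH", version, len(specs), 0, 16)  # no session id, 16-byte challenge
    body = bytes([CLIENT_HELLO]) + hdr + specs + bytes(16)
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_tls_hello(version: int) -> bytes:
    """Constructed sample input: minimal TLS-record ClientHello with one suite."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs
```

In the SSLv2 format, cipher specs whose first byte is 0x00 carry an SSL 3.0/TLS cipher suite, while a non-zero first byte marks an SSL 2.0-only cipher; a client that only offers the latter has nothing the server described above can use.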
[Firewall-pki-entity-en] quit
# Create PKI domain 1, specify the trusted CA as ca server, the URL of the registration server as http://10.1.2.2/certsrv/mscep/mscep.dll, the authority for certificate request as RA, and the entity for certificate request as en.
[Firewall] pki domain 1
[Firewall-pki-domain-1] ca identifier ca server
[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.
Configuring an SSL client policy An SSL client policy is a set of SSL parameters for a client to use when connecting to the server. An SSL client policy takes effect only after it is associated with an application layer protocol. If the SSL server is configured to authenticate the SSL client, you must configure the PKI domain for the SSL client policy to use to obtain the certificate of the client. For more information about PKI domain configuration, see VPN Configuration Guide.
Displaying and maintaining SSL
Task: Display SSL server policy information.
  Command: display ssl server-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display SSL client policy information.
  Command: display ssl client-policy { policy-name | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Troubleshooting SSL
SSL handshake failure
Symptom
As the SSL server, the firewall fails to handshake with the SSL client.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents a firewall.
Port numbering in examples
The port numbers in this document are for illustration only and might be unavailable on your device.