HP HSR6800 Routers Layer 3 - IP Services Configuration Guide
Part number: 5998-4491
Software version: HSR6800-CMW520-R3303P05
Document version: 6PW105-20140507
Legal and notice information

© Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP).

Overview

ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.

ARP message format

ARP uses two types of messages, ARP request and ARP reply. Figure 1 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.
1. Host A looks through its ARP table for an ARP entry for Host B. If one entry is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request.
Dynamic ARP entry

ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.

Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry. Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
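The following added example (my own code, not from the HP guide) builds and parses Ethernet/IPv4 ARP packets with the standard field lengths and models an ARP table that applies the entry rules above: static entries do not age and are not overwritten by learned mappings, dynamic entries age out, and learning stops at a per-interface maximum. The packets, the 1200-second aging time and the class and function names are my assumptions.

```python
import struct

# Ethernet/IPv4 ARP packet, 28 bytes, with the standard field lengths:
# hardware type (2), protocol type (2), hardware address length (1),
# protocol address length (1), operation (2), sender MAC (6), sender IP (4),
# target MAC (6), target IP (4).
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize an ARP request or reply; addresses are given as text."""
    return struct.pack(
        ARP_FORMAT, 1, 0x0800, 6, 4, op,
        bytes.fromhex(sender_mac.replace(":", "")),
        bytes(int(x) for x in sender_ip.split(".")),
        bytes.fromhex(target_mac.replace(":", "")),
        bytes(int(x) for x in target_ip.split(".")),
    )


def parse_arp(payload):
    """Return the ARP fields as a dict; reject non-Ethernet/IPv4 packets."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(
        ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "op": op,
        "sender_mac": mac_to_str(smac), "sender_ip": ip_to_str(sip),
        "target_mac": mac_to_str(tmac), "target_ip": ip_to_str(tip),
        # Gratuitous ARP: sender IP and target IP are both the sender's own
        # address (see "Configuring gratuitous ARP" later in this guide).
        "gratuitous": sip == tip,
    }


class ArpTable:
    """ARP table applying the guide's entry rules: a static entry never ages
    out and cannot be overwritten by a dynamic entry, a static entry replaces
    a dynamic one, and dynamic learning stops at max_dynamic entries."""

    def __init__(self, max_dynamic, aging_seconds=1200):  # 1200 s assumed
        self.max_dynamic = max_dynamic
        self.aging_seconds = aging_seconds
        self.entries = {}  # ip -> {"mac", "static", "expires"}

    def add_static(self, ip, mac):
        # Manually configured mapping; overwrites any dynamic entry for ip.
        self.entries[ip] = {"mac": mac, "static": True, "expires": None}

    def dynamic_count(self):
        return sum(1 for e in self.entries.values() if not e["static"])

    def _expire(self, now):
        aged = [ip for ip, e in self.entries.items()
                if not e["static"] and e["expires"] <= now]
        for ip in aged:
            del self.entries[ip]

    def learn(self, packet, now):
        """Learn the sender IP-to-MAC mapping from a parsed ARP packet.
        Returns True when a dynamic entry was created or refreshed."""
        self._expire(now)
        ip, mac = packet["sender_ip"], packet["sender_mac"]
        current = self.entries.get(ip)
        if current is not None and current["static"]:
            return False  # a received packet cannot modify a static mapping
        if current is None and self.dynamic_count() >= self.max_dynamic:
            return False  # interface limit on dynamic entries reached
        self.entries[ip] = {"mac": mac, "static": False,
                            "expires": now + self.aging_seconds}
        return True

    def lookup(self, ip, now):
        self._expire(now)
        entry = self.entries.get(ip)
        return entry["mac"] if entry else None
```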
A Layer 2 interface can learn an ARP entry only when both its maximum number and the VLAN interface's maximum number are not reached.

To set the maximum number of dynamic ARP entries that an interface can learn:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Set the maximum number of dynamic ARP entries that the interface can learn.
  Remarks: Optional.
Step 2: Enable dynamic ARP entry check.
  Command: arp check enable
  Remarks: Optional. Enabled by default.

Enabling natural mask support for ARP requests

This feature enables the device to learn the sender IP and MAC addresses in a received ARP request whose sender IP address is on the same classful network as, but a different subnet from, the IP address of the receiving interface. A classful network refers to a class A, B, or C network. For example, GigabitEthernet 3/0/1 with IP address 10.10.10.
Task: Display the ARP entry for a specific IP address (in IRF mode).
  Command: display arp ip-address [ chassis chassis-number slot slot-number ] [ verbose ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the ARP entries for a specific VPN instance.
  Command: display arp vpn-instance vpn-instance-name [ count ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the ARP entries for a specific topology.
Configuration procedure

1. Configure Router A:

# Specify an IP address for GigabitEthernet 3/0/2.
system-view
[RouterA] interface GigabitEthernet 3/0/2
[RouterA-GigabitEthernet3/0/2] ip address 192.168.1.1 24
[RouterA-GigabitEthernet3/0/2] quit

2. Configure Router B:

# Specify an IP address for GigabitEthernet 3/0/1.
system-view
[RouterB] interface GigabitEthernet 3/0/1
[RouterB-GigabitEthernet3/0/1] ip address 192.168.1.
Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group. If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router.
Step: Enable the device to send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
  Command: gratuitous-arp-sending enable
  Remarks: By default, a device does not send gratuitous ARP packets upon receiving ARP requests whose sender IP address belongs to a different subnet.
Step 4: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 5: Enable periodic sending of gratuitous ARP packets and set the sending interval.
Configuring proxy ARP

Overview

Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP in this chapter refers to the common proxy ARP. It allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable proxy ARP.
  Command: proxy-arp enable
  Remarks: Disabled by default.

Displaying and maintaining proxy ARP

Task: Display whether proxy ARP is enabled.
  Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
[Router-GigabitEthernet3/0/1] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 3/0/1.
[Router-GigabitEthernet3/0/1] proxy-arp enable
[Router-GigabitEthernet3/0/1] quit
# Configure the IP address of interface GigabitEthernet 3/0/2.
[Router] interface gigabitethernet 3/0/2
[Router-GigabitEthernet3/0/2] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface GigabitEthernet 3/0/2.
Configuring ARP snooping

NOTE: The ARP snooping feature is supported only when SAP modules operate in bridge mode.

Overview

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, together with the receiving VLAN and port, to create ARP snooping entries.
Configuring IP addressing

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview

This section describes the IP addressing basics. IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length.
Class: D
  Address range: 224.0.0.0 to 239.255.255.255
  Remarks: Multicast addresses.
Class: E
  Address range: 240.0.0.0 to 255.255.255.255
  Remarks: Reserved for future use except for the broadcast address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.16 indicates the host with a host ID of 16 on the local network.
Assigning an IP address to an interface

You can assign an interface one primary address and multiple secondary addresses. Generally, you only need to assign the primary address to an interface. In some cases, you must assign secondary IP addresses to the interface. For example, if the interface connects to two subnets, to enable the device to communicate with all hosts on the LAN, assign a primary IP address and a secondary IP address to the interface.
Figure 8 Network diagram

Configuration procedure

# Assign a primary IP address and a secondary IP address to GigabitEthernet 2/1/1.
system-view
[Router] interface GigabitEthernet 2/1/1
[Router-GigabitEthernet2/1/1] ip address 172.16.1.1 255.255.255.0
[Router-GigabitEthernet2/1/1] ip address 172.16.2.1 255.255.255.0 sub
# Set the gateway address to 172.16.1.1 on the hosts attached to subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts attached to subnet 172.16.2.0/24.
# Ping a host on subnet 172.
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms

--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 25/25/26 ms

The output shows that the router can communicate with the host on subnet 172.16.2.0/24.

# Ping a host on subnet 172.16.1.0/24 from a host on subnet 172.16.2.0/24 to verify the connectivity.
Host B can be successfully pinged from Host A.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Specify the current interface to borrow the IP address of the specified interface.
  Command: ip address unnumbered interface interface-type interface-number
  Remarks: The interface does not borrow IP addresses from other interfaces by default.
system-view
[RouterB] interface GigabitEthernet 2/1/1
[RouterB-GigabitEthernet2/1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-GigabitEthernet2/1/1] quit
# Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/1/1.
[RouterB] interface serial 2/1/1
[RouterB-Serial2/1/1] ip address unnumbered interface GigabitEthernet 2/1/1
[RouterB-Serial2/1/1] quit
# Create a route to the subnet attached to Router A, specifying interface Serial 2/1/1 as the output interface.
DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Dynamic IP address allocation process

Figure 11 Dynamic IP address allocation process

1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format."
3.
DHCP message format

Figure 12 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 12 DHCP message format

• op—Message type defined in option field. 1 = REQUEST, 2 = REPLY.
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message traveled.
DHCP options

DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients.

Figure 13 DHCP option format

Common DHCP options

The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters.

For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.
Figure 16 PXE server address sub-option value field

Relay agent option (Option 82)

Option 82 is the relay agent option in the option field of the DHCP message. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server. The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting.
Figure 18 Sub-option 2 in normal padding format

• Verbose padding format:
   ◦ Sub-option 1—Contains the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are length variable. See Figure 19.
Figure 22 Sub-option 9 in private padding format

• Standard padding format:
   ◦ Sub-option 1—Contains the VLAN ID of the interface that received the client's request, module (slot number of the receiving port) and port (number of the receiving port). The value of the sub-option type is 1, and the value of the circuit ID type is 0.

Figure 23 Sub-option 1 in standard padding format

   ◦ Sub-option 2—Contains the MAC address of the DHCP snooping device that received the client's request.
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address to the client. For the configuration of this address pool, see "Configuring static address allocation."
2. If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool.
Task: Applying an extended address pool on an interface
  Remarks: Required by the extended address pool configuration. When configuring a common address pool, ignore this task.
Task: Configuring the DHCP server security functions
  Remarks: Optional.
Task: Enabling client offline detection
  Remarks: Optional.
Task: Enabling handling of Option 82
  Remarks: Optional.
Task: Specifying the threshold for sending trap messages
  Remarks: Optional.
Step 2: Create a DHCP address pool and enter its view.
  Command: dhcp server ip-pool pool-name [ extended ]
  Remarks: No DHCP address pool is created by default. A common address pool and an extended address pool are different in address allocation mode configuration. Configurations of other parameters (such as the domain name suffix and DNS server address) for them are the same.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter common address pool view.
  Command: dhcp server ip-pool pool-name
  Remarks: N/A
Step 3: Specify the IP address.
  Command: static-bind ip-address ip-address [ mask-length | mask mask ]
  Remarks: No IP addresses are statically bound by default.
Step 4: Specify the MAC address or client ID.
  Command (to specify the MAC address): static-bind mac-address mac-address
  Remarks: Use either of the commands (specify the MAC address or specify the client ID). Neither is bound statically by default.
Step 7: Exclude IP addresses from automatic allocation.
  Command: dhcp server forbidden-ip low-ip-address [ high-ip-address ]
  Remarks: Optional. Except IP addresses of the DHCP server interfaces, all addresses in the DHCP address pool are assignable by default.

Configuring dynamic address allocation for an extended address pool

Extended address pools support dynamic address allocation only. When configuring an extended address pool, you must specify:
• Assignable IP address range.
• Mask.
domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring IPv4 DNS."

To configure a domain name suffix in the DHCP address pool:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter DHCP address pool view.
  Command: dhcp server ip-pool pool-name [ extended ]
  Remarks: N/A
Step 3: Specify a domain name suffix.
  Command: domain-name domain-name
  Remarks: Not specified by default.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter DHCP address pool view.
  Command: dhcp server ip-pool pool-name [ extended ]
  Remarks: N/A
Step 3: Specify WINS servers.
  Command: nbns-list ip-address&<1-8>
  Remarks: Optional for b-node. No WINS server is specified by default.
Step 4: Specify the NetBIOS node type.
  Command: netbios-type { b-node | h-node | m-node | p-node }
  Remarks: Not specified by default.
To configure option 184 parameters in a DHCP address pool:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter DHCP address pool view.
  Command: dhcp server ip-pool pool-name [ extended ]
  Remarks: N/A
Step 3: Specify the IP address of the primary network calling processor.
  Command: voice-config ncp-ip ip-address
  Remarks: No primary network calling processor is specified by default.
Step 4: Specify the IP address of the backup network calling processor.
  Command: voice-config as-ip ip-address
  Remarks: Optional.
Step 5: Configure the voice VLAN.
Step 3: Specify the IP address or the name of the TFTP server.
  Command (to specify the TFTP server by IP address): tftp-server ip-address ip-address
  Command (to specify the name of the TFTP server): tftp-server domain-name domain-name
  Remarks: Use either command. Not specified by default.
Step 4: Specify the bootfile name.
  Command: bootfile-name bootfile-name
  Remarks: Not specified by default.

Specifying a server's IP address for the DHCP client

Some DHCP clients need to obtain configuration information from a server, such as a TFTP server.
Step 3: Configure a self-defined DHCP option.
  Command: option code { ascii ascii-string | hex hex-string&<1-16> | ip-address ip-address&<1-8> }
  Remarks: No self-defined DHCP option is configured by default. See Table 2 for a description of common options and corresponding commands.
primary IP address of the DHCP relay agent's interface (connected to the client) for a requesting client.

When the DHCP server and client are on the same subnet:
• With the keyword subaddress specified:
   ◦ The DHCP server preferably assigns an IP address from an address pool that resides on the same subnet as the primary IP address of the server interface (connecting to the client).
Configuring the DHCP server security functions

Configuration prerequisites

Before you perform this configuration, complete the following configurations on the DHCP server:
1. Enable DHCP.
2. Configure the DHCP address pool.

Enabling unauthorized DHCP server detection

Unauthorized DHCP servers on a network might assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option).
Step 3: Configure the ping timeout time.
  Command: dhcp server ping timeout milliseconds
  Remarks: Optional. The default setting is 500 milliseconds. The value 0 disables IP address conflict detection.

Configuring the DHCP server to work with authorized ARP

Only the clients that obtain an IP address from the DHCP server are considered as authorized clients.
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable the DHCP server to work with authorized ARP.
  Command: dhcp update arp
  Remarks: Not enabled by default.
Step 4: Enable authorized ARP.
  Command: arp authorized enable
  Remarks: Disabled by default.

Enabling client offline detection

With this feature enabled, the DHCP server considers that a DHCP client goes offline when the ARP entry for the client ages out.
To support Option 82 requires configuring both the DHCP server and relay agent (or the device enabled with DHCP snooping). For more information, see "Configuring the DHCP relay agent" and "Configuring DHCP snooping."

Specifying the threshold for sending trap messages

Configuration prerequisites

Before you perform the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages.
Task: Display information about assignable IP addresses.
  Command: display dhcp server free-ip [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display IP addresses excluded from automatic allocation in the DHCP address pool.
  Command: display dhcp server forbidden-ip [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about bindings.
Configuration procedure

1. Configure the IP address of GigabitEthernet 3/0/1 on Router A:

system-view
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] ip address 10.1.1.1 25
[RouterA-GigabitEthernet3/0/1] quit

2. Configure the DHCP server:

# Enable DHCP.
[RouterA] dhcp enable
# Create DHCP address pool 0 and configure a static binding, DNS server, and gateway in it.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.5.
Figure 25 Network diagram

Configuration procedure

1. Specify IP addresses for interfaces. (Details not shown.)

2. Configure the DHCP server:

# Enable DHCP.
system-view
[RouterA] dhcp enable
# Enable the DHCP server on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2.
[RouterA] dhcp server ip-pool 2
[RouterA-dhcp-pool-2] network 10.1.1.128 mask 255.255.255.128
[RouterA-dhcp-pool-2] expired day 5
[RouterA-dhcp-pool-2] gateway-list 10.1.1.254

Verifying the configuration

After the preceding configuration is complete, clients on networks 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and other network parameters from Router A. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.
Verifying the configuration

After the preceding configuration is complete, Router B can obtain its IP address on 10.1.1.0/24 and the PXE server addresses from Router A. You can use the display dhcp server ip-in-use command on the DHCP server to view the IP addresses assigned to the clients.

Troubleshooting DHCP server configuration

Symptom

A client's IP address obtained from the DHCP server conflicts with another IP address.

Analysis

Another host on the subnet might have the same IP address.

Solution

1.
Configuring the DHCP relay agent

The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate interfaces, and serial interfaces.

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment.
Figure 28 DHCP relay agent work process

1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
If a DHCP request has… / Handling strategy / Padding format / The DHCP relay agent…

Handling strategy: N/A
  Padding format: verbose
  The DHCP relay agent: Forwards the message after adding the Option 82 padded in verbose format.
Handling strategy: N/A
  Padding format: user-defined
  The DHCP relay agent: Forwards the message after adding the user-defined Option 82.

DHCP relay agent configuration task list

Task: Enabling DHCP
  Remarks: Required.
Task: Enabling the DHCP relay agent on an interface
  Remarks: Required.
Task: Correlating a DHCP server group with a relay agent interface
  Remarks: Required.
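The added example below (my own code, not from the HP guide) parses and builds DHCP messages with the fixed header fields listed under "DHCP message format" (op, htype, hlen, hops, xid, giaddr, chaddr) and the TLV option field, encodes Option 82 with the circuit ID (sub-option 1) and remote ID (sub-option 2) sub-options, and models the relay agent work process above: fill giaddr, count the hop, and apply a drop, keep or replace strategy to a request that already carries Option 82. The strategy semantics (drop the request, keep the existing Option 82 unchanged, replace it with the relay's own), filling giaddr only when it is still zero, incrementing hops, and all names and sample values are my assumptions.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr(16), sname(64), file(128): 236 bytes before the magic cookie.
HEADER_FORMAT = "!BBBBIHH4s4s4s4s16s64s128s"


def parse_tlvs(data, stop_at_end=True):
    """Decode type-length-value items (DHCP options or Option 82 sub-options)."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        items.append((code, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return items


def encode_tlvs(items, with_end=True):
    out = bytearray()
    for code, value in items:
        out += bytes([code, len(value)]) + value
    if with_end:
        out.append(OPT_END)
    return bytes(out)


def parse_dhcp(packet):
    fields = struct.unpack(HEADER_FORMAT, packet[:236])
    op, htype, hlen, hops, xid, secs, flags = fields[:7]
    ciaddr, yiaddr, siaddr, giaddr, chaddr = fields[7:12]
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
        "secs": secs, "flags": flags,
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
        "chaddr": chaddr[:hlen].hex(":"),
        "options": parse_tlvs(packet[240:]),
    }


def build_dhcp(op, xid, chaddr, options, hops=0, giaddr="0.0.0.0", flags=0):
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(
        HEADER_FORMAT, op, 1, len(mac), hops, xid, 0, flags,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, IPv4Address(giaddr).packed,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + encode_tlvs(options)


def option82_value(circuit_id, remote_id):
    """Option 82 value: circuit ID (sub-option 1) and remote ID (sub-option 2)."""
    return encode_tlvs([(SUBOPT_CIRCUIT_ID, circuit_id),
                        (SUBOPT_REMOTE_ID, remote_id)], with_end=False)


def relay_request(packet, relay_ip, own_option82, strategy="replace"):
    """Relay agent handling of a client request. Returns the packet to
    forward to the server in unicast, or None when the request is dropped."""
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("relay_request only handles client requests")
    options = msg["options"]
    has_82 = any(code == OPT_RELAY_AGENT for code, _ in options)
    if has_82 and strategy == "drop":
        return None
    if has_82 and strategy == "replace":
        options = [(c, v) for c, v in options if c != OPT_RELAY_AGENT]
        has_82 = False
    if not has_82:  # no Option 82 yet (or just removed): add our own
        options.append((OPT_RELAY_AGENT, own_option82))
    # Assumption: giaddr is filled only when still zero, so the address of the
    # first relay agent on the path survives further hops.
    giaddr = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else relay_ip
    return build_dhcp(BOOTREQUEST, msg["xid"], msg["chaddr"], options,
                      hops=msg["hops"] + 1, giaddr=giaddr, flags=msg["flags"])
```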
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable the DHCP relay agent on the current interface.
  Command: dhcp select relay
  Remarks: After DHCP is enabled, an interface operates in DHCP server mode by default.

Correlating a DHCP server group with a relay agent interface

To improve availability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Configuring the DHCP relay agent security functions

Configuring address check

Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks using fixed IP addresses.
Configuring periodic refresh of dynamic client entries

A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client. With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
Configuration guidelines

• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling the DHCP relay agent to support authorized ARP deletes the corresponding authorized ARP entries.
• Because the DHCP relay agent does not notify the authorized ARP module of the static bindings, you need to configure the corresponding static ARP entries for authorized users that have statically specified IP addresses.
• To relieve a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
Configuring the DHCP relay agent to release an IP address

You can configure the relay agent to release a client's IP address. The relay agent sends a DHCP-RELEASE message that contains the specified IP address. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address. Meanwhile, the client entry is removed from the DHCP relay agent. The IP address to be released must be available in a dynamic client entry.
Step 4: Configure the strategy for handling DHCP requests containing Option 82.
  Command: dhcp relay information strategy { drop | keep | replace }
  Remarks: Optional.
Step 5: Configure the padding format for non-user-defined Option 82.
Task: Display information about the refreshing interval for entries of dynamic IP-to-MAC bindings.
  Command: display dhcp relay security tracker [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about the configuration of a specific or all DHCP server groups.
  Command: display dhcp relay server-group { group-id | all } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display packet statistics on the DHCP relay agent.
# Add DHCP server 10.1.1.1 into DHCP server group 1.
[RouterA] dhcp relay server-group 1 ip 10.1.1.1
# Enable the DHCP relay agent on GigabitEthernet 3/0/1.
[RouterA] interface gigabitethernet 3/0/1
[RouterA-GigabitEthernet3/0/1] dhcp select relay
# Correlate GigabitEthernet 3/0/1 to DHCP server group 1.
Troubleshooting DHCP relay agent configuration Symptom DHCP clients cannot obtain any configuration parameters through the DHCP relay agent. Analysis Some problems might occur with the DHCP relay agent or server configuration. Solution To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Verify that: 1. DHCP is enabled on the DHCP server and relay agent. 2.
Configuring DHCP client The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. You cannot configure an interface of an aggregation group as a DHCP client. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
Task: Display specified configuration information.
Command: display dhcp client [ verbose ] [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
DHCP client configuration example
Network requirements
As shown in Figure 31, Router B contacts the DHCP server through GigabitEthernet 3/0/1 to obtain an IP address, DNS server address, and static route information. The DHCP client IP address resides on network 10.1.1.0/24.
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from automatic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
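The hex string given to option 121 above is the RFC 3442 classless static route encoding: one octet of prefix length (0x18 = 24), only the significant octets of the destination (14 01 01 = 20.1.1), then the four-octet next hop (0A 01 01 02 = 10.1.1.2). The following encoder/decoder is an added example and is not code from the HP guide; the function names are my own. It reproduces the byte string used in the pool configuration, handles a default route (prefix length 0, no destination octets) and rejects truncated or malformed payloads, which is the check a client should apply before installing routes from a server.

```python
import ipaddress
from typing import List, Tuple

# (destination network in CIDR form, next-hop IPv4 address)
Route = Tuple[str, str]


def encode_option121(routes: List[Route]) -> bytes:
    """Encode classless static routes (RFC 3442) as the raw Option 121 payload.

    Per route: 1 octet prefix length, then only the significant octets of the
    destination (ceil(prefixlen / 8) of them), then the 4-octet router address.
    """
    out = bytearray()
    for dest, nexthop in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(nexthop).packed
    return bytes(out)


def decode_option121(payload: bytes) -> List[Route]:
    """Decode an Option 121 payload, rejecting truncated entries, prefix lengths
    above 32 and destinations with non-zero host bits."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry")
        # Octets not sent are zero by definition.
        dest_octets = bytes(payload[i:i + significant]) + b"\x00" * (4 - significant)
        i += significant
        nexthop = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        dest = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(dest_octets)}/{prefixlen}", strict=True)
        routes.append((str(dest), str(nexthop)))
    return routes


def to_cli_hex(payload: bytes) -> str:
    """Render the payload in the spaced hex form the 'option 121 hex' command takes."""
    return " ".join(f"{b:02X}" for b in payload)


if __name__ == "__main__":
    # Constructed input matching the address pool example above.
    payload = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(to_cli_hex(payload))
    print(decode_option121(payload))
```

Because a client installs whatever routes Option 121 carries, a rogue DHCP server on the client's segment can divert traffic with this option alone; restricting which ports may source DHCP replies (the DHCP snooping trusted-port model later in this guide) is the control that bounds that risk.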
Destination/Mask   Proto   Pre  Cost  NextHop     Interface
20.1.1.0/24        Static  70   0     10.1.1.2    GE3/0/1
127.0.0.0/8        Direct  0    0     127.0.0.1   InLoop0
127.0.0.1/32       Direct  0    0     127.0.0.
Configuring DHCP snooping A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server. This feature is supported only when SAP modules operate in bridge mode. Overview DHCP snooping defines trusted and untrusted ports to make sure that clients obtain IP addresses only from authorized DHCP servers.
Application of trusted and untrusted ports
Configuring a trusted port connected to a DHCP server
Figure 32 Configuring trusted and untrusted ports
Configuring trusted ports in a cascaded network
In a cascaded network as shown in Figure 33, each DHCP snooping device's ports connected to other DHCP snooping devices should be configured as trusted ports.
DHCP snooping support for Option 82 Option 82 records the location information about the DHCP client so the administrator can locate the DHCP client for security control and accounting purposes. For more information, see "Configuring the DHCP relay agent." If DHCP snooping supports Option 82, it handles clients' requests according to Option 82, if any. Table 4 describes the handling strategies.
Table 4 Handling strategies (rows for a request that carries no Option 82)
If a DHCP request has... | Handling strategy | Padding format | The DHCP snooping device...
No Option 82 | N/A | private | Forwards the message after adding Option 82 padded in private format.
No Option 82 | N/A | standard | Forwards the message after adding Option 82 padded in standard format.
No Option 82 | N/A | verbose | Forwards the message after adding Option 82 padded in verbose format.
No Option 82 | N/A | user-defined | Forwards the message after adding the user-defined Option 82.
To configure DHCP snooping basic functions:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable DHCP snooping. Command: dhcp-snooping. Remarks: Disabled by default.
Step 3. Enter Ethernet interface view. Command: interface interface-type interface-number. Remarks: The interface connects to the DHCP server.
Step 4. Specify the port as a trusted port that records the IP-to-MAC bindings of clients. Command: dhcp-snooping trust. Remarks: After DHCP snooping is enabled, a port is an untrusted port by default.
Step 5. Return to system view.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable DHCP snooping to support Option 82. Command: dhcp-snooping information enable. Remarks: Disabled by default.
Step 4. Configure the handling strategy for requests containing Option 82. Command: dhcp-snooping information strategy { append | drop | keep | replace }. Remarks: Optional. replace by default.
Configuring DHCP snooping entries backup DHCP snooping entries cannot survive a reboot. If the DHCP snooping device is rebooted, security modules (such as IP source guard) that use DHCP snooping entries to authenticate users reject requests from clients until new entries are learned. The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When the DHCP snooping device reboots, it reads DHCP snooping entries from this file.
With the MAC address check function enabled, the DHCP snooping device compares the chaddr field of a received DHCP request with the source MAC address field of the frame. If they are the same, the request is considered valid and forwarded to the DHCP server. If not, the request is discarded.
To enable MAC address check:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable MAC address check.
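The MAC address check and the Option 82 handling strategies (Table 4 and the dhcp-snooping information strategy step above) both operate on the same DHCP message fields: the chaddr in the fixed header and the option 82 TLV in the options area. The following is an added example, not code from the HP guide or from the device, that builds a constructed DHCP request, applies the chaddr check against the frame's source MAC, and then applies the drop, keep, replace or append strategy. The sub-option layout in build_option82 and the meaning of append (existing sub-options kept, local ones added after them) are my assumptions; function names are my own.

```python
import struct
from typing import List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
Option = Tuple[int, bytes]


def serialize(header: bytes, options: List[Option]) -> bytes:
    """236-byte fixed header, magic cookie, TLV options, end marker."""
    body = bytearray(header[:236]) + DHCP_MAGIC
    for code, value in options:
        if len(value) > 255:
            raise ValueError("option too long")
        body += bytes([code, len(value)]) + value
    body.append(OPT_END)
    return bytes(body)


def build_dhcp_request(client_mac: bytes, options: List[Option]) -> bytes:
    """Constructed sample BOOTREQUEST (not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
                         0x12345678, 0, 0x8000,      # xid, secs, flags (broadcast bit)
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return serialize(header, options)


def parse_options(packet: bytes) -> List[Option]:
    """Walk the TLV option area; pad (0) is skipped, end (255) terminates."""
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options: List[Option] = []
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options.append((code, value))
        i += 2 + length
    return options


def mac_check(frame_src_mac: bytes, packet: bytes) -> bool:
    """DHCP snooping MAC address check: chaddr must equal the frame's source MAC."""
    htype, hlen = packet[1], packet[2]
    return htype == 1 and hlen == 6 and packet[28:28 + hlen] == frame_src_mac


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-option 1 (Circuit ID) and sub-option 2 (Remote ID); assumed padding layout."""
    return bytes([1, len(circuit_id)]) + circuit_id + bytes([2, len(remote_id)]) + remote_id


def snoop_request(frame_src_mac: bytes, packet: bytes, strategy: str,
                  local_option82: bytes) -> Optional[bytes]:
    """Return the request to forward to the trusted port, or None when it is discarded."""
    if not mac_check(frame_src_mac, packet):
        return None                                   # spoofed chaddr: discard
    options = parse_options(packet)
    if not any(code == OPT_RELAY_AGENT_INFO for code, _ in options):
        # No Option 82 present: strategy is N/A, the local Option 82 is added.
        return serialize(packet, options + [(OPT_RELAY_AGENT_INFO, local_option82)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return serialize(packet, options)
    if strategy == "replace":
        return serialize(packet, [(c, local_option82 if c == OPT_RELAY_AGENT_INFO else v)
                                  for c, v in options])
    if strategy == "append":   # assumed: existing sub-options kept, local ones appended
        return serialize(packet, [(c, v + local_option82 if c == OPT_RELAY_AGENT_INFO else v)
                                  for c, v in options])
    raise ValueError(f"unknown strategy {strategy!r}")
```

The chaddr check is what makes the per-port MAC learning limit from the relay-agent guidelines effective: a starvation tool that rotates chaddr values while keeping one source MAC is discarded here before it can consume leases.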
Displaying and maintaining DHCP snooping
Task: Display DHCP snooping entries.
Command: display dhcp-snooping [ ip ip-address ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display Option 82 configuration information on the DHCP snooping device.
Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Figure 34 Network diagram
Configuration procedure
# Enable DHCP snooping.
system-view
[Router] dhcp-snooping
# Specify GigabitEthernet 3/0/1 as trusted.
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] dhcp-snooping trust
[Router-GigabitEthernet3/0/1] quit
DHCP snooping Option 82 support configuration example
Network requirements
As shown in Figure 34, Switch B replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch).
[Router] interface gigabitethernet 3/0/1
[Router-GigabitEthernet3/0/1] dhcp-snooping trust
[Router-GigabitEthernet3/0/1] quit
# Configure GigabitEthernet 3/0/2 to support Option 82.
Configuring IPv4 DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
The DNS client is made up of the resolver and the cache. The user program and the DNS client can run on the same device or on different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache, so the DNS client does not need to send a request to the DNS server when the same name is queried again.
Figure 36 DNS proxy networking application A DNS proxy operates as follows: 1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy. 2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client. 3.
Figure 37 Application of DNS spoofing DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a matching DNS entry and it cannot reach the DNS server. In the network of Figure 37, a host accesses the HTTP server in the following steps: 1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Configure a mapping between a host name and an IPv4 address. Command: ip host hostname ip-address. Remarks: Not configured by default. The IPv4 address you last assign to the host name overwrites the previous one if there is any. You can create up to 50 static mappings between domain names and IPv4 addresses.
Configuring the DNS proxy
You can specify multiple DNS servers. Upon receiving a name query request from a client, the DNS proxy forwards the request to the DNS server that has the highest priority. If it receives no reply, it forwards the request to the DNS server with the second highest priority, and so on in turn.
To configure the DNS proxy:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enable DNS proxy. Command: dns proxy enable. Remarks: Disabled by default.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Specify the source interface for DNS packets. Command: dns source-interface interface-type interface-number. Remarks: By default, no source interface for DNS packets is specified. The device uses the primary IP address of the output interface of the matching route as the source IP address of a DNS request.
Displaying and maintaining IPv4 DNS
Task: Display the static IPv4 domain name resolution table.
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the router can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.
This configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000. 1. Configure the DNS server: a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure 40. b. Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com. Figure 40 Creating a zone c. On the DNS server configuration page, right-click zone com, and select New Host.
Figure 41 Adding a host d. On the page that appears, enter host name host and IP address 3.1.1.1. e. Click Add Host. The mapping between the IP address and host name is created. Figure 42 Adding a mapping between domain name and IP address 2.
# Enable dynamic domain name resolution.
system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
[Sysname] ping host
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2.1.1.
Figure 43 Network diagram
Configuration procedure
Before performing the following configuration, assume that Device A, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 43.
1. Configure the DNS server:
This configuration might vary with DNS servers. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for related configuration information.
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms
Troubleshooting IPv4 DNS configuration
Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.
Solution
1. Use the display dns host ip command to verify that the specified domain name is in the cache.
2.
Configuring NAT Overview Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses. A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique.
The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from the external networks. Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages: • Because NAT involves translation of IP addresses, the IP headers cannot be encrypted.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.
Figure 45 NAPT operation (Host A is 192.168.1.2; the translations shown in the figure are summarized below)
Direction | Before NAT | After NAT
Outbound | 192.168.1.2:1111 | 20.1.1.1:1001
Outbound | 192.168.1.2:2222 | 20.1.1.1:1002
Outbound | 192.168.1.3:1111 | 20.1.1.1:1003
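The table in Figure 45 is the state a NAPT device keeps: one public address, a public port allocated per internal (address, port) pair, and the reverse lookup used for replies. The following is an added example, not code from the HP guide or the router, that reproduces those three mappings, translates replies back, drops inbound packets that no session created, and, in the spirit of the Easy IP section that follows, only translates sources matched by a permit list (an IPv4 network standing in for the ACL). Class and method names and the starting public port are my assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NAPTTable:
    """Port-based NAPT: all permitted internal sources share one public address
    and are distinguished by the public port allocated to each session."""

    def __init__(self, public_ip: str, permitted_net: str,
                 first_port: int = 1001, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self.permitted_net = ipaddress.IPv4Network(permitted_net)   # stands in for the ACL
        self.next_port = first_port
        self.last_port = last_port
        # (proto, src ip, src port) -> public port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, public port) -> internal endpoint
        self.inbound: Dict[Tuple[str, int], Endpoint] = {}

    def translate_outbound(self, proto: str, src: Endpoint) -> Endpoint:
        """Source endpoint to write into an outbound packet."""
        src_ip, src_port = src
        if ipaddress.IPv4Address(src_ip) not in self.permitted_net:
            return src                      # ACL miss: forwarded without translation
        key = (proto, src_ip, src_port)
        if key not in self.outbound:        # first packet of a flow: allocate a public port
            if self.next_port > self.last_port:
                raise RuntimeError("public port pool exhausted")
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(proto, public_port)] = src
        return (self.public_ip, self.outbound[key])

    def translate_inbound(self, proto: str, dst: Endpoint) -> Optional[Endpoint]:
        """Internal endpoint for a packet arriving at the public address, or None
        (drop) when no outbound session created the mapping."""
        if dst[0] != self.public_ip:
            return None
        return self.inbound.get((proto, dst[1]))


if __name__ == "__main__":
    nat = NAPTTable("20.1.1.1", "192.168.1.0/24")
    for src in [("192.168.1.2", 1111), ("192.168.1.2", 2222), ("192.168.1.3", 1111)]:
        print(src, "->", nat.translate_outbound("tcp", src))
    print(nat.translate_inbound("tcp", ("20.1.1.1", 1003)))
```

The inbound drop is the property the overview describes as hiding the private network: without an existing mapping an external host cannot address an internal one at all, which is also why the internal-server feature has to be configured explicitly.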
You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like 20.1.1.12:8080 as an internal Web server's external address and port number.
Easy IP Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed. Support for special protocols Apart from the basic address translation function, NAT also provides an application layer gateway (ALG) mechanism that supports some special application protocols without requiring the NAT platform to be modified. This allows for high scalability.
If you configure NAT when NAT is running, the same configuration might have different results because of different configuration orders. • For an HSR6802/HSR6804/HSR6808 router, make sure all IP address pools referenced by the interfaces do not overlap each other. Configuring address translation A NAT device can be configured with or dynamically generate mappings to translate between internal and external network addresses. Address translation can be classified into static and dynamic NAT.
Step 2. Configure a net-to-net static NAT mapping. Command: nat static net-to-net local-ip-address [ vpn-instance local-name ] global-ip-address [ vpn-instance global-name ] { mask-length | mask }
Step 3. Enter interface view. Command: interface interface-type interface-number
Step 4. Enable static NAT on the interface.
• Determine whether to translate port information.
Configuring NAT address pools
You can configure NAT address pools in two ways:
• Configure an address pool that consists of a set of consecutive addresses.
• Configure an address group that can contain several members. Each member specifies an address pool that consists of a set of consecutive addresses. The address pools of members might not be consecutive.
Step 1. Enter system view. Command: system-view
Step 2. Enter interface view. Command: interface interface-type interface-number
Step 3. Configure No-PAT by associating an ACL with an IP address pool on the outbound interface for translating only IP addresses.
If you configure an internal server using Easy IP but do not configure an IP address for the interface, the internal server configuration does not take effect.
To configure a common internal server:
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Configure a common internal server. Command: nat server protocol pro-type global { global-address |
Step 1. Enter system view. Command: system-view
Step 2. Configure a DNS mapping. Command: nat dns-map domain domain-name protocol pro-type ip global-ip port global-port
Setting NAT connection limits
For more information about NAT connection limits, see Security Configuration Guide.
Displaying and maintaining NAT
IMPORTANT: Clearing the NAT log buffer implies loss of all NAT logs. In general, HP recommends not using this command.
Task: Display information about NAT address pools.
Task: Display NAT statistics on a specific interface card (in standalone mode).
Command: display nat statistics slot slot-number [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display NAT statistics on a specific interface card of an IRF member device (in IRF mode).
Command: display nat statistics chassis chassis-number slot slot-number [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Figure 49 Network diagram (Web server 1 10.110.10.1/16, Web server 2 10.110.10.2/16, FTP server 10.110.10.3/16, SMTP server 10.110.10.4/16; Router GE3/1/1 10.110.10.10/16, GE3/1/2 202.38.1.1/24; Host on the Internet)
Configuration procedure
# Configure the IP addresses for the interfaces. (Details not shown.)
# Enter interface GigabitEthernet 3/1/2 view.
system-view
[Router] interface gigabitethernet 3/1/2
# Configure the internal FTP server.
Figure 50 Network diagram (FTP server 1 10.110.10.1/16, FTP server 2 10.110.10.2/16, FTP server 3 10.110.10.3/16; Router GE3/1/1 10.110.10.10/16, GE3/1/2 202.38.1.1/16; Host on the Internet)
Configuration procedure
# Configure the IP addresses for the interfaces. (Details not shown.)
# Add members to internal server group 0.
system-view
[Router] nat server-group 0
[Router-nat-server-group-0] inside ip 10.110.10.1 port 21
[Router-nat-server-group-0] inside ip 10.110.10.
Figure 51 Network diagram (Web server 10.110.10.1/16, FTP server 10.110.10.2/16, DNS server 202.38.1.4/24; Router GE3/1/1 10.110.10.10/16, GE3/1/2 202.38.1.1/24; Host A 10.110.10.3/16, Host B 202.38.1.10/24 on the Internet)
Configuration procedure
# Configure the IP addresses for the interfaces. (Details not shown.)
# Enter the view of interface GigabitEthernet 3/1/2.
system-view
[Router] interface gigabitethernet 3/1/2
# Configure the internal Web server.
Troubleshooting NAT Symptom 1 Abnormal translation of IP addresses. Solution 1. Enable debugging for NAT. Try to locate the problem based on the debugging display. 2. Use other commands, if necessary, to further identify the problem. Pay special attention to the source address after the address translation and make sure this address is the address that you intend to change to. If not, there might be an address pool bug. 3.
Basic forwarding on the device Upon receiving a packet, a device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet. FIB table A router selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next-hop IP address and output interface for packets destined for a specific subnet or host.
Task: Display FIB information.
Command: display fib [ multiple-topology topology-name | vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display FIB information about bandwidth-based load sharing.
Command: display fib [ vpn-instance vpn-instance-name ] bandwidth-based-sharing [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuring load sharing If a routing protocol finds multiple equal-cost best routes to the same destination, the router forwards packets over the equal-cost routes to implement load sharing. The device allows a maximum of 8 routes for load sharing. Static routing/IPv6 static routing, RIP/RIPng, OSPF/OSPFv3, BGP/IPv6 BGP, and IS-IS/IPv6 IS-IS support load sharing.
Configuring the load sharing mode CAUTION: HP recommends that you configure the load sharing mode when no traffic passes through the device to avoid impact on some services. If a routing protocol finds multiple equal-cost best routes to a destination, the router forwards packets over the equal-cost routes to implement load sharing. You can configure the device to identify flows by packet information such as source and destination IP addresses. To configure the load sharing mode: Step 1.
Configuring flow classification Overview Flow classification organizes packets with different characteristics into different classes by using certain match criteria. It is the basis for providing differentiated services. For a multi-core device, the control plane and data plane run on different kernels and threads respectively. The data plane processes packets based on flows. A flow identifies packets with the same characteristics (identical quintuple) and processing procedure.
Displaying and maintaining flow classification
Task: Display the current flow classification policy.
Command: display forwarding policy [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuring adjacency table The adjacency table feature only applies to hardware forwarding, but not software forwarding. The adjacency table feature does not apply to Ethernet networks that use ARP for storing and managing neighbor information. Overview An adjacency table stores information about active neighbors, including neighbor network layer address (nexthop), output interface, link layer service type, and link layer address (PVC for ATM. Unavailable for PPP).
Task: Display IPv4 adjacency table entries (in standalone mode).
Command: display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number | slot slotnum } [ count | verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Task: Display IPv4 adjacency table entries (in IRF mode).
Optimizing IP performance This chapter describes multiple features for IP performance optimization. Enabling receiving and forwarding of directed broadcasts to a directly connected network A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
Step 1. Enter system view. Command: system-view. Remarks: N/A.
Step 2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 3. Enable the interface to forward directed broadcasts. Command: ip forward-broadcast [ acl acl-number ]. Remarks: Disabled by default. Leave it disabled unless an application needs it; a router that forwards directed broadcasts can be used as a reflector that amplifies traffic onto the target subnet, so when you enable it, restrict the permitted sources with the acl option.
Receiving and forwarding directed broadcasts configuration example
Network requirements
As shown in Figure 52, the default gateway of the host is the IP address 1.1.1.2/24 of the interface GigabitEthernet 3/0/1 of Router.
After the configurations, if you ping the subnet-directed broadcast address (2.2.2.255) on the host, the ping packets can be received by the interface GigabitEthernet 3/0/2 of Router B. However, if you cancel the ip forward-broadcast configuration on any router, the ping packets cannot be received by the interface GigabitEthernet 3/0/2 of Router B. Configuring TCP attributes This section provides information about configuring TCP attributes.
1. A TCP source device sends a packet with the Don't Fragment (DF) bit set. 2. A router that fails to forward the packet because it exceeds the MTU on the outgoing interface discards the packet and returns an ICMP error message, which contains the MTU of the outgoing interface. 3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection. 4.
Configuring TCP timers
You can configure the following TCP timers:
• synwait timer—When sending a SYN packet, TCP starts the synwait timer. If no response packet is received within the synwait timer interval, the TCP connection cannot be created.
• finwait timer—When a TCP connection is changed into FIN_WAIT_2 state, the finwait timer is started.
{ If no FIN packet is received within the timer interval, the TCP connection is terminated.
If the device receives an IP packet with a timeout error, it drops the packet and sends an ICMP timeout packet to the source. The device sends an ICMP timeout packet under the following conditions:
{ If the device finds that the destination of a packet is not itself and the TTL field of the packet is 1, it sends a "TTL timeout" ICMP error message.
{ When the device receives the first fragment of an IP datagram whose destination is the device itself, it starts a timer.
Step 2. Enable sending ICMP error packets.
Command:
• Enable sending ICMP redirect packets: ip redirects enable
• Enable sending ICMP timeout packets: ip ttl-expires enable
• Enable sending ICMP destination unreachable packets: ip unreachables enable
Remarks: Disabled by default. When sending ICMP timeout packets is disabled, the device does not send "TTL timeout" ICMP error packets. However, "reassembly timeout" error packets are sent correctly.
Table 5 Handling ICMP messages
Device mode | ICMP messages sent | ICMP messages received | Remarks
Common mode | Common ICMP messages | Common ICMP messages | Extension information in extended ICMP messages is not processed.
• Fragment-flood attack—If the number of concurrent reassemblies or the number of fragments per datagram exceeds the upper limits, the reassemblies or fragments are considered a fragment-flood attack.
Configuration guidelines
• The IP virtual fragment reassembly feature only applies to incoming packets on an interface.
• The IP virtual fragment reassembly feature does not support load sharing. The fragments of an IP datagram cannot arrive through different interfaces.
[RouterA-GigabitEthernet3/0/2] nat outbound static [RouterA-GigabitEthernet3/0/2] ip virtual-reassembly With the IP virtual fragment reassembly feature, Router A checks, sequences, and caches fragments that do not arrive in order at GigabitEthernet 3/0/2. You can use the display ip virtual-reassembly command to view related information. Displaying and maintaining IP performance optimization Task Command Remarks Display TCP connection statistics.
Configuring UDP helper Overview UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain. Upon receiving a UDP broadcast packet, UDP helper matches the UDP destination port number of the packet against the configured UDP ports.
Step 4. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
Step 5. Specify a destination server. Command: udp-helper server [ vpn-instance vpn-instance-name ] ip-address. Remarks: No destination server is specified by default.
Displaying and maintaining UDP helper
Task: Display information about packets forwarded by UDP helper.
[RouterA-GigabitEthernet2/1/1] ip address 10.110.1.1 16 [RouterA-GigabitEthernet2/1/1] udp-helper server 10.2.1.
Configuring IPv6 basics Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. IPv6 features Simplified header format IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server). • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address respectively. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the IPv6-address is represented in any of the formats previously mentioned and the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address comprises the address prefix.
• A loopback address is 0:0:0:0:0:0:0:1 (or ::1). It cannot be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4. • An unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.
Figure 56 Converting a MAC address into an EUI-64 address-based interface identifier • On a tunnel interface The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see "Configuring tunneling.
ICMPv6 message Type Function Redirect message 137 Informs the source host of a better next hop on the path to a particular destination when certain conditions are met. Address resolution This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges. Figure 57 shows how Host A acquires the link-layer address of Host B on a single link.
Figure 58 Duplicate address detection 1. Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address. 2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B. 3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B.
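The EUI-64 interface identifier (Figure 56), the tunnel-interface form with 0000:5EFE in the upper 32 bits, and the solicited-node multicast group that DAD (Figure 58) sends its NS message to are all fixed bit manipulations that are easy to get wrong by hand. The following is an added example, not code from the HP guide or the device, that derives each of them and simulates the DAD outcome: the NS is only delivered to nodes that joined the candidate's solicited-node group, and an NA from a node already holding the address fails DAD. The MAC address used in the check is a constructed sample; function names are my own.

```python
import ipaddress
from typing import Iterable


def eui64_interface_id(mac: str) -> bytes:
    """MAC-48 -> modified EUI-64 interface ID: invert the universal/local bit
    (bit 1 of the first octet) and insert FF-FE between the OUI and device part."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def isatap_interface_id(tunnel_src_ipv4: str) -> bytes:
    """Tunnel interface: upper 32 bits 0000:5EFE (ISATAP), lower 32 bits the IPv4 source."""
    return b"\x00\x00\x5e\xfe" + ipaddress.IPv4Address(tunnel_src_ipv4).packed


def eui64_address(prefix: str, interface_id: bytes) -> ipaddress.IPv6Address:
    """Combine a manually configured /64 prefix with a generated interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or len(interface_id) != 8:
        raise ValueError("EUI-64 addressing needs a /64 prefix and a 64-bit interface ID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:])


def dad_succeeds(candidate: str, addresses_in_use: Iterable[str]) -> bool:
    """Simulated DAD: NS from :: to the candidate's solicited-node group; any
    node already using exactly that address answers with an NA, which fails DAD."""
    target = ipaddress.IPv6Address(candidate)
    group = solicited_node(candidate)
    for used in addresses_in_use:
        if solicited_node(used) != group:
            continue                    # not a group member: the NS never reaches it
        if ipaddress.IPv6Address(used) == target:
            return False                # NA received: the address is already taken
    return True


if __name__ == "__main__":
    mac = "00-0E-0C-82-C4-D4"           # constructed sample MAC address
    addr = eui64_address("2001:db8::/64", eui64_interface_id(mac))
    print(addr, solicited_node(str(addr)))
    print(eui64_address("2001:db8::/64", isatap_interface_id("10.1.1.1")))
    print(dad_succeeds(str(addr), ["2001:db8::1"]))
```

Two points worth noting from the code: the group is keyed on the low 24 bits only, so two addresses that share them collide in the same multicast group and both receive each other's NS messages even though DAD still compares the full address; and because EUI-64 identifiers are derived from the MAC address, an address configured this way reveals the hardware identity of the interface on any network it joins.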
IPv6 path MTU discovery The links that a packet passes from a source to a destination may have different MTUs. In IPv6, when the packet size exceeds the path MTU, the packet is fragmented only by the source node; intermediate devices do not fragment IPv6 packets, which reduces their processing load and uses network resources effectively. The path MTU discovery mechanism is designed to find the minimum MTU of all links in the path between a source and a destination.
Tunneling Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of another network protocol and transfer them over the network. For more information about tunneling, see "Configuring tunneling." NAT-PT Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a device between IPv4 and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4 and IPv6 nodes.
• RFC 4191, Default Router Preferences and More-Specific Routes
• RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 4861, Neighbor Discovery for IP Version 6 (IPv6)
• RFC 4862, IPv6 Stateless Address Autoconfiguration
IPv6 basics configuration task list
Task: Enabling IPv6
  Remarks: Required.
Task: Configuring basic IPv6 functions (Configuring an IPv6 global unicast address; Configuring an IPv6 link-local address)
  Remarks: Required to configure one.
To enable IPv6:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable IPv6.
  Command: ipv6
  Remarks: Disabled by default.
Configuring an IPv6 global unicast address
Configure an IPv6 global unicast address by using the following options:
• EUI-64 IPv6 addressing—The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
• Manual configuration—The IPv6 global unicast address is configured manually.
Step 3: Configure an IPv6 address manually.
  Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
  Remarks: By default, no IPv6 global unicast address is configured on an interface.
Step 3: Configure an IPv6 link-local address manually.
  Command: ipv6 address ipv6-address link-local
  Remarks: Optional. By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
If you use Method 2, make sure the corresponding VLAN interface exists and that the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry.
To configure a static neighbor entry:
Step 1: Enter system view.
Step 2: Configure a static neighbor entry.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Set the aging timer for ND entries in stale state.
  Command: ipv6 neighbor stale-aging aging-time
  Remarks: Optional. 4 hours by default.
Configuring parameters related to RA messages
You can enable an interface to send RA messages, and configure the interval for sending RA messages and parameters in RA messages. After receiving an RA message, a host can use these parameters to perform corresponding operations.
Enabling sending of RA messages
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Disable RA message suppression.
  Command: undo ipv6 nd ra halt
  Remarks: By default, RA messages are suppressed.
Step 4: Configure the maximum and minimum intervals for sending RA messages.
  Remarks: Optional.
Step 7: Set the O flag bit to 1.
  Command: ipv6 nd autoconfig other-flag
  Remarks: Optional. By default, the O flag bit is set to 0 and hosts acquire other configuration information through stateless autoconfiguration.
Step 8: Configure the router lifetime in RA messages.
  Command: ipv6 nd ra router-lifetime value
  Remarks: Optional. The default setting is 1800 seconds.
Step 9: Set the NS retransmission timer.
  Remarks: Optional.
Configuring path MTU discovery
This section describes how to configure path MTU discovery.
Configuring the interface MTU
IPv6 routers do not fragment packets. After an IPv6 router receives an IPv6 packet, if the packet size is greater than the MTU of the forwarding interface, the router discards the packet and reports the MTU of that interface to the source host in an ICMPv6 Packet Too Big message. The source host fragments the packet according to the reported MTU and resends it.
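A simulation of the exchange just described (and of the "IPv6 path MTU discovery" overview earlier in this chapter): routers never fragment, the first link that is too narrow answers with Packet Too Big carrying its MTU, and the source shrinks the packet and resends until it gets through. This is an added example, not code from the guide; the three-link path, its MTUs and the packet sizes are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_MIN_LINK_MTU = 1280   # every IPv6 link must carry at least this
IPV6_HEADER = 40
FRAGMENT_HEADER = 8


@dataclass
class Link:
    name: str
    mtu: int


def forward(path: List[Link], packet_size: int) -> Optional[Link]:
    """Router behaviour from the text: no fragmentation in transit. The first
    link whose MTU is smaller than the packet answers with ICMPv6 Packet Too Big
    carrying that MTU (returned here as the Link); None means delivery."""
    for link in path:
        if packet_size > link.mtu:
            return link
    return None


def discover_path_mtu(path: List[Link], first_size: int) -> Tuple[int, List[Tuple[int, Optional[int]]]]:
    """Source-side loop: send, shrink to the advertised MTU on Packet Too Big,
    resend. Returns the path MTU and a (size sent, MTU reported) history."""
    size = first_size
    history: List[Tuple[int, Optional[int]]] = []
    while True:
        too_big_on = forward(path, size)
        history.append((size, None if too_big_on is None else too_big_on.mtu))
        if too_big_on is None:
            return size, history
        if too_big_on.mtu < IPV6_MIN_LINK_MTU:
            # a Packet Too Big below 1280 is invalid for IPv6; the host must not honour it
            raise ValueError(f"{too_big_on.name} reports an MTU below the IPv6 minimum")
        size = too_big_on.mtu


def fragments_needed(packet_size: int, path_mtu: int) -> int:
    """Fragments the source has to emit once it knows the path MTU: every
    fragment carries the 40-byte IPv6 header plus an 8-byte Fragment header,
    and all but the last hold a multiple of 8 bytes of the original payload."""
    payload = packet_size - IPV6_HEADER
    if payload <= path_mtu - IPV6_HEADER:
        return 1
    per_fragment = (path_mtu - IPV6_HEADER - FRAGMENT_HEADER) // 8 * 8
    return -(-payload // per_fragment)      # ceiling division


if __name__ == "__main__":
    # constructed path: the narrowest link decides the path MTU
    path = [Link("A-B", 1500), Link("B-C", 1400), Link("C-D", 1280)]
    pmtu, history = discover_path_mtu(path, 1500)
    print("path MTU:", pmtu, "rounds:", history)
    print("fragments for a 1500-byte packet:", fragments_needed(1500, pmtu))
```

Each Packet Too Big costs one round trip, which is why the discovered value is cached per destination and aged out (the `ipv6 pathmtu age` setting in the next table): without a cache every new flow would repeat the rounds shown in the history.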
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Configure the aging time for dynamic path MTUs.
  Command: ipv6 pathmtu age age-time
  Remarks: Optional. 10 minutes by default.
Configuring IPv6 TCP properties
You can configure the following IPv6 TCP properties:
• synwait timer—When a SYN packet is sent, the synwait timer is triggered. If no response packet is received before the synwait timer expires, the IPv6 TCP connection establishment fails.
sent, the number of tokens in a token bucket decreases by one. If the number of ICMPv6 error packets successively sent exceeds the capacity of the token bucket, the additional ICMPv6 error packets cannot be sent out until the capacity of the token bucket is restored.
To configure the capacity and update interval of the token bucket:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Configure the capacity and update interval of the token bucket.
  Remarks: Optional.
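The token bucket described above, written out in Python so the effect of capacity and update interval on a burst of would-be ICMPv6 error messages can be seen. This is an added example, not HP code; the refill model (the bucket is restored to full capacity once per update interval) is this example's reading of the text, and the timestamps in the sample burst are constructed.

```python
from typing import List


class Icmpv6ErrorBucket:
    """Rate limiter for ICMPv6 error messages as the text describes it: a bucket
    holding `capacity` tokens, one token spent per error message sent, and the
    bucket restored to full once per `interval_ms`. The refill-to-full rule is
    an assumption of this example; the guide names the two parameters only."""

    def __init__(self, capacity: int, interval_ms: int):
        if capacity < 1 or interval_ms < 1:
            raise ValueError("capacity and update interval must be positive")
        self.capacity = capacity
        self.interval_ms = interval_ms
        self.tokens = capacity
        self.last_update_ms = 0
        self.sent = 0
        self.suppressed = 0

    def _update(self, now_ms: int) -> None:
        if now_ms - self.last_update_ms >= self.interval_ms:
            self.tokens = self.capacity
            self.last_update_ms = now_ms

    def try_send(self, now_ms: int) -> bool:
        """True if an ICMPv6 error message may be sent at time now_ms."""
        self._update(now_ms)
        if self.tokens == 0:
            self.suppressed += 1
            return False
        self.tokens -= 1
        self.sent += 1
        return True


def simulate(capacity: int, interval_ms: int, error_times_ms: List[int]) -> List[bool]:
    """Feed a burst of would-be error messages (timestamps in ms) through one bucket."""
    bucket = Icmpv6ErrorBucket(capacity, interval_ms)
    return [bucket.try_send(t) for t in error_times_ms]


if __name__ == "__main__":
    # constructed burst: 10 undeliverable packets arrive within 50 ms, then two more later
    burst = [0, 5, 10, 15, 20, 25, 30, 35, 40, 45, 100, 110]
    decisions = simulate(3, 100, burst)
    print(decisions)
    print("sent", decisions.count(True), "suppressed", decisions.count(False))
```

The limiter is what keeps a flood of undeliverable packets from turning the router into a generator of Destination Unreachable or Time Exceeded messages: with capacity 3 and an interval of 100 ms, the burst above yields three error messages, not twelve.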
Step 2: Enable sending ICMPv6 Time Exceeded messages.
  Command: ipv6 hoplimit-expires enable
  Remarks: Optional. Enabled by default.
Enabling sending ICMPv6 destination unreachable messages
If the device fails to forward a received IPv6 packet because of one of the following reasons, it drops the packet and sends a corresponding ICMPv6 Destination Unreachable error message to the source.
Step 2: Enable sending ICMPv6 redirect messages.
  Command: ipv6 redirects enable
  Remarks: Optional. By default, this function is disabled.
Enabling the device to discard IPv6 packets that contain extension headers
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the device to discard IPv6 packets that contain extension headers.
  Command: ipv6 option drop enable
  Remarks: By default, the device does not discard IPv6 packets that contain extension headers.
Task: Display the total number of neighbor entries meeting the specified conditions (in standalone mode).
  Command: display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the total number of neighbor entries meeting the specified conditions (in IRF mode).
Task: Clear all IPv6 TCP connection statistics.
  Command: reset tcp ipv6 statistics
  Remarks: Available in user view.
Task: Clear the statistics of all IPv6 UDP packets.
  Command: reset udp ipv6 statistics
  Remarks: Available in user view.
IPv6 basics configuration example
Network requirements
As shown in Figure 61, a host, Router A, and Router B are connected through GigabitEthernet interfaces. Configure IPv6 addresses for the interfaces and verify that they are connected.
# Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1.
[RouterB] ipv6 route-static 2001:: 64 3001::1
3. Configure the host:
# Enable IPv6 for the host to obtain an IPv6 address automatically through IPv6 ND.
# Execute the ping ipv6 command on Router A to verify the connectivity between Router A and Router B.
    FF02::1:FF00:2
    FF02::2
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
  InReceives: 25829
  InTooShorts: 0
  InTruncatedPkts: 0
  InHopLimitExceeds: 0
  InBadHeaders: 0
  InBadOptions: 0
  ReasmReqds: 0
  ReasmOKs: 0
  InFragDrops: 0
  InFragTimeouts: 0
  OutFragFails: 0
  InUnknownProtos: 0
  InDelivers: 47
  OutRequests: 89
  OutForw
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 600 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
  InReceives: 272
  InTooShorts: 0
  InTruncatedPkts: 0
  InHopLimitExceeds: 0
  InBadHeaders: 0
  InBadOptions: 0
  R
    FF02::1
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
  InReceives: 117
  InTooShorts: 0
  InTruncatedPkts: 0
  InHopLimitExceeds: 0
  InBadHeaders: 0
  InBadOptions: 0
  ReasmReqds: 0
  ReasmOKs: 0
  InFragDrops: 0
  InFragTimeouts: 0
  OutFragFails: 0
  InUnknownProtos: 0
  InDelivers: 117
  OutRequests: 83
  OutForwDatagrams: 0
  InNoRoute
[RouterB-GigabitEthernet2/0/1] ping ipv6 -c 1 2001::15B:E0EA:3524:E791
  PING 2001::15B:E0EA:3524:E791 : 56 data bytes, press CTRL_C to break
    Reply from 2001::15B:E0EA:3524:E791
    bytes=56 Sequence=1 hop limit=63 time = 3 ms
  --- 2001::15B:E0EA:3524:E791 ping statistics ---
    1 packet(s) transmitted
    1 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 3/3/3 ms
The output shows that Router B can ping Router A and the host.
DHCPv6 overview
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
Basic concepts
Multicast addresses used by DHCPv6
DHCPv6 uses the multicast address FF05::1:3 to identify all DHCPv6 servers on the site-local scope, and uses the multicast address FF02::1:2 to identify all DHCPv6 servers and relay agents on the link-local scope.
Binding
The DHCPv6 server uses bindings to record the configuration information assigned to DHCPv6 clients, including the IPv6 address/prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
PD
The DHCPv6 server creates a Prefix Delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
The assignment involving four messages operates as follows:
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2.
For more information about the valid lifetime and the preferred lifetime, see "Configuring IPv6 basics."
Stateless DHCPv6 configuration
After obtaining an IPv6 address/prefix, a device can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server. This application is called stateless DHCPv6 configuration.
Configuring the DHCPv6 server
Introduction to the DHCPv6 server
To simplify IPv6 address management and network configuration, you can configure a DHCPv6 server to assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.
Prefix selection process
To configure a DHCPv6 server to assign IPv6 prefixes to DHCPv6 clients, you must apply an address pool on the receiving interface of the DHCPv6 server. Upon receiving a request, the DHCPv6 server searches all address pools for a static IPv6 prefix bound to the client.
• If a match is found in an address pool, the server assigns the client the IPv6 prefix and other configuration parameters in the address pool.
Enabling the DHCPv6 server
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable the DHCPv6 server function.
  Command: ipv6 dhcp server enable
  Remarks: Disabled by default.
Step 3: Create a DHCPv6 address pool and enter its view.
  Command: ipv6 dhcp pool pool-number
  Remarks: Not configured by default.
Step 4: Configure the DHCPv6 server.
  Command (use at least one):
  • Configure a static prefix binding: static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
  • Apply a prefix pool to the address pool:
  Remarks: Use at least one command. Not configured by default.
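How the prefix selection process described under "Prefix selection process" plays out, with the two options from the table above (a static prefix binding keyed by DUID, and a prefix pool applied to the address pool), as a Python model. This is an added example and not HP code: the DUIDs reuse values that appear in the static address assignment example later in this chapter, the static prefix 2001:db8:100::/48 is constructed, the prefix pool 2001:410::/32 with assign-len 48 is the one from the prefix delegation example, and the lifetimes are the values used in the dynamic address example. Renewal of an existing binding returning the same prefix is standard DHCPv6 behaviour rather than something the guide states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple


@dataclass
class Binding:
    """What a PD records according to the overview: prefix, client DUID, IAID
    and the two lifetimes (the lease expiration time is omitted here)."""
    prefix: ipaddress.IPv6Network
    duid: str
    iaid: int
    preferred_lifetime: int
    valid_lifetime: int
    source: str            # "static" or "dynamic"


class PrefixPool:
    """Counterpart of `ipv6 dhcp prefix-pool N prefix P assign-len L`: hands
    out consecutive /L subnets of P until none is left."""

    def __init__(self, prefix: str, assign_len: int):
        self.network = ipaddress.IPv6Network(prefix)
        self._subnets: Iterator[ipaddress.IPv6Network] = self.network.subnets(new_prefix=assign_len)

    def allocate(self) -> Optional[ipaddress.IPv6Network]:
        return next(self._subnets, None)


@dataclass
class AddressPool:
    """Counterpart of `ipv6 dhcp pool N` with its static-bind prefix entries
    and, optionally, an applied prefix pool. Lifetimes default to the values
    used in the dynamic address example of this chapter."""
    number: int
    prefix_pool: Optional[PrefixPool] = None
    preferred_lifetime: int = 86400
    valid_lifetime: int = 259200
    static_prefixes: Dict[str, ipaddress.IPv6Network] = field(default_factory=dict)

    def static_bind_prefix(self, prefix: str, duid: str) -> None:
        self.static_prefixes[duid.upper()] = ipaddress.IPv6Network(prefix)


class Dhcpv6PdServer:
    def __init__(self, pools: List[AddressPool], interface_pool: int):
        self.pools = {p.number: p for p in pools}
        self.interface_pool = self.pools[interface_pool]   # pool applied on the receiving interface
        self.bindings: Dict[Tuple[str, int], Binding] = {}

    def request_prefix(self, duid: str, iaid: int) -> Optional[Binding]:
        key = (duid.upper(), iaid)
        if key in self.bindings:
            return self.bindings[key]       # existing binding is returned, not reassigned
        # 1. every address pool is searched for a static prefix bound to this client
        for pool in self.pools.values():
            prefix = pool.static_prefixes.get(key[0])
            if prefix is not None:
                return self._bind(key, prefix, pool, "static")
        # 2. otherwise the prefix pool applied to the interface's address pool is used
        pool = self.interface_pool
        if pool.prefix_pool is None:
            return None                     # nothing to delegate from
        prefix = pool.prefix_pool.allocate()
        if prefix is None:
            return None                     # prefix pool exhausted
        return self._bind(key, prefix, pool, "dynamic")

    def _bind(self, key: Tuple[str, int], prefix: ipaddress.IPv6Network,
              pool: AddressPool, source: str) -> Binding:
        binding = Binding(prefix, key[0], key[1], pool.preferred_lifetime, pool.valid_lifetime, source)
        self.bindings[key] = binding
        return binding


if __name__ == "__main__":
    pool1 = AddressPool(1, prefix_pool=PrefixPool("2001:0410::/32", 48))
    pool1.static_bind_prefix("2001:db8:100::/48", "00030001CA0006A40000")   # constructed binding
    server = Dhcpv6PdServer([pool1], interface_pool=1)
    for duid in ("FF00010006498D3322000102030405", "00030001CA0006A40000"):
        b = server.request_prefix(duid, 1)
        print(duid, "->", b.prefix, b.source, b.preferred_lifetime, b.valid_lifetime)
```

The static lookup runs over every pool while the dynamic fallback uses only the pool applied to the receiving interface, which is the distinction the text draws; the first dynamic answer is 2001:410::/48, matching the binding shown in the prefix delegation example's output.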
Step 1: Enter system view.
  Command: system-view
  Description: N/A
Step 2: Create a DHCPv6 address pool and enter its view.
  Command: ipv6 dhcp pool pool-number
  Description: Not configured by default.
Step 3: Configure the DHCPv6 server.
  • Configure a static IPv6 address binding:
Enabling the DHCPv6 server on an interface
To enable the DHCPv6 server to assign IPv6 prefixes to clients, you must apply an address pool when enabling the DHCP server on the interface. If you only need the DHCPv6 server to assign IPv6 addresses to clients, you do not need to apply an address pool.
Follow these guidelines when you enable the DHCPv6 server on an interface:
• An interface cannot serve as a DHCPv6 server and DHCPv6 relay agent at the same time.
Task: Display information about IPv6 address bindings.
  Command: display ipv6 dhcp server ip-in-use { address ipv6-address | all | pool pool-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display information about IPv6 prefix bindings.
  Command: display ipv6 dhcp server pd-in-use { all | pool pool-number | prefix prefix/prefix-len | prefix-pool prefix-pool-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Figure 69 Network diagram
Configuration procedure
# Enable IPv6 and DHCPv6 server.
system-view
[Router] ipv6
[Router] ipv6 dhcp server enable
# Configure the IPv6 address of GigabitEthernet 2/1/1.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] ipv6 address 1::1/64
[Router-GigabitEthernet2/1/1] quit
# Create and configure prefix pool 1.
[Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
# Create address pool 1.
[Router-GigabitEthernet2/1/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display the DHCPv6 server configuration information on GigabitEthernet 2/1/1.
[Router-GigabitEthernet2/1/1] display ipv6 dhcp server interface gigabitethernet 2/1/1
  Using pool: 1
  Preference value: 255
  Allow-hint: Enabled
  Rapid-commit: Enabled
# Display information about address pool 1.
  2001:410::/48 Auto(C) 1 Jul 10 2011 20:44:05
Static IPv6 address assignment configuration example
Network requirements
As shown in Figure 70, the router serves as a DHCPv6 server with IPv6 address 1::1/64. It assigns IPv6 address 1::A/124 to the client whose DUID is FF00010006498D3322000102030405, and assigns IPv6 address 1::B/124 to the client whose DUID is 00030001CA0006A40000.
Configuration considerations
Configure the following settings on the DHCPv6 server:
1. Enable IPv6 and DHCPv6 server.
2.
# Enable the DHCPv6 server on interface GigabitEthernet 2/1/1, apply address pool 1 to the interface, configure the address pool to support desired address assignment and rapid address assignment, and set the precedence to the highest.
[Router] interface gigabitethernet 2/1/1
[Router-GigabitEthernet2/1/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display the DHCPv6 server configuration information on GigabitEthernet 2/1/1.
Dynamic IPv6 address assignment configuration example
Network requirements
As shown in Figure 71, serving as the DHCPv6 server, the router assigns IPv6 addresses on subnet 1:2::/32 to clients Host A and Host B, and assigns IPv6 addresses on subnet 1:3::/32 to clients Host C and Host D.
Configuration considerations
Configure the following settings on the DHCPv6 server:
1. Enable IPv6 and DHCPv6 server.
2.
[Router-dhcp6-pool-1] network 1:2::/32 preferred-lifetime 86400 valid-lifetime 259200
[Router-dhcp6-pool-1] quit
# Create address pool 2, specify subnet 1:3::/32 in the address pool, and set the preferred lifetime to one day and valid lifetime to three days.
  1:2::3 Auto(C) 1 Jul 10 2011 19:45:01
# After Host C and Host D have obtained IPv6 addresses, display the IPv6 address binding information on the DHCPv6 server.
Configuring the DHCPv6 relay agent
Overview
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 72, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server through a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
Figure 73 Operating process of a DHCPv6 relay agent
  DHCPv6 client, DHCPv6 relay agent, DHCPv6 server:
  (1) Solicit (contains a Rapid Commit option), client to relay agent
  (2) Relay-forward, relay agent to server
  (3) Relay-reply, server to relay agent
  (4) Reply, relay agent to client
Configuration prerequisites
Before you configure the DHCPv6 relay agent, enable IPv6 by using the ipv6 command in system view.
Configuration guidelines
• You can specify up to eight DHCPv6 servers for an interface.
Displaying and maintaining the DHCPv6 relay agent
Task: Display the DUID of the local device.
  Command: display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display DHCPv6 server addresses specified on the DHCPv6 relay agent.
  Command: display ipv6 dhcp relay server-address { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display packet statistics on the DHCPv6 relay agent.
# Enable IPv6.
system-view
[RouterA] ipv6
# Configure the IPv6 addresses of GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2, respectively.
[RouterA] interface gigabitethernet 2/1/2
[RouterA-GigabitEthernet2/1/2] ipv6 address 2::1 64
[RouterA-GigabitEthernet2/1/2] quit
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ipv6 address 1::1 64
# Enable DHCPv6 relay agent and specify the DHCPv6 server address on interface GigabitEthernet 2/1/1.
  RELAY-REPLY : 0
Configuring IPv6 DNS
IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see "Configuring IPv4 DNS."
Configuring the IPv6 DNS client
This section explains how to configure static and dynamic domain resolution for the IPv6 DNS client.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enable dynamic domain name resolution.
  Command: dns resolve
  Remarks: Disabled by default.
Step 3: Specify a DNS server.
  Command: dns server ipv6 ipv6-address [ interface-type interface-number ]
  Remarks: Not specified by default. If the IPv6 address of a DNS server is a link-local address, you need to specify the interface-type and interface-number arguments.
Step 4: Configure a DNS suffix.
  Command: dns domain domain-name
  Remarks: Optional. Not configured by default.
Figure 75 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
system-view
[Router] ipv6 host host.com 1::2
# Enable IPv6.
[Router] ipv6
# Use the ping ipv6 host.com command to verify that Router can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[Router] ping ipv6 host.com
  PING host.
Configure dynamic domain name resolution and the domain name suffix com on Router, which serves as a DNS client, so that Router can use the domain name host to access the host with the domain name host.com and the IPv6 address 1::1/64.
Figure 76 Network diagram
Configuration procedure
Before performing the following configuration, make sure Router and the host are accessible to each other through available routes, and the IPv6 addresses of the interfaces are configured as shown in Figure 76.
Figure 78 Creating a record
d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
e. Click Create Record.
Figure 79 Selecting the resource record type
f. On the page that appears, enter host name host and IPv6 address 1::1, and then click OK. The mapping between the host name and the IPv6 address is created.
Figure 80 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Router] dns resolve
# Specify the DNS server 2::2.
[Router] dns server ipv6 2::2
# Configure com as the DNS suffix.
[Router] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on Router to verify that the communication between Router and the host is normal and that the corresponding destination IP address is 1::1.
    bytes=56 Sequence=2 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=3 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=4 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=5 hop limit=126 time = 1 ms
  --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.
Configuring NAT-PT
Overview
Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network. As shown in Figure 81, NAT-PT runs on the device between IPv4 and IPv6 networks. The address translation is transparent to both IPv4 and IPv6 networks.
NAT-PT prefix
The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates source and destination IPv6 addresses of the packet into IPv4 addresses.
Session initiated by an IPv4 host
The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.
2.
NAT-PT configuration task list
Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Task: Enabling NAT-PT
  Remarks: Required.
Task: Configuring a NAT-PT prefix
  Remarks: Required.
Task: Configuring IPv4/IPv6 address mappings on the IPv6 side
  Remarks: Required.
Task: Configuring a static mapping on the IPv4 side
  Remarks: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
• The natpt enable command enables both NAT-PT and Address Family Translation (AFT). For information about AFT, see "Configuring AFT."
• Do not configure NAT-PT mapping policies and AFT policies on the same device.
To enable NAT-PT:
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable NAT-PT on the interface.
  Command: natpt enable
  Remarks: Disabled by default.
Step 1: Enter system view.
  Command: system-view
Step 2: Configure a static IPv4/IPv6 address mapping on the IPv6 side.
Step 3: Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side.
  Command (use one of the commands):
  • Associate an IPv6 ACL with an address pool: natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ]
  • Associate an IPv6 ACL with an interface
  Remarks: Use one of the commands. If the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address of the specified address pool or interface.
Configuring a dynamic mapping policy on the IPv4 side
A dynamic IPv4/IPv6 address mapping policy on the IPv4 side works as follows: if the source IPv4 address of a packet matches the specified ACL, the NAT-PT prefix is prepended to the source IPv4 address to form the translated IPv6 address. The natpt-prefix argument specified in the natpt v6bound dynamic acl number acl-number prefix natpt-prefix command must have been configured with the natpt prefix command. For more information about ACL, see ACL and QoS Configuration Guide.
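The address-translation rules of this chapter (the 96-bit NAT-PT prefix, the lowest-32-bits fallback from the task list, static mappings on either side, the dynamic IPv6-side policy with an address group, and the dynamic IPv4-side policy that prepends the prefix) combined into one Python model. This is an added example, not HP code and not the device's implementation; the prefix 3001::/96, the address group 9.0.0.10 to 9.0.0.19 and the static mappings 2001::2 to 8.0.0.5 and 9.0.0.2 to 3001::5 are values from the configuration examples at the end of this chapter, the IPv6 ACL is modelled as a list of permitted networks (2001::/64, constructed), and the rule that responses to a dynamic binding may enter from the IPv4 side is this example's assumption.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


def _key_for(mapping: Dict, value) -> Optional[object]:
    """Reverse lookup in a small static-mapping table."""
    for k, v in mapping.items():
        if v == value:
            return k
    return None


class NatPt:
    """Translation rules of a NAT-PT device as this chapter describes them.
    Assumptions of this example, not taken from the guide: the IPv6 ACL is a
    list of permitted IPv6 networks, the address group is handed out in order,
    and a dynamic binding also admits packets arriving from the IPv4 side."""

    def __init__(self, natpt_prefix: str, address_group: List[str], acl6: List[str]):
        self.prefix = ipaddress.IPv6Network(natpt_prefix)
        if self.prefix.prefixlen != 96:
            raise ValueError("the NAT-PT prefix is 96 bits long")
        self.free_v4 = [IPv4(a) for a in address_group]
        self.acl6 = [ipaddress.IPv6Network(n) for n in acl6]
        self.v6side_static: Dict[IPv6, IPv4] = {}   # IPv6 host -> IPv4 address it is reached at
        self.v4side_static: Dict[IPv4, IPv6] = {}   # IPv4 host -> IPv6 address it is reached at
        self.dynamic: Dict[IPv6, IPv4] = {}         # IPv6 source -> address-group member

    def v6bound_static(self, v6: str, v4: str) -> None:
        self.v6side_static[IPv6(v6)] = IPv4(v4)

    def v4bound_static(self, v4: str, v6: str) -> None:
        self.v4side_static[IPv4(v4)] = IPv6(v6)

    def embed(self, v4) -> IPv6:
        """NAT-PT prefix followed by the 32-bit IPv4 address (dynamic IPv4-side policy)."""
        return IPv6(self.prefix.network_address.packed[:12] + IPv4(v4).packed)

    def extract(self, v6) -> IPv4:
        """The lowest 32 bits of an address that carries the NAT-PT prefix."""
        return IPv4(IPv6(v6).packed[12:])

    def v6_to_v4(self, src6: str, dst6: str) -> Optional[Tuple[str, str]]:
        """Session initiated by an IPv6 host: (source IPv4, destination IPv4),
        or None when the packet is not translated."""
        src, dst = IPv6(src6), IPv6(dst6)
        if dst not in self.prefix:
            return None                      # prefix differs: not NAT-PT traffic
        dst4 = _key_for(self.v4side_static, dst)
        if dst4 is None:
            dst4 = self.extract(dst)         # no static mapping: lowest 32 bits
        if src in self.v6side_static:
            src4 = self.v6side_static[src]
        elif src in self.dynamic:
            src4 = self.dynamic[src]         # binding already exists
        elif any(src in net for net in self.acl6):
            if not self.free_v4:
                return None                  # address group exhausted
            src4 = self.free_v4.pop(0)
            self.dynamic[src] = src4
        else:
            return None                      # source not permitted by the ACL
        return str(src4), str(dst4)

    def v4_to_v6(self, src4: str, dst4: str) -> Optional[Tuple[str, str]]:
        """Session initiated by an IPv4 host (or a response): the destination
        must match a mapping on the IPv6 side, otherwise nothing is translated."""
        src, dst = IPv4(src4), IPv4(dst4)
        dst6 = _key_for(self.v6side_static, dst)
        if dst6 is None:
            dst6 = _key_for(self.dynamic, dst)
        if dst6 is None:
            return None
        src6 = self.v4side_static.get(src)
        if src6 is None:
            src6 = self.embed(src)           # dynamic IPv4-side policy: prefix + IPv4
        return str(src6), str(dst6)
```

Two points worth noticing when reviewing such a device's configuration: an IPv6 host is only reachable from the IPv4 side through a static IPv6-side mapping or a binding it opened itself, and once the address group is exhausted new IPv6 sources are simply not translated, so pool size has to match the number of concurrent IPv6 hosts unless PAT is used.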
Configuring static NAPT-PT mappings of IPv6 servers
Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network provides services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can specify a static NAPT-PT mapping between the IPv6 address plus the port number and the IPv4 address plus the port number of the IPv6 server.
Task: Display NAT-PT statistics information (in IRF mode).
  Command: display natpt statistics [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Clear all NAT-PT statistics information (in standalone mode).
  Command: reset natpt statistics [ slot slot-number ]
  Remarks: Available in user view.
Task: Clear all NAT-PT statistics information (in IRF mode).
  Command: reset natpt statistics [ chassis chassis-number slot slot-number ]
  Remarks: Available in user view.
# Configure a NAT-PT address pool.
[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19
# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.
[RouterB] natpt v6bound dynamic prefix 3001:: address-group 1
2. Configure Router A on the IPv4 side:
# Configure a static route to subnet 9.0.0.0/24.
system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
[RouterB-Serial2/2/1] natpt enable
[RouterB-Serial2/2/1] quit
# Configure a NAT-PT prefix.
[RouterB] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[RouterB] natpt v4bound static 9.0.0.2 3001::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[RouterB] natpt v6bound static 2001::2 8.0.0.5
2. Configure Router A:
# Configure a static route to subnet 9.0.0.0/24.
system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3.
Configuring AFT
Overview
Address Family Translation (AFT) is a transition technology for communication between IPv4 and IPv6 networks. As shown in Figure 85, the AFT router performs address and protocol translation between IPv4 and IPv6 networks. With AFT, IPv6 and IPv4 hosts can communicate with one another without having their configurations changed.
Figure 86 DNS64 prefix is added to an IPv4 address to translate it into an IPv6 address
When an IPv4 packet is sent from an IPv4 host to an IPv6 host, AFT translates its source IPv4 address to an IPv6 address by adding a DNS64 prefix. When an IPv6 host sends a packet to an IPv4 host, the destination IPv6 address is formed by adding the DNS64 prefix to the IPv4 address of the IPv4 host.
Stateful AFT is used only when the source IPv6 address of an IPv6 packet is translated into an IPv4 address and the source IPv6 address is not an IVI address. Otherwise, stateless AFT is used. Stateful AFT can also perform port address translation (PAT) to translate both addresses and TCP/UDP port numbers. This method can translate multiple IPv6 addresses into one IPv4 address. It distinguishes the IPv6 addresses by port number.
4. Forwards the packet and records the mapping. The AFT performs protocol translation such as changing the IPv6 header to the IPv4 header, forwards the packet, and records the IPv4-IPv6 mappings.
5. Translates and forwards the response packet. Upon receiving a response from the IPv4 host, the AFT replaces the IPv4 addresses in the packet header with IPv6 addresses based on the recorded address mappings and forwards the packet to the IPv6 host.
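Steps 4 and 5 above, together with the stateful PAT behaviour described just before them (and the `[ no-pat ]` address-group option of the NAT-PT chapter, which is the same mechanism), as a Python session table: many IPv6 initiators share one IPv4 address, the translator tells them apart by the port it assigned, and a response is only rewritten if a recorded mapping exists for it. This is an added example, not HP code and not what `display session table` implements; it assumes a /32 DNS64 prefix (IPv4 in bits 32 to 63, as in 2000:0:0404:0402:: for 4.4.4.2 in the session output later in this chapter), sequential port allocation, the pool address 6.6.6.10 and the client addresses 2001:db8::a and 2001:db8::b, all of which are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulPat:
    """Stateful translation with PAT: every IPv6 initiator shares one IPv4
    address and is distinguished by the port the translator assigned.
    Assumptions of this example: a /32 DNS64 prefix (IPv4 in bits 32..63)
    and sequential port allocation from first_port upwards."""

    def __init__(self, pool_v4: str, first_port: int = 1024, last_port: int = 65535):
        self.pool_v4 = pool_v4
        self.next_port = first_port
        self.last_port = last_port
        self.by_v6: Dict[Tuple[str, int, str], int] = {}          # (src6, sport, proto) -> assigned port
        self.by_v4: Dict[Tuple[str, int], Tuple[str, int, str]] = {}   # (proto, port) -> (src6, sport, dst6)

    @staticmethod
    def ipv4_from_dns64(addr6: str) -> str:
        return str(ipaddress.IPv4Address(ipaddress.IPv6Address(addr6).packed[4:8]))

    def v6_to_v4(self, p: Packet) -> Optional[Packet]:
        """Step 4: translate, forward and record the mapping."""
        key = (p.src, p.sport, p.proto)
        port = self.by_v6.get(key)
        if port is None:
            if self.next_port > self.last_port:
                return None                  # no port left for a new session
            port = self.next_port
            self.next_port += 1
            self.by_v6[key] = port
            self.by_v4[(p.proto, port)] = (p.src, p.sport, p.dst)
        return Packet(self.pool_v4, port, self.ipv4_from_dns64(p.dst), p.dport, p.proto)

    def v4_to_v6(self, p: Packet) -> Optional[Packet]:
        """Step 5: rewrite a response from the recorded mapping; anything that
        has no session, or comes from a host the session was not opened to, is dropped."""
        if p.dst != self.pool_v4:
            return None
        entry = self.by_v4.get((p.proto, p.dport))
        if entry is None:
            return None
        src6, sport, dst6 = entry
        if self.ipv4_from_dns64(dst6) != p.src:
            return None
        return Packet(dst6, p.sport, src6, sport, p.proto)

    def session_count(self) -> int:
        return len(self.by_v4)


if __name__ == "__main__":
    t = StatefulPat("6.6.6.10")
    for host in ("2001:db8::a", "2001:db8::b"):
        print(t.v6_to_v4(Packet(host, 40000, "2000:0:404:402::", 80)))
    print(t.v4_to_v6(Packet("4.4.4.2", 80, "6.6.6.10", 1025)))
    print("unsolicited:", t.v4_to_v6(Packet("4.4.4.2", 80, "6.6.6.10", 9999)))
```

The drop of unsolicited inbound packets is the defensive consequence of keeping state: an IPv4 host can only reach an IPv6 host through a session that host opened, which is why the page's troubleshooting section points at the address pool and the recorded mappings when translation fails.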
To view the address mappings, use the display session table command. For more information about this command, see Security Configuration Guide.
DNS64 function
A DNS client in an IPv6 network cannot communicate with a DNS server in an IPv4 network because their address formats are different. The DNS64 function of AFT can solve this issue. When an IPv6 host sends an AAAA (IPv6) DNS query to an IPv4 DNS server, the destination IPv6 address is translated from the IPv4 address of the DNS server.
AFT configuration task list
IPv4-to-IPv6 static mappings configuration task list
Task: Enabling AFT
  Remarks: Required.
Task: Configuring an IPv4-to-IPv6 static mapping
  Remarks: Required.
When communication is initiated by an IPv6 host
Task: Enabling AFT
  Remarks: Required.
Task: Configuring an IVI prefix
  Remarks: Required.
Task: Configuring a 6to4 AFT policy
  Remarks: Perform either one.
When communication is initiated by an IPv4 host
Task: Enabling AFT
  Remarks: Required.
Task: Configuring an IVI prefix
  Remarks: Required.
Step 1: Enter system view.
  Command: system-view
  Remarks: N/A
Step 2: Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3: Enable AFT on the interface.
  Command: aft enable
  Remarks: Disabled by default. This command enables both AFT and NAT-PT. For more information about NAT-PT, see "Configuring NAT-PT."
Configuring an IPv4-to-IPv6 static mapping
Follow these guidelines when you configure an IPv4-to-IPv6 static mapping:
• AFT static mappings take priority over IVI prefixes and dynamic mappings.
Step 2: Configure an IVI prefix.
  Command: aft prefix-ivi ivi-prefix
  Remarks: No IVI prefix is configured by default. The DNS64 prefix cannot be the same as the IVI prefix. Repeat this command to configure multiple IVI prefixes.
Configuring a 6to4 AFT policy
When the communication is initiated by an IPv6 host and the address of the IPv6 host is not an IVI address, the AFT translates the IPv6 address into an IPv4 address based on the 6to4 AFT policy.
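The two address forms this chapter relies on (the DNS64 prefix of Figure 86 and the IVI prefix configured above), the stateful-versus-stateless decision from the overview, and the DNS64 synthesis of AAAA answers, written out in Python and checked against the addresses that appear in this chapter's configuration examples (2000:0:0404:0402:: for 4.4.4.2 and 2000:0:303:305:: for 3.3.3.5 under DNS64 prefix 2000::/32; 0006:0:ff06:0606:0200:: for 6.6.6.2 under IVI prefix 6::). This is an added example and not HP code; the /32 length of the IVI prefix is inferred from that address rather than stated by the guide, and the A records fed to the synthesis function are constructed.

```python
import ipaddress
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


def dns64_embed(dns64_prefix: str, ipv4: str) -> str:
    """DNS64 prefix form used on this page (/32): the 32-bit prefix, the IPv4
    address in bits 32..63, and a zero suffix."""
    net = ipaddress.IPv6Network(dns64_prefix)
    if net.prefixlen != 32:
        raise ValueError("this example covers the /32 DNS64 prefix shown in the guide")
    return str(IPv6(net.network_address.packed[:4] + IPv4(ipv4).packed + bytes(8)))


def dns64_extract(dns64_prefix: str, addr6: str) -> Optional[str]:
    """Reverse direction: the embedded IPv4 address, or None if the prefix does not match."""
    net = ipaddress.IPv6Network(dns64_prefix)
    addr = IPv6(addr6)
    if net.prefixlen != 32 or addr not in net:
        return None
    return str(IPv4(addr.packed[4:8]))


def ivi_embed(ivi_prefix: str, ipv4: str) -> str:
    """IVI address as it appears in this chapter (0006:0:ff06:0606:0200:: for
    6.6.6.2 under prefix 6::): 32-bit ISP prefix, the byte 0xFF, the IPv4
    address, then zeros. The /32 length is an inference of this example."""
    net = ipaddress.IPv6Network(ivi_prefix)
    if net.prefixlen != 32:
        raise ValueError("the IVI prefix is taken to be 32 bits long")
    return str(IPv6(net.network_address.packed[:4] + b"\xff" + IPv4(ipv4).packed + bytes(7)))


def ivi_extract(ivi_prefix: str, addr6: str) -> Optional[str]:
    """IPv4 address carried by an IVI address, or None if it is not one."""
    net = ipaddress.IPv6Network(ivi_prefix)
    addr = IPv6(addr6)
    if net.prefixlen != 32 or addr not in net or addr.packed[4] != 0xFF:
        return None
    return str(IPv4(addr.packed[5:9]))


def is_ivi_address(ivi_prefixes: List[str], addr6: str) -> bool:
    return any(ivi_extract(p, addr6) is not None for p in ivi_prefixes)


def aft_mode(ivi_prefixes: List[str], src6: str) -> str:
    """Rule from the overview: stateful only when an IPv6 source that is not an
    IVI address must become an IPv4 address; otherwise stateless."""
    return "stateless" if is_ivi_address(ivi_prefixes, src6) else "stateful"


def synthesize_aaaa(dns64_prefix: str, a_records: List[str]) -> List[str]:
    """DNS64: turn the A answers of an IPv4 DNS server into AAAA answers."""
    return [dns64_embed(dns64_prefix, a) for a in a_records]


if __name__ == "__main__":
    print(dns64_embed("2000::/32", "4.4.4.2"), dns64_embed("2000::/32", "3.3.3.5"))
    print(ivi_embed("6::/32", "6.6.6.2"), ivi_extract("6::/32", "0006:0:ff06:0606:0200::"))
    for src in ("6:0:ff06:606:200::", "2001:db8::1"):
        print(src, "->", aft_mode(["6::/32"], src))
    print(synthesize_aaaa("2000::/32", ["3.3.3.5"]))   # constructed A record
```

The IVI check insists on the 0xFF byte and not just on the prefix, which is what keeps an ordinary address that merely starts with 6:: from being translated statelessly as if it carried an IPv4 address.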
Step 2: Configure an AFT IPv4 address pool.
  Command: aft address-group group-number start-ipv4-address end-ipv4-address
  Remarks: Required for type 1 and type 3. Ignored for type 2 and type 4.
Step 3: Configure the 6to4 AFT policy.
  Command:
  • Associate an IPv6 ACL with an address pool: aft v6tov4 acl6 number acl6-number address-group group-number [ no-pat ]
  • Associate an IPv6 ACL with an interface address: aft v6tov4 acl6 number acl6-number interface interface-type interface-number
Step 3: Configure the 4to6 AFT policy for destination address translation.
  Command: aft v4tov6 acl number acl-number prefix-ivi ivi-prefix
  Remarks: N/A
The DNS64 and IVI prefixes must be those configured by the aft prefix-dns64 and aft prefix-ivi commands. With the DNS64 function, the AFT translates the IPv4 address resolved by the DNS server into an IPv6 address by using the DNS64 prefix specified in the 4to6 AFT policy for source address translation.
Figure 90 An IPv6 host with an IVI address initiates communication with an IPv4 host
Configuration consideration
The IPv6 address of Host A is an IVI address. For Host A to communicate with Host C, enable AFT, and configure DNS64 and IVI prefixes on Router B.
Configuration procedure
1. Configure Router B (the AFT):
# Enable IPv6.
system-view
[RouterB] ipv6
# Configure IP addresses for the interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2, and enable AFT on the interfaces.
# Execute the display session table verbose command on Router B to view the established sessions.
[RouterB] display session table verbose
  Initiator:
    Source IP/Port : 0006:0:ff06:0606:0200::/32768
    Dest IP/Port : 2000:0:0404:0402::/43982
    VPN-Instance/VLAN ID/VLL ID:
  Responder:
    Source IP/Port : 4.4.4.2/0
    Dest IP/Port : 6.6.6.
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] ip address 4.4.4.1 24
[RouterB-GigabitEthernet3/0/2] aft enable
[RouterB-GigabitEthernet3/0/2] quit
# Configure the DNS64 prefix.
[RouterB] aft prefix-dns64 2000:: 32
# Configure the IVI prefix.
[RouterB] aft prefix-ivi 6::
# Create ACL 3000 to permit IP packets destined to the IPv4 network 6.6.6.0/24, which is embedded in the IVI address.
# Execute the display session table verbose command on Router B to view the established sessions.
[RouterB] display session table verbose
  Initiator:
    Source IP/Port : 4.4.4.2/2048
    Dest IP/Port : 6.6.6.
Configuration procedure
1. Configure Router B (the AFT):
# Enable IPv6.
system-view
[RouterB] ipv6
# Configure IP addresses for the interfaces GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, and GigabitEthernet 3/0/3, and enable AFT on the interfaces.
  ◦ Specify the IPv6 address (2000:0:303:305::, which is translated from 3.3.3.5) of the DNS server.
3. Configure Host C:
Perform the following configurations on Host A. (Details not shown.)
  ◦ Configure IPv4 address 4.4.4.2/24.
  ◦ Configure a static route to network 6.6.6.0/24, which the AFT address pool belongs to, and the next hop address 4.4.4.1.
NOTE: Configure a static route to network 6.6.6.0/24 on the DNS server. The configuration procedure is not shown.
  Total find: 2
Troubleshooting AFT
Symptom 1
When an IPv6 host with a non-IVI address initiates communication with an IPv4 host, AFT fails to perform address translation.
Solution
1. Enable debugging for AFT and locate the causes based on the debugging information.
2. Verify that the translation of the source address succeeds, based on the debugging information. If not, the address pool might have run out of IP addresses.
3.
Configuring tunneling Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end. Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
Figure 93 IPv6 over IPv4 tunnel The IPv6 over IPv4 tunnel processes packets as follows: 1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source. 2. After determining according to the routing table that the packet needs to be forwarded through the tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
Tunnel type
Tunnel mode: 6to4 tunneling. Tunnel source/destination address: The source IPv4 address is manually configured. The destination IPv4 address is automatically obtained. Tunnel interface address type: 6to4 address, in the format of 2002:IPv4-source-address::/48.
Tunnel mode: Intra-site automatic tunnel addressing protocol (ISATAP) tunneling. Tunnel source/destination address: The source IPv4 address is manually configured. The destination IP address is automatically obtained.
Device A forwards all packets destined for the IPv6 network over the 6to4 tunnel and Device C then forwards them to the IPv6 network. Figure 94 Principle of 6to4 tunneling and 6to4 relay 4. ISATAP tunneling An ISATAP tunnel is a point-to-point automatic tunnel. It provides a solution to connect an IPv6 host to an IPv6 network over an IPv4 network. The destination addresses of IPv6 packets and the IPv6 addresses of tunnel interfaces are all ISATAP addresses.
Figure 96 Principle of IPv4 over IPv4 tunneling Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 96. • Encapsulation: a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface. c.
The encapsulation and de-encapsulation processes illustrated in Figure 97 are described as follows: • Encapsulation: a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack. b. The IPv4 protocol stack uses the destination address of the packet to determine the output interface. If the output interface is the tunnel interface, the IPv4 protocol stack delivers the packet to the tunnel interface. c.
b. The IPv6 protocol stack uses the destination IPv6 address of the packet to find the output interface. If the output interface is the tunnel interface, the stack delivers it to the tunnel interface. c. After receiving the packet, the tunnel interface adds an IPv6 header to it and submits it to the IPv6 protocol stack. d. The IPv6 protocol stack forwards the packet according to its destination IPv6 address. • De-encapsulation e.
Configuration guidelines Follow these guidelines when you configure a tunnel interface: • When an active/standby switchover occurs or the standby card is removed on an HSR6802/HSR6804/HSR6808 router, the tunnel interfaces configured on the active or standby card still exist. To delete a tunnel interface, use the undo interface tunnel command. • For an HSR6802/HSR6804/HSR6808 router, all services and traffic are processed on the service card.
Step Command Remarks
6. Set the bandwidth for the tunnel interface. Command: tunnel bandwidth bandwidth-value. Remarks: Optional. By default, the bandwidth is 64 kbps.
7. Set the intended bandwidth for the tunnel interface. Command: bandwidth bandwidth-value. Remarks: Optional. The intended bandwidth is used for bandwidth monitoring by the network management system, but does not affect the actual bandwidth of the interface.
8. Shut down the tunnel interface. Remarks: Optional.
Step Command Remarks
3. Enter tunnel interface view. Command: interface tunnel number. Remarks: N/A
4. Configure an IPv6 address for the tunnel interface. Command:
• Configure a global unicast IPv6 address or a site-local address:
{ ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
{ ipv6 address ipv6-address/prefix-length eui-64
• Configure a link-local IPv6 address:
{ ipv6 address auto link-local
{ ipv6 address ipv6-address link-local
Remarks: The link-local IPv6 address configuration is optional.
Figure 99 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4. • Configure Router A: # Enable IPv6. system-view [RouterA] ipv6 # Specify an IPv4 address for GigabitEthernet 2/0/2. [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 192.168.100.1 255.255.255.0 [RouterA-GigabitEthernet2/0/2] quit # Specify an IPv6 address for GigabitEthernet 2/0/1.
[RouterB] interface tunnel 0 [RouterB-Tunnel0] ipv6 address 3001::2/64 [RouterB-Tunnel0] source gigabitethernet 2/0/2 [RouterB-Tunnel0] destination 192.168.100.1 [RouterB-Tunnel0] tunnel-protocol ipv6-ipv4 [RouterB-Tunnel0] quit # Configure a static route to IPv6 Group 1 through Tunnel 0 on Router B. [RouterB] ipv6 route-static 3002:: 64 tunnel 0 Verifying the configuration # Display the status of the tunnel interfaces on Router A and Router B, respectively.
... # Ping the IPv6 address of GigabitEthernet 2/0/1 at the peer end from Router A.
Step Command Remarks
2. Enable the IPv6 packet forwarding function. Command: ipv6. Remarks: By default, the IPv6 packet forwarding function is disabled.
3. Enter tunnel interface view. Command: interface tunnel number. Remarks: N/A
4. Configure an IPv6 address for the tunnel interface. Command:
• Configure an IPv6 global unicast address or a site-local address:
{
Configuration procedure Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Router A and Router B can reach each other through IPv4. • Configure Router A: # Enable IPv6. system-view [RouterA] ipv6 # Specify an IPv4 address for GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ip address 192.168.100.1 255.255.255.0 [RouterA-GigabitEthernet2/0/1] quit # Configure an automatic IPv4-compatible IPv6 tunnel.
Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 65 ... [RouterB-Tunnel0] display ipv6 interface tunnel 0 Tunnel0 current state :UP Line protocol current state :UP IPv6 is enabled, link-local address is FE80::C0A8:3201 Global unicast address(es): ::192.168.50.
Configuring a 6to4 tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface, GigabitEthernet interface, or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure a 6to4 tunnel: • No destination address needs to be configured for a 6to4 tunnel because the destination IPv4 address is embedded in the 6to4 IPv6 address.
Step Command Remarks
5. Specify the 6to4 tunnel mode. Command: tunnel-protocol ipv6-ipv4 6to4. Remarks: The default mode is GRE. The same tunnel mode must be configured at both ends of the tunnel; otherwise, packet delivery fails.
6. Configure a source address or interface for the tunnel. Command: source { ip-address | interface-type interface-number }. Remarks: By default, no source address or interface is configured for the tunnel.
7. Return to system view. Command: quit. Remarks: N/A
8.
• Configure Router A: # Enable IPv6. system-view [RouterA] ipv6 # Specify an IPv4 address for GigabitEthernet 2/0/2. [RouterA] interface gigabitethernet 2/0/2 [RouterA-GigabitEthernet2/0/2] ip address 2.1.1.1 24 [RouterA-GigabitEthernet2/0/2] quit # Specify an IPv6 address for GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ipv6 address 2002:0201:0101:1::1/64 [RouterA-GigabitEthernet2/0/1] quit # Configure the 6to4 tunnel.
Pinging 2002:501:101:1::2 from 2002:201:101:1::2 with 32 bytes of data: Reply from 2002:501:101:1::2: bytes=32 time=13ms Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time<1ms Ping statistics for 2002:501:101:1::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms 6to4 relay configuration example Network requirements As show
[RouterA-GigabitEthernet2/0/2] quit # Specify an IPv6 address for GigabitEthernet 2/0/1. [RouterA] interface gigabitethernet 2/0/1 [RouterA-GigabitEthernet2/0/1] ipv6 address 2002:0201:0101:1::1/64 [RouterA-GigabitEthernet2/0/1] quit # Configure a 6to4 tunnel.
Reply from 2001::2: bytes=32 time=1ms Reply from 2001::2: bytes=32 time<1ms Ping statistics for 2001::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms
Configuring an ISATAP tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, GigabitEthernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
Step Command Remarks
4. Configure an IPv6 address for the tunnel interface. Command:
• Configure an IPv6 global unicast address or site-local address:
{ ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
{ ipv6 address ipv6-address/prefix-length eui-64
• Configure an IPv6 link-local address:
{ ipv6 address auto link-local
{ ipv6 address ipv6-address link-local
Remarks: The IPv6 link-local address configuration is optional.
# Enable IPv6. system-view [Router] ipv6 # Specify IP addresses for interfaces. [Router] interface gigabitethernet 2/0/2 [Router-GigabitEthernet2/0/2] ipv6 address 3001::1/64 [Router-GigabitEthernet2/0/2] quit [Router] interface gigabitethernet 2/0/1 [Router-GigabitEthernet2/0/1] ip address 1.1.1.1 255.0.0.0 [Router-GigabitEthernet2/0/1] quit # Configure an ISATAP tunnel.
After executing the command, display information about the ISATAP interface. C:\>ipv6 if 2 Interface 2: Automatic Tunneling Pseudo-Interface Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE} does not use Neighbor Discovery uses Router Discovery routing preference 1 EUI-64 embedded IPv4 address: 2.1.1.2 router link-layer address: 1.1.1.1 preferred global 2001::5efe:2.1.1.2, life 29d23h59m46s/6d23h59m46s (public) preferred link-local fe80::5efe:2.1.1.
Configuration guidelines Follow these guidelines when you configure an IPv4 over IPv4 tunnel: • If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel interface, you must configure a route destined for the destination IPv4 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the output interface or specify the IPv4 address of the peer tunnel interface as the next hop.
Step Command Remarks
6. Configure a destination address for the tunnel interface. Command: destination ip-address. Remarks: By default, no destination address is configured for the tunnel.
Configuration example
Network requirements
As shown in Figure 104, the two subnets Group 1 and Group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other.
[RouterA-Tunnel1] source 2.1.1.1 # Specify the IP address of GigabitEthernet 2/0/2 of Router B as the destination address for interface Tunnel 1. [RouterA-Tunnel1] destination 3.1.1.1 [RouterA-Tunnel1] quit # Configure a static route destined for the IP network Group 2 through interface Tunnel 1. [RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1 • Configure Router B: # Specify an IPv4 address for GigabitEthernet 2/0/1.
Last 300 seconds input: Last 300 seconds output: 4 packets input, 0 bytes/sec, 0 packets/sec 2 bytes/sec, 0 packets/sec 256 bytes 0 input error 12 packets output, 768 bytes 0 output error [RouterB] display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 64000 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback-group ID not set Tunnel source 3.1.1.1, destination 2.1.1.
Configuration guidelines Follow these guidelines when you configure an IPv4 over IPv6 manual tunnel: • If the destination IPv4 network is not on the same subnet as the IPv4 address of the local tunnel interface, you must configure a route destined for the destination IPv4 network through the tunnel interface. You can configure a static route, and specify the local tunnel interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop.
Figure 105 Network diagram: Router A (GE2/0/2 2002::1:1/64, GE2/0/1 30.1.1.1/24, Tunnel1 30.1.2.1/24) and Router B (GE2/0/2 2002::2:1/64, GE2/0/1 30.1.3.1/24, Tunnel2 30.1.2.2/24) are connected by an IPv4 over IPv6 tunnel across an IPv6 network, with IPv4 Group 1 behind Router A and IPv4 Group 2 behind Router B.
Configuration procedure
Make sure Router A and Router B can reach each other through IPv6. • Configure Router A: # Enable IPv6. system-view [RouterA] ipv6 # Specify an IPv4 address for GigabitEthernet 2/0/1.
[RouterB-GigabitEthernet2/0/1] quit # Specify an IPv6 address for GigabitEthernet 2/0/2, the physical interface of the tunnel. [RouterB] interface gigabitethernet 2/0/2 [RouterB-GigabitEthernet2/0/2] ipv6 address 2002::2:1 64 [RouterB-GigabitEthernet2/0/2] quit # Create interface Tunnel 2. [RouterB] interface tunnel 2 # Specify an IPv4 address for interface Tunnel 2. [RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0 # Configure the tunnel encapsulation mode as IPv4 over IPv6.
Encapsulation is TUNNEL, service-loopback-group ID not set Tunnel source 2002::0002:0001, destination 2002::0001:0001 Tunnel protocol/transport IP/IPv6 Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0 Output queue : (Protocol queuing : Size/Length/Discards) Output queue : (FIFO queuing : Size/Length/Discards) Last 300 seconds input: Last 300 seconds output: 167 packets input, 0/500/0 0/75/0 1 bytes/sec, 0 packets/sec 1 bytes/sec, 0 packets/sec 10688 bytes 0 input error 170 packets outpu
• The IPv6 address of the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • The destination address of the route passing the tunnel interface cannot be on the same subnet as the destination address configured for the tunnel interface. • Two or more tunnel interfaces using the same encapsulation protocol must have different source and destination addresses.
Step Command Remarks
9. Return to system view. Command: quit. Remarks: N/A
10. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses. Command: tunnel discard ipv4-compatible-packet. Remarks: Optional. The default setting is disabled.
Configuration example
Network requirements
As shown in Figure 106, configure an IPv6 over IPv6 tunnel between Router A and Router B so the two IPv6 networks can reach each other without disclosing their IPv6 addresses.
[RouterA-Tunnel1] source 2002::11:1 # Specify the IP address of GigabitEthernet 2/0/2 of Router B as the destination address for interface Tunnel 1. [RouterA-Tunnel1] destination 2002::22:1 [RouterA-Tunnel1] quit # Configure a static route destined for the IPv6 network Group 2 through interface Tunnel 1. [RouterA] ipv6 route-static 2002:3:: 64 tunnel 1 • Configure Router B: # Enable IPv6. system-view [RouterB] ipv6 # Specify an IPv6 address for GigabitEthernet 2/0/1.
FF02::2 FF02::1 MTU is 1460 bytes ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: ...
Displaying and maintaining tunneling
Task: Display information about tunnel interfaces. Command: display interface [ tunnel ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]; display interface tunnel number [ brief [ description ] ] [ | { begin | exclude | include } regular-expression ]. Remarks: Available in any view.
Task: Display IPv6 information on tunnel interfaces.
Configuring GRE Overview Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. GRE encapsulation format Figure 107 GRE encapsulation format As shown in Figure 107, a GRE-tunneled packet comprises the following parts: • Payload packet—Original packet.
GRE encapsulation and de-encapsulation The following sections use Figure 109 to describe how an X protocol packet traverses an IP network through a GRE tunnel. Figure 109 X protocol networks interconnected through a GRE tunnel Encapsulation process 1. After receiving an X protocol packet from the interface connected to Group 1, Router A submits it to the X protocol for processing. 2. The X protocol checks the destination address field in the packet header to determine how to route the packet. 3.
GRE application scenarios The following shows typical GRE application scenarios: Connecting private networks running different protocols over a single backbone As shown in Figure 110, Group 1 and Group 2 are IPv6 networks, and Team 1 and Team 2 are IPv4 networks. Through the GRE tunnel between Router A and Router B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2, without affecting each other.
Figure 112 Network diagram Operating with IPsec As shown in Figure 113, GRE can be encapsulated into IPsec to improve transmission security for routing protocol packets, voice data, and video data. Figure 113 Network diagram For more information about IPsec, see Security Configuration Guide.
• You can enable or disable the checksum function at both ends of a tunnel.
{ If checksum is enabled at the local end but not at the remote end, the local end calculates the checksum of a packet to be sent but does not check the checksum of a received packet.
{ If checksum is enabled at the remote end but not at the local end, the local end checks the checksum of a received packet but does not calculate the checksum of a packet to be sent.
Step Command Remarks
8. Enable the GRE packet checksum function. Command: gre checksum. Remarks: Optional. Disabled by default.
9. Configure the key for the GRE tunnel interface. Command: gre key key-number. Remarks: Optional. By default, no key is configured for a GRE tunnel interface. The two ends of a tunnel must both have the same key or both have no key.
10. Specify a value for the Recursion Control field in the GRE header. Command: gre recursion recursion-value. Remarks: Optional.
11.
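The following Python is an added example, not code from the HP guide or the router software. It builds and parses the GRE header (RFC 2784 with the RFC 2890 key extension) and models the two settings described above: a sender includes the C bit and checksum only when gre checksum is enabled locally, a receiver verifies a carried checksum only when gre checksum is enabled locally, and the two ends must both carry the same gre key or both carry none. Names and the sample payload are constructed for the example.

```python
"""GRE encapsulation with the checksum (C) and key (K) options.

Added example; not the HP guide's or the router's code.
"""
import struct
from typing import Optional, Tuple

GRE_FLAG_CHECKSUM = 0x8000   # C bit
GRE_FLAG_KEY = 0x2000        # K bit
GRE_FLAG_SEQUENCE = 0x1000   # S bit (parsed, never generated here)
GRE_VERSION_MASK = 0x0007    # version must be 0 for RFC 2784 GRE
ETHERTYPE_IPV4 = 0x0800


class GreDrop(Exception):
    """The receiver discards the packet (bad version, key mismatch, bad checksum)."""


def ones_complement_sum16(data: bytes) -> int:
    """RFC 1071 checksum over `data`, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4,
                    checksum: bool = False, key: Optional[int] = None) -> bytes:
    """GRE header + payload as a local end configured with `checksum`
    (gre checksum) and `key` (gre key) would send it."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_CHECKSUM
    if key is not None:
        flags |= GRE_FLAG_KEY
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)       # checksum placeholder, reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        # The checksum covers the whole GRE header and the payload,
        # with the checksum field itself set to zero.
        csum = ones_complement_sum16(header + payload)
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet: bytes, local_key: Optional[int] = None,
                    local_checksum: bool = False) -> Tuple[int, bytes]:
    """Return (protocol type, payload) or raise GreDrop, applying the local
    end's gre key and gre checksum settings."""
    if len(packet) < 4:
        raise GreDrop("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK:
        raise GreDrop("unsupported GRE version")
    hdr_len = 4 + (4 if flags & GRE_FLAG_CHECKSUM else 0) \
                + (4 if flags & GRE_FLAG_KEY else 0) \
                + (4 if flags & GRE_FLAG_SEQUENCE else 0)
    if len(packet) < hdr_len:
        raise GreDrop("truncated GRE header")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4
    if flags & GRE_FLAG_KEY:
        (key,) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
        if key != local_key:
            raise GreDrop("GRE key mismatch")        # includes "local has no key"
    elif local_key is not None:
        raise GreDrop("GRE key expected but absent")
    if (flags & GRE_FLAG_CHECKSUM) and local_checksum:
        # Verify only when checksum is enabled locally; a remote end with
        # checksum disabled sends no C bit, so there is nothing to check.
        (carried,) = struct.unpack("!H", packet[4:6])
        if ones_complement_sum16(packet[:4] + b"\x00\x00" + packet[6:]) != carried:
            raise GreDrop("GRE checksum error")
    return proto, packet[hdr_len:]


def would_drop(packet: bytes, local_key: Optional[int] = None,
               local_checksum: bool = False) -> bool:
    """True when the local end would discard `packet` under these settings."""
    try:
        gre_decapsulate(packet, local_key, local_checksum)
    except GreDrop:
        return True
    return False


if __name__ == "__main__":
    payload = b"constructed payload"     # stands in for the encapsulated IP packet
    pkt = gre_encapsulate(payload, checksum=True, key=2)
    print(gre_decapsulate(pkt, local_key=2, local_checksum=True))   # (2048, payload)
    print(would_drop(pkt, local_key=3, local_checksum=True))        # True: key mismatch
    print(would_drop(pkt, local_key=None))                          # True: key vs. no key
    damaged = pkt[:-1] + bytes([pkt[-1] ^ 0x55])
    print(would_drop(damaged, local_key=2, local_checksum=True))    # True: checksum error
    print(would_drop(damaged, local_key=2, local_checksum=False))   # False: not checked
```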
• The IPv6 address of the tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets.
Configuration prerequisites
Configure an IPv6 address for the interface (such as a VLAN interface, a GigabitEthernet interface, or a Loopback interface) to be used as the source interface of the tunnel interface.
Configuration procedure
To configure a GRE over IPv6 tunnel:
Step Command Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2.
Step Command Remarks
12. Return to system view. Command: quit. Remarks: N/A
13. Configure a route for packet forwarding through the tunnel. Command: See Layer 3—IP Routing Configuration Guide. Remarks: Each end of the tunnel must have a route (static or dynamic) through the tunnel to the other end.
For information about tunnel interfaces and related configurations, see "Configuring tunneling."
# Configure an IPv4 address for interface GigabitEthernet 2/1/1. system-view [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 10.1.1.1 255.255.255.0 [RouterA-GigabitEthernet2/1/1] quit # Configure an IPv4 address for interface Serial 2/2/0, the physical interface of the tunnel. [RouterA] interface serial 2/2/0 [RouterA-Serial2/2/0] ip address 1.1.1.1 255.255.255.0 [RouterA-Serial2/2/0] quit # Create a tunnel interface Tunnel 0.
[RouterB-Tunnel0] quit # Configure a static route from Router B through the tunnel interface Tunnel 0 to Group 1. [RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0 Verifying the configuration: # Display the tunnel interface status on Router A and Router B, respectively. [RouterA] display interface tunnel 0 Tunnel0 current state: UP Line protocol current state: UP Description: Tunnel0 Interface The Maximum Transmit Unit is 1476 Internet Address is 10.1.2.
10 packets output, 840 bytes 0 output error # From Router B, ping the IP address of GigabitEthernet 2/1/1 on Router A. [RouterB] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms --- 10.1.1.
[RouterA] interface tunnel 0 # Configure an IPv4 address for the tunnel interface Tunnel 0. [RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0 # Configure the tunnel encapsulation mode. [RouterA-Tunnel0] tunnel-protocol gre ipv6 # Configure the source address of the tunnel interface Tunnel 0 as the IP address of interface Serial 2/2/0. [RouterA-Tunnel0] source 2002::1:1 # Configure the destination address of the tunnel interface Tunnel 0 as the IP address of interface Serial 2/2/1 on Router B.
Tunnel0 current state: UP Line protocol current state: UP Description: Tunnel0 Interface The Maximum Transmit Unit is 1456 Internet Address is 10.1.2.1/24 Primary Encapsulation is TUNNEL, service-loopback-group ID not set.
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms --- 10.1.1.1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 2/2/3 ms Troubleshooting GRE The key to configuring GRE is to keep the configurations consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 116.
Configuring a point-to-multipoint GRE tunnel Overview Figure 117 P2MP GRE tunnel application scenario A traditional GRE tunnel is a point-to-point connection. To use traditional GRE tunnels on an enterprise network as shown in Figure 117, you need to configure a P2P GRE tunnel between the headquarters and each branch.
Figure 118 Learning tunnel destination addresses dynamically: headquarters gateway Router A (11.1.1.1/24, Tunnel0 10.3.1.1/24) and branch gateway Router B (11.1.1.2/24, Tunnel0 10.3.1.2/24) across an IPv4 network; Host A (10.2.1.2/24) sits behind Router A and Host B (10.1.1.2/24) behind Router B, and from a GRE packet sent by Host B Router A learns the entry Dest 10.1.1.0/24 with Tun Dest 11.1.1.2.
Different from a P2P GRE tunnel, a P2MP GRE tunnel does not require manual configuration of the tunnel destination addresses but learns them from GRE tunnel packets received from peers.
GRE tunnel backup at a branch Figure 119 Backing up a GRE tunnel at a branch As shown in Figure 119, for higher network reliability, a branch can use multiple gateway devices so that a GRE tunnel is established between the headquarters and each gateway of the branch for GRE tunnel backup. When creating a GRE tunnel on a gateway of the branch, you can configure the GRE key. The headquarters device will read the GRE key from the GRE packet and record the GRE key value in the corresponding tunnel entry.
As shown in Figure 120, for higher network reliability, you can deploy multiple gateways at the headquarters and specify one or more backup interfaces for the main tunnel interface on the main gateway (for example, Tunnel 1), to implement headquarters node backup and GRE tunnel backup. If the link between the main gateway and the branch gateway goes down, the main tunnel interface will soon lose the matching tunnel entry for forwarding packets to the branch.
• On an HSR6802/HSR6804/HSR6808 router, you must execute the service command to specify the service card that forwards the traffic on the current interface. For more information about the service command, see Layer 3—IP Services Command Reference. • Two or more P2MP GRE tunnel interfaces cannot share the same source address. • If you specify a source interface for a P2MP GRE tunnel interface, the tunnel interface takes the primary IP address of the source interface as its source address.
Step Command Remarks
5. Configure the source address or interface for the tunnel interface. Command: source { ip-address | interface-type interface-number }. Remarks: By default, no source address or interface is configured for a tunnel interface. On each branch node, you must configure this source address as the tunnel destination address.
6. Enable the GRE packet checksum function. Command: gre checksum. Remarks: Optional. Disabled by default.
7. Configure a route for packet forwarding through the tunnel.
Basic P2MP GRE tunnel configuration example Network requirements A company has a network at the headquarters and each of its branches. Implement communication between the headquarters and the branches through GRE, but forbid communication between the branches. Figure 121 shows a simplified scenario, where there is only one branch. • Router A is the gateway at the headquarters, and Router B is the gateway of the branch.
[RouterA] interface tunnel 0 [RouterA-Tunnel0] ip address 192.168.22.1 255.255.255.0 # Configure the tunnel encapsulation mode as P2MP GRE. [RouterA-Tunnel0] tunnel-protocol gre p2mp # Configure the mask of the branch network as 255.255.255.0. [RouterA-Tunnel0] gre p2mp branch-network-mask 255.255.255.0 # Set the tunnel entry aging time to 20 seconds. [RouterA-Tunnel0] gre p2mp aging-time 20 # Configure the source IP address of the tunnel interface Tunnel 0. [RouterA-Tunnel0] source 11.1.1.
# View tunnel entry information on Router A again. Because the branch has initiated tunnel establishment by sending packets to the headquarters, a tunnel entry should be installed, as shown in the following output information: [RouterA] display gre p2mp tunnel-table interface tunnel 0 Dest Addr Mask Tunnel Dest Addr 192.168.12.0 255.255.255.0 11.1.1.
Device Interface IP Address Device Interface IP Address Router A GE3/1/1 11.1.1.1/24 Router B GE3/1/1 11.1.1.2/24 Router C GE3/1/2 10.1.1.1/24 GE3/1/2 10.1.1.2/24 GE3/1/3 192.168.11.1/24 GE3/1/3 192.168.11.2/24 Tunnel0 172.168.1.1/24 Tunnel0 172.168.2.2/24 Tunnel1 192.168.22.2/24 Tunnel0 172.168.1.3/24 Tunnel1 172.168.2.3/24 Tunnel1 192.168.22.1/24 GE3/1/1 11.1.1.3/24 GE3/1/2 192.168.12.1/24 Router C Configuration procedure 1.
[RouterB] interface tunnel 0 [RouterB-Tunnel0] ip address 172.168.2.2 255.255.255.0 # Configure the tunnel encapsulation mode of the tunnel interface Tunnel 0 as P2MP GRE. [RouterB-Tunnel0] tunnel-protocol gre p2mp # Configure the source IP address of the tunnel interface Tunnel 0. [RouterB-Tunnel0] source 11.1.1.2 # Configure the mask of the branch network connected to Tunnel 0 as 255.255.255.0. [RouterB-Tunnel0] gre p2mp branch-network-mask 255.255.255.
[RouterC-Tunnel1] quit # Configure a static route to the headquarters network with Tunnel 1 as the outgoing interface and a priority value of 10. This makes the priority of this route lower than that of the static route through interface Tunnel 0, so that Router C prefers the tunnel between Router A and Router C for packet forwarding. [RouterC] ip route-static 192.168.11.0 255.255.255.
Configuration example for backing up a P2MP GRE tunnel at a branch Network requirements As shown in Figure 123, a branch uses two gateways at the egress of the internal network, with Router C for backup. A P2MP GRE tunnel is created on Router A, the gateway at the headquarters, allowing Router A to establish two GRE tunnels to the branch network, one for connecting Router B and the other for connecting Router C. Router A decides which GRE tunnel to use to send packets to the hosts on the branch network.
# Configure the mask of the branch network connected to the tunnel interface Tunnel 0 as 255.255.255.0. [RouterA-Tunnel0] gre p2mp branch-network-mask 255.255.255.0 # Set the tunnel entry aging time to 20 seconds. [RouterA-Tunnel0] gre p2mp aging-time 20 # Configure the source IP address of the tunnel interface Tunnel 0. [RouterA-Tunnel0] source 11.1.1.1 [RouterA-Tunnel0] quit # Configure a static route to the branch network with the outgoing interface being the tunnel interface Tunnel 0.
Verifying the configuration. # On Host B, specify Router C as the default gateway. Ping Host A from Host B. The ping operation succeeds. View tunnel entries on Router A: [RouterA] display gre p2mp tunnel-table interface tunnel 0 Dest Addr Mask Tunnel Dest Addr Gre Key 192.168.1.0 255.255.255.0 11.1.1.3 2 # On Host B, specify Router B as the default gateway. Ping Host A from Host B. The ping operation succeeds.
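As an added example (not the HP guide's or the router's code), the following Python models the tunnel-entry learning, aging and backup-gateway selection described in the P2MP GRE sections above, using the addresses from the examples: the branch behind Router B (11.1.1.2) and, for the backup scenario, Router C (11.1.1.3) carrying GRE key 2. The GRE key used for Router B in the backup scenario is a constructed value, since the guide does not show it, and packets are passed in already parsed.

```python
"""Tunnel-entry learning on a P2MP GRE tunnel interface.

Added example; not the HP guide's or the router's code. The inner source
address masked with gre p2mp branch-network-mask becomes Dest Addr/Mask,
the outer source address becomes Tunnel Dest Addr, the GRE key the branch
gateway used is recorded so replies carry the same key, and entries age out
after gre p2mp aging-time seconds.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class TunnelEntry:
    dest_network: ipaddress.IPv4Network   # branch network (Dest Addr / Mask)
    tunnel_dest: ipaddress.IPv4Address    # outer IPv4 address of the branch gateway
    gre_key: Optional[int]                # key the branch gateway used, if any
    last_seen: float                      # time the entry was last refreshed


class P2mpTunnelTable:
    def __init__(self, branch_network_mask: str, aging_time: float):
        self.mask = branch_network_mask    # e.g. 255.255.255.0
        self.aging_time = aging_time       # seconds, e.g. 20
        self._entries: Dict[ipaddress.IPv4Network, TunnelEntry] = {}

    def learn(self, outer_src: str, inner_src: str, gre_key: Optional[int],
              now: float) -> TunnelEntry:
        """Install or refresh the entry for the branch network inner_src belongs to.

        Any GRE packet that reaches the tunnel source address can create or
        replace an entry; the table performs no authentication of its own, so
        protection has to come from the path the packets arrive over.
        """
        net = ipaddress.IPv4Network((inner_src, self.mask), strict=False)
        entry = TunnelEntry(net, ipaddress.IPv4Address(outer_src), gre_key, now)
        self._entries[net] = entry   # a packet via another gateway replaces the entry
        return entry

    def expire(self, now: float) -> int:
        """Drop entries not refreshed within aging_time; return how many were dropped."""
        stale = [n for n, e in self._entries.items()
                 if now - e.last_seen > self.aging_time]
        for n in stale:
            del self._entries[n]
        return len(stale)

    def lookup(self, inner_dst: str, now: float) -> Optional[Tuple[str, Optional[int]]]:
        """(Tunnel Dest Addr, GRE key) for a packet to inner_dst, or None when
        no live entry exists, in which case the packet cannot be forwarded yet."""
        self.expire(now)
        dst = ipaddress.IPv4Address(inner_dst)
        for net, entry in self._entries.items():
            if dst in net:
                return str(entry.tunnel_dest), entry.gre_key
        return None

    def rows(self) -> List[Tuple[str, str, str, str]]:
        """Rows in the column order of display gre p2mp tunnel-table:
        Dest Addr, Mask, Tunnel Dest Addr, Gre Key."""
        return [(str(e.dest_network.network_address), str(e.dest_network.netmask),
                 str(e.tunnel_dest), "" if e.gre_key is None else str(e.gre_key))
                for e in self._entries.values()]


if __name__ == "__main__":
    table = P2mpTunnelTable("255.255.255.0", aging_time=20)
    # Basic example: a host behind Router B (192.168.12.0/24) sends first.
    table.learn("11.1.1.2", "192.168.12.5", None, now=0.0)
    print(table.rows())                              # 192.168.12.0 ... 11.1.1.2
    print(table.lookup("192.168.12.7", now=10.0))    # ('11.1.1.2', None)
    print(table.lookup("192.168.12.7", now=25.0))    # None: aged out
    # Backup example: Host B first uses Router C (key 2), then Router B.
    table.learn("11.1.1.3", "192.168.1.10", 2, now=100.0)
    print(table.lookup("192.168.1.20", now=105.0))   # ('11.1.1.3', 2)
    table.learn("11.1.1.2", "192.168.1.10", 1, now=110.0)   # key 1 is constructed
    print(table.lookup("192.168.1.20", now=115.0))   # ('11.1.1.2', 1)
```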
Configuring DVPN Overview Dynamic VPN (DVPN) collects, maintains, and distributes dynamic public addresses through the VPN Address Management (VAM) protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network. In DVPN, a collection of nodes connected to the public network form a VPN.
A DVPN comprises one server and multiple clients. The public address of the server in a DVPN must be static. The private address of a client needs to be statically assigned. The public address of a client can be manually configured or dynamically assigned. All the private addresses of the nodes composing a DVPN must belong to the same network segment. Each client registers the mapping of its private address and public address with the server.
Figure 125 Hub-spoke DVPN DVPN implementation DVPN works in three phases: connection initialization, registration, and tunnel establishment. Connection initialization phase When a client accesses the server for the first time, connection initialization is performed. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured.
next-highest priority algorithm against the list. The operation continues until a match is found or all the algorithms on the server's algorithm list have been compared. If a match is found, the server sends to the client a connection response, which carries the negotiation result, and at the same time, the server and the client generate the encryption key and integrity verification key. 3.
Figure 128 Tunnel establishment process 1. The initiator originates a tunnel establishment request. { To establish a hub-spoke tunnel: After a spoke registers itself successfully, it needs to establish a permanent tunnel with each hub in the VPN. Upon receiving the registered information of the hubs from the server, the spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and a hub, the spoke sends a tunnel establishment request to the hub.
Support for dynamic VAM client IP address As each VAM client registers its public and private addresses with the VAM server and can get the public address of the peer VAM client from the VAM server, no tunnel destination address needs to be configured on either tunnel interface of a tunnel. When a VAM client has its IP address changed, it reregisters with the VAM server, thus supporting dynamic IP addresses.
Configuring AAA
A VAM server can employ AAA to authenticate the identities of clients accessing a VPN domain. For AAA configuration, see Security Configuration Guide.
Configuring the VAM server
Complete the following tasks to configure a VAM server:
Task Remarks
Creating a VPN domain: Required.
Enabling VAM server: Required.
Configuring the listening IP address and UDP port number: Optional.
Configuring the security parameters of VAM protocol packets: Optional.
Configuring the listening IP address and UDP port number
To configure the listening IP address and UDP port number of the VAM server:
Step Command Remarks
1. Enter system view. Command: system-view. Remarks: N/A
2. Configure the listening IP address and UDP port number of the server. Command: vam server ip-address ip-address [ port port-number ]. Remarks: Optional. By default, no listening IP address or UDP port number is configured.
A VAM server supports only PAP and CHAP authentication.
To configure the client authentication mode:
Step                                    Command                                                                  Remarks
1. Enter system view.                   system-view                                                              N/A
2. Enter VPN domain view.               vam server vpn vpn-name                                                  N/A
3. Specify the client authentication    authentication-method { none | { chap | pap } [ domain name-string ] }   Optional. By default, a VAM server performs CHAP authentication of clients, using the default domain configured for the system.
   mode.
The none keyword disables client identity authentication for the VPN domain, so any client that knows the pre-shared key can register; use it only where the identity check is provided some other way.
Step                                                 Command                                          Remarks
3. Configure the pre-shared key of the VAM server.   pre-shared-key { cipher | simple } key-string    No pre-shared key exists by default.
The simple keyword configures the key in plain text; prefer cipher so that the key is not stored in plain text in the configuration file.

Configuring keepalive parameters
A client sends keepalive packets to the server periodically, and the server sends responses back to prove that it is still reachable.
Creating a VAM client
Step                                          Command                        Remarks
1. Enter system view.                         system-view                    N/A
2. Create a VAM client and enter its view.    vam client name client-name    No client is created by default.

Setting the VAM protocol packet retransmission interval
If a client sends a VAM protocol packet to the server and receives no response within a specific period of time, it retransmits the packet.
Configuring the username and password
A client needs a username and a password to be authenticated by the server. You configure them for a client by creating a local user. Only one local user can be configured for a VAM client.
To configure a username and password for a VAM client:
Step                                                     Command                        Remarks
1. Enter system view.                                    system-view                    N/A
2. Enter VAM client view.                                vam client name client-name    N/A
3. Configure a username and password for the client.
Step                     Command                                                          Remarks
2. Enable VAM client.    • (Approach 1) Enable VAM client for all VAM clients or for a    Use either approach.
                           specific VAM client:                                           Disabled by default.
                           vam client enable { all | name client-name }
                         • (Approach 2) Enable VAM client for a VAM client:
                           a. vam client name client-name
                           b. client enable

Configuring an IPsec profile
An IPsec profile secures the transmission of data packets and control packets over a DVPN tunnel.
Step                                                           Command                                   Remarks
2. Create an IPsec profile and enter IPsec profile view.       ipsec profile profile-name                By default, no IPsec profile is created.
3. Specify the IPsec transform sets for the IPsec profile      transform-set transform-set-name&<1-6>    By default, an IPsec profile references no IPsec transform set.
   to reference.
4. Specify the IKE peer for the IPsec profile to reference.    ike-peer peer-name                        By default, an IPsec profile references no IKE peer.
5.                                                                                                       Optional.
Configuration prerequisites
IP addresses have been configured for the source interfaces (VLAN interfaces, GigabitEthernet interfaces, or Loopback interfaces) of the virtual tunnel interfaces, and routes are available between those interfaces.

Configuration procedure
To configure a DVPN tunnel:
Step                                                 Command                    Remarks
1. Enter system view.                                system-view                N/A
2. Create a tunnel interface and enter its view.     interface tunnel number    No tunnel interface is created by default.
3.
Step                                                   Command                                   Remarks
10. Specify the network type of the OSPF interface.    ospf network-type { broadcast | p2mp }    Required when OSPF is used. By default, no network type is specified. A DVPN tunnel can use only two OSPF interface types: broadcast and P2MP.
11. Set the DR priority of the OSPF interface.         ospf dr-priority priority                 Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke.
On a broadcast-type tunnel, only the hubs have a tunnel to every other peer, so they must become the DR and BDR; setting the DR priority of each spoke to 0, as the configuration examples do, ensures that a spoke is never elected.
For more information about commands interface tunnel, tunnel-protocol, and source, see Layer 3—IP Services Command Reference. For information about command ipsec profile, see Security Command Reference. For more information about the ospf network-type and ospf dr-priority commands, see Layer 3—IP Routing Command Reference. For more information about VPN instance configuration, see MPLS Configuration Guide.
Task                                                   Command                                                                                              Remarks
Display information about a specific or all IPsec      display ipsec profile [ name profile-name ] [ | { begin | exclude | include } regular-expression ]     Available in any view.
profiles.
Remove DVPN tunnels.                                   reset dvpn session { all | interface interface-type interface-number [ private-ip ip-address ] }      Available in user view.
For more information about command display ipsec profile, see Security Command Reference.
Addresses shown in the network diagram (figure not reproduced): Spoke 3 GE3/0/1 192.168.1.5/24, GE3/0/2 10.0.5.1/24, Tunnel2 10.0.2.3/24; Spoke 2 Tunnel1 10.0.1.4/24, Tunnel2 10.0.2.4/24; AAA server 192.168.1.11/24; Primary server GE3/0/1 192.168.1.22/24; Secondary server GE3/0/1 192.168.1.33/24.

Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
system-view
# Configure RADIUS scheme radsun.
[PrimaryServer-vam-server-vpn-2] hub private-ip 10.0.2.1
[PrimaryServer-vam-server-vpn-2] hub private-ip 10.0.2.2
[PrimaryServer-vam-server-vpn-2] quit
# Enable VAM server for all VPNs.
[PrimaryServer] vam server enable all

Configuring the secondary VAM server
Except for the listening IP address configuration, the configuration of the secondary VAM server is the same as that of the primary VAM server. (Details not shown.)

Configuring Hub 1
1. Configure IP addresses for the interfaces.
[Hub1-ike-peer-vam] pre-shared-key abcde
[Hub1-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4. Configure DVPN tunnels:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
# Create a VAM client named dvpn1hub2 for VPN 1.
[Hub2] vam client name dvpn1hub2
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Create a local user named dvpn1hub2, setting the password as dvpn1hub2.
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.0
[Hub2-Tunnel1] source gigabitethernet 3/0/1
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn gre
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.
[Spoke1] ipsec transform-set vam
[Spoke1-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke1-ipsec-transform-set-vam] transform esp
[Spoke1-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-vam] quit
DES is used in this example only to keep it short; on production tunnels select a stronger ESP encryption algorithm, and configure the same transform set on every DVPN peer so that the IPsec proposals match.
# Configure the IKE peer.
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
# Configure the IPsec profile.
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn gre
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.
# Configure the IPsec transform set.
[Spoke3] ipsec transform-set vam
[Spoke3-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke3-ipsec-transform-set-vam] transform esp
[Spoke3-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke3-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke3] ike peer vam
[Spoke3-ike-peer-vam] pre-shared-key abcde
[Spoke3-ike-peer-vam] quit
# Configure the IPsec profile.
10.0.1.1           192.168.1.1        hub        0H 52M 7S
10.0.1.2           192.168.1.2        hub        0H 47M 31S
10.0.1.3           192.168.1.3        spoke      0H 28M 25S
10.0.1.4           192.168.1.4        spoke      0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip         Public-ip          Type       Holding time
10.0.2.1           192.168.1.1        hub        0H 51M 44S
10.0.2.2           192.168.1.2        hub        0H 46M 45S
10.0.2.3           192.168.1.5        spoke      0H 11M 25S
10.0.2.4           192.168.1.
Private IP: 10.0.1.3    Public IP: 192.168.1.3
Session type: hub-spoke    State: SUCCESS
Holding time: 0h 8m 7s
Input:  164 packets, 163 data packets, 54 multicasts, 1 control packets 0 errors
Output: 77 packets, 76 data packets, 55 multicasts, 1 control packets 0 errors
Private IP: 10.0.1.4    Public IP: 192.168.1.

Input:  130 packets, 127 data packets, 120 multicasts, 3 control packets 0 errors
Output: 127 packets, 126 data packets, 119 multicasts, 1 control packets 0 errors
The output shows that:
• In VPN 1, Hub 1 has established a permanent tunnel with each of Hub 2, Spoke 1, and Spoke 2.
• In VPN 2, Hub 1 has established a permanent tunnel with each of Hub 2, Spoke 2, and Spoke 3.
The DVPN tunnel information of Hub 2 is similar to that of Hub 1.

Public IP: 192.168.1.2
Session type: spoke-Hub    State: SUCCESS
Holding time: 0h 1m 50s
Input:  242 packets, 241 data packets, 231 multicasts, 1 control packets 0 errors
Output: 251 packets, 241 data packets, 225 multicasts, 7 control packets 0 errors
The output shows that Spoke 2 has established a permanent hub-spoke tunnel with Hub 1 and with Hub 2 in both VPN 1 and VPN 2. The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.

225 multicasts, 0 errors
Private IP: 10.0.2.3    Public IP: 192.168.1.5
Session type: spoke-spoke    State: SUCCESS
Holding time: 0h 0m 0s
Input:  1 packets, 0 data packets, 0 multicasts, 1 control packets 0 errors
Output: 1 packets, 0 data packets, 0 multicasts, 1 control packets 0 errors
The output shows that a spoke-spoke tunnel has been dynamically established between Spoke 2 and Spoke 3.
Addresses shown in the network diagram (figure not reproduced): Primary server GE3/0/1 192.168.1.22/24; Secondary server GE3/0/1 192.168.1.33/24; AAA server 192.168.1.11/24; Spoke 2 Tunnel1 10.0.1.4/24; GE3/0/2 10.0.3.1/24.

Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
system-view
# Configure RADIUS scheme radsun.
[PrimaryServer] radius scheme radsun
[PrimaryServer-radius-radsun] primary authentication 192.168.1.11 1812
[PrimaryServer-radius-radsun] primary accounting 192.168.

2. Configure the VAM client:
system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
[Hub1] vam client name dvpn1hub1
[Hub1-vam-client-name-dvpn1hub1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub1-vam-client-name-dvpn1hub1] server primary ip-address 192.168.1.22
[Hub1-vam-client-name-dvpn1hub1] server secondary ip-address 192.168.

[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source gigabitethernet 3/0/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Hub1] ospf 100
[Hub1-ospf-100] area 0
[Hub1-ospf-100-area-0.0.0.0] network 192.168.1.1 0.0.0.255
[Hub1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.

[Hub2-ipsec-profile-vamp] transform-set vam
[Hub2-ipsec-profile-vamp] ike-peer vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1. To use UDP for tunnel encapsulation, perform the following configuration:
[Hub2] interface tunnel 1
[Hub2-Tunnel1] tunnel-protocol dvpn udp
[Hub2-Tunnel1] vam client dvpn1hub2
[Hub2-Tunnel1] ip address 10.0.1.2 255.255.255.

[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
# Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1.
[Spoke1-vam-client-name-dvpn1spoke1] user dvpn1spoke1 password simple dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] client enable
[Spoke1-vam-client-name-dvpn1spoke1] quit
3. Configure the IPsec profile:
# Configure the IPsec transform set.

5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke1] ospf 200
[Spoke1-ospf-200] area 0
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.1.3 0.0.0.255
[Spoke1-ospf-200-area-0.0.0.0] network 10.0.2.1 0.0.0.255

Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2.

4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1. To use UDP for tunnel encapsulation, perform the following configuration:
[Spoke2] interface tunnel 1
[Spoke2-Tunnel1] tunnel-protocol dvpn udp
[Spoke2-Tunnel1] vam client dvpn1spoke2
[Spoke2-Tunnel1] ip address 10.0.1.4 255.255.255.
[SecondaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip         Public-ip          Type       Holding time
10.0.1.1           192.168.1.1        hub        0H 8M 46S
10.0.1.2           192.168.1.2        hub        0H 14M 58S
10.0.1.3           192.168.1.3        spoke      0H 5M 9S
10.0.1.4           192.168.1.4        spoke      0H 1M 40S
The output shows that Hub 1, Hub 2, Spoke 1, and Spoke 2 have all registered their address mapping information with the VAM servers.
# Display the DVPN tunnel information of Hub 1.

# Display the DVPN tunnel information of Spoke 1.
[Spoke1] display dvpn session all
Interface: Tunnel1    VPN name: 1
Total number: 2
Private IP: 10.0.1.1    Public IP: 192.168.1.1
Session type: spoke-Hub    State: SUCCESS
Holding time: 1h 1m 22s
Input:  381 packets, 380 data packets, 374 multicasts, 1 control packets 0 errors
Output: 384 packets, 376 data packets, 369 multicasts, 8 control packets 0 errors
Private IP: 10.0.1.2    Public IP: 192.168.1.

Input:  451 packets, 450 data packets, 435 multicasts, 1 control packets 0 errors
Output: 453 packets, 447 data packets, 430 multicasts, 6 control packets 0 errors
Private IP: 10.0.2.2    Public IP: 192.168.1.
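The verification steps of both configuration examples rely on reading display dvpn session all by eye. The following Python script is an added example, not part of the HP guide, that parses that output and reports tunnels which are not in the SUCCESS state, that show errors, or that are missing for a hub the client must keep a permanent tunnel to. The field labels (Interface, VPN name, Private IP, Public IP, Session type, State, Holding time, and the Input/Output counters) are those the guide's output shows; the exact line breaks of the real HSR6800 output are not reproduced here, so the parser keys on labels rather than on line positions. SAMPLE_OUTPUT is constructed for illustration: its first entry is healthy and its second is deliberately broken, with a made-up non-SUCCESS state value and input errors.

```python
"""Added example (not from the HP guide): parse `display dvpn session all`
output and report tunnels that are not healthy."""
import re

# Constructed sample in the guide's field layout; the second entry is broken
# on purpose (the state value NEGOTIATING is made up for this example).
SAMPLE_OUTPUT = """\
Interface: Tunnel1    VPN name: 1
Total number: 2
Private IP: 10.0.1.1    Public IP: 192.168.1.1
Session type: spoke-Hub    State: SUCCESS
Holding time: 1h 1m 22s
Input:  381 packets, 380 data packets, 374 multicasts, 1 control packets 0 errors
Output: 384 packets, 376 data packets, 369 multicasts, 8 control packets 0 errors
Private IP: 10.0.1.2    Public IP: 192.168.1.2
Session type: spoke-Hub    State: NEGOTIATING
Holding time: 0h 0m 0s
Input:  4 packets, 0 data packets, 0 multicasts, 4 control packets 2 errors
Output: 6 packets, 0 data packets, 0 multicasts, 6 control packets 0 errors
"""

# One session entry; lazy matches tolerate whatever whitespace or line breaks
# separate the labels. The "errors" field accepts either ", 0 errors" or " 0 errors".
_ENTRY_RE = re.compile(
    r"Private IP:\s*(?P<private_ip>\S+)\s+Public IP:\s*(?P<public_ip>\S+)"
    r".*?Session type:\s*(?P<session_type>\S+)"
    r".*?State:\s*(?P<state>\S+)"
    r".*?Holding time:\s*(?P<hold>\d+h\s*\d+m\s*\d+s)"
    r".*?Input:\s*(?P<in_pkts>\d+) packets,.*?(?P<in_ctrl>\d+) control packets,?\s*(?P<in_err>\d+) errors"
    r".*?Output:\s*(?P<out_pkts>\d+) packets,.*?(?P<out_ctrl>\d+) control packets,?\s*(?P<out_err>\d+) errors",
    re.S,
)


def holding_seconds(text):
    """'1h 1m 22s' -> 3682."""
    hours, minutes, seconds = (int(x) for x in re.findall(r"\d+", text))
    return hours * 3600 + minutes * 60 + seconds


def _last_value(label, head):
    """Most recent 'label: value' in the text that precedes an entry."""
    found = re.findall(label + r":\s*(\S+)", head)
    return found[-1] if found else None


def parse_dvpn_sessions(text):
    """Return one dict per session entry, in display order."""
    sessions = []
    for m in _ENTRY_RE.finditer(text):
        head = text[: m.start()]  # carries the Interface / VPN name context
        sessions.append({
            "interface": _last_value("Interface", head),
            "vpn": _last_value("VPN name", head),
            "private_ip": m["private_ip"],
            "public_ip": m["public_ip"],
            "session_type": m["session_type"],
            "state": m["state"],
            "holding_seconds": holding_seconds(m["hold"]),
            "input_control": int(m["in_ctrl"]),
            "output_control": int(m["out_ctrl"]),
            "input_errors": int(m["in_err"]),
            "output_errors": int(m["out_err"]),
        })
    return sessions


def check_sessions(sessions, expected_hubs):
    """Return a list of findings; an empty list means every tunnel is healthy.

    expected_hubs: private IPs of the hubs this client must keep a permanent
    tunnel to, i.e. the hub private-ip values configured on the VAM server."""
    findings = []
    up = {s["private_ip"] for s in sessions if s["state"] == "SUCCESS"}
    for hub in expected_hubs:
        if hub not in up:
            findings.append(f"no SUCCESS tunnel to hub {hub}")
    for s in sessions:
        where = f"{s['interface']} VPN {s['vpn']} peer {s['private_ip']}"
        if s["state"] != "SUCCESS":
            findings.append(f"{where}: state {s['state']}")
        if s["input_errors"] or s["output_errors"]:
            findings.append(f"{where}: {s['input_errors']} input / {s['output_errors']} output errors")
    return findings


if __name__ == "__main__":
    for line in check_sessions(parse_dvpn_sessions(SAMPLE_OUTPUT), ["10.0.1.1", "10.0.1.2"]):
        print(line)
```

Feed the script the captured output of display dvpn session all from each spoke, with the hub private IPs from the VAM server's VPN domain as expected_hubs; a spoke-spoke entry with a short holding time is normal, since those tunnels are set up on demand, so the checks deliberately key on state and error counters rather than on age.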
Support and other resources

Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.

Command conventions
Convention         Description
Boldface           Bold text represents commands and keywords that you enter literally as shown.
Italic             Italic text represents arguments that you replace with actual values.
[ ]                Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }    Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.