HP MSR Router Series Layer 3 - IP Services Configuration Guide (V5)
Part number: 5998-2023
Software version: CMW520-R2511
Document version: 6PW103-20140128
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
Configuring ARP 1
Overview 1
ARP message format
DHCP address pool 25
IP address allocation sequence 26
DHCP server configuration task list 26
Configuring an address p
Configuring the DHCP relay agent to work with authorized ARP 52
Enabling unauthorized DHCP server detection 53
Enabling DHCP starvation attack protection 53
Enabling client offline detection
DNS proxy 77
DNS spoofing 78
Configuring the IPv4 DNS client 79
Config
Configuration procedure 104
Verifying the configuration 105
Optimizing IP performance 107
Enabling forwarding of di
Solution 139
Symptom 2 139
Solution
Specifying the secondary VAM server 164
Configuring the username and password 165
Specifying the VPN domain of the VAM client 165
Specifying the pre-shared key of the VAM client
Configuration procedure 218
Configuration example 219
Configuring an IPv4 over IPv4 tunnel 221
Configuration prerequisites
Troubleshooting GRE 257
Configuring IPv6 basics 258
Overview
Prefix selection process 292
Address selection process 293
DHCPv6 server configuration task list 293
Configuration prerequis
Configuration procedure 320
Dynamic domain name resolution configuration example 320
Network requirements 320
Configuration procedure
Configuring ARP
This chapter describes how to configure the Address Resolution Protocol (ARP).
Overview
ARP resolves IP addresses into physical addresses such as MAC addresses. On an Ethernet LAN, a device uses ARP to get the MAC address of the target device for a packet.
ARP message format
ARP uses two types of messages, ARP request and ARP reply. Figure 1 shows the format of the ARP request/reply. Numbers in the figure refer to field lengths.
1. Host A looks through its ARP table for an ARP entry for Host B. If one is found, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request.
Dynamic ARP entry
ARP automatically creates and updates dynamic entries. A dynamic ARP entry is removed when its aging timer expires or the output interface goes down, and it can be overwritten by a static ARP entry.
Static ARP entry
A static ARP entry is manually configured and maintained. It does not age out, and cannot be overwritten by a dynamic ARP entry. Static ARP entries protect communication between devices, because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.
Step 2. Configure a static ARP entry. Use either command:
• Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
• Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
Configuring the maximum number of dynamic ARP entries for an interface
An interface can dynamically learn ARP entries, so it might hold too many ARP entries.
Step 2. Set the aging timer for dynamic ARP entries: arp timer aging aging-time. Optional; 20 minutes by default.
Enabling dynamic ARP entry check
The dynamic ARP entry check function controls whether the device supports dynamic ARP entries with multicast MAC addresses. When dynamic ARP entry check is enabled, the device cannot learn dynamic ARP entries containing multicast MAC addresses.
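The rules stated for the two entry types, the per-interface cap on dynamic entries, the aging timer and dynamic ARP entry check can be put into one small model. The following is an added example written for this guide and is not HP or Comware code; the class and method names are assumptions, the injectable clock exists only so aging can be exercised without waiting, and "no cap when the limit is None" is a modelling choice rather than a statement about the device.

```python
"""ARP table model: dynamic vs. static entries, aging, per-interface limit, multicast-MAC check.
Added illustration only (not HP/Comware code); names are assumptions."""
import time
from dataclasses import dataclass

DEFAULT_AGING_SECONDS = 20 * 60   # the guide's default aging timer: 20 minutes


@dataclass
class ArpEntry:
    ip: str
    mac: str
    interface: str
    static: bool
    learned_at: float   # clock reading when learned; unused for static entries


def is_multicast_mac(mac: str) -> bool:
    """The I/G bit (bit 0 of the first octet) marks group (multicast/broadcast) MAC addresses."""
    first_octet = int(mac.replace("-", ":").split(":")[0], 16)
    return bool(first_octet & 0x01)


class ArpTable:
    def __init__(self, aging_seconds=DEFAULT_AGING_SECONDS, max_dynamic_per_interface=None,
                 dynamic_check=False, clock=time.monotonic):
        self.entries = {}                               # ip -> ArpEntry
        self.aging_seconds = aging_seconds
        self.max_dynamic = max_dynamic_per_interface    # None means no cap (assumption of this model)
        self.dynamic_check = dynamic_check              # "dynamic ARP entry check" enabled?
        self.clock = clock                              # injectable so aging is testable

    def expire(self) -> None:
        """Remove dynamic entries whose aging timer has run out; static entries never age."""
        now = self.clock()
        for ip in [ip for ip, e in self.entries.items()
                   if not e.static and now - e.learned_at >= self.aging_seconds]:
            del self.entries[ip]

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        # A static entry replaces any dynamic entry for the same IP address.
        self.entries[ip] = ArpEntry(ip, mac, interface, True, 0.0)

    def learn_dynamic(self, ip: str, mac: str, interface: str) -> bool:
        """Install or refresh a dynamic entry; return False when the device would refuse it."""
        if self.dynamic_check and is_multicast_mac(mac):
            return False                                # no dynamic entries with multicast MACs
        self.expire()
        existing = self.entries.get(ip)
        if existing is not None and existing.static:
            return False                                # dynamic learning never overwrites a static entry
        if existing is None and self.max_dynamic is not None:
            on_interface = sum(1 for e in self.entries.values()
                               if not e.static and e.interface == interface)
            if on_interface >= self.max_dynamic:
                return False                            # interface already holds its maximum
        self.entries[ip] = ArpEntry(ip, mac, interface, False, self.clock())
        return True

    def interface_down(self, interface: str) -> None:
        """Dynamic entries that resolve through a down interface are dropped."""
        for ip in [ip for ip, e in self.entries.items()
                   if not e.static and e.interface == interface]:
            del self.entries[ip]

    def lookup(self, ip: str):
        self.expire()
        entry = self.entries.get(ip)
        return entry.mac if entry is not None else None


if __name__ == "__main__":
    table = ArpTable(max_dynamic_per_interface=2, dynamic_check=True)
    print(table.learn_dynamic("10.0.0.1", "00:11:22:33:44:55", "Eth1/1"))   # True
    print(table.learn_dynamic("10.0.0.2", "01:00:5e:00:00:01", "Eth1/1"))   # False: multicast MAC
```

The point a defender should take from the model is the asymmetry: a static entry displaces a dynamic one, but no amount of dynamic learning displaces a static entry, which is why the guide recommends static entries for devices whose IP-to-MAC mapping must not be changed by spoofed packets.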
Displaying and maintaining ARP
CAUTION: Clearing ARP entries from the ARP table might cause communication failures.
Task: Display ARP entries in the ARP table. Command: display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ count | verbose ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Display the ARP entry for a specific IP address.
Figure 3 Network diagram
Configuration procedure
# Create VLAN 10.
system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface Ethernet 1/1 to VLAN 10.
[Switch] interface ethernet 1/1
[Switch-Ethernet1/1] port link-type trunk
[Switch-Ethernet1/1] port trunk permit vlan 10
[Switch-Ethernet1/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.
Configuring gratuitous ARP
Overview
In a gratuitous ARP packet, the sender IP address and the target IP address are both the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a change of its MAC address.
The master router of a VRRP group can periodically send gratuitous ARP packets to the hosts on the local network, so that the hosts can update local ARP entries and avoid using the virtual IP address of the VRRP group. If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router.
Configuring proxy ARP
Overview
Proxy ARP enables a device on a network to answer ARP requests for an IP address not on that network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they do on the same network. Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.
Figure 5 Application environment of local proxy ARP
Enable local proxy ARP in one of the following cases:
• Hosts connecting to different isolated Layer 2 ports in the same VLAN need to communicate at Layer 3.
• If a super VLAN is configured, hosts in different sub VLANs of the super VLAN need to communicate at Layer 3.
Step 3. Enable local proxy ARP: local-proxy-arp enable [ ip-range startIP to endIP ]. Disabled by default.
Displaying and maintaining proxy ARP
Task: Display whether proxy ARP is enabled. Command: display proxy-arp [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Display whether local proxy ARP is enabled.
Configuration procedure
# Configure the IP address of interface Ethernet 1/2.
system-view
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ip address 192.168.10.99 255.255.255.0
# Enable proxy ARP on interface Ethernet 1/2.
[Router-Ethernet1/2] proxy-arp enable
[Router-Ethernet1/2] quit
# Configure the IP address of interface Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.20.99 255.255.255.0
# Enable proxy ARP on interface Ethernet 1/1.
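The decision a proxy ARP device makes for each incoming ARP request (answer with its own MAC, stay silent, or answer only because local proxy ARP covers the target) is easy to lose in the table form above. The following added example, not HP or Comware code, models that decision for common proxy ARP and local proxy ARP with its optional ip-range. The class and method names are assumptions; the interface addresses reuse the common proxy ARP example above (Ethernet 1/2 192.168.10.99/24, Ethernet 1/1 192.168.20.99/24), and the local proxy ARP interface and its address range are constructed.

```python
"""Decision logic for common and local proxy ARP. Added illustration only (not HP/Comware code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class L3Interface:
    network: ipaddress.IPv4Interface                # e.g. 192.168.10.99/24
    proxy_arp: bool = False                          # common proxy ARP (disabled by default)
    local_proxy_arp: bool = False                    # local proxy ARP (disabled by default)
    local_range: Optional[Tuple[str, str]] = None    # startIP/endIP of the ip-range keyword, if given


class ProxyArpDevice:
    def __init__(self):
        self.interfaces: Dict[str, L3Interface] = {}

    def add_interface(self, name, cidr, proxy_arp=False, local_proxy_arp=False, local_range=None):
        self.interfaces[name] = L3Interface(ipaddress.IPv4Interface(cidr), proxy_arp,
                                            local_proxy_arp, local_range)

    def egress_for(self, ip: str) -> Optional[str]:
        """Longest-prefix match over directly connected networks only (no static/dynamic routes)."""
        addr = ipaddress.IPv4Address(ip)
        best = None
        for name, itf in self.interfaces.items():
            if addr in itf.network.network and (
                    best is None
                    or itf.network.network.prefixlen > self.interfaces[best].network.network.prefixlen):
                best = name
        return best

    def answers_request(self, ingress: str, target_ip: str) -> str:
        """Classify an ARP request received on `ingress`: "own", "proxy", "local-proxy" or "silent"."""
        itf = self.interfaces[ingress]
        target = ipaddress.IPv4Address(target_ip)
        if target == itf.network.ip:
            return "own"                                  # ordinary ARP for the interface's own address
        egress = self.egress_for(target_ip)
        if egress is None:
            return "silent"                               # target not reachable on a connected network
        if egress != ingress:
            # Target lives behind another Layer 3 interface: common proxy ARP answers with our MAC.
            return "proxy" if itf.proxy_arp else "silent"
        # Target is on the same interface (isolated ports or sub VLANs): only local proxy ARP answers.
        if not itf.local_proxy_arp:
            return "silent"
        if itf.local_range is not None:
            low, high = (ipaddress.IPv4Address(a) for a in itf.local_range)
            if not low <= target <= high:
                return "silent"
        return "local-proxy"


if __name__ == "__main__":
    dev = ProxyArpDevice()
    dev.add_interface("Eth1/2", "192.168.10.99/24", proxy_arp=True)
    dev.add_interface("Eth1/1", "192.168.20.99/24", proxy_arp=True)
    print(dev.answers_request("Eth1/2", "192.168.20.5"))   # proxy
    print(dev.answers_request("Eth1/2", "192.168.10.5"))   # silent
```

Two consequences worth noting when reviewing a configuration: every "proxy" answer hands the requester the router's own MAC address, so hosts end up with many IP addresses mapped to one MAC, and the ip-range keyword of local-proxy-arp enable is the only knob that narrows which same-interface targets the device will answer for.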
# Add Ethernet 1/3, Ethernet 1/1 and Ethernet 1/2 to VLAN 2. Configure port isolation for Host A and Host B.
system-view
[Switch] vlan 2
[Switch-vlan2] port ethernet 1/3
[Switch-vlan2] port ethernet 1/1
[Switch-vlan2] port ethernet 1/2
[Switch-vlan2] quit
[Switch] interface ethernet 1/3
[Switch-Ethernet1/3] port-isolate enable
[Switch-Ethernet1/3] interface ethernet 1/1
[Switch-Ethernet1/1] port-isolate enable
2. Configure the router:
# Specify the IP address of Ethernet 1/2.
Configuring ARP snooping
Overview
ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. The ARP snooping entries can be used by ARP fast-reply. If ARP snooping is enabled on a VLAN, ARP packets received by the interfaces of the VLAN are redirected to the CPU. The CPU uses the sender IP and MAC addresses of the ARP packets, and the receiving VLAN and port, to create ARP snooping entries.
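The ARP message format section, the gratuitous ARP section and the ARP snooping overview above all work on the same 28-byte ARP body. The following added example, written for this guide and not HP or Comware code, parses that body (the RFC 826 Ethernet/IPv4 layout, which is what Figure 1 depicts), recognises a gratuitous ARP packet by its equal sender and target IP addresses, flags the address conflict a device probes for, and builds snooping entries from the sender fields plus the receiving VLAN and port. Function and class names are assumptions; the packets are constructed with the build_arp helper, not captured.

```python
"""Parse ARP bodies, recognise gratuitous ARP and build ARP snooping entries.
Added illustration only (not HP/Comware code); the sample packets are constructed."""
import struct
from typing import Dict, NamedTuple, Tuple

ARP_BODY = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(ARP_BODY)   # 28 bytes for Ethernet/IPv4
OP_REQUEST, OP_REPLY = 1, 2


class ArpPacket(NamedTuple):
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an Ethernet/IPv4 ARP body; used here only to create sample input."""
    return struct.pack(ARP_BODY, 1, 0x0800, 6, 4, op, _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                       _mac_bytes(target_mac), _ip_bytes(target_ip))


def parse_arp(body: bytes) -> ArpPacket:
    """Decode the body; reject anything that is not a well-formed Ethernet/IPv4 request or reply."""
    if len(body) < ARP_LEN:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_BODY, body[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return ArpPacket(op, _mac_str(sha), ".".join(map(str, spa)), _mac_str(tha), ".".join(map(str, tpa)))


def is_gratuitous(p: ArpPacket) -> bool:
    """Sender IP and target IP are both the sending device's own address."""
    return p.sender_ip == p.target_ip


def is_address_conflict(p: ArpPacket, own_ip: str, own_mac: str) -> bool:
    """Another MAC claims our IP address: the duplicate a device probes for with gratuitous ARP."""
    return p.sender_ip == own_ip and p.sender_mac.lower() != own_mac.lower()


class ArpSnooper:
    """Builds snooping entries from the sender fields of ARP packets seen on a VLAN."""

    def __init__(self):
        self.entries: Dict[Tuple[int, str], Tuple[str, str]] = {}   # (vlan, sender ip) -> (mac, port)

    def observe(self, p: ArpPacket, vlan: int, port: str) -> str:
        """Record the entry; report whether it is new, refreshed, or changed MAC/port."""
        key = (vlan, p.sender_ip)
        previous = self.entries.get(key)
        self.entries[key] = (p.sender_mac, port)
        if previous is None:
            return "new"
        return "refreshed" if previous == (p.sender_mac, port) else "changed"
```

The "changed" result is the one to watch operationally: a snooping entry whose MAC or port flips may be a legitimate MAC change announced by gratuitous ARP, as the gratuitous ARP section describes, or the symptom of spoofing, so it is the event to log rather than silently overwrite.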
DHCP overview
The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. A DHCP client can obtain an IP address and other configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Dynamic IP address allocation process
Figure 9 Dynamic IP address allocation process
1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format."
3.
DHCP message format
Figure 10 shows the DHCP message format, which is based on the BOOTP message format although DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.
Figure 10 DHCP message format
• op—Message type defined in option field. 1 = REQUEST, 2 = REPLY
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message traveled.
DHCP options
DHCP uses the same message format as BOOTP, but DHCP uses the Option field to carry information for dynamic address allocation and to provide additional configuration information to clients.
Figure 11 DHCP option format
Common DHCP options
The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option.
The DHCP client can obtain the following information through Option 43:
• Auto-Configuration Server (ACS) parameters, including the ACS URL, username, and password.
• Service provider identifier, which is acquired by the Customer Premises Equipment (CPE) from the DHCP server and sent to the ACS for selecting vendor-specific configurations and parameters.
For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide.
Figure 14 PXE server address sub-option value field
Relay agent option (Option 82)
Option 82 is the relay agent option in the option field of the DHCP message. It records the location information of the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server. The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting.
Figure 16 Sub-option 2 in normal padding format
• Verbose padding format:
  Sub-option 1—Includes the user-specified access node identifier (ID of the device that adds Option 82 in DHCP messages), and the type, number, and VLAN ID of the interface that received the client's request. The VLAN ID field has a fixed length of 2 bytes. All the other padding contents of sub-option 1 are variable in length. See Figure 17.
Figure 20 Sub-option 9 in private padding format
• Standard padding format:
  Sub-option 1—Includes the VLAN ID of the interface that received the client's request, the module (subcard number of the receiving port on a centralized device, or slot number of the receiving port on a distributed device), and the port (number of the receiving port). The value of the sub-option type is 1, and the value of the Circuit ID type is 0.
• RFC 1542, Clarifications and Extensions for the Bootstrap Protocol
• RFC 3046, DHCP Relay Agent Information Option
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
Configuring the DHCP server
Overview
The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and most users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.
1. If there is an address pool where an IP address is statically bound to the MAC address or ID of the client, the DHCP server selects this address pool and assigns the statically bound IP address to the client. For the configuration of this address pool, see "Configuring static address allocation."
2. If the receiving interface has an extended address pool referenced, the DHCP server assigns an IP address from this address pool.
Task: Applying an extended address pool on an interface. Required by the extended address pool configuration. When configuring a common address pool, ignore this task.
Task: Configuring the DHCP server security functions. Optional.
Task: Enabling client offline detection. Optional.
Task: Enabling handling of Option 82. Optional.
Task: Specifying the threshold for sending trap messages. Optional.
Step 2. Create a DHCP address pool and enter its view: dhcp server ip-pool pool-name [ extended ]. No DHCP address pool is created by default. A common address pool and an extended address pool differ in address allocation mode configuration. Configuration of other parameters (such as the domain name suffix and DNS server address) is the same for both.
Step 1. Enter system view: system-view.
Step 2. Enter common address pool view: dhcp server ip-pool pool-name.
Step 3. Specify the IP address: static-bind ip-address ip-address [ mask-length | mask mask ]. No IP addresses are statically bound by default.
Step 4. Specify the MAC address or client ID. Use either of the commands; neither is bound statically by default.
• Specify the MAC address: static-bind mac-address mac-address
• Specify the client ID:
Step 7. Exclude IP addresses from automatic allocation: dhcp server forbidden-ip low-ip-address [ high-ip-address ]. Optional. Except for the IP addresses of the DHCP server interfaces, all addresses in the DHCP address pool are assignable by default.
Configuring dynamic address allocation for an extended address pool
Extended address pools support dynamic address allocation only.
domain name, and the system adds the domain name suffix for name resolution. For more information about DNS, see "Configuring IPv4 DNS."
To configure a domain name suffix in the DHCP address pool:
Step 1. Enter system view: system-view.
Step 2. Enter DHCP address pool view: dhcp server ip-pool pool-name [ extended ].
Step 3. Specify a domain name suffix: domain-name domain-name. Not specified by default.
Step 1. Enter system view: system-view.
Step 2. Enter DHCP address pool view: dhcp server ip-pool pool-name [ extended ].
Step 3. Specify WINS servers: nbns-list ip-address&<1-8>. Optional for b-node. No WINS server is specified by default.
Step 4. Specify the NetBIOS node type: netbios-type { b-node | h-node | m-node | p-node }. Not specified by default.
Step 1. Enter system view: system-view.
Step 2. Enter DHCP address pool view: dhcp server ip-pool pool-name [ extended ].
Step 3. Specify the IP address of the network calling processor: voice-config ncp-ip ip-address. No primary network calling processor is specified by default.
Step 4. Specify the IP address of the backup network calling processor: voice-config as-ip ip-address.
Step 5. Configure the voice VLAN: voice-config voice-vlan vlan-id { disable | enable }.
Step 6.
Step 3. Specify the IP address or the name of the TFTP server. Use either command; not specified by default.
• Specify the TFTP server: tftp-server ip-address ip-address
• Specify the name of the TFTP server: tftp-server domain-name domain-name
Step 4. Specify the bootfile name: bootfile-name bootfile-name. Not specified by default.
Specifying a server's IP address for the DHCP client
Some DHCP clients need to obtain configuration information from a server, such as a TFTP server.
Step 3. Configure a self-defined DHCP option: option code { ascii ascii-string | hex hex-string&<1-16> | ip-address ip-address&<1-8> }. No self-defined DHCP option is configured by default. See Table 1 for a description of common options and corresponding commands.
When the DHCP server and client are on the same subnet:
• With the keyword subaddress specified, the DHCP server preferably assigns an IP address from an address pool that resides on the same subnet as the primary IP address of the server interface (connecting to the client). If the address pool contains no assignable IP address, the server assigns an IP address from an address pool that resides on the same subnet as the secondary IP addresses of the server interface.
Configuring the DHCP server security functions
Configuration prerequisites
Before you perform this configuration, complete the following configurations on the DHCP server:
1. Enable DHCP.
2. Configure the DHCP address pool.
Enabling unauthorized DHCP server detection
Unauthorized DHCP servers on a network might assign wrong IP addresses to DHCP clients. With unauthorized DHCP server detection enabled, the DHCP server checks whether a DHCP request contains Option 54 (Server Identifier Option).
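Both the Option 82 description earlier (the relay agent option that carries the client's location as sub-options) and the unauthorized DHCP server detection just described depend on reading the DHCP header and walking its option field. The following added example, written for this guide and not HP or Comware code, decodes the fixed header fields named in the message format section (op, htype, hlen, hops, xid, the four address fields and chaddr), walks the options, splits Option 82 into its RFC 3046 sub-options (1 = Circuit ID, 2 = Remote ID), and reports an Option 54 server identifier that is not in an authorized set; what the device does on such a report (log, trap) is left to the caller. All function names are assumptions, and the request message is constructed by build_request rather than captured.

```python
"""DHCP message/option parsing, Option 82 sub-options and the Option 54 server check.
Added illustration only (not HP/Comware code); the sample message is constructed."""
import ipaddress
import struct
from typing import Dict, List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_RELAY_AGENT, OPT_END = 0, 3, 6, 53, 54, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 sub-options of Option 82
DHCPREQUEST = 3


def _tlvs(buf: bytes, option_field: bool) -> Dict[int, List[bytes]]:
    """Code/length/value walk shared by the option field and Option 82's sub-option list."""
    out: Dict[int, List[bytes]] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if option_field and code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if option_field and code == OPT_END:
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of message")
        out.setdefault(code, []).append(value)         # a code may repeat; keep every instance
        i += 2 + length
    return out


def parse_dhcp(data: bytes) -> dict:
    """Decode the fixed header (op ... giaddr, chaddr) and the option field."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s", data[:28])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    chaddr = ":".join(f"{b:02x}" for b in data[28:28 + hlen])
    options = _tlvs(data[240:], option_field=True)
    msg_type = options[OPT_MSG_TYPE][0][0] if OPT_MSG_TYPE in options else None
    return {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": str(ipaddress.IPv4Address(ciaddr)), "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "siaddr": str(ipaddress.IPv4Address(siaddr)), "giaddr": str(ipaddress.IPv4Address(giaddr)),
            "chaddr": chaddr, "message_type": msg_type, "options": options}


def parse_relay_agent_info(value: bytes) -> Dict[int, bytes]:
    """Option 82 value -> {sub-option code: value}; 1 is the Circuit ID, 2 the Remote ID."""
    return {code: values[0] for code, values in _tlvs(value, option_field=False).items()}


def unauthorized_server(options: Dict[int, List[bytes]], authorized: Set[str]) -> Optional[str]:
    """Return the Option 54 server identifier when the client selected a server outside the authorized set."""
    if OPT_SERVER_ID not in options or len(options[OPT_SERVER_ID][0]) != 4:
        return None
    server = str(ipaddress.IPv4Address(options[OPT_SERVER_ID][0]))
    return None if server in authorized else server


def build_request(xid: int, client_mac: str, server_id: str, circuit_id: bytes = b"",
                  remote_id: bytes = b"", giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Construct a sample DHCPREQUEST (constructed test input, not a captured packet)."""
    mac = bytes.fromhex(client_mac.replace(":", ""))
    zero = b"\x00" * 4
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, hops, xid, 0, 0x8000, zero, zero, zero,
                         ipaddress.IPv4Address(giaddr).packed)
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128 + MAGIC_COOKIE
    opts = bytes([OPT_MSG_TYPE, 1, DHCPREQUEST])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    sub = b""
    if circuit_id:
        sub += bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        sub += bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id
    if sub:
        opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    return header + opts + bytes([OPT_END])
```

The parser deliberately refuses a message whose option length runs past the end of the buffer instead of reading whatever follows; option walkers that trust the length byte are a classic source of out-of-bounds reads in DHCP implementations, so a parser used for detection should fail closed on such input.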
Step 3. Configure the ping timeout time: dhcp server ping timeout milliseconds. Optional. The default setting is 500 ms. The value 0 disables IP address conflict detection.
Configuring the DHCP server to work with authorized ARP
Only the clients that obtain an IP address from the DHCP server are considered authorized clients. If the DHCP server also serves as the gateway, it can work with authorized ARP to block unauthorized clients and prevent ARP spoofing attacks.
Step 2. Enter interface view: interface interface-type interface-number.
Step 3. Enable the DHCP server to work with authorized ARP: dhcp update arp. Not enabled by default.
Step 4. Enable authorized ARP: arp authorized enable. Disabled by default.
Enabling client offline detection
With this feature enabled, the DHCP server considers that a DHCP client has gone offline when the ARP entry for the client ages out.
Supporting Option 82 requires configuring both the DHCP server and the relay agent (or the device enabled with DHCP snooping). For more information, see "Configuring the DHCP relay agent" and "Configuring DHCP snooping."
Specifying the threshold for sending trap messages
Configuration prerequisites
Before you perform the configuration, use the snmp-agent target-host command to specify the destination address of the trap messages.
Task: Display information about assignable IP addresses. Command: display dhcp server free-ip [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Display IP addresses excluded from automatic allocation in the DHCP address pool. Command: display dhcp server forbidden-ip [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Display information about bindings.
Figure 22 Network diagram (Router A, DHCP server, Ethernet 1/1 10.1.1.1/25; gateway 10.1.1.126/25; DNS server 10.1.1.2/25; Router B, DHCP client, Ethernet 1/1; Router C, BOOTP client, Ethernet 1/1)
Configuration procedure
1. Configure the IP address of Ethernet 1/1 on Router A:
system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 25
[RouterA-Ethernet1/1] quit
2. Configure the DHCP server:
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
Dynamic IP address assignment configuration example
Network requirements
As shown in Figure 23, the DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25. The IP addresses of Ethernet 1/1 and Ethernet 1/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25 respectively. In subnet 10.1.1.0/25, the address lease duration is ten days and twelve hours, the domain name suffix is aabbcc.com, the DNS server address is 10.1.1.
[RouterA] dhcp server forbidden-ip 10.1.1.2
[RouterA] dhcp server forbidden-ip 10.1.1.4
[RouterA] dhcp server forbidden-ip 10.1.1.126
[RouterA] dhcp server forbidden-ip 10.1.1.254
# Configure DHCP address pool 0 (subnet, client domain name suffix, and DNS server address).
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] domain-name aabbcc.com
[RouterA-dhcp-pool-0] dns-list 10.1.1.
Configuration procedure
1. Specify the IP address of interface Ethernet 1/1. (Details not shown.)
2. Configure the DHCP server:
# Enable DHCP.
system-view
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select server global-pool
[RouterA-Ethernet1/1] quit
# Configure DHCP address pool 0.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.
Configuring the DHCP relay agent
The DHCP relay agent configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), virtual Ethernet interfaces (or subinterfaces), VLAN interfaces, Layer 3 aggregate interfaces, and serial interfaces.
Overview
The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet, centralizes management, and reduces investment.
Figure 26 DHCP relay agent work process
1. After receiving a DHCP-DISCOVER or DHCP-REQUEST broadcast message from a DHCP client, the DHCP relay agent fills the giaddr field of the message with its IP address and forwards the message to the designated DHCP server in unicast mode.
2. Based on the giaddr field, the DHCP server returns an IP address and other configuration parameters in a response to the relay agent, and the relay agent conveys it to the client.
If a DHCP request has… / Handling strategy / Padding format / The DHCP relay agent…
Handling strategy N/A, padding format verbose: Forwards the message after adding the Option 82 padded in verbose format.
Handling strategy N/A, padding format user-defined: Forwards the message after adding the user-defined Option 82.
DHCP relay agent configuration task list
Task: Enabling DHCP. Required.
Task: Enabling the DHCP relay agent on an interface. Required.
Task: Correlating a DHCP server group with a relay agent interface. Required.
Step 2. Enter interface view: interface interface-type interface-number.
Step 3. Enable the DHCP relay agent on the current interface: dhcp select relay. With DHCP enabled, an interface operates in DHCP server mode.
Correlating a DHCP server group with a relay agent interface
To improve availability, you can specify several DHCP servers as a group on the DHCP relay agent and correlate a relay agent interface with the server group.
Configuring the DHCP relay agent security functions
Configuring address check
Address check can block illegal hosts from accessing external networks. With this feature enabled, the DHCP relay agent can dynamically record clients' IP-to-MAC bindings after they obtain IP addresses through DHCP. You can also configure static IP-to-MAC bindings on the DHCP relay agent so that users can access external networks using fixed IP addresses.
Configuring periodic refresh of dynamic client entries
A DHCP client unicasts a DHCP-RELEASE message to the DHCP server to release its IP address. The DHCP relay agent simply conveys the message to the DHCP server and does not remove the IP-to-MAC entry of the client. With this feature, the DHCP relay agent uses the IP address of a client and the MAC address of the DHCP relay interface to periodically send a DHCP-REQUEST message to the DHCP server.
Configuration guidelines
• Authorized ARP can only be configured on Layer 3 Ethernet interfaces.
• Disabling the DHCP relay agent to support authorized ARP deletes the corresponding authorized ARP entries.
• Because the DHCP relay agent does not notify the authorized ARP module of the static bindings, you need to configure the corresponding static ARP entries for authorized users that have statically specified IP addresses.
• To mitigate a DHCP starvation attack that uses DHCP packets encapsulated with different source MAC addresses, you can limit the number of ARP entries that a Layer 3 interface can learn or the number of MAC addresses that a Layer 2 port can learn. You can also configure an interface that has learned the maximum number of MAC addresses to discard packets whose source MAC addresses are not in the MAC address table.
Configuring the DHCP relay agent to release an IP address
You can configure the relay agent to release a client's IP address. The relay agent sends a DHCP-RELEASE message that contains the specified IP address. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address. Meanwhile, the client entry is removed from the DHCP relay agent. The IP address to be released must be available in a dynamic client entry.
Step 4. Configure the strategy for handling DHCP requests containing Option 82: dhcp relay information strategy { drop | keep | replace }. Optional.
Step 5. Configure non-user-defined Option 82:
• Configure the padding format for
Task: Display information about the configuration of a specific or all DHCP server groups. Command: display dhcp relay server-group { group-id | all } [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Display packet statistics on the DHCP relay agent. Command: display dhcp relay statistics [ server-group { group-id | all } ] [ | { begin | exclude | include } regular-expression ]. Available in any view.
Task: Clear packet statistics on the DHCP relay agent.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select relay
# Correlate Ethernet 1/1 to DHCP server group 1.
[RouterA-Ethernet1/1] dhcp relay server-select 1
After the preceding configuration is complete, DHCP clients can obtain IP addresses and other network parameters from the DHCP server through the DHCP relay agent. You can use the display dhcp relay statistics command to view statistics on the DHCP packets forwarded by the DHCP relay agent.
Troubleshooting DHCP relay agent configuration
Symptom
DHCP clients cannot obtain any configuration parameters through the DHCP relay agent.
Analysis
Some problems might occur with the DHCP relay agent or server configuration.
Solution
To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Verify that:
1. DHCP is enabled on the DHCP server and relay agent.
2.
Configuring DHCP client
The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces. You cannot configure an interface of an aggregation group as a DHCP client. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
DHCP client configuration example
Network requirements
As shown in Figure 29, Router B contacts the DHCP server through Ethernet 1/1 to obtain an IP address, DNS server address, and static route information. The DHCP client IP address resides on network 10.1.1.0/24. The DNS server address is 20.1.1.1. The next hop of the static route to network 20.1.1.0/24 is 10.1.1.2. The DHCP server uses Option 121 to assign static route information to DHCP clients. Figure 28 shows the format of Option 121.
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.1
[RouterA-dhcp-pool-0] option 121 hex 18 14 01 01 0A 01 01 02
2. Configure Router B:
# Enable the DHCP client on Ethernet 1/1.
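The hex string in the option 121 command above is the RFC 3442 classless static route encoding: one byte of prefix length, only the significant octets of the destination (as many as the prefix length needs), then the four-byte router address. So 18 14 01 01 0A 01 01 02 reads as prefix length 0x18 = 24, destination 20.1.1 (three octets), router 10.1.1.2, which is exactly the route required in the example. The following added example, written for this guide and not HP or Comware code, encodes and decodes that format and renders the bytes in the form the option command takes; the function names are assumptions. It goes slightly beyond the single route on the page by handling a list of routes, including a default route, which the encoding expresses with prefix length 0 and no destination octets.

```python
"""Encode/decode DHCP Option 121 (RFC 3442 classless static routes).
Added illustration only (not HP/Comware code); function names are assumptions."""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]   # ("destination/prefix", "router")


def encode_option121(routes: List[Route]) -> bytes:
    """Each route: 1 byte prefix length, ceil(prefix/8) destination octets, 4 router octets."""
    out = bytearray()
    for destination, router in routes:
        net = ipaddress.IPv4Network(destination, strict=True)     # rejects host bits in the destination
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)


def decode_option121(value: bytes) -> List[Route]:
    """Inverse of encode_option121; raises ValueError on a truncated or malformed route list."""
    routes: List[Route] = []
    i = 0
    while i < len(value):
        prefixlen = value[i]
        i += 1
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(value):
            raise ValueError("truncated route descriptor")
        destination = value[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        router = value[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network((int.from_bytes(destination, "big"), prefixlen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def to_cli_hex(value: bytes) -> str:
    """Render bytes the way the guide's 'option 121 hex ...' command lists them."""
    return " ".join(f"{b:02X}" for b in value)


def from_cli_hex(text: str) -> bytes:
    """Parse the space-separated hex string from such a command back into bytes."""
    return bytes.fromhex(text)


if __name__ == "__main__":
    encoded = encode_option121([("20.1.1.0/24", "10.1.1.2")])
    print(to_cli_hex(encoded))                      # 18 14 01 01 0A 01 01 02
    print(decode_option121(from_cli_hex("18 14 01 01 0A 01 01 02")))
```

Because the option's length byte is the only delimiter, a route descriptor whose destination or router octets are cut off is ambiguous; the decoder refuses it rather than guessing, which is also what a DHCP client should do with a malformed Option 121 it receives.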
Configuring DHCP snooping

DHCP snooping is supported on fixed Layer 2 switching interfaces on MSR20-1X and MSR900 routers, and is not supported on MSR93X routers. To use DHCP snooping, other series routers need to install a FIC-16FSW, DFIC-24FSW, MIM-16FSW, or DMIM-24FSW interface module. A DHCP snooping-enabled device must be either between the DHCP client and relay agent, or between the DHCP client and server. It does not work if it is between the DHCP relay agent and DHCP server.
Application of trusted and untrusted ports

Configuring a trusted port connected to a DHCP server
Figure 30 Configuring trusted and untrusted ports

Configuring trusted ports in a cascaded network
In a cascaded network as shown in Figure 31, each DHCP snooping device's ports connected to other DHCP snooping devices should be configured as trusted ports.
DHCP snooping support for Option 82

Option 82 records the location information of the DHCP client so the administrator can locate the DHCP client for security control and accounting purposes. For more information, see "Configuring the DHCP relay agent." If DHCP snooping supports Option 82, it handles clients' requests according to Option 82, if any. Table 3 describes the handling strategies.
| If a DHCP request has… | Handling strategy | Padding format | The DHCP snooping device… |
| --- | --- | --- | --- |
| | N/A | private | Forwards the message after adding Option 82 padded in private format. |
| | N/A | standard | Forwards the message after adding Option 82 padded in standard format. |
| | N/A | verbose | Forwards the message after adding the Option 82 padded in verbose format. |
| | N/A | user-defined | Forwards the message after adding the user-defined Option 82. |
To configure DHCP snooping basic functions:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP snooping.
   Command: dhcp-snooping
   Remarks: Disabled by default.
3. Enter Ethernet interface view.
   Command: interface interface-type interface-number
   Remarks: The interface connects to the DHCP server.
4. Specify the port as a trusted port that records the IP-to-MAC bindings of clients.
   Command: dhcp-snooping trust
   Remarks: After DHCP snooping is enabled, a port is an untrusted port by default.
5. Return to system view.
3. Enable DHCP snooping to support Option 82.
   Command: dhcp-snooping information enable
   Remarks: Disabled by default.
4. Configure the handling strategy for requests containing Option 82.
   Command: dhcp-snooping information strategy { append | drop | keep | replace }
   Remarks: Optional. replace by default.
Configuring DHCP snooping entries backup

DHCP snooping entries cannot survive a reboot. If the DHCP snooping device is rebooted, security modules (such as IP source guard) that use DHCP snooping entries to authenticate users reject requests from clients until new entries are learned. The DHCP snooping entries backup feature enables you to store DHCP snooping entries in a file. When the DHCP snooping device reboots, it reads DHCP snooping entries from this file.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable MAC address check.
   Remarks: Disabled by default. You can enable MAC address check only on Layer 2 Ethernet interfaces, Layer 2 aggregate interfaces, and WLAN-BSS interfaces.
Task: Display Option 82 configuration information on the DHCP snooping device.
   Command: display dhcp-snooping information { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display DHCP packet statistics on the DHCP snooping device.
   Command: display dhcp-snooping packet statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display information about trusted ports.
system-view
[SwitchB] dhcp-snooping
# Specify Ethernet 1/1 as trusted.
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] dhcp-snooping trust
[SwitchB-Ethernet1/1] quit

DHCP snooping Option 82 support configuration example

Network requirements
As shown in Figure 32, Switch B replaces Option 82 in DHCP requests before forwarding them to the DHCP server (Switch A).
• The Circuit ID sub-option is company001.
• The Remote ID sub-option is device001.
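The handling strategies from the Option 82 table and the dhcp-snooping information strategy command, applied to the Circuit ID and Remote ID values of this example, can be modelled on the wire format. The following Python is an added example and not code from the HP guide: it builds Option 82 (code 82, RFC 3046) from sub-option 1 (Circuit ID) and sub-option 2 (Remote ID), then applies the drop, keep and replace strategies to a client request and adds the device's own Option 82 when the request carries none. The append keyword is left out because the text does not spell out what it does to an existing Option 82.

```python
# Added example (not from the HP guide): how a DHCP snooping device on the client
# side of the relay agent or server applies its Option 82 handling strategy.
# Option codes are the standard values from RFC 2132 and RFC 3046.
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT_INFO = 82
OPT_END = 255
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def build_option82_value(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Sub-option TLVs that form the value of Option 82 (circuit ID + remote ID)."""
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)


def parse_tlvs(blob: bytes, stop_at_end=True):
    """Parse (code, length, value) TLVs into an ordered list of (code, value)."""
    items = []
    i = 0
    while i < len(blob):
        code = blob[i]
        if stop_at_end and code == OPT_END:
            break
        if code == 0:                     # pad octet: no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("option header truncated")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        items.append((code, value))
        i += 2 + length
    return items


def serialize_options(items) -> bytes:
    """Serialize (code, value) pairs as a DHCP options field ending with the End option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in items) + bytes([OPT_END])


def handle_request(options: bytes, strategy: str, own_option82: bytes):
    """Return the options field to forward, or None when the request is dropped.

    A request without Option 82 gets the device's own Option 82 added; a request
    that already carries one is handled per strategy (drop, keep, replace).
    "append" is not modelled because its behaviour is not described in the text.
    """
    items = parse_tlvs(options)
    has_option82 = any(code == OPT_RELAY_AGENT_INFO for code, _ in items)
    if not has_option82:
        items.append((OPT_RELAY_AGENT_INFO, own_option82))
    elif strategy == "drop":
        return None
    elif strategy == "keep":
        pass                                            # forward unchanged
    elif strategy == "replace":
        items = [(c, own_option82 if c == OPT_RELAY_AGENT_INFO else v) for c, v in items]
    else:
        raise ValueError(f"unsupported strategy {strategy!r}")
    return serialize_options(items)


def option82_suboptions(options: bytes) -> dict:
    """Return {sub-option code: value} of the Option 82 in a serialized options field."""
    for code, value in parse_tlvs(options):
        if code == OPT_RELAY_AGENT_INFO:
            return dict(parse_tlvs(value, stop_at_end=False))
    return {}


if __name__ == "__main__":
    own = build_option82_value(b"company001", b"device001")    # values from the example
    discover = serialize_options([(OPT_MSG_TYPE, b"\x01")])    # constructed DHCPDISCOVER
    print(option82_suboptions(handle_request(discover, "replace", own)))
```

With the default replace strategy, a client-supplied Option 82 on an untrusted port is overwritten with the switch's own Circuit ID and Remote ID, so the server only ever sees location data inserted by the snooping device; keep would pass the client's values through, and drop discards such requests entirely.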
Configuring BOOTP client

BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003. You cannot configure an interface of an aggregation group as a BOOTP client.
Configuring an interface to dynamically obtain an IP address through BOOTP

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an interface to dynamically obtain an IP address through BOOTP.
   Command: ip address bootp-alloc
   Remarks: By default, an interface does not use BOOTP to obtain an IP address.

Displaying and maintaining BOOTP client configuration

Task: Display BOOTP client information.
Configuring IPv4 DNS

Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. DNS services can be static or dynamic. After a user specifies a name, the device checks the local static name resolution table for an IP address.
Figure 33 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest mappings between domain names and IP addresses in the dynamic domain name cache.
Figure 34 DNS proxy networking application

A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution table after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.
The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up connection is established through the dial-up interface, the device dynamically obtains the DNS server address through DHCP or other autoconfiguration mechanisms.
• Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the DNS server if it cannot find a match in the local domain name resolution table.
2. Configure a mapping between a host name and an IPv4 address.
   Command: ip host hostname ip-address
   Remarks: Not configured by default. The IPv4 address you last assign to the host name overwrites the previous one if there is any. You may create up to 50 static mappings between domain names and IPv4 addresses.

Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure a DNS server.
Configuring the DNS proxy

You can specify multiple DNS servers. Upon receiving a name query request from a client, the DNS proxy forwards the request to the DNS server that has the highest priority. If it receives no reply, it forwards the request to the DNS server that has the second highest priority, and so on.

To configure the DNS proxy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DNS proxy.
   Command: dns proxy enable
   Remarks: Disabled by default.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the source interface for DNS packets.
   Command: dns source-interface interface-type interface-number
   Remarks: By default, no source interface for DNS packets is specified. The device uses the primary IP address of the output interface of the matching route as the source IP address of a DNS request.

Displaying and maintaining IPv4 DNS

Task: Display the static IPv4 domain name resolution table.
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
PING host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=128 time=1 ms
Reply from 10.1.1.
Configuration procedure
Before performing the following configuration, make sure the device and the host are accessible to each other through available routes, and that the IP addresses of the interfaces are configured as shown in Figure 37. This configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
1. Configure the DNS server:
   a. Select Start > Programs > Administrative Tools > DNS.
Figure 39 Adding a host
   d. On the page that appears, enter host name host and IP address 3.1.1.1.
   e. Click Add Host. The mapping between the IP address and host name is created.
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Sysname] dns resolve
# Specify the DNS server 2.1.1.2.
[Sysname] dns server 2.1.1.2
# Configure com as the name suffix.
[Sysname] dns domain com

Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 3.1.1.1.
Figure 41 Network diagram

Configuration procedure
Before performing the following configuration, assume that Device A, the DNS server, and the host are reachable to each other and the IP addresses of the interfaces are configured as shown in Figure 41.
1. Configure the DNS server:
This configuration might vary with DNS servers. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for related configuration information.
Reply from 3.1.1.1: bytes=56 Sequence=3 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=4 ttl=126 time=1 ms
Reply from 3.1.1.1: bytes=56 Sequence=5 ttl=126 time=1 ms
--- host.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/3 ms

Troubleshooting IPv4 DNS configuration

Symptom
After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution
1.
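The lookup order described in this chapter (static table from ip host first, then the dynamic cache, then the configured servers in priority order, with a DNS proxy answering client queries the same way) can be checked against a model. The following Python is an added example and not code from the HP guide. The zone data, the server address 192.0.2.53 and the rule that the dns domain suffix is appended only to names that contain no dot are assumptions made for the example; the limit of 50 static mappings and the overwrite-on-reassignment rule are the ones stated in the text.

```python
# Added example (not from the HP guide): a model of the resolution order the text
# describes. Static mappings win, then the dynamic cache, then the servers in
# priority order; a DNS proxy serves clients with the same procedure.
# Assumption for this example: the name suffix is appended only to names without a dot.


class DnsResolver:
    MAX_STATIC = 50                          # limit on static mappings stated in the text

    def __init__(self, servers, suffix=None, query=None):
        self.servers = list(servers)         # highest priority first
        self.suffix = suffix
        self.query = query                   # query(server_ip, fqdn) -> ip or None
        self.static = {}
        self.cache = {}
        self.tried = []                      # servers contacted, kept for inspection

    def ip_host(self, hostname, ip):
        """ip host hostname ip-address: a later assignment overwrites the earlier one."""
        if hostname not in self.static and len(self.static) >= self.MAX_STATIC:
            raise ValueError("static table full (50 entries)")
        self.static[hostname] = ip

    def qualify(self, name):
        if self.suffix and "." not in name:
            return f"{name}.{self.suffix}"
        return name

    def resolve(self, name):
        fqdn = self.qualify(name)
        for candidate in (name, fqdn):       # static table is checked first
            if candidate in self.static:
                return self.static[candidate]
        if fqdn in self.cache:               # then the dynamic cache
            return self.cache[fqdn]
        for server in self.servers:          # then each server, highest priority first
            self.tried.append(server)
            ip = self.query(server, fqdn) if self.query else None
            if ip is not None:
                self.cache[fqdn] = ip
                return ip
        return None


class DnsProxy(DnsResolver):
    """Hosts point at the proxy as their DNS server; it answers from its own tables
    or forwards to the real servers in priority order."""

    def handle_query(self, name):
        ip = self.resolve(name)
        return {"name": name, "answer": ip, "rcode": "NOERROR" if ip else "NXDOMAIN"}


# Constructed zone data standing in for the DNS server at 2.1.1.2 in the example.
ZONES = {"2.1.1.2": {"host.com": "3.1.1.1"}}


def lookup_zone(server_ip, fqdn):
    """Simulated network query: returns the server's record or None (no reply)."""
    return ZONES.get(server_ip, {}).get(fqdn)


if __name__ == "__main__":
    r = DnsResolver(["192.0.2.53", "2.1.1.2"], suffix="com", query=lookup_zone)
    print(r.resolve("host"), r.tried)          # 3.1.1.1 after falling back to 2.1.1.2
```

Because the static table is consulted before any server, a stale ip host entry silently overrides the answer the server would give; the troubleshooting step of checking static entries before suspecting the server follows from that order.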
Configuring DDNS

Overview
Although DNS allows you to access nodes in networks using their domain names, it provides only the static mappings between domain names and IP addresses. When you use the domain name to access a node whose IP address has changed, your access fails because DNS leads you to the IP address that is no longer where the node resides.
With the DDNS client configured, a device can dynamically update the latest mapping between its domain name and IP address on the DNS server through DDNS servers at www.3322.org or www.oray.cn for example. The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts. The well-known DDNS service providers include www.3322.org, www.oray.cn (also known as the PeanutHull server), and www.dyndns.com.
Configuration prerequisites
Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. When the DDNS client updates the mapping between the domain name and the IP address through the DDNS server, the DDNS server checks whether the account information is correct and whether the domain name to be updated belongs to the account.

Configuration procedure
To configure a DDNS policy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
• Configure static or dynamic domain name resolution to translate the domain name of the DDNS server into the IPv4 address. For more information, see "Configuring the IPv4 DNS client."

Configuration procedure
To apply the DDNS policy to an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3.
Figure 43 Network diagram (Router, the DDNS client, connects through Eth1/1 across the IP network to the www.3322.org DDNS server and to the DNS server at 1.1.1.1)

Configuration procedure
Before configuring DDNS on Router, register with username steven and password nevets at http://www.3322.org/, add Router's host name-to-IP address mapping to the DNS server, and make sure the devices are reachable to each other.
# Create a DDNS policy named 3322.org, and enter its view.
system-view
[Router] ddns policy 3322.
DDNS configuration example 2

Network requirements
As shown in Figure 44, Router is a Web server with domain name whatever.gicp.cn. Router acquires the IP address through DHCP. Through the PeanutHull server, Router informs the DNS server of the latest mapping between its domain name and IP address. The IP address of the DNS server is 1.1.1.1. Router uses the DNS server to translate www.oray.cn into the corresponding IP address.
Figure 44 Network diagram www.oray.
# Apply the DDNS policy to interface Ethernet 1/1 to enable DDNS update and dynamically update the mapping between whatever.gicp.cn and the primary IP address of Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ddns apply policy oray.cn fqdn whatever.gicp.cn
After the preceding configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the PeanutHull server, whenever the IP address of Router changes.
Configuring IP addressing

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview
This section describes the IP addressing basics. IP addressing uses a 32-bit address to identify each host on a network. To make addresses easier to read, they are written in dotted decimal notation, each address being four octets in length.
| Class | Address range | Remarks |
| --- | --- | --- |
| C | 192.0.0.0 to 223.255.255.255 | N/A |
| D | 224.0.0.0 to 239.255.255.255 | Multicast addresses. |
| E | 240.0.0.0 to 255.255.255.255 | Reserved for future use except for the broadcast address 255.255.255.255. |

Special IP addresses
The following IP addresses are for special use and cannot be used as host IP addresses.
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.
• With subnetting—Using the first 9 bits of the host-id for subnetting provides 512 (2^9) subnets. However, only 7 bits remain available for the host ID. This allows 126 (2^7 – 2) hosts in each subnet, a total of 64512 hosts (512 × 126).

Assigning an IP address to an interface
You can assign an interface one primary address and multiple secondary addresses. Generally, you only need to assign the primary address to an interface. In some cases, you must assign secondary IP addresses to the interface.
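The class table, the special-address rule and the subnetting arithmetic above generalise to a few short functions. The following Python is an added example, not code from the HP guide; it reproduces the 512 subnets / 126 hosts / 64512 total figures for a class B network with 9 subnet bits and extends the same computation to any network and any number of borrowed bits. The class A and B ranges (0 to 127 and 128 to 191) are the standard classful boundaries that precede the rows shown on this page.

```python
import ipaddress

# Added example (not from the HP guide): address classes, the all-zero-net-ID rule,
# and the subnetting arithmetic from this section, generalised to any classful
# network and any number of subnet bits.


def ip_class(addr):
    """Class from the first octet: A 0-127, B 128-191, C 192-223, D 224-239, E 240-255."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_prefixlen(addr):
    """Natural net-ID length of a class A/B/C address (D and E have no host part)."""
    return {"A": 8, "B": 16, "C": 24}[ip_class(addr)]


def host_assignable(addr):
    """False for addresses the text lists as unusable for hosts: all-zero net ID,
    class D (multicast) and class E (reserved, including 255.255.255.255)."""
    cls = ip_class(addr)
    if cls in ("D", "E"):
        return False
    net_id = int(ipaddress.IPv4Address(addr)) >> (32 - classful_prefixlen(addr))
    return net_id != 0


def subnet_plan(network, subnet_bits):
    """(subnets, usable hosts per subnet, usable hosts in total) when subnet_bits
    of the host ID are borrowed for subnetting."""
    net = ipaddress.IPv4Network(network)
    host_bits = 32 - net.prefixlen - subnet_bits
    if subnet_bits < 0 or host_bits < 2:
        raise ValueError("a subnet needs at least 2 host bits")
    subnets = 2 ** subnet_bits
    hosts = 2 ** host_bits - 2          # network and broadcast addresses excluded
    return subnets, hosts, subnets * hosts


def list_subnets(network, subnet_bits, limit=4):
    """First `limit` subnets produced by the plan, as prefix strings."""
    net = ipaddress.IPv4Network(network)
    return [str(s) for s, _ in zip(net.subnets(prefixlen_diff=subnet_bits), range(limit))]


if __name__ == "__main__":
    print(subnet_plan("172.16.0.0/16", 9))          # (512, 126, 64512) as in the text
    print(list_subnets("172.16.0.0/16", 9, limit=3))
```

The total host count drops from 65534 to 64512 when 9 bits are borrowed because every one of the 512 subnets gives up its own network and broadcast address.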
• Set the primary IP address of the router as the gateway address of the hosts on subnet 172.16.1.0/24, and the secondary IP address of the router as the gateway address of the hosts on subnet 172.16.2.0/24.

Figure 47 Network diagram

Configuration procedure
# Assign a primary IP address and a secondary IP address to Ethernet 1/1.
system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 172.16.1.1 255.255.255.0
[Router-Ethernet1/1] ip address 172.16.2.1 255.255.255.
Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms
--- 172.16.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.
Configuration procedure
To configure IP unnumbered on an interface:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the current interface to borrow the IP address of the specified interface.
   Command: ip address unnumbered interface interface-type interface-number
   Remarks: The interface does not borrow IP addresses from other interfaces by default.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 2/1
2. Configure Router B:
# Assign a primary IP address to Ethernet 1/1.
system-view
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ip address 172.16.20.1 255.255.255.0
[RouterB-Ethernet1/1] quit
# Configure interface Serial 2/1 to borrow an IP address from Ethernet 1/1.
Configuring fast forwarding

Overview
Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It uses a five-tuple (source IP address, source port number, destination IP address, destination port number, and protocol number) to identify a data flow.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable fast forwarding on the interface in the inbound and/or outbound direction.
   Command: ip fast-forwarding [ inbound | outbound ]
   Remarks: Optional. By default, fast forwarding is enabled in the inbound and outbound directions.

Displaying and maintaining fast forwarding

Task: Display information in the fast forwarding table.
Configuring Router C
# Configure the IP address of interface Serial 2/1. By default, fast forwarding is enabled in the inbound and outbound directions.
system-view
[RouterC] interface serial2/1
[RouterC-Serial2/1] ip address 22.1.1.2 255.0.0.0
[RouterC-Serial2/1] quit
# Configure a static route.
[RouterC] ip route-static 11.1.1.0 255.0.0.0 22.1.1.1

Configuring Router B
# Configure IP addresses of interfaces Ethernet 1/1 and Serial 2/1.
507 :0 11.1.1.1 8 22.1.1.2 0 1 Eth1/1
The output shows that fast forwarding entries have been created.
Optimizing IP performance

This chapter describes multiple features for IP performance optimization.

Enabling forwarding of directed broadcasts to a directly connected network
A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of the directed broadcast, the network ID identifies the target network, and the host ID is made up of all ones.
• The interface Ethernet 1/2 of Router and user hosts (Host A, Host B, and Host C) are in another subnet 2.2.2.0/24.
• The default gateway of Administrator is the IP address 1.1.1.2/24 of the interface Ethernet 1/1 of Router.
• The default gateway of Host A, Host B, and Host C is the IP address 2.2.2.2/24 of the interface Ethernet 1/2 of Router.
Configure forwarding of directed broadcasts so that user hosts can receive directed broadcasts from the Administrator to implement Wake on LAN.
• If you configure a TCP MSS on an interface, the size of each TCP segment received or sent on the interface cannot exceed the MSS value.
• This configuration takes effect only for TCP connections that are established after the configuration, not for TCP connections that already exist.
• This configuration is effective only for IP packets. If MPLS is enabled on the interface, do not configure the TCP MSS on the interface.

To configure the TCP MSS of the interface:
1.
The path MTU uses an aging mechanism to make sure the source device can increase the path MTU when the minimum link MTU on the path increases:
• When the TCP source device receives an ICMP error message, it reduces the path MTU and starts an age timer for the path MTU.
• After the age timer expires, the source device uses a larger MSS in the MTU table as described in RFC 1191.
2. Configure TCP timers.
   Commands:
   • Configure the TCP synwait timer: tcp timer syn-timeout time-value
   • Configure the TCP finwait timer: tcp timer fin-timeout time-value
   Remarks: Optional. By default:
   • The TCP synwait timer is 75 seconds.
   • The TCP finwait timer is 675 seconds.

Configuring ICMP to send error packets
Sending error packets is a major function of ICMP.
• If the destination of a packet is local but the transport layer protocol of the packet is not supported by the local device, the device sends a "protocol unreachable" ICMP error packet to the source.
• When receiving a packet with the destination being local and the transport layer protocol being UDP, if the packet's port number does not match the running process, the device sends the source a "port unreachable" ICMP error packet.
Enabling support for ICMP extensions

ICMP messages are of a fixed format and cannot carry extension information. With support for ICMP extensions enabled, a device appends an extension information field to the ICMP messages as needed. The device can append only MPLS label information to ICMP messages.
NOTE:
ICMP/ICMPv6 messages that can carry extension information include only IPv4 redirect messages, IPv4/IPv6 time exceeded messages, and IPv4/IPv6 destination unreachable messages.

Configuration procedure
To enable support for ICMP extensions:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable support for ICMP extensions.
   Commands:
   • In compliant mode: ip icmp-extensions compliant
   • In non-compliant mode: ip icmp-extensions non-compliant
   Remarks: Optional. Disabled by default.
Configuration procedure
To configure IP virtual fragment reassembly:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable IP virtual fragment reassembly.
   Command: ip virtual-reassembly [ drop-fragments | max-fragments number | max-reassemblies number | timeout seconds ] *
   Remarks: By default, the feature is disabled.
Displaying and maintaining IP performance optimization

Task: Display TCP connection statistics.
   Command: display tcp statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display UDP statistics.
   Command: display udp statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display statistics of IP packets.
   Command: display ip statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display ICMP statistics.
Configuring NAT

Overview
Network Address Translation (NAT) provides a way to translate an IP address in the IP packet header to another IP address. NAT enables a large number of private users to access the Internet by using a small number of public IP addresses. NAT effectively alleviates the depletion of IP addresses. A private IP address is used only in an internal network, whereas a public or external IP address is used on the Internet and is globally unique.
The NAT operation is transparent to the terminals involved. The external server believes that the IP address of the internal PC is 20.1.1.1 and is unaware of the private address 192.168.1.3. As such, NAT hides the private network from the external networks. Despite the advantages of allowing internal hosts to access external resources and providing privacy, NAT also has the following disadvantages:
• Because NAT involves translation of IP addresses, the IP headers cannot be encrypted.
NAPT mapping is based on both the IP address and the port number. With NAPT, packets from multiple internal hosts are mapped to the same external IP address with different port numbers.

Figure 53 NAPT operation (Host A, 192.168.1.2, sends packets 1 and 2; their source addresses before and after translation are listed below)

| Direction | Before NAT | After NAT |
| --- | --- | --- |
| Outbound | 192.168.1.2:1111 | 20.1.1.1:1001 |
| Outbound | 192.168.1.2:2222 | 20.1.1.1:1002 |
| Outbound | 192.168.1.3:1111 | 20.1.1.1:1003 |
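The mapping table in Figure 53 is what a NAPT device keeps per session, and the session key is the same five-tuple that the fast forwarding chapter uses to identify a flow. The following Python is an added example and not code from the HP guide: it allocates public ports in the order the figure shows (1001, 1002, 1003), maps returning packets back to the internal host, refuses unsolicited inbound packets for which no entry exists, and ages out idle entries. The aging values for TCP (300 s) and ICMP (10 s) are the nat aging-time defaults quoted later in this chapter; the 300 s used for any other protocol, the port range start of 1001 and the external address 198.51.100.80 are assumptions for the example.

```python
# Added example (not from the HP guide): a NAPT translation table keyed by the
# five-tuple that fast forwarding also uses to identify a flow. Outbound packets get
# the public address and the next free port; returning packets are mapped back;
# entries idle longer than the protocol's aging time are removed.


class NaptTable:
    AGING_SECONDS = {"tcp": 300, "icmp": 10}   # nat aging-time defaults from this chapter
    DEFAULT_AGING = 300                        # assumption for protocols not listed here

    def __init__(self, global_ip, port_start=1001, port_end=65535):
        self.global_ip = global_ip
        self.next_port = port_start            # start value chosen to match Figure 53
        self.port_end = port_end
        self.outbound = {}    # (proto, src_ip, src_port, dst_ip, dst_port) -> global_port
        self.inbound = {}     # (proto, global_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.last_seen = {}   # outbound key -> time of the last packet in either direction

    def translate_outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now=0):
        """Return the (src_ip, src_port) the packet leaves the NAT device with."""
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if self.next_port > self.port_end:
                raise RuntimeError("port range exhausted")
            gport = self.next_port
            self.next_port += 1
            self.outbound[key] = gport
            self.inbound[(proto, gport, dst_ip, dst_port)] = (src_ip, src_port)
        self.last_seen[key] = now
        return self.global_ip, self.outbound[key]

    def translate_inbound(self, proto, src_ip, src_port, dst_ip, dst_port, now=0):
        """Packet from the external host to global_ip:dst_port; None if no session."""
        if dst_ip != self.global_ip:
            return None
        local = self.inbound.get((proto, dst_port, src_ip, src_port))
        if local is None:
            return None           # unsolicited inbound packet: no entry, not forwarded
        self.last_seen[(proto, local[0], local[1], src_ip, src_port)] = now
        return local

    def age_out(self, now):
        """Remove entries idle longer than their aging time; return how many were removed."""
        expired = [k for k, t in self.last_seen.items()
                   if now - t > self.AGING_SECONDS.get(k[0], self.DEFAULT_AGING)]
        for key in expired:
            proto, _src_ip, _src_port, dst_ip, dst_port = key
            gport = self.outbound.pop(key)
            self.inbound.pop((proto, gport, dst_ip, dst_port), None)
            del self.last_seen[key]
        return len(expired)


if __name__ == "__main__":
    t = NaptTable("20.1.1.1")
    for src_ip, src_port in [("192.168.1.2", 1111), ("192.168.1.2", 2222), ("192.168.1.3", 1111)]:
        print(src_ip, src_port, "->", t.translate_outbound("tcp", src_ip, src_port, "198.51.100.80", 80))
```

Because an inbound packet is forwarded only when it matches an entry created by earlier outbound traffic, the table doubles as the reason NAT "hides the private network": an external host that was never contacted has no entry to hit.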
You can configure an internal server on the NAT device by mapping a public IP address and port number to the private IP address and port number of the internal server. For instance, you can configure an address like 20.1.1.12:8080 as an internal Web server's external address and port number.
Easy IP
Easy IP uses the public IP address of an interface on the device as the translated source address to save IP address resources, and uses ACLs to permit only certain internal IP addresses to be NATed.

Support for special protocols
Apart from the basic address translation function, NAT also provides an application layer gateway (ALG) mechanism that supports some special application protocols without requiring the NAT platform to be modified. This allows for high scalability.
If the NAT configuration (address translation or internal server configuration) on an interface is changed, save the configuration and reboot the device (or use the reset nat session command to manually clear the relevant NAT entries), to avoid the following problems:
• After you delete the NAT-related configuration, address translation can still work for sessions already created.
1. Enter system view.
   Command: system-view
2. Configure a net-to-net static NAT mapping.
   Command: nat static [ acl-number ] net-to-net local-start-address local-end-address global global-network { netmask-length | netmask }
3. Enter interface view.
   Command: interface interface-type interface-number
4. Enable static NAT on the interface.
   Command: nat outbound static

Configuring dynamic NAT
Dynamic NAT is usually implemented by associating an ACL with an address pool (or the address of an interface) on an interface.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create an address group and enter its view.
   Command: nat address-group group-number
   Remarks: N/A
3. Add a member to the address group.
   Command: address start-address end-address
   Remarks: The IP address pools of address group members must not overlap with each other or with other address pools.
4. Configure the port range for the address group.
   Command: port-range port-range-start port-range-end
   Remarks: Optional. By default, the port range is 1 to 65535.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure NAPT by associating an ACL with an IP address pool on the outbound interface for translating both IP address and port number.
   Command: nat outbound [ acl-number ] [ address-group group-number [ vpn-instance vpn-instance-name ] ] [ track vrrp virtual-router-id ]
   Remarks: N/A
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Configure the NAT mapping behavior mode.
3. Configure a common internal server.
   Command:
   • nat server index protocol pro-type global { global-address global-port1 global-port2 inside local-address1 local-address2 local-port [ vpn-instance local-name ] [ track vrrp virtual-router-id ] | current-interface [ global-port ] inside local-address [ local-port ] [ vpn-instance local-name ] [ remote-host host-address ] [ lease-duration lease-time ] [ description string ] }
2. Set NAT aging time for a specified protocol.
   Command: nat aging-time { dns | ftp-ctrl | ftp-data | icmp | no-pat | pptp | tcp | tcp-fin | tcp-syn | udp } seconds
   Remarks: Optional. The default NAT aging time varies by protocol:
   • 10 seconds for DNS.
   • 300 seconds for FTP control links.
   • 300 seconds for FTP data links.
   • 10 seconds for ICMP.
   • 240 seconds in NO-PAT mode.
   • 300 seconds for PPTP.
   • 300 seconds for TCP.
   • 10 seconds for TCP FIN and RST connections.
2. Enable NAT logging.
   Command: nat log enable [ acl acl-number ]
   Remarks: Disabled by default.
3. Enable NAT logging.
   Commands (use either command):
   • Enable logging of NAT session establishment events: nat log flow-begin
   • Enable logging for active NAT sessions and set the logging interval: nat log flow-active minutes
   Remarks: By default:
   • No log is generated when a NAT session is established.
   • Logging for active NAT sessions is disabled.
2. Export NAT logs to the information center.
   Command: userlog nat syslog
   Remarks: NAT logs are exported to the NAT log server by default.

Exporting NAT logs to the log server
For the device to export NAT logs to the log server in UDP packets, you can configure three parameters:
• IP address and UDP port number of the NAT log server. NAT logs cannot be exported successfully if you do not configure the information center export direction and specify the log server address.
Enabling aging out NAT entries upon master link failure

In a link backup environment where NAT is enabled on the master and backup interfaces of a gateway device, if the master link fails, the backup link switches to the master state. If this feature is enabled on the gateway, all existing NAT entries on the failed link are aged out immediately, so that new NAT entries can be created for subsequent packets on the new master link, and thus existing NAT streams can be directed to the new link immediately.
Task: Display NAT statistics.
   Command: display nat statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display NAT log information.
   Command: display nat log [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the configurations and statistics of output logs.
   Command: display userlog export [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Clear the records in the NAT log buffer.
Dynamic NAT configuration example 1

Network requirements
As shown in Figure 58, a company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24, and an internal network address of 10.110.0.0/16. Specifically, the company has the following requirements:
• The internal users in subnet 10.110.10.0/24 can access the Internet using public IP addresses 202.38.1.2 and 202.38.1.3, but users in other network segments cannot.
[Router] connection-limit policy 1
[Router-connection-limit-policy-1] limit 0 acl 2002 per-destination amount 1000 200
[Router-connection-limit-policy-1] quit
# Apply connection limit policy 1 to NAT.
[Router] nat connection-limit-policy 1

Dynamic NAT configuration example 2

Network requirements
As shown in Figure 59, a company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24, and a private network segment of 10.110.0.0/16.
Common internal server configuration example

Network requirements
As shown in Figure 60, a company provides two Web servers, one FTP server, and one SMTP server for external users to access. The internal network address is 10.110.0.0/16. The internal address for the FTP server is 10.110.10.3/16, for Web server 1 is 10.110.10.1/16, for Web server 2 is 10.110.10.2/16, and for the SMTP server is 10.110.10.4/16. The company has three public IP addresses in the range of 202.38.1.1/24 to 202.38.1.3/24.
NAT DNS mapping configuration example

Network requirements
As shown in Figure 61, a company provides Web and FTP services to external users, and uses internal IP network segment 10.110.0.0/16. The IP addresses of the Web and FTP servers are 10.110.10.1/16 and 10.110.10.2/16. The company has three public addresses 202.38.1.1/24 through 202.38.1.3/24. The DNS server is at 202.38.1.4/24.
• The public IP address 202.38.1.2 is used to provide services to external users.
Domain-name: www.server.com
Global-IP : 202.38.1.2
Global-port: 80(www)
Protocol : 6(TCP)

Domain-name: ftp.server.com
Global-IP : 202.38.1.2
Global-port: 21(ftp)
Protocol : 6(TCP)
Host A and Host B can use the domain name www.server.com to access the Web server, and use ftp.server.com to access the FTP server.
2 -rw- 1747 Aug 07 2009 04:05:38 vrpcfg.cfg
3 -rw- 524288 Aug 13 2009 01:27:40 basicbtm.bin
4 -rw- 524288 Aug 13 2009 01:27:40 extendbtm.bin

249852 KB total (232072 KB free)
File system type of cf: FAT32
cd logfile
more logfile.log
……omitted……
%@250005%Jul 7 04:20:04:72 2005 DeviceA USERLOG/7/NAT: ICMP; 192.168.1.6:768--->1.1.1.1:12288; 2.2.2.
Field: Operator
Description: Reasons for generating NAT logs come from:
• Aged for reset or config-change—Refers to logs generated due to configuration change or manual session deletion.
• Aged for no-pat of NAT—Refers to logs generated when the no-pat session is aged out.
• Active data flow timeout—Refers to logs generated when the duration of a NAT session exceeds the active data flow time.
• Data flow created—Refers to logs generated when a NAT session is established.
You must run XLog on the NAT log server or the system log server to view NAT log information.
Troubleshooting NAT
Symptom 1
Abnormal translation of IP addresses.
Solution
1. Enable debugging for NAT. Try to locate the problem based on the debugging display.
2. Use other commands, if necessary, to further identify the problem. Pay special attention to the source address after the address translation and make sure this address is the address that you intend to change to.
Configuring NAT-PT
Overview
Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network. As shown in Figure 64, NAT-PT runs on the device between IPv4 and IPv6 networks. The address translation is transparent to both IPv4 and IPv6 networks.
NAT-PT prefix
The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:
• Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT device detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the device translates the source and destination IPv6 addresses of the packet into IPv4 addresses.
Session initiated by an IPv4 host
The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:
1. Determines whether to perform NAT-PT. Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT device checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the device considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.
2.
NAT-PT configuration task list
Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:
Enabling NAT-PT
   Remarks: Required.
Configuring a NAT-PT prefix
   Remarks: Required.
Configuring IPv4/IPv6 address mappings on the IPv6 side
   Remarks: Required.
Configuring a static mapping on the IPv4 side
   Remarks: Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address.
CAUTION:
Fast forwarding invalidates NAT-PT. Therefore, before you enable NAT-PT, disable IPv4 or IPv6 fast forwarding by using undo ip fast-forwarding or undo ipv6 fast-forwarding in interface view, or clear existing fast-forwarding entries by using reset ip fast-forwarding cache or reset ipv6 fast-forwarding cache in user view.
Enabling NAT-PT
After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the device can implement translation between IPv4 and IPv6 addresses.
• If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address.
• If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.
To configure a static IPv4/IPv6 address mapping on the IPv6 side:
1. Enter system view.
   Command: system-view
2.
3. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side.
   Command: Use one of the commands.
   • Associate an IPv6 ACL with an address pool: natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ]
   • Associate an IPv6 ACL with an interface
   Remarks: If the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address of the specified address pool or interface.
2. Configure a static IPv4/IPv6 address mapping on the IPv4 side.
   Command: natpt v4bound static ipv4-address ipv6-address
Configuring a dynamic mapping policy on the IPv4 side
A dynamic IPv4/IPv6 address mapping policy on the IPv4 side works as follows: if the source IPv4 address matches a specific ACL, the NAT-PT prefix is prepended to the source IPv4 address to form the translated IPv6 address.
2. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0.
   Command: natpt turn-off traffic-class
   Remarks: By default, the value of the Traffic Class field of IPv6 packets is the same as that of the ToS field in corresponding IPv4 packets.
Configuring static NAPT-PT mappings of IPv6 servers
Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network provides services for IPv6 hosts only.
2. Configure a NAT-PT session aging time for a protocol.
   Command: natpt aging-time { default | { dns | finrst | frag | icmp | syn | tcp | udp } time-value }
   Remarks: The defaults are as follows:
   • 10 seconds for a DNS packet.
   • 5 seconds for a FINRST packet.
   • 5 seconds for a FRAG packet.
   • 20 seconds for an ICMP packet.
   • 240 seconds for a SYN packet.
   • 40 seconds for a UDP packet.
   • 86400 seconds for a TCP packet.
Clear dynamic NAT-PT address mappings.
   Command: reset natpt dynamic-mappings
   Remarks: Available in user view.
Clear all NAT-PT statistics information.
   Command: reset natpt statistics
   Remarks: Available in user view.
NAT-PT configuration examples
Configuring dynamic mapping on the IPv6 side
Network requirements
As shown in Figure 66, Router C with IPv6 address 2001::2/64 on an IPv6 network wants to access Router A with IPv4 address 8.0.0.2/24 on an IPv4 network, whereas Router A cannot actively access Router C.
2. Configure Router A on the IPv4 side:
# Configure a static route to subnet 9.0.0.0/24.
system-view
[RouterA] ip route-static 9.0.0.0 24 8.0.0.1
3. Configure Router C on the IPv6 side:
# Enable IPv6.
system-view
[RouterC] ipv6
# Configure a static route to the subnet with the NAT-PT prefix.
[RouterC] ipv6 route-static 3001:: 16 2001::1
Verifying the configuration
Run the ping ipv6 3001::0800:0002 command on Router C. Response packets are received.
[RouterB-Serial2/0] natpt enable
[RouterB-Serial2/0] quit
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ipv6 address 2001::1/64
[RouterB-Serial2/1] natpt enable
[RouterB-Serial2/1] quit
# Configure a NAT-PT prefix.
[RouterB] natpt prefix 3001::
# Configure a static IPv4/IPv6 mapping on the IPv4 side.
[RouterB] natpt v4bound static 9.0.0.2 3001::5
# Configure a static IPv4/IPv6 mapping on the IPv6 side.
[RouterB] natpt v6bound static 2001::2 8.0.0.5
2.
Troubleshooting NAT-PT
Symptom
NAT-PT fails when a session is initiated on the IPv6 side.
Solution
1. Enable debugging for NAT-PT and locate the fault according to the debugging information of the device.
2. During debugging, check whether the source address of a packet is translated successfully. If not, the address pool might not have enough IP addresses.
3. You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.
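The translation decisions described in this chapter (the NAT-PT prefix check, the static mappings on either side, the dynamic pool on the IPv6 side, and the lowest-32-bits fallback), worked as an added Python simulation; this is not Comware code. The prefix and the static mappings are taken from the configuration example above (3001::, 9.0.0.2 as 3001::5, 2001::2 as 8.0.0.5); the dynamic pool 8.0.0.10 to 8.0.0.11 is constructed, and its exhaustion returns None, which is the failure mode the troubleshooting section describes.

```python
"""Simulation of NAT-PT address translation decisions (added example, not Comware code).
Prefix and static mappings follow the configuration example in this chapter;
the dynamic address pool is constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address


class NatPt:
    def __init__(self, prefix: str, pool: List[str]) -> None:
        # 96-bit NAT-PT prefix: only IPv6 destinations inside it are translated.
        self.prefix = ipaddress.IPv6Network(f"{prefix}/96")
        # "natpt v4bound static ipv4 ipv6": an IPv4-side host and the IPv6 address it is known as.
        self.v4bound: Dict[IPv4, IPv6] = {}
        # "natpt v6bound static ipv6 ipv4": an IPv6-side host and the IPv4 address it is known as.
        self.v6bound: Dict[IPv6, IPv4] = {}
        # Dynamic pool for IPv6-side sources that have no static mapping (constructed values).
        self.pool = [IPv4(a) for a in pool]
        self.dynamic: Dict[IPv6, IPv4] = {}

    def v4bound_static(self, ipv4: str, ipv6: str) -> None:
        self.v4bound[IPv4(ipv4)] = IPv6(ipv6)

    def v6bound_static(self, ipv6: str, ipv4: str) -> None:
        self.v6bound[IPv6(ipv6)] = IPv4(ipv4)

    def embed(self, v4: IPv4) -> IPv6:
        """IPv4 address placed in the low 32 bits behind the NAT-PT prefix (dynamic IPv4-side policy)."""
        return IPv6(int(self.prefix.network_address) | int(v4))

    @staticmethod
    def extract(v6: IPv6) -> IPv4:
        """Lowest 32 bits of an IPv6 address: the fallback when no static IPv4-side mapping exists."""
        return IPv4(int(v6) & 0xFFFFFFFF)

    def v6_to_v4(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from an IPv6 host to an IPv4 host: returns (translated src, translated dst),
        or None when the packet is not for NAT-PT or the dynamic pool is exhausted."""
        src6, dst6 = IPv6(src), IPv6(dst)
        if dst6 not in self.prefix:            # prefix mismatch: forwarded as plain IPv6
            return None
        # Destination: a static IPv4-side mapping wins, otherwise the low 32 bits.
        dst4 = next((v4 for v4, v6 in self.v4bound.items() if v6 == dst6), None)
        if dst4 is None:
            dst4 = self.extract(dst6)
        # Source: static IPv6-side mapping, otherwise an address from the dynamic pool.
        src4 = self.v6bound.get(src6)
        if src4 is None:
            src4 = self.dynamic.get(src6)
        if src4 is None:
            used = set(self.dynamic.values())
            free = [a for a in self.pool if a not in used]
            if not free:                       # pool exhausted: the troubleshooting case above
                return None
            src4 = self.dynamic[src6] = free[0]
        return str(src4), str(dst4)

    def v4_to_v6(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from an IPv4 host to an IPv6 host: translated only when the destination
        matches a static mapping configured on the IPv6 side."""
        src4, dst4 = IPv4(src), IPv4(dst)
        dst6 = next((v6 for v6, v4 in self.v6bound.items() if v4 == dst4), None)
        if dst6 is None:
            return None
        src6 = self.v4bound.get(src4)
        if src6 is None:                       # dynamic policy on the IPv4 side: prefix + IPv4
            src6 = self.embed(src4)
        return str(src6), str(dst6)


def example() -> NatPt:
    """Router B from the configuration example, with a constructed two-address pool."""
    nat = NatPt("3001::", ["8.0.0.10", "8.0.0.11"])
    nat.v4bound_static("9.0.0.2", "3001::5")
    nat.v6bound_static("2001::2", "8.0.0.5")
    return nat


if __name__ == "__main__":
    nat = example()
    print(nat.v6_to_v4("2001::2", "3001::0800:0002"))   # Router C pinging 8.0.0.2
    print(nat.v4_to_v6("8.0.0.2", "8.0.0.5"))           # the reply from Router A
```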
Configuring DVPN
Overview
DVPN collects, maintains, and distributes dynamic public addresses through the VPN Address Management (VAM) protocol, making VPN establishment available between enterprise branches that use dynamic addresses to access the public network. In DVPN, a collection of nodes connected to the public network form a VPN.
A DVPN includes one server and multiple clients. The public address of the server in a DVPN must be static. The private address of a client needs to be statically assigned. The public address of a client can be manually configured or dynamically assigned. All the private addresses of the nodes composing a DVPN must belong to the same network segment. Each client registers the mapping of its private address and public address with the server.
Figure 69 Hub-spoke DVPN
DVPN implementation
DVPN operates in three phases: connection initialization, registration, and tunnel establishment.
Connection initialization phase
When a client accesses the server for the first time, connection initialization is performed. During the initialization procedure, the two parties negotiate whether VAM protocol packets should be secured.
next-highest priority algorithm against the list. The operation continues until a match is found or all the algorithms on the server's algorithm list have been compared. If a match is found, the server sends to the client a connection response, which carries the negotiation result, and at the same time, the server and the client generate the encryption key and integrity verification key. 3.
Figure 72 Tunnel establishment process
1. The initiator originates a tunnel establishment request.
2. Hub-spoke tunnel—After a spoke registers itself successfully, it needs to establish a permanent tunnel with each hub in the VPN. Upon receiving the registered information of the hubs from the server, the spoke checks whether a tunnel is present to each hub. If no tunnel exists between the spoke and a hub, the spoke sends a tunnel establishment request to the hub.
AAA identity authentication of VAM clients on the VAM server
After the initialization process completes, a VAM client registers with the VAM server. You can specify to authenticate VAM clients during the registration process. VAM supports PAP authentication and CHAP authentication. The VAM server uses AAA to authenticate clients in the VPN domain. A VAM client must pass authentication to access the VPN.
Configuring the VAM server
Complete the following tasks to configure a VAM server:
Creating a VPN domain
   Remarks: Required.
Enabling VAM server
   Remarks: Required.
Configuring the listening IP address and UDP port number
   Remarks: Optional.
Configuring the security parameters of VAM protocol packets
   Remarks: Optional.
Specifying the client authentication mode
   Remarks: Optional.
Specifying a hub
   Remarks: Required.
Configuring the pre-shared key of the VAM server
   Remarks: Required.
Configuring keepalive parameters
   Remarks: Optional.
2. Configure the listening IP address and UDP port number of the server.
   Command: vam server ip-address ip-address [ port port-number ]
   Remarks: Optional. By default, no listening IP address and UDP port number are configured. If you do not specify a listening IP address and port number on a VAM server, the VAM server listens to all packets whose destination IP address is a local interface IP address and destination port number is 18000.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VPN domain view.
   Command: vam server vpn vpn-name
   Remarks: N/A
3. Specify the client authentication mode.
   Command: authentication-method { none | { chap | pap } [ domain name-string ] }
   Remarks: Optional. By default, a VAM server performs CHAP authentication of clients, using the default domain configured for the system.
Specifying a hub
On a server, you can configure a hub by specifying its private IP address and public IP address.
Configuring keepalive parameters A client sends keepalive packets to the server periodically, and the server sends responses back to prove its existence. If a server receives no keepalive packets from a client within a specific period (which equals the product of the keepalive interval and the maximum number of transmission attempts), the server removes information about the client and logs off the client.
Creating a VAM client
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a VAM client and enter its view.
   Command: vam client name client-name
   Remarks: No client is created by default.
Setting the VAM protocol packet retransmission interval
If a client sends a VAM protocol packet to the server but receives no response in a specific period of time, it retransmits the packet.
Configuring the username and password
A client needs a username and a password to be authenticated by the server. You can configure the username and password for a client by creating a local user. Only one local user can be configured for a VAM client.
To configure a username and password for a VAM client:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter VAM client view.
   Command: vam client name client-name
   Remarks: N/A
3. Configure a username and password for the client.
2. Enable VAM client.
   Command:
   • (Method 1) Enable VAM client for all VAM clients or a specific VAM client: vam client enable { all | name client-name }
   • (Method 2) Enable VAM client for a VAM client: a. vam client name client-name b. client enable
   Remarks: Use either method. Disabled by default.
Configuring an IPsec profile
An IPsec profile secures the transmission of data packets and control packets over a DVPN tunnel.
2. Create an IPsec profile and enter IPsec profile view.
   Command: ipsec profile profile-name
   Remarks: By default, no IPsec profile is created.
3. Specify the IPsec transform sets for the IPsec profile to reference.
   Command: transform-set transform-set-name&<1-6>
   Remarks: By default, an IPsec profile references no IPsec transform set.
4. Specify the IKE peer for the IPsec profile to reference.
   Command: ike-peer peer-name
   Remarks: By default, an IPsec profile references no IKE peer.
Optional.
5.
Configuration procedure
To configure a DVPN tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a tunnel interface and enter its view.
   Command: interface tunnel number
   Remarks: No tunnel interface is created by default.
3. Configure a private IPv4 address for the tunnel interface.
   Command: ip address ip-address { mask | mask-length } [ sub ]
   Remarks: A tunnel interface has no private IPv4 address configured by default.
4.
11. Set the DR priority of the OSPF interface.
   Command: ospf dr-priority priority
   Remarks: Optional for a hub but required for a spoke, when OSPF is used. By default, the interface DR priority is 1. The DR priority of a hub should be higher than that of a spoke. HP recommends setting the DR priority of a spoke to 0 to keep the spoke from participating in DR/BDR election.
12. Bind an IPsec profile to the DVPN tunnel interface.
   Remarks: Optional.
For more information about the ospf network-type and ospf dr-priority commands, see Layer 3—IP Routing Command Reference. For more information about VPN instance configuration, see MPLS Configuration Guide.
Configuring routing
To establish private networks across the public network by using DVPN, you must perform routing configuration for devices in the private networks.
Full mesh DVPN configuration example
Network requirements
In the full mesh network shown in Figure 73, the primary VAM server and the secondary VAM server manage and maintain information about the nodes. The AAA server takes charge of VAM client authentication and accounting. With each being the backup of the other, the two hubs perform data forwarding and routing information exchange. Create a permanent tunnel between each hub-spoke pair.
Configuration procedure
Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
system-view
# Configure RADIUS scheme radsun.
[PrimaryServer] radius scheme radsun
[PrimaryServer-radius-radsun] primary authentication 192.168.1.11 1812
[PrimaryServer-radius-radsun] primary accounting 192.168.1.
[PrimaryServer-vam-server-vpn-1] quit
# Enable VAM server for all VPNs.
[PrimaryServer] vam server enable all
Configuring the secondary VAM server
Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server. (Details not shown.)
Configuring Hub 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM clients:
system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
# Configure the IPsec profile.
[Hub1] ipsec profile vamp
[Hub1-ipsec-profile-vamp] transform-set vam
[Hub1-ipsec-profile-vamp] ike-peer vam
[Hub1-ipsec-profile-vamp] sa duration time-based 600
[Hub1-ipsec-profile-vamp] pfs dh-group2
[Hub1-ipsec-profile-vamp] quit
4. Configure DVPN tunnels:
# Configure tunnel interface Tunnel1 for VPN 1. Tunnel 1 uses UDP for encapsulation.
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn udp
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.
[Hub2-vam-client-name-dvpn1hub2] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Hub2-vam-client-name-dvpn1hub2] server primary ip-address 192.168.1.22
[Hub2-vam-client-name-dvpn1hub2] server secondary ip-address 192.168.1.33
[Hub2-vam-client-name-dvpn1hub2] pre-shared-key simple 123
# Create a local user named dvpn1hub2, setting the password as dvpn1hub2.
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] ipsec profile vamp
[Hub2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Hub2] interface tunnel 2
[Hub2-Tunnel2] tunnel-protocol dvpn gre
[Hub2-Tunnel2] vam client dvpn2hub2
[Hub2-Tunnel2] ip address 10.0.2.2 255.255.255.0
[Hub2-Tunnel2] source ethernet 1/1
[Hub2-Tunnel2] ospf network-type broadcast
[Hub2-Tunnel2] ipsec profile vamp
[Hub2-Tunnel2] quit
5.
[Spoke1-ipsec-transform-set-vam] transform esp
[Spoke1-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke1-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke1-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke1] ike peer vam
[Spoke1-ike-peer-vam] pre-shared-key abcde
[Spoke1-ike-peer-vam] quit
# Configure the IPsec profile.
[Spoke2-vam-client-name-dvpn1spoke2] server primary ip-address 192.168.1.22
[Spoke2-vam-client-name-dvpn1spoke2] server secondary ip-address 192.168.1.33
[Spoke2-vam-client-name-dvpn1spoke2] pre-shared-key simple 123
# Create a local user named dvpn1spoke2, setting the password as dvpn1spoke2.
[Spoke2-Tunnel1] ipsec profile vamp
[Spoke2-Tunnel1] quit
# Configure tunnel interface Tunnel2 for VPN 2. Tunnel 2 uses GRE for encapsulation.
[Spoke2] interface tunnel 2
[Spoke2-Tunnel2] tunnel-protocol dvpn gre
[Spoke2-Tunnel2] vam client dvpn2spoke2
[Spoke2-Tunnel2] ip address 10.0.2.4 255.255.255.0
[Spoke2-Tunnel2] source ethernet 1/1
[Spoke2-Tunnel2] ospf network-type broadcast
[Spoke2-Tunnel2] ospf dr-priority 0
[Spoke2-Tunnel2] ipsec profile vamp
[Spoke2-Tunnel2] quit
5.
[Spoke3] ipsec transform-set vam
[Spoke3-ipsec-transform-set-vam] encapsulation-mode tunnel
[Spoke3-ipsec-transform-set-vam] transform esp
[Spoke3-ipsec-transform-set-vam] esp encryption-algorithm des
[Spoke3-ipsec-transform-set-vam] esp authentication-algorithm sha1
[Spoke3-ipsec-transform-set-vam] quit
# Configure the IKE peer.
[Spoke3] ike peer vam
[Spoke3-ike-peer-vam] pre-shared-key abcde
[Spoke3-ike-peer-vam] quit
# Configure the IPsec profile.
10.0.1.1 192.168.1.1 hub 0H 52M 7S
10.0.1.2 192.168.1.2 hub 0H 47M 31S
10.0.1.3 192.168.1.3 spoke 0H 28M 25S
10.0.1.4 192.168.1.4 spoke 0H 19M 15S
VPN name: 2
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.2.1 192.168.1.1 hub 0H 51M 44S
10.0.2.2 192.168.1.2 hub 0H 46M 45S
10.0.2.3 192.168.1.5 spoke 0H 11M 25S
10.0.2.4 192.168.1.
Private IP: 10.0.1.3
Public IP: 192.168.1.3
Session type: hub-spoke
State: SUCCESS
Holding time: 0h 8m 7s
Input: 164 packets, 163 data packets, 54 multicasts,
Output: 77 packets, 76 data packets, 55 multicasts, 1 control packets 0 errors
Private IP: 10.0.1.4
Public IP: 192.168.1.
Input: 130 packets, 127 data packets, 120 multicasts, 3 control packets 0 errors
Output: 127 packets, 126 data packets, 119 multicasts, 1 control packets 0 errors
The output shows that:
• In VPN 1, Hub 1 has established a permanent tunnel with Hub 2, Spoke 1, and Spoke 2, respectively.
• In VPN 2, Hub 1 has established a permanent tunnel with Hub 2, Spoke 2, and Spoke 3, respectively.
The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
Public IP: 192.168.1.2
Session type: spoke-Hub
State: SUCCESS
Holding time: 0h 1m 50s
Input: 242 packets, 241 data packets, 231 multicasts, 1 control packets 0 errors
Output: 251 packets, 241 data packets, 225 multicasts, 7 control packets 0 errors
The output shows that Spoke 2 has established a permanent hub-spoke tunnel with Hub 1 and Hub 2 respectively in both VPN 1 and VPN 2. The DVPN tunnel information of Spoke 1 and Spoke 3 is similar to that of Spoke 2.
225 multicasts, 0 errors
Private IP: 10.0.2.3
Public IP: 192.168.1.5
Session type: spoke-spoke
State: SUCCESS
Holding time: 0h 0m 0s
Input: 1 packets, 0 data packets, 0 multicasts, 1 control packets 0 errors
Output: 1 packets, 0 data packets, 0 multicasts, 1 control packets 0 errors
The output shows that a spoke-spoke tunnel has been established dynamically between Spoke 2 and Spoke 3.
[Network diagram labels: Tunnel1 10.0.1.2/24; Eth1/1 192.168.1.4/24; Primary server Eth1/1 192.168.1.22/24, Eth1/2 10.0.3.1/24; Secondary server Eth1/1 192.168.1.33/24; Tunnel1 10.0.1.4/24; AAA server 192.168.1.11/24; Spoke 2]
Configuration procedure
Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
system-view
# Configure RADIUS scheme radsun.
Configuring the secondary VAM server
Except for the listening IP address configuration, the configurations for the secondary VAM server are the same as those for the primary VAM server. (Details not shown.)
Configuring Hub 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
system-view
# Create a VAM client named dvpn1hub1 for VPN 1.
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
To use GRE for tunnel encapsulation, perform the following configurations:
[Hub1] interface tunnel 1
[Hub1-Tunnel1] tunnel-protocol dvpn gre
[Hub1-Tunnel1] vam client dvpn1hub1
[Hub1-Tunnel1] ip address 10.0.1.1 255.255.255.0
[Hub1-Tunnel1] source ethernet 1/1
[Hub1-Tunnel1] ospf network-type p2mp
[Hub1-Tunnel1] ipsec profile vamp
[Hub1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
# Configure the IKE peer.
[Hub2] ike peer vam
[Hub2-ike-peer-vam] pre-shared-key abcde
[Hub2-ike-peer-vam] quit
# Configure the IPsec profile.
[Hub2] ipsec profile vamp
[Hub2-ipsec-profile-vamp] transform-set vam
[Hub2-ipsec-profile-vamp] ike-peer vam
[Hub2-ipsec-profile-vamp] sa duration time-based 600
[Hub2-ipsec-profile-vamp] pfs dh-group2
[Hub2-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
# Create a VAM client named dvpn1spoke1 for VPN 1.
[Spoke1] vam client name dvpn1spoke1
[Spoke1-vam-client-name-dvpn1spoke1] vpn 1
# Specify the IP addresses of the VAM servers and set the pre-shared key.
[Spoke1-vam-client-name-dvpn1spoke1] server primary ip-address 192.168.1.22
[Spoke1-vam-client-name-dvpn1spoke1] server secondary ip-address 192.168.1.33
[Spoke1-vam-client-name-dvpn1spoke1] pre-shared-key simple 123
# Create a local user named dvpn1spoke1, setting the password as dvpn1spoke1.
[Spoke1-Tunnel1] ip address 10.0.1.3 255.255.255.0
[Spoke1-Tunnel1] source ethernet 1/1
[Spoke1-Tunnel1] ospf network-type p2mp
[Spoke1-Tunnel1] ospf dr-priority 0
[Spoke1-Tunnel1] ipsec profile vamp
[Spoke1-Tunnel1] quit
5. Configure OSPF:
# Configure OSPF for the public network.
[Spoke1] ospf 100
[Spoke1-ospf-100] area 0
[Spoke1-ospf-100-area-0.0.0.0] network 192.168.1.3 0.0.0.255
[Spoke1-ospf-100-area-0.0.0.0] quit
# Configure OSPF for the private network.
[Spoke2] ipsec profile vamp
[Spoke2-ipsec-profile-vamp] transform-set vam
[Spoke2-ipsec-profile-vamp] ike-peer vam
[Spoke2-ipsec-profile-vamp] sa duration time-based 600
[Spoke2-ipsec-profile-vamp] pfs dh-group2
[Spoke2-ipsec-profile-vamp] quit
4. Configure the DVPN tunnel:
# Configure tunnel interface Tunnel 1 for VPN 1.
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 hub 0H 7M 35S
10.0.1.2 192.168.1.2 hub 0H 13M 8S
10.0.1.3 192.168.1.3 spoke 0H 3M 58S
10.0.1.4 192.168.1.4 spoke 0H 0M 29S
# Display the address mapping information of all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server address-map all
VPN name: 1
Total address-map number: 4
Private-ip Public-ip Type Holding time
10.0.1.1 192.168.1.1 hub 0H
10.0.1.2 192.168.1.
Holding time: 0h 3m 15s
Input: 20 packets, 0 data packets, 0 multicasts, 20 control packets 0 errors
Output: 20 packets, 6 data packets, 6 multicasts, 14 control packets 0 errors
The output shows that in VPN 1, Hub 1 has established a permanent tunnel with Hub 2, Spoke 1, and Spoke 2, respectively. The DVPN tunnel information of Hub 2 is similar to that of Hub 1.
# Display the DVPN tunnel information of Spoke 1.
[Spoke1] display dvpn session all
Interface: Tunnel1
VPN name: 1
Private IP: 10.0.1.
Interface: Tunnel2
VPN name: 2
Total number: 2
Private IP: 10.0.2.1
Public IP: 192.168.1.1
Session type: spoke-Hub
State: SUCCESS
Holding time: 1h 10m 0s
Input: 451 packets, 450 data packets, 435 multicasts, 0 errors
Output: 453 packets, 447 data packets, 430 multicasts, 6 control packets 0 errors
Private IP: 10.0.2.2
Public IP: 192.168.1.
Configuring tunneling
Overview
Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end. Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
Figure 75 IPv6 over IPv4 tunnel
The IPv6 over IPv4 tunnel processes packets as follows:
1. A host in the IPv6 network sends an IPv6 packet to Device A at the tunnel source.
2. After determining according to the routing table that the packet needs to be forwarded through the tunnel, Device A encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
Tunnel type | Tunnel mode | Tunnel source/destination address | Tunnel interface address type
6to4 tunneling
   Tunnel source/destination address: The source IPv4 address is manually configured. The destination IPv4 address is automatically obtained.
   Tunnel interface address type: 6to4 address, in the format of 2002:IPv4-source-address::/48
Intra-site automatic tunnel addressing protocol (ISATAP) tunneling
   Tunnel source/destination address: The source IPv4 address is manually configured. The destination IP address is automatically obtained.
Figure 76 Principle of 6to4 tunneling and 6to4 relay
4. ISATAP tunneling
An ISATAP tunnel is a point-to-point automatic tunnel. It provides a solution to connect an IPv6 host to an IPv6 network over an IPv4 network. The destination addresses of IPv6 packets and the IPv6 addresses of tunnel interfaces are all ISATAP addresses. The ISATAP address format is prefix(64bit):0:5EFE:ip-address.
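The automatic tunnel address formats in the table above and the ISATAP format just described, worked in Python as an added example that is not Comware code: forming a 6to4 prefix, an ISATAP address and an IPv4-compatible address from an IPv4 address, and the reverse step a tunnel endpoint performs when it derives the tunnel destination IPv4 address from an IPv6 address. The 6to4 values (2.1.1.1, 2002:501:101:1::2, 2002:601:101::1) come from the 6to4 examples later in this chapter and 192.168.100.1 and 192.168.50.1 from the IPv4-compatible tunnel example; the ISATAP prefix 3002::/64 and the host 192.168.100.2 are constructed.

```python
"""Automatic tunnel address handling (added example, not Comware code).
Builds 6to4, ISATAP and IPv4-compatible IPv6 addresses and recovers the tunnel
destination IPv4 address that a tunnel endpoint derives from them."""
import ipaddress
from typing import Optional

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address
SIXTO4 = ipaddress.IPv6Network("2002::/16")
# Interface ID tag 0:5EFE; 200:5EFE is the same tag with the u/l bit set (RFC 4214).
ISATAP_TAGS = (0x00005EFE, 0x02005EFE)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:IPv4-source-address::/48, the 6to4 prefix a site derives from its IPv4 address."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(IPv4(ipv4)) << 80), 48))


def isatap_address(prefix: str, ipv4: str) -> IPv6:
    """prefix(64bit):0:5EFE:ip-address (prefix 3002::/64 in the test is constructed)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses need a /64 prefix")
    return IPv6(int(net.network_address) | (0x5EFE << 32) | int(IPv4(ipv4)))


def ipv4_compatible_address(ipv4: str) -> IPv6:
    """::ip-address, used by automatic IPv4-compatible IPv6 tunnels."""
    return IPv6(int(IPv4(ipv4)))


def tunnel_destination(tunnel_type: str, ipv6: str) -> Optional[str]:
    """IPv4 tunnel destination embedded in ipv6 for the given automatic tunnel type,
    or None when the address carries none (the packet cannot use this tunnel).
    A 6to4 router reaching an IPv6-only network through a 6to4 relay applies this
    to the route's next hop (the relay's 6to4 address), not to the final destination."""
    addr = IPv6(ipv6)
    n = int(addr)
    if tunnel_type == "6to4":
        if addr not in SIXTO4:
            return None
        return str(IPv4((n >> 80) & 0xFFFFFFFF))   # bits 16..47 hold the IPv4 address
    if tunnel_type == "isatap":
        iid = n & 0xFFFFFFFFFFFFFFFF                 # low 64 bits: the interface ID
        if (iid >> 32) not in ISATAP_TAGS:
            return None
        return str(IPv4(iid & 0xFFFFFFFF))
    if tunnel_type == "ipv4-compatible":
        if (n >> 32) != 0 or n < 2:                  # not ::a.b.c.d, or the :: / ::1 addresses
            return None
        return str(IPv4(n))
    raise ValueError(f"unknown tunnel type {tunnel_type!r}")


if __name__ == "__main__":
    print(sixto4_prefix("2.1.1.1"))                          # Router A's 6to4 prefix
    print(tunnel_destination("6to4", "2002:601:101::1"))     # next hop to the 6to4 relay
    print(tunnel_destination("isatap", str(isatap_address("3002::/64", "192.168.100.2"))))
```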
Figure 78 Principle of IPv4 over IPv4 tunneling
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 78.
• Encapsulation:
a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack.
b. The IP protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface.
c.
The encapsulation and de-encapsulation processes illustrated in Figure 79 are described as follows:
• Encapsulation:
a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack.
b. The IPv4 protocol stack uses the destination address of the packet to determine the output interface. If the output interface is the tunnel interface, the IPv4 protocol stack delivers the packet to the tunnel interface.
c.
{ Customer Premises Equipment (CPE): Resides at the customer's premises, connects the customer's network to an Internet Service Provider (ISP) network, and usually serves as the gateway of the customer's network. As a tunnel end, the CPE encapsulates IPv4 packets of the customer's network into IPv6 packets and sends them to the other end of the tunnel, and de-encapsulates IPv6 packets into IPv4 packets and sends them to the customer's network. Some hosts can serve as the CPE.
{ The AFTR performs NAT.
When a host serves as the CPE, the process is similar and therefore is not shown. NAT supports both basic address translation between private and public addresses and Network Address Port Translation (NAPT), which translates both the IP address (private or public) and the port number. Figure 81 shows an example of NAPT. For more information about NAT, see "Configuring NAT."
Protocols and standards
• RFC 1853, IP in IP Tunneling
• RFC 2473, Generic Packet Tunneling in IPv6 Specification
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers
• RFC 3056, Connection of IPv6 Domains via IPv4 Clouds
• RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
Tunneling configuration task list
Configuring a tunnel interface
   Remarks: N/A
Configuring an IPv6 over IPv4 tunnel:
   Configuring an IPv6 manual tunnel
   Configuring an automatic IPv4-compatible IPv6
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a tunnel interface and enter its view.
   Command: interface tunnel number
   Remarks: By default, no tunnel interface is created.
3. Configure a description for the interface.
   Command: description text
   Remarks: Optional. By default, the description of a tunnel interface is Tunnel number Interface.
4. Set the MTU of the tunnel interface.
   Command: • Set the MTU for IPv4 packets
• After a tunnel interface is deleted, all the features configured on the tunnel interface are deleted.
• If the destination IPv6 network is not in the same subnet as the IPv6 address of the tunnel interface, you must configure a static route destined for the destination IPv6 network. You can specify the local tunnel interface as the output interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop.
Configuration example
Network requirements
As shown in Figure 83, configure an IPv4 network between Router A and Router B so the two IPv6 networks can reach each other over the IPv4 network. The tunnel destination IPv4 address cannot be automatically obtained from the destination IPv6 addresses of packets. Therefore, configure an IPv6 manual tunnel.
Figure 83 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv4.
• Configure Router A:
# Enable IPv6.
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 192.168.50.1 255.255.255.0
[RouterB-Ethernet1/2] quit
# Configure an IPv6 address for Ethernet 1/1.
[RouterB] interface ethernet 1/1
[RouterB-Ethernet1/1] ipv6 address 3003::1 64
[RouterB-Ethernet1/1] quit
# Configure an IPv6 manual tunnel.
[RouterB] interface tunnel 0
[RouterB-Tunnel0] ipv6 address 3001::2/64
[RouterB-Tunnel0] source ethernet 1/2
[RouterB-Tunnel0] destination 192.168.100.
FF02::2
FF02::1
MTU is 1480 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 55
...
# Ping the IPv6 address of Ethernet 1/1 at the peer end from Router A.
Configuration procedure
To configure an automatic IPv4-compatible IPv6 tunnel:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable the IPv6 packet forwarding function.
   Command: ipv6
   Remarks: By default, the IPv6 packet forwarding function is disabled.
3. Enter tunnel interface view.
   Command: interface tunnel number
   Remarks: N/A
4. Configure an IPv6 address for the tunnel interface.
   Command: • Configure an IPv6 global unicast address or a site-local address:
Configuration procedure
Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Router A and Router B can reach each other through IPv4.
• Configure Router A:
# Enable IPv6.
system-view
[RouterA] ipv6
# Configure an IPv4 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 192.168.100.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure an automatic IPv4-compatible IPv6 tunnel.
Hosts use stateless autoconfig for addresses
IPv6 Packet statistics:
InReceives: 65
...
[RouterB-Tunnel0] display ipv6 interface tunnel 0
Tunnel0 current state :UP
Line protocol current state :UP
IPv6 is enabled, link-local address is FE80::C0A8:3201
Global unicast address(es):
::192.168.50.
Configuring a 6to4 tunnel
Configuration prerequisites
Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
Configuration guidelines
Follow these guidelines when you configure a 6to4 tunnel:
• No destination address needs to be configured for a 6to4 tunnel because the destination IPv4 address is embedded in the 6to4 IPv6 address.
6. Configure a source address or interface for the tunnel: source { ip-address | interface-type interface-number } (by default, no source address or interface is configured for the tunnel)
7. Return to system view: quit
8. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses: tunnel discard ipv4-compatible-packet (optional; disabled by default)
[RouterA] interface ethernet 1/2 [RouterA-Ethernet1/2] ip address 2.1.1.1 24 [RouterA-Ethernet1/2] quit # Configure an IPv6 address for Ethernet 1/1. [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ipv6 address 2002:0201:0101:1::1/64 [RouterA-Ethernet1/1] quit # Configure the 6to4 tunnel.
Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time<1ms Ping statistics for 2002:501:101:1::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms 6to4 relay configuration example Network requirements As shown in Figure 86, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6 network.
# Configure a 6to4 tunnel. [RouterA] interface tunnel 0 [RouterA-Tunnel0] ipv6 address 2002:0201:0101::1/64 [RouterA-Tunnel0] source ethernet 1/2 [RouterA-Tunnel0] tunnel-protocol ipv6-ipv4 6to4 [RouterA-Tunnel0] quit # Configure a static route to the 6to4 relay router. [RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0 # Configure the default route to the IPv6-only network. [RouterA] ipv6 route-static :: 0 2002:0601:0101::1 • Configure Router B: # Enable IPv6.
Minimum = 0ms, Maximum = 13ms, Average = 3ms Configuring an ISATAP tunnel Configuration prerequisites Configure an IP address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface. Configuration guidelines Follow these guidelines when you configure an ISATAP tunnel: • No destination address needs to be configured for an ISATAP tunnel, because the destination IPv4 address is embedded in the low-order 32 bits of the ISATAP address.
5. Specify the ISATAP tunnel mode: tunnel-protocol ipv6-ipv4 isatap (the same tunnel mode must be configured at both ends of the tunnel; otherwise, packet delivery fails)
6. Configure a source address or interface for the tunnel: source { ip-address | interface-type interface-number } (by default, no source address or interface is configured for the tunnel)
7. Return to system view: quit
8. Enable dropping of IPv6 packets that use IPv4-compatible IPv6 addresses.
[Router-Tunnel0] tunnel-protocol ipv6-ipv4 isatap # Disable RA suppression so that the ISATAP host can acquire information such as the address prefix from the RA message advertised by the ISATAP router. [Router-Tunnel0] undo ipv6 nd ra halt [Router-Tunnel0] quit # Configure a static route to the ISATAP host. [Router] ipv6 route-static 2001:: 16 tunnel 0 • Configure the ISATAP host: Configurations on the ISATAP host vary depending on the operating system. The following example is performed on Windows XP.
reachable time 42500ms (base 30000ms) retransmission interval 1000ms DAD transmits 0 default site prefix length 48 # The host acquires the address prefix 2001::/64 and has automatically generated the address 2001::5efe:2.1.1.2. The message "uses Router Discovery" indicates that the router discovery function is enabled on the host. Ping the IPv6 address of the tunnel interface of the router. The ping operation succeeds, indicating an ISATAP tunnel has been established. C:\>ping 2001::5efe:1.1.1.
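The three automatic tunnel types above (IPv4-compatible, 6to4, ISATAP) all work the same way: the IPv4 tunnel endpoint is not configured but read out of the IPv6 destination address. The following Python is an added example, not code from the HP MSR guide or from Comware, that builds those addresses from the IPv4 addresses used in the examples (2.1.1.1, 2.1.1.2, 192.168.50.1) and recovers the embedded IPv4 destination the way the tunnel interface has to. It also models what tunnel discard ipv4-compatible-packet does: a packet whose source or destination is an IPv4-compatible address is dropped, because such an address lets anyone who can reach the tunnel source choose the IPv4 decapsulation target. The function names and the "mode" strings are this example's own.

```python
# Added example (not from the HP MSR guide): derive automatic-tunnel addresses and
# extract the IPv4 tunnel endpoint embedded in the IPv6 destination address.
import ipaddress

V4 = ipaddress.IPv4Address
V6 = ipaddress.IPv6Address
MASK32 = 0xFFFFFFFF


def six_to_four_prefix(ipv4: str) -> str:
    """6to4 (RFC 3056): prefix 2002:WWXX:YYZZ::/48 for the IPv4 address W.X.Y.Z."""
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (int(V4(ipv4)) << 80), 48)))


def ipv4_from_6to4(ipv6: str) -> str:
    """IPv4 address embedded in bits 16..47 of a 6to4 address (the tunnel destination)."""
    a = int(V6(ipv6))
    if (a >> 112) != 0x2002:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(V4((a >> 80) & MASK32))


def isatap_address(prefix: str, ipv4: str) -> str:
    """ISATAP (RFC 5214): <64-bit prefix>:0000:5EFE:<IPv4>, as in the host output above."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface IDs need a /64 prefix")
    return str(V6(int(net.network_address) | (0x5EFE << 32) | int(V4(ipv4))))


def ipv4_compatible_address(ipv4: str) -> str:
    """IPv4-compatible IPv6 address ::A.B.C.D used by the automatic IPv4-compatible tunnel."""
    return str(V6(int(V4(ipv4))))


def link_local_from_ipv4(ipv4: str) -> str:
    """Link-local address of an IPv4-compatible tunnel interface, FE80::<IPv4>
    (FE80::C0A8:3201 for 192.168.50.1 in the display output above)."""
    return str(V6((0xFE80 << 112) | int(V4(ipv4))))


def is_ipv4_compatible(ipv6: str) -> bool:
    """True for ::A.B.C.D (upper 96 bits zero), excluding :: and ::1."""
    a = int(V6(ipv6))
    return (a >> 32) == 0 and a > 1


def tunnel_destination(mode: str, ipv6_dst: str) -> str:
    """IPv4 destination an automatic tunnel derives from the IPv6 destination address.
    'mode' is one of "6to4", "isatap", "ipv4-compatible" (names chosen for this example)."""
    if mode == "6to4":
        return ipv4_from_6to4(ipv6_dst)
    a = int(V6(ipv6_dst))
    if mode == "isatap":
        # Upper half of the interface ID must be 0000:5EFE (0200:5EFE when the u bit is set).
        if (((a >> 32) & MASK32) & ~0x02000000) != 0x5EFE:
            raise ValueError(f"{ipv6_dst} is not an ISATAP address")
        return str(V4(a & MASK32))
    if mode == "ipv4-compatible":
        if not is_ipv4_compatible(ipv6_dst):
            raise ValueError(f"{ipv6_dst} is not an IPv4-compatible address")
        return str(V4(a & MASK32))
    raise ValueError(f"unknown tunnel mode {mode!r}")


def accept_on_tunnel(src: str, dst: str, discard_ipv4_compatible: bool) -> bool:
    """Model of 'tunnel discard ipv4-compatible-packet': when enabled, an IPv6 packet whose
    source or destination is an IPv4-compatible address is dropped instead of forwarded."""
    if discard_ipv4_compatible and (is_ipv4_compatible(src) or is_ipv4_compatible(dst)):
        return False
    return True
```

With 2.1.1.1 as the tunnel source, six_to_four_prefix yields 2002:201:101::/48, which is why the 6to4 example numbers Ethernet 1/1 out of 2002:0201:0101:1::/64; the static route to 2002:0601:0101::/64 resolves to the IPv4 next hop 6.1.1.1 without any destination command.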
If you specify a source interface instead of a source address for a tunnel interface, the source address of the tunnel is the primary IP address of the source interface.
Configuration procedure
To configure an IPv4 over IPv4 tunnel:
1. Enter system view: system-view
2. Enter tunnel interface view: interface tunnel number
3. Configure an IPv4 address for the tunnel interface.
# Configure an IPv4 address for Ethernet 1/1. system-view [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ip address 10.1.1.1 255.255.255.0 [RouterA-Ethernet1/1] quit # Configure an IPv4 address for Serial 2/0 (the physical interface of the tunnel). [RouterA] interface serial 2/0 [RouterA-Serial2/0] ip address 2.1.1.1 255.255.255.0 [RouterA-Serial2/0] quit # Create interface Tunnel 1. [RouterA] interface tunnel 1 # Configure an IPv4 address for interface Tunnel 1.
Verifying the configuration # Display the status of the tunnel interfaces on Router A and Router B, respectively. [RouterA] display interface tunnel 1 Tunnel1 current state: UP Line protocol current state: UP Description: Tunnel1 Interface The Maximum Transmit Unit is 64000 Internet Address is 10.1.2.1/24 Primary Encapsulation is TUNNEL, service-loopback-group ID not set Tunnel source 2.1.1.1, destination 3.1.1.
--- 10.1.3.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 15/15/16 ms Configuring an IPv4 over IPv6 manual tunnel Configuration prerequisites Configure an IPv6 address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
7. Configure the destination address for the tunnel interface: destination ipv6-address (by default, no destination address is configured for the tunnel)
Configuration example
Network requirements
As shown in Figure 89, configure an IPv4 over IPv6 manual tunnel between Router A and Router B so the two IPv4 networks can reach each other over the IPv6 network.
Figure 89 Network diagram
Configuration procedure
Make sure Router A and Router B can reach each other through IPv6.
[RouterA-Tunnel1] quit # Configure a static route from Router A through interface Tunnel 1 to Group 2. [RouterA] ip route-static 30.1.3.0 255.255.255.0 tunnel 1 • Configure Router B: # Enable IPv6. system-view [RouterB] ipv6 # Configure an IPv4 address for Ethernet 1/1. [RouterB] interface ethernet 1/1 [RouterB-Ethernet1/1] ip address 30.1.3.1 255.255.255.0 [RouterB-Ethernet1/1] quit # Configure an IPv6 address for Serial 2/1 (the physical interface of the tunnel).
0 input error 168 packets output, 10752 bytes 0 output error [RouterB] display interface tunnel 2 Tunnel2 current state: UP Line protocol current state: UP Description: Tunnel2 Interface The Maximum Transmit Unit is 64000 Internet Address is 30.1.2.
Configuring the CPE of a tunnel You can configure the CPE of a DS-Lite tunnel or IPv4 over IPv6 manual tunnel: • If you configure a DS-Lite tunnel on the CPE, the CPE automatically obtains the IPv6 address of the AFTR through DHCPv6 and uses the address as the destination address of the tunnel. • If you configure an IPv4 over IPv6 manual tunnel on the CPE, you must manually specify the address of the AFTR as the destination address of the tunnel.
• Two tunnel interfaces that use the same encapsulation protocol must not share the same source address and destination address pair. • If you configure a source interface for the tunnel, the primary IP address of the source interface is the source address of the tunnel. • Configuring a destination address on the AFTR is unnecessary. When it receives a packet from the tunnel, the AFTR records the source IPv6 address of the packet and uses it as the IPv6 destination address of the tunnel (the address of the CPE).
Figure 90 Network diagram Configuration procedure Before you configure a DS-Lite tunnel, make sure Router A and Router B can reach each other. In this example, Router A and Router C are in the same network segment. Otherwise, you must deploy a DHCPv6 relay agent between them. The DHCPv6 relay agent is beyond the scope of this document. For more information about DHCPv6, see "Configuring DHCPv6 relay agent." • Configure Router A (the CPE): # Enable IPv6.
[RouterB] interface ethernet 1/1 [RouterB-Ethernet1/1] ipv6 address 1::2 64 [RouterB-Ethernet1/1] quit # Configure an IPv4 address for interface Ethernet 1/2. [RouterB] interface ethernet 1/2 [RouterB-Ethernet1/2] ip address 20.1.1.1 24 [RouterB-Ethernet1/2] quit # Create interface Tunnel 2. [RouterB] interface tunnel 2 # Configure an IPv4 address for interface Tunnel 2. [RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0 # Specify the tunnel encapsulation mode as IPv4 over IPv6.
Internet Address is 30.1.2.1/24 Primary Encapsulation is TUNNEL, service-loopback-group ID not set.
round-trip min/avg/max = 1/1/1 ms Configuring an IPv6 over IPv6 tunnel Configuration prerequisites Configure an IPv6 address for the interface (such as a VLAN interface, Ethernet interface, or loopback interface) to be configured as the source interface of the tunnel interface.
4. Configure an IPv6 address for the tunnel interface. Use either method; by default, no IPv6 address is configured for the tunnel interface.
• (Method 1) Configure an IPv6 global unicast address or site-local address: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }, or ipv6 address ipv6-address/prefix-length eui-64
• (Method 2) Configure an IPv6 link-local address: ipv6 address auto link-local, or ipv6 address ipv6-address link-local
5.
• Configure Router A: # Enable IPv6. system-view [RouterA] ipv6 # Configure an IPv6 address for Ethernet 1/1. [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ipv6 address 2002:1::1 64 [RouterA-Ethernet1/1] quit # Configure an IPv6 address for Serial 2/0 (the physical interface of the tunnel). [RouterA] interface serial 2/0 [RouterA-Serial2/0] ipv6 address 2002::11:1 64 [RouterA-Serial2/0] quit # Create interface Tunnel 1.
# Configure the destination address for interface Tunnel 2 (IP address of Serial 2/0 of Router A). [RouterB-Tunnel2] destination 2002::11:1 [RouterB-Tunnel2] quit # Configure a static route destined for the IPv6 network Group 1 through interface Tunnel 2. [RouterB] ipv6 route-static 2002:1:: 64 tunnel 2 Verifying the configuration # Display the status of the tunnel interfaces on Router A and Router B, respectively.
bytes=56 Sequence=1 hop limit=64 time = 31 ms Reply from 2002:3::1 bytes=56 Sequence=2 hop limit=64 time = 1 ms Reply from 2002:3::1 bytes=56 Sequence=3 hop limit=64 time = 16 ms Reply from 2002:3::1 bytes=56 Sequence=4 hop limit=64 time = 16 ms Reply from 2002:3::1 bytes=56 Sequence=5 hop limit=64 time = 31 ms --- 2002:3::1 ping statistics --5 packet(s) transmitted 5 packet(s) received 0.
no routing entry is available for tunnel communication in the routing table, configure a route to reach the tunnel destination.
Configuring UDP helper Overview The UDP helper function supports two modes: • Broadcast UDP helper—Relay specified UDP broadcast packets. • Multicast UDP helper—Relay specified UDP multicast packets. Broadcast UDP helper Sometimes, a host needs to forward broadcasts to obtain network configuration information or request the names of other devices on the network.
You can specify up to 20 destination servers on an interface.
To configure broadcast UDP helper:
1. Enter system view: system-view
2. Enable UDP helper: udp-helper enable (disabled by default)
3. Enable the forwarding of packets with the specified UDP port: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time } (no UDP port is specified by default)
4. Enter interface view.
Displaying and maintaining UDP helper
Display information about packets forwarded by UDP helper: display udp-helper server [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] (available in any view)
Clear UDP helper statistics: reset udp-helper packet (available in user view)
Multicast UDP helper configuration example Network requirements As shown in Figure 93, the IP address of Ethernet 1/2 of Router A is 10.110.1.1/16, and the interface connects to the subnet 10.110.0.0/16. Configure multicast UDP helper to forward multicast packets with UDP destination port number 55 and destination IP address 224.1.1.1 to all hosts on the destination subnet 10.110.0.0/16. Figure 93 Network diagram Configuration procedure Make sure Router B can forward packets to Router A through multicast.
Configuring GRE Overview Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate multiple network layer protocols into virtual point-to-point tunnels over an IP network. Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. GRE encapsulation format Figure 94 GRE encapsulation format As shown in Figure 94, a GRE-tunneled packet includes the following parts: • Payload packet—Original packet.
GRE encapsulation and de-encapsulation The following section uses Figure 96 to describe how an X protocol packet traverses an IP network through a GRE tunnel. Figure 96 X protocol networks interconnected through a GRE tunnel Encapsulation process 1. After receiving an X protocol packet from the interface connected to Group 1, Device A submits it to the X protocol for processing. 2. The X protocol checks the destination address field in the packet header to determine how to route the packet. 3.
GRE application scenarios The following shows typical GRE application scenarios: Connecting private networks running different protocols over a single backbone As shown in Figure 97, Group 1 and Group 2 are IPv6 networks, and Team 1 and Team 2 are IPv4 networks. Through the GRE tunnel between Device A and Device B, Group 1 can communicate with Group 2 and Team 1 can communicate with Team 2, without affecting each other.
Figure 99 Network diagram Operating with IPsec As shown in Figure 100, GRE can be encapsulated into IPsec to improve transmission security for routing protocol packets, voice data, and video data. GRE by itself provides no confidentiality, integrity protection, or peer authentication (the optional key and checksum are plaintext fields, not security controls), so GRE over IPsec is the combination to use whenever the tunnel crosses an untrusted network. Figure 100 Network diagram For more information about IPsec, see Security Configuration Guide.
• If checksum is enabled at the local end but not at the remote end, the local end calculates the checksum of each packet it sends but does not check the checksum of received packets.
• If checksum is enabled at the remote end but not at the local end, the local end checks the checksum of received packets but does not calculate a checksum for the packets it sends.
8. Enable the GRE packet checksum function: gre checksum (optional; disabled by default)
9. Configure the key for the GRE tunnel interface: gre key key-number (optional; by default, no key is configured for a GRE tunnel interface; the two ends of a tunnel must have the same key or both have no key)
10. Specify a value for the Recursion Control field in the GRE header: gre recursion recursion-value (optional)
11.
{ { Configure a static route, using the destination address of the original packet as the destination address of the route and the address of the peer tunnel interface as the next hop. Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network, so the dynamic routing protocol can establish a routing entry with the tunnel interface as the outgoing interface.
10. Specify a value for the Recursion Control field in the GRE header: gre recursion recursion-value (optional; by default, the value of the Recursion Control field in the GRE header is 0, which means the number of encapsulations is not limited)
11. Return to system view: quit
12. Configure the device to discard IPv4-compatible IPv6 packets: tunnel discard ipv4-compatible-packet (optional)
13. Configure a route for packet forwarding through the tunnel.
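The checksum and key rules in the remarks above (checksum verified only when the sender put one in; key must match exactly, and a key on one side only is a mismatch) are easiest to see in a packet-level model. The following Python is an added example, not the guide's or Comware's code: a minimal RFC 2784/2890 GRE encapsulator and decapsulator. The payload bytes are a constructed IPv4 header, and the names GreDrop, gre_encapsulate, gre_decapsulate and deliver are this example's own. Note that the key is a plaintext 32-bit value in every packet; it rejects misdirected tunnels, not attackers who can see the traffic.

```python
# Added example (not from the HP MSR guide): GRE header build/parse with the
# checksum (C bit), key (K bit) and recursion-control fields used in the table above.
import struct
from typing import Optional, Tuple

GRE_C = 0x8000            # Checksum Present
GRE_K = 0x2000            # Key Present
ETHERTYPE_IPV4 = 0x0800   # Protocol Type for an IPv4 payload


class GreDrop(Exception):
    """Raised when the receiving end must discard the packet."""


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the GRE header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, proto: int = ETHERTYPE_IPV4, *, checksum: bool = False,
                    key: Optional[int] = None, recursion: int = 0) -> bytes:
    """Build header + payload. checksum models 'gre checksum', key models 'gre key',
    recursion models 'gre recursion' (bits 5-7 of the first 16-bit word)."""
    flags = (recursion & 0x7) << 8
    if checksum:
        flags |= GRE_C
    if key is not None:
        flags |= GRE_K
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += b"\x00\x00\x00\x00"          # Checksum (filled in below) + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    if checksum:
        csum = internet_checksum(header + payload)   # computed with the field zeroed
        header = header[:4] + struct.pack("!H", csum) + header[6:]
    return header + payload


def gre_decapsulate(packet: bytes, *, local_key: Optional[int] = None) -> Tuple[int, bytes]:
    """Receiving-end parse; returns (protocol, payload) or raises GreDrop.
    - The checksum is verified whenever the sender set the C bit (the local 'gre checksum'
      setting only decides whether we compute one on transmit).
    - The key must equal local_key; a key present on one side only is a mismatch."""
    if len(packet) < 4:
        raise GreDrop("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:                       # Version bits 13-15 must be 0
        raise GreDrop("unsupported GRE version")
    offset = 4
    sent_checksum = None
    if flags & GRE_C:
        if len(packet) < offset + 4:
            raise GreDrop("truncated checksum field")
        sent_checksum = struct.unpack("!H", packet[4:6])[0]
        offset += 4
    key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise GreDrop("truncated key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if sent_checksum is not None:
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        if internet_checksum(zeroed) != sent_checksum:
            raise GreDrop("GRE checksum mismatch")
    if key != local_key:
        raise GreDrop("GRE key mismatch")
    return proto, packet[offset:]


def deliver(packet: bytes, *, local_key: Optional[int] = None) -> Optional[bytes]:
    """Payload on success, None when the receiving end drops the packet."""
    try:
        return gre_decapsulate(packet, local_key=local_key)[1]
    except GreDrop:
        return None
```

Two behaviours worth noticing: with the checksum disabled on the sender, a corrupted payload is delivered unchanged, since nothing in the GRE header covers it; and because the K bit is carried in the header, a tunnel end with no key configured still rejects a packet that arrives with one, matching the "same key or no key" remark.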
Figure 101 Network diagram Configuration procedure Before the configuration, make sure Router A and Router B can reach each other. 1. Configure Router A: # Configure an IPv4 address for interface Ethernet 1/1. system-view [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ip address 10.1.1.1 255.255.255.0 [RouterA-Ethernet1/1] quit # Configure an IPv4 address for interface Serial 2/0, the physical interface of the tunnel. [RouterA] interface serial 2/0 [RouterA-Serial2/0] ip address 1.1.1.
# Configure an IP address for the tunnel interface Tunnel0. [RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0 # Configure the tunnel encapsulation mode as GRE over IPv4. [RouterB-Tunnel0] tunnel-protocol gre # Configure the source address of the tunnel interface Tunnel0 as the IP address of the interface Serial 2/1. [RouterB-Tunnel0] source 2.2.2.2 # Configure the destination address of the tunnel interface Tunnel0 as the IP address of the interface Serial 2/0 on Router A.
GRE key disabled
Checksumming of GRE packets disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/0
Last clearing of counters: Never
Last 300 seconds input: 2 bytes/sec, 0 packets/sec
Last 300 seconds output: 2 bytes/sec, 0 packets/sec
10 packets input, 840 bytes
0 input error
10 packets output, 840 bytes
0 output error
# From Router B, ping the IP address
[RouterA] ipv6 # Configure an IPv4 address for interface Ethernet 1/1. [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ip address 10.1.1.1 255.255.255.0 [RouterA-Ethernet1/1] quit # Configure an IPv6 address for interface Serial 2/0, the physical interface of the tunnel. [RouterA] interface serial 2/0 [RouterA-Serial2/0] ipv6 address 2002::1:1 64 [RouterA-Serial2/0] quit # Create a tunnel interface named Tunnel0.
# Configure the destination address of the tunnel interface Tunnel0 as the IP address of the interface Serial 2/0 on Router A. [RouterB-Tunnel0] destination 2002::1:1 [RouterB-Tunnel0] quit # Configure a static route from Router B through the tunnel interface Tunnel0 to Group 1. [RouterB] ip route-static 10.1.1.0 255.255.255.0 tunnel 0 3. Verify the configuration: # Display the tunnel interface status on Router A and Router B, respectively.
10 packets output, 840 bytes 0 output error # From Router B, ping the IP address of Ethernet 1/1 on Router A. [RouterB] ping 10.1.1.1 PING 10.1.1.1: 56 data bytes, press CTRL_C to break Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=3 ms Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms --- 10.1.1.
Configuring IPv6 basics Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. The significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. IPv6 features Simplified header format IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCP server). • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address respectively. An IPv6 address prefix is written in IPv6-address/prefix-length notation. The IPv6-address is represented in any of the formats previously mentioned. The prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address serve as the address prefix.
• A loopback address is 0:0:0:0:0:0:0:1 (or ::1). It cannot be assigned to any physical interface and can be used by a node to send an IPv6 packet to itself in the same way as the loopback address in IPv4. • An unspecified address is 0:0:0:0:0:0:0:0 (or ::). It cannot be assigned to any node. Before acquiring a valid IPv6 address, a node fills this address in the source address field of IPv6 packets. The unspecified address cannot be used as a destination IPv6 address.
Figure 105 Converting a MAC address into an EUI-64 address-based interface identifier • On a tunnel interface The lower 32 bits of the EUI-64 address-based interface identifier are the source IPv4 address of the tunnel interface. The higher 32 bits of the EUI-64 address-based interface identifier of an ISATAP tunnel interface are 0000:5EFE, whereas those of other tunnel interfaces are all zeros. For more information about tunnels, see "Configuring tunneling.
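The conversion in Figure 105 (insert FFFE between the two halves of the 48-bit MAC, then invert the universal/local bit) is reversible, which is the privacy caveat of EUI-64 addressing: anyone who sees the address learns the hardware MAC. The following Python is an added example, not code from the guide, that performs the conversion for a constructed MAC address and recovers the MAC from an EUI-64-based address; the function names are this example's own.

```python
# Added example (not from the HP MSR guide): MAC -> EUI-64 interface ID as in Figure 105,
# plus the reverse mapping.
import ipaddress
from typing import Optional

UL_BIT = 1 << 57   # bit 1 of the first octet of the 64-bit interface ID


def eui64_interface_id(mac: str) -> int:
    """64-bit interface identifier: MAC[0:3] + FF:FE + MAC[3:6], with the u/l bit inverted."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ UL_BIT


def eui64_address(prefix: str, mac: str) -> str:
    """Address formed by a /64 prefix and the EUI-64 interface ID (the 'eui-64' keyword)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def mac_from_eui64(ipv6: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-based address; None if the interface ID is not EUI-64 shaped."""
    iid = (int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFFFFFFFFFF) ^ UL_BIT
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])
```

A link-local address built this way (prefix fe80::/64) is what ipv6 address auto link-local produces on an Ethernet interface; on a tunnel interface the interface ID is derived from the source IPv4 address instead, as the text above describes.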
ICMPv6 message Type Function Redirect message 137 Informs the source host of a better next hop on the path to a particular destination when certain conditions are met. Address resolution This function is similar to the ARP function in IPv4. An IPv6 node acquires the link-layer addresses of neighboring nodes on the same link through NS and NA message exchanges. Figure 106 shows how Host A acquires the link-layer address of Host B on a single link.
Figure 107 Duplicate address detection 1. Host A sends an NS message whose source address is the unspecified address and whose destination address is the corresponding solicited-node multicast address of the IPv6 address to be detected. The NS message contains the IPv6 address. 2. If Host B uses this IPv6 address, Host B returns an NA message. The NA message contains the IPv6 address of Host B. 3. Host A learns that the IPv6 address is being used by Host B after receiving the NA message from Host B.
IPv6 path MTU discovery The links that a packet passes from a source to a destination might have different MTUs. In IPv6, intermediate routers do not fragment packets: a packet that exceeds the MTU of the next link is dropped and a Packet Too Big message carrying that link MTU is returned, so only the source node fragments, which reduces the processing load on intermediate devices and uses network resources effectively. The path MTU discovery mechanism is designed to find the minimum MTU of all links in the path between a source and a destination.
Tunneling Tunneling is an encapsulation technology that utilizes one network protocol to encapsulate packets of another network protocol and transfer them over the network. For more information about tunneling, see "Configuring tunneling." NAT-PT Network Address Translation – Protocol Translation (NAT-PT) is usually applied on a device between IPv4 and IPv6 networks to translate between IPv4 and IPv6 packets, allowing communication between IPv4 and IPv6 nodes.
• RFC 4191, Default Router Preferences and More-Specific Routes • RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification • RFC 4861, Neighbor Discovery for IP Version 6 (IPv6) • RFC 4862, IPv6 Stateless Address Autoconfiguration IPv6 basics configuration task list Task Remarks Enabling IPv6 Configuring basic IPv6 functions Required. Configuring an IPv6 global unicast address Configuring an IPv6 link-local address Required to configure one.
Configuring basic IPv6 functions Enabling IPv6 Enable IPv6 before you perform any IPv6-related configuration. Without IPv6 enabled, an interface cannot forward IPv6 packets even if it has an IPv6 address configured. To enable IPv6: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable IPv6. ipv6 Disabled by default.
Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Configure an IPv6 address manually. ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } By default, no IPv6 global unicast address is configured on an interface. Stateless address autoconfiguration To configure an interface to generate an IPv6 address by using stateless address autoconfiguration: Step Command Remarks 1.
3. Configure the interface to automatically generate an IPv6 link-local address: ipv6 address auto link-local (optional; by default, no link-local address is configured on an interface; after an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically)
To manually configure an IPv6 link-local address:
1. Enter system view: system-view
2. Enter interface view.
Configuring IPv6 ND Configuring a static neighbor entry The IPv6 address of a neighboring node can be resolved into a link-layer address dynamically through NS and NA messages or through a manually configured static neighbor entry. The device uniquely identifies a static neighbor entry by the neighbor's IPv6 address and the local Layer 3 interface number. You can configure a static neighbor entry by using either of the following methods.
3. Configure the maximum number of neighbors that an interface can learn dynamically: ipv6 neighbors max-learning-num number (optional; by default, a Layer 2 interface does not limit the number of dynamically learned neighbors, and a Layer 3 interface can learn a maximum of 1024 neighbors dynamically). This limit bounds the neighbor cache that an attacker can fill by scanning addresses in a /64 attached to the interface.
Setting the age timer for ND entries in stale state
ND entries in stale state have an age timer.
Parameters and their descriptions: O flag: Determines whether hosts use stateful autoconfiguration to acquire other configuration information. If the O flag is set to 1, hosts use stateful autoconfiguration (for example, through a DHCP server) to acquire other configuration information. Otherwise, hosts use stateless autoconfiguration to acquire other configuration information. Router Lifetime: Tells the receiving hosts how long the advertising router can be used as a default router; a value of 0 means the router is not a default router.
3. Enter interface view: interface interface-type interface-number
4. Configure the prefix information in RA messages: ipv6 nd ra prefix { ipv6-prefix prefix-length | ipv6-prefix/prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig | off-link ] * (optional)
5. Turn off the MTU option in RA messages: ipv6 nd ra no-advlinkmtu
Set the M flag bit to 1.
continues to send an NS message. If the interface still does not receive a response after the number of sent attempts reaches the threshold (specified with the ipv6 nd dad attempts command), the acquired address is considered usable. To configure the attempts to send an NS message for DAD: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Configure the number of attempts to send an NS message for DAD. Optional.
• If super VLAN is used, the two hosts must belong to different sub VLANs. • If isolate-user-VLAN is used, the two hosts must belong to different secondary VLANs. Configuration procedure You can enable local ND proxy in VLAN interface view, Layer 3 Ethernet interface view, or Layer 3 Ethernet subinterface view. To enable local ND proxy: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Enable local ND proxy.
Step Command Remarks 1. Enter system view. system-view N/A 2. Configure a static path MTU for a specified IPv6 address. ipv6 pathmtu [ vpn-instance vpn-instance-name ] ipv6-address [ value ] Not configured by default. Configuring the aging time for dynamic path MTUs After the path MTU from a source host to a destination host is dynamically determined (see "Configuring path MTU discovery"), the source host sends subsequent packets to the destination host based on this MTU.
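The discovery loop described under "IPv6 path MTU discovery" and the static/dynamic path MTU table from the two procedures above fit in one model. The following Python is an added example, not code from the guide: discover_path_mtu walks a packet over constructed link MTUs and lowers the size on each Packet Too Big until the packet fits, and PathMtuTable keeps learned entries until the aging time while static entries (ipv6 pathmtu) never age. The 10-minute aging default, the 1500-byte fallback and the rule that a static entry is not overwritten by a learned one are assumptions of this example, not values taken from the guide.

```python
# Added example (not from the HP MSR guide): IPv6 path MTU discovery and a path MTU
# table with static entries and aging dynamic entries.
from typing import Dict, List, Optional, Tuple

IPV6_MIN_MTU = 1280   # RFC 8200: every IPv6 link must carry at least 1280 bytes


def discover_path_mtu(link_mtus: List[int], initial_size: int) -> Tuple[int, int]:
    """Send initial_size-byte packets along the links in order. The first router whose
    next link is too small returns Packet Too Big with that link MTU; the source resends
    at that size. Returns (path MTU, number of transmissions needed)."""
    if any(m < IPV6_MIN_MTU for m in link_mtus):
        raise ValueError("an IPv6 link MTU below 1280 bytes is not valid")
    size = initial_size
    sends = 0
    while True:
        sends += 1
        for mtu in link_mtus:
            if size > mtu:
                size = mtu            # Packet Too Big: adopt the reported link MTU
                break
        else:
            return size, sends        # packet crossed every link


class PathMtuTable:
    """Per-destination path MTUs. Dynamic entries expire after the aging time;
    static entries (configured with 'ipv6 pathmtu') never expire."""

    def __init__(self, aging_minutes: int = 10, default_mtu: int = 1500):
        self.aging_s = aging_minutes * 60          # assumed default, not from the guide
        self.default_mtu = default_mtu
        self._entries: Dict[str, Tuple[int, Optional[float]]] = {}   # dst -> (mtu, learned_at)

    def set_static(self, dst: str, mtu: int) -> None:
        if mtu < IPV6_MIN_MTU:
            raise ValueError("path MTU below 1280 bytes is not valid")
        self._entries[dst] = (mtu, None)

    def learn(self, dst: str, mtu: int, now: float) -> None:
        """Record a dynamically discovered path MTU; a static entry is left untouched."""
        current = self._entries.get(dst)
        if current is not None and current[1] is None:
            return
        self._entries[dst] = (max(mtu, IPV6_MIN_MTU), now)

    def lookup(self, dst: str, now: float) -> int:
        """MTU to use for dst at time now; expired dynamic entries are removed."""
        entry = self._entries.get(dst)
        if entry is None:
            return self.default_mtu
        mtu, learned_at = entry
        if learned_at is not None and now - learned_at >= self.aging_s:
            del self._entries[dst]
            return self.default_mtu
        return mtu
```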
Configuring IPv6 FIB load sharing In the IPv6 FIB load sharing mode, the device can decide how to select equal cost multi-paths (ECMP) to forward packets. The device supports the following load sharing modes: • Load sharing based on the HASH algorithm—A hash of the source IPv6 address and destination IPv6 address selects the ECMP route, so all packets of one flow take the same path. • Load sharing based on polling—Each ECMP route is used in turn (round-robin) to forward packets, which can reorder packets within a flow.
2. Configure the capacity and update interval of the token bucket: ipv6 icmp-error { bucket bucket-size | ratelimit interval } * (optional; by default, the capacity of a token bucket is 100 and the update interval is 1000 milliseconds, so a maximum of 100 ICMPv6 error packets can be sent within 1000 milliseconds)
Enabling replying to multicast echo requests
If hosts are configured to answer multicast echo requests, an attacker can send an echo request to a multicast address with a spoofed source address, and every host that answers then floods the spoofed victim with echo replies (an amplification attack).
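The ICMPv6 error rate limit above is described only as a bucket capacity and an update interval. The following Python is an added example, not code from the guide or from Comware, that models it as a token bucket refilled to capacity once per interval and counts which of a constructed burst of error-message triggers would be sent or suppressed. The refill-to-capacity semantics and the function names are assumptions of this example; the point it shows is that a burst of unroutable packets can only ever draw at most bucket-size error replies per interval out of the device.

```python
# Added example (not from the HP MSR guide): token-bucket rate limit for ICMPv6 error
# messages, with the guide's defaults (100 tokens, refilled every 1000 ms).
from typing import Iterable, Tuple


class TokenBucket:
    def __init__(self, bucket: int = 100, interval_ms: int = 1000):
        if bucket < 1 or interval_ms < 1:
            raise ValueError("bucket and interval must be positive")
        self.capacity = bucket
        self.interval = interval_ms
        self.tokens = bucket
        self.last_refill = 0

    def allow(self, now_ms: int) -> bool:
        """Consume one token for an error message at time now_ms; False means suppressed.
        Refill is modelled as 'set to capacity at each interval boundary' (an assumption)."""
        elapsed = now_ms - self.last_refill
        if elapsed >= self.interval:
            self.tokens = self.capacity
            self.last_refill = now_ms - (elapsed % self.interval)   # stay on interval boundaries
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(trigger_times_ms: Iterable[int], bucket: int = 100, interval_ms: int = 1000) -> Tuple[int, int]:
    """Feed error-message triggers (e.g. one per 'no route to destination' event) through the
    bucket in time order. Returns (sent, suppressed)."""
    tb = TokenBucket(bucket, interval_ms)
    sent = suppressed = 0
    for t in sorted(trigger_times_ms):
        if tb.allow(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed
```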
• If no route is available for forwarding the packet, the device sends a "no route to destination" ICMPv6 error message to the source. • If the device fails to forward the packet because of an administrative prohibition (such as a firewall filter or an ACL), the device sends the source a "destination network administratively prohibited" ICMPv6 error message.
Displaying and maintaining IPv6 basics configuration Task Command Remarks Display the IPv6 FIB entries. display ipv6 fib [ vpn-instance vpn-instance-name ] [ acl6 acl6-number | ipv6-prefix ipv6-prefix-name ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display the IPv6 FIB entry of a specified destination IPv6 address.
Task Command Remarks Clear the statistics of IPv6 and ICMPv6 packets. reset ipv6 statistics Available in user view. Clear all IPv6 TCP connection statistics. reset tcp ipv6 statistics Available in user view. Clear the statistics of all IPv6 UDP packets. reset udp ipv6 statistics Available in user view. IPv6 basics configuration example Network requirements As shown in Figure 111, a host, Router A and Router B are connected through Ethernet interfaces.
[RouterB-Ethernet1/1] ipv6 address 3001::2/64 [RouterB-Ethernet1/1] quit # Configure an IPv6 static route with destination IP address 2001::/64 and next hop address 3001::1. [RouterB] ipv6 route-static 2001:: 64 3001::1 3. Configure the host: # Enable IPv6 for the host to obtain an IPv6 address automatically through IPv6 ND. # Execute the ping ipv6 command on Router A to verify the connectivity between Router A and Router B.
FF02::1:FF00:0 FF02::1:FF00:1 FF02::1:FF00:2 FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 25829 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers:
FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 600 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 272 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeader
FF02::2 FF02::1 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 117 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 117 OutRequests: 83 OutForwDatagrams: 0 I
round-trip min/avg/max = 2/2/2 ms [RouterB-Ethernet1/1] ping ipv6 -c 1 2001::15B:E0EA:3524:E791 PING 2001::15B:E0EA:3524:E791 : 56 data bytes, press CTRL_C to break Reply from 2001::15B:E0EA:3524:E791 bytes=56 Sequence=1 hop limit=63 time = 3 ms --- 2001::15B:E0EA:3524:E791 ping statistics --1 packet(s) transmitted 1 packet(s) received 0.00% packet loss round-trip min/avg/max = 3/3/3 ms The output shows that Router B can ping Router A and the host.
DHCPv6 overview
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts.
Basic concepts
Multicast addresses used by DHCPv6
DHCPv6 uses the multicast address FF05::1:3 to identify all DHCPv6 servers on the site-local scope, and uses the multicast address FF02::1:2 to identify all DHCPv6 servers and relay agents on the link-local scope.
Binding
The DHCPv6 server uses bindings to record the configuration information assigned to DHCPv6 clients, including the IPv6 address/prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
PD
The DHCPv6 server creates a Prefix Delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, and lease expiration time.
The assignment involving four messages operates as follows:
1. The DHCPv6 client sends out a Solicit message, requesting an IPv6 address/prefix and other configuration parameters.
2.
For more information about the valid lifetime and the preferred lifetime, see "Configuring IPv6 basics."
Stateless DHCPv6 configuration
After obtaining an IPv6 address/prefix, a device can use stateless DHCPv6 to obtain other configuration parameters from a DHCPv6 server. This application is called stateless DHCPv6 configuration.
Configuring the DHCPv6 server
Overview
To simplify IPv6 address management and network configuration, you can configure a DHCPv6 server to assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients.
Figure 118 Typical DHCPv6 server application for address assignment
DHCPv6 address pool
A DHCPv6 address pool includes IPv6 addresses, IPv6 prefixes, and other configuration parameters that the DHCPv6 server assigns to DHCPv6 clients.
• If a match is found in an address pool, the server assigns the client the IPv6 prefix and other configuration parameters in the address pool.
• If no match is found, the DHCPv6 server assigns an IPv6 prefix and other configuration parameters from the address pool applied on the receiving interface.
Address selection process
Upon receiving a request for an IPv6 address, the DHCPv6 server searches all the address pools for a static IPv6 address bound to the client.
Configuring the DHCPv6 server to assign IPv6 prefixes to DHCPv6 clients
Use either of the following methods to configure the DHCPv6 server to assign an IPv6 prefix to a DHCPv6 client:
• Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.
Step 4. Configure the DHCPv6 server.
Command:
• Configure a static prefix binding:
  static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
• Apply a prefix pool to the address pool:
Remarks: Use at least one command. Not configured by default.
Step 3. Configure the DHCPv6 server.
Command:
• Configure a static IPv6 address binding:
  static-bind address ipv6-address/addr-prefix-length duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ]
Description: Use at least one command. Not configured by default.
• An interface cannot serve as a DHCPv6 server and DHCPv6 relay agent at the same time.
• Do not enable DHCPv6 server and DHCPv6 client on the same interface.
• Only one address pool can be applied to an interface.
• A non-existing address pool can be applied to an interface, but the server cannot assign any prefix, address, or other configuration information from the address pool until the address pool is created.
Task: Clear information about IPv6 address conflicts.
Command: reset ipv6 dhcp server conflict { address ipv6-address | all | pool pool-number }
Remarks: Available in user view.

Task: Clear information about IPv6 address bindings.
Command: reset ipv6 dhcp server ip-in-use { address ipv6-address | all | pool pool-number }
Remarks: Available in user view.

Task: Clear information about IPv6 prefix bindings.
Command: reset ipv6 dhcp server pd-in-use { all | pool pool-number | prefix prefix/prefix-len }
Remarks: Available in user view.
Figure 119 Network diagram
Configuration procedure
# Enable IPv6 and DHCPv6 server.
system-view
[Router] ipv6
[Router] ipv6 dhcp server enable
# Configure the IPv6 address of Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipv6 address 1::1/64
[Router-Ethernet1/1] quit
# Create and configure prefix pool 1.
[Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
# Create address pool 1.
[Router-Ethernet1/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display DHCPv6 server configuration information on Ethernet 1/1.
[Router-Ethernet1/1] display ipv6 dhcp server interface ethernet 1/1
Using pool: 1
Preference value: 255
Allow-hint: Enabled
Rapid-commit: Enabled
# Display information about address pool 1.
Static IPv6 address assignment configuration example
Network requirements
As shown in Figure 120, the router serves as a DHCPv6 server with IPv6 address 1::1/64. It assigns IPv6 address 1::A/124 to the client whose DUID is FF00010006498D3322000102030405, and assigns IPv6 address 1::B/124 to the client whose DUID is 00030001CA0006A40000.
Configuration considerations
Configure the following settings on the DHCPv6 server:
1. Enable IPv6 and DHCPv6 server.
2. Create a DHCPv6 address pool.
# Enable the DHCPv6 server on interface Ethernet 1/1, apply address pool 1 to the interface, configure the address pool to support desired address assignment and rapid address assignment, and set the precedence to the highest.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipv6 dhcp server apply pool 1 allow-hint preference 255 rapid-commit
Verifying the configuration
# Display DHCPv6 server configuration information on Ethernet 1/1.
Dynamic IPv6 address assignment configuration example
Network requirements
As shown in Figure 121, serving as the DHCPv6 server, the router assigns IPv6 addresses on subnet 1:2::/32 to clients Host A and Host B, and assigns IPv6 addresses on subnet 1:3::/32 to clients Host C and Host D.
Configuration considerations
Configure the following settings on the DHCPv6 server:
1. Enable IPv6 and DHCPv6 server.
2.
[Router-dhcp6-pool-1] network 1:2::/32 preferred-lifetime 86400 valid-lifetime 259200
[Router-dhcp6-pool-1] quit
# Create address pool 2, specify subnet 1:3::/32 in the address pool, and set the preferred lifetime to one day and valid lifetime to three days.
[Router] ipv6 dhcp pool 2
[Router-dhcp6-pool-2] network 1:3::/32 preferred-lifetime 86400 valid-lifetime 259200
[Router-dhcp6-pool-2] quit
# Enable the DHCPv6 server, desired address assignment, and rapid address assignment on interface Ethernet 1/1.
# After Host C and Host D have obtained IPv6 addresses, display IPv6 address binding information on the DHCPv6 server.
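As an added illustration (not Comware code) of the address selection process described earlier and of the static and dynamic assignment examples above: a model of a DHCPv6 server that first searches every pool for a static binding matching the client DUID (and IAID, when one is bound) and otherwise leases from the pool applied on the receiving interface, returning nothing when the applied pool does not exist. The two static DUIDs and the subnets 1:2::/32 and 1:3::/32 come from the examples; the unknown-client DUIDs, interface names and the merged pool layout are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Interface, IPv6Network
from typing import Optional


@dataclass
class StaticBind:
    address: IPv6Interface            # address/prefix-len, e.g. 1::A/124
    duid: str
    iaid: Optional[int] = None        # None: any IAID of that DUID matches
    preferred: int = 86400
    valid: int = 259200


@dataclass
class Pool:
    name: str
    network: Optional[IPv6Network] = None       # "network" command; None if not set
    statics: list = field(default_factory=list)
    preferred: int = 86400
    valid: int = 259200
    in_use: dict = field(default_factory=dict)  # (duid, iaid) -> IPv6Interface


@dataclass
class Binding:
    address: IPv6Interface
    duid: str
    iaid: int
    preferred: int
    valid: int
    source: str                        # "static" or the pool name


class Dhcp6Server:
    def __init__(self):
        self.pools = {}
        self.iface_pool = {}           # interface -> pool name ("apply pool")

    def select(self, iface, duid, iaid):
        duid = duid.upper()
        # Step 1: every pool is searched for a static binding for this client.
        for pool in self.pools.values():
            for sb in pool.statics:
                if sb.duid.upper() == duid and sb.iaid in (None, iaid):
                    return Binding(sb.address, duid, iaid, sb.preferred, sb.valid, "static")
        # Step 2: otherwise lease from the pool applied on the receiving interface.
        pool = self.pools.get(self.iface_pool.get(iface))
        if pool is None or pool.network is None:
            return None                # applied but not created: nothing is assigned
        if (duid, iaid) in pool.in_use:
            addr = pool.in_use[(duid, iaid)]   # renewal keeps the existing lease
        else:
            taken = {a.ip for a in pool.in_use.values()}
            addr = next((IPv6Interface(f"{h}/{pool.network.prefixlen}")
                         for h in pool.network.hosts() if h not in taken), None)
            if addr is None:
                return None            # pool exhausted
            pool.in_use[(duid, iaid)] = addr
        return Binding(addr, duid, iaid, pool.preferred, pool.valid, pool.name)


def build_example_server():
    """Constructed layout merging both examples: static binds plus 1:2::/32 in pool 1
    (applied on Ethernet1/1), 1:3::/32 in pool 2 (Ethernet1/2), a missing pool on Ethernet1/3."""
    srv = Dhcp6Server()
    srv.pools = {
        "1": Pool("1", IPv6Network("1:2::/32"), statics=[
            StaticBind(IPv6Interface("1::A/124"), "FF00010006498D3322000102030405"),
            StaticBind(IPv6Interface("1::B/124"), "00030001CA0006A40000")]),
        "2": Pool("2", IPv6Network("1:3::/32"))}
    srv.iface_pool = {"Ethernet1/1": "1", "Ethernet1/2": "2", "Ethernet1/3": "9"}
    return srv
```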
Configuring the DHCPv6 relay agent
Overview
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 122, if the DHCPv6 server resides on another subnet, the DHCPv6 client can contact the server through a DHCPv6 relay agent, so you do not need to deploy a DHCPv6 server on each subnet.
Figure 123 Operating process of a DHCPv6 relay agent
Participants: DHCPv6 client, DHCPv6 relay agent, DHCPv6 server
(1) Solicit (contains a Rapid Commit option)
(2) Relay-forward
(3) Relay-reply
(4) Reply
Configuration prerequisites
Before you configure the DHCPv6 relay agent, enable IPv6 by using the ipv6 command in system view.
Configuration guidelines
• You can specify up to eight DHCPv6 servers for an interface.
Displaying and maintaining the DHCPv6 relay agent
Task: Display the DUID of the local device.
Command: display ipv6 dhcp duid [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display DHCPv6 server addresses specified on the DHCPv6 relay agent.
Command: display ipv6 dhcp relay server-address { all | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display packet statistics on the DHCPv6 relay agent.
# Enable IPv6.
system-view
[RouterA] ipv6
# Configure the IPv6 addresses of Ethernet 1/1 and Ethernet 1/2 respectively.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ipv6 address 2::1 64
[RouterA-Ethernet1/2] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 1::1 64
# Enable DHCPv6 relay agent and specify the DHCPv6 server address on interface Ethernet 1/1.
[RouterA-Ethernet1/1] ipv6 dhcp relay server-address 2::2
2. Configure Router A as a gateway:
Configuring the DHCPv6 client
Serving as a DHCPv6 client, the device supports only stateless DHCPv6 configuration: it can obtain from the DHCPv6 server only configuration parameters other than the IPv6 address and prefix. With an IPv6 address obtained through stateless address autoconfiguration, the device automatically enables the stateless DHCPv6 function after it receives an RA message with the M flag set to 0 and the O flag set to 1.
Task: Clear DHCPv6 client statistics.
Command: reset ipv6 dhcp client statistics [ interface interface-type interface-number ]
Remarks: Available in user view.
Stateless DHCPv6 configuration example
Network requirements
Through stateless DHCPv6, Router A obtains the DNS server address, domain name, and other information from the DHCPv6 server. Router B acts as the gateway to send RA messages periodically.
Figure 125 Stateless DHCPv6 configuration
Configuration procedure
1.
After this command is executed, if Ethernet 1/1 has no IPv6 address configured, Router A automatically generates a link-local address and sends a router solicitation (RS) message, requesting the gateway (Router B) to reply with an RA message immediately.
Verifying the configuration
After receiving an RA message with the M flag set to 0 and the O flag set to 1, Router A automatically enables stateless DHCPv6.
Configuring IPv6 fast forwarding
Overview
Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It uses a five-tuple (source IPv6 address, destination IPv6 address, source port number, destination port number, and protocol number) to describe a data flow.
Displaying and maintaining IPv6 fast forwarding
Task: Display information in the IPv6 fast forwarding table.
Command: display ipv6 fast-forwarding cache [ ipv6-address | verbose ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Clear information in the IPv6 fast forwarding table.
Command: reset ipv6 fast-forwarding cache
Remarks: Available in user view.
Configuring Router B
# Enable IPv6 and configure IPv6 addresses of interfaces Ethernet 1/1 and Serial 2/1.
By default, IPv6 fast forwarding is enabled in the inbound and outbound directions.
  DIP: 2002::1  DPort: 0  Pro: 58  Flg: 256
  Input interface: S2/1
  Output interface: Eth1/1
The output shows that IPv6 fast forwarding entries have been created.
Configuring IPv6 DNS
IPv6 Domain Name System (DNS) is responsible for translating domain names into IPv6 addresses. Like IPv4 DNS, IPv6 DNS includes static domain name resolution and dynamic domain name resolution. The functions and implementations of the two types of domain name resolution are the same as those of IPv4 DNS. For more information, see "Configuring IPv4 DNS."
Configuring the IPv6 DNS client
This section explains how to configure static and dynamic domain resolution for the IPv6 DNS client.
Step 2. Enable dynamic domain name resolution.
Command: dns resolve
Remarks: Disabled by default.

Step 3. Specify a DNS server.
Command: dns server ipv6 ipv6-address [ interface-type interface-number ]
Remarks: Not specified by default. If the IPv6 address of a DNS server is a link-local address, you need to specify the interface-type and interface-number arguments.

Step 4. Configure a DNS suffix.
Command: dns domain domain-name
Remarks: Optional. Not configured by default. Only the provided domain name is resolved.
Configuration procedure
# Configure a mapping between host name host.com and IPv6 address 1::2.
system-view
[Device] ipv6 host host.com 1::2
# Enable IPv6.
[Device] ipv6
# Use the ping ipv6 host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.
[Device] ping ipv6 host.com
  PING host.
Figure 128 Network diagram
Configuration procedure
Before performing the following configuration, make sure the device and the host can reach each other through available routes, and that the IPv6 addresses of the interfaces are configured as shown in Figure 128. This configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
Figure 130 Creating a record
d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
e. Click Create Record.
Figure 131 Selecting the resource record type
f. On the page that appears, enter host name host and IPv6 address 1::1, and then click OK. The mapping between the host name and the IPv6 address is created.
Figure 132 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Enable dynamic domain name resolution.
system-view
[Device] dns resolve
# Specify the DNS server 2::2.
[Device] dns server ipv6 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the corresponding destination IP address is 1::1.
    bytes=56 Sequence=2 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=3 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=4 hop limit=126 time = 1 ms
    Reply from 1::1
    bytes=56 Sequence=5 hop limit=126 time = 1 ms
  --- host.com ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.
Basic forwarding on the device
Upon receiving a packet, a device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and uses the matching entry to forward the packet.
FIB table
A router selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.
Displaying and maintaining the FIB table
Task: Display FIB information.
Command: display fib [ vpn-instance vpn-instance-name ] [ acl acl-number | ip-prefix ip-prefix-name ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.

Task: Display FIB information matching the specified destination IP address.
Command: display fib [ vpn-instance vpn-instance-name ] ip-address [ mask | mask-length ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view.
Configuring load sharing
If a routing protocol finds multiple equal-cost best routes to the same destination, the router forwards packets over the equal-cost routes to implement load sharing. The maximum number of routes for load sharing is eight. Static routing/IPv6 static routing, RIP/RIPng, OSPF/OSPFv3, BGP/IPv6 BGP, and IS-IS/IPv6 IS-IS support load sharing.
Step 4. Specify the bandwidth of the interface for load sharing.
Command: load-bandwidth bandwidth
Remarks: Optional. The default is the physical bandwidth of the interface.

Step 5. Return to user view.
Command: return

Step 6. Display statistics about bandwidth-based load sharing.
Command: display load-sharing ip address ip-address { mask | mask-length } [ | { begin | exclude | include } regular-expression ]

Step 7. Clear statistics about bandwidth-based load sharing.
Bandwidth-based load sharing configuration example
Network requirements
Router A in Figure 133 has the following three equal-cost routes to the destination network 10.2.1.0/24:
display fib 10.2.1.0
 Destination count: 1 FIB entry count: 3
 Flag:
   U:Useable   G:Gateway   H:Host   B:Blackhole   D:Dynamic   S:Static   R:Relay
 Destination/Mask   Nexthop    Flag  OutInterface  InnerLabel  Token
 10.2.1.0/24        10.1.1.2   GSU   Eth1/1        Null        Invalid
                    10.1.2.2   GSU   Atm1/0        Null        Invalid
                    10.1.3.
[RouterA] interface serial 2/0
[RouterA-serial2/0] load-bandwidth 300
[RouterA-serial2/0] quit
# Display the bandwidths of the three interfaces.
[RouterA] display load-sharing ip address 10.2.1.0 24
There are/is totally 3 route entry(s) to the same destination network.
 Nexthop    Packet(s)  Bandwidth[KB]  Flow(s)  Interface
 10.1.2.2   142824     100            0        Atm1/0
 10.1.1.2   285648     200            0        Ethernet1/1
 10.1.3.
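As an added illustration (not Comware code) of bandwidth-based load sharing over the three equal-cost routes above: a per-packet scheduler that spreads packets over the next hops in proportion to their configured load-bandwidth values (100, 200 and 300 on Atm1/0, Ethernet1/1 and Serial2/0), which yields the 1:2:3 packet split visible in the Packet(s) column. The guide does not state Comware's scheduling algorithm, so the smooth weighted round robin used here is an assumption; next-hop addresses are omitted because the third one is truncated on the page.

```python
from dataclasses import dataclass


@dataclass
class NextHop:
    iface: str
    bandwidth: int      # load-bandwidth value of the interface (KB in the display output)
    packets: int = 0    # packets sent over this next hop, as in the Packet(s) column
    current: int = 0    # running weight used by the scheduler


class BandwidthLoadSharer:
    """Per-packet load sharing over equal-cost next hops, weighted by bandwidth.
    Smooth weighted round robin (an assumption, not the documented algorithm):
    every next hop gains its weight each round, the highest running weight sends
    and is charged the total, so over `total` picks each hop sends `bandwidth` packets."""

    def __init__(self, hops):
        self.hops = list(hops)
        self.total = sum(h.bandwidth for h in self.hops)

    def pick(self):
        for h in self.hops:
            h.current += h.bandwidth
        best = max(self.hops, key=lambda h: h.current)
        best.current -= self.total
        best.packets += 1
        return best

    def send(self, n):
        """Send n packets and return the cumulative per-interface packet counts."""
        for _ in range(n):
            self.pick()
        return {h.iface: h.packets for h in self.hops}

    def expected_share(self, n):
        """Ideal split of n packets: bandwidth / total bandwidth per interface."""
        return {h.iface: n * h.bandwidth // self.total for h in self.hops}


def example_routes():
    # The three equal-cost routes to 10.2.1.0/24 from the example above, with the
    # load-bandwidth values 100, 200 and 300 configured on their interfaces.
    return [NextHop("Atm1/0", 100), NextHop("Ethernet1/1", 200), NextHop("Serial2/0", 300)]
```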
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.