HP MSR2000/3000/4000 Router Series Layer 3 - IP Services Configuration Guide (V7)
Part number: 5998-3991
Software version: CMW710-R0007P02
Document version: 6PW100-20130927
Legal and notice information © Copyright 2013 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring ARP

This chapter describes how to configure the Address Resolution Protocol (ARP).

Overview

ARP resolves IP addresses into MAC addresses on Ethernet networks.

ARP message format

ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths.

Figure 1 ARP message format

• Hardware type—Hardware address type. The value 1 represents Ethernet.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request comprises the following information:
  ◦ Sender IP address and sender MAC address—Host A's IP address and MAC address.
  ◦ Target IP address—Host B's IP address.
  ◦ Target MAC address—An all-zero MAC address.
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
3.
Static ARP entry

A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry.

Static ARP entries include long and short ARP entries.
• A long static ARP entry comprises the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets.
Step 2. Configure a static ARP entry. Use either command:
  • Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
  • Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
  Remarks: By default, no static ARP entry is configured.

Setting the maximum number of dynamic ARP entries for a device

A device can dynamically learn ARP entries.
Step 3. Set the maximum number of dynamic ARP entries for the interface.
  Command: arp max-learning-num number
  Remarks: If the value of the number argument is set to 0, the interface is disabled from learning dynamic ARP entries.

Setting the aging timer for dynamic ARP entries

Each dynamic ARP entry in the ARP table has a limited lifetime, called an aging timer. The aging timer of a dynamic ARP entry is reset each time the dynamic ARP entry is updated.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable ARP log output.
  Command: arp check log enable
  Remarks: By default, ARP log output is disabled.

Displaying and maintaining ARP

IMPORTANT: Clearing ARP entries from the ARP table might cause communication failures. Make sure the entries to be cleared do not affect current communications.

Execute display commands in any view and reset commands in user view.

Task: Display ARP entries (MSR2000/MSR3000).
Figure 3 Network diagram

Configuration procedure

# Create VLAN 10.
system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface Ethernet 1/1 to VLAN 10.
[Switch] interface ethernet 1/1
[Switch-Ethernet1/1] port access vlan 10
[Switch-Ethernet1/1] quit
# Create VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.2 8
[Switch-vlan-interface10] quit
# Configure a static ARP entry that has IP address 192.168.1.
Configuring gratuitous ARP

Overview

In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes:
• Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply.
• Inform other devices of a MAC address change.
  ◦ If the virtual IP address of the VRRP group is associated with a virtual MAC address, the sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router.
  ◦ If the virtual IP address of the VRRP group is associated with the real MAC address of an interface, the sender MAC address in the gratuitous ARP packet is the MAC address of the interface on the master router in the VRRP group.
• Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
Step 5. Enable periodic sending of gratuitous ARP packets and set the sending interval.
  Command: arp send-gratuitous-arp [ interval milliseconds ]
  Remarks: By default, periodic sending of gratuitous ARP packets is disabled.

Enabling IP conflict notification

By default, if the sender IP address of a received gratuitous ARP packet is being used by the receiving device, the receiving device sends a gratuitous ARP request, and it displays an error message after it receives an ARP reply about the conflict.
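The ARP message format (Figure 1), the request payload, gratuitous ARP and the IP conflict notification described in this chapter, together with the static-entry and max-learning-num rules from the static ARP sections, modelled in Python as an added example (not code from the guide or from HP). MAC_A reuses a MAC address quoted elsewhere in this guide; MAC_B, the IP addresses and the conflict rule's handling of the device's own MAC are constructed assumptions.

```python
"""Model of the ARP behaviour this chapter describes: parse the Ethernet/IPv4
ARP message of Figure 1, classify requests, replies and gratuitous ARP,
raise the IP conflict notification, and keep an ARP table in which static
entries are never overwritten by dynamic learning and dynamic learning is
capped (arp max-learning-num). Added example, not HP code."""
import struct
from dataclasses import dataclass

HW_ETHERNET = 1          # hardware type value 1 = Ethernet (Figure 1)
PROTO_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = bytes(6)      # target MAC in a request is all zeros


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_str(b: bytes) -> str:
    """Render a MAC in the aaaa-bbbb-cccc form used in this guide."""
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


@dataclass(frozen=True)
class ArpMessage:
    opcode: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # Sender IP and target IP are both the sending device's own address.
        return self.sender_ip == self.target_ip


def parse_arp(payload: bytes) -> ArpMessage:
    """Parse the 28-byte ARP payload (field lengths as in Figure 1)."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (HW_ETHERNET, PROTO_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpMessage(op, smac, ip_str(sip), tmac, ip_str(tip))


def build_arp(op: int, smac: bytes, sip: str, tmac: bytes, tip: str) -> bytes:
    """Build an ARP payload; used here only to construct sample messages."""
    to_b = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH6s4s6s4s", HW_ETHERNET, PROTO_IPV4, 6, 4, op,
                       smac, to_b(sip), tmac, to_b(tip))


def ip_conflict(msg: ArpMessage, my_ip: str, my_mac: bytes) -> bool:
    """IP conflict notification: a received gratuitous ARP whose sender IP is
    this device's own address. Ignoring frames that carry our own MAC
    (our own periodic gratuitous ARP) is an assumption of this model."""
    return msg.gratuitous and msg.sender_ip == my_ip and msg.sender_mac != my_mac


class ArpTable:
    """Static entries win over dynamic ones; dynamic learning is capped."""

    def __init__(self, max_dynamic: int):
        self.static: dict = {}
        self.dynamic: dict = {}
        self.max_dynamic = max_dynamic   # 0 disables dynamic learning

    def add_static(self, ip: str, mac: bytes) -> None:
        self.static[ip] = mac
        self.dynamic.pop(ip, None)       # a static entry replaces any dynamic one

    def learn(self, msg: ArpMessage) -> bool:
        """Dynamic learning from a received message; True if the table changed."""
        if msg.sender_ip in self.static:
            return False                 # cannot overwrite a static entry
        if msg.sender_ip not in self.dynamic and len(self.dynamic) >= self.max_dynamic:
            return False                 # arp max-learning-num reached
        self.dynamic[msg.sender_ip] = msg.sender_mac
        return True

    def lookup(self, ip: str):
        return self.static.get(ip) or self.dynamic.get(ip)


# Constructed sample MACs: MAC_A reuses a MAC quoted later in this guide.
MAC_A = bytes.fromhex("000fe20001c0")
MAC_B = bytes.fromhex("000fe2000102")

if __name__ == "__main__":
    req = parse_arp(build_arp(OP_REQUEST, MAC_A, "192.168.1.1", ZERO_MAC, "192.168.1.2"))
    grat = parse_arp(build_arp(OP_REQUEST, MAC_B, "192.168.1.2", ZERO_MAC, "192.168.1.2"))
    print("request gratuitous?", req.gratuitous,
          "| conflict with our 192.168.1.2?", ip_conflict(grat, "192.168.1.2", MAC_A))
```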
Configuring proxy ARP

Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts on different broadcast domains can communicate with each other as they would on the same broadcast domain.

Proxy ARP includes common proxy ARP and local proxy ARP.
• Common proxy ARP—Allows communication between hosts that connect to different Layer-3 interfaces and reside in different broadcast domains.
Displaying proxy ARP

Execute display commands in any view.

Task: Display common proxy ARP status.
  Command: display proxy-arp [ interface interface-type interface-number ]
Task: Display local proxy ARP status.
  Command: display local-proxy-arp [ interface interface-type interface-number ]

Common proxy ARP configuration example

Network requirements

As shown in Figure 4, Host A and Host D have the same prefix and mask, but they are located on different subnets. No default gateway is configured on Host A and Host D.
# Configure the IP address of interface Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 192.168.20.99 255.255.255.0
# Enable common proxy ARP on interface Ethernet 1/1.
[Router-Ethernet1/1] proxy-arp enable
[Router-Ethernet1/1] quit

After the configuration, Host A and Host D can ping each other.
Configuring ARP snooping

ARP snooping is not supported in the current release, and it is reserved for future use.

ARP snooping is used in Layer 2 switching networks. It creates ARP snooping entries by using information in ARP packets. ARP fast-reply and manual-mode MFF (MAC-Forced Forwarding) can use the ARP snooping entries. For more information about MFF, see Security Configuration Guide.

If you enable ARP snooping on a VLAN, ARP packets received by any interface in the VLAN are redirected to the CPU.
Task: Display ARP snooping entries (MSR4000).
  Command: display arp snooping [ vlan vlan-id ] [ slot slot-number ] [ count ]
Task: Remove ARP snooping entries.
Configuring ARP fast-reply

ARP fast-reply is not supported in the current release, and it is reserved for future use.

Overview

Function

In a wireless network, APs are connected to an AC through tunnels, so that clients can communicate with the AC through APs and can further access the gateway through the AC. If a client broadcasts an ARP request through the associated AP, the AC needs to send the ARP request to all the other APs, wasting tunnel resources and affecting forwarding performance.
ARP fast-reply configuration example

Network requirements

As shown in Figure 5, Client 1, Client 2 through Client 100, and Client 101 through Client 200 access the network through AP 1, AP 2, and AP 3, respectively. AP 1, AP 2, and AP 3 are connected to the AC through the switch. The APs are connected to VLAN 2. If Client 1 wants to access Client 200, it broadcasts an ARP request and the AC sends it to AP 2 and AP 3.
[AC-vlan1] quit
Configuring IP addressing

The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified.

This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter.

Overview

This section describes the IP addressing basics. IP addressing uses a 32-bit address to identify each host on an IPv4 network.
Class C: 192.0.0.0 to 223.255.255.255. Remarks: N/A
Class D: 224.0.0.0 to 239.255.255.255. Remarks: Multicast addresses.
Class E: 240.0.0.0 to 255.255.255.255. Remarks: Reserved for future use, except for the broadcast address 255.255.255.255.

Special IP addresses

The following IP addresses are for special use and cannot be used as host IP addresses:
• IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.
Assigning an IP address to an interface

An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address.

An interface can have one primary address and multiple secondary addresses.
Configuration guidelines

Follow these guidelines when you configure IP unnumbered:
• Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of these interfaces.
• Synchronous and asynchronous serial interfaces, and dial-up interfaces can borrow IP addresses of Ethernet interfaces.
• An interface cannot borrow an IP address from an unnumbered interface.
IP address configuration example

Network requirements

As shown in Figure 8, Ethernet 1/1 on the router is connected to a LAN comprising two segments: 172.16.1.0/24 and 172.16.2.0/24. To enable the hosts on the two network segments to communicate with the external network through the router, and to enable the hosts on the LAN to communicate with each other:
• Assign a primary IP address and a secondary IP address to Ethernet 1/1 on the router.
56 bytes from 172.16.1.2: icmp_seq=0 ttl=254 time=7.000 ms
56 bytes from 172.16.1.2: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 172.16.1.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 172.16.1.2: icmp_seq=4 ttl=254 time=2.000 ms

--- Ping statistics for 172.16.1.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/2.200/7.000/2.
Figure 9 Network diagram

Configuration procedure

1. Configure Router A:
# Assign a primary IP address to Ethernet 1/1.
system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 172.16.10.1 255.255.255.0
[RouterA-Ethernet1/1] quit
# Configure Serial 2/1 to borrow an IP address from Ethernet 1/1.
[RouterA] ping 172.16.20.2
Ping 172.16.20.2 (172.16.20.2): 56 data bytes, press escape sequence to break
56 bytes from 172.16.20.2: icmp_seq=0 ttl=254 time=7.000 ms
56 bytes from 172.16.20.2: icmp_seq=1 ttl=254 time=0.000 ms
56 bytes from 172.16.20.2: icmp_seq=2 ttl=254 time=1.000 ms
56 bytes from 172.16.20.2: icmp_seq=3 ttl=254 time=1.000 ms
56 bytes from 172.16.20.2: icmp_seq=4 ttl=254 time=2.000 ms

--- Ping statistics for 172.16.20.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.
DHCP overview

The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 10 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet.

The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent."
Dynamic IP address allocation process

Figure 11 Dynamic IP address allocation process

1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server.
2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For related information, see "DHCP message format."
3.
DHCP message format

Figure 12 shows the DHCP message format. DHCP uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes.

Figure 12 DHCP message format

• op—Message type defined in options field. 1 = REQUEST, 2 = REPLY
• htype, hlen—Hardware address type and length of the DHCP client.
• hops—Number of relay agents a request message traveled.
DHCP options

DHCP uses the same message format as BOOTP, but DHCP uses the options field to carry information for dynamic address allocation and provide additional configuration information to clients.

Figure 13 DHCP option format

Common DHCP options

The following are common DHCP options:
• Option 3—Router option. It specifies the gateway address.
• Option 6—DNS server option. It specifies the DNS server's IP address.
• Option 33—Static route option.
Through Option 43, the DHCP client can obtain the PXE server address, which is used to obtain the boot file or other control information from the PXE server.
1. Format of Option 43:
Figure 14 Option 43 format
Network configuration parameters are carried in different sub-options of Option 43 as shown in Figure 14.
  ◦ Sub-option type—The field value can be 0x02 (service provider identifier sub-option) or 0x80 (PXE server address sub-option).
2.
• Normal padding format—Contains the VLAN ID and interface number of the interface that received the client's request.
• Verbose padding format—Contains the access node identifier specified by the user, and the VLAN ID, interface number, and interface type of the interface that received the client's request.

Remote ID has the following padding formats:
• String padding format—Contains a character string specified by the user.
Configuring the DHCP server

Overview

The DHCP server is well suited to networks where:
• Manual configuration and centralized management are difficult to implement.
• IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically.
• Most hosts do not need fixed IP addresses.
c. If the matching user class has no assignable addresses, the DHCP server matches the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range.
d. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command.
IP address allocation sequence

The DHCP server selects an IP address for a client in the following sequence:
1. IP address statically bound to the client's MAC address or ID.
2. IP address that was ever assigned to the client.
3. IP address designated by the Option 50 field in the DHCP-DISCOVER message sent by the client. Option 50 is the Requested IP Address option. The client uses this option to specify the wanted IP address in a DHCP-DISCOVER message. The content of Option 50 is user defined.
4.
Tasks at a glance

Perform at least one of the following tasks:
• Specifying IP address ranges for a DHCP address pool
• Specifying gateways for the client
• Specifying a domain name suffix for the client
• Specifying DNS servers for the client
• Specifying WINS servers and NetBIOS node type for the client
• Specifying BIMS server information for the client
• Specifying the TFTP server and boot file name for the client
• Specifying a server for the DHCP client
• Configuring Option 184 parameters for the
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a DHCP user class and enter DHCP user class view.
  Command: dhcp class class-name
  Remarks: Required for client classification. By default, no DHCP user class exists.
Step 3. Configure the match rule for the DHCP user class.
  Command: if-match option option-code [ hex hex-string [ offset offset length length | mask mask ] ]
  Remarks: Required for client classification.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Enter address pool view.
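The DHCP message layout (Figure 12), the option format (Figure 13), the Option 82 sub-options and Option 50 described earlier, plus the if-match option rule in the table above, worked through in Python as an added example (not code from the guide or from HP). The sample message, its addresses and its sub-option values are constructed, and the offset/length and mask comparison semantics are assumed from the command syntax rather than taken from the guide.

```python
"""Parse a DHCP message laid out as in Figure 12, walk its options (the
code/length/value layout of Figure 13), split the relay agent option
(Option 82) into Circuit ID and Remote ID sub-options, read Option 50
(Requested IP Address), and evaluate DHCP user class rules written as
`if-match option <code> [hex <hex> [offset <o> length <l> | mask <m>]]`.
Added example, not HP code. The sample message is constructed by hand; the
offset/length and mask comparison semantics are an assumption drawn from
the command syntax."""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_REQUESTED_IP = 50          # Option 50
OPT_RELAY_AGENT = 82           # Option 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class DhcpMessage:
    op: int            # 1 = REQUEST, 2 = REPLY
    htype: int         # hardware address type
    hlen: int          # hardware address length
    hops: int          # relay agents the request has traversed
    xid: int
    broadcast: bool    # high bit of the flags field (drives how the OFFER is sent)
    giaddr: str        # address of the first relay agent, 0.0.0.0 if none
    chaddr: bytes      # client hardware address, hlen bytes
    options: dict = field(default_factory=dict)   # code -> raw value (last wins)


def walk_tlv(data: bytes, dhcp_level: bool) -> dict:
    """Walk code/length/value items. At DHCP level, 0 is a one-byte pad and
    255 ends the list; inside Option 82 every code carries a length."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if dhcp_level and code == OPT_END:
            break
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        out[code] = value
        i += 2 + length
    return out


def parse_dhcp(pkt: bytes) -> DhcpMessage:
    """Fixed header is 236 bytes, then the magic cookie, then options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or bad magic cookie)")
    op, htype, hlen, hops, xid, _secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    return DhcpMessage(op, htype, hlen, hops, xid, bool(flags & 0x8000),
                       ip_str(pkt[24:28]), pkt[28:28 + hlen], walk_tlv(pkt[240:], True))


def relay_agent_suboptions(msg: DhcpMessage) -> dict:
    """Option 82 sub-options: 1 = Circuit ID, 2 = Remote ID (raw bytes)."""
    raw = msg.options.get(OPT_RELAY_AGENT)
    return walk_tlv(raw, False) if raw is not None else {}


def requested_ip(msg: DhcpMessage):
    v = msg.options.get(OPT_REQUESTED_IP)
    return ip_str(v) if v is not None and len(v) == 4 else None


def if_match_option(msg: DhcpMessage, code: int, hex_string: str = None,
                    offset: int = None, length: int = None, mask: str = None) -> bool:
    """One `if-match option` rule: presence only, whole-value hex match,
    hex match of `length` bytes at `offset`, or masked-prefix hex match."""
    value = msg.options.get(code)
    if value is None:
        return False
    if hex_string is None:
        return True
    want = bytes.fromhex(hex_string)
    if offset is not None and length is not None:
        value = value[offset:offset + length]
    elif mask is not None:
        m = bytes.fromhex(mask)
        value = bytes(a & b for a, b in zip(value[:len(m)], m))
    return value == want


def build_sample() -> bytes:
    """Constructed DHCP-DISCOVER relayed once, carrying Options 50, 60 and 82."""
    chaddr = bytes.fromhex("000fe20001c0").ljust(16, b"\x00")   # constructed client MAC
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 1, 0x3903F326, 0,
                      0x8000, bytes(4), bytes(4), bytes(4), bytes([10, 1, 1, 2]),
                      chaddr, bytes(64), bytes(128))
    sub = bytes([SUBOPT_CIRCUIT_ID, 4]) + bytes.fromhex("000a0001")      # constructed
    sub += bytes([SUBOPT_REMOTE_ID, 6]) + bytes.fromhex("000fe2000100")   # constructed
    opts = bytes([53, 1, 1])                                 # message type DISCOVER
    opts += bytes([OPT_REQUESTED_IP, 4, 10, 1, 1, 50])
    opts += bytes([60, 4]) + b"MSFT"                         # vendor class identifier
    opts += bytes([OPT_RELAY_AGENT, len(sub)]) + sub + bytes([OPT_END])
    return hdr + MAGIC_COOKIE + opts
```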
request, the DHCP server selects an address from the primary subnet. If no assignable address is found, the server selects an address from the secondary subnets in the order they are configured. In scenarios where the DHCP server and the DHCP clients reside on different subnets and the DHCP clients obtain IP addresses through a DHCP relay agent, the DHCP server needs to use the same address pool to assign IP addresses to clients in different subnets.
Step 9. (Optional.) Exclude the specified IP addresses from dynamic allocation globally.
  Command: dhcp server forbidden-ip start-ip-address [ end-ip-address ]
  Remarks: Except for the IP address of the DHCP server interface, IP addresses in all address pools are assignable by default. To exclude multiple address ranges globally, repeat this step.

Configuring a static binding in a DHCP address pool

Some DHCP clients, such as a WWW server, need fixed IP addresses.
If you specify gateways in both address pool view and secondary subnet view, DHCP assigns the gateway addresses in the secondary subnet view to the clients on the secondary subnet. If you specify gateways in address pool view but not in secondary subnet view, DHCP assigns the gateway addresses in address pool view to the clients on the secondary subnet.

To configure gateways in the DHCP address pool:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter DHCP address pool view.
Specifying WINS servers and NetBIOS node type for the client

A Microsoft DHCP client using NetBIOS protocol must contact a WINS server for name resolution. You can specify up to eight WINS servers for such clients in a DHCP address pool. In addition, you must specify a NetBIOS node type for the clients to approach name resolution. There are four NetBIOS node types:
• b (broadcast)-node—A b-node client sends the destination name in a broadcast message.
Specifying the TFTP server and boot file name for the client

To implement client auto-configuration, you must specify the IP address or name of a TFTP server and the boot file name for the clients, and there is no need to perform any configuration on the DHCP clients. A DHCP client obtains these parameters from the DHCP server, and uses them to contact the TFTP server to get the configuration file used for system initialization.

Auto-configuration operates as follows:
1.
Configuring Option 184 parameters for the client

To assign calling parameters to DHCP clients with voice service, you must configure Option 184 on the DHCP server. For more information about Option 184, see "Option 184."

To configure Option 184 parameters in a DHCP address pool:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter DHCP address pool view.
  Command: dhcp server ip-pool pool-name
  Remarks: N/A
By default, no primary network calling processor is specified.
Step 2. Enter DHCP address pool view.
  Command: dhcp server ip-pool pool-name
  Remarks: N/A
Step 3. Configure a self-defined DHCP option.
  Command: option code { ascii ascii-string | hex hex-string | ip-address ip-address&<1-8> }
  Remarks: By default, no self-defined DHCP option is configured.
Step 3. Enable the DHCP server on the interface.
  Command: dhcp select server
  Remarks: By default, the DHCP server on the interface is enabled.

Applying an address pool on an interface

Perform this task to apply a DHCP address pool on an interface. Upon receiving a DHCP request from the interface, the DHCP server assigns the statically bound IP address and configuration parameters from the address pool where the static binding is.
Enabling handling of Option 82

Perform this task to enable the DHCP server to handle Option 82. Upon receiving a DHCP request that contains Option 82, the DHCP server adds Option 82 into the DHCP response. If you disable the DHCP server from handling Option 82, it does not add Option 82 into the response message.

You must enable handling of Option 82 on both the DHCP server and the DHCP relay agent to ensure correct processing for Option 82.
To configure the DHCP server to ignore BOOTP requests:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the DHCP server to ignore BOOTP requests.
  Command: dhcp server bootp ignore
  Remarks: By default, the DHCP server processes BOOTP requests.

Configuring the DHCP server to send BOOTP responses in RFC 1048 format

Not all BOOTP clients can send requests compatible with RFC 1048.
Displaying and maintaining the DHCP server

IMPORTANT: A restart of the DHCP server or execution of the reset dhcp server ip-in-use command deletes all lease information. The DHCP server denies any DHCP request for lease extension, and the client must request an IP address again.

Execute display commands in any view and reset commands in user view.

Task: Display information about IP address conflicts.
0030-3030-662e-6532-3030-2e30-3030-322d-4574-6865-726e-6574-302f-30. The MAC address of the interface Ethernet 1/1 on Router C is 000f-e200-01c0.

Figure 16 Network diagram

Configuration procedure

1. Specify an IP address for Ethernet 1/1 on Router A:
system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 25
[RouterA-Ethernet1/1] quit
2. Configure the DHCP server:
# Enable DHCP.
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
Dynamic IP address assignment configuration example

Network requirements

• As shown in Figure 17, the DHCP server (Router A) assigns IP addresses to clients on subnet 10.1.1.0/24, which is subnetted into 10.1.1.0/25 and 10.1.1.128/25.
• The IP addresses of Ethernet 1/1 and Ethernet 1/2 on Router A are 10.1.1.1/25 and 10.1.1.129/25.
• In subnet 10.1.1.0/25, the address lease duration is ten days and twelve hours, the domain name suffix is aabbcc.com, the DNS server address is 10.1.1.
# Configure DHCP address pool 1 to assign IP addresses and other configuration parameters to clients in subnet 10.1.1.0/25.
[RouterA] dhcp server ip-pool 1
[RouterA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.128
[RouterA-dhcp-pool-1] expired day 10 hour 12
[RouterA-dhcp-pool-1] domain-name aabbcc.com
[RouterA-dhcp-pool-1] dns-list 10.1.1.2
[RouterA-dhcp-pool-1] gateway-list 10.1.1.126
[RouterA-dhcp-pool-1] nbns-list 10.1.1.
Configuration procedure

1. Specify IP addresses for the interfaces on the DHCP server. (Details not shown.)
2. Configure DHCP:
# Enable DHCP and configure the DHCP server to handle Option 82.
system-view
[RouterB] dhcp enable
[RouterB] dhcp server relay information enable
# Enable the DHCP server on the interface Ethernet 1/1.
Figure 19 Network diagram

Configuration procedure

1. Specify an IP address for interface Ethernet 1/1. (Details not shown.)
2. Configure the DHCP server:
# Enable DHCP.
system-view
[RouterA] dhcp enable
# Enable the DHCP server on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select server
[RouterA-Ethernet1/1] quit
# Configure DHCP address pool 0.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.
3. Enable the network adapter or connect the network cable, release the IP address, and obtain another one on the client. For example, to release the IP address and obtain another one on a Windows XP DHCP client:
  a. In the Windows environment, execute the cmd command to enter the DOS environment.
  b. Enter ipconfig /release to relinquish the IP address.
  c. Enter ipconfig /renew to obtain another IP address.
Configuring the DHCP relay agent

Overview

The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server for each subnet to centralize management and reduce investment. Figure 20 shows a typical application of the DHCP relay agent.
Figure 21 DHCP relay agent operation

DHCP relay agent support for Option 82

Option 82 records the location information about the DHCP client. It enables the administrator to locate the DHCP client for security and accounting purposes, and to assign IP addresses in a specific range to clients. For more information, see "Relay agent option (Option 82)."

If the DHCP relay agent supports Option 82, it handles DHCP requests by following the strategies described in Table 3.
Tasks at a glance

(Optional.) Configuring the DHCP relay agent to release an IP address
(Optional.) Configuring Option 82
(Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent

Enabling DHCP

You must enable DHCP to validate other DHCP relay agent settings.

To enable DHCP:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable DHCP.
  Command: dhcp enable
  Remarks: By default, DHCP is disabled.
To specify a DHCP server address on a relay agent:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Specify a DHCP server address on the relay agent.
  Command: dhcp relay server-address ip-address
  Remarks: By default, no DHCP server address is specified on the relay agent.
To enable periodic refresh of dynamic relay entries:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable periodic refresh of dynamic relay entries.
  Command: dhcp relay client-information refresh enable
  Remarks: By default, periodic refresh of dynamic relay entries is enabled.
Step 3. Configure the refresh interval.
  Command: dhcp relay client-information refresh [ auto | interval interval ]
  Remarks: By default, the refresh interval is auto, which is calculated based on the number of total relay entries.
Configuring the DHCP relay agent to release an IP address

Configure the relay agent to release the IP address for a relay entry. The relay agent sends a DHCP-RELEASE message to the server and meanwhile deletes the relay entry. Upon receiving the DHCP-RELEASE message, the DHCP server releases the IP address.

To configure the DHCP relay agent to release an IP address:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the DHCP relay agent to release an IP address.
Setting the DSCP value for DHCP packets sent by the DHCP relay agent

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.

To set the DSCP value for DHCP packets sent by the DHCP relay agent:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Set the DSCP value for DHCP packets sent by the DHCP relay agent.
  Command: dhcp dscp dscp-value
  Remarks: By default, the DSCP value in DHCP packets sent by the DHCP relay agent is 56.
Because the DHCP relay agent and server are on different subnets, you need to configure static or dynamic routing to make them reachable to each other. DHCP server configuration is also required to guarantee the client-server communication through the DHCP relay agent. For DHCP server configuration information, see "DHCP server configuration examples."

Figure 22 Network diagram (diagram labels: DHCP client, DHCP client, Eth1/1 10.10.1.1/24, Eth1/2 10.1.1.2/24, Eth1/1 10.1.1.)
Configuration procedure

# Specify IP addresses for the interfaces. (Details not shown.)
# Enable DHCP.
system-view
[RouterA] dhcp enable
# Enable the DHCP relay agent on Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] dhcp select relay
# Specify the IP address of the DHCP server on the relay agent.
[RouterA-Ethernet1/1] dhcp relay server-address 10.1.1.1
# Enable the DHCP relay agent to handle Option 82, and perform Option 82 related configurations.
Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces) and VLAN interfaces. When multiple VLAN interfaces with the same MAC address use DHCP for IP address acquisition through a relay agent, the DHCP server cannot be a Windows Server 2000 or Windows Server 2003.
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure a DHCP client ID for the interface.
   Command: dhcp client identifier { ascii string | hex string | mac interface-type interface-number }
   Remarks: By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID. A DHCP client ID includes an ID type and a type value.
2. Set the DSCP value for DHCP packets sent by the DHCP client.
   Command: dhcp dscp dscp-value
   Remarks: By default, the DSCP value in DHCP packets sent by the DHCP client is 56.
Displaying and maintaining the DHCP client
Execute display commands in any view.
Task: Display DHCP client information.
Configuration procedure
1. Configure Router A:
# Specify the IP address of Ethernet 1/1.
system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ip address 10.1.1.1 24
[RouterA-Ethernet1/1] quit
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0 and specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
T1 will timeout in 3 days 19 hours 48 minutes 43 seconds.
# Use the display ip routing-table command to display the route information on Router B. The output shows that a static route to network 20.1.1.0/24 is added to the routing table.
[RouterB] display ip routing-table
Destinations : 11        Routes : 11
Destination/Mask    Proto  Pre  Cost  NextHop     Interface
10.1.1.0/24         Direct 0    0     10.1.1.3    Eth1/1
10.1.1.3/32         Direct 0    0     127.0.0.1   InLoop0
20.1.1.0/24         Static 70   0     10.1.1.2    Eth1/1
10.1.1.
Configuring DHCP snooping DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes. DHCP snooping does not work between the DHCP server and DHCP relay agent.
Figure 25 Trusted and untrusted ports
In a cascaded network as shown in Figure 26, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.
Table 4 Handling strategies
If a DHCP request has Option 82, DHCP snooping handles it according to the configured strategy:
• Drop: Drops the message.
• Keep: Forwards the message without changing Option 82.
• Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
If a DHCP request has no Option 82 (handling strategy N/A): DHCP snooping forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type.
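As an added example (not Comware code), the following Python models the snooping decisions described above: server replies arriving on untrusted ports are dropped, client requests on Option 82-enabled ports are handled per Table 4, and an ACK relayed back through a trusted port creates a snooping entry for a client whose port has binding recording enabled. The Option 82 byte layout follows RFC 3046; the port names, client MACs and assigned address are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# DHCP message types (DHCP option 53 values, RFC 2132)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
SERVER_MESSAGES = {OFFER, ACK}


@dataclass
class DhcpPacket:
    msg_type: int
    chaddr: str                       # client hardware address
    yiaddr: str = "0.0.0.0"           # address assigned by the server (OFFER/ACK)
    option82: Optional[bytes] = None  # relay agent information option, if carried


@dataclass
class SnoopingPort:
    trusted: bool = False           # dhcp snooping trust
    record_bindings: bool = False   # dhcp snooping binding record (client-facing ports)
    option82: bool = False          # dhcp snooping information enable
    strategy: str = "replace"       # dhcp snooping information strategy { drop | keep | replace }
    circuit_id: bytes = b""         # padded circuit ID sub-option content
    remote_id: bytes = b""          # padded remote ID sub-option content


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build a relay agent information option (code 82) carrying the two
    RFC 3046 sub-options: 1 = circuit ID, 2 = remote ID."""
    body = bytes([1, len(circuit_id)]) + circuit_id
    body += bytes([2, len(remote_id)]) + remote_id
    return bytes([82, len(body)]) + body


class SnoopingDevice:
    def __init__(self, ports: Dict[str, SnoopingPort]):
        self.ports = ports
        self.pending: Dict[str, str] = {}                # chaddr -> client port awaiting a reply
        self.bindings: Dict[str, Tuple[str, str]] = {}   # chaddr -> (IP, port): snooping entries

    def handle(self, pkt: DhcpPacket, in_port: str) -> Tuple[str, Optional[DhcpPacket]]:
        """Return ("forward", packet) or ("drop", None) for a packet received on in_port."""
        port = self.ports[in_port]
        if pkt.msg_type in SERVER_MESSAGES:
            return self._server_message(pkt, port)
        return self._client_message(pkt, port, in_port)

    def _server_message(self, pkt, port):
        # A reply arriving on an untrusted port comes from an unauthorized server.
        if not port.trusted:
            return "drop", None
        if pkt.msg_type == ACK:
            client_port = self.pending.pop(pkt.chaddr, None)
            if client_port and self.ports[client_port].record_bindings:
                self.bindings[pkt.chaddr] = (pkt.yiaddr, client_port)
        return "forward", pkt

    def _client_message(self, pkt, port, in_port):
        if port.option82:
            padded = encode_option82(port.circuit_id, port.remote_id)
            if pkt.option82 is None:
                pkt.option82 = padded            # Table 4: no Option 82, add one
            elif port.strategy == "drop":
                return "drop", None              # Table 4: Drop
            elif port.strategy == "replace":
                pkt.option82 = padded            # Table 4: Replace
            # Table 4: Keep, forward unchanged
        self.pending[pkt.chaddr] = in_port
        return "forward", pkt


def build_demo_device() -> SnoopingDevice:
    """Constructed topology: Eth1/1 faces the authorized server (trusted),
    Eth1/2 and Eth1/3 face clients (untrusted)."""
    return SnoopingDevice({
        "Eth1/1": SnoopingPort(trusted=True),
        "Eth1/2": SnoopingPort(record_bindings=True, option82=True, strategy="replace",
                               circuit_id=b"Eth1/2", remote_id=b"device001"),
        "Eth1/3": SnoopingPort(option82=True, strategy="drop"),
    })


if __name__ == "__main__":
    dev = build_demo_device()
    mac = "00-01-02-03-04-05"  # constructed client MAC
    print(dev.handle(DhcpPacket(OFFER, mac), "Eth1/2"))     # offer on untrusted port: dropped
    print(dev.handle(DhcpPacket(DISCOVER, mac), "Eth1/2"))  # forwarded with Option 82 added
    dev.handle(DhcpPacket(ACK, mac, "10.1.1.5"), "Eth1/1")  # ACK from the trusted side
    print(dev.bindings)                                     # snooping entry for the client
```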
4. Specify the port as a trusted port.
   Command: dhcp snooping trust
   Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.
5. Return to system view.
   Command: quit
   Remarks: N/A
6. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: This interface must connect to the DHCP client.
7. (Optional.) Enable recording of DHCP snooping entries.
   Command: dhcp snooping binding record
   Remarks: By default, after DHCP snooping is enabled, recording of DHCP snooping entries is disabled.
6. (Optional.) Configure the padding content and code type for the remote ID sub-option.
   Command: dhcp snooping information remote-id { normal [ format { ascii | hex } ] | [ vlan vlan-id ] string remote-id | sysname }
   Remarks: By default, the padding format is normal and the code type is hex for the remote ID sub-option.
Saving DHCP snooping entries
DHCP snooping entries cannot survive a reboot.
Enabling DHCP starvation attack protection
A DHCP starvation attack occurs when an attacker constantly sends forged DHCP requests that contain identical or different sender MAC addresses in the chaddr field to a DHCP server. This attack exhausts the IP address resources of the DHCP server so legitimate DHCP clients cannot obtain IP addresses. The DHCP server might also fail to work because of exhaustion of system resources. For information about the fields of a DHCP packet, see "DHCP message format."
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable DHCP-REQUEST check.
   Command: dhcp snooping check request-message
   Remarks: By default, DHCP-REQUEST check is disabled. You can enable DHCP-REQUEST check only on Layer 2 Ethernet interfaces.
Configuring DHCP packet rate limit
Perform this task to configure the maximum rate at which an interface can receive DHCP packets.
Task: Display information about the file that stores DHCP snooping entries.
  Command: display dhcp snooping binding database
  Remarks: Available in any view.
Task: Clear DHCP snooping entries.
  Command: reset dhcp snooping binding { all | ip ip-address [ vlan vlan-id ] }
  Remarks: Available in user view.
Task: Clear DHCP packet statistics on the DHCP snooping device (MSR2000/MSR3000).
  Command: reset dhcp snooping packet statistics
  Remarks: Available in user view.
Task: Clear DHCP packet statistics on the DHCP snooping device (MSR4000).
[Router-Ethernet1/2] dhcp snooping binding record
[Router-Ethernet1/2] quit
Verifying the configuration
After the preceding configuration is complete, the DHCP client can obtain an IP address and other configuration parameters only from the authorized DHCP server. You can view the DHCP snooping entry recorded for the client with the display dhcp snooping binding command.
[Router] interface ethernet 1/3
[Router-Ethernet1/3] dhcp snooping information enable
[Router-Ethernet1/3] dhcp snooping information strategy replace
[Router-Ethernet1/3] dhcp snooping information circuit-id verbose node-identifier sysname format ascii
[Router-Ethernet1/3] dhcp snooping information remote-id string device001
Verifying the configuration
Use the display dhcp snooping information command to display Option 82 configuration information on Ethernet 1/2 and Ethernet 1/3 on the DHCP snooping devic
Configuring the BOOTP client
BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces) and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
BOOTP application
An interface that acts as a BOOTP client can use BOOTP to obtain information (such as an IP address) from the BOOTP server.
Configuring an interface to use BOOTP for IP address acquisition
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Configure an interface to use BOOTP for IP address acquisition.
   Command: ip address bootp-alloc
   Remarks: By default, an interface does not use BOOTP for IP address acquisition.
Displaying and maintaining BOOTP client
Execute display commands in any view.
Task: Display BOOTP client information.
Configuring DNS Overview Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. The domain name-to-IP address mapping is called a DNS entry. DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address.
Figure 29 shows the relationship between the user program, DNS client, and DNS server. The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices. Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache.
Figure 30 DNS proxy application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.
Figure 31 DNS spoofing application
DNS spoofing enables the DNS proxy to send a spoofed reply with a configured IP address even if it cannot reach the DNS server. Without DNS spoofing, the proxy does not answer or forward a DNS request if it cannot find a matching DNS entry and it cannot reach the DNS server. In the network shown in Figure 31, a host accesses the HTTP server by following these steps:
1.
Tasks at a glance
(Optional.) Configuring the DNS trusted interface
(Optional.) Specifying the DSCP value for outgoing DNS packets
Configuring the IPv4 DNS client
Configuring static domain name resolution
Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses. Follow these guidelines when you configure static domain name resolution:
• On the public network or a VPN, each host name maps to only one IPv4 address.
• You can specify DNS server IPv6 addresses for the public network and up to 1024 VPNs, and specify a maximum of six DNS server IPv6 addresses for the public network or each VPN.
• An IPv4 name query is first sent to the DNS server IPv4 addresses. If no reply is received, it is sent to the DNS server IPv6 addresses.
• You can specify domain name suffixes for the public network and up to 1024 VPNs, and specify a maximum of 16 domain name suffixes for the public network or each VPN.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers. A manually configured DNS server takes precedence over one dynamically obtained through DHCP, and a DNS server configured earlier takes precedence over one configured later. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.
A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers, and if no reply is received, it forwards the request to IPv6 DNS servers. The DNS proxy forwards an IPv6 name query first to IPv6 DNS servers, and if no reply is received, it forwards the request to IPv4 DNS servers.
To configure the DNS proxy:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DNS proxy.
   Command: dns proxy enable
   Remarks: By default, DNS proxy is disabled.
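As an added example (not Comware code), this Python models the resolution order described for the DNS proxy and dynamic resolution: static table first, then the dynamic cache, then the configured servers in precedence order (same address family first, manual before DHCP-learned, earlier configured first), with DNS spoofing used only when no server replies. The upstream answers, the constructed server 2.1.1.9, the name host2.com, the spoof address 10.1.1.1 and the suffix-trying order are assumptions for this example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Upstream resolver signature: (server address, name, family) -> IP string,
# None for a negative answer, or the string "timeout" when the server does not reply.
Upstream = Callable[[str, str, str], Optional[str]]


class DnsProxy:
    def __init__(self, upstream: Upstream, spoof_ip: Optional[str] = None):
        self.upstream = upstream
        self.spoof_ip = spoof_ip                # DNS spoofing address (None = disabled)
        self.static: Dict[str, str] = {}        # ip host entries (static resolution table)
        self.cache: Dict[str, str] = {}         # dynamic domain name cache
        self.suffixes: List[str] = []           # dns domain suffixes
        self.servers: List[Tuple[str, str, str]] = []  # (address, family, "manual" | "dhcp")

    def add_server(self, address: str, family: str, source: str = "manual") -> None:
        self.servers.append((address, family, source))

    def server_order(self, family: str) -> List[str]:
        """Same-family servers first, manual before DHCP-learned, and within each
        class the order in which the servers were configured (stable sort)."""
        ranked = sorted(self.servers, key=lambda s: (s[1] != family, s[2] != "manual"))
        return [s[0] for s in ranked]

    def candidates(self, name: str) -> List[str]:
        # Assumption for this example: the name is tried as given, then with each suffix.
        return [name] + [f"{name}.{suffix}" for suffix in self.suffixes]

    def resolve(self, name: str, family: str = "ipv4") -> Tuple[str, Optional[str], str]:
        """Return (name actually resolved, IP or None, where the answer came from)."""
        for fqdn in self.candidates(name):
            if fqdn in self.static:
                return fqdn, self.static[fqdn], "static"
            if fqdn in self.cache:
                return fqdn, self.cache[fqdn], "cache"
        any_reply = False
        for fqdn in self.candidates(name):
            for server in self.server_order(family):
                answer = self.upstream(server, fqdn, family)
                if answer == "timeout":
                    continue                    # no reply: try the next server
                any_reply = True
                if answer is not None:
                    self.cache[fqdn] = answer   # dynamic entry stored in the cache
                    return fqdn, answer, f"server {server}"
        if not any_reply and self.spoof_ip:
            return name, self.spoof_ip, "spoofed"   # DNS spoofing: no server reachable
        return name, None, "unresolved"


# Constructed upstream: 2.1.1.2 answers from a small zone; the IPv6 server never replies.
ZONES: Dict[str, Optional[Dict[str, str]]] = {
    "2.1.1.2": {"host.com": "3.1.1.1", "host2.com": "3.1.1.2"},
    "2::2": None,
}


def simulated_upstream(server: str, name: str, family: str) -> Optional[str]:
    zone = ZONES.get(server)
    if zone is None:
        return "timeout"
    return zone.get(name)


def build_proxy(spoof_ip: Optional[str] = None) -> DnsProxy:
    proxy = DnsProxy(simulated_upstream, spoof_ip)
    proxy.static["host.com"] = "10.1.1.2"        # ip host host.com 10.1.1.2
    proxy.suffixes.append("com")                 # dns domain com
    proxy.add_server("2::2", "ipv6")             # ipv6 dns server 2::2
    proxy.add_server("2.1.1.2", "ipv4")          # dns server 2.1.1.2
    proxy.add_server("2.1.1.9", "ipv4", "dhcp")  # constructed server learned through DHCP
    return proxy


if __name__ == "__main__":
    proxy = build_proxy()
    print(proxy.server_order("ipv4"))   # IPv4 servers first, manual before DHCP
    print(proxy.resolve("host"))        # static entry wins: host.com -> 10.1.1.2
    print(proxy.resolve("host2"))       # answered by 2.1.1.2 and cached
    print(proxy.resolve("host2"))       # second lookup served from the cache
```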
DNS servers. In some scenarios, the DNS server only responds to DNS requests sourced from a specific IP address. In such cases, you must specify the source interface for DNS packets so that the device always uses the primary IP address of the specified source interface as the source IP address of DNS packets. When sending an IPv4 DNS request, the device uses the primary IPv4 address of the source interface as the source IP address of the DNS request.
Specifying the DSCP value for outgoing DNS packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
To specify the DSCP value for outgoing DNS packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the DSCP value for outgoing DNS packets.
   • DSCP value for IPv4 DNS packets: By default, the DSCP value for outgoing DNS packets is 0.
Figure 32 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
Ping host.com (10.1.1.2): 56 data bytes, press escape sequence to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.1.
Configuration procedure
Before performing the following configuration, make sure the device and the host can reach each other, and that the IP addresses of the interfaces are configured as shown in Figure 33.
1. Configure the DNS server:
The configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.
a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure 34.
b.
Figure 35 Adding a host
d. On the page that appears, enter host name host and IP address 3.1.1.1.
e. Click Add Host. The mapping between the IP address and host name is created.
Figure 36 Adding a mapping between domain name and IP address
2.
# Specify the DNS server 2.1.1.2.
system-view
[Sysname] dns server 2.1.1.2
# Specify com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.
[Sysname] ping host
Ping host.com (3.1.1.1): 56 data bytes, press escape sequence to break
56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.
Figure 37 Network diagram
Configuration procedure
Before performing the following configuration, make sure Device A, the DNS server, and the host can reach each other and the IPv6 addresses of the interfaces are configured as shown in Figure 37.
1. Configure the DNS server:
The configuration might vary with DNS servers. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.
2.
round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms
IPv6 DNS configuration examples
Static domain name resolution configuration example
Network requirements
As shown in Figure 38, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.com to access the host whose IPv6 address is 1::2.
Figure 39 Network diagram
Configuration procedure
Before performing the following configuration, make sure the device and the host can reach each other, and the IPv6 addresses of the interfaces are configured as shown in Figure 39.
1. Configure the DNS server:
The configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2003.
Figure 41 Creating a record
d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
Figure 42 Selecting the resource record type
e. Type host name host and IPv6 address 1::1.
f. Click OK. The mapping between the IPv6 address and host name is created.
Figure 43 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Specify the DNS server 2::2.
system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 1::1.
DNS proxy configuration example
Network requirements
When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function. As shown in Figure 44:
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4000::1.
• Configure the IP address of the DNS proxy on Device B.
Verifying the configuration
# Use the ping ipv6 host.com command on Device B to verify that the connection between the device and the host is normal and that the translated destination IP address is 3000::1.
[DeviceB] ping ipv6 host.com
Ping6(56 data bytes) 2000::1 --> 3000::1, press escape sequence to break
56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms
56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms
56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.
Configuring DDNS
Overview
DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses on DNS servers, so that you are directed to the latest IP address mapped to a domain name. DDNS is supported by only IPv4 DNS, and is used to update the mappings between domain names and IPv4 addresses.
NOTE:
The DDNS update process does not have a unified standard but depends on the DDNS server that the DDNS client contacts.
DDNS client configuration task list
Tasks at a glance
(Required.) Configuring a DDNS policy
(Required.) Applying the DDNS policy to an interface
(Optional.) Specifying the DSCP value for outgoing DDNS packets
Configuring a DDNS policy
A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, and update time interval.
HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols. The URL address for an update request can start with:
• http://—The HTTP-based DDNS server.
• https://—The HTTPS-based DDNS server.
• ods://—The TCP-based ODS server.
• gnudip://—The TCP-based GNUDIP server.
• oray://—The TCP-based DDNS server.
members.3322.org and phservice2.oray.net are the domain names of DDNS servers.
4. Specify a username to be included in the URL address.
   Command: username username
   Remarks: By default, no username is specified.
5. Specify a password to be included in the URL address.
   Command: password { cipher | simple } password
   Remarks: By default, no password is specified.
6. (Optional.) Specify the interval for sending update requests.
   Command: interval days [ hours [ minutes ] ]
   Remarks: By default, the time interval is one hour.
To specify the DSCP value for outgoing DDNS packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify the DSCP value for outgoing DDNS packets.
   Command: ddns dscp dscp-value
   Remarks: By default, the DSCP value for outgoing DDNS packets is 0.
Displaying DDNS
Execute display commands in any view.
Task: Display information about the DDNS policy.
  Command: display ddns policy [ policy-name ]
DDNS configuration examples
DDNS configuration example with www.3322.
Configuration procedure
Before configuring DDNS on Router, register with username steven and password nevets at http://www.3322.org/, add Router's host name-to-IP address mapping to the DNS server, and make sure the devices can reach each other.
# Create a DDNS policy named 3322.org, and enter its view.
system-view
[Router] ddns policy 3322.org
# Specify for DDNS update requests the URL address with the login ID steven and plaintext password nevets.
[Router-ddns-policy-3322.
Figure 47 Network diagram (figure labels: www.oray.cn DDNS server, Eth1/1, IP network, Router DDNS client, 1.1.1.1, DNS server)
Configuration procedure
Before configuring DDNS on Router, register with username steven and password nevets at http://www.oray.cn/, add Router's host name-to-IP address mapping to the DNS server, and make sure the devices can reach each other.
# Create a DDNS policy named oray.cn and enter its view.
system-view
[Router] ddns policy oray.
Configuring NAT
Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private users to access an external network and to enable external users to access private network resources such as a Web server. Figure 48 shows how NAT works.
Figure 48 NAT operation
Host translation table shown in the figure:
Direction   Before NAT    After NAT
Outbound    192.168.1.3   20.1.1.1
Inbound     20.1.1.1      192.168.1.3
Packet labels in the figure: Src : 192.168.1.3, Dst : 1.1.1.2; Src : 20.1.1.
NAT address
An IP address for translation, which can be manually specified or dynamically allocated. The address in the external network must be routable from the NAT address.
NAT entry
An entry recording the translation between a private and a public address on a NAT device. For more information, see "NAT entries."
NAT types
Traditional NAT
Traditional NAT enables hosts in a private network to access hosts in the external network. Traditional NAT allows outbound sessions from the private network.
layer protocol, and VPN instance in an ACL rule for packet matching. Only packets matching an ACL permit rule are processed by NAT.
NAT features
Static NAT
Static NAT uses a fixed translation of a real address to a NAT address. Because the NAT address is the same for each consecutive connection, static NAT allows bidirectional access to and from the host. With dynamic NAT, each host uses a different address or port for each subsequent translation, so bidirectional initiation is not supported.
Figure 49 PAT operation
See Figure 49 for an example. Packets 1 and 2, which have different source ports, are from Host A, and Packet 3, which has the same source port as Packet 1, is from Host B. PAT maps the source IP addresses of the three packets to the same NAT address and uses different port numbers to make each unique. When the NAT device receives a response packet, it translates the destination address and port number of the packet, and forwards it to the target host.
Figure 50 NAT Server operation
Server translation table shown in the figure:
Direction   Before NAT       After NAT
Inbound     20.1.1.1:8080    192.168.1.3:8080
Figure labels: 192.168.1.1 Intranet, 192.168.1.3, NAT, Host, 20.1.1.1 Internet, 20.1.1.2, Dst : 20.1.1.1:8080, Dst : 192.168.1.3:8080, Src : 192.168.1.3:8080, Src : 20.1.1.1:8080.
1. The host in the public network sends a packet destined for the public IP address and port number of the server in the private network.
2.
NAT entries NAT session entry NAT translates the IP address of the first packet in a session and creates a NAT session entry for recording the mappings. The NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry. The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.
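As an added example (not Comware code), this Python models on one device the three NAT features described above: static NAT keeps a fixed address and accepts inbound initiation, dynamic PAT maps ACL-permitted hosts to one shared NAT address with a unique port per session (the three packets of Figure 49), and NAT Server maps a public address and port to an internal server; each translation creates a session entry that subsequent packets reuse. Session entries are keyed by the full 5-tuple, a simplified form of the address-and-port-dependent mapping mode the device reports; the starting PAT port 1024, the second host 192.168.1.11 and the external host's ports are constructed, while the addresses come from the page's examples.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatDevice:
    """Outbound static NAT, outbound dynamic PAT (ACL + address group) and NAT Server,
    with session entries keyed by the full 5-tuple in both directions."""

    def __init__(self, address_group: List[str], acl_permit: List[str]):
        self.address_group = address_group                 # NAT addresses for outbound PAT
        self.acl_permit = [ip_network(n) for n in acl_permit]
        self.static: Dict[str, str] = {}                   # local-ip -> global-ip
        self.servers: Dict[Tuple[str, str, int], Tuple[str, int]] = {}  # (proto, global, port) -> (inside, port)
        self.sessions: Dict[tuple, Tuple[str, int]] = {}   # outbound 5-tuple -> (NAT ip, NAT port)
        self.reverse: Dict[tuple, Tuple[str, int]] = {}    # inbound 5-tuple -> (private ip, port)
        self.next_port = 1024                              # constructed first port handed out by PAT

    def add_static(self, local_ip: str, global_ip: str) -> None:
        self.static[local_ip] = global_ip                  # nat static outbound local-ip global-ip

    def add_server(self, proto: str, global_ip: str, global_port: int,
                   inside_ip: str, inside_port: int) -> None:
        self.servers[(proto, global_ip, global_port)] = (inside_ip, inside_port)

    def _bind(self, proto, priv, pport, peer, peerport, nat_ip, nat_port) -> None:
        """Create the NAT session entry for both directions of the flow."""
        self.sessions[(proto, priv, pport, peer, peerport)] = (nat_ip, nat_port)
        self.reverse[(proto, nat_ip, nat_port, peer, peerport)] = (priv, pport)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions:                           # subsequent packet: reuse the entry
            nat_ip, nat_port = self.sessions[key]
        elif pkt.src in self.static:                       # static NAT: fixed address, port kept
            nat_ip, nat_port = self.static[pkt.src], pkt.sport
            self._bind(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, nat_ip, nat_port)
        elif any(ip_address(pkt.src) in net for net in self.acl_permit):
            nat_ip, nat_port = self.address_group[0], self.next_port  # PAT: shared address, unique port
            self.next_port += 1
            self._bind(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, nat_ip, nat_port)
        else:
            return pkt                                     # no ACL match: not processed by NAT
        return replace(pkt, src=nat_ip, sport=nat_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        static_by_global = {g: l for l, g in self.static.items()}
        if key in self.reverse:                            # reply to an existing session
            priv, pport = self.reverse[key]
        elif pkt.dst in static_by_global:                  # static NAT accepts inbound initiation
            priv, pport = static_by_global[pkt.dst], pkt.dport
            self._bind(pkt.proto, priv, pport, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        elif (pkt.proto, pkt.dst, pkt.dport) in self.servers:  # NAT Server mapping
            priv, pport = self.servers[(pkt.proto, pkt.dst, pkt.dport)]
            self._bind(pkt.proto, priv, pport, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            return None                # no entry: dynamic NAT addresses accept no unsolicited sessions
        return replace(pkt, dst=priv, dport=pport)


def build_demo_router() -> NatDevice:
    """Addresses taken from the page's examples: PAT address 202.38.1.2 for 192.168.1.0/24,
    static mapping 10.110.10.8 <-> 202.38.1.100, NAT Server 202.38.1.1:80 -> 10.110.10.1:80."""
    router = NatDevice(["202.38.1.2"], ["192.168.1.0/24"])
    router.add_static("10.110.10.8", "202.38.1.100")
    router.add_server("tcp", "202.38.1.1", 80, "10.110.10.1", 80)
    return router


if __name__ == "__main__":
    r = build_demo_router()
    # Figure 49: two packets from Host A with different ports, one from Host B with Host A's port
    for p in (Packet("tcp", "192.168.1.10", 1694, "202.1.1.2", 80),
              Packet("tcp", "192.168.1.10", 1695, "202.1.1.2", 80),
              Packet("tcp", "192.168.1.11", 1694, "202.1.1.2", 80)):
        print(r.outbound(p))            # same NAT address, three distinct ports
    print(r.inbound(Packet("tcp", "202.1.1.2", 80, "202.38.1.2", 1024)))   # reply to the first session
    print(r.inbound(Packet("tcp", "202.1.1.2", 9999, "202.38.1.2", 1024))) # unsolicited: None
```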
1. Upon receiving a request from a user in an MPLS VPN to an external network, NAT translates the private source IP address and port number to a NAT IP address and port number, and records the MPLS VPN information, such as the VPN name.
2. When a response packet arrives, NAT translates the destination IP address and port number to the private IP address and port number, and forwards the packet to the target MPLS VPN.
NAT translates only IP addresses and port numbers in packet headers and does not analyze fields in application layer payload. However, the packet payloads of some protocols might contain IP address or port information, which might cause problems if not translated. For example, an FTP application involves both data connection and control connection. The data connection establishment dynamically depends on the payload information of the control connection.
• When the destination IP address of a packet from the public network matches the global-ip, the destination IP address is translated into the local-ip.
To configure outbound one-to-one static NAT:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure a one-to-one mapping for outbound static NAT.
   Command: nat static outbound local-ip [ vpn-instance local-name ] global-ip [ vpn-instance global-name ] [ acl acl-number [ reversible ] ]
   Remarks: By default, no mappings exist.
3. Return to system view.
Configuring inbound one-to-one static NAT
Configure inbound one-to-one static NAT for address translation between a private IP address and a public IP address.
• When the source IP address of a packet from the public network to the private network matches the global-ip, the IP address is translated to the local-ip.
• When the destination IP address of a packet from the private network matches the local-ip, the source IP address is translated to the global-ip.
5. Enable static NAT on the interface.
   Command: nat static enable
   Remarks: By default, static NAT is disabled.
Configuring dynamic NAT
Dynamic NAT implements address translation by mapping a group of IP addresses to a smaller number of NAT addresses. You can specify an address group (or the IP address of an interface) and ACL to implement dynamic NAT on the NAT interface.
Configuration restrictions and guidelines
• You can configure multiple dynamic NAT rules.
2. Configure an address group and enter its view.
   Command: nat address-group group-number
   Remarks: By default, no address group exists.
3. Add a group member to the address group.
   Command: address start-address end-address
   Remarks: By default, no group member exists. You can add multiple members to an address group. The IP addresses of the members must not overlap.
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Configure outbound dynamic NAT.
   • Configure NO-PAT:
2. Configure an address group and enter its view.
   Command: nat address-group group-number
   Remarks: By default, no address group exists.
3. Add a group member to the address group.
   Command: address start-address end-address
   Remarks: By default, no group member exists. You can add multiple members to an address group.
4. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
5. Configure inbound dynamic NAT.
3. Configure one or more common NAT Server mappings.
   Command:
   • A single global address with a single or no global port:
     nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl acl-number ]
   • A single global address with consecutive global ports:
5. Configure load sharing NAT Server.
   Command: nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-name ] inside server-group group-number [ vpn-instance local-name ] [ acl acl-number ]
   Remarks: By default, no internal server exists. You can configure multiple load sharing internal servers on an interface.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure NAT with ALG for the specified protocol or all protocols.
   Command: nat alg { all | dns | ftp | h323 | icmp-error | rtsp | sip | tftp }
   Remarks: By default, NAT with ALG is enabled.
Configuring NAT logging
NAT logging records NAT session information, such as IP address and port number translation, user access, and network flows. A NAT device generates NAT logs when one of the following occurs:
• A NAT session is established.
Task: Display information about inbound dynamic NAT.
  Command: display nat inbound
Task: Display NAT logging configuration.
  Command: display nat log
Task: Display information about NAT NO-PAT entries (MSR2000/MSR3000).
  Command: display nat no-pat
Task: Display information about NAT NO-PAT entries (MSR4000).
  Command: display nat no-pat [ slot slot-number ]
Task: Display information about outbound dynamic NAT.
  Command: display nat outbound
Task: Display NAT Server configuration.
  Command: display nat server
Task: Display internal server group configuration.
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Configure a one-to-one static NAT mapping between internal address 10.110.10.8 and the NAT address 202.38.1.100.
system-view
[Router] nat static 10.110.10.8 202.38.1.100
# Enable static NAT on interface GigabitEthernet 1/2.
Outbound dynamic NAT for internal-to-external access (non-overlapping addresses)
Network requirements
As shown in Figure 53, a company has a segment address 192.168.0.0/16 and two public IP addresses 202.38.1.2 and 202.38.1.3. Configure outbound dynamic NAT to allow only internal users on segment 192.168.1.0/24 to access the Internet.
Figure 53 Network diagram
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.
0 202.38.1.2 202.38.1.3
NAT outbound information:
  There are 1 NAT outbound rules.
Bidirectional NAT for internal-to-external access
Network requirements
As shown in Figure 54, the IP address of the Web server is 192.168.1.10, and it overlaps with internal network 192.168.1.0/24, where the hosts reside. The company has two public IP addresses 202.38.1.2 and 202.38.1.3. Configure NAT to allow internal users to access the external Web server by using its domain name.
Figure 54 Network diagram
Configuration considerations
This is a typical application of bidirectional NAT.
[Router] nat address-group 1
# Add address 202.38.1.2 to the group.
[Router-nat-address-group-1] address 202.38.1.2 202.38.1.2
[Router-nat-address-group-1] quit
# Create address group 2.
[Router] nat address-group 2
# Add address 202.38.1.3 to the group.
[Router-nat-address-group-2] address 202.38.1.3 202.38.1.
  Flow-end   : Disabled
  Flow-active: Disabled
NAT mapping behavior:
  Mapping mode: Address and Port-Dependent
  ACL         : ---
NAT ALG:
  DNS        : Enabled
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
# Use the display nat session verbose command to display NAT session information generated when Host A accesses the Web server.
[Router] display nat session verbose
Initiator:
  Source      IP/port: 192.168.1.10/1694
  Destination IP/port: 202.38.1.
Figure 55 Network diagram (figure labels: Web server 1 10.110.10.1/16, Web server 2 10.110.10.2/16, FTP server 10.110.10.3/16, SMTP server 10.110.10.4/16, Router GE1/1 10.110.10.10/16, GE1/2 202.38.1.1/24, Internet, Host)
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Enter interface view of GigabitEthernet 1/2.
system-view
[Router] interface gigabitethernet 1/2
# Configure NAT Server to allow external users to access the FTP server by using the address 202.38.1.
  Interface: GigabitEthernet1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/25
    Local IP/port : 10.110.10.4/25
  Interface: GigabitEthernet1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/80
    Local IP/port : 10.110.10.1/80
  Interface: GigabitEthernet1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/8080
    Local IP/port : 10.110.10.
  Interface(out): GigabitEthernet1/1
  Initiator->Responder: 7 packets 308 bytes
  Responder->Initiator: 5 packets 312 bytes
Total sessions found: 1
NAT Server for external-to-internal access through domain name
Network requirements
As shown in Figure 56, the Web server at 0.110.10.2/24 in the internal network provides services for external users. A DNS server at 10.110.10.3/24 is used to resolve the domain name of the Web server. The company has two public IP addresses: 202.38.1.2 and 202.38.1.3.
# Add address 202.38.1.3 to the group.
[Router-nat-address-group-1] address 202.38.1.3 202.38.1.3
[Router-nat-address-group-1] quit
# Configure NAT Server on interface GigabitEthernet 1/2 to map the address 202.38.1.1 to 10.110.10.3. External users can access the internal DNS server.
[Router] interface gigabitethernet 1/2
[Router-GigabitEthernet1/2] nat server protocol udp global 202.38.1.2 inside 10.110.10.
  FTP        : Enabled
  H323       : Enabled
  ICMP-ERROR : Enabled
# Use the display nat session verbose command to display NAT session information generated when Host accesses the Web server.
[Router] display nat session verbose
Initiator:
  Source      IP/port: 202.1.1.2/1694
  Destination IP/port: 202.38.1.3/8080
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: TCP(6)
Responder:
  Source      IP/port: 10.110.10.2/8080
  Destination IP/port: 202.1.1.
Figure 57 Network diagram Configuration considerations This is a typical application of bidirectional NAT. • To allow the external host to access the internal Web server by using its domain name, configure NAT Server so that the external host can reach the internal DNS server and obtain the IP address of the Web server. • The IP address of the Web server overlaps with the external host's address, and it is carried in the DNS response that the internal DNS server sends to the external host.
# Add address 202.38.1.3 to the address group. [Router-nat-address-group-2] address 202.38.1.3 202.38.1.3 [Router-nat-address-group-2] quit # Configure NAT Server on interface GigabitEthernet 1/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4. [Router] interface gigabitethernet 1/2 [Router-GigabitEthernet1/2] nat server protocol udp global 202.38.1.4 inside 200.1.1.
Local IP/port: 200.1.1.3/53 NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host accesses the Web server. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.2/1694 Destination IP/port: 202.
Figure 58 Network diagram Configuration considerations This is a typical NAT hairpin application in C/S mode. • Configure NAT Server on the interface that connects the external network to make sure an external host can access the internal FTP server by using a NAT address. • Enable NAT hairpin on the interface that connects the internal network to make sure internal hosts can access the internal FTP server by using a NAT address.
Verifying the configuration After completing the configurations, both internal and external hosts can access the internal FTP server through the external address. # Display all NAT configuration and statistics. [Router] display nat all NAT outbound information: There are 1 NAT outbound rules. Interface: GigabitEthernet1/2 ACL: 2000 Address group: --- NO-PAT: N Reversible: N Port-preserved: N NAT internal server information: There are 1 internal servers.
VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) State: TCP_ESTABLISHED Application: HTTP Start time: 2012-08-15 14:53:29 TTL: 3597s Interface(in) : GigabitEthernet1/1 Interface(out): GigabitEthernet1/1 Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT hairpin in P2P mode for access between internal users Network requirements In the P2P application, internal clients must register their IP address to the external server and the server re
Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Configure ACL 2000 with a rule so that only packets from segment 192.168.1.0/24 are translated. system-view [Router] acl number 2000 [Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Router-acl-basic-2000] quit # Configure outbound dynamic PAT with Easy IP on interface GigabitEthernet 1/2.
NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Client A accesses Client B. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.3/44929 Destination IP/port: 202.38.1.3/1 VPN instance/VLAN ID/VLL ID: -/-/Protocol: UDP(17) Responder: Source IP/port: 192.168.1.2/69 Destination IP/port: 202.38.1.
Configuration considerations This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces that connect the VPNs on the NAT device. Configuration procedure # Specify VPN instances and IP addresses for the interfaces. (Details not shown.) # Configure a static outbound NAT mapping between 192.168.1.2 in vpn 1 and 172.16.1.2 in vpn 2. system-view [Router] nat static outbound 192.
Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when Host A accesses Host B. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.2/42496 Destination IP/port: 172.16.2.
Figure 61 Network diagram: FTP server 1 10.110.10.1/16, FTP server 2 10.110.10.2/16 and FTP server 3 10.110.10.3/16 on the internal network; Router GE1/1 10.110.10.10/16, GE1/2 202.38.1.1/16; Host on the Internet. Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Create NAT Server group 0, and add members to the group. system-view [Router] nat server-group 0 [Router-nat-server-group-0] inside ip 10.110.10.1 port 21 [Router-nat-server-group-0] inside ip 10.110.10.
10.110.10.2/21 (Connections: 2) 10.110.10.3/21 (Connections: 2) NAT logging: Log enable : Disabled Flow-begin : Disabled Flow-end : Disabled Flow-active: Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS: Enabled FTP: Enabled H323: Enabled ICMP-ERROR: Enabled # Use the display nat session verbose command to display NAT session information generated when external hosts access an internal FTP server.
Configure NAT so that: • The public IP address 202.38.1.2 is used by external users to access the Web and FTP servers. • External users can use the public address or domain name of internal servers to access them. • Internal users can access the internal servers by using their domain names. Figure 62 Network diagram: Web server 10.110.10.1/16, FTP server 10.110.10.2/16 and Host A 10.110.10.3/16 on the internal network; Router GE1/1 10.110.10.10/16, GE1/2 202.38.1.1/24; DNS server 202.38.1.4/24 and Host B on the Internet at 202.38.1.
Verifying the configuration After completing the configurations, both internal and external hosts can access the internal servers by using domain names. # Display all NAT configuration and statistics. [Router] display nat all NAT outbound information: There are 1 NAT outbound rules. Interface: GigabitEthernet1/2 ACL: --- Address group: --- NO-PAT: N Reversible: N NAT internal server information: There are 2 internal servers. Interface: GigabitEthernet1/2 Protocol: 6(TCP) Global IP/port: 202.38.1.
H323: Enabled ICMP-ERROR: Enabled
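The display output in the NAT examples above reports "Mapping mode: Address and Port-Dependent". The following Python model, added here as an illustration and not part of the HP guide, shows what that mode means for a session table: an inside host gets a different external port for every remote endpoint it talks to, an outside host can only reach a mapping it was the target of, a NAT Server entry is reachable by anyone, and an inside host using the NAT address needs hairpin. The global address 202.38.1.1, the inside subnet 10.110.10.0/24 and the external host 202.1.1.2 are taken from the chapter's figures; the port allocator, the 8.8.8.8/9.9.9.9 peers and the class layout are assumptions of this example.

```python
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    """The fields a NAT session is keyed on (constructed sample packets use these)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    """Outbound PAT on one global address with Address and Port-Dependent
    mapping and filtering, plus NAT Server entries and optional hairpin."""

    def __init__(self, global_ip: str, inside_net: str, first_port: int = 1024):
        self.global_ip = global_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.next_port = itertools.count(first_port)   # no port reuse in this model
        self.sessions = {}      # (src, sport, dst, dport, proto) -> external port
        self.by_ext_port = {}   # (proto, external port) -> session key
        self.servers = {}       # (proto, global port) -> (inside ip, inside port)
        self.hairpin = False    # stands in for "nat hairpin enable" on the inside interface

    def nat_server(self, proto: str, global_port: int, inside_ip: str, inside_port: int):
        self.servers[(proto, global_port)] = (inside_ip, inside_port)

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside_net

    def _outbound(self, pkt: Pkt) -> Pkt:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        ext = self.sessions.get(key)
        if ext is None:
            # Address and Port-Dependent mapping: a fresh external port for
            # every distinct remote (address, port), even from the same socket.
            ext = next(self.next_port)
            self.sessions[key] = ext
            self.by_ext_port[(pkt.proto, ext)] = key
        return Pkt(self.global_ip, ext, pkt.dst, pkt.dport, pkt.proto)

    def _reverse(self, pkt: Pkt) -> Optional[Pkt]:
        key = self.by_ext_port.get((pkt.proto, pkt.dport))
        # Address and Port-Dependent filtering: only the endpoint the inside
        # host talked to may send to this mapping; anything else is dropped.
        if key is None or (key[2], key[3]) != (pkt.src, pkt.sport):
            return None
        return Pkt(pkt.src, pkt.sport, key[0], key[1], pkt.proto)

    def translate(self, pkt: Pkt) -> Optional[Pkt]:
        """Return the packet as forwarded, or None if the device drops it."""
        to_global = pkt.dst == self.global_ip
        server = self.servers.get((pkt.proto, pkt.dport)) if to_global else None
        if self._inside(pkt.src):
            if server is not None:
                if not self.hairpin:
                    return None   # inside host using the NAT address: needs hairpin
                # Hairpin: translate both ends; the session records the real server
                return self._outbound(Pkt(pkt.src, pkt.sport, server[0], server[1], pkt.proto))
            if to_global:
                return self._reverse(pkt)      # reply leg of a hairpinned session
            if not self._inside(pkt.dst):
                return self._outbound(pkt)
            return pkt                          # inside to inside: untouched
        if not to_global:
            return None                         # not addressed to the NAT address
        if server is not None:
            return Pkt(pkt.src, pkt.sport, server[0], server[1], pkt.proto)
        return self._reverse(pkt)


if __name__ == "__main__":
    nat = Nat("202.38.1.1", "10.110.10.0/24")
    nat.nat_server("tcp", 80, "10.110.10.1", 80)
    for p in (Pkt("202.1.1.2", 1694, "202.38.1.1", 80),
              Pkt("10.110.10.5", 40000, "8.8.8.8", 53, "udp"),
              Pkt("9.9.9.9", 53, "202.38.1.1", 1024, "udp")):
        print(p, "->", nat.translate(p))
```

The filtering rule is what makes the P2P hairpin example in this chapter necessary: the external port a client registered with the external server is only valid for that server, so a peer that learned it from the registration is dropped unless the device creates a separate mapping for the peer.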
Basic IP forwarding on the device Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.
Task Command Display FIB entries.
Configuring fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using five fields: source IP address, source port number, destination IP address, destination port number, and protocol number.
Fast forwarding configuration example Network requirements Enable fast forwarding on Router B. Figure 63 Network diagram: Router A Eth1/1 11.1.1.1/8; Router B Eth1/1 11.1.1.2/8 and Eth1/2 22.1.1.1/8; Router C Eth1/2 22.1.1.2/8. Configuration procedure 1. Configure Router A: # Configure the IP address of interface Ethernet 1/1. system-view [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ip address 11.1.1.1 255.0.0.0 [RouterA-Ethernet1/1] quit # Configure a static route.
Verifying the configuration # Display the fast forwarding table on Router B. [RouterB] display ip fast-forwarding cache No fast-forwarding entries. The output shows that no fast forwarding entry exists. # Ping the IP address of Ethernet 1/2 of Router C from Router A. Reply packets can be received. [RouterA] ping 22.1.1.2 PING 22.1.1.2: 56 data bytes, press CTRL_C to break Reply from 22.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms Reply from 22.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 22.1.
Displaying the adjacency table The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in the adjacency table in this chapter refers to non-Ethernet neighbor information. This table is not user configurable. The neighbor information is generated, updated, and deleted by link layer protocols through negotiation (such as PPP dynamic negotiation) or through manual configuration (such as ATM static configuration).
Task Command Display IPv6 adjacency table information.
Optimizing IP performance A customized configuration can help optimize overall IP performance. This chapter describes various techniques you can use to customize your installation. Enabling an interface to receive and forward directed broadcasts destined for the directly connected network A directed broadcast packet is destined for all hosts on a specific network. In the destination IP address of a directed broadcast, the network ID identifies the target network, and the host ID is all ones. Because one forwarded directed broadcast is delivered to every host on the target subnet, it can be used to amplify traffic against that subnet; enable forwarding only on interfaces where an application needs it.
Configuration example Network requirements As shown in Figure 64, the default gateway of the host is the IP address 1.1.1.2/24 of the interface Ethernet 1/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255. Figure 64 Network diagram Configuration procedure 1. Configure Router A: # Specify IP addresses for Ethernet 1/1 and Ethernet 1/2.
To configure an MTU for an interface:
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure an MTU for the interface: ip mtu mtu-size (by default, no MTU is configured)
Configuring TCP MSS for an interface The maximum segment size (MSS) option informs the receiver of the largest segment that the sender can accept. Each end announces its MSS during TCP connection establishment.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection. 4. The TCP source device sends subsequent TCP segments that are each no larger than the MSS (MSS = path MTU – IP header length – TCP header length). If the TCP source device still receives ICMP error messages after the MSS has dropped below 32 bytes, it stops shrinking the MSS and fragments the packets instead.
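The four steps above, played out as a small simulation. This is an added example, not code from the HP guide: a sender with DF set pushes full-size segments along a path of links, a link with a smaller MTU answers with an ICMP Fragmentation Needed message carrying the next-hop MTU, and the sender recomputes its MSS with the formula given above. The 32-byte floor after which the sender fragments instead is the rule the text states; the check that an ICMP message quotes a live connection before it is honoured is a common hardening practice against off-path ICMP forgery and is not from the page. Link MTUs, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR, TCP_HDR = 20, 20
MIN_MSS = 32   # below this the sender gives up on PMTUD and fragments (from the page)

Conn = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


@dataclass
class Segment:
    conn: Conn
    size: int          # size of the whole IP datagram
    df: bool = True    # Don't Fragment set, as PMTUD requires


@dataclass
class IcmpTooBig:
    """ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4).
    A real message quotes the offending IP header plus 8 bytes of payload;
    here the quoted 4-tuple stands in for that."""
    quoted: Conn
    next_hop_mtu: int


class Path:
    """The hops between the endpoints, each with its outgoing-interface MTU."""

    def __init__(self, mtus: List[int]):
        self.mtus = mtus

    def forward(self, seg: Segment) -> Optional[IcmpTooBig]:
        for mtu in self.mtus:
            if seg.size > mtu:
                if seg.df:
                    return IcmpTooBig(seg.conn, mtu)   # step 2: router reports its MTU
                # DF clear: the router fragments and the pieces travel on
        return None   # delivered


class TcpSender:
    def __init__(self, conn: Conn, mss: int = 1460):
        self.conn, self.mss, self.fragment = conn, mss, False

    def on_icmp(self, msg: IcmpTooBig) -> bool:
        # Only honour ICMP that quotes one of our live connections; otherwise an
        # off-path sender could force a tiny MSS (hardening, not from the page).
        if msg.quoted != self.conn:
            return False
        new_mss = msg.next_hop_mtu - IP_HDR - TCP_HDR   # step 4: MSS = path MTU - headers
        if new_mss < MIN_MSS:
            self.fragment = True
        elif new_mss < self.mss:
            self.mss = new_mss
        return True

    def segment(self, payload: int) -> Segment:
        return Segment(self.conn, min(payload, self.mss) + IP_HDR + TCP_HDR, df=not self.fragment)


def discover(sender: TcpSender, path: Path, payload: int = 1460, max_tries: int = 10):
    """Send until a segment gets through; returns (final MSS, attempts used)."""
    for attempt in range(1, max_tries + 1):
        icmp = path.forward(sender.segment(payload))
        if icmp is None:
            return sender.mss, attempt
        sender.on_icmp(icmp)
    raise RuntimeError("path MTU did not converge")


if __name__ == "__main__":
    s = TcpSender(("10.1.1.2", 40000, "203.0.113.7", 443))
    print(discover(s, Path([1500, 1400, 1280])))   # MSS settles at 1280 - 40
```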
To enable TCP SYN Cookie:
1. Enter system view: system-view
2. Enable SYN Cookie: tcp syn-cookie enable (disabled by default)
Configuring the TCP buffer size
1. Enter system view: system-view
2. Configure the size of the TCP receive/send buffer: tcp window window-size (the default buffer size is 64 KB)
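The guide only says where to switch SYN Cookie on. As an added example, not the device's implementation, the following Python shows the mechanism that makes a SYN flood survivable: the server's initial sequence number in the SYN-ACK is a keyed hash of the connection 4-tuple, the client's ISN and a slowly moving counter, so no state is kept for a half-open connection, and the final ACK is validated by recomputing that hash. The bit layout (5 bits counter, 3 bits MSS index, 24 bits tag), the MSS table, the 64-second counter period and the HMAC-SHA256 tag are choices made for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Coarse MSS values encoded in the cookie; the client's MSS is rounded down to one.
MSS_TABLE = (536, 1024, 1460, 4312)
COUNTER_PERIOD = 64   # seconds; a cookie is accepted for the current and previous period


class SynCookies:
    """Stateless SYN handling: the server ISN is a keyed hash of the 4-tuple,
    the client ISN and a slow counter, so nothing is stored per half-open
    connection until the handshake completes."""

    def __init__(self, secret: Optional[bytes] = None,
                 now: Callable[[], float] = time.time):
        self.secret = secret or os.urandom(32)
        self.now = now   # injectable clock so expiry can be exercised offline

    def _counter(self) -> int:
        return int(self.now()) // COUNTER_PERIOD

    def _tag(self, src, sport, dst, dport, client_isn, count) -> int:
        msg = f"{src}|{sport}|{dst}|{dport}|{client_isn}|{count}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")   # 24-bit tag

    def make(self, src, sport, dst, dport, client_isn, mss) -> int:
        """Server ISN for the SYN-ACK: 5 bits counter | 3 bits MSS index | 24 bits tag."""
        count = self._counter() & 0x1F
        idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        tag = self._tag(src, sport, dst, dport, client_isn, count)
        return (count << 27) | (idx << 24) | tag

    def check(self, src, sport, dst, dport, seq, ack) -> Optional[int]:
        """Validate the client's final ACK (seq = client ISN + 1, ack = cookie + 1).
        Returns the MSS to use for the connection, or None if the ACK is forged or stale."""
        cookie = (ack - 1) & 0xFFFFFFFF
        client_isn = (seq - 1) & 0xFFFFFFFF
        count = cookie >> 27
        if (self._counter() - count) & 0x1F > 1:   # older than two counter periods
            return None
        idx = (cookie >> 24) & 0x7
        if idx >= len(MSS_TABLE):
            return None
        expected = self._tag(src, sport, dst, dport, client_isn, count)
        got = cookie & 0xFFFFFF
        if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
            return None
        return MSS_TABLE[idx]


if __name__ == "__main__":
    sc = SynCookies()
    isn = sc.make("203.0.113.5", 51000, "198.51.100.10", 80, 0x12345678, 1460)
    print(hex(isn), sc.check("203.0.113.5", 51000, "198.51.100.10", 80, 0x12345679, isn + 1))
```

The cost of this scheme is visible in the layout: only a coarse MSS survives in the cookie, so options negotiated in the SYN (window scaling, SACK) are lost for connections completed from a cookie unless they are encoded elsewhere, which is why devices enable it as a flood defence rather than as the normal handshake path.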
• The selected route is not created or modified by any ICMP redirect packet. • The selected route is not destined for 0.0.0.0. • There is no source route option in the received packet. ICMP redirect packets simplify host management and enable hosts to gradually optimize their routing table.
Sending ICMP error packets facilitates network management, but sending excessive ICMP packets increases network traffic. A device's performance degrades if it receives a lot of malicious ICMP packets that cause it to respond with ICMP error packets. To prevent such problems, you can disable the device from sending ICMP error packets. A device disabled from sending ICMP time-exceeded packets does not send ICMP TTL Expired packets but can still send ICMP Fragment Reassembly Timeout packets.
Configuring IP virtual fragment reassembly To make sure fragments arrive at a service module in order, the IP virtual fragment reassembly feature virtually reassembles the fragments of a datagram through sequencing and caching. The IP virtual fragment reassembly feature also prevents some service modules (such as IPsec, NAT, and firewall) from processing packet fragments that do not arrive in order.
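The following Python is an added illustration of what "virtually reassembles the fragments through sequencing and caching" amounts to; it is not the device's implementation. Fragments of one datagram are cached under (source, destination, ID, protocol), and only when every byte range from offset 0 to the last fragment is present are the original fragments released in order, so a service module such as NAT or a firewall never sees a fragment out of sequence. Overlapping fragments, a common evasion against such modules, and a runaway number of fragments for one datagram are dropped. The packet builder, the 32-fragment cap and the sample datagram are constructed for the example.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options


def build_ipv4(src: bytes, dst: bytes, ident: int, proto: int,
               offset: int, more: bool, payload: bytes) -> bytes:
    """Minimal IPv4 packet; offset is in bytes and must be a multiple of 8."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (0x2000 if more else 0) | (offset // 8)   # MF flag | offset in 8-byte units
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def fragment(src, dst, ident, proto, payload: bytes, chunk: int = 1480) -> List[bytes]:
    """Split one datagram into fragments the way a router with a small MTU would."""
    if chunk % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return [build_ipv4(src, dst, ident, proto, i * chunk, i < len(pieces) - 1, p)
            for i, p in enumerate(pieces)]


def parse_ipv4(pkt: bytes):
    """Return (reassembly key, byte offset, MF flag, payload length)."""
    vihl, _, total_len, ident, flags_off, _, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return ((src, dst, ident, proto), (flags_off & 0x1FFF) * 8,
            bool(flags_off & 0x2000), total_len - ihl)


class VirtualReassembler:
    """Holds the fragments of a datagram until all are present, then releases
    the original fragments in offset order. Overlaps and fragment floods are dropped."""

    def __init__(self, max_frags: int = 32):
        self.cache: Dict[tuple, List[Tuple[int, bool, bytes, int]]] = defaultdict(list)
        self.max_frags = max_frags

    def feed(self, pkt: bytes) -> Tuple[str, List[bytes]]:
        key, offset, more, plen = parse_ipv4(pkt)
        if offset == 0 and not more:
            return "pass", [pkt]                      # not a fragment: forward as is
        frags = self.cache[key]
        if len(frags) >= self.max_frags:
            del self.cache[key]
            return "drop", []                         # too many fragments for one datagram
        frags.append((offset, more, pkt, plen))
        frags.sort(key=lambda f: f[0])
        end = 0
        for i, (off, mf, _, ln) in enumerate(frags):
            if off < end or (not mf and i != len(frags) - 1):
                del self.cache[key]                   # overlap, or a "last" fragment in the middle
                return "drop", []
            if off > end:
                return "hold", []                     # gap: keep caching
            end = off + ln
        if frags[-1][1]:
            return "hold", []                         # last fragment (MF=0) not seen yet
        del self.cache[key]
        return "complete", [f[2] for f in frags]


if __name__ == "__main__":
    src, dst = bytes([10, 1, 1, 2]), bytes([11, 2, 2, 3])   # constructed addresses
    r = VirtualReassembler()
    for f in reversed(fragment(src, dst, 7, 17, bytes(range(40)), 16)):
        print(r.feed(f)[0])                           # hold, hold, complete
```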
Figure 65 Network diagram Configuration procedure 1. Configure routes so that the Host, Router A, and Router B can communicate with each other. (Details not shown.) 2. On Router A, configure NAT and IP virtual fragment reassembly. system-view [RouterA] nat static inbound 11.2.2.3 10.1.1.
Display brief information about UDP connections (MSR4000): display udp [ slot slot-number ]
Display detailed information about UDP connections (MSR2000/MSR3000): display udp verbose [ pcb pcb-index ]
Display detailed information about UDP connections (MSR4000): display udp verbose [ slot slot-number [ pcb pcb-index ] ]
Display IP packet statistics (MSR2000/MSR3000): display ip statistics
Display IP packet statistics (MSR4000).
Configuring UDP helper Overview UDP helper enables a device to convert received UDP broadcast packets into unicast packets and forward them to a specific server. UDP helper is suitable for the scenario where hosts cannot obtain configuration information or device names by broadcasting packets because the target server or host resides on another broadcast domain. Upon receiving a UDP broadcast packet (the destination address is 255.255.255.
Displaying and maintaining UDP helper Execute display commands in any view and reset commands in user view.
Display information about packets forwarded by UDP helper: display udp-helper interface interface-type interface-number
Clear UDP helper statistics: reset udp-helper statistics
UDP helper configuration example Network requirements As shown in Figure 66, configure UDP helper on Router A to forward broadcast packets with UDP destination port 55 and destination IP address 255.255.255.
Verifying the configuration # Display information about UDP packets forwarded by UDP helper on the interface Ethernet 1/1. [RouterA-Ethernet1/1] display udp-helper interface ethernet 1/1 Interface Server address Packets sent Ethernet1/1 10.2.1.
Configuring basic IPv6 settings Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits. IPv6 features Simplified header format IPv6 removes several IPv4 header fields or moves them to the IPv6 extension headers to reduce the length of the basic IPv6 packet header.
• Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring DHCPv6 server." • Stateless address autoconfiguration enables a host to automatically generate an IPv6 address and other configuration information by using its link-layer address and the prefix information advertised by a router.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the prefix-length is a decimal number indicating how many leftmost bits of the address make up the prefix. IPv6 address types IPv6 addresses include the following types: • Unicast address—An identifier for a single interface, similar to an IPv4 unicast address.
Multicast addresses The IPv6 multicast addresses listed in Table 7 are reserved for special purposes.
Table 7 Reserved IPv6 multicast addresses
FF01::1 Node-local scope all-nodes multicast address.
FF02::1 Link-local scope all-nodes multicast address.
FF01::2 Node-local scope all-routers multicast address.
FF02::2 Link-local scope all-routers multicast address.
Multicast addresses also include solicited-node addresses.
IPv6 ND protocol The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages:
Table 8 ICMPv6 messages used by ND
Neighbor Solicitation (NS), type 135: acquires the link-layer address of a neighbor; verifies whether a neighbor is reachable; detects duplicate addresses.
Neighbor Advertisement (NA), type 136: responds to an NS message; notifies the neighboring nodes of link-layer changes.
Router Solicitation (RS), type 133
Neighbor reachability detection After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows: 1. Host A sends an NS message whose destination address is the IPv6 address of Host B. 2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.
Redirection Upon receiving a packet from a host, the gateway sends an ICMPv6 Redirect message to inform a better next hop to the host when the following conditions are met (similar to the ICMP redirection function in IPv4): • The interface receiving the packet is the same as the interface forwarding the packet. • The selected route is not created or modified by an ICMPv6 Redirect message. • The selected route is not a default route on the device.
both IPv4 and IPv6 packets. An application that supports both IPv4 and IPv6 prefers IPv6 at the network layer. Dual stack is suitable for communication between IPv4 nodes or between IPv6 nodes. It is the basis of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IPv4 address. Tunneling Tunneling uses one network protocol to encapsulate the packets of another network protocol and transfers them over the network.
• RFC 2460, Internet Protocol, Version 6 (IPv6) Specification • RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification • RFC 2464, Transmission of IPv6 Packets over Ethernet Networks • RFC 2526, Reserved IPv6 Subnet Anycast Addresses • RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses • RFC 3513, Internet Protocol Version 6 (IPv6) Addressing Architecture • RFC 4191, Default Router Preferences and More-Specific Routes • RFC 4861
Assigning IPv6 addresses to interfaces This section describes how to configure an IPv6 global unicast address, an IPv6 link-local address, and an IPv6 anycast address. Configuring an IPv6 global unicast address Use one of the following methods to configure an IPv6 global unicast address for an interface: • EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface.
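Two of the address computations described in this chapter, the solicited-node multicast address mentioned under "Multicast addresses" and the EUI-64 interface identifier introduced here, as an added Python example (not code from the guide or the device). The helpers build a modified EUI-64 interface ID from a MAC address, combine it with a /64 prefix, derive the solicited-node group FF02::1:FFxx:xxxx that NS messages for DAD and address resolution are sent to, map a multicast address to its 33:33 Ethernet destination, and recover the MAC from an EUI-64 address, which is the privacy leak that the temporary addresses covered later in this chapter exist to avoid. The MAC 00:0c:29:ab:cd:ef and prefix 2001:db8::/64 are sample values.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE in the middle and
    flip the universal/local bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global unicast address the EUI-64 method builds from a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits copied from the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def multicast_mac(addr: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 + low 32 bits."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[12:])


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-shaped interface ID, or None if it is not one."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    addr = eui64_address("2001:db8::/64", "00:0c:29:ab:cd:ef")   # sample MAC and prefix
    print(addr, solicited_node(str(addr)), multicast_mac(str(solicited_node(str(addr)))))
    print(mac_from_eui64(str(addr)))
```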
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Enable stateless address autoconfiguration: ipv6 address auto (by default, no IPv6 global unicast address is configured on an interface; the undo ipv6 address auto command removes all IPv6 global unicast addresses automatically generated on the interface)
3. Enable the system to prefer the temporary IPv6 address as the source address of packets: ipv6 prefer temporary-address (by default, the system does not prefer the temporary IPv6 address as the source address). To generate a temporary address, an interface must be enabled with stateless address autoconfiguration.
3. Manually specify an IPv6 link-local address for the interface: ipv6 address ipv6-address link-local (by default, no link-local address is configured on an interface; after an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically).
If you use Method 2, make sure the corresponding VLAN interface exists and the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry. To configure a static neighbor entry: Step Command Remarks 1. Enter system view. system-view N/A 2. Configure a static neighbor entry.
Minimizing link-local ND entries Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries comprising link-local addresses. By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link local addresses are not the next hop of any route into the driver to save driver resources.
M flag: determines whether a host uses stateful autoconfiguration to obtain an IPv6 address. If the M flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address. Otherwise, the host uses stateless autoconfiguration to generate an IPv6 address from its link-layer address and the prefix information in the RA message.
Configuring parameters for RA messages
1. Enter system view: system-view
2. Enter interface view: interface interface-type interface-number
3. Configure the prefix information in RA messages.
Configuring the maximum number of attempts to send an NS message for DAD An interface sends an NS message for DAD after obtaining an IPv6 address. If it receives no response within the time specified by the ipv6 nd ns retrans-timer command, it sends the NS message again. If it still receives no response after the number of attempts reaches the threshold specified by the ipv6 nd dad attempts command, it considers the address usable.
Figure 74 Application environment of local ND proxy Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2. To solve this problem, enable local ND proxy on Ethernet 1/2 of the router so that the router can forward messages between Host A and Host B.
Configuring path MTU discovery Configuring the interface MTU IPv6 routers do not fragment packets in transit. If the size of a packet exceeds the MTU of the output interface, the router discards the packet and sends an ICMPv6 Packet Too Big message to the source host, which then fragments the packet according to the reported MTU. To avoid this extra round trip, configure a proper interface MTU. To configure the interface MTU:
1. Enter system view: system-view
2. Enter interface view.
2. Configure the aging time for dynamic path MTUs: ipv6 pathmtu age age-time (the default setting is 10 minutes)
Controlling sending ICMPv6 packets This section describes how to configure ICMPv6 packet sending. Configuring the rate limit for ICMPv6 error messages To avoid sending excessive ICMPv6 error messages within a short period, which might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent.
• If a packet does not match any route, the device sends a No Route to Destination ICMPv6 error message to the source. • If the device fails to forward the packet because of administrative prohibition (such as a firewall filter or an ACL), the device sends the source a Destination Network Administratively Prohibited ICMPv6 error message.
• The interface receiving the packet is the interface forwarding the packet. • The selected route is not created or modified by any ICMPv6 redirect message. • The selected route is not a default route. • The forwarded packet does not contain the routing extension header. The ICMPv6 redirect function simplifies host management by enabling hosts that hold few routes to gradually optimize their routing table. However, to avoid adding too many routes on hosts, this function is disabled by default.
Display neighbor information (MSR2000/MSR3000): display ipv6 neighbors { ipv6-address | all | dynamic | interface interface-type interface-number | static | vlan vlan-id } [ verbose ]
Display neighbor information (MSR4000): display ipv6 neighbors { { ipv6-address | all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } [ verbose ]
Display the total number of neighbor entries (MSR2000/MSR3000).
Display detailed information about IPv6 UDP connections (MSR4000): display ipv6 udp verbose [ slot slot-number [ pcb pcb-index ] ]
Display ICMPv6 traffic statistics (MSR2000/MSR3000): display ipv6 icmp statistics
Display ICMPv6 traffic statistics (MSR4000): display ipv6 icmp statistics [ slot slot-number ]
Display IPv6 TCP traffic statistics (MSR2000/MSR3000): display tcp statistics
Display IPv6 TCP traffic statistics (MSR4000).
Configuration procedure 1. Configure Router A: # Configure a global unicast address for interface Ethernet 1/1. system-view [RouterA] interface ethernet 1/1 [RouterA-Ethernet1/1] ipv6 address 3001::1/64 [RouterA-Ethernet1/1] quit # Configure a global unicast address for interface Ethernet 1/2 and enable it to advertise RA messages (an interface does not advertise RA messages by default).
FF02::1:FF00:2 MTU is 1500 bytes ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 25829 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 47 OutRequests: 89 OutForwDatagrams: 48
ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 600 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses IPv6 Packet statistics: InReceives: 272 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 159 OutReq
IPv6 Packet statistics: InReceives: 117 InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 117 OutRequests: 83 OutForwDatagrams: 0 InNoRoutes: 0 InTooBigErrors: 0 OutFragOKs: 0 OutFragCreates: 0 InMcastPkts: 28 InMcastNotMembers: 0 OutMcastPkts: 7 InAddrErrors: 0 InDiscards: 0 OutDiscards: 0 # Ping Router A and Router
Troubleshooting IPv6 basics configuration Symptom An IPv6 address cannot be pinged. Solution 1. Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up. 2. Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to locate the fault.
DHCPv6 overview DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. DHCPv6 address/prefix assignment An address/prefix assignment process involves two or four messages. Rapid assignment involving two messages As shown in Figure 76, rapid assignment operates in the following steps: 1. The DHCPv6 client sends a Solicit message that contains a Rapid Commit option to prefer rapid assignment. 2.
Figure 77 Assignment involving four messages Address/prefix lease renewal An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time. Figure 78 Using the Renew message for address/prefix lease renewal As shown in Figure 78, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server.
Stateless DHCPv6 Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device decides whether to perform stateless DHCP according to the managed address configuration flag (M flag) and the other stateful configuration flag (O flag) in the RA message received from the router during stateless address autoconfiguration.
Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses or IPv6 prefixes to DHCPv6 clients. IPv6 address assignment As shown in Figure 81, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types: • Temporary IPv6 addresses—Internally used and frequently changed without lease renewal.
Figure 82 IPv6 prefix assignment Concepts Multicast addresses used by DHCPv6 DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers, and uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents. DUID A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID in a sent packet.
PD The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the IPv6 prefix, client DUID, IAID, valid lifetime, preferred lifetime, lease expiration time, and IPv6 address of the requesting client. DHCPv6 address pool The DHCP server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCP clients.
client against the subnets of all address pools, and selects the address pool with the longest-matching subnet. To avoid wrong address allocation, keep the subnet used for dynamic assignment consistent with the subnet where the interface of the DHCPv6 server or DHCPv6 relay agent resides. IPv6 address/prefix allocation sequence The DHCPv6 server selects an IPv6 address/prefix for a client in the following sequence: 1.
Configuration guidelines • An IPv6 prefix can be bound to only one DHCPv6 client. You cannot modify bindings that have been created. To change the binding for a DHCPv6 client, you must delete the existing binding first. • Only one prefix pool can be applied to an address pool. You cannot modify prefix pools that have been applied. To change the prefix pool for an address pool, you must remove the prefix pool application first. • You can apply a prefix pool that has not been created to an address pool.
Configuring IPv6 address assignment Use one of the following methods to configure IPv6 address assignment: Configure a static IPv6 address binding in an address pool: • If you bind a DUID and an IAID to an IPv6 address, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 address to the requesting client.
2. (Optional.) Specify the IPv6 addresses excluded from dynamic assignment: ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ]. By default, all IPv6 addresses in a DHCPv6 address pool except the DHCPv6 server's own address are assignable. An excluded address that appears in a static binding can still be assigned to that client. To exclude multiple IPv6 address ranges, repeat this step. Create a DHCPv6 address pool and enter its view.
3. Specify an IPv6 subnet for dynamic assignment: network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] (by default, no IPv6 subnet is specified)
4. (Optional.) Specify a DNS server address: dns-server ipv6-address (by default, no DNS server address is specified)
5. (Optional.) Specify a domain name suffix: domain-name domain-name (by default, no domain name suffix is specified)
6. (Optional.
Step 2. Enter interface view.
Command: interface interface-type interface-number
Step 3. Enable the DHCPv6 server on the interface.
Command: ipv6 dhcp select server
Remarks: By default, the interface discards DHCPv6 packets from DHCPv6 clients.
Step 4. Configure an address/prefix assignment method. Use one of the commands.
• Configure global address assignment:
Command: ipv6 dhcp server { allow-hint | preference preference-value | rapid-commit } *
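The pool-selection and allocation rules above (longest-matching subnet for the link the request arrived on, static binding before dynamic assignment, forbidden addresses skipped for dynamic assignment but still honoured inside a static binding) are easy to get wrong when reading a configuration, so here is a small model of them. This is an added example, not code from the HP guide or the router; pool names, DUIDs and addresses are constructed sample data and the server's own address is passed in explicitly.

```python
"""DHCPv6 server pool selection and address allocation order.

Added example, not code from the HP guide. It models the behaviour the guide
describes: the pool is chosen by the longest-matching subnet for the link the
request arrived on, a static binding (DUID, optionally plus IAID) is checked
before dynamic assignment, and addresses excluded with forbidden-address are
skipped for dynamic assignment but still handed out when a static binding
names them. Pool names, DUIDs and addresses are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

IPv6 = ipaddress.IPv6Address


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv6Network                  # network prefix/prefix-length
    static: dict = field(default_factory=dict)      # (duid, iaid or None) -> IPv6
    forbidden: list = field(default_factory=list)   # [(start, end)] inclusive ranges
    in_use: set = field(default_factory=set)

    def is_forbidden(self, addr):
        return any(start <= addr <= end for start, end in self.forbidden)


def select_pool(pools, link_address):
    """Longest-matching subnet wins. link_address is the address of the server
    or relay-agent interface the request arrived on. None: no pool serves it."""
    link = IPv6(link_address)
    matches = [p for p in pools if link in p.network]
    return max(matches, key=lambda p: p.network.prefixlen, default=None)


def allocate(pool, duid, iaid, server_address):
    """Return the address assigned from pool as a string, or None when exhausted."""
    # 1. Static binding: a DUID+IAID binding first, then a DUID-only binding.
    for key in ((duid, iaid), (duid, None)):
        addr = pool.static.get(key)
        if addr is not None:
            pool.in_use.add(addr)
            return str(addr)        # forbidden ranges do not apply to static bindings
    # 2. Dynamic assignment: first free address that is not the server's own
    #    address, not excluded, and not already leased.
    own = IPv6(server_address)
    for host in pool.network.hosts():
        if host == own or host in pool.in_use or pool.is_forbidden(host):
            continue
        pool.in_use.add(host)
        return str(host)
    return None


def demo():
    """Worked run over two overlapping pools; returns a dict of results."""
    pool64 = Pool("1", ipaddress.IPv6Network("1::/64"),
                  static={("00030001ca0006a4", None): IPv6("1::5")},
                  forbidden=[(IPv6("1::2"), IPv6("1::9"))])
    pool48 = Pool("2", ipaddress.IPv6Network("1::/48"))
    pools = [pool64, pool48]
    chosen = select_pool(pools, "1::1")            # both pools match; the /64 wins
    return {
        "pool_for_1::1": chosen.name,
        "pool_for_1:0:0:5::1": select_pool(pools, "1:0:0:5::1").name,
        "pool_for_2::1": select_pool(pools, "2::1"),
        "static_client": allocate(chosen, "00030001ca0006a4", 1, "1::1"),
        "dynamic_client_a": allocate(chosen, "000100011b2c3d4e", 1, "1::1"),
        "dynamic_client_b": allocate(chosen, "000100015f6a7b8c", 1, "1::1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The static client receives 1::5 even though 1::2 through 1::9 are forbidden, while the first dynamic client skips the server's own 1::1 and the forbidden range and lands on 1::a; that is the interaction the remarks in step 2 describe.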
Task: Display information about IPv6 address bindings.
Command: display ipv6 dhcp server ip-in-use [ address ipv6-address | pool pool-name ]
Task: Display information about IPv6 prefix bindings.
Command: display ipv6 dhcp server pd-in-use [ pool pool-name | prefix prefix/prefix-len ]
Task: Display packet statistics on the DHCPv6 server.
Command: display ipv6 dhcp server statistics [ pool pool-name ]
Task: Clear information about IPv6 address conflicts.
Configuration procedure
# Specify an IPv6 address for Ethernet 1/1.
system-view
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipv6 address 1::1/64
[Router-Ethernet1/1] quit
# Create prefix pool 1, and specify the prefix 2001:0410::/32 with assigned prefix length 48.
[Router] ipv6 dhcp prefix-pool 1 prefix 2001:0410::/32 assign-len 48
# Create address pool 1.
[Router] ipv6 dhcp pool 1
# In address pool 1, specify subnet 1::/64 where the server interface resides.
Prefix pool: 1
Preferred lifetime 86400, valid lifetime 259200
Static bindings:
  DUID: 00030001ca0006a4
  IAID: Not configured
  Prefix: 2001:410:201::/48
  Preferred lifetime 86400, valid lifetime 259200
DNS server addresses: 2:2::3
Domain name: aaa.com
SIP server addresses: 2:2::4
SIP server domain names: bbb.com
# Display information about prefix pool 1.
Figure 85 Network diagram
Configuration procedure
1. Specify IPv6 addresses for interfaces on the DHCPv6 server. (Details not shown.)
2. Enable DHCPv6:
# Enable the DHCPv6 server on the interfaces Ethernet 1/1 and Ethernet 1/2.
Verifying the configuration After the preceding configuration, clients in subnets 1::1:0:0:0/96 and 1::2:0:0:0/96 can obtain IPv6 addresses and other configuration parameters from the DHCPv6 server (Router A). You can use the display ipv6 dhcp server ip-in-use command to display IPv6 addresses assigned to the clients.
Configuring the DHCPv6 relay agent
A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 86, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server. The relay agent feature avoids deploying a DHCPv6 server on each subnet.
Figure 87 Operating process of a DHCPv6 relay agent (message sequence between the DHCPv6 client, the DHCPv6 relay agent, and the DHCPv6 server):
(1) Solicit (contains a Rapid Commit option), from the client to the relay agent
(2) Relay-forward, from the relay agent to the server
(3) Relay-reply, from the server to the relay agent
(4) Reply, from the relay agent to the client
Configuration guidelines
• You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6 servers on the DHCPv6 relay agent interface. The DHCPv6 relay agent forwards DHCPv6 requests to all the specified DHCPv6 servers.
Displaying and maintaining the DHCPv6 relay agent
Execute display commands in any view and reset commands in user view.
Task: Display the DUID of the local device.
Command: display ipv6 dhcp duid
Task: Display DHCPv6 server addresses specified on the DHCPv6 relay agent.
Command: display ipv6 dhcp relay server-address [ interface interface-type interface-number ]
Task: Display packet statistics on the DHCPv6 relay agent.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ipv6 address 2::1 64
[RouterA-Ethernet1/2] quit
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 1::1 64
# Enable the DHCPv6 relay agent on Ethernet 1/1 and specify the DHCPv6 server on the relay agent.
[RouterA-Ethernet1/1] ipv6 dhcp select relay
[RouterA-Ethernet1/1] ipv6 dhcp relay server-address 2::2
2. Configure Router A as the gateway, enable Router A to send RA messages, and turn on the M and O flags.
Configuring DHCPv6 snooping
NOTE: The feature is not supported.
DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. It guarantees that DHCPv6 clients obtain IPv6 addresses from authorized DHCPv6 servers. It also records the IPv6-to-MAC bindings of DHCPv6 clients (called DHCPv6 snooping entries) for security purposes. DHCPv6 snooping does not work between the DHCPv6 server and the DHCPv6 relay agent.
Figure 89 Trusted and untrusted ports
HP implementation of Option 18 and Option 37
Option 18 for DHCPv6 snooping
Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface through which to forward a RELAY-REPLY message. In the HP implementation, the DHCPv6 snooping device adds Option 18 to a received DHCPv6 request message before forwarding it to the DHCPv6 server. The server can then assign an IPv6 address to the client based on the client information carried in Option 18.
NOTE: The Second VLAN ID field is optional. If the received DHCPv6 request does not carry a second VLAN tag, Option 18 does not contain the field either.
DHCPv6 snooping support for Option 37
Option 37, also called the remote-ID option, identifies the client. In the HP implementation, the DHCPv6 snooping device adds Option 37 to a received DHCPv6 request message before forwarding it to the DHCPv6 server. The server can use the client information in this option when allocating addresses.
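What the snooping device actually does with the trusted/untrusted distinction, the snooping entries, and Option 37 is easier to see in code than in prose. The following is an added example, not code from the HP guide or the router: it drops server-side messages (Advertise, Reply, Reconfigure, Relay-reply) that arrive on untrusted ports, learns an IPv6-to-MAC/port/VLAN entry from a Reply that arrives on a trusted port, and appends a remote-ID option to client requests before they are forwarded. The message bytes, MAC addresses, VLAN IDs, port names, remote-ID string and enterprise number are constructed for illustration; the exact field layout HP uses inside Option 18 and Option 37 is not reproduced.

```python
"""DHCPv6 snooping on a Layer 2 port: drop server-side messages arriving on
untrusted ports, learn client bindings from Reply messages that arrive on
trusted ports, and tag client requests with Option 37 (remote-ID) before
they are forwarded.

Added example, not code from the HP guide. Message bytes, MAC addresses,
VLAN IDs, port names, the remote-ID string and the enterprise number are
constructed for illustration. Option parsing follows the DHCPv6 TLV layout
(2-byte code, 2-byte length, data).
"""
import struct
import ipaddress

# DHCPv6 message types and option codes used here
SOLICIT, ADVERTISE, REQUEST, REPLY, RECONFIGURE, RELAY_FORW, RELAY_REPL = 1, 2, 3, 7, 10, 12, 13
SERVER_MESSAGES = {ADVERTISE, REPLY, RECONFIGURE, RELAY_REPL}
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_REMOTE_ID = 1, 3, 5, 37
ENTERPRISE_NUMBER = 99999   # placeholder enterprise number for Option 37 (assumption)


def parse_options(buf):
    """Return [(code, data), ...]; raise on an option that runs past the buffer."""
    opts, pos = [], 0
    while pos + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError("truncated option %d" % code)
        opts.append((code, buf[pos:pos + length]))
        pos += length
    return opts


def option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def message(msg_type, txid, options):
    return bytes([msg_type]) + txid.to_bytes(3, "big") + b"".join(options)


def leases_in_reply(opts):
    """(address string, valid lifetime) for every IAADDR inside every IA_NA."""
    leases = []
    for code, data in opts:
        if code != OPT_IA_NA:
            continue
        for sub, subdata in parse_options(data[12:]):      # skip IAID, T1, T2
            if sub == OPT_IAADDR:
                addr = ipaddress.IPv6Address(subdata[:16])
                valid = struct.unpack_from("!I", subdata, 20)[0]
                leases.append((str(addr), valid))
    return leases


def remote_id_in(frame):
    """The remote-ID string carried in Option 37, or None if absent."""
    for code, data in parse_options(frame[4:]):
        if code == OPT_REMOTE_ID:
            return data[4:]             # strip the 4-byte enterprise number
    return None


class Snooper:
    def __init__(self, trusted_ports, remote_id):
        self.trusted = set(trusted_ports)
        self.clients = {}    # DUID -> (mac, port, vlan), learned from client messages
        self.bindings = {}   # address string -> (mac, port, vlan, valid lifetime)
        self.remote_id = remote_id

    def handle(self, port, vlan, src_mac, frame):
        """Filter one DHCPv6 message. Returns ('drop', reason) or ('forward', bytes)."""
        msg_type = frame[0]
        opts = parse_options(frame[4:])
        duid = next((d for c, d in opts if c == OPT_CLIENTID), None)
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop", "server message on untrusted port %s" % port
            if msg_type == REPLY and duid in self.clients:
                mac, cport, cvlan = self.clients[duid]
                for addr, valid in leases_in_reply(opts):
                    self.bindings[addr] = (mac, cport, cvlan, valid)   # snooping entry
            return "forward", frame
        # Client message: remember where the client is, add Option 37, forward.
        if duid is not None:
            self.clients[duid] = (src_mac, port, vlan)
        tag = option(OPT_REMOTE_ID, struct.pack("!I", ENTERPRISE_NUMBER) + self.remote_id)
        return "forward", frame + tag


def sample_exchange():
    """Constructed Solicit from a client and the server's Reply leasing 1::2."""
    duid = bytes.fromhex("00030001ca0006a4")
    solicit = message(SOLICIT, 0x0a0b0c, [option(OPT_CLIENTID, duid)])
    iaaddr = option(OPT_IAADDR, ipaddress.IPv6Address("1::2").packed
                    + struct.pack("!II", 86400, 259200))
    ia_na = option(OPT_IA_NA, struct.pack("!III", 1, 3600, 5400) + iaaddr)
    reply = message(REPLY, 0x0a0b0c, [option(OPT_CLIENTID, duid), ia_na])
    return solicit, reply
```

Run with a snooper whose only trusted port is the one facing the server: the Solicit from the untrusted client port is forwarded with Option 37 appended, the same Reply is dropped when it arrives on the client port and accepted on the trusted port, and the binding for 1::2 records the client's MAC, port and VLAN rather than the server's.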
Tasks at a glance
(Optional.) Enabling DHCPv6-REQUEST check
Configuring basic DHCPv6 snooping
To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN.
To configure basic DHCPv6 snooping:
Step 1. Enter system view.
Command: system-view
Step 2. Enable DHCPv6 snooping.
Step 5. Enable support for Option 37.
Command: ipv6 dhcp snooping option remote-id enable
Remarks: By default, Option 37 is not supported.
• (Optional.) Specify the content as the remote ID.
Command: ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id
Remarks: By default, the DHCPv6 snooping device uses its DUID as the content for Option 37.
Saving DHCPv6 snooping entries
DHCPv6 snooping entries cannot survive a reboot.
Setting the maximum number of DHCPv6 snooping entries
Perform this task to prevent the system resources from being overused.
To set the maximum number of DHCPv6 snooping entries:
Step 1. Enter system view.
Command: system-view
Step 2. Enter interface view.
Command: interface interface-type interface-number
Step 3. Set the maximum number of DHCPv6 snooping entries for an interface to learn.
Displaying and maintaining DHCPv6 snooping
Execute display commands in any view, and reset commands in user view.
Task: Display information about trusted ports.
Command: display ipv6 dhcp snooping trust
Task: Display DHCPv6 snooping entries.
Command: display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ]
Task: Display information about the file that stores DHCPv6 snooping entries.
Command: display ipv6 dhcp snooping binding database
Task: Display DHCPv6 packet statistics for DHCPv6 snooping (MSR2000/MSR3000).
Configuration procedure
# Enable DHCPv6 snooping.
system-view
[Router] ipv6 dhcp snooping enable
# Specify Ethernet 1/1 as a trusted port.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ipv6 dhcp snooping trust
[Router-Ethernet1/1] quit
# Enable recording of client information in DHCPv6 snooping entries.
Configuring IPv6 fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using six fields: source IPv6 address, destination IPv6 address, source port number, destination port number, protocol number, and VPN instance name.
IPv6 fast forwarding configuration example
Network requirements
As shown in Figure 93, enable IPv6 fast forwarding on Router B.
Figure 93 Network diagram
Configuration procedure
1. Configure Router A:
# Specify the IPv6 address of interface Ethernet 1/1.
system-view
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 2002::1 64
[RouterA-Ethernet1/1] quit
# Configure a static route.
[RouterA] ipv6 route-static 2001:: 64 2002::2
2.
[RouterB] display ipv6 fast-forwarding cache
No IPv6 fast-forwarding entries.
The output shows that no IPv6 fast forwarding entry exists.
# Ping the IPv6 address of Ethernet 1/2 of Router C from Router A. Reply packets can be received.
Configuring tunneling Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel. Packets are encapsulated at the tunnel source end and de-encapsulated at the tunnel destination end. Tunneling refers to the whole process from data encapsulation to data transfer to data de-encapsulation.
physical interface of the tunnel. In the IPv4 header, the source IPv4 address is the IPv4 address of the tunnel source, and the destination IPv4 address is the IPv4 address of the tunnel destination. 3. Upon receiving the packet, Device B de-encapsulates the packet. 4. If the destination address of the IPv6 packet is itself, Device B forwards it to the upper-layer protocol. If not, Device B forwards it according to the routing table.
• Automatic IPv4-compatible IPv6 tunneling—A point-to-multipoint link. Both ends of the tunnel use IPv4-compatible IPv6 addresses. The address format is 0:0:0:0:0:0:a.b.c.d/96, where a.b.c.d is the IPv4 address of the tunnel destination. This mechanism simplifies tunnel establishment. Automatic IPv4-compatible IPv6 tunnels have limitations because IPv4-compatible IPv6 addresses must use globally unique IPv4 addresses.
• 6to4 tunneling
{ Ordinary 6to4 tunneling—A point-to-multipoint automatic tunnel.
ISATAP tunnels are mainly used for communication between IPv6 routers or between an IPv6 host and an IPv6 router over an IPv4 network. Figure 96 Principle of ISATAP tunneling IPv4 over IPv4 tunneling IPv4 over IPv4 tunneling (RFC 1853) enables isolated IPv4 networks to communicate. For example, an IPv4 over IPv4 tunnel can connect isolated private IPv4 networks over a public IPv4 network.
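The three automatic tunnel types above differ only in how the IPv4 endpoint is embedded in the IPv6 address, and the receiving router's job is the reverse: pull the IPv4 tunnel destination back out of the IPv6 destination. The block below is an added example, not code from the HP guide or the router; it derives each address form from an IPv4 endpoint, recovers the endpoint from a packet's IPv6 destination, and models the receive-side behaviour of the tunnel discard ipv4-compatible-packet setting described later in this chapter. The addresses used are the ones in the guide's configuration examples; the 0:5efe ISATAP interface-ID form is the one shown in the ISATAP host output later in the chapter.

```python
"""Address forms used by the automatic IPv6-over-IPv4 tunnels in this chapter
(IPv4-compatible, 6to4, ISATAP) and the reverse step a tunnel endpoint
performs: recovering the IPv4 tunnel destination from the IPv6 destination
of a packet. Added example, not code from the HP guide. Standard library only.
"""
import ipaddress

IPv4, IPv6 = ipaddress.IPv4Address, ipaddress.IPv6Address
ISATAP_IID = 0x5efe        # ISATAP interface-ID marker: ::0:5efe:a.b.c.d


def ipv4_compatible(v4):
    """::a.b.c.d, the address form of automatic IPv4-compatible IPv6 tunnels."""
    return str(IPv6(int(IPv4(v4))))


def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 derived from the tunnel endpoint's IPv4 address."""
    return str(ipaddress.IPv6Network(((0x2002 << 112) | (int(IPv4(v4)) << 80), 48)))


def isatap_address(prefix, v4):
    """prefix::5efe:a.b.c.d; with fe80::/64 this is the ISATAP link-local address."""
    net = ipaddress.IPv6Network(prefix)
    return str(IPv6(int(net.network_address) | (ISATAP_IID << 32) | int(IPv4(v4))))


def tunnel_destination(ipv6_dst, mode):
    """IPv4 address the encapsulated packet is sent to, or None when the IPv6
    destination carries no usable IPv4 endpoint for this tunnel mode."""
    dst = int(IPv6(ipv6_dst))
    if mode == "ipv4-compatible":
        v4 = dst if dst >> 32 == 0 else None                    # must lie in ::/96
    elif mode == "6to4":
        v4 = (dst >> 80) & 0xffffffff if dst >> 112 == 0x2002 else None
    elif mode == "isatap":
        # accept both 0:5efe and 200:5efe (u/l bit set) interface IDs
        v4 = dst & 0xffffffff if ((dst >> 32) & 0xfdffffff) == ISATAP_IID else None
    else:
        raise ValueError("unknown tunnel mode %r" % mode)
    return None if v4 is None else str(IPv4(v4))


def drop_ipv4_compatible(ipv6_src, ipv6_dst, discard_enabled):
    """Receive-side check for 'tunnel discard ipv4-compatible-packet': when the
    setting is enabled, an IPv6 packet whose source or destination is an
    IPv4-compatible address (::a.b.c.d) is dropped."""
    if not discard_enabled:
        return False
    return any(0 < int(IPv6(a)) < (1 << 32) for a in (ipv6_src, ipv6_dst))


def same_address(a, b):
    """Compare two IPv6 address strings regardless of textual form."""
    return IPv6(a) == IPv6(b)


if __name__ == "__main__":
    print(ipv4_compatible("192.168.50.1"), sixto4_prefix("6.1.1.1"),
          isatap_address("fe80::/64", "1.1.1.2"))
    print(tunnel_destination("2002:601:101::1", "6to4"),
          tunnel_destination("2001::5efe:1.1.1.2", "isatap"))
```

Note that the 6to4 relay example later in the chapter points its default route at 2002:0601:0101::1, which is exactly the prefix sixto4_prefix("6.1.1.1") produces for Router B's Ethernet 1/2 address; the router needs no per-peer destination because the IPv4 endpoint is carried in the IPv6 destination itself.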
IPv4 over IPv6 tunneling
Implementation
IPv4 over IPv6 tunneling adds an IPv6 header to IPv4 packets so that IPv4 packets can pass an IPv6 network through a tunnel to realize interworking between isolated IPv4 networks.
Figure 98 IPv4 over IPv6 tunnel
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 98.
• Encapsulation:
a. Upon receiving an IPv4 packet, Device A delivers it to the IPv4 protocol stack.
b.
Dual Stack Lite (DS-Lite) is a combination of the tunneling and NAT technologies. NAT translates the private IPv4 addresses of the IPv4 hosts before the hosts reach the IPv4 public network. A DS-Lite tunnel supports only an IPv4 host in a private network initiating communication with an IPv4 host on the Internet. It does not support an IPv4 host on the Internet initiating communication with an IPv4 host in a private network.
Figure 100 Packet forwarding process in DS-Lite (information recoverable from the figure):
Topology labels: IPv4 host 10.0.0.1/24 in the private IPv4 network; B4 with tunnel address 1::1/64; AFTR with tunnel address 2::1/64; IPv4 host 30.1.1.1/24 on the IPv4 network; DS-Lite tunnel across the IPv6 network between B4 and AFTR; other interface labels 10.0.0.2/24 and 20.1.1.1/24.
Step 1, IPv4 host to B4: IPv4 src 10.0.0.1, IPv4 dst 30.1.1.1, TCP src 10000, TCP dst 80.
Step 2, B4 adds the IPv6 header: IPv6 src 1::1, IPv6 dst 2::1, carrying IPv4 src 10.0.0.1, IPv4 dst 30.1.1.1, TCP src 10000, TCP dst 80.
Step 3, AFTR removes the IPv6 header and translates the source: IPv4 dst 30.1.1.1, IPv4 src 20.1.1. (the translated address is cut off on the page).
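The reason DS-Lite is one-directional falls out of the AFTR's NAT state: a mapping exists only after a private host has sent something, and the mapping is keyed by the B4's IPv6 address as well as the private IPv4 source, which is what lets every customer behind a different B4 reuse the same 10.0.0.0/24 range. The following is an added example of that AFTR logic, not code from the HP guide or the router. The addresses and ports follow Figure 100; treating 20.1.1.1 as the AFTR's public NAT address and the port range are assumptions, and the mapping is keyed on the source only, which is a simplification of a real NAPT.

```python
"""DS-Lite AFTR behaviour: the NAT state is keyed by the B4's IPv6 tunnel
address as well as the private IPv4 source, and only sessions opened from the
private side create mappings, which is why an Internet host cannot initiate a
connection to a private host. Added example, not code from the HP guide.
Addresses and ports follow Figure 100; the public address 20.1.1.1 and the
port range are assumptions.
"""


class Aftr:
    def __init__(self, public_ip, port_range=(1024, 65536)):
        self.public_ip = public_ip
        self.free_ports = iter(range(*port_range))
        self.out = {}    # (b4 ipv6, private ip, private port) -> public port
        self.back = {}   # public port -> (b4 ipv6, private ip, private port)

    def outbound(self, b4, src_ip, src_port, dst_ip, dst_port):
        """IPv4 packet just decapsulated from the tunnel whose IPv6 source is b4.
        Returns the translated (src ip, src port, dst ip, dst port), or None
        if no public port is left."""
        key = (b4, src_ip, src_port)
        if key not in self.out:
            port = next(self.free_ports, None)
            if port is None:
                return None
            self.out[key] = port
            self.back[port] = key
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """IPv4 packet from the Internet. Returns (b4 ipv6 to tunnel it to,
        untranslated 4-tuple) or None when no session exists, so unsolicited
        traffic toward a private host is discarded."""
        if dst_ip != self.public_ip or dst_port not in self.back:
            return None
        b4, priv_ip, priv_port = self.back[dst_port]
        return b4, (src_ip, src_port, priv_ip, priv_port)


def demo():
    """Two B4s (1::1 and 1::9) that both use 10.0.0.1 behind one AFTR.
    The tiny port range makes the exhaustion case visible."""
    aftr = Aftr("20.1.1.1", port_range=(1024, 1027))
    first = aftr.outbound("1::1", "10.0.0.1", 10000, "30.1.1.1", 80)
    second = aftr.outbound("1::9", "10.0.0.1", 10000, "30.1.1.1", 80)
    again = aftr.outbound("1::1", "10.0.0.1", 10000, "30.1.1.1", 443)   # reuses mapping
    return {
        "first": first,
        "second": second,
        "again": again,
        "reply_to_first": aftr.inbound("30.1.1.1", 80, "20.1.1.1", first[1]),
        "unsolicited": aftr.inbound("30.1.1.1", 80, "20.1.1.1", 1026),
        "third": aftr.outbound("1::1", "10.0.0.1", 20000, "30.1.1.1", 80),
        "exhausted": aftr.outbound("1::1", "10.0.0.1", 30000, "30.1.1.1", 80),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two B4s present identical inner packets (10.0.0.1:10000 to 30.1.1.1:80) yet receive distinct public ports because the tunnel source is part of the key, and the probe toward a port with no mapping is refused before any tunnel lookup happens.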
IPv6 over IPv6 tunneling
IPv6 over IPv6 tunneling (RFC 2473) enables isolated IPv6 networks to communicate with each other over another IPv6 network. For example, two isolated IPv6 networks that do not want to show their addresses to the Internet can use an IPv6 over IPv6 tunnel to communicate with each other.
Figure 101 Principle of IPv6 over IPv6 tunneling
Figure 101 shows the encapsulation and de-encapsulation processes.
• Encapsulation:
a.
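All four manual tunnel modes in this overview (IPv6 over IPv4, IPv4 over IPv4, IPv4 over IPv6, IPv6 over IPv6) share one mechanism: an outer IP header whose protocol or next-header field names the inner family (41 for IPv6, 4 for IPv4), plus a receive-side check that the outer addresses belong to a configured tunnel. The block below is an added example, not code from the HP guide or the router; it builds the outer headers, applies the defaults the tunnel tos and tunnel ttl commands describe (ToS copied from the inner packet, TTL 255), and on the receive side enforces the guideline that the local destination must equal the peer's source and vice versa. The tunnel endpoint addresses are taken from the guide's examples; the inner packets are constructed here, and the RFC 2473 encapsulation-limit option is not modelled.

```python
"""Outer-header construction and receive-side checks for the tunnel modes in
this chapter: IPv6 over IPv4 (protocol 41), IPv4 over IPv4 (protocol 4,
RFC 1853), IPv4 over IPv6 (next header 4) and IPv6 over IPv6 (next header 41,
RFC 2473). Added example, not code from the HP guide; the RFC 2473
encapsulation-limit option is not modelled. Endpoint addresses come from the
guide's examples; the inner packets are constructed here.
"""
import struct
import ipaddress

PROTO_IPV4, PROTO_IPV6 = 4, 41


def ipv4_header(src, dst, proto, payload_len, ttl, tos):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))          # one's-complement header checksum
    s = (s >> 16) + (s & 0xffff)
    s += s >> 16
    return hdr[:10] + struct.pack("!H", ~s & 0xffff) + hdr[12:]


def ipv6_header(src, dst, next_header, payload_len, hop_limit, tclass):
    return struct.pack("!IHBB16s16s", (6 << 28) | (tclass << 20), payload_len, next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def inner_tos(packet):
    """ToS / traffic class of the original packet: the default for 'tunnel tos'."""
    version = packet[0] >> 4
    if version == 4:
        return packet[1]
    if version == 6:
        return ((packet[0] & 0x0f) << 4) | (packet[1] >> 4)
    raise ValueError("not an IP packet")


def encapsulate(packet, tunnel_src, tunnel_dst, ttl=255, tos=None):
    """Tunnel-source side: prepend an outer IPv4 or IPv6 header, chosen by the
    family of the tunnel endpoints; the protocol field names the inner family."""
    proto = PROTO_IPV6 if packet[0] >> 4 == 6 else PROTO_IPV4
    tos = inner_tos(packet) if tos is None else tos      # default: copy from inner packet
    if ipaddress.ip_address(tunnel_src).version == 4:
        return ipv4_header(tunnel_src, tunnel_dst, proto, len(packet), ttl, tos) + packet
    return ipv6_header(tunnel_src, tunnel_dst, proto, len(packet), ttl, tos) + packet


def decapsulate(frame, tunnel_src, tunnel_dst):
    """Tunnel-destination side. Accepts the packet only if the outer addresses
    are exactly the peer's source and our own tunnel source, and the payload
    really is an IP packet of the family the protocol field announces."""
    if frame[0] >> 4 == 4:
        ihl = (frame[0] & 0x0f) * 4
        proto, src, dst, payload = frame[9], frame[12:16], frame[16:20], frame[ihl:]
    else:
        proto, src, dst, payload = frame[6], frame[8:24], frame[24:40], frame[40:]
    if proto not in (PROTO_IPV4, PROTO_IPV6):
        raise ValueError("outer protocol %d is not a tunneled IP packet" % proto)
    outer = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    if outer != (ipaddress.ip_address(tunnel_dst), ipaddress.ip_address(tunnel_src)):
        raise ValueError("outer addresses %s -> %s do not match the tunnel" % outer)
    if (payload[0] >> 4) != (6 if proto == PROTO_IPV6 else 4):
        raise ValueError("inner version disagrees with outer protocol field")
    return payload


def accepts(frame, tunnel_src, tunnel_dst):
    try:
        decapsulate(frame, tunnel_src, tunnel_dst)
        return True
    except ValueError:
        return False


# Constructed inner packets: an ICMPv6 echo (next header 58) and an ICMPv4 echo.
SAMPLE_IPV6 = ipv6_header("3001::1", "3003::1", 58, 8, 64, 0) + b"\x80\x00\x00\x00\x00\x01\x00\x01"
SAMPLE_IPV4 = ipv4_header("10.1.1.1", "10.1.3.1", 1, 8, 64, 0xb8) + b"\x08\x00\x00\x00\x00\x01\x00\x01"

if __name__ == "__main__":
    frame = encapsulate(SAMPLE_IPV6, "192.168.100.1", "192.168.50.1")
    print(len(frame), frame[9], accepts(frame, "192.168.50.1", "192.168.100.1"))
```

The negative checks are the useful part: a frame whose outer addresses do not match the configured endpoints is rejected even though it is well-formed, and a plain IPv6 packet (next header 58) is refused as a tunnel payload, which is the behaviour a tunnel interface should have toward spoofed or stray encapsulated traffic.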
Tunneling configuration task list Tasks at a glance (Required.
Step 5. Set the intended bandwidth for the tunnel interface.
Command: bandwidth bandwidth-value
Remarks: The intended bandwidth for the tunnel interface affects the link cost value. For more information, see Layer 3—IP Routing Configuration Guide.
Step 6. Set the ToS for tunneled packets.
Command: tunnel tos tos-value
Remarks: By default, the ToS of a tunneled packet is the same as the ToS of the original packet.
Step 7. Set the TTL for tunneled packets.
Command: tunnel ttl ttl-value
Remarks: The default TTL for tunneled packets is 255.
Step 4. Configure a source address or source interface for the tunnel interface.
Command: source { ip-address | interface-type interface-number }
Remarks: By default, no source address or source interface is configured for the tunnel interface. The specified source address or the primary IP address of the specified source interface is used as the source IP address of tunneled packets.
By default, no destination address is configured for the tunnel interface.
[RouterA] interface ethernet 1/2
[RouterA-Ethernet1/2] ip address 192.168.100.1 255.255.255.0
[RouterA-Ethernet1/2] quit
# Specify an IPv6 address for Ethernet 1/1.
[RouterA] interface ethernet 1/1
[RouterA-Ethernet1/1] ipv6 address 3002::1 64
[RouterA-Ethernet1/1] quit
# Configure an IPv6 over IPv4 manual tunnel interface tunnel 0.
[RouterA] interface tunnel 0 mode ipv6-ipv4
# Specify an IPv6 address for the tunnel interface.
# Router B and Router A can ping the IPv6 address of Ethernet 1/1 of each other. For example, ping the IPv6 address of Ethernet 1/1 on Router B from Router A.
[RouterA] ping ipv6 3003::1
Ping6(56 data bytes) 3001::1 --> 3003::1, press escape sequence to break
56 bytes from 3003::1, icmp_seq=0 hlim=64 time=45.000 ms
56 bytes from 3003::1, icmp_seq=1 hlim=64 time=10.000 ms
56 bytes from 3003::1, icmp_seq=2 hlim=64 time=4.000 ms
56 bytes from 3003::1, icmp_seq=3 hlim=64 time=10.
Configuration example Network requirements As shown in Figure 103, dual-stack routers Router A and Router B communicate over an IPv4 network. Configure an automatic IPv4-compatible IPv6 tunnel between the two routers to enable IPv6 communications over the IPv4 network. Figure 103 Network diagram Configuration procedure Before configuring an automatic IPv4-compatible IPv6 tunnel, make sure Router A and Router B can reach each other through IPv4.
# Router B and Router A can ping the IPv4-compatible IPv6 address of each other. For example, ping the IPv4-compatible IPv6 address on Router B from Router A.
[RouterA-Tunnel0] ping ipv6 ::192.168.50.1
Ping6(56 data bytes) ::192.168.100.1 --> ::192.168.50.1, press escape sequence to break
56 bytes from ::192.168.50.1, icmp_seq=0 hlim=64 time=17.000 ms
56 bytes from ::192.168.50.1, icmp_seq=1 hlim=64 time=9.000 ms
56 bytes from ::192.168.50.1, icmp_seq=2 hlim=64 time=11.000 ms
56 bytes from ::192.168.50.
Step 7. (Optional.) Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
Command: tunnel discard ipv4-compatible-packet
Remarks: The default setting is disabled.
6to4 tunnel configuration example
Network requirements
As shown in Figure 104, configure a 6to4 tunnel between 6to4 routers Router A and Router B so Host A and Host B can reach each other over the IPv4 network.
[RouterA] interface tunnel 0 mode ipv6-ipv4 6to4
# Specify an IPv6 address for the tunnel interface.
[RouterA-Tunnel0] ipv6 address 3001::1/64
# Specify the source interface as Ethernet 1/2 for the tunnel interface.
[RouterA-Tunnel0] source ethernet 1/2
[RouterA-Tunnel0] quit
# Configure a static route destined for 2002::/16 through the tunnel interface.
[RouterA] ipv6 route-static 2002:: 16 tunnel 0
• Configure Router B:
# Specify an IPv4 address for Ethernet 1/2.
6to4 relay configuration example Network requirements As shown in Figure 105, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6 network. Router B serves as a 6to4 relay router and is connected to an IPv6 network (2001::/16). Configure a 6to4 tunnel between Router A and Router B to make Host A and Host B reachable to each other. The configuration on a 6to4 relay router is similar to that on a 6to4 router.
[RouterA] ipv6 route-static 2002:0601:0101:: 64 tunnel 0
# Configure a default route to reach the IPv6 network, which specifies the next hop as the 6to4 address of the relay router.
[RouterA] ipv6 route-static :: 0 2002:0601:0101::1
• Configure Router B:
# Specify an IPv4 address for Ethernet 1/2.
system-view
[RouterB] interface ethernet 1/2
[RouterB-Ethernet1/2] ip address 6.1.1.1 255.255.255.0
[RouterB-Ethernet1/2] quit
# Specify an IPv6 address for Ethernet 1/1.
• Because automatic tunnels do not support dynamic routing, configure a static route destined for the destination IPv6 network at each tunnel end. You can specify the local tunnel interface as the egress interface of the route or specify the IPv6 address of the peer tunnel interface as the next hop of the route. For the detailed configuration, see Layer 3—IP Routing Configuration Guide.
• The source addresses of local tunnels of the same tunnel mode cannot be the same.
Configuration procedure
• Configure the router:
# Specify an IPv6 address for Ethernet 1/2.
system-view
[Router] interface ethernet 1/2
[Router-Ethernet1/2] ipv6 address 3001::1/64
[Router-Ethernet1/2] quit
# Specify an IPv4 address for Ethernet 1/1.
[Router] interface ethernet 1/1
[Router-Ethernet1/1] ip address 1.1.1.1 255.0.0.0
[Router-Ethernet1/1] quit
# Create an ISATAP tunnel interface tunnel 0.
# Display information about the ISATAP interface.
C:\>ipv6 if 2
Interface 2: Automatic Tunneling Pseudo-Interface
  Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
  does not use Neighbor Discovery
  uses Router Discovery
  routing preference 1
  EUI-64 embedded IPv4 address: 1.1.1.2
  router link-layer address: 1.1.1.1
    preferred global 2001::5efe:1.1.1.2, life 29d23h59m46s/6d23h59m46s (public)
    preferred link-local fe80::5efe:1.1.1.
Configuring an IPv4 over IPv4 tunnel
Follow these guidelines when you configure an IPv4 over IPv4 tunnel:
• The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa.
• The source/destination addresses of local tunnels of the same tunnel mode cannot be the same.
• The IPv4 address of the local tunnel interface cannot be on the same subnet as the destination address configured on the tunnel interface.
Configuration example Network requirements As shown in Figure 107, the two subnets Group 1 and Group 2 use private IPv4 addresses. Configure an IPv4 over IPv4 tunnel between Router A and Router B to make the two subnets reachable to each other. Figure 107 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4. • Configure Router A: # Specify an IPv4 address for Ethernet 1/1.
[RouterB-Ethernet1/1] quit
# Specify an IPv4 address for Serial 2/1, which is the physical interface of the tunnel.
[RouterB] interface serial 2/1
[RouterB-Serial2/1] ip address 3.1.1.1 255.255.255.0
[RouterB-Serial2/1] quit
# Create an IPv4 over IPv4 tunnel interface tunnel 2.
[RouterB] interface tunnel 2 mode ipv4-ipv4
# Specify an IPv4 address for the tunnel interface.
[RouterB-Tunnel2] ip address 10.1.2.2 255.255.255.
To configure an IPv4 over IPv6 manual tunnel:
Step 1. Enter system view.
Command: system-view
Step 2. Enter tunnel interface view.
Command: interface tunnel number [ mode ipv6 ]
Step 3. Configure an IPv4 address for the tunnel interface.
Command: ip address ip-address { mask | mask-length } [ sub ]
Remarks: By default, no IPv4 address is configured for the tunnel interface.
Step 4. Configure the source address or interface for the tunnel interface.
# Specify an IPv6 address for Serial 2/0, which is the physical interface of the tunnel.
[RouterA] interface serial 2/0
[RouterA-Serial2/0] ipv6 address 2001::1:1 64
[RouterA-Serial2/0] quit
# Create an IPv6 tunnel interface tunnel 1.
[RouterA] interface tunnel 1 mode ipv6
# Specify an IPv4 address for the tunnel interface.
[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the IP address of Serial 2/0 as the source address for the tunnel interface.
Ping 30.1.3.1 (30.1.3.1) from 30.1.1.1: 56 data bytes, press escape sequence to break
56 bytes from 30.1.3.1: icmp_seq=0 ttl=255 time=3.000 ms
56 bytes from 30.1.3.1: icmp_seq=1 ttl=255 time=1.000 ms
56 bytes from 30.1.3.1: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 30.1.3.1: icmp_seq=3 ttl=255 time=1.000 ms
56 bytes from 30.1.3.1: icmp_seq=4 ttl=255 time=1.000 ms
--- Ping statistics for 30.1.3.1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.000/1.
Step 4. Specify the source address or source interface for the tunnel.
Command: source { ipv6-address | interface-type interface-number }
Remarks: By default, no source address or interface is specified for the tunnel. If you specify a source address, it is used as the source address of the encapsulated IPv6 packets.
Step 5. Exit to system view.
Command: quit
Step 6. Enter the view of the interface that connects the IPv4 public network.
Command: interface interface-type interface-number
[RouterA-Ethernet1/2] ipv6 address 1::1 64
[RouterA-Ethernet1/2] quit
# Create an IPv6 tunnel interface tunnel 1.
[RouterA] interface tunnel 1 mode ipv6
# Specify an IPv4 address for the tunnel interface.
[RouterA-Tunnel1] ip address 30.1.2.1 255.255.255.0
# Specify the IP address of Ethernet 1/2 as the source address for the tunnel interface.
[RouterA-Tunnel1] source 1::1
# Specify the IP address of Ethernet 1/2 on Router B as the destination address for the tunnel interface.
Pinging 20.1.1.2 with 32 bytes of data:
Reply from 20.1.1.2: bytes=32 time=51ms TTL=255
Reply from 20.1.1.2: bytes=32 time=44ms TTL=255
Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
Ping statistics for 20.1.1.
Step 5. Configure the destination address for the tunnel interface.
Command: destination ipv6-address
Remarks: By default, no destination address is configured for the tunnel.
Step 6. (Optional.) Configure the maximum number of nested encapsulations of a packet.
Command: encapsulation-limit number
Remarks: By default, there is no limit to the nested encapsulations of a packet.
Step 7. Return to system view.
Command: quit
Step 8. (Optional.) Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
# Create an IPv6 tunnel interface tunnel 1.
[RouterA] interface tunnel 1 mode ipv6
# Specify an IPv6 address for the tunnel interface.
[RouterA-Tunnel1] ipv6 address 3001::1:1 64
# Specify the IP address of Serial 2/0 as the source address for the tunnel interface.
[RouterA-Tunnel1] source 2001::11:1
# Specify the IP address of Serial 2/1 on Router B as the destination address for the tunnel interface.
56 bytes from 2002:3::1, icmp_seq=4 hlim=64 time=0.000 ms
--- Ping6 statistics for 2002:3::1 ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.000/0.000/0.000/0.000 ms
Displaying and maintaining tunneling configuration
Execute display commands in any view and reset commands in user view.
Task: Display information about tunnel interfaces.
Configuring flow classification
The following matrix shows the feature and router compatibility:
Feature: Flow classification. MSR2000: No. MSR3000: Yes. MSR4000: Yes.
To implement differentiated services, flow classification categorizes packets to be forwarded by a multi-core device according to one of the following flow classification policies:
• Flow-based policy—Forwards packets of a flow to the same CPU.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons Represents a generic network device, such as a router, switch, or firewall. Represents a routing-capable device, such as a router or Layer 3 switch. Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features. Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch. Represents an access point.