HP MSR Router Series Layer 3 - IP Services Configuration Guide(V7) Part number: 5998-5677 Software version: CMW710-R0106 Document version: 6PW100-20140607
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents (excerpt; page numbers omitted)
Configuring ARP
  Overview
  ARP message format
IP address lease extension
DHCP message format
DHCP options
Configuring the DHCP relay agent security functions
  Enabling the DHCP relay agent to record relay entries
  Enabling periodic refresh of dynamic relay entries
  Enabling DHCP starvation attack protection
Static domain name resolution
Dynamic domain name resolution
DNS proxy
DNS spoofing
Bidirectional NAT
Twice NAT
NAT hairpin
Load sharing NAT Server configuration example
NAT with DNS mapping configuration example
Static NAT444 configuration example
Dynamic NAT444 configuration example
Displaying and maintaining UDP helper
UDP helper configuration examples
  Configuring UDP helper to convert broadcast to unicast
Assignment involving four messages
Address/prefix lease renewal
Stateless DHCPv6
Application of trusted and untrusted ports
Feature and hardware compatibility
HP implementation of Option 18 and Option 37
  Option 18 for DHCPv6 snooping
Analysis
Solution
Configuring GRE
IPv4 multi-hub-group ADVPN configuration example
IPv6 multi-hub-group ADVPN configuration example
IPv4 full-mesh NAT traversal ADVPN configuration example
Support and other resources
Configuring ARP In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview ARP resolves IP addresses into MAC addresses on Ethernet networks. ARP message format ARP uses two types of messages: ARP request and ARP reply. Figure 1 shows the format of ARP request/reply messages. Numbers in the figure refer to field lengths. Figure 1 ARP message format • Hardware type—Hardware address type.
2. If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request. The payload of the ARP request contains the following information:
  • Sender IP address and sender MAC address—Host A's IP address and MAC address.
  • Target IP address—Host B's IP address.
  • Target MAC address—An all-zero MAC address.
All hosts on this subnet can receive the broadcast request, but only the requested host (Host B) processes the request.
3.
Static ARP entry A static ARP entry is manually configured and maintained. It does not age out and cannot be overwritten by any dynamic ARP entry. Static ARP entries protect communication between devices because attack packets cannot modify the IP-to-MAC mapping in a static ARP entry. The device supports the following types of static ARP entries: • Long static ARP entry—It contains the IP address, MAC address, VLAN, and output interface. It is directly used for forwarding packets.
Step Command Remarks
2. Configure a static ARP entry. Use either command:
  • Configure a long static ARP entry: arp static ip-address mac-address vlan-id interface-type interface-number [ vpn-instance vpn-instance-name ]
  • Configure a short static ARP entry: arp static ip-address mac-address [ vpn-instance vpn-instance-name ]
By default, no static ARP entry is configured.
Setting the maximum number of dynamic ARP entries for a device A device can dynamically learn ARP entries.
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter interface view. interface interface-type interface-number N/A
3. Set the maximum number of dynamic ARP entries for the interface. arp max-learning-num number By default:
  • On the MSR2000 or MSR3000 routers, an interface can learn a maximum of 4096 dynamic ARP entries.
  • On the MSR4000 routers, an interface can learn a maximum of 16384 dynamic ARP entries.
Enabling ARP logging This function enables a device to log ARP events when ARP cannot resolve IP addresses correctly. The device can log the following events:
• On a proxy ARP-disabled interface, the target IP address of a received ARP packet is not one of the following IP addresses:
  • The IP address of the receiving interface.
  • The virtual IP address of the VRRP group.
  • The NATed external address.
Task Command Display the aging timer of dynamic ARP entries. display arp timer aging Clear ARP entries from the ARP table (MSR2000/MSR3000). reset arp { all | dynamic | interface interface-type interface-number | static } Clear ARP entries from the ARP table (MSR4000).
# Configure a static ARP entry that has IP address 192.168.1.1, MAC address 00e0-fc01-0000, and output interface GigabitEthernet 2/1/1 in VLAN 10. [RouterB] arp static 192.168.1.1 00e0-fc01-0000 10 gigabitethernet 2/1/1 # Display information about static ARP entries. [RouterB] display arp static Type: S-Static D-Dynamic O-Openflow M-Multiport I-Invalid IP address MAC address VLAN Interface Aging Type 192.168.1.
Configuring gratuitous ARP Overview In a gratuitous ARP packet, the sender IP address and the target IP address are the IP address of the sending device. A device sends a gratuitous ARP packet for either of the following purposes: • Determine whether its IP address is already used by another device. If the IP address is already used, the device is informed of the conflict by an ARP reply. • Inform other devices of a MAC address change.
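The following Python script is an added example for this guide; it is not HP code and the router does not run it. It builds the 28-byte Ethernet/IPv4 ARP payload described in "ARP message format", parses it back, classifies a packet as a normal or gratuitous request or reply (sender IP address equal to target IP address), and keeps a small ARP table in which a static entry cannot be overwritten by a dynamic one and in which a gratuitous ARP for the table owner's own address from a different MAC address is reported as an IP conflict. All MAC and IP addresses in it are constructed sample values.

```python
"""Added example (not HP code): build, parse and classify ARP packets."""
import struct
from ipaddress import IPv4Address

HTYPE_ETHERNET = 1          # Hardware type field
PTYPE_IPV4 = 0x0800         # Protocol type field
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, smac, sip, tmac, tip (28 bytes)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Pack an ARP request or reply. A request carries an all-zero target MAC."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), IPv4Address(target_ip).packed)


def parse_arp(payload: bytes) -> dict:
    """Unpack the fixed fields and reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return {"op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": bytes_to_mac(tmac), "target_ip": str(IPv4Address(tip))}


def classify(arp: dict) -> str:
    """Gratuitous ARP: sender IP address and target IP address are the sender's own address."""
    kind = "request" if arp["op"] == OP_REQUEST else "reply"
    return "gratuitous-" + kind if arp["sender_ip"] == arp["target_ip"] else kind


class ArpTable:
    """Minimal ARP table: static entries never age out and cannot be overwritten."""

    def __init__(self, own_ip: str, own_mac: str):
        self.own_ip, self.own_mac = own_ip, own_mac
        self.entries = {}       # ip -> (mac, "S" static | "D" dynamic)
        self.conflicts = []     # MACs seen claiming our own IP address

    def add_static(self, ip: str, mac: str) -> None:
        self.entries[ip] = (mac, "S")

    def learn(self, arp: dict) -> str:
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == self.own_ip and mac != self.own_mac:
            self.conflicts.append(mac)          # what 'arp ip-conflict log prompt' reports
            return "conflict"
        if ip in self.entries and self.entries[ip][1] == "S":
            return "ignored"                    # a forged packet cannot touch a static entry
        self.entries[ip] = (mac, "D")
        return "learned"
```

A forged reply for an address that has a static entry comes back as ignored; the same reply against a dynamic entry would overwrite it, which is the reason the guide recommends static entries for the devices whose mappings must not change.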
of the VRRP group. The sender MAC address in the gratuitous ARP packet is the virtual MAC address of the virtual router. For more information about VRRP, see High Availability Configuration Guide. Configuration procedure The following conditions apply to the gratuitous ARP configuration: • You can enable periodic sending of gratuitous ARP packets on up to 1024 interfaces.
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable IP conflict notification. arp ip-conflict log prompt By default, IP conflict notification is disabled.
Configuring proxy ARP Proxy ARP enables a device on one network to answer ARP requests for an IP address on another network. With proxy ARP, hosts in different broadcast domains can communicate with each other as they do in the same broadcast domain. Proxy ARP includes common proxy ARP and local proxy ARP. • Common proxy ARP—Allows communication between hosts that connect to different Layer 3 interfaces and reside in different broadcast domains.
Task Command Display common proxy ARP status. display proxy-arp [ interface interface-type interface-number ] Display local proxy ARP status. display local-proxy-arp [ interface interface-type interface-number ] Common proxy ARP configuration example Network requirements As shown in Figure 4, Host A and Host D have the same prefix and mask, but they are located on different subnets. No default gateway is configured on Host A and Host D.
[Router-GigabitEthernet2/1/1] quit Verifying the configuration # Verify that Host A and Host D can ping each other.
Configuring IP addressing The IP addresses in this chapter refer to IPv4 addresses unless otherwise specified. This chapter describes IP addressing basics and manual IP address assignment for interfaces. Dynamic IP address assignment (BOOTP and DHCP) and PPP address negotiation are beyond the scope of this chapter. Overview This section describes the IP addressing basics. IP addressing uses a 32-bit address to identify each host on an IPv4 network.
Class Address range Remarks
C 192.0.0.0 to 223.255.255.255 N/A
D 224.0.0.0 to 239.255.255.255 Multicast addresses.
E 240.0.0.0 to 255.255.255.255 Reserved for future use, except for the broadcast address 255.255.255.255.
Special IP addresses The following IP addresses are for special use and cannot be used as host IP addresses: • IP address with an all-zero net ID—Identifies a host on the local network. For example, IP address 0.0.0.
Assigning an IP address to an interface An interface must have an IP address to communicate with other hosts. You can either manually assign an IP address to an interface, or configure the interface to obtain an IP address through BOOTP, DHCP, or PPP address negotiation. If you change the way an interface obtains an IP address, the new IP address will overwrite the previous address. An interface can have one primary address and multiple secondary addresses.
• Layer 3 Ethernet interfaces and loopback interfaces cannot borrow IP addresses of other interfaces, but other interfaces can borrow IP addresses of these interfaces. • An interface cannot borrow an IP address from an unnumbered interface. • Multiple interfaces can use the same unnumbered IP address. • If an interface has multiple manually configured IP addresses, only the manually configured primary IP address can be borrowed.
To enable the hosts on the two network segments to communicate with the external network through the router, and to enable the hosts on the LAN to communicate with each other: • Assign a primary IP address and a secondary IP address to GigabitEthernet 2/1/1 on the router. • Set the primary IP address of the router as the gateway address of the PCs on subnet 172.16.1.0/24. Set the secondary IP address of the router as the gateway address of the PCs on subnet 172.16.2.0/24.
ping 172.16.2.2
Ping 172.16.2.2 (172.16.2.2): 56 data bytes, press CTRL_C to break
56 bytes from 172.16.2.2: icmp_seq=0 ttl=128 time=2.000 ms
56 bytes from 172.16.2.2: icmp_seq=1 ttl=128 time=7.000 ms
56 bytes from 172.16.2.2: icmp_seq=2 ttl=128 time=1.000 ms
56 bytes from 172.16.2.2: icmp_seq=3 ttl=128 time=2.000 ms
56 bytes from 172.16.2.2: icmp_seq=4 ttl=128 time=1.000 ms
--- Ping statistics for 172.16.2.2 ---
5 packet(s) transmitted, 5 packet(s) received, 0.
[RouterA] ip route-static 172.16.20.0 255.255.255.0 serial 2/1/1 2. Configure Router B: # Assign a primary IP address to GigabitEthernet 2/1/1. system-view [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ip address 172.16.20.1 255.255.255.0 [RouterB-GigabitEthernet2/1/1] quit # Configure interface Serial 2/1/1 to borrow an IP address from GigabitEthernet 2/1/1.
DHCP overview The Dynamic Host Configuration Protocol (DHCP) provides a framework to assign configuration information to network devices. Figure 9 shows a typical DHCP application scenario where the DHCP clients and the DHCP server reside on the same subnet. The DHCP clients can also obtain configuration parameters from a DHCP server on another subnet through a DHCP relay agent. For more information about the DHCP relay agent, see "Configuring the DHCP relay agent.
IP address allocation process Figure 10 IP address allocation process 1. The client broadcasts a DHCP-DISCOVER message to locate a DHCP server. 2. Each DHCP server offers configuration parameters such as an IP address to the client in a DHCP-OFFER message. The sending mode of the DHCP-OFFER is determined by the flag field in the DHCP-DISCOVER message. For more information, see "DHCP message format." 3.
DHCP message format Figure 11 shows the DHCP message format. DHCP keeps the BOOTP layout but uses some of the fields in significantly different ways. The numbers in parentheses indicate the size of each field in bytes. Figure 11 DHCP message format • op—Operation code. 1 = BOOTREQUEST (client to server), 2 = BOOTREPLY (server to client). The DHCP message type (DISCOVER, OFFER, REQUEST, ACK, and so on) is not carried in this field but in Option 53 in the options field. • htype, hlen—Hardware address type and length of the DHCP client. • hops—Number of relay agents a request message traveled.
DHCP options DHCP keeps the BOOTP message format for compatibility and extends it through the options field. DHCP uses the options field to carry information for dynamic address allocation and to provide additional configuration information to clients. Figure 12 DHCP option format Common DHCP options The following are common DHCP options: • Option 3—Router option. It specifies the gateway address. • Option 6—DNS server option. It specifies the DNS server's IP address. • Option 33—Static route option.
• ACS parameters, including the ACS URL, username, and password. • Service provider identifier, which is acquired by the CPE from the DHCP server and sent to the ACS for selecting vender-specific configurations and parameters. For more information about CPE and ACS, see Network Management and Monitoring Configuration Guide. • PXE server address, which is used to obtain the boot file or other control information from the PXE server.
Relay agent option (Option 82) Option 82 is the relay agent option. It records the location information about the DHCP client. When a DHCP relay agent or DHCP snooping device receives a client's request, it adds Option 82 to the request message and sends it to the server. The administrator can use Option 82 to locate the DHCP client and further implement security control and accounting. The DHCP server can use Option 82 to provide individual configuration policies for the clients.
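The following Python script is an added example for this guide, not HP code. It packs and unpacks the fixed 236-byte header described in "DHCP message format" (op, htype, hlen, hops, xid, flags with the broadcast bit, ciaddr/yiaddr/siaddr/giaddr, chaddr), walks the options field that follows the magic cookie, reads the message type from Option 53 and splits Option 82 into its Circuit ID and Remote ID sub-options. The client MAC address, transaction ID and Option 82 contents are constructed sample values, and the sub-option layout follows RFC 3046 rather than any HP padding format.

```python
"""Added example (not HP code): build and parse DHCP messages, including Option 82."""
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = bytes([99, 130, 83, 99])
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed part of a DHCP message
HDR_LEN = struct.calcsize(HDR_FMT)
BOOTREQUEST, BOOTREPLY = 1, 2             # op field
FLAG_BROADCAST = 0x8000                   # high bit of the flags field
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def encode_options(options):
    """options: list of (code, value bytes). Returns cookie + code/len/value triples + END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"bad option {code}")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_dhcp(op, xid, chaddr, options, flags=0, hops=0,
               yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Pack a message with htype 1 (Ethernet); secs, ciaddr, siaddr, sname and file are zero."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    header = struct.pack(HDR_FMT, op, 1, len(mac), hops, xid, 0, flags,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4,
                         IPv4Address(giaddr).packed, mac.ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + encode_options(options)


def parse_tlvs(data, stop_at_end=True):
    """Walk code/length/value triples; used for the options field and for Option 82 sub-options."""
    items, i = [], 0
    while i < len(data):
        code = data[i]
        if stop_at_end and code == OPT_END:
            break
        if stop_at_end and code == OPT_PAD:
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        items.append((code, value))
        i += 2 + length
    return items


def parse_dhcp(data):
    """Unpack the fixed header, check the magic cookie and decode the options."""
    if len(data) < HDR_LEN + len(MAGIC_COOKIE):
        raise ValueError("message shorter than the fixed DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
     chaddr, _sname, _file) = struct.unpack(HDR_FMT, data[:HDR_LEN])
    if data[HDR_LEN:HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    options = parse_tlvs(data[HDR_LEN + 4:])
    msg_types = [v for c, v in options if c == OPT_MSG_TYPE]
    return {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
        "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "options": options,
        "type": MSG_TYPES.get(msg_types[0][0]) if msg_types and len(msg_types[0]) == 1 else None,
    }


def parse_option82(value):
    """Relay agent information sub-options: 1 = Circuit ID, 2 = Remote ID (RFC 3046)."""
    return {sub: val for sub, val in parse_tlvs(value, stop_at_end=False)}
```

The hops and giaddr fields are what a relay agent fills in; a DISCOVER that arrives at the server with hops 0, giaddr 0.0.0.0 and an Option 82 already present did not come through the relay, which is the case the relay agent's Option 82 handling strategy exists for.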
• RFC 3442, The Classless Static Route Option for Dynamic Host Configuration Protocol (DHCP) version 4
Configuring the DHCP server Overview The DHCP server is well suited to networks where: • Manual configuration and centralized management are difficult to implement. • IP addresses are limited. For example, an ISP limits the number of concurrent online users, and users must acquire IP addresses dynamically. • Most hosts do not need fixed IP addresses. An MCE serving as the DHCP server can assign IP addresses not only to clients on public networks, but also to clients on private networks.
c. If the matching user class has no assignable addresses, the DHCP server matches the client against the next user class. If all the matching user classes have no assignable addresses, the DHCP server selects an IP address from the common address range. d. If the DHCP client does not match any DHCP user class, the DHCP server selects an address in the IP address range specified by the address range command.
HP recommends that you make sure the primary subnet can be matched so the DHCP server turns to the secondary subnets only when the matching primary subnet has no assignable IP addresses. If only a secondary subnet is matched, the DHCP server does not select any IP address from other secondary subnets when the matching secondary subnet has no assignable addresses.
Configuring an address pool on the DHCP server Configuration task list Tasks at a glance (Required.
• IP addresses specified by the forbidden-ip command are not assignable in the current address pool, but are assignable in other address pools. IP addresses specified by the dhcp server forbidden-ip command are not assignable in any address pool. To specify a primary subnet and multiple address ranges for a DHCP address pool: Step Command Remarks 1. Enter system view. system-view N/A 2. Create a DHCP user class and enter DHCP user class view.
Specifying a primary subnet and multiple secondary subnets for a DHCP address pool If an address pool has a primary subnet and multiple secondary subnets, the DHCP server assigns an IP address on a secondary subnet to a requesting client when no assignable IP address on the primary subnet is available. Follow these guidelines when you specify a primary subnet and secondary subnets for a DHCP address pool: • You can specify only one primary subnet in each address pool.
Configuring a static binding in a DHCP address pool Some DHCP clients, such as a WWW server, need fixed IP addresses. To provide a fixed IP address for such a client, you can statically bind the MAC address or ID of the client to an IP address in a DHCP address pool. When the client requests an IP address, the DHCP server assigns the IP address in the static binding to the client. Follow these guidelines when you configure a static binding: • One IP address can be bound to only one client MAC or client ID.
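The following Python model is an added example for this guide, not HP code. It walks through the selection order described in the preceding sections for one address pool: a static binding first, then each matching user class range in configuration order, then the common range from the address range command. Addresses excluded by forbidden-ip (this pool) and dhcp server forbidden-ip (every pool), addresses already assigned and addresses held by static bindings are skipped. It assumes, for illustration, that a pool without an address range command hands out the whole primary subnet and that a user class is a plain predicate on the client; subnet matching between pools, secondary subnets and the conflict-detection ping are outside its scope. The pool name, ranges and MAC addresses are constructed sample values.

```python
"""Added example (not HP code): DHCP address selection order for one address pool."""
from ipaddress import IPv4Address, IPv4Network


class DhcpPool:
    """One address pool: primary subnet, optional address range, class ranges, bindings."""

    def __init__(self, name, subnet, address_range=None):
        self.name = name
        self.subnet = IPv4Network(subnet)
        self.address_range = address_range   # (low, high) from 'address range'; None = whole subnet
        self.class_ranges = []               # [(class_name, low, high)] in configuration order
        self.static_bindings = {}            # client MAC -> fixed IP ('static-bind')
        self.forbidden = set()               # 'forbidden-ip': excluded in this pool only
        self.in_use = {}                     # assigned IP -> client MAC

    def add_class_range(self, class_name, low, high):
        self.class_ranges.append((class_name, low, high))

    def bind_static(self, client_mac, ip):
        self.static_bindings[client_mac] = ip


class DhcpServer:
    def __init__(self):
        self.classes = {}                    # class name -> predicate(client) -> bool
        self.global_forbidden = set()        # 'dhcp server forbidden-ip': excluded in every pool

    def define_class(self, name, predicate):
        self.classes[name] = predicate

    def _first_free(self, pool, low, high):
        """First assignable address in [low, high], or None if the range is exhausted."""
        bound = set(pool.static_bindings.values())
        for n in range(int(IPv4Address(low)), int(IPv4Address(high)) + 1):
            ip = IPv4Address(n)
            if ip not in pool.subnet or ip in (pool.subnet.network_address,
                                               pool.subnet.broadcast_address):
                continue
            s = str(ip)
            if s in pool.forbidden or s in self.global_forbidden:
                continue
            if s in pool.in_use or s in bound:
                continue
            return s
        return None

    def select(self, pool, client):
        """Return (ip, reason); client is a dict with at least a 'mac' key."""
        mac = client["mac"]
        # 1. A static binding always wins: the client gets its fixed address.
        if mac in pool.static_bindings:
            ip = pool.static_bindings[mac]
            pool.in_use[ip] = mac
            return ip, "static binding"
        # 2. Try each matching user class in configuration order; an exhausted
        #    class range falls through to the next matching class.
        for class_name, low, high in pool.class_ranges:
            if self.classes[class_name](client):
                ip = self._first_free(pool, low, high)
                if ip:
                    pool.in_use[ip] = mac
                    return ip, f"class {class_name}"
        # 3. No class matched, or all matching class ranges are exhausted: the common range.
        if pool.address_range:
            low, high = pool.address_range
        else:   # assumption: without 'address range' the whole primary subnet is used
            low = str(pool.subnet.network_address + 1)
            high = str(pool.subnet.broadcast_address - 1)
        ip = self._first_free(pool, low, high)
        if ip:
            pool.in_use[ip] = mac
            return ip, "address range"
        return None, "no assignable address"
```

With the pool from the Option 82 configuration example (class tt limited to 10.10.1.2 and 10.10.1.3, common range 10.10.1.2 to 10.10.1.100), the third client matching tt receives an address from the common range rather than being refused, exactly the fall-through the text describes.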
Step Command Remarks
2. Enter DHCP address pool view. dhcp server ip-pool pool-name N/A
3. Specify gateways. gateway-list ip-address&<1-8> By default, no gateway is specified.
4. (Optional.) Enter secondary subnet view. network network-address [ mask-length | mask mask ] secondary N/A
5. (Optional.) Specify gateways for the secondary subnet. gateway-list ip-address&<1-8> By default, no gateway is specified.
• p (peer-to-peer)-node—A p-node client sends the destination name in a unicast message to the WINS server and the WINS server returns the destination IP address. • m (mixed)-node—An m-node client broadcasts the destination name. If it receives no response, it unicasts the destination name to the WINS server to get the destination IP address. • h (hybrid)-node—An h-node client unicasts the destination name to the WINS server.
To configure the IP address of the TFTP server and the boot file name in a DHCP address pool:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter DHCP address pool view. dhcp server ip-pool pool-name N/A
3. Specify the IP address or the name of a TFTP server.
  • Specify the IP address of the TFTP server: tftp-server ip-address ip-address
  • Specify the name of the TFTP server: tftp-server domain-name domain-name
By default, no TFTP server is specified.
4.
Step Command Remarks 4. (Optional.) Specify the IP address for the backup server. voice-config as-ip ip-address By default, no backup network calling processor is specified. 5. (Optional.) Configure the voice VLAN. voice-config voice-vlan vlan-id { disable | enable } By default, no voice VLAN is configured. 6. (Optional.) Specify the failover IP address and dialer string. voice-config fail-over ip-address dialer-string By default, no failover IP address or dialer string is specified.
Option Option name Corresponding command Recommended option command parameters
46 NetBIOS over TCP/IP Node Type Option netbios-type hex
66 TFTP server name tftp-server ascii
67 Boot file name bootfile-name ascii
43 Vendor Specific Information N/A hex
Enabling DHCP You must enable DHCP to validate other DHCP configurations. To enable DHCP:
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable DHCP. dhcp enable By default, DHCP is disabled.
Step Command Remarks 2. Enter interface view. interface interface-type interface-number N/A 3. Apply an address pool on the interface. dhcp server apply ip-pool pool-name By default, no address pool is applied on an interface. If the applied address pool does not exist, the DHCP server fails to perform dynamic address allocation. Configuring IP address conflict detection Before assigning an IP address, the DHCP server pings that IP address.
Configuring DHCP server compatibility Perform this task to enable the DHCP server to support DHCP clients that do not comply with the RFCs. Configuring the DHCP server to broadcast all responses Typically, the DHCP server broadcasts a response only when the broadcast flag in the DHCP request is set to 1. To work with DHCP clients that set the broadcast flag to 0 but do not accept unicast responses, configure the DHCP server to ignore the broadcast flag and always broadcast a response. Because every response is then broadcast, any host on the segment can read the addresses and parameters being assigned; enable this only on segments where such clients exist.
To configure the DHCP server to send BOOTP responses in RFC 1048 format: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable the DHCP server to send BOOTP responses in RFC 1048 format to the RFC 1048-incompliant BOOTP requests for statically bound addresses. dhcp server bootp reply-rfc-1048 By default, the DHCP server directly copies the Vend field of such requests into the responses.
Task Command Clear information about lease-expired IP addresses. reset dhcp server expired [ ip ip-address | pool pool-name ] Clear information about assigned IP addresses. reset dhcp server ip-in-use [ ip ip-address | pool pool-name ] Clear DHCP server statistics. reset dhcp server statistics DHCP server configuration examples DHCP networking includes the following types: • The DHCP server and clients reside on the same subnet.
2. Configure the DHCP server: # Enable DHCP. [RouterA] dhcp enable # Enable the DHCP server on GigabitEthernet 2/1/1. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] dhcp select server [RouterA-GigabitEthernet2/1/1] quit # Create DHCP address pool 0. [RouterA] dhcp server ip-pool 0 # Configure a static binding for Router B. [RouterA-dhcp-pool-0] static-bind ip-address 10.1.1.
Figure 17 Network diagram Configuration procedure 1. Specify IP addresses for interfaces. (Details not shown.) 2. Configure the DHCP server: # Enable DHCP. system-view [RouterA] dhcp enable # Enable the DHCP server on GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2.
[RouterA-dhcp-pool-2] domain-name aabbcc.com [RouterA-dhcp-pool-2] dns-list 10.1.1.2 [RouterA-dhcp-pool-2] gateway-list 10.1.1.254 Verifying the configuration Clients on networks 10.1.1.0/25 and 10.1.1.128/25 can obtain correct IP addresses and other network parameters from Router A. You can use the display dhcp server ip-in-use command on the DHCP server to display the IP addresses assigned to the clients.
[RouterB] dhcp class tt [RouterB-dhcp-class-tt] if-match rule 1 option 82 [RouterB-dhcp-class-tt] quit # Create DHCP address pool aa. [RouterB] dhcp server ip-pool aa # Specify the subnet for dynamic allocation. [RouterB-dhcp-pool-aa] network 10.10.1.0 mask 255.255.255.0 # Specify the address range for dynamic allocation. [RouterB-dhcp-pool-aa] address range 10.10.1.2 10.10.1.100 # Specify the address range for the user class tt. [RouterB-dhcp-pool-aa] class tt range 10.10.1.2 10.10.1.
system-view [RouterA] dhcp enable # Configure the primary and secondary IP addresses of interface GigabitEthernet 2/1/1, and enable the DHCP server on GigabitEthernet 2/1/1. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 10.1.1.1 24 [RouterA-GigabitEthernet2/1/1] ip address 10.1.2.1 24 sub [RouterA-GigabitEthernet2/1/1] dhcp select server [RouterA-GigabitEthernet2/1/1] quit # Create DHCP address pool aa.
Figure 20 Network diagram Configuration procedure 1. Specify an IP address for interface GigabitEthernet 2/1/1. (Details not shown.) 2. Configure the DHCP server: # Enable DHCP. system-view [RouterA] dhcp enable # Enable the DHCP server on GigabitEthernet 2/1/1. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] dhcp select server [RouterA-GigabitEthernet2/1/1] quit # Configure DHCP address pool 0. [RouterA] dhcp server ip-pool 0 [RouterA-dhcp-pool-0] network 10.1.1.
a. On a Windows host, open a command prompt (cmd). b. Enter ipconfig /release to relinquish the IP address. c. Enter ipconfig /renew to obtain another IP address.
Configuring the DHCP relay agent Overview The DHCP relay agent enables clients to get IP addresses from a DHCP server on another subnet. This feature avoids deploying a DHCP server on every subnet, which centralizes management and reduces cost. Figure 21 shows a typical application of the DHCP relay agent. Figure 21 DHCP relay agent application An MCE device serving as the DHCP relay agent can forward DHCP packets between a DHCP server and clients on either a public network or a private network.
Figure 22 DHCP relay agent operation DHCP relay agent support for Option 82 Option 82 records the location information about the DHCP client. It enables the administrator to do the following operations: • Locate the DHCP client for security and accounting purposes. • Assign IP addresses in a specific range to clients. For more information about Option 82, see "Relay agent option (Option 82).
Tasks at a glance (Optional.) Configuring the DHCP relay agent security functions (Optional.) Configuring the DHCP relay agent to release an IP address (Optional.) Configuring Option 82 (Optional.) Setting the DSCP value for DHCP packets sent by the DHCP relay agent Enabling DHCP You must enable DHCP to validate other DHCP relay agent settings. To enable DHCP: Step Command Remarks 1. Enter system view. system-view N/A 2. Enable DHCP. dhcp enable By default, DHCP is disabled.
To specify a DHCP server address on a relay agent: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Specify a DHCP server address on the relay agent. dhcp relay server-address ip-address By default, no DHCP server address is specified on the relay agent.
• If the server returns a DHCP-ACK message or does not return any message within a specific interval, the DHCP relay agent removes the relay entry. In addition, upon receiving the DHCP-ACK message, the relay agent sends a DHCP-RELEASE message to release the IP address. • If the server returns a DHCP-NAK message, the relay agent keeps the relay entry. To enable periodic refresh of dynamic relay entries: Step Command Remarks 1. Enter system view. system-view N/A 2.
Step Command Remarks
1. Enter system view. system-view N/A
2. Configure the aging time for MAC address check entries. dhcp relay check mac-address aging-time time The default aging time is 30 seconds. This command takes effect only after you execute the dhcp relay check mac-address command.
3. Enter interface view. interface interface-type interface-number N/A
4. Enable MAC address check. dhcp relay check mac-address By default, MAC address check is disabled.
Step Command Remarks 4. (Optional.) Configure the strategy for handling DHCP requests that contain Option 82. dhcp relay information strategy { drop | keep | replace } By default, the handling strategy is replace. 5. (Optional.) Configure the padding content and code type for the Circuit ID sub-option.
Task Command Clear relay entries on the DHCP relay agent. reset dhcp relay client-information [ interface interface-type interface-number | ip ip-address [ vpn-instance vpn-instance-name ] ] Clear packet statistics on the DHCP relay agent.
Verifying the configuration DHCP clients can obtain IP addresses and other network parameters from the DHCP server through the DHCP relay agent. You can use the display dhcp relay statistics command to display the statistics of DHCP packets forwarded by the DHCP relay agent. If you enable relay entry recording on the DHCP relay agent with the dhcp relay client-information record command, you can use the display dhcp relay client-information command to display relay entries.
Solution To locate the problem, enable debugging and execute the display command on the DHCP relay agent to view the debugging information and interface state information. Check that: • DHCP is enabled on the DHCP server and relay agent. • The DHCP server has an address pool on the same subnet as the DHCP clients. • The DHCP server and DHCP relay agent can reach each other. • The DHCP server address specified on the DHCP relay agent interface connected to the DHCP clients is correct.
Configuring the DHCP client With DHCP client enabled, an interface uses DHCP to obtain configuration parameters from the DHCP server, for example, an IP address. The DHCP client configuration is supported only on Layer 3 Ethernet interfaces (or subinterfaces), VLAN interfaces, and Layer 3 aggregate interfaces.
Step Command Remarks 3. Configure a DHCP client ID for the interface. dhcp client identifier { ascii string | hex string | mac interface-type interface-number } By default, an interface generates the DHCP client ID based on its MAC address. If the interface has no MAC address, it uses the MAC address of the first Ethernet interface to generate its client ID. DHCP client ID includes ID type and type value. Each ID type has a fixed type value.
Displaying and maintaining the DHCP client Execute display command in any view. Task Command Display DHCP client information. display dhcp client [ verbose ] [ interface interface-type interface-number ] DHCP client configuration example Network requirements As shown in Figure 25, Router B contacts the DHCP server through GigabitEthernet 2/1/1 to obtain an IP address, a DNS server address, and static route information. The DHCP client IP address resides on subnet 10.1.1.0/24.
[RouterA-GigabitEthernet2/1/1] quit
# Enable DHCP.
[RouterA] dhcp enable
# Exclude an IP address from dynamic allocation.
[RouterA] dhcp server forbidden-ip 10.1.1.2
# Configure DHCP address pool 0. Specify the subnet, lease duration, DNS server address, and a static route to subnet 20.1.1.0/24.
[RouterA] dhcp server ip-pool 0
[RouterA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
[RouterA-dhcp-pool-0] expired day 10
[RouterA-dhcp-pool-0] dns-list 20.1.1.
Destination/Mask    Proto   Pre  Cost  NextHop    Interface
10.1.1.0/24         Direct  0    0     10.1.1.3   GE2/1/1
10.1.1.3/32         Direct  0    0     127.0.0.1  InLoop0
20.1.1.0/24         Static  70   0     10.1.1.2   GE2/1/1
10.1.1.255/32       Direct  0    0     10.1.1.3   GE2/1/1
127.0.0.0/8         Direct  0    0     127.0.0.1  InLoop0
127.0.0.0/32        Direct  0    0     127.0.0.1  InLoop0
127.0.0.1/32        Direct  0    0     127.0.0.1  InLoop0
127.255.255.255/32  Direct  0    0     127.0.0.1  InLoop0
224.0.0.0/4         Direct  0    0     0.0.0.0    NULL0
224.0.0.0/24        Direct  0    0     0.0.0.0    NULL0
255.255.255.255/32  Direct  0    0     127.0.0.
Configuring DHCP snooping
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Overview
DHCP snooping works between the DHCP client and server, or between the DHCP client and DHCP relay agent. It guarantees that DHCP clients obtain IP addresses from authorized DHCP servers. Also, it records IP-to-MAC bindings of DHCP clients (called DHCP snooping entries) for security purposes.
Figure 26 Trusted and untrusted ports
In a cascaded network as shown in Figure 27, configure each DHCP snooping device's ports connected to other DHCP snooping devices as trusted ports. To save system resources, you can disable the untrusted ports that are not directly connected to DHCP clients from generating DHCP snooping entries.
Table 5 Handling strategies
If a DHCP request has Option 82, DHCP snooping handles it according to the configured strategy:
• Drop: Drops the message.
• Keep: Forwards the message without changing Option 82.
• Replace: Forwards the message after replacing the original Option 82 with the Option 82 padded according to the configured padding format, padding content, and code type.
If a DHCP request has no Option 82, the handling strategy is N/A: DHCP snooping forwards the message after adding the Option 82 padded according to the configured padding format, padding content, and code type.
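The strategies in Table 5 as an added Python example, not Comware code: it parses a DHCP options area, applies drop, keep or replace to a request that already carries Option 82, and adds a padded Option 82 to one that does not. The circuit ID and remote ID contents and the sample requests are constructed placeholders, not the device's padding formats.

```python
"""DHCP snooping Option 82 handling strategies (Table 5).

Added example, not Comware code. It works on the DHCP options area that
follows the 4-byte magic cookie; the circuit ID and remote ID contents are
constructed placeholders, not the device's padding formats.
"""
from typing import List, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2

Options = List[Tuple[int, bytes]]


def parse_options(data: bytes) -> Options:
    """Split a DHCP options area into (code, value) pairs, validating lengths."""
    opts: Options = []
    i = 0
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")  # malformed request
        opts.append((code, value))
        i += 2 + length
    return opts


def build_options(opts: Options) -> bytes:
    """Serialize (code, value) pairs back into an options area with an END marker."""
    out = bytearray()
    for code, value in opts:
        if len(value) > 255:
            raise ValueError("option value too long for a single option")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Pad an Option 82 value from its two sub-options (RFC 3046 layout)."""
    return (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)


def apply_strategy(options: bytes, strategy: str, padded: bytes) -> Optional[bytes]:
    """Apply Table 5 to one DHCP request: the options to forward, or None for drop."""
    opts = parse_options(options)
    if not any(code == OPT_RELAY_AGENT_INFO for code, _ in opts):
        # No Option 82 present: add the locally padded one whatever the strategy.
        return build_options(opts + [(OPT_RELAY_AGENT_INFO, padded)])
    if strategy == "drop":
        return None
    if strategy == "keep":
        return build_options(opts)
    if strategy == "replace":
        return build_options([(code, padded if code == OPT_RELAY_AGENT_INFO else value)
                              for code, value in opts])
    raise ValueError(f"unknown strategy: {strategy}")


def get_option(options: bytes, code: int) -> Optional[bytes]:
    """Return the value of the first option with the given code, if any."""
    for c, v in parse_options(options):
        if c == code:
            return v
    return None


# Constructed samples: a DHCP Discover (option 53 = 1) with a client identifier
# (option 61), once without and once with an Option 82 inserted upstream.
CLIENT_ID = bytes([0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55])
REQUEST_NO_82 = bytes([53, 1, 1, 61, 7]) + CLIENT_ID + bytes([OPT_END])
FOREIGN_82 = build_option82(b"port5", b"\xaa")
REQUEST_WITH_82 = bytes([53, 1, 1, 82, len(FOREIGN_82)]) + FOREIGN_82 + bytes([OPT_END])
# Option 82 padded by this snooping device (placeholder content).
LOCAL_82 = build_option82(b"vlan10:GE2/1/2", bytes.fromhex("001122334455"))

if __name__ == "__main__":
    for name, req in (("no Option 82", REQUEST_NO_82), ("with Option 82", REQUEST_WITH_82)):
        for strategy in ("drop", "keep", "replace"):
            out = apply_strategy(req, strategy, LOCAL_82)
            print(f"{name:15} {strategy:8} ->", "dropped" if out is None else get_option(out, 82))
```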
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable DHCP snooping. Command: dhcp snooping enable. Remarks: By default, DHCP snooping is disabled.
3. Enter interface view. Command: interface interface-type interface-number. Remarks: This interface must connect to the DHCP server.
4. Specify the port as a trusted port. Command: dhcp snooping trust. Remarks: By default, all ports are untrusted ports after DHCP snooping is enabled.
5. Return to system view. Command: quit. Remarks: N/A.
6. Enter interface view.
3. Enable DHCP snooping to support Option 82. Command: dhcp snooping information enable. Remarks: By default, DHCP snooping does not support Option 82.
4. (Optional.) Configure a handling strategy for DHCP requests that contain Option 82. Command: dhcp snooping information strategy { drop | keep | replace }. Remarks: By default, the handling strategy is replace.
5. (Optional.) Configure the padding content and code type for the Circuit ID sub-option.
3. (Optional.) Manually save DHCP snooping entries to the file. Command: dhcp snooping binding database update now. Remarks: DHCP snooping entries are saved to the database file each time this command is executed.
4. (Optional.) Set the amount of time to wait after a DHCP snooping entry changes before updating the database file. Remarks: The default setting is 300 seconds.
Attackers can also forge DHCP-DECLINE or DHCP-RELEASE packets to terminate leases for legitimate DHCP clients that still need the IP addresses. To prevent such attacks, you can enable DHCP-REQUEST check. This feature uses DHCP snooping entries to check incoming DHCP-REQUEST messages.
• If a matching entry is found for a message, this feature compares the entry with the message information.
◦ If they are consistent, the message is considered valid and is forwarded to the DHCP server.
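The DHCP-REQUEST check as an added Python example, not Comware code: constructed DHCP-REQUEST, DHCP-DECLINE and DHCP-RELEASE messages are validated against a small table of snooping entries. The entry fields, the lookup by client MAC address, and the behaviour when no entry exists (forward) or the entry disagrees (drop) are assumptions made for the example.

```python
"""DHCP-REQUEST check against DHCP snooping entries.

Added example, not Comware code. Entries are keyed by client MAC address and
compared on IP address, VLAN and ingress port; a message with no entry is
forwarded and an inconsistent one is dropped. Those rules are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHECKED_TYPES = {"REQUEST", "DECLINE", "RELEASE"}


@dataclass(frozen=True)
class SnoopingEntry:
    """IP-to-MAC binding recorded from a DHCP-ACK seen on an untrusted port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ClientMessage:
    msg_type: str                 # DISCOVER, REQUEST, DECLINE, RELEASE
    chaddr: str                   # client hardware address
    ciaddr: str                   # client IP field (set by a RELEASE or renewal)
    requested_ip: Optional[str]   # option 50 (set by a REQUEST or DECLINE)
    vlan: int                     # VLAN the message arrived on
    port: str                     # untrusted port the message arrived on


def claimed_address(msg: ClientMessage) -> Optional[str]:
    """The lease the client refers to: option 50 if present, otherwise ciaddr."""
    if msg.requested_ip:
        return msg.requested_ip
    return None if msg.ciaddr == "0.0.0.0" else msg.ciaddr


def check_request(msg: ClientMessage,
                  entries: Dict[str, SnoopingEntry]) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one client-originated message."""
    if msg.msg_type not in CHECKED_TYPES:
        return "forward", "message type is not subject to DHCP-REQUEST check"
    entry = entries.get(msg.chaddr.lower())
    if entry is None:
        # Assumption: nothing to compare against (e.g. a first lease), so forward.
        return "forward", "no snooping entry for client MAC"
    mismatches: List[str] = []
    ip = claimed_address(msg)
    if ip != entry.ip:
        mismatches.append(f"ip {ip} != {entry.ip}")
    if msg.vlan != entry.vlan:
        mismatches.append(f"vlan {msg.vlan} != {entry.vlan}")
    if msg.port != entry.port:
        mismatches.append(f"port {msg.port} != {entry.port}")
    if mismatches:
        return "drop", "inconsistent with snooping entry: " + "; ".join(mismatches)
    return "forward", "consistent with snooping entry"


# Constructed snooping table: one client learned on GigabitEthernet 2/1/2.
ENTRIES = {
    "0011-2233-4455": SnoopingEntry("10.1.1.10", "0011-2233-4455", 10, "GE2/1/2"),
}

# Constructed messages: a legitimate renewal and release, a release that
# arrives on a different port with the victim's MAC, a decline naming an
# address the client does not hold, and a client with no entry yet.
LEGIT_RENEWAL = ClientMessage("REQUEST", "0011-2233-4455", "10.1.1.10", None, 10, "GE2/1/2")
LEGIT_RELEASE = ClientMessage("RELEASE", "0011-2233-4455", "10.1.1.10", None, 10, "GE2/1/2")
FORGED_RELEASE = ClientMessage("RELEASE", "0011-2233-4455", "10.1.1.10", None, 10, "GE2/1/3")
FORGED_DECLINE = ClientMessage("DECLINE", "0011-2233-4455", "0.0.0.0", "10.1.1.99", 10, "GE2/1/2")
NEW_CLIENT = ClientMessage("REQUEST", "00aa-bbcc-ddee", "0.0.0.0", "10.1.1.20", 10, "GE2/1/4")

if __name__ == "__main__":
    for m in (LEGIT_RENEWAL, LEGIT_RELEASE, FORGED_RELEASE, FORGED_DECLINE, NEW_CLIENT):
        action, why = check_request(m, ENTRIES)
        print(f"{m.msg_type:8} from {m.chaddr} on {m.port}: {action} ({why})")
```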
Task: Display Option 82 configuration information on the DHCP snooping device. Command: display dhcp snooping information { all | interface interface-type interface-number }. Remarks: Available in any view.
Task: Display DHCP packet statistics on the DHCP snooping device (MSR2000/MSR3000). Command: display dhcp snooping packet statistics. Remarks: Available in any view.
Task: Display DHCP packet statistics on the DHCP snooping device (MSR4000). Command: display dhcp snooping packet statistics [ slot slot-number ]. Remarks: Available in any view.
Figure 28 Network diagram
Configuration procedure
# Enable DHCP snooping.
system-view
[RouterB] dhcp snooping enable
# Configure GigabitEthernet 2/1/1 as a trusted port.
[RouterB] interface gigabitethernet 2/1/1
[RouterB-GigabitEthernet2/1/1] dhcp snooping trust
[RouterB-GigabitEthernet2/1/1] quit
# Enable DHCP snooping to record clients' IP-to-MAC bindings on GigabitEthernet 2/1/2.
Figure 29 Network diagram
Configuration procedure
# Enable DHCP snooping.
system-view
[RouterB] dhcp snooping enable
# Configure GigabitEthernet 2/1/1 as a trusted port.
[RouterB] interface gigabitethernet 2/1/1
[RouterB-GigabitEthernet2/1/1] dhcp snooping trust
[RouterB-GigabitEthernet2/1/1] quit
# Configure Option 82 on GigabitEthernet 2/1/2.
Configuring the BOOTP client
BOOTP client configuration only applies to Layer 3 Ethernet interfaces (including subinterfaces), Layer 3 aggregate interfaces, and VLAN interfaces. If several VLAN interfaces sharing the same MAC address obtain IP addresses through a BOOTP relay agent, the BOOTP server cannot be a Windows Server 2000 or Windows Server 2003.
BOOTP application
An interface that acts as a BOOTP client can use BOOTP to obtain information (such as an IP address) from the BOOTP server.
Configuring an interface to use BOOTP for IP address acquisition
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure an interface to use BOOTP for IP address acquisition. Command: ip address bootp-alloc. Remarks: By default, an interface does not use BOOTP for IP address acquisition.
Displaying and maintaining BOOTP client
Execute the display command in any view.
Task: Display BOOTP client information.
Configuring DNS
Overview
Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry. DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution.
Figure 30 Dynamic domain name resolution (diagram: the user program sends a request to the resolver on the DNS client, the resolver reads from and saves to its cache, and forwards unresolved requests to the DNS server, whose response is returned to the user program)
Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires.
Figure 31 DNS proxy application
A DNS proxy operates as follows:
1. A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
2. The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.
3.
Figure 32 DNS spoofing application
The DNS proxy does not have the DNS server address or cannot reach the DNS server after startup. A host accesses the HTTP server in the following steps:
1. The host sends a DNS request to the device to resolve the domain name of the HTTP server into an IP address.
2. Upon receiving the request, the device searches the local static and dynamic DNS entries for a match. Because no match is found, the device spoofs the host by replying with a configured IP address.
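The DNS proxy lookup order (static table, dynamic cache, real server) together with the spoofing fallback, as an added Python example rather than Comware code. The upstream server is modelled as a callable, the cache aging time is taken from the TTL the server returns, and the clock is injectable so aging can be exercised without waiting; all of these are assumptions of the example.

```python
"""DNS proxy lookup order with dynamic cache aging and DNS spoofing.

Added example, not Comware code. The real DNS server is modelled as a callable
that returns (ip, ttl_seconds) or None for an unknown name and raises
ConnectionError when unreachable. Cache entries age out after the TTL the
server returned (an assumption), and the clock is injectable for testing.
"""
import time
from typing import Callable, Dict, Optional, Tuple

Upstream = Callable[[str], Optional[Tuple[str, int]]]


class DnsProxy:
    def __init__(self, static_entries: Dict[str, str], upstream: Optional[Upstream],
                 spoof_ip: Optional[str] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.static = {n.lower(): ip for n, ip in static_entries.items()}
        self.upstream = upstream      # None: no DNS server address configured
        self.spoof_ip = spoof_ip      # configured translated address for spoofing
        self.clock = clock
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expiry time)

    def _purge_expired(self) -> None:
        """Remove dynamic entries whose aging timer has expired."""
        now = self.clock()
        for name in [n for n, (_, expiry) in self.cache.items() if expiry <= now]:
            del self.cache[name]

    def resolve(self, name: str) -> Tuple[Optional[str], str]:
        """Answer one client query: (ip or None, where the answer came from)."""
        name = name.lower().rstrip(".")
        # Step 2: the local static table first, then the dynamic cache.
        if name in self.static:
            return self.static[name], "static"
        self._purge_expired()
        if name in self.cache:
            return self.cache[name][0], "cache"
        # Step 3: forward to the real DNS server when one is configured.
        if self.upstream is not None:
            try:
                answer = self.upstream(name)
            except ConnectionError:
                answer, reachable = None, False
            else:
                reachable = True
            if answer is not None:
                ip, ttl = answer
                self.cache[name] = (ip, self.clock() + ttl)
                return ip, "server"
            if reachable:
                return None, "nxdomain"   # a genuine negative answer is not spoofed
        # DNS spoofing: no server address or server unreachable, and no local match.
        if self.spoof_ip is not None:
            return self.spoof_ip, "spoofed"
        return None, "no answer"


# Constructed upstream servers for the demonstration.
UPSTREAM_RECORDS = {"www.example.com": ("203.0.113.10", 60)}


def reachable_server(name: str) -> Optional[Tuple[str, int]]:
    return UPSTREAM_RECORDS.get(name)


def unreachable_server(name: str) -> Optional[Tuple[str, int]]:
    raise ConnectionError("DNS server not reachable")


if __name__ == "__main__":
    proxy = DnsProxy({"host.com": "10.1.1.2"}, reachable_server, spoof_ip="3.1.1.1")
    for q in ("host.com", "www.example.com", "www.example.com", "nosuch.example"):
        print(q, "->", proxy.resolve(q))
    print("no server:", DnsProxy({}, unreachable_server, spoof_ip="3.1.1.1").resolve("www.example.com"))
```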
Tasks at a glance
(Optional.) Configuring DNS spoofing
(Optional.) Specifying the source interface for DNS packets
(Optional.) Configuring the DNS trusted interface
(Optional.) Setting the DSCP value for outgoing DNS packets
Configuring the IPv4 DNS client
Configuring static domain name resolution
Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.
◦ Specify DNS server IPv4 addresses for the public network and up to 1024 VPNs.
◦ Specify a maximum of six DNS server IPv4 addresses for the public network or each VPN.
• You can specify DNS server IPv6 addresses as follows:
◦ Specify DNS server IPv6 addresses for the public network and up to 1024 VPNs.
◦ Specify a maximum of six DNS server IPv6 addresses for the public network or each VPN.
An IPv4 name query is first sent to the DNS server IPv4 addresses.
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure a mapping between a host name and an IPv6 address. Command: ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]. Remarks: By default, no mapping between a host name and an IPv6 address is configured.
Configuring dynamic domain name resolution
To send DNS queries to a correct server for resolution, you must enable dynamic domain name resolution and configure DNS servers.
3. (Optional.) Configure a DNS suffix. Command: dns domain domain-name [ vpn-instance vpn-instance-name ]. Remarks: By default, no DNS suffix is configured. Only the provided domain name is resolved.
Configuring the DNS proxy
You can specify multiple DNS servers. The DNS proxy forwards a request to the DNS server that has the highest priority. If it receives no reply, it forwards the request to the DNS server that has the second highest priority, and so on.
3. Enable DNS spoofing and specify the translated IP address. Command:
• Specify a translated IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ]
• Specify a translated IPv6 address: ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]
Remarks: Use at least one command. By default, no translated IP address is specified.
2. Specify the DNS trusted interface. Command: dns trust-interface interface-type interface-number. Remarks: By default, no DNS trusted interface is specified. You can configure up to 128 DNS trusted interfaces.
Setting the DSCP value for outgoing DNS packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
Figure 33 Network diagram
Configuration procedure
# Configure a mapping between host name host.com and IP address 10.1.1.2.
system-view
[Sysname] ip host host.com 10.1.1.2
# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.
[Sysname] ping host.com
Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break
56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 10.1.1.
Configuration procedure
Before performing the following configuration, make sure that:
• The device and the host can reach each other.
• The IP addresses of the interfaces are configured as shown in Figure 34.
1. Configure the DNS server:
The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2000.
a. Select Start > Programs > Administrative Tools > DNS. The DNS server configuration page appears, as shown in Figure 35.
b.
Figure 36 Adding a host
d. On the page that appears, enter host name host and IP address 3.1.1.1.
e. Click Add Host. The mapping between the IP address and host name is created.
Figure 37 Adding a mapping between domain name and IP address
2.
# Specify the DNS server 2.1.1.2.
system-view
[Sysname] dns server 2.1.1.2
# Specify com as the name suffix.
[Sysname] dns domain com
Verifying the configuration
# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.
[Sysname] ping host
Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break
56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms
56 bytes from 3.1.1.
Figure 38 Network diagram
Configuration procedure
Before performing the following configuration, make sure that:
• Device A, the DNS server, and the host can reach each other.
• The IPv6 addresses of the interfaces are configured as shown in Figure 38.
1. Configure the DNS server:
The configuration might vary by DNS server. When a PC running Windows Server 2000 acts as the DNS server, see "Dynamic domain name resolution configuration example" for configuration information.
2.
--- Ping statistics for host.com ---
5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms
IPv6 DNS configuration examples
Static domain name resolution configuration example
Network requirements
As shown in Figure 39, the device wants to access the host by using an easy-to-remember domain name rather than an IPv6 address. Configure static domain name resolution on the device so that the device can use the domain name host.
Figure 40 Network diagram
Configuration procedure
Before performing the following configuration, make sure that:
• The device and the host can reach each other.
• The IPv6 addresses of the interfaces are configured as shown in Figure 40.
1. Configure the DNS server:
The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2003.
Figure 42 Creating a record
d. On the page that appears, select IPv6 Host (AAAA) as the resource record type.
Figure 43 Selecting the resource record type
e. Type host name host and IPv6 address 1::1.
f. Click OK. The mapping between the IPv6 address and host name is created.
Figure 44 Adding a mapping between domain name and IPv6 address
2. Configure the DNS client:
# Specify the DNS server 2::2.
system-view
[Device] ipv6 dns server 2::2
# Configure com as the DNS suffix.
[Device] dns domain com
Verifying the configuration
# Use the ping ipv6 host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 1::1.
DNS proxy configuration example
Network requirements
When the IP address of the DNS server changes, you must configure the new IP address of the DNS server on each device on the LAN. To simplify network management, you can use the DNS proxy function. As shown in Figure 45:
• Specify Device A as the DNS server of Device B (the DNS client). Device A acts as a DNS proxy. The IP address of the real DNS server is 4000::1.
• Configure the IP address of the DNS proxy on Device B.
Verifying the configuration
# Use the ping host.com command on Device B to verify that the connection between the device and the host is normal and that the translated destination IP address is 3000::1.
[DeviceB] ping host.com
Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break
56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms
56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms
56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms
56 bytes from 3000::1, icmp_seq=3 hlim=128 time=1.
Configuring DDNS
Overview
DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails. Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers. DDNS is supported by only IPv4 DNS, and it is used to update the mappings between domain names and IPv4 addresses.
DDNS application
As shown in Figure 46, DDNS works on the client-server model.
NOTE: The DDNS update process does not have a unified standard but varies by the DDNS server that the DDNS client contacts.
DDNS client configuration task list
Tasks at a glance
(Required.) Configuring a DDNS policy
(Required.) Applying the DDNS policy to an interface
(Optional.) Setting the DSCP value for outgoing DDNS packets
Configuring a DDNS policy
A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, associated SSL client policy, and update time interval.
HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols. The URL address for an update request can start with:
• http://: The HTTP-based DDNS server.
• https://: The HTTPS-based DDNS server.
• ods://: The TCP-based ODS server.
• gnudip://: The TCP-based GNUDIP server.
• oray://: The TCP-based DDNS server.
members.3322.org and phservice2.oray.net are the domain names of DDNS servers.
3. Specify a URL address for DDNS update requests. Command: url request-url. Remarks: By default, no URL address is specified for DDNS update requests.
4. Specify the username to be contained in the URL address. Command: username username. Remarks: By default, no username is specified.
5. Specify the password to be contained in the URL address. Command: password { cipher | simple } password. Remarks: By default, no password is specified.
6. (Optional.
NOTE: If no FQDN is specified for the PeanutHull DDNS server, the DDNS server updates all domain names of the DDNS client account. If an FQDN is specified, the DDNS server updates only the mapping between the specified FQDN and the primary IP address.
Setting the DSCP value for outgoing DDNS packets
The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.
Figure 47 Network diagram (diagram: Router, the DDNS client with GE2/1/1 at 1.1.1.1, reaches the www.3322.org DDNS server and the DNS server across the IP network)
Configuration procedure
Before configuring DDNS on Router, do the following:
• Register with username steven and password nevets at http://www.3322.org (www.pubyun.com).
• Add Router's host name-to-IP address mapping to the DNS server.
• Make sure the devices can reach each other.
# Create a DDNS policy named 3322.org, and enter its view.
system-view
[Router] ddns policy 3322.
DDNS configuration example with PeanutHull server
Network requirements
As shown in Figure 48, Router is a Web server with domain name whatever.gicp.cn. Router acquires the IP address through DHCP. Through the PeanutHull server, Router informs the DNS server of the latest mapping between its domain name and IP address. Router uses the DNS server to translate www.oray.cn into its IP address.
Figure 48 Network diagram (diagram: Router, the DDNS client with GE2/1/1, reaches the www.oray.cn DDNS server across the IP network; the address label is cut off at 1.1.1.)
After the configuration is completed, Router notifies the DNS server of its new domain name-to-IP address mapping through the PeanutHull server, whenever the IP address of Router changes. Therefore, Router can always provide Web service at whatever.gicp.cn.
Configuring NAT
In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080.
Network Address Translation (NAT) translates an IP address in the IP packet header to another IP address. Typically, NAT is configured on gateways to enable private users to access an external network and to enable external users to access private network resources such as a Web server. Figure 49 shows how NAT works.
NAT address: An IP address for translation, which can be manually specified or dynamically allocated. The address in the external network must be routable from the NAT address.
NAT entry: An entry recording the translation between a private and a public address on a NAT device. For more information, see "NAT entries."
Easy IP: Easy IP uses the IP address of an interface on the device as the NAT address. The IP address of the interface is obtained through DHCP or PPPoE.
C/S NAT hairpin occurs when internal users access internal servers only by using NAT addresses. The destination IP address of the packet going to the internal server is translated by matching the NAT Server configurations. The source IP address is translated by matching the outbound dynamic or static NAT entries.
NAT translation control
NAT translation control enables the device to translate only addresses matching a specific rule. You can configure ACL-based NAT to achieve NAT translation control.
Figure 50 PAT operation
See Figure 50 for an example. Packets 1 and 2, which have different source ports, are from Host A, and Packet 3, which has the same source port as Packet 1, is from Host B. PAT maps the source IP addresses of the three packets to the same NAT address and uses different port numbers to make each unique. When the NAT device receives a response packet, it translates the destination address and port number of the packet, and forwards it to the target host.
Figure 51 NAT Server operation (diagram: a host on the Internet, the NAT device between the Internet and the intranet, and the server 192.168.1.3 on the intranet; the NAT Server mapping has direction Inbound, before NAT 20.1.1.1:8080, after NAT 192.168.1.3:8080, so the request's destination 20.1.1.1:8080 becomes 192.168.1.3:8080 and the reply's source 192.168.1.3:8080 becomes 20.1.1.1:8080; other addresses shown are 192.168.1.1 and 20.1.1.2)
1. The host in the public network sends a packet destined for the public IP address and port number of the server in the private network.
2.
The NAT444 gateway provides port block-based PAT translation. It maps multiple private IP addresses to one public IP address with different port blocks. Each private IP address uses a port block exclusively. For example, private IP address 10.1.1.1 is mapped to public IP address 202.1.1.1 and port block 10001 to 10256. When the internal user initiates sessions to the public network, the source IP address 10.1.1.1 is translated to 202.1.1.
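Port block-based PAT as an added Python example, not Comware code: each private IP address receives an exclusive block of public ports, outbound sessions draw ports from that block, and replies are mapped back. It also models the two PAT mapping behaviours named later in this chapter (Address and Port-Dependent Mapping by default, or endpoint-independent). The block size of 256 mirrors the 10001 to 10256 example above, and the remote endpoints are constructed.

```python
"""NAT444 port block-based PAT with the two PAT mapping behaviours.

Added example, not Comware code. Each private IP address is bound to one
exclusive block of public ports (256 ports per block, as in the
10.1.1.1 -> 202.1.1.1:10001-10256 example). Remote endpoints are constructed.
"""
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip address, port)


class Nat444Gateway:
    def __init__(self, public_ip: str, first_port: int = 10001, block_size: int = 256,
                 last_port: int = 65535, endpoint_independent: bool = False) -> None:
        self.public_ip = public_ip
        self.first_port, self.block_size, self.last_port = first_port, block_size, last_port
        self.eim = endpoint_independent   # False = Address and Port-Dependent Mapping (default)
        self.blocks: Dict[str, Tuple[int, int]] = {}        # private ip -> (start, end)
        self.free_ports: Dict[str, List[int]] = {}          # private ip -> unused ports
        self.outbound: Dict[tuple, int] = {}                # mapping key -> public port
        self.inbound: Dict[int, Tuple[Endpoint, Optional[Endpoint]]] = {}
        self.next_start = first_port
        self.user_log: List[str] = []                       # NAT444 port block assignment log

    def assign_block(self, private_ip: str) -> Tuple[int, int]:
        """Give the private address its exclusive port block (once), or fail when exhausted."""
        if private_ip in self.blocks:
            return self.blocks[private_ip]
        start, end = self.next_start, self.next_start + self.block_size - 1
        if end > self.last_port:
            raise RuntimeError(f"no free port block left on {self.public_ip}")
        self.next_start = end + 1
        self.blocks[private_ip] = (start, end)
        self.free_ports[private_ip] = list(range(end, start - 1, -1))  # pop() yields lowest first
        self.user_log.append(f"port-block-assign {private_ip} -> {self.public_ip}:{start}-{end}")
        return start, end

    def translate_outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate the source of an internal-to-external packet; returns the public endpoint."""
        key = src if self.eim else (src, dst)
        if key in self.outbound:
            return self.public_ip, self.outbound[key]
        self.assign_block(src[0])
        if not self.free_ports[src[0]]:
            raise RuntimeError(f"port block of {src[0]} is exhausted")
        port = self.free_ports[src[0]].pop()
        self.outbound[key] = port
        # Endpoint-independent mappings accept any remote peer; the default binds the peer.
        self.inbound[port] = (src, None if self.eim else dst)
        return self.public_ip, port

    def translate_inbound(self, public_port: int, remote: Endpoint) -> Optional[Endpoint]:
        """Map a reply to the private endpoint, or None if no session allows it."""
        entry = self.inbound.get(public_port)
        if entry is None:
            return None
        src, bound_peer = entry
        if bound_peer is not None and bound_peer != remote:
            return None
        return src


if __name__ == "__main__":
    gw = Nat444Gateway("202.1.1.1")
    print(gw.translate_outbound(("10.1.1.1", 40000), ("203.0.113.5", 80)))
    print(gw.translate_outbound(("10.1.1.1", 40000), ("203.0.113.6", 443)))
    print(gw.translate_outbound(("10.1.1.2", 40000), ("203.0.113.5", 80)))
    print(gw.translate_inbound(10001, ("203.0.113.5", 80)))
    print(gw.translate_inbound(10001, ("203.0.113.9", 80)))
    print("\n".join(gw.user_log))
```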
NAT entries
NAT session entry
NAT translates the IP address of the first packet in a session and creates a NAT session entry for recording the mappings. The NAT session entry contains extended NAT information, such as interface and translation method. Subsequent packets of the session are translated by using this entry. The session management module maintains the updating and aging of NAT session entries. For information about session management, see Security Configuration Guide.
Using NAT with other features
NAT with multiple VPN instances
NAT with multiple VPN instances allows users from different VPN instances to access external networks and to access each other.
1. Upon receiving a request from a user in a VPN instance to an external network, NAT does the following:
◦ Translates the private source IP address and port number to a NAT IP address and port number.
◦ Records the VPN instance information, such as the VPN name.
2. If a match is found, NAT continues to match the public address, public port number, and the protocol type against the NAT Server configuration.
3. If a match is found, NAT translates the public IP address in the reply into the private IP address of the Web server.
4. The internal host can access the internal server.
NAT with ALG
Use NAT with ALG to translate the payload information to ensure connection establishment.
• Add a route manually for inbound static NAT. Use local-ip or local-network as the destination address, and use global-ip, an address in global-network, or the next hop address of the output interface for the incoming packets as the next hop.
Configuring outbound one-to-one static NAT
To translate a private IP address into a public IP address, and vice versa, configure outbound one-to-one static NAT on the interface that connects the external network.
2. Configure a net-to-net mapping for outbound static NAT. Command: nat static outbound net-to-net local-start-address local-end-address [ vpn-instance local-name ] global global-network { mask-length | mask } [ vpn-instance global-name ] [ acl acl-number [ reversible ] ]
3. Return to system view. Command: quit. Remarks: N/A.
4. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
5. Enable static NAT on the interface. Command: nat static enable. Remarks: By default, static NAT is disabled.
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure a net-to-net mapping for inbound static NAT. Command: nat static inbound net-to-net global-start-address global-end-address [ vpn-instance global-name ] local local-network { mask-length | mask } [ vpn-instance local-name ] [ acl acl-number [ reversible ] ]
3. Return to system view. Command: quit. Remarks: N/A.
4. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
5. Enable static NAT on the interface.
• The source IP address of the outgoing packets that match the ACL permit statement is translated into an address in the address group.
• The reversible keyword enables the device to perform the following operations:
◦ Compare the destination IP address in the first packet from the public network to the private network with existing NO-PAT entries.
◦ Translate the destination address into the NAT address in a matching NO-PAT entry.
To configure outbound dynamic NAT:
1.
• The reversible keyword enables the device to perform the following operations:
◦ Compare the destination IP address in the first packet from the private network to the public network against existing NO-PAT entries.
◦ Translate the destination address into the NAT address in a matching NO-PAT entry.
Inbound dynamic NAT does not support Easy IP.
To configure inbound dynamic NAT:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure an address group and enter its view.
3. Configure one or more common NAT Server mappings. Command:
• A single global address with a single or no global port: nat server protocol pro-type global { global-address | current-interface | interface interface-type interface-number } [ global-port ] [ vpn-instance global-name ] inside local-address [ local-port ] [ vpn-instance local-name ] [ acl acl-number ]
• A single global address with consecutive global ports:
5. Configure load sharing NAT Server. Command: nat server protocol pro-type global { { global-address | current-interface | interface interface-type interface-number } { global-port | global-port1 global-port2 } | global-address1 global-address2 global-port } [ vpn-instance global-name ] inside server-group group-number [ vpn-instance local-name ] [ acl acl-number ]. Remarks: By default, no internal server exists. You can configure multiple load sharing internal servers on an interface.
11. (Optional.) Configure the mapping behavior for PAT. Command: nat mapping-behavior endpoint-independent [ acl acl-number ]. Remarks: The default mapping behavior is Address and Port-Dependent Mapping.
Configuring dynamic NAT444
Dynamic NAT444 is applicable when the private IP addresses are not fixed.
To configure dynamic NAT444:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Create a NAT address group, and enter its view.
2. Configure a DNS mapping for NAT. Command: nat dns-map domain domain-name protocol pro-type { interface interface-type interface-number | ip global-ip } port global-port. Remarks: By default, no DNS mapping for NAT exists. You can configure multiple DNS mappings for NAT.
Configuring NAT hairpin
NAT hairpin enables an internal host to access an internal server or another internal host by using NAT addresses.
• A NAT session is removed. This happens when you add configuration with a higher priority, remove configuration, or change ACLs, and when a NAT session ages out or is deleted.
• Active NAT flows exist. When the interval for logging active NAT flows is reached, the NAT session is logged.
To enable NAT session logging:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable NAT logging. Command: nat log enable [ acl acl-number ]. Remarks: By default, NAT logging is disabled.
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable NAT logging. Command: nat log enable [ acl acl-number ]. Remarks: By default, NAT logging is disabled. The acl acl-number option does not take effect on NAT444 user logging.
3. Enable NAT444 user logging. Command:
• For port block assignment: nat log port-block-assign
• For port block withdrawal:
Remarks: By default, NAT444 user logging is disabled.
Task: Display NAT address group information. Command: display nat address-group [ group-number ]
Task: Display NAT with DNS mapping configuration. Command: display nat dns-map
Task: Display information about NAT EIM entries (MSR2000/MSR3000). Command: display nat eim
Task: Display information about NAT EIM entries (MSR4000). Command: display nat eim [ slot slot-number ]
Task: Display information about inbound dynamic NAT. Command: display nat inbound
Task: Display NAT logging configuration.
NAT configuration examples
One-to-one static NAT for internal-to-external access
Network requirements
Configure static NAT to allow the user at 10.110.10.8/24 to access the Internet.
Figure 54 Network diagram
Configuration procedure
# Specify IP addresses for the interfaces. (Details not shown.)
# Configure a one-to-one static NAT mapping between internal address 10.110.10.8 and the NAT address 202.38.1.100.
system-view
[Router] nat static 10.110.10.8 202.38.1.
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source IP/port: 202.38.1.111/42496
  Destination IP/port: 202.38.1.
# Configure ACL 2000, and create a rule to permit packets only from segment 192.168.1.0/24 to pass through.
[Router] acl number 2000
[Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Router-acl-basic-2000] quit
# Enable outbound dynamic PAT on interface GigabitEthernet 2/1/2. The source IP addresses of the packets permitted by the ACL rule are translated into the addresses in address group 0.
  NBT : Enabled
  PPTP : Enabled
  RTSP : Enabled
  RSH : Enabled
  SCCP : Enabled
  SIP : Enabled
  SQLNET : Enabled
  TFTP : Enabled
  XDMCP : Enabled
# Use the display nat session verbose command to display NAT session information generated when Host A accesses the WWW server.
[Router] display nat session verbose
Initiator:
  Source IP/port: 192.168.1.10/52992
  Destination IP/port: 200.1.1.10/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/VLL ID: -/-/-
  Protocol: ICMP(1)
Responder:
  Source IP/port: 200.1.1.
Figure 56 Network diagram
Requirements analysis
This is a typical application of bidirectional NAT.
• When an internal host tries to access the external Web server by using the domain name, a DNS query is sent to the external DNS server. The server sends the internal host a response with the Web server's IP address, which overlaps with that of the internal host.
[Router-nat-address-group-2] address 202.38.1.3 202.38.1.3
[Router-nat-address-group-2] quit
# Enable inbound NO-PAT on interface GigabitEthernet 2/1/2 to translate the source IP address in the DNS reply payload into the address in address group 1, and allow reversible NAT.
  Port-block-assign : Disabled
  Port-block-withdraw : Disabled
  Alarm : Disabled
NAT mapping behavior:
  Mapping mode: Address and Port-Dependent
  ACL : ---
NAT ALG:
  DNS : Enabled
  FTP : Enabled
  H323 : Enabled
  ICMP-ERROR : Enabled
  ILS : Enabled
  MGCP : Enabled
  NBT : Enabled
  PPTP : Enabled
  RTSP : Enabled
  RSH : Enabled
  SCCP : Enabled
  SIP : Enabled
  SQLNET : Enabled
  TFTP : Enabled
  XDMCP : Enabled
# Use the display nat session verbose command to display NAT session information generated
NAT Server for external-to-internal access
Network requirements
As shown in Figure 57, two Web servers, one FTP server, and one SMTP server are in the internal network to provide services for external users. The internal network address is 10.110.0.0/16. The company has three public IP addresses from 202.38.1.1/24 to 202.38.1.3/24. Configure the NAT Server feature to allow the external user to access the internal servers with public address 202.38.1.1/24.
Verifying the configuration
# Verify that the host on the external network can access the internal servers by using the NAT addresses. (Details not shown.)
# Display all NAT configuration and statistics.
[Router] display nat all
NAT internal server information:
  There are 4 internal servers.
  Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/21
    Local IP/port: 10.110.10.3/21
  Interface: GigabitEthernet2/1/2
    Protocol: 6(TCP)
    Global IP/port: 202.38.1.1/25
    Local IP/port: 10.110.10.
PPTP : Enabled RTSP : Enabled RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Use the display nat session verbose command to display NAT session information generated when Host accesses the FTP server. [Router] display nat session verbose Initiator: Source IP/port: 202.38.1.10/1694 Destination IP/port: 202.38.1.1/21 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) Responder: Source IP/port: 10.110.10.
Figure 58 Network diagram Requirements analysis To meet the network requirements, perform the following tasks: • To make sure the external host can access the internal DNS server, configure the NAT Server feature to map the internal IP address and port of the DNS server to an external address and port. • Enable DNS with ALG and configure outbound dynamic NAT to translate the internal IP address of the Web server in the payload of the DNS response packet to an external IP address.
Verifying the configuration # Verify that the host on the external network can access the internal Web server by using the server's domain name. (Details not shown.) # Display all NAT configuration and statistics. [Router] display nat all NAT address group information: There are 1 NAT address groups. Address group 1: Address information: Start address End address 202.38.1.3 202.38.1.3 NAT outbound information: There are 1 NAT outbound rules.
RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Use the display nat session verbose command to display NAT session information generated when Host accesses Web server. [Router] display nat session verbose Initiator: Source IP/port: 202.1.1.2/1694 Destination IP/port: 202.38.1.3/8080 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) Responder: Source IP/port: 10.110.10.2/8080 Destination IP/port: 202.1.1.
Figure 59 Network diagram Requirements analysis This is a typical application of bidirectional NAT. • To make sure the external host can access the internal Web server by using its domain name, configure NAT Server so that the external host can access the internal DNS server to obtain the IP address of the Web server. • The IP address of the Web server overlaps with the external host and is included in the response sent by the internal DNS server to the external host.
# Add address 202.38.1.3 to the address group. [Router-nat-address-group-2] address 202.38.1.3 202.38.1.3 [Router-nat-address-group-2] quit # Configure NAT Server on interface GigabitEthernet 2/1/2 to allow external hosts to access the internal DNS server by using the address 202.38.1.4. [Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] nat server protocol udp global 202.38.1.4 inside 192.168.1.
NAT internal server information: There are 1 internal servers. Interface: GigabitEthernet2/1/2 Protocol: 17(UDP) Global IP/port: 202.38.1.4/53 Local IP/port: 200.1.1.
Destination IP/port: 202.38.1.3/1025 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) State: TCP_ESTABLISHED Application: HTTP Start time: 2012-08-15 14:53:29 TTL: 3597s Interface(in) : GigabitEthernet2/1/2 Interface(out): GigabitEthernet2/1/1 Initiator->Responder: 7 packets 308 bytes Responder->Initiator: 5 packets 312 bytes Total sessions found: 1 NAT hairpin in C/S mode Network requirements As shown in Figure 60, the internal FTP server at 192.168.1.
system-view [Router] acl number 2000 [Router-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255 [Router-acl-basic-2000] quit # Configure NAT Server on interface GigabitEthernet 2/1/2 to map the IP address of the FTP server to a NAT address, allowing external users to access the internal FTP server. [Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] nat server protocol tcp global 202.38.1.2 inside 192.168.1.
NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS : Enabled FTP : Enabled H323 : Enabled ICMP-ERROR : Enabled ILS : Enabled MGCP : Enabled NBT : Enabled PPTP : Enabled RTSP : Enabled RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Use the display nat session verbose command to display NAT session information generated when Host A accesses the FTP server.
NAT hairpin in P2P mode for access between internal users Network requirements In the P2P application, internal clients must register their IP addresses with the external server, and the server records the registered IP addresses and port numbers of the internal clients. An internal client must request the IP address and port number of another client from the external server before accessing that client.
[Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] nat outbound 2000 [Router-GigabitEthernet2/1/2] quit # Configure the Endpoint-Independent Mapping mode for PAT. For packets with the same source address and port number and permitted by ACL 2000, the source address and port number are translated to the same external address and port number. [Router] nat mapping-behavior endpoint-independent acl 2000 # Enable NAT hairpin on interface GigabitEthernet 2/1/1.
PPTP : Enabled RTSP : Enabled RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Use the display nat session verbose command to display NAT session information generated when Client A accesses Client B. [Router] display nat session verbose Initiator: Source IP/port: 192.168.1.3/44929 Destination IP/port: 202.38.1.3/1 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: UDP(17) Responder: Source IP/port: 192.168.1.
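The P2P hairpin example above depends on the Endpoint-Independent Mapping mode rather than the default Address and Port-Dependent mode. The following is an added model of that difference (not Comware code and not the MSR implementation); Client A's 192.168.1.3:44929 and the global address 202.38.1.3 come from the example, while the server port, Client B and the assumption that EIM also admits inbound packets from any peer are constructed for illustration.

```python
"""NAT mapping behaviour model: Endpoint-Independent Mapping (EIM) versus
Address-and-Port-Dependent Mapping (APDM).

Added example; not Comware code. It models only the mapping decision a PAT
device makes for a given internal source, plus the assumption that under
EIM any external peer may use an existing mapping (what the P2P hairpin
example relies on). All flows are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Endpoint = Tuple[str, int]           # (IP address, port)

EIM = "endpoint-independent"         # one mapping per internal (IP, port)
APDM = "address-port-dependent"      # one mapping per internal (IP, port) and peer


@dataclass
class PatDevice:
    global_ip: str
    mode: str
    next_port: int = 1024
    mappings: Dict[tuple, Endpoint] = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        if self.mode == EIM:
            return (EIM, src)
        return (APDM, src, dst)

    def translate(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Return the external (global) IP/port used for src -> dst,
        creating a new mapping only when the mode requires one."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = (self.global_ip, self.next_port)
            self.next_port += 1
        return self.mappings[key]

    def inbound_allowed(self, peer: Endpoint, ext: Endpoint) -> bool:
        """Can a packet from `peer` to external endpoint `ext` be translated
        back to an internal host? Under EIM any peer can use the mapping once
        it exists; under APDM only the peer the mapping was created for can
        (assumed filtering behaviour, see lead-in)."""
        for key, mapped in self.mappings.items():
            if mapped != ext:
                continue
            if key[0] == EIM or key[2] == peer:
                return True
        return False


def p2p_scenario(mode: str) -> dict:
    """Client A (192.168.1.3:44929) registers with the external P2P server,
    then Client B, which learned A's registered address from the server,
    tries to reach A. Server port and Client B are constructed."""
    nat = PatDevice("202.38.1.3", mode)
    client_a: Endpoint = ("192.168.1.3", 44929)
    server: Endpoint = ("202.38.1.10", 5000)     # constructed
    client_b: Endpoint = ("192.168.1.4", 50000)  # constructed
    # 1. A registers: this is the external address the server records
    registered = nat.translate(client_a, server)
    # 2. A later talks to B's registered address: same mapping or a new one?
    direct = nat.translate(client_a, ("202.38.1.3", 1))
    # 3. B (after its own translation) contacts A's registered address
    b_ext = nat.translate(client_b, registered)
    reachable = nat.inbound_allowed(b_ext, registered)
    return {"registered": registered, "direct": direct,
            "same_mapping": registered == direct, "b_can_reach_a": reachable}


if __name__ == "__main__":
    for mode in (EIM, APDM):
        print(mode, p2p_scenario(mode))
```

Under APDM the address the server handed out is bound to the server as peer, so the hairpinned connection from Client B never matches it; that is why the example configures nat mapping-behavior endpoint-independent for ACL 2000.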
Requirements analysis This is a typical application of twice NAT. Both the source and destination addresses of packets between the two VPNs need to be translated. Configure static NAT on both interfaces that connect the VPNs on the NAT device. Configuration procedure # Specify VPN instances and IP addresses for the interfaces. (Details not shown.) # Configure a static outbound NAT mapping between 192.168.1.2 in vpn 1 and 172.16.1.2 in vpn 2. system-view [Router] nat static outbound 192.168.1.
Flow-begin : Disabled Flow-end : Disabled Flow-active : Disabled Port-block-assign : Disabled Port-block-withdraw : Disabled Alarm : Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS : Enabled FTP : Enabled H323 : Enabled ICMP-ERROR : Enabled ILS : Enabled MGCP : Enabled NBT : Enabled PPTP : Enabled RTSP : Enabled RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Use the display na
Responder->Initiator: 5 packets 420 bytes Total sessions found: 1 Load sharing NAT Server configuration example Network requirements As shown in Figure 63, three FTP servers are in the intranet to provide FTP services for external users. Configure NAT so that these external users use the address 202.38.1.1/16 to access the servers and the three FTP servers implement load sharing. Figure 63 Network diagram 10.110.10.1/16 FTP server 1 GE2/1/1 10.110.10.10/16 GE2/1/2 202.38.1.
0 10.110.10.1 21 100 10.110.10.2 21 100 10.110.10.3 21 100 NAT internal server information: There are 1 internal servers. Interface: GigabitEthernet2/1/2 Protocol: 6(TCP) Global IP/port: 202.38.1.1/21 Local IP/port: server group 0 10.110.10.1/21 (Connections: 1) 10.110.10.2/21 (Connections: 2) 10.110.10.
Destination IP/port: 202.38.1.1/21 DS-Lite tunnel peer: VPN instance/VLAN ID/VLL ID: -/-/Protocol: TCP(6) Responder: Source IP/port: 10.110.10.3/21 Destination IP/port: 202.38.1.
• Configure NAT with DNS mapping and ALG so that the external IP address of the internal server in the payload of the DNS response packet can be translated to the internal IP address. Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Enable NAT with ALG and DNS. system-view [Router] nat alg dns # Enter interface view of GigabitEthernet 2/1/2.
Global IP/port: 202.38.1.2/80 Local IP/port: 10.110.10.1/80 NAT DNS mapping information: There are 2 NAT DNS mappings. Domain name: ftp.server.com Global IP : 202.38.1.2 Global port: 21 Protocol : TCP(6) Domain name: www.server.com Global IP : 202.38.1.
Static NAT444 configuration example Network requirements As shown in Figure 65, configure static NAT444 to allow users at private IP addresses 10.110.10.1 to 10.110.10.10 to use the public IP address 202.38.1.100 to access the Internet. Set the port range to 10001 to 15000, and set the port block size to 500. Figure 65 Network diagram Configuration procedure # Specify IP addresses for the interfaces. (Details not shown.) # Create NAT port block group 1.
Alarm : Disabled NAT mapping behavior: Mapping mode: Address and Port-Dependent ACL : --- NAT ALG: DNS : Enabled FTP : Enabled H323 : Enabled ICMP-ERROR : Enabled ILS : Enabled MGCP : Enabled NBT : Enabled PPTP : Enabled RTSP : Enabled RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled NAT port block group information: There are 1 NAT port block groups.
--- 10.110.10.7 202.38.1.100 13001-13500 0 --- 10.110.10.8 202.38.1.100 13501-14000 0 --- 10.110.10.9 202.38.1.100 14001-14500 0 --- 10.110.10.10 202.38.1.100 14501-15000 0 Dynamic NAT444 configuration example Network requirements As shown in Figure 66, a company uses private IP addresses on network 192.168.0.0/16 and public IP addresses 202.38.1.2 and 202.38.1.3. Configure dynamic NAT444 with the following requirements: • Only users on subnet 192.168.1.
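The static NAT444 port block table above (Figure 65 example) is deterministic: block n of the port range goes to the n-th private address. The following added example (not Comware code) reproduces that arithmetic and adds the reverse lookup an operator needs when a log or abuse report names only a public IP and port; it assumes a single public address and ascending block assignment, as the display output shows.

```python
"""Static NAT444 port-block arithmetic.

Added example for the static NAT444 configuration (Figure 65); not Comware
code. Reproduces the allocation visible in the display nat all output
(10.110.10.7 -> 202.38.1.100 ports 13001-13500) and the reverse lookup
used for attribution. One public address is assumed.
"""
import ipaddress
from typing import Optional, Tuple


class StaticNat444:
    def __init__(self, local_start: str, local_end: str, global_ip: str,
                 port_start: int, port_end: int, block_size: int) -> None:
        self.local_start = ipaddress.IPv4Address(local_start)
        self.local_end = ipaddress.IPv4Address(local_end)
        self.global_ip = global_ip
        self.port_start, self.port_end = port_start, port_end
        self.block_size = block_size
        hosts = int(self.local_end) - int(self.local_start) + 1
        blocks = (port_end - port_start + 1) // block_size
        if hosts > blocks:
            # Every private host needs its own block, otherwise some hosts
            # could never be translated.
            raise ValueError(f"{hosts} hosts but only {blocks} port blocks")

    def block_for(self, local_ip: str) -> Tuple[str, int, int]:
        """Public IP and inclusive port range assigned to a private host.
        Blocks are handed out in ascending address order (assumption that
        matches the guide's output)."""
        addr = ipaddress.IPv4Address(local_ip)
        if not self.local_start <= addr <= self.local_end:
            raise ValueError(f"{local_ip} is outside the port block group")
        index = int(addr) - int(self.local_start)
        first = self.port_start + index * self.block_size
        return self.global_ip, first, first + self.block_size - 1

    def local_for(self, global_ip: str, global_port: int) -> Optional[str]:
        """Reverse lookup for logging/attribution: which private host owns
        this public IP/port? Returns None if nothing maps there."""
        if global_ip != self.global_ip:
            return None
        if not self.port_start <= global_port <= self.port_end:
            return None
        index = (global_port - self.port_start) // self.block_size
        addr = self.local_start + index
        if addr > self.local_end:
            return None   # block lies in the range but is unassigned
        return str(addr)


def figure65_group() -> StaticNat444:
    """The port block group from the static NAT444 example above."""
    return StaticNat444("10.110.10.1", "10.110.10.10", "202.38.1.100",
                        10001, 15000, 500)


if __name__ == "__main__":
    g = figure65_group()
    for i in range(1, 11):
        print(f"10.110.10.{i}", g.block_for(f"10.110.10.{i}"))
    print("202.38.1.100:14600 ->", g.local_for("202.38.1.100", 14600))
```

Because each private host keeps a fixed block, a single record of the configuration is enough to attribute any public IP/port pair later, which is the operational advantage of static NAT444 over dynamic port allocation.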
# Configure outbound NAT444 on interface GigabitEthernet 2/1/2. [Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] nat outbound 2000 address-group 0 [Router-GigabitEthernet2/1/2] quit Verifying the configuration # Verify that Host A can access external servers, but Host B and Host C cannot. (Details not shown.) # Display all NAT configuration and statistics. [Router]display nat all NAT address group information: There are 1 NAT address groups.
RSH : Enabled SCCP : Enabled SIP : Enabled SQLNET : Enabled TFTP : Enabled XDMCP : Enabled # Display NAT statistics.
Basic IP forwarding on the device Upon receiving a packet, the device uses the destination IP address of the packet to find a match from the forwarding information base (FIB) table, and then uses the matching entry to forward the packet. FIB table A device selects optimal routes from the routing table, and puts them into the FIB table. Each FIB entry specifies the next hop IP address and output interface for packets destined for a specific subnet or host.
Task Command Display FIB entries.
Configuring fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: source IP address, source port number, destination IP address, destination port number, and protocol number.
Fast forwarding configuration example Network requirements As shown in Figure 67, enable fast forwarding on Router B. Figure 67 Network diagram Configuration procedure 1. Configure Router A: # Configure the IP address of interface GigabitEthernet 2/1/1. system-view [RouterA] interface gigabitethernet2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 11.1.1.1 255.0.0.0 [RouterA-GigabitEthernet2/1/1] quit # Configure a static route. [RouterA] ip route-static 22.1.1.0 255.0.0.0 11.1.1.2 2.
No fast-forwarding entries. The output shows that no fast forwarding entry exists. # Ping the IP address of GigabitEthernet 2/1/2 on Router C from Router A. Reply packets can be received. [RouterA] ping 22.1.1.2 PING 22.1.1.2: 56 data bytes, press CTRL_C to break Reply from 22.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms Reply from 22.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms Reply from 22.1.1.2: bytes=56 Sequence=3 ttl=254 time=1 ms Reply from 22.1.1.
Configuring flow classification To implement differentiated services, flow classification categorizes packets to be forwarded by a multi-core device according to one of the following flow classification policies: • Flow-based policy—Forwards packets of a flow to the same CPU. A data flow is defined by using the following fields: source IP address, destination IP address, source port number, destination port number, and protocol number. This policy takes the first-in first-out rule.
Displaying the adjacency table In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. The adjacency table stores information about directly connected neighbors for IP forwarding. The neighbor information in the adjacency table in this chapter refers to non-Ethernet neighbor information. This table is not user configurable.
Item Description Link head information(MPLS) Link layer header for MPLS forwarding. To display adjacency table entries, use one of the following commands in any view: Task Command Display IPv4 adjacency table information (MSR2000/MSR3000). display adjacent-table { all | physical-interface interface-type interface-number | routing-interface interface-type interface-number } [ count | verbose ] Display IPv4 adjacency table information (MSR4000).
Configuring IRDP The term router in this chapter refers to a routing-capable device. The term host in this chapter refers to a host that supports IRDP, for example, a host that runs the Linux operating system. Overview ICMP Router Discovery Protocol (IRDP), an extension of ICMP, allows hosts to discover the IP addresses of neighboring routers that can be used as a default gateway to reach IP-based devices on other networks.
A larger preference value represents a higher preference. The minimum preference value (-2147483648) indicates that the address, even though it might be advertised, is not to be used by neighboring hosts as a default gateway address. Lifetime of an IP address An RA contains a lifetime field that specifies the lifetime of advertised IP addresses. If no new RA for an IP address is received within the lifetime of the IP address, the host removes the corresponding route entry.
5. (Optional.) Set the lifetime of advertised IP addresses. Command: ip irdp lifetime lifetime-value. Remarks: The default lifetime is 1800 seconds. The specified lifetime applies to all advertised IP addresses, including the IP addresses of the interface and proxy-advertised IP addresses on the interface. The lifetime of the advertised IP addresses cannot be shorter than the maximum advertising interval.
6. (Optional.) Set the maximum and minimum advertising intervals.
Configuration procedure 1. Configure Router A: # Specify an IP address for GigabitEthernet 2/1/1. system-view [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 10.154.5.1 24 # Enable IRDP on GigabitEthernet 2/1/1. [RouterA-GigabitEthernet2/1/1] ip irdp # Specify preference 1000 for advertised IP addresses on GigabitEthernet 2/1/1. [RouterA-GigabitEthernet2/1/1] ip irdp preference 1000 # Specify the multicast address 224.0.0.
[HostB@localhost ~]$ netstat -rne
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.154.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.154.5.1      0.0.0.0         UG    0      0        0 eth1
The output shows that the default route on Host B points to IP address 10.154.5.1, and Host B has routes to 192.168.1.0/24 and 192.168.2.0/24.
Optimizing IP performance In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Enabling an interface to receive and forward directed broadcasts destined for the directly connected network A directed broadcast packet is destined for all hosts on a specific network.
Configuration example Network requirements As shown in Figure 69, the default gateway of the host is the IP address 1.1.1.2/24 of the interface GigabitEthernet 2/1/1 of Router A. Configure a static route destined for the host on Router B. Router B can receive directed broadcasts from the host to IP address 2.2.2.255. Figure 69 Network diagram Configuration procedure 1. Configure Router A: # Specify IP addresses for GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2.
Fragmentation and reassembly consume system resources, so set an appropriate MTU for an interface based on the network environment to avoid fragmentation. To configure an MTU for an interface:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure the interface MTU. Command: ip mtu mtu-size. Remarks: By default, no MTU is configured.
3. Upon receiving the ICMP message, the TCP source device calculates the current path MTU of the TCP connection. 4. The TCP source device sends subsequent TCP segments, each smaller than the MSS (MSS = path MTU – IP header length – TCP header length). If the TCP source device still receives ICMP error messages when the MSS is smaller than 32 bytes, the TCP source device fragments the packets.
To enable TCP SYN Cookie:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable SYN Cookie. Command: tcp syn-cookie enable. Remarks: The default setting is disabled.
Configuring the TCP buffer size
1. Enter system view. Command: system-view. Remarks: N/A.
2. Configure the size of the TCP receive/send buffer. Command: tcp window window-size. Remarks: The default buffer size is 64 KB.
◦ The selected route is not destined for 0.0.0.0.
◦ There is no source route option in the received packet.
ICMP redirect messages simplify host management and enable hosts to gradually optimize their routing table.
• ICMP time exceeded messages
A device sends ICMP time exceeded messages by following these rules:
◦ If a received packet is not destined for the device and the TTL field of the packet is 1, the device sends an ICMP TTL exceeded in transit message to the source.
Sending ICMP error messages facilitates network management, but sending excessive ICMP messages increases network traffic. A device's performance degrades if it receives a lot of malicious ICMP messages that cause it to respond with ICMP error messages. To prevent such problems, you can disable the device from sending ICMP error messages. A device that is disabled from sending ICMP time exceeded messages does not send ICMP TTL exceeded in transit messages.
Displaying and maintaining IP performance optimization Execute display commands in any view and reset commands in user view. Task Command Display brief information about RawIP connections (MSR2000/MSR3000). display rawip Display brief information about RawIP connections (MSR4000). display rawip [ slot slot-number ] Display detailed information about RawIP connections (MSR2000/MSR3000). display rawip verbose [ pcb pcb-index ] Display detailed information about RawIP connections (MSR4000).
Task Command Clear IP packet statistics (MSR4000). reset ip statistics [ slot slot-number ] Clear TCP traffic statistics. reset tcp statistics Clear UDP traffic statistics.
Configuring UDP helper Overview UDP helper can provide the following packet conversion for packets with specific UDP destination port numbers: • Convert broadcast to unicast, and forward the unicast packets to specific destinations. • Convert broadcast to multicast, and forward the multicast packets. • Convert multicast to broadcast or unicast, and forward the broadcast or unicast packets.
2. Enable UDP helper. Command: udp-helper enable. Remarks: By default, UDP helper is disabled.
3. Specify a UDP port. Command: udp-helper port { port-number | dns | netbios-ds | netbios-ns | tacacs | tftp | time }. Remarks: By default, no UDP port is specified.
4. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
5. Specify a destination server for UDP helper to convert broadcast to unicast. Remarks: By default, no destination server is specified.
5. Specify a destination multicast address for UDP helper to convert broadcast to multicast. Command: udp-helper broadcast-map multicast-address [ acl acl-number ]. Remarks: By default, no destination multicast address is specified for UDP helper. If you specify multiple multicast addresses, UDP helper creates one copy for each address. Use this command on the interface that receives broadcast packets.
5. Map a multicast address to a directed broadcast or a unicast address for UDP helper. Command: udp-helper multicast-map multicast-address ip-address [ global | vpn-instance vpn-instance-name ] [ acl acl-number ]. Remarks: By default, no address mapping is specified for UDP helper. If you specify multiple multicast and unicast addresses, UDP helper creates one copy for each address. For multicast to broadcast conversion, do not specify a limited broadcast address for the ip-address argument.
system-view [RouterA] udp-helper enable # Enable UDP helper to forward broadcast packets with the UDP destination port 55. [RouterA] udp-helper port 55 # Associate interface GigabitEthernet 2/1/2 with VPN instance a. [RouterA] interface gigabitethernet 2/1/2 [RouterA-GigabitEthernet2/1/2] ip binding vpn-instance a [RouterA-GigabitEthernet2/1/2] quit # Specify the destination server 10.2.1.1 in VPN instance a on the interface GigabitEthernet 2/1/1.
# Configure UDP helper to convert broadcast packets to multicast packets destined for 225.1.1.1 on GigabitEthernet 2/1/1. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ip address 10.110.1.1 16 [RouterA-GigabitEthernet2/1/1] udp-helper broadcast-map 225.1.1.1 [RouterA-GigabitEthernet2/1/1] quit # Enable IP multicast routing globally. [RouterA] multicast routing [RouterA-mrib] quit # Enable PIM-DM and IGMP on GigabitEthernet 2/1/1.
# Enable UDP helper. system-view [RouterA] udp-helper enable # Enable UDP helper to forward multicast packets with the UDP destination port 55. [RouterA] udp-helper port 55 # Configure UDP helper to convert multicast packets from 225.1.1.1 to broadcast packets destined for 10.110.255.255. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] udp-helper multicast-map 225.1.1.1 10.110.255.
Configuring basic IPv6 settings In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview IPv6, also called IP next generation (IPng), was designed by the IETF as the successor to IPv4. One significant difference between IPv6 and IPv4 is that IPv6 increases the IP address size from 32 bits to 128 bits.
Address autoconfiguration To simplify host configuration, IPv6 supports stateful and stateless address autoconfiguration. • Stateful address autoconfiguration enables a host to acquire an IPv6 address and other configuration information from a server (for example, a DHCPv6 server). For more information about DHCPv6 server, see "Configuring the DHCPv6 server.
An IPv6 address consists of an address prefix and an interface ID, which are equivalent to the network ID and the host ID of an IPv4 address. An IPv6 address prefix is written in IPv6-address/prefix-length notation, where the prefix-length is a decimal number indicating how many leftmost bits of the IPv6 address make up the address prefix. IPv6 address types IPv6 addresses include the following types: • Unicast address—An identifier for a single interface, similar to an IPv4 unicast address.
Multicast addresses IPv6 multicast addresses listed in Table 11 are reserved for special purposes.
Table 8 Reserved IPv6 multicast addresses
Address  Application
FF01::1  Node-local scope all-nodes multicast address.
FF02::1  Link-local scope all-nodes multicast address.
FF01::2  Node-local scope all-routers multicast address.
FF02::2  Link-local scope all-routers multicast address.
Multicast addresses also include solicited-node addresses.
IPv6 ND protocol The IPv6 Neighbor Discovery (ND) protocol uses the following ICMPv6 messages:
Table 9 ICMPv6 messages used by ND
ICMPv6 message, Type: Function
Neighbor Solicitation (NS), 135: Acquires the link-layer address of a neighbor. Verifies whether a neighbor is reachable. Detects duplicate addresses.
Neighbor Advertisement (NA), 136: Responds to an NS message. Notifies the neighboring nodes of link layer changes.
Router Solicitation (RS), 133:
Neighbor reachability detection After Host A acquires the link-layer address of its neighbor Host B, Host A can use NS and NA messages to test reachability of Host B as follows: 1. Host A sends an NS message whose destination address is the IPv6 address of Host B. 2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable. Otherwise, Host B is unreachable.
Redirection Upon receiving a packet from a host, the gateway sends an ICMPv6 redirect message to inform the host of a better next hop when the following conditions are met (similar to the ICMP redirection function in IPv4): • The interface receiving the packet is the same as the interface forwarding the packet. • The selected route is not created or modified by an ICMPv6 redirect message. • The selected route is not a default route on the device.
of all transition technologies. However, it does not solve the IPv4 address depletion issue because each dual stack node must have a globally unique IPv4 address. Tunneling Tunneling uses one network protocol to encapsulate the packets of another network protocol and transfers them over the network. For more information about tunneling, see "Configuring tunneling.
• RFC 3307, Allocation Guidelines for IPv6 Multicast Addresses • RFC 4191, Default Router Preferences and More-Specific Routes • RFC 4291, IP Version 6 Addressing Architecture • RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification • RFC 4861, Neighbor Discovery for IP Version 6 (IPv6) • RFC 4862, IPv6 Stateless Address Autoconfiguration IPv6 basics configuration task list Tasks at a glance (Required.
• EUI-64 IPv6 address—The IPv6 address prefix of the interface is manually configured, and the interface identifier is generated automatically by the interface. • Manual configuration—The IPv6 global unicast address is manually configured. • Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message. You can configure multiple IPv6 global unicast addresses on an interface.
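The EUI-64 method above derives the interface identifier from the interface's MAC address, and the solicited-node multicast addresses mentioned under "Multicast addresses" are derived from the resulting unicast address. The following added example (not Comware code) shows both derivations in Python; the MAC address is constructed, and 2001::/64 is the prefix used in the configuration example at the end of this chapter.

```python
"""EUI-64 interface IDs and solicited-node multicast addresses.

Added example for the IPv6 addressing sections of this chapter; not
Comware code. MAC addresses used here are constructed.
"""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 from a 48-bit MAC: split the OUI and NIC halves,
    insert FF-FE between them, and invert the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02   # U/L bit is inverted in modified EUI-64 (RFC 4291)
    return int.from_bytes(eui, "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address = configured 64-bit prefix + automatically generated
    interface ID, as for the EUI-64 method described above."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address)
                                 | eui64_interface_id(mac))


def link_local_eui64(mac: str) -> ipaddress.IPv6Address:
    """Link-local address generated from the MAC under fe80::/64."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast
    address. NS messages for address resolution and DAD are sent here,
    so a node must join this group for every unicast address it holds."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


if __name__ == "__main__":
    mac = "00-11-22-33-44-55"   # constructed
    gua = eui64_address("2001::/64", mac)
    print("global unicast :", gua)
    print("link-local     :", link_local_eui64(mac))
    print("solicited-node :", solicited_node(str(gua)))
    print("solicited-node for 2001::1:", solicited_node("2001::1"))
```

An EUI-64 interface ID embeds the MAC address in every global address, which is why the temporary addresses described later in this chapter exist.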
3. Enable stateless autoconfiguration. Command: ipv6 address auto. Remarks: By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses and link-local addresses that are automatically generated on the interface.
To generate a temporary address, an interface must be enabled with stateless address autoconfiguration. Temporary IPv6 addresses do not overwrite public IPv6 addresses, so an interface can have multiple IPv6 addresses with the same address prefix but different interface IDs. If an interface fails to generate a public IPv6 address because of a prefix conflict or other reasons, it does not generate any temporary IPv6 address.
Manually specifying an IPv6 link-local address for an interface
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Manually specify an IPv6 link-local address for the interface. Command: ipv6 address ipv6-address link-local. Remarks: By default, no link-local address is configured on an interface. After an IPv6 global unicast address is configured on the interface, a link-local address is generated automatically.
• Method 2—Associate a neighbor's IPv6 address and link-layer address with a local port in a VLAN. If you use Method 2, make sure the corresponding VLAN interface exists and the Layer 2 port specified by port-type port-number belongs to the VLAN specified by vlan-id. The device associates the VLAN interface with the neighbor IPv6 address to identify the static neighbor entry. To configure a static neighbor entry: Step Command Remarks 1. Enter system view. system-view N/A 2.
Minimizing link-local ND entries Perform this task to minimize link-local ND entries assigned to the driver. Link-local ND entries refer to ND entries comprising link-local addresses. By default, the device assigns all ND entries to the driver. With this feature enabled, the device does not add newly learned link-local ND entries whose link-local addresses are not the next hop of any route into the driver, to save driver resources.
Parameter Description Determines whether a host uses stateful autoconfiguration to obtain an IPv6 address. If the M flag is set to 1, the host uses stateful autoconfiguration (for example, from a DHCPv6 server) to obtain an IPv6 address. Otherwise, the host uses stateless autoconfiguration to generate an IPv6 address according to its link-layer address and the prefix information in the RA message.
Configuring parameters for RA messages
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure the prefix information in RA messages.
message again. If the interface still does not receive a response after the number of attempts reaches the threshold specified by the ipv6 nd dad attempts command, it considers the address usable. To configure the number of attempts to send an NS message for DAD:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view. Command: interface interface-type interface-number. Remarks: N/A.
3. Configure the number of attempts to send an NS message for DAD.
Figure 80 Application environment of local ND proxy (figure labels: Router, GE1/0/2 4:3::100/16, VLAN 2, Private VLAN, GE1/0/2 uplink-port, GE1/0/3, GE1/0/1, Host A, Switch, Host B, 4:2::100/16, 4:1::100/16)
Because Host A's IPv6 address is on the same subnet as Host B's, Host A directly sends an NS message to obtain Host B's MAC address. However, Host B cannot receive the NS message because they are isolated at Layer 2.
Configuring path MTU discovery Configuring the interface MTU IPv6 routers do not support packet fragmentation. If the size of a packet exceeds the MTU of the output interface, the router discards the packet and sends a Packet Too Big message to the source host. The source host fragments the packet according to the MTU. To avoid this situation, configure a proper interface MTU. To configure the interface MTU:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enter interface view.
Controlling sending ICMPv6 messages This section describes how to configure ICMPv6 message sending. Configuring the rate limit for ICMPv6 error messages To avoid sending excessive ICMPv6 error messages within a short period that might cause network congestion, you can limit the rate at which ICMPv6 error messages are sent. A token bucket algorithm is used with one token representing one ICMPv6 error message.
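The token bucket described above can be reasoned about concretely: a burst of would-be error messages drains the bucket, and only one message per refill interval gets through until the bucket recovers. The following added example (not Comware code) implements that policy; the 100 ms interval and bucket size of 10 are illustrative values, not the device defaults, and the event timestamps are constructed.

```python
"""Token-bucket rate limit for ICMPv6 error messages.

Added example for the ICMPv6 rate-limit description; not Comware code.
One token is one ICMPv6 error message; one token is added per interval up
to the bucket size, and an error that finds the bucket empty is
suppressed. Interval and bucket size here are illustrative.
"""
from typing import List, Tuple


class Icmpv6ErrorLimiter:
    def __init__(self, interval_ms: int, bucket_size: int) -> None:
        if interval_ms <= 0 or bucket_size <= 0:
            raise ValueError("interval and bucket size must be positive")
        self.interval_ms = interval_ms
        self.bucket_size = bucket_size
        self.tokens = bucket_size          # the bucket starts full
        self.last_refill_ms = 0

    def _refill(self, now_ms: int) -> None:
        earned = (now_ms - self.last_refill_ms) // self.interval_ms
        if earned > 0:
            self.tokens = min(self.bucket_size, self.tokens + earned)
            # advance by whole intervals only, so a partial interval carries over
            self.last_refill_ms += earned * self.interval_ms

    def allow(self, now_ms: int) -> bool:
        """True if an ICMPv6 error message may be sent at now_ms."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(event_times_ms: List[int], interval_ms: int,
             bucket_size: int) -> Tuple[int, int, List[bool]]:
    """Run would-be error messages through the limiter.
    Returns (sent, suppressed, per-event decisions in time order)."""
    limiter = Icmpv6ErrorLimiter(interval_ms, bucket_size)
    decisions = [limiter.allow(t) for t in sorted(event_times_ms)]
    sent = sum(decisions)
    return sent, len(decisions) - sent, decisions


def burst_example() -> Tuple[int, int, List[bool]]:
    """Constructed scenario: 15 unreachable destinations hit the router at
    once (t=0), then a trickle at 100, 150, 250 and 1300 ms. Limiter:
    100 ms interval, bucket of 10 (illustrative)."""
    times = [0] * 15 + [100, 150, 250, 1300]
    return simulate(times, interval_ms=100, bucket_size=10)


if __name__ == "__main__":
    sent, suppressed, decisions = burst_example()
    print(f"sent={sent} suppressed={suppressed}")
    print("".join("S" if d else "." for d in decisions))
```

The burst is capped at the bucket size, so a flood of undeliverable packets cannot turn the router into an amplifier of ICMPv6 errors, while ordinary isolated errors are still reported.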
• If the device fails to deliver the packet because the destination is beyond the scope of the source IPv6 address (for example, the source IPv6 address is a link-local address whereas the destination IPv6 address is a global unicast address), the device sends the source an ICMPv6 beyond scope of source address message. • If the device fails to resolve the link layer address for the destination IPv6 address, the device sends the source an ICMPv6 address unreachable message.
The ICMPv6 redirect function simplifies host management by enabling hosts that hold few routes to optimize their routing table gradually. However, to avoid adding too many routes on hosts, this function is disabled by default. To enable sending ICMPv6 redirect messages:
1. Enter system view. Command: system-view. Remarks: N/A.
2. Enable sending ICMPv6 redirect messages. Command: ipv6 redirects enable. Remarks: By default, sending ICMPv6 redirect messages is disabled.
Task Command Display the total number of neighbor entries (MSR2000/MSR3000). display ipv6 neighbors { all | dynamic | interface interface-type interface-number | static | vlan vlan-id } count Display the total number of neighbor entries (MSR4000). display ipv6 neighbors { { all | dynamic | static } [ slot slot-number ] | interface interface-type interface-number | vlan vlan-id } count Display neighbor information for a VPN.
Task Command Display ICMPv6 traffic statistics (MSR4000). display ipv6 icmp statistics [ slot slot-number ] Display IPv6 TCP traffic statistics (MSR2000/MSR3000). display tcp statistics Display IPv6 TCP traffic statistics (MSR4000). display tcp statistics [ slot slot-number ] Display IPv6 UDP traffic statistics (MSR2000/MSR3000). display udp statistics Display IPv6 UDP traffic statistics (MSR4000). display udp statistics [ slot slot-number ] Clear IPv6 neighbor information (MSR2000/MSR3000).
[RouterA-GigabitEthernet2/1/1] quit # Configure a global unicast address for interface GigabitEthernet 2/1/2 and enable it to advertise RA messages (an interface does not advertise RA messages by default). [RouterA] interface gigabitethernet 2/1/2 [RouterA-GigabitEthernet2/1/2] ipv6 address 2001::1/64 [RouterA-GigabitEthernet2/1/2] undo ipv6 nd ra halt [RouterA-GigabitEthernet2/1/2] quit 2. Configure Router B: # Configure a global unicast address for interface GigabitEthernet 2/1/1.
InTooShorts: 0 InTruncatedPkts: 0 InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 47 OutRequests: 89 OutForwDatagrams: 48 InNoRoutes: 0 InTooBigErrors: 0 OutFragOKs: 0 OutFragCreates: 0 InMcastPkts: 6 InMcastNotMembers: 25747 OutMcastPkts: 48 InAddrErrors: 0 InDiscards: 0 OutDiscards: 0 [RouterA] display ipv6 interface gigabitethernet 2/1/2 GigabitEth
InHopLimitExceeds: 0 InBadHeaders: 0 InBadOptions: 0 ReasmReqds: 0 ReasmOKs: 0 InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 159 OutRequests: 1012 OutForwDatagrams: 35 InNoRoutes: 0 InTooBigErrors: 0 OutFragOKs: 0 OutFragCreates: 0 InMcastPkts: 79 InMcastNotMembers: 65 OutMcastPkts: 938 InAddrErrors: 0 InDiscards: 0 OutDiscards: 0 # Display IPv6 interface information on Router B.
InFragDrops: 0 InFragTimeouts: 0 OutFragFails: 0 InUnknownProtos: 0 InDelivers: 117 OutRequests: 83 OutForwDatagrams: 0 InNoRoutes: 0 InTooBigErrors: 0 OutFragOKs: 0 OutFragCreates: 0 InMcastPkts: 28 InMcastNotMembers: 0 OutMcastPkts: 7 InAddrErrors: 0 InDiscards: 0 OutDiscards: 0 # Ping Router A and Router B from the host, and ping Router A and the host from Router B to verify that they can reach each other.
Solution 1. Use the display ipv6 interface command in any view to verify that the IPv6 address of the output interface is correct and the interface is up. 2. Use the debugging ipv6 packet command in user view to enable the debugging for IPv6 packets to locate the fault.
DHCPv6 overview DHCPv6 provides a framework to assign IPv6 prefixes, IPv6 addresses, and other configuration parameters to hosts. DHCPv6 address/prefix assignment An address/prefix assignment process involves two or four messages. Rapid assignment involving two messages As shown in Figure 82, rapid assignment operates in the following steps: 1. The DHCPv6 client sends to the DHCPv6 server a Solicit message that contains a Rapid Commit option to prefer rapid assignment. 2.
Figure 83 Assignment involving four messages Address/prefix lease renewal An IPv6 address/prefix assigned by a DHCPv6 server has a valid lifetime. After the valid lifetime expires, the DHCPv6 client cannot use the IPv6 address/prefix. To use the IPv6 address/prefix, the DHCPv6 client must renew the lease time. Figure 84 Using the Renew message for address/prefix lease renewal As shown in Figure 84, at T1, the DHCPv6 client sends a Renew message to the DHCPv6 server.
For more information about the valid lifetime and the preferred lifetime, see "Configuring basic IPv6 settings." Stateless DHCPv6 Stateless DHCPv6 enables a device that has obtained an IPv6 address/prefix to get other configuration parameters from a DHCPv6 server. The device performs stateless DHCPv6 if an RA message with the following flags is received from the router during stateless address autoconfiguration: • The managed address configuration flag (M flag) is set to 0.
Configuring the DHCPv6 server Overview A DHCPv6 server can assign IPv6 addresses, IPv6 prefixes, and other configuration parameters to DHCPv6 clients. IPv6 address assignment As shown in Figure 87, the DHCPv6 server assigns IPv6 addresses, domain name suffixes, DNS server addresses, and other configuration parameters to DHCPv6 clients. The IPv6 addresses assigned to the clients include the following types: • Temporary IPv6 addresses—Frequently changed without lease renewal.
Figure 88 IPv6 prefix assignment Concepts Multicast addresses used by DHCPv6 DHCPv6 uses the multicast address FF05::1:3 to identify all site-local DHCPv6 servers. It uses the multicast address FF02::1:2 to identify all link-local DHCPv6 servers and relay agents. DUID A DHCP unique identifier (DUID) uniquely identifies a DHCPv6 device (DHCPv6 client, server, or relay agent). A DHCPv6 device adds its DUID in a sent packet.
PD The DHCPv6 server creates a prefix delegation (PD) for each assigned prefix to record the following details: • IPv6 prefix. • Client DUID. • IAID. • Valid lifetime. • Preferred lifetime. • Lease expiration time. • IPv6 address of the requesting client. DHCPv6 address pool The DHCPv6 server selects IPv6 addresses, IPv6 prefixes, and other parameters from an address pool, and assigns them to the DHCPv6 clients.
3. If no static address pool is configured and no address pool is applied to the receiving interface, the DHCPv6 server selects an address pool depending on the client location. • Client on the same subnet as the server—The DHCPv6 server compares the IPv6 address of the receiving interface with the subnets of all address pools. It selects the address pool with the longest-matching subnet.
• Configure a static IPv6 prefix binding in an address pool—If you bind a DUID and an IAID to an IPv6 prefix, the DUID and IAID in a request must match those in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client. If you only bind a DUID to an IPv6 prefix, the DUID in the request must match the DUID in the binding before the DHCPv6 server can assign the IPv6 prefix to the DHCPv6 client.
Step Command Remarks 6. Configure static or dynamic prefix assignment. • Configure a static prefix binding: prefix static-bind prefix prefix/prefix-len duid duid [ iaid iaid ] [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] • Apply the prefix pool to the address pool: prefix-pool prefix-pool-number [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] Use at least one command. By default, no static or dynamic prefix assignment is configured for an address pool.
Step Command Remarks 1. Enter system view. system-view N/A 2. (Optional.) Specify the IPv6 addresses excluded from dynamic assignment. ipv6 dhcp server forbidden-address start-ipv6-address [ end-ipv6-address ] By default, all IPv6 addresses except for the DHCPv6 server's IP address in a DHCPv6 address pool are assignable. If the excluded IPv6 address is in a static binding, the address still can be assigned to the client. To exclude multiple IPv6 prefix ranges, repeat this step. 3.
Configuring network parameters in a DHCPv6 address pool Step Command Remarks 1. Enter system view. system-view N/A 2. Create a DHCPv6 address pool and enter its view. ipv6 dhcp pool pool-name By default, no DHCPv6 address pool exists on the DHCPv6 server. 3. Specify an IPv6 subnet for dynamic assignment. network prefix/prefix-length [ preferred-lifetime preferred-lifetime valid-lifetime valid-lifetime ] By default, no IPv6 subnet is specified. 4. (Optional.) Specify a DNS server address.
Configuring the DHCPv6 server on an interface Enable the DHCPv6 server and configure one of the following address/prefix assignment methods on an interface: • Apply an address pool on the interface—The DHCPv6 server selects an IPv6 address/prefix from the applied address pool for a requesting client. If there is no assignable IPv6 address/prefix in the address pool, the DHCPv6 server cannot assign an IPv6 address/prefix to a client.
Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 server The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. To set the DSCP value for DHCPv6 packets sent by the DHCPv6 server: Step Command Remarks 1. Enter system view. system-view N/A 2. Set the DSCP value for DHCPv6 packets sent by the DHCPv6 server. ipv6 dhcp dscp dscp-value By default, the DSCP value in DHCPv6 packets sent by the DHCPv6 server is 56.
Task Command Clear packets statistics on the DHCPv6 server. reset ipv6 dhcp server statistics DHCPv6 server configuration examples Dynamic IPv6 prefix assignment configuration example Network requirements As shown in Figure 90, Router serves as a DHCPv6 server to assign an IPv6 prefix, a DNS server address, a domain name, a SIP server address, and a SIP server name to each DHCPv6 client.
# In address pool 1, bind prefix 2001:0410:0201::/48 to the client DUID 00030001CA0006A40000, and set the preferred lifetime to one day, and the valid lifetime to three days. [Router-dhcp6-pool-1] static-bind prefix 2001:0410:0201::/48 duid 00030001CA0006A40000 preferred-lifetime 86400 valid-lifetime 259200 # Configure the DNS server address as 2:2::3. [Router-dhcp6-pool-1] dns-server 2:2::3 # Configure the domain name as aaa.com. [Router-dhcp6-pool-1] domain-name aaa.
Prefix: 2001:410::/32 Assigned length: 48 Total prefix number: 65536 Available: 65535 In-use: 0 Static: 1 # After the client with the DUID 00030001CA0006A40000 obtains an IPv6 prefix, display the binding information on the DHCPv6 server. [Router-GigabitEthernet2/1/1] display ipv6 dhcp server pd-in-use Pool: 1 IPv6 prefix Type 2001:410:201::/48 Static(C) Jul 10 19:45:01 2009 Lease expiration # After the other client obtains an IPv6 prefix, display the binding information on the DHCPv6 server.
# Enable the DHCPv6 server on the interfaces GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2. system-view [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ipv6 dhcp select server [RouterA-GigabitEthernet2/1/1] quit [RouterA] interface gigabitethernet 2/1/2 [RouterA-GigabitEthernet2/1/2] ipv6 dhcp select server [RouterA-GigabitEthernet2/1/2] quit # Exclude the DNS server address from dynamic assignment.
Configuring the DHCPv6 relay agent A DHCPv6 client usually uses a multicast address to contact the DHCPv6 server on the local link to obtain an IPv6 address and other configuration parameters. As shown in Figure 92, if the DHCPv6 server resides on another subnet, the DHCPv6 clients need a DHCPv6 relay agent to contact the server. The relay agent feature avoids deploying a DHCP server on each subnet.
Figure 93 Operating process of a DHCPv6 relay agent (message sequence between DHCPv6 client, DHCPv6 relay agent, and DHCPv6 server: (1) client sends Solicit (contains a Rapid Commit option) to the relay agent; (2) relay agent sends Relay-forward to the server; (3) server returns Relay-reply to the relay agent; (4) relay agent sends Reply to the client) Configuration guidelines • You can use the ipv6 dhcp relay server-address command to specify a maximum of eight DHCPv6 servers on the DHCPv6 relay agent interface. The DHCPv6 relay agent forwards DHCPv6 requests to all the specified DHCPv6 servers.
Displaying and maintaining the DHCPv6 relay agent Execute display commands in any view and reset commands in user view. Task Command Display the DUID of the local device. display ipv6 dhcp duid Display DHCPv6 server addresses specified on the DHCPv6 relay agent. display ipv6 dhcp relay server-address [ interface interface-type interface-number ] Display packet statistics on the DHCPv6 relay agent.
[RouterA-GigabitEthernet2/1/2] quit [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ipv6 address 1::1 64 # Enable the DHCPv6 relay agent on GigabitEthernet 2/1/1 and specify the DHCPv6 server on the relay agent. [RouterA-GigabitEthernet2/1/1] ipv6 dhcp select relay [RouterA-GigabitEthernet2/1/1] ipv6 dhcp relay server-address 2::2 2. Configure Router A as the gateway, enable Router A to send RA messages, and turn on the M and O flags.
Configuring the DHCPv6 client Overview With DHCPv6 client configured, an interface can obtain configuration parameters from the DHCPv6 server. A DHCPv6 client can use DHCPv6 to complete the following functions: • Obtain an IPv6 address and other configuration parameters, and automatically create a DHCPv6 option group for the obtained parameters. • Obtain an IPv6 prefix and other configuration parameters, and automatically create a DHCPv6 option group for the obtained parameters.
Step Command Remarks 2. Enter interface view. • Layer 3 Ethernet interface: interface interface-type interface-number • Layer 3 aggregate interface: interface route-aggregation interface-number • VLAN interface: interface vlan-interface interface-number N/A 3. Configure the interface to use DHCPv6 to obtain an IPv6 address and other configuration parameters.
Step Command Remarks 3. Configure the interface to support stateless DHCPv6. • Enable stateless IPv6 address autoconfiguration: ipv6 address auto • Enable stateless DHCPv6: ipv6 dhcp client stateless enable Use at least one of the methods. By default, the interface does not support stateless DHCPv6. Setting the DSCP value for DHCPv6 packets sent by the DHCPv6 client The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet.
Figure 95 Network diagram Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." # Configure GigabitEthernet 2/1/1 to support DHCPv6 rapid address assignment. Enable the DHCPv6 client to create dynamic DHCPv6 option group 1 for saving configuration parameters.
# Display information about the dynamic DHCPv6 option group. The output shows that the client has created a dynamic DHCPv6 option group for saving configuration parameters. [Router-GigabitEthernet2/1/1] display ipv6 dhcp option-group 1 DHCPv6 option group: 1 DNS server addresses: Type: Dynamic (DHCPv6 address allocation) Interface: GigabitEthernet2/1/1 2000::FF Domain name: Type: Dynamic (DHCPv6 address allocation) Interface: GigabitEthernet2/1/1 example.
Configuration procedure You must configure the DHCPv6 server before configuring the DHCPv6 client. For information about configuring the DHCPv6 server, see "Configuring the DHCPv6 server." # Configure an IPv6 address for GigabitEthernet 2/1/1 that connects to the DHCPv6 server. system-view [Router] interface gigabitethernet 2/1/1 [Router-GigabitEthernet2/1/1] ipv6 address 1::2/48 # Configure GigabitEthernet 2/1/1 to support DHCPv6 rapid prefix assignment.
DHCPv6 option group: 1 DNS server addresses: Type: Dynamic (DHCPv6 prefix allocation) Interface: GigabitEthernet2/1/1 2000::FF Domain name: Type: Dynamic (DHCPv6 prefix allocation) Interface: GigabitEthernet2/1/1 example.com SIP server addresses: Type: Dynamic (DHCPv6 prefix allocation) Interface: GigabitEthernet2/1/1 2:2::4 SIP server domain names: Type: Dynamic (DHCPv6 prefix allocation) Interface: GigabitEthernet2/1/1 bbb.
# Enable stateless IPv6 address autoconfiguration on GigabitEthernet 2/1/1. system-view [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ipv6 address auto With stateless IPv6 address autoconfiguration enabled, but no IPv6 address configured for GigabitEthernet 2/1/1, Router A generates a link-local address. It sends an RS message to Router B to request configuration information for IPv6 address generation. Upon receiving the RS message, Router B sends back an RA message.
Configuring DHCPv6 snooping In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview DHCPv6 snooping works between the DHCPv6 client and server, or between the DHCPv6 client and DHCPv6 relay agent. It guarantees that DHCPv6 clients obtain IP addresses from authorized DHCPv6 servers.
Figure 98 Trusted and untrusted ports Feature and hardware compatibility This feature is supported only on the following models: MSR routers that hold a Layer 2 switching module. HP implementation of Option 18 and Option 37 Option 18 for DHCPv6 snooping Option 18, also called the interface-ID option, is used by the DHCPv6 relay agent to determine the interface to use to forward the RELAY-REPLY message.
• VLAN ID—ID of the outer VLAN. • Second VLAN ID—ID of the inner VLAN. • DUID—DUID of the DHCPv6 client. NOTE: The Second VLAN ID field is optional. If the received DHCPv6 request does not contain a second VLAN, Option 18 also does not contain it. DHCPv6 snooping support for Option 37 Option 37, also called the remote-ID option, is used to identify the client.
Tasks at a glance (Optional.) Saving DHCPv6 snooping entries (Optional.) Setting the maximum number of DHCPv6 snooping entries (Optional.) Enabling DHCPv6-REQUEST check Configuring basic DHCPv6 snooping To make sure DHCPv6 clients can obtain valid IPv6 addresses, specify the ports connected to authorized DHCPv6 servers as trusted ports. The trusted ports and the ports connected to DHCPv6 clients must be in the same VLAN. To configure basic DHCPv6 snooping: Step Command Remarks 1. Enter system view.
Step Command Remarks 5. Enable support for Option 37. ipv6 dhcp snooping option remote-id enable By default, Option 37 is not supported. • (Optional.) Specify the content as the remote ID. ipv6 dhcp snooping option remote-id [ vlan vlan-id ] string remote-id By default, the DHCPv6 snooping device uses its DUID as the content for Option 37. Saving DHCPv6 snooping entries DHCPv6 snooping entries cannot survive a reboot.
Setting the maximum number of DHCPv6 snooping entries Perform this task to prevent the system resources from being overused. To set the maximum number of DHCPv6 snooping entries: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter interface view. interface interface-type interface-number N/A 3. Set the maximum number of DHCPv6 snooping entries for the interface to learn.
Displaying and maintaining DHCPv6 snooping Execute display commands in any view, and reset commands in user view. Task Command Display information about trusted ports. display ipv6 dhcp snooping trust Display DHCPv6 snooping entries. display ipv6 dhcp snooping binding [ address ipv6-address [ vlan vlan-id ] ] Display information about the file that stores DHCPv6 snooping entries. display ipv6 dhcp snooping binding database Display DHCPv6 packet statistics for DHCPv6 snooping (MSR2000/MSR3000).
[RouterB] ipv6 dhcp snooping enable # Specify GigabitEthernet 2/1/1 as a trusted port. [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ipv6 dhcp snooping trust [RouterB-GigabitEthernet2/1/1] quit # Enable recording of client information in DHCPv6 snooping entries.
Configuring IPv6 fast forwarding Overview Fast forwarding reduces route lookup time and improves packet forwarding efficiency by using a high-speed cache and data-flow-based technology. It identifies a data flow by using the following fields: • Source IPv6 address. • Destination IPv6 address. • Source port number. • Destination port number. • Protocol number. • VPN instance name.
Task Command Clear IPv6 fast forwarding table information (MSR4000). reset ipv6 fast-forwarding cache [ slot slot-number ] IPv6 fast forwarding configuration example Network requirements As shown in Figure 102, enable IPv6 fast forwarding on Router B. Figure 102 Network diagram Configuration procedure 1. Configure Router A: # Specify the IPv6 address of interface GigabitEthernet 2/1/1.
[RouterB-GigabitEthernet2/1/2] quit Verifying the configuration # Display the IPv6 fast forwarding table on Router B. [RouterB] display ipv6 fast-forwarding cache No IPv6 fast-forwarding entries. The output shows that no IPv6 fast forwarding entry exists. # Ping the IPv6 address of GigabitEthernet 2/1/2 on Router C from Router A. Reply packets can be received.
Configuring tunneling In this chapter, "MSR2000" refers to MSR2003. "MSR3000" collectively refers to MSR3012, MSR3024, MSR3044, MSR3064. "MSR4000" collectively refers to MSR4060 and MSR4080. Overview Tunneling is an encapsulation technology. One network protocol encapsulates packets of another network protocol and transfers them over a virtual point-to-point connection. The virtual connection is called a tunnel.
2. After Device A receives the IPv6 packet, it processes the packet as follows: a. Searches the routing table to identify the outgoing interface for the IPv6 packet. The outgoing interface is the tunnel interface, so Device A knows that the packet needs to be forwarded through the tunnel. b. Encapsulates the IPv6 packet with an IPv4 header and forwards it through the physical interface of the tunnel.
Tunnel type / Tunnel mode / Tunnel source/destination address / Destination IPv6 address format: ISATAP tunneling—The source IPv4 address is manually configured. The destination IPv4 address is automatically obtained. Destination IPv6 address format: ISATAP address, in the format of Prefix:0:5EFE:IPv4-destination-address/64, where the IPv4-destination-address is the IPv4 address of the tunnel destination. IPv6 over IPv4 manual tunneling—A point-to-point link and its source and destination IPv4 addresses are manually configured.
Figure 104 Principle of 6to4 tunneling and 6to4 relay • ISATAP tunneling—An ISATAP tunnel is a point-to-multipoint automatic tunnel. It provides a solution to connect an IPv6 host to an IPv6 network over an IPv4 network. The destination addresses of IPv6 packets are all ISATAP addresses. The ISATAP address format is prefix:0:5EFE:abcd:efgh. The 64-bit prefix is a valid IPv6 unicast address prefix.
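The two automatic-tunnel address formats described in this chapter, the 6to4 prefix 2002:IPv4/48 (Figure 104) and the ISATAP address prefix:0:5EFE:IPv4 (above), both embed the IPv4 tunnel endpoint in the IPv6 address. The following Python is an added example, not part of the HP guide: it builds these addresses from their IPv4 endpoints and recovers the embedded endpoint the way an automatic tunnel must before encapsulating. The `prefix`, `ipv4` and `public` parameters are this example's own; the RFC 5214 variant 200:5EFE for globally unique IPv4 addresses is included as an option.

```python
import ipaddress

SIXTO4_NET = ipaddress.IPv6Network("2002::/16")
# Low 64 bits of an ISATAP address: 0000:5EFE or 0200:5EFE, then the IPv4 address.
ISATAP_PRIVATE_ID = 0x00005EFE
ISATAP_PUBLIC_ID = 0x02005EFE


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4: the site prefix is 2002:<IPv4 as two hex groups>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    hi, lo = divmod(v4, 1 << 16)
    return ipaddress.IPv6Network(f"2002:{hi:04x}:{lo:04x}::/48")


def sixto4_tunnel_destination(ipv6_dst: str):
    """Recover the IPv4 tunnel endpoint embedded in a 6to4 destination.

    Returns None when the destination is not a 6to4 address; a 6to4 router
    would then have to send it to a 6to4 relay (Figure 104) rather than
    derive the IPv4 destination itself.
    """
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in SIXTO4_NET:
        return None
    top48 = int(dst) >> 80              # bits 127..80: 2002 + embedded IPv4
    return ipaddress.IPv4Address(top48 & 0xFFFFFFFF)


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> ipaddress.IPv6Address:
    """ISATAP: <64-bit prefix>:0:5EFE:<IPv4>, as in prefix:0:5EFE:abcd:efgh.

    public=True uses the 200:5EFE interface-ID form (u/l bit set) that
    RFC 5214 defines for globally unique IPv4 addresses; the guide's
    examples use the 0:5EFE form, so that is the default here.
    """
    net = ipaddress.IPv6Network(prefix if "/" in prefix else prefix + "/64", strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP requires a 64-bit prefix")
    iid = (ISATAP_PUBLIC_ID if public else ISATAP_PRIVATE_ID) << 32
    return ipaddress.IPv6Address(int(net.network_address) | iid | int(ipaddress.IPv4Address(ipv4)))


def isatap_tunnel_destination(ipv6_dst: str):
    """Recover the IPv4 endpoint from an ISATAP destination, else None.

    This is the lookup that lets an ISATAP tunnel interface work without a
    configured destination address: the IPv4 destination is in the low 32 bits.
    """
    low64 = int(ipaddress.IPv6Address(ipv6_dst)) & ((1 << 64) - 1)
    if (low64 >> 32) not in (ISATAP_PRIVATE_ID, ISATAP_PUBLIC_ID):
        return None
    return ipaddress.IPv4Address(low64 & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed inputs taken from this chapter's own examples.
    print(sixto4_prefix("2.1.1.1"))                               # 2002:201:101::/48
    print(sixto4_tunnel_destination("2002:501:101:1::2"))         # 5.1.1.1
    print(isatap_address("fe80::", "1.1.1.2"))                    # fe80::5efe:101:102
    print(isatap_tunnel_destination("fe80::5efe:1.1.1.2"))        # 1.1.1.2
```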
Packets traveling through a tunnel undergo encapsulation and de-encapsulation, as shown in Figure 106. • Encapsulation: a. Device A receives an IP packet from an IPv4 host and submits it to the IP protocol stack. b. The IPv4 protocol stack determines how to forward the packet according to the destination address in the IP header. If the packet is destined for the IPv4 host connected to Device B, Device A delivers the packet to the tunnel interface. c.
d. The IPv6 protocol stack uses the destination IPv6 address of the packet to look up the routing table, and then sends it out. • De-encapsulation: e. Upon receiving the IPv6 packet from the attached IPv6 network, Device B delivers the packet to the IPv6 protocol stack to examine the protocol type encapsulated in the data portion of the packet. f. If the protocol type is IPv4, the IPv6 protocol stack delivers the packet to the tunneling module. g.
{ Address Family Transition Router (AFTR) An AFTR resides in the ISP network and terminates the tunnel from the B4 router. NAT is also implemented on the interface that connects the public IPv4 network. AFTR de-encapsulates the tunneled packet, translates the network address, and routes the packet to the destination IPv4 network. For IPv4 packets coming from the public IPv4 network, AFTR performs reverse address translation and sends them to the B4 router by using the DS-Lite tunnel.
− Looks up the IPv6 address-tunnel ID mapping to obtain the IP address of the B4 router. − Uses the address as the destination address of the encapsulated IPv6 packet. − Forwards the packet to the B4 router. Figure 109 shows an example of PAT translation for dynamic NAT. DS-Lite tunneling also supports static NAT and NO-PAT. Typically, dynamic NAT is used.
• RFC 2893, Transition Mechanisms for IPv6 Hosts and Routers • RFC 3056, Connection of IPv6 Domains via IPv4 Clouds • RFC 4214, Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) • RFC 6333, Dual-Stack Lite Broadband Deployments Following IPv4 Exhaustion Tunneling configuration task list Tasks at a glance (Required.
Step Command Remarks 3. (Optional.) Configure a description for the interface. description text By default, the description of a tunnel interface is Tunnel number Interface. 4. (Optional.) Specify a service card for forwarding the traffic on the tunnel interface (MSR4000). service slot slot-number By default, no service card is specified. 5. Set the MTU of the tunnel interface. mtu mtu-size By default, the MTU is 64000 bytes. By default, the expected bandwidth is 64 kbps.
• Configure a static route, and specify the local tunnel interface as the egress interface or specify the IPv6 address of the peer tunnel interface as the next hop. • Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For more information about route configuration, see Layer 3—IP Routing Configuration Guide. To configure an IPv6 over IPv4 manual tunnel: Step Command Remarks 1. Enter system view. system-view N/A 2.
Figure 111 Network diagram Configuration procedure Make sure Router A and Router B can reach each other through IPv4. • Configure Router A: # Specify an IPv4 address for GigabitEthernet 2/1/2. system-view [RouterA] interface gigabitethernet 2/1/2 [RouterA-GigabitEthernet2/1/2] ip address 192.168.100.1 255.255.255.0 [RouterA-GigabitEthernet2/1/2] quit # Specify an IPv6 address for GigabitEthernet 2/1/1.
# Specify an IPv6 address for the tunnel interface. [RouterB-Tunnel0] ipv6 address 3001::2/64 # Specify GigabitEthernet 2/1/2 as the source interface of the tunnel interface. [RouterB-Tunnel0] source gigabitethernet 2/1/2 # Specify the destination address for the tunnel interface as the IP address of GigabitEthernet 2/1/2 on Router A. [RouterB-Tunnel0] destination 192.168.50.1 [RouterB-Tunnel0] quit # Configure a static route destined for IPv6 network 1 through Tunnel 0 on Router B.
Step Command Remarks 3. Specify an IPv6 address for the tunnel interface. For configuration details, see "Configuring basic IPv6 settings." No IPv6 address is configured for the tunnel interface by default. 4. Configure a source address or source interface for the tunnel interface. source { ip-address | interface-type interface-number } By default, no source address or source interface is configured for the tunnel interface. 5. (Optional.) Set the DF bit for tunneled packets. tunnel dfbit enable
[RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ip address 192.168.50.1 255.255.255.0 [RouterB-GigabitEthernet2/1/1] quit # Configure an automatic IPv4-compatible IPv6 tunnel. [RouterB] interface tunnel 0 mode ipv6-ipv4 auto-tunnel # Specify an IPv4-compatible IPv6 address for the tunnel interface. [RouterB-Tunnel0] ipv6 address ::192.168.50.1/96 # Specify GigabitEthernet 2/1/1 as the source interface of the tunnel interface.
Step Command Remarks 4. Configure a source address or source interface for the tunnel interface. source { ip-address | interface-type interface-number } By default, no source address or source interface is configured for the tunnel interface. 5. (Optional.) Set the DF bit for tunneled packets. tunnel dfbit enable The DF bit is not set for tunneled packets by default. 6. Return to system view. quit N/A 7. (Optional.) Enable dropping of IPv6 packets using IPv4-compatible IPv6 addresses.
# Specify an IPv4 address for GigabitEthernet 2/1/2. system-view [RouterA] interface gigabitethernet 2/1/2 [RouterA-GigabitEthernet2/1/2] ip address 2.1.1.1 24 [RouterA-GigabitEthernet2/1/2] quit # Specify a 6to4 address for GigabitEthernet 2/1/1. [RouterA] interface gigabitethernet 2/1/1 [RouterA-GigabitEthernet2/1/1] ipv6 address 2002:0201:0101:1::1/64 [RouterA-GigabitEthernet2/1/1] quit # Create a 6to4 tunnel interface tunnel 0.
Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time=1ms Reply from 2002:501:101:1::2: bytes=32 time<1ms Ping statistics for 2002:501:101:1::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms 6to4 relay configuration example Network requirements As shown in Figure 114, Router A is a 6to4 router, and 6to4 addresses are used on the connected IPv6 network.
# Configure a 6to4 tunnel interface tunnel 0. [RouterA] interface tunnel 0 mode ipv6-ipv4 6to4 # Specify an IPv6 address for the tunnel interface. [RouterA-Tunnel0] ipv6 address 2002::1/64 # Specify GigabitEthernet 2/1/2 as the source interface of the tunnel interface. [RouterA-Tunnel0] source gigabitethernet 2/1/2 [RouterA-Tunnel0] quit # Configure a static route to the 6to4 relay router.
Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 13ms, Average = 3ms Configuring an ISATAP tunnel Follow these guidelines when you configure an ISATAP tunnel: • You do not need to configure a destination address for an ISATAP tunnel, because the destination IPv4 address is embedded in the ISATAP address. • Because automatic tunnels do not support dynamic routing, configure a static route destined for the destination IPv6 network at each tunnel end.
Figure 115 Network diagram Configuration procedure • Configure the router: # Specify an IPv6 address for GigabitEthernet 2/1/2. system-view [Router] interface gigabitethernet 2/1/2 [Router-GigabitEthernet2/1/2] ipv6 address 3001::1/64 [Router-GigabitEthernet2/1/2] quit # Specify an IPv4 address for GigabitEthernet 2/1/1. [Router] interface gigabitethernet 2/1/1 [Router-GigabitEthernet2/1/1] ip address 1.1.1.1 255.0.0.
preferred link-local fe80::5efe:1.1.1.2, life infinite link MTU 1280 (true link MTU 65515) current hop limit 128 reachable time 42500ms (base 30000ms) retransmission interval 1000ms DAD transmits 0 default site prefix length 48 # Specify an IPv4 address for the ISATAP router. C:\>netsh interface ipv6 isatap set router 1.1.1.1 # Display information about the ISATAP interface.
Reply from 3001::2: time=1ms Ping statistics for 3001::2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 1ms, Maximum = 1ms, Average = 1ms Configuring an IPv4 over IPv4 tunnel Follow these guidelines when you configure an IPv4 over IPv4 tunnel: • The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa.
Step Command Remarks 5. Configure a destination address for the tunnel interface. destination ip-address By default, no destination address is configured for the tunnel interface. The tunnel destination address must be the IP address of the receiving interface on the tunnel peer. It is used as the destination IP address of tunneled packets. 6. (Optional.) Set the DF bit for tunneled packets. tunnel dfbit enable The DF bit is not set for tunneled packets by default.
# Specify the IP address of Serial 2/2/1 on Router B as the destination address for the tunnel interface. [RouterA-Tunnel1] destination 3.1.1.1 [RouterA-Tunnel1] quit # Configure a static route destined for the IP network Group 2 through the tunnel interface. [RouterA] ip route-static 10.1.3.0 255.255.255.0 tunnel 1 • Configure Router B: # Specify an IPv4 address for GigabitEthernet 2/1/1. system-view [RouterB] interface gigabitethernet 2/1/1 [RouterB-GigabitEthernet2/1/1] ip address 10.1.3.
Configuring an IPv4 over IPv6 manual tunnel Follow these guidelines when you configure an IPv4 over IPv6 manual tunnel: • The destination address specified for the local tunnel interface must be the source address specified for the peer tunnel interface, and vice versa. • The source/destination addresses of local tunnels of the same tunnel mode cannot be the same.
Figure 117 Network diagram (diagram: Router A with GE2/1/1 30.1.1.1/24 to IPv4 network 1, S2/2/0 2001::1:1/64 to the IPv6 network, and Tunnel1 30.1.2.1/24; Router B with S2/2/1 2002::2:1/64 to the IPv6 network, Tunnel2 30.1.2.2/24, and GE2/1/1 30.1.3.1/24 to IPv4 network 2; an IPv4 over IPv6 tunnel between the two routers) Configuration procedure Make sure Router A and Router B can reach each other through IPv6. • Configure Router A: # Specify an IPv4 address for GigabitEthernet 2/1/1.
[RouterB] interface tunnel 2 mode ipv6
# Specify an IPv4 address for the tunnel interface.
[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Specify the IP address of Serial 2/2/1 as the source address for the tunnel interface.
[RouterB-Tunnel2] source 2002::2:1
# Specify the IP address of Serial 2/2/0 on Router A as the destination address for the tunnel interface.
• The source addresses of local tunnels of the same tunnel mode cannot be the same.
• Enable NAT on the interface that connects to the public IPv4 network.
• The tunnel destination cannot be configured on the AFTR. The AFTR uses the address of the B4 router as the IPv6 address of the tunnel destination.
• It is not necessary to configure a route to the destination IPv4 address for forwarding packets through the tunnel interface.

This section only covers the AFTR configuration.
Figure 118 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv6.
• Configure Router A:
# Specify an IPv4 address for GigabitEthernet 2/1/1.
system-view
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ip address 10.0.0.2 255.255.255.0
[RouterA-GigabitEthernet2/1/1] quit
# Specify an IPv6 address for GigabitEthernet 2/1/2, which is the physical interface of the tunnel.
[RouterB] interface tunnel 2 mode ds-lite-aftr
# Configure an IPv4 address for the tunnel interface.
[RouterB-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Specify GigabitEthernet 2/1/2 as the source interface of the tunnel interface.
[RouterB-Tunnel2] source gigabitethernet 2/1/2
[RouterB-Tunnel2] quit
# Enable DS-Lite tunneling on GigabitEthernet 2/1/1.
  ◦ Enable a dynamic routing protocol on both tunnel interfaces to achieve the same purpose. For more information about route configuration, see Layer 3—IP Routing Configuration Guide.
• The destination address of the route passing the tunnel interface must not be on the same subnet as the destination address configured for the tunnel interface.

To configure an IPv6 over IPv6 tunnel:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter IPv6 tunnel interface view.
Figure 119 Network diagram

Configuration procedure

Make sure Router A and Router B can reach each other through IPv6.
• Configure Router A:
# Specify an IPv6 address for GigabitEthernet 2/1/1.
system-view
[RouterA] interface gigabitethernet 2/1/1
[RouterA-GigabitEthernet2/1/1] ipv6 address 2002:1::1 64
[RouterA-GigabitEthernet2/1/1] quit
# Specify an IPv6 address for Serial 2/2/0, which is the physical interface of the tunnel.
[RouterB] interface tunnel 2 mode ipv6
# Specify an IPv6 address for the tunnel interface.
[RouterB-Tunnel2] ipv6 address 3001::1:2 64
# Specify the IP address of Serial 2/2/1 as the source address for the tunnel interface.
[RouterB-Tunnel2] source 2002::22:1
# Specify the IP address of Serial 2/2/0 on Router A as the destination address for the tunnel interface.
Troubleshooting tunneling configuration

Symptom
A tunnel interface configured with related parameters such as tunnel source address, tunnel destination address, and tunnel mode cannot go up.

Analysis
The physical interface of the tunnel does not go up, or the tunnel destination is unreachable.

Solution
1. Perform the following tasks to resolve the problem:
2. Use the display interface or display ipv6 interface command to check whether the physical interface of the tunnel is up.
Configuring GRE

Overview

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate any network layer protocol (such as IPv6) into a virtual point-to-point tunnel over an IP network (such as an IPv4 network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.
As shown in Figure 121, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows:
1. After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows:
  a. Looks up the routing table to identify the outgoing interface for the IPv6 packet.
  b. Submits the IPv6 packet to the outgoing interface—the GRE tunnel interface Tunnel 0.
2. Upon receiving the packet, the tunnel interface encapsulates the packet with GRE and then with IPv4.
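The encapsulation in step 2 and the matching de-encapsulation at the far end, shown as an added Python example. This is not code from the HP guide or from the router software; it builds the GRE header of RFC 2784 with the Key and Sequence Number fields of RFC 2890 (listed under the GRE references in this chapter), places an IPv6 packet behind it, and wraps the result in an IPv4 header with protocol 47. The sample IPv6 packet, the tunnel endpoints 1.1.1.1 and 2.2.2.2, the key value and the sequence numbers are all constructed for the example.

```python
# Added example (not from the HP guide): a minimal model of GRE encapsulation of an
# IPv6 packet over IPv4. Every address, key and packet below is constructed.
import ipaddress
import struct

GRE_PROTOCOL = 47          # IPv4 protocol number for GRE
ETHERTYPE_IPV6 = 0x86DD    # GRE protocol type for an IPv6 payload
GRE_FLAG_CSUM = 0x8000     # C bit (RFC 2784)
GRE_FLAG_KEY = 0x2000      # K bit (RFC 2890)
GRE_FLAG_SEQ = 0x1000      # S bit (RFC 2890)

# Constructed sample: a 40-byte IPv6 header (next header 59 = no next header,
# hop limit 64) followed by 8 bytes of payload.
SAMPLE_IPV6_PACKET = struct.pack(
    "!IHBB16s16s", 0x60000000, 8, 59, 64,
    ipaddress.IPv6Address("2001:db8:1::1").packed,
    ipaddress.IPv6Address("2001:db8:2::1").packed,
) + b"\x00" * 8


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(inner: bytes, src: str, dst: str, key: int, seq: int) -> bytes:
    """What the tunnel interface does on transmit: GRE header first, then IPv4."""
    gre = struct.pack("!HHII", GRE_FLAG_KEY | GRE_FLAG_SEQ, ETHERTYPE_IPV6, key, seq)
    total_len = 20 + len(gre) + len(inner)
    # version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     GRE_PROTOCOL, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + gre + inner


def gre_decapsulate(packet: bytes, expected_key: int):
    """What the far end does on receipt. Returns (protocol type, payload, seq), or
    None when the packet must be dropped: bad IPv4 checksum, not GRE, a non-zero
    GRE version, or a key that does not match the one configured for the tunnel."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0 or packet[9] != GRE_PROTOCOL:
        return None
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:            # version bits must be 0 for RFC 2784/2890 GRE
        return None
    offset = ihl + 4
    if flags & GRE_FLAG_CSUM:     # checksum + reserved1 present: skip them
        offset += 4
    key = None
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:
        return None
    return proto, packet[offset:], seq


def demo() -> dict:
    """Round-trip the sample packet through a tunnel keyed with 1000."""
    wire = gre_encapsulate(SAMPLE_IPV6_PACKET, "1.1.1.1", "2.2.2.2", key=1000, seq=1)
    return {
        "wire_length": len(wire),                            # 20 + 12 + 48 bytes
        "accepted": gre_decapsulate(wire, expected_key=1000),
        "wrong_key": gre_decapsulate(wire, expected_key=1001),
    }
```

The key field only identifies a tunnel; it travels in clear text, so a matching key says nothing about who sent the packet. That is why the chapter pairs GRE with IPsec (the "GRE over IPsec" scenario) when the tunnel crosses an untrusted network.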
Connecting networks running different protocols over a single backbone

Figure 122 Network diagram (IPv6 network 1, IPv6 network 2, IPv4 network 1 and IPv4 network 2 connected by a GRE tunnel between Device A and Device B across the Internet)

As shown in Figure 122, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks.
Constructing VPN

Figure 124 Network diagram

As shown in Figure 124, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN.

Operating with IPsec

Figure 125 Network diagram

As shown in Figure 125, GRE can be used together with IPsec to form a GRE over IPsec tunnel. Packets (for example, routing protocol packets, voice data, and video data) are first encapsulated with GRE and then with IPsec.
• RFC 2890, Key and Sequence Number Extensions to GRE

Configuring a GRE over IPv4 tunnel

Follow these guidelines when you configure a GRE over IPv4 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
Step 4. Configure a source address or source interface for the tunnel interface.
  Command: source { ip-address | interface-type interface-number }
  Remarks: By default, no source address or interface is configured for a tunnel interface. If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the encapsulated packets.
Configuring a GRE over IPv6 tunnel

Follow these guidelines when you configure a GRE over IPv6 tunnel:
• You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.
• HP recommends not configuring the same tunnel source and destination addresses for local tunnel interfaces that use the same tunnel mode.
Step 4. Configure a source IPv6 address or source interface for the tunnel interface.
  Command: source { ipv6-address | interface-type interface-number }
  Remarks: By default, no source IPv6 address or interface is configured for a tunnel interface. If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source IPv6 address as the source IPv6 address of the encapsulated packets.
Task: Display information about tunnel interfaces.
  Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
Task: Display IPv6 information about tunnel interfaces.
  Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
Task: Clear tunnel interface statistics.
  Command: reset counters interface [ tunnel [ number ] ]

GRE configuration examples

GRE over IPv4 tunnel configuration example

Network requirements
Group 1 and Group 2 are two private IPv4 networks.
# Create tunnel interface Tunnel 0 and specify the tunnel mode as GRE over IPv4.
system-view
[RouterB] interface tunnel 0 mode gre
# Configure an IP address for the tunnel interface.
[RouterB-Tunnel0] ip address 10.1.2.2 255.255.255.0
# Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/1/2 on Router B.
[RouterB-Tunnel0] source 2.2.2.
Internet Address is 10.1.2.2/24 Primary
Tunnel source 2.2.2.2, destination 1.1.1.
# Create a tunnel interface Tunnel 0, and specify the tunnel mode as GRE over IPv6.
system-view
[RouterA] interface tunnel 0 mode gre ipv6
# Configure an IP address for the tunnel interface.
[RouterA-Tunnel0] ip address 10.1.2.1 255.255.255.0
# Configure the source address of the tunnel interface as the IP address of interface GigabitEthernet 2/1/2 on Router A.
Output queue - Urgent queuing: Size/Length/Discards 0/100/0
Output queue - Protocol queuing: Size/Length/Discards 0/500/0
Output queue - FIFO queuing: Size/Length/Discards 0/75/0
Last clearing of counters: Never
Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
# Display tunnel interface information on Router B.
Troubleshooting GRE

The key to configuring GRE is to keep the configuration consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 128.

Figure 128 Network diagram

Symptom
The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other.
Configuring ADVPN

Overview

Auto Discovery Virtual Private Network (ADVPN) enables enterprise branches that use dynamic public addresses to establish a VPN network. ADVPN uses the VPN Address Management (VAM) protocol to collect, maintain, and distribute dynamic public addresses. VAM uses the client/server model. All VAM clients register their public addresses on the VAM server. A VAM client obtains the public addresses of other clients from the server to establish ADVPN tunnels.
Figure 129 Full mesh ADVPN

• Hub-spoke—In a hub-spoke ADVPN, spokes communicate with each other through the hub. The hub acts as both the route exchange center and data forwarding center. As shown in Figure 130, each spoke establishes a permanent tunnel to the hub. Spokes communicate with each other through the hub.

Figure 130 Hub-spoke ADVPN

• Hub-group—A hub-group ADVPN can accommodate more ADVPN clients.
  ◦ All hubs must belong to the backbone hub group. This hub group forms the full-mesh backbone area. All hubs obtain information about other hubs from the VAM server and establish permanent ADVPN tunnels to each other.
  ◦ Spokes must belong to non-backbone hub groups. Each non-backbone hub group includes at least one hub and uses either the full-mesh or hub-spoke structure. Spokes obtain hub information in the ADVPN domain from the VAM server, and establish permanent tunnels to the hub.
2. The server compares the algorithm list of the client to its own algorithm list in priority order.
3. The server sends the matching algorithms to the client. If no match is found, the negotiation fails.
4. The server and the client generate encryption and authentication keys based on the pre-shared key. If authentication and encryption are not needed, they do not generate keys.
5. The server and the client exchange negotiation acknowledgment packets protected by using the keys.
6.
Tunnel establishment phase

A spoke can establish permanent tunnels to any number of hubs. Hubs in an ADVPN domain must establish permanent tunnels.

Figure 134 Tunnel establishment process

Figure 134 shows the tunnel establishment process:
1. The initiator originates a tunnel establishment request.
  ◦ To establish a hub-spoke tunnel: The spoke checks whether a tunnel to each hub exists. If not, the spoke sends a tunnel establishment request to the hub.
Figure 135 shows the format of ADVPN packets. ADVPN supports both GRE and UDP encapsulations. In the outer IP header, the source IP address is the public address of the local spoke, and the destination address is the public address corresponding to the private next hop. IPsec can be used to protect ADVPN tunnels.
Task: (Optional.) Configuring keepalive parameters
Task: (Optional.) Configuring the retry timer

Creating an ADVPN domain

Specify a unique ID for an ADVPN domain.

To create an ADVPN domain:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create an ADVPN domain and enter ADVPN domain view.
  Command: vam server advpn-domain domain-name [ id domain-id ]
  Remarks: By default, no ADVPN domain exists.

Enabling the VAM server

Step 1. Enter system view.
Configuring hub groups

Hub groups apply to large ADVPN networks. You can classify spokes into different hub groups, and specify one or more hubs for each group.

When a VAM client registers with the VAM server, the VAM server selects a hub group for the client as follows:
1. The server matches the private address of the client against the private addresses of hubs in different hub groups in lexicographic order.
2. If a matching hub is found, the server assigns the client to the hub group as a hub.
3.
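The selection steps above, as an added Python model; this is not the VAM server's code. Hub group 1's hub addresses and spoke network are the ones used in the multi-hub-group configuration example later in this chapter; the contents of groups 0 and 2 are partly constructed. Because the text's step 3 is cut off on this page, matching a non-hub client against a group's spoke private networks (the spoke private-address network command) is an assumption made for the example.

```python
# Added example (not from the HP guide): how a VAM server might assign a
# registering client to a hub group. Group contents are partly constructed.
import ipaddress

HUB_GROUPS = {
    "0": {"hubs": ["192.168.0.1", "192.168.0.2", "192.168.0.3"], "spoke_networks": []},
    "1": {"hubs": ["192.168.1.1", "192.168.1.2"], "spoke_networks": ["192.168.1.0/24"]},
    "2": {"hubs": ["192.168.2.1"], "spoke_networks": ["192.168.2.0/24"]},
}


def select_hub_group(client_private: str, groups=HUB_GROUPS):
    """Return (hub group name, role) for a client's private address, or None when no
    group claims it. Hub matching runs first over every group, so a hub whose address
    also falls inside a spoke network is still assigned as a hub."""
    addr = ipaddress.ip_address(client_private)
    ordered = sorted(groups)                      # step 1: lexicographic order of names
    for name in ordered:                          # step 2: exact match against hub addresses
        if addr in [ipaddress.ip_address(h) for h in groups[name]["hubs"]]:
            return name, "hub"
    for name in ordered:                          # assumed step 3: spoke networks
        for net in groups[name]["spoke_networks"]:
            if addr in ipaddress.ip_network(net):
                return name, "spoke"
    return None
```

Note that "lexicographic" means string order of the group names, so a group named 10 sorts before a group named 2; when spoke networks of different groups overlap, that order decides which group a spoke lands in.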
Step 4. Configure a hub private address.
  Command (use either):
  • Configure an IPv4 hub private address: hub private-address private-ip-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]
  • Configure an IPv6 hub private address: hub ipv6 private-address private-ipv6-address [ public-address { public-ip-address | public-ipv6-address } [ advpn-port port-number ] ]
  Remarks: Use either command. By default, no hub private address is configured.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter ADVPN domain view.
  Command: vam server advpn-domain domain-name [ id domain-id ]
  Remarks: N/A
Step 3. Enter hub group view.
  Command: hub-group group-name
  Remarks: N/A
Step 4. Configure rules for establishing spoke-to-spoke tunnels.
  Command:
  • Configure rules for establishing
Step 4. Specify encryption algorithms.
  Command: encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | des-cbc | none } *
  Remarks: The default encryption algorithms are AES-CBC-256, AES-CBC-192, AES-CBC-128, AES-CTR-256, AES-CTR-192, AES-CTR-128, 3DES-CBC, and DES-CBC in the descending order of priority.

Configuring an authentication method

The VAM server uses the specified method to authenticate clients in the ADVPN domain.
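An added Python model of the negotiation steps described in the overview (the server walks its own algorithm list in priority order, fails when nothing matches, derives keys from the pre-shared key, and protects the acknowledgment with those keys), using the default encryption priority order from the table above. This is not VAM's implementation or wire format: the client proposals, the authentication algorithm names, the 32-byte pre-shared keys, the nonce, and the HMAC-SHA256 key-derivation and acknowledgment MAC are all constructed for the example.

```python
# Added example (not from the HP guide): a model of VAM algorithm negotiation and
# key derivation. Only SERVER_ENCRYPTION_PRIORITY comes from the guide (the default
# order of the encryption-algorithm command); everything else is constructed.
import hashlib
import hmac

SERVER_ENCRYPTION_PRIORITY = [
    "aes-cbc-256", "aes-cbc-192", "aes-cbc-128",
    "aes-ctr-256", "aes-ctr-192", "aes-ctr-128",
    "3des-cbc", "des-cbc",
]
# Authentication algorithm names are an assumption for this example.
SERVER_AUTH_PRIORITY = ["hmac-sha256", "hmac-sha1"]


def select_algorithm(server_list, client_list):
    """Steps 2-3: the first entry of the server's priority list that the client also
    proposes wins; the client's own ordering is irrelevant. None means no match,
    so the negotiation fails."""
    offered = set(client_list)
    for alg in server_list:
        if alg in offered:
            return alg
    return None


def derive_keys(pre_shared_key: bytes, enc_alg, auth_alg, nonce: bytes) -> dict:
    """Step 4: derive a key per purpose from the pre-shared key. Nothing is derived
    for a purpose negotiated as 'none'. HMAC-SHA256 with a label is a stand-in KDF."""
    keys = {}
    if enc_alg not in (None, "none"):
        keys["enc"] = hmac.new(pre_shared_key, b"enc|" + enc_alg.encode() + b"|" + nonce,
                               hashlib.sha256).digest()
    if auth_alg not in (None, "none"):
        keys["auth"] = hmac.new(pre_shared_key, b"auth|" + auth_alg.encode() + b"|" + nonce,
                                hashlib.sha256).digest()
    return keys


def protect_ack(keys: dict, body: bytes) -> bytes:
    """Step 5 (sender side): append a MAC when an authentication key exists."""
    if "auth" not in keys:
        return body
    return body + hmac.new(keys["auth"], body, hashlib.sha256).digest()


def verify_ack(keys: dict, message: bytes, expected_body: bytes) -> bool:
    """Step 5 (receiver side): check the MAC with the receiver's own derived key."""
    if "auth" not in keys:
        return message == expected_body
    body, tag = message[:-32], message[-32:]
    expected_tag = hmac.new(keys["auth"], body, hashlib.sha256).digest()
    return body == expected_body and hmac.compare_digest(tag, expected_tag)


def negotiate(client_enc, client_auth, server_psk: bytes, client_psk: bytes, nonce: bytes,
              server_enc=SERVER_ENCRYPTION_PRIORITY, server_auth=SERVER_AUTH_PRIORITY) -> dict:
    """Run steps 2-5 between a server and one client and report the outcome."""
    enc = select_algorithm(server_enc, client_enc)
    auth = select_algorithm(server_auth, client_auth)
    if enc is None or auth is None:
        return {"status": "failed", "encryption": enc, "authentication": auth,
                "keys_derived": [], "ack_verified": False}
    server_keys = derive_keys(server_psk, enc, auth, nonce)
    client_keys = derive_keys(client_psk, enc, auth, nonce)   # differs if PSKs differ
    ack = protect_ack(server_keys, b"VAM-ACK")
    verified = verify_ack(client_keys, ack, b"VAM-ACK")
    return {"status": "ok" if verified else "failed", "encryption": enc,
            "authentication": auth, "keys_derived": sorted(server_keys),
            "ack_verified": verified}
```

Two things the model makes visible: a client that proposes only DES still gets AES if it also offers it, because the server's order decides; and trimming 3des-cbc and des-cbc from the server's list with the encryption-algorithm command means a client that can offer nothing stronger fails to negotiate rather than falling back. A mismatched pre-shared key surfaces as a failed acknowledgment, which is the connection failure the pre-shared key section describes.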
Configuring the retry timer

The VAM server starts the retry timer after it sends a request to a client. If the server receives no response from the client before the retry timer expires, the server resends the request. The server stops sending the request after receiving a response from the client or after the timeout timer (the product of the keepalive interval and the number of keepalive attempts) expires.

To configure the retry timer:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
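The retry and timeout interplay described above, as an added Python simulation on a simulated clock (seconds). It is not the VAM server's code; the timer values and the moments at which the client answers are constructed for the example.

```python
# Added example (not from the HP guide): a deterministic simulation of the VAM
# server's request retry loop. All timer values are constructed.


def simulate_request(retry_interval: int, keepalive_interval: int,
                     keepalive_attempts: int, responds_at=None) -> dict:
    """Send a request at t=0, resend each time the retry timer expires, and stop
    either when the client's response arrives (responds_at, in seconds) or when
    the timeout timer (keepalive interval x keepalive attempts) expires.
    Returns the outcome and every time at which the request was sent."""
    timeout = keepalive_interval * keepalive_attempts
    now = 0
    sends = [0]
    while True:
        next_retry = now + retry_interval
        # A response that arrives before the next retry and before the timeout ends the loop.
        if responds_at is not None and responds_at <= next_retry and responds_at < timeout:
            return {"outcome": "answered", "sends": sends,
                    "stopped_at": responds_at, "timeout": timeout}
        # The timeout timer wins over any further retry.
        if next_retry >= timeout:
            return {"outcome": "timed out", "sends": sends,
                    "stopped_at": timeout, "timeout": timeout}
        now = next_retry
        sends.append(now)


def sends_per_dead_client(retry_interval: int, keepalive_interval: int,
                          keepalive_attempts: int) -> int:
    """Number of transmissions the server spends on a client that never answers."""
    return len(simulate_request(retry_interval, keepalive_interval, keepalive_attempts)["sends"])
```

The second function is the capacity check a practitioner wants: with a short retry interval and a long keepalive timeout, every unresponsive client costs the server a fixed burst of retransmissions, so the two timers should be sized together rather than independently.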
Step 2. Enable VAM clients.
  Command (use either method):
  • Enable one or all VAM clients: vam client enable { all | name client-name }
  • Enable a VAM client:
    a. vam client name client-name
    b. client enable
  Remarks: Use either method. By default, no VAM client is enabled.

Specifying VAM servers

You can specify a primary VAM server and a secondary VAM server for a VAM client. The client registers with both servers, and accepts settings from the server that first registers the client.
All VAM clients and the VAM server in an ADVPN domain must have the same pre-shared key. If they have different pre-shared keys, they will fail to establish a connection.

To specify a pre-shared key for a VAM client:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VAM client view.
  Command: vam client name client-name
  Remarks: N/A
Step 3. Specify a pre-shared key for the VAM client.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VAM client view.
  Command: vam client name client-name
  Remarks: N/A
Step 3. Configure a username and password for the client.
  Command: user username password { cipher cipher-string | simple simple-string }
  Remarks: By default, no username and password are configured for the client.

Configuring an ADVPN tunnel interface

ADVPN establishes tunnels over ADVPN tunnel interfaces.

To configure an ADVPN tunnel interface:
Step 1. Enter system view.
Step 6. (Optional.) Set the source UDP port number of ADVPN packets.
  Command: advpn source-port port-number
  Remarks: By default, the source UDP port number of ADVPN packets is 18001. This command is available when the tunnel mode is UDP.
Step 7. Bind a VAM client to the tunnel interface.
  Command:
  • Bind an IPv4 VAM client to the tunnel interface: vam client client-name [ compatible advpn0 ]
  • Bind an IPv6 VAM client to the tunnel interface: vam ipv6 client client-name
Step 8. (Optional.
  Command:
  • Configure a private IPv4
Configuring routing

ADVPN supports OSPF, RIP, and BGP for IPv4:
• When OSPF is used, set the network type of an OSPF interface to broadcast in a full mesh network and to P2MP in a hub-spoke network.
• When RIP is used, you can use RIP-1 or RIP-2 broadcast in a full mesh network, and use RIP-2 multicast and disable split horizon in a hub-spoke network.
Task: Display ADVPN domain statistics on the VAM server.
  Command: display vam server statistics [ advpn-domain domain-name ]
Task: Display FSM information for VAM clients.
  Command: display vam client fsm [ name client-name ]
Task: Display statistics for VAM clients.
  Command: display vam client statistics [ name client-name ]
Task: Display the rules for establishing IPv4 spoke-to-spoke tunnels for VAM clients.
Each spoke establishes a permanent ADVPN tunnel to each hub. Any two spokes in the same ADVPN domain can dynamically establish a temporary ADVPN tunnel.

Figure 136 Network diagram

Table 12 Interface and IP address assignment
Device      Interface   IP address
Hub 1       GE1/0/1     1.0.0.1/24
            Tunnel1     192.168.0.1/24
Hub 2       GE1/0/1     1.0.0.2/24
            Tunnel1     192.168.0.2/24
Spoke 1     GE1/0/1     1.0.0.3/24
            GE1/0/2     192.168.1.1/24
            Tunnel1     192.168.0.3/24
Spoke 2     GE1/0/1     1.0.0.4/24
                        1.0.0.
# Configure AAA methods for the ISP domain abc.
[PrimaryServer] domain abc
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
3. Configure the VAM server:
# Create ADVPN domain abc.
[PrimaryServer] vam server advpn-domain abc id 1
# Create hub group 0.
[PrimaryServer-vam-server-domain-abc] hub-group 0
# Specify hub private addresses.
[Hub1-vam-client-Hub1] client enable
[Hub1-vam-client-Hub1] quit
3. Configure an IPsec profile:
# Configure IKE.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
# Set the username and password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the primary and secondary VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
3. Configure the IPsec profile:
# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] undo shutdown
[Spoke1-Tunnel1] quit

Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client spoke2.
system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke2-ospf-1] quit
5. Configure GRE-mode ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke2 will not participate in DR/BDR election.
[Spoke2] interface tunnel1 mode advpn gre
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.
[Spoke1] display advpn session
Interface          : Tunnel1
Number of sessions : 2
Private address   Public address   Port   Type   State     Holding time
192.168.0.1       1.0.0.1          --     S-H    Success   0H 46M 8S
192.168.0.2       1.0.0.2          --     S-H    Success   0H 46M 8S
The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
# Ping the private address 192.168.0.4 of Spoke 2 from Spoke 1.
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.
Figure 137 Network diagram

Table 13 Interface and IP address assignment
Device            Interface   IP address
Hub 1             GE1/0/1     1::1/64
                  Tunnel1     192:168::1/64
Hub 2             GE1/0/1     1::2/64
                  Tunnel1     192:168::2/64
Spoke 1           GE1/0/1     1::3/64
                  GE1/0/2     192:168:1::1/64
                  Tunnel1     192:168::3/64
Spoke 2           GE1/0/1     1::4/64
                  GE1/0/2     192:168:2::1/64
                  Tunnel1     192:168::4/64
AAA server                    1::10/64
Primary server    GE1/0/1     1::11/64
Secondary server  GE1/0/1     1::12/64

Configuring the primary VAM serv
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
3. Configure the VAM server:
# Create ADVPN domain abc.
[PrimaryServer] vam server advpn-domain abc id 1
# Create hub group 0.
[PrimaryServer-vam-server-domain-abc] hub-group 0
# Specify hub private addresses.
[Hub1-vam-client-Hub1] quit
3. Configure an IPsec profile:
# Configure IKE.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
# Set the username and password to hub2.
[Hub2-vam-client-Hub2] user hub2 password simple hub2
# Specify the primary and secondary VAM servers.
[Hub2-vam-client-Hub2] server primary ipv6-address 1::11
[Hub2-vam-client-Hub2] server secondary ipv6-address 1::12
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
3. Configure the IPsec profile:
# Configure IKE.
# Create VAM client spoke1.
system-view
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc for the VAM client.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.
[Spoke1-Tunnel1] ospfv3 network-type broadcast
[Spoke1-Tunnel1] ospfv3 dr-priority 0
[Spoke1-Tunnel1] source gigabitethernet 1/0/1
[Spoke1-Tunnel1] tunnel protection ipsec profile abc
[Spoke1-Tunnel1] undo shutdown
[Spoke1-Tunnel1] quit

Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client spoke2.
system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-ospfv3-1] area 0
[Spoke2-ospfv3-1-area-0.0.0.0] quit
[Spoke2-ospfv3-1] quit
5. Configure GRE-mode ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke2 will not participate in DR/BDR election.
The output shows that Hub 1 has established a permanent tunnel to Hub 2, Spoke 1, and Spoke 2. The ADVPN tunnel information for Hub 2 is similar to that of Hub 1. # Display the ADVPN tunnel information for Spoke 1.
Figure 138 Network diagram

Table 14 Interface and IP address assignment
Device            Interface   IP address
Hub 1             GE1/0/1     1.0.0.1/24
                  Tunnel1     192.168.0.1/24
Hub 2             GE1/0/1     1.0.0.2/24
                  Tunnel1     192.168.0.2/24
Spoke 1           GE1/0/1     1.0.0.3/24
                  GE1/0/2     192.168.1.1/24
                  Tunnel1     192.168.0.3/24
Spoke 2           GE1/0/1     1.0.0.4/24
                  GE1/0/2     192.168.2.1/24
                  Tunnel1     192.168.0.4/24
AAA server                    1.0.0.10/24
Primary server    GE1/0/1     1.0.0.11/24
Secondary server  GE1/0/1     1.0.0.
[PrimaryServer-isp-abc] authentication advpn radius-scheme abc
[PrimaryServer-isp-abc] accounting advpn radius-scheme abc
[PrimaryServer-isp-abc] quit
[PrimaryServer] domain default enable abc
3. Configure the VAM server:
# Create ADVPN domain abc.
[PrimaryServer] vam server advpn-domain abc id 1
# Create hub group 0.
[PrimaryServer-vam-server-domain-abc] hub-group 0
# Specify hub private addresses.
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.
3. Configure an IPsec profile:
# Configure IKE.
[Hub1] ike keychain abc
[Hub1-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub1-ike-keychain-abc] quit
[Hub1] ike profile abc
[Hub1-ike-profile-abc] keychain abc
[Hub1-ike-profile-abc] quit
# Configure the IPsec profile.
# Specify the primary and secondary VAM servers.
[Hub2-vam-client-Hub2] server primary ip-address 1.0.0.11
[Hub2-vam-client-Hub2] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Hub2-vam-client-Hub2] client enable
[Hub2-vam-client-Hub2] quit
3. Configure the IPsec profile:
# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.
[Spoke1-vam-client-Spoke1] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke1-vam-client-Spoke1] pre-shared-key simple 123456
# Set the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# Enable the VAM client.
Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client spoke2.
system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the username and password to spoke2.
[Spoke2-Tunnel1] ip address 192.168.0.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type p2mp
[Spoke2-Tunnel1] source gigabitethernet 1/0/1
[Spoke2-Tunnel1] tunnel protection ipsec profile abc
[Spoke2-Tunnel1] undo shutdown
[Spoke2-Tunnel1] quit

Verifying the configuration
# Display the address mapping information for all VAM clients registered with the primary VAM server.
The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
# Ping the private address 192.168.0.4 of Spoke 2 from Spoke 1.
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=3 ttl=255 time=0.000 ms
56 bytes from 192.
Device            Interface   IP address
                  Tunnel1     192:168::2/64
Spoke 2           GE1/0/1     1::4/64
                  GE1/0/2     192:168:2::1/64
                  Tunnel1     192:168::4/64
AAA server                    1::10/64
Primary server    GE1/0/1     1::11/64
Secondary server  GE1/0/1     1::12/64

Configuring the primary VAM server
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure AAA:
# Configure RADIUS scheme abc.
[PrimaryServer-vam-server-domain-abc] server enable
[PrimaryServer-vam-server-domain-abc] quit

Configuring the secondary VAM server
# Configure the secondary VAM server in the same way that the primary server is configured. (Details not shown.)

Configuring Hub 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client hub1.
system-view
[Hub1] vam client name Hub1
# Specify ADVPN domain abc for the VAM client.
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] quit
5. Configure GRE-mode ADVPN tunnel interface tunnel1.
[Hub2-ipsec-transform-set-abc] quit
[Hub2] ipsec profile abc isakmp
[Hub2-ipsec-profile-isakmp-abc] transform-set abc
[Hub2-ipsec-profile-isakmp-abc] ike-profile abc
[Hub2-ipsec-profile-isakmp-abc] quit
4. Configure OSPFv3.
[Hub2] ospfv3 1
[Hub2-ospfv3-1] router-id 0.0.0.2
[Hub2-ospfv3-1] area 0
[Hub2-ospfv3-1-area-0.0.0.0] quit
[Hub2-ospfv3-1] quit
5. Configure GRE-mode ADVPN tunnel interface tunnel1.
[Spoke1] ike profile abc
[Spoke1-ike-profile-abc] keychain abc
[Spoke1-ike-profile-abc] quit
# Configure the IPsec profile.
# Enable the VAM client.
[Spoke2-vam-client-Spoke2] client enable
[Spoke2-vam-client-Spoke2] quit
3. Configure the IPsec profile:
# Configure IKE.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address ipv6 :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
0    192:168::3    1::3    Spoke    No    0H 28M 25S
0    192:168::4    1::4    Spoke    No    0H 19M 15S
# Display the address mapping information for all VAM clients registered with the secondary VAM server.
IPv4 multi-hub-group ADVPN configuration example

Network requirements

As shown in Figure 140, the primary and secondary VAM servers manage and maintain VAM client information for all hubs and spokes. The AAA server performs authentication and accounting for VAM clients. Configure three hub groups to accommodate all ADVPN nodes:
• Hub group 0 contains Hub 1, Hub 2, and Hub 3.
• Hub group 1 contains Hub 1, Hub 2, Spoke 1, and Spoke 2. Hub 1 and Hub 2 back up each other.
Device Hub 3 Interface IP address Tunnel2 Interface IP address 192.168.0.2/24 GE1/0/3 192.168.30.1/24 GE1/0/1 1.0.0.3/24 Tunnel1 192.168.1.4/24 Tunnel1 192.168.2.1/24 GE1/0/1 1.0.0.6/24 Tunnel2 192.168.0.3/24 GE1/0/2 192.168.40.1/24 1.0.0.10/24 Tunnel1 192.168.2.2/24 GE1/0/1 1.0.0.7/24 GE1/0/2 192.168.50.1/24 GE1/0/3 192.168.60.1/24 Tunnel1 192.168.2.3/24 AAA server Primary server GE1/0/1 1.0.0.11/24 Secondary server GE1/0/1 1.0.0.
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.1
[PrimaryServer-vam-server-domain-abc-hub-group-1] hub private-address 192.168.1.2
# Specify a spoke private network.
[PrimaryServer-vam-server-domain-abc-hub-group-1] spoke private-address network 192.168.1.0 255.255.255.0
# Allow establishing spoke-spoke tunnels.
[PrimaryServer-vam-server-domain-abc-hub-group-1] shortcut interest all
[PrimaryServer-vam-server-domain-abc-hub-group-1] quit
# Create hub group 2.
[Hub1-vam-client-Hub1Group0] quit
# Create VAM client Hub1Group1.
[Hub1] vam client name Hub1Group1
# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1Group1] advpn-domain abc
# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1Group1] pre-shared-key simple 123456
# Set the username and password to hub1.
[Hub1-vam-client-Hub1Group1] user hub1 password simple hub1
# Specify the primary and secondary VAM servers.
[Hub1-vam-client-Hub1Group1] server primary ip-address 1.0.0.
[Hub1-Tunnel1] vam client Hub1Group1
[Hub1-Tunnel1] ospf network-type broadcast
[Hub1-Tunnel1] source gigabitethernet 1/0/1
[Hub1-Tunnel1] tunnel protection ipsec profile abc
[Hub1-Tunnel1] undo shutdown
[Hub1-Tunnel1] quit
# Configure UDP-mode ADVPN tunnel interface tunnel2.
[Hub1] interface tunnel2 mode advpn udp
[Hub1-Tunnel2] ip address 192.168.0.1 255.255.255.
# Enable the VAM client.
[Hub2-vam-client-Hub2Group1] client enable
[Hub2-vam-client-Hub2Group1] quit
3. Configure the IPsec profile:
# Configure IKE.
[Hub2] ike keychain abc
[Hub2-ike-keychain-abc] pre-shared-key address 0.0.0.0 0.0.0.0 key simple 123456
[Hub2-ike-keychain-abc] quit
[Hub2] ike profile abc
[Hub2-ike-profile-abc] keychain abc
[Hub2-ike-profile-abc] quit
# Configure the IPsec profile.
[Hub2-Tunnel1] undo shutdown
[Hub2-Tunnel1] quit

Configuring Hub 3
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client Hub3Group0.
system-view
[Hub3] vam client name Hub3Group0
# Specify ADVPN domain abc for the VAM client.
[Hub3-vam-client-Hub3Group0] advpn-domain abc
# Set pre-shared key 123456 for the VAM client.
[Hub3-vam-client-Hub3Group0] pre-shared-key simple 123456
# Set the username and password to hub3.
[Hub3-ipsec-transform-set-abc] encapsulation-mode transport
[Hub3-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Hub3-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Hub3-ipsec-transform-set-abc] quit
[Hub3] ipsec profile abc isakmp
[Hub3-ipsec-profile-isakmp-abc] transform-set abc
[Hub3-ipsec-profile-isakmp-abc] ike-profile abc
[Hub3-ipsec-profile-isakmp-abc] quit
NOTE: The transform set and keys in these examples are for illustration only. des-cbc is single DES with a 56-bit key and should not protect production traffic; select an AES transform (for example, esp encryption-algorithm aes-cbc-256) on every hub and spoke, because the two endpoints of each tunnel must agree on the transform. The pre-shared keys (123456, entered with the simple keyword, which stores them in plain text) and the 0.0.0.0 0.0.0.0 IKE keychain entry, which accepts that key from any peer address, are likewise example values: use long random keys entered with the cipher keyword, and where peer addresses are static, bind each key to its peer address range.
4. Configure OSPF to advertise the private networks.
[Hub3] ospf 1
[Hub3-ospf-1] area 0
[Hub3-ospf-1-area-0.0.0.
# Set the username and password to spoke1.
[Spoke1-vam-client-Spoke1] user spoke1 password simple spoke1
# Specify the primary and secondary VAM servers.
[Spoke1-vam-client-Spoke1] server primary ip-address 1.0.0.11
[Spoke1-vam-client-Spoke1] server secondary ip-address 1.0.0.12
# Enable the VAM client.
[Spoke1-vam-client-Spoke1] client enable
[Spoke1-vam-client-Spoke1] quit
3. Configure the IPsec profile:
# Configure IKE.
[Spoke1] ike keychain abc
[Spoke1-ike-keychain-abc] pre-shared-key address 0.0.0.
Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client Spoke2.
system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the username and password to spoke2.
5. Configure UDP-mode ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke2 will not participate in DR/BDR election.
[Spoke2] interface tunnel1 mode advpn udp
[Spoke2-Tunnel1] ip address 192.168.1.4 255.255.255.0
[Spoke2-Tunnel1] vam client Spoke2
[Spoke2-Tunnel1] ospf network-type broadcast
[Spoke2-Tunnel1] ospf dr-priority 0
[Spoke2-Tunnel1] advpn network 192.168.20.0 255.255.255.0
[Spoke2-Tunnel1] advpn network 192.168.30.0 255.255.255.
[Spoke3] ipsec profile abc isakmp
[Spoke3-ipsec-profile-isakmp-abc] transform-set abc
[Spoke3-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke3-ipsec-profile-isakmp-abc] quit
4. Configure OSPF to advertise the private networks.
[Spoke3] ospf 1
[Spoke3-ospf-1] area 2
[Spoke3-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[Spoke3-ospf-1-area-0.0.0.2] network 192.168.40.0 0.0.0.255
[Spoke3-ospf-1-area-0.0.0.2] quit
[Spoke3-ospf-1] quit
5. Configure UDP-mode ADVPN tunnel interface tunnel1.
[Spoke4-ike-keychain-abc] quit
[Spoke4] ike profile abc
[Spoke4-ike-profile-abc] keychain abc
[Spoke4-ike-profile-abc] quit
# Configure the IPsec profile.
1 192.168.1.4 1.0.0.5 Spoke No 0H 28M 25S
2 192.168.2.1 1.0.0.3 Hub No 0H 28M 25S
2 192.168.2.2 1.0.0.6 Spoke No 0H 25M 40S
2 192.168.2.3 1.0.0.7 Spoke No 0H 25M 31S
# Display the address mapping information for all VAM clients registered with the secondary VAM server.
[SecondaryServer] display vam server address-map
ADVPN domain name: 1
Total private address mappings: 10
Group Private address Public address Type NAT Holding time
0 192.168.0.1 1.0.0.
The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
# Display the ADVPN tunnel information for Spoke 3.
[Spoke1] display advpn session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192.168.1.1 1.0.0.1 18001 S-H Success 0H 46M 8S
192.168.1.2 1.0.0.2 18001 S-H Success 0H 46M 8S
The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.
Table 17 Interface and IP address assignment

Device   Interface   IP address          Device    Interface   IP address
Hub 1    GE1/0/1     1::1/64             Spoke 1   GE1/0/1     1::4/64
         Tunnel1     192:168:1::1/64               GE1/0/2     192:168:10::1/64
         Tunnel2     192:168::1/64                 Tunnel1     192:168:1::3/64
Hub 2    GE1/0/1     1::2/64             Spoke 2   GE1/0/1     1::5/64
         Tunnel1     192:168:1::2/64               GE1/0/2     192:168:20::1/64
         Tunnel2     192:168::2/64                 GE1/0/3     192:168:30::1/64
Hub 3    GE1/0/1     1::3/64                       Tunnel1     192:168:1::4/64
         Tunnel1     192:168:2::1/64     Spoke 3   GE1/0/1     1::6/64
         Tunnel2     192:168::3/64
# Specify hub private addresses.
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::1
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::2
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub ipv6 private-address 192:168::3
[PrimaryServer-vam-server-domain-abc-hub-group-0] quit
# Create hub group 1.
[PrimaryServer-vam-server-domain-abc] hub-group 1
# Specify hub private addresses.
[Hub1] vam client name Hub1Group0
# Specify ADVPN domain abc for the VAM client.
[Hub1-vam-client-Hub1Group0] advpn-domain abc
# Set the pre-shared key to 123456.
[Hub1-vam-client-Hub1Group0] pre-shared-key simple 123456
# Set the username and password to hub1.
[Hub1-vam-client-Hub1Group0] user hub1 password simple hub1
# Specify the primary and secondary VAM servers.
4. Configure OSPFv3.
[Hub1] ospfv3 1
[Hub1-ospfv3-1] router-id 0.0.0.1
[Hub1-ospfv3-1] area 0
[Hub1-ospfv3-1-area-0.0.0.0] quit
[Hub1-ospfv3-1] area 1
[Hub1-ospfv3-1-area-0.0.0.1] quit
[Hub1-ospfv3-1] quit
5. Configure an ADVPN tunnel:
# Configure UDP-mode ADVPN tunnel interface tunnel1.
# Enable the VAM client.
[Hub2-vam-client-Hub2Group0] client enable
[Hub2-vam-client-Hub2Group0] quit
# Create VAM client Hub2Group1.
[Hub2] vam client name Hub2Group1
# Specify ADVPN domain abc for the VAM client.
[Hub2-vam-client-Hub2Group1] advpn-domain abc
# Set pre-shared key 123456 for the VAM client.
[Hub2-vam-client-Hub2Group1] pre-shared-key simple 123456
# Set the username and password to hub2.
[Hub2] interface tunnel1 mode advpn udp
[Hub2-Tunnel1] ipv6 address 192:168:1::2 64
[Hub2-Tunnel1] ipv6 address fe80::1:2 link-local
[Hub2-Tunnel1] vam ipv6 client Hub2Group1
[Hub2-Tunnel1] ospfv3 1 area 1
[Hub2-Tunnel1] ospfv3 network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 1/0/1
[Hub2-Tunnel1] tunnel protection ipsec profile abc
[Hub2-Tunnel1] undo shutdown
[Hub2-Tunnel1] quit
# Configure UDP-mode ADVPN tunnel interface tunnel2.
# Set the username and password to hub3.
[Hub3-vam-client-Hub3Group1] user hub3 password simple hub3
# Specify the primary and secondary VAM servers.
[Hub3-vam-client-Hub3Group1] server primary ipv6-address 1::11
[Hub3-vam-client-Hub3Group1] server secondary ipv6-address 1::12
# Enable the VAM client.
[Hub3-vam-client-Hub3Group1] client enable
[Hub3-vam-client-Hub3Group1] quit
3. Configure the IPsec profile:
# Configure IKE.
[Hub3] ike keychain abc
[Hub3-ike-keychain-abc] pre-shared-key address 0.0.0.
# Configure UDP-mode ADVPN tunnel interface tunnel2.
[Hub3] interface tunnel2 mode advpn udp
[Hub3-Tunnel2] ipv6 address 192:168::3 64
[Hub3-Tunnel2] ipv6 address fe80::3 link-local
[Hub3-Tunnel2] vam ipv6 client Hub3Group0
[Hub3-Tunnel2] ospfv3 1 area 0
[Hub3-Tunnel2] ospfv3 network-type broadcast
[Hub3-Tunnel2] source gigabitethernet 1/0/1
[Hub3-Tunnel2] tunnel protection ipsec profile abc
[Hub3-Tunnel2] undo shutdown
[Hub3-Tunnel2] quit
Configuring Spoke 1
1. Configure IP addresses for the interfaces.
[Spoke1-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke1-ipsec-profile-isakmp-abc] quit
4. Configure OSPFv3.
[Spoke1] ospfv3 1
[Spoke1-ospfv3-1] router-id 0.0.0.4
[Spoke1-ospfv3-1] area 0
[Spoke1-ospfv3-1-area-0.0.0.0] quit
[Spoke1-ospfv3-1] area 1
[Spoke1-ospfv3-1-area-0.0.0.1] quit
[Spoke1-ospfv3-1] quit
[Spoke1] interface gigabitethernet 1/0/2
[Spoke1-GigabitEthernet1/0/2] ospfv3 1 area 1
[Spoke1-GigabitEthernet1/0/2] quit
5. Configure UDP-mode ADVPN tunnel interface tunnel1.
3. Configure the IPsec profile:
# Configure IKE.
[Spoke2] ike keychain abc
[Spoke2-ike-keychain-abc] pre-shared-key address :: 0 key simple 123456
[Spoke2-ike-keychain-abc] quit
[Spoke2] ike profile abc
[Spoke2-ike-profile-abc] keychain abc
[Spoke2-ike-profile-abc] quit
# Configure the IPsec profile.
Configuring Spoke 3
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client Spoke3.
system-view
[Spoke3] vam client name Spoke3
# Specify ADVPN domain abc for the VAM client.
[Spoke3-vam-client-Spoke3] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke3-vam-client-Spoke3] pre-shared-key simple 123456
# Set the username and password to spoke3.
[Spoke3-GigabitEthernet1/0/2] ospfv3 1 area 2
[Spoke3-GigabitEthernet1/0/2] quit
5. Configure UDP-mode ADVPN tunnel interface tunnel1. Configure its DR priority as 0 so Spoke3 will not participate in DR/BDR election.
[Spoke4-ipsec-transform-set-abc] esp encryption-algorithm des-cbc
[Spoke4-ipsec-transform-set-abc] esp authentication-algorithm sha1
[Spoke4-ipsec-transform-set-abc] quit
[Spoke4] ipsec profile abc isakmp
[Spoke4-ipsec-profile-isakmp-abc] transform-set abc
[Spoke4-ipsec-profile-isakmp-abc] ike-profile abc
[Spoke4-ipsec-profile-isakmp-abc] quit
4. Configure OSPFv3.
[Spoke4] ospfv3 1
[Spoke4-ospfv3-1] router-id 0.0.0.7
[Spoke4-ospfv3-1] area 0
[Spoke4-ospfv3-1-area-0.0.0.
1 192:168:1::3 1::4 Spoke No 0H 18M 26S
1 192:168:1::4 1::5 Spoke No 0H 28M 25S
2 192:168:2::1 1::3 Hub No 0H 28M 25S
2 192:168:2::2 1::6 Spoke No 0H 25M 40S
2 192:168:2::3 1::7 Spoke No 0H 25M 31S
# Display the address mapping information for all VAM clients registered with the secondary VAM server.
192:168:1::2 1::2 18001 S-H Success 0H 46M 8S
The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2.
# Display the ADVPN tunnel information for Spoke 3.
[Spoke3] display advpn ipv6 session
Interface : Tunnel1
Number of sessions: 2
Private address Public address Port Type State Holding time
192:168:2::1 1::3 18001 S-H Success 0H 46M 8S
The output shows that Spoke 3 has established a permanent hub-spoke tunnel to Hub 3.
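The verification outputs in the IPv4 example (display advpn session) and the IPv6 example (display advpn ipv6 session) above are read by eye in this guide. The following Python is an added example, not HP code and not part of this guide, that parses such output and checks a spoke against the hub list configured for its hub group on the VAM server: every hub must have an S-H session in Success state, and an S-H session to an address that is not a configured hub of the group is reported, since it means the VAM server handed this spoke a hub it was not expected to peer with. The sample outputs are constructed to follow the column layout shown on this page; the hub sets are taken from the hub-group configuration in the examples.

```python
import re

# Constructed samples with the column layout of the outputs on this page.
SPOKE1_V4 = """\
Interface : Tunnel1
Number of sessions: 2
Private address  Public address  Port   Type  State    Holding time
192.168.1.1      1.0.0.1         18001  S-H   Success  0H 46M 8S
192.168.1.2      1.0.0.2         18001  S-H   Success  0H 46M 8S
"""
SPOKE3_V6 = """\
Interface : Tunnel1
Number of sessions: 1
Private address  Public address  Port   Type  State    Holding time
192:168:2::1     1::3            18001  S-H   Success  0H 46M 8S
"""
# Hubs of hub group 1 (IPv4 example) and hub group 2 (IPv6 example),
# as specified with hub private-address on the VAM server.
GROUP1_HUBS_V4 = {"192.168.1.1", "192.168.1.2"}
GROUP2_HUBS_V6 = {"192:168:2::1"}

# One session row: addresses, port, session type, state, holding time.
ROW_RE = re.compile(
    r"^(?P<priv>\S+)\s+(?P<pub>\S+)\s+(?P<port>\d+)\s+(?P<type>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<hold>\d+H \d+M \d+S)$")


def parse_sessions(output):
    """Return one dict per session row; header and summary lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def audit_spoke(output, expected_hubs):
    """Compare a spoke's hub-spoke sessions with the hubs of its hub group."""
    findings = []
    hub_sessions = {}
    for s in parse_sessions(output):
        if s["type"] != "S-H":
            continue  # spoke-spoke shortcuts are dynamic and not required
        hub_sessions[s["priv"]] = s
        if s["priv"] not in expected_hubs:
            findings.append(
                f"hub-spoke session to {s['priv']} ({s['pub']}:{s['port']}), "
                f"which is not a configured hub of this group")
    for hub in sorted(expected_hubs):
        s = hub_sessions.get(hub)
        if s is None:
            findings.append(f"no hub-spoke session to hub {hub}")
        elif s["state"] != "Success":
            findings.append(f"session to hub {hub} is in state {s['state']}")
    return findings


if __name__ == "__main__":
    print(audit_spoke(SPOKE1_V4, GROUP1_HUBS_V4) or "Spoke 1: all hubs reachable")
    print(audit_spoke(SPOKE3_V6, GROUP2_HUBS_V6) or "Spoke 3: all hubs reachable")
```

Because the row pattern matches any non-blank address token, the same parser serves the IPv4 and IPv6 forms of the command; feed it the output captured from each spoke together with the hub list of that spoke's group.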
Table 18 Interface and IP address assignment Device Interface IP address Device Interface IP address Hub 1 GE1/0/1 10.0.0.2/24 Spoke 1 GE1/0/1 10.0.0.2/24 Tunnel1 192.168.0.1/24 GE1/0/2 192.168.1.1/24 GE1/0/1 10.0.0.3/24 Tunnel1 192.168.0.3/24 Tunnel1 192.168.0.2/24 GE1/0/1 10.0.0.2/24 GE1/0/1 1.0.0.1/24 GE1/0/2 192.168.2.1/24 GE1/0/2 10.0.0.1/24 Tunnel1 192.168.0.4/24 GE1/0/1 1.0.0.2/24 GE1/0/1 1.0.0.4/24 GE1/0/2 10.0.0.1/24 GE1/0/2 10.0.0.1/24 GE1/0/1 1.0.0.
• Hub2—The private address is 192.168.0.2, the public address is 1.0.0.1 (after NAT), and the source port number of ADVPN packets is 4002 (after NAT).
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001
[PrimaryServer-vam-server-domain-abc-hub-group-0] hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002
# Specify a spoke private network.
# Configure OSPF to advertise the private network.
[Hub1] ospf 1
[Hub1-ospf-1] area 0
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit
# Configure a default route.
[Hub1] ip route-static 0.0.0.0 0 10.0.0.1
4. Configure UDP-mode ADVPN tunnel interface tunnel1.
[Hub1] interface tunnel 1 mode advpn udp
[Hub1-Tunnel1] ip address 192.168.0.1 255.255.255.
[Hub2-Tunnel1] ip address 192.168.0.2 255.255.255.0
[Hub2-Tunnel1] vam client Hub2
[Hub2-Tunnel1] ospf network-type broadcast
[Hub2-Tunnel1] source gigabitethernet 1/0/1
[Hub2-Tunnel1] undo shutdown
[Hub2-Tunnel1] quit
Configuring Spoke 1
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client Spoke1.
system-view
[Spoke1] vam client name Spoke1
# Specify ADVPN domain abc for the VAM client.
Configuring Spoke 2
1. Configure IP addresses for the interfaces. (Details not shown.)
2. Configure the VAM client:
# Create VAM client Spoke2.
system-view
[Spoke2] vam client name Spoke2
# Specify ADVPN domain abc for the VAM client.
[Spoke2-vam-client-Spoke2] advpn-domain abc
# Configure a pre-shared key for the VAM client.
[Spoke2-vam-client-Spoke2] pre-shared-key simple 123456
# Set the username and password to spoke2.
[NAT1-acl-basic-2000] quit
# Configure NAT internal servers on GigabitEthernet1/0/1. Allow external ADVPN nodes to access Hub 1 and Hub 2 by using the public address 1.0.0.1. Hub 1 and Hub 2 both use the default source UDP port number 18001. The UDP port number after NAT is 4001 on Hub 1, and is 4002 on Hub 2.
[NAT1] interface gigabitethernet 1/0/1
[NAT1-GigabitEthernet1/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.
servers both use the default source UDP port number 18000. The UDP port number after NAT is 4001 for the primary server, and is 4002 for the secondary server.
system-view
[NAT4] interface gigabitethernet 1/0/1
[NAT4-GigabitEthernet1/0/1] nat server protocol udp global current-interface 4001 inside 10.0.0.3 18000
[NAT4-GigabitEthernet1/0/1] nat server protocol udp global current-interface 4002 inside 10.0.0.
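In the NAT traversal setup above, a spoke learns a hub's public address and ADVPN port only from the VAM server, so every hub private-address entry that carries public-address and advpn-port must correspond to a static nat server mapping on the hub's NAT device that forwards that public address and port to the hub's real tunnel source address on UDP 18001; a mismatch leaves spokes unable to initiate tunnels to that hub. The following Python is an added example, not HP code and not part of this guide, that checks the two sets of lines against each other. The NAT 1 and VAM server lines are constructed from the steps shown on this page; the hub inside addresses 10.0.0.2 (Hub 1) and 10.0.0.3 (Hub 2), NAT 1's public address 1.0.0.1, and the HUB_SOURCES table that ties each hub's private address to its tunnel source address are assumptions of this example.

```python
import re

ADVPN_PORT = 18001  # default UDP port an ADVPN node uses before NAT

# Constructed input, laid out like the NAT 1 and VAM server steps on this page.
# Assumption: Hub 1 is 10.0.0.2 and Hub 2 is 10.0.0.3 on the inside of NAT 1,
# whose public interface address is 1.0.0.1.
NAT1_PUBLIC = "1.0.0.1"
NAT1_CONFIG = """
interface gigabitethernet 1/0/1
 nat server protocol udp global current-interface 4001 inside 10.0.0.2 18001
 nat server protocol udp global current-interface 4002 inside 10.0.0.3 18001
"""
VAM_HUB_GROUP = """
hub private-address 192.168.0.1 public-address 1.0.0.1 advpn-port 4001
hub private-address 192.168.0.2 public-address 1.0.0.1 advpn-port 4002
"""
# Assumption: the real (pre-NAT) tunnel source address of each hub, keyed by
# the hub's private (tunnel interface) address.
HUB_SOURCES = {"192.168.0.1": "10.0.0.2", "192.168.0.2": "10.0.0.3"}

NAT_RE = re.compile(
    r"nat server protocol udp global (\S+) (\d+) inside (\S+) (\d+)")
HUB_RE = re.compile(
    r"hub private-address (\S+) public-address (\S+) advpn-port (\d+)")


def parse_nat_servers(config, interface_ip):
    """Return {(public addr, public port): (inside addr, inside port)}.

    'current-interface' is resolved to the address of the interface on
    which the mapping is configured.
    """
    mappings = {}
    for gaddr, gport, iaddr, iport in NAT_RE.findall(config):
        if gaddr == "current-interface":
            gaddr = interface_ip
        mappings[(gaddr, int(gport))] = (iaddr, int(iport))
    return mappings


def parse_hub_entries(text):
    """Return [(private addr, public addr, advpn port)] from hub-group lines."""
    return [(priv, pub, int(port)) for priv, pub, port in HUB_RE.findall(text)]


def check_hub_reachability(hub_entries, nat_mappings, hub_sources):
    """List the reasons a spoke could fail to reach each advertised hub."""
    problems = []
    seen = {}
    for priv, pub, port in hub_entries:
        key = (pub, port)
        if key in seen:
            problems.append(
                f"hubs {seen[key]} and {priv} both advertise {pub}:{port}")
        seen[key] = priv
        inside = nat_mappings.get(key)
        if inside is None:
            problems.append(
                f"hub {priv}: no static NAT mapping for {pub}:{port}, "
                f"so spokes cannot initiate a tunnel to it")
            continue
        iaddr, iport = inside
        expected = hub_sources.get(priv)
        if iaddr != expected:
            problems.append(
                f"hub {priv}: {pub}:{port} forwards to {iaddr}, expected {expected}")
        if iport != ADVPN_PORT:
            problems.append(
                f"hub {priv}: mapping forwards to UDP {iport}, "
                f"but the hub listens on UDP {ADVPN_PORT}")
    return problems


if __name__ == "__main__":
    nat = parse_nat_servers(NAT1_CONFIG, NAT1_PUBLIC)
    hubs = parse_hub_entries(VAM_HUB_GROUP)
    for line in check_hub_reachability(hubs, nat, HUB_SOURCES) or ["all hubs reachable"]:
        print(line)
```

The same check applies to the VAM servers behind NAT 4: the address and port a client is told to use for the server must be the public side of a static mapping onto UDP 18000 on the real server, otherwise registration never reaches it.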
192.168.0.2 1.0.0.1 4002 S-H Success 0H 46M 8S
The output shows that Spoke 1 has established a permanent hub-spoke tunnel to Hub 1 and Hub 2, using the post-NAT public address and port of each hub.
# Ping the private address 192.168.0.4 of Spoke 2 from Spoke 1.
[Spoke1] ping 192.168.0.4
Ping 192.168.0.4 (192.168.0.4): 56 data bytes, press CTRL_C to break
56 bytes from 192.168.0.4: icmp_seq=0 ttl=255 time=4.000 ms
56 bytes from 192.168.0.4: icmp_seq=1 ttl=255 time=0.000 ms
56 bytes from 192.168.0.4: icmp_seq=2 ttl=255 time=0.000 ms
56 bytes from 192.168.0.
Support and other resources
Contacting HP
For worldwide technical support information, see the HP support website: http://www.hp.
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention        Description
Boldface          Bold text represents commands and keywords that you enter literally as shown.
Italic            Italic text represents arguments that you replace with actual values.
[ ]               Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }   Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
Represents an access point.
Represents a mesh access point.